Lines Matching refs:conn
24 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
29 if (conn->cred == NULL)
32 cert = conn->cred->cert;
37 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
45 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
55 WPA_PUT_BE32(conn->client_random, now.sec);
56 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
62 conn->client_random, TLS_RANDOM_LEN);
64 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
87 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
90 *pos++ = conn->session_id_len;
91 os_memcpy(pos, conn->session_id, conn->session_id_len);
92 pos += conn->session_id_len;
94 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
96 for (i = 0; i < conn->num_cipher_suites; i++) {
97 WPA_PUT_BE16(pos, conn->cipher_suites[i]);
104 if (conn->client_hello_ext) {
105 os_memcpy(pos, conn->client_hello_ext,
106 conn->client_hello_ext_len);
107 pos += conn->client_hello_ext_len;
111 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
113 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
117 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
123 conn->state = SERVER_HELLO;
129 static int tls_write_client_certificate(struct tlsv1_client *conn,
155 cert = conn->cred ? conn->cred->cert : NULL;
162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
173 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
176 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
190 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
194 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
200 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
208 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
214 csecret_len = conn->dh_p_len;
219 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
232 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
244 dh_yc_len = conn->dh_p_len;
249 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
254 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
256 conn->dh_p, conn->dh_p_len,
258 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
273 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
283 shared_len = conn->dh_p_len;
288 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
295 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
297 conn->dh_p, conn->dh_p_len,
299 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
310 if (tls_derive_keys(conn, shared, shared_len)) {
312 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
319 tlsv1_client_free_dh(conn);
324 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
331 tls_derive_keys(conn, pre_master_secret,
334 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
340 if (conn->server_rsa_key == NULL) {
343 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 conn->server_rsa_key,
358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
379 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
403 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0)
406 if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
412 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
416 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
421 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
429 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
475 if (conn->rl.tls_version == TLS_VERSION_1_2) {
477 if (conn->verify.sha256_cert == NULL ||
478 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
480 conn->verify.sha256_cert = NULL;
481 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
485 conn->verify.sha256_cert = NULL;
510 if (conn->verify.md5_cert == NULL ||
511 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
513 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
515 conn->verify.md5_cert = NULL;
516 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
517 conn->verify.sha1_cert = NULL;
522 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
524 conn->verify.md5_cert = NULL;
526 if (conn->verify.sha1_cert == NULL ||
527 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
528 conn->verify.sha1_cert = NULL;
529 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
533 conn->verify.sha1_cert = NULL;
545 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
575 if (conn->cred == NULL ||
576 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
579 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
589 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
593 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
599 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
607 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
617 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
621 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
626 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
629 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
640 static int tls_write_client_finished(struct tlsv1_client *conn,
653 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
655 if (conn->verify.sha256_client == NULL ||
656 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
658 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
660 conn->verify.sha256_client = NULL;
663 conn->verify.sha256_client = NULL;
668 if (conn->verify.md5_client == NULL ||
669 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
670 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672 conn->verify.md5_client = NULL;
673 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
674 conn->verify.sha1_client = NULL;
677 conn->verify.md5_client = NULL;
679 if (conn->verify.sha1_client == NULL ||
680 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
682 conn->verify.sha1_client = NULL;
683 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
687 conn->verify.sha1_client = NULL;
694 if (tls_prf(conn->rl.tls_version,
695 conn->master_secret, TLS_MASTER_SECRET_LEN,
699 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
714 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
716 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
720 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
731 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
740 if (conn->certificate_requested)
741 msglen += tls_client_cert_chain_der_len(conn);
750 if (conn->certificate_requested) {
751 if (tls_write_client_certificate(conn, &pos, end) < 0) {
757 if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
758 (conn->certificate_requested && conn->cred && conn->cred->key &&
759 tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
760 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
761 tls_write_client_finished(conn, &pos, end) < 0) {
768 conn->state = SERVER_CHANGE_CIPHER_SPEC;
774 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
788 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
789 tls_write_client_finished(conn, &pos, end) < 0) {
798 conn->state = ESTABLISHED;
804 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
807 switch (conn->state) {
809 return tls_send_client_key_exchange(conn, out_len);
811 return tls_send_change_cipher_spec(conn, out_len);
815 conn->state = ESTABLISHED;
824 "generating reply", conn->state);
830 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
848 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :