TLS: Pass version to tls_prf() in preparation for new PRFs

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2011-11-27 21:35:11 +02:00
parent cd52acec85
commit d0485a6208
8 changed files with 22 additions and 12 deletions

View File

@ -67,7 +67,8 @@ int tls_derive_keys(struct tlsv1_client *conn,
os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
TLS_RANDOM_LEN); TLS_RANDOM_LEN);
if (tls_prf(pre_master_secret, pre_master_secret_len, if (tls_prf(conn->rl.tls_version,
pre_master_secret, pre_master_secret_len,
"master secret", seed, 2 * TLS_RANDOM_LEN, "master secret", seed, 2 * TLS_RANDOM_LEN,
conn->master_secret, TLS_MASTER_SECRET_LEN)) { conn->master_secret, TLS_MASTER_SECRET_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
@ -83,7 +84,8 @@ int tls_derive_keys(struct tlsv1_client *conn,
key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len); key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len);
if (conn->rl.tls_version == TLS_VERSION_1) if (conn->rl.tls_version == TLS_VERSION_1)
key_block_len += 2 * conn->rl.iv_size; key_block_len += 2 * conn->rl.iv_size;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"key expansion", seed, 2 * TLS_RANDOM_LEN, "key expansion", seed, 2 * TLS_RANDOM_LEN,
key_block, key_block_len)) { key_block, key_block_len)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
@ -536,7 +538,8 @@ int tlsv1_client_prf(struct tlsv1_client *conn, const char *label,
TLS_RANDOM_LEN); TLS_RANDOM_LEN);
} }
return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, return tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
label, seed, 2 * TLS_RANDOM_LEN, out, out_len); label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
} }

View File

@ -844,7 +844,8 @@ static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
} }
conn->verify.sha1_server = NULL; conn->verify.sha1_server = NULL;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
verify_data, TLS_VERIFY_DATA_LEN)) { verify_data, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");

View File

@ -621,7 +621,8 @@ static int tls_write_client_finished(struct tlsv1_client *conn,
} }
conn->verify.sha1_client = NULL; conn->verify.sha1_client = NULL;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");

View File

@ -268,7 +268,7 @@ const char * tls_version_str(u16 ver)
} }
int tls_prf(const u8 *secret, size_t secret_len, const char *label, int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
const u8 *seed, size_t seed_len, u8 *out, size_t outlen) const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
{ {
return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out, return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,

View File

@ -220,7 +220,7 @@ void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
void tls_verify_hash_free(struct tls_verify_hash *verify); void tls_verify_hash_free(struct tls_verify_hash *verify);
int tls_version_ok(u16 ver); int tls_version_ok(u16 ver);
const char * tls_version_str(u16 ver); const char * tls_version_str(u16 ver);
int tls_prf(const u8 *secret, size_t secret_len, const char *label, int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
const u8 *seed, size_t seed_len, u8 *out, size_t outlen); const u8 *seed, size_t seed_len, u8 *out, size_t outlen);
#endif /* TLSV1_COMMON_H */ #endif /* TLSV1_COMMON_H */

View File

@ -49,7 +49,8 @@ int tlsv1_server_derive_keys(struct tlsv1_server *conn,
os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
TLS_RANDOM_LEN); TLS_RANDOM_LEN);
if (tls_prf(pre_master_secret, pre_master_secret_len, if (tls_prf(conn->rl.tls_version,
pre_master_secret, pre_master_secret_len,
"master secret", seed, 2 * TLS_RANDOM_LEN, "master secret", seed, 2 * TLS_RANDOM_LEN,
conn->master_secret, TLS_MASTER_SECRET_LEN)) { conn->master_secret, TLS_MASTER_SECRET_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
@ -64,7 +65,8 @@ int tlsv1_server_derive_keys(struct tlsv1_server *conn,
os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len + key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
conn->rl.iv_size); conn->rl.iv_size);
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"key expansion", seed, 2 * TLS_RANDOM_LEN, "key expansion", seed, 2 * TLS_RANDOM_LEN,
key_block, key_block_len)) { key_block, key_block_len)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
@ -449,7 +451,8 @@ int tlsv1_server_prf(struct tlsv1_server *conn, const char *label,
TLS_RANDOM_LEN); TLS_RANDOM_LEN);
} }
return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, return tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
label, seed, 2 * TLS_RANDOM_LEN, out, out_len); label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
} }

View File

@ -1063,7 +1063,8 @@ static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
} }
conn->verify.sha1_client = NULL; conn->verify.sha1_client = NULL;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
verify_data, TLS_VERIFY_DATA_LEN)) { verify_data, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");

View File

@ -609,7 +609,8 @@ static int tls_write_server_finished(struct tlsv1_server *conn,
} }
conn->verify.sha1_server = NULL; conn->verify.sha1_server = NULL;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");