david/ipxe
david
/
ipxe
Archived
1
0
Fork 0
Code

[tls] Verify the contents of the Finished record 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown 2012-03-03 22:29:20 +00:00
parent 56a7981d58
commit a42f6cab14
1 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/net/tls.c
View File

@ -997,10 +997,31 @@ static int tls_new_server_hello_done ( struct tls_session *tls,
*/
static int tls_new_finished ( struct tls_session *tls,
void *data, size_t len ) {
struct {
uint8_t verify_data[12];
char next[0];
} __attribute__ (( packed )) *finished = data;
void *end = finished->next;
uint8_t digest[MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE];
uint8_t verify_data[ sizeof ( finished->verify_data ) ];
/* FIXME: Handle this properly */
( void ) data;
( void ) len;
/* Sanity check */
if ( end != ( data + len ) ) {
DBGC ( tls, "TLS %p received overlength Finished\n", tls );
DBGC_HD ( tls, data, len );
return -EINVAL;
}
/* Verify data */
tls_verify_handshake ( tls, digest );
tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
verify_data, sizeof ( verify_data ), "server finished",
digest, sizeof ( digest ) );
if ( memcmp ( verify_data, finished->verify_data,
sizeof ( verify_data ) ) != 0 ) {
DBGC ( tls, "TLS %p verification failed\n", tls );
return -EPERM;
}
/* Mark session as ready to transmit plaintext data */
tls->tx_ready = 1;