22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver) in tls_version_disabled() argument
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && in tls_version_disabled()
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && in tls_version_disabled()
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && in tls_version_disabled()
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn, in tls_process_server_hello_extensions() argument
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, in tls_process_server_hello() argument
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
128 tls_version_disabled(conn, tls_version)) { in tls_process_server_hello()
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
139 conn->rl.tls_version = tls_version; in tls_process_server_hello()
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); in tls_process_server_hello()
148 conn->server_random, TLS_RANDOM_LEN); in tls_process_server_hello()
155 if (conn->session_id_len && conn->session_id_len == *pos && in tls_process_server_hello()
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { in tls_process_server_hello()
157 pos += 1 + conn->session_id_len; in tls_process_server_hello()
159 conn->session_resumed = 1; in tls_process_server_hello()
161 conn->session_id_len = *pos; in tls_process_server_hello()
163 os_memcpy(conn->session_id, pos, conn->session_id_len); in tls_process_server_hello()
164 pos += conn->session_id_len; in tls_process_server_hello()
167 conn->session_id, conn->session_id_len); in tls_process_server_hello()
174 for (i = 0; i < conn->num_cipher_suites; i++) { in tls_process_server_hello()
175 if (cipher_suite == conn->cipher_suites[i]) in tls_process_server_hello()
178 if (i == conn->num_cipher_suites) { in tls_process_server_hello()
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { in tls_process_server_hello()
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite); in tls_process_server_hello()
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { in tls_process_server_hello()
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
203 conn->prev_cipher_suite = cipher_suite; in tls_process_server_hello()
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
229 if (tls_process_server_hello_extensions(conn, pos, ext_len)) in tls_process_server_hello()
240 if (conn->session_ticket_included && conn->session_ticket_cb) { in tls_process_server_hello()
243 int res = conn->session_ticket_cb( in tls_process_server_hello()
244 conn->session_ticket_cb_ctx, NULL, 0, in tls_process_server_hello()
245 conn->client_random, conn->server_random, in tls_process_server_hello()
246 conn->master_secret); in tls_process_server_hello()
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
254 conn->use_session_ticket = !!res; in tls_process_server_hello()
257 if ((conn->session_resumed || conn->use_session_ticket) && in tls_process_server_hello()
258 tls_derive_keys(conn, NULL, 0)) { in tls_process_server_hello()
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello()
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ? in tls_process_server_hello()
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_server_hello()
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth, in tls_peer_cert_event() argument
289 if (!conn->event_cb) in tls_peer_cert_event()
293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) { in tls_peer_cert_event()
323 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev); in tls_peer_cert_event()
328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth, in tls_cert_chain_failure_event() argument
337 if (!conn->event_cb || !cert) in tls_cert_chain_failure_event()
349 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); in tls_cert_chain_failure_event()
354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, in tls_process_certificate() argument
366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
377 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate()
390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate()
395 return tls_process_server_key_exchange(conn, ct, in_data, in tls_process_certificate()
398 return tls_process_certificate_request(conn, ct, in_data, in tls_process_certificate()
401 return tls_process_server_hello_done(conn, ct, in_data, in tls_process_certificate()
408 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
430 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate()
442 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate()
451 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
465 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
475 crypto_public_key_free(conn->server_rsa_key); in tls_process_certificate()
477 &conn->server_rsa_key)) { in tls_process_certificate()
480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
497 tls_peer_cert_event(conn, idx, cert); in tls_process_certificate()
509 if (conn->cred && conn->cred->server_cert_only && chain) { in tls_process_certificate()
519 os_memcmp(conn->cred->srv_cert_hash, hash, in tls_process_certificate()
525 if (conn->event_cb) { in tls_process_certificate()
533 conn->event_cb(conn->cb_ctx, in tls_process_certificate()
536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
541 } else if (conn->cred && conn->cred->cert_probe) { in tls_process_certificate()
544 if (conn->event_cb) { in tls_process_certificate()
557 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, in tls_process_certificate()
560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
564 } else if (conn->cred && conn->cred->ca_cert_verify && in tls_process_certificate()
566 conn->cred->trusted_certs, chain, &reason, in tls_process_certificate()
567 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) in tls_process_certificate()
576 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, in tls_process_certificate()
585 conn, 0, chain, TLS_FAIL_REVOKED, in tls_process_certificate()
591 conn, 0, chain, TLS_FAIL_EXPIRED, in tls_process_certificate()
600 conn, 0, chain, TLS_FAIL_UNTRUSTED, in tls_process_certificate()
607 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); in tls_process_certificate()
612 if (conn->cred && !conn->cred->server_cert_only && chain && in tls_process_certificate()
617 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, in tls_process_certificate()
619 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate()
625 if (conn->flags & TLS_CONN_REQUEST_OCSP) { in tls_process_certificate()
626 x509_certificate_chain_free(conn->server_cert); in tls_process_certificate()
627 conn->server_cert = chain; in tls_process_certificate()
634 conn->state = SERVER_KEY_EXCHANGE; in tls_process_certificate()
664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, in tlsv1_process_diffie_hellman() argument
673 tlsv1_client_free_dh(conn); in tlsv1_process_diffie_hellman()
687 conn->dh_p_len = val; in tlsv1_process_diffie_hellman()
688 bits = count_bits(pos, conn->dh_p_len); in tlsv1_process_diffie_hellman()
693 pos, conn->dh_p_len); in tlsv1_process_diffie_hellman()
696 conn->dh_p = os_memdup(pos, conn->dh_p_len); in tlsv1_process_diffie_hellman()
697 if (conn->dh_p == NULL) in tlsv1_process_diffie_hellman()
699 pos += conn->dh_p_len; in tlsv1_process_diffie_hellman()
701 conn->dh_p, conn->dh_p_len); in tlsv1_process_diffie_hellman()
709 conn->dh_g_len = val; in tlsv1_process_diffie_hellman()
710 conn->dh_g = os_memdup(pos, conn->dh_g_len); in tlsv1_process_diffie_hellman()
711 if (conn->dh_g == NULL) in tlsv1_process_diffie_hellman()
713 pos += conn->dh_g_len; in tlsv1_process_diffie_hellman()
715 conn->dh_g, conn->dh_g_len); in tlsv1_process_diffie_hellman()
716 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) in tlsv1_process_diffie_hellman()
725 conn->dh_ys_len = val; in tlsv1_process_diffie_hellman()
726 conn->dh_ys = os_memdup(pos, conn->dh_ys_len); in tlsv1_process_diffie_hellman()
727 if (conn->dh_ys == NULL) in tlsv1_process_diffie_hellman()
729 pos += conn->dh_ys_len; in tlsv1_process_diffie_hellman()
731 conn->dh_ys, conn->dh_ys_len); in tlsv1_process_diffie_hellman()
738 if (conn->rl.tls_version == TLS_VERSION_1_2) { in tlsv1_process_diffie_hellman()
762 conn->rl.tls_version, pos[0], in tlsv1_process_diffie_hellman()
763 conn->client_random, in tlsv1_process_diffie_hellman()
764 conn->server_random, server_params, in tlsv1_process_diffie_hellman()
772 conn->rl.tls_version, conn->client_random, in tlsv1_process_diffie_hellman()
773 conn->server_random, server_params, in tlsv1_process_diffie_hellman()
783 if (tls_verify_signature(conn->rl.tls_version, in tlsv1_process_diffie_hellman()
784 conn->server_rsa_key, in tlsv1_process_diffie_hellman()
794 tlsv1_client_free_dh(conn); in tlsv1_process_diffie_hellman()
800 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn, in tls_process_certificate_status_ocsp_response() argument
809 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_status_ocsp_response()
816 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_status_ocsp_response()
820 return tls_process_ocsp_response(conn, pos, ocsp_resp_len); in tls_process_certificate_status_ocsp_response()
824 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct, in tls_process_certificate_status() argument
838 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_status()
850 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_status()
863 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_status()
873 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_status()
891 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_status()
900 conn, pos, end - pos); in tls_process_certificate_status()
944 conn, pos - 3, resp_len + 3); in tls_process_certificate_status()
964 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_status()
966 for (cert = conn->server_cert, depth = 0; cert; in tls_process_certificate_status()
970 conn, depth, cert, TLS_FAIL_REVOKED, in tls_process_certificate_status()
977 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) { in tls_process_certificate_status()
983 for (cert = conn->server_cert, depth = 0; cert; in tls_process_certificate_status()
986 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_status()
989 conn, depth, cert, in tls_process_certificate_status()
999 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) { in tls_process_certificate_status()
1000 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_status()
1003 if (conn->server_cert) in tls_process_certificate_status()
1005 conn, 0, conn->server_cert, in tls_process_certificate_status()
1011 conn->ocsp_resp_received = 1; in tls_process_certificate_status()
1016 conn->state = SERVER_KEY_EXCHANGE; in tls_process_certificate_status()
1022 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, in tls_process_server_key_exchange() argument
1033 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_key_exchange()
1044 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_server_key_exchange()
1057 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_server_key_exchange()
1063 if ((conn->flags & TLS_CONN_REQUEST_OCSP) && in tls_process_server_key_exchange()
1065 return tls_process_certificate_status(conn, ct, in_data, in tls_process_server_key_exchange()
1068 return tls_process_certificate_request(conn, ct, in_data, in tls_process_server_key_exchange()
1071 return tls_process_server_hello_done(conn, ct, in_data, in tls_process_server_key_exchange()
1077 (conn->flags & TLS_CONN_REQUEST_OCSP) ? in tls_process_server_key_exchange()
1079 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_key_exchange()
1086 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { in tls_process_server_key_exchange()
1089 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_key_exchange()
1095 suite = tls_get_cipher_suite(conn->rl.cipher_suite); in tls_process_server_key_exchange()
1098 if (tlsv1_process_diffie_hellman(conn, pos, len, in tls_process_server_key_exchange()
1100 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_key_exchange()
1106 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_key_exchange()
1113 conn->state = SERVER_CERTIFICATE_REQUEST; in tls_process_server_key_exchange()
1119 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, in tls_process_certificate_request() argument
1129 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_request()
1140 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_request()
1153 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_certificate_request()
1160 return tls_process_server_hello_done(conn, ct, in_data, in tls_process_certificate_request()
1166 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_certificate_request()
1173 conn->certificate_requested = 1; in tls_process_certificate_request()
1177 conn->state = SERVER_HELLO_DONE; in tls_process_certificate_request()
1183 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, in tls_process_server_hello_done() argument
1193 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello_done()
1204 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_server_hello_done()
1217 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_server_hello_done()
1225 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello_done()
1232 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && in tls_process_server_hello_done()
1233 !conn->ocsp_resp_received) { in tls_process_server_hello_done()
1236 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_hello_done()
1243 conn->state = CLIENT_KEY_EXCHANGE; in tls_process_server_hello_done()
1249 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, in tls_process_server_change_cipher_spec() argument
1259 if (conn->use_session_ticket) { in tls_process_server_change_cipher_spec()
1263 conn->use_session_ticket = 0; in tls_process_server_change_cipher_spec()
1266 res = conn->session_ticket_cb( in tls_process_server_change_cipher_spec()
1267 conn->session_ticket_cb_ctx, NULL, 0, NULL, in tls_process_server_change_cipher_spec()
1272 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_change_cipher_spec()
1277 conn->state = SERVER_CERTIFICATE; in tls_process_server_change_cipher_spec()
1278 return tls_process_certificate(conn, ct, in_data, in tls_process_server_change_cipher_spec()
1281 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_change_cipher_spec()
1291 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); in tls_process_server_change_cipher_spec()
1298 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_change_cipher_spec()
1304 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { in tls_process_server_change_cipher_spec()
1307 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_change_cipher_spec()
1314 conn->state = SERVER_FINISHED; in tls_process_server_change_cipher_spec()
1320 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, in tls_process_server_finished() argument
1331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1343 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1374 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1382 if (conn->rl.tls_version >= TLS_VERSION_1_2) { in tls_process_server_finished()
1384 if (conn->verify.sha256_server == NULL || in tls_process_server_finished()
1385 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) in tls_process_server_finished()
1387 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1389 conn->verify.sha256_server = NULL; in tls_process_server_finished()
1392 conn->verify.sha256_server = NULL; in tls_process_server_finished()
1397 if (conn->verify.md5_server == NULL || in tls_process_server_finished()
1398 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { in tls_process_server_finished()
1399 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1401 conn->verify.md5_server = NULL; in tls_process_server_finished()
1402 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); in tls_process_server_finished()
1403 conn->verify.sha1_server = NULL; in tls_process_server_finished()
1406 conn->verify.md5_server = NULL; in tls_process_server_finished()
1408 if (conn->verify.sha1_server == NULL || in tls_process_server_finished()
1409 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, in tls_process_server_finished()
1411 conn->verify.sha1_server = NULL; in tls_process_server_finished()
1412 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1416 conn->verify.sha1_server = NULL; in tls_process_server_finished()
1423 if (tls_prf(conn->rl.tls_version, in tls_process_server_finished()
1424 conn->master_secret, TLS_MASTER_SECRET_LEN, in tls_process_server_finished()
1428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1437 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_server_finished()
1446 conn->state = (conn->session_resumed || conn->use_session_ticket) ? in tls_process_server_finished()
1453 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, in tls_process_application_data() argument
1463 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tls_process_application_data()
1484 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, in tlsv1_client_process_handshake() argument
1491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tlsv1_client_process_handshake()
1498 conn->state = FAILED; in tlsv1_client_process_handshake()
1507 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, in tlsv1_client_process_handshake()
1516 switch (conn->state) { in tlsv1_client_process_handshake()
1518 if (tls_process_server_hello(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1522 if (tls_process_certificate(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1526 if (tls_process_server_key_exchange(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1530 if (tls_process_certificate_request(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1534 if (tls_process_server_hello_done(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1538 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1542 if (tls_process_server_finished(conn, ct, buf, len)) in tlsv1_client_process_handshake()
1547 tls_process_application_data(conn, ct, buf, len, out_data, in tlsv1_client_process_handshake()
1554 conn->state); in tlsv1_client_process_handshake()
1559 tls_verify_hash_add(&conn->verify, buf, *len); in tlsv1_client_process_handshake()