narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[tls] Verify the contents of the Finished record 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/6/head
Michael Brown 2012-03-03 22:29:20 +00:00
parent 56a7981d58
commit a42f6cab14
1 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/net/tls.c
View File

@ -997,10 +997,31 @@ static int tls_new_server_hello_done ( struct tls_session *tls,
*/ */
static int tls_new_finished ( struct tls_session *tls, static int tls_new_finished ( struct tls_session *tls,
void *data, size_t len ) { void *data, size_t len ) {
struct {
uint8_t verify_data[12];
char next[0];
} __attribute__ (( packed )) *finished = data;
void *end = finished->next;
uint8_t digest[MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE];
uint8_t verify_data[ sizeof ( finished->verify_data ) ];
/* FIXME: Handle this properly */ /* Sanity check */
( void ) data; if ( end != ( data + len ) ) {
( void ) len; DBGC ( tls, "TLS %p received overlength Finished\n", tls );
DBGC_HD ( tls, data, len );
return -EINVAL;
}
/* Verify data */
tls_verify_handshake ( tls, digest );
tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
verify_data, sizeof ( verify_data ), "server finished",
digest, sizeof ( digest ) );
if ( memcmp ( verify_data, finished->verify_data,
sizeof ( verify_data ) ) != 0 ) {
DBGC ( tls, "TLS %p verification failed\n", tls );
return -EPERM;
}
/* Mark session as ready to transmit plaintext data */ /* Mark session as ready to transmit plaintext data */
tls->tx_ready = 1; tls->tx_ready = 1;