TLS client: Send decrypt_error on verify_data validation error

Previously, this was silently dropped which left the connection waiting
for timeout. decrypt_error alert can be used here to avoid that.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index 475a6e90334e38ba951ecc7a5838b1652aeb9dbe..8367e361571b8887e4095dfcd843fd50f0bf1869 100644 (file)
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -931,6 +931,8 @@ static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
 
        if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
                wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
+               tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
+                         TLS_ALERT_DECRYPT_ERROR);
                return -1;
        }