From: Jouni Malinen Date: Sun, 9 Mar 2014 16:19:32 +0000 (+0200) Subject: TLS client: Send decrypt_error on verify_data validation error X-Git-Tag: hostap_2_2~629 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3ef7a264043562a0023e00fad77869008429591;p=thirdparty%2Fhostap.git TLS client: Send decrypt_error on verify_data validation error Previously, this was silently dropped which left the connection waiting for timeout. decrypt_error alert can be used here to avoid that. Signed-off-by: Jouni Malinen --- diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c index 475a6e903..8367e3615 100644 --- a/src/tls/tlsv1_client_read.c +++ b/src/tls/tlsv1_client_read.c @@ -931,6 +931,8 @@ static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); + tls_alert(conn, TLS_ALERT_LEVEL_FATAL, + TLS_ALERT_DECRYPT_ERROR); return -1; }
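Review bot: the verify_data check in tls_process_server_finished() that now triggers the fatal alert still compares with os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN), an ordinary memory compare that may stop at the first differing byte. Because a mismatch now gives the peer an immediate, observable response instead of a timeout, consider a constant-time comparison over the full TLS_VERIFY_DATA_LEN bytes here. The alert choice itself is right: the TLS specification defines decrypt_error as covering failure to validate a Finished message. A smaller point on the same lines: the "TLSv1: Mismatch in verify_data" message is logged at MSG_INFO and does not say that an alert is being sent, so a short addition to the log text would make the new behaviour easier to spot when debugging failed handshakes.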