| /* |
| * TLSv1 server - read handshake message |
| * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> |
| * |
| * This software may be distributed under the terms of the BSD license. |
| * See README for more details. |
| */ |
| |
| #include "includes.h" |
| |
| #include "common.h" |
| #include "crypto/md5.h" |
| #include "crypto/sha1.h" |
| #include "crypto/sha256.h" |
| #include "crypto/tls.h" |
| #include "x509v3.h" |
| #include "tlsv1_common.h" |
| #include "tlsv1_record.h" |
| #include "tlsv1_server.h" |
| #include "tlsv1_server_i.h" |
| |
| |
| static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, |
| const u8 *in_data, size_t *in_len); |
| static int tls_process_change_cipher_spec(struct tlsv1_server *conn, |
| u8 ct, const u8 *in_data, |
| size_t *in_len); |
| |
| |
| static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, |
| const u8 *in_data, size_t *in_len) |
| { |
| const u8 *pos, *end, *c; |
| size_t left, len, i, j; |
| u16 cipher_suite; |
| u16 num_suites; |
| int compr_null_found; |
| u16 ext_type, ext_len; |
| |
| if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " |
| "received content type 0x%x", ct); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| pos = in_data; |
| left = *in_len; |
| |
| if (left < 4) |
| goto decode_error; |
| |
| /* HandshakeType msg_type */ |
| if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " |
| "message %d (expected ClientHello)", *pos); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); |
| pos++; |
| /* uint24 length */ |
| len = WPA_GET_BE24(pos); |
| pos += 3; |
| left -= 4; |
| |
| if (len > left) |
| goto decode_error; |
| |
| /* body - ClientHello */ |
| |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); |
| end = pos + len; |
| |
| /* ProtocolVersion client_version */ |
| if (end - pos < 2) |
| goto decode_error; |
| conn->client_version = WPA_GET_BE16(pos); |
| wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", |
| conn->client_version >> 8, conn->client_version & 0xff); |
| if (conn->client_version < TLS_VERSION_1) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " |
| "ClientHello %u.%u", |
| conn->client_version >> 8, |
| conn->client_version & 0xff); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_PROTOCOL_VERSION); |
| return -1; |
| } |
| pos += 2; |
| |
| if (TLS_VERSION == TLS_VERSION_1) |
| conn->rl.tls_version = TLS_VERSION_1; |
| #ifdef CONFIG_TLSV12 |
| else if (conn->client_version >= TLS_VERSION_1_2) |
| conn->rl.tls_version = TLS_VERSION_1_2; |
| #endif /* CONFIG_TLSV12 */ |
| else if (conn->client_version > TLS_VERSION_1_1) |
| conn->rl.tls_version = TLS_VERSION_1_1; |
| else |
| conn->rl.tls_version = conn->client_version; |
| wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", |
| tls_version_str(conn->rl.tls_version)); |
| |
| /* Random random */ |
| if (end - pos < TLS_RANDOM_LEN) |
| goto decode_error; |
| |
| os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); |
| pos += TLS_RANDOM_LEN; |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", |
| conn->client_random, TLS_RANDOM_LEN); |
| |
| /* SessionID session_id */ |
| if (end - pos < 1) |
| goto decode_error; |
| if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) |
| goto decode_error; |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); |
| pos += 1 + *pos; |
| /* TODO: add support for session resumption */ |
| |
| /* CipherSuite cipher_suites<2..2^16-1> */ |
| if (end - pos < 2) |
| goto decode_error; |
| num_suites = WPA_GET_BE16(pos); |
| pos += 2; |
| if (end - pos < num_suites) |
| goto decode_error; |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", |
| pos, num_suites); |
| if (num_suites & 1) |
| goto decode_error; |
| num_suites /= 2; |
| |
| cipher_suite = 0; |
| for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { |
| c = pos; |
| for (j = 0; j < num_suites; j++) { |
| u16 tmp = WPA_GET_BE16(c); |
| c += 2; |
| if (!cipher_suite && tmp == conn->cipher_suites[i]) { |
| cipher_suite = tmp; |
| break; |
| } |
| } |
| } |
| pos += num_suites * 2; |
| if (!cipher_suite) { |
| wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " |
| "available"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_ILLEGAL_PARAMETER); |
| return -1; |
| } |
| |
| if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " |
| "record layer"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| conn->cipher_suite = cipher_suite; |
| |
| /* CompressionMethod compression_methods<1..2^8-1> */ |
| if (end - pos < 1) |
| goto decode_error; |
| num_suites = *pos++; |
| if (end - pos < num_suites) |
| goto decode_error; |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", |
| pos, num_suites); |
| compr_null_found = 0; |
| for (i = 0; i < num_suites; i++) { |
| if (*pos++ == TLS_COMPRESSION_NULL) |
| compr_null_found = 1; |
| } |
| if (!compr_null_found) { |
| wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " |
| "compression"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_ILLEGAL_PARAMETER); |
| return -1; |
| } |
| |
| if (end - pos == 1) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " |
| "end of ClientHello: 0x%02x", *pos); |
| goto decode_error; |
| } |
| |
| if (end - pos >= 2) { |
| /* Extension client_hello_extension_list<0..2^16-1> */ |
| ext_len = WPA_GET_BE16(pos); |
| pos += 2; |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " |
| "extensions", ext_len); |
| if (end - pos != ext_len) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " |
| "extension list length %u (expected %u)", |
| ext_len, (unsigned int) (end - pos)); |
| goto decode_error; |
| } |
| |
| /* |
| * struct { |
| * ExtensionType extension_type (0..65535) |
| * opaque extension_data<0..2^16-1> |
| * } Extension; |
| */ |
| |
| while (pos < end) { |
| if (end - pos < 2) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid " |
| "extension_type field"); |
| goto decode_error; |
| } |
| |
| ext_type = WPA_GET_BE16(pos); |
| pos += 2; |
| |
| if (end - pos < 2) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid " |
| "extension_data length field"); |
| goto decode_error; |
| } |
| |
| ext_len = WPA_GET_BE16(pos); |
| pos += 2; |
| |
| if (end - pos < ext_len) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid " |
| "extension_data field"); |
| goto decode_error; |
| } |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " |
| "type %u", ext_type); |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " |
| "Extension data", pos, ext_len); |
| |
| if (ext_type == TLS_EXT_SESSION_TICKET) { |
| os_free(conn->session_ticket); |
| conn->session_ticket = os_malloc(ext_len); |
| if (conn->session_ticket) { |
| os_memcpy(conn->session_ticket, pos, |
| ext_len); |
| conn->session_ticket_len = ext_len; |
| } |
| } |
| |
| pos += ext_len; |
| } |
| } |
| |
| *in_len = end - in_data; |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " |
| "ServerHello"); |
| conn->state = SERVER_HELLO; |
| |
| return 0; |
| |
| decode_error: |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| |
| static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, |
| const u8 *in_data, size_t *in_len) |
| { |
| const u8 *pos, *end; |
| size_t left, len, list_len, cert_len, idx; |
| u8 type; |
| struct x509_certificate *chain = NULL, *last = NULL, *cert; |
| int reason; |
| |
| if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " |
| "received content type 0x%x", ct); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| pos = in_data; |
| left = *in_len; |
| |
| if (left < 4) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " |
| "(len=%lu)", (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| type = *pos++; |
| len = WPA_GET_BE24(pos); |
| pos += 3; |
| left -= 4; |
| |
| if (len > left) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " |
| "length (len=%lu != left=%lu)", |
| (unsigned long) len, (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { |
| if (conn->verify_peer) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " |
| "Certificate"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| return tls_process_client_key_exchange(conn, ct, in_data, |
| in_len); |
| } |
| if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " |
| "message %d (expected Certificate/" |
| "ClientKeyExchange)", type); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| wpa_printf(MSG_DEBUG, |
| "TLSv1: Received Certificate (certificate_list len %lu)", |
| (unsigned long) len); |
| |
| /* |
| * opaque ASN.1Cert<2^24-1>; |
| * |
| * struct { |
| * ASN.1Cert certificate_list<1..2^24-1>; |
| * } Certificate; |
| */ |
| |
| end = pos + len; |
| |
| if (end - pos < 3) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " |
| "(left=%lu)", (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| list_len = WPA_GET_BE24(pos); |
| pos += 3; |
| |
| if ((size_t) (end - pos) != list_len) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " |
| "length (len=%lu left=%lu)", |
| (unsigned long) list_len, |
| (unsigned long) (end - pos)); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| idx = 0; |
| while (pos < end) { |
| if (end - pos < 3) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " |
| "certificate_list"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| x509_certificate_chain_free(chain); |
| return -1; |
| } |
| |
| cert_len = WPA_GET_BE24(pos); |
| pos += 3; |
| |
| if ((size_t) (end - pos) < cert_len) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " |
| "length (len=%lu left=%lu)", |
| (unsigned long) cert_len, |
| (unsigned long) (end - pos)); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| x509_certificate_chain_free(chain); |
| return -1; |
| } |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", |
| (unsigned long) idx, (unsigned long) cert_len); |
| |
| if (idx == 0) { |
| crypto_public_key_free(conn->client_rsa_key); |
| if (tls_parse_cert(pos, cert_len, |
| &conn->client_rsa_key)) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " |
| "the certificate"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_BAD_CERTIFICATE); |
| x509_certificate_chain_free(chain); |
| return -1; |
| } |
| } |
| |
| cert = x509_certificate_parse(pos, cert_len); |
| if (cert == NULL) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " |
| "the certificate"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_BAD_CERTIFICATE); |
| x509_certificate_chain_free(chain); |
| return -1; |
| } |
| |
| if (last == NULL) |
| chain = cert; |
| else |
| last->next = cert; |
| last = cert; |
| |
| idx++; |
| pos += cert_len; |
| } |
| |
| if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, |
| &reason, 0) < 0) { |
| int tls_reason; |
| wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " |
| "validation failed (reason=%d)", reason); |
| switch (reason) { |
| case X509_VALIDATE_BAD_CERTIFICATE: |
| tls_reason = TLS_ALERT_BAD_CERTIFICATE; |
| break; |
| case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: |
| tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; |
| break; |
| case X509_VALIDATE_CERTIFICATE_REVOKED: |
| tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; |
| break; |
| case X509_VALIDATE_CERTIFICATE_EXPIRED: |
| tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; |
| break; |
| case X509_VALIDATE_CERTIFICATE_UNKNOWN: |
| tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; |
| break; |
| case X509_VALIDATE_UNKNOWN_CA: |
| tls_reason = TLS_ALERT_UNKNOWN_CA; |
| break; |
| default: |
| tls_reason = TLS_ALERT_BAD_CERTIFICATE; |
| break; |
| } |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); |
| x509_certificate_chain_free(chain); |
| return -1; |
| } |
| |
| x509_certificate_chain_free(chain); |
| |
| *in_len = end - in_data; |
| |
| conn->state = CLIENT_KEY_EXCHANGE; |
| |
| return 0; |
| } |
| |
| |
| static int tls_process_client_key_exchange_rsa( |
| struct tlsv1_server *conn, const u8 *pos, const u8 *end) |
| { |
| u8 *out; |
| size_t outlen, outbuflen; |
| u16 encr_len; |
| int res; |
| int use_random = 0; |
| |
| if (end - pos < 2) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| encr_len = WPA_GET_BE16(pos); |
| pos += 2; |
| if (pos + encr_len > end) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange " |
| "format: encr_len=%u left=%u", |
| encr_len, (unsigned int) (end - pos)); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| outbuflen = outlen = end - pos; |
| out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? |
| outlen : TLS_PRE_MASTER_SECRET_LEN); |
| if (out == NULL) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| /* |
| * struct { |
| * ProtocolVersion client_version; |
| * opaque random[46]; |
| * } PreMasterSecret; |
| * |
| * struct { |
| * public-key-encrypted PreMasterSecret pre_master_secret; |
| * } EncryptedPreMasterSecret; |
| */ |
| |
| /* |
| * Note: To avoid Bleichenbacher attack, we do not report decryption or |
| * parsing errors from EncryptedPreMasterSecret processing to the |
| * client. Instead, a random pre-master secret is used to force the |
| * handshake to fail. |
| */ |
| |
| if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, |
| pos, encr_len, |
| out, &outlen) < 0) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " |
| "PreMasterSecret (encr_len=%u outlen=%lu)", |
| encr_len, (unsigned long) outlen); |
| use_random = 1; |
| } |
| |
| if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " |
| "length %lu", (unsigned long) outlen); |
| use_random = 1; |
| } |
| |
| if (!use_random && WPA_GET_BE16(out) != conn->client_version) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Client version in " |
| "ClientKeyExchange does not match with version in " |
| "ClientHello"); |
| use_random = 1; |
| } |
| |
| if (use_random) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " |
| "to avoid revealing information about private key"); |
| outlen = TLS_PRE_MASTER_SECRET_LEN; |
| if (os_get_random(out, outlen)) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " |
| "data"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| os_free(out); |
| return -1; |
| } |
| } |
| |
| res = tlsv1_server_derive_keys(conn, out, outlen); |
| |
| /* Clear the pre-master secret since it is not needed anymore */ |
| os_memset(out, 0, outbuflen); |
| os_free(out); |
| |
| if (res) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| return 0; |
| } |
| |
| |
| static int tls_process_client_key_exchange_dh_anon( |
| struct tlsv1_server *conn, const u8 *pos, const u8 *end) |
| { |
| const u8 *dh_yc; |
| u16 dh_yc_len; |
| u8 *shared; |
| size_t shared_len; |
| int res; |
| |
| /* |
| * struct { |
| * select (PublicValueEncoding) { |
| * case implicit: struct { }; |
| * case explicit: opaque dh_Yc<1..2^16-1>; |
| * } dh_public; |
| * } ClientDiffieHellmanPublic; |
| */ |
| |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", |
| pos, end - pos); |
| |
| if (end == pos) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " |
| "not supported"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| if (end - pos < 3) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " |
| "length"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| dh_yc_len = WPA_GET_BE16(pos); |
| dh_yc = pos + 2; |
| |
| if (dh_yc + dh_yc_len > end) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " |
| "(length %d)", dh_yc_len); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", |
| dh_yc, dh_yc_len); |
| |
| if (conn->cred == NULL || conn->cred->dh_p == NULL || |
| conn->dh_secret == NULL) { |
| wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| shared_len = conn->cred->dh_p_len; |
| shared = os_malloc(shared_len); |
| if (shared == NULL) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " |
| "DH"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| /* shared = Yc^secret mod p */ |
| if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, |
| conn->dh_secret_len, |
| conn->cred->dh_p, conn->cred->dh_p_len, |
| shared, &shared_len)) { |
| os_free(shared); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", |
| shared, shared_len); |
| |
| os_memset(conn->dh_secret, 0, conn->dh_secret_len); |
| os_free(conn->dh_secret); |
| conn->dh_secret = NULL; |
| |
| res = tlsv1_server_derive_keys(conn, shared, shared_len); |
| |
| /* Clear the pre-master secret since it is not needed anymore */ |
| os_memset(shared, 0, shared_len); |
| os_free(shared); |
| |
| if (res) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| return 0; |
| } |
| |
| |
| static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, |
| const u8 *in_data, size_t *in_len) |
| { |
| const u8 *pos, *end; |
| size_t left, len; |
| u8 type; |
| tls_key_exchange keyx; |
| const struct tls_cipher_suite *suite; |
| |
| if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " |
| "received content type 0x%x", ct); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| pos = in_data; |
| left = *in_len; |
| |
| if (left < 4) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " |
| "(Left=%lu)", (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| type = *pos++; |
| len = WPA_GET_BE24(pos); |
| pos += 3; |
| left -= 4; |
| |
| if (len > left) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " |
| "length (len=%lu != left=%lu)", |
| (unsigned long) len, (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| end = pos + len; |
| |
| if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " |
| "message %d (expected ClientKeyExchange)", type); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); |
| |
| wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); |
| |
| suite = tls_get_cipher_suite(conn->rl.cipher_suite); |
| if (suite == NULL) |
| keyx = TLS_KEY_X_NULL; |
| else |
| keyx = suite->key_exchange; |
| |
| if (keyx == TLS_KEY_X_DH_anon && |
| tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) |
| return -1; |
| |
| if (keyx != TLS_KEY_X_DH_anon && |
| tls_process_client_key_exchange_rsa(conn, pos, end) < 0) |
| return -1; |
| |
| *in_len = end - in_data; |
| |
| conn->state = CERTIFICATE_VERIFY; |
| |
| return 0; |
| } |
| |
| |
| static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, |
| const u8 *in_data, size_t *in_len) |
| { |
| const u8 *pos, *end; |
| size_t left, len; |
| u8 type; |
| size_t hlen, buflen; |
| u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; |
| enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; |
| u16 slen; |
| |
| if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { |
| if (conn->verify_peer) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " |
| "CertificateVerify"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| return tls_process_change_cipher_spec(conn, ct, in_data, |
| in_len); |
| } |
| |
| if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " |
| "received content type 0x%x", ct); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| pos = in_data; |
| left = *in_len; |
| |
| if (left < 4) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " |
| "message (len=%lu)", (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| type = *pos++; |
| len = WPA_GET_BE24(pos); |
| pos += 3; |
| left -= 4; |
| |
| if (len > left) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " |
| "message length (len=%lu != left=%lu)", |
| (unsigned long) len, (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| end = pos + len; |
| |
| if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " |
| "message %d (expected CertificateVerify)", type); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); |
| |
| /* |
| * struct { |
| * Signature signature; |
| * } CertificateVerify; |
| */ |
| |
| hpos = hash; |
| |
| #ifdef CONFIG_TLSV12 |
| if (conn->rl.tls_version == TLS_VERSION_1_2) { |
| /* |
| * RFC 5246, 4.7: |
| * TLS v1.2 adds explicit indication of the used signature and |
| * hash algorithms. |
| * |
| * struct { |
| * HashAlgorithm hash; |
| * SignatureAlgorithm signature; |
| * } SignatureAndHashAlgorithm; |
| */ |
| if (end - pos < 2) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| if (pos[0] != TLS_HASH_ALG_SHA256 || |
| pos[1] != TLS_SIGN_ALG_RSA) { |
| wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" |
| "signature(%u) algorithm", |
| pos[0], pos[1]); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| pos += 2; |
| |
| hlen = SHA256_MAC_LEN; |
| if (conn->verify.sha256_cert == NULL || |
| crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < |
| 0) { |
| conn->verify.sha256_cert = NULL; |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| conn->verify.sha256_cert = NULL; |
| } else { |
| #endif /* CONFIG_TLSV12 */ |
| |
| if (alg == SIGN_ALG_RSA) { |
| hlen = MD5_MAC_LEN; |
| if (conn->verify.md5_cert == NULL || |
| crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) |
| { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| conn->verify.md5_cert = NULL; |
| crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); |
| conn->verify.sha1_cert = NULL; |
| return -1; |
| } |
| hpos += MD5_MAC_LEN; |
| } else |
| crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); |
| |
| conn->verify.md5_cert = NULL; |
| hlen = SHA1_MAC_LEN; |
| if (conn->verify.sha1_cert == NULL || |
| crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { |
| conn->verify.sha1_cert = NULL; |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| conn->verify.sha1_cert = NULL; |
| |
| if (alg == SIGN_ALG_RSA) |
| hlen += MD5_MAC_LEN; |
| |
| #ifdef CONFIG_TLSV12 |
| } |
| #endif /* CONFIG_TLSV12 */ |
| |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); |
| |
| if (end - pos < 2) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| slen = WPA_GET_BE16(pos); |
| pos += 2; |
| if (end - pos < slen) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); |
| if (conn->client_rsa_key == NULL) { |
| wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " |
| "signature"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| buflen = end - pos; |
| buf = os_malloc(end - pos); |
| if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, |
| pos, end - pos, buf, &buflen) < 0) |
| { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); |
| os_free(buf); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECRYPT_ERROR); |
| return -1; |
| } |
| |
| wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", |
| buf, buflen); |
| |
| #ifdef CONFIG_TLSV12 |
| if (conn->rl.tls_version >= TLS_VERSION_1_2) { |
| /* |
| * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 |
| * |
| * DigestInfo ::= SEQUENCE { |
| * digestAlgorithm DigestAlgorithm, |
| * digest OCTET STRING |
| * } |
| * |
| * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} |
| * |
| * DER encoded DigestInfo for SHA256 per RFC 3447: |
| * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || |
| * H |
| */ |
| if (buflen >= 19 + 32 && |
| os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01" |
| "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0) |
| { |
| wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = " |
| "SHA-256"); |
| os_memmove(buf, buf + 19, buflen - 19); |
| buflen -= 19; |
| } else { |
| wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized " |
| "DigestInfo"); |
| os_free(buf); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECRYPT_ERROR); |
| return -1; |
| } |
| } |
| #endif /* CONFIG_TLSV12 */ |
| |
| if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " |
| "CertificateVerify - did not match with calculated " |
| "hash"); |
| os_free(buf); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECRYPT_ERROR); |
| return -1; |
| } |
| |
| os_free(buf); |
| |
| *in_len = end - in_data; |
| |
| conn->state = CHANGE_CIPHER_SPEC; |
| |
| return 0; |
| } |
| |
| |
| static int tls_process_change_cipher_spec(struct tlsv1_server *conn, |
| u8 ct, const u8 *in_data, |
| size_t *in_len) |
| { |
| const u8 *pos; |
| size_t left; |
| |
| if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " |
| "received content type 0x%x", ct); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| pos = in_data; |
| left = *in_len; |
| |
| if (left < 1) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| if (*pos != TLS_CHANGE_CIPHER_SPEC) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " |
| "received data 0x%x", *pos); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); |
| if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " |
| "for record layer"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| |
| *in_len = pos + 1 - in_data; |
| |
| conn->state = CLIENT_FINISHED; |
| |
| return 0; |
| } |
| |
| |
| static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, |
| const u8 *in_data, size_t *in_len) |
| { |
| const u8 *pos, *end; |
| size_t left, len, hlen; |
| u8 verify_data[TLS_VERIFY_DATA_LEN]; |
| u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; |
| |
| if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " |
| "received content type 0x%x", ct); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| pos = in_data; |
| left = *in_len; |
| |
| if (left < 4) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " |
| "Finished", |
| (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| |
| if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " |
| "type 0x%x", pos[0]); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_UNEXPECTED_MESSAGE); |
| return -1; |
| } |
| |
| len = WPA_GET_BE24(pos + 1); |
| |
| pos += 4; |
| left -= 4; |
| |
| if (len > left) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " |
| "(len=%lu > left=%lu)", |
| (unsigned long) len, (unsigned long) left); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| end = pos + len; |
| if (len != TLS_VERIFY_DATA_LEN) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " |
| "in Finished: %lu (expected %d)", |
| (unsigned long) len, TLS_VERIFY_DATA_LEN); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", |
| pos, TLS_VERIFY_DATA_LEN); |
| |
| #ifdef CONFIG_TLSV12 |
| if (conn->rl.tls_version >= TLS_VERSION_1_2) { |
| hlen = SHA256_MAC_LEN; |
| if (conn->verify.sha256_client == NULL || |
| crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) |
| < 0) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| conn->verify.sha256_client = NULL; |
| return -1; |
| } |
| conn->verify.sha256_client = NULL; |
| } else { |
| #endif /* CONFIG_TLSV12 */ |
| |
| hlen = MD5_MAC_LEN; |
| if (conn->verify.md5_client == NULL || |
| crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| conn->verify.md5_client = NULL; |
| crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); |
| conn->verify.sha1_client = NULL; |
| return -1; |
| } |
| conn->verify.md5_client = NULL; |
| hlen = SHA1_MAC_LEN; |
| if (conn->verify.sha1_client == NULL || |
| crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, |
| &hlen) < 0) { |
| conn->verify.sha1_client = NULL; |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_INTERNAL_ERROR); |
| return -1; |
| } |
| conn->verify.sha1_client = NULL; |
| hlen = MD5_MAC_LEN + SHA1_MAC_LEN; |
| |
| #ifdef CONFIG_TLSV12 |
| } |
| #endif /* CONFIG_TLSV12 */ |
| |
| if (tls_prf(conn->rl.tls_version, |
| conn->master_secret, TLS_MASTER_SECRET_LEN, |
| "client finished", hash, hlen, |
| verify_data, TLS_VERIFY_DATA_LEN)) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECRYPT_ERROR); |
| return -1; |
| } |
| wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", |
| verify_data, TLS_VERIFY_DATA_LEN); |
| |
| if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { |
| wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); |
| return -1; |
| } |
| |
| wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); |
| |
| *in_len = end - in_data; |
| |
| if (conn->use_session_ticket) { |
| /* Abbreviated handshake using session ticket; RFC 4507 */ |
| wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " |
| "successfully"); |
| conn->state = ESTABLISHED; |
| } else { |
| /* Full handshake */ |
| conn->state = SERVER_CHANGE_CIPHER_SPEC; |
| } |
| |
| return 0; |
| } |
| |
| |
| int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, |
| const u8 *buf, size_t *len) |
| { |
| if (ct == TLS_CONTENT_TYPE_ALERT) { |
| if (*len < 2) { |
| wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); |
| tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| TLS_ALERT_DECODE_ERROR); |
| return -1; |
| } |
| wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", |
| buf[0], buf[1]); |
| *len = 2; |
| conn->state = FAILED; |
| return -1; |
| } |
| |
| switch (conn->state) { |
| case CLIENT_HELLO: |
| if (tls_process_client_hello(conn, ct, buf, len)) |
| return -1; |
| break; |
| case CLIENT_CERTIFICATE: |
| if (tls_process_certificate(conn, ct, buf, len)) |
| return -1; |
| break; |
| case CLIENT_KEY_EXCHANGE: |
| if (tls_process_client_key_exchange(conn, ct, buf, len)) |
| return -1; |
| break; |
| case CERTIFICATE_VERIFY: |
| if (tls_process_certificate_verify(conn, ct, buf, len)) |
| return -1; |
| break; |
| case CHANGE_CIPHER_SPEC: |
| if (tls_process_change_cipher_spec(conn, ct, buf, len)) |
| return -1; |
| break; |
| case CLIENT_FINISHED: |
| if (tls_process_client_finished(conn, ct, buf, len)) |
| return -1; |
| break; |
| default: |
| wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " |
| "while processing received message", |
| conn->state); |
| return -1; |
| } |
| |
| if (ct == TLS_CONTENT_TYPE_HANDSHAKE) |
| tls_verify_hash_add(&conn->verify, buf, *len); |
| |
| return 0; |
| } |