1 /*
2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "tls/tls.h"
16 #include "tls/x509v3.h"
17 #include "tls/tlsv1_common.h"
18 #include "tls/tlsv1_record.h"
19 #include "tls/tlsv1_server.h"
20 #include "tls/tlsv1_server_i.h"
21
22 #include "eap_peer/eap_i.h"
23
24 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
27 u8 ct, const u8 *in_data,
28 size_t *in_len);
29
30
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)31 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
32 const u8 *in_data, size_t *in_len)
33 {
34 const u8 *pos, *end, *c;
35 size_t left, len, i, j;
36 u16 cipher_suite;
37 u16 num_suites;
38 int compr_null_found;
39 u16 ext_type, ext_len;
40
41 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
42 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
43 "received content type 0x%x", ct);
44 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
45 TLS_ALERT_UNEXPECTED_MESSAGE);
46 return -1;
47 }
48
49 pos = in_data;
50 left = *in_len;
51
52 if (left < 4)
53 goto decode_error;
54
55 /* HandshakeType msg_type */
56 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
57 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
58 "message %d (expected ClientHello)", *pos);
59 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
60 TLS_ALERT_UNEXPECTED_MESSAGE);
61 return -1;
62 }
63 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
64 pos++;
65 /* uint24 length */
66 len = WPA_GET_BE24(pos);
67 pos += 3;
68 left -= 4;
69
70 if (len > left)
71 goto decode_error;
72
73 /* body - ClientHello */
74
75 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
76 end = pos + len;
77
78 /* ProtocolVersion client_version */
79 if (end - pos < 2)
80 goto decode_error;
81 conn->client_version = WPA_GET_BE16(pos);
82 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
83 conn->client_version >> 8, conn->client_version & 0xff);
84 if (conn->client_version < TLS_VERSION_1) {
85 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
86 "ClientHello %u.%u",
87 conn->client_version >> 8,
88 conn->client_version & 0xff);
89 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_PROTOCOL_VERSION);
91 return -1;
92 }
93 pos += 2;
94
95 if (TLS_VERSION == TLS_VERSION_1)
96 conn->rl.tls_version = TLS_VERSION_1;
97 #ifdef CONFIG_TLSV12
98 else if (conn->client_version >= TLS_VERSION_1_2)
99 conn->rl.tls_version = TLS_VERSION_1_2;
100 #endif /* CONFIG_TLSV12 */
101 else if (conn->client_version > TLS_VERSION_1_1)
102 conn->rl.tls_version = TLS_VERSION_1_1;
103 else
104 conn->rl.tls_version = conn->client_version;
105 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
106 tls_version_str(conn->rl.tls_version));
107
108 /* Random random */
109 if (end - pos < TLS_RANDOM_LEN)
110 goto decode_error;
111
112 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
113 pos += TLS_RANDOM_LEN;
114 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
115 conn->client_random, TLS_RANDOM_LEN);
116
117 /* SessionID session_id */
118 if (end - pos < 1)
119 goto decode_error;
120 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
121 goto decode_error;
122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
123 pos += 1 + *pos;
124 /* TODO: add support for session resumption */
125
126 /* CipherSuite cipher_suites<2..2^16-1> */
127 if (end - pos < 2)
128 goto decode_error;
129 num_suites = WPA_GET_BE16(pos);
130 pos += 2;
131 if (end - pos < num_suites)
132 goto decode_error;
133 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
134 pos, num_suites);
135 if (num_suites & 1)
136 goto decode_error;
137 num_suites /= 2;
138
139 cipher_suite = 0;
140 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
141 c = pos;
142 for (j = 0; j < num_suites; j++) {
143 u16 tmp = WPA_GET_BE16(c);
144 c += 2;
145 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
146 cipher_suite = tmp;
147 break;
148 }
149 }
150 }
151 pos += num_suites * 2;
152 if (!cipher_suite) {
153 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
154 "available");
155 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
156 TLS_ALERT_ILLEGAL_PARAMETER);
157 return -1;
158 }
159
160 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
161 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
162 "record layer");
163 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
164 TLS_ALERT_INTERNAL_ERROR);
165 return -1;
166 }
167
168 conn->cipher_suite = cipher_suite;
169
170 /* CompressionMethod compression_methods<1..2^8-1> */
171 if (end - pos < 1)
172 goto decode_error;
173 num_suites = *pos++;
174 if (end - pos < num_suites)
175 goto decode_error;
176 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
177 pos, num_suites);
178 compr_null_found = 0;
179 for (i = 0; i < num_suites; i++) {
180 if (*pos++ == TLS_COMPRESSION_NULL)
181 compr_null_found = 1;
182 }
183 if (!compr_null_found) {
184 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
185 "compression");
186 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
187 TLS_ALERT_ILLEGAL_PARAMETER);
188 return -1;
189 }
190
191 if (end - pos == 1) {
192 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
193 "end of ClientHello: 0x%02x", *pos);
194 goto decode_error;
195 }
196
197 if (end - pos >= 2) {
198 /* Extension client_hello_extension_list<0..2^16-1> */
199 ext_len = WPA_GET_BE16(pos);
200 pos += 2;
201
202 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
203 "extensions", ext_len);
204 if (end - pos != ext_len) {
205 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
206 "extension list length %u (expected %u)",
207 ext_len, (unsigned int) (end - pos));
208 goto decode_error;
209 }
210
211 /*
212 * struct {
213 * ExtensionType extension_type (0..65535)
214 * opaque extension_data<0..2^16-1>
215 * } Extension;
216 */
217
218 while (pos < end) {
219 if (end - pos < 2) {
220 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
221 "extension_type field");
222 goto decode_error;
223 }
224
225 ext_type = WPA_GET_BE16(pos);
226 pos += 2;
227
228 if (end - pos < 2) {
229 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
230 "extension_data length field");
231 goto decode_error;
232 }
233
234 ext_len = WPA_GET_BE16(pos);
235 pos += 2;
236
237 if (end - pos < ext_len) {
238 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
239 "extension_data field");
240 goto decode_error;
241 }
242
243 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
244 "type %u", ext_type);
245 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
246 "Extension data", pos, ext_len);
247
248 if (ext_type == TLS_EXT_SESSION_TICKET) {
249 os_free(conn->session_ticket);
250 conn->session_ticket = os_malloc(ext_len);
251 if (conn->session_ticket) {
252 os_memcpy(conn->session_ticket, pos,
253 ext_len);
254 conn->session_ticket_len = ext_len;
255 }
256 }
257
258 pos += ext_len;
259 }
260 }
261
262 *in_len = end - in_data;
263
264 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
265 "ServerHello");
266 conn->state = SERVER_HELLO;
267
268 return 0;
269
270 decode_error:
271 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
272 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
273 TLS_ALERT_DECODE_ERROR);
274 return -1;
275 }
276
277
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)278 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
279 const u8 *in_data, size_t *in_len)
280 {
281 const u8 *pos, *end;
282 size_t left, len, list_len, cert_len, idx;
283 u8 type;
284 struct x509_certificate *chain = NULL, *last = NULL, *cert;
285 int reason;
286
287 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
289 "received content type 0x%x", ct);
290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 TLS_ALERT_UNEXPECTED_MESSAGE);
292 return -1;
293 }
294
295 pos = in_data;
296 left = *in_len;
297
298 if (left < 4) {
299 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
300 "(len=%lu)", (unsigned long) left);
301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
302 TLS_ALERT_DECODE_ERROR);
303 return -1;
304 }
305
306 type = *pos++;
307 len = WPA_GET_BE24(pos);
308 pos += 3;
309 left -= 4;
310
311 if (len > left) {
312 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
313 "length (len=%lu != left=%lu)",
314 (unsigned long) len, (unsigned long) left);
315 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
316 TLS_ALERT_DECODE_ERROR);
317 return -1;
318 }
319
320 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
321 if (conn->verify_peer) {
322 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
323 "Certificate");
324 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
325 TLS_ALERT_UNEXPECTED_MESSAGE);
326 return -1;
327 }
328
329 return tls_process_client_key_exchange(conn, ct, in_data,
330 in_len);
331 }
332 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
333 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
334 "message %d (expected Certificate/"
335 "ClientKeyExchange)", type);
336 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
337 TLS_ALERT_UNEXPECTED_MESSAGE);
338 return -1;
339 }
340
341 wpa_printf(MSG_DEBUG, "TLSv1: Received Certificate (certificate_list len %lu)",
342 (unsigned long) len);
343
344 /*
345 * opaque ASN.1Cert<2^24-1>;
346 *
347 * struct {
348 * ASN.1Cert certificate_list<1..2^24-1>;
349 * } Certificate;
350 */
351
352 end = pos + len;
353
354 if (end - pos < 3) {
355 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
356 "(left=%lu)", (unsigned long) left);
357 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
358 TLS_ALERT_DECODE_ERROR);
359 return -1;
360 }
361
362 list_len = WPA_GET_BE24(pos);
363 pos += 3;
364
365 if ((size_t) (end - pos) != list_len) {
366 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
367 "length (len=%lu left=%lu)",
368 (unsigned long) list_len,
369 (unsigned long) (end - pos));
370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 TLS_ALERT_DECODE_ERROR);
372 return -1;
373 }
374
375 idx = 0;
376 while (pos < end) {
377 if (end - pos < 3) {
378 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
379 "certificate_list");
380 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
381 TLS_ALERT_DECODE_ERROR);
382 x509_certificate_chain_free(chain);
383 return -1;
384 }
385
386 cert_len = WPA_GET_BE24(pos);
387 pos += 3;
388
389 if ((size_t) (end - pos) < cert_len) {
390 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
391 "length (len=%lu left=%lu)",
392 (unsigned long) cert_len,
393 (unsigned long) (end - pos));
394 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
395 TLS_ALERT_DECODE_ERROR);
396 x509_certificate_chain_free(chain);
397 return -1;
398 }
399
400 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
401 (unsigned long) idx, (unsigned long) cert_len);
402
403 if (idx == 0) {
404 crypto_public_key_free(conn->client_rsa_key);
405 if (tls_parse_cert(pos, cert_len,
406 &conn->client_rsa_key)) {
407 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
408 "the certificate");
409 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
410 TLS_ALERT_BAD_CERTIFICATE);
411 x509_certificate_chain_free(chain);
412 return -1;
413 }
414 }
415
416 cert = x509_certificate_parse(pos, cert_len);
417 if (cert == NULL) {
418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
419 "the certificate");
420 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
421 TLS_ALERT_BAD_CERTIFICATE);
422 x509_certificate_chain_free(chain);
423 return -1;
424 }
425
426 if (last == NULL)
427 chain = cert;
428 else
429 last->next = cert;
430 last = cert;
431
432 idx++;
433 pos += cert_len;
434 }
435
436 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
437 &reason, 0) < 0) {
438 int tls_reason;
439 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
440 "validation failed (reason=%d)", reason);
441 switch (reason) {
442 case X509_VALIDATE_BAD_CERTIFICATE:
443 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
444 break;
445 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
446 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
447 break;
448 case X509_VALIDATE_CERTIFICATE_REVOKED:
449 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
450 break;
451 case X509_VALIDATE_CERTIFICATE_EXPIRED:
452 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
453 break;
454 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
455 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
456 break;
457 case X509_VALIDATE_UNKNOWN_CA:
458 tls_reason = TLS_ALERT_UNKNOWN_CA;
459 break;
460 default:
461 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
462 break;
463 }
464 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
465 x509_certificate_chain_free(chain);
466 return -1;
467 }
468
469 x509_certificate_chain_free(chain);
470
471 *in_len = end - in_data;
472
473 conn->state = CLIENT_KEY_EXCHANGE;
474
475 return 0;
476 }
477
478
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)479 static int tls_process_client_key_exchange_rsa(
480 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
481 {
482 u8 *out;
483 size_t outlen, outbuflen;
484 u16 encr_len;
485 int res;
486 int use_random = 0;
487
488 if (end - pos < 2) {
489 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
490 TLS_ALERT_DECODE_ERROR);
491 return -1;
492 }
493
494 encr_len = WPA_GET_BE16(pos);
495 pos += 2;
496 if (pos + encr_len > end) {
497 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
498 "format: encr_len=%u left=%u",
499 encr_len, (unsigned int) (end - pos));
500 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
501 TLS_ALERT_DECODE_ERROR);
502 return -1;
503 }
504
505 outbuflen = outlen = end - pos;
506 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
507 outlen : TLS_PRE_MASTER_SECRET_LEN);
508 if (out == NULL) {
509 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
510 TLS_ALERT_INTERNAL_ERROR);
511 return -1;
512 }
513
514 /*
515 * struct {
516 * ProtocolVersion client_version;
517 * opaque random[46];
518 * } PreMasterSecret;
519 *
520 * struct {
521 * public-key-encrypted PreMasterSecret pre_master_secret;
522 * } EncryptedPreMasterSecret;
523 */
524
525 /*
526 * Note: To avoid Bleichenbacher attack, we do not report decryption or
527 * parsing errors from EncryptedPreMasterSecret processing to the
528 * client. Instead, a random pre-master secret is used to force the
529 * handshake to fail.
530 */
531
532 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
533 pos, encr_len,
534 out, &outlen) < 0) {
535 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
536 "PreMasterSecret (encr_len=%u outlen=%lu)",
537 encr_len, (unsigned long) outlen);
538 use_random = 1;
539 }
540
541 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
542 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
543 "length %lu", (unsigned long) outlen);
544 use_random = 1;
545 }
546
547 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
548 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
549 "ClientKeyExchange does not match with version in "
550 "ClientHello");
551 use_random = 1;
552 }
553
554 if (use_random) {
555 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
556 "to avoid revealing information about private key");
557 outlen = TLS_PRE_MASTER_SECRET_LEN;
558 if (os_get_random(out, outlen)) {
559 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
560 "data");
561 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
562 TLS_ALERT_INTERNAL_ERROR);
563 os_free(out);
564 return -1;
565 }
566 }
567
568 res = tlsv1_server_derive_keys(conn, out, outlen);
569
570 /* Clear the pre-master secret since it is not needed anymore */
571 os_memset(out, 0, outbuflen);
572 os_free(out);
573
574 if (res) {
575 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
576 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
577 TLS_ALERT_INTERNAL_ERROR);
578 return -1;
579 }
580
581 return 0;
582 }
583
584
tls_process_client_key_exchange_dh_anon(struct tlsv1_server * conn,const u8 * pos,const u8 * end)585 static int tls_process_client_key_exchange_dh_anon(
586 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
587 {
588 const u8 *dh_yc;
589 u16 dh_yc_len;
590 u8 *shared;
591 size_t shared_len;
592 int res;
593
594 /*
595 * struct {
596 * select (PublicValueEncoding) {
597 * case implicit: struct { };
598 * case explicit: opaque dh_Yc<1..2^16-1>;
599 * } dh_public;
600 * } ClientDiffieHellmanPublic;
601 */
602
603 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
604 pos, end - pos);
605
606 if (end == pos) {
607 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
608 "not supported");
609 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
610 TLS_ALERT_INTERNAL_ERROR);
611 return -1;
612 }
613
614 if (end - pos < 3) {
615 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
616 "length");
617 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
618 TLS_ALERT_DECODE_ERROR);
619 return -1;
620 }
621
622 dh_yc_len = WPA_GET_BE16(pos);
623 dh_yc = pos + 2;
624
625 if (dh_yc + dh_yc_len > end) {
626 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
627 "(length %d)", dh_yc_len);
628 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
629 TLS_ALERT_DECODE_ERROR);
630 return -1;
631 }
632
633 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
634 dh_yc, dh_yc_len);
635
636 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
637 conn->dh_secret == NULL) {
638 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
639 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
640 TLS_ALERT_INTERNAL_ERROR);
641 return -1;
642 }
643
644 shared_len = conn->cred->dh_p_len;
645 shared = os_malloc(shared_len);
646 if (shared == NULL) {
647 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
648 "DH");
649 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
650 TLS_ALERT_INTERNAL_ERROR);
651 return -1;
652 }
653
654 /* shared = Yc^secret mod p */
655 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
656 conn->dh_secret_len,
657 conn->cred->dh_p, conn->cred->dh_p_len,
658 shared, &shared_len)) {
659 os_free(shared);
660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
661 TLS_ALERT_INTERNAL_ERROR);
662 return -1;
663 }
664
665 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
666 shared, shared_len);
667
668 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
669 os_free(conn->dh_secret);
670 conn->dh_secret = NULL;
671
672 res = tlsv1_server_derive_keys(conn, shared, shared_len);
673
674 /* Clear the pre-master secret since it is not needed anymore */
675 os_memset(shared, 0, shared_len);
676 os_free(shared);
677
678 if (res) {
679 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
680 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
681 TLS_ALERT_INTERNAL_ERROR);
682 return -1;
683 }
684
685 return 0;
686 }
687
688
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)689 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
690 const u8 *in_data, size_t *in_len)
691 {
692 const u8 *pos, *end;
693 size_t left, len;
694 u8 type;
695 tls_key_exchange keyx;
696 const struct tls_cipher_suite *suite;
697
698 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
699 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
700 "received content type 0x%x", ct);
701 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
702 TLS_ALERT_UNEXPECTED_MESSAGE);
703 return -1;
704 }
705
706 pos = in_data;
707 left = *in_len;
708
709 if (left < 4) {
710 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
711 "(Left=%lu)", (unsigned long) left);
712 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
713 TLS_ALERT_DECODE_ERROR);
714 return -1;
715 }
716
717 type = *pos++;
718 len = WPA_GET_BE24(pos);
719 pos += 3;
720 left -= 4;
721
722 if (len > left) {
723 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
724 "length (len=%lu != left=%lu)",
725 (unsigned long) len, (unsigned long) left);
726 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
727 TLS_ALERT_DECODE_ERROR);
728 return -1;
729 }
730
731 end = pos + len;
732
733 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
734 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
735 "message %d (expected ClientKeyExchange)", type);
736 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
737 TLS_ALERT_UNEXPECTED_MESSAGE);
738 return -1;
739 }
740
741 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
742
743 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
744
745 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
746 if (suite == NULL)
747 keyx = TLS_KEY_X_NULL;
748 else
749 keyx = suite->key_exchange;
750
751 if (keyx == TLS_KEY_X_DH_anon &&
752 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
753 return -1;
754
755 if (keyx != TLS_KEY_X_DH_anon &&
756 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
757 return -1;
758
759 *in_len = end - in_data;
760
761 conn->state = CERTIFICATE_VERIFY;
762
763 return 0;
764 }
765
766
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)767 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
768 const u8 *in_data, size_t *in_len)
769 {
770 const u8 *pos, *end;
771 size_t left, len;
772 u8 type;
773 size_t hlen, buflen;
774 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
775 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
776 u16 slen;
777
778 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
779 if (conn->verify_peer) {
780 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
781 "CertificateVerify");
782 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
783 TLS_ALERT_UNEXPECTED_MESSAGE);
784 return -1;
785 }
786
787 return tls_process_change_cipher_spec(conn, ct, in_data,
788 in_len);
789 }
790
791 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
792 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
793 "received content type 0x%x", ct);
794 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
795 TLS_ALERT_UNEXPECTED_MESSAGE);
796 return -1;
797 }
798
799 pos = in_data;
800 left = *in_len;
801
802 if (left < 4) {
803 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
804 "message (len=%lu)", (unsigned long) left);
805 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
806 TLS_ALERT_DECODE_ERROR);
807 return -1;
808 }
809
810 type = *pos++;
811 len = WPA_GET_BE24(pos);
812 pos += 3;
813 left -= 4;
814
815 if (len > left) {
816 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
817 "message length (len=%lu != left=%lu)",
818 (unsigned long) len, (unsigned long) left);
819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820 TLS_ALERT_DECODE_ERROR);
821 return -1;
822 }
823
824 end = pos + len;
825
826 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
827 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
828 "message %d (expected CertificateVerify)", type);
829 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
830 TLS_ALERT_UNEXPECTED_MESSAGE);
831 return -1;
832 }
833
834 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
835
836 /*
837 * struct {
838 * Signature signature;
839 * } CertificateVerify;
840 */
841
842 hpos = hash;
843
844 #ifdef CONFIG_TLSV12
845 if (conn->rl.tls_version == TLS_VERSION_1_2) {
846 /*
847 * RFC 5246, 4.7:
848 * TLS v1.2 adds explicit indication of the used signature and
849 * hash algorithms.
850 *
851 * struct {
852 * HashAlgorithm hash;
853 * SignatureAlgorithm signature;
854 * } SignatureAndHashAlgorithm;
855 */
856 if (end - pos < 2) {
857 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
858 TLS_ALERT_DECODE_ERROR);
859 return -1;
860 }
861 if (pos[0] != TLS_HASH_ALG_SHA256 ||
862 pos[1] != TLS_SIGN_ALG_RSA) {
863 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
864 "signature(%u) algorithm",
865 pos[0], pos[1]);
866 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
867 TLS_ALERT_INTERNAL_ERROR);
868 return -1;
869 }
870 pos += 2;
871
872 hlen = SHA256_MAC_LEN;
873 if (conn->verify.sha256_cert == NULL ||
874 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
875 0) {
876 conn->verify.sha256_cert = NULL;
877 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
878 TLS_ALERT_INTERNAL_ERROR);
879 return -1;
880 }
881 conn->verify.sha256_cert = NULL;
882 } else {
883 #endif /* CONFIG_TLSV12 */
884
885 if (alg == SIGN_ALG_RSA) {
886 hlen = MD5_MAC_LEN;
887 if (conn->verify.md5_cert == NULL ||
888 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
889 {
890 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
891 TLS_ALERT_INTERNAL_ERROR);
892 conn->verify.md5_cert = NULL;
893 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
894 conn->verify.sha1_cert = NULL;
895 return -1;
896 }
897 hpos += MD5_MAC_LEN;
898 } else
899 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
900
901 conn->verify.md5_cert = NULL;
902 hlen = SHA1_MAC_LEN;
903 if (conn->verify.sha1_cert == NULL ||
904 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
905 conn->verify.sha1_cert = NULL;
906 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
907 TLS_ALERT_INTERNAL_ERROR);
908 return -1;
909 }
910 conn->verify.sha1_cert = NULL;
911
912 if (alg == SIGN_ALG_RSA)
913 hlen += MD5_MAC_LEN;
914
915 #ifdef CONFIG_TLSV12
916 }
917 #endif /* CONFIG_TLSV12 */
918
919 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
920
921 if (end - pos < 2) {
922 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
923 TLS_ALERT_DECODE_ERROR);
924 return -1;
925 }
926 slen = WPA_GET_BE16(pos);
927 pos += 2;
928 if (end - pos < slen) {
929 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
930 TLS_ALERT_DECODE_ERROR);
931 return -1;
932 }
933
934 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
935 if (conn->client_rsa_key == NULL) {
936 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
937 "signature");
938 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
939 TLS_ALERT_INTERNAL_ERROR);
940 return -1;
941 }
942
943 buflen = end - pos;
944 buf = os_malloc(end - pos);
945 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
946 pos, end - pos, buf, &buflen) < 0)
947 {
948 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
949 os_free(buf);
950 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
951 TLS_ALERT_DECRYPT_ERROR);
952 return -1;
953 }
954
955 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
956 buf, buflen);
957
958 #ifdef CONFIG_TLSV12
959 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
960 /*
961 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
962 *
963 * DigestInfo ::= SEQUENCE {
964 * digestAlgorithm DigestAlgorithm,
965 * digest OCTET STRING
966 * }
967 *
968 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
969 *
970 * DER encoded DigestInfo for SHA256 per RFC 3447:
971 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
972 * H
973 */
974 if (buflen >= 19 + 32 &&
975 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
976 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
977 {
978 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = "
979 "SHA-256");
980 os_memmove(buf, buf + 19, buflen - 19);
981 buflen -= 19;
982 } else {
983 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized "
984 "DigestInfo");
985 os_free(buf);
986 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
987 TLS_ALERT_DECRYPT_ERROR);
988 return -1;
989 }
990 }
991 #endif /* CONFIG_TLSV12 */
992
993 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
994 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
995 "CertificateVerify - did not match with calculated "
996 "hash");
997 os_free(buf);
998 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
999 TLS_ALERT_DECRYPT_ERROR);
1000 return -1;
1001 }
1002
1003 os_free(buf);
1004
1005 *in_len = end - in_data;
1006
1007 conn->state = CHANGE_CIPHER_SPEC;
1008
1009 return 0;
1010 }
1011
1012
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1013 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1014 u8 ct, const u8 *in_data,
1015 size_t *in_len)
1016 {
1017 const u8 *pos;
1018 size_t left;
1019
1020 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1021 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1022 "received content type 0x%x", ct);
1023 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1024 TLS_ALERT_UNEXPECTED_MESSAGE);
1025 return -1;
1026 }
1027
1028 pos = in_data;
1029 left = *in_len;
1030
1031 if (left < 1) {
1032 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1033 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1034 TLS_ALERT_DECODE_ERROR);
1035 return -1;
1036 }
1037
1038 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1039 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1040 "received data 0x%x", *pos);
1041 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1042 TLS_ALERT_UNEXPECTED_MESSAGE);
1043 return -1;
1044 }
1045
1046 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1047 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1048 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1049 "for record layer");
1050 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1051 TLS_ALERT_INTERNAL_ERROR);
1052 return -1;
1053 }
1054
1055 *in_len = pos + 1 - in_data;
1056
1057 conn->state = CLIENT_FINISHED;
1058
1059 return 0;
1060 }
1061
1062
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1063 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1064 const u8 *in_data, size_t *in_len)
1065 {
1066 const u8 *pos, *end;
1067 size_t left, len, hlen;
1068 u8 verify_data[TLS_VERIFY_DATA_LEN];
1069 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1070
1071 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1072 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1073 "received content type 0x%x", ct);
1074 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1075 TLS_ALERT_UNEXPECTED_MESSAGE);
1076 return -1;
1077 }
1078
1079 pos = in_data;
1080 left = *in_len;
1081
1082 if (left < 4) {
1083 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1084 "Finished",
1085 (unsigned long) left);
1086 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1087 TLS_ALERT_DECODE_ERROR);
1088 return -1;
1089 }
1090
1091 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1092 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1093 "type 0x%x", pos[0]);
1094 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1095 TLS_ALERT_UNEXPECTED_MESSAGE);
1096 return -1;
1097 }
1098
1099 len = WPA_GET_BE24(pos + 1);
1100
1101 pos += 4;
1102 left -= 4;
1103
1104 if (len > left) {
1105 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1106 "(len=%lu > left=%lu)",
1107 (unsigned long) len, (unsigned long) left);
1108 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1109 TLS_ALERT_DECODE_ERROR);
1110 return -1;
1111 }
1112 end = pos + len;
1113 if (len != TLS_VERIFY_DATA_LEN) {
1114 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1115 "in Finished: %lu (expected %d)",
1116 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1117 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1118 TLS_ALERT_DECODE_ERROR);
1119 return -1;
1120 }
1121 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1122 pos, TLS_VERIFY_DATA_LEN);
1123
1124 #ifdef CONFIG_TLSV12
1125 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1126 hlen = SHA256_MAC_LEN;
1127 if (conn->verify.sha256_client == NULL ||
1128 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1129 < 0) {
1130 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1131 TLS_ALERT_INTERNAL_ERROR);
1132 conn->verify.sha256_client = NULL;
1133 return -1;
1134 }
1135 conn->verify.sha256_client = NULL;
1136 } else {
1137 #endif /* CONFIG_TLSV12 */
1138
1139 hlen = MD5_MAC_LEN;
1140 if (conn->verify.md5_client == NULL ||
1141 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1142 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1143 TLS_ALERT_INTERNAL_ERROR);
1144 conn->verify.md5_client = NULL;
1145 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1146 conn->verify.sha1_client = NULL;
1147 return -1;
1148 }
1149 conn->verify.md5_client = NULL;
1150 hlen = SHA1_MAC_LEN;
1151 if (conn->verify.sha1_client == NULL ||
1152 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1153 &hlen) < 0) {
1154 conn->verify.sha1_client = NULL;
1155 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1156 TLS_ALERT_INTERNAL_ERROR);
1157 return -1;
1158 }
1159 conn->verify.sha1_client = NULL;
1160 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1161
1162 #ifdef CONFIG_TLSV12
1163 }
1164 #endif /* CONFIG_TLSV12 */
1165
1166 if (tls_prf(conn->rl.tls_version,
1167 conn->master_secret, TLS_MASTER_SECRET_LEN,
1168 "client finished", hash, hlen,
1169 verify_data, TLS_VERIFY_DATA_LEN)) {
1170 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1171 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1172 TLS_ALERT_DECRYPT_ERROR);
1173 return -1;
1174 }
1175 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1176 verify_data, TLS_VERIFY_DATA_LEN);
1177
1178 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1179 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1180 return -1;
1181 }
1182
1183 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1184
1185 *in_len = end - in_data;
1186
1187 if (conn->use_session_ticket) {
1188 /* Abbreviated handshake using session ticket; RFC 4507 */
1189 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1190 "successfully");
1191 conn->state = ESTABLISHED;
1192 } else {
1193 /* Full handshake */
1194 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1195 }
1196
1197 return 0;
1198 }
1199
1200
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1201 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1202 const u8 *buf, size_t *len)
1203 {
1204 if (ct == TLS_CONTENT_TYPE_ALERT) {
1205 if (*len < 2) {
1206 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1207 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1208 TLS_ALERT_DECODE_ERROR);
1209 return -1;
1210 }
1211 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1212 buf[0], buf[1]);
1213 *len = 2;
1214 conn->state = FAILED;
1215 return -1;
1216 }
1217
1218 switch (conn->state) {
1219 case CLIENT_HELLO:
1220 if (tls_process_client_hello(conn, ct, buf, len))
1221 return -1;
1222 break;
1223 case CLIENT_CERTIFICATE:
1224 if (tls_process_certificate(conn, ct, buf, len))
1225 return -1;
1226 break;
1227 case CLIENT_KEY_EXCHANGE:
1228 if (tls_process_client_key_exchange(conn, ct, buf, len))
1229 return -1;
1230 break;
1231 case CERTIFICATE_VERIFY:
1232 if (tls_process_certificate_verify(conn, ct, buf, len))
1233 return -1;
1234 break;
1235 case CHANGE_CIPHER_SPEC:
1236 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1237 return -1;
1238 break;
1239 case CLIENT_FINISHED:
1240 if (tls_process_client_finished(conn, ct, buf, len))
1241 return -1;
1242 break;
1243 default:
1244 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1245 "while processing received message",
1246 conn->state);
1247 return -1;
1248 }
1249
1250 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1251 tls_verify_hash_add(&conn->verify, buf, *len);
1252
1253 return 0;
1254 }
1255
