139beb93cSSam Leffler /* 239beb93cSSam Leffler * TLSv1 server - read handshake message 339beb93cSSam Leffler * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 439beb93cSSam Leffler * 539beb93cSSam Leffler * This program is free software; you can redistribute it and/or modify 639beb93cSSam Leffler * it under the terms of the GNU General Public License version 2 as 739beb93cSSam Leffler * published by the Free Software Foundation. 839beb93cSSam Leffler * 939beb93cSSam Leffler * Alternatively, this software may be distributed under the terms of BSD 1039beb93cSSam Leffler * license. 1139beb93cSSam Leffler * 1239beb93cSSam Leffler * See README and COPYING for more details. 1339beb93cSSam Leffler */ 1439beb93cSSam Leffler 1539beb93cSSam Leffler #include "includes.h" 1639beb93cSSam Leffler 1739beb93cSSam Leffler #include "common.h" 1839beb93cSSam Leffler #include "md5.h" 1939beb93cSSam Leffler #include "sha1.h" 2039beb93cSSam Leffler #include "x509v3.h" 2139beb93cSSam Leffler #include "tls.h" 2239beb93cSSam Leffler #include "tlsv1_common.h" 2339beb93cSSam Leffler #include "tlsv1_record.h" 2439beb93cSSam Leffler #include "tlsv1_server.h" 2539beb93cSSam Leffler #include "tlsv1_server_i.h" 2639beb93cSSam Leffler 2739beb93cSSam Leffler 2839beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 2939beb93cSSam Leffler const u8 *in_data, size_t *in_len); 3039beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 3139beb93cSSam Leffler u8 ct, const u8 *in_data, 3239beb93cSSam Leffler size_t *in_len); 3339beb93cSSam Leffler 3439beb93cSSam Leffler 3539beb93cSSam Leffler static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 3639beb93cSSam Leffler const u8 *in_data, size_t *in_len) 3739beb93cSSam Leffler { 3839beb93cSSam Leffler const u8 *pos, *end, *c; 3939beb93cSSam Leffler size_t left, len, i, j; 4039beb93cSSam Leffler u16 cipher_suite; 4139beb93cSSam Leffler u16 num_suites; 4239beb93cSSam Leffler int compr_null_found; 4339beb93cSSam Leffler 4439beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 4539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 4639beb93cSSam Leffler "received content type 0x%x", ct); 4739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 4839beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 4939beb93cSSam Leffler return -1; 5039beb93cSSam Leffler } 5139beb93cSSam Leffler 5239beb93cSSam Leffler pos = in_data; 5339beb93cSSam Leffler left = *in_len; 5439beb93cSSam Leffler 5539beb93cSSam Leffler if (left < 4) 5639beb93cSSam Leffler goto decode_error; 5739beb93cSSam Leffler 5839beb93cSSam Leffler /* HandshakeType msg_type */ 5939beb93cSSam Leffler if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 6039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 6139beb93cSSam Leffler "message %d (expected ClientHello)", *pos); 6239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 6339beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 6439beb93cSSam Leffler return -1; 6539beb93cSSam Leffler } 6639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 6739beb93cSSam Leffler pos++; 6839beb93cSSam Leffler /* uint24 length */ 6939beb93cSSam Leffler len = WPA_GET_BE24(pos); 7039beb93cSSam Leffler pos += 3; 7139beb93cSSam Leffler left -= 4; 7239beb93cSSam Leffler 7339beb93cSSam Leffler if (len > left) 7439beb93cSSam Leffler goto decode_error; 7539beb93cSSam Leffler 7639beb93cSSam Leffler /* body - ClientHello */ 7739beb93cSSam Leffler 7839beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 7939beb93cSSam Leffler end = pos + len; 8039beb93cSSam Leffler 8139beb93cSSam Leffler /* ProtocolVersion client_version */ 8239beb93cSSam Leffler if (end - pos < 2) 8339beb93cSSam Leffler goto decode_error; 8439beb93cSSam Leffler conn->client_version = WPA_GET_BE16(pos); 8539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 8639beb93cSSam Leffler conn->client_version >> 8, conn->client_version & 0xff); 8739beb93cSSam Leffler if (conn->client_version < TLS_VERSION) { 8839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 8939beb93cSSam Leffler "ClientHello"); 9039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 9139beb93cSSam Leffler TLS_ALERT_PROTOCOL_VERSION); 9239beb93cSSam Leffler return -1; 9339beb93cSSam Leffler } 9439beb93cSSam Leffler pos += 2; 9539beb93cSSam Leffler 9639beb93cSSam Leffler /* Random random */ 9739beb93cSSam Leffler if (end - pos < TLS_RANDOM_LEN) 9839beb93cSSam Leffler goto decode_error; 9939beb93cSSam Leffler 10039beb93cSSam Leffler os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 10139beb93cSSam Leffler pos += TLS_RANDOM_LEN; 10239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 10339beb93cSSam Leffler conn->client_random, TLS_RANDOM_LEN); 10439beb93cSSam Leffler 10539beb93cSSam Leffler /* SessionID session_id */ 10639beb93cSSam Leffler if (end - pos < 1) 10739beb93cSSam Leffler goto decode_error; 10839beb93cSSam Leffler if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 10939beb93cSSam Leffler goto decode_error; 11039beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 11139beb93cSSam Leffler pos += 1 + *pos; 11239beb93cSSam Leffler /* TODO: add support for session resumption */ 11339beb93cSSam Leffler 11439beb93cSSam Leffler /* CipherSuite cipher_suites<2..2^16-1> */ 11539beb93cSSam Leffler if (end - pos < 2) 11639beb93cSSam Leffler goto decode_error; 11739beb93cSSam Leffler num_suites = WPA_GET_BE16(pos); 11839beb93cSSam Leffler pos += 2; 11939beb93cSSam Leffler if (end - pos < num_suites) 12039beb93cSSam Leffler goto decode_error; 12139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 12239beb93cSSam Leffler pos, num_suites); 12339beb93cSSam Leffler if (num_suites & 1) 12439beb93cSSam Leffler goto decode_error; 12539beb93cSSam Leffler num_suites /= 2; 12639beb93cSSam Leffler 12739beb93cSSam Leffler cipher_suite = 0; 12839beb93cSSam Leffler for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 12939beb93cSSam Leffler c = pos; 13039beb93cSSam Leffler for (j = 0; j < num_suites; j++) { 13139beb93cSSam Leffler u16 tmp = WPA_GET_BE16(c); 13239beb93cSSam Leffler c += 2; 13339beb93cSSam Leffler if (!cipher_suite && tmp == conn->cipher_suites[i]) { 13439beb93cSSam Leffler cipher_suite = tmp; 13539beb93cSSam Leffler break; 13639beb93cSSam Leffler } 13739beb93cSSam Leffler } 13839beb93cSSam Leffler } 13939beb93cSSam Leffler pos += num_suites * 2; 14039beb93cSSam Leffler if (!cipher_suite) { 14139beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 14239beb93cSSam Leffler "available"); 14339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 14439beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 14539beb93cSSam Leffler return -1; 14639beb93cSSam Leffler } 14739beb93cSSam Leffler 14839beb93cSSam Leffler if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 14939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 15039beb93cSSam Leffler "record layer"); 15139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 15239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 15339beb93cSSam Leffler return -1; 15439beb93cSSam Leffler } 15539beb93cSSam Leffler 15639beb93cSSam Leffler conn->cipher_suite = cipher_suite; 15739beb93cSSam Leffler 15839beb93cSSam Leffler /* CompressionMethod compression_methods<1..2^8-1> */ 15939beb93cSSam Leffler if (end - pos < 1) 16039beb93cSSam Leffler goto decode_error; 16139beb93cSSam Leffler num_suites = *pos++; 16239beb93cSSam Leffler if (end - pos < num_suites) 16339beb93cSSam Leffler goto decode_error; 16439beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 16539beb93cSSam Leffler pos, num_suites); 16639beb93cSSam Leffler compr_null_found = 0; 16739beb93cSSam Leffler for (i = 0; i < num_suites; i++) { 16839beb93cSSam Leffler if (*pos++ == TLS_COMPRESSION_NULL) 16939beb93cSSam Leffler compr_null_found = 1; 17039beb93cSSam Leffler } 17139beb93cSSam Leffler if (!compr_null_found) { 17239beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 17339beb93cSSam Leffler "compression"); 17439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 17539beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 17639beb93cSSam Leffler return -1; 17739beb93cSSam Leffler } 17839beb93cSSam Leffler 17939beb93cSSam Leffler if (end - pos == 1) { 18039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 18139beb93cSSam Leffler "end of ClientHello: 0x%02x", *pos); 18239beb93cSSam Leffler goto decode_error; 18339beb93cSSam Leffler } 18439beb93cSSam Leffler 18539beb93cSSam Leffler if (end - pos >= 2) { 18639beb93cSSam Leffler u16 ext_len; 18739beb93cSSam Leffler 18839beb93cSSam Leffler /* Extension client_hello_extension_list<0..2^16-1> */ 18939beb93cSSam Leffler 19039beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 19139beb93cSSam Leffler pos += 2; 19239beb93cSSam Leffler 19339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 19439beb93cSSam Leffler "extensions", ext_len); 19539beb93cSSam Leffler if (end - pos != ext_len) { 19639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 19739beb93cSSam Leffler "extension list length %u (expected %u)", 19839beb93cSSam Leffler ext_len, end - pos); 19939beb93cSSam Leffler goto decode_error; 20039beb93cSSam Leffler } 20139beb93cSSam Leffler 20239beb93cSSam Leffler /* 20339beb93cSSam Leffler * struct { 20439beb93cSSam Leffler * ExtensionType extension_type (0..65535) 20539beb93cSSam Leffler * opaque extension_data<0..2^16-1> 20639beb93cSSam Leffler * } Extension; 20739beb93cSSam Leffler */ 20839beb93cSSam Leffler 20939beb93cSSam Leffler while (pos < end) { 21039beb93cSSam Leffler u16 ext_type, ext_len; 21139beb93cSSam Leffler 21239beb93cSSam Leffler if (end - pos < 2) { 21339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 21439beb93cSSam Leffler "extension_type field"); 21539beb93cSSam Leffler goto decode_error; 21639beb93cSSam Leffler } 21739beb93cSSam Leffler 21839beb93cSSam Leffler ext_type = WPA_GET_BE16(pos); 21939beb93cSSam Leffler pos += 2; 22039beb93cSSam Leffler 22139beb93cSSam Leffler if (end - pos < 2) { 22239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 22339beb93cSSam Leffler "extension_data length field"); 22439beb93cSSam Leffler goto decode_error; 22539beb93cSSam Leffler } 22639beb93cSSam Leffler 22739beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 22839beb93cSSam Leffler pos += 2; 22939beb93cSSam Leffler 23039beb93cSSam Leffler if (end - pos < ext_len) { 23139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 23239beb93cSSam Leffler "extension_data field"); 23339beb93cSSam Leffler goto decode_error; 23439beb93cSSam Leffler } 23539beb93cSSam Leffler 23639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 23739beb93cSSam Leffler "type %u", ext_type); 23839beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 23939beb93cSSam Leffler "Extension data", pos, ext_len); 24039beb93cSSam Leffler 24139beb93cSSam Leffler if (ext_type == TLS_EXT_SESSION_TICKET) { 24239beb93cSSam Leffler os_free(conn->session_ticket); 24339beb93cSSam Leffler conn->session_ticket = os_malloc(ext_len); 24439beb93cSSam Leffler if (conn->session_ticket) { 24539beb93cSSam Leffler os_memcpy(conn->session_ticket, pos, 24639beb93cSSam Leffler ext_len); 24739beb93cSSam Leffler conn->session_ticket_len = ext_len; 24839beb93cSSam Leffler } 24939beb93cSSam Leffler } 25039beb93cSSam Leffler 25139beb93cSSam Leffler pos += ext_len; 25239beb93cSSam Leffler } 25339beb93cSSam Leffler } 25439beb93cSSam Leffler 25539beb93cSSam Leffler *in_len = end - in_data; 25639beb93cSSam Leffler 25739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 25839beb93cSSam Leffler "ServerHello"); 25939beb93cSSam Leffler conn->state = SERVER_HELLO; 26039beb93cSSam Leffler 26139beb93cSSam Leffler return 0; 26239beb93cSSam Leffler 26339beb93cSSam Leffler decode_error: 26439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 26539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 26639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 26739beb93cSSam Leffler return -1; 26839beb93cSSam Leffler } 26939beb93cSSam Leffler 27039beb93cSSam Leffler 27139beb93cSSam Leffler static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 27239beb93cSSam Leffler const u8 *in_data, size_t *in_len) 27339beb93cSSam Leffler { 27439beb93cSSam Leffler const u8 *pos, *end; 27539beb93cSSam Leffler size_t left, len, list_len, cert_len, idx; 27639beb93cSSam Leffler u8 type; 27739beb93cSSam Leffler struct x509_certificate *chain = NULL, *last = NULL, *cert; 27839beb93cSSam Leffler int reason; 27939beb93cSSam Leffler 28039beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 28139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 28239beb93cSSam Leffler "received content type 0x%x", ct); 28339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 28439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 28539beb93cSSam Leffler return -1; 28639beb93cSSam Leffler } 28739beb93cSSam Leffler 28839beb93cSSam Leffler pos = in_data; 28939beb93cSSam Leffler left = *in_len; 29039beb93cSSam Leffler 29139beb93cSSam Leffler if (left < 4) { 29239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 29339beb93cSSam Leffler "(len=%lu)", (unsigned long) left); 29439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 29539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 29639beb93cSSam Leffler return -1; 29739beb93cSSam Leffler } 29839beb93cSSam Leffler 29939beb93cSSam Leffler type = *pos++; 30039beb93cSSam Leffler len = WPA_GET_BE24(pos); 30139beb93cSSam Leffler pos += 3; 30239beb93cSSam Leffler left -= 4; 30339beb93cSSam Leffler 30439beb93cSSam Leffler if (len > left) { 30539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 30639beb93cSSam Leffler "length (len=%lu != left=%lu)", 30739beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 30839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 30939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 31039beb93cSSam Leffler return -1; 31139beb93cSSam Leffler } 31239beb93cSSam Leffler 31339beb93cSSam Leffler if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 31439beb93cSSam Leffler if (conn->verify_peer) { 31539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 31639beb93cSSam Leffler "Certificate"); 31739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 31839beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 31939beb93cSSam Leffler return -1; 32039beb93cSSam Leffler } 32139beb93cSSam Leffler 32239beb93cSSam Leffler return tls_process_client_key_exchange(conn, ct, in_data, 32339beb93cSSam Leffler in_len); 32439beb93cSSam Leffler } 32539beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 32639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 32739beb93cSSam Leffler "message %d (expected Certificate/" 32839beb93cSSam Leffler "ClientKeyExchange)", type); 32939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 33039beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 33139beb93cSSam Leffler return -1; 33239beb93cSSam Leffler } 33339beb93cSSam Leffler 33439beb93cSSam Leffler wpa_printf(MSG_DEBUG, 33539beb93cSSam Leffler "TLSv1: Received Certificate (certificate_list len %lu)", 33639beb93cSSam Leffler (unsigned long) len); 33739beb93cSSam Leffler 33839beb93cSSam Leffler /* 33939beb93cSSam Leffler * opaque ASN.1Cert<2^24-1>; 34039beb93cSSam Leffler * 34139beb93cSSam Leffler * struct { 34239beb93cSSam Leffler * ASN.1Cert certificate_list<1..2^24-1>; 34339beb93cSSam Leffler * } Certificate; 34439beb93cSSam Leffler */ 34539beb93cSSam Leffler 34639beb93cSSam Leffler end = pos + len; 34739beb93cSSam Leffler 34839beb93cSSam Leffler if (end - pos < 3) { 34939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 35039beb93cSSam Leffler "(left=%lu)", (unsigned long) left); 35139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 35239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 35339beb93cSSam Leffler return -1; 35439beb93cSSam Leffler } 35539beb93cSSam Leffler 35639beb93cSSam Leffler list_len = WPA_GET_BE24(pos); 35739beb93cSSam Leffler pos += 3; 35839beb93cSSam Leffler 35939beb93cSSam Leffler if ((size_t) (end - pos) != list_len) { 36039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 36139beb93cSSam Leffler "length (len=%lu left=%lu)", 36239beb93cSSam Leffler (unsigned long) list_len, 36339beb93cSSam Leffler (unsigned long) (end - pos)); 36439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 36539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 36639beb93cSSam Leffler return -1; 36739beb93cSSam Leffler } 36839beb93cSSam Leffler 36939beb93cSSam Leffler idx = 0; 37039beb93cSSam Leffler while (pos < end) { 37139beb93cSSam Leffler if (end - pos < 3) { 37239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 37339beb93cSSam Leffler "certificate_list"); 37439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 37539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 37639beb93cSSam Leffler x509_certificate_chain_free(chain); 37739beb93cSSam Leffler return -1; 37839beb93cSSam Leffler } 37939beb93cSSam Leffler 38039beb93cSSam Leffler cert_len = WPA_GET_BE24(pos); 38139beb93cSSam Leffler pos += 3; 38239beb93cSSam Leffler 38339beb93cSSam Leffler if ((size_t) (end - pos) < cert_len) { 38439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 38539beb93cSSam Leffler "length (len=%lu left=%lu)", 38639beb93cSSam Leffler (unsigned long) cert_len, 38739beb93cSSam Leffler (unsigned long) (end - pos)); 38839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 38939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 39039beb93cSSam Leffler x509_certificate_chain_free(chain); 39139beb93cSSam Leffler return -1; 39239beb93cSSam Leffler } 39339beb93cSSam Leffler 39439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 39539beb93cSSam Leffler (unsigned long) idx, (unsigned long) cert_len); 39639beb93cSSam Leffler 39739beb93cSSam Leffler if (idx == 0) { 39839beb93cSSam Leffler crypto_public_key_free(conn->client_rsa_key); 39939beb93cSSam Leffler if (tls_parse_cert(pos, cert_len, 40039beb93cSSam Leffler &conn->client_rsa_key)) { 40139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 40239beb93cSSam Leffler "the certificate"); 40339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 40439beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 40539beb93cSSam Leffler x509_certificate_chain_free(chain); 40639beb93cSSam Leffler return -1; 40739beb93cSSam Leffler } 40839beb93cSSam Leffler } 40939beb93cSSam Leffler 41039beb93cSSam Leffler cert = x509_certificate_parse(pos, cert_len); 41139beb93cSSam Leffler if (cert == NULL) { 41239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 41339beb93cSSam Leffler "the certificate"); 41439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 41539beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 41639beb93cSSam Leffler x509_certificate_chain_free(chain); 41739beb93cSSam Leffler return -1; 41839beb93cSSam Leffler } 41939beb93cSSam Leffler 42039beb93cSSam Leffler if (last == NULL) 42139beb93cSSam Leffler chain = cert; 42239beb93cSSam Leffler else 42339beb93cSSam Leffler last->next = cert; 42439beb93cSSam Leffler last = cert; 42539beb93cSSam Leffler 42639beb93cSSam Leffler idx++; 42739beb93cSSam Leffler pos += cert_len; 42839beb93cSSam Leffler } 42939beb93cSSam Leffler 43039beb93cSSam Leffler if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 43139beb93cSSam Leffler &reason) < 0) { 43239beb93cSSam Leffler int tls_reason; 43339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 43439beb93cSSam Leffler "validation failed (reason=%d)", reason); 43539beb93cSSam Leffler switch (reason) { 43639beb93cSSam Leffler case X509_VALIDATE_BAD_CERTIFICATE: 43739beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 43839beb93cSSam Leffler break; 43939beb93cSSam Leffler case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 44039beb93cSSam Leffler tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 44139beb93cSSam Leffler break; 44239beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_REVOKED: 44339beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 44439beb93cSSam Leffler break; 44539beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_EXPIRED: 44639beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 44739beb93cSSam Leffler break; 44839beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_UNKNOWN: 44939beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 45039beb93cSSam Leffler break; 45139beb93cSSam Leffler case X509_VALIDATE_UNKNOWN_CA: 45239beb93cSSam Leffler tls_reason = TLS_ALERT_UNKNOWN_CA; 45339beb93cSSam Leffler break; 45439beb93cSSam Leffler default: 45539beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 45639beb93cSSam Leffler break; 45739beb93cSSam Leffler } 45839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 45939beb93cSSam Leffler x509_certificate_chain_free(chain); 46039beb93cSSam Leffler return -1; 46139beb93cSSam Leffler } 46239beb93cSSam Leffler 46339beb93cSSam Leffler x509_certificate_chain_free(chain); 46439beb93cSSam Leffler 46539beb93cSSam Leffler *in_len = end - in_data; 46639beb93cSSam Leffler 46739beb93cSSam Leffler conn->state = CLIENT_KEY_EXCHANGE; 46839beb93cSSam Leffler 46939beb93cSSam Leffler return 0; 47039beb93cSSam Leffler } 47139beb93cSSam Leffler 47239beb93cSSam Leffler 47339beb93cSSam Leffler static int tls_process_client_key_exchange_rsa( 47439beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 47539beb93cSSam Leffler { 47639beb93cSSam Leffler u8 *out; 47739beb93cSSam Leffler size_t outlen, outbuflen; 47839beb93cSSam Leffler u16 encr_len; 47939beb93cSSam Leffler int res; 48039beb93cSSam Leffler int use_random = 0; 48139beb93cSSam Leffler 48239beb93cSSam Leffler if (end - pos < 2) { 48339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 48439beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 48539beb93cSSam Leffler return -1; 48639beb93cSSam Leffler } 48739beb93cSSam Leffler 48839beb93cSSam Leffler encr_len = WPA_GET_BE16(pos); 48939beb93cSSam Leffler pos += 2; 49039beb93cSSam Leffler 49139beb93cSSam Leffler outbuflen = outlen = end - pos; 49239beb93cSSam Leffler out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 49339beb93cSSam Leffler outlen : TLS_PRE_MASTER_SECRET_LEN); 49439beb93cSSam Leffler if (out == NULL) { 49539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49639beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 49739beb93cSSam Leffler return -1; 49839beb93cSSam Leffler } 49939beb93cSSam Leffler 50039beb93cSSam Leffler /* 50139beb93cSSam Leffler * struct { 50239beb93cSSam Leffler * ProtocolVersion client_version; 50339beb93cSSam Leffler * opaque random[46]; 50439beb93cSSam Leffler * } PreMasterSecret; 50539beb93cSSam Leffler * 50639beb93cSSam Leffler * struct { 50739beb93cSSam Leffler * public-key-encrypted PreMasterSecret pre_master_secret; 50839beb93cSSam Leffler * } EncryptedPreMasterSecret; 50939beb93cSSam Leffler */ 51039beb93cSSam Leffler 51139beb93cSSam Leffler /* 51239beb93cSSam Leffler * Note: To avoid Bleichenbacher attack, we do not report decryption or 51339beb93cSSam Leffler * parsing errors from EncryptedPreMasterSecret processing to the 51439beb93cSSam Leffler * client. Instead, a random pre-master secret is used to force the 51539beb93cSSam Leffler * handshake to fail. 51639beb93cSSam Leffler */ 51739beb93cSSam Leffler 51839beb93cSSam Leffler if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 51939beb93cSSam Leffler pos, end - pos, 52039beb93cSSam Leffler out, &outlen) < 0) { 52139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 52239beb93cSSam Leffler "PreMasterSecret (encr_len=%d outlen=%lu)", 52339beb93cSSam Leffler end - pos, (unsigned long) outlen); 52439beb93cSSam Leffler use_random = 1; 52539beb93cSSam Leffler } 52639beb93cSSam Leffler 52739beb93cSSam Leffler if (outlen != TLS_PRE_MASTER_SECRET_LEN) { 52839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 52939beb93cSSam Leffler "length %lu", (unsigned long) outlen); 53039beb93cSSam Leffler use_random = 1; 53139beb93cSSam Leffler } 53239beb93cSSam Leffler 53339beb93cSSam Leffler if (WPA_GET_BE16(out) != conn->client_version) { 53439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 53539beb93cSSam Leffler "ClientKeyExchange does not match with version in " 53639beb93cSSam Leffler "ClientHello"); 53739beb93cSSam Leffler use_random = 1; 53839beb93cSSam Leffler } 53939beb93cSSam Leffler 54039beb93cSSam Leffler if (use_random) { 54139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 54239beb93cSSam Leffler "to avoid revealing information about private key"); 54339beb93cSSam Leffler outlen = TLS_PRE_MASTER_SECRET_LEN; 54439beb93cSSam Leffler if (os_get_random(out, outlen)) { 54539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 54639beb93cSSam Leffler "data"); 54739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 54839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 54939beb93cSSam Leffler os_free(out); 55039beb93cSSam Leffler return -1; 55139beb93cSSam Leffler } 55239beb93cSSam Leffler } 55339beb93cSSam Leffler 55439beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, out, outlen); 55539beb93cSSam Leffler 55639beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 55739beb93cSSam Leffler os_memset(out, 0, outbuflen); 55839beb93cSSam Leffler os_free(out); 55939beb93cSSam Leffler 56039beb93cSSam Leffler if (res) { 56139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 56239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 56339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 56439beb93cSSam Leffler return -1; 56539beb93cSSam Leffler } 56639beb93cSSam Leffler 56739beb93cSSam Leffler return 0; 56839beb93cSSam Leffler } 56939beb93cSSam Leffler 57039beb93cSSam Leffler 57139beb93cSSam Leffler static int tls_process_client_key_exchange_dh_anon( 57239beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 57339beb93cSSam Leffler { 57439beb93cSSam Leffler #ifdef EAP_FAST 57539beb93cSSam Leffler const u8 *dh_yc; 57639beb93cSSam Leffler u16 dh_yc_len; 57739beb93cSSam Leffler u8 *shared; 57839beb93cSSam Leffler size_t shared_len; 57939beb93cSSam Leffler int res; 58039beb93cSSam Leffler 58139beb93cSSam Leffler /* 58239beb93cSSam Leffler * struct { 58339beb93cSSam Leffler * select (PublicValueEncoding) { 58439beb93cSSam Leffler * case implicit: struct { }; 58539beb93cSSam Leffler * case explicit: opaque dh_Yc<1..2^16-1>; 58639beb93cSSam Leffler * } dh_public; 58739beb93cSSam Leffler * } ClientDiffieHellmanPublic; 58839beb93cSSam Leffler */ 58939beb93cSSam Leffler 59039beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 59139beb93cSSam Leffler pos, end - pos); 59239beb93cSSam Leffler 59339beb93cSSam Leffler if (end == pos) { 59439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 59539beb93cSSam Leffler "not supported"); 59639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 59739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 59839beb93cSSam Leffler return -1; 59939beb93cSSam Leffler } 60039beb93cSSam Leffler 60139beb93cSSam Leffler if (end - pos < 3) { 60239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 60339beb93cSSam Leffler "length"); 60439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 60539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 60639beb93cSSam Leffler return -1; 60739beb93cSSam Leffler } 60839beb93cSSam Leffler 60939beb93cSSam Leffler dh_yc_len = WPA_GET_BE16(pos); 61039beb93cSSam Leffler dh_yc = pos + 2; 61139beb93cSSam Leffler 61239beb93cSSam Leffler if (dh_yc + dh_yc_len > end) { 61339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 61439beb93cSSam Leffler "(length %d)", dh_yc_len); 61539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 61639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 61739beb93cSSam Leffler return -1; 61839beb93cSSam Leffler } 61939beb93cSSam Leffler 62039beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 62139beb93cSSam Leffler dh_yc, dh_yc_len); 62239beb93cSSam Leffler 62339beb93cSSam Leffler if (conn->cred == NULL || conn->cred->dh_p == NULL || 62439beb93cSSam Leffler conn->dh_secret == NULL) { 62539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 62639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 62739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 62839beb93cSSam Leffler return -1; 62939beb93cSSam Leffler } 63039beb93cSSam Leffler 63139beb93cSSam Leffler shared_len = conn->cred->dh_p_len; 63239beb93cSSam Leffler shared = os_malloc(shared_len); 63339beb93cSSam Leffler if (shared == NULL) { 63439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 63539beb93cSSam Leffler "DH"); 63639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 63739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 63839beb93cSSam Leffler return -1; 63939beb93cSSam Leffler } 64039beb93cSSam Leffler 64139beb93cSSam Leffler /* shared = Yc^secret mod p */ 64239beb93cSSam Leffler if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 64339beb93cSSam Leffler conn->dh_secret_len, 64439beb93cSSam Leffler conn->cred->dh_p, conn->cred->dh_p_len, 64539beb93cSSam Leffler shared, &shared_len)) { 64639beb93cSSam Leffler os_free(shared); 64739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 64839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 64939beb93cSSam Leffler return -1; 65039beb93cSSam Leffler } 65139beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 65239beb93cSSam Leffler shared, shared_len); 65339beb93cSSam Leffler 65439beb93cSSam Leffler os_memset(conn->dh_secret, 0, conn->dh_secret_len); 65539beb93cSSam Leffler os_free(conn->dh_secret); 65639beb93cSSam Leffler conn->dh_secret = NULL; 65739beb93cSSam Leffler 65839beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, shared, shared_len); 65939beb93cSSam Leffler 66039beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 66139beb93cSSam Leffler os_memset(shared, 0, shared_len); 66239beb93cSSam Leffler os_free(shared); 66339beb93cSSam Leffler 66439beb93cSSam Leffler if (res) { 66539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 66639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 66739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 66839beb93cSSam Leffler return -1; 66939beb93cSSam Leffler } 67039beb93cSSam Leffler 67139beb93cSSam Leffler return 0; 67239beb93cSSam Leffler #else /* EAP_FAST */ 67339beb93cSSam Leffler return -1; 67439beb93cSSam Leffler #endif /* EAP_FAST */ 67539beb93cSSam Leffler } 67639beb93cSSam Leffler 67739beb93cSSam Leffler 67839beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 67939beb93cSSam Leffler const u8 *in_data, size_t *in_len) 68039beb93cSSam Leffler { 68139beb93cSSam Leffler const u8 *pos, *end; 68239beb93cSSam Leffler size_t left, len; 68339beb93cSSam Leffler u8 type; 68439beb93cSSam Leffler tls_key_exchange keyx; 68539beb93cSSam Leffler const struct tls_cipher_suite *suite; 68639beb93cSSam Leffler 68739beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 68839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 68939beb93cSSam Leffler "received content type 0x%x", ct); 69039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 69139beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 69239beb93cSSam Leffler return -1; 69339beb93cSSam Leffler } 69439beb93cSSam Leffler 69539beb93cSSam Leffler pos = in_data; 69639beb93cSSam Leffler left = *in_len; 69739beb93cSSam Leffler 69839beb93cSSam Leffler if (left < 4) { 69939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 70039beb93cSSam Leffler "(Left=%lu)", (unsigned long) left); 70139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 70239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 70339beb93cSSam Leffler return -1; 70439beb93cSSam Leffler } 70539beb93cSSam Leffler 70639beb93cSSam Leffler type = *pos++; 70739beb93cSSam Leffler len = WPA_GET_BE24(pos); 70839beb93cSSam Leffler pos += 3; 70939beb93cSSam Leffler left -= 4; 71039beb93cSSam Leffler 71139beb93cSSam Leffler if (len > left) { 71239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 71339beb93cSSam Leffler "length (len=%lu != left=%lu)", 71439beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 71539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 71639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 71739beb93cSSam Leffler return -1; 71839beb93cSSam Leffler } 71939beb93cSSam Leffler 72039beb93cSSam Leffler end = pos + len; 72139beb93cSSam Leffler 72239beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 72339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 72439beb93cSSam Leffler "message %d (expected ClientKeyExchange)", type); 72539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 72639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 72739beb93cSSam Leffler return -1; 72839beb93cSSam Leffler } 72939beb93cSSam Leffler 73039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 73139beb93cSSam Leffler 73239beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 73339beb93cSSam Leffler 73439beb93cSSam Leffler suite = tls_get_cipher_suite(conn->rl.cipher_suite); 73539beb93cSSam Leffler if (suite == NULL) 73639beb93cSSam Leffler keyx = TLS_KEY_X_NULL; 73739beb93cSSam Leffler else 73839beb93cSSam Leffler keyx = suite->key_exchange; 73939beb93cSSam Leffler 74039beb93cSSam Leffler if (keyx == TLS_KEY_X_DH_anon && 74139beb93cSSam Leffler tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 74239beb93cSSam Leffler return -1; 74339beb93cSSam Leffler 74439beb93cSSam Leffler if (keyx != TLS_KEY_X_DH_anon && 74539beb93cSSam Leffler tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 74639beb93cSSam Leffler return -1; 74739beb93cSSam Leffler 74839beb93cSSam Leffler *in_len = end - in_data; 74939beb93cSSam Leffler 75039beb93cSSam Leffler conn->state = CERTIFICATE_VERIFY; 75139beb93cSSam Leffler 75239beb93cSSam Leffler return 0; 75339beb93cSSam Leffler } 75439beb93cSSam Leffler 75539beb93cSSam Leffler 75639beb93cSSam Leffler static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 75739beb93cSSam Leffler const u8 *in_data, size_t *in_len) 75839beb93cSSam Leffler { 75939beb93cSSam Leffler const u8 *pos, *end; 76039beb93cSSam Leffler size_t left, len; 76139beb93cSSam Leffler u8 type; 76239beb93cSSam Leffler size_t hlen, buflen; 76339beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 76439beb93cSSam Leffler enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 76539beb93cSSam Leffler u16 slen; 76639beb93cSSam Leffler 76739beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 76839beb93cSSam Leffler if (conn->verify_peer) { 76939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 77039beb93cSSam Leffler "CertificateVerify"); 77139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 77239beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 77339beb93cSSam Leffler return -1; 77439beb93cSSam Leffler } 77539beb93cSSam Leffler 77639beb93cSSam Leffler return tls_process_change_cipher_spec(conn, ct, in_data, 77739beb93cSSam Leffler in_len); 77839beb93cSSam Leffler } 77939beb93cSSam Leffler 78039beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 78139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 78239beb93cSSam Leffler "received content type 0x%x", ct); 78339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 78439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 78539beb93cSSam Leffler return -1; 78639beb93cSSam Leffler } 78739beb93cSSam Leffler 78839beb93cSSam Leffler pos = in_data; 78939beb93cSSam Leffler left = *in_len; 79039beb93cSSam Leffler 79139beb93cSSam Leffler if (left < 4) { 79239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 79339beb93cSSam Leffler "message (len=%lu)", (unsigned long) left); 79439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 79539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 79639beb93cSSam Leffler return -1; 79739beb93cSSam Leffler } 79839beb93cSSam Leffler 79939beb93cSSam Leffler type = *pos++; 80039beb93cSSam Leffler len = WPA_GET_BE24(pos); 80139beb93cSSam Leffler pos += 3; 80239beb93cSSam Leffler left -= 4; 80339beb93cSSam Leffler 80439beb93cSSam Leffler if (len > left) { 80539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 80639beb93cSSam Leffler "message length (len=%lu != left=%lu)", 80739beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 80839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 80939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 81039beb93cSSam Leffler return -1; 81139beb93cSSam Leffler } 81239beb93cSSam Leffler 81339beb93cSSam Leffler end = pos + len; 81439beb93cSSam Leffler 81539beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 81639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 81739beb93cSSam Leffler "message %d (expected CertificateVerify)", type); 81839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 81939beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 82039beb93cSSam Leffler return -1; 82139beb93cSSam Leffler } 82239beb93cSSam Leffler 82339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 82439beb93cSSam Leffler 82539beb93cSSam Leffler /* 82639beb93cSSam Leffler * struct { 82739beb93cSSam Leffler * Signature signature; 82839beb93cSSam Leffler * } CertificateVerify; 82939beb93cSSam Leffler */ 83039beb93cSSam Leffler 83139beb93cSSam Leffler hpos = hash; 83239beb93cSSam Leffler 83339beb93cSSam Leffler if (alg == SIGN_ALG_RSA) { 83439beb93cSSam Leffler hlen = MD5_MAC_LEN; 83539beb93cSSam Leffler if (conn->verify.md5_cert == NULL || 83639beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 83739beb93cSSam Leffler { 83839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 83939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 84039beb93cSSam Leffler conn->verify.md5_cert = NULL; 84139beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 84239beb93cSSam Leffler conn->verify.sha1_cert = NULL; 84339beb93cSSam Leffler return -1; 84439beb93cSSam Leffler } 84539beb93cSSam Leffler hpos += MD5_MAC_LEN; 84639beb93cSSam Leffler } else 84739beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 84839beb93cSSam Leffler 84939beb93cSSam Leffler conn->verify.md5_cert = NULL; 85039beb93cSSam Leffler hlen = SHA1_MAC_LEN; 85139beb93cSSam Leffler if (conn->verify.sha1_cert == NULL || 85239beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 85339beb93cSSam Leffler conn->verify.sha1_cert = NULL; 85439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 85539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 85639beb93cSSam Leffler return -1; 85739beb93cSSam Leffler } 85839beb93cSSam Leffler conn->verify.sha1_cert = NULL; 85939beb93cSSam Leffler 86039beb93cSSam Leffler if (alg == SIGN_ALG_RSA) 86139beb93cSSam Leffler hlen += MD5_MAC_LEN; 86239beb93cSSam Leffler 86339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 86439beb93cSSam Leffler 86539beb93cSSam Leffler if (end - pos < 2) { 86639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 86739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 86839beb93cSSam Leffler return -1; 86939beb93cSSam Leffler } 87039beb93cSSam Leffler slen = WPA_GET_BE16(pos); 87139beb93cSSam Leffler pos += 2; 87239beb93cSSam Leffler if (end - pos < slen) { 87339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 87439beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 87539beb93cSSam Leffler return -1; 87639beb93cSSam Leffler } 87739beb93cSSam Leffler 87839beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 87939beb93cSSam Leffler if (conn->client_rsa_key == NULL) { 88039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 88139beb93cSSam Leffler "signature"); 88239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 88339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 88439beb93cSSam Leffler return -1; 88539beb93cSSam Leffler } 88639beb93cSSam Leffler 88739beb93cSSam Leffler buflen = end - pos; 88839beb93cSSam Leffler buf = os_malloc(end - pos); 88939beb93cSSam Leffler if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 89039beb93cSSam Leffler pos, end - pos, buf, &buflen) < 0) 89139beb93cSSam Leffler { 89239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 89339beb93cSSam Leffler os_free(buf); 89439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 89539beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 89639beb93cSSam Leffler return -1; 89739beb93cSSam Leffler } 89839beb93cSSam Leffler 89939beb93cSSam Leffler wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 90039beb93cSSam Leffler buf, buflen); 90139beb93cSSam Leffler 90239beb93cSSam Leffler if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 90339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 90439beb93cSSam Leffler "CertificateVerify - did not match with calculated " 90539beb93cSSam Leffler "hash"); 90639beb93cSSam Leffler os_free(buf); 90739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 90839beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 90939beb93cSSam Leffler return -1; 91039beb93cSSam Leffler } 91139beb93cSSam Leffler 91239beb93cSSam Leffler os_free(buf); 91339beb93cSSam Leffler 91439beb93cSSam Leffler *in_len = end - in_data; 91539beb93cSSam Leffler 91639beb93cSSam Leffler conn->state = CHANGE_CIPHER_SPEC; 91739beb93cSSam Leffler 91839beb93cSSam Leffler return 0; 91939beb93cSSam Leffler } 92039beb93cSSam Leffler 92139beb93cSSam Leffler 92239beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 92339beb93cSSam Leffler u8 ct, const u8 *in_data, 92439beb93cSSam Leffler size_t *in_len) 92539beb93cSSam Leffler { 92639beb93cSSam Leffler const u8 *pos; 92739beb93cSSam Leffler size_t left; 92839beb93cSSam Leffler 92939beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 93039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 93139beb93cSSam Leffler "received content type 0x%x", ct); 93239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 93339beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 93439beb93cSSam Leffler return -1; 93539beb93cSSam Leffler } 93639beb93cSSam Leffler 93739beb93cSSam Leffler pos = in_data; 93839beb93cSSam Leffler left = *in_len; 93939beb93cSSam Leffler 94039beb93cSSam Leffler if (left < 1) { 94139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 94239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 94339beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 94439beb93cSSam Leffler return -1; 94539beb93cSSam Leffler } 94639beb93cSSam Leffler 94739beb93cSSam Leffler if (*pos != TLS_CHANGE_CIPHER_SPEC) { 94839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 94939beb93cSSam Leffler "received data 0x%x", *pos); 95039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 95139beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 95239beb93cSSam Leffler return -1; 95339beb93cSSam Leffler } 95439beb93cSSam Leffler 95539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 95639beb93cSSam Leffler if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 95739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 95839beb93cSSam Leffler "for record layer"); 95939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 96039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 96139beb93cSSam Leffler return -1; 96239beb93cSSam Leffler } 96339beb93cSSam Leffler 96439beb93cSSam Leffler *in_len = pos + 1 - in_data; 96539beb93cSSam Leffler 96639beb93cSSam Leffler conn->state = CLIENT_FINISHED; 96739beb93cSSam Leffler 96839beb93cSSam Leffler return 0; 96939beb93cSSam Leffler } 97039beb93cSSam Leffler 97139beb93cSSam Leffler 97239beb93cSSam Leffler static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 97339beb93cSSam Leffler const u8 *in_data, size_t *in_len) 97439beb93cSSam Leffler { 97539beb93cSSam Leffler const u8 *pos, *end; 97639beb93cSSam Leffler size_t left, len, hlen; 97739beb93cSSam Leffler u8 verify_data[TLS_VERIFY_DATA_LEN]; 97839beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 97939beb93cSSam Leffler 98039beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 98139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 98239beb93cSSam Leffler "received content type 0x%x", ct); 98339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 98439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 98539beb93cSSam Leffler return -1; 98639beb93cSSam Leffler } 98739beb93cSSam Leffler 98839beb93cSSam Leffler pos = in_data; 98939beb93cSSam Leffler left = *in_len; 99039beb93cSSam Leffler 99139beb93cSSam Leffler if (left < 4) { 99239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 99339beb93cSSam Leffler "Finished", 99439beb93cSSam Leffler (unsigned long) left); 99539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 99639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 99739beb93cSSam Leffler return -1; 99839beb93cSSam Leffler } 99939beb93cSSam Leffler 100039beb93cSSam Leffler if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 100139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 100239beb93cSSam Leffler "type 0x%x", pos[0]); 100339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 100439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 100539beb93cSSam Leffler return -1; 100639beb93cSSam Leffler } 100739beb93cSSam Leffler 100839beb93cSSam Leffler len = WPA_GET_BE24(pos + 1); 100939beb93cSSam Leffler 101039beb93cSSam Leffler pos += 4; 101139beb93cSSam Leffler left -= 4; 101239beb93cSSam Leffler 101339beb93cSSam Leffler if (len > left) { 101439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 101539beb93cSSam Leffler "(len=%lu > left=%lu)", 101639beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 101739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 101839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 101939beb93cSSam Leffler return -1; 102039beb93cSSam Leffler } 102139beb93cSSam Leffler end = pos + len; 102239beb93cSSam Leffler if (len != TLS_VERIFY_DATA_LEN) { 102339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 102439beb93cSSam Leffler "in Finished: %lu (expected %d)", 102539beb93cSSam Leffler (unsigned long) len, TLS_VERIFY_DATA_LEN); 102639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 102739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 102839beb93cSSam Leffler return -1; 102939beb93cSSam Leffler } 103039beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 103139beb93cSSam Leffler pos, TLS_VERIFY_DATA_LEN); 103239beb93cSSam Leffler 103339beb93cSSam Leffler hlen = MD5_MAC_LEN; 103439beb93cSSam Leffler if (conn->verify.md5_client == NULL || 103539beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 103639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 103739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 103839beb93cSSam Leffler conn->verify.md5_client = NULL; 103939beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 104039beb93cSSam Leffler conn->verify.sha1_client = NULL; 104139beb93cSSam Leffler return -1; 104239beb93cSSam Leffler } 104339beb93cSSam Leffler conn->verify.md5_client = NULL; 104439beb93cSSam Leffler hlen = SHA1_MAC_LEN; 104539beb93cSSam Leffler if (conn->verify.sha1_client == NULL || 104639beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 104739beb93cSSam Leffler &hlen) < 0) { 104839beb93cSSam Leffler conn->verify.sha1_client = NULL; 104939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 105039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 105139beb93cSSam Leffler return -1; 105239beb93cSSam Leffler } 105339beb93cSSam Leffler conn->verify.sha1_client = NULL; 105439beb93cSSam Leffler 105539beb93cSSam Leffler if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 105639beb93cSSam Leffler "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 105739beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN)) { 105839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 105939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 106039beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 106139beb93cSSam Leffler return -1; 106239beb93cSSam Leffler } 106339beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 106439beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN); 106539beb93cSSam Leffler 106639beb93cSSam Leffler if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 106739beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 106839beb93cSSam Leffler return -1; 106939beb93cSSam Leffler } 107039beb93cSSam Leffler 107139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 107239beb93cSSam Leffler 107339beb93cSSam Leffler *in_len = end - in_data; 107439beb93cSSam Leffler 107539beb93cSSam Leffler if (conn->use_session_ticket) { 107639beb93cSSam Leffler /* Abbreviated handshake using session ticket; RFC 4507 */ 107739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 107839beb93cSSam Leffler "successfully"); 107939beb93cSSam Leffler conn->state = ESTABLISHED; 108039beb93cSSam Leffler } else { 108139beb93cSSam Leffler /* Full handshake */ 108239beb93cSSam Leffler conn->state = SERVER_CHANGE_CIPHER_SPEC; 108339beb93cSSam Leffler } 108439beb93cSSam Leffler 108539beb93cSSam Leffler return 0; 108639beb93cSSam Leffler } 108739beb93cSSam Leffler 108839beb93cSSam Leffler 108939beb93cSSam Leffler int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 109039beb93cSSam Leffler const u8 *buf, size_t *len) 109139beb93cSSam Leffler { 109239beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_ALERT) { 109339beb93cSSam Leffler if (*len < 2) { 109439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 109539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 109639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 109739beb93cSSam Leffler return -1; 109839beb93cSSam Leffler } 109939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 110039beb93cSSam Leffler buf[0], buf[1]); 110139beb93cSSam Leffler *len = 2; 110239beb93cSSam Leffler conn->state = FAILED; 110339beb93cSSam Leffler return -1; 110439beb93cSSam Leffler } 110539beb93cSSam Leffler 110639beb93cSSam Leffler switch (conn->state) { 110739beb93cSSam Leffler case CLIENT_HELLO: 110839beb93cSSam Leffler if (tls_process_client_hello(conn, ct, buf, len)) 110939beb93cSSam Leffler return -1; 111039beb93cSSam Leffler break; 111139beb93cSSam Leffler case CLIENT_CERTIFICATE: 111239beb93cSSam Leffler if (tls_process_certificate(conn, ct, buf, len)) 111339beb93cSSam Leffler return -1; 111439beb93cSSam Leffler break; 111539beb93cSSam Leffler case CLIENT_KEY_EXCHANGE: 111639beb93cSSam Leffler if (tls_process_client_key_exchange(conn, ct, buf, len)) 111739beb93cSSam Leffler return -1; 111839beb93cSSam Leffler break; 111939beb93cSSam Leffler case CERTIFICATE_VERIFY: 112039beb93cSSam Leffler if (tls_process_certificate_verify(conn, ct, buf, len)) 112139beb93cSSam Leffler return -1; 112239beb93cSSam Leffler break; 112339beb93cSSam Leffler case CHANGE_CIPHER_SPEC: 112439beb93cSSam Leffler if (tls_process_change_cipher_spec(conn, ct, buf, len)) 112539beb93cSSam Leffler return -1; 112639beb93cSSam Leffler break; 112739beb93cSSam Leffler case CLIENT_FINISHED: 112839beb93cSSam Leffler if (tls_process_client_finished(conn, ct, buf, len)) 112939beb93cSSam Leffler return -1; 113039beb93cSSam Leffler break; 113139beb93cSSam Leffler default: 113239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 113339beb93cSSam Leffler "while processing received message", 113439beb93cSSam Leffler conn->state); 113539beb93cSSam Leffler return -1; 113639beb93cSSam Leffler } 113739beb93cSSam Leffler 113839beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 113939beb93cSSam Leffler tls_verify_hash_add(&conn->verify, buf, *len); 114039beb93cSSam Leffler 114139beb93cSSam Leffler return 0; 114239beb93cSSam Leffler } 1143