139beb93cSSam Leffler /* 239beb93cSSam Leffler * TLSv1 server - read handshake message 339beb93cSSam Leffler * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 439beb93cSSam Leffler * 539beb93cSSam Leffler * This program is free software; you can redistribute it and/or modify 639beb93cSSam Leffler * it under the terms of the GNU General Public License version 2 as 739beb93cSSam Leffler * published by the Free Software Foundation. 839beb93cSSam Leffler * 939beb93cSSam Leffler * Alternatively, this software may be distributed under the terms of BSD 1039beb93cSSam Leffler * license. 1139beb93cSSam Leffler * 1239beb93cSSam Leffler * See README and COPYING for more details. 1339beb93cSSam Leffler */ 1439beb93cSSam Leffler 1539beb93cSSam Leffler #include "includes.h" 1639beb93cSSam Leffler 1739beb93cSSam Leffler #include "common.h" 18*e28a4053SRui Paulo #include "crypto/md5.h" 19*e28a4053SRui Paulo #include "crypto/sha1.h" 20*e28a4053SRui Paulo #include "crypto/tls.h" 2139beb93cSSam Leffler #include "x509v3.h" 2239beb93cSSam Leffler #include "tlsv1_common.h" 2339beb93cSSam Leffler #include "tlsv1_record.h" 2439beb93cSSam Leffler #include "tlsv1_server.h" 2539beb93cSSam Leffler #include "tlsv1_server_i.h" 2639beb93cSSam Leffler 2739beb93cSSam Leffler 2839beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 2939beb93cSSam Leffler const u8 *in_data, size_t *in_len); 3039beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 3139beb93cSSam Leffler u8 ct, const u8 *in_data, 3239beb93cSSam Leffler size_t *in_len); 3339beb93cSSam Leffler 3439beb93cSSam Leffler 3539beb93cSSam Leffler static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 3639beb93cSSam Leffler const u8 *in_data, size_t *in_len) 3739beb93cSSam Leffler { 3839beb93cSSam Leffler const u8 *pos, *end, *c; 3939beb93cSSam Leffler size_t left, len, i, j; 4039beb93cSSam Leffler u16 cipher_suite; 4139beb93cSSam Leffler u16 num_suites; 4239beb93cSSam Leffler int compr_null_found; 433157ba21SRui Paulo u16 ext_type, ext_len; 4439beb93cSSam Leffler 4539beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 4639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 4739beb93cSSam Leffler "received content type 0x%x", ct); 4839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 4939beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 5039beb93cSSam Leffler return -1; 5139beb93cSSam Leffler } 5239beb93cSSam Leffler 5339beb93cSSam Leffler pos = in_data; 5439beb93cSSam Leffler left = *in_len; 5539beb93cSSam Leffler 5639beb93cSSam Leffler if (left < 4) 5739beb93cSSam Leffler goto decode_error; 5839beb93cSSam Leffler 5939beb93cSSam Leffler /* HandshakeType msg_type */ 6039beb93cSSam Leffler if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 6139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 6239beb93cSSam Leffler "message %d (expected ClientHello)", *pos); 6339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 6439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 6539beb93cSSam Leffler return -1; 6639beb93cSSam Leffler } 6739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 6839beb93cSSam Leffler pos++; 6939beb93cSSam Leffler /* uint24 length */ 7039beb93cSSam Leffler len = WPA_GET_BE24(pos); 7139beb93cSSam Leffler pos += 3; 7239beb93cSSam Leffler left -= 4; 7339beb93cSSam Leffler 7439beb93cSSam Leffler if (len > left) 7539beb93cSSam Leffler goto decode_error; 7639beb93cSSam Leffler 7739beb93cSSam Leffler /* body - ClientHello */ 7839beb93cSSam Leffler 7939beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 8039beb93cSSam Leffler end = pos + len; 8139beb93cSSam Leffler 8239beb93cSSam Leffler /* ProtocolVersion client_version */ 8339beb93cSSam Leffler if (end - pos < 2) 8439beb93cSSam Leffler goto decode_error; 8539beb93cSSam Leffler conn->client_version = WPA_GET_BE16(pos); 8639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 8739beb93cSSam Leffler conn->client_version >> 8, conn->client_version & 0xff); 8839beb93cSSam Leffler if (conn->client_version < TLS_VERSION) { 8939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 9039beb93cSSam Leffler "ClientHello"); 9139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 9239beb93cSSam Leffler TLS_ALERT_PROTOCOL_VERSION); 9339beb93cSSam Leffler return -1; 9439beb93cSSam Leffler } 9539beb93cSSam Leffler pos += 2; 9639beb93cSSam Leffler 9739beb93cSSam Leffler /* Random random */ 9839beb93cSSam Leffler if (end - pos < TLS_RANDOM_LEN) 9939beb93cSSam Leffler goto decode_error; 10039beb93cSSam Leffler 10139beb93cSSam Leffler os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 10239beb93cSSam Leffler pos += TLS_RANDOM_LEN; 10339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 10439beb93cSSam Leffler conn->client_random, TLS_RANDOM_LEN); 10539beb93cSSam Leffler 10639beb93cSSam Leffler /* SessionID session_id */ 10739beb93cSSam Leffler if (end - pos < 1) 10839beb93cSSam Leffler goto decode_error; 10939beb93cSSam Leffler if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 11039beb93cSSam Leffler goto decode_error; 11139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 11239beb93cSSam Leffler pos += 1 + *pos; 11339beb93cSSam Leffler /* TODO: add support for session resumption */ 11439beb93cSSam Leffler 11539beb93cSSam Leffler /* CipherSuite cipher_suites<2..2^16-1> */ 11639beb93cSSam Leffler if (end - pos < 2) 11739beb93cSSam Leffler goto decode_error; 11839beb93cSSam Leffler num_suites = WPA_GET_BE16(pos); 11939beb93cSSam Leffler pos += 2; 12039beb93cSSam Leffler if (end - pos < num_suites) 12139beb93cSSam Leffler goto decode_error; 12239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 12339beb93cSSam Leffler pos, num_suites); 12439beb93cSSam Leffler if (num_suites & 1) 12539beb93cSSam Leffler goto decode_error; 12639beb93cSSam Leffler num_suites /= 2; 12739beb93cSSam Leffler 12839beb93cSSam Leffler cipher_suite = 0; 12939beb93cSSam Leffler for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 13039beb93cSSam Leffler c = pos; 13139beb93cSSam Leffler for (j = 0; j < num_suites; j++) { 13239beb93cSSam Leffler u16 tmp = WPA_GET_BE16(c); 13339beb93cSSam Leffler c += 2; 13439beb93cSSam Leffler if (!cipher_suite && tmp == conn->cipher_suites[i]) { 13539beb93cSSam Leffler cipher_suite = tmp; 13639beb93cSSam Leffler break; 13739beb93cSSam Leffler } 13839beb93cSSam Leffler } 13939beb93cSSam Leffler } 14039beb93cSSam Leffler pos += num_suites * 2; 14139beb93cSSam Leffler if (!cipher_suite) { 14239beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 14339beb93cSSam Leffler "available"); 14439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 14539beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 14639beb93cSSam Leffler return -1; 14739beb93cSSam Leffler } 14839beb93cSSam Leffler 14939beb93cSSam Leffler if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 15039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 15139beb93cSSam Leffler "record layer"); 15239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 15339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 15439beb93cSSam Leffler return -1; 15539beb93cSSam Leffler } 15639beb93cSSam Leffler 15739beb93cSSam Leffler conn->cipher_suite = cipher_suite; 15839beb93cSSam Leffler 15939beb93cSSam Leffler /* CompressionMethod compression_methods<1..2^8-1> */ 16039beb93cSSam Leffler if (end - pos < 1) 16139beb93cSSam Leffler goto decode_error; 16239beb93cSSam Leffler num_suites = *pos++; 16339beb93cSSam Leffler if (end - pos < num_suites) 16439beb93cSSam Leffler goto decode_error; 16539beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 16639beb93cSSam Leffler pos, num_suites); 16739beb93cSSam Leffler compr_null_found = 0; 16839beb93cSSam Leffler for (i = 0; i < num_suites; i++) { 16939beb93cSSam Leffler if (*pos++ == TLS_COMPRESSION_NULL) 17039beb93cSSam Leffler compr_null_found = 1; 17139beb93cSSam Leffler } 17239beb93cSSam Leffler if (!compr_null_found) { 17339beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 17439beb93cSSam Leffler "compression"); 17539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 17639beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 17739beb93cSSam Leffler return -1; 17839beb93cSSam Leffler } 17939beb93cSSam Leffler 18039beb93cSSam Leffler if (end - pos == 1) { 18139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 18239beb93cSSam Leffler "end of ClientHello: 0x%02x", *pos); 18339beb93cSSam Leffler goto decode_error; 18439beb93cSSam Leffler } 18539beb93cSSam Leffler 18639beb93cSSam Leffler if (end - pos >= 2) { 18739beb93cSSam Leffler /* Extension client_hello_extension_list<0..2^16-1> */ 18839beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 18939beb93cSSam Leffler pos += 2; 19039beb93cSSam Leffler 19139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 19239beb93cSSam Leffler "extensions", ext_len); 19339beb93cSSam Leffler if (end - pos != ext_len) { 19439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 19539beb93cSSam Leffler "extension list length %u (expected %u)", 1963157ba21SRui Paulo ext_len, (unsigned int) (end - pos)); 19739beb93cSSam Leffler goto decode_error; 19839beb93cSSam Leffler } 19939beb93cSSam Leffler 20039beb93cSSam Leffler /* 20139beb93cSSam Leffler * struct { 20239beb93cSSam Leffler * ExtensionType extension_type (0..65535) 20339beb93cSSam Leffler * opaque extension_data<0..2^16-1> 20439beb93cSSam Leffler * } Extension; 20539beb93cSSam Leffler */ 20639beb93cSSam Leffler 20739beb93cSSam Leffler while (pos < end) { 20839beb93cSSam Leffler if (end - pos < 2) { 20939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 21039beb93cSSam Leffler "extension_type field"); 21139beb93cSSam Leffler goto decode_error; 21239beb93cSSam Leffler } 21339beb93cSSam Leffler 21439beb93cSSam Leffler ext_type = WPA_GET_BE16(pos); 21539beb93cSSam Leffler pos += 2; 21639beb93cSSam Leffler 21739beb93cSSam Leffler if (end - pos < 2) { 21839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 21939beb93cSSam Leffler "extension_data length field"); 22039beb93cSSam Leffler goto decode_error; 22139beb93cSSam Leffler } 22239beb93cSSam Leffler 22339beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 22439beb93cSSam Leffler pos += 2; 22539beb93cSSam Leffler 22639beb93cSSam Leffler if (end - pos < ext_len) { 22739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 22839beb93cSSam Leffler "extension_data field"); 22939beb93cSSam Leffler goto decode_error; 23039beb93cSSam Leffler } 23139beb93cSSam Leffler 23239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 23339beb93cSSam Leffler "type %u", ext_type); 23439beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 23539beb93cSSam Leffler "Extension data", pos, ext_len); 23639beb93cSSam Leffler 23739beb93cSSam Leffler if (ext_type == TLS_EXT_SESSION_TICKET) { 23839beb93cSSam Leffler os_free(conn->session_ticket); 23939beb93cSSam Leffler conn->session_ticket = os_malloc(ext_len); 24039beb93cSSam Leffler if (conn->session_ticket) { 24139beb93cSSam Leffler os_memcpy(conn->session_ticket, pos, 24239beb93cSSam Leffler ext_len); 24339beb93cSSam Leffler conn->session_ticket_len = ext_len; 24439beb93cSSam Leffler } 24539beb93cSSam Leffler } 24639beb93cSSam Leffler 24739beb93cSSam Leffler pos += ext_len; 24839beb93cSSam Leffler } 24939beb93cSSam Leffler } 25039beb93cSSam Leffler 25139beb93cSSam Leffler *in_len = end - in_data; 25239beb93cSSam Leffler 25339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 25439beb93cSSam Leffler "ServerHello"); 25539beb93cSSam Leffler conn->state = SERVER_HELLO; 25639beb93cSSam Leffler 25739beb93cSSam Leffler return 0; 25839beb93cSSam Leffler 25939beb93cSSam Leffler decode_error: 26039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 26139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 26239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 26339beb93cSSam Leffler return -1; 26439beb93cSSam Leffler } 26539beb93cSSam Leffler 26639beb93cSSam Leffler 26739beb93cSSam Leffler static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 26839beb93cSSam Leffler const u8 *in_data, size_t *in_len) 26939beb93cSSam Leffler { 27039beb93cSSam Leffler const u8 *pos, *end; 27139beb93cSSam Leffler size_t left, len, list_len, cert_len, idx; 27239beb93cSSam Leffler u8 type; 27339beb93cSSam Leffler struct x509_certificate *chain = NULL, *last = NULL, *cert; 27439beb93cSSam Leffler int reason; 27539beb93cSSam Leffler 27639beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 27739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 27839beb93cSSam Leffler "received content type 0x%x", ct); 27939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 28039beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 28139beb93cSSam Leffler return -1; 28239beb93cSSam Leffler } 28339beb93cSSam Leffler 28439beb93cSSam Leffler pos = in_data; 28539beb93cSSam Leffler left = *in_len; 28639beb93cSSam Leffler 28739beb93cSSam Leffler if (left < 4) { 28839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 28939beb93cSSam Leffler "(len=%lu)", (unsigned long) left); 29039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 29139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 29239beb93cSSam Leffler return -1; 29339beb93cSSam Leffler } 29439beb93cSSam Leffler 29539beb93cSSam Leffler type = *pos++; 29639beb93cSSam Leffler len = WPA_GET_BE24(pos); 29739beb93cSSam Leffler pos += 3; 29839beb93cSSam Leffler left -= 4; 29939beb93cSSam Leffler 30039beb93cSSam Leffler if (len > left) { 30139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 30239beb93cSSam Leffler "length (len=%lu != left=%lu)", 30339beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 30439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 30539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 30639beb93cSSam Leffler return -1; 30739beb93cSSam Leffler } 30839beb93cSSam Leffler 30939beb93cSSam Leffler if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 31039beb93cSSam Leffler if (conn->verify_peer) { 31139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 31239beb93cSSam Leffler "Certificate"); 31339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 31439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 31539beb93cSSam Leffler return -1; 31639beb93cSSam Leffler } 31739beb93cSSam Leffler 31839beb93cSSam Leffler return tls_process_client_key_exchange(conn, ct, in_data, 31939beb93cSSam Leffler in_len); 32039beb93cSSam Leffler } 32139beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 32239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 32339beb93cSSam Leffler "message %d (expected Certificate/" 32439beb93cSSam Leffler "ClientKeyExchange)", type); 32539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 32639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 32739beb93cSSam Leffler return -1; 32839beb93cSSam Leffler } 32939beb93cSSam Leffler 33039beb93cSSam Leffler wpa_printf(MSG_DEBUG, 33139beb93cSSam Leffler "TLSv1: Received Certificate (certificate_list len %lu)", 33239beb93cSSam Leffler (unsigned long) len); 33339beb93cSSam Leffler 33439beb93cSSam Leffler /* 33539beb93cSSam Leffler * opaque ASN.1Cert<2^24-1>; 33639beb93cSSam Leffler * 33739beb93cSSam Leffler * struct { 33839beb93cSSam Leffler * ASN.1Cert certificate_list<1..2^24-1>; 33939beb93cSSam Leffler * } Certificate; 34039beb93cSSam Leffler */ 34139beb93cSSam Leffler 34239beb93cSSam Leffler end = pos + len; 34339beb93cSSam Leffler 34439beb93cSSam Leffler if (end - pos < 3) { 34539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 34639beb93cSSam Leffler "(left=%lu)", (unsigned long) left); 34739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 34839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 34939beb93cSSam Leffler return -1; 35039beb93cSSam Leffler } 35139beb93cSSam Leffler 35239beb93cSSam Leffler list_len = WPA_GET_BE24(pos); 35339beb93cSSam Leffler pos += 3; 35439beb93cSSam Leffler 35539beb93cSSam Leffler if ((size_t) (end - pos) != list_len) { 35639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 35739beb93cSSam Leffler "length (len=%lu left=%lu)", 35839beb93cSSam Leffler (unsigned long) list_len, 35939beb93cSSam Leffler (unsigned long) (end - pos)); 36039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 36139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 36239beb93cSSam Leffler return -1; 36339beb93cSSam Leffler } 36439beb93cSSam Leffler 36539beb93cSSam Leffler idx = 0; 36639beb93cSSam Leffler while (pos < end) { 36739beb93cSSam Leffler if (end - pos < 3) { 36839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 36939beb93cSSam Leffler "certificate_list"); 37039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 37139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 37239beb93cSSam Leffler x509_certificate_chain_free(chain); 37339beb93cSSam Leffler return -1; 37439beb93cSSam Leffler } 37539beb93cSSam Leffler 37639beb93cSSam Leffler cert_len = WPA_GET_BE24(pos); 37739beb93cSSam Leffler pos += 3; 37839beb93cSSam Leffler 37939beb93cSSam Leffler if ((size_t) (end - pos) < cert_len) { 38039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 38139beb93cSSam Leffler "length (len=%lu left=%lu)", 38239beb93cSSam Leffler (unsigned long) cert_len, 38339beb93cSSam Leffler (unsigned long) (end - pos)); 38439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 38539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 38639beb93cSSam Leffler x509_certificate_chain_free(chain); 38739beb93cSSam Leffler return -1; 38839beb93cSSam Leffler } 38939beb93cSSam Leffler 39039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 39139beb93cSSam Leffler (unsigned long) idx, (unsigned long) cert_len); 39239beb93cSSam Leffler 39339beb93cSSam Leffler if (idx == 0) { 39439beb93cSSam Leffler crypto_public_key_free(conn->client_rsa_key); 39539beb93cSSam Leffler if (tls_parse_cert(pos, cert_len, 39639beb93cSSam Leffler &conn->client_rsa_key)) { 39739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 39839beb93cSSam Leffler "the certificate"); 39939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 40039beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 40139beb93cSSam Leffler x509_certificate_chain_free(chain); 40239beb93cSSam Leffler return -1; 40339beb93cSSam Leffler } 40439beb93cSSam Leffler } 40539beb93cSSam Leffler 40639beb93cSSam Leffler cert = x509_certificate_parse(pos, cert_len); 40739beb93cSSam Leffler if (cert == NULL) { 40839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 40939beb93cSSam Leffler "the certificate"); 41039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 41139beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 41239beb93cSSam Leffler x509_certificate_chain_free(chain); 41339beb93cSSam Leffler return -1; 41439beb93cSSam Leffler } 41539beb93cSSam Leffler 41639beb93cSSam Leffler if (last == NULL) 41739beb93cSSam Leffler chain = cert; 41839beb93cSSam Leffler else 41939beb93cSSam Leffler last->next = cert; 42039beb93cSSam Leffler last = cert; 42139beb93cSSam Leffler 42239beb93cSSam Leffler idx++; 42339beb93cSSam Leffler pos += cert_len; 42439beb93cSSam Leffler } 42539beb93cSSam Leffler 42639beb93cSSam Leffler if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 42739beb93cSSam Leffler &reason) < 0) { 42839beb93cSSam Leffler int tls_reason; 42939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 43039beb93cSSam Leffler "validation failed (reason=%d)", reason); 43139beb93cSSam Leffler switch (reason) { 43239beb93cSSam Leffler case X509_VALIDATE_BAD_CERTIFICATE: 43339beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 43439beb93cSSam Leffler break; 43539beb93cSSam Leffler case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 43639beb93cSSam Leffler tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 43739beb93cSSam Leffler break; 43839beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_REVOKED: 43939beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 44039beb93cSSam Leffler break; 44139beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_EXPIRED: 44239beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 44339beb93cSSam Leffler break; 44439beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_UNKNOWN: 44539beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 44639beb93cSSam Leffler break; 44739beb93cSSam Leffler case X509_VALIDATE_UNKNOWN_CA: 44839beb93cSSam Leffler tls_reason = TLS_ALERT_UNKNOWN_CA; 44939beb93cSSam Leffler break; 45039beb93cSSam Leffler default: 45139beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 45239beb93cSSam Leffler break; 45339beb93cSSam Leffler } 45439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 45539beb93cSSam Leffler x509_certificate_chain_free(chain); 45639beb93cSSam Leffler return -1; 45739beb93cSSam Leffler } 45839beb93cSSam Leffler 45939beb93cSSam Leffler x509_certificate_chain_free(chain); 46039beb93cSSam Leffler 46139beb93cSSam Leffler *in_len = end - in_data; 46239beb93cSSam Leffler 46339beb93cSSam Leffler conn->state = CLIENT_KEY_EXCHANGE; 46439beb93cSSam Leffler 46539beb93cSSam Leffler return 0; 46639beb93cSSam Leffler } 46739beb93cSSam Leffler 46839beb93cSSam Leffler 46939beb93cSSam Leffler static int tls_process_client_key_exchange_rsa( 47039beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 47139beb93cSSam Leffler { 47239beb93cSSam Leffler u8 *out; 47339beb93cSSam Leffler size_t outlen, outbuflen; 47439beb93cSSam Leffler u16 encr_len; 47539beb93cSSam Leffler int res; 47639beb93cSSam Leffler int use_random = 0; 47739beb93cSSam Leffler 47839beb93cSSam Leffler if (end - pos < 2) { 47939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 48039beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 48139beb93cSSam Leffler return -1; 48239beb93cSSam Leffler } 48339beb93cSSam Leffler 48439beb93cSSam Leffler encr_len = WPA_GET_BE16(pos); 48539beb93cSSam Leffler pos += 2; 48639beb93cSSam Leffler 48739beb93cSSam Leffler outbuflen = outlen = end - pos; 48839beb93cSSam Leffler out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 48939beb93cSSam Leffler outlen : TLS_PRE_MASTER_SECRET_LEN); 49039beb93cSSam Leffler if (out == NULL) { 49139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 49339beb93cSSam Leffler return -1; 49439beb93cSSam Leffler } 49539beb93cSSam Leffler 49639beb93cSSam Leffler /* 49739beb93cSSam Leffler * struct { 49839beb93cSSam Leffler * ProtocolVersion client_version; 49939beb93cSSam Leffler * opaque random[46]; 50039beb93cSSam Leffler * } PreMasterSecret; 50139beb93cSSam Leffler * 50239beb93cSSam Leffler * struct { 50339beb93cSSam Leffler * public-key-encrypted PreMasterSecret pre_master_secret; 50439beb93cSSam Leffler * } EncryptedPreMasterSecret; 50539beb93cSSam Leffler */ 50639beb93cSSam Leffler 50739beb93cSSam Leffler /* 50839beb93cSSam Leffler * Note: To avoid Bleichenbacher attack, we do not report decryption or 50939beb93cSSam Leffler * parsing errors from EncryptedPreMasterSecret processing to the 51039beb93cSSam Leffler * client. Instead, a random pre-master secret is used to force the 51139beb93cSSam Leffler * handshake to fail. 51239beb93cSSam Leffler */ 51339beb93cSSam Leffler 51439beb93cSSam Leffler if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 51539beb93cSSam Leffler pos, end - pos, 51639beb93cSSam Leffler out, &outlen) < 0) { 51739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 51839beb93cSSam Leffler "PreMasterSecret (encr_len=%d outlen=%lu)", 5193157ba21SRui Paulo (int) (end - pos), (unsigned long) outlen); 52039beb93cSSam Leffler use_random = 1; 52139beb93cSSam Leffler } 52239beb93cSSam Leffler 52339beb93cSSam Leffler if (outlen != TLS_PRE_MASTER_SECRET_LEN) { 52439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 52539beb93cSSam Leffler "length %lu", (unsigned long) outlen); 52639beb93cSSam Leffler use_random = 1; 52739beb93cSSam Leffler } 52839beb93cSSam Leffler 52939beb93cSSam Leffler if (WPA_GET_BE16(out) != conn->client_version) { 53039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 53139beb93cSSam Leffler "ClientKeyExchange does not match with version in " 53239beb93cSSam Leffler "ClientHello"); 53339beb93cSSam Leffler use_random = 1; 53439beb93cSSam Leffler } 53539beb93cSSam Leffler 53639beb93cSSam Leffler if (use_random) { 53739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 53839beb93cSSam Leffler "to avoid revealing information about private key"); 53939beb93cSSam Leffler outlen = TLS_PRE_MASTER_SECRET_LEN; 54039beb93cSSam Leffler if (os_get_random(out, outlen)) { 54139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 54239beb93cSSam Leffler "data"); 54339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 54439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 54539beb93cSSam Leffler os_free(out); 54639beb93cSSam Leffler return -1; 54739beb93cSSam Leffler } 54839beb93cSSam Leffler } 54939beb93cSSam Leffler 55039beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, out, outlen); 55139beb93cSSam Leffler 55239beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 55339beb93cSSam Leffler os_memset(out, 0, outbuflen); 55439beb93cSSam Leffler os_free(out); 55539beb93cSSam Leffler 55639beb93cSSam Leffler if (res) { 55739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 55839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 55939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 56039beb93cSSam Leffler return -1; 56139beb93cSSam Leffler } 56239beb93cSSam Leffler 56339beb93cSSam Leffler return 0; 56439beb93cSSam Leffler } 56539beb93cSSam Leffler 56639beb93cSSam Leffler 56739beb93cSSam Leffler static int tls_process_client_key_exchange_dh_anon( 56839beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 56939beb93cSSam Leffler { 57039beb93cSSam Leffler const u8 *dh_yc; 57139beb93cSSam Leffler u16 dh_yc_len; 57239beb93cSSam Leffler u8 *shared; 57339beb93cSSam Leffler size_t shared_len; 57439beb93cSSam Leffler int res; 57539beb93cSSam Leffler 57639beb93cSSam Leffler /* 57739beb93cSSam Leffler * struct { 57839beb93cSSam Leffler * select (PublicValueEncoding) { 57939beb93cSSam Leffler * case implicit: struct { }; 58039beb93cSSam Leffler * case explicit: opaque dh_Yc<1..2^16-1>; 58139beb93cSSam Leffler * } dh_public; 58239beb93cSSam Leffler * } ClientDiffieHellmanPublic; 58339beb93cSSam Leffler */ 58439beb93cSSam Leffler 58539beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 58639beb93cSSam Leffler pos, end - pos); 58739beb93cSSam Leffler 58839beb93cSSam Leffler if (end == pos) { 58939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 59039beb93cSSam Leffler "not supported"); 59139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 59239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 59339beb93cSSam Leffler return -1; 59439beb93cSSam Leffler } 59539beb93cSSam Leffler 59639beb93cSSam Leffler if (end - pos < 3) { 59739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 59839beb93cSSam Leffler "length"); 59939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 60039beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 60139beb93cSSam Leffler return -1; 60239beb93cSSam Leffler } 60339beb93cSSam Leffler 60439beb93cSSam Leffler dh_yc_len = WPA_GET_BE16(pos); 60539beb93cSSam Leffler dh_yc = pos + 2; 60639beb93cSSam Leffler 60739beb93cSSam Leffler if (dh_yc + dh_yc_len > end) { 60839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 60939beb93cSSam Leffler "(length %d)", dh_yc_len); 61039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 61139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 61239beb93cSSam Leffler return -1; 61339beb93cSSam Leffler } 61439beb93cSSam Leffler 61539beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 61639beb93cSSam Leffler dh_yc, dh_yc_len); 61739beb93cSSam Leffler 61839beb93cSSam Leffler if (conn->cred == NULL || conn->cred->dh_p == NULL || 61939beb93cSSam Leffler conn->dh_secret == NULL) { 62039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 62139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 62239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 62339beb93cSSam Leffler return -1; 62439beb93cSSam Leffler } 62539beb93cSSam Leffler 62639beb93cSSam Leffler shared_len = conn->cred->dh_p_len; 62739beb93cSSam Leffler shared = os_malloc(shared_len); 62839beb93cSSam Leffler if (shared == NULL) { 62939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 63039beb93cSSam Leffler "DH"); 63139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 63239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 63339beb93cSSam Leffler return -1; 63439beb93cSSam Leffler } 63539beb93cSSam Leffler 63639beb93cSSam Leffler /* shared = Yc^secret mod p */ 63739beb93cSSam Leffler if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 63839beb93cSSam Leffler conn->dh_secret_len, 63939beb93cSSam Leffler conn->cred->dh_p, conn->cred->dh_p_len, 64039beb93cSSam Leffler shared, &shared_len)) { 64139beb93cSSam Leffler os_free(shared); 64239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 64339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 64439beb93cSSam Leffler return -1; 64539beb93cSSam Leffler } 64639beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 64739beb93cSSam Leffler shared, shared_len); 64839beb93cSSam Leffler 64939beb93cSSam Leffler os_memset(conn->dh_secret, 0, conn->dh_secret_len); 65039beb93cSSam Leffler os_free(conn->dh_secret); 65139beb93cSSam Leffler conn->dh_secret = NULL; 65239beb93cSSam Leffler 65339beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, shared, shared_len); 65439beb93cSSam Leffler 65539beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 65639beb93cSSam Leffler os_memset(shared, 0, shared_len); 65739beb93cSSam Leffler os_free(shared); 65839beb93cSSam Leffler 65939beb93cSSam Leffler if (res) { 66039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 66139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 66239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 66339beb93cSSam Leffler return -1; 66439beb93cSSam Leffler } 66539beb93cSSam Leffler 66639beb93cSSam Leffler return 0; 66739beb93cSSam Leffler } 66839beb93cSSam Leffler 66939beb93cSSam Leffler 67039beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 67139beb93cSSam Leffler const u8 *in_data, size_t *in_len) 67239beb93cSSam Leffler { 67339beb93cSSam Leffler const u8 *pos, *end; 67439beb93cSSam Leffler size_t left, len; 67539beb93cSSam Leffler u8 type; 67639beb93cSSam Leffler tls_key_exchange keyx; 67739beb93cSSam Leffler const struct tls_cipher_suite *suite; 67839beb93cSSam Leffler 67939beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 68039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 68139beb93cSSam Leffler "received content type 0x%x", ct); 68239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 68339beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 68439beb93cSSam Leffler return -1; 68539beb93cSSam Leffler } 68639beb93cSSam Leffler 68739beb93cSSam Leffler pos = in_data; 68839beb93cSSam Leffler left = *in_len; 68939beb93cSSam Leffler 69039beb93cSSam Leffler if (left < 4) { 69139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 69239beb93cSSam Leffler "(Left=%lu)", (unsigned long) left); 69339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 69439beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 69539beb93cSSam Leffler return -1; 69639beb93cSSam Leffler } 69739beb93cSSam Leffler 69839beb93cSSam Leffler type = *pos++; 69939beb93cSSam Leffler len = WPA_GET_BE24(pos); 70039beb93cSSam Leffler pos += 3; 70139beb93cSSam Leffler left -= 4; 70239beb93cSSam Leffler 70339beb93cSSam Leffler if (len > left) { 70439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 70539beb93cSSam Leffler "length (len=%lu != left=%lu)", 70639beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 70739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 70839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 70939beb93cSSam Leffler return -1; 71039beb93cSSam Leffler } 71139beb93cSSam Leffler 71239beb93cSSam Leffler end = pos + len; 71339beb93cSSam Leffler 71439beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 71539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 71639beb93cSSam Leffler "message %d (expected ClientKeyExchange)", type); 71739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 71839beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 71939beb93cSSam Leffler return -1; 72039beb93cSSam Leffler } 72139beb93cSSam Leffler 72239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 72339beb93cSSam Leffler 72439beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 72539beb93cSSam Leffler 72639beb93cSSam Leffler suite = tls_get_cipher_suite(conn->rl.cipher_suite); 72739beb93cSSam Leffler if (suite == NULL) 72839beb93cSSam Leffler keyx = TLS_KEY_X_NULL; 72939beb93cSSam Leffler else 73039beb93cSSam Leffler keyx = suite->key_exchange; 73139beb93cSSam Leffler 73239beb93cSSam Leffler if (keyx == TLS_KEY_X_DH_anon && 73339beb93cSSam Leffler tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 73439beb93cSSam Leffler return -1; 73539beb93cSSam Leffler 73639beb93cSSam Leffler if (keyx != TLS_KEY_X_DH_anon && 73739beb93cSSam Leffler tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 73839beb93cSSam Leffler return -1; 73939beb93cSSam Leffler 74039beb93cSSam Leffler *in_len = end - in_data; 74139beb93cSSam Leffler 74239beb93cSSam Leffler conn->state = CERTIFICATE_VERIFY; 74339beb93cSSam Leffler 74439beb93cSSam Leffler return 0; 74539beb93cSSam Leffler } 74639beb93cSSam Leffler 74739beb93cSSam Leffler 74839beb93cSSam Leffler static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 74939beb93cSSam Leffler const u8 *in_data, size_t *in_len) 75039beb93cSSam Leffler { 75139beb93cSSam Leffler const u8 *pos, *end; 75239beb93cSSam Leffler size_t left, len; 75339beb93cSSam Leffler u8 type; 75439beb93cSSam Leffler size_t hlen, buflen; 75539beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 75639beb93cSSam Leffler enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 75739beb93cSSam Leffler u16 slen; 75839beb93cSSam Leffler 75939beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 76039beb93cSSam Leffler if (conn->verify_peer) { 76139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 76239beb93cSSam Leffler "CertificateVerify"); 76339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 76439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 76539beb93cSSam Leffler return -1; 76639beb93cSSam Leffler } 76739beb93cSSam Leffler 76839beb93cSSam Leffler return tls_process_change_cipher_spec(conn, ct, in_data, 76939beb93cSSam Leffler in_len); 77039beb93cSSam Leffler } 77139beb93cSSam Leffler 77239beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 77339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 77439beb93cSSam Leffler "received content type 0x%x", ct); 77539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 77639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 77739beb93cSSam Leffler return -1; 77839beb93cSSam Leffler } 77939beb93cSSam Leffler 78039beb93cSSam Leffler pos = in_data; 78139beb93cSSam Leffler left = *in_len; 78239beb93cSSam Leffler 78339beb93cSSam Leffler if (left < 4) { 78439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 78539beb93cSSam Leffler "message (len=%lu)", (unsigned long) left); 78639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 78739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 78839beb93cSSam Leffler return -1; 78939beb93cSSam Leffler } 79039beb93cSSam Leffler 79139beb93cSSam Leffler type = *pos++; 79239beb93cSSam Leffler len = WPA_GET_BE24(pos); 79339beb93cSSam Leffler pos += 3; 79439beb93cSSam Leffler left -= 4; 79539beb93cSSam Leffler 79639beb93cSSam Leffler if (len > left) { 79739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 79839beb93cSSam Leffler "message length (len=%lu != left=%lu)", 79939beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 80039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 80139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 80239beb93cSSam Leffler return -1; 80339beb93cSSam Leffler } 80439beb93cSSam Leffler 80539beb93cSSam Leffler end = pos + len; 80639beb93cSSam Leffler 80739beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 80839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 80939beb93cSSam Leffler "message %d (expected CertificateVerify)", type); 81039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 81139beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 81239beb93cSSam Leffler return -1; 81339beb93cSSam Leffler } 81439beb93cSSam Leffler 81539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 81639beb93cSSam Leffler 81739beb93cSSam Leffler /* 81839beb93cSSam Leffler * struct { 81939beb93cSSam Leffler * Signature signature; 82039beb93cSSam Leffler * } CertificateVerify; 82139beb93cSSam Leffler */ 82239beb93cSSam Leffler 82339beb93cSSam Leffler hpos = hash; 82439beb93cSSam Leffler 82539beb93cSSam Leffler if (alg == SIGN_ALG_RSA) { 82639beb93cSSam Leffler hlen = MD5_MAC_LEN; 82739beb93cSSam Leffler if (conn->verify.md5_cert == NULL || 82839beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 82939beb93cSSam Leffler { 83039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 83139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 83239beb93cSSam Leffler conn->verify.md5_cert = NULL; 83339beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 83439beb93cSSam Leffler conn->verify.sha1_cert = NULL; 83539beb93cSSam Leffler return -1; 83639beb93cSSam Leffler } 83739beb93cSSam Leffler hpos += MD5_MAC_LEN; 83839beb93cSSam Leffler } else 83939beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 84039beb93cSSam Leffler 84139beb93cSSam Leffler conn->verify.md5_cert = NULL; 84239beb93cSSam Leffler hlen = SHA1_MAC_LEN; 84339beb93cSSam Leffler if (conn->verify.sha1_cert == NULL || 84439beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 84539beb93cSSam Leffler conn->verify.sha1_cert = NULL; 84639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 84739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 84839beb93cSSam Leffler return -1; 84939beb93cSSam Leffler } 85039beb93cSSam Leffler conn->verify.sha1_cert = NULL; 85139beb93cSSam Leffler 85239beb93cSSam Leffler if (alg == SIGN_ALG_RSA) 85339beb93cSSam Leffler hlen += MD5_MAC_LEN; 85439beb93cSSam Leffler 85539beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 85639beb93cSSam Leffler 85739beb93cSSam Leffler if (end - pos < 2) { 85839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 85939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 86039beb93cSSam Leffler return -1; 86139beb93cSSam Leffler } 86239beb93cSSam Leffler slen = WPA_GET_BE16(pos); 86339beb93cSSam Leffler pos += 2; 86439beb93cSSam Leffler if (end - pos < slen) { 86539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 86639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 86739beb93cSSam Leffler return -1; 86839beb93cSSam Leffler } 86939beb93cSSam Leffler 87039beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 87139beb93cSSam Leffler if (conn->client_rsa_key == NULL) { 87239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 87339beb93cSSam Leffler "signature"); 87439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 87539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 87639beb93cSSam Leffler return -1; 87739beb93cSSam Leffler } 87839beb93cSSam Leffler 87939beb93cSSam Leffler buflen = end - pos; 88039beb93cSSam Leffler buf = os_malloc(end - pos); 88139beb93cSSam Leffler if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 88239beb93cSSam Leffler pos, end - pos, buf, &buflen) < 0) 88339beb93cSSam Leffler { 88439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 88539beb93cSSam Leffler os_free(buf); 88639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 88739beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 88839beb93cSSam Leffler return -1; 88939beb93cSSam Leffler } 89039beb93cSSam Leffler 89139beb93cSSam Leffler wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 89239beb93cSSam Leffler buf, buflen); 89339beb93cSSam Leffler 89439beb93cSSam Leffler if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 89539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 89639beb93cSSam Leffler "CertificateVerify - did not match with calculated " 89739beb93cSSam Leffler "hash"); 89839beb93cSSam Leffler os_free(buf); 89939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 90039beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 90139beb93cSSam Leffler return -1; 90239beb93cSSam Leffler } 90339beb93cSSam Leffler 90439beb93cSSam Leffler os_free(buf); 90539beb93cSSam Leffler 90639beb93cSSam Leffler *in_len = end - in_data; 90739beb93cSSam Leffler 90839beb93cSSam Leffler conn->state = CHANGE_CIPHER_SPEC; 90939beb93cSSam Leffler 91039beb93cSSam Leffler return 0; 91139beb93cSSam Leffler } 91239beb93cSSam Leffler 91339beb93cSSam Leffler 91439beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 91539beb93cSSam Leffler u8 ct, const u8 *in_data, 91639beb93cSSam Leffler size_t *in_len) 91739beb93cSSam Leffler { 91839beb93cSSam Leffler const u8 *pos; 91939beb93cSSam Leffler size_t left; 92039beb93cSSam Leffler 92139beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 92239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 92339beb93cSSam Leffler "received content type 0x%x", ct); 92439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 92539beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 92639beb93cSSam Leffler return -1; 92739beb93cSSam Leffler } 92839beb93cSSam Leffler 92939beb93cSSam Leffler pos = in_data; 93039beb93cSSam Leffler left = *in_len; 93139beb93cSSam Leffler 93239beb93cSSam Leffler if (left < 1) { 93339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 93439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 93539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 93639beb93cSSam Leffler return -1; 93739beb93cSSam Leffler } 93839beb93cSSam Leffler 93939beb93cSSam Leffler if (*pos != TLS_CHANGE_CIPHER_SPEC) { 94039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 94139beb93cSSam Leffler "received data 0x%x", *pos); 94239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 94339beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 94439beb93cSSam Leffler return -1; 94539beb93cSSam Leffler } 94639beb93cSSam Leffler 94739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 94839beb93cSSam Leffler if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 94939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 95039beb93cSSam Leffler "for record layer"); 95139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 95239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 95339beb93cSSam Leffler return -1; 95439beb93cSSam Leffler } 95539beb93cSSam Leffler 95639beb93cSSam Leffler *in_len = pos + 1 - in_data; 95739beb93cSSam Leffler 95839beb93cSSam Leffler conn->state = CLIENT_FINISHED; 95939beb93cSSam Leffler 96039beb93cSSam Leffler return 0; 96139beb93cSSam Leffler } 96239beb93cSSam Leffler 96339beb93cSSam Leffler 96439beb93cSSam Leffler static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 96539beb93cSSam Leffler const u8 *in_data, size_t *in_len) 96639beb93cSSam Leffler { 96739beb93cSSam Leffler const u8 *pos, *end; 96839beb93cSSam Leffler size_t left, len, hlen; 96939beb93cSSam Leffler u8 verify_data[TLS_VERIFY_DATA_LEN]; 97039beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 97139beb93cSSam Leffler 97239beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 97339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 97439beb93cSSam Leffler "received content type 0x%x", ct); 97539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 97639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 97739beb93cSSam Leffler return -1; 97839beb93cSSam Leffler } 97939beb93cSSam Leffler 98039beb93cSSam Leffler pos = in_data; 98139beb93cSSam Leffler left = *in_len; 98239beb93cSSam Leffler 98339beb93cSSam Leffler if (left < 4) { 98439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 98539beb93cSSam Leffler "Finished", 98639beb93cSSam Leffler (unsigned long) left); 98739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 98839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 98939beb93cSSam Leffler return -1; 99039beb93cSSam Leffler } 99139beb93cSSam Leffler 99239beb93cSSam Leffler if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 99339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 99439beb93cSSam Leffler "type 0x%x", pos[0]); 99539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 99639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 99739beb93cSSam Leffler return -1; 99839beb93cSSam Leffler } 99939beb93cSSam Leffler 100039beb93cSSam Leffler len = WPA_GET_BE24(pos + 1); 100139beb93cSSam Leffler 100239beb93cSSam Leffler pos += 4; 100339beb93cSSam Leffler left -= 4; 100439beb93cSSam Leffler 100539beb93cSSam Leffler if (len > left) { 100639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 100739beb93cSSam Leffler "(len=%lu > left=%lu)", 100839beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 100939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 101039beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 101139beb93cSSam Leffler return -1; 101239beb93cSSam Leffler } 101339beb93cSSam Leffler end = pos + len; 101439beb93cSSam Leffler if (len != TLS_VERIFY_DATA_LEN) { 101539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 101639beb93cSSam Leffler "in Finished: %lu (expected %d)", 101739beb93cSSam Leffler (unsigned long) len, TLS_VERIFY_DATA_LEN); 101839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 101939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 102039beb93cSSam Leffler return -1; 102139beb93cSSam Leffler } 102239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 102339beb93cSSam Leffler pos, TLS_VERIFY_DATA_LEN); 102439beb93cSSam Leffler 102539beb93cSSam Leffler hlen = MD5_MAC_LEN; 102639beb93cSSam Leffler if (conn->verify.md5_client == NULL || 102739beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 102839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 102939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 103039beb93cSSam Leffler conn->verify.md5_client = NULL; 103139beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 103239beb93cSSam Leffler conn->verify.sha1_client = NULL; 103339beb93cSSam Leffler return -1; 103439beb93cSSam Leffler } 103539beb93cSSam Leffler conn->verify.md5_client = NULL; 103639beb93cSSam Leffler hlen = SHA1_MAC_LEN; 103739beb93cSSam Leffler if (conn->verify.sha1_client == NULL || 103839beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 103939beb93cSSam Leffler &hlen) < 0) { 104039beb93cSSam Leffler conn->verify.sha1_client = NULL; 104139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 104239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 104339beb93cSSam Leffler return -1; 104439beb93cSSam Leffler } 104539beb93cSSam Leffler conn->verify.sha1_client = NULL; 104639beb93cSSam Leffler 104739beb93cSSam Leffler if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 104839beb93cSSam Leffler "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 104939beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN)) { 105039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 105139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 105239beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 105339beb93cSSam Leffler return -1; 105439beb93cSSam Leffler } 105539beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 105639beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN); 105739beb93cSSam Leffler 105839beb93cSSam Leffler if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 105939beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 106039beb93cSSam Leffler return -1; 106139beb93cSSam Leffler } 106239beb93cSSam Leffler 106339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 106439beb93cSSam Leffler 106539beb93cSSam Leffler *in_len = end - in_data; 106639beb93cSSam Leffler 106739beb93cSSam Leffler if (conn->use_session_ticket) { 106839beb93cSSam Leffler /* Abbreviated handshake using session ticket; RFC 4507 */ 106939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 107039beb93cSSam Leffler "successfully"); 107139beb93cSSam Leffler conn->state = ESTABLISHED; 107239beb93cSSam Leffler } else { 107339beb93cSSam Leffler /* Full handshake */ 107439beb93cSSam Leffler conn->state = SERVER_CHANGE_CIPHER_SPEC; 107539beb93cSSam Leffler } 107639beb93cSSam Leffler 107739beb93cSSam Leffler return 0; 107839beb93cSSam Leffler } 107939beb93cSSam Leffler 108039beb93cSSam Leffler 108139beb93cSSam Leffler int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 108239beb93cSSam Leffler const u8 *buf, size_t *len) 108339beb93cSSam Leffler { 108439beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_ALERT) { 108539beb93cSSam Leffler if (*len < 2) { 108639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 108739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 108839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 108939beb93cSSam Leffler return -1; 109039beb93cSSam Leffler } 109139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 109239beb93cSSam Leffler buf[0], buf[1]); 109339beb93cSSam Leffler *len = 2; 109439beb93cSSam Leffler conn->state = FAILED; 109539beb93cSSam Leffler return -1; 109639beb93cSSam Leffler } 109739beb93cSSam Leffler 109839beb93cSSam Leffler switch (conn->state) { 109939beb93cSSam Leffler case CLIENT_HELLO: 110039beb93cSSam Leffler if (tls_process_client_hello(conn, ct, buf, len)) 110139beb93cSSam Leffler return -1; 110239beb93cSSam Leffler break; 110339beb93cSSam Leffler case CLIENT_CERTIFICATE: 110439beb93cSSam Leffler if (tls_process_certificate(conn, ct, buf, len)) 110539beb93cSSam Leffler return -1; 110639beb93cSSam Leffler break; 110739beb93cSSam Leffler case CLIENT_KEY_EXCHANGE: 110839beb93cSSam Leffler if (tls_process_client_key_exchange(conn, ct, buf, len)) 110939beb93cSSam Leffler return -1; 111039beb93cSSam Leffler break; 111139beb93cSSam Leffler case CERTIFICATE_VERIFY: 111239beb93cSSam Leffler if (tls_process_certificate_verify(conn, ct, buf, len)) 111339beb93cSSam Leffler return -1; 111439beb93cSSam Leffler break; 111539beb93cSSam Leffler case CHANGE_CIPHER_SPEC: 111639beb93cSSam Leffler if (tls_process_change_cipher_spec(conn, ct, buf, len)) 111739beb93cSSam Leffler return -1; 111839beb93cSSam Leffler break; 111939beb93cSSam Leffler case CLIENT_FINISHED: 112039beb93cSSam Leffler if (tls_process_client_finished(conn, ct, buf, len)) 112139beb93cSSam Leffler return -1; 112239beb93cSSam Leffler break; 112339beb93cSSam Leffler default: 112439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 112539beb93cSSam Leffler "while processing received message", 112639beb93cSSam Leffler conn->state); 112739beb93cSSam Leffler return -1; 112839beb93cSSam Leffler } 112939beb93cSSam Leffler 113039beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 113139beb93cSSam Leffler tls_verify_hash_add(&conn->verify, buf, *len); 113239beb93cSSam Leffler 113339beb93cSSam Leffler return 0; 113439beb93cSSam Leffler } 1135