xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_read.c (revision 13ea0450a9c8742119d36f3bf8f47accdce46e54)
1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21 
22 
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 					   const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 					  u8 ct, const u8 *in_data,
27 					  size_t *in_len);
28 
29 
30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33 	if ((conn->test_flags &
34 	     (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 	      TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 	      TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 	    suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 	    suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 	    suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 	    suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 	    suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 		return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44 
45 	return 0;
46 }
47 
48 
49 static void tls_process_status_request_item(struct tlsv1_server *conn,
50 					    const u8 *req, size_t req_len)
51 {
52 	const u8 *pos, *end;
53 	u8 status_type;
54 
55 	pos = req;
56 	end = req + req_len;
57 
58 	/*
59 	 * RFC 6961, 2.2:
60 	 * struct {
61 	 *   CertificateStatusType status_type;
62 	 *   uint16 request_length;
63 	 *   select (status_type) {
64 	 *     case ocsp: OCSPStatusRequest;
65 	 *     case ocsp_multi: OCSPStatusRequest;
66 	 *   } request;
67 	 * } CertificateStatusRequestItemV2;
68 	 *
69 	 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
70 	 */
71 
72 	if (end - pos < 1)
73 		return; /* Truncated data */
74 
75 	status_type = *pos++;
76 	wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77 	if (status_type != 1 && status_type != 2)
78 		return; /* Unsupported status type */
79 	/*
80 	 * For now, only OCSP stapling is supported, so ignore the specific
81 	 * request, if any.
82 	 */
83 	wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
84 
85 	if (status_type == 2)
86 		conn->status_request_multi = 1;
87 }
88 
89 
90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
91 					  const u8 *ext, size_t ext_len)
92 {
93 	const u8 *pos, *end;
94 
95 	conn->status_request_v2 = 1;
96 
97 	pos = ext;
98 	end = ext + ext_len;
99 
100 	/*
101 	 * RFC 6961, 2.2:
102 	 * struct {
103 	 *   CertificateStatusRequestItemV2
104 	 *                    certificate_status_req_list<1..2^16-1>;
105 	 * } CertificateStatusRequestListV2;
106 	 */
107 
108 	while (end - pos >= 2) {
109 		u16 len;
110 
111 		len = WPA_GET_BE16(pos);
112 		pos += 2;
113 		if (len > end - pos)
114 			break; /* Truncated data */
115 		tls_process_status_request_item(conn, pos, len);
116 		pos += len;
117 	}
118 }
119 
120 
121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
122 				    const u8 *in_data, size_t *in_len)
123 {
124 	const u8 *pos, *end, *c;
125 	size_t left, len, i, j;
126 	u16 cipher_suite;
127 	u16 num_suites;
128 	int compr_null_found;
129 	u16 ext_type, ext_len;
130 
131 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
132 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
133 				 ct);
134 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
135 				   TLS_ALERT_UNEXPECTED_MESSAGE);
136 		return -1;
137 	}
138 
139 	pos = in_data;
140 	left = *in_len;
141 
142 	if (left < 4)
143 		goto decode_error;
144 
145 	/* HandshakeType msg_type */
146 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
147 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
148 				 *pos);
149 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 				   TLS_ALERT_UNEXPECTED_MESSAGE);
151 		return -1;
152 	}
153 	tlsv1_server_log(conn, "Received ClientHello");
154 	pos++;
155 	/* uint24 length */
156 	len = WPA_GET_BE24(pos);
157 	pos += 3;
158 	left -= 4;
159 
160 	if (len > left)
161 		goto decode_error;
162 
163 	/* body - ClientHello */
164 
165 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
166 	end = pos + len;
167 
168 	/* ProtocolVersion client_version */
169 	if (end - pos < 2)
170 		goto decode_error;
171 	conn->client_version = WPA_GET_BE16(pos);
172 	tlsv1_server_log(conn, "Client version %d.%d",
173 			 conn->client_version >> 8,
174 			 conn->client_version & 0xff);
175 	if (conn->client_version < TLS_VERSION_1) {
176 		tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
177 				 conn->client_version >> 8,
178 				 conn->client_version & 0xff);
179 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
180 				   TLS_ALERT_PROTOCOL_VERSION);
181 		return -1;
182 	}
183 	pos += 2;
184 
185 	if (TLS_VERSION == TLS_VERSION_1)
186 		conn->rl.tls_version = TLS_VERSION_1;
187 #ifdef CONFIG_TLSV12
188 	else if (conn->client_version >= TLS_VERSION_1_2)
189 		conn->rl.tls_version = TLS_VERSION_1_2;
190 #endif /* CONFIG_TLSV12 */
191 	else if (conn->client_version > TLS_VERSION_1_1)
192 		conn->rl.tls_version = TLS_VERSION_1_1;
193 	else
194 		conn->rl.tls_version = conn->client_version;
195 	tlsv1_server_log(conn, "Using TLS v%s",
196 			 tls_version_str(conn->rl.tls_version));
197 
198 	/* Random random */
199 	if (end - pos < TLS_RANDOM_LEN)
200 		goto decode_error;
201 
202 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
203 	pos += TLS_RANDOM_LEN;
204 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
205 		    conn->client_random, TLS_RANDOM_LEN);
206 
207 	/* SessionID session_id */
208 	if (end - pos < 1)
209 		goto decode_error;
210 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
211 		goto decode_error;
212 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
213 	pos += 1 + *pos;
214 	/* TODO: add support for session resumption */
215 
216 	/* CipherSuite cipher_suites<2..2^16-1> */
217 	if (end - pos < 2)
218 		goto decode_error;
219 	num_suites = WPA_GET_BE16(pos);
220 	pos += 2;
221 	if (end - pos < num_suites)
222 		goto decode_error;
223 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
224 		    pos, num_suites);
225 	if (num_suites & 1)
226 		goto decode_error;
227 	num_suites /= 2;
228 
229 	cipher_suite = 0;
230 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
231 		if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
232 			continue;
233 		c = pos;
234 		for (j = 0; j < num_suites; j++) {
235 			u16 tmp = WPA_GET_BE16(c);
236 			c += 2;
237 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
238 				cipher_suite = tmp;
239 				break;
240 			}
241 		}
242 	}
243 	pos += num_suites * 2;
244 	if (!cipher_suite) {
245 		tlsv1_server_log(conn, "No supported cipher suite available");
246 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
247 				   TLS_ALERT_ILLEGAL_PARAMETER);
248 		return -1;
249 	}
250 
251 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
252 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
253 			   "record layer");
254 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
255 				   TLS_ALERT_INTERNAL_ERROR);
256 		return -1;
257 	}
258 
259 	conn->cipher_suite = cipher_suite;
260 
261 	/* CompressionMethod compression_methods<1..2^8-1> */
262 	if (end - pos < 1)
263 		goto decode_error;
264 	num_suites = *pos++;
265 	if (end - pos < num_suites)
266 		goto decode_error;
267 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
268 		    pos, num_suites);
269 	compr_null_found = 0;
270 	for (i = 0; i < num_suites; i++) {
271 		if (*pos++ == TLS_COMPRESSION_NULL)
272 			compr_null_found = 1;
273 	}
274 	if (!compr_null_found) {
275 		tlsv1_server_log(conn, "Client does not accept NULL compression");
276 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
277 				   TLS_ALERT_ILLEGAL_PARAMETER);
278 		return -1;
279 	}
280 
281 	if (end - pos == 1) {
282 		tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
283 				 *pos);
284 		goto decode_error;
285 	}
286 
287 	if (end - pos >= 2) {
288 		/* Extension client_hello_extension_list<0..2^16-1> */
289 		ext_len = WPA_GET_BE16(pos);
290 		pos += 2;
291 
292 		tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
293 				 ext_len);
294 		if (end - pos != ext_len) {
295 			tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
296 					 ext_len, (unsigned int) (end - pos));
297 			goto decode_error;
298 		}
299 
300 		/*
301 		 * struct {
302 		 *   ExtensionType extension_type (0..65535)
303 		 *   opaque extension_data<0..2^16-1>
304 		 * } Extension;
305 		 */
306 
307 		while (pos < end) {
308 			if (end - pos < 2) {
309 				tlsv1_server_log(conn, "Invalid extension_type field");
310 				goto decode_error;
311 			}
312 
313 			ext_type = WPA_GET_BE16(pos);
314 			pos += 2;
315 
316 			if (end - pos < 2) {
317 				tlsv1_server_log(conn, "Invalid extension_data length field");
318 				goto decode_error;
319 			}
320 
321 			ext_len = WPA_GET_BE16(pos);
322 			pos += 2;
323 
324 			if (end - pos < ext_len) {
325 				tlsv1_server_log(conn, "Invalid extension_data field");
326 				goto decode_error;
327 			}
328 
329 			tlsv1_server_log(conn, "ClientHello Extension type %u",
330 					 ext_type);
331 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
332 				    "Extension data", pos, ext_len);
333 
334 			if (ext_type == TLS_EXT_SESSION_TICKET) {
335 				os_free(conn->session_ticket);
336 				conn->session_ticket = os_malloc(ext_len);
337 				if (conn->session_ticket) {
338 					os_memcpy(conn->session_ticket, pos,
339 						  ext_len);
340 					conn->session_ticket_len = ext_len;
341 				}
342 			} else if (ext_type == TLS_EXT_STATUS_REQUEST) {
343 				conn->status_request = 1;
344 			} else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
345 				tls_process_status_request_v2(conn, pos,
346 							      ext_len);
347 			}
348 
349 			pos += ext_len;
350 		}
351 	}
352 
353 	*in_len = end - in_data;
354 
355 	tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
356 	conn->state = SERVER_HELLO;
357 
358 	return 0;
359 
360 decode_error:
361 	tlsv1_server_log(conn, "Failed to decode ClientHello");
362 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
363 			   TLS_ALERT_DECODE_ERROR);
364 	return -1;
365 }
366 
367 
368 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
369 				   const u8 *in_data, size_t *in_len)
370 {
371 	const u8 *pos, *end;
372 	size_t left, len, list_len, cert_len, idx;
373 	u8 type;
374 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
375 	int reason;
376 
377 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
378 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
379 				 ct);
380 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
381 				   TLS_ALERT_UNEXPECTED_MESSAGE);
382 		return -1;
383 	}
384 
385 	pos = in_data;
386 	left = *in_len;
387 
388 	if (left < 4) {
389 		tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
390 				 (unsigned long) left);
391 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
392 				   TLS_ALERT_DECODE_ERROR);
393 		return -1;
394 	}
395 
396 	type = *pos++;
397 	len = WPA_GET_BE24(pos);
398 	pos += 3;
399 	left -= 4;
400 
401 	if (len > left) {
402 		tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
403 				 (unsigned long) len, (unsigned long) left);
404 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
405 				   TLS_ALERT_DECODE_ERROR);
406 		return -1;
407 	}
408 
409 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
410 		if (conn->verify_peer) {
411 			tlsv1_server_log(conn, "Client did not include Certificate");
412 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
413 					   TLS_ALERT_UNEXPECTED_MESSAGE);
414 			return -1;
415 		}
416 
417 		return tls_process_client_key_exchange(conn, ct, in_data,
418 						       in_len);
419 	}
420 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
421 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
422 				 type);
423 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
424 				   TLS_ALERT_UNEXPECTED_MESSAGE);
425 		return -1;
426 	}
427 
428 	tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
429 			 (unsigned long) len);
430 
431 	/*
432 	 * opaque ASN.1Cert<2^24-1>;
433 	 *
434 	 * struct {
435 	 *     ASN.1Cert certificate_list<1..2^24-1>;
436 	 * } Certificate;
437 	 */
438 
439 	end = pos + len;
440 
441 	if (end - pos < 3) {
442 		tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
443 				 (unsigned long) left);
444 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
445 				   TLS_ALERT_DECODE_ERROR);
446 		return -1;
447 	}
448 
449 	list_len = WPA_GET_BE24(pos);
450 	pos += 3;
451 
452 	if ((size_t) (end - pos) != list_len) {
453 		tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
454 				 (unsigned long) list_len,
455 				 (unsigned long) (end - pos));
456 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
457 				   TLS_ALERT_DECODE_ERROR);
458 		return -1;
459 	}
460 
461 	idx = 0;
462 	while (pos < end) {
463 		if (end - pos < 3) {
464 			tlsv1_server_log(conn, "Failed to parse certificate_list");
465 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
466 					   TLS_ALERT_DECODE_ERROR);
467 			x509_certificate_chain_free(chain);
468 			return -1;
469 		}
470 
471 		cert_len = WPA_GET_BE24(pos);
472 		pos += 3;
473 
474 		if ((size_t) (end - pos) < cert_len) {
475 			tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
476 					 (unsigned long) cert_len,
477 					 (unsigned long) (end - pos));
478 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
479 					   TLS_ALERT_DECODE_ERROR);
480 			x509_certificate_chain_free(chain);
481 			return -1;
482 		}
483 
484 		tlsv1_server_log(conn, "Certificate %lu (len %lu)",
485 				 (unsigned long) idx, (unsigned long) cert_len);
486 
487 		if (idx == 0) {
488 			crypto_public_key_free(conn->client_rsa_key);
489 			if (tls_parse_cert(pos, cert_len,
490 					   &conn->client_rsa_key)) {
491 				tlsv1_server_log(conn, "Failed to parse the certificate");
492 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
493 						   TLS_ALERT_BAD_CERTIFICATE);
494 				x509_certificate_chain_free(chain);
495 				return -1;
496 			}
497 		}
498 
499 		cert = x509_certificate_parse(pos, cert_len);
500 		if (cert == NULL) {
501 			tlsv1_server_log(conn, "Failed to parse the certificate");
502 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
503 					   TLS_ALERT_BAD_CERTIFICATE);
504 			x509_certificate_chain_free(chain);
505 			return -1;
506 		}
507 
508 		if (last == NULL)
509 			chain = cert;
510 		else
511 			last->next = cert;
512 		last = cert;
513 
514 		idx++;
515 		pos += cert_len;
516 	}
517 
518 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
519 					    &reason, 0) < 0) {
520 		int tls_reason;
521 		tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
522 				 reason);
523 		switch (reason) {
524 		case X509_VALIDATE_BAD_CERTIFICATE:
525 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
526 			break;
527 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
528 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
529 			break;
530 		case X509_VALIDATE_CERTIFICATE_REVOKED:
531 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
532 			break;
533 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
534 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
535 			break;
536 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
537 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
538 			break;
539 		case X509_VALIDATE_UNKNOWN_CA:
540 			tls_reason = TLS_ALERT_UNKNOWN_CA;
541 			break;
542 		default:
543 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
544 			break;
545 		}
546 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
547 		x509_certificate_chain_free(chain);
548 		return -1;
549 	}
550 
551 	if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
552 	    !(chain->ext_key_usage &
553 	      (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
554 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
555 				   TLS_ALERT_BAD_CERTIFICATE);
556 		x509_certificate_chain_free(chain);
557 		return -1;
558 	}
559 
560 	x509_certificate_chain_free(chain);
561 
562 	*in_len = end - in_data;
563 
564 	conn->state = CLIENT_KEY_EXCHANGE;
565 
566 	return 0;
567 }
568 
569 
570 static int tls_process_client_key_exchange_rsa(
571 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
572 {
573 	u8 *out;
574 	size_t outlen, outbuflen;
575 	u16 encr_len;
576 	int res;
577 	int use_random = 0;
578 
579 	if (end - pos < 2) {
580 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
581 				   TLS_ALERT_DECODE_ERROR);
582 		return -1;
583 	}
584 
585 	encr_len = WPA_GET_BE16(pos);
586 	pos += 2;
587 	if (pos + encr_len > end) {
588 		tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
589 				 encr_len, (unsigned int) (end - pos));
590 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
591 				   TLS_ALERT_DECODE_ERROR);
592 		return -1;
593 	}
594 
595 	outbuflen = outlen = end - pos;
596 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
597 			outlen : TLS_PRE_MASTER_SECRET_LEN);
598 	if (out == NULL) {
599 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
600 				   TLS_ALERT_INTERNAL_ERROR);
601 		return -1;
602 	}
603 
604 	/*
605 	 * struct {
606 	 *   ProtocolVersion client_version;
607 	 *   opaque random[46];
608 	 * } PreMasterSecret;
609 	 *
610 	 * struct {
611 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
612 	 * } EncryptedPreMasterSecret;
613 	 */
614 
615 	/*
616 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
617 	 * parsing errors from EncryptedPreMasterSecret processing to the
618 	 * client. Instead, a random pre-master secret is used to force the
619 	 * handshake to fail.
620 	 */
621 
622 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
623 						 pos, encr_len,
624 						 out, &outlen) < 0) {
625 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
626 			   "PreMasterSecret (encr_len=%u outlen=%lu)",
627 			   encr_len, (unsigned long) outlen);
628 		use_random = 1;
629 	}
630 
631 	if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
632 		tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
633 				 (unsigned long) outlen);
634 		use_random = 1;
635 	}
636 
637 	if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
638 		tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
639 		use_random = 1;
640 	}
641 
642 	if (use_random) {
643 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
644 			   "to avoid revealing information about private key");
645 		outlen = TLS_PRE_MASTER_SECRET_LEN;
646 		if (os_get_random(out, outlen)) {
647 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
648 				   "data");
649 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
650 					   TLS_ALERT_INTERNAL_ERROR);
651 			os_free(out);
652 			return -1;
653 		}
654 	}
655 
656 	res = tlsv1_server_derive_keys(conn, out, outlen);
657 
658 	/* Clear the pre-master secret since it is not needed anymore */
659 	os_memset(out, 0, outbuflen);
660 	os_free(out);
661 
662 	if (res) {
663 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
664 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
665 				   TLS_ALERT_INTERNAL_ERROR);
666 		return -1;
667 	}
668 
669 	return 0;
670 }
671 
672 
673 static int tls_process_client_key_exchange_dh(
674 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
675 {
676 	const u8 *dh_yc;
677 	u16 dh_yc_len;
678 	u8 *shared;
679 	size_t shared_len;
680 	int res;
681 	const u8 *dh_p;
682 	size_t dh_p_len;
683 
684 	/*
685 	 * struct {
686 	 *   select (PublicValueEncoding) {
687 	 *     case implicit: struct { };
688 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
689 	 *   } dh_public;
690 	 * } ClientDiffieHellmanPublic;
691 	 */
692 
693 	tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
694 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
695 		    pos, end - pos);
696 
697 	if (end == pos) {
698 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
699 			   "not supported");
700 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
701 				   TLS_ALERT_INTERNAL_ERROR);
702 		return -1;
703 	}
704 
705 	if (end - pos < 3) {
706 		tlsv1_server_log(conn, "Invalid client public value length");
707 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
708 				   TLS_ALERT_DECODE_ERROR);
709 		return -1;
710 	}
711 
712 	dh_yc_len = WPA_GET_BE16(pos);
713 	dh_yc = pos + 2;
714 
715 	if (dh_yc_len > end - dh_yc) {
716 		tlsv1_server_log(conn, "Client public value overflow (length %d)",
717 				 dh_yc_len);
718 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
719 				   TLS_ALERT_DECODE_ERROR);
720 		return -1;
721 	}
722 
723 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
724 		    dh_yc, dh_yc_len);
725 
726 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
727 	    conn->dh_secret == NULL) {
728 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
729 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
730 				   TLS_ALERT_INTERNAL_ERROR);
731 		return -1;
732 	}
733 
734 	tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
735 
736 	shared_len = dh_p_len;
737 	shared = os_malloc(shared_len);
738 	if (shared == NULL) {
739 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
740 			   "DH");
741 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
742 				   TLS_ALERT_INTERNAL_ERROR);
743 		return -1;
744 	}
745 
746 	/* shared = Yc^secret mod p */
747 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
748 			   conn->dh_secret_len, dh_p, dh_p_len,
749 			   shared, &shared_len)) {
750 		os_free(shared);
751 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
752 				   TLS_ALERT_INTERNAL_ERROR);
753 		return -1;
754 	}
755 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
756 			shared, shared_len);
757 
758 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
759 	os_free(conn->dh_secret);
760 	conn->dh_secret = NULL;
761 
762 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
763 
764 	/* Clear the pre-master secret since it is not needed anymore */
765 	os_memset(shared, 0, shared_len);
766 	os_free(shared);
767 
768 	if (res) {
769 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
770 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
771 				   TLS_ALERT_INTERNAL_ERROR);
772 		return -1;
773 	}
774 
775 	return 0;
776 }
777 
778 
779 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
780 					   const u8 *in_data, size_t *in_len)
781 {
782 	const u8 *pos, *end;
783 	size_t left, len;
784 	u8 type;
785 	tls_key_exchange keyx;
786 	const struct tls_cipher_suite *suite;
787 
788 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
789 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
790 				 ct);
791 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
792 				   TLS_ALERT_UNEXPECTED_MESSAGE);
793 		return -1;
794 	}
795 
796 	pos = in_data;
797 	left = *in_len;
798 
799 	if (left < 4) {
800 		tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
801 				 (unsigned long) left);
802 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
803 				   TLS_ALERT_DECODE_ERROR);
804 		return -1;
805 	}
806 
807 	type = *pos++;
808 	len = WPA_GET_BE24(pos);
809 	pos += 3;
810 	left -= 4;
811 
812 	if (len > left) {
813 		tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
814 				 (unsigned long) len, (unsigned long) left);
815 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
816 				   TLS_ALERT_DECODE_ERROR);
817 		return -1;
818 	}
819 
820 	end = pos + len;
821 
822 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
823 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
824 				 type);
825 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
826 				   TLS_ALERT_UNEXPECTED_MESSAGE);
827 		return -1;
828 	}
829 
830 	tlsv1_server_log(conn, "Received ClientKeyExchange");
831 
832 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
833 
834 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
835 	if (suite == NULL)
836 		keyx = TLS_KEY_X_NULL;
837 	else
838 		keyx = suite->key_exchange;
839 
840 	if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
841 	    tls_process_client_key_exchange_dh(conn, pos, end) < 0)
842 		return -1;
843 
844 	if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
845 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
846 		return -1;
847 
848 	*in_len = end - in_data;
849 
850 	conn->state = CERTIFICATE_VERIFY;
851 
852 	return 0;
853 }
854 
855 
856 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
857 					  const u8 *in_data, size_t *in_len)
858 {
859 	const u8 *pos, *end;
860 	size_t left, len;
861 	u8 type;
862 	size_t hlen;
863 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
864 	u8 alert;
865 
866 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
867 		if (conn->verify_peer) {
868 			tlsv1_server_log(conn, "Client did not include CertificateVerify");
869 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
870 					   TLS_ALERT_UNEXPECTED_MESSAGE);
871 			return -1;
872 		}
873 
874 		return tls_process_change_cipher_spec(conn, ct, in_data,
875 						      in_len);
876 	}
877 
878 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
879 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
880 				 ct);
881 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
882 				   TLS_ALERT_UNEXPECTED_MESSAGE);
883 		return -1;
884 	}
885 
886 	pos = in_data;
887 	left = *in_len;
888 
889 	if (left < 4) {
890 		tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
891 				 (unsigned long) left);
892 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
893 				   TLS_ALERT_DECODE_ERROR);
894 		return -1;
895 	}
896 
897 	type = *pos++;
898 	len = WPA_GET_BE24(pos);
899 	pos += 3;
900 	left -= 4;
901 
902 	if (len > left) {
903 		tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
904 				 (unsigned long) len, (unsigned long) left);
905 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
906 				   TLS_ALERT_DECODE_ERROR);
907 		return -1;
908 	}
909 
910 	end = pos + len;
911 
912 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
913 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
914 				 type);
915 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
916 				   TLS_ALERT_UNEXPECTED_MESSAGE);
917 		return -1;
918 	}
919 
920 	tlsv1_server_log(conn, "Received CertificateVerify");
921 
922 	/*
923 	 * struct {
924 	 *   Signature signature;
925 	 * } CertificateVerify;
926 	 */
927 
928 	hpos = hash;
929 
930 #ifdef CONFIG_TLSV12
931 	if (conn->rl.tls_version == TLS_VERSION_1_2) {
932 		/*
933 		 * RFC 5246, 4.7:
934 		 * TLS v1.2 adds explicit indication of the used signature and
935 		 * hash algorithms.
936 		 *
937 		 * struct {
938 		 *   HashAlgorithm hash;
939 		 *   SignatureAlgorithm signature;
940 		 * } SignatureAndHashAlgorithm;
941 		 */
942 		if (end - pos < 2) {
943 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944 					   TLS_ALERT_DECODE_ERROR);
945 			return -1;
946 		}
947 		if (pos[0] != TLS_HASH_ALG_SHA256 ||
948 		    pos[1] != TLS_SIGN_ALG_RSA) {
949 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
950 				   "signature(%u) algorithm",
951 				   pos[0], pos[1]);
952 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
953 					   TLS_ALERT_INTERNAL_ERROR);
954 			return -1;
955 		}
956 		pos += 2;
957 
958 		hlen = SHA256_MAC_LEN;
959 		if (conn->verify.sha256_cert == NULL ||
960 		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
961 		    0) {
962 			conn->verify.sha256_cert = NULL;
963 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
964 					   TLS_ALERT_INTERNAL_ERROR);
965 			return -1;
966 		}
967 		conn->verify.sha256_cert = NULL;
968 	} else {
969 #endif /* CONFIG_TLSV12 */
970 
971 	hlen = MD5_MAC_LEN;
972 	if (conn->verify.md5_cert == NULL ||
973 	    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
974 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
975 				   TLS_ALERT_INTERNAL_ERROR);
976 		conn->verify.md5_cert = NULL;
977 		crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
978 		conn->verify.sha1_cert = NULL;
979 		return -1;
980 	}
981 	hpos += MD5_MAC_LEN;
982 
983 	conn->verify.md5_cert = NULL;
984 	hlen = SHA1_MAC_LEN;
985 	if (conn->verify.sha1_cert == NULL ||
986 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
987 		conn->verify.sha1_cert = NULL;
988 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
989 				   TLS_ALERT_INTERNAL_ERROR);
990 		return -1;
991 	}
992 	conn->verify.sha1_cert = NULL;
993 
994 	hlen += MD5_MAC_LEN;
995 
996 #ifdef CONFIG_TLSV12
997 	}
998 #endif /* CONFIG_TLSV12 */
999 
1000 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1001 
1002 	if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1003 				 hash, hlen, pos, end - pos, &alert) < 0) {
1004 		tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1005 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1006 		return -1;
1007 	}
1008 
1009 	*in_len = end - in_data;
1010 
1011 	conn->state = CHANGE_CIPHER_SPEC;
1012 
1013 	return 0;
1014 }
1015 
1016 
1017 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1018 					  u8 ct, const u8 *in_data,
1019 					  size_t *in_len)
1020 {
1021 	const u8 *pos;
1022 	size_t left;
1023 
1024 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1025 		tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1026 				 ct);
1027 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1029 		return -1;
1030 	}
1031 
1032 	pos = in_data;
1033 	left = *in_len;
1034 
1035 	if (left < 1) {
1036 		tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1037 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038 				   TLS_ALERT_DECODE_ERROR);
1039 		return -1;
1040 	}
1041 
1042 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1043 		tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1044 				 *pos);
1045 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1046 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1047 		return -1;
1048 	}
1049 
1050 	tlsv1_server_log(conn, "Received ChangeCipherSpec");
1051 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1052 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1053 			   "for record layer");
1054 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1055 				   TLS_ALERT_INTERNAL_ERROR);
1056 		return -1;
1057 	}
1058 
1059 	*in_len = pos + 1 - in_data;
1060 
1061 	conn->state = CLIENT_FINISHED;
1062 
1063 	return 0;
1064 }
1065 
1066 
1067 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1068 				       const u8 *in_data, size_t *in_len)
1069 {
1070 	const u8 *pos, *end;
1071 	size_t left, len, hlen;
1072 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1073 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1074 
1075 #ifdef CONFIG_TESTING_OPTIONS
1076 	if ((conn->test_flags &
1077 	     (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1078 	    !conn->test_failure_reported) {
1079 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1080 		conn->test_failure_reported = 1;
1081 	}
1082 
1083 	if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1084 	    !conn->test_failure_reported) {
1085 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1086 		conn->test_failure_reported = 1;
1087 	}
1088 
1089 	if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1090 	    !conn->test_failure_reported) {
1091 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1092 		conn->test_failure_reported = 1;
1093 	}
1094 
1095 	if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1096 	    !conn->test_failure_reported) {
1097 		tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1098 		conn->test_failure_reported = 1;
1099 	}
1100 
1101 	if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1102 	    !conn->test_failure_reported) {
1103 		tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1104 		conn->test_failure_reported = 1;
1105 	}
1106 
1107 	if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1108 	    !conn->test_failure_reported) {
1109 		tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1110 		conn->test_failure_reported = 1;
1111 	}
1112 #endif /* CONFIG_TESTING_OPTIONS */
1113 
1114 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1115 		tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1116 				 ct);
1117 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1118 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1119 		return -1;
1120 	}
1121 
1122 	pos = in_data;
1123 	left = *in_len;
1124 
1125 	if (left < 4) {
1126 		tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1127 				 (unsigned long) left);
1128 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1129 				   TLS_ALERT_DECODE_ERROR);
1130 		return -1;
1131 	}
1132 
1133 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1134 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1135 			   "type 0x%x", pos[0]);
1136 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1137 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1138 		return -1;
1139 	}
1140 
1141 	len = WPA_GET_BE24(pos + 1);
1142 
1143 	pos += 4;
1144 	left -= 4;
1145 
1146 	if (len > left) {
1147 		tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1148 				 (unsigned long) len, (unsigned long) left);
1149 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1150 				   TLS_ALERT_DECODE_ERROR);
1151 		return -1;
1152 	}
1153 	end = pos + len;
1154 	if (len != TLS_VERIFY_DATA_LEN) {
1155 		tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1156 				 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1157 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158 				   TLS_ALERT_DECODE_ERROR);
1159 		return -1;
1160 	}
1161 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1162 		    pos, TLS_VERIFY_DATA_LEN);
1163 
1164 #ifdef CONFIG_TLSV12
1165 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1166 		hlen = SHA256_MAC_LEN;
1167 		if (conn->verify.sha256_client == NULL ||
1168 		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1169 		    < 0) {
1170 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171 					   TLS_ALERT_INTERNAL_ERROR);
1172 			conn->verify.sha256_client = NULL;
1173 			return -1;
1174 		}
1175 		conn->verify.sha256_client = NULL;
1176 	} else {
1177 #endif /* CONFIG_TLSV12 */
1178 
1179 	hlen = MD5_MAC_LEN;
1180 	if (conn->verify.md5_client == NULL ||
1181 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1182 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1183 				   TLS_ALERT_INTERNAL_ERROR);
1184 		conn->verify.md5_client = NULL;
1185 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1186 		conn->verify.sha1_client = NULL;
1187 		return -1;
1188 	}
1189 	conn->verify.md5_client = NULL;
1190 	hlen = SHA1_MAC_LEN;
1191 	if (conn->verify.sha1_client == NULL ||
1192 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1193 			       &hlen) < 0) {
1194 		conn->verify.sha1_client = NULL;
1195 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1196 				   TLS_ALERT_INTERNAL_ERROR);
1197 		return -1;
1198 	}
1199 	conn->verify.sha1_client = NULL;
1200 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1201 
1202 #ifdef CONFIG_TLSV12
1203 	}
1204 #endif /* CONFIG_TLSV12 */
1205 
1206 	if (tls_prf(conn->rl.tls_version,
1207 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1208 		    "client finished", hash, hlen,
1209 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1210 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1211 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1212 				   TLS_ALERT_DECRYPT_ERROR);
1213 		return -1;
1214 	}
1215 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1216 			verify_data, TLS_VERIFY_DATA_LEN);
1217 
1218 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1219 		tlsv1_server_log(conn, "Mismatch in verify_data");
1220 		return -1;
1221 	}
1222 
1223 	tlsv1_server_log(conn, "Received Finished");
1224 
1225 	*in_len = end - in_data;
1226 
1227 	if (conn->use_session_ticket) {
1228 		/* Abbreviated handshake using session ticket; RFC 4507 */
1229 		tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1230 		conn->state = ESTABLISHED;
1231 	} else {
1232 		/* Full handshake */
1233 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1234 	}
1235 
1236 	return 0;
1237 }
1238 
1239 
1240 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1241 				   const u8 *buf, size_t *len)
1242 {
1243 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1244 		if (*len < 2) {
1245 			tlsv1_server_log(conn, "Alert underflow");
1246 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1247 					   TLS_ALERT_DECODE_ERROR);
1248 			return -1;
1249 		}
1250 		tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1251 		*len = 2;
1252 		conn->state = FAILED;
1253 		return -1;
1254 	}
1255 
1256 	switch (conn->state) {
1257 	case CLIENT_HELLO:
1258 		if (tls_process_client_hello(conn, ct, buf, len))
1259 			return -1;
1260 		break;
1261 	case CLIENT_CERTIFICATE:
1262 		if (tls_process_certificate(conn, ct, buf, len))
1263 			return -1;
1264 		break;
1265 	case CLIENT_KEY_EXCHANGE:
1266 		if (tls_process_client_key_exchange(conn, ct, buf, len))
1267 			return -1;
1268 		break;
1269 	case CERTIFICATE_VERIFY:
1270 		if (tls_process_certificate_verify(conn, ct, buf, len))
1271 			return -1;
1272 		break;
1273 	case CHANGE_CIPHER_SPEC:
1274 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1275 			return -1;
1276 		break;
1277 	case CLIENT_FINISHED:
1278 		if (tls_process_client_finished(conn, ct, buf, len))
1279 			return -1;
1280 		break;
1281 	default:
1282 		tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1283 				 conn->state);
1284 		return -1;
1285 	}
1286 
1287 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1288 		tls_verify_hash_add(&conn->verify, buf, *len);
1289 
1290 	return 0;
1291 }
1292