xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_read.c (revision cc16dea626cf2fc80cde667ac4798065108e596c)
1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21 
22 
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 					   const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 					  u8 ct, const u8 *in_data,
27 					  size_t *in_len);
28 
29 
30 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
31 				    const u8 *in_data, size_t *in_len)
32 {
33 	const u8 *pos, *end, *c;
34 	size_t left, len, i, j;
35 	u16 cipher_suite;
36 	u16 num_suites;
37 	int compr_null_found;
38 	u16 ext_type, ext_len;
39 
40 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
41 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
42 			   "received content type 0x%x", ct);
43 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
44 				   TLS_ALERT_UNEXPECTED_MESSAGE);
45 		return -1;
46 	}
47 
48 	pos = in_data;
49 	left = *in_len;
50 
51 	if (left < 4)
52 		goto decode_error;
53 
54 	/* HandshakeType msg_type */
55 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
56 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
57 			   "message %d (expected ClientHello)", *pos);
58 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
59 				   TLS_ALERT_UNEXPECTED_MESSAGE);
60 		return -1;
61 	}
62 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
63 	pos++;
64 	/* uint24 length */
65 	len = WPA_GET_BE24(pos);
66 	pos += 3;
67 	left -= 4;
68 
69 	if (len > left)
70 		goto decode_error;
71 
72 	/* body - ClientHello */
73 
74 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
75 	end = pos + len;
76 
77 	/* ProtocolVersion client_version */
78 	if (end - pos < 2)
79 		goto decode_error;
80 	conn->client_version = WPA_GET_BE16(pos);
81 	wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
82 		   conn->client_version >> 8, conn->client_version & 0xff);
83 	if (conn->client_version < TLS_VERSION_1) {
84 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
85 			   "ClientHello %u.%u",
86 			   conn->client_version >> 8,
87 			   conn->client_version & 0xff);
88 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
89 				   TLS_ALERT_PROTOCOL_VERSION);
90 		return -1;
91 	}
92 	pos += 2;
93 
94 	if (TLS_VERSION == TLS_VERSION_1)
95 		conn->rl.tls_version = TLS_VERSION_1;
96 #ifdef CONFIG_TLSV12
97 	else if (conn->client_version >= TLS_VERSION_1_2)
98 		conn->rl.tls_version = TLS_VERSION_1_2;
99 #endif /* CONFIG_TLSV12 */
100 	else if (conn->client_version > TLS_VERSION_1_1)
101 		conn->rl.tls_version = TLS_VERSION_1_1;
102 	else
103 		conn->rl.tls_version = conn->client_version;
104 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
105 		   tls_version_str(conn->rl.tls_version));
106 
107 	/* Random random */
108 	if (end - pos < TLS_RANDOM_LEN)
109 		goto decode_error;
110 
111 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
112 	pos += TLS_RANDOM_LEN;
113 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
114 		    conn->client_random, TLS_RANDOM_LEN);
115 
116 	/* SessionID session_id */
117 	if (end - pos < 1)
118 		goto decode_error;
119 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
120 		goto decode_error;
121 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
122 	pos += 1 + *pos;
123 	/* TODO: add support for session resumption */
124 
125 	/* CipherSuite cipher_suites<2..2^16-1> */
126 	if (end - pos < 2)
127 		goto decode_error;
128 	num_suites = WPA_GET_BE16(pos);
129 	pos += 2;
130 	if (end - pos < num_suites)
131 		goto decode_error;
132 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
133 		    pos, num_suites);
134 	if (num_suites & 1)
135 		goto decode_error;
136 	num_suites /= 2;
137 
138 	cipher_suite = 0;
139 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
140 		c = pos;
141 		for (j = 0; j < num_suites; j++) {
142 			u16 tmp = WPA_GET_BE16(c);
143 			c += 2;
144 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
145 				cipher_suite = tmp;
146 				break;
147 			}
148 		}
149 	}
150 	pos += num_suites * 2;
151 	if (!cipher_suite) {
152 		wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
153 			   "available");
154 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
155 				   TLS_ALERT_ILLEGAL_PARAMETER);
156 		return -1;
157 	}
158 
159 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
160 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
161 			   "record layer");
162 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 				   TLS_ALERT_INTERNAL_ERROR);
164 		return -1;
165 	}
166 
167 	conn->cipher_suite = cipher_suite;
168 
169 	/* CompressionMethod compression_methods<1..2^8-1> */
170 	if (end - pos < 1)
171 		goto decode_error;
172 	num_suites = *pos++;
173 	if (end - pos < num_suites)
174 		goto decode_error;
175 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
176 		    pos, num_suites);
177 	compr_null_found = 0;
178 	for (i = 0; i < num_suites; i++) {
179 		if (*pos++ == TLS_COMPRESSION_NULL)
180 			compr_null_found = 1;
181 	}
182 	if (!compr_null_found) {
183 		wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
184 			   "compression");
185 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 				   TLS_ALERT_ILLEGAL_PARAMETER);
187 		return -1;
188 	}
189 
190 	if (end - pos == 1) {
191 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
192 			    "end of ClientHello: 0x%02x", *pos);
193 		goto decode_error;
194 	}
195 
196 	if (end - pos >= 2) {
197 		/* Extension client_hello_extension_list<0..2^16-1> */
198 		ext_len = WPA_GET_BE16(pos);
199 		pos += 2;
200 
201 		wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
202 			   "extensions", ext_len);
203 		if (end - pos != ext_len) {
204 			wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
205 				   "extension list length %u (expected %u)",
206 				   ext_len, (unsigned int) (end - pos));
207 			goto decode_error;
208 		}
209 
210 		/*
211 		 * struct {
212 		 *   ExtensionType extension_type (0..65535)
213 		 *   opaque extension_data<0..2^16-1>
214 		 * } Extension;
215 		 */
216 
217 		while (pos < end) {
218 			if (end - pos < 2) {
219 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
220 					   "extension_type field");
221 				goto decode_error;
222 			}
223 
224 			ext_type = WPA_GET_BE16(pos);
225 			pos += 2;
226 
227 			if (end - pos < 2) {
228 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
229 					   "extension_data length field");
230 				goto decode_error;
231 			}
232 
233 			ext_len = WPA_GET_BE16(pos);
234 			pos += 2;
235 
236 			if (end - pos < ext_len) {
237 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
238 					   "extension_data field");
239 				goto decode_error;
240 			}
241 
242 			wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
243 				   "type %u", ext_type);
244 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
245 				    "Extension data", pos, ext_len);
246 
247 			if (ext_type == TLS_EXT_SESSION_TICKET) {
248 				os_free(conn->session_ticket);
249 				conn->session_ticket = os_malloc(ext_len);
250 				if (conn->session_ticket) {
251 					os_memcpy(conn->session_ticket, pos,
252 						  ext_len);
253 					conn->session_ticket_len = ext_len;
254 				}
255 			}
256 
257 			pos += ext_len;
258 		}
259 	}
260 
261 	*in_len = end - in_data;
262 
263 	wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
264 		   "ServerHello");
265 	conn->state = SERVER_HELLO;
266 
267 	return 0;
268 
269 decode_error:
270 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
271 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
272 			   TLS_ALERT_DECODE_ERROR);
273 	return -1;
274 }
275 
276 
277 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
278 				   const u8 *in_data, size_t *in_len)
279 {
280 	const u8 *pos, *end;
281 	size_t left, len, list_len, cert_len, idx;
282 	u8 type;
283 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
284 	int reason;
285 
286 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
287 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
288 			   "received content type 0x%x", ct);
289 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
290 				   TLS_ALERT_UNEXPECTED_MESSAGE);
291 		return -1;
292 	}
293 
294 	pos = in_data;
295 	left = *in_len;
296 
297 	if (left < 4) {
298 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
299 			   "(len=%lu)", (unsigned long) left);
300 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
301 				   TLS_ALERT_DECODE_ERROR);
302 		return -1;
303 	}
304 
305 	type = *pos++;
306 	len = WPA_GET_BE24(pos);
307 	pos += 3;
308 	left -= 4;
309 
310 	if (len > left) {
311 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
312 			   "length (len=%lu != left=%lu)",
313 			   (unsigned long) len, (unsigned long) left);
314 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
315 				   TLS_ALERT_DECODE_ERROR);
316 		return -1;
317 	}
318 
319 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
320 		if (conn->verify_peer) {
321 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
322 				   "Certificate");
323 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
324 					   TLS_ALERT_UNEXPECTED_MESSAGE);
325 			return -1;
326 		}
327 
328 		return tls_process_client_key_exchange(conn, ct, in_data,
329 						       in_len);
330 	}
331 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
332 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
333 			   "message %d (expected Certificate/"
334 			   "ClientKeyExchange)", type);
335 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
336 				   TLS_ALERT_UNEXPECTED_MESSAGE);
337 		return -1;
338 	}
339 
340 	wpa_printf(MSG_DEBUG,
341 		   "TLSv1: Received Certificate (certificate_list len %lu)",
342 		   (unsigned long) len);
343 
344 	/*
345 	 * opaque ASN.1Cert<2^24-1>;
346 	 *
347 	 * struct {
348 	 *     ASN.1Cert certificate_list<1..2^24-1>;
349 	 * } Certificate;
350 	 */
351 
352 	end = pos + len;
353 
354 	if (end - pos < 3) {
355 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
356 			   "(left=%lu)", (unsigned long) left);
357 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
358 				   TLS_ALERT_DECODE_ERROR);
359 		return -1;
360 	}
361 
362 	list_len = WPA_GET_BE24(pos);
363 	pos += 3;
364 
365 	if ((size_t) (end - pos) != list_len) {
366 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
367 			   "length (len=%lu left=%lu)",
368 			   (unsigned long) list_len,
369 			   (unsigned long) (end - pos));
370 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 				   TLS_ALERT_DECODE_ERROR);
372 		return -1;
373 	}
374 
375 	idx = 0;
376 	while (pos < end) {
377 		if (end - pos < 3) {
378 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
379 				   "certificate_list");
380 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
381 					   TLS_ALERT_DECODE_ERROR);
382 			x509_certificate_chain_free(chain);
383 			return -1;
384 		}
385 
386 		cert_len = WPA_GET_BE24(pos);
387 		pos += 3;
388 
389 		if ((size_t) (end - pos) < cert_len) {
390 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
391 				   "length (len=%lu left=%lu)",
392 				   (unsigned long) cert_len,
393 				   (unsigned long) (end - pos));
394 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
395 					   TLS_ALERT_DECODE_ERROR);
396 			x509_certificate_chain_free(chain);
397 			return -1;
398 		}
399 
400 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
401 			   (unsigned long) idx, (unsigned long) cert_len);
402 
403 		if (idx == 0) {
404 			crypto_public_key_free(conn->client_rsa_key);
405 			if (tls_parse_cert(pos, cert_len,
406 					   &conn->client_rsa_key)) {
407 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
408 					   "the certificate");
409 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
410 						   TLS_ALERT_BAD_CERTIFICATE);
411 				x509_certificate_chain_free(chain);
412 				return -1;
413 			}
414 		}
415 
416 		cert = x509_certificate_parse(pos, cert_len);
417 		if (cert == NULL) {
418 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
419 				   "the certificate");
420 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
421 					   TLS_ALERT_BAD_CERTIFICATE);
422 			x509_certificate_chain_free(chain);
423 			return -1;
424 		}
425 
426 		if (last == NULL)
427 			chain = cert;
428 		else
429 			last->next = cert;
430 		last = cert;
431 
432 		idx++;
433 		pos += cert_len;
434 	}
435 
436 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
437 					    &reason, 0) < 0) {
438 		int tls_reason;
439 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
440 			   "validation failed (reason=%d)", reason);
441 		switch (reason) {
442 		case X509_VALIDATE_BAD_CERTIFICATE:
443 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
444 			break;
445 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
446 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
447 			break;
448 		case X509_VALIDATE_CERTIFICATE_REVOKED:
449 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
450 			break;
451 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
452 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
453 			break;
454 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
455 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
456 			break;
457 		case X509_VALIDATE_UNKNOWN_CA:
458 			tls_reason = TLS_ALERT_UNKNOWN_CA;
459 			break;
460 		default:
461 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
462 			break;
463 		}
464 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
465 		x509_certificate_chain_free(chain);
466 		return -1;
467 	}
468 
469 	x509_certificate_chain_free(chain);
470 
471 	*in_len = end - in_data;
472 
473 	conn->state = CLIENT_KEY_EXCHANGE;
474 
475 	return 0;
476 }
477 
478 
479 static int tls_process_client_key_exchange_rsa(
480 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
481 {
482 	u8 *out;
483 	size_t outlen, outbuflen;
484 	u16 encr_len;
485 	int res;
486 	int use_random = 0;
487 
488 	if (end - pos < 2) {
489 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
490 				   TLS_ALERT_DECODE_ERROR);
491 		return -1;
492 	}
493 
494 	encr_len = WPA_GET_BE16(pos);
495 	pos += 2;
496 	if (pos + encr_len > end) {
497 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
498 			   "format: encr_len=%u left=%u",
499 			   encr_len, (unsigned int) (end - pos));
500 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
501 				   TLS_ALERT_DECODE_ERROR);
502 		return -1;
503 	}
504 
505 	outbuflen = outlen = end - pos;
506 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
507 			outlen : TLS_PRE_MASTER_SECRET_LEN);
508 	if (out == NULL) {
509 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
510 				   TLS_ALERT_INTERNAL_ERROR);
511 		return -1;
512 	}
513 
514 	/*
515 	 * struct {
516 	 *   ProtocolVersion client_version;
517 	 *   opaque random[46];
518 	 * } PreMasterSecret;
519 	 *
520 	 * struct {
521 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
522 	 * } EncryptedPreMasterSecret;
523 	 */
524 
525 	/*
526 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
527 	 * parsing errors from EncryptedPreMasterSecret processing to the
528 	 * client. Instead, a random pre-master secret is used to force the
529 	 * handshake to fail.
530 	 */
531 
532 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
533 						 pos, encr_len,
534 						 out, &outlen) < 0) {
535 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
536 			   "PreMasterSecret (encr_len=%u outlen=%lu)",
537 			   encr_len, (unsigned long) outlen);
538 		use_random = 1;
539 	}
540 
541 	if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
542 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
543 			   "length %lu", (unsigned long) outlen);
544 		use_random = 1;
545 	}
546 
547 	if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
548 		wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
549 			   "ClientKeyExchange does not match with version in "
550 			   "ClientHello");
551 		use_random = 1;
552 	}
553 
554 	if (use_random) {
555 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
556 			   "to avoid revealing information about private key");
557 		outlen = TLS_PRE_MASTER_SECRET_LEN;
558 		if (os_get_random(out, outlen)) {
559 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
560 				   "data");
561 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
562 					   TLS_ALERT_INTERNAL_ERROR);
563 			os_free(out);
564 			return -1;
565 		}
566 	}
567 
568 	res = tlsv1_server_derive_keys(conn, out, outlen);
569 
570 	/* Clear the pre-master secret since it is not needed anymore */
571 	os_memset(out, 0, outbuflen);
572 	os_free(out);
573 
574 	if (res) {
575 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
576 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
577 				   TLS_ALERT_INTERNAL_ERROR);
578 		return -1;
579 	}
580 
581 	return 0;
582 }
583 
584 
585 static int tls_process_client_key_exchange_dh_anon(
586 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
587 {
588 	const u8 *dh_yc;
589 	u16 dh_yc_len;
590 	u8 *shared;
591 	size_t shared_len;
592 	int res;
593 
594 	/*
595 	 * struct {
596 	 *   select (PublicValueEncoding) {
597 	 *     case implicit: struct { };
598 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
599 	 *   } dh_public;
600 	 * } ClientDiffieHellmanPublic;
601 	 */
602 
603 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
604 		    pos, end - pos);
605 
606 	if (end == pos) {
607 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
608 			   "not supported");
609 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
610 				   TLS_ALERT_INTERNAL_ERROR);
611 		return -1;
612 	}
613 
614 	if (end - pos < 3) {
615 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
616 			   "length");
617 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
618 				   TLS_ALERT_DECODE_ERROR);
619 		return -1;
620 	}
621 
622 	dh_yc_len = WPA_GET_BE16(pos);
623 	dh_yc = pos + 2;
624 
625 	if (dh_yc + dh_yc_len > end) {
626 		wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
627 			   "(length %d)", dh_yc_len);
628 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
629 				   TLS_ALERT_DECODE_ERROR);
630 		return -1;
631 	}
632 
633 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
634 		    dh_yc, dh_yc_len);
635 
636 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
637 	    conn->dh_secret == NULL) {
638 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
639 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
640 				   TLS_ALERT_INTERNAL_ERROR);
641 		return -1;
642 	}
643 
644 	shared_len = conn->cred->dh_p_len;
645 	shared = os_malloc(shared_len);
646 	if (shared == NULL) {
647 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
648 			   "DH");
649 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
650 				   TLS_ALERT_INTERNAL_ERROR);
651 		return -1;
652 	}
653 
654 	/* shared = Yc^secret mod p */
655 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
656 			   conn->dh_secret_len,
657 			   conn->cred->dh_p, conn->cred->dh_p_len,
658 			   shared, &shared_len)) {
659 		os_free(shared);
660 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
661 				   TLS_ALERT_INTERNAL_ERROR);
662 		return -1;
663 	}
664 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
665 			shared, shared_len);
666 
667 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
668 	os_free(conn->dh_secret);
669 	conn->dh_secret = NULL;
670 
671 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
672 
673 	/* Clear the pre-master secret since it is not needed anymore */
674 	os_memset(shared, 0, shared_len);
675 	os_free(shared);
676 
677 	if (res) {
678 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
679 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
680 				   TLS_ALERT_INTERNAL_ERROR);
681 		return -1;
682 	}
683 
684 	return 0;
685 }
686 
687 
688 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
689 					   const u8 *in_data, size_t *in_len)
690 {
691 	const u8 *pos, *end;
692 	size_t left, len;
693 	u8 type;
694 	tls_key_exchange keyx;
695 	const struct tls_cipher_suite *suite;
696 
697 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
698 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
699 			   "received content type 0x%x", ct);
700 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
701 				   TLS_ALERT_UNEXPECTED_MESSAGE);
702 		return -1;
703 	}
704 
705 	pos = in_data;
706 	left = *in_len;
707 
708 	if (left < 4) {
709 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
710 			   "(Left=%lu)", (unsigned long) left);
711 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
712 				   TLS_ALERT_DECODE_ERROR);
713 		return -1;
714 	}
715 
716 	type = *pos++;
717 	len = WPA_GET_BE24(pos);
718 	pos += 3;
719 	left -= 4;
720 
721 	if (len > left) {
722 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
723 			   "length (len=%lu != left=%lu)",
724 			   (unsigned long) len, (unsigned long) left);
725 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
726 				   TLS_ALERT_DECODE_ERROR);
727 		return -1;
728 	}
729 
730 	end = pos + len;
731 
732 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
733 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
734 			   "message %d (expected ClientKeyExchange)", type);
735 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 				   TLS_ALERT_UNEXPECTED_MESSAGE);
737 		return -1;
738 	}
739 
740 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
741 
742 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
743 
744 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
745 	if (suite == NULL)
746 		keyx = TLS_KEY_X_NULL;
747 	else
748 		keyx = suite->key_exchange;
749 
750 	if (keyx == TLS_KEY_X_DH_anon &&
751 	    tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
752 		return -1;
753 
754 	if (keyx != TLS_KEY_X_DH_anon &&
755 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
756 		return -1;
757 
758 	*in_len = end - in_data;
759 
760 	conn->state = CERTIFICATE_VERIFY;
761 
762 	return 0;
763 }
764 
765 
766 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
767 					  const u8 *in_data, size_t *in_len)
768 {
769 	const u8 *pos, *end;
770 	size_t left, len;
771 	u8 type;
772 	size_t hlen, buflen;
773 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
774 	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
775 	u16 slen;
776 
777 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
778 		if (conn->verify_peer) {
779 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
780 				   "CertificateVerify");
781 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
782 					   TLS_ALERT_UNEXPECTED_MESSAGE);
783 			return -1;
784 		}
785 
786 		return tls_process_change_cipher_spec(conn, ct, in_data,
787 						      in_len);
788 	}
789 
790 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
791 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
792 			   "received content type 0x%x", ct);
793 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
794 				   TLS_ALERT_UNEXPECTED_MESSAGE);
795 		return -1;
796 	}
797 
798 	pos = in_data;
799 	left = *in_len;
800 
801 	if (left < 4) {
802 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
803 			   "message (len=%lu)", (unsigned long) left);
804 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
805 				   TLS_ALERT_DECODE_ERROR);
806 		return -1;
807 	}
808 
809 	type = *pos++;
810 	len = WPA_GET_BE24(pos);
811 	pos += 3;
812 	left -= 4;
813 
814 	if (len > left) {
815 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
816 			   "message length (len=%lu != left=%lu)",
817 			   (unsigned long) len, (unsigned long) left);
818 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
819 				   TLS_ALERT_DECODE_ERROR);
820 		return -1;
821 	}
822 
823 	end = pos + len;
824 
825 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
826 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
827 			   "message %d (expected CertificateVerify)", type);
828 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
829 				   TLS_ALERT_UNEXPECTED_MESSAGE);
830 		return -1;
831 	}
832 
833 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
834 
835 	/*
836 	 * struct {
837 	 *   Signature signature;
838 	 * } CertificateVerify;
839 	 */
840 
841 	hpos = hash;
842 
843 #ifdef CONFIG_TLSV12
844 	if (conn->rl.tls_version == TLS_VERSION_1_2) {
845 		/*
846 		 * RFC 5246, 4.7:
847 		 * TLS v1.2 adds explicit indication of the used signature and
848 		 * hash algorithms.
849 		 *
850 		 * struct {
851 		 *   HashAlgorithm hash;
852 		 *   SignatureAlgorithm signature;
853 		 * } SignatureAndHashAlgorithm;
854 		 */
855 		if (end - pos < 2) {
856 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
857 					   TLS_ALERT_DECODE_ERROR);
858 			return -1;
859 		}
860 		if (pos[0] != TLS_HASH_ALG_SHA256 ||
861 		    pos[1] != TLS_SIGN_ALG_RSA) {
862 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
863 				   "signature(%u) algorithm",
864 				   pos[0], pos[1]);
865 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
866 					   TLS_ALERT_INTERNAL_ERROR);
867 			return -1;
868 		}
869 		pos += 2;
870 
871 		hlen = SHA256_MAC_LEN;
872 		if (conn->verify.sha256_cert == NULL ||
873 		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
874 		    0) {
875 			conn->verify.sha256_cert = NULL;
876 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
877 					   TLS_ALERT_INTERNAL_ERROR);
878 			return -1;
879 		}
880 		conn->verify.sha256_cert = NULL;
881 	} else {
882 #endif /* CONFIG_TLSV12 */
883 
884 	if (alg == SIGN_ALG_RSA) {
885 		hlen = MD5_MAC_LEN;
886 		if (conn->verify.md5_cert == NULL ||
887 		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
888 		{
889 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
890 					   TLS_ALERT_INTERNAL_ERROR);
891 			conn->verify.md5_cert = NULL;
892 			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
893 			conn->verify.sha1_cert = NULL;
894 			return -1;
895 		}
896 		hpos += MD5_MAC_LEN;
897 	} else
898 		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
899 
900 	conn->verify.md5_cert = NULL;
901 	hlen = SHA1_MAC_LEN;
902 	if (conn->verify.sha1_cert == NULL ||
903 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
904 		conn->verify.sha1_cert = NULL;
905 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
906 				   TLS_ALERT_INTERNAL_ERROR);
907 		return -1;
908 	}
909 	conn->verify.sha1_cert = NULL;
910 
911 	if (alg == SIGN_ALG_RSA)
912 		hlen += MD5_MAC_LEN;
913 
914 #ifdef CONFIG_TLSV12
915 	}
916 #endif /* CONFIG_TLSV12 */
917 
918 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
919 
920 	if (end - pos < 2) {
921 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
922 				   TLS_ALERT_DECODE_ERROR);
923 		return -1;
924 	}
925 	slen = WPA_GET_BE16(pos);
926 	pos += 2;
927 	if (end - pos < slen) {
928 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
929 				   TLS_ALERT_DECODE_ERROR);
930 		return -1;
931 	}
932 
933 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
934 	if (conn->client_rsa_key == NULL) {
935 		wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
936 			   "signature");
937 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
938 				   TLS_ALERT_INTERNAL_ERROR);
939 		return -1;
940 	}
941 
942 	buflen = end - pos;
943 	buf = os_malloc(end - pos);
944 	if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
945 					    pos, end - pos, buf, &buflen) < 0)
946 	{
947 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
948 		os_free(buf);
949 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
950 				   TLS_ALERT_DECRYPT_ERROR);
951 		return -1;
952 	}
953 
954 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
955 			buf, buflen);
956 
957 #ifdef CONFIG_TLSV12
958 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
959 		/*
960 		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
961 		 *
962 		 * DigestInfo ::= SEQUENCE {
963 		 *   digestAlgorithm DigestAlgorithm,
964 		 *   digest OCTET STRING
965 		 * }
966 		 *
967 		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
968 		 *
969 		 * DER encoded DigestInfo for SHA256 per RFC 3447:
970 		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
971 		 * H
972 		 */
973 		if (buflen >= 19 + 32 &&
974 		    os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
975 			      "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
976 		{
977 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = "
978 				   "SHA-256");
979 			os_memmove(buf, buf + 19, buflen - 19);
980 			buflen -= 19;
981 		} else {
982 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized "
983 				   "DigestInfo");
984 			os_free(buf);
985 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
986 					   TLS_ALERT_DECRYPT_ERROR);
987 			return -1;
988 		}
989 	}
990 #endif /* CONFIG_TLSV12 */
991 
992 	if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
993 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
994 			   "CertificateVerify - did not match with calculated "
995 			   "hash");
996 		os_free(buf);
997 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
998 				   TLS_ALERT_DECRYPT_ERROR);
999 		return -1;
1000 	}
1001 
1002 	os_free(buf);
1003 
1004 	*in_len = end - in_data;
1005 
1006 	conn->state = CHANGE_CIPHER_SPEC;
1007 
1008 	return 0;
1009 }
1010 
1011 
1012 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1013 					  u8 ct, const u8 *in_data,
1014 					  size_t *in_len)
1015 {
1016 	const u8 *pos;
1017 	size_t left;
1018 
1019 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1020 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1021 			   "received content type 0x%x", ct);
1022 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1024 		return -1;
1025 	}
1026 
1027 	pos = in_data;
1028 	left = *in_len;
1029 
1030 	if (left < 1) {
1031 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1032 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033 				   TLS_ALERT_DECODE_ERROR);
1034 		return -1;
1035 	}
1036 
1037 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1038 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1039 			   "received data 0x%x", *pos);
1040 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1042 		return -1;
1043 	}
1044 
1045 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1046 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1047 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1048 			   "for record layer");
1049 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1050 				   TLS_ALERT_INTERNAL_ERROR);
1051 		return -1;
1052 	}
1053 
1054 	*in_len = pos + 1 - in_data;
1055 
1056 	conn->state = CLIENT_FINISHED;
1057 
1058 	return 0;
1059 }
1060 
1061 
1062 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1063 				       const u8 *in_data, size_t *in_len)
1064 {
1065 	const u8 *pos, *end;
1066 	size_t left, len, hlen;
1067 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1068 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1069 
1070 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1071 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1072 			   "received content type 0x%x", ct);
1073 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1075 		return -1;
1076 	}
1077 
1078 	pos = in_data;
1079 	left = *in_len;
1080 
1081 	if (left < 4) {
1082 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1083 			   "Finished",
1084 			   (unsigned long) left);
1085 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1086 				   TLS_ALERT_DECODE_ERROR);
1087 		return -1;
1088 	}
1089 
1090 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1091 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1092 			   "type 0x%x", pos[0]);
1093 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1094 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1095 		return -1;
1096 	}
1097 
1098 	len = WPA_GET_BE24(pos + 1);
1099 
1100 	pos += 4;
1101 	left -= 4;
1102 
1103 	if (len > left) {
1104 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1105 			   "(len=%lu > left=%lu)",
1106 			   (unsigned long) len, (unsigned long) left);
1107 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1108 				   TLS_ALERT_DECODE_ERROR);
1109 		return -1;
1110 	}
1111 	end = pos + len;
1112 	if (len != TLS_VERIFY_DATA_LEN) {
1113 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1114 			   "in Finished: %lu (expected %d)",
1115 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1116 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1117 				   TLS_ALERT_DECODE_ERROR);
1118 		return -1;
1119 	}
1120 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1121 		    pos, TLS_VERIFY_DATA_LEN);
1122 
1123 #ifdef CONFIG_TLSV12
1124 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1125 		hlen = SHA256_MAC_LEN;
1126 		if (conn->verify.sha256_client == NULL ||
1127 		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1128 		    < 0) {
1129 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1130 					   TLS_ALERT_INTERNAL_ERROR);
1131 			conn->verify.sha256_client = NULL;
1132 			return -1;
1133 		}
1134 		conn->verify.sha256_client = NULL;
1135 	} else {
1136 #endif /* CONFIG_TLSV12 */
1137 
1138 	hlen = MD5_MAC_LEN;
1139 	if (conn->verify.md5_client == NULL ||
1140 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1141 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1142 				   TLS_ALERT_INTERNAL_ERROR);
1143 		conn->verify.md5_client = NULL;
1144 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1145 		conn->verify.sha1_client = NULL;
1146 		return -1;
1147 	}
1148 	conn->verify.md5_client = NULL;
1149 	hlen = SHA1_MAC_LEN;
1150 	if (conn->verify.sha1_client == NULL ||
1151 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1152 			       &hlen) < 0) {
1153 		conn->verify.sha1_client = NULL;
1154 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1155 				   TLS_ALERT_INTERNAL_ERROR);
1156 		return -1;
1157 	}
1158 	conn->verify.sha1_client = NULL;
1159 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1160 
1161 #ifdef CONFIG_TLSV12
1162 	}
1163 #endif /* CONFIG_TLSV12 */
1164 
1165 	if (tls_prf(conn->rl.tls_version,
1166 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1167 		    "client finished", hash, hlen,
1168 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1169 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1170 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171 				   TLS_ALERT_DECRYPT_ERROR);
1172 		return -1;
1173 	}
1174 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1175 			verify_data, TLS_VERIFY_DATA_LEN);
1176 
1177 	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1178 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1179 		return -1;
1180 	}
1181 
1182 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1183 
1184 	*in_len = end - in_data;
1185 
1186 	if (conn->use_session_ticket) {
1187 		/* Abbreviated handshake using session ticket; RFC 4507 */
1188 		wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1189 			   "successfully");
1190 		conn->state = ESTABLISHED;
1191 	} else {
1192 		/* Full handshake */
1193 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1194 	}
1195 
1196 	return 0;
1197 }
1198 
1199 
1200 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1201 				   const u8 *buf, size_t *len)
1202 {
1203 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1204 		if (*len < 2) {
1205 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1206 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1207 					   TLS_ALERT_DECODE_ERROR);
1208 			return -1;
1209 		}
1210 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1211 			   buf[0], buf[1]);
1212 		*len = 2;
1213 		conn->state = FAILED;
1214 		return -1;
1215 	}
1216 
1217 	switch (conn->state) {
1218 	case CLIENT_HELLO:
1219 		if (tls_process_client_hello(conn, ct, buf, len))
1220 			return -1;
1221 		break;
1222 	case CLIENT_CERTIFICATE:
1223 		if (tls_process_certificate(conn, ct, buf, len))
1224 			return -1;
1225 		break;
1226 	case CLIENT_KEY_EXCHANGE:
1227 		if (tls_process_client_key_exchange(conn, ct, buf, len))
1228 			return -1;
1229 		break;
1230 	case CERTIFICATE_VERIFY:
1231 		if (tls_process_certificate_verify(conn, ct, buf, len))
1232 			return -1;
1233 		break;
1234 	case CHANGE_CIPHER_SPEC:
1235 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1236 			return -1;
1237 		break;
1238 	case CLIENT_FINISHED:
1239 		if (tls_process_client_finished(conn, ct, buf, len))
1240 			return -1;
1241 		break;
1242 	default:
1243 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1244 			   "while processing received message",
1245 			   conn->state);
1246 		return -1;
1247 	}
1248 
1249 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1250 		tls_verify_hash_add(&conn->verify, buf, *len);
1251 
1252 	return 0;
1253 }
1254