xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_read.c (revision f4b37ed0f8b307b1f3f0f630ca725d68f1dff30d)
1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21 
22 
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 					   const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 					  u8 ct, const u8 *in_data,
27 					  size_t *in_len);
28 
29 
30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33 	if ((conn->test_flags &
34 	     (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 	      TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 	      TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 	    suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 	    suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 	    suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 	    suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 	    suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 		return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44 
45 	return 0;
46 }
47 
48 
49 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
50 				    const u8 *in_data, size_t *in_len)
51 {
52 	const u8 *pos, *end, *c;
53 	size_t left, len, i, j;
54 	u16 cipher_suite;
55 	u16 num_suites;
56 	int compr_null_found;
57 	u16 ext_type, ext_len;
58 
59 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
60 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
61 				 ct);
62 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
63 				   TLS_ALERT_UNEXPECTED_MESSAGE);
64 		return -1;
65 	}
66 
67 	pos = in_data;
68 	left = *in_len;
69 
70 	if (left < 4)
71 		goto decode_error;
72 
73 	/* HandshakeType msg_type */
74 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
75 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
76 				 *pos);
77 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
78 				   TLS_ALERT_UNEXPECTED_MESSAGE);
79 		return -1;
80 	}
81 	tlsv1_server_log(conn, "Received ClientHello");
82 	pos++;
83 	/* uint24 length */
84 	len = WPA_GET_BE24(pos);
85 	pos += 3;
86 	left -= 4;
87 
88 	if (len > left)
89 		goto decode_error;
90 
91 	/* body - ClientHello */
92 
93 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
94 	end = pos + len;
95 
96 	/* ProtocolVersion client_version */
97 	if (end - pos < 2)
98 		goto decode_error;
99 	conn->client_version = WPA_GET_BE16(pos);
100 	tlsv1_server_log(conn, "Client version %d.%d",
101 			 conn->client_version >> 8,
102 			 conn->client_version & 0xff);
103 	if (conn->client_version < TLS_VERSION_1) {
104 		tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
105 				 conn->client_version >> 8,
106 				 conn->client_version & 0xff);
107 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
108 				   TLS_ALERT_PROTOCOL_VERSION);
109 		return -1;
110 	}
111 	pos += 2;
112 
113 	if (TLS_VERSION == TLS_VERSION_1)
114 		conn->rl.tls_version = TLS_VERSION_1;
115 #ifdef CONFIG_TLSV12
116 	else if (conn->client_version >= TLS_VERSION_1_2)
117 		conn->rl.tls_version = TLS_VERSION_1_2;
118 #endif /* CONFIG_TLSV12 */
119 	else if (conn->client_version > TLS_VERSION_1_1)
120 		conn->rl.tls_version = TLS_VERSION_1_1;
121 	else
122 		conn->rl.tls_version = conn->client_version;
123 	tlsv1_server_log(conn, "Using TLS v%s",
124 			 tls_version_str(conn->rl.tls_version));
125 
126 	/* Random random */
127 	if (end - pos < TLS_RANDOM_LEN)
128 		goto decode_error;
129 
130 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
131 	pos += TLS_RANDOM_LEN;
132 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
133 		    conn->client_random, TLS_RANDOM_LEN);
134 
135 	/* SessionID session_id */
136 	if (end - pos < 1)
137 		goto decode_error;
138 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
139 		goto decode_error;
140 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
141 	pos += 1 + *pos;
142 	/* TODO: add support for session resumption */
143 
144 	/* CipherSuite cipher_suites<2..2^16-1> */
145 	if (end - pos < 2)
146 		goto decode_error;
147 	num_suites = WPA_GET_BE16(pos);
148 	pos += 2;
149 	if (end - pos < num_suites)
150 		goto decode_error;
151 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
152 		    pos, num_suites);
153 	if (num_suites & 1)
154 		goto decode_error;
155 	num_suites /= 2;
156 
157 	cipher_suite = 0;
158 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
159 		if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
160 			continue;
161 		c = pos;
162 		for (j = 0; j < num_suites; j++) {
163 			u16 tmp = WPA_GET_BE16(c);
164 			c += 2;
165 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
166 				cipher_suite = tmp;
167 				break;
168 			}
169 		}
170 	}
171 	pos += num_suites * 2;
172 	if (!cipher_suite) {
173 		tlsv1_server_log(conn, "No supported cipher suite available");
174 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
175 				   TLS_ALERT_ILLEGAL_PARAMETER);
176 		return -1;
177 	}
178 
179 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
180 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
181 			   "record layer");
182 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
183 				   TLS_ALERT_INTERNAL_ERROR);
184 		return -1;
185 	}
186 
187 	conn->cipher_suite = cipher_suite;
188 
189 	/* CompressionMethod compression_methods<1..2^8-1> */
190 	if (end - pos < 1)
191 		goto decode_error;
192 	num_suites = *pos++;
193 	if (end - pos < num_suites)
194 		goto decode_error;
195 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
196 		    pos, num_suites);
197 	compr_null_found = 0;
198 	for (i = 0; i < num_suites; i++) {
199 		if (*pos++ == TLS_COMPRESSION_NULL)
200 			compr_null_found = 1;
201 	}
202 	if (!compr_null_found) {
203 		tlsv1_server_log(conn, "Client does not accept NULL compression");
204 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
205 				   TLS_ALERT_ILLEGAL_PARAMETER);
206 		return -1;
207 	}
208 
209 	if (end - pos == 1) {
210 		tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
211 				 *pos);
212 		goto decode_error;
213 	}
214 
215 	if (end - pos >= 2) {
216 		/* Extension client_hello_extension_list<0..2^16-1> */
217 		ext_len = WPA_GET_BE16(pos);
218 		pos += 2;
219 
220 		tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
221 				 ext_len);
222 		if (end - pos != ext_len) {
223 			tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
224 					 ext_len, (unsigned int) (end - pos));
225 			goto decode_error;
226 		}
227 
228 		/*
229 		 * struct {
230 		 *   ExtensionType extension_type (0..65535)
231 		 *   opaque extension_data<0..2^16-1>
232 		 * } Extension;
233 		 */
234 
235 		while (pos < end) {
236 			if (end - pos < 2) {
237 				tlsv1_server_log(conn, "Invalid extension_type field");
238 				goto decode_error;
239 			}
240 
241 			ext_type = WPA_GET_BE16(pos);
242 			pos += 2;
243 
244 			if (end - pos < 2) {
245 				tlsv1_server_log(conn, "Invalid extension_data length field");
246 				goto decode_error;
247 			}
248 
249 			ext_len = WPA_GET_BE16(pos);
250 			pos += 2;
251 
252 			if (end - pos < ext_len) {
253 				tlsv1_server_log(conn, "Invalid extension_data field");
254 				goto decode_error;
255 			}
256 
257 			tlsv1_server_log(conn, "ClientHello Extension type %u",
258 					 ext_type);
259 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
260 				    "Extension data", pos, ext_len);
261 
262 			if (ext_type == TLS_EXT_SESSION_TICKET) {
263 				os_free(conn->session_ticket);
264 				conn->session_ticket = os_malloc(ext_len);
265 				if (conn->session_ticket) {
266 					os_memcpy(conn->session_ticket, pos,
267 						  ext_len);
268 					conn->session_ticket_len = ext_len;
269 				}
270 			}
271 
272 			pos += ext_len;
273 		}
274 	}
275 
276 	*in_len = end - in_data;
277 
278 	tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
279 	conn->state = SERVER_HELLO;
280 
281 	return 0;
282 
283 decode_error:
284 	tlsv1_server_log(conn, "Failed to decode ClientHello");
285 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
286 			   TLS_ALERT_DECODE_ERROR);
287 	return -1;
288 }
289 
290 
291 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
292 				   const u8 *in_data, size_t *in_len)
293 {
294 	const u8 *pos, *end;
295 	size_t left, len, list_len, cert_len, idx;
296 	u8 type;
297 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
298 	int reason;
299 
300 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
301 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
302 				 ct);
303 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
304 				   TLS_ALERT_UNEXPECTED_MESSAGE);
305 		return -1;
306 	}
307 
308 	pos = in_data;
309 	left = *in_len;
310 
311 	if (left < 4) {
312 		tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
313 				 (unsigned long) left);
314 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
315 				   TLS_ALERT_DECODE_ERROR);
316 		return -1;
317 	}
318 
319 	type = *pos++;
320 	len = WPA_GET_BE24(pos);
321 	pos += 3;
322 	left -= 4;
323 
324 	if (len > left) {
325 		tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
326 				 (unsigned long) len, (unsigned long) left);
327 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
328 				   TLS_ALERT_DECODE_ERROR);
329 		return -1;
330 	}
331 
332 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
333 		if (conn->verify_peer) {
334 			tlsv1_server_log(conn, "Client did not include Certificate");
335 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
336 					   TLS_ALERT_UNEXPECTED_MESSAGE);
337 			return -1;
338 		}
339 
340 		return tls_process_client_key_exchange(conn, ct, in_data,
341 						       in_len);
342 	}
343 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
344 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
345 				 type);
346 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
347 				   TLS_ALERT_UNEXPECTED_MESSAGE);
348 		return -1;
349 	}
350 
351 	tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
352 			 (unsigned long) len);
353 
354 	/*
355 	 * opaque ASN.1Cert<2^24-1>;
356 	 *
357 	 * struct {
358 	 *     ASN.1Cert certificate_list<1..2^24-1>;
359 	 * } Certificate;
360 	 */
361 
362 	end = pos + len;
363 
364 	if (end - pos < 3) {
365 		tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
366 				 (unsigned long) left);
367 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
368 				   TLS_ALERT_DECODE_ERROR);
369 		return -1;
370 	}
371 
372 	list_len = WPA_GET_BE24(pos);
373 	pos += 3;
374 
375 	if ((size_t) (end - pos) != list_len) {
376 		tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
377 				 (unsigned long) list_len,
378 				 (unsigned long) (end - pos));
379 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
380 				   TLS_ALERT_DECODE_ERROR);
381 		return -1;
382 	}
383 
384 	idx = 0;
385 	while (pos < end) {
386 		if (end - pos < 3) {
387 			tlsv1_server_log(conn, "Failed to parse certificate_list");
388 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
389 					   TLS_ALERT_DECODE_ERROR);
390 			x509_certificate_chain_free(chain);
391 			return -1;
392 		}
393 
394 		cert_len = WPA_GET_BE24(pos);
395 		pos += 3;
396 
397 		if ((size_t) (end - pos) < cert_len) {
398 			tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
399 					 (unsigned long) cert_len,
400 					 (unsigned long) (end - pos));
401 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
402 					   TLS_ALERT_DECODE_ERROR);
403 			x509_certificate_chain_free(chain);
404 			return -1;
405 		}
406 
407 		tlsv1_server_log(conn, "Certificate %lu (len %lu)",
408 				 (unsigned long) idx, (unsigned long) cert_len);
409 
410 		if (idx == 0) {
411 			crypto_public_key_free(conn->client_rsa_key);
412 			if (tls_parse_cert(pos, cert_len,
413 					   &conn->client_rsa_key)) {
414 				tlsv1_server_log(conn, "Failed to parse the certificate");
415 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
416 						   TLS_ALERT_BAD_CERTIFICATE);
417 				x509_certificate_chain_free(chain);
418 				return -1;
419 			}
420 		}
421 
422 		cert = x509_certificate_parse(pos, cert_len);
423 		if (cert == NULL) {
424 			tlsv1_server_log(conn, "Failed to parse the certificate");
425 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
426 					   TLS_ALERT_BAD_CERTIFICATE);
427 			x509_certificate_chain_free(chain);
428 			return -1;
429 		}
430 
431 		if (last == NULL)
432 			chain = cert;
433 		else
434 			last->next = cert;
435 		last = cert;
436 
437 		idx++;
438 		pos += cert_len;
439 	}
440 
441 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
442 					    &reason, 0) < 0) {
443 		int tls_reason;
444 		tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
445 				 reason);
446 		switch (reason) {
447 		case X509_VALIDATE_BAD_CERTIFICATE:
448 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
449 			break;
450 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
451 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
452 			break;
453 		case X509_VALIDATE_CERTIFICATE_REVOKED:
454 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
455 			break;
456 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
457 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
458 			break;
459 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
460 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
461 			break;
462 		case X509_VALIDATE_UNKNOWN_CA:
463 			tls_reason = TLS_ALERT_UNKNOWN_CA;
464 			break;
465 		default:
466 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
467 			break;
468 		}
469 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
470 		x509_certificate_chain_free(chain);
471 		return -1;
472 	}
473 
474 	x509_certificate_chain_free(chain);
475 
476 	*in_len = end - in_data;
477 
478 	conn->state = CLIENT_KEY_EXCHANGE;
479 
480 	return 0;
481 }
482 
483 
484 static int tls_process_client_key_exchange_rsa(
485 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
486 {
487 	u8 *out;
488 	size_t outlen, outbuflen;
489 	u16 encr_len;
490 	int res;
491 	int use_random = 0;
492 
493 	if (end - pos < 2) {
494 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
495 				   TLS_ALERT_DECODE_ERROR);
496 		return -1;
497 	}
498 
499 	encr_len = WPA_GET_BE16(pos);
500 	pos += 2;
501 	if (pos + encr_len > end) {
502 		tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
503 				 encr_len, (unsigned int) (end - pos));
504 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
505 				   TLS_ALERT_DECODE_ERROR);
506 		return -1;
507 	}
508 
509 	outbuflen = outlen = end - pos;
510 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
511 			outlen : TLS_PRE_MASTER_SECRET_LEN);
512 	if (out == NULL) {
513 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
514 				   TLS_ALERT_INTERNAL_ERROR);
515 		return -1;
516 	}
517 
518 	/*
519 	 * struct {
520 	 *   ProtocolVersion client_version;
521 	 *   opaque random[46];
522 	 * } PreMasterSecret;
523 	 *
524 	 * struct {
525 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
526 	 * } EncryptedPreMasterSecret;
527 	 */
528 
529 	/*
530 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
531 	 * parsing errors from EncryptedPreMasterSecret processing to the
532 	 * client. Instead, a random pre-master secret is used to force the
533 	 * handshake to fail.
534 	 */
535 
536 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
537 						 pos, encr_len,
538 						 out, &outlen) < 0) {
539 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
540 			   "PreMasterSecret (encr_len=%u outlen=%lu)",
541 			   encr_len, (unsigned long) outlen);
542 		use_random = 1;
543 	}
544 
545 	if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
546 		tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
547 				 (unsigned long) outlen);
548 		use_random = 1;
549 	}
550 
551 	if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
552 		tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
553 		use_random = 1;
554 	}
555 
556 	if (use_random) {
557 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
558 			   "to avoid revealing information about private key");
559 		outlen = TLS_PRE_MASTER_SECRET_LEN;
560 		if (os_get_random(out, outlen)) {
561 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
562 				   "data");
563 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
564 					   TLS_ALERT_INTERNAL_ERROR);
565 			os_free(out);
566 			return -1;
567 		}
568 	}
569 
570 	res = tlsv1_server_derive_keys(conn, out, outlen);
571 
572 	/* Clear the pre-master secret since it is not needed anymore */
573 	os_memset(out, 0, outbuflen);
574 	os_free(out);
575 
576 	if (res) {
577 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
578 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
579 				   TLS_ALERT_INTERNAL_ERROR);
580 		return -1;
581 	}
582 
583 	return 0;
584 }
585 
586 
587 static int tls_process_client_key_exchange_dh(
588 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
589 {
590 	const u8 *dh_yc;
591 	u16 dh_yc_len;
592 	u8 *shared;
593 	size_t shared_len;
594 	int res;
595 	const u8 *dh_p;
596 	size_t dh_p_len;
597 
598 	/*
599 	 * struct {
600 	 *   select (PublicValueEncoding) {
601 	 *     case implicit: struct { };
602 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
603 	 *   } dh_public;
604 	 * } ClientDiffieHellmanPublic;
605 	 */
606 
607 	tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
608 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
609 		    pos, end - pos);
610 
611 	if (end == pos) {
612 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
613 			   "not supported");
614 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
615 				   TLS_ALERT_INTERNAL_ERROR);
616 		return -1;
617 	}
618 
619 	if (end - pos < 3) {
620 		tlsv1_server_log(conn, "Invalid client public value length");
621 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 				   TLS_ALERT_DECODE_ERROR);
623 		return -1;
624 	}
625 
626 	dh_yc_len = WPA_GET_BE16(pos);
627 	dh_yc = pos + 2;
628 
629 	if (dh_yc_len > end - dh_yc) {
630 		tlsv1_server_log(conn, "Client public value overflow (length %d)",
631 				 dh_yc_len);
632 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
633 				   TLS_ALERT_DECODE_ERROR);
634 		return -1;
635 	}
636 
637 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
638 		    dh_yc, dh_yc_len);
639 
640 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
641 	    conn->dh_secret == NULL) {
642 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
643 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
644 				   TLS_ALERT_INTERNAL_ERROR);
645 		return -1;
646 	}
647 
648 	tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
649 
650 	shared_len = dh_p_len;
651 	shared = os_malloc(shared_len);
652 	if (shared == NULL) {
653 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
654 			   "DH");
655 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
656 				   TLS_ALERT_INTERNAL_ERROR);
657 		return -1;
658 	}
659 
660 	/* shared = Yc^secret mod p */
661 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
662 			   conn->dh_secret_len, dh_p, dh_p_len,
663 			   shared, &shared_len)) {
664 		os_free(shared);
665 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
666 				   TLS_ALERT_INTERNAL_ERROR);
667 		return -1;
668 	}
669 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
670 			shared, shared_len);
671 
672 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
673 	os_free(conn->dh_secret);
674 	conn->dh_secret = NULL;
675 
676 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
677 
678 	/* Clear the pre-master secret since it is not needed anymore */
679 	os_memset(shared, 0, shared_len);
680 	os_free(shared);
681 
682 	if (res) {
683 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
684 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
685 				   TLS_ALERT_INTERNAL_ERROR);
686 		return -1;
687 	}
688 
689 	return 0;
690 }
691 
692 
693 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
694 					   const u8 *in_data, size_t *in_len)
695 {
696 	const u8 *pos, *end;
697 	size_t left, len;
698 	u8 type;
699 	tls_key_exchange keyx;
700 	const struct tls_cipher_suite *suite;
701 
702 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
703 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
704 				 ct);
705 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
706 				   TLS_ALERT_UNEXPECTED_MESSAGE);
707 		return -1;
708 	}
709 
710 	pos = in_data;
711 	left = *in_len;
712 
713 	if (left < 4) {
714 		tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
715 				 (unsigned long) left);
716 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
717 				   TLS_ALERT_DECODE_ERROR);
718 		return -1;
719 	}
720 
721 	type = *pos++;
722 	len = WPA_GET_BE24(pos);
723 	pos += 3;
724 	left -= 4;
725 
726 	if (len > left) {
727 		tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
728 				 (unsigned long) len, (unsigned long) left);
729 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
730 				   TLS_ALERT_DECODE_ERROR);
731 		return -1;
732 	}
733 
734 	end = pos + len;
735 
736 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
737 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
738 				 type);
739 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
740 				   TLS_ALERT_UNEXPECTED_MESSAGE);
741 		return -1;
742 	}
743 
744 	tlsv1_server_log(conn, "Received ClientKeyExchange");
745 
746 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
747 
748 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
749 	if (suite == NULL)
750 		keyx = TLS_KEY_X_NULL;
751 	else
752 		keyx = suite->key_exchange;
753 
754 	if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
755 	    tls_process_client_key_exchange_dh(conn, pos, end) < 0)
756 		return -1;
757 
758 	if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
759 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
760 		return -1;
761 
762 	*in_len = end - in_data;
763 
764 	conn->state = CERTIFICATE_VERIFY;
765 
766 	return 0;
767 }
768 
769 
770 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
771 					  const u8 *in_data, size_t *in_len)
772 {
773 	const u8 *pos, *end;
774 	size_t left, len;
775 	u8 type;
776 	size_t hlen;
777 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
778 	u8 alert;
779 
780 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
781 		if (conn->verify_peer) {
782 			tlsv1_server_log(conn, "Client did not include CertificateVerify");
783 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
784 					   TLS_ALERT_UNEXPECTED_MESSAGE);
785 			return -1;
786 		}
787 
788 		return tls_process_change_cipher_spec(conn, ct, in_data,
789 						      in_len);
790 	}
791 
792 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
793 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
794 				 ct);
795 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
796 				   TLS_ALERT_UNEXPECTED_MESSAGE);
797 		return -1;
798 	}
799 
800 	pos = in_data;
801 	left = *in_len;
802 
803 	if (left < 4) {
804 		tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
805 				 (unsigned long) left);
806 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
807 				   TLS_ALERT_DECODE_ERROR);
808 		return -1;
809 	}
810 
811 	type = *pos++;
812 	len = WPA_GET_BE24(pos);
813 	pos += 3;
814 	left -= 4;
815 
816 	if (len > left) {
817 		tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
818 				 (unsigned long) len, (unsigned long) left);
819 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820 				   TLS_ALERT_DECODE_ERROR);
821 		return -1;
822 	}
823 
824 	end = pos + len;
825 
826 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
827 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
828 				 type);
829 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
830 				   TLS_ALERT_UNEXPECTED_MESSAGE);
831 		return -1;
832 	}
833 
834 	tlsv1_server_log(conn, "Received CertificateVerify");
835 
836 	/*
837 	 * struct {
838 	 *   Signature signature;
839 	 * } CertificateVerify;
840 	 */
841 
842 	hpos = hash;
843 
844 #ifdef CONFIG_TLSV12
845 	if (conn->rl.tls_version == TLS_VERSION_1_2) {
846 		/*
847 		 * RFC 5246, 4.7:
848 		 * TLS v1.2 adds explicit indication of the used signature and
849 		 * hash algorithms.
850 		 *
851 		 * struct {
852 		 *   HashAlgorithm hash;
853 		 *   SignatureAlgorithm signature;
854 		 * } SignatureAndHashAlgorithm;
855 		 */
856 		if (end - pos < 2) {
857 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
858 					   TLS_ALERT_DECODE_ERROR);
859 			return -1;
860 		}
861 		if (pos[0] != TLS_HASH_ALG_SHA256 ||
862 		    pos[1] != TLS_SIGN_ALG_RSA) {
863 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
864 				   "signature(%u) algorithm",
865 				   pos[0], pos[1]);
866 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
867 					   TLS_ALERT_INTERNAL_ERROR);
868 			return -1;
869 		}
870 		pos += 2;
871 
872 		hlen = SHA256_MAC_LEN;
873 		if (conn->verify.sha256_cert == NULL ||
874 		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
875 		    0) {
876 			conn->verify.sha256_cert = NULL;
877 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
878 					   TLS_ALERT_INTERNAL_ERROR);
879 			return -1;
880 		}
881 		conn->verify.sha256_cert = NULL;
882 	} else {
883 #endif /* CONFIG_TLSV12 */
884 
885 	hlen = MD5_MAC_LEN;
886 	if (conn->verify.md5_cert == NULL ||
887 	    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
888 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
889 				   TLS_ALERT_INTERNAL_ERROR);
890 		conn->verify.md5_cert = NULL;
891 		crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
892 		conn->verify.sha1_cert = NULL;
893 		return -1;
894 	}
895 	hpos += MD5_MAC_LEN;
896 
897 	conn->verify.md5_cert = NULL;
898 	hlen = SHA1_MAC_LEN;
899 	if (conn->verify.sha1_cert == NULL ||
900 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
901 		conn->verify.sha1_cert = NULL;
902 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
903 				   TLS_ALERT_INTERNAL_ERROR);
904 		return -1;
905 	}
906 	conn->verify.sha1_cert = NULL;
907 
908 	hlen += MD5_MAC_LEN;
909 
910 #ifdef CONFIG_TLSV12
911 	}
912 #endif /* CONFIG_TLSV12 */
913 
914 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
915 
916 	if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
917 				 hash, hlen, pos, end - pos, &alert) < 0) {
918 		tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
919 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
920 		return -1;
921 	}
922 
923 	*in_len = end - in_data;
924 
925 	conn->state = CHANGE_CIPHER_SPEC;
926 
927 	return 0;
928 }
929 
930 
931 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
932 					  u8 ct, const u8 *in_data,
933 					  size_t *in_len)
934 {
935 	const u8 *pos;
936 	size_t left;
937 
938 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
939 		tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
940 				 ct);
941 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
942 				   TLS_ALERT_UNEXPECTED_MESSAGE);
943 		return -1;
944 	}
945 
946 	pos = in_data;
947 	left = *in_len;
948 
949 	if (left < 1) {
950 		tlsv1_server_log(conn, "Too short ChangeCipherSpec");
951 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
952 				   TLS_ALERT_DECODE_ERROR);
953 		return -1;
954 	}
955 
956 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
957 		tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
958 				 *pos);
959 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
960 				   TLS_ALERT_UNEXPECTED_MESSAGE);
961 		return -1;
962 	}
963 
964 	tlsv1_server_log(conn, "Received ChangeCipherSpec");
965 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
966 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
967 			   "for record layer");
968 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
969 				   TLS_ALERT_INTERNAL_ERROR);
970 		return -1;
971 	}
972 
973 	*in_len = pos + 1 - in_data;
974 
975 	conn->state = CLIENT_FINISHED;
976 
977 	return 0;
978 }
979 
980 
981 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
982 				       const u8 *in_data, size_t *in_len)
983 {
984 	const u8 *pos, *end;
985 	size_t left, len, hlen;
986 	u8 verify_data[TLS_VERIFY_DATA_LEN];
987 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
988 
989 #ifdef CONFIG_TESTING_OPTIONS
990 	if ((conn->test_flags &
991 	     (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
992 	    !conn->test_failure_reported) {
993 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
994 		conn->test_failure_reported = 1;
995 	}
996 
997 	if ((conn->test_flags & TLS_DHE_PRIME_15) &&
998 	    !conn->test_failure_reported) {
999 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1000 		conn->test_failure_reported = 1;
1001 	}
1002 
1003 	if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1004 	    !conn->test_failure_reported) {
1005 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1006 		conn->test_failure_reported = 1;
1007 	}
1008 
1009 	if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1010 	    !conn->test_failure_reported) {
1011 		tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1012 		conn->test_failure_reported = 1;
1013 	}
1014 
1015 	if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1016 	    !conn->test_failure_reported) {
1017 		tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1018 		conn->test_failure_reported = 1;
1019 	}
1020 
1021 	if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1022 	    !conn->test_failure_reported) {
1023 		tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1024 		conn->test_failure_reported = 1;
1025 	}
1026 #endif /* CONFIG_TESTING_OPTIONS */
1027 
1028 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1029 		tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1030 				 ct);
1031 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1032 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1033 		return -1;
1034 	}
1035 
1036 	pos = in_data;
1037 	left = *in_len;
1038 
1039 	if (left < 4) {
1040 		tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1041 				 (unsigned long) left);
1042 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1043 				   TLS_ALERT_DECODE_ERROR);
1044 		return -1;
1045 	}
1046 
1047 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1048 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1049 			   "type 0x%x", pos[0]);
1050 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1051 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1052 		return -1;
1053 	}
1054 
1055 	len = WPA_GET_BE24(pos + 1);
1056 
1057 	pos += 4;
1058 	left -= 4;
1059 
1060 	if (len > left) {
1061 		tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1062 				 (unsigned long) len, (unsigned long) left);
1063 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1064 				   TLS_ALERT_DECODE_ERROR);
1065 		return -1;
1066 	}
1067 	end = pos + len;
1068 	if (len != TLS_VERIFY_DATA_LEN) {
1069 		tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1070 				 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1071 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1072 				   TLS_ALERT_DECODE_ERROR);
1073 		return -1;
1074 	}
1075 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1076 		    pos, TLS_VERIFY_DATA_LEN);
1077 
1078 #ifdef CONFIG_TLSV12
1079 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1080 		hlen = SHA256_MAC_LEN;
1081 		if (conn->verify.sha256_client == NULL ||
1082 		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1083 		    < 0) {
1084 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1085 					   TLS_ALERT_INTERNAL_ERROR);
1086 			conn->verify.sha256_client = NULL;
1087 			return -1;
1088 		}
1089 		conn->verify.sha256_client = NULL;
1090 	} else {
1091 #endif /* CONFIG_TLSV12 */
1092 
1093 	hlen = MD5_MAC_LEN;
1094 	if (conn->verify.md5_client == NULL ||
1095 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1096 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1097 				   TLS_ALERT_INTERNAL_ERROR);
1098 		conn->verify.md5_client = NULL;
1099 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1100 		conn->verify.sha1_client = NULL;
1101 		return -1;
1102 	}
1103 	conn->verify.md5_client = NULL;
1104 	hlen = SHA1_MAC_LEN;
1105 	if (conn->verify.sha1_client == NULL ||
1106 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1107 			       &hlen) < 0) {
1108 		conn->verify.sha1_client = NULL;
1109 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1110 				   TLS_ALERT_INTERNAL_ERROR);
1111 		return -1;
1112 	}
1113 	conn->verify.sha1_client = NULL;
1114 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1115 
1116 #ifdef CONFIG_TLSV12
1117 	}
1118 #endif /* CONFIG_TLSV12 */
1119 
1120 	if (tls_prf(conn->rl.tls_version,
1121 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1122 		    "client finished", hash, hlen,
1123 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1124 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1125 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1126 				   TLS_ALERT_DECRYPT_ERROR);
1127 		return -1;
1128 	}
1129 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1130 			verify_data, TLS_VERIFY_DATA_LEN);
1131 
1132 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1133 		tlsv1_server_log(conn, "Mismatch in verify_data");
1134 		return -1;
1135 	}
1136 
1137 	tlsv1_server_log(conn, "Received Finished");
1138 
1139 	*in_len = end - in_data;
1140 
1141 	if (conn->use_session_ticket) {
1142 		/* Abbreviated handshake using session ticket; RFC 4507 */
1143 		tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1144 		conn->state = ESTABLISHED;
1145 	} else {
1146 		/* Full handshake */
1147 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1148 	}
1149 
1150 	return 0;
1151 }
1152 
1153 
1154 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1155 				   const u8 *buf, size_t *len)
1156 {
1157 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1158 		if (*len < 2) {
1159 			tlsv1_server_log(conn, "Alert underflow");
1160 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1161 					   TLS_ALERT_DECODE_ERROR);
1162 			return -1;
1163 		}
1164 		tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1165 		*len = 2;
1166 		conn->state = FAILED;
1167 		return -1;
1168 	}
1169 
1170 	switch (conn->state) {
1171 	case CLIENT_HELLO:
1172 		if (tls_process_client_hello(conn, ct, buf, len))
1173 			return -1;
1174 		break;
1175 	case CLIENT_CERTIFICATE:
1176 		if (tls_process_certificate(conn, ct, buf, len))
1177 			return -1;
1178 		break;
1179 	case CLIENT_KEY_EXCHANGE:
1180 		if (tls_process_client_key_exchange(conn, ct, buf, len))
1181 			return -1;
1182 		break;
1183 	case CERTIFICATE_VERIFY:
1184 		if (tls_process_certificate_verify(conn, ct, buf, len))
1185 			return -1;
1186 		break;
1187 	case CHANGE_CIPHER_SPEC:
1188 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1189 			return -1;
1190 		break;
1191 	case CLIENT_FINISHED:
1192 		if (tls_process_client_finished(conn, ct, buf, len))
1193 			return -1;
1194 		break;
1195 	default:
1196 		tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1197 				 conn->state);
1198 		return -1;
1199 	}
1200 
1201 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1202 		tls_verify_hash_add(&conn->verify, buf, *len);
1203 
1204 	return 0;
1205 }
1206