contrib/hostapd/src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_server.h"
  20 #include "tlsv1_server_i.h"
  21
  22
  23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  24                                            const u8 *in_data, size_t *in_len);
  25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  26                                           u8 ct, const u8 *in_data,
  27                                           size_t *in_len);
  28
  29
  30 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
  31                                     const u8 *in_data, size_t *in_len)
  32 {
  33         const u8 *pos, *end, *c;
  34         size_t left, len, i, j;
  35         u16 cipher_suite;
  36         u16 num_suites;
  37         int compr_null_found;
  38         u16 ext_type, ext_len;
  39
  40         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  41                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  42                            "received content type 0x%x", ct);
  43                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  44                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  45                 return -1;
  46         }
  47
  48         pos = in_data;
  49         left = *in_len;
  50
  51         if (left < 4)
  52                 goto decode_error;
  53
  54         /* HandshakeType msg_type */
  55         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
  56                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  57                            "message %d (expected ClientHello)", *pos);
  58                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  59                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  60                 return -1;
  61         }
  62         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
  63         pos++;
  64         /* uint24 length */
  65         len = WPA_GET_BE24(pos);
  66         pos += 3;
  67         left -= 4;
  68
  69         if (len > left)
  70                 goto decode_error;
  71
  72         /* body - ClientHello */
  73
  74         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
  75         end = pos + len;
  76
  77         /* ProtocolVersion client_version */
  78         if (end - pos < 2)
  79                 goto decode_error;
  80         conn->client_version = WPA_GET_BE16(pos);
  81         wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
  82                    conn->client_version >> 8, conn->client_version & 0xff);
  83         if (conn->client_version < TLS_VERSION_1) {
  84                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  85                            "ClientHello %u.%u",
  86                            conn->client_version >> 8,
  87                            conn->client_version & 0xff);
  88                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  89                                    TLS_ALERT_PROTOCOL_VERSION);
  90                 return -1;
  91         }
  92         pos += 2;
  93
  94         if (TLS_VERSION == TLS_VERSION_1)
  95                 conn->rl.tls_version = TLS_VERSION_1;
  96 #ifdef CONFIG_TLSV12
  97         else if (conn->client_version >= TLS_VERSION_1_2)
  98                 conn->rl.tls_version = TLS_VERSION_1_2;
  99 #endif /* CONFIG_TLSV12 */
 100         else if (conn->client_version > TLS_VERSION_1_1)
 101                 conn->rl.tls_version = TLS_VERSION_1_1;
 102         else
 103                 conn->rl.tls_version = conn->client_version;
 104         wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
 105                    tls_version_str(conn->rl.tls_version));
 106
 107         /* Random random */
 108         if (end - pos < TLS_RANDOM_LEN)
 109                 goto decode_error;
 110
 111         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 112         pos += TLS_RANDOM_LEN;
 113         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 114                     conn->client_random, TLS_RANDOM_LEN);
 115
 116         /* SessionID session_id */
 117         if (end - pos < 1)
 118                 goto decode_error;
 119         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 120                 goto decode_error;
 121         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 122         pos += 1 + *pos;
 123         /* TODO: add support for session resumption */
 124
 125         /* CipherSuite cipher_suites<2..2^16-1> */
 126         if (end - pos < 2)
 127                 goto decode_error;
 128         num_suites = WPA_GET_BE16(pos);
 129         pos += 2;
 130         if (end - pos < num_suites)
 131                 goto decode_error;
 132         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 133                     pos, num_suites);
 134         if (num_suites & 1)
 135                 goto decode_error;
 136         num_suites /= 2;
 137
 138         cipher_suite = 0;
 139         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 140                 c = pos;
 141                 for (j = 0; j < num_suites; j++) {
 142                         u16 tmp = WPA_GET_BE16(c);
 143                         c += 2;
 144                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 145                                 cipher_suite = tmp;
 146                                 break;
 147                         }
 148                 }
 149         }
 150         pos += num_suites * 2;
 151         if (!cipher_suite) {
 152                 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
 153                            "available");
 154                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 155                                    TLS_ALERT_ILLEGAL_PARAMETER);
 156                 return -1;
 157         }
 158
 159         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 160                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 161                            "record layer");
 162                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 163                                    TLS_ALERT_INTERNAL_ERROR);
 164                 return -1;
 165         }
 166
 167         conn->cipher_suite = cipher_suite;
 168
 169         /* CompressionMethod compression_methods<1..2^8-1> */
 170         if (end - pos < 1)
 171                 goto decode_error;
 172         num_suites = *pos++;
 173         if (end - pos < num_suites)
 174                 goto decode_error;
 175         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 176                     pos, num_suites);
 177         compr_null_found = 0;
 178         for (i = 0; i < num_suites; i++) {
 179                 if (*pos++ == TLS_COMPRESSION_NULL)
 180                         compr_null_found = 1;
 181         }
 182         if (!compr_null_found) {
 183                 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
 184                            "compression");
 185                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 186                                    TLS_ALERT_ILLEGAL_PARAMETER);
 187                 return -1;
 188         }
 189
 190         if (end - pos == 1) {
 191                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
 192                             "end of ClientHello: 0x%02x", *pos);
 193                 goto decode_error;
 194         }
 195
 196         if (end - pos >= 2) {
 197                 /* Extension client_hello_extension_list<0..2^16-1> */
 198                 ext_len = WPA_GET_BE16(pos);
 199                 pos += 2;
 200
 201                 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
 202                            "extensions", ext_len);
 203                 if (end - pos != ext_len) {
 204                         wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
 205                                    "extension list length %u (expected %u)",
 206                                    ext_len, (unsigned int) (end - pos));
 207                         goto decode_error;
 208                 }
 209
 210                 /*
 211                  * struct {
 212                  *   ExtensionType extension_type (0..65535)
 213                  *   opaque extension_data<0..2^16-1>
 214                  * } Extension;
 215                  */
 216
 217                 while (pos < end) {
 218                         if (end - pos < 2) {
 219                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 220                                            "extension_type field");
 221                                 goto decode_error;
 222                         }
 223
 224                         ext_type = WPA_GET_BE16(pos);
 225                         pos += 2;
 226
 227                         if (end - pos < 2) {
 228                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 229                                            "extension_data length field");
 230                                 goto decode_error;
 231                         }
 232
 233                         ext_len = WPA_GET_BE16(pos);
 234                         pos += 2;
 235
 236                         if (end - pos < ext_len) {
 237                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 238                                            "extension_data field");
 239                                 goto decode_error;
 240                         }
 241
 242                         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
 243                                    "type %u", ext_type);
 244                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 245                                     "Extension data", pos, ext_len);
 246
 247                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 248                                 os_free(conn->session_ticket);
 249                                 conn->session_ticket = os_malloc(ext_len);
 250                                 if (conn->session_ticket) {
 251                                         os_memcpy(conn->session_ticket, pos,
 252                                                   ext_len);
 253                                         conn->session_ticket_len = ext_len;
 254                                 }
 255                         }
 256
 257                         pos += ext_len;
 258                 }
 259         }
 260
 261         *in_len = end - in_data;
 262
 263         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
 264                    "ServerHello");
 265         conn->state = SERVER_HELLO;
 266
 267         return 0;
 268
 269 decode_error:
 270         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
 271         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 272                            TLS_ALERT_DECODE_ERROR);
 273         return -1;
 274 }
 275
 276
 277 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 278                                    const u8 *in_data, size_t *in_len)
 279 {
 280         const u8 *pos, *end;
 281         size_t left, len, list_len, cert_len, idx;
 282         u8 type;
 283         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 284         int reason;
 285
 286         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 287                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 288                            "received content type 0x%x", ct);
 289                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 290                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 291                 return -1;
 292         }
 293
 294         pos = in_data;
 295         left = *in_len;
 296
 297         if (left < 4) {
 298                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 299                            "(len=%lu)", (unsigned long) left);
 300                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 301                                    TLS_ALERT_DECODE_ERROR);
 302                 return -1;
 303         }
 304
 305         type = *pos++;
 306         len = WPA_GET_BE24(pos);
 307         pos += 3;
 308         left -= 4;
 309
 310         if (len > left) {
 311                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 312                            "length (len=%lu != left=%lu)",
 313                            (unsigned long) len, (unsigned long) left);
 314                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 315                                    TLS_ALERT_DECODE_ERROR);
 316                 return -1;
 317         }
 318
 319         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 320                 if (conn->verify_peer) {
 321                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 322                                    "Certificate");
 323                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 324                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 325                         return -1;
 326                 }
 327
 328                 return tls_process_client_key_exchange(conn, ct, in_data,
 329                                                        in_len);
 330         }
 331         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 332                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 333                            "message %d (expected Certificate/"
 334                            "ClientKeyExchange)", type);
 335                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 336                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 337                 return -1;
 338         }
 339
 340         wpa_printf(MSG_DEBUG,
 341                    "TLSv1: Received Certificate (certificate_list len %lu)",
 342                    (unsigned long) len);
 343
 344         /*
 345          * opaque ASN.1Cert<2^24-1>;
 346          *
 347          * struct {
 348          *     ASN.1Cert certificate_list<1..2^24-1>;
 349          * } Certificate;
 350          */
 351
 352         end = pos + len;
 353
 354         if (end - pos < 3) {
 355                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 356                            "(left=%lu)", (unsigned long) left);
 357                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 358                                    TLS_ALERT_DECODE_ERROR);
 359                 return -1;
 360         }
 361
 362         list_len = WPA_GET_BE24(pos);
 363         pos += 3;
 364
 365         if ((size_t) (end - pos) != list_len) {
 366                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 367                            "length (len=%lu left=%lu)",
 368                            (unsigned long) list_len,
 369                            (unsigned long) (end - pos));
 370                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 371                                    TLS_ALERT_DECODE_ERROR);
 372                 return -1;
 373         }
 374
 375         idx = 0;
 376         while (pos < end) {
 377                 if (end - pos < 3) {
 378                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 379                                    "certificate_list");
 380                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 381                                            TLS_ALERT_DECODE_ERROR);
 382                         x509_certificate_chain_free(chain);
 383                         return -1;
 384                 }
 385
 386                 cert_len = WPA_GET_BE24(pos);
 387                 pos += 3;
 388
 389                 if ((size_t) (end - pos) < cert_len) {
 390                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 391                                    "length (len=%lu left=%lu)",
 392                                    (unsigned long) cert_len,
 393                                    (unsigned long) (end - pos));
 394                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 395                                            TLS_ALERT_DECODE_ERROR);
 396                         x509_certificate_chain_free(chain);
 397                         return -1;
 398                 }
 399
 400                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 401                            (unsigned long) idx, (unsigned long) cert_len);
 402
 403                 if (idx == 0) {
 404                         crypto_public_key_free(conn->client_rsa_key);
 405                         if (tls_parse_cert(pos, cert_len,
 406                                            &conn->client_rsa_key)) {
 407                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 408                                            "the certificate");
 409                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 410                                                    TLS_ALERT_BAD_CERTIFICATE);
 411                                 x509_certificate_chain_free(chain);
 412                                 return -1;
 413                         }
 414                 }
 415
 416                 cert = x509_certificate_parse(pos, cert_len);
 417                 if (cert == NULL) {
 418                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 419                                    "the certificate");
 420                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 421                                            TLS_ALERT_BAD_CERTIFICATE);
 422                         x509_certificate_chain_free(chain);
 423                         return -1;
 424                 }
 425
 426                 if (last == NULL)
 427                         chain = cert;
 428                 else
 429                         last->next = cert;
 430                 last = cert;
 431
 432                 idx++;
 433                 pos += cert_len;
 434         }
 435
 436         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 437                                             &reason, 0) < 0) {
 438                 int tls_reason;
 439                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 440                            "validation failed (reason=%d)", reason);
 441                 switch (reason) {
 442                 case X509_VALIDATE_BAD_CERTIFICATE:
 443                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 444                         break;
 445                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 446                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 447                         break;
 448                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 449                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 450                         break;
 451                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 452                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 453                         break;
 454                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 455                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 456                         break;
 457                 case X509_VALIDATE_UNKNOWN_CA:
 458                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 459                         break;
 460                 default:
 461                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 462                         break;
 463                 }
 464                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 465                 x509_certificate_chain_free(chain);
 466                 return -1;
 467         }
 468
 469         x509_certificate_chain_free(chain);
 470
 471         *in_len = end - in_data;
 472
 473         conn->state = CLIENT_KEY_EXCHANGE;
 474
 475         return 0;
 476 }
 477
 478
 479 static int tls_process_client_key_exchange_rsa(
 480         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 481 {
 482         u8 *out;
 483         size_t outlen, outbuflen;
 484         u16 encr_len;
 485         int res;
 486         int use_random = 0;
 487
 488         if (end - pos < 2) {
 489                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 490                                    TLS_ALERT_DECODE_ERROR);
 491                 return -1;
 492         }
 493
 494         encr_len = WPA_GET_BE16(pos);
 495         pos += 2;
 496         if (pos + encr_len > end) {
 497                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
 498                            "format: encr_len=%u left=%u",
 499                            encr_len, (unsigned int) (end - pos));
 500                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 501                                    TLS_ALERT_DECODE_ERROR);
 502                 return -1;
 503         }
 504
 505         outbuflen = outlen = end - pos;
 506         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 507                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 508         if (out == NULL) {
 509                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 510                                    TLS_ALERT_INTERNAL_ERROR);
 511                 return -1;
 512         }
 513
 514         /*
 515          * struct {
 516          *   ProtocolVersion client_version;
 517          *   opaque random[46];
 518          * } PreMasterSecret;
 519          *
 520          * struct {
 521          *   public-key-encrypted PreMasterSecret pre_master_secret;
 522          * } EncryptedPreMasterSecret;
 523          */
 524
 525         /*
 526          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 527          * parsing errors from EncryptedPreMasterSecret processing to the
 528          * client. Instead, a random pre-master secret is used to force the
 529          * handshake to fail.
 530          */
 531
 532         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 533                                                  pos, encr_len,
 534                                                  out, &outlen) < 0) {
 535                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 536                            "PreMasterSecret (encr_len=%u outlen=%lu)",
 537                            encr_len, (unsigned long) outlen);
 538                 use_random = 1;
 539         }
 540
 541         if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
 542                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
 543                            "length %lu", (unsigned long) outlen);
 544                 use_random = 1;
 545         }
 546
 547         if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
 548                 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
 549                            "ClientKeyExchange does not match with version in "
 550                            "ClientHello");
 551                 use_random = 1;
 552         }
 553
 554         if (use_random) {
 555                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 556                            "to avoid revealing information about private key");
 557                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 558                 if (os_get_random(out, outlen)) {
 559                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 560                                    "data");
 561                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 562                                            TLS_ALERT_INTERNAL_ERROR);
 563                         os_free(out);
 564                         return -1;
 565                 }
 566         }
 567
 568         res = tlsv1_server_derive_keys(conn, out, outlen);
 569
 570         /* Clear the pre-master secret since it is not needed anymore */
 571         os_memset(out, 0, outbuflen);
 572         os_free(out);
 573
 574         if (res) {
 575                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 576                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 577                                    TLS_ALERT_INTERNAL_ERROR);
 578                 return -1;
 579         }
 580
 581         return 0;
 582 }
 583
 584
 585 static int tls_process_client_key_exchange_dh_anon(
 586         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 587 {
 588         const u8 *dh_yc;
 589         u16 dh_yc_len;
 590         u8 *shared;
 591         size_t shared_len;
 592         int res;
 593
 594         /*
 595          * struct {
 596          *   select (PublicValueEncoding) {
 597          *     case implicit: struct { };
 598          *     case explicit: opaque dh_Yc<1..2^16-1>;
 599          *   } dh_public;
 600          * } ClientDiffieHellmanPublic;
 601          */
 602
 603         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 604                     pos, end - pos);
 605
 606         if (end == pos) {
 607                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 608                            "not supported");
 609                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 610                                    TLS_ALERT_INTERNAL_ERROR);
 611                 return -1;
 612         }
 613
 614         if (end - pos < 3) {
 615                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
 616                            "length");
 617                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 618                                    TLS_ALERT_DECODE_ERROR);
 619                 return -1;
 620         }
 621
 622         dh_yc_len = WPA_GET_BE16(pos);
 623         dh_yc = pos + 2;
 624
 625         if (dh_yc + dh_yc_len > end) {
 626                 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
 627                            "(length %d)", dh_yc_len);
 628                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 629                                    TLS_ALERT_DECODE_ERROR);
 630                 return -1;
 631         }
 632
 633         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 634                     dh_yc, dh_yc_len);
 635
 636         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 637             conn->dh_secret == NULL) {
 638                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 639                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 640                                    TLS_ALERT_INTERNAL_ERROR);
 641                 return -1;
 642         }
 643
 644         shared_len = conn->cred->dh_p_len;
 645         shared = os_malloc(shared_len);
 646         if (shared == NULL) {
 647                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 648                            "DH");
 649                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 650                                    TLS_ALERT_INTERNAL_ERROR);
 651                 return -1;
 652         }
 653
 654         /* shared = Yc^secret mod p */
 655         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 656                            conn->dh_secret_len,
 657                            conn->cred->dh_p, conn->cred->dh_p_len,
 658                            shared, &shared_len)) {
 659                 os_free(shared);
 660                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 661                                    TLS_ALERT_INTERNAL_ERROR);
 662                 return -1;
 663         }
 664         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 665                         shared, shared_len);
 666
 667         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 668         os_free(conn->dh_secret);
 669         conn->dh_secret = NULL;
 670
 671         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 672
 673         /* Clear the pre-master secret since it is not needed anymore */
 674         os_memset(shared, 0, shared_len);
 675         os_free(shared);
 676
 677         if (res) {
 678                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 679                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 680                                    TLS_ALERT_INTERNAL_ERROR);
 681                 return -1;
 682         }
 683
 684         return 0;
 685 }
 686
 687
 688 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 689                                            const u8 *in_data, size_t *in_len)
 690 {
 691         const u8 *pos, *end;
 692         size_t left, len;
 693         u8 type;
 694         tls_key_exchange keyx;
 695         const struct tls_cipher_suite *suite;
 696
 697         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 698                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 699                            "received content type 0x%x", ct);
 700                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 701                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 702                 return -1;
 703         }
 704
 705         pos = in_data;
 706         left = *in_len;
 707
 708         if (left < 4) {
 709                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
 710                            "(Left=%lu)", (unsigned long) left);
 711                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 712                                    TLS_ALERT_DECODE_ERROR);
 713                 return -1;
 714         }
 715
 716         type = *pos++;
 717         len = WPA_GET_BE24(pos);
 718         pos += 3;
 719         left -= 4;
 720
 721         if (len > left) {
 722                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
 723                            "length (len=%lu != left=%lu)",
 724                            (unsigned long) len, (unsigned long) left);
 725                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 726                                    TLS_ALERT_DECODE_ERROR);
 727                 return -1;
 728         }
 729
 730         end = pos + len;
 731
 732         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 733                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 734                            "message %d (expected ClientKeyExchange)", type);
 735                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 736                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 737                 return -1;
 738         }
 739
 740         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
 741
 742         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 743
 744         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 745         if (suite == NULL)
 746                 keyx = TLS_KEY_X_NULL;
 747         else
 748                 keyx = suite->key_exchange;
 749
 750         if (keyx == TLS_KEY_X_DH_anon &&
 751             tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
 752                 return -1;
 753
 754         if (keyx != TLS_KEY_X_DH_anon &&
 755             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 756                 return -1;
 757
 758         *in_len = end - in_data;
 759
 760         conn->state = CERTIFICATE_VERIFY;
 761
 762         return 0;
 763 }
 764
 765
 766 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 767                                           const u8 *in_data, size_t *in_len)
 768 {
 769         const u8 *pos, *end;
 770         size_t left, len;
 771         u8 type;
 772         size_t hlen, buflen;
 773         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
 774         enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 775         u16 slen;
 776
 777         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 778                 if (conn->verify_peer) {
 779                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 780                                    "CertificateVerify");
 781                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 782                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 783                         return -1;
 784                 }
 785
 786                 return tls_process_change_cipher_spec(conn, ct, in_data,
 787                                                       in_len);
 788         }
 789
 790         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 791                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 792                            "received content type 0x%x", ct);
 793                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 794                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 795                 return -1;
 796         }
 797
 798         pos = in_data;
 799         left = *in_len;
 800
 801         if (left < 4) {
 802                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
 803                            "message (len=%lu)", (unsigned long) left);
 804                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 805                                    TLS_ALERT_DECODE_ERROR);
 806                 return -1;
 807         }
 808
 809         type = *pos++;
 810         len = WPA_GET_BE24(pos);
 811         pos += 3;
 812         left -= 4;
 813
 814         if (len > left) {
 815                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
 816                            "message length (len=%lu != left=%lu)",
 817                            (unsigned long) len, (unsigned long) left);
 818                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 819                                    TLS_ALERT_DECODE_ERROR);
 820                 return -1;
 821         }
 822
 823         end = pos + len;
 824
 825         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 826                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 827                            "message %d (expected CertificateVerify)", type);
 828                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 829                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 830                 return -1;
 831         }
 832
 833         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
 834
 835         /*
 836          * struct {
 837          *   Signature signature;
 838          * } CertificateVerify;
 839          */
 840
 841         hpos = hash;
 842
 843 #ifdef CONFIG_TLSV12
 844         if (conn->rl.tls_version == TLS_VERSION_1_2) {
 845                 /*
 846                  * RFC 5246, 4.7:
 847                  * TLS v1.2 adds explicit indication of the used signature and
 848                  * hash algorithms.
 849                  *
 850                  * struct {
 851                  *   HashAlgorithm hash;
 852                  *   SignatureAlgorithm signature;
 853                  * } SignatureAndHashAlgorithm;
 854                  */
 855                 if (end - pos < 2) {
 856                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 857                                            TLS_ALERT_DECODE_ERROR);
 858                         return -1;
 859                 }
 860                 if (pos[0] != TLS_HASH_ALG_SHA256 ||
 861                     pos[1] != TLS_SIGN_ALG_RSA) {
 862                         wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
 863                                    "signature(%u) algorithm",
 864                                    pos[0], pos[1]);
 865                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 866                                            TLS_ALERT_INTERNAL_ERROR);
 867                         return -1;
 868                 }
 869                 pos += 2;
 870
 871                 hlen = SHA256_MAC_LEN;
 872                 if (conn->verify.sha256_cert == NULL ||
 873                     crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
 874                     0) {
 875                         conn->verify.sha256_cert = NULL;
 876                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 877                                            TLS_ALERT_INTERNAL_ERROR);
 878                         return -1;
 879                 }
 880                 conn->verify.sha256_cert = NULL;
 881         } else {
 882 #endif /* CONFIG_TLSV12 */
 883
 884         if (alg == SIGN_ALG_RSA) {
 885                 hlen = MD5_MAC_LEN;
 886                 if (conn->verify.md5_cert == NULL ||
 887                     crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
 888                 {
 889                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 890                                            TLS_ALERT_INTERNAL_ERROR);
 891                         conn->verify.md5_cert = NULL;
 892                         crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 893                         conn->verify.sha1_cert = NULL;
 894                         return -1;
 895                 }
 896                 hpos += MD5_MAC_LEN;
 897         } else
 898                 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
 899
 900         conn->verify.md5_cert = NULL;
 901         hlen = SHA1_MAC_LEN;
 902         if (conn->verify.sha1_cert == NULL ||
 903             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 904                 conn->verify.sha1_cert = NULL;
 905                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 906                                    TLS_ALERT_INTERNAL_ERROR);
 907                 return -1;
 908         }
 909         conn->verify.sha1_cert = NULL;
 910
 911         if (alg == SIGN_ALG_RSA)
 912                 hlen += MD5_MAC_LEN;
 913
 914 #ifdef CONFIG_TLSV12
 915         }
 916 #endif /* CONFIG_TLSV12 */
 917
 918         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 919
 920         if (end - pos < 2) {
 921                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 922                                    TLS_ALERT_DECODE_ERROR);
 923                 return -1;
 924         }
 925         slen = WPA_GET_BE16(pos);
 926         pos += 2;
 927         if (end - pos < slen) {
 928                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 929                                    TLS_ALERT_DECODE_ERROR);
 930                 return -1;
 931         }
 932
 933         wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 934         if (conn->client_rsa_key == NULL) {
 935                 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
 936                            "signature");
 937                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 938                                    TLS_ALERT_INTERNAL_ERROR);
 939                 return -1;
 940         }
 941
 942         buflen = end - pos;
 943         buf = os_malloc(end - pos);
 944         if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
 945                                             pos, end - pos, buf, &buflen) < 0)
 946         {
 947                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 948                 os_free(buf);
 949                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 950                                    TLS_ALERT_DECRYPT_ERROR);
 951                 return -1;
 952         }
 953
 954         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 955                         buf, buflen);
 956
 957 #ifdef CONFIG_TLSV12
 958         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
 959                 /*
 960                  * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
 961                  *
 962                  * DigestInfo ::= SEQUENCE {
 963                  *   digestAlgorithm DigestAlgorithm,
 964                  *   digest OCTET STRING
 965                  * }
 966                  *
 967                  * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
 968                  *
 969                  * DER encoded DigestInfo for SHA256 per RFC 3447:
 970                  * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
 971                  * H
 972                  */
 973                 if (buflen >= 19 + 32 &&
 974                     os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
 975                               "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
 976                 {
 977                         wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = "
 978                                    "SHA-256");
 979                         os_memmove(buf, buf + 19, buflen - 19);
 980                         buflen -= 19;
 981                 } else {
 982                         wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized "
 983                                    "DigestInfo");
 984                         os_free(buf);
 985                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 986                                            TLS_ALERT_DECRYPT_ERROR);
 987                         return -1;
 988                 }
 989         }
 990 #endif /* CONFIG_TLSV12 */
 991
 992         if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
 993                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
 994                            "CertificateVerify - did not match with calculated "
 995                            "hash");
 996                 os_free(buf);
 997                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 998                                    TLS_ALERT_DECRYPT_ERROR);
 999                 return -1;
1000         }
1001
1002         os_free(buf);
1003
1004         *in_len = end - in_data;
1005
1006         conn->state = CHANGE_CIPHER_SPEC;
1007
1008         return 0;
1009 }
1010
1011
1012 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1013                                           u8 ct, const u8 *in_data,
1014                                           size_t *in_len)
1015 {
1016         const u8 *pos;
1017         size_t left;
1018
1019         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1020                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1021                            "received content type 0x%x", ct);
1022                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1024                 return -1;
1025         }
1026
1027         pos = in_data;
1028         left = *in_len;
1029
1030         if (left < 1) {
1031                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1032                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033                                    TLS_ALERT_DECODE_ERROR);
1034                 return -1;
1035         }
1036
1037         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1038                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1039                            "received data 0x%x", *pos);
1040                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1042                 return -1;
1043         }
1044
1045         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1046         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1047                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1048                            "for record layer");
1049                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1050                                    TLS_ALERT_INTERNAL_ERROR);
1051                 return -1;
1052         }
1053
1054         *in_len = pos + 1 - in_data;
1055
1056         conn->state = CLIENT_FINISHED;
1057
1058         return 0;
1059 }
1060
1061
1062 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1063                                        const u8 *in_data, size_t *in_len)
1064 {
1065         const u8 *pos, *end;
1066         size_t left, len, hlen;
1067         u8 verify_data[TLS_VERIFY_DATA_LEN];
1068         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1069
1070         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1071                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1072                            "received content type 0x%x", ct);
1073                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1075                 return -1;
1076         }
1077
1078         pos = in_data;
1079         left = *in_len;
1080
1081         if (left < 4) {
1082                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1083                            "Finished",
1084                            (unsigned long) left);
1085                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1086                                    TLS_ALERT_DECODE_ERROR);
1087                 return -1;
1088         }
1089
1090         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1091                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1092                            "type 0x%x", pos[0]);
1093                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1094                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1095                 return -1;
1096         }
1097
1098         len = WPA_GET_BE24(pos + 1);
1099
1100         pos += 4;
1101         left -= 4;
1102
1103         if (len > left) {
1104                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1105                            "(len=%lu > left=%lu)",
1106                            (unsigned long) len, (unsigned long) left);
1107                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1108                                    TLS_ALERT_DECODE_ERROR);
1109                 return -1;
1110         }
1111         end = pos + len;
1112         if (len != TLS_VERIFY_DATA_LEN) {
1113                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1114                            "in Finished: %lu (expected %d)",
1115                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1116                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1117                                    TLS_ALERT_DECODE_ERROR);
1118                 return -1;
1119         }
1120         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1121                     pos, TLS_VERIFY_DATA_LEN);
1122
1123 #ifdef CONFIG_TLSV12
1124         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1125                 hlen = SHA256_MAC_LEN;
1126                 if (conn->verify.sha256_client == NULL ||
1127                     crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1128                     < 0) {
1129                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1130                                            TLS_ALERT_INTERNAL_ERROR);
1131                         conn->verify.sha256_client = NULL;
1132                         return -1;
1133                 }
1134                 conn->verify.sha256_client = NULL;
1135         } else {
1136 #endif /* CONFIG_TLSV12 */
1137
1138         hlen = MD5_MAC_LEN;
1139         if (conn->verify.md5_client == NULL ||
1140             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1141                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1142                                    TLS_ALERT_INTERNAL_ERROR);
1143                 conn->verify.md5_client = NULL;
1144                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1145                 conn->verify.sha1_client = NULL;
1146                 return -1;
1147         }
1148         conn->verify.md5_client = NULL;
1149         hlen = SHA1_MAC_LEN;
1150         if (conn->verify.sha1_client == NULL ||
1151             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1152                                &hlen) < 0) {
1153                 conn->verify.sha1_client = NULL;
1154                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1155                                    TLS_ALERT_INTERNAL_ERROR);
1156                 return -1;
1157         }
1158         conn->verify.sha1_client = NULL;
1159         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1160
1161 #ifdef CONFIG_TLSV12
1162         }
1163 #endif /* CONFIG_TLSV12 */
1164
1165         if (tls_prf(conn->rl.tls_version,
1166                     conn->master_secret, TLS_MASTER_SECRET_LEN,
1167                     "client finished", hash, hlen,
1168                     verify_data, TLS_VERIFY_DATA_LEN)) {
1169                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1170                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171                                    TLS_ALERT_DECRYPT_ERROR);
1172                 return -1;
1173         }
1174         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1175                         verify_data, TLS_VERIFY_DATA_LEN);
1176
1177         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1178                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1179                 return -1;
1180         }
1181
1182         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1183
1184         *in_len = end - in_data;
1185
1186         if (conn->use_session_ticket) {
1187                 /* Abbreviated handshake using session ticket; RFC 4507 */
1188                 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1189                            "successfully");
1190                 conn->state = ESTABLISHED;
1191         } else {
1192                 /* Full handshake */
1193                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1194         }
1195
1196         return 0;
1197 }
1198
1199
1200 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1201                                    const u8 *buf, size_t *len)
1202 {
1203         if (ct == TLS_CONTENT_TYPE_ALERT) {
1204                 if (*len < 2) {
1205                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1206                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1207                                            TLS_ALERT_DECODE_ERROR);
1208                         return -1;
1209                 }
1210                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1211                            buf[0], buf[1]);
1212                 *len = 2;
1213                 conn->state = FAILED;
1214                 return -1;
1215         }
1216
1217         switch (conn->state) {
1218         case CLIENT_HELLO:
1219                 if (tls_process_client_hello(conn, ct, buf, len))
1220                         return -1;
1221                 break;
1222         case CLIENT_CERTIFICATE:
1223                 if (tls_process_certificate(conn, ct, buf, len))
1224                         return -1;
1225                 break;
1226         case CLIENT_KEY_EXCHANGE:
1227                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1228                         return -1;
1229                 break;
1230         case CERTIFICATE_VERIFY:
1231                 if (tls_process_certificate_verify(conn, ct, buf, len))
1232                         return -1;
1233                 break;
1234         case CHANGE_CIPHER_SPEC:
1235                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1236                         return -1;
1237                 break;
1238         case CLIENT_FINISHED:
1239                 if (tls_process_client_finished(conn, ct, buf, len))
1240                         return -1;
1241                 break;
1242         default:
1243                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1244                            "while processing received message",
1245                            conn->state);
1246                 return -1;
1247         }
1248
1249         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1250                 tls_verify_hash_add(&conn->verify, buf, *len);
1251
1252         return 0;
1253 }