134192Sjdp/*
255687Sjdp * TLSv1 server - read handshake message
334192Sjdp * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
434192Sjdp *
534192Sjdp * This program is free software; you can redistribute it and/or modify
634192Sjdp * it under the terms of the GNU General Public License version 2 as
734192Sjdp * published by the Free Software Foundation.
834192Sjdp *
934192Sjdp * Alternatively, this software may be distributed under the terms of BSD
1034192Sjdp * license.
1134192Sjdp *
1234192Sjdp * See README and COPYING for more details.
1334192Sjdp */
1434192Sjdp
1534192Sjdp#include "includes.h"
1634192Sjdp
1734192Sjdp#include "common.h"
1834192Sjdp#include "crypto/md5.h"
1934192Sjdp#include "crypto/sha1.h"
2034192Sjdp#include "crypto/tls.h"
2134192Sjdp#include "x509v3.h"
2234192Sjdp#include "tlsv1_common.h"
2334192Sjdp#include "tlsv1_record.h"
2434192Sjdp#include "tlsv1_server.h"
2550476Speter#include "tlsv1_server_i.h"
2634192Sjdp
2734192Sjdp
2834192Sjdpstatic int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
2934192Sjdp					   const u8 *in_data, size_t *in_len);
3034192Sjdpstatic int tls_process_change_cipher_spec(struct tlsv1_server *conn,
3176224Sobrien					  u8 ct, const u8 *in_data,
3234192Sjdp					  size_t *in_len);
3350608Sjdp
3434192Sjdp
3576224Sobrienstatic int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
3635529Sdfr				    const u8 *in_data, size_t *in_len)
37225152Skib{
38216695Skib	const u8 *pos, *end, *c;
3934192Sjdp	size_t left, len, i, j;
4034192Sjdp	u16 cipher_suite;
41115396Skan	u16 num_suites;
4245501Sjdp	int compr_null_found;
4345501Sjdp	u16 ext_type, ext_len;
44127250Speter
45127250Speter	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
46127250Speter		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
47127250Speter			   "received content type 0x%x", ct);
48127250Speter		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
49127250Speter				   TLS_ALERT_UNEXPECTED_MESSAGE);
50127250Speter		return -1;
51127250Speter	}
52127250Speter
5334192Sjdp	pos = in_data;
54119013Sgordon	left = *in_len;
5534192Sjdp
56127250Speter	if (left < 4)
57127250Speter		goto decode_error;
58127250Speter
5934192Sjdp	/* HandshakeType msg_type */
6034192Sjdp	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
61233307Skib		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
6234192Sjdp			   "message %d (expected ClientHello)", *pos);
6334192Sjdp		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
6434192Sjdp				   TLS_ALERT_UNEXPECTED_MESSAGE);
6534192Sjdp		return -1;
6634192Sjdp	}
6734192Sjdp	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
68133063Sdfr	pos++;
69133063Sdfr	/* uint24 length */
70133063Sdfr	len = WPA_GET_BE24(pos);
71133063Sdfr	pos += 3;
72133063Sdfr	left -= 4;
73133063Sdfr
74232831Skib	if (len > left)
75232831Skib		goto decode_error;
76232831Skib
77232831Skib	/* body - ClientHello */
7850609Sjdp
7934192Sjdp	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
8034192Sjdp	end = pos + len;
8155687Sjdp
8250608Sjdp	/* ProtocolVersion client_version */
8360938Sjake	if (end - pos < 2)
8450608Sjdp		goto decode_error;
8550608Sjdp	conn->client_version = WPA_GET_BE16(pos);
8650608Sjdp	wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
8760938Sjake		   conn->client_version >> 8, conn->client_version & 0xff);
8850608Sjdp	if (conn->client_version < TLS_VERSION) {
8963870Sjdp		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
9055687Sjdp			   "ClientHello");
91232831Skib		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
9255687Sjdp				   TLS_ALERT_PROTOCOL_VERSION);
9355687Sjdp		return -1;
9434192Sjdp	}
9534192Sjdp	pos += 2;
9634192Sjdp
9734192Sjdp	/* Random random */
9834192Sjdp	if (end - pos < TLS_RANDOM_LEN)
9934192Sjdp		goto decode_error;
100153515Skan
101153515Skan	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
102153515Skan	pos += TLS_RANDOM_LEN;
103153515Skan	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
104153515Skan		    conn->client_random, TLS_RANDOM_LEN);
10562801Sjdp
10662801Sjdp	/* SessionID session_id */
10762801Sjdp	if (end - pos < 1)
10862801Sjdp		goto decode_error;
10962801Sjdp	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
11062801Sjdp		goto decode_error;
11162801Sjdp	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
11262801Sjdp	pos += 1 + *pos;
11362801Sjdp	/* TODO: add support for session resumption */
11462801Sjdp
11562801Sjdp	/* CipherSuite cipher_suites<2..2^16-1> */
11662801Sjdp	if (end - pos < 2)
11762801Sjdp		goto decode_error;
11862801Sjdp	num_suites = WPA_GET_BE16(pos);
11962801Sjdp	pos += 2;
12062801Sjdp	if (end - pos < num_suites)
12162801Sjdp		goto decode_error;
122153515Skan	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
123153515Skan		    pos, num_suites);
124153515Skan	if (num_suites & 1)
125153515Skan		goto decode_error;
126153515Skan	num_suites /= 2;
127153515Skan
128153515Skan	cipher_suite = 0;
129234840Skib	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
130234840Skib		c = pos;
131234840Skib		for (j = 0; j < num_suites; j++) {
132234840Skib			u16 tmp = WPA_GET_BE16(c);
133234840Skib			c += 2;
134234840Skib			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
135153515Skan				cipher_suite = tmp;
136153515Skan				break;
13734192Sjdp			}
13834192Sjdp		}
13934192Sjdp	}
14034192Sjdp	pos += num_suites * 2;
14134192Sjdp	if (!cipher_suite) {
14250977Sjdp		wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
14350977Sjdp			   "available");
14450977Sjdp		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
14550977Sjdp				   TLS_ALERT_ILLEGAL_PARAMETER);
14634192Sjdp		return -1;
14734192Sjdp	}
14834192Sjdp
14934192Sjdp	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
15034192Sjdp		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
15134192Sjdp			   "record layer");
152153504Smarcel		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153153504Smarcel				   TLS_ALERT_INTERNAL_ERROR);
15434192Sjdp		return -1;
15534192Sjdp	}
15634192Sjdp
157116511Smdodd	conn->cipher_suite = cipher_suite;
15834192Sjdp
15934192Sjdp	/* CompressionMethod compression_methods<1..2^8-1> */
16034192Sjdp	if (end - pos < 1)
16134192Sjdp		goto decode_error;
16234192Sjdp	num_suites = *pos++;
16334192Sjdp	if (end - pos < num_suites)
16434192Sjdp		goto decode_error;
16538467Sjb	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
16634192Sjdp		    pos, num_suites);
16738467Sjb	compr_null_found = 0;
16834192Sjdp	for (i = 0; i < num_suites; i++) {
16938467Sjb		if (*pos++ == TLS_COMPRESSION_NULL)
17034192Sjdp			compr_null_found = 1;
17150610Sjdp	}
172217153Skib	if (!compr_null_found) {
17334192Sjdp		wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
174133063Sdfr			   "compression");
175133063Sdfr		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
176133063Sdfr				   TLS_ALERT_ILLEGAL_PARAMETER);
177133063Sdfr		return -1;
178133063Sdfr	}
179133063Sdfr
180133063Sdfr	if (end - pos == 1) {
181133063Sdfr		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
182230784Skib			    "end of ClientHello: 0x%02x", *pos);
183230784Skib		goto decode_error;
184230784Skib	}
18534192Sjdp
18645501Sjdp	if (end - pos >= 2) {
18738467Sjb		/* Extension client_hello_extension_list<0..2^16-1> */
18834192Sjdp		ext_len = WPA_GET_BE16(pos);
18938816Sdfr		pos += 2;
19038816Sdfr
19138467Sjb		wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
19234192Sjdp			   "extensions", ext_len);
19338816Sdfr		if (end - pos != ext_len) {
19438816Sdfr			wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
19538467Sjb				   "extension list length %u (expected %u)",
19634192Sjdp				   ext_len, (unsigned int) (end - pos));
19734192Sjdp			goto decode_error;
198177924Simp		}
199177924Simp
200177924Simp		/*
201177924Simp		 * struct {
202177924Simp		 *   ExtensionType extension_type (0..65535)
20334192Sjdp		 *   opaque extension_data<0..2^16-1>
204153515Skan		 * } Extension;
205153515Skan		 */
206153515Skan
207153515Skan		while (pos < end) {
208153515Skan			if (end - pos < 2) {
209153515Skan				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
21085004Sdfr					   "extension_type field");
21134192Sjdp				goto decode_error;
21285004Sdfr			}
213234841Skib
21434192Sjdp			ext_type = WPA_GET_BE16(pos);
215234841Skib			pos += 2;
216234841Skib
217234841Skib			if (end - pos < 2) {
218234841Skib				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
219234841Skib					   "extension_data length field");
220234841Skib				goto decode_error;
221234841Skib			}
222234841Skib
223234841Skib			ext_len = WPA_GET_BE16(pos);
224189959Skib			pos += 2;
225238471Skib
22634192Sjdp			if (end - pos < ext_len) {
227216695Skib				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
228216695Skib					   "extension_data field");
22934192Sjdp				goto decode_error;
230153515Skan			}
231153515Skan
232153515Skan			wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
233153515Skan				   "type %u", ext_type);
234153515Skan			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
23585677Speter				    "Extension data", pos, ext_len);
23685677Speter
237232831Skib			if (ext_type == TLS_EXT_SESSION_TICKET) {
238232831Skib				os_free(conn->session_ticket);
239232831Skib				conn->session_ticket = os_malloc(ext_len);
240232831Skib				if (conn->session_ticket) {
241232831Skib					os_memcpy(conn->session_ticket, pos,
242232831Skib						  ext_len);
24334192Sjdp					conn->session_ticket_len = ext_len;
244232831Skib				}
245232831Skib			}
246168312Skan
247168312Skan			pos += ext_len;
248233231Skib		}
249233546Skib	}
250168312Skan
251168312Skan	*in_len = end - in_data;
252168312Skan
253168312Skan	wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
254168312Skan		   "ServerHello");
255168312Skan	conn->state = SERVER_HELLO;
256168312Skan
257168312Skan	return 0;
258189959Skib
259190543Skibdecode_error:
260199829Skib	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
261216695Skib	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
262256101Skib			   TLS_ALERT_DECODE_ERROR);
263238471Skib	return -1;
264194531Skan}
265194531Skan
266194531Skan
267214728Skibstatic int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
268216695Skib				   const u8 *in_data, size_t *in_len)
269228435Skib{
270228435Skib	const u8 *pos, *end;
271271469Skib	size_t left, len, list_len, cert_len, idx;
272232831Skib	u8 type;
273234841Skib	struct x509_certificate *chain = NULL, *last = NULL, *cert;
274234841Skib	int reason;
27535529Sdfr
276194531Skan	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
27750977Sjdp		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
27850977Sjdp			   "received content type 0x%x", ct);
27950977Sjdp		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
28050977Sjdp				   TLS_ALERT_UNEXPECTED_MESSAGE);
281229780Suqs		return -1;
28234192Sjdp	}
28334192Sjdp
28434192Sjdp	pos = in_data;
28534192Sjdp	left = *in_len;
28634192Sjdp
287192922Sdfr	if (left < 4) {
288133063Sdfr		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
289153515Skan			   "(len=%lu)", (unsigned long) left);
290153515Skan		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291228375Skib				   TLS_ALERT_DECODE_ERROR);
292153515Skan		return -1;
293233231Skib	}
294271469Skib
295271469Skib	type = *pos++;
296153515Skan	len = WPA_GET_BE24(pos);
297199829Skib	pos += 3;
298199877Skib	left -= 4;
299199877Skib
300199877Skib	if (len > left) {
301216695Skib		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
302216695Skib			   "length (len=%lu != left=%lu)",
303233231Skib			   (unsigned long) len, (unsigned long) left);
304233231Skib		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305199829Skib				   TLS_ALERT_DECODE_ERROR);
30676296Sjdp		return -1;
30776296Sjdp	}
30876296Sjdp
30976296Sjdp	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
31076296Sjdp		if (conn->verify_peer) {
31176296Sjdp			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
31276296Sjdp				   "Certificate");
31376296Sjdp			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
31476296Sjdp					   TLS_ALERT_UNEXPECTED_MESSAGE);
315216695Skib			return -1;
316216695Skib		}
317216695Skib
318216695Skib		return tls_process_client_key_exchange(conn, ct, in_data,
319216695Skib						       in_len);
320216695Skib	}
321216695Skib	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
322216695Skib		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
323216695Skib			   "message %d (expected Certificate/"
324216695Skib			   "ClientKeyExchange)", type);
325216695Skib		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
326216695Skib				   TLS_ALERT_UNEXPECTED_MESSAGE);
327218476Skib		return -1;
328216695Skib	}
329216695Skib
330238471Skib	wpa_printf(MSG_DEBUG,
331238471Skib		   "TLSv1: Received Certificate (certificate_list len %lu)",
332238471Skib		   (unsigned long) len);
333238471Skib
334238471Skib	/*
335238471Skib	 * opaque ASN.1Cert<2^24-1>;
336238471Skib	 *
337238471Skib	 * struct {
338216695Skib	 *     ASN.1Cert certificate_list<1..2^24-1>;
339216695Skib	 * } Certificate;
340216695Skib	 */
341216695Skib
342216695Skib	end = pos + len;
343216695Skib
344234841Skib	if (end - pos < 3) {
345216695Skib		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
346216695Skib			   "(left=%lu)", (unsigned long) left);
347216695Skib		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
348216695Skib				   TLS_ALERT_DECODE_ERROR);
349216695Skib		return -1;
350216695Skib	}
351216695Skib
352233361Skib	list_len = WPA_GET_BE24(pos);
353233361Skib	pos += 3;
354233361Skib
355233361Skib	if ((size_t) (end - pos) != list_len) {
356233361Skib		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
357233361Skib			   "length (len=%lu left=%lu)",
358259290Skib			   (unsigned long) list_len,
359259290Skib			   (unsigned long) (end - pos));
36038816Sdfr		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
361212497Snwhitehorn				   TLS_ALERT_DECODE_ERROR);
36234192Sjdp		return -1;
363233361Skib	}
364233361Skib
365233361Skib	idx = 0;
366233361Skib	while (pos < end) {
367116563Smdodd		if (end - pos < 3) {
36838816Sdfr			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
36938816Sdfr				   "certificate_list");
37038816Sdfr			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
37138816Sdfr					   TLS_ALERT_DECODE_ERROR);
37266056Sjdp			x509_certificate_chain_free(chain);
373216695Skib			return -1;
37445501Sjdp		}
375116557Smdodd
376232831Skib		cert_len = WPA_GET_BE24(pos);
37750608Sjdp		pos += 3;
37850608Sjdp
37945501Sjdp		if ((size_t) (end - pos) < cert_len) {
380228435Skib			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
381216695Skib				   "length (len=%lu left=%lu)",
382216695Skib				   (unsigned long) cert_len,
383133063Sdfr				   (unsigned long) (end - pos));
384133063Sdfr			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
385133063Sdfr					   TLS_ALERT_DECODE_ERROR);
386133063Sdfr			x509_certificate_chain_free(chain);
387133063Sdfr			return -1;
388142645Sdfr		}
389153515Skan
39038816Sdfr		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
391116558Smdodd			   (unsigned long) idx, (unsigned long) cert_len);
392116558Smdodd
393116558Smdodd		if (idx == 0) {
394116558Smdodd			crypto_public_key_free(conn->client_rsa_key);
395233231Skib			if (tls_parse_cert(pos, cert_len,
396233231Skib					   &conn->client_rsa_key)) {
397116558Smdodd				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
398233231Skib					   "the certificate");
399228435Skib				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
400233231Skib						   TLS_ALERT_BAD_CERTIFICATE);
401133063Sdfr				x509_certificate_chain_free(chain);
402116558Smdodd				return -1;
40334192Sjdp			}
404		}
405
406		cert = x509_certificate_parse(pos, cert_len);
407		if (cert == NULL) {
408			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
409				   "the certificate");
410			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411					   TLS_ALERT_BAD_CERTIFICATE);
412			x509_certificate_chain_free(chain);
413			return -1;
414		}
415
416		if (last == NULL)
417			chain = cert;
418		else
419			last->next = cert;
420		last = cert;
421
422		idx++;
423		pos += cert_len;
424	}
425
426	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
427					    &reason) < 0) {
428		int tls_reason;
429		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
430			   "validation failed (reason=%d)", reason);
431		switch (reason) {
432		case X509_VALIDATE_BAD_CERTIFICATE:
433			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
434			break;
435		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
436			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
437			break;
438		case X509_VALIDATE_CERTIFICATE_REVOKED:
439			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
440			break;
441		case X509_VALIDATE_CERTIFICATE_EXPIRED:
442			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
443			break;
444		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
445			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
446			break;
447		case X509_VALIDATE_UNKNOWN_CA:
448			tls_reason = TLS_ALERT_UNKNOWN_CA;
449			break;
450		default:
451			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
452			break;
453		}
454		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
455		x509_certificate_chain_free(chain);
456		return -1;
457	}
458
459	x509_certificate_chain_free(chain);
460
461	*in_len = end - in_data;
462
463	conn->state = CLIENT_KEY_EXCHANGE;
464
465	return 0;
466}
467
468
469static int tls_process_client_key_exchange_rsa(
470	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
471{
472	u8 *out;
473	size_t outlen, outbuflen;
474	u16 encr_len;
475	int res;
476	int use_random = 0;
477
478	if (end - pos < 2) {
479		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
480				   TLS_ALERT_DECODE_ERROR);
481		return -1;
482	}
483
484	encr_len = WPA_GET_BE16(pos);
485	pos += 2;
486
487	outbuflen = outlen = end - pos;
488	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
489			outlen : TLS_PRE_MASTER_SECRET_LEN);
490	if (out == NULL) {
491		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
492				   TLS_ALERT_INTERNAL_ERROR);
493		return -1;
494	}
495
496	/*
497	 * struct {
498	 *   ProtocolVersion client_version;
499	 *   opaque random[46];
500	 * } PreMasterSecret;
501	 *
502	 * struct {
503	 *   public-key-encrypted PreMasterSecret pre_master_secret;
504	 * } EncryptedPreMasterSecret;
505	 */
506
507	/*
508	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
509	 * parsing errors from EncryptedPreMasterSecret processing to the
510	 * client. Instead, a random pre-master secret is used to force the
511	 * handshake to fail.
512	 */
513
514	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
515						 pos, end - pos,
516						 out, &outlen) < 0) {
517		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
518			   "PreMasterSecret (encr_len=%d outlen=%lu)",
519			   (int) (end - pos), (unsigned long) outlen);
520		use_random = 1;
521	}
522
523	if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
524		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
525			   "length %lu", (unsigned long) outlen);
526		use_random = 1;
527	}
528
529	if (WPA_GET_BE16(out) != conn->client_version) {
530		wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
531			   "ClientKeyExchange does not match with version in "
532			   "ClientHello");
533		use_random = 1;
534	}
535
536	if (use_random) {
537		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
538			   "to avoid revealing information about private key");
539		outlen = TLS_PRE_MASTER_SECRET_LEN;
540		if (os_get_random(out, outlen)) {
541			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
542				   "data");
543			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
544					   TLS_ALERT_INTERNAL_ERROR);
545			os_free(out);
546			return -1;
547		}
548	}
549
550	res = tlsv1_server_derive_keys(conn, out, outlen);
551
552	/* Clear the pre-master secret since it is not needed anymore */
553	os_memset(out, 0, outbuflen);
554	os_free(out);
555
556	if (res) {
557		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
558		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559				   TLS_ALERT_INTERNAL_ERROR);
560		return -1;
561	}
562
563	return 0;
564}
565
566
567static int tls_process_client_key_exchange_dh_anon(
568	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
569{
570	const u8 *dh_yc;
571	u16 dh_yc_len;
572	u8 *shared;
573	size_t shared_len;
574	int res;
575
576	/*
577	 * struct {
578	 *   select (PublicValueEncoding) {
579	 *     case implicit: struct { };
580	 *     case explicit: opaque dh_Yc<1..2^16-1>;
581	 *   } dh_public;
582	 * } ClientDiffieHellmanPublic;
583	 */
584
585	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
586		    pos, end - pos);
587
588	if (end == pos) {
589		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
590			   "not supported");
591		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
592				   TLS_ALERT_INTERNAL_ERROR);
593		return -1;
594	}
595
596	if (end - pos < 3) {
597		wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
598			   "length");
599		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
600				   TLS_ALERT_DECODE_ERROR);
601		return -1;
602	}
603
604	dh_yc_len = WPA_GET_BE16(pos);
605	dh_yc = pos + 2;
606
607	if (dh_yc + dh_yc_len > end) {
608		wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
609			   "(length %d)", dh_yc_len);
610		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
611				   TLS_ALERT_DECODE_ERROR);
612		return -1;
613	}
614
615	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
616		    dh_yc, dh_yc_len);
617
618	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
619	    conn->dh_secret == NULL) {
620		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
621		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
622				   TLS_ALERT_INTERNAL_ERROR);
623		return -1;
624	}
625
626	shared_len = conn->cred->dh_p_len;
627	shared = os_malloc(shared_len);
628	if (shared == NULL) {
629		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
630			   "DH");
631		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
632				   TLS_ALERT_INTERNAL_ERROR);
633		return -1;
634	}
635
636	/* shared = Yc^secret mod p */
637	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
638			   conn->dh_secret_len,
639			   conn->cred->dh_p, conn->cred->dh_p_len,
640			   shared, &shared_len)) {
641		os_free(shared);
642		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
643				   TLS_ALERT_INTERNAL_ERROR);
644		return -1;
645	}
646	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
647			shared, shared_len);
648
649	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
650	os_free(conn->dh_secret);
651	conn->dh_secret = NULL;
652
653	res = tlsv1_server_derive_keys(conn, shared, shared_len);
654
655	/* Clear the pre-master secret since it is not needed anymore */
656	os_memset(shared, 0, shared_len);
657	os_free(shared);
658
659	if (res) {
660		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
661		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
662				   TLS_ALERT_INTERNAL_ERROR);
663		return -1;
664	}
665
666	return 0;
667}
668
669
670static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
671					   const u8 *in_data, size_t *in_len)
672{
673	const u8 *pos, *end;
674	size_t left, len;
675	u8 type;
676	tls_key_exchange keyx;
677	const struct tls_cipher_suite *suite;
678
679	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
680		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
681			   "received content type 0x%x", ct);
682		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
683				   TLS_ALERT_UNEXPECTED_MESSAGE);
684		return -1;
685	}
686
687	pos = in_data;
688	left = *in_len;
689
690	if (left < 4) {
691		wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
692			   "(Left=%lu)", (unsigned long) left);
693		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
694				   TLS_ALERT_DECODE_ERROR);
695		return -1;
696	}
697
698	type = *pos++;
699	len = WPA_GET_BE24(pos);
700	pos += 3;
701	left -= 4;
702
703	if (len > left) {
704		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
705			   "length (len=%lu != left=%lu)",
706			   (unsigned long) len, (unsigned long) left);
707		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
708				   TLS_ALERT_DECODE_ERROR);
709		return -1;
710	}
711
712	end = pos + len;
713
714	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
715		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
716			   "message %d (expected ClientKeyExchange)", type);
717		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
718				   TLS_ALERT_UNEXPECTED_MESSAGE);
719		return -1;
720	}
721
722	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
723
724	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
725
726	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
727	if (suite == NULL)
728		keyx = TLS_KEY_X_NULL;
729	else
730		keyx = suite->key_exchange;
731
732	if (keyx == TLS_KEY_X_DH_anon &&
733	    tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
734		return -1;
735
736	if (keyx != TLS_KEY_X_DH_anon &&
737	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
738		return -1;
739
740	*in_len = end - in_data;
741
742	conn->state = CERTIFICATE_VERIFY;
743
744	return 0;
745}
746
747
748static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
749					  const u8 *in_data, size_t *in_len)
750{
751	const u8 *pos, *end;
752	size_t left, len;
753	u8 type;
754	size_t hlen, buflen;
755	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
756	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
757	u16 slen;
758
759	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
760		if (conn->verify_peer) {
761			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
762				   "CertificateVerify");
763			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
764					   TLS_ALERT_UNEXPECTED_MESSAGE);
765			return -1;
766		}
767
768		return tls_process_change_cipher_spec(conn, ct, in_data,
769						      in_len);
770	}
771
772	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
773		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
774			   "received content type 0x%x", ct);
775		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
776				   TLS_ALERT_UNEXPECTED_MESSAGE);
777		return -1;
778	}
779
780	pos = in_data;
781	left = *in_len;
782
783	if (left < 4) {
784		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
785			   "message (len=%lu)", (unsigned long) left);
786		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
787				   TLS_ALERT_DECODE_ERROR);
788		return -1;
789	}
790
791	type = *pos++;
792	len = WPA_GET_BE24(pos);
793	pos += 3;
794	left -= 4;
795
796	if (len > left) {
797		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
798			   "message length (len=%lu != left=%lu)",
799			   (unsigned long) len, (unsigned long) left);
800		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
801				   TLS_ALERT_DECODE_ERROR);
802		return -1;
803	}
804
805	end = pos + len;
806
807	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
808		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
809			   "message %d (expected CertificateVerify)", type);
810		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
811				   TLS_ALERT_UNEXPECTED_MESSAGE);
812		return -1;
813	}
814
815	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
816
817	/*
818	 * struct {
819	 *   Signature signature;
820	 * } CertificateVerify;
821	 */
822
823	hpos = hash;
824
825	if (alg == SIGN_ALG_RSA) {
826		hlen = MD5_MAC_LEN;
827		if (conn->verify.md5_cert == NULL ||
828		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
829		{
830			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831					   TLS_ALERT_INTERNAL_ERROR);
832			conn->verify.md5_cert = NULL;
833			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
834			conn->verify.sha1_cert = NULL;
835			return -1;
836		}
837		hpos += MD5_MAC_LEN;
838	} else
839		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
840
841	conn->verify.md5_cert = NULL;
842	hlen = SHA1_MAC_LEN;
843	if (conn->verify.sha1_cert == NULL ||
844	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
845		conn->verify.sha1_cert = NULL;
846		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
847				   TLS_ALERT_INTERNAL_ERROR);
848		return -1;
849	}
850	conn->verify.sha1_cert = NULL;
851
852	if (alg == SIGN_ALG_RSA)
853		hlen += MD5_MAC_LEN;
854
855	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
856
857	if (end - pos < 2) {
858		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
859				   TLS_ALERT_DECODE_ERROR);
860		return -1;
861	}
862	slen = WPA_GET_BE16(pos);
863	pos += 2;
864	if (end - pos < slen) {
865		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
866				   TLS_ALERT_DECODE_ERROR);
867		return -1;
868	}
869
870	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
871	if (conn->client_rsa_key == NULL) {
872		wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
873			   "signature");
874		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
875				   TLS_ALERT_INTERNAL_ERROR);
876		return -1;
877	}
878
879	buflen = end - pos;
880	buf = os_malloc(end - pos);
881	if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
882					    pos, end - pos, buf, &buflen) < 0)
883	{
884		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
885		os_free(buf);
886		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
887				   TLS_ALERT_DECRYPT_ERROR);
888		return -1;
889	}
890
891	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
892			buf, buflen);
893
894	if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
895		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
896			   "CertificateVerify - did not match with calculated "
897			   "hash");
898		os_free(buf);
899		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
900				   TLS_ALERT_DECRYPT_ERROR);
901		return -1;
902	}
903
904	os_free(buf);
905
906	*in_len = end - in_data;
907
908	conn->state = CHANGE_CIPHER_SPEC;
909
910	return 0;
911}
912
913
914static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
915					  u8 ct, const u8 *in_data,
916					  size_t *in_len)
917{
918	const u8 *pos;
919	size_t left;
920
921	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
922		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
923			   "received content type 0x%x", ct);
924		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
925				   TLS_ALERT_UNEXPECTED_MESSAGE);
926		return -1;
927	}
928
929	pos = in_data;
930	left = *in_len;
931
932	if (left < 1) {
933		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
934		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
935				   TLS_ALERT_DECODE_ERROR);
936		return -1;
937	}
938
939	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
940		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
941			   "received data 0x%x", *pos);
942		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
943				   TLS_ALERT_UNEXPECTED_MESSAGE);
944		return -1;
945	}
946
947	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
948	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
949		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
950			   "for record layer");
951		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
952				   TLS_ALERT_INTERNAL_ERROR);
953		return -1;
954	}
955
956	*in_len = pos + 1 - in_data;
957
958	conn->state = CLIENT_FINISHED;
959
960	return 0;
961}
962
963
964static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
965				       const u8 *in_data, size_t *in_len)
966{
967	const u8 *pos, *end;
968	size_t left, len, hlen;
969	u8 verify_data[TLS_VERIFY_DATA_LEN];
970	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
971
972	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
973		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
974			   "received content type 0x%x", ct);
975		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
976				   TLS_ALERT_UNEXPECTED_MESSAGE);
977		return -1;
978	}
979
980	pos = in_data;
981	left = *in_len;
982
983	if (left < 4) {
984		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
985			   "Finished",
986			   (unsigned long) left);
987		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
988				   TLS_ALERT_DECODE_ERROR);
989		return -1;
990	}
991
992	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
993		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
994			   "type 0x%x", pos[0]);
995		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
996				   TLS_ALERT_UNEXPECTED_MESSAGE);
997		return -1;
998	}
999
1000	len = WPA_GET_BE24(pos + 1);
1001
1002	pos += 4;
1003	left -= 4;
1004
1005	if (len > left) {
1006		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1007			   "(len=%lu > left=%lu)",
1008			   (unsigned long) len, (unsigned long) left);
1009		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1010				   TLS_ALERT_DECODE_ERROR);
1011		return -1;
1012	}
1013	end = pos + len;
1014	if (len != TLS_VERIFY_DATA_LEN) {
1015		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1016			   "in Finished: %lu (expected %d)",
1017			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1018		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1019				   TLS_ALERT_DECODE_ERROR);
1020		return -1;
1021	}
1022	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1023		    pos, TLS_VERIFY_DATA_LEN);
1024
1025	hlen = MD5_MAC_LEN;
1026	if (conn->verify.md5_client == NULL ||
1027	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1028		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1029				   TLS_ALERT_INTERNAL_ERROR);
1030		conn->verify.md5_client = NULL;
1031		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1032		conn->verify.sha1_client = NULL;
1033		return -1;
1034	}
1035	conn->verify.md5_client = NULL;
1036	hlen = SHA1_MAC_LEN;
1037	if (conn->verify.sha1_client == NULL ||
1038	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1039			       &hlen) < 0) {
1040		conn->verify.sha1_client = NULL;
1041		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1042				   TLS_ALERT_INTERNAL_ERROR);
1043		return -1;
1044	}
1045	conn->verify.sha1_client = NULL;
1046
1047	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1048		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1049		    verify_data, TLS_VERIFY_DATA_LEN)) {
1050		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1051		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1052				   TLS_ALERT_DECRYPT_ERROR);
1053		return -1;
1054	}
1055	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1056			verify_data, TLS_VERIFY_DATA_LEN);
1057
1058	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1059		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1060		return -1;
1061	}
1062
1063	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1064
1065	*in_len = end - in_data;
1066
1067	if (conn->use_session_ticket) {
1068		/* Abbreviated handshake using session ticket; RFC 4507 */
1069		wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1070			   "successfully");
1071		conn->state = ESTABLISHED;
1072	} else {
1073		/* Full handshake */
1074		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1075	}
1076
1077	return 0;
1078}
1079
1080
1081int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1082				   const u8 *buf, size_t *len)
1083{
1084	if (ct == TLS_CONTENT_TYPE_ALERT) {
1085		if (*len < 2) {
1086			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1087			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1088					   TLS_ALERT_DECODE_ERROR);
1089			return -1;
1090		}
1091		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1092			   buf[0], buf[1]);
1093		*len = 2;
1094		conn->state = FAILED;
1095		return -1;
1096	}
1097
1098	switch (conn->state) {
1099	case CLIENT_HELLO:
1100		if (tls_process_client_hello(conn, ct, buf, len))
1101			return -1;
1102		break;
1103	case CLIENT_CERTIFICATE:
1104		if (tls_process_certificate(conn, ct, buf, len))
1105			return -1;
1106		break;
1107	case CLIENT_KEY_EXCHANGE:
1108		if (tls_process_client_key_exchange(conn, ct, buf, len))
1109			return -1;
1110		break;
1111	case CERTIFICATE_VERIFY:
1112		if (tls_process_certificate_verify(conn, ct, buf, len))
1113			return -1;
1114		break;
1115	case CHANGE_CIPHER_SPEC:
1116		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1117			return -1;
1118		break;
1119	case CLIENT_FINISHED:
1120		if (tls_process_client_finished(conn, ct, buf, len))
1121			return -1;
1122		break;
1123	default:
1124		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1125			   "while processing received message",
1126			   conn->state);
1127		return -1;
1128	}
1129
1130	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1131		tls_verify_hash_add(&conn->verify, buf, *len);
1132
1133	return 0;
1134}
1135