src/tls/tlsv1_client_read.c

   1 /*
   2  * TLSv1 client - read handshake message
   3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_client.h"
  20 #include "tlsv1_client_i.h"
  21
  22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
  23                                            const u8 *in_data, size_t *in_len);
  24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
  25                                            const u8 *in_data, size_t *in_len);
  26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
  27                                          const u8 *in_data, size_t *in_len);
  28
  29
  30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
  31                                     const u8 *in_data, size_t *in_len)
  32 {
  33         const u8 *pos, *end;
  34         size_t left, len, i;
  35         u16 cipher_suite;
  36         u16 tls_version;
  37
  38         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  39                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  40                            "received content type 0x%x", ct);
  41                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  42                           TLS_ALERT_UNEXPECTED_MESSAGE);
  43                 return -1;
  44         }
  45
  46         pos = in_data;
  47         left = *in_len;
  48
  49         if (left < 4)
  50                 goto decode_error;
  51
  52         /* HandshakeType msg_type */
  53         if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
  54                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  55                            "message %d (expected ServerHello)", *pos);
  56                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  57                           TLS_ALERT_UNEXPECTED_MESSAGE);
  58                 return -1;
  59         }
  60         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
  61         pos++;
  62         /* uint24 length */
  63         len = WPA_GET_BE24(pos);
  64         pos += 3;
  65         left -= 4;
  66
  67         if (len > left)
  68                 goto decode_error;
  69
  70         /* body - ServerHello */
  71
  72         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
  73         end = pos + len;
  74
  75         /* ProtocolVersion server_version */
  76         if (end - pos < 2)
  77                 goto decode_error;
  78         tls_version = WPA_GET_BE16(pos);
  79         if (!tls_version_ok(tls_version)) {
  80                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  81                            "ServerHello %u.%u", pos[0], pos[1]);
  82                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  83                           TLS_ALERT_PROTOCOL_VERSION);
  84                 return -1;
  85         }
  86         pos += 2;
  87
  88         wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
  89                    tls_version_str(tls_version));
  90         conn->rl.tls_version = tls_version;
  91
  92         /* Random random */
  93         if (end - pos < TLS_RANDOM_LEN)
  94                 goto decode_error;
  95
  96         os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
  97         pos += TLS_RANDOM_LEN;
  98         wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
  99                     conn->server_random, TLS_RANDOM_LEN);
 100
 101         /* SessionID session_id */
 102         if (end - pos < 1)
 103                 goto decode_error;
 104         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 105                 goto decode_error;
 106         if (conn->session_id_len && conn->session_id_len == *pos &&
 107             os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
 108                 pos += 1 + conn->session_id_len;
 109                 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
 110                 conn->session_resumed = 1;
 111         } else {
 112                 conn->session_id_len = *pos;
 113                 pos++;
 114                 os_memcpy(conn->session_id, pos, conn->session_id_len);
 115                 pos += conn->session_id_len;
 116         }
 117         wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
 118                     conn->session_id, conn->session_id_len);
 119
 120         /* CipherSuite cipher_suite */
 121         if (end - pos < 2)
 122                 goto decode_error;
 123         cipher_suite = WPA_GET_BE16(pos);
 124         pos += 2;
 125         for (i = 0; i < conn->num_cipher_suites; i++) {
 126                 if (cipher_suite == conn->cipher_suites[i])
 127                         break;
 128         }
 129         if (i == conn->num_cipher_suites) {
 130                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 131                            "cipher suite 0x%04x", cipher_suite);
 132                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 133                           TLS_ALERT_ILLEGAL_PARAMETER);
 134                 return -1;
 135         }
 136
 137         if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
 138                 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
 139                            "cipher suite for a resumed connection (0x%04x != "
 140                            "0x%04x)", cipher_suite, conn->prev_cipher_suite);
 141                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 142                           TLS_ALERT_ILLEGAL_PARAMETER);
 143                 return -1;
 144         }
 145
 146         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 147                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 148                            "record layer");
 149                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 150                           TLS_ALERT_INTERNAL_ERROR);
 151                 return -1;
 152         }
 153
 154         conn->prev_cipher_suite = cipher_suite;
 155
 156         /* CompressionMethod compression_method */
 157         if (end - pos < 1)
 158                 goto decode_error;
 159         if (*pos != TLS_COMPRESSION_NULL) {
 160                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 161                            "compression 0x%02x", *pos);
 162                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 163                           TLS_ALERT_ILLEGAL_PARAMETER);
 164                 return -1;
 165         }
 166         pos++;
 167
 168         if (end != pos) {
 169                 /* TODO: ServerHello extensions */
 170                 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
 171                             "end of ServerHello", pos, end - pos);
 172                 goto decode_error;
 173         }
 174
 175         if (conn->session_ticket_included && conn->session_ticket_cb) {
 176                 /* TODO: include SessionTicket extension if one was included in
 177                  * ServerHello */
 178                 int res = conn->session_ticket_cb(
 179                         conn->session_ticket_cb_ctx, NULL, 0,
 180                         conn->client_random, conn->server_random,
 181                         conn->master_secret);
 182                 if (res < 0) {
 183                         wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
 184                                    "indicated failure");
 185                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 186                                   TLS_ALERT_HANDSHAKE_FAILURE);
 187                         return -1;
 188                 }
 189                 conn->use_session_ticket = !!res;
 190         }
 191
 192         if ((conn->session_resumed || conn->use_session_ticket) &&
 193             tls_derive_keys(conn, NULL, 0)) {
 194                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 195                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 196                           TLS_ALERT_INTERNAL_ERROR);
 197                 return -1;
 198         }
 199
 200         *in_len = end - in_data;
 201
 202         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 203                 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
 204
 205         return 0;
 206
 207 decode_error:
 208         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
 209         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 210         return -1;
 211 }
 212
 213
 214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 215                                    const u8 *in_data, size_t *in_len)
 216 {
 217         const u8 *pos, *end;
 218         size_t left, len, list_len, cert_len, idx;
 219         u8 type;
 220         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 221         int reason;
 222
 223         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 224                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 225                            "received content type 0x%x", ct);
 226                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 227                           TLS_ALERT_UNEXPECTED_MESSAGE);
 228                 return -1;
 229         }
 230
 231         pos = in_data;
 232         left = *in_len;
 233
 234         if (left < 4) {
 235                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 236                            "(len=%lu)", (unsigned long) left);
 237                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 238                 return -1;
 239         }
 240
 241         type = *pos++;
 242         len = WPA_GET_BE24(pos);
 243         pos += 3;
 244         left -= 4;
 245
 246         if (len > left) {
 247                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 248                            "length (len=%lu != left=%lu)",
 249                            (unsigned long) len, (unsigned long) left);
 250                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 251                 return -1;
 252         }
 253
 254         if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
 255                 return tls_process_server_key_exchange(conn, ct, in_data,
 256                                                        in_len);
 257         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 258                 return tls_process_certificate_request(conn, ct, in_data,
 259                                                        in_len);
 260         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 261                 return tls_process_server_hello_done(conn, ct, in_data,
 262                                                      in_len);
 263         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 264                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 265                            "message %d (expected Certificate/"
 266                            "ServerKeyExchange/CertificateRequest/"
 267                            "ServerHelloDone)", type);
 268                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 269                           TLS_ALERT_UNEXPECTED_MESSAGE);
 270                 return -1;
 271         }
 272
 273         wpa_printf(MSG_DEBUG,
 274                    "TLSv1: Received Certificate (certificate_list len %lu)",
 275                    (unsigned long) len);
 276
 277         /*
 278          * opaque ASN.1Cert<2^24-1>;
 279          *
 280          * struct {
 281          *     ASN.1Cert certificate_list<1..2^24-1>;
 282          * } Certificate;
 283          */
 284
 285         end = pos + len;
 286
 287         if (end - pos < 3) {
 288                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 289                            "(left=%lu)", (unsigned long) left);
 290                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 291                 return -1;
 292         }
 293
 294         list_len = WPA_GET_BE24(pos);
 295         pos += 3;
 296
 297         if ((size_t) (end - pos) != list_len) {
 298                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 299                            "length (len=%lu left=%lu)",
 300                            (unsigned long) list_len,
 301                            (unsigned long) (end - pos));
 302                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 303                 return -1;
 304         }
 305
 306         idx = 0;
 307         while (pos < end) {
 308                 if (end - pos < 3) {
 309                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 310                                    "certificate_list");
 311                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 312                                   TLS_ALERT_DECODE_ERROR);
 313                         x509_certificate_chain_free(chain);
 314                         return -1;
 315                 }
 316
 317                 cert_len = WPA_GET_BE24(pos);
 318                 pos += 3;
 319
 320                 if ((size_t) (end - pos) < cert_len) {
 321                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 322                                    "length (len=%lu left=%lu)",
 323                                    (unsigned long) cert_len,
 324                                    (unsigned long) (end - pos));
 325                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 326                                   TLS_ALERT_DECODE_ERROR);
 327                         x509_certificate_chain_free(chain);
 328                         return -1;
 329                 }
 330
 331                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 332                            (unsigned long) idx, (unsigned long) cert_len);
 333
 334                 if (idx == 0) {
 335                         crypto_public_key_free(conn->server_rsa_key);
 336                         if (tls_parse_cert(pos, cert_len,
 337                                            &conn->server_rsa_key)) {
 338                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 339                                            "the certificate");
 340                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 341                                           TLS_ALERT_BAD_CERTIFICATE);
 342                                 x509_certificate_chain_free(chain);
 343                                 return -1;
 344                         }
 345                 }
 346
 347                 cert = x509_certificate_parse(pos, cert_len);
 348                 if (cert == NULL) {
 349                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 350                                    "the certificate");
 351                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 352                                   TLS_ALERT_BAD_CERTIFICATE);
 353                         x509_certificate_chain_free(chain);
 354                         return -1;
 355                 }
 356
 357                 if (last == NULL)
 358                         chain = cert;
 359                 else
 360                         last->next = cert;
 361                 last = cert;
 362
 363                 idx++;
 364                 pos += cert_len;
 365         }
 366
 367         if (conn->cred &&
 368             x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 369                                             &reason, conn->disable_time_checks)
 370             < 0) {
 371                 int tls_reason;
 372                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 373                            "validation failed (reason=%d)", reason);
 374                 switch (reason) {
 375                 case X509_VALIDATE_BAD_CERTIFICATE:
 376                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 377                         break;
 378                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 379                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 380                         break;
 381                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 382                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 383                         break;
 384                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 385                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 386                         break;
 387                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 388                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 389                         break;
 390                 case X509_VALIDATE_UNKNOWN_CA:
 391                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 392                         break;
 393                 default:
 394                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 395                         break;
 396                 }
 397                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 398                 x509_certificate_chain_free(chain);
 399                 return -1;
 400         }
 401
 402         x509_certificate_chain_free(chain);
 403
 404         *in_len = end - in_data;
 405
 406         conn->state = SERVER_KEY_EXCHANGE;
 407
 408         return 0;
 409 }
 410
 411
 412 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 413                                         const u8 *buf, size_t len,
 414                                         tls_key_exchange key_exchange)
 415 {
 416         const u8 *pos, *end, *server_params, *server_params_end;
 417
 418         tlsv1_client_free_dh(conn);
 419
 420         pos = buf;
 421         end = buf + len;
 422
 423         if (end - pos < 3)
 424                 goto fail;
 425         server_params = pos;
 426         conn->dh_p_len = WPA_GET_BE16(pos);
 427         pos += 2;
 428         if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
 429                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
 430                            (unsigned long) conn->dh_p_len);
 431                 goto fail;
 432         }
 433         conn->dh_p = os_malloc(conn->dh_p_len);
 434         if (conn->dh_p == NULL)
 435                 goto fail;
 436         os_memcpy(conn->dh_p, pos, conn->dh_p_len);
 437         pos += conn->dh_p_len;
 438         wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
 439                     conn->dh_p, conn->dh_p_len);
 440
 441         if (end - pos < 3)
 442                 goto fail;
 443         conn->dh_g_len = WPA_GET_BE16(pos);
 444         pos += 2;
 445         if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
 446                 goto fail;
 447         conn->dh_g = os_malloc(conn->dh_g_len);
 448         if (conn->dh_g == NULL)
 449                 goto fail;
 450         os_memcpy(conn->dh_g, pos, conn->dh_g_len);
 451         pos += conn->dh_g_len;
 452         wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
 453                     conn->dh_g, conn->dh_g_len);
 454         if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
 455                 goto fail;
 456
 457         if (end - pos < 3)
 458                 goto fail;
 459         conn->dh_ys_len = WPA_GET_BE16(pos);
 460         pos += 2;
 461         if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
 462                 goto fail;
 463         conn->dh_ys = os_malloc(conn->dh_ys_len);
 464         if (conn->dh_ys == NULL)
 465                 goto fail;
 466         os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
 467         pos += conn->dh_ys_len;
 468         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
 469                     conn->dh_ys, conn->dh_ys_len);
 470         server_params_end = pos;
 471
 472         if (key_exchange == TLS_KEY_X_DHE_RSA) {
 473                 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *sbuf;
 474                 size_t hlen, buflen;
 475                 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 476                 u16 slen;
 477                 struct crypto_hash *ctx;
 478
 479                 hpos = hash;
 480
 481 #ifdef CONFIG_TLSV12
 482                 if (conn->rl.tls_version == TLS_VERSION_1_2) {
 483                         /*
 484                          * RFC 5246, 4.7:
 485                          * TLS v1.2 adds explicit indication of the used
 486                          * signature and hash algorithms.
 487                          *
 488                          * struct {
 489                          *   HashAlgorithm hash;
 490                          *   SignatureAlgorithm signature;
 491                          * } SignatureAndHashAlgorithm;
 492                          */
 493                         if (end - pos < 2)
 494                                 goto fail;
 495                         if (pos[0] != TLS_HASH_ALG_SHA256 ||
 496                             pos[1] != TLS_SIGN_ALG_RSA) {
 497                                 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
 498                                            pos[0], pos[1]);
 499                                 goto fail;
 500                         }
 501                         pos += 2;
 502
 503                         ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 0);
 504                         if (ctx == NULL)
 505                                 goto fail;
 506                         crypto_hash_update(ctx, conn->client_random,
 507                                            TLS_RANDOM_LEN);
 508                         crypto_hash_update(ctx, conn->server_random,
 509                                            TLS_RANDOM_LEN);
 510                         crypto_hash_update(ctx, server_params,
 511                                            server_params_end - server_params);
 512                         hlen = SHA256_MAC_LEN;
 513                         if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
 514                                 goto fail;
 515                 } else {
 516 #endif /* CONFIG_TLSV12 */
 517                 if (alg == SIGN_ALG_RSA) {
 518                         ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
 519                         if (ctx == NULL)
 520                                 goto fail;
 521                         crypto_hash_update(ctx, conn->client_random,
 522                                            TLS_RANDOM_LEN);
 523                         crypto_hash_update(ctx, conn->server_random,
 524                                            TLS_RANDOM_LEN);
 525                         crypto_hash_update(ctx, server_params,
 526                                            server_params_end - server_params);
 527                         hlen = sizeof(hash);
 528                         if (crypto_hash_finish(ctx, hash, &hlen) < 0)
 529                                 goto fail;
 530                         hpos += hlen;
 531                 }
 532                 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
 533                 if (ctx == NULL)
 534                         goto fail;
 535                 crypto_hash_update(ctx, conn->client_random, TLS_RANDOM_LEN);
 536                 crypto_hash_update(ctx, conn->server_random, TLS_RANDOM_LEN);
 537                 crypto_hash_update(ctx, server_params,
 538                                    server_params_end - server_params);
 539                 hlen = hash + sizeof(hash) - hpos;
 540                 if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
 541                         goto fail;
 542                 hpos += hlen;
 543                 hlen = hpos - hash;
 544 #ifdef CONFIG_TLSV12
 545                 }
 546 #endif /* CONFIG_TLSV12 */
 547
 548                 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
 549                             hash, hlen);
 550
 551                 if (end - pos < 2)
 552                         goto fail;
 553                 slen = WPA_GET_BE16(pos);
 554                 pos += 2;
 555                 if (end - pos < slen)
 556                         goto fail;
 557
 558                 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 559                 if (conn->server_rsa_key == NULL) {
 560                         wpa_printf(MSG_DEBUG, "TLSv1: No server public key to verify signature");
 561                         goto fail;
 562                 }
 563
 564                 buflen = end - pos;
 565                 sbuf = os_malloc(end - pos);
 566                 if (crypto_public_key_decrypt_pkcs1(conn->server_rsa_key,
 567                                                     pos, end - pos, sbuf,
 568                                                     &buflen) < 0) {
 569                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 570                         os_free(sbuf);
 571                         goto fail;
 572                 }
 573
 574                 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 575                                 sbuf, buflen);
 576
 577 #ifdef CONFIG_TLSV12
 578                 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
 579                         /*
 580                          * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
 581                          *
 582                          * DigestInfo ::= SEQUENCE {
 583                          *   digestAlgorithm DigestAlgorithm,
 584                          *   digest OCTET STRING
 585                          * }
 586                          *
 587                          * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
 588                          *
 589                          * DER encoded DigestInfo for SHA256 per RFC 3447:
 590                          * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00
 591                          * 04 20 || H
 592                          */
 593                         if (buflen >= 19 + 32 &&
 594                             os_memcmp(sbuf,
 595                                       "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
 596                                       "\x65\x03\x04\x02\x01\x05\x00\x04\x20",
 597                                       19) == 0) {
 598                                 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-256");
 599                                 os_memmove(sbuf, sbuf + 19, buflen - 19);
 600                                 buflen -= 19;
 601                         } else {
 602                                 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
 603                                 os_free(sbuf);
 604                                 goto fail;
 605                         }
 606                 }
 607 #endif /* CONFIG_TLSV12 */
 608
 609                 if (buflen != hlen || os_memcmp(sbuf, hash, buflen) != 0) {
 610                         wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in ServerKeyExchange - did not match calculated hash");
 611                         os_free(sbuf);
 612                         goto fail;
 613                 }
 614
 615                 os_free(sbuf);
 616         }
 617
 618         return 0;
 619
 620 fail:
 621         wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
 622         tlsv1_client_free_dh(conn);
 623         return -1;
 624 }
 625
 626
 627 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
 628                                            const u8 *in_data, size_t *in_len)
 629 {
 630         const u8 *pos, *end;
 631         size_t left, len;
 632         u8 type;
 633         const struct tls_cipher_suite *suite;
 634
 635         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 636                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 637                            "received content type 0x%x", ct);
 638                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 639                           TLS_ALERT_UNEXPECTED_MESSAGE);
 640                 return -1;
 641         }
 642
 643         pos = in_data;
 644         left = *in_len;
 645
 646         if (left < 4) {
 647                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
 648                            "(Left=%lu)", (unsigned long) left);
 649                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 650                 return -1;
 651         }
 652
 653         type = *pos++;
 654         len = WPA_GET_BE24(pos);
 655         pos += 3;
 656         left -= 4;
 657
 658         if (len > left) {
 659                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
 660                            "length (len=%lu != left=%lu)",
 661                            (unsigned long) len, (unsigned long) left);
 662                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 663                 return -1;
 664         }
 665
 666         end = pos + len;
 667
 668         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 669                 return tls_process_certificate_request(conn, ct, in_data,
 670                                                        in_len);
 671         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 672                 return tls_process_server_hello_done(conn, ct, in_data,
 673                                                      in_len);
 674         if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
 675                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 676                            "message %d (expected ServerKeyExchange/"
 677                            "CertificateRequest/ServerHelloDone)", type);
 678                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 679                           TLS_ALERT_UNEXPECTED_MESSAGE);
 680                 return -1;
 681         }
 682
 683         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
 684
 685         if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
 686                 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
 687                            "with the selected cipher suite");
 688                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 689                           TLS_ALERT_UNEXPECTED_MESSAGE);
 690                 return -1;
 691         }
 692
 693         wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
 694         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 695         if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
 696                       suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
 697                 if (tlsv1_process_diffie_hellman(conn, pos, len,
 698                                                  suite->key_exchange) < 0) {
 699                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 700                                   TLS_ALERT_DECODE_ERROR);
 701                         return -1;
 702                 }
 703         } else {
 704                 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
 705                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 706                           TLS_ALERT_UNEXPECTED_MESSAGE);
 707                 return -1;
 708         }
 709
 710         *in_len = end - in_data;
 711
 712         conn->state = SERVER_CERTIFICATE_REQUEST;
 713
 714         return 0;
 715 }
 716
 717
 718 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
 719                                            const u8 *in_data, size_t *in_len)
 720 {
 721         const u8 *pos, *end;
 722         size_t left, len;
 723         u8 type;
 724
 725         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 726                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 727                            "received content type 0x%x", ct);
 728                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 729                           TLS_ALERT_UNEXPECTED_MESSAGE);
 730                 return -1;
 731         }
 732
 733         pos = in_data;
 734         left = *in_len;
 735
 736         if (left < 4) {
 737                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
 738                            "(left=%lu)", (unsigned long) left);
 739                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 740                 return -1;
 741         }
 742
 743         type = *pos++;
 744         len = WPA_GET_BE24(pos);
 745         pos += 3;
 746         left -= 4;
 747
 748         if (len > left) {
 749                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
 750                            "length (len=%lu != left=%lu)",
 751                            (unsigned long) len, (unsigned long) left);
 752                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 753                 return -1;
 754         }
 755
 756         end = pos + len;
 757
 758         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 759                 return tls_process_server_hello_done(conn, ct, in_data,
 760                                                      in_len);
 761         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
 762                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 763                            "message %d (expected CertificateRequest/"
 764                            "ServerHelloDone)", type);
 765                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 766                           TLS_ALERT_UNEXPECTED_MESSAGE);
 767                 return -1;
 768         }
 769
 770         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
 771
 772         conn->certificate_requested = 1;
 773
 774         *in_len = end - in_data;
 775
 776         conn->state = SERVER_HELLO_DONE;
 777
 778         return 0;
 779 }
 780
 781
 782 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
 783                                          const u8 *in_data, size_t *in_len)
 784 {
 785         const u8 *pos, *end;
 786         size_t left, len;
 787         u8 type;
 788
 789         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 790                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 791                            "received content type 0x%x", ct);
 792                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 793                           TLS_ALERT_UNEXPECTED_MESSAGE);
 794                 return -1;
 795         }
 796
 797         pos = in_data;
 798         left = *in_len;
 799
 800         if (left < 4) {
 801                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
 802                            "(left=%lu)", (unsigned long) left);
 803                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 804                 return -1;
 805         }
 806
 807         type = *pos++;
 808         len = WPA_GET_BE24(pos);
 809         pos += 3;
 810         left -= 4;
 811
 812         if (len > left) {
 813                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
 814                            "length (len=%lu != left=%lu)",
 815                            (unsigned long) len, (unsigned long) left);
 816                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 817                 return -1;
 818         }
 819         end = pos + len;
 820
 821         if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
 822                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 823                            "message %d (expected ServerHelloDone)", type);
 824                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 825                           TLS_ALERT_UNEXPECTED_MESSAGE);
 826                 return -1;
 827         }
 828
 829         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
 830
 831         *in_len = end - in_data;
 832
 833         conn->state = CLIENT_KEY_EXCHANGE;
 834
 835         return 0;
 836 }
 837
 838
 839 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
 840                                                  u8 ct, const u8 *in_data,
 841                                                  size_t *in_len)
 842 {
 843         const u8 *pos;
 844         size_t left;
 845
 846         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 847                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 848                            "received content type 0x%x", ct);
 849                 if (conn->use_session_ticket) {
 850                         int res;
 851                         wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
 852                                    "rejected SessionTicket");
 853                         conn->use_session_ticket = 0;
 854
 855                         /* Notify upper layers that SessionTicket failed */
 856                         res = conn->session_ticket_cb(
 857                                 conn->session_ticket_cb_ctx, NULL, 0, NULL,
 858                                 NULL, NULL);
 859                         if (res < 0) {
 860                                 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
 861                                            "callback indicated failure");
 862                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 863                                           TLS_ALERT_HANDSHAKE_FAILURE);
 864                                 return -1;
 865                         }
 866
 867                         conn->state = SERVER_CERTIFICATE;
 868                         return tls_process_certificate(conn, ct, in_data,
 869                                                        in_len);
 870                 }
 871                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 872                           TLS_ALERT_UNEXPECTED_MESSAGE);
 873                 return -1;
 874         }
 875
 876         pos = in_data;
 877         left = *in_len;
 878
 879         if (left < 1) {
 880                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 881                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 882                 return -1;
 883         }
 884
 885         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 886                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 887                            "received data 0x%x", *pos);
 888                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 889                           TLS_ALERT_UNEXPECTED_MESSAGE);
 890                 return -1;
 891         }
 892
 893         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 894         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 895                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 896                            "for record layer");
 897                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 898                           TLS_ALERT_INTERNAL_ERROR);
 899                 return -1;
 900         }
 901
 902         *in_len = pos + 1 - in_data;
 903
 904         conn->state = SERVER_FINISHED;
 905
 906         return 0;
 907 }
 908
 909
 910 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
 911                                        const u8 *in_data, size_t *in_len)
 912 {
 913         const u8 *pos, *end;
 914         size_t left, len, hlen;
 915         u8 verify_data[TLS_VERIFY_DATA_LEN];
 916         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 917
 918         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 919                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 920                            "received content type 0x%x", ct);
 921                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 922                           TLS_ALERT_UNEXPECTED_MESSAGE);
 923                 return -1;
 924         }
 925
 926         pos = in_data;
 927         left = *in_len;
 928
 929         if (left < 4) {
 930                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 931                            "Finished",
 932                            (unsigned long) left);
 933                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 934                           TLS_ALERT_DECODE_ERROR);
 935                 return -1;
 936         }
 937
 938         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 939                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 940                            "type 0x%x", pos[0]);
 941                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 942                           TLS_ALERT_UNEXPECTED_MESSAGE);
 943                 return -1;
 944         }
 945
 946         len = WPA_GET_BE24(pos + 1);
 947
 948         pos += 4;
 949         left -= 4;
 950
 951         if (len > left) {
 952                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
 953                            "(len=%lu > left=%lu)",
 954                            (unsigned long) len, (unsigned long) left);
 955                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 956                           TLS_ALERT_DECODE_ERROR);
 957                 return -1;
 958         }
 959         end = pos + len;
 960         if (len != TLS_VERIFY_DATA_LEN) {
 961                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
 962                            "in Finished: %lu (expected %d)",
 963                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
 964                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 965                           TLS_ALERT_DECODE_ERROR);
 966                 return -1;
 967         }
 968         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
 969                     pos, TLS_VERIFY_DATA_LEN);
 970
 971 #ifdef CONFIG_TLSV12
 972         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
 973                 hlen = SHA256_MAC_LEN;
 974                 if (conn->verify.sha256_server == NULL ||
 975                     crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
 976                     < 0) {
 977                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 978                                   TLS_ALERT_INTERNAL_ERROR);
 979                         conn->verify.sha256_server = NULL;
 980                         return -1;
 981                 }
 982                 conn->verify.sha256_server = NULL;
 983         } else {
 984 #endif /* CONFIG_TLSV12 */
 985
 986         hlen = MD5_MAC_LEN;
 987         if (conn->verify.md5_server == NULL ||
 988             crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
 989                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 990                           TLS_ALERT_INTERNAL_ERROR);
 991                 conn->verify.md5_server = NULL;
 992                 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
 993                 conn->verify.sha1_server = NULL;
 994                 return -1;
 995         }
 996         conn->verify.md5_server = NULL;
 997         hlen = SHA1_MAC_LEN;
 998         if (conn->verify.sha1_server == NULL ||
 999             crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1000                                &hlen) < 0) {
1001                 conn->verify.sha1_server = NULL;
1002                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1003                           TLS_ALERT_INTERNAL_ERROR);
1004                 return -1;
1005         }
1006         conn->verify.sha1_server = NULL;
1007         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1008
1009 #ifdef CONFIG_TLSV12
1010         }
1011 #endif /* CONFIG_TLSV12 */
1012
1013         if (tls_prf(conn->rl.tls_version,
1014                     conn->master_secret, TLS_MASTER_SECRET_LEN,
1015                     "server finished", hash, hlen,
1016                     verify_data, TLS_VERIFY_DATA_LEN)) {
1017                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1018                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1019                           TLS_ALERT_DECRYPT_ERROR);
1020                 return -1;
1021         }
1022         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1023                         verify_data, TLS_VERIFY_DATA_LEN);
1024
1025         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1026                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1027                 return -1;
1028         }
1029
1030         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1031
1032         *in_len = end - in_data;
1033
1034         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1035                 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1036
1037         return 0;
1038 }
1039
1040
1041 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1042                                         const u8 *in_data, size_t *in_len,
1043                                         u8 **out_data, size_t *out_len)
1044 {
1045         const u8 *pos;
1046         size_t left;
1047
1048         if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1049                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1050                            "received content type 0x%x", ct);
1051                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1052                           TLS_ALERT_UNEXPECTED_MESSAGE);
1053                 return -1;
1054         }
1055
1056         pos = in_data;
1057         left = *in_len;
1058
1059         wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1060                     pos, left);
1061
1062         *out_data = os_malloc(left);
1063         if (*out_data) {
1064                 os_memcpy(*out_data, pos, left);
1065                 *out_len = left;
1066         }
1067
1068         return 0;
1069 }
1070
1071
1072 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1073                                    const u8 *buf, size_t *len,
1074                                    u8 **out_data, size_t *out_len)
1075 {
1076         if (ct == TLS_CONTENT_TYPE_ALERT) {
1077                 if (*len < 2) {
1078                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1079                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1080                                   TLS_ALERT_DECODE_ERROR);
1081                         return -1;
1082                 }
1083                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1084                            buf[0], buf[1]);
1085                 *len = 2;
1086                 conn->state = FAILED;
1087                 return -1;
1088         }
1089
1090         if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1091             buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1092                 size_t hr_len = WPA_GET_BE24(buf + 1);
1093                 if (hr_len > *len - 4) {
1094                         wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1095                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1096                                   TLS_ALERT_DECODE_ERROR);
1097                         return -1;
1098                 }
1099                 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1100                 *len = 4 + hr_len;
1101                 return 0;
1102         }
1103
1104         switch (conn->state) {
1105         case SERVER_HELLO:
1106                 if (tls_process_server_hello(conn, ct, buf, len))
1107                         return -1;
1108                 break;
1109         case SERVER_CERTIFICATE:
1110                 if (tls_process_certificate(conn, ct, buf, len))
1111                         return -1;
1112                 break;
1113         case SERVER_KEY_EXCHANGE:
1114                 if (tls_process_server_key_exchange(conn, ct, buf, len))
1115                         return -1;
1116                 break;
1117         case SERVER_CERTIFICATE_REQUEST:
1118                 if (tls_process_certificate_request(conn, ct, buf, len))
1119                         return -1;
1120                 break;
1121         case SERVER_HELLO_DONE:
1122                 if (tls_process_server_hello_done(conn, ct, buf, len))
1123                         return -1;
1124                 break;
1125         case SERVER_CHANGE_CIPHER_SPEC:
1126                 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1127                         return -1;
1128                 break;
1129         case SERVER_FINISHED:
1130                 if (tls_process_server_finished(conn, ct, buf, len))
1131                         return -1;
1132                 break;
1133         case ACK_FINISHED:
1134                 if (out_data &&
1135                     tls_process_application_data(conn, ct, buf, len, out_data,
1136                                                  out_len))
1137                         return -1;
1138                 break;
1139         default:
1140                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1141                            "while processing received message",
1142                            conn->state);
1143                 return -1;
1144         }
1145
1146         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1147                 tls_verify_hash_add(&conn->verify, buf, *len);
1148
1149         return 0;
1150 }