2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
44 const u8 *end = pos + len;
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
56 ext = WPA_GET_BE16(pos);
58 elen = WPA_GET_BE16(pos);
61 if (elen > end - pos) {
62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 const u8 *in_data, size_t *in_len)
86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct);
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_UNEXPECTED_MESSAGE);
100 /* HandshakeType msg_type */
101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos);
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 TLS_ALERT_UNEXPECTED_MESSAGE);
108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
111 len = WPA_GET_BE24(pos);
118 /* body - ServerHello */
120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
123 /* ProtocolVersion server_version */
126 tls_version = WPA_GET_BE16(pos);
127 if (!tls_version_ok(tls_version) ||
128 tls_version_disabled(conn, tls_version)) {
129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos[0], pos[1]);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_PROTOCOL_VERSION);
137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version));
139 conn->rl.tls_version = tls_version;
142 if (end - pos < TLS_RANDOM_LEN)
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 pos += TLS_RANDOM_LEN;
147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 conn->server_random, TLS_RANDOM_LEN);
150 /* SessionID session_id */
153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
155 if (conn->session_id_len && conn->session_id_len == *pos &&
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 pos += 1 + conn->session_id_len;
158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 conn->session_resumed = 1;
161 conn->session_id_len = *pos;
163 os_memcpy(conn->session_id, pos, conn->session_id_len);
164 pos += conn->session_id_len;
166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 conn->session_id, conn->session_id_len);
169 /* CipherSuite cipher_suite */
172 cipher_suite = WPA_GET_BE16(pos);
174 for (i = 0; i < conn->num_cipher_suites; i++) {
175 if (cipher_suite == conn->cipher_suites[i])
178 if (i == conn->num_cipher_suites) {
179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite);
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 TLS_ALERT_ILLEGAL_PARAMETER);
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 TLS_ALERT_ILLEGAL_PARAMETER);
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 TLS_ALERT_INTERNAL_ERROR);
203 conn->prev_cipher_suite = cipher_suite;
205 /* CompressionMethod compression_method */
208 if (*pos != TLS_COMPRESSION_NULL) {
209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos);
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 TLS_ALERT_ILLEGAL_PARAMETER);
217 if (end - pos >= 2) {
220 ext_len = WPA_GET_BE16(pos);
222 if (end - pos < ext_len) {
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len, (unsigned int) (end - pos));
229 if (tls_process_server_hello_extensions(conn, pos, ext_len))
235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos, end - pos);
240 if (conn->session_ticket_included && conn->session_ticket_cb) {
241 /* TODO: include SessionTicket extension if one was included in
243 int res = conn->session_ticket_cb(
244 conn->session_ticket_cb_ctx, NULL, 0,
245 conn->client_random, conn->server_random,
246 conn->master_secret);
248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_HANDSHAKE_FAILURE);
254 conn->use_session_ticket = !!res;
257 if ((conn->session_resumed || conn->use_session_ticket) &&
258 tls_derive_keys(conn, NULL, 0)) {
259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 TLS_ALERT_INTERNAL_ERROR);
265 *in_len = end - in_data;
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 struct x509_certificate *cert)
282 union tls_event_data ev;
283 struct wpabuf *cert_buf = NULL;
286 #endif /* CONFIG_SHA256 */
292 os_memset(&ev, 0, sizeof(ev));
293 if (conn->cred->cert_probe || conn->cert_in_cb) {
294 cert_buf = wpabuf_alloc_copy(cert->cert_start,
296 ev.peer_cert.cert = cert_buf;
302 addr[0] = wpabuf_head(cert_buf);
303 len[0] = wpabuf_len(cert_buf);
304 if (sha256_vector(1, addr, len, hash) == 0) {
305 ev.peer_cert.hash = hash;
306 ev.peer_cert.hash_len = sizeof(hash);
309 #endif /* CONFIG_SHA256 */
311 ev.peer_cert.depth = depth;
312 x509_name_string(&cert->subject, subject, sizeof(subject));
313 ev.peer_cert.subject = subject;
315 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
316 wpabuf_free(cert_buf);
320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
321 struct x509_certificate *cert,
322 enum tls_fail_reason reason,
323 const char *reason_txt)
325 struct wpabuf *cert_buf = NULL;
326 union tls_event_data ev;
329 if (!conn->event_cb || !cert)
332 os_memset(&ev, 0, sizeof(ev));
333 ev.cert_fail.depth = depth;
334 x509_name_string(&cert->subject, subject, sizeof(subject));
335 ev.peer_cert.subject = subject;
336 ev.cert_fail.reason = reason;
337 ev.cert_fail.reason_txt = reason_txt;
338 cert_buf = wpabuf_alloc_copy(cert->cert_start,
340 ev.cert_fail.cert = cert_buf;
341 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
342 wpabuf_free(cert_buf);
346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
347 const u8 *in_data, size_t *in_len)
350 size_t left, len, list_len, cert_len, idx;
352 struct x509_certificate *chain = NULL, *last = NULL, *cert;
355 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
356 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
357 "received content type 0x%x", ct);
358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 TLS_ALERT_UNEXPECTED_MESSAGE);
367 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
368 "(len=%lu)", (unsigned long) left);
369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
374 len = WPA_GET_BE24(pos);
379 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
380 "length (len=%lu != left=%lu)",
381 (unsigned long) len, (unsigned long) left);
382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
386 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
387 return tls_process_server_key_exchange(conn, ct, in_data,
389 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
390 return tls_process_certificate_request(conn, ct, in_data,
392 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
393 return tls_process_server_hello_done(conn, ct, in_data,
395 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
396 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
397 "message %d (expected Certificate/"
398 "ServerKeyExchange/CertificateRequest/"
399 "ServerHelloDone)", type);
400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
401 TLS_ALERT_UNEXPECTED_MESSAGE);
405 wpa_printf(MSG_DEBUG,
406 "TLSv1: Received Certificate (certificate_list len %lu)",
407 (unsigned long) len);
410 * opaque ASN.1Cert<2^24-1>;
413 * ASN.1Cert certificate_list<1..2^24-1>;
420 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
421 "(left=%lu)", (unsigned long) left);
422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
426 list_len = WPA_GET_BE24(pos);
429 if ((size_t) (end - pos) != list_len) {
430 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
431 "length (len=%lu left=%lu)",
432 (unsigned long) list_len,
433 (unsigned long) (end - pos));
434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
441 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
444 TLS_ALERT_DECODE_ERROR);
445 x509_certificate_chain_free(chain);
449 cert_len = WPA_GET_BE24(pos);
452 if ((size_t) (end - pos) < cert_len) {
453 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
454 "length (len=%lu left=%lu)",
455 (unsigned long) cert_len,
456 (unsigned long) (end - pos));
457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 TLS_ALERT_DECODE_ERROR);
459 x509_certificate_chain_free(chain);
463 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
464 (unsigned long) idx, (unsigned long) cert_len);
467 crypto_public_key_free(conn->server_rsa_key);
468 if (tls_parse_cert(pos, cert_len,
469 &conn->server_rsa_key)) {
470 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
472 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 TLS_ALERT_BAD_CERTIFICATE);
474 x509_certificate_chain_free(chain);
479 cert = x509_certificate_parse(pos, cert_len);
481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 TLS_ALERT_BAD_CERTIFICATE);
485 x509_certificate_chain_free(chain);
489 tls_peer_cert_event(conn, idx, cert);
501 if (conn->cred && conn->cred->server_cert_only && chain) {
502 u8 hash[SHA256_MAC_LEN];
505 wpa_printf(MSG_DEBUG,
506 "TLSv1: Validate server certificate hash");
507 x509_name_string(&chain->subject, buf, sizeof(buf));
508 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
509 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
511 os_memcmp(conn->cred->srv_cert_hash, hash,
512 SHA256_MAC_LEN) != 0) {
513 wpa_printf(MSG_DEBUG,
514 "TLSv1: Server certificate hash mismatch");
515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
516 hash, SHA256_MAC_LEN);
517 if (conn->event_cb) {
518 union tls_event_data ev;
520 os_memset(&ev, 0, sizeof(ev));
521 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
522 ev.cert_fail.reason_txt =
523 "Server certificate mismatch";
524 ev.cert_fail.subject = buf;
525 conn->event_cb(conn->cb_ctx,
526 TLS_CERT_CHAIN_FAILURE, &ev);
528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 TLS_ALERT_BAD_CERTIFICATE);
530 x509_certificate_chain_free(chain);
533 } else if (conn->cred && conn->cred->cert_probe) {
534 wpa_printf(MSG_DEBUG,
535 "TLSv1: Reject server certificate on probe-only rune");
536 if (conn->event_cb) {
537 union tls_event_data ev;
540 os_memset(&ev, 0, sizeof(ev));
541 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
542 ev.cert_fail.reason_txt =
543 "Server certificate chain probe";
545 x509_name_string(&chain->subject, buf,
547 ev.cert_fail.subject = buf;
549 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 TLS_ALERT_BAD_CERTIFICATE);
554 x509_certificate_chain_free(chain);
556 } else if (conn->cred && conn->cred->ca_cert_verify &&
557 x509_certificate_chain_validate(
558 conn->cred->trusted_certs, chain, &reason,
559 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
562 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
563 "validation failed (reason=%d)", reason);
565 case X509_VALIDATE_BAD_CERTIFICATE:
566 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
567 tls_cert_chain_failure_event(
568 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
572 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
574 case X509_VALIDATE_CERTIFICATE_REVOKED:
575 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
576 tls_cert_chain_failure_event(
577 conn, 0, chain, TLS_FAIL_REVOKED,
578 "certificate revoked");
580 case X509_VALIDATE_CERTIFICATE_EXPIRED:
581 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
582 tls_cert_chain_failure_event(
583 conn, 0, chain, TLS_FAIL_EXPIRED,
584 "certificate has expired or is not yet valid");
586 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
587 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
589 case X509_VALIDATE_UNKNOWN_CA:
590 tls_reason = TLS_ALERT_UNKNOWN_CA;
591 tls_cert_chain_failure_event(
592 conn, 0, chain, TLS_FAIL_UNTRUSTED,
596 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
600 x509_certificate_chain_free(chain);
604 if (conn->cred && !conn->cred->server_cert_only && chain &&
605 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
606 !(chain->ext_key_usage &
607 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
608 tls_cert_chain_failure_event(
609 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
610 "certificate not allowed for server authentication");
611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 TLS_ALERT_BAD_CERTIFICATE);
613 x509_certificate_chain_free(chain);
617 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
618 x509_certificate_chain_free(conn->server_cert);
619 conn->server_cert = chain;
621 x509_certificate_chain_free(chain);
624 *in_len = end - in_data;
626 conn->state = SERVER_KEY_EXCHANGE;
632 static unsigned int count_bits(const u8 *val, size_t len)
638 for (i = 0; i < len; i++) {
645 bits = (len - i - 1) * 8;
656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
657 const u8 *buf, size_t len,
658 tls_key_exchange key_exchange)
660 const u8 *pos, *end, *server_params, *server_params_end;
665 tlsv1_client_free_dh(conn);
673 val = WPA_GET_BE16(pos);
675 if (val == 0 || val > (size_t) (end - pos)) {
676 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
679 conn->dh_p_len = val;
680 bits = count_bits(pos, conn->dh_p_len);
682 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
684 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
685 pos, conn->dh_p_len);
688 conn->dh_p = os_malloc(conn->dh_p_len);
689 if (conn->dh_p == NULL)
691 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
692 pos += conn->dh_p_len;
693 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
694 conn->dh_p, conn->dh_p_len);
698 val = WPA_GET_BE16(pos);
700 if (val == 0 || val > (size_t) (end - pos))
702 conn->dh_g_len = val;
703 conn->dh_g = os_malloc(conn->dh_g_len);
704 if (conn->dh_g == NULL)
706 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
707 pos += conn->dh_g_len;
708 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
709 conn->dh_g, conn->dh_g_len);
710 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
715 val = WPA_GET_BE16(pos);
717 if (val == 0 || val > (size_t) (end - pos))
719 conn->dh_ys_len = val;
720 conn->dh_ys = os_malloc(conn->dh_ys_len);
721 if (conn->dh_ys == NULL)
723 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
724 pos += conn->dh_ys_len;
725 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
726 conn->dh_ys, conn->dh_ys_len);
727 server_params_end = pos;
729 if (key_exchange == TLS_KEY_X_DHE_RSA) {
733 if (conn->rl.tls_version == TLS_VERSION_1_2) {
737 * TLS v1.2 adds explicit indication of the used
738 * signature and hash algorithms.
741 * HashAlgorithm hash;
742 * SignatureAlgorithm signature;
743 * } SignatureAndHashAlgorithm;
747 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
748 pos[0] != TLS_HASH_ALG_SHA384 &&
749 pos[0] != TLS_HASH_ALG_SHA512) ||
750 pos[1] != TLS_SIGN_ALG_RSA) {
751 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
756 hlen = tlsv12_key_x_server_params_hash(
757 conn->rl.tls_version, pos[0],
759 conn->server_random, server_params,
760 server_params_end - server_params, hash);
762 #else /* CONFIG_TLSV12 */
764 #endif /* CONFIG_TLSV12 */
766 hlen = tls_key_x_server_params_hash(
767 conn->rl.tls_version, conn->client_random,
768 conn->server_random, server_params,
769 server_params_end - server_params, hash);
774 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
777 if (tls_verify_signature(conn->rl.tls_version,
778 conn->server_rsa_key,
779 hash, hlen, pos, end - pos,
787 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
788 tlsv1_client_free_dh(conn);
793 static enum tls_ocsp_result
794 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
795 const u8 *pos, size_t len)
797 const u8 *end = pos + len;
800 /* opaque OCSPResponse<1..2^24-1>; */
802 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
803 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
804 return TLS_OCSP_INVALID;
806 ocsp_resp_len = WPA_GET_BE24(pos);
808 if (end - pos < ocsp_resp_len) {
809 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
810 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
811 return TLS_OCSP_INVALID;
814 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
818 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
819 const u8 *in_data, size_t *in_len)
823 u8 type, status_type;
824 enum tls_ocsp_result res;
825 struct x509_certificate *cert;
828 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
829 wpa_printf(MSG_DEBUG,
830 "TLSv1: Expected Handshake; received content type 0x%x",
832 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
833 TLS_ALERT_UNEXPECTED_MESSAGE);
841 wpa_printf(MSG_DEBUG,
842 "TLSv1: Too short CertificateStatus (left=%lu)",
843 (unsigned long) left);
844 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
849 len = WPA_GET_BE24(pos);
854 wpa_printf(MSG_DEBUG,
855 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
856 (unsigned long) len, (unsigned long) left);
857 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
863 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
864 wpa_printf(MSG_DEBUG,
865 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 TLS_ALERT_UNEXPECTED_MESSAGE);
872 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
876 * CertificateStatusType status_type;
877 * select (status_type) {
878 * case ocsp: OCSPResponse;
879 * case ocsp_multi: OCSPResponseList;
881 * } CertificateStatus;
884 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
885 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
888 status_type = *pos++;
889 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
892 if (status_type == 1 /* ocsp */) {
893 res = tls_process_certificate_status_ocsp_response(
894 conn, pos, end - pos);
895 } else if (status_type == 2 /* ocsp_multi */) {
896 int good = 0, revoked = 0;
899 res = TLS_OCSP_NO_RESPONSE;
902 * opaque OCSPResponse<0..2^24-1>;
905 * OCSPResponse ocsp_response_list<1..2^24-1>;
906 * } OCSPResponseList;
909 wpa_printf(MSG_DEBUG,
910 "TLSv1: Truncated OCSPResponseList");
911 res = TLS_OCSP_INVALID;
914 resp_len = WPA_GET_BE24(pos);
916 if (end - pos < resp_len) {
917 wpa_printf(MSG_DEBUG,
918 "TLSv1: Truncated OCSPResponseList(len=%u)",
920 res = TLS_OCSP_INVALID;
923 end = pos + resp_len;
925 while (end - pos >= 3) {
926 resp_len = WPA_GET_BE24(pos);
928 if (resp_len > end - pos) {
929 wpa_printf(MSG_DEBUG,
930 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
931 resp_len, (int) (end - pos));
932 res = TLS_OCSP_INVALID;
936 continue; /* Skip an empty response */
937 res = tls_process_certificate_status_ocsp_response(
938 conn, pos - 3, resp_len + 3);
939 if (res == TLS_OCSP_REVOKED)
941 else if (res == TLS_OCSP_GOOD)
947 res = TLS_OCSP_REVOKED;
951 wpa_printf(MSG_DEBUG,
952 "TLSv1: Ignore unsupported CertificateStatus");
957 if (res == TLS_OCSP_REVOKED) {
958 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
959 TLS_ALERT_CERTIFICATE_REVOKED);
960 for (cert = conn->server_cert, depth = 0; cert;
961 cert = cert->next, depth++) {
962 if (cert->ocsp_revoked) {
963 tls_cert_chain_failure_event(
964 conn, depth, cert, TLS_FAIL_REVOKED,
965 "certificate revoked");
971 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
973 * Verify that each certificate on the chain that is not part
974 * of the trusted certificates has a good status. If not,
975 * terminate handshake.
977 for (cert = conn->server_cert, depth = 0; cert;
978 cert = cert->next, depth++) {
979 if (!cert->ocsp_good) {
980 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
981 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
982 tls_cert_chain_failure_event(
984 TLS_FAIL_UNSPECIFIED,
985 "bad certificate status response");
988 if (cert->issuer_trusted)
993 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
994 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
995 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
996 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
997 if (conn->server_cert)
998 tls_cert_chain_failure_event(
999 conn, 0, conn->server_cert,
1000 TLS_FAIL_UNSPECIFIED,
1001 "bad certificate status response");
1005 conn->ocsp_resp_received = 1;
1008 *in_len = end - in_data;
1010 conn->state = SERVER_KEY_EXCHANGE;
1016 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1017 const u8 *in_data, size_t *in_len)
1019 const u8 *pos, *end;
1022 const struct tls_cipher_suite *suite;
1024 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1025 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1026 "received content type 0x%x", ct);
1027 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028 TLS_ALERT_UNEXPECTED_MESSAGE);
1036 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1037 "(Left=%lu)", (unsigned long) left);
1038 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1043 len = WPA_GET_BE24(pos);
1048 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1049 "length (len=%lu != left=%lu)",
1050 (unsigned long) len, (unsigned long) left);
1051 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1057 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1058 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1059 return tls_process_certificate_status(conn, ct, in_data,
1061 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1062 return tls_process_certificate_request(conn, ct, in_data,
1064 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1065 return tls_process_server_hello_done(conn, ct, in_data,
1067 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1068 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1069 "message %d (expected ServerKeyExchange/"
1070 "CertificateRequest/ServerHelloDone%s)", type,
1071 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1072 "/CertificateStatus" : "");
1073 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 TLS_ALERT_UNEXPECTED_MESSAGE);
1078 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1080 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1081 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1082 "with the selected cipher suite");
1083 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1084 TLS_ALERT_UNEXPECTED_MESSAGE);
1088 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1089 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1090 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1091 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1092 if (tlsv1_process_diffie_hellman(conn, pos, len,
1093 suite->key_exchange) < 0) {
1094 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1095 TLS_ALERT_DECODE_ERROR);
1099 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1100 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1101 TLS_ALERT_UNEXPECTED_MESSAGE);
1105 *in_len = end - in_data;
1107 conn->state = SERVER_CERTIFICATE_REQUEST;
1113 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1114 const u8 *in_data, size_t *in_len)
1116 const u8 *pos, *end;
1120 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1121 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1122 "received content type 0x%x", ct);
1123 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1124 TLS_ALERT_UNEXPECTED_MESSAGE);
1132 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1133 "(left=%lu)", (unsigned long) left);
1134 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1139 len = WPA_GET_BE24(pos);
1144 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1145 "length (len=%lu != left=%lu)",
1146 (unsigned long) len, (unsigned long) left);
1147 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1153 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1154 return tls_process_server_hello_done(conn, ct, in_data,
1156 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1157 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1158 "message %d (expected CertificateRequest/"
1159 "ServerHelloDone)", type);
1160 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1161 TLS_ALERT_UNEXPECTED_MESSAGE);
1165 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1167 conn->certificate_requested = 1;
1169 *in_len = end - in_data;
1171 conn->state = SERVER_HELLO_DONE;
1177 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1178 const u8 *in_data, size_t *in_len)
1180 const u8 *pos, *end;
1184 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1185 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1186 "received content type 0x%x", ct);
1187 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1188 TLS_ALERT_UNEXPECTED_MESSAGE);
1196 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1197 "(left=%lu)", (unsigned long) left);
1198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1203 len = WPA_GET_BE24(pos);
1208 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1209 "length (len=%lu != left=%lu)",
1210 (unsigned long) len, (unsigned long) left);
1211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1216 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1217 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1218 "message %d (expected ServerHelloDone)", type);
1219 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1220 TLS_ALERT_UNEXPECTED_MESSAGE);
1224 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1226 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1227 !conn->ocsp_resp_received) {
1228 wpa_printf(MSG_INFO,
1229 "TLSv1: No OCSP response received - reject handshake");
1230 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1231 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1235 *in_len = end - in_data;
1237 conn->state = CLIENT_KEY_EXCHANGE;
1243 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1244 u8 ct, const u8 *in_data,
1250 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1251 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1252 "received content type 0x%x", ct);
1253 if (conn->use_session_ticket) {
1255 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1256 "rejected SessionTicket");
1257 conn->use_session_ticket = 0;
1259 /* Notify upper layers that SessionTicket failed */
1260 res = conn->session_ticket_cb(
1261 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1264 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1265 "callback indicated failure");
1266 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1267 TLS_ALERT_HANDSHAKE_FAILURE);
1271 conn->state = SERVER_CERTIFICATE;
1272 return tls_process_certificate(conn, ct, in_data,
1275 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276 TLS_ALERT_UNEXPECTED_MESSAGE);
1284 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1289 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1290 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1291 "received data 0x%x", *pos);
1292 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1293 TLS_ALERT_UNEXPECTED_MESSAGE);
1297 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1298 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1299 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1300 "for record layer");
1301 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1302 TLS_ALERT_INTERNAL_ERROR);
1306 *in_len = pos + 1 - in_data;
1308 conn->state = SERVER_FINISHED;
1314 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1315 const u8 *in_data, size_t *in_len)
1317 const u8 *pos, *end;
1318 size_t left, len, hlen;
1319 u8 verify_data[TLS_VERIFY_DATA_LEN];
1320 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1322 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1323 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1324 "received content type 0x%x", ct);
1325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1326 TLS_ALERT_UNEXPECTED_MESSAGE);
1334 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1336 (unsigned long) left);
1337 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1338 TLS_ALERT_DECODE_ERROR);
1342 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1343 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1344 "type 0x%x", pos[0]);
1345 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1346 TLS_ALERT_UNEXPECTED_MESSAGE);
1350 len = WPA_GET_BE24(pos + 1);
1356 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1357 "(len=%lu > left=%lu)",
1358 (unsigned long) len, (unsigned long) left);
1359 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1360 TLS_ALERT_DECODE_ERROR);
1364 if (len != TLS_VERIFY_DATA_LEN) {
1365 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1366 "in Finished: %lu (expected %d)",
1367 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1368 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1369 TLS_ALERT_DECODE_ERROR);
1372 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1373 pos, TLS_VERIFY_DATA_LEN);
1375 #ifdef CONFIG_TLSV12
1376 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1377 hlen = SHA256_MAC_LEN;
1378 if (conn->verify.sha256_server == NULL ||
1379 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1381 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1382 TLS_ALERT_INTERNAL_ERROR);
1383 conn->verify.sha256_server = NULL;
1386 conn->verify.sha256_server = NULL;
1388 #endif /* CONFIG_TLSV12 */
1391 if (conn->verify.md5_server == NULL ||
1392 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1393 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1394 TLS_ALERT_INTERNAL_ERROR);
1395 conn->verify.md5_server = NULL;
1396 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1397 conn->verify.sha1_server = NULL;
1400 conn->verify.md5_server = NULL;
1401 hlen = SHA1_MAC_LEN;
1402 if (conn->verify.sha1_server == NULL ||
1403 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1405 conn->verify.sha1_server = NULL;
1406 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1407 TLS_ALERT_INTERNAL_ERROR);
1410 conn->verify.sha1_server = NULL;
1411 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1413 #ifdef CONFIG_TLSV12
1415 #endif /* CONFIG_TLSV12 */
1417 if (tls_prf(conn->rl.tls_version,
1418 conn->master_secret, TLS_MASTER_SECRET_LEN,
1419 "server finished", hash, hlen,
1420 verify_data, TLS_VERIFY_DATA_LEN)) {
1421 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1423 TLS_ALERT_DECRYPT_ERROR);
1426 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1427 verify_data, TLS_VERIFY_DATA_LEN);
1429 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1430 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1431 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1432 TLS_ALERT_DECRYPT_ERROR);
1436 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1438 *in_len = end - in_data;
1440 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1441 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1447 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1448 const u8 *in_data, size_t *in_len,
1449 u8 **out_data, size_t *out_len)
1454 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1455 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1456 "received content type 0x%x", ct);
1457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1458 TLS_ALERT_UNEXPECTED_MESSAGE);
1465 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1468 *out_data = os_malloc(left);
1470 os_memcpy(*out_data, pos, left);
1478 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1479 const u8 *buf, size_t *len,
1480 u8 **out_data, size_t *out_len)
1482 if (ct == TLS_CONTENT_TYPE_ALERT) {
1484 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1485 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1486 TLS_ALERT_DECODE_ERROR);
1489 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1492 conn->state = FAILED;
1496 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1497 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1498 size_t hr_len = WPA_GET_BE24(buf + 1);
1499 if (hr_len > *len - 4) {
1500 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1501 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1502 TLS_ALERT_DECODE_ERROR);
1505 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1510 switch (conn->state) {
1512 if (tls_process_server_hello(conn, ct, buf, len))
1515 case SERVER_CERTIFICATE:
1516 if (tls_process_certificate(conn, ct, buf, len))
1519 case SERVER_KEY_EXCHANGE:
1520 if (tls_process_server_key_exchange(conn, ct, buf, len))
1523 case SERVER_CERTIFICATE_REQUEST:
1524 if (tls_process_certificate_request(conn, ct, buf, len))
1527 case SERVER_HELLO_DONE:
1528 if (tls_process_server_hello_done(conn, ct, buf, len))
1531 case SERVER_CHANGE_CIPHER_SPEC:
1532 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1535 case SERVER_FINISHED:
1536 if (tls_process_server_finished(conn, ct, buf, len))
1541 tls_process_application_data(conn, ct, buf, len, out_data,
1546 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1547 "while processing received message",
1552 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1553 tls_verify_hash_add(&conn->verify, buf, *len);