libeap/src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_server.h"
  20 #include "tlsv1_server_i.h"
  21
  22
  23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  24                                            const u8 *in_data, size_t *in_len);
  25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  26                                           u8 ct, const u8 *in_data,
  27                                           size_t *in_len);
  28
  29
  30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
  31 {
  32 #ifdef CONFIG_TESTING_OPTIONS
  33         if ((conn->test_flags &
  34              (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
  35               TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
  36               TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
  37             suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
  38             suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
  39             suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
  40             suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
  41             suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
  42                 return 1;
  43 #endif /* CONFIG_TESTING_OPTIONS */
  44
  45         return 0;
  46 }
  47
  48
  49 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
  50                                     const u8 *in_data, size_t *in_len)
  51 {
  52         const u8 *pos, *end, *c;
  53         size_t left, len, i, j;
  54         u16 cipher_suite;
  55         u16 num_suites;
  56         int compr_null_found;
  57         u16 ext_type, ext_len;
  58
  59         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  60                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
  61                                  ct);
  62                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  63                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  64                 return -1;
  65         }
  66
  67         pos = in_data;
  68         left = *in_len;
  69
  70         if (left < 4)
  71                 goto decode_error;
  72
  73         /* HandshakeType msg_type */
  74         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
  75                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
  76                                  *pos);
  77                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  78                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  79                 return -1;
  80         }
  81         tlsv1_server_log(conn, "Received ClientHello");
  82         pos++;
  83         /* uint24 length */
  84         len = WPA_GET_BE24(pos);
  85         pos += 3;
  86         left -= 4;
  87
  88         if (len > left)
  89                 goto decode_error;
  90
  91         /* body - ClientHello */
  92
  93         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
  94         end = pos + len;
  95
  96         /* ProtocolVersion client_version */
  97         if (end - pos < 2)
  98                 goto decode_error;
  99         conn->client_version = WPA_GET_BE16(pos);
 100         tlsv1_server_log(conn, "Client version %d.%d",
 101                          conn->client_version >> 8,
 102                          conn->client_version & 0xff);
 103         if (conn->client_version < TLS_VERSION_1) {
 104                 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
 105                                  conn->client_version >> 8,
 106                                  conn->client_version & 0xff);
 107                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 108                                    TLS_ALERT_PROTOCOL_VERSION);
 109                 return -1;
 110         }
 111         pos += 2;
 112
 113         if (TLS_VERSION == TLS_VERSION_1)
 114                 conn->rl.tls_version = TLS_VERSION_1;
 115 #ifdef CONFIG_TLSV12
 116         else if (conn->client_version >= TLS_VERSION_1_2)
 117                 conn->rl.tls_version = TLS_VERSION_1_2;
 118 #endif /* CONFIG_TLSV12 */
 119         else if (conn->client_version > TLS_VERSION_1_1)
 120                 conn->rl.tls_version = TLS_VERSION_1_1;
 121         else
 122                 conn->rl.tls_version = conn->client_version;
 123         tlsv1_server_log(conn, "Using TLS v%s",
 124                          tls_version_str(conn->rl.tls_version));
 125
 126         /* Random random */
 127         if (end - pos < TLS_RANDOM_LEN)
 128                 goto decode_error;
 129
 130         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 131         pos += TLS_RANDOM_LEN;
 132         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 133                     conn->client_random, TLS_RANDOM_LEN);
 134
 135         /* SessionID session_id */
 136         if (end - pos < 1)
 137                 goto decode_error;
 138         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 139                 goto decode_error;
 140         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 141         pos += 1 + *pos;
 142         /* TODO: add support for session resumption */
 143
 144         /* CipherSuite cipher_suites<2..2^16-1> */
 145         if (end - pos < 2)
 146                 goto decode_error;
 147         num_suites = WPA_GET_BE16(pos);
 148         pos += 2;
 149         if (end - pos < num_suites)
 150                 goto decode_error;
 151         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 152                     pos, num_suites);
 153         if (num_suites & 1)
 154                 goto decode_error;
 155         num_suites /= 2;
 156
 157         cipher_suite = 0;
 158         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 159                 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
 160                         continue;
 161                 c = pos;
 162                 for (j = 0; j < num_suites; j++) {
 163                         u16 tmp = WPA_GET_BE16(c);
 164                         c += 2;
 165                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 166                                 cipher_suite = tmp;
 167                                 break;
 168                         }
 169                 }
 170         }
 171         pos += num_suites * 2;
 172         if (!cipher_suite) {
 173                 tlsv1_server_log(conn, "No supported cipher suite available");
 174                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 175                                    TLS_ALERT_ILLEGAL_PARAMETER);
 176                 return -1;
 177         }
 178
 179         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 180                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 181                            "record layer");
 182                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 183                                    TLS_ALERT_INTERNAL_ERROR);
 184                 return -1;
 185         }
 186
 187         conn->cipher_suite = cipher_suite;
 188
 189         /* CompressionMethod compression_methods<1..2^8-1> */
 190         if (end - pos < 1)
 191                 goto decode_error;
 192         num_suites = *pos++;
 193         if (end - pos < num_suites)
 194                 goto decode_error;
 195         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 196                     pos, num_suites);
 197         compr_null_found = 0;
 198         for (i = 0; i < num_suites; i++) {
 199                 if (*pos++ == TLS_COMPRESSION_NULL)
 200                         compr_null_found = 1;
 201         }
 202         if (!compr_null_found) {
 203                 tlsv1_server_log(conn, "Client does not accept NULL compression");
 204                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 205                                    TLS_ALERT_ILLEGAL_PARAMETER);
 206                 return -1;
 207         }
 208
 209         if (end - pos == 1) {
 210                 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
 211                                  *pos);
 212                 goto decode_error;
 213         }
 214
 215         if (end - pos >= 2) {
 216                 /* Extension client_hello_extension_list<0..2^16-1> */
 217                 ext_len = WPA_GET_BE16(pos);
 218                 pos += 2;
 219
 220                 tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
 221                                  ext_len);
 222                 if (end - pos != ext_len) {
 223                         tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
 224                                          ext_len, (unsigned int) (end - pos));
 225                         goto decode_error;
 226                 }
 227
 228                 /*
 229                  * struct {
 230                  *   ExtensionType extension_type (0..65535)
 231                  *   opaque extension_data<0..2^16-1>
 232                  * } Extension;
 233                  */
 234
 235                 while (pos < end) {
 236                         if (end - pos < 2) {
 237                                 tlsv1_server_log(conn, "Invalid extension_type field");
 238                                 goto decode_error;
 239                         }
 240
 241                         ext_type = WPA_GET_BE16(pos);
 242                         pos += 2;
 243
 244                         if (end - pos < 2) {
 245                                 tlsv1_server_log(conn, "Invalid extension_data length field");
 246                                 goto decode_error;
 247                         }
 248
 249                         ext_len = WPA_GET_BE16(pos);
 250                         pos += 2;
 251
 252                         if (end - pos < ext_len) {
 253                                 tlsv1_server_log(conn, "Invalid extension_data field");
 254                                 goto decode_error;
 255                         }
 256
 257                         tlsv1_server_log(conn, "ClientHello Extension type %u",
 258                                          ext_type);
 259                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 260                                     "Extension data", pos, ext_len);
 261
 262                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 263                                 os_free(conn->session_ticket);
 264                                 conn->session_ticket = os_malloc(ext_len);
 265                                 if (conn->session_ticket) {
 266                                         os_memcpy(conn->session_ticket, pos,
 267                                                   ext_len);
 268                                         conn->session_ticket_len = ext_len;
 269                                 }
 270                         }
 271
 272                         pos += ext_len;
 273                 }
 274         }
 275
 276         *in_len = end - in_data;
 277
 278         tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
 279         conn->state = SERVER_HELLO;
 280
 281         return 0;
 282
 283 decode_error:
 284         tlsv1_server_log(conn, "Failed to decode ClientHello");
 285         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 286                            TLS_ALERT_DECODE_ERROR);
 287         return -1;
 288 }
 289
 290
 291 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 292                                    const u8 *in_data, size_t *in_len)
 293 {
 294         const u8 *pos, *end;
 295         size_t left, len, list_len, cert_len, idx;
 296         u8 type;
 297         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 298         int reason;
 299
 300         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 301                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 302                                  ct);
 303                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 304                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 305                 return -1;
 306         }
 307
 308         pos = in_data;
 309         left = *in_len;
 310
 311         if (left < 4) {
 312                 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
 313                                  (unsigned long) left);
 314                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 315                                    TLS_ALERT_DECODE_ERROR);
 316                 return -1;
 317         }
 318
 319         type = *pos++;
 320         len = WPA_GET_BE24(pos);
 321         pos += 3;
 322         left -= 4;
 323
 324         if (len > left) {
 325                 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
 326                                  (unsigned long) len, (unsigned long) left);
 327                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 328                                    TLS_ALERT_DECODE_ERROR);
 329                 return -1;
 330         }
 331
 332         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 333                 if (conn->verify_peer) {
 334                         tlsv1_server_log(conn, "Client did not include Certificate");
 335                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 336                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 337                         return -1;
 338                 }
 339
 340                 return tls_process_client_key_exchange(conn, ct, in_data,
 341                                                        in_len);
 342         }
 343         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 344                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
 345                                  type);
 346                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 347                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 348                 return -1;
 349         }
 350
 351         tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
 352                          (unsigned long) len);
 353
 354         /*
 355          * opaque ASN.1Cert<2^24-1>;
 356          *
 357          * struct {
 358          *     ASN.1Cert certificate_list<1..2^24-1>;
 359          * } Certificate;
 360          */
 361
 362         end = pos + len;
 363
 364         if (end - pos < 3) {
 365                 tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
 366                                  (unsigned long) left);
 367                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 368                                    TLS_ALERT_DECODE_ERROR);
 369                 return -1;
 370         }
 371
 372         list_len = WPA_GET_BE24(pos);
 373         pos += 3;
 374
 375         if ((size_t) (end - pos) != list_len) {
 376                 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
 377                                  (unsigned long) list_len,
 378                                  (unsigned long) (end - pos));
 379                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 380                                    TLS_ALERT_DECODE_ERROR);
 381                 return -1;
 382         }
 383
 384         idx = 0;
 385         while (pos < end) {
 386                 if (end - pos < 3) {
 387                         tlsv1_server_log(conn, "Failed to parse certificate_list");
 388                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 389                                            TLS_ALERT_DECODE_ERROR);
 390                         x509_certificate_chain_free(chain);
 391                         return -1;
 392                 }
 393
 394                 cert_len = WPA_GET_BE24(pos);
 395                 pos += 3;
 396
 397                 if ((size_t) (end - pos) < cert_len) {
 398                         tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
 399                                          (unsigned long) cert_len,
 400                                          (unsigned long) (end - pos));
 401                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 402                                            TLS_ALERT_DECODE_ERROR);
 403                         x509_certificate_chain_free(chain);
 404                         return -1;
 405                 }
 406
 407                 tlsv1_server_log(conn, "Certificate %lu (len %lu)",
 408                                  (unsigned long) idx, (unsigned long) cert_len);
 409
 410                 if (idx == 0) {
 411                         crypto_public_key_free(conn->client_rsa_key);
 412                         if (tls_parse_cert(pos, cert_len,
 413                                            &conn->client_rsa_key)) {
 414                                 tlsv1_server_log(conn, "Failed to parse the certificate");
 415                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 416                                                    TLS_ALERT_BAD_CERTIFICATE);
 417                                 x509_certificate_chain_free(chain);
 418                                 return -1;
 419                         }
 420                 }
 421
 422                 cert = x509_certificate_parse(pos, cert_len);
 423                 if (cert == NULL) {
 424                         tlsv1_server_log(conn, "Failed to parse the certificate");
 425                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 426                                            TLS_ALERT_BAD_CERTIFICATE);
 427                         x509_certificate_chain_free(chain);
 428                         return -1;
 429                 }
 430
 431                 if (last == NULL)
 432                         chain = cert;
 433                 else
 434                         last->next = cert;
 435                 last = cert;
 436
 437                 idx++;
 438                 pos += cert_len;
 439         }
 440
 441         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 442                                             &reason, 0) < 0) {
 443                 int tls_reason;
 444                 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
 445                                  reason);
 446                 switch (reason) {
 447                 case X509_VALIDATE_BAD_CERTIFICATE:
 448                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 449                         break;
 450                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 451                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 452                         break;
 453                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 454                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 455                         break;
 456                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 457                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 458                         break;
 459                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 460                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 461                         break;
 462                 case X509_VALIDATE_UNKNOWN_CA:
 463                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 464                         break;
 465                 default:
 466                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 467                         break;
 468                 }
 469                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 470                 x509_certificate_chain_free(chain);
 471                 return -1;
 472         }
 473
 474         x509_certificate_chain_free(chain);
 475
 476         *in_len = end - in_data;
 477
 478         conn->state = CLIENT_KEY_EXCHANGE;
 479
 480         return 0;
 481 }
 482
 483
 484 static int tls_process_client_key_exchange_rsa(
 485         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 486 {
 487         u8 *out;
 488         size_t outlen, outbuflen;
 489         u16 encr_len;
 490         int res;
 491         int use_random = 0;
 492
 493         if (end - pos < 2) {
 494                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 495                                    TLS_ALERT_DECODE_ERROR);
 496                 return -1;
 497         }
 498
 499         encr_len = WPA_GET_BE16(pos);
 500         pos += 2;
 501         if (pos + encr_len > end) {
 502                 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
 503                                  encr_len, (unsigned int) (end - pos));
 504                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 505                                    TLS_ALERT_DECODE_ERROR);
 506                 return -1;
 507         }
 508
 509         outbuflen = outlen = end - pos;
 510         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 511                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 512         if (out == NULL) {
 513                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 514                                    TLS_ALERT_INTERNAL_ERROR);
 515                 return -1;
 516         }
 517
 518         /*
 519          * struct {
 520          *   ProtocolVersion client_version;
 521          *   opaque random[46];
 522          * } PreMasterSecret;
 523          *
 524          * struct {
 525          *   public-key-encrypted PreMasterSecret pre_master_secret;
 526          * } EncryptedPreMasterSecret;
 527          */
 528
 529         /*
 530          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 531          * parsing errors from EncryptedPreMasterSecret processing to the
 532          * client. Instead, a random pre-master secret is used to force the
 533          * handshake to fail.
 534          */
 535
 536         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 537                                                  pos, encr_len,
 538                                                  out, &outlen) < 0) {
 539                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 540                            "PreMasterSecret (encr_len=%u outlen=%lu)",
 541                            encr_len, (unsigned long) outlen);
 542                 use_random = 1;
 543         }
 544
 545         if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
 546                 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
 547                                  (unsigned long) outlen);
 548                 use_random = 1;
 549         }
 550
 551         if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
 552                 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
 553                 use_random = 1;
 554         }
 555
 556         if (use_random) {
 557                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 558                            "to avoid revealing information about private key");
 559                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 560                 if (os_get_random(out, outlen)) {
 561                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 562                                    "data");
 563                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 564                                            TLS_ALERT_INTERNAL_ERROR);
 565                         os_free(out);
 566                         return -1;
 567                 }
 568         }
 569
 570         res = tlsv1_server_derive_keys(conn, out, outlen);
 571
 572         /* Clear the pre-master secret since it is not needed anymore */
 573         os_memset(out, 0, outbuflen);
 574         os_free(out);
 575
 576         if (res) {
 577                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 578                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 579                                    TLS_ALERT_INTERNAL_ERROR);
 580                 return -1;
 581         }
 582
 583         return 0;
 584 }
 585
 586
 587 static int tls_process_client_key_exchange_dh(
 588         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 589 {
 590         const u8 *dh_yc;
 591         u16 dh_yc_len;
 592         u8 *shared;
 593         size_t shared_len;
 594         int res;
 595         const u8 *dh_p;
 596         size_t dh_p_len;
 597
 598         /*
 599          * struct {
 600          *   select (PublicValueEncoding) {
 601          *     case implicit: struct { };
 602          *     case explicit: opaque dh_Yc<1..2^16-1>;
 603          *   } dh_public;
 604          * } ClientDiffieHellmanPublic;
 605          */
 606
 607         tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
 608         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 609                     pos, end - pos);
 610
 611         if (end == pos) {
 612                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 613                            "not supported");
 614                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 615                                    TLS_ALERT_INTERNAL_ERROR);
 616                 return -1;
 617         }
 618
 619         if (end - pos < 3) {
 620                 tlsv1_server_log(conn, "Invalid client public value length");
 621                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 622                                    TLS_ALERT_DECODE_ERROR);
 623                 return -1;
 624         }
 625
 626         dh_yc_len = WPA_GET_BE16(pos);
 627         dh_yc = pos + 2;
 628
 629         if (dh_yc_len > end - dh_yc) {
 630                 tlsv1_server_log(conn, "Client public value overflow (length %d)",
 631                                  dh_yc_len);
 632                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 633                                    TLS_ALERT_DECODE_ERROR);
 634                 return -1;
 635         }
 636
 637         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 638                     dh_yc, dh_yc_len);
 639
 640         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 641             conn->dh_secret == NULL) {
 642                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 643                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 644                                    TLS_ALERT_INTERNAL_ERROR);
 645                 return -1;
 646         }
 647
 648         tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
 649
 650         shared_len = dh_p_len;
 651         shared = os_malloc(shared_len);
 652         if (shared == NULL) {
 653                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 654                            "DH");
 655                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 656                                    TLS_ALERT_INTERNAL_ERROR);
 657                 return -1;
 658         }
 659
 660         /* shared = Yc^secret mod p */
 661         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 662                            conn->dh_secret_len, dh_p, dh_p_len,
 663                            shared, &shared_len)) {
 664                 os_free(shared);
 665                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 666                                    TLS_ALERT_INTERNAL_ERROR);
 667                 return -1;
 668         }
 669         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 670                         shared, shared_len);
 671
 672         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 673         os_free(conn->dh_secret);
 674         conn->dh_secret = NULL;
 675
 676         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 677
 678         /* Clear the pre-master secret since it is not needed anymore */
 679         os_memset(shared, 0, shared_len);
 680         os_free(shared);
 681
 682         if (res) {
 683                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 684                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 685                                    TLS_ALERT_INTERNAL_ERROR);
 686                 return -1;
 687         }
 688
 689         return 0;
 690 }
 691
 692
 693 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 694                                            const u8 *in_data, size_t *in_len)
 695 {
 696         const u8 *pos, *end;
 697         size_t left, len;
 698         u8 type;
 699         tls_key_exchange keyx;
 700         const struct tls_cipher_suite *suite;
 701
 702         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 703                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 704                                  ct);
 705                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 706                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 707                 return -1;
 708         }
 709
 710         pos = in_data;
 711         left = *in_len;
 712
 713         if (left < 4) {
 714                 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
 715                                  (unsigned long) left);
 716                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 717                                    TLS_ALERT_DECODE_ERROR);
 718                 return -1;
 719         }
 720
 721         type = *pos++;
 722         len = WPA_GET_BE24(pos);
 723         pos += 3;
 724         left -= 4;
 725
 726         if (len > left) {
 727                 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
 728                                  (unsigned long) len, (unsigned long) left);
 729                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 730                                    TLS_ALERT_DECODE_ERROR);
 731                 return -1;
 732         }
 733
 734         end = pos + len;
 735
 736         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 737                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
 738                                  type);
 739                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 740                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 741                 return -1;
 742         }
 743
 744         tlsv1_server_log(conn, "Received ClientKeyExchange");
 745
 746         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 747
 748         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 749         if (suite == NULL)
 750                 keyx = TLS_KEY_X_NULL;
 751         else
 752                 keyx = suite->key_exchange;
 753
 754         if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
 755             tls_process_client_key_exchange_dh(conn, pos, end) < 0)
 756                 return -1;
 757
 758         if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
 759             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 760                 return -1;
 761
 762         *in_len = end - in_data;
 763
 764         conn->state = CERTIFICATE_VERIFY;
 765
 766         return 0;
 767 }
 768
 769
 770 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 771                                           const u8 *in_data, size_t *in_len)
 772 {
 773         const u8 *pos, *end;
 774         size_t left, len;
 775         u8 type;
 776         size_t hlen;
 777         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
 778         u8 alert;
 779
 780         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 781                 if (conn->verify_peer) {
 782                         tlsv1_server_log(conn, "Client did not include CertificateVerify");
 783                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 784                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 785                         return -1;
 786                 }
 787
 788                 return tls_process_change_cipher_spec(conn, ct, in_data,
 789                                                       in_len);
 790         }
 791
 792         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 793                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 794                                  ct);
 795                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 796                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 797                 return -1;
 798         }
 799
 800         pos = in_data;
 801         left = *in_len;
 802
 803         if (left < 4) {
 804                 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
 805                                  (unsigned long) left);
 806                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 807                                    TLS_ALERT_DECODE_ERROR);
 808                 return -1;
 809         }
 810
 811         type = *pos++;
 812         len = WPA_GET_BE24(pos);
 813         pos += 3;
 814         left -= 4;
 815
 816         if (len > left) {
 817                 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
 818                                  (unsigned long) len, (unsigned long) left);
 819                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 820                                    TLS_ALERT_DECODE_ERROR);
 821                 return -1;
 822         }
 823
 824         end = pos + len;
 825
 826         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 827                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
 828                                  type);
 829                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 830                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 831                 return -1;
 832         }
 833
 834         tlsv1_server_log(conn, "Received CertificateVerify");
 835
 836         /*
 837          * struct {
 838          *   Signature signature;
 839          * } CertificateVerify;
 840          */
 841
 842         hpos = hash;
 843
 844 #ifdef CONFIG_TLSV12
 845         if (conn->rl.tls_version == TLS_VERSION_1_2) {
 846                 /*
 847                  * RFC 5246, 4.7:
 848                  * TLS v1.2 adds explicit indication of the used signature and
 849                  * hash algorithms.
 850                  *
 851                  * struct {
 852                  *   HashAlgorithm hash;
 853                  *   SignatureAlgorithm signature;
 854                  * } SignatureAndHashAlgorithm;
 855                  */
 856                 if (end - pos < 2) {
 857                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 858                                            TLS_ALERT_DECODE_ERROR);
 859                         return -1;
 860                 }
 861                 if (pos[0] != TLS_HASH_ALG_SHA256 ||
 862                     pos[1] != TLS_SIGN_ALG_RSA) {
 863                         wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
 864                                    "signature(%u) algorithm",
 865                                    pos[0], pos[1]);
 866                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 867                                            TLS_ALERT_INTERNAL_ERROR);
 868                         return -1;
 869                 }
 870                 pos += 2;
 871
 872                 hlen = SHA256_MAC_LEN;
 873                 if (conn->verify.sha256_cert == NULL ||
 874                     crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
 875                     0) {
 876                         conn->verify.sha256_cert = NULL;
 877                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 878                                            TLS_ALERT_INTERNAL_ERROR);
 879                         return -1;
 880                 }
 881                 conn->verify.sha256_cert = NULL;
 882         } else {
 883 #endif /* CONFIG_TLSV12 */
 884
 885         hlen = MD5_MAC_LEN;
 886         if (conn->verify.md5_cert == NULL ||
 887             crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
 888                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 889                                    TLS_ALERT_INTERNAL_ERROR);
 890                 conn->verify.md5_cert = NULL;
 891                 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 892                 conn->verify.sha1_cert = NULL;
 893                 return -1;
 894         }
 895         hpos += MD5_MAC_LEN;
 896
 897         conn->verify.md5_cert = NULL;
 898         hlen = SHA1_MAC_LEN;
 899         if (conn->verify.sha1_cert == NULL ||
 900             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 901                 conn->verify.sha1_cert = NULL;
 902                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 903                                    TLS_ALERT_INTERNAL_ERROR);
 904                 return -1;
 905         }
 906         conn->verify.sha1_cert = NULL;
 907
 908         hlen += MD5_MAC_LEN;
 909
 910 #ifdef CONFIG_TLSV12
 911         }
 912 #endif /* CONFIG_TLSV12 */
 913
 914         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 915
 916         if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
 917                                  hash, hlen, pos, end - pos, &alert) < 0) {
 918                 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
 919                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
 920                 return -1;
 921         }
 922
 923         *in_len = end - in_data;
 924
 925         conn->state = CHANGE_CIPHER_SPEC;
 926
 927         return 0;
 928 }
 929
 930
 931 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 932                                           u8 ct, const u8 *in_data,
 933                                           size_t *in_len)
 934 {
 935         const u8 *pos;
 936         size_t left;
 937
 938         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 939                 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
 940                                  ct);
 941                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 942                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 943                 return -1;
 944         }
 945
 946         pos = in_data;
 947         left = *in_len;
 948
 949         if (left < 1) {
 950                 tlsv1_server_log(conn, "Too short ChangeCipherSpec");
 951                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 952                                    TLS_ALERT_DECODE_ERROR);
 953                 return -1;
 954         }
 955
 956         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 957                 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
 958                                  *pos);
 959                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 960                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 961                 return -1;
 962         }
 963
 964         tlsv1_server_log(conn, "Received ChangeCipherSpec");
 965         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 966                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 967                            "for record layer");
 968                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 969                                    TLS_ALERT_INTERNAL_ERROR);
 970                 return -1;
 971         }
 972
 973         *in_len = pos + 1 - in_data;
 974
 975         conn->state = CLIENT_FINISHED;
 976
 977         return 0;
 978 }
 979
 980
 981 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 982                                        const u8 *in_data, size_t *in_len)
 983 {
 984         const u8 *pos, *end;
 985         size_t left, len, hlen;
 986         u8 verify_data[TLS_VERIFY_DATA_LEN];
 987         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 988
 989 #ifdef CONFIG_TESTING_OPTIONS
 990         if ((conn->test_flags &
 991              (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
 992             !conn->test_failure_reported) {
 993                 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
 994                 conn->test_failure_reported = 1;
 995         }
 996
 997         if ((conn->test_flags & TLS_DHE_PRIME_15) &&
 998             !conn->test_failure_reported) {
 999                 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1000                 conn->test_failure_reported = 1;
1001         }
1002
1003         if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1004             !conn->test_failure_reported) {
1005                 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1006                 conn->test_failure_reported = 1;
1007         }
1008
1009         if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1010             !conn->test_failure_reported) {
1011                 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1012                 conn->test_failure_reported = 1;
1013         }
1014
1015         if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1016             !conn->test_failure_reported) {
1017                 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1018                 conn->test_failure_reported = 1;
1019         }
1020
1021         if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1022             !conn->test_failure_reported) {
1023                 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1024                 conn->test_failure_reported = 1;
1025         }
1026 #endif /* CONFIG_TESTING_OPTIONS */
1027
1028         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1029                 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1030                                  ct);
1031                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1032                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1033                 return -1;
1034         }
1035
1036         pos = in_data;
1037         left = *in_len;
1038
1039         if (left < 4) {
1040                 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1041                                  (unsigned long) left);
1042                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1043                                    TLS_ALERT_DECODE_ERROR);
1044                 return -1;
1045         }
1046
1047         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1048                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1049                            "type 0x%x", pos[0]);
1050                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1051                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1052                 return -1;
1053         }
1054
1055         len = WPA_GET_BE24(pos + 1);
1056
1057         pos += 4;
1058         left -= 4;
1059
1060         if (len > left) {
1061                 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1062                                  (unsigned long) len, (unsigned long) left);
1063                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1064                                    TLS_ALERT_DECODE_ERROR);
1065                 return -1;
1066         }
1067         end = pos + len;
1068         if (len != TLS_VERIFY_DATA_LEN) {
1069                 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1070                                  (unsigned long) len, TLS_VERIFY_DATA_LEN);
1071                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1072                                    TLS_ALERT_DECODE_ERROR);
1073                 return -1;
1074         }
1075         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1076                     pos, TLS_VERIFY_DATA_LEN);
1077
1078 #ifdef CONFIG_TLSV12
1079         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1080                 hlen = SHA256_MAC_LEN;
1081                 if (conn->verify.sha256_client == NULL ||
1082                     crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1083                     < 0) {
1084                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1085                                            TLS_ALERT_INTERNAL_ERROR);
1086                         conn->verify.sha256_client = NULL;
1087                         return -1;
1088                 }
1089                 conn->verify.sha256_client = NULL;
1090         } else {
1091 #endif /* CONFIG_TLSV12 */
1092
1093         hlen = MD5_MAC_LEN;
1094         if (conn->verify.md5_client == NULL ||
1095             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1096                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1097                                    TLS_ALERT_INTERNAL_ERROR);
1098                 conn->verify.md5_client = NULL;
1099                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1100                 conn->verify.sha1_client = NULL;
1101                 return -1;
1102         }
1103         conn->verify.md5_client = NULL;
1104         hlen = SHA1_MAC_LEN;
1105         if (conn->verify.sha1_client == NULL ||
1106             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1107                                &hlen) < 0) {
1108                 conn->verify.sha1_client = NULL;
1109                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1110                                    TLS_ALERT_INTERNAL_ERROR);
1111                 return -1;
1112         }
1113         conn->verify.sha1_client = NULL;
1114         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1115
1116 #ifdef CONFIG_TLSV12
1117         }
1118 #endif /* CONFIG_TLSV12 */
1119
1120         if (tls_prf(conn->rl.tls_version,
1121                     conn->master_secret, TLS_MASTER_SECRET_LEN,
1122                     "client finished", hash, hlen,
1123                     verify_data, TLS_VERIFY_DATA_LEN)) {
1124                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1125                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1126                                    TLS_ALERT_DECRYPT_ERROR);
1127                 return -1;
1128         }
1129         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1130                         verify_data, TLS_VERIFY_DATA_LEN);
1131
1132         if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1133                 tlsv1_server_log(conn, "Mismatch in verify_data");
1134                 return -1;
1135         }
1136
1137         tlsv1_server_log(conn, "Received Finished");
1138
1139         *in_len = end - in_data;
1140
1141         if (conn->use_session_ticket) {
1142                 /* Abbreviated handshake using session ticket; RFC 4507 */
1143                 tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1144                 conn->state = ESTABLISHED;
1145         } else {
1146                 /* Full handshake */
1147                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1148         }
1149
1150         return 0;
1151 }
1152
1153
1154 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1155                                    const u8 *buf, size_t *len)
1156 {
1157         if (ct == TLS_CONTENT_TYPE_ALERT) {
1158                 if (*len < 2) {
1159                         tlsv1_server_log(conn, "Alert underflow");
1160                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1161                                            TLS_ALERT_DECODE_ERROR);
1162                         return -1;
1163                 }
1164                 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1165                 *len = 2;
1166                 conn->state = FAILED;
1167                 return -1;
1168         }
1169
1170         switch (conn->state) {
1171         case CLIENT_HELLO:
1172                 if (tls_process_client_hello(conn, ct, buf, len))
1173                         return -1;
1174                 break;
1175         case CLIENT_CERTIFICATE:
1176                 if (tls_process_certificate(conn, ct, buf, len))
1177                         return -1;
1178                 break;
1179         case CLIENT_KEY_EXCHANGE:
1180                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1181                         return -1;
1182                 break;
1183         case CERTIFICATE_VERIFY:
1184                 if (tls_process_certificate_verify(conn, ct, buf, len))
1185                         return -1;
1186                 break;
1187         case CHANGE_CIPHER_SPEC:
1188                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1189                         return -1;
1190                 break;
1191         case CLIENT_FINISHED:
1192                 if (tls_process_client_finished(conn, ct, buf, len))
1193                         return -1;
1194                 break;
1195         default:
1196                 tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1197                                  conn->state);
1198                 return -1;
1199         }
1200
1201         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1202                 tls_verify_hash_add(&conn->verify, buf, *len);
1203
1204         return 0;
1205 }