libeap/src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_server.h"
  20 #include "tlsv1_server_i.h"
  21
  22
  23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  24                                            const u8 *in_data, size_t *in_len);
  25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  26                                           u8 ct, const u8 *in_data,
  27                                           size_t *in_len);
  28
  29
  30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
  31 {
  32 #ifdef CONFIG_TESTING_OPTIONS
  33         if ((conn->test_flags &
  34              (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
  35               TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
  36               TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
  37             suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
  38             suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
  39             suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
  40             suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
  41             suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
  42                 return 1;
  43 #endif /* CONFIG_TESTING_OPTIONS */
  44
  45         return 0;
  46 }
  47
  48
  49 static void tls_process_status_request_item(struct tlsv1_server *conn,
  50                                             const u8 *req, size_t req_len)
  51 {
  52         const u8 *pos, *end;
  53         u8 status_type;
  54
  55         pos = req;
  56         end = req + req_len;
  57
  58         /*
  59          * RFC 6961, 2.2:
  60          * struct {
  61          *   CertificateStatusType status_type;
  62          *   uint16 request_length;
  63          *   select (status_type) {
  64          *     case ocsp: OCSPStatusRequest;
  65          *     case ocsp_multi: OCSPStatusRequest;
  66          *   } request;
  67          * } CertificateStatusRequestItemV2;
  68          *
  69          * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
  70          */
  71
  72         if (end - pos < 1)
  73                 return; /* Truncated data */
  74
  75         status_type = *pos++;
  76         wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
  77         if (status_type != 1 && status_type != 2)
  78                 return; /* Unsupported status type */
  79         /*
  80          * For now, only OCSP stapling is supported, so ignore the specific
  81          * request, if any.
  82          */
  83         wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
  84
  85         if (status_type == 2)
  86                 conn->status_request_multi = 1;
  87 }
  88
  89
  90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
  91                                           const u8 *ext, size_t ext_len)
  92 {
  93         const u8 *pos, *end;
  94
  95         conn->status_request_v2 = 1;
  96
  97         pos = ext;
  98         end = ext + ext_len;
  99
 100         /*
 101          * RFC 6961, 2.2:
 102          * struct {
 103          *   CertificateStatusRequestItemV2
 104          *                    certificate_status_req_list<1..2^16-1>;
 105          * } CertificateStatusRequestListV2;
 106          */
 107
 108         while (end - pos >= 2) {
 109                 u16 len;
 110
 111                 len = WPA_GET_BE16(pos);
 112                 pos += 2;
 113                 if (len > end - pos)
 114                         break; /* Truncated data */
 115                 tls_process_status_request_item(conn, pos, len);
 116                 pos += len;
 117         }
 118 }
 119
 120
 121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
 122                                     const u8 *in_data, size_t *in_len)
 123 {
 124         const u8 *pos, *end, *c;
 125         size_t left, len, i, j;
 126         u16 cipher_suite;
 127         u16 num_suites;
 128         int compr_null_found;
 129         u16 ext_type, ext_len;
 130
 131         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 132                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 133                                  ct);
 134                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 135                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 136                 return -1;
 137         }
 138
 139         pos = in_data;
 140         left = *in_len;
 141
 142         if (left < 4)
 143                 goto decode_error;
 144
 145         /* HandshakeType msg_type */
 146         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
 147                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
 148                                  *pos);
 149                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 150                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 151                 return -1;
 152         }
 153         tlsv1_server_log(conn, "Received ClientHello");
 154         pos++;
 155         /* uint24 length */
 156         len = WPA_GET_BE24(pos);
 157         pos += 3;
 158         left -= 4;
 159
 160         if (len > left)
 161                 goto decode_error;
 162
 163         /* body - ClientHello */
 164
 165         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
 166         end = pos + len;
 167
 168         /* ProtocolVersion client_version */
 169         if (end - pos < 2)
 170                 goto decode_error;
 171         conn->client_version = WPA_GET_BE16(pos);
 172         tlsv1_server_log(conn, "Client version %d.%d",
 173                          conn->client_version >> 8,
 174                          conn->client_version & 0xff);
 175         if (conn->client_version < TLS_VERSION_1) {
 176                 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
 177                                  conn->client_version >> 8,
 178                                  conn->client_version & 0xff);
 179                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 180                                    TLS_ALERT_PROTOCOL_VERSION);
 181                 return -1;
 182         }
 183         pos += 2;
 184
 185         if (TLS_VERSION == TLS_VERSION_1)
 186                 conn->rl.tls_version = TLS_VERSION_1;
 187 #ifdef CONFIG_TLSV12
 188         else if (conn->client_version >= TLS_VERSION_1_2)
 189                 conn->rl.tls_version = TLS_VERSION_1_2;
 190 #endif /* CONFIG_TLSV12 */
 191         else if (conn->client_version > TLS_VERSION_1_1)
 192                 conn->rl.tls_version = TLS_VERSION_1_1;
 193         else
 194                 conn->rl.tls_version = conn->client_version;
 195         tlsv1_server_log(conn, "Using TLS v%s",
 196                          tls_version_str(conn->rl.tls_version));
 197
 198         /* Random random */
 199         if (end - pos < TLS_RANDOM_LEN)
 200                 goto decode_error;
 201
 202         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 203         pos += TLS_RANDOM_LEN;
 204         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 205                     conn->client_random, TLS_RANDOM_LEN);
 206
 207         /* SessionID session_id */
 208         if (end - pos < 1)
 209                 goto decode_error;
 210         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 211                 goto decode_error;
 212         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 213         pos += 1 + *pos;
 214         /* TODO: add support for session resumption */
 215
 216         /* CipherSuite cipher_suites<2..2^16-1> */
 217         if (end - pos < 2)
 218                 goto decode_error;
 219         num_suites = WPA_GET_BE16(pos);
 220         pos += 2;
 221         if (end - pos < num_suites)
 222                 goto decode_error;
 223         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 224                     pos, num_suites);
 225         if (num_suites & 1)
 226                 goto decode_error;
 227         num_suites /= 2;
 228
 229         cipher_suite = 0;
 230         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 231                 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
 232                         continue;
 233                 c = pos;
 234                 for (j = 0; j < num_suites; j++) {
 235                         u16 tmp = WPA_GET_BE16(c);
 236                         c += 2;
 237                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 238                                 cipher_suite = tmp;
 239                                 break;
 240                         }
 241                 }
 242         }
 243         pos += num_suites * 2;
 244         if (!cipher_suite) {
 245                 tlsv1_server_log(conn, "No supported cipher suite available");
 246                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 247                                    TLS_ALERT_ILLEGAL_PARAMETER);
 248                 return -1;
 249         }
 250
 251         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 252                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 253                            "record layer");
 254                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 255                                    TLS_ALERT_INTERNAL_ERROR);
 256                 return -1;
 257         }
 258
 259         conn->cipher_suite = cipher_suite;
 260
 261         /* CompressionMethod compression_methods<1..2^8-1> */
 262         if (end - pos < 1)
 263                 goto decode_error;
 264         num_suites = *pos++;
 265         if (end - pos < num_suites)
 266                 goto decode_error;
 267         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 268                     pos, num_suites);
 269         compr_null_found = 0;
 270         for (i = 0; i < num_suites; i++) {
 271                 if (*pos++ == TLS_COMPRESSION_NULL)
 272                         compr_null_found = 1;
 273         }
 274         if (!compr_null_found) {
 275                 tlsv1_server_log(conn, "Client does not accept NULL compression");
 276                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 277                                    TLS_ALERT_ILLEGAL_PARAMETER);
 278                 return -1;
 279         }
 280
 281         if (end - pos == 1) {
 282                 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
 283                                  *pos);
 284                 goto decode_error;
 285         }
 286
 287         if (end - pos >= 2) {
 288                 /* Extension client_hello_extension_list<0..2^16-1> */
 289                 ext_len = WPA_GET_BE16(pos);
 290                 pos += 2;
 291
 292                 tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
 293                                  ext_len);
 294                 if (end - pos != ext_len) {
 295                         tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
 296                                          ext_len, (unsigned int) (end - pos));
 297                         goto decode_error;
 298                 }
 299
 300                 /*
 301                  * struct {
 302                  *   ExtensionType extension_type (0..65535)
 303                  *   opaque extension_data<0..2^16-1>
 304                  * } Extension;
 305                  */
 306
 307                 while (pos < end) {
 308                         if (end - pos < 2) {
 309                                 tlsv1_server_log(conn, "Invalid extension_type field");
 310                                 goto decode_error;
 311                         }
 312
 313                         ext_type = WPA_GET_BE16(pos);
 314                         pos += 2;
 315
 316                         if (end - pos < 2) {
 317                                 tlsv1_server_log(conn, "Invalid extension_data length field");
 318                                 goto decode_error;
 319                         }
 320
 321                         ext_len = WPA_GET_BE16(pos);
 322                         pos += 2;
 323
 324                         if (end - pos < ext_len) {
 325                                 tlsv1_server_log(conn, "Invalid extension_data field");
 326                                 goto decode_error;
 327                         }
 328
 329                         tlsv1_server_log(conn, "ClientHello Extension type %u",
 330                                          ext_type);
 331                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 332                                     "Extension data", pos, ext_len);
 333
 334                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 335                                 os_free(conn->session_ticket);
 336                                 conn->session_ticket = os_malloc(ext_len);
 337                                 if (conn->session_ticket) {
 338                                         os_memcpy(conn->session_ticket, pos,
 339                                                   ext_len);
 340                                         conn->session_ticket_len = ext_len;
 341                                 }
 342                         } else if (ext_type == TLS_EXT_STATUS_REQUEST) {
 343                                 conn->status_request = 1;
 344                         } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
 345                                 tls_process_status_request_v2(conn, pos,
 346                                                               ext_len);
 347                         }
 348
 349                         pos += ext_len;
 350                 }
 351         }
 352
 353         *in_len = end - in_data;
 354
 355         tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
 356         conn->state = SERVER_HELLO;
 357
 358         return 0;
 359
 360 decode_error:
 361         tlsv1_server_log(conn, "Failed to decode ClientHello");
 362         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 363                            TLS_ALERT_DECODE_ERROR);
 364         return -1;
 365 }
 366
 367
 368 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 369                                    const u8 *in_data, size_t *in_len)
 370 {
 371         const u8 *pos, *end;
 372         size_t left, len, list_len, cert_len, idx;
 373         u8 type;
 374         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 375         int reason;
 376
 377         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 378                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 379                                  ct);
 380                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 381                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 382                 return -1;
 383         }
 384
 385         pos = in_data;
 386         left = *in_len;
 387
 388         if (left < 4) {
 389                 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
 390                                  (unsigned long) left);
 391                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 392                                    TLS_ALERT_DECODE_ERROR);
 393                 return -1;
 394         }
 395
 396         type = *pos++;
 397         len = WPA_GET_BE24(pos);
 398         pos += 3;
 399         left -= 4;
 400
 401         if (len > left) {
 402                 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
 403                                  (unsigned long) len, (unsigned long) left);
 404                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 405                                    TLS_ALERT_DECODE_ERROR);
 406                 return -1;
 407         }
 408
 409         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 410                 if (conn->verify_peer) {
 411                         tlsv1_server_log(conn, "Client did not include Certificate");
 412                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 413                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 414                         return -1;
 415                 }
 416
 417                 return tls_process_client_key_exchange(conn, ct, in_data,
 418                                                        in_len);
 419         }
 420         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 421                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
 422                                  type);
 423                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 424                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 425                 return -1;
 426         }
 427
 428         tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
 429                          (unsigned long) len);
 430
 431         /*
 432          * opaque ASN.1Cert<2^24-1>;
 433          *
 434          * struct {
 435          *     ASN.1Cert certificate_list<1..2^24-1>;
 436          * } Certificate;
 437          */
 438
 439         end = pos + len;
 440
 441         if (end - pos < 3) {
 442                 tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
 443                                  (unsigned long) left);
 444                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 445                                    TLS_ALERT_DECODE_ERROR);
 446                 return -1;
 447         }
 448
 449         list_len = WPA_GET_BE24(pos);
 450         pos += 3;
 451
 452         if ((size_t) (end - pos) != list_len) {
 453                 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
 454                                  (unsigned long) list_len,
 455                                  (unsigned long) (end - pos));
 456                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 457                                    TLS_ALERT_DECODE_ERROR);
 458                 return -1;
 459         }
 460
 461         idx = 0;
 462         while (pos < end) {
 463                 if (end - pos < 3) {
 464                         tlsv1_server_log(conn, "Failed to parse certificate_list");
 465                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 466                                            TLS_ALERT_DECODE_ERROR);
 467                         x509_certificate_chain_free(chain);
 468                         return -1;
 469                 }
 470
 471                 cert_len = WPA_GET_BE24(pos);
 472                 pos += 3;
 473
 474                 if ((size_t) (end - pos) < cert_len) {
 475                         tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
 476                                          (unsigned long) cert_len,
 477                                          (unsigned long) (end - pos));
 478                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 479                                            TLS_ALERT_DECODE_ERROR);
 480                         x509_certificate_chain_free(chain);
 481                         return -1;
 482                 }
 483
 484                 tlsv1_server_log(conn, "Certificate %lu (len %lu)",
 485                                  (unsigned long) idx, (unsigned long) cert_len);
 486
 487                 if (idx == 0) {
 488                         crypto_public_key_free(conn->client_rsa_key);
 489                         if (tls_parse_cert(pos, cert_len,
 490                                            &conn->client_rsa_key)) {
 491                                 tlsv1_server_log(conn, "Failed to parse the certificate");
 492                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 493                                                    TLS_ALERT_BAD_CERTIFICATE);
 494                                 x509_certificate_chain_free(chain);
 495                                 return -1;
 496                         }
 497                 }
 498
 499                 cert = x509_certificate_parse(pos, cert_len);
 500                 if (cert == NULL) {
 501                         tlsv1_server_log(conn, "Failed to parse the certificate");
 502                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 503                                            TLS_ALERT_BAD_CERTIFICATE);
 504                         x509_certificate_chain_free(chain);
 505                         return -1;
 506                 }
 507
 508                 if (last == NULL)
 509                         chain = cert;
 510                 else
 511                         last->next = cert;
 512                 last = cert;
 513
 514                 idx++;
 515                 pos += cert_len;
 516         }
 517
 518         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 519                                             &reason, 0) < 0) {
 520                 int tls_reason;
 521                 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
 522                                  reason);
 523                 switch (reason) {
 524                 case X509_VALIDATE_BAD_CERTIFICATE:
 525                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 526                         break;
 527                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 528                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 529                         break;
 530                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 531                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 532                         break;
 533                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 534                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 535                         break;
 536                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 537                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 538                         break;
 539                 case X509_VALIDATE_UNKNOWN_CA:
 540                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 541                         break;
 542                 default:
 543                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 544                         break;
 545                 }
 546                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 547                 x509_certificate_chain_free(chain);
 548                 return -1;
 549         }
 550
 551         if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
 552             !(chain->ext_key_usage &
 553               (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
 554                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 555                                    TLS_ALERT_BAD_CERTIFICATE);
 556                 x509_certificate_chain_free(chain);
 557                 return -1;
 558         }
 559
 560         x509_certificate_chain_free(chain);
 561
 562         *in_len = end - in_data;
 563
 564         conn->state = CLIENT_KEY_EXCHANGE;
 565
 566         return 0;
 567 }
 568
 569
 570 static int tls_process_client_key_exchange_rsa(
 571         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 572 {
 573         u8 *out;
 574         size_t outlen, outbuflen;
 575         u16 encr_len;
 576         int res;
 577         int use_random = 0;
 578
 579         if (end - pos < 2) {
 580                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 581                                    TLS_ALERT_DECODE_ERROR);
 582                 return -1;
 583         }
 584
 585         encr_len = WPA_GET_BE16(pos);
 586         pos += 2;
 587         if (pos + encr_len > end) {
 588                 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
 589                                  encr_len, (unsigned int) (end - pos));
 590                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 591                                    TLS_ALERT_DECODE_ERROR);
 592                 return -1;
 593         }
 594
 595         outbuflen = outlen = end - pos;
 596         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 597                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 598         if (out == NULL) {
 599                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 600                                    TLS_ALERT_INTERNAL_ERROR);
 601                 return -1;
 602         }
 603
 604         /*
 605          * struct {
 606          *   ProtocolVersion client_version;
 607          *   opaque random[46];
 608          * } PreMasterSecret;
 609          *
 610          * struct {
 611          *   public-key-encrypted PreMasterSecret pre_master_secret;
 612          * } EncryptedPreMasterSecret;
 613          */
 614
 615         /*
 616          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 617          * parsing errors from EncryptedPreMasterSecret processing to the
 618          * client. Instead, a random pre-master secret is used to force the
 619          * handshake to fail.
 620          */
 621
 622         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 623                                                  pos, encr_len,
 624                                                  out, &outlen) < 0) {
 625                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 626                            "PreMasterSecret (encr_len=%u outlen=%lu)",
 627                            encr_len, (unsigned long) outlen);
 628                 use_random = 1;
 629         }
 630
 631         if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
 632                 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
 633                                  (unsigned long) outlen);
 634                 use_random = 1;
 635         }
 636
 637         if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
 638                 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
 639                 use_random = 1;
 640         }
 641
 642         if (use_random) {
 643                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 644                            "to avoid revealing information about private key");
 645                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 646                 if (os_get_random(out, outlen)) {
 647                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 648                                    "data");
 649                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 650                                            TLS_ALERT_INTERNAL_ERROR);
 651                         os_free(out);
 652                         return -1;
 653                 }
 654         }
 655
 656         res = tlsv1_server_derive_keys(conn, out, outlen);
 657
 658         /* Clear the pre-master secret since it is not needed anymore */
 659         os_memset(out, 0, outbuflen);
 660         os_free(out);
 661
 662         if (res) {
 663                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 664                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 665                                    TLS_ALERT_INTERNAL_ERROR);
 666                 return -1;
 667         }
 668
 669         return 0;
 670 }
 671
 672
 673 static int tls_process_client_key_exchange_dh(
 674         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 675 {
 676         const u8 *dh_yc;
 677         u16 dh_yc_len;
 678         u8 *shared;
 679         size_t shared_len;
 680         int res;
 681         const u8 *dh_p;
 682         size_t dh_p_len;
 683
 684         /*
 685          * struct {
 686          *   select (PublicValueEncoding) {
 687          *     case implicit: struct { };
 688          *     case explicit: opaque dh_Yc<1..2^16-1>;
 689          *   } dh_public;
 690          * } ClientDiffieHellmanPublic;
 691          */
 692
 693         tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
 694         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 695                     pos, end - pos);
 696
 697         if (end == pos) {
 698                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 699                            "not supported");
 700                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 701                                    TLS_ALERT_INTERNAL_ERROR);
 702                 return -1;
 703         }
 704
 705         if (end - pos < 3) {
 706                 tlsv1_server_log(conn, "Invalid client public value length");
 707                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 708                                    TLS_ALERT_DECODE_ERROR);
 709                 return -1;
 710         }
 711
 712         dh_yc_len = WPA_GET_BE16(pos);
 713         dh_yc = pos + 2;
 714
 715         if (dh_yc_len > end - dh_yc) {
 716                 tlsv1_server_log(conn, "Client public value overflow (length %d)",
 717                                  dh_yc_len);
 718                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 719                                    TLS_ALERT_DECODE_ERROR);
 720                 return -1;
 721         }
 722
 723         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 724                     dh_yc, dh_yc_len);
 725
 726         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 727             conn->dh_secret == NULL) {
 728                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 729                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 730                                    TLS_ALERT_INTERNAL_ERROR);
 731                 return -1;
 732         }
 733
 734         tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
 735
 736         shared_len = dh_p_len;
 737         shared = os_malloc(shared_len);
 738         if (shared == NULL) {
 739                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 740                            "DH");
 741                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 742                                    TLS_ALERT_INTERNAL_ERROR);
 743                 return -1;
 744         }
 745
 746         /* shared = Yc^secret mod p */
 747         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 748                            conn->dh_secret_len, dh_p, dh_p_len,
 749                            shared, &shared_len)) {
 750                 os_free(shared);
 751                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 752                                    TLS_ALERT_INTERNAL_ERROR);
 753                 return -1;
 754         }
 755         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 756                         shared, shared_len);
 757
 758         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 759         os_free(conn->dh_secret);
 760         conn->dh_secret = NULL;
 761
 762         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 763
 764         /* Clear the pre-master secret since it is not needed anymore */
 765         os_memset(shared, 0, shared_len);
 766         os_free(shared);
 767
 768         if (res) {
 769                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 770                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 771                                    TLS_ALERT_INTERNAL_ERROR);
 772                 return -1;
 773         }
 774
 775         return 0;
 776 }
 777
 778
 779 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 780                                            const u8 *in_data, size_t *in_len)
 781 {
 782         const u8 *pos, *end;
 783         size_t left, len;
 784         u8 type;
 785         tls_key_exchange keyx;
 786         const struct tls_cipher_suite *suite;
 787
 788         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 789                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 790                                  ct);
 791                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 792                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 793                 return -1;
 794         }
 795
 796         pos = in_data;
 797         left = *in_len;
 798
 799         if (left < 4) {
 800                 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
 801                                  (unsigned long) left);
 802                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 803                                    TLS_ALERT_DECODE_ERROR);
 804                 return -1;
 805         }
 806
 807         type = *pos++;
 808         len = WPA_GET_BE24(pos);
 809         pos += 3;
 810         left -= 4;
 811
 812         if (len > left) {
 813                 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
 814                                  (unsigned long) len, (unsigned long) left);
 815                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 816                                    TLS_ALERT_DECODE_ERROR);
 817                 return -1;
 818         }
 819
 820         end = pos + len;
 821
 822         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 823                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
 824                                  type);
 825                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 826                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 827                 return -1;
 828         }
 829
 830         tlsv1_server_log(conn, "Received ClientKeyExchange");
 831
 832         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 833
 834         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 835         if (suite == NULL)
 836                 keyx = TLS_KEY_X_NULL;
 837         else
 838                 keyx = suite->key_exchange;
 839
 840         if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
 841             tls_process_client_key_exchange_dh(conn, pos, end) < 0)
 842                 return -1;
 843
 844         if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
 845             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 846                 return -1;
 847
 848         *in_len = end - in_data;
 849
 850         conn->state = CERTIFICATE_VERIFY;
 851
 852         return 0;
 853 }
 854
 855
 856 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 857                                           const u8 *in_data, size_t *in_len)
 858 {
 859         const u8 *pos, *end;
 860         size_t left, len;
 861         u8 type;
 862         size_t hlen;
 863         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
 864         u8 alert;
 865
 866         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 867                 if (conn->verify_peer) {
 868                         tlsv1_server_log(conn, "Client did not include CertificateVerify");
 869                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 870                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 871                         return -1;
 872                 }
 873
 874                 return tls_process_change_cipher_spec(conn, ct, in_data,
 875                                                       in_len);
 876         }
 877
 878         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 879                 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
 880                                  ct);
 881                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 882                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 883                 return -1;
 884         }
 885
 886         pos = in_data;
 887         left = *in_len;
 888
 889         if (left < 4) {
 890                 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
 891                                  (unsigned long) left);
 892                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 893                                    TLS_ALERT_DECODE_ERROR);
 894                 return -1;
 895         }
 896
 897         type = *pos++;
 898         len = WPA_GET_BE24(pos);
 899         pos += 3;
 900         left -= 4;
 901
 902         if (len > left) {
 903                 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
 904                                  (unsigned long) len, (unsigned long) left);
 905                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 906                                    TLS_ALERT_DECODE_ERROR);
 907                 return -1;
 908         }
 909
 910         end = pos + len;
 911
 912         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 913                 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
 914                                  type);
 915                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 916                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 917                 return -1;
 918         }
 919
 920         tlsv1_server_log(conn, "Received CertificateVerify");
 921
 922         /*
 923          * struct {
 924          *   Signature signature;
 925          * } CertificateVerify;
 926          */
 927
 928         hpos = hash;
 929
 930 #ifdef CONFIG_TLSV12
 931         if (conn->rl.tls_version == TLS_VERSION_1_2) {
 932                 /*
 933                  * RFC 5246, 4.7:
 934                  * TLS v1.2 adds explicit indication of the used signature and
 935                  * hash algorithms.
 936                  *
 937                  * struct {
 938                  *   HashAlgorithm hash;
 939                  *   SignatureAlgorithm signature;
 940                  * } SignatureAndHashAlgorithm;
 941                  */
 942                 if (end - pos < 2) {
 943                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 944                                            TLS_ALERT_DECODE_ERROR);
 945                         return -1;
 946                 }
 947                 if (pos[0] != TLS_HASH_ALG_SHA256 ||
 948                     pos[1] != TLS_SIGN_ALG_RSA) {
 949                         wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
 950                                    "signature(%u) algorithm",
 951                                    pos[0], pos[1]);
 952                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 953                                            TLS_ALERT_INTERNAL_ERROR);
 954                         return -1;
 955                 }
 956                 pos += 2;
 957
 958                 hlen = SHA256_MAC_LEN;
 959                 if (conn->verify.sha256_cert == NULL ||
 960                     crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
 961                     0) {
 962                         conn->verify.sha256_cert = NULL;
 963                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 964                                            TLS_ALERT_INTERNAL_ERROR);
 965                         return -1;
 966                 }
 967                 conn->verify.sha256_cert = NULL;
 968         } else {
 969 #endif /* CONFIG_TLSV12 */
 970
 971         hlen = MD5_MAC_LEN;
 972         if (conn->verify.md5_cert == NULL ||
 973             crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
 974                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 975                                    TLS_ALERT_INTERNAL_ERROR);
 976                 conn->verify.md5_cert = NULL;
 977                 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 978                 conn->verify.sha1_cert = NULL;
 979                 return -1;
 980         }
 981         hpos += MD5_MAC_LEN;
 982
 983         conn->verify.md5_cert = NULL;
 984         hlen = SHA1_MAC_LEN;
 985         if (conn->verify.sha1_cert == NULL ||
 986             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 987                 conn->verify.sha1_cert = NULL;
 988                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 989                                    TLS_ALERT_INTERNAL_ERROR);
 990                 return -1;
 991         }
 992         conn->verify.sha1_cert = NULL;
 993
 994         hlen += MD5_MAC_LEN;
 995
 996 #ifdef CONFIG_TLSV12
 997         }
 998 #endif /* CONFIG_TLSV12 */
 999
1000         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1001
1002         if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1003                                  hash, hlen, pos, end - pos, &alert) < 0) {
1004                 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1005                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1006                 return -1;
1007         }
1008
1009         *in_len = end - in_data;
1010
1011         conn->state = CHANGE_CIPHER_SPEC;
1012
1013         return 0;
1014 }
1015
1016
1017 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1018                                           u8 ct, const u8 *in_data,
1019                                           size_t *in_len)
1020 {
1021         const u8 *pos;
1022         size_t left;
1023
1024         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1025                 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1026                                  ct);
1027                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1029                 return -1;
1030         }
1031
1032         pos = in_data;
1033         left = *in_len;
1034
1035         if (left < 1) {
1036                 tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1037                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038                                    TLS_ALERT_DECODE_ERROR);
1039                 return -1;
1040         }
1041
1042         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1043                 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1044                                  *pos);
1045                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1046                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1047                 return -1;
1048         }
1049
1050         tlsv1_server_log(conn, "Received ChangeCipherSpec");
1051         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1052                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1053                            "for record layer");
1054                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1055                                    TLS_ALERT_INTERNAL_ERROR);
1056                 return -1;
1057         }
1058
1059         *in_len = pos + 1 - in_data;
1060
1061         conn->state = CLIENT_FINISHED;
1062
1063         return 0;
1064 }
1065
1066
1067 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1068                                        const u8 *in_data, size_t *in_len)
1069 {
1070         const u8 *pos, *end;
1071         size_t left, len, hlen;
1072         u8 verify_data[TLS_VERIFY_DATA_LEN];
1073         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1074
1075 #ifdef CONFIG_TESTING_OPTIONS
1076         if ((conn->test_flags &
1077              (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1078             !conn->test_failure_reported) {
1079                 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1080                 conn->test_failure_reported = 1;
1081         }
1082
1083         if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1084             !conn->test_failure_reported) {
1085                 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1086                 conn->test_failure_reported = 1;
1087         }
1088
1089         if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1090             !conn->test_failure_reported) {
1091                 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1092                 conn->test_failure_reported = 1;
1093         }
1094
1095         if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1096             !conn->test_failure_reported) {
1097                 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1098                 conn->test_failure_reported = 1;
1099         }
1100
1101         if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1102             !conn->test_failure_reported) {
1103                 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1104                 conn->test_failure_reported = 1;
1105         }
1106
1107         if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1108             !conn->test_failure_reported) {
1109                 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1110                 conn->test_failure_reported = 1;
1111         }
1112 #endif /* CONFIG_TESTING_OPTIONS */
1113
1114         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1115                 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1116                                  ct);
1117                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1118                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1119                 return -1;
1120         }
1121
1122         pos = in_data;
1123         left = *in_len;
1124
1125         if (left < 4) {
1126                 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1127                                  (unsigned long) left);
1128                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1129                                    TLS_ALERT_DECODE_ERROR);
1130                 return -1;
1131         }
1132
1133         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1134                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1135                            "type 0x%x", pos[0]);
1136                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1137                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1138                 return -1;
1139         }
1140
1141         len = WPA_GET_BE24(pos + 1);
1142
1143         pos += 4;
1144         left -= 4;
1145
1146         if (len > left) {
1147                 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1148                                  (unsigned long) len, (unsigned long) left);
1149                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1150                                    TLS_ALERT_DECODE_ERROR);
1151                 return -1;
1152         }
1153         end = pos + len;
1154         if (len != TLS_VERIFY_DATA_LEN) {
1155                 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1156                                  (unsigned long) len, TLS_VERIFY_DATA_LEN);
1157                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158                                    TLS_ALERT_DECODE_ERROR);
1159                 return -1;
1160         }
1161         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1162                     pos, TLS_VERIFY_DATA_LEN);
1163
1164 #ifdef CONFIG_TLSV12
1165         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1166                 hlen = SHA256_MAC_LEN;
1167                 if (conn->verify.sha256_client == NULL ||
1168                     crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1169                     < 0) {
1170                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171                                            TLS_ALERT_INTERNAL_ERROR);
1172                         conn->verify.sha256_client = NULL;
1173                         return -1;
1174                 }
1175                 conn->verify.sha256_client = NULL;
1176         } else {
1177 #endif /* CONFIG_TLSV12 */
1178
1179         hlen = MD5_MAC_LEN;
1180         if (conn->verify.md5_client == NULL ||
1181             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1182                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1183                                    TLS_ALERT_INTERNAL_ERROR);
1184                 conn->verify.md5_client = NULL;
1185                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1186                 conn->verify.sha1_client = NULL;
1187                 return -1;
1188         }
1189         conn->verify.md5_client = NULL;
1190         hlen = SHA1_MAC_LEN;
1191         if (conn->verify.sha1_client == NULL ||
1192             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1193                                &hlen) < 0) {
1194                 conn->verify.sha1_client = NULL;
1195                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1196                                    TLS_ALERT_INTERNAL_ERROR);
1197                 return -1;
1198         }
1199         conn->verify.sha1_client = NULL;
1200         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1201
1202 #ifdef CONFIG_TLSV12
1203         }
1204 #endif /* CONFIG_TLSV12 */
1205
1206         if (tls_prf(conn->rl.tls_version,
1207                     conn->master_secret, TLS_MASTER_SECRET_LEN,
1208                     "client finished", hash, hlen,
1209                     verify_data, TLS_VERIFY_DATA_LEN)) {
1210                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1211                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1212                                    TLS_ALERT_DECRYPT_ERROR);
1213                 return -1;
1214         }
1215         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1216                         verify_data, TLS_VERIFY_DATA_LEN);
1217
1218         if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1219                 tlsv1_server_log(conn, "Mismatch in verify_data");
1220                 return -1;
1221         }
1222
1223         tlsv1_server_log(conn, "Received Finished");
1224
1225         *in_len = end - in_data;
1226
1227         if (conn->use_session_ticket) {
1228                 /* Abbreviated handshake using session ticket; RFC 4507 */
1229                 tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1230                 conn->state = ESTABLISHED;
1231         } else {
1232                 /* Full handshake */
1233                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1234         }
1235
1236         return 0;
1237 }
1238
1239
1240 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1241                                    const u8 *buf, size_t *len)
1242 {
1243         if (ct == TLS_CONTENT_TYPE_ALERT) {
1244                 if (*len < 2) {
1245                         tlsv1_server_log(conn, "Alert underflow");
1246                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1247                                            TLS_ALERT_DECODE_ERROR);
1248                         return -1;
1249                 }
1250                 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1251                 *len = 2;
1252                 conn->state = FAILED;
1253                 return -1;
1254         }
1255
1256         switch (conn->state) {
1257         case CLIENT_HELLO:
1258                 if (tls_process_client_hello(conn, ct, buf, len))
1259                         return -1;
1260                 break;
1261         case CLIENT_CERTIFICATE:
1262                 if (tls_process_certificate(conn, ct, buf, len))
1263                         return -1;
1264                 break;
1265         case CLIENT_KEY_EXCHANGE:
1266                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1267                         return -1;
1268                 break;
1269         case CERTIFICATE_VERIFY:
1270                 if (tls_process_certificate_verify(conn, ct, buf, len))
1271                         return -1;
1272                 break;
1273         case CHANGE_CIPHER_SPEC:
1274                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1275                         return -1;
1276                 break;
1277         case CLIENT_FINISHED:
1278                 if (tls_process_client_finished(conn, ct, buf, len))
1279                         return -1;
1280                 break;
1281         default:
1282                 tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1283                                  conn->state);
1284                 return -1;
1285         }
1286
1287         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1288                 tls_verify_hash_add(&conn->verify, buf, *len);
1289
1290         return 0;
1291 }