1/* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "x509v3.h" 17#include "tlsv1_common.h" 18#include "tlsv1_record.h" 19#include "tlsv1_server.h" 20#include "tlsv1_server_i.h" 21 22 23static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 30static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 31 const u8 *in_data, size_t *in_len) 32{ 33 const u8 *pos, *end, *c; 34 size_t left, len, i, j; 35 u16 cipher_suite; 36 u16 num_suites; 37 int compr_null_found; 38 u16 ext_type, ext_len; 39 40 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 41 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 42 "received content type 0x%x", ct); 43 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 44 TLS_ALERT_UNEXPECTED_MESSAGE); 45 return -1; 46 } 47 48 pos = in_data; 49 left = *in_len; 50 51 if (left < 4) 52 goto decode_error; 53 54 /* HandshakeType msg_type */ 55 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 56 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 57 "message %d (expected ClientHello)", *pos); 58 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 59 TLS_ALERT_UNEXPECTED_MESSAGE); 60 return -1; 61 } 62 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 63 pos++; 64 /* uint24 length */ 65 len = WPA_GET_BE24(pos); 66 pos += 3; 67 left -= 4; 68 69 if (len > left) 70 goto decode_error; 71 72 /* body - ClientHello */ 73 74 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 75 end = pos + len; 76 77 /* ProtocolVersion client_version */ 78 if (end - pos < 2) 79 goto decode_error; 80 conn->client_version = WPA_GET_BE16(pos); 81 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 82 conn->client_version >> 8, conn->client_version & 0xff); 83 if (conn->client_version < TLS_VERSION_1) { 84 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 85 "ClientHello %u.%u", 86 conn->client_version >> 8, 87 conn->client_version & 0xff); 88 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 89 TLS_ALERT_PROTOCOL_VERSION); 90 return -1; 91 } 92 pos += 2; 93 94 if (TLS_VERSION == TLS_VERSION_1) 95 conn->rl.tls_version = TLS_VERSION_1; 96#ifdef CONFIG_TLSV12 97 else if (conn->client_version >= TLS_VERSION_1_2) 98 conn->rl.tls_version = TLS_VERSION_1_2; 99#endif /* CONFIG_TLSV12 */ 100 else if (conn->client_version > TLS_VERSION_1_1) 101 conn->rl.tls_version = TLS_VERSION_1_1; 102 else 103 conn->rl.tls_version = conn->client_version; 104 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 105 tls_version_str(conn->rl.tls_version)); 106 107 /* Random random */ 108 if (end - pos < TLS_RANDOM_LEN) 109 goto decode_error; 110 111 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 112 pos += TLS_RANDOM_LEN; 113 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 114 conn->client_random, TLS_RANDOM_LEN); 115 116 /* SessionID session_id */ 117 if (end - pos < 1) 118 goto decode_error; 119 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 120 goto decode_error; 121 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 122 pos += 1 + *pos; 123 /* TODO: add support for session resumption */ 124 125 /* CipherSuite cipher_suites<2..2^16-1> */ 126 if (end - pos < 2) 127 goto decode_error; 128 num_suites = WPA_GET_BE16(pos); 129 pos += 2; 130 if (end - pos < num_suites) 131 goto decode_error; 132 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 133 pos, num_suites); 134 if (num_suites & 1) 135 goto decode_error; 136 num_suites /= 2; 137 138 cipher_suite = 0; 139 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 140 c = pos; 141 for (j = 0; j < num_suites; j++) { 142 u16 tmp = WPA_GET_BE16(c); 143 c += 2; 144 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 145 cipher_suite = tmp; 146 break; 147 } 148 } 149 } 150 pos += num_suites * 2; 151 if (!cipher_suite) { 152 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 153 "available"); 154 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 155 TLS_ALERT_ILLEGAL_PARAMETER); 156 return -1; 157 } 158 159 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 160 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 161 "record layer"); 162 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 163 TLS_ALERT_INTERNAL_ERROR); 164 return -1; 165 } 166 167 conn->cipher_suite = cipher_suite; 168 169 /* CompressionMethod compression_methods<1..2^8-1> */ 170 if (end - pos < 1) 171 goto decode_error; 172 num_suites = *pos++; 173 if (end - pos < num_suites) 174 goto decode_error; 175 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 176 pos, num_suites); 177 compr_null_found = 0; 178 for (i = 0; i < num_suites; i++) { 179 if (*pos++ == TLS_COMPRESSION_NULL) 180 compr_null_found = 1; 181 } 182 if (!compr_null_found) { 183 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 184 "compression"); 185 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 186 TLS_ALERT_ILLEGAL_PARAMETER); 187 return -1; 188 } 189 190 if (end - pos == 1) { 191 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 192 "end of ClientHello: 0x%02x", *pos); 193 goto decode_error; 194 } 195 196 if (end - pos >= 2) { 197 /* Extension client_hello_extension_list<0..2^16-1> */ 198 ext_len = WPA_GET_BE16(pos); 199 pos += 2; 200 201 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 202 "extensions", ext_len); 203 if (end - pos != ext_len) { 204 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 205 "extension list length %u (expected %u)", 206 ext_len, (unsigned int) (end - pos)); 207 goto decode_error; 208 } 209 210 /* 211 * struct { 212 * ExtensionType extension_type (0..65535) 213 * opaque extension_data<0..2^16-1> 214 * } Extension; 215 */ 216 217 while (pos < end) { 218 if (end - pos < 2) { 219 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 220 "extension_type field"); 221 goto decode_error; 222 } 223 224 ext_type = WPA_GET_BE16(pos); 225 pos += 2; 226 227 if (end - pos < 2) { 228 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 229 "extension_data length field"); 230 goto decode_error; 231 } 232 233 ext_len = WPA_GET_BE16(pos); 234 pos += 2; 235 236 if (end - pos < ext_len) { 237 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 238 "extension_data field"); 239 goto decode_error; 240 } 241 242 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 243 "type %u", ext_type); 244 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 245 "Extension data", pos, ext_len); 246 247 if (ext_type == TLS_EXT_SESSION_TICKET) { 248 os_free(conn->session_ticket); 249 conn->session_ticket = os_malloc(ext_len); 250 if (conn->session_ticket) { 251 os_memcpy(conn->session_ticket, pos, 252 ext_len); 253 conn->session_ticket_len = ext_len; 254 } 255 } 256 257 pos += ext_len; 258 } 259 } 260 261 *in_len = end - in_data; 262 263 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 264 "ServerHello"); 265 conn->state = SERVER_HELLO; 266 267 return 0; 268 269decode_error: 270 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 271 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 272 TLS_ALERT_DECODE_ERROR); 273 return -1; 274} 275 276 277static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 278 const u8 *in_data, size_t *in_len) 279{ 280 const u8 *pos, *end; 281 size_t left, len, list_len, cert_len, idx; 282 u8 type; 283 struct x509_certificate *chain = NULL, *last = NULL, *cert; 284 int reason; 285 286 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 287 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 288 "received content type 0x%x", ct); 289 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 290 TLS_ALERT_UNEXPECTED_MESSAGE); 291 return -1; 292 } 293 294 pos = in_data; 295 left = *in_len; 296 297 if (left < 4) { 298 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 299 "(len=%lu)", (unsigned long) left); 300 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 301 TLS_ALERT_DECODE_ERROR); 302 return -1; 303 } 304 305 type = *pos++; 306 len = WPA_GET_BE24(pos); 307 pos += 3; 308 left -= 4; 309 310 if (len > left) { 311 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 312 "length (len=%lu != left=%lu)", 313 (unsigned long) len, (unsigned long) left); 314 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 315 TLS_ALERT_DECODE_ERROR); 316 return -1; 317 } 318 319 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 320 if (conn->verify_peer) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 322 "Certificate"); 323 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 324 TLS_ALERT_UNEXPECTED_MESSAGE); 325 return -1; 326 } 327 328 return tls_process_client_key_exchange(conn, ct, in_data, 329 in_len); 330 } 331 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 332 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 333 "message %d (expected Certificate/" 334 "ClientKeyExchange)", type); 335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 336 TLS_ALERT_UNEXPECTED_MESSAGE); 337 return -1; 338 } 339 340 wpa_printf(MSG_DEBUG, 341 "TLSv1: Received Certificate (certificate_list len %lu)", 342 (unsigned long) len); 343 344 /* 345 * opaque ASN.1Cert<2^24-1>; 346 * 347 * struct { 348 * ASN.1Cert certificate_list<1..2^24-1>; 349 * } Certificate; 350 */ 351 352 end = pos + len; 353 354 if (end - pos < 3) { 355 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 356 "(left=%lu)", (unsigned long) left); 357 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 358 TLS_ALERT_DECODE_ERROR); 359 return -1; 360 } 361 362 list_len = WPA_GET_BE24(pos); 363 pos += 3; 364 365 if ((size_t) (end - pos) != list_len) { 366 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 367 "length (len=%lu left=%lu)", 368 (unsigned long) list_len, 369 (unsigned long) (end - pos)); 370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 371 TLS_ALERT_DECODE_ERROR); 372 return -1; 373 } 374 375 idx = 0; 376 while (pos < end) { 377 if (end - pos < 3) { 378 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 379 "certificate_list"); 380 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 381 TLS_ALERT_DECODE_ERROR); 382 x509_certificate_chain_free(chain); 383 return -1; 384 } 385 386 cert_len = WPA_GET_BE24(pos); 387 pos += 3; 388 389 if ((size_t) (end - pos) < cert_len) { 390 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 391 "length (len=%lu left=%lu)", 392 (unsigned long) cert_len, 393 (unsigned long) (end - pos)); 394 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 395 TLS_ALERT_DECODE_ERROR); 396 x509_certificate_chain_free(chain); 397 return -1; 398 } 399 400 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 401 (unsigned long) idx, (unsigned long) cert_len); 402 403 if (idx == 0) { 404 crypto_public_key_free(conn->client_rsa_key); 405 if (tls_parse_cert(pos, cert_len, 406 &conn->client_rsa_key)) { 407 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 408 "the certificate"); 409 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 410 TLS_ALERT_BAD_CERTIFICATE); 411 x509_certificate_chain_free(chain); 412 return -1; 413 } 414 } 415 416 cert = x509_certificate_parse(pos, cert_len); 417 if (cert == NULL) { 418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 419 "the certificate"); 420 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 421 TLS_ALERT_BAD_CERTIFICATE); 422 x509_certificate_chain_free(chain); 423 return -1; 424 } 425 426 if (last == NULL) 427 chain = cert; 428 else 429 last->next = cert; 430 last = cert; 431 432 idx++; 433 pos += cert_len; 434 } 435 436 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 437 &reason, 0) < 0) { 438 int tls_reason; 439 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 440 "validation failed (reason=%d)", reason); 441 switch (reason) { 442 case X509_VALIDATE_BAD_CERTIFICATE: 443 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 444 break; 445 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 446 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 447 break; 448 case X509_VALIDATE_CERTIFICATE_REVOKED: 449 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 450 break; 451 case X509_VALIDATE_CERTIFICATE_EXPIRED: 452 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 453 break; 454 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 455 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 456 break; 457 case X509_VALIDATE_UNKNOWN_CA: 458 tls_reason = TLS_ALERT_UNKNOWN_CA; 459 break; 460 default: 461 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 462 break; 463 } 464 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 465 x509_certificate_chain_free(chain); 466 return -1; 467 } 468 469 x509_certificate_chain_free(chain); 470 471 *in_len = end - in_data; 472 473 conn->state = CLIENT_KEY_EXCHANGE; 474 475 return 0; 476} 477 478 479static int tls_process_client_key_exchange_rsa( 480 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 481{ 482 u8 *out; 483 size_t outlen, outbuflen; 484 u16 encr_len; 485 int res; 486 int use_random = 0; 487 488 if (end - pos < 2) { 489 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 490 TLS_ALERT_DECODE_ERROR); 491 return -1; 492 } 493 494 encr_len = WPA_GET_BE16(pos); 495 pos += 2; 496 if (pos + encr_len > end) { 497 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange " 498 "format: encr_len=%u left=%u", 499 encr_len, (unsigned int) (end - pos)); 500 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 501 TLS_ALERT_DECODE_ERROR); 502 return -1; 503 } 504 505 outbuflen = outlen = end - pos; 506 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 507 outlen : TLS_PRE_MASTER_SECRET_LEN); 508 if (out == NULL) { 509 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 510 TLS_ALERT_INTERNAL_ERROR); 511 return -1; 512 } 513 514 /* 515 * struct { 516 * ProtocolVersion client_version; 517 * opaque random[46]; 518 * } PreMasterSecret; 519 * 520 * struct { 521 * public-key-encrypted PreMasterSecret pre_master_secret; 522 * } EncryptedPreMasterSecret; 523 */ 524 525 /* 526 * Note: To avoid Bleichenbacher attack, we do not report decryption or 527 * parsing errors from EncryptedPreMasterSecret processing to the 528 * client. Instead, a random pre-master secret is used to force the 529 * handshake to fail. 530 */ 531 532 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 533 pos, encr_len, 534 out, &outlen) < 0) { 535 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 536 "PreMasterSecret (encr_len=%u outlen=%lu)", 537 encr_len, (unsigned long) outlen); 538 use_random = 1; 539 } 540 541 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 542 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 543 "length %lu", (unsigned long) outlen); 544 use_random = 1; 545 } 546 547 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 548 wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 549 "ClientKeyExchange does not match with version in " 550 "ClientHello"); 551 use_random = 1; 552 } 553 554 if (use_random) { 555 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 556 "to avoid revealing information about private key"); 557 outlen = TLS_PRE_MASTER_SECRET_LEN; 558 if (os_get_random(out, outlen)) { 559 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 560 "data"); 561 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 562 TLS_ALERT_INTERNAL_ERROR); 563 os_free(out); 564 return -1; 565 } 566 } 567 568 res = tlsv1_server_derive_keys(conn, out, outlen); 569 570 /* Clear the pre-master secret since it is not needed anymore */ 571 os_memset(out, 0, outbuflen); 572 os_free(out); 573 574 if (res) { 575 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 576 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 577 TLS_ALERT_INTERNAL_ERROR); 578 return -1; 579 } 580 581 return 0; 582} 583 584 585static int tls_process_client_key_exchange_dh_anon( 586 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 587{ 588 const u8 *dh_yc; 589 u16 dh_yc_len; 590 u8 *shared; 591 size_t shared_len; 592 int res; 593 594 /* 595 * struct { 596 * select (PublicValueEncoding) { 597 * case implicit: struct { }; 598 * case explicit: opaque dh_Yc<1..2^16-1>; 599 * } dh_public; 600 * } ClientDiffieHellmanPublic; 601 */ 602 603 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 604 pos, end - pos); 605 606 if (end == pos) { 607 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 608 "not supported"); 609 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 610 TLS_ALERT_INTERNAL_ERROR); 611 return -1; 612 } 613 614 if (end - pos < 3) { 615 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 616 "length"); 617 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 618 TLS_ALERT_DECODE_ERROR); 619 return -1; 620 } 621 622 dh_yc_len = WPA_GET_BE16(pos); 623 dh_yc = pos + 2; 624 625 if (dh_yc + dh_yc_len > end) { 626 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 627 "(length %d)", dh_yc_len); 628 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 629 TLS_ALERT_DECODE_ERROR); 630 return -1; 631 } 632 633 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 634 dh_yc, dh_yc_len); 635 636 if (conn->cred == NULL || conn->cred->dh_p == NULL || 637 conn->dh_secret == NULL) { 638 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 639 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 640 TLS_ALERT_INTERNAL_ERROR); 641 return -1; 642 } 643 644 shared_len = conn->cred->dh_p_len; 645 shared = os_malloc(shared_len); 646 if (shared == NULL) { 647 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 648 "DH"); 649 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 650 TLS_ALERT_INTERNAL_ERROR); 651 return -1; 652 } 653 654 /* shared = Yc^secret mod p */ 655 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 656 conn->dh_secret_len, 657 conn->cred->dh_p, conn->cred->dh_p_len, 658 shared, &shared_len)) { 659 os_free(shared); 660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 661 TLS_ALERT_INTERNAL_ERROR); 662 return -1; 663 } 664 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 665 shared, shared_len); 666 667 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 668 os_free(conn->dh_secret); 669 conn->dh_secret = NULL; 670 671 res = tlsv1_server_derive_keys(conn, shared, shared_len); 672 673 /* Clear the pre-master secret since it is not needed anymore */ 674 os_memset(shared, 0, shared_len); 675 os_free(shared); 676 677 if (res) { 678 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 679 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 680 TLS_ALERT_INTERNAL_ERROR); 681 return -1; 682 } 683 684 return 0; 685} 686 687 688static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 689 const u8 *in_data, size_t *in_len) 690{ 691 const u8 *pos, *end; 692 size_t left, len; 693 u8 type; 694 tls_key_exchange keyx; 695 const struct tls_cipher_suite *suite; 696 697 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 698 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 699 "received content type 0x%x", ct); 700 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 701 TLS_ALERT_UNEXPECTED_MESSAGE); 702 return -1; 703 } 704 705 pos = in_data; 706 left = *in_len; 707 708 if (left < 4) { 709 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 710 "(Left=%lu)", (unsigned long) left); 711 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 712 TLS_ALERT_DECODE_ERROR); 713 return -1; 714 } 715 716 type = *pos++; 717 len = WPA_GET_BE24(pos); 718 pos += 3; 719 left -= 4; 720 721 if (len > left) { 722 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 723 "length (len=%lu != left=%lu)", 724 (unsigned long) len, (unsigned long) left); 725 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 726 TLS_ALERT_DECODE_ERROR); 727 return -1; 728 } 729 730 end = pos + len; 731 732 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 733 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 734 "message %d (expected ClientKeyExchange)", type); 735 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 736 TLS_ALERT_UNEXPECTED_MESSAGE); 737 return -1; 738 } 739 740 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 741 742 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 743 744 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 745 if (suite == NULL) 746 keyx = TLS_KEY_X_NULL; 747 else 748 keyx = suite->key_exchange; 749 750 if (keyx == TLS_KEY_X_DH_anon && 751 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 752 return -1; 753 754 if (keyx != TLS_KEY_X_DH_anon && 755 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 756 return -1; 757 758 *in_len = end - in_data; 759 760 conn->state = CERTIFICATE_VERIFY; 761 762 return 0; 763} 764 765 766static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 767 const u8 *in_data, size_t *in_len) 768{ 769 const u8 *pos, *end; 770 size_t left, len; 771 u8 type; 772 size_t hlen, buflen; 773 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 774 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 775 u16 slen; 776 777 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 778 if (conn->verify_peer) { 779 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 780 "CertificateVerify"); 781 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 782 TLS_ALERT_UNEXPECTED_MESSAGE); 783 return -1; 784 } 785 786 return tls_process_change_cipher_spec(conn, ct, in_data, 787 in_len); 788 } 789 790 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 791 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 792 "received content type 0x%x", ct); 793 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 794 TLS_ALERT_UNEXPECTED_MESSAGE); 795 return -1; 796 } 797 798 pos = in_data; 799 left = *in_len; 800 801 if (left < 4) { 802 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 803 "message (len=%lu)", (unsigned long) left); 804 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 805 TLS_ALERT_DECODE_ERROR); 806 return -1; 807 } 808 809 type = *pos++; 810 len = WPA_GET_BE24(pos); 811 pos += 3; 812 left -= 4; 813 814 if (len > left) { 815 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 816 "message length (len=%lu != left=%lu)", 817 (unsigned long) len, (unsigned long) left); 818 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 819 TLS_ALERT_DECODE_ERROR); 820 return -1; 821 } 822 823 end = pos + len; 824 825 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 826 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 827 "message %d (expected CertificateVerify)", type); 828 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 829 TLS_ALERT_UNEXPECTED_MESSAGE); 830 return -1; 831 } 832 833 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 834 835 /* 836 * struct { 837 * Signature signature; 838 * } CertificateVerify; 839 */ 840 841 hpos = hash; 842 843#ifdef CONFIG_TLSV12 844 if (conn->rl.tls_version == TLS_VERSION_1_2) { 845 /* 846 * RFC 5246, 4.7: 847 * TLS v1.2 adds explicit indication of the used signature and 848 * hash algorithms. 849 * 850 * struct { 851 * HashAlgorithm hash; 852 * SignatureAlgorithm signature; 853 * } SignatureAndHashAlgorithm; 854 */ 855 if (end - pos < 2) { 856 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 857 TLS_ALERT_DECODE_ERROR); 858 return -1; 859 } 860 if (pos[0] != TLS_HASH_ALG_SHA256 || 861 pos[1] != TLS_SIGN_ALG_RSA) { 862 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 863 "signature(%u) algorithm", 864 pos[0], pos[1]); 865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 866 TLS_ALERT_INTERNAL_ERROR); 867 return -1; 868 } 869 pos += 2; 870 871 hlen = SHA256_MAC_LEN; 872 if (conn->verify.sha256_cert == NULL || 873 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 874 0) { 875 conn->verify.sha256_cert = NULL; 876 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 877 TLS_ALERT_INTERNAL_ERROR); 878 return -1; 879 } 880 conn->verify.sha256_cert = NULL; 881 } else { 882#endif /* CONFIG_TLSV12 */ 883 884 if (alg == SIGN_ALG_RSA) { 885 hlen = MD5_MAC_LEN; 886 if (conn->verify.md5_cert == NULL || 887 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 888 { 889 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 890 TLS_ALERT_INTERNAL_ERROR); 891 conn->verify.md5_cert = NULL; 892 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 893 conn->verify.sha1_cert = NULL; 894 return -1; 895 } 896 hpos += MD5_MAC_LEN; 897 } else 898 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 899 900 conn->verify.md5_cert = NULL; 901 hlen = SHA1_MAC_LEN; 902 if (conn->verify.sha1_cert == NULL || 903 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 904 conn->verify.sha1_cert = NULL; 905 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 906 TLS_ALERT_INTERNAL_ERROR); 907 return -1; 908 } 909 conn->verify.sha1_cert = NULL; 910 911 if (alg == SIGN_ALG_RSA) 912 hlen += MD5_MAC_LEN; 913 914#ifdef CONFIG_TLSV12 915 } 916#endif /* CONFIG_TLSV12 */ 917 918 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 919 920 if (end - pos < 2) { 921 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 922 TLS_ALERT_DECODE_ERROR); 923 return -1; 924 } 925 slen = WPA_GET_BE16(pos); 926 pos += 2; 927 if (end - pos < slen) { 928 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 929 TLS_ALERT_DECODE_ERROR); 930 return -1; 931 } 932 933 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 934 if (conn->client_rsa_key == NULL) { 935 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 936 "signature"); 937 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 938 TLS_ALERT_INTERNAL_ERROR); 939 return -1; 940 } 941 942 buflen = end - pos; 943 buf = os_malloc(end - pos); 944 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 945 pos, end - pos, buf, &buflen) < 0) 946 { 947 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 948 os_free(buf); 949 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 950 TLS_ALERT_DECRYPT_ERROR); 951 return -1; 952 } 953 954 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 955 buf, buflen); 956 957#ifdef CONFIG_TLSV12 958 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 959 /* 960 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 961 * 962 * DigestInfo ::= SEQUENCE { 963 * digestAlgorithm DigestAlgorithm, 964 * digest OCTET STRING 965 * } 966 * 967 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 968 * 969 * DER encoded DigestInfo for SHA256 per RFC 3447: 970 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 971 * H 972 */ 973 if (buflen >= 19 + 32 && 974 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01" 975 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0) 976 { 977 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = " 978 "SHA-256"); 979 os_memmove(buf, buf + 19, buflen - 19); 980 buflen -= 19; 981 } else { 982 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized " 983 "DigestInfo"); 984 os_free(buf); 985 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 986 TLS_ALERT_DECRYPT_ERROR); 987 return -1; 988 } 989 } 990#endif /* CONFIG_TLSV12 */ 991 992 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 993 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 994 "CertificateVerify - did not match with calculated " 995 "hash"); 996 os_free(buf); 997 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 998 TLS_ALERT_DECRYPT_ERROR); 999 return -1; 1000 } 1001 1002 os_free(buf); 1003 1004 *in_len = end - in_data; 1005 1006 conn->state = CHANGE_CIPHER_SPEC; 1007 1008 return 0; 1009} 1010 1011 1012static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 1013 u8 ct, const u8 *in_data, 1014 size_t *in_len) 1015{ 1016 const u8 *pos; 1017 size_t left; 1018 1019 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1020 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1021 "received content type 0x%x", ct); 1022 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1023 TLS_ALERT_UNEXPECTED_MESSAGE); 1024 return -1; 1025 } 1026 1027 pos = in_data; 1028 left = *in_len; 1029 1030 if (left < 1) { 1031 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 1032 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1033 TLS_ALERT_DECODE_ERROR); 1034 return -1; 1035 } 1036 1037 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1038 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1039 "received data 0x%x", *pos); 1040 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1041 TLS_ALERT_UNEXPECTED_MESSAGE); 1042 return -1; 1043 } 1044 1045 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 1046 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1047 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1048 "for record layer"); 1049 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1050 TLS_ALERT_INTERNAL_ERROR); 1051 return -1; 1052 } 1053 1054 *in_len = pos + 1 - in_data; 1055 1056 conn->state = CLIENT_FINISHED; 1057 1058 return 0; 1059} 1060 1061 1062static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 1063 const u8 *in_data, size_t *in_len) 1064{ 1065 const u8 *pos, *end; 1066 size_t left, len, hlen; 1067 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1068 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1069 1070 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1071 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 1072 "received content type 0x%x", ct); 1073 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1074 TLS_ALERT_UNEXPECTED_MESSAGE); 1075 return -1; 1076 } 1077 1078 pos = in_data; 1079 left = *in_len; 1080 1081 if (left < 4) { 1082 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 1083 "Finished", 1084 (unsigned long) left); 1085 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1086 TLS_ALERT_DECODE_ERROR); 1087 return -1; 1088 } 1089 1090 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1091 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1092 "type 0x%x", pos[0]); 1093 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1094 TLS_ALERT_UNEXPECTED_MESSAGE); 1095 return -1; 1096 } 1097 1098 len = WPA_GET_BE24(pos + 1); 1099 1100 pos += 4; 1101 left -= 4; 1102 1103 if (len > left) { 1104 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1105 "(len=%lu > left=%lu)", 1106 (unsigned long) len, (unsigned long) left); 1107 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1108 TLS_ALERT_DECODE_ERROR); 1109 return -1; 1110 } 1111 end = pos + len; 1112 if (len != TLS_VERIFY_DATA_LEN) { 1113 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1114 "in Finished: %lu (expected %d)", 1115 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1116 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1117 TLS_ALERT_DECODE_ERROR); 1118 return -1; 1119 } 1120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1121 pos, TLS_VERIFY_DATA_LEN); 1122 1123#ifdef CONFIG_TLSV12 1124 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1125 hlen = SHA256_MAC_LEN; 1126 if (conn->verify.sha256_client == NULL || 1127 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1128 < 0) { 1129 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1130 TLS_ALERT_INTERNAL_ERROR); 1131 conn->verify.sha256_client = NULL; 1132 return -1; 1133 } 1134 conn->verify.sha256_client = NULL; 1135 } else { 1136#endif /* CONFIG_TLSV12 */ 1137 1138 hlen = MD5_MAC_LEN; 1139 if (conn->verify.md5_client == NULL || 1140 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1141 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1142 TLS_ALERT_INTERNAL_ERROR); 1143 conn->verify.md5_client = NULL; 1144 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1145 conn->verify.sha1_client = NULL; 1146 return -1; 1147 } 1148 conn->verify.md5_client = NULL; 1149 hlen = SHA1_MAC_LEN; 1150 if (conn->verify.sha1_client == NULL || 1151 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1152 &hlen) < 0) { 1153 conn->verify.sha1_client = NULL; 1154 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1155 TLS_ALERT_INTERNAL_ERROR); 1156 return -1; 1157 } 1158 conn->verify.sha1_client = NULL; 1159 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1160 1161#ifdef CONFIG_TLSV12 1162 } 1163#endif /* CONFIG_TLSV12 */ 1164 1165 if (tls_prf(conn->rl.tls_version, 1166 conn->master_secret, TLS_MASTER_SECRET_LEN, 1167 "client finished", hash, hlen, 1168 verify_data, TLS_VERIFY_DATA_LEN)) { 1169 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1170 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1171 TLS_ALERT_DECRYPT_ERROR); 1172 return -1; 1173 } 1174 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1175 verify_data, TLS_VERIFY_DATA_LEN); 1176 1177 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1178 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1179 return -1; 1180 } 1181 1182 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1183 1184 *in_len = end - in_data; 1185 1186 if (conn->use_session_ticket) { 1187 /* Abbreviated handshake using session ticket; RFC 4507 */ 1188 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 1189 "successfully"); 1190 conn->state = ESTABLISHED; 1191 } else { 1192 /* Full handshake */ 1193 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1194 } 1195 1196 return 0; 1197} 1198 1199 1200int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1201 const u8 *buf, size_t *len) 1202{ 1203 if (ct == TLS_CONTENT_TYPE_ALERT) { 1204 if (*len < 2) { 1205 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1206 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1207 TLS_ALERT_DECODE_ERROR); 1208 return -1; 1209 } 1210 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1211 buf[0], buf[1]); 1212 *len = 2; 1213 conn->state = FAILED; 1214 return -1; 1215 } 1216 1217 switch (conn->state) { 1218 case CLIENT_HELLO: 1219 if (tls_process_client_hello(conn, ct, buf, len)) 1220 return -1; 1221 break; 1222 case CLIENT_CERTIFICATE: 1223 if (tls_process_certificate(conn, ct, buf, len)) 1224 return -1; 1225 break; 1226 case CLIENT_KEY_EXCHANGE: 1227 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1228 return -1; 1229 break; 1230 case CERTIFICATE_VERIFY: 1231 if (tls_process_certificate_verify(conn, ct, buf, len)) 1232 return -1; 1233 break; 1234 case CHANGE_CIPHER_SPEC: 1235 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1236 return -1; 1237 break; 1238 case CLIENT_FINISHED: 1239 if (tls_process_client_finished(conn, ct, buf, len)) 1240 return -1; 1241 break; 1242 default: 1243 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1244 "while processing received message", 1245 conn->state); 1246 return -1; 1247 } 1248 1249 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1250 tls_verify_hash_add(&conn->verify, buf, *len); 1251 1252 return 0; 1253} 1254