1/* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "x509v3.h" 17#include "tlsv1_common.h" 18#include "tlsv1_record.h" 19#include "tlsv1_server.h" 20#include "tlsv1_server_i.h" 21 22 23static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 30static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 31{ 32#ifdef CONFIG_TESTING_OPTIONS 33 if ((conn->test_flags & 34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE | 35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 | 36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) && 37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 42 return 1; 43#endif /* CONFIG_TESTING_OPTIONS */ 44 45 return 0; 46} 47 48 49static void tls_process_status_request_item(struct tlsv1_server *conn, 50 const u8 *req, size_t req_len) 51{ 52 const u8 *pos, *end; 53 u8 status_type; 54 55 pos = req; 56 end = req + req_len; 57 58 /* 59 * RFC 6961, 2.2: 60 * struct { 61 * CertificateStatusType status_type; 62 * uint16 request_length; 63 * select (status_type) { 64 * case ocsp: OCSPStatusRequest; 65 * case ocsp_multi: OCSPStatusRequest; 66 * } request; 67 * } CertificateStatusRequestItemV2; 68 * 69 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType; 70 */ 71 72 if (end - pos < 1) 73 return; /* Truncated data */ 74 75 status_type = *pos++; 76 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type); 77 if (status_type != 1 && status_type != 2) 78 return; /* Unsupported status type */ 79 /* 80 * For now, only OCSP stapling is supported, so ignore the specific 81 * request, if any. 82 */ 83 wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos); 84 85 if (status_type == 2) 86 conn->status_request_multi = 1; 87} 88 89 90static void tls_process_status_request_v2(struct tlsv1_server *conn, 91 const u8 *ext, size_t ext_len) 92{ 93 const u8 *pos, *end; 94 95 conn->status_request_v2 = 1; 96 97 pos = ext; 98 end = ext + ext_len; 99 100 /* 101 * RFC 6961, 2.2: 102 * struct { 103 * CertificateStatusRequestItemV2 104 * certificate_status_req_list<1..2^16-1>; 105 * } CertificateStatusRequestListV2; 106 */ 107 108 while (end - pos >= 2) { 109 u16 len; 110 111 len = WPA_GET_BE16(pos); 112 pos += 2; 113 if (len > end - pos) 114 break; /* Truncated data */ 115 tls_process_status_request_item(conn, pos, len); 116 pos += len; 117 } 118} 119 120 121static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 122 const u8 *in_data, size_t *in_len) 123{ 124 const u8 *pos, *end, *c; 125 size_t left, len, i, j; 126 u16 cipher_suite; 127 u16 num_suites; 128 int compr_null_found; 129 u16 ext_type, ext_len; 130 131 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 132 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 133 ct); 134 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 135 TLS_ALERT_UNEXPECTED_MESSAGE); 136 return -1; 137 } 138 139 pos = in_data; 140 left = *in_len; 141 142 if (left < 4) 143 goto decode_error; 144 145 /* HandshakeType msg_type */ 146 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 147 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 148 *pos); 149 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 150 TLS_ALERT_UNEXPECTED_MESSAGE); 151 return -1; 152 } 153 tlsv1_server_log(conn, "Received ClientHello"); 154 pos++; 155 /* uint24 length */ 156 len = WPA_GET_BE24(pos); 157 pos += 3; 158 left -= 4; 159 160 if (len > left) 161 goto decode_error; 162 163 /* body - ClientHello */ 164 165 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 166 end = pos + len; 167 168 /* ProtocolVersion client_version */ 169 if (end - pos < 2) 170 goto decode_error; 171 conn->client_version = WPA_GET_BE16(pos); 172 tlsv1_server_log(conn, "Client version %d.%d", 173 conn->client_version >> 8, 174 conn->client_version & 0xff); 175 if (conn->client_version < TLS_VERSION_1) { 176 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 177 conn->client_version >> 8, 178 conn->client_version & 0xff); 179 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 180 TLS_ALERT_PROTOCOL_VERSION); 181 return -1; 182 } 183 pos += 2; 184 185 if (TLS_VERSION == TLS_VERSION_1) 186 conn->rl.tls_version = TLS_VERSION_1; 187#ifdef CONFIG_TLSV12 188 else if (conn->client_version >= TLS_VERSION_1_2) 189 conn->rl.tls_version = TLS_VERSION_1_2; 190#endif /* CONFIG_TLSV12 */ 191 else if (conn->client_version > TLS_VERSION_1_1) 192 conn->rl.tls_version = TLS_VERSION_1_1; 193 else 194 conn->rl.tls_version = conn->client_version; 195 tlsv1_server_log(conn, "Using TLS v%s", 196 tls_version_str(conn->rl.tls_version)); 197 198 /* Random random */ 199 if (end - pos < TLS_RANDOM_LEN) 200 goto decode_error; 201 202 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 203 pos += TLS_RANDOM_LEN; 204 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 205 conn->client_random, TLS_RANDOM_LEN); 206 207 /* SessionID session_id */ 208 if (end - pos < 1) 209 goto decode_error; 210 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 211 goto decode_error; 212 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 213 pos += 1 + *pos; 214 /* TODO: add support for session resumption */ 215 216 /* CipherSuite cipher_suites<2..2^16-1> */ 217 if (end - pos < 2) 218 goto decode_error; 219 num_suites = WPA_GET_BE16(pos); 220 pos += 2; 221 if (end - pos < num_suites) 222 goto decode_error; 223 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 224 pos, num_suites); 225 if (num_suites & 1) 226 goto decode_error; 227 num_suites /= 2; 228 229 cipher_suite = 0; 230 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 231 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 232 continue; 233 c = pos; 234 for (j = 0; j < num_suites; j++) { 235 u16 tmp = WPA_GET_BE16(c); 236 c += 2; 237 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 238 cipher_suite = tmp; 239 break; 240 } 241 } 242 } 243 pos += num_suites * 2; 244 if (!cipher_suite) { 245 tlsv1_server_log(conn, "No supported cipher suite available"); 246 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 247 TLS_ALERT_ILLEGAL_PARAMETER); 248 return -1; 249 } 250 251 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 252 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 253 "record layer"); 254 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 255 TLS_ALERT_INTERNAL_ERROR); 256 return -1; 257 } 258 259 conn->cipher_suite = cipher_suite; 260 261 /* CompressionMethod compression_methods<1..2^8-1> */ 262 if (end - pos < 1) 263 goto decode_error; 264 num_suites = *pos++; 265 if (end - pos < num_suites) 266 goto decode_error; 267 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 268 pos, num_suites); 269 compr_null_found = 0; 270 for (i = 0; i < num_suites; i++) { 271 if (*pos++ == TLS_COMPRESSION_NULL) 272 compr_null_found = 1; 273 } 274 if (!compr_null_found) { 275 tlsv1_server_log(conn, "Client does not accept NULL compression"); 276 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 277 TLS_ALERT_ILLEGAL_PARAMETER); 278 return -1; 279 } 280 281 if (end - pos == 1) { 282 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 283 *pos); 284 goto decode_error; 285 } 286 287 if (end - pos >= 2) { 288 /* Extension client_hello_extension_list<0..2^16-1> */ 289 ext_len = WPA_GET_BE16(pos); 290 pos += 2; 291 292 tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 293 ext_len); 294 if (end - pos != ext_len) { 295 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 296 ext_len, (unsigned int) (end - pos)); 297 goto decode_error; 298 } 299 300 /* 301 * struct { 302 * ExtensionType extension_type (0..65535) 303 * opaque extension_data<0..2^16-1> 304 * } Extension; 305 */ 306 307 while (pos < end) { 308 if (end - pos < 2) { 309 tlsv1_server_log(conn, "Invalid extension_type field"); 310 goto decode_error; 311 } 312 313 ext_type = WPA_GET_BE16(pos); 314 pos += 2; 315 316 if (end - pos < 2) { 317 tlsv1_server_log(conn, "Invalid extension_data length field"); 318 goto decode_error; 319 } 320 321 ext_len = WPA_GET_BE16(pos); 322 pos += 2; 323 324 if (end - pos < ext_len) { 325 tlsv1_server_log(conn, "Invalid extension_data field"); 326 goto decode_error; 327 } 328 329 tlsv1_server_log(conn, "ClientHello Extension type %u", 330 ext_type); 331 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 332 "Extension data", pos, ext_len); 333 334 if (ext_type == TLS_EXT_SESSION_TICKET) { 335 os_free(conn->session_ticket); 336 conn->session_ticket = os_malloc(ext_len); 337 if (conn->session_ticket) { 338 os_memcpy(conn->session_ticket, pos, 339 ext_len); 340 conn->session_ticket_len = ext_len; 341 } 342 } else if (ext_type == TLS_EXT_STATUS_REQUEST) { 343 conn->status_request = 1; 344 } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) { 345 tls_process_status_request_v2(conn, pos, 346 ext_len); 347 } 348 349 pos += ext_len; 350 } 351 } 352 353 *in_len = end - in_data; 354 355 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 356 conn->state = SERVER_HELLO; 357 358 return 0; 359 360decode_error: 361 tlsv1_server_log(conn, "Failed to decode ClientHello"); 362 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 363 TLS_ALERT_DECODE_ERROR); 364 return -1; 365} 366 367 368static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 369 const u8 *in_data, size_t *in_len) 370{ 371 const u8 *pos, *end; 372 size_t left, len, list_len, cert_len, idx; 373 u8 type; 374 struct x509_certificate *chain = NULL, *last = NULL, *cert; 375 int reason; 376 377 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 378 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 379 ct); 380 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 381 TLS_ALERT_UNEXPECTED_MESSAGE); 382 return -1; 383 } 384 385 pos = in_data; 386 left = *in_len; 387 388 if (left < 4) { 389 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 390 (unsigned long) left); 391 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 392 TLS_ALERT_DECODE_ERROR); 393 return -1; 394 } 395 396 type = *pos++; 397 len = WPA_GET_BE24(pos); 398 pos += 3; 399 left -= 4; 400 401 if (len > left) { 402 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 403 (unsigned long) len, (unsigned long) left); 404 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 405 TLS_ALERT_DECODE_ERROR); 406 return -1; 407 } 408 409 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 410 if (conn->verify_peer) { 411 tlsv1_server_log(conn, "Client did not include Certificate"); 412 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 413 TLS_ALERT_UNEXPECTED_MESSAGE); 414 return -1; 415 } 416 417 return tls_process_client_key_exchange(conn, ct, in_data, 418 in_len); 419 } 420 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 421 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 422 type); 423 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 424 TLS_ALERT_UNEXPECTED_MESSAGE); 425 return -1; 426 } 427 428 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 429 (unsigned long) len); 430 431 /* 432 * opaque ASN.1Cert<2^24-1>; 433 * 434 * struct { 435 * ASN.1Cert certificate_list<1..2^24-1>; 436 * } Certificate; 437 */ 438 439 end = pos + len; 440 441 if (end - pos < 3) { 442 tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 443 (unsigned long) left); 444 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 445 TLS_ALERT_DECODE_ERROR); 446 return -1; 447 } 448 449 list_len = WPA_GET_BE24(pos); 450 pos += 3; 451 452 if ((size_t) (end - pos) != list_len) { 453 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 454 (unsigned long) list_len, 455 (unsigned long) (end - pos)); 456 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 457 TLS_ALERT_DECODE_ERROR); 458 return -1; 459 } 460 461 idx = 0; 462 while (pos < end) { 463 if (end - pos < 3) { 464 tlsv1_server_log(conn, "Failed to parse certificate_list"); 465 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 466 TLS_ALERT_DECODE_ERROR); 467 x509_certificate_chain_free(chain); 468 return -1; 469 } 470 471 cert_len = WPA_GET_BE24(pos); 472 pos += 3; 473 474 if ((size_t) (end - pos) < cert_len) { 475 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 476 (unsigned long) cert_len, 477 (unsigned long) (end - pos)); 478 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 479 TLS_ALERT_DECODE_ERROR); 480 x509_certificate_chain_free(chain); 481 return -1; 482 } 483 484 tlsv1_server_log(conn, "Certificate %lu (len %lu)", 485 (unsigned long) idx, (unsigned long) cert_len); 486 487 if (idx == 0) { 488 crypto_public_key_free(conn->client_rsa_key); 489 if (tls_parse_cert(pos, cert_len, 490 &conn->client_rsa_key)) { 491 tlsv1_server_log(conn, "Failed to parse the certificate"); 492 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 493 TLS_ALERT_BAD_CERTIFICATE); 494 x509_certificate_chain_free(chain); 495 return -1; 496 } 497 } 498 499 cert = x509_certificate_parse(pos, cert_len); 500 if (cert == NULL) { 501 tlsv1_server_log(conn, "Failed to parse the certificate"); 502 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 503 TLS_ALERT_BAD_CERTIFICATE); 504 x509_certificate_chain_free(chain); 505 return -1; 506 } 507 508 if (last == NULL) 509 chain = cert; 510 else 511 last->next = cert; 512 last = cert; 513 514 idx++; 515 pos += cert_len; 516 } 517 518 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 519 &reason, 0) < 0) { 520 int tls_reason; 521 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 522 reason); 523 switch (reason) { 524 case X509_VALIDATE_BAD_CERTIFICATE: 525 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 526 break; 527 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 528 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 529 break; 530 case X509_VALIDATE_CERTIFICATE_REVOKED: 531 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 532 break; 533 case X509_VALIDATE_CERTIFICATE_EXPIRED: 534 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 535 break; 536 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 537 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 538 break; 539 case X509_VALIDATE_UNKNOWN_CA: 540 tls_reason = TLS_ALERT_UNKNOWN_CA; 541 break; 542 default: 543 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 544 break; 545 } 546 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 547 x509_certificate_chain_free(chain); 548 return -1; 549 } 550 551 if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 552 !(chain->ext_key_usage & 553 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) { 554 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 555 TLS_ALERT_BAD_CERTIFICATE); 556 x509_certificate_chain_free(chain); 557 return -1; 558 } 559 560 x509_certificate_chain_free(chain); 561 562 *in_len = end - in_data; 563 564 conn->state = CLIENT_KEY_EXCHANGE; 565 566 return 0; 567} 568 569 570static int tls_process_client_key_exchange_rsa( 571 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 572{ 573 u8 *out; 574 size_t outlen, outbuflen; 575 u16 encr_len; 576 int res; 577 int use_random = 0; 578 579 if (end - pos < 2) { 580 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 581 TLS_ALERT_DECODE_ERROR); 582 return -1; 583 } 584 585 encr_len = WPA_GET_BE16(pos); 586 pos += 2; 587 if (pos + encr_len > end) { 588 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 589 encr_len, (unsigned int) (end - pos)); 590 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 591 TLS_ALERT_DECODE_ERROR); 592 return -1; 593 } 594 595 outbuflen = outlen = end - pos; 596 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 597 outlen : TLS_PRE_MASTER_SECRET_LEN); 598 if (out == NULL) { 599 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 600 TLS_ALERT_INTERNAL_ERROR); 601 return -1; 602 } 603 604 /* 605 * struct { 606 * ProtocolVersion client_version; 607 * opaque random[46]; 608 * } PreMasterSecret; 609 * 610 * struct { 611 * public-key-encrypted PreMasterSecret pre_master_secret; 612 * } EncryptedPreMasterSecret; 613 */ 614 615 /* 616 * Note: To avoid Bleichenbacher attack, we do not report decryption or 617 * parsing errors from EncryptedPreMasterSecret processing to the 618 * client. Instead, a random pre-master secret is used to force the 619 * handshake to fail. 620 */ 621 622 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 623 pos, encr_len, 624 out, &outlen) < 0) { 625 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 626 "PreMasterSecret (encr_len=%u outlen=%lu)", 627 encr_len, (unsigned long) outlen); 628 use_random = 1; 629 } 630 631 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 632 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 633 (unsigned long) outlen); 634 use_random = 1; 635 } 636 637 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 638 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 639 use_random = 1; 640 } 641 642 if (use_random) { 643 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 644 "to avoid revealing information about private key"); 645 outlen = TLS_PRE_MASTER_SECRET_LEN; 646 if (os_get_random(out, outlen)) { 647 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 648 "data"); 649 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 650 TLS_ALERT_INTERNAL_ERROR); 651 os_free(out); 652 return -1; 653 } 654 } 655 656 res = tlsv1_server_derive_keys(conn, out, outlen); 657 658 /* Clear the pre-master secret since it is not needed anymore */ 659 os_memset(out, 0, outbuflen); 660 os_free(out); 661 662 if (res) { 663 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 664 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 665 TLS_ALERT_INTERNAL_ERROR); 666 return -1; 667 } 668 669 return 0; 670} 671 672 673static int tls_process_client_key_exchange_dh( 674 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 675{ 676 const u8 *dh_yc; 677 u16 dh_yc_len; 678 u8 *shared; 679 size_t shared_len; 680 int res; 681 const u8 *dh_p; 682 size_t dh_p_len; 683 684 /* 685 * struct { 686 * select (PublicValueEncoding) { 687 * case implicit: struct { }; 688 * case explicit: opaque dh_Yc<1..2^16-1>; 689 * } dh_public; 690 * } ClientDiffieHellmanPublic; 691 */ 692 693 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 694 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 695 pos, end - pos); 696 697 if (end == pos) { 698 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 699 "not supported"); 700 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 701 TLS_ALERT_INTERNAL_ERROR); 702 return -1; 703 } 704 705 if (end - pos < 3) { 706 tlsv1_server_log(conn, "Invalid client public value length"); 707 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 708 TLS_ALERT_DECODE_ERROR); 709 return -1; 710 } 711 712 dh_yc_len = WPA_GET_BE16(pos); 713 dh_yc = pos + 2; 714 715 if (dh_yc_len > end - dh_yc) { 716 tlsv1_server_log(conn, "Client public value overflow (length %d)", 717 dh_yc_len); 718 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 719 TLS_ALERT_DECODE_ERROR); 720 return -1; 721 } 722 723 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 724 dh_yc, dh_yc_len); 725 726 if (conn->cred == NULL || conn->cred->dh_p == NULL || 727 conn->dh_secret == NULL) { 728 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 729 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 730 TLS_ALERT_INTERNAL_ERROR); 731 return -1; 732 } 733 734 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 735 736 shared_len = dh_p_len; 737 shared = os_malloc(shared_len); 738 if (shared == NULL) { 739 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 740 "DH"); 741 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 742 TLS_ALERT_INTERNAL_ERROR); 743 return -1; 744 } 745 746 /* shared = Yc^secret mod p */ 747 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 748 conn->dh_secret_len, dh_p, dh_p_len, 749 shared, &shared_len)) { 750 os_free(shared); 751 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 752 TLS_ALERT_INTERNAL_ERROR); 753 return -1; 754 } 755 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 756 shared, shared_len); 757 758 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 759 os_free(conn->dh_secret); 760 conn->dh_secret = NULL; 761 762 res = tlsv1_server_derive_keys(conn, shared, shared_len); 763 764 /* Clear the pre-master secret since it is not needed anymore */ 765 os_memset(shared, 0, shared_len); 766 os_free(shared); 767 768 if (res) { 769 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 770 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 771 TLS_ALERT_INTERNAL_ERROR); 772 return -1; 773 } 774 775 return 0; 776} 777 778 779static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 780 const u8 *in_data, size_t *in_len) 781{ 782 const u8 *pos, *end; 783 size_t left, len; 784 u8 type; 785 tls_key_exchange keyx; 786 const struct tls_cipher_suite *suite; 787 788 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 789 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 790 ct); 791 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 792 TLS_ALERT_UNEXPECTED_MESSAGE); 793 return -1; 794 } 795 796 pos = in_data; 797 left = *in_len; 798 799 if (left < 4) { 800 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 801 (unsigned long) left); 802 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 803 TLS_ALERT_DECODE_ERROR); 804 return -1; 805 } 806 807 type = *pos++; 808 len = WPA_GET_BE24(pos); 809 pos += 3; 810 left -= 4; 811 812 if (len > left) { 813 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 814 (unsigned long) len, (unsigned long) left); 815 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 816 TLS_ALERT_DECODE_ERROR); 817 return -1; 818 } 819 820 end = pos + len; 821 822 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 823 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 824 type); 825 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 826 TLS_ALERT_UNEXPECTED_MESSAGE); 827 return -1; 828 } 829 830 tlsv1_server_log(conn, "Received ClientKeyExchange"); 831 832 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 833 834 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 835 if (suite == NULL) 836 keyx = TLS_KEY_X_NULL; 837 else 838 keyx = suite->key_exchange; 839 840 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 841 tls_process_client_key_exchange_dh(conn, pos, end) < 0) 842 return -1; 843 844 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 845 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 846 return -1; 847 848 *in_len = end - in_data; 849 850 conn->state = CERTIFICATE_VERIFY; 851 852 return 0; 853} 854 855 856static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 857 const u8 *in_data, size_t *in_len) 858{ 859 const u8 *pos, *end; 860 size_t left, len; 861 u8 type; 862 size_t hlen; 863 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 864 u8 alert; 865 866 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 867 if (conn->verify_peer) { 868 tlsv1_server_log(conn, "Client did not include CertificateVerify"); 869 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 870 TLS_ALERT_UNEXPECTED_MESSAGE); 871 return -1; 872 } 873 874 return tls_process_change_cipher_spec(conn, ct, in_data, 875 in_len); 876 } 877 878 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 879 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 880 ct); 881 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 882 TLS_ALERT_UNEXPECTED_MESSAGE); 883 return -1; 884 } 885 886 pos = in_data; 887 left = *in_len; 888 889 if (left < 4) { 890 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 891 (unsigned long) left); 892 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 893 TLS_ALERT_DECODE_ERROR); 894 return -1; 895 } 896 897 type = *pos++; 898 len = WPA_GET_BE24(pos); 899 pos += 3; 900 left -= 4; 901 902 if (len > left) { 903 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 904 (unsigned long) len, (unsigned long) left); 905 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 906 TLS_ALERT_DECODE_ERROR); 907 return -1; 908 } 909 910 end = pos + len; 911 912 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 913 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 914 type); 915 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 916 TLS_ALERT_UNEXPECTED_MESSAGE); 917 return -1; 918 } 919 920 tlsv1_server_log(conn, "Received CertificateVerify"); 921 922 /* 923 * struct { 924 * Signature signature; 925 * } CertificateVerify; 926 */ 927 928 hpos = hash; 929 930#ifdef CONFIG_TLSV12 931 if (conn->rl.tls_version == TLS_VERSION_1_2) { 932 /* 933 * RFC 5246, 4.7: 934 * TLS v1.2 adds explicit indication of the used signature and 935 * hash algorithms. 936 * 937 * struct { 938 * HashAlgorithm hash; 939 * SignatureAlgorithm signature; 940 * } SignatureAndHashAlgorithm; 941 */ 942 if (end - pos < 2) { 943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 944 TLS_ALERT_DECODE_ERROR); 945 return -1; 946 } 947 if (pos[0] != TLS_HASH_ALG_SHA256 || 948 pos[1] != TLS_SIGN_ALG_RSA) { 949 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 950 "signature(%u) algorithm", 951 pos[0], pos[1]); 952 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 953 TLS_ALERT_INTERNAL_ERROR); 954 return -1; 955 } 956 pos += 2; 957 958 hlen = SHA256_MAC_LEN; 959 if (conn->verify.sha256_cert == NULL || 960 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 961 0) { 962 conn->verify.sha256_cert = NULL; 963 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 964 TLS_ALERT_INTERNAL_ERROR); 965 return -1; 966 } 967 conn->verify.sha256_cert = NULL; 968 } else { 969#endif /* CONFIG_TLSV12 */ 970 971 hlen = MD5_MAC_LEN; 972 if (conn->verify.md5_cert == NULL || 973 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 974 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 975 TLS_ALERT_INTERNAL_ERROR); 976 conn->verify.md5_cert = NULL; 977 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 978 conn->verify.sha1_cert = NULL; 979 return -1; 980 } 981 hpos += MD5_MAC_LEN; 982 983 conn->verify.md5_cert = NULL; 984 hlen = SHA1_MAC_LEN; 985 if (conn->verify.sha1_cert == NULL || 986 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 987 conn->verify.sha1_cert = NULL; 988 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 989 TLS_ALERT_INTERNAL_ERROR); 990 return -1; 991 } 992 conn->verify.sha1_cert = NULL; 993 994 hlen += MD5_MAC_LEN; 995 996#ifdef CONFIG_TLSV12 997 } 998#endif /* CONFIG_TLSV12 */ 999 1000 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 1001 1002 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 1003 hash, hlen, pos, end - pos, &alert) < 0) { 1004 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 1005 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 1006 return -1; 1007 } 1008 1009 *in_len = end - in_data; 1010 1011 conn->state = CHANGE_CIPHER_SPEC; 1012 1013 return 0; 1014} 1015 1016 1017static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 1018 u8 ct, const u8 *in_data, 1019 size_t *in_len) 1020{ 1021 const u8 *pos; 1022 size_t left; 1023 1024 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1025 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 1026 ct); 1027 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1028 TLS_ALERT_UNEXPECTED_MESSAGE); 1029 return -1; 1030 } 1031 1032 pos = in_data; 1033 left = *in_len; 1034 1035 if (left < 1) { 1036 tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 1037 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1038 TLS_ALERT_DECODE_ERROR); 1039 return -1; 1040 } 1041 1042 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1043 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 1044 *pos); 1045 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1046 TLS_ALERT_UNEXPECTED_MESSAGE); 1047 return -1; 1048 } 1049 1050 tlsv1_server_log(conn, "Received ChangeCipherSpec"); 1051 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1052 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1053 "for record layer"); 1054 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1055 TLS_ALERT_INTERNAL_ERROR); 1056 return -1; 1057 } 1058 1059 *in_len = pos + 1 - in_data; 1060 1061 conn->state = CLIENT_FINISHED; 1062 1063 return 0; 1064} 1065 1066 1067static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 1068 const u8 *in_data, size_t *in_len) 1069{ 1070 const u8 *pos, *end; 1071 size_t left, len, hlen; 1072 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1073 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1074 1075#ifdef CONFIG_TESTING_OPTIONS 1076 if ((conn->test_flags & 1077 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 1078 !conn->test_failure_reported) { 1079 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 1080 conn->test_failure_reported = 1; 1081 } 1082 1083 if ((conn->test_flags & TLS_DHE_PRIME_15) && 1084 !conn->test_failure_reported) { 1085 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15"); 1086 conn->test_failure_reported = 1; 1087 } 1088 1089 if ((conn->test_flags & TLS_DHE_PRIME_58B) && 1090 !conn->test_failure_reported) { 1091 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container"); 1092 conn->test_failure_reported = 1; 1093 } 1094 1095 if ((conn->test_flags & TLS_DHE_PRIME_511B) && 1096 !conn->test_failure_reported) { 1097 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)"); 1098 conn->test_failure_reported = 1; 1099 } 1100 1101 if ((conn->test_flags & TLS_DHE_PRIME_767B) && 1102 !conn->test_failure_reported) { 1103 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)"); 1104 conn->test_failure_reported = 1; 1105 } 1106 1107 if ((conn->test_flags & TLS_DHE_NON_PRIME) && 1108 !conn->test_failure_reported) { 1109 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime"); 1110 conn->test_failure_reported = 1; 1111 } 1112#endif /* CONFIG_TESTING_OPTIONS */ 1113 1114 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1115 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 1116 ct); 1117 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1118 TLS_ALERT_UNEXPECTED_MESSAGE); 1119 return -1; 1120 } 1121 1122 pos = in_data; 1123 left = *in_len; 1124 1125 if (left < 4) { 1126 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 1127 (unsigned long) left); 1128 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1129 TLS_ALERT_DECODE_ERROR); 1130 return -1; 1131 } 1132 1133 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1134 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1135 "type 0x%x", pos[0]); 1136 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1137 TLS_ALERT_UNEXPECTED_MESSAGE); 1138 return -1; 1139 } 1140 1141 len = WPA_GET_BE24(pos + 1); 1142 1143 pos += 4; 1144 left -= 4; 1145 1146 if (len > left) { 1147 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 1148 (unsigned long) len, (unsigned long) left); 1149 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1150 TLS_ALERT_DECODE_ERROR); 1151 return -1; 1152 } 1153 end = pos + len; 1154 if (len != TLS_VERIFY_DATA_LEN) { 1155 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 1156 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1157 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1158 TLS_ALERT_DECODE_ERROR); 1159 return -1; 1160 } 1161 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1162 pos, TLS_VERIFY_DATA_LEN); 1163 1164#ifdef CONFIG_TLSV12 1165 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1166 hlen = SHA256_MAC_LEN; 1167 if (conn->verify.sha256_client == NULL || 1168 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1169 < 0) { 1170 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1171 TLS_ALERT_INTERNAL_ERROR); 1172 conn->verify.sha256_client = NULL; 1173 return -1; 1174 } 1175 conn->verify.sha256_client = NULL; 1176 } else { 1177#endif /* CONFIG_TLSV12 */ 1178 1179 hlen = MD5_MAC_LEN; 1180 if (conn->verify.md5_client == NULL || 1181 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1182 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1183 TLS_ALERT_INTERNAL_ERROR); 1184 conn->verify.md5_client = NULL; 1185 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1186 conn->verify.sha1_client = NULL; 1187 return -1; 1188 } 1189 conn->verify.md5_client = NULL; 1190 hlen = SHA1_MAC_LEN; 1191 if (conn->verify.sha1_client == NULL || 1192 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1193 &hlen) < 0) { 1194 conn->verify.sha1_client = NULL; 1195 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1196 TLS_ALERT_INTERNAL_ERROR); 1197 return -1; 1198 } 1199 conn->verify.sha1_client = NULL; 1200 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1201 1202#ifdef CONFIG_TLSV12 1203 } 1204#endif /* CONFIG_TLSV12 */ 1205 1206 if (tls_prf(conn->rl.tls_version, 1207 conn->master_secret, TLS_MASTER_SECRET_LEN, 1208 "client finished", hash, hlen, 1209 verify_data, TLS_VERIFY_DATA_LEN)) { 1210 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1211 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1212 TLS_ALERT_DECRYPT_ERROR); 1213 return -1; 1214 } 1215 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1216 verify_data, TLS_VERIFY_DATA_LEN); 1217 1218 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1219 tlsv1_server_log(conn, "Mismatch in verify_data"); 1220 return -1; 1221 } 1222 1223 tlsv1_server_log(conn, "Received Finished"); 1224 1225 *in_len = end - in_data; 1226 1227 if (conn->use_session_ticket) { 1228 /* Abbreviated handshake using session ticket; RFC 4507 */ 1229 tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 1230 conn->state = ESTABLISHED; 1231 } else { 1232 /* Full handshake */ 1233 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1234 } 1235 1236 return 0; 1237} 1238 1239 1240int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1241 const u8 *buf, size_t *len) 1242{ 1243 if (ct == TLS_CONTENT_TYPE_ALERT) { 1244 if (*len < 2) { 1245 tlsv1_server_log(conn, "Alert underflow"); 1246 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1247 TLS_ALERT_DECODE_ERROR); 1248 return -1; 1249 } 1250 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 1251 *len = 2; 1252 conn->state = FAILED; 1253 return -1; 1254 } 1255 1256 switch (conn->state) { 1257 case CLIENT_HELLO: 1258 if (tls_process_client_hello(conn, ct, buf, len)) 1259 return -1; 1260 break; 1261 case CLIENT_CERTIFICATE: 1262 if (tls_process_certificate(conn, ct, buf, len)) 1263 return -1; 1264 break; 1265 case CLIENT_KEY_EXCHANGE: 1266 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1267 return -1; 1268 break; 1269 case CERTIFICATE_VERIFY: 1270 if (tls_process_certificate_verify(conn, ct, buf, len)) 1271 return -1; 1272 break; 1273 case CHANGE_CIPHER_SPEC: 1274 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1275 return -1; 1276 break; 1277 case CLIENT_FINISHED: 1278 if (tls_process_client_finished(conn, ct, buf, len)) 1279 return -1; 1280 break; 1281 default: 1282 tlsv1_server_log(conn, "Unexpected state %d while processing received message", 1283 conn->state); 1284 return -1; 1285 } 1286 1287 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1288 tls_verify_hash_add(&conn->verify, buf, *len); 1289 1290 return 0; 1291} 1292