Home | History | Annotate | Download | only in tls
      1 /*
      2  * TLSv1 server - read handshake message
      3  * Copyright (c) 2006-2011, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "crypto/md5.h"
     13 #include "crypto/sha1.h"
     14 #include "crypto/sha256.h"
     15 #include "crypto/tls.h"
     16 #include "x509v3.h"
     17 #include "tlsv1_common.h"
     18 #include "tlsv1_record.h"
     19 #include "tlsv1_server.h"
     20 #include "tlsv1_server_i.h"
     21 
     22 
     23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
     24 					   const u8 *in_data, size_t *in_len);
     25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
     26 					  u8 ct, const u8 *in_data,
     27 					  size_t *in_len);
     28 
     29 
     30 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
     31 				    const u8 *in_data, size_t *in_len)
     32 {
     33 	const u8 *pos, *end, *c;
     34 	size_t left, len, i, j;
     35 	u16 cipher_suite;
     36 	u16 num_suites;
     37 	int compr_null_found;
     38 	u16 ext_type, ext_len;
     39 
     40 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
     41 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
     42 			   "received content type 0x%x", ct);
     43 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
     44 				   TLS_ALERT_UNEXPECTED_MESSAGE);
     45 		return -1;
     46 	}
     47 
     48 	pos = in_data;
     49 	left = *in_len;
     50 
     51 	if (left < 4)
     52 		goto decode_error;
     53 
     54 	/* HandshakeType msg_type */
     55 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
     56 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
     57 			   "message %d (expected ClientHello)", *pos);
     58 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
     59 				   TLS_ALERT_UNEXPECTED_MESSAGE);
     60 		return -1;
     61 	}
     62 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
     63 	pos++;
     64 	/* uint24 length */
     65 	len = WPA_GET_BE24(pos);
     66 	pos += 3;
     67 	left -= 4;
     68 
     69 	if (len > left)
     70 		goto decode_error;
     71 
     72 	/* body - ClientHello */
     73 
     74 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
     75 	end = pos + len;
     76 
     77 	/* ProtocolVersion client_version */
     78 	if (end - pos < 2)
     79 		goto decode_error;
     80 	conn->client_version = WPA_GET_BE16(pos);
     81 	wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
     82 		   conn->client_version >> 8, conn->client_version & 0xff);
     83 	if (conn->client_version < TLS_VERSION_1) {
     84 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
     85 			   "ClientHello %u.%u",
     86 			   conn->client_version >> 8,
     87 			   conn->client_version & 0xff);
     88 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
     89 				   TLS_ALERT_PROTOCOL_VERSION);
     90 		return -1;
     91 	}
     92 	pos += 2;
     93 
     94 	if (TLS_VERSION == TLS_VERSION_1)
     95 		conn->rl.tls_version = TLS_VERSION_1;
     96 #ifdef CONFIG_TLSV12
     97 	else if (conn->client_version >= TLS_VERSION_1_2)
     98 		conn->rl.tls_version = TLS_VERSION_1_2;
     99 #endif /* CONFIG_TLSV12 */
    100 	else if (conn->client_version > TLS_VERSION_1_1)
    101 		conn->rl.tls_version = TLS_VERSION_1_1;
    102 	else
    103 		conn->rl.tls_version = conn->client_version;
    104 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
    105 		   tls_version_str(conn->rl.tls_version));
    106 
    107 	/* Random random */
    108 	if (end - pos < TLS_RANDOM_LEN)
    109 		goto decode_error;
    110 
    111 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
    112 	pos += TLS_RANDOM_LEN;
    113 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
    114 		    conn->client_random, TLS_RANDOM_LEN);
    115 
    116 	/* SessionID session_id */
    117 	if (end - pos < 1)
    118 		goto decode_error;
    119 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
    120 		goto decode_error;
    121 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
    122 	pos += 1 + *pos;
    123 	/* TODO: add support for session resumption */
    124 
    125 	/* CipherSuite cipher_suites<2..2^16-1> */
    126 	if (end - pos < 2)
    127 		goto decode_error;
    128 	num_suites = WPA_GET_BE16(pos);
    129 	pos += 2;
    130 	if (end - pos < num_suites)
    131 		goto decode_error;
    132 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
    133 		    pos, num_suites);
    134 	if (num_suites & 1)
    135 		goto decode_error;
    136 	num_suites /= 2;
    137 
    138 	cipher_suite = 0;
    139 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
    140 		c = pos;
    141 		for (j = 0; j < num_suites; j++) {
    142 			u16 tmp = WPA_GET_BE16(c);
    143 			c += 2;
    144 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
    145 				cipher_suite = tmp;
    146 				break;
    147 			}
    148 		}
    149 	}
    150 	pos += num_suites * 2;
    151 	if (!cipher_suite) {
    152 		wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
    153 			   "available");
    154 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    155 				   TLS_ALERT_ILLEGAL_PARAMETER);
    156 		return -1;
    157 	}
    158 
    159 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
    160 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
    161 			   "record layer");
    162 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    163 				   TLS_ALERT_INTERNAL_ERROR);
    164 		return -1;
    165 	}
    166 
    167 	conn->cipher_suite = cipher_suite;
    168 
    169 	/* CompressionMethod compression_methods<1..2^8-1> */
    170 	if (end - pos < 1)
    171 		goto decode_error;
    172 	num_suites = *pos++;
    173 	if (end - pos < num_suites)
    174 		goto decode_error;
    175 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
    176 		    pos, num_suites);
    177 	compr_null_found = 0;
    178 	for (i = 0; i < num_suites; i++) {
    179 		if (*pos++ == TLS_COMPRESSION_NULL)
    180 			compr_null_found = 1;
    181 	}
    182 	if (!compr_null_found) {
    183 		wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
    184 			   "compression");
    185 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    186 				   TLS_ALERT_ILLEGAL_PARAMETER);
    187 		return -1;
    188 	}
    189 
    190 	if (end - pos == 1) {
    191 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
    192 			    "end of ClientHello: 0x%02x", *pos);
    193 		goto decode_error;
    194 	}
    195 
    196 	if (end - pos >= 2) {
    197 		/* Extension client_hello_extension_list<0..2^16-1> */
    198 		ext_len = WPA_GET_BE16(pos);
    199 		pos += 2;
    200 
    201 		wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
    202 			   "extensions", ext_len);
    203 		if (end - pos != ext_len) {
    204 			wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
    205 				   "extension list length %u (expected %u)",
    206 				   ext_len, (unsigned int) (end - pos));
    207 			goto decode_error;
    208 		}
    209 
    210 		/*
    211 		 * struct {
    212 		 *   ExtensionType extension_type (0..65535)
    213 		 *   opaque extension_data<0..2^16-1>
    214 		 * } Extension;
    215 		 */
    216 
    217 		while (pos < end) {
    218 			if (end - pos < 2) {
    219 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
    220 					   "extension_type field");
    221 				goto decode_error;
    222 			}
    223 
    224 			ext_type = WPA_GET_BE16(pos);
    225 			pos += 2;
    226 
    227 			if (end - pos < 2) {
    228 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
    229 					   "extension_data length field");
    230 				goto decode_error;
    231 			}
    232 
    233 			ext_len = WPA_GET_BE16(pos);
    234 			pos += 2;
    235 
    236 			if (end - pos < ext_len) {
    237 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
    238 					   "extension_data field");
    239 				goto decode_error;
    240 			}
    241 
    242 			wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
    243 				   "type %u", ext_type);
    244 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
    245 				    "Extension data", pos, ext_len);
    246 
    247 			if (ext_type == TLS_EXT_SESSION_TICKET) {
    248 				os_free(conn->session_ticket);
    249 				conn->session_ticket = os_malloc(ext_len);
    250 				if (conn->session_ticket) {
    251 					os_memcpy(conn->session_ticket, pos,
    252 						  ext_len);
    253 					conn->session_ticket_len = ext_len;
    254 				}
    255 			}
    256 
    257 			pos += ext_len;
    258 		}
    259 	}
    260 
    261 	*in_len = end - in_data;
    262 
    263 	wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
    264 		   "ServerHello");
    265 	conn->state = SERVER_HELLO;
    266 
    267 	return 0;
    268 
    269 decode_error:
    270 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
    271 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    272 			   TLS_ALERT_DECODE_ERROR);
    273 	return -1;
    274 }
    275 
    276 
    277 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
    278 				   const u8 *in_data, size_t *in_len)
    279 {
    280 	const u8 *pos, *end;
    281 	size_t left, len, list_len, cert_len, idx;
    282 	u8 type;
    283 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
    284 	int reason;
    285 
    286 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
    287 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
    288 			   "received content type 0x%x", ct);
    289 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    290 				   TLS_ALERT_UNEXPECTED_MESSAGE);
    291 		return -1;
    292 	}
    293 
    294 	pos = in_data;
    295 	left = *in_len;
    296 
    297 	if (left < 4) {
    298 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
    299 			   "(len=%lu)", (unsigned long) left);
    300 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    301 				   TLS_ALERT_DECODE_ERROR);
    302 		return -1;
    303 	}
    304 
    305 	type = *pos++;
    306 	len = WPA_GET_BE24(pos);
    307 	pos += 3;
    308 	left -= 4;
    309 
    310 	if (len > left) {
    311 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
    312 			   "length (len=%lu != left=%lu)",
    313 			   (unsigned long) len, (unsigned long) left);
    314 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    315 				   TLS_ALERT_DECODE_ERROR);
    316 		return -1;
    317 	}
    318 
    319 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
    320 		if (conn->verify_peer) {
    321 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
    322 				   "Certificate");
    323 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    324 					   TLS_ALERT_UNEXPECTED_MESSAGE);
    325 			return -1;
    326 		}
    327 
    328 		return tls_process_client_key_exchange(conn, ct, in_data,
    329 						       in_len);
    330 	}
    331 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
    332 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
    333 			   "message %d (expected Certificate/"
    334 			   "ClientKeyExchange)", type);
    335 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    336 				   TLS_ALERT_UNEXPECTED_MESSAGE);
    337 		return -1;
    338 	}
    339 
    340 	wpa_printf(MSG_DEBUG,
    341 		   "TLSv1: Received Certificate (certificate_list len %lu)",
    342 		   (unsigned long) len);
    343 
    344 	/*
    345 	 * opaque ASN.1Cert<2^24-1>;
    346 	 *
    347 	 * struct {
    348 	 *     ASN.1Cert certificate_list<1..2^24-1>;
    349 	 * } Certificate;
    350 	 */
    351 
    352 	end = pos + len;
    353 
    354 	if (end - pos < 3) {
    355 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
    356 			   "(left=%lu)", (unsigned long) left);
    357 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    358 				   TLS_ALERT_DECODE_ERROR);
    359 		return -1;
    360 	}
    361 
    362 	list_len = WPA_GET_BE24(pos);
    363 	pos += 3;
    364 
    365 	if ((size_t) (end - pos) != list_len) {
    366 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
    367 			   "length (len=%lu left=%lu)",
    368 			   (unsigned long) list_len,
    369 			   (unsigned long) (end - pos));
    370 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    371 				   TLS_ALERT_DECODE_ERROR);
    372 		return -1;
    373 	}
    374 
    375 	idx = 0;
    376 	while (pos < end) {
    377 		if (end - pos < 3) {
    378 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
    379 				   "certificate_list");
    380 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    381 					   TLS_ALERT_DECODE_ERROR);
    382 			x509_certificate_chain_free(chain);
    383 			return -1;
    384 		}
    385 
    386 		cert_len = WPA_GET_BE24(pos);
    387 		pos += 3;
    388 
    389 		if ((size_t) (end - pos) < cert_len) {
    390 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
    391 				   "length (len=%lu left=%lu)",
    392 				   (unsigned long) cert_len,
    393 				   (unsigned long) (end - pos));
    394 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    395 					   TLS_ALERT_DECODE_ERROR);
    396 			x509_certificate_chain_free(chain);
    397 			return -1;
    398 		}
    399 
    400 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
    401 			   (unsigned long) idx, (unsigned long) cert_len);
    402 
    403 		if (idx == 0) {
    404 			crypto_public_key_free(conn->client_rsa_key);
    405 			if (tls_parse_cert(pos, cert_len,
    406 					   &conn->client_rsa_key)) {
    407 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
    408 					   "the certificate");
    409 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    410 						   TLS_ALERT_BAD_CERTIFICATE);
    411 				x509_certificate_chain_free(chain);
    412 				return -1;
    413 			}
    414 		}
    415 
    416 		cert = x509_certificate_parse(pos, cert_len);
    417 		if (cert == NULL) {
    418 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
    419 				   "the certificate");
    420 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    421 					   TLS_ALERT_BAD_CERTIFICATE);
    422 			x509_certificate_chain_free(chain);
    423 			return -1;
    424 		}
    425 
    426 		if (last == NULL)
    427 			chain = cert;
    428 		else
    429 			last->next = cert;
    430 		last = cert;
    431 
    432 		idx++;
    433 		pos += cert_len;
    434 	}
    435 
    436 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
    437 					    &reason, 0) < 0) {
    438 		int tls_reason;
    439 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
    440 			   "validation failed (reason=%d)", reason);
    441 		switch (reason) {
    442 		case X509_VALIDATE_BAD_CERTIFICATE:
    443 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
    444 			break;
    445 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
    446 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
    447 			break;
    448 		case X509_VALIDATE_CERTIFICATE_REVOKED:
    449 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
    450 			break;
    451 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
    452 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
    453 			break;
    454 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
    455 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
    456 			break;
    457 		case X509_VALIDATE_UNKNOWN_CA:
    458 			tls_reason = TLS_ALERT_UNKNOWN_CA;
    459 			break;
    460 		default:
    461 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
    462 			break;
    463 		}
    464 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
    465 		x509_certificate_chain_free(chain);
    466 		return -1;
    467 	}
    468 
    469 	x509_certificate_chain_free(chain);
    470 
    471 	*in_len = end - in_data;
    472 
    473 	conn->state = CLIENT_KEY_EXCHANGE;
    474 
    475 	return 0;
    476 }
    477 
    478 
    479 static int tls_process_client_key_exchange_rsa(
    480 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
    481 {
    482 	u8 *out;
    483 	size_t outlen, outbuflen;
    484 	u16 encr_len;
    485 	int res;
    486 	int use_random = 0;
    487 
    488 	if (end - pos < 2) {
    489 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    490 				   TLS_ALERT_DECODE_ERROR);
    491 		return -1;
    492 	}
    493 
    494 	encr_len = WPA_GET_BE16(pos);
    495 	pos += 2;
    496 	if (pos + encr_len > end) {
    497 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
    498 			   "format: encr_len=%u left=%u",
    499 			   encr_len, (unsigned int) (end - pos));
    500 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    501 				   TLS_ALERT_DECODE_ERROR);
    502 		return -1;
    503 	}
    504 
    505 	outbuflen = outlen = end - pos;
    506 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
    507 			outlen : TLS_PRE_MASTER_SECRET_LEN);
    508 	if (out == NULL) {
    509 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    510 				   TLS_ALERT_INTERNAL_ERROR);
    511 		return -1;
    512 	}
    513 
    514 	/*
    515 	 * struct {
    516 	 *   ProtocolVersion client_version;
    517 	 *   opaque random[46];
    518 	 * } PreMasterSecret;
    519 	 *
    520 	 * struct {
    521 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
    522 	 * } EncryptedPreMasterSecret;
    523 	 */
    524 
    525 	/*
    526 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
    527 	 * parsing errors from EncryptedPreMasterSecret processing to the
    528 	 * client. Instead, a random pre-master secret is used to force the
    529 	 * handshake to fail.
    530 	 */
    531 
    532 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
    533 						 pos, encr_len,
    534 						 out, &outlen) < 0) {
    535 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
    536 			   "PreMasterSecret (encr_len=%u outlen=%lu)",
    537 			   encr_len, (unsigned long) outlen);
    538 		use_random = 1;
    539 	}
    540 
    541 	if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
    542 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
    543 			   "length %lu", (unsigned long) outlen);
    544 		use_random = 1;
    545 	}
    546 
    547 	if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
    548 		wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
    549 			   "ClientKeyExchange does not match with version in "
    550 			   "ClientHello");
    551 		use_random = 1;
    552 	}
    553 
    554 	if (use_random) {
    555 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
    556 			   "to avoid revealing information about private key");
    557 		outlen = TLS_PRE_MASTER_SECRET_LEN;
    558 		if (os_get_random(out, outlen)) {
    559 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
    560 				   "data");
    561 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    562 					   TLS_ALERT_INTERNAL_ERROR);
    563 			os_free(out);
    564 			return -1;
    565 		}
    566 	}
    567 
    568 	res = tlsv1_server_derive_keys(conn, out, outlen);
    569 
    570 	/* Clear the pre-master secret since it is not needed anymore */
    571 	os_memset(out, 0, outbuflen);
    572 	os_free(out);
    573 
    574 	if (res) {
    575 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
    576 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    577 				   TLS_ALERT_INTERNAL_ERROR);
    578 		return -1;
    579 	}
    580 
    581 	return 0;
    582 }
    583 
    584 
    585 static int tls_process_client_key_exchange_dh_anon(
    586 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
    587 {
    588 	const u8 *dh_yc;
    589 	u16 dh_yc_len;
    590 	u8 *shared;
    591 	size_t shared_len;
    592 	int res;
    593 
    594 	/*
    595 	 * struct {
    596 	 *   select (PublicValueEncoding) {
    597 	 *     case implicit: struct { };
    598 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
    599 	 *   } dh_public;
    600 	 * } ClientDiffieHellmanPublic;
    601 	 */
    602 
    603 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
    604 		    pos, end - pos);
    605 
    606 	if (end == pos) {
    607 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
    608 			   "not supported");
    609 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    610 				   TLS_ALERT_INTERNAL_ERROR);
    611 		return -1;
    612 	}
    613 
    614 	if (end - pos < 3) {
    615 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
    616 			   "length");
    617 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    618 				   TLS_ALERT_DECODE_ERROR);
    619 		return -1;
    620 	}
    621 
    622 	dh_yc_len = WPA_GET_BE16(pos);
    623 	dh_yc = pos + 2;
    624 
    625 	if (dh_yc + dh_yc_len > end) {
    626 		wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
    627 			   "(length %d)", dh_yc_len);
    628 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    629 				   TLS_ALERT_DECODE_ERROR);
    630 		return -1;
    631 	}
    632 
    633 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
    634 		    dh_yc, dh_yc_len);
    635 
    636 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
    637 	    conn->dh_secret == NULL) {
    638 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
    639 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    640 				   TLS_ALERT_INTERNAL_ERROR);
    641 		return -1;
    642 	}
    643 
    644 	shared_len = conn->cred->dh_p_len;
    645 	shared = os_malloc(shared_len);
    646 	if (shared == NULL) {
    647 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
    648 			   "DH");
    649 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    650 				   TLS_ALERT_INTERNAL_ERROR);
    651 		return -1;
    652 	}
    653 
    654 	/* shared = Yc^secret mod p */
    655 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
    656 			   conn->dh_secret_len,
    657 			   conn->cred->dh_p, conn->cred->dh_p_len,
    658 			   shared, &shared_len)) {
    659 		os_free(shared);
    660 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    661 				   TLS_ALERT_INTERNAL_ERROR);
    662 		return -1;
    663 	}
    664 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
    665 			shared, shared_len);
    666 
    667 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
    668 	os_free(conn->dh_secret);
    669 	conn->dh_secret = NULL;
    670 
    671 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
    672 
    673 	/* Clear the pre-master secret since it is not needed anymore */
    674 	os_memset(shared, 0, shared_len);
    675 	os_free(shared);
    676 
    677 	if (res) {
    678 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
    679 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    680 				   TLS_ALERT_INTERNAL_ERROR);
    681 		return -1;
    682 	}
    683 
    684 	return 0;
    685 }
    686 
    687 
    688 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
    689 					   const u8 *in_data, size_t *in_len)
    690 {
    691 	const u8 *pos, *end;
    692 	size_t left, len;
    693 	u8 type;
    694 	tls_key_exchange keyx;
    695 	const struct tls_cipher_suite *suite;
    696 
    697 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
    698 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
    699 			   "received content type 0x%x", ct);
    700 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    701 				   TLS_ALERT_UNEXPECTED_MESSAGE);
    702 		return -1;
    703 	}
    704 
    705 	pos = in_data;
    706 	left = *in_len;
    707 
    708 	if (left < 4) {
    709 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
    710 			   "(Left=%lu)", (unsigned long) left);
    711 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    712 				   TLS_ALERT_DECODE_ERROR);
    713 		return -1;
    714 	}
    715 
    716 	type = *pos++;
    717 	len = WPA_GET_BE24(pos);
    718 	pos += 3;
    719 	left -= 4;
    720 
    721 	if (len > left) {
    722 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
    723 			   "length (len=%lu != left=%lu)",
    724 			   (unsigned long) len, (unsigned long) left);
    725 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    726 				   TLS_ALERT_DECODE_ERROR);
    727 		return -1;
    728 	}
    729 
    730 	end = pos + len;
    731 
    732 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
    733 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
    734 			   "message %d (expected ClientKeyExchange)", type);
    735 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    736 				   TLS_ALERT_UNEXPECTED_MESSAGE);
    737 		return -1;
    738 	}
    739 
    740 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
    741 
    742 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
    743 
    744 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
    745 	if (suite == NULL)
    746 		keyx = TLS_KEY_X_NULL;
    747 	else
    748 		keyx = suite->key_exchange;
    749 
    750 	if (keyx == TLS_KEY_X_DH_anon &&
    751 	    tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
    752 		return -1;
    753 
    754 	if (keyx != TLS_KEY_X_DH_anon &&
    755 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
    756 		return -1;
    757 
    758 	*in_len = end - in_data;
    759 
    760 	conn->state = CERTIFICATE_VERIFY;
    761 
    762 	return 0;
    763 }
    764 
    765 
    766 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
    767 					  const u8 *in_data, size_t *in_len)
    768 {
    769 	const u8 *pos, *end;
    770 	size_t left, len;
    771 	u8 type;
    772 	size_t hlen, buflen;
    773 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
    774 	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
    775 	u16 slen;
    776 
    777 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
    778 		if (conn->verify_peer) {
    779 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
    780 				   "CertificateVerify");
    781 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    782 					   TLS_ALERT_UNEXPECTED_MESSAGE);
    783 			return -1;
    784 		}
    785 
    786 		return tls_process_change_cipher_spec(conn, ct, in_data,
    787 						      in_len);
    788 	}
    789 
    790 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
    791 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
    792 			   "received content type 0x%x", ct);
    793 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    794 				   TLS_ALERT_UNEXPECTED_MESSAGE);
    795 		return -1;
    796 	}
    797 
    798 	pos = in_data;
    799 	left = *in_len;
    800 
    801 	if (left < 4) {
    802 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
    803 			   "message (len=%lu)", (unsigned long) left);
    804 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    805 				   TLS_ALERT_DECODE_ERROR);
    806 		return -1;
    807 	}
    808 
    809 	type = *pos++;
    810 	len = WPA_GET_BE24(pos);
    811 	pos += 3;
    812 	left -= 4;
    813 
    814 	if (len > left) {
    815 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
    816 			   "message length (len=%lu != left=%lu)",
    817 			   (unsigned long) len, (unsigned long) left);
    818 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    819 				   TLS_ALERT_DECODE_ERROR);
    820 		return -1;
    821 	}
    822 
    823 	end = pos + len;
    824 
    825 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
    826 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
    827 			   "message %d (expected CertificateVerify)", type);
    828 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    829 				   TLS_ALERT_UNEXPECTED_MESSAGE);
    830 		return -1;
    831 	}
    832 
    833 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
    834 
    835 	/*
    836 	 * struct {
    837 	 *   Signature signature;
    838 	 * } CertificateVerify;
    839 	 */
    840 
    841 	hpos = hash;
    842 
    843 #ifdef CONFIG_TLSV12
    844 	if (conn->rl.tls_version == TLS_VERSION_1_2) {
    845 		/*
    846 		 * RFC 5246, 4.7:
    847 		 * TLS v1.2 adds explicit indication of the used signature and
    848 		 * hash algorithms.
    849 		 *
    850 		 * struct {
    851 		 *   HashAlgorithm hash;
    852 		 *   SignatureAlgorithm signature;
    853 		 * } SignatureAndHashAlgorithm;
    854 		 */
    855 		if (end - pos < 2) {
    856 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    857 					   TLS_ALERT_DECODE_ERROR);
    858 			return -1;
    859 		}
    860 		if (pos[0] != TLS_HASH_ALG_SHA256 ||
    861 		    pos[1] != TLS_SIGN_ALG_RSA) {
    862 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
    863 				   "signature(%u) algorithm",
    864 				   pos[0], pos[1]);
    865 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    866 					   TLS_ALERT_INTERNAL_ERROR);
    867 			return -1;
    868 		}
    869 		pos += 2;
    870 
    871 		hlen = SHA256_MAC_LEN;
    872 		if (conn->verify.sha256_cert == NULL ||
    873 		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
    874 		    0) {
    875 			conn->verify.sha256_cert = NULL;
    876 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    877 					   TLS_ALERT_INTERNAL_ERROR);
    878 			return -1;
    879 		}
    880 		conn->verify.sha256_cert = NULL;
    881 	} else {
    882 #endif /* CONFIG_TLSV12 */
    883 
    884 	if (alg == SIGN_ALG_RSA) {
    885 		hlen = MD5_MAC_LEN;
    886 		if (conn->verify.md5_cert == NULL ||
    887 		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
    888 		{
    889 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    890 					   TLS_ALERT_INTERNAL_ERROR);
    891 			conn->verify.md5_cert = NULL;
    892 			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
    893 			conn->verify.sha1_cert = NULL;
    894 			return -1;
    895 		}
    896 		hpos += MD5_MAC_LEN;
    897 	} else
    898 		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
    899 
    900 	conn->verify.md5_cert = NULL;
    901 	hlen = SHA1_MAC_LEN;
    902 	if (conn->verify.sha1_cert == NULL ||
    903 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
    904 		conn->verify.sha1_cert = NULL;
    905 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    906 				   TLS_ALERT_INTERNAL_ERROR);
    907 		return -1;
    908 	}
    909 	conn->verify.sha1_cert = NULL;
    910 
    911 	if (alg == SIGN_ALG_RSA)
    912 		hlen += MD5_MAC_LEN;
    913 
    914 #ifdef CONFIG_TLSV12
    915 	}
    916 #endif /* CONFIG_TLSV12 */
    917 
    918 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
    919 
    920 	if (end - pos < 2) {
    921 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    922 				   TLS_ALERT_DECODE_ERROR);
    923 		return -1;
    924 	}
    925 	slen = WPA_GET_BE16(pos);
    926 	pos += 2;
    927 	if (end - pos < slen) {
    928 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    929 				   TLS_ALERT_DECODE_ERROR);
    930 		return -1;
    931 	}
    932 
    933 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
    934 	if (conn->client_rsa_key == NULL) {
    935 		wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
    936 			   "signature");
    937 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    938 				   TLS_ALERT_INTERNAL_ERROR);
    939 		return -1;
    940 	}
    941 
    942 	buflen = end - pos;
    943 	buf = os_malloc(end - pos);
    944 	if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
    945 					    pos, end - pos, buf, &buflen) < 0)
    946 	{
    947 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
    948 		os_free(buf);
    949 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    950 				   TLS_ALERT_DECRYPT_ERROR);
    951 		return -1;
    952 	}
    953 
    954 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
    955 			buf, buflen);
    956 
    957 #ifdef CONFIG_TLSV12
    958 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
    959 		/*
    960 		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
    961 		 *
    962 		 * DigestInfo ::= SEQUENCE {
    963 		 *   digestAlgorithm DigestAlgorithm,
    964 		 *   digest OCTET STRING
    965 		 * }
    966 		 *
    967 		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
    968 		 *
    969 		 * DER encoded DigestInfo for SHA256 per RFC 3447:
    970 		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
    971 		 * H
    972 		 */
    973 		if (buflen >= 19 + 32 &&
    974 		    os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
    975 			      "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
    976 		{
    977 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = "
    978 				   "SHA-256");
    979 			os_memmove(buf, buf + 19, buflen - 19);
    980 			buflen -= 19;
    981 		} else {
    982 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized "
    983 				   "DigestInfo");
    984 			os_free(buf);
    985 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    986 					   TLS_ALERT_DECRYPT_ERROR);
    987 			return -1;
    988 		}
    989 	}
    990 #endif /* CONFIG_TLSV12 */
    991 
    992 	if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
    993 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
    994 			   "CertificateVerify - did not match with calculated "
    995 			   "hash");
    996 		os_free(buf);
    997 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    998 				   TLS_ALERT_DECRYPT_ERROR);
    999 		return -1;
   1000 	}
   1001 
   1002 	os_free(buf);
   1003 
   1004 	*in_len = end - in_data;
   1005 
   1006 	conn->state = CHANGE_CIPHER_SPEC;
   1007 
   1008 	return 0;
   1009 }
   1010 
   1011 
   1012 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
   1013 					  u8 ct, const u8 *in_data,
   1014 					  size_t *in_len)
   1015 {
   1016 	const u8 *pos;
   1017 	size_t left;
   1018 
   1019 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
   1020 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
   1021 			   "received content type 0x%x", ct);
   1022 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1023 				   TLS_ALERT_UNEXPECTED_MESSAGE);
   1024 		return -1;
   1025 	}
   1026 
   1027 	pos = in_data;
   1028 	left = *in_len;
   1029 
   1030 	if (left < 1) {
   1031 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
   1032 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1033 				   TLS_ALERT_DECODE_ERROR);
   1034 		return -1;
   1035 	}
   1036 
   1037 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
   1038 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
   1039 			   "received data 0x%x", *pos);
   1040 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1041 				   TLS_ALERT_UNEXPECTED_MESSAGE);
   1042 		return -1;
   1043 	}
   1044 
   1045 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
   1046 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
   1047 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
   1048 			   "for record layer");
   1049 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1050 				   TLS_ALERT_INTERNAL_ERROR);
   1051 		return -1;
   1052 	}
   1053 
   1054 	*in_len = pos + 1 - in_data;
   1055 
   1056 	conn->state = CLIENT_FINISHED;
   1057 
   1058 	return 0;
   1059 }
   1060 
   1061 
   1062 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
   1063 				       const u8 *in_data, size_t *in_len)
   1064 {
   1065 	const u8 *pos, *end;
   1066 	size_t left, len, hlen;
   1067 	u8 verify_data[TLS_VERIFY_DATA_LEN];
   1068 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
   1069 
   1070 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
   1071 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
   1072 			   "received content type 0x%x", ct);
   1073 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1074 				   TLS_ALERT_UNEXPECTED_MESSAGE);
   1075 		return -1;
   1076 	}
   1077 
   1078 	pos = in_data;
   1079 	left = *in_len;
   1080 
   1081 	if (left < 4) {
   1082 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
   1083 			   "Finished",
   1084 			   (unsigned long) left);
   1085 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1086 				   TLS_ALERT_DECODE_ERROR);
   1087 		return -1;
   1088 	}
   1089 
   1090 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
   1091 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
   1092 			   "type 0x%x", pos[0]);
   1093 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1094 				   TLS_ALERT_UNEXPECTED_MESSAGE);
   1095 		return -1;
   1096 	}
   1097 
   1098 	len = WPA_GET_BE24(pos + 1);
   1099 
   1100 	pos += 4;
   1101 	left -= 4;
   1102 
   1103 	if (len > left) {
   1104 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
   1105 			   "(len=%lu > left=%lu)",
   1106 			   (unsigned long) len, (unsigned long) left);
   1107 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1108 				   TLS_ALERT_DECODE_ERROR);
   1109 		return -1;
   1110 	}
   1111 	end = pos + len;
   1112 	if (len != TLS_VERIFY_DATA_LEN) {
   1113 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
   1114 			   "in Finished: %lu (expected %d)",
   1115 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
   1116 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1117 				   TLS_ALERT_DECODE_ERROR);
   1118 		return -1;
   1119 	}
   1120 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
   1121 		    pos, TLS_VERIFY_DATA_LEN);
   1122 
   1123 #ifdef CONFIG_TLSV12
   1124 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
   1125 		hlen = SHA256_MAC_LEN;
   1126 		if (conn->verify.sha256_client == NULL ||
   1127 		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
   1128 		    < 0) {
   1129 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1130 					   TLS_ALERT_INTERNAL_ERROR);
   1131 			conn->verify.sha256_client = NULL;
   1132 			return -1;
   1133 		}
   1134 		conn->verify.sha256_client = NULL;
   1135 	} else {
   1136 #endif /* CONFIG_TLSV12 */
   1137 
   1138 	hlen = MD5_MAC_LEN;
   1139 	if (conn->verify.md5_client == NULL ||
   1140 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
   1141 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1142 				   TLS_ALERT_INTERNAL_ERROR);
   1143 		conn->verify.md5_client = NULL;
   1144 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
   1145 		conn->verify.sha1_client = NULL;
   1146 		return -1;
   1147 	}
   1148 	conn->verify.md5_client = NULL;
   1149 	hlen = SHA1_MAC_LEN;
   1150 	if (conn->verify.sha1_client == NULL ||
   1151 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
   1152 			       &hlen) < 0) {
   1153 		conn->verify.sha1_client = NULL;
   1154 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1155 				   TLS_ALERT_INTERNAL_ERROR);
   1156 		return -1;
   1157 	}
   1158 	conn->verify.sha1_client = NULL;
   1159 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
   1160 
   1161 #ifdef CONFIG_TLSV12
   1162 	}
   1163 #endif /* CONFIG_TLSV12 */
   1164 
   1165 	if (tls_prf(conn->rl.tls_version,
   1166 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
   1167 		    "client finished", hash, hlen,
   1168 		    verify_data, TLS_VERIFY_DATA_LEN)) {
   1169 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
   1170 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1171 				   TLS_ALERT_DECRYPT_ERROR);
   1172 		return -1;
   1173 	}
   1174 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
   1175 			verify_data, TLS_VERIFY_DATA_LEN);
   1176 
   1177 	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
   1178 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
   1179 		return -1;
   1180 	}
   1181 
   1182 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
   1183 
   1184 	*in_len = end - in_data;
   1185 
   1186 	if (conn->use_session_ticket) {
   1187 		/* Abbreviated handshake using session ticket; RFC 4507 */
   1188 		wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
   1189 			   "successfully");
   1190 		conn->state = ESTABLISHED;
   1191 	} else {
   1192 		/* Full handshake */
   1193 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
   1194 	}
   1195 
   1196 	return 0;
   1197 }
   1198 
   1199 
   1200 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
   1201 				   const u8 *buf, size_t *len)
   1202 {
   1203 	if (ct == TLS_CONTENT_TYPE_ALERT) {
   1204 		if (*len < 2) {
   1205 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
   1206 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
   1207 					   TLS_ALERT_DECODE_ERROR);
   1208 			return -1;
   1209 		}
   1210 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
   1211 			   buf[0], buf[1]);
   1212 		*len = 2;
   1213 		conn->state = FAILED;
   1214 		return -1;
   1215 	}
   1216 
   1217 	switch (conn->state) {
   1218 	case CLIENT_HELLO:
   1219 		if (tls_process_client_hello(conn, ct, buf, len))
   1220 			return -1;
   1221 		break;
   1222 	case CLIENT_CERTIFICATE:
   1223 		if (tls_process_certificate(conn, ct, buf, len))
   1224 			return -1;
   1225 		break;
   1226 	case CLIENT_KEY_EXCHANGE:
   1227 		if (tls_process_client_key_exchange(conn, ct, buf, len))
   1228 			return -1;
   1229 		break;
   1230 	case CERTIFICATE_VERIFY:
   1231 		if (tls_process_certificate_verify(conn, ct, buf, len))
   1232 			return -1;
   1233 		break;
   1234 	case CHANGE_CIPHER_SPEC:
   1235 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
   1236 			return -1;
   1237 		break;
   1238 	case CLIENT_FINISHED:
   1239 		if (tls_process_client_finished(conn, ct, buf, len))
   1240 			return -1;
   1241 		break;
   1242 	default:
   1243 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
   1244 			   "while processing received message",
   1245 			   conn->state);
   1246 		return -1;
   1247 	}
   1248 
   1249 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
   1250 		tls_verify_hash_add(&conn->verify, buf, *len);
   1251 
   1252 	return 0;
   1253 }
   1254