1 /*
2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21
22
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 u8 ct, const u8 *in_data,
27 size_t *in_len);
28
29
testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33 if ((conn->test_flags &
34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44
45 return 0;
46 }
47
48
tls_process_status_request_item(struct tlsv1_server * conn,const u8 * req,size_t req_len)49 static void tls_process_status_request_item(struct tlsv1_server *conn,
50 const u8 *req, size_t req_len)
51 {
52 const u8 *pos, *end;
53 u8 status_type;
54
55 pos = req;
56 end = req + req_len;
57
58 /*
59 * RFC 6961, 2.2:
60 * struct {
61 * CertificateStatusType status_type;
62 * uint16 request_length;
63 * select (status_type) {
64 * case ocsp: OCSPStatusRequest;
65 * case ocsp_multi: OCSPStatusRequest;
66 * } request;
67 * } CertificateStatusRequestItemV2;
68 *
69 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
70 */
71
72 if (end - pos < 1)
73 return; /* Truncated data */
74
75 status_type = *pos++;
76 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77 if (status_type != 1 && status_type != 2)
78 return; /* Unsupported status type */
79 /*
80 * For now, only OCSP stapling is supported, so ignore the specific
81 * request, if any.
82 */
83 wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
84
85 if (status_type == 2)
86 conn->status_request_multi = 1;
87 }
88
89
tls_process_status_request_v2(struct tlsv1_server * conn,const u8 * ext,size_t ext_len)90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
91 const u8 *ext, size_t ext_len)
92 {
93 const u8 *pos, *end;
94
95 conn->status_request_v2 = 1;
96
97 pos = ext;
98 end = ext + ext_len;
99
100 /*
101 * RFC 6961, 2.2:
102 * struct {
103 * CertificateStatusRequestItemV2
104 * certificate_status_req_list<1..2^16-1>;
105 * } CertificateStatusRequestListV2;
106 */
107
108 while (end - pos >= 2) {
109 u16 len;
110
111 len = WPA_GET_BE16(pos);
112 pos += 2;
113 if (len > end - pos)
114 break; /* Truncated data */
115 tls_process_status_request_item(conn, pos, len);
116 pos += len;
117 }
118 }
119
120
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
122 const u8 *in_data, size_t *in_len)
123 {
124 const u8 *pos, *end, *c;
125 size_t left, len, i, j;
126 u16 cipher_suite;
127 u16 num_suites;
128 int compr_null_found;
129 u16 ext_type, ext_len;
130
131 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
132 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
133 ct);
134 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
135 TLS_ALERT_UNEXPECTED_MESSAGE);
136 return -1;
137 }
138
139 pos = in_data;
140 left = *in_len;
141
142 if (left < 4)
143 goto decode_error;
144
145 /* HandshakeType msg_type */
146 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
147 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
148 *pos);
149 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_UNEXPECTED_MESSAGE);
151 return -1;
152 }
153 tlsv1_server_log(conn, "Received ClientHello");
154 pos++;
155 /* uint24 length */
156 len = WPA_GET_BE24(pos);
157 pos += 3;
158 left -= 4;
159
160 if (len > left)
161 goto decode_error;
162
163 /* body - ClientHello */
164
165 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
166 end = pos + len;
167
168 /* ProtocolVersion client_version */
169 if (end - pos < 2)
170 goto decode_error;
171 conn->client_version = WPA_GET_BE16(pos);
172 tlsv1_server_log(conn, "Client version %d.%d",
173 conn->client_version >> 8,
174 conn->client_version & 0xff);
175 if (conn->client_version < TLS_VERSION_1) {
176 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
177 conn->client_version >> 8,
178 conn->client_version & 0xff);
179 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
180 TLS_ALERT_PROTOCOL_VERSION);
181 return -1;
182 }
183 pos += 2;
184
185 if (TLS_VERSION == TLS_VERSION_1)
186 conn->rl.tls_version = TLS_VERSION_1;
187 #ifdef CONFIG_TLSV12
188 else if (conn->client_version >= TLS_VERSION_1_2)
189 conn->rl.tls_version = TLS_VERSION_1_2;
190 #endif /* CONFIG_TLSV12 */
191 else if (conn->client_version > TLS_VERSION_1_1)
192 conn->rl.tls_version = TLS_VERSION_1_1;
193 else
194 conn->rl.tls_version = conn->client_version;
195 tlsv1_server_log(conn, "Using TLS v%s",
196 tls_version_str(conn->rl.tls_version));
197
198 /* Random random */
199 if (end - pos < TLS_RANDOM_LEN)
200 goto decode_error;
201
202 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
203 pos += TLS_RANDOM_LEN;
204 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
205 conn->client_random, TLS_RANDOM_LEN);
206
207 /* SessionID session_id */
208 if (end - pos < 1)
209 goto decode_error;
210 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
211 goto decode_error;
212 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
213 pos += 1 + *pos;
214 /* TODO: add support for session resumption */
215
216 /* CipherSuite cipher_suites<2..2^16-1> */
217 if (end - pos < 2)
218 goto decode_error;
219 num_suites = WPA_GET_BE16(pos);
220 pos += 2;
221 if (end - pos < num_suites)
222 goto decode_error;
223 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
224 pos, num_suites);
225 if (num_suites & 1)
226 goto decode_error;
227 num_suites /= 2;
228
229 cipher_suite = 0;
230 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
231 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
232 continue;
233 c = pos;
234 for (j = 0; j < num_suites; j++) {
235 u16 tmp = WPA_GET_BE16(c);
236 c += 2;
237 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
238 cipher_suite = tmp;
239 break;
240 }
241 }
242 }
243 pos += num_suites * 2;
244 if (!cipher_suite) {
245 tlsv1_server_log(conn, "No supported cipher suite available");
246 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
247 TLS_ALERT_ILLEGAL_PARAMETER);
248 return -1;
249 }
250
251 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
252 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
253 "record layer");
254 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
255 TLS_ALERT_INTERNAL_ERROR);
256 return -1;
257 }
258
259 conn->cipher_suite = cipher_suite;
260
261 /* CompressionMethod compression_methods<1..2^8-1> */
262 if (end - pos < 1)
263 goto decode_error;
264 num_suites = *pos++;
265 if (end - pos < num_suites)
266 goto decode_error;
267 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
268 pos, num_suites);
269 compr_null_found = 0;
270 for (i = 0; i < num_suites; i++) {
271 if (*pos++ == TLS_COMPRESSION_NULL)
272 compr_null_found = 1;
273 }
274 if (!compr_null_found) {
275 tlsv1_server_log(conn, "Client does not accept NULL compression");
276 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
277 TLS_ALERT_ILLEGAL_PARAMETER);
278 return -1;
279 }
280
281 if (end - pos == 1) {
282 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
283 *pos);
284 goto decode_error;
285 }
286
287 if (end - pos >= 2) {
288 /* Extension client_hello_extension_list<0..2^16-1> */
289 ext_len = WPA_GET_BE16(pos);
290 pos += 2;
291
292 tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
293 ext_len);
294 if (end - pos != ext_len) {
295 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
296 ext_len, (unsigned int) (end - pos));
297 goto decode_error;
298 }
299
300 /*
301 * struct {
302 * ExtensionType extension_type (0..65535)
303 * opaque extension_data<0..2^16-1>
304 * } Extension;
305 */
306
307 while (pos < end) {
308 if (end - pos < 2) {
309 tlsv1_server_log(conn, "Invalid extension_type field");
310 goto decode_error;
311 }
312
313 ext_type = WPA_GET_BE16(pos);
314 pos += 2;
315
316 if (end - pos < 2) {
317 tlsv1_server_log(conn, "Invalid extension_data length field");
318 goto decode_error;
319 }
320
321 ext_len = WPA_GET_BE16(pos);
322 pos += 2;
323
324 if (end - pos < ext_len) {
325 tlsv1_server_log(conn, "Invalid extension_data field");
326 goto decode_error;
327 }
328
329 tlsv1_server_log(conn, "ClientHello Extension type %u",
330 ext_type);
331 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
332 "Extension data", pos, ext_len);
333
334 if (ext_type == TLS_EXT_SESSION_TICKET) {
335 os_free(conn->session_ticket);
336 conn->session_ticket = os_malloc(ext_len);
337 if (conn->session_ticket) {
338 os_memcpy(conn->session_ticket, pos,
339 ext_len);
340 conn->session_ticket_len = ext_len;
341 }
342 } else if (ext_type == TLS_EXT_STATUS_REQUEST) {
343 conn->status_request = 1;
344 } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
345 tls_process_status_request_v2(conn, pos,
346 ext_len);
347 }
348
349 pos += ext_len;
350 }
351 }
352
353 *in_len = end - in_data;
354
355 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
356 conn->state = SERVER_HELLO;
357
358 return 0;
359
360 decode_error:
361 tlsv1_server_log(conn, "Failed to decode ClientHello");
362 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
363 TLS_ALERT_DECODE_ERROR);
364 return -1;
365 }
366
367
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)368 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
369 const u8 *in_data, size_t *in_len)
370 {
371 const u8 *pos, *end;
372 size_t left, len, list_len, cert_len, idx;
373 u8 type;
374 struct x509_certificate *chain = NULL, *last = NULL, *cert;
375 int reason;
376
377 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
378 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
379 ct);
380 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
381 TLS_ALERT_UNEXPECTED_MESSAGE);
382 return -1;
383 }
384
385 pos = in_data;
386 left = *in_len;
387
388 if (left < 4) {
389 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
390 (unsigned long) left);
391 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
392 TLS_ALERT_DECODE_ERROR);
393 return -1;
394 }
395
396 type = *pos++;
397 len = WPA_GET_BE24(pos);
398 pos += 3;
399 left -= 4;
400
401 if (len > left) {
402 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
403 (unsigned long) len, (unsigned long) left);
404 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
405 TLS_ALERT_DECODE_ERROR);
406 return -1;
407 }
408
409 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
410 if (conn->verify_peer) {
411 tlsv1_server_log(conn, "Client did not include Certificate");
412 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
413 TLS_ALERT_UNEXPECTED_MESSAGE);
414 return -1;
415 }
416
417 return tls_process_client_key_exchange(conn, ct, in_data,
418 in_len);
419 }
420 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
421 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
422 type);
423 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
424 TLS_ALERT_UNEXPECTED_MESSAGE);
425 return -1;
426 }
427
428 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
429 (unsigned long) len);
430
431 /*
432 * opaque ASN.1Cert<2^24-1>;
433 *
434 * struct {
435 * ASN.1Cert certificate_list<1..2^24-1>;
436 * } Certificate;
437 */
438
439 end = pos + len;
440
441 if (end - pos < 3) {
442 tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
443 (unsigned long) left);
444 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
445 TLS_ALERT_DECODE_ERROR);
446 return -1;
447 }
448
449 list_len = WPA_GET_BE24(pos);
450 pos += 3;
451
452 if ((size_t) (end - pos) != list_len) {
453 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
454 (unsigned long) list_len,
455 (unsigned long) (end - pos));
456 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
457 TLS_ALERT_DECODE_ERROR);
458 return -1;
459 }
460
461 idx = 0;
462 while (pos < end) {
463 if (end - pos < 3) {
464 tlsv1_server_log(conn, "Failed to parse certificate_list");
465 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
466 TLS_ALERT_DECODE_ERROR);
467 x509_certificate_chain_free(chain);
468 return -1;
469 }
470
471 cert_len = WPA_GET_BE24(pos);
472 pos += 3;
473
474 if ((size_t) (end - pos) < cert_len) {
475 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
476 (unsigned long) cert_len,
477 (unsigned long) (end - pos));
478 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
479 TLS_ALERT_DECODE_ERROR);
480 x509_certificate_chain_free(chain);
481 return -1;
482 }
483
484 tlsv1_server_log(conn, "Certificate %lu (len %lu)",
485 (unsigned long) idx, (unsigned long) cert_len);
486
487 if (idx == 0) {
488 crypto_public_key_free(conn->client_rsa_key);
489 if (tls_parse_cert(pos, cert_len,
490 &conn->client_rsa_key)) {
491 tlsv1_server_log(conn, "Failed to parse the certificate");
492 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
493 TLS_ALERT_BAD_CERTIFICATE);
494 x509_certificate_chain_free(chain);
495 return -1;
496 }
497 }
498
499 cert = x509_certificate_parse(pos, cert_len);
500 if (cert == NULL) {
501 tlsv1_server_log(conn, "Failed to parse the certificate");
502 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
503 TLS_ALERT_BAD_CERTIFICATE);
504 x509_certificate_chain_free(chain);
505 return -1;
506 }
507
508 if (last == NULL)
509 chain = cert;
510 else
511 last->next = cert;
512 last = cert;
513
514 idx++;
515 pos += cert_len;
516 }
517
518 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
519 &reason, 0) < 0) {
520 int tls_reason;
521 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
522 reason);
523 switch (reason) {
524 case X509_VALIDATE_BAD_CERTIFICATE:
525 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
526 break;
527 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
528 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
529 break;
530 case X509_VALIDATE_CERTIFICATE_REVOKED:
531 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
532 break;
533 case X509_VALIDATE_CERTIFICATE_EXPIRED:
534 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
535 break;
536 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
537 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
538 break;
539 case X509_VALIDATE_UNKNOWN_CA:
540 tls_reason = TLS_ALERT_UNKNOWN_CA;
541 break;
542 default:
543 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
544 break;
545 }
546 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
547 x509_certificate_chain_free(chain);
548 return -1;
549 }
550
551 if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
552 !(chain->ext_key_usage &
553 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
554 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
555 TLS_ALERT_BAD_CERTIFICATE);
556 x509_certificate_chain_free(chain);
557 return -1;
558 }
559
560 x509_certificate_chain_free(chain);
561
562 *in_len = end - in_data;
563
564 conn->state = CLIENT_KEY_EXCHANGE;
565
566 return 0;
567 }
568
569
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)570 static int tls_process_client_key_exchange_rsa(
571 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
572 {
573 u8 *out;
574 size_t outlen, outbuflen;
575 u16 encr_len;
576 int res;
577 int use_random = 0;
578
579 if (end - pos < 2) {
580 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
581 TLS_ALERT_DECODE_ERROR);
582 return -1;
583 }
584
585 encr_len = WPA_GET_BE16(pos);
586 pos += 2;
587 if (pos + encr_len > end) {
588 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
589 encr_len, (unsigned int) (end - pos));
590 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
591 TLS_ALERT_DECODE_ERROR);
592 return -1;
593 }
594
595 outbuflen = outlen = end - pos;
596 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
597 outlen : TLS_PRE_MASTER_SECRET_LEN);
598 if (out == NULL) {
599 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
600 TLS_ALERT_INTERNAL_ERROR);
601 return -1;
602 }
603
604 /*
605 * struct {
606 * ProtocolVersion client_version;
607 * opaque random[46];
608 * } PreMasterSecret;
609 *
610 * struct {
611 * public-key-encrypted PreMasterSecret pre_master_secret;
612 * } EncryptedPreMasterSecret;
613 */
614
615 /*
616 * Note: To avoid Bleichenbacher attack, we do not report decryption or
617 * parsing errors from EncryptedPreMasterSecret processing to the
618 * client. Instead, a random pre-master secret is used to force the
619 * handshake to fail.
620 */
621
622 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
623 pos, encr_len,
624 out, &outlen) < 0) {
625 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
626 "PreMasterSecret (encr_len=%u outlen=%lu)",
627 encr_len, (unsigned long) outlen);
628 use_random = 1;
629 }
630
631 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
632 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
633 (unsigned long) outlen);
634 use_random = 1;
635 }
636
637 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
638 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
639 use_random = 1;
640 }
641
642 if (use_random) {
643 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
644 "to avoid revealing information about private key");
645 outlen = TLS_PRE_MASTER_SECRET_LEN;
646 if (os_get_random(out, outlen)) {
647 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
648 "data");
649 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
650 TLS_ALERT_INTERNAL_ERROR);
651 os_free(out);
652 return -1;
653 }
654 }
655
656 res = tlsv1_server_derive_keys(conn, out, outlen);
657
658 /* Clear the pre-master secret since it is not needed anymore */
659 os_memset(out, 0, outbuflen);
660 os_free(out);
661
662 if (res) {
663 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
664 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
665 TLS_ALERT_INTERNAL_ERROR);
666 return -1;
667 }
668
669 return 0;
670 }
671
672
tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)673 static int tls_process_client_key_exchange_dh(
674 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
675 {
676 const u8 *dh_yc;
677 u16 dh_yc_len;
678 u8 *shared;
679 size_t shared_len;
680 int res;
681 const u8 *dh_p;
682 size_t dh_p_len;
683
684 /*
685 * struct {
686 * select (PublicValueEncoding) {
687 * case implicit: struct { };
688 * case explicit: opaque dh_Yc<1..2^16-1>;
689 * } dh_public;
690 * } ClientDiffieHellmanPublic;
691 */
692
693 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
694 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
695 pos, end - pos);
696
697 if (end == pos) {
698 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
699 "not supported");
700 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
701 TLS_ALERT_INTERNAL_ERROR);
702 return -1;
703 }
704
705 if (end - pos < 3) {
706 tlsv1_server_log(conn, "Invalid client public value length");
707 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
708 TLS_ALERT_DECODE_ERROR);
709 return -1;
710 }
711
712 dh_yc_len = WPA_GET_BE16(pos);
713 dh_yc = pos + 2;
714
715 if (dh_yc_len > end - dh_yc) {
716 tlsv1_server_log(conn, "Client public value overflow (length %d)",
717 dh_yc_len);
718 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
719 TLS_ALERT_DECODE_ERROR);
720 return -1;
721 }
722
723 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
724 dh_yc, dh_yc_len);
725
726 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
727 conn->dh_secret == NULL) {
728 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
729 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
730 TLS_ALERT_INTERNAL_ERROR);
731 return -1;
732 }
733
734 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
735
736 shared_len = dh_p_len;
737 shared = os_malloc(shared_len);
738 if (shared == NULL) {
739 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
740 "DH");
741 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
742 TLS_ALERT_INTERNAL_ERROR);
743 return -1;
744 }
745
746 /* shared = Yc^secret mod p */
747 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
748 conn->dh_secret_len, dh_p, dh_p_len,
749 shared, &shared_len)) {
750 os_free(shared);
751 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
752 TLS_ALERT_INTERNAL_ERROR);
753 return -1;
754 }
755 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
756 shared, shared_len);
757
758 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
759 os_free(conn->dh_secret);
760 conn->dh_secret = NULL;
761
762 res = tlsv1_server_derive_keys(conn, shared, shared_len);
763
764 /* Clear the pre-master secret since it is not needed anymore */
765 os_memset(shared, 0, shared_len);
766 os_free(shared);
767
768 if (res) {
769 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
770 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
771 TLS_ALERT_INTERNAL_ERROR);
772 return -1;
773 }
774
775 return 0;
776 }
777
778
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)779 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
780 const u8 *in_data, size_t *in_len)
781 {
782 const u8 *pos, *end;
783 size_t left, len;
784 u8 type;
785 tls_key_exchange keyx;
786 const struct tls_cipher_suite *suite;
787
788 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
789 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
790 ct);
791 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
792 TLS_ALERT_UNEXPECTED_MESSAGE);
793 return -1;
794 }
795
796 pos = in_data;
797 left = *in_len;
798
799 if (left < 4) {
800 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
801 (unsigned long) left);
802 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
803 TLS_ALERT_DECODE_ERROR);
804 return -1;
805 }
806
807 type = *pos++;
808 len = WPA_GET_BE24(pos);
809 pos += 3;
810 left -= 4;
811
812 if (len > left) {
813 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
814 (unsigned long) len, (unsigned long) left);
815 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
816 TLS_ALERT_DECODE_ERROR);
817 return -1;
818 }
819
820 end = pos + len;
821
822 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
823 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
824 type);
825 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
826 TLS_ALERT_UNEXPECTED_MESSAGE);
827 return -1;
828 }
829
830 tlsv1_server_log(conn, "Received ClientKeyExchange");
831
832 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
833
834 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
835 if (suite == NULL)
836 keyx = TLS_KEY_X_NULL;
837 else
838 keyx = suite->key_exchange;
839
840 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
841 tls_process_client_key_exchange_dh(conn, pos, end) < 0)
842 return -1;
843
844 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
845 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
846 return -1;
847
848 *in_len = end - in_data;
849
850 conn->state = CERTIFICATE_VERIFY;
851
852 return 0;
853 }
854
855
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)856 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
857 const u8 *in_data, size_t *in_len)
858 {
859 const u8 *pos, *end;
860 size_t left, len;
861 u8 type;
862 size_t hlen;
863 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
864 u8 alert;
865
866 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
867 if (conn->verify_peer) {
868 tlsv1_server_log(conn, "Client did not include CertificateVerify");
869 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
870 TLS_ALERT_UNEXPECTED_MESSAGE);
871 return -1;
872 }
873
874 return tls_process_change_cipher_spec(conn, ct, in_data,
875 in_len);
876 }
877
878 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
879 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
880 ct);
881 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
882 TLS_ALERT_UNEXPECTED_MESSAGE);
883 return -1;
884 }
885
886 pos = in_data;
887 left = *in_len;
888
889 if (left < 4) {
890 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
891 (unsigned long) left);
892 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
893 TLS_ALERT_DECODE_ERROR);
894 return -1;
895 }
896
897 type = *pos++;
898 len = WPA_GET_BE24(pos);
899 pos += 3;
900 left -= 4;
901
902 if (len > left) {
903 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
904 (unsigned long) len, (unsigned long) left);
905 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
906 TLS_ALERT_DECODE_ERROR);
907 return -1;
908 }
909
910 end = pos + len;
911
912 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
913 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
914 type);
915 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
916 TLS_ALERT_UNEXPECTED_MESSAGE);
917 return -1;
918 }
919
920 tlsv1_server_log(conn, "Received CertificateVerify");
921
922 /*
923 * struct {
924 * Signature signature;
925 * } CertificateVerify;
926 */
927
928 hpos = hash;
929
930 #ifdef CONFIG_TLSV12
931 if (conn->rl.tls_version == TLS_VERSION_1_2) {
932 /*
933 * RFC 5246, 4.7:
934 * TLS v1.2 adds explicit indication of the used signature and
935 * hash algorithms.
936 *
937 * struct {
938 * HashAlgorithm hash;
939 * SignatureAlgorithm signature;
940 * } SignatureAndHashAlgorithm;
941 */
942 if (end - pos < 2) {
943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944 TLS_ALERT_DECODE_ERROR);
945 return -1;
946 }
947 if (pos[0] != TLS_HASH_ALG_SHA256 ||
948 pos[1] != TLS_SIGN_ALG_RSA) {
949 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
950 "signature(%u) algorithm",
951 pos[0], pos[1]);
952 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
953 TLS_ALERT_INTERNAL_ERROR);
954 return -1;
955 }
956 pos += 2;
957
958 hlen = SHA256_MAC_LEN;
959 if (conn->verify.sha256_cert == NULL ||
960 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
961 0) {
962 conn->verify.sha256_cert = NULL;
963 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
964 TLS_ALERT_INTERNAL_ERROR);
965 return -1;
966 }
967 conn->verify.sha256_cert = NULL;
968 } else {
969 #endif /* CONFIG_TLSV12 */
970
971 hlen = MD5_MAC_LEN;
972 if (conn->verify.md5_cert == NULL ||
973 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
974 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
975 TLS_ALERT_INTERNAL_ERROR);
976 conn->verify.md5_cert = NULL;
977 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
978 conn->verify.sha1_cert = NULL;
979 return -1;
980 }
981 hpos += MD5_MAC_LEN;
982
983 conn->verify.md5_cert = NULL;
984 hlen = SHA1_MAC_LEN;
985 if (conn->verify.sha1_cert == NULL ||
986 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
987 conn->verify.sha1_cert = NULL;
988 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
989 TLS_ALERT_INTERNAL_ERROR);
990 return -1;
991 }
992 conn->verify.sha1_cert = NULL;
993
994 hlen += MD5_MAC_LEN;
995
996 #ifdef CONFIG_TLSV12
997 }
998 #endif /* CONFIG_TLSV12 */
999
1000 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1001
1002 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1003 hash, hlen, pos, end - pos, &alert) < 0) {
1004 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1005 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1006 return -1;
1007 }
1008
1009 *in_len = end - in_data;
1010
1011 conn->state = CHANGE_CIPHER_SPEC;
1012
1013 return 0;
1014 }
1015
1016
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1017 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1018 u8 ct, const u8 *in_data,
1019 size_t *in_len)
1020 {
1021 const u8 *pos;
1022 size_t left;
1023
1024 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1025 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1026 ct);
1027 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028 TLS_ALERT_UNEXPECTED_MESSAGE);
1029 return -1;
1030 }
1031
1032 pos = in_data;
1033 left = *in_len;
1034
1035 if (left < 1) {
1036 tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1037 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038 TLS_ALERT_DECODE_ERROR);
1039 return -1;
1040 }
1041
1042 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1043 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1044 *pos);
1045 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1046 TLS_ALERT_UNEXPECTED_MESSAGE);
1047 return -1;
1048 }
1049
1050 tlsv1_server_log(conn, "Received ChangeCipherSpec");
1051 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1052 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1053 "for record layer");
1054 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1055 TLS_ALERT_INTERNAL_ERROR);
1056 return -1;
1057 }
1058
1059 *in_len = pos + 1 - in_data;
1060
1061 conn->state = CLIENT_FINISHED;
1062
1063 return 0;
1064 }
1065
1066
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1067 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1068 const u8 *in_data, size_t *in_len)
1069 {
1070 const u8 *pos, *end;
1071 size_t left, len, hlen;
1072 u8 verify_data[TLS_VERIFY_DATA_LEN];
1073 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1074
1075 #ifdef CONFIG_TESTING_OPTIONS
1076 if ((conn->test_flags &
1077 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1078 !conn->test_failure_reported) {
1079 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1080 conn->test_failure_reported = 1;
1081 }
1082
1083 if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1084 !conn->test_failure_reported) {
1085 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1086 conn->test_failure_reported = 1;
1087 }
1088
1089 if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1090 !conn->test_failure_reported) {
1091 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1092 conn->test_failure_reported = 1;
1093 }
1094
1095 if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1096 !conn->test_failure_reported) {
1097 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1098 conn->test_failure_reported = 1;
1099 }
1100
1101 if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1102 !conn->test_failure_reported) {
1103 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1104 conn->test_failure_reported = 1;
1105 }
1106
1107 if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1108 !conn->test_failure_reported) {
1109 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1110 conn->test_failure_reported = 1;
1111 }
1112 #endif /* CONFIG_TESTING_OPTIONS */
1113
1114 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1115 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1116 ct);
1117 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1118 TLS_ALERT_UNEXPECTED_MESSAGE);
1119 return -1;
1120 }
1121
1122 pos = in_data;
1123 left = *in_len;
1124
1125 if (left < 4) {
1126 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1127 (unsigned long) left);
1128 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1129 TLS_ALERT_DECODE_ERROR);
1130 return -1;
1131 }
1132
1133 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1134 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1135 "type 0x%x", pos[0]);
1136 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1137 TLS_ALERT_UNEXPECTED_MESSAGE);
1138 return -1;
1139 }
1140
1141 len = WPA_GET_BE24(pos + 1);
1142
1143 pos += 4;
1144 left -= 4;
1145
1146 if (len > left) {
1147 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1148 (unsigned long) len, (unsigned long) left);
1149 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1150 TLS_ALERT_DECODE_ERROR);
1151 return -1;
1152 }
1153 end = pos + len;
1154 if (len != TLS_VERIFY_DATA_LEN) {
1155 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1156 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1157 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158 TLS_ALERT_DECODE_ERROR);
1159 return -1;
1160 }
1161 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1162 pos, TLS_VERIFY_DATA_LEN);
1163
1164 #ifdef CONFIG_TLSV12
1165 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1166 hlen = SHA256_MAC_LEN;
1167 if (conn->verify.sha256_client == NULL ||
1168 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1169 < 0) {
1170 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171 TLS_ALERT_INTERNAL_ERROR);
1172 conn->verify.sha256_client = NULL;
1173 return -1;
1174 }
1175 conn->verify.sha256_client = NULL;
1176 } else {
1177 #endif /* CONFIG_TLSV12 */
1178
1179 hlen = MD5_MAC_LEN;
1180 if (conn->verify.md5_client == NULL ||
1181 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1182 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1183 TLS_ALERT_INTERNAL_ERROR);
1184 conn->verify.md5_client = NULL;
1185 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1186 conn->verify.sha1_client = NULL;
1187 return -1;
1188 }
1189 conn->verify.md5_client = NULL;
1190 hlen = SHA1_MAC_LEN;
1191 if (conn->verify.sha1_client == NULL ||
1192 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1193 &hlen) < 0) {
1194 conn->verify.sha1_client = NULL;
1195 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1196 TLS_ALERT_INTERNAL_ERROR);
1197 return -1;
1198 }
1199 conn->verify.sha1_client = NULL;
1200 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1201
1202 #ifdef CONFIG_TLSV12
1203 }
1204 #endif /* CONFIG_TLSV12 */
1205
1206 if (tls_prf(conn->rl.tls_version,
1207 conn->master_secret, TLS_MASTER_SECRET_LEN,
1208 "client finished", hash, hlen,
1209 verify_data, TLS_VERIFY_DATA_LEN)) {
1210 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1211 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1212 TLS_ALERT_DECRYPT_ERROR);
1213 return -1;
1214 }
1215 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1216 verify_data, TLS_VERIFY_DATA_LEN);
1217
1218 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1219 tlsv1_server_log(conn, "Mismatch in verify_data");
1220 return -1;
1221 }
1222
1223 tlsv1_server_log(conn, "Received Finished");
1224
1225 *in_len = end - in_data;
1226
1227 if (conn->use_session_ticket) {
1228 /* Abbreviated handshake using session ticket; RFC 4507 */
1229 tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1230 conn->state = ESTABLISHED;
1231 } else {
1232 /* Full handshake */
1233 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1234 }
1235
1236 return 0;
1237 }
1238
1239
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1240 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1241 const u8 *buf, size_t *len)
1242 {
1243 if (ct == TLS_CONTENT_TYPE_ALERT) {
1244 if (*len < 2) {
1245 tlsv1_server_log(conn, "Alert underflow");
1246 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1247 TLS_ALERT_DECODE_ERROR);
1248 return -1;
1249 }
1250 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1251 *len = 2;
1252 conn->state = FAILED;
1253 return -1;
1254 }
1255
1256 switch (conn->state) {
1257 case CLIENT_HELLO:
1258 if (tls_process_client_hello(conn, ct, buf, len))
1259 return -1;
1260 break;
1261 case CLIENT_CERTIFICATE:
1262 if (tls_process_certificate(conn, ct, buf, len))
1263 return -1;
1264 break;
1265 case CLIENT_KEY_EXCHANGE:
1266 if (tls_process_client_key_exchange(conn, ct, buf, len))
1267 return -1;
1268 break;
1269 case CERTIFICATE_VERIFY:
1270 if (tls_process_certificate_verify(conn, ct, buf, len))
1271 return -1;
1272 break;
1273 case CHANGE_CIPHER_SPEC:
1274 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1275 return -1;
1276 break;
1277 case CLIENT_FINISHED:
1278 if (tls_process_client_finished(conn, ct, buf, len))
1279 return -1;
1280 break;
1281 default:
1282 tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1283 conn->state);
1284 return -1;
1285 }
1286
1287 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1288 tls_verify_hash_add(&conn->verify, buf, *len);
1289
1290 return 0;
1291 }
1292