2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
44 const u8 *end = pos + len;
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
56 ext = WPA_GET_BE16(pos);
58 elen = WPA_GET_BE16(pos);
61 if (elen > end - pos) {
62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 const u8 *in_data, size_t *in_len)
86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct);
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_UNEXPECTED_MESSAGE);
100 /* HandshakeType msg_type */
101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos);
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 TLS_ALERT_UNEXPECTED_MESSAGE);
108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
111 len = WPA_GET_BE24(pos);
118 /* body - ServerHello */
120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
123 /* ProtocolVersion server_version */
126 tls_version = WPA_GET_BE16(pos);
127 if (!tls_version_ok(tls_version) ||
128 tls_version_disabled(conn, tls_version)) {
129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos[0], pos[1]);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_PROTOCOL_VERSION);
137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version));
139 conn->rl.tls_version = tls_version;
142 if (end - pos < TLS_RANDOM_LEN)
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 pos += TLS_RANDOM_LEN;
147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 conn->server_random, TLS_RANDOM_LEN);
150 /* SessionID session_id */
153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
155 if (conn->session_id_len && conn->session_id_len == *pos &&
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 pos += 1 + conn->session_id_len;
158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 conn->session_resumed = 1;
161 conn->session_id_len = *pos;
163 os_memcpy(conn->session_id, pos, conn->session_id_len);
164 pos += conn->session_id_len;
166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 conn->session_id, conn->session_id_len);
169 /* CipherSuite cipher_suite */
172 cipher_suite = WPA_GET_BE16(pos);
174 for (i = 0; i < conn->num_cipher_suites; i++) {
175 if (cipher_suite == conn->cipher_suites[i])
178 if (i == conn->num_cipher_suites) {
179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite);
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 TLS_ALERT_ILLEGAL_PARAMETER);
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 TLS_ALERT_ILLEGAL_PARAMETER);
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 TLS_ALERT_INTERNAL_ERROR);
203 conn->prev_cipher_suite = cipher_suite;
205 /* CompressionMethod compression_method */
208 if (*pos != TLS_COMPRESSION_NULL) {
209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos);
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 TLS_ALERT_ILLEGAL_PARAMETER);
217 if (end - pos >= 2) {
220 ext_len = WPA_GET_BE16(pos);
222 if (end - pos < ext_len) {
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len, (unsigned int) (end - pos));
229 if (tls_process_server_hello_extensions(conn, pos, ext_len))
235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos, end - pos);
240 if (conn->session_ticket_included && conn->session_ticket_cb) {
241 /* TODO: include SessionTicket extension if one was included in
243 int res = conn->session_ticket_cb(
244 conn->session_ticket_cb_ctx, NULL, 0,
245 conn->client_random, conn->server_random,
246 conn->master_secret);
248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_HANDSHAKE_FAILURE);
254 conn->use_session_ticket = !!res;
257 if ((conn->session_resumed || conn->use_session_ticket) &&
258 tls_derive_keys(conn, NULL, 0)) {
259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 TLS_ALERT_INTERNAL_ERROR);
265 *in_len = end - in_data;
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 struct x509_certificate *cert)
282 union tls_event_data ev;
283 struct wpabuf *cert_buf = NULL;
286 #endif /* CONFIG_SHA256 */
292 os_memset(&ev, 0, sizeof(ev));
293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 cert_buf = wpabuf_alloc_copy(cert->cert_start,
296 ev.peer_cert.cert = cert_buf;
302 addr[0] = wpabuf_head(cert_buf);
303 len[0] = wpabuf_len(cert_buf);
304 if (sha256_vector(1, addr, len, hash) == 0) {
305 ev.peer_cert.hash = hash;
306 ev.peer_cert.hash_len = sizeof(hash);
309 #endif /* CONFIG_SHA256 */
311 ev.peer_cert.depth = depth;
312 x509_name_string(&cert->subject, subject, sizeof(subject));
313 ev.peer_cert.subject = subject;
315 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
316 wpabuf_free(cert_buf);
320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
321 struct x509_certificate *cert,
322 enum tls_fail_reason reason,
323 const char *reason_txt)
325 struct wpabuf *cert_buf = NULL;
326 union tls_event_data ev;
329 if (!conn->event_cb || !cert)
332 os_memset(&ev, 0, sizeof(ev));
333 ev.cert_fail.depth = depth;
334 x509_name_string(&cert->subject, subject, sizeof(subject));
335 ev.peer_cert.subject = subject;
336 ev.cert_fail.reason = reason;
337 ev.cert_fail.reason_txt = reason_txt;
338 cert_buf = wpabuf_alloc_copy(cert->cert_start,
340 ev.cert_fail.cert = cert_buf;
341 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
342 wpabuf_free(cert_buf);
346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
347 const u8 *in_data, size_t *in_len)
350 size_t left, len, list_len, cert_len, idx;
352 struct x509_certificate *chain = NULL, *last = NULL, *cert;
355 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
356 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
357 "received content type 0x%x", ct);
358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 TLS_ALERT_UNEXPECTED_MESSAGE);
367 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
368 "(len=%lu)", (unsigned long) left);
369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
374 len = WPA_GET_BE24(pos);
379 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
380 "length (len=%lu != left=%lu)",
381 (unsigned long) len, (unsigned long) left);
382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
386 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
387 return tls_process_server_key_exchange(conn, ct, in_data,
389 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
390 return tls_process_certificate_request(conn, ct, in_data,
392 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
393 return tls_process_server_hello_done(conn, ct, in_data,
395 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
396 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
397 "message %d (expected Certificate/"
398 "ServerKeyExchange/CertificateRequest/"
399 "ServerHelloDone)", type);
400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
401 TLS_ALERT_UNEXPECTED_MESSAGE);
405 wpa_printf(MSG_DEBUG,
406 "TLSv1: Received Certificate (certificate_list len %lu)",
407 (unsigned long) len);
410 * opaque ASN.1Cert<2^24-1>;
413 * ASN.1Cert certificate_list<1..2^24-1>;
420 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
421 "(left=%lu)", (unsigned long) left);
422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
426 list_len = WPA_GET_BE24(pos);
429 if ((size_t) (end - pos) != list_len) {
430 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
431 "length (len=%lu left=%lu)",
432 (unsigned long) list_len,
433 (unsigned long) (end - pos));
434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
441 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
444 TLS_ALERT_DECODE_ERROR);
445 x509_certificate_chain_free(chain);
449 cert_len = WPA_GET_BE24(pos);
452 if ((size_t) (end - pos) < cert_len) {
453 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
454 "length (len=%lu left=%lu)",
455 (unsigned long) cert_len,
456 (unsigned long) (end - pos));
457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 TLS_ALERT_DECODE_ERROR);
459 x509_certificate_chain_free(chain);
463 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
464 (unsigned long) idx, (unsigned long) cert_len);
467 crypto_public_key_free(conn->server_rsa_key);
468 if (tls_parse_cert(pos, cert_len,
469 &conn->server_rsa_key)) {
470 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
472 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 TLS_ALERT_BAD_CERTIFICATE);
474 x509_certificate_chain_free(chain);
479 cert = x509_certificate_parse(pos, cert_len);
481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 TLS_ALERT_BAD_CERTIFICATE);
485 x509_certificate_chain_free(chain);
489 tls_peer_cert_event(conn, idx, cert);
501 if (conn->cred && conn->cred->server_cert_only && chain) {
502 u8 hash[SHA256_MAC_LEN];
505 wpa_printf(MSG_DEBUG,
506 "TLSv1: Validate server certificate hash");
507 x509_name_string(&chain->subject, buf, sizeof(buf));
508 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
509 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
511 os_memcmp(conn->cred->srv_cert_hash, hash,
512 SHA256_MAC_LEN) != 0) {
513 wpa_printf(MSG_DEBUG,
514 "TLSv1: Server certificate hash mismatch");
515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
516 hash, SHA256_MAC_LEN);
517 if (conn->event_cb) {
518 union tls_event_data ev;
520 os_memset(&ev, 0, sizeof(ev));
521 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
522 ev.cert_fail.reason_txt =
523 "Server certificate mismatch";
524 ev.cert_fail.subject = buf;
525 conn->event_cb(conn->cb_ctx,
526 TLS_CERT_CHAIN_FAILURE, &ev);
528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 TLS_ALERT_BAD_CERTIFICATE);
530 x509_certificate_chain_free(chain);
533 } else if (conn->cred && conn->cred->cert_probe) {
534 wpa_printf(MSG_DEBUG,
535 "TLSv1: Reject server certificate on probe-only rune");
536 if (conn->event_cb) {
537 union tls_event_data ev;
540 os_memset(&ev, 0, sizeof(ev));
541 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
542 ev.cert_fail.reason_txt =
543 "Server certificate chain probe";
545 x509_name_string(&chain->subject, buf,
547 ev.cert_fail.subject = buf;
549 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 TLS_ALERT_BAD_CERTIFICATE);
554 x509_certificate_chain_free(chain);
556 } else if (conn->cred && conn->cred->ca_cert_verify &&
557 x509_certificate_chain_validate(
558 conn->cred->trusted_certs, chain, &reason,
559 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
562 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
563 "validation failed (reason=%d)", reason);
565 case X509_VALIDATE_BAD_CERTIFICATE:
566 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
567 tls_cert_chain_failure_event(
568 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
572 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
574 case X509_VALIDATE_CERTIFICATE_REVOKED:
575 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
576 tls_cert_chain_failure_event(
577 conn, 0, chain, TLS_FAIL_REVOKED,
578 "certificate revoked");
580 case X509_VALIDATE_CERTIFICATE_EXPIRED:
581 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
582 tls_cert_chain_failure_event(
583 conn, 0, chain, TLS_FAIL_EXPIRED,
584 "certificate has expired or is not yet valid");
586 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
587 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
589 case X509_VALIDATE_UNKNOWN_CA:
590 tls_reason = TLS_ALERT_UNKNOWN_CA;
591 tls_cert_chain_failure_event(
592 conn, 0, chain, TLS_FAIL_UNTRUSTED,
596 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
600 x509_certificate_chain_free(chain);
604 if (conn->cred && !conn->cred->server_cert_only && chain &&
605 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
606 !(chain->ext_key_usage &
607 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
608 tls_cert_chain_failure_event(
609 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
610 "certificate not allowed for server authentication");
611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 TLS_ALERT_BAD_CERTIFICATE);
613 x509_certificate_chain_free(chain);
617 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
618 x509_certificate_chain_free(conn->server_cert);
619 conn->server_cert = chain;
621 x509_certificate_chain_free(chain);
624 *in_len = end - in_data;
626 conn->state = SERVER_KEY_EXCHANGE;
632 static unsigned int count_bits(const u8 *val, size_t len)
638 for (i = 0; i < len; i++) {
645 bits = (len - i - 1) * 8;
656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
657 const u8 *buf, size_t len,
658 tls_key_exchange key_exchange)
660 const u8 *pos, *end, *server_params, *server_params_end;
665 tlsv1_client_free_dh(conn);
673 val = WPA_GET_BE16(pos);
675 if (val == 0 || val > (size_t) (end - pos)) {
676 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
679 conn->dh_p_len = val;
680 bits = count_bits(pos, conn->dh_p_len);
682 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
684 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
685 pos, conn->dh_p_len);
688 conn->dh_p = os_memdup(pos, conn->dh_p_len);
689 if (conn->dh_p == NULL)
691 pos += conn->dh_p_len;
692 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
693 conn->dh_p, conn->dh_p_len);
697 val = WPA_GET_BE16(pos);
699 if (val == 0 || val > (size_t) (end - pos))
701 conn->dh_g_len = val;
702 conn->dh_g = os_memdup(pos, conn->dh_g_len);
703 if (conn->dh_g == NULL)
705 pos += conn->dh_g_len;
706 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
707 conn->dh_g, conn->dh_g_len);
708 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
713 val = WPA_GET_BE16(pos);
715 if (val == 0 || val > (size_t) (end - pos))
717 conn->dh_ys_len = val;
718 conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
719 if (conn->dh_ys == NULL)
721 pos += conn->dh_ys_len;
722 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
723 conn->dh_ys, conn->dh_ys_len);
724 server_params_end = pos;
726 if (key_exchange == TLS_KEY_X_DHE_RSA) {
730 if (conn->rl.tls_version == TLS_VERSION_1_2) {
734 * TLS v1.2 adds explicit indication of the used
735 * signature and hash algorithms.
738 * HashAlgorithm hash;
739 * SignatureAlgorithm signature;
740 * } SignatureAndHashAlgorithm;
744 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
745 pos[0] != TLS_HASH_ALG_SHA384 &&
746 pos[0] != TLS_HASH_ALG_SHA512) ||
747 pos[1] != TLS_SIGN_ALG_RSA) {
748 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
753 hlen = tlsv12_key_x_server_params_hash(
754 conn->rl.tls_version, pos[0],
756 conn->server_random, server_params,
757 server_params_end - server_params, hash);
759 #else /* CONFIG_TLSV12 */
761 #endif /* CONFIG_TLSV12 */
763 hlen = tls_key_x_server_params_hash(
764 conn->rl.tls_version, conn->client_random,
765 conn->server_random, server_params,
766 server_params_end - server_params, hash);
771 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
774 if (tls_verify_signature(conn->rl.tls_version,
775 conn->server_rsa_key,
776 hash, hlen, pos, end - pos,
784 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
785 tlsv1_client_free_dh(conn);
790 static enum tls_ocsp_result
791 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
792 const u8 *pos, size_t len)
794 const u8 *end = pos + len;
797 /* opaque OCSPResponse<1..2^24-1>; */
799 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
800 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
801 return TLS_OCSP_INVALID;
803 ocsp_resp_len = WPA_GET_BE24(pos);
805 if (end - pos < ocsp_resp_len) {
806 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
807 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
808 return TLS_OCSP_INVALID;
811 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
815 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
816 const u8 *in_data, size_t *in_len)
820 u8 type, status_type;
821 enum tls_ocsp_result res;
822 struct x509_certificate *cert;
825 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
826 wpa_printf(MSG_DEBUG,
827 "TLSv1: Expected Handshake; received content type 0x%x",
829 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
830 TLS_ALERT_UNEXPECTED_MESSAGE);
838 wpa_printf(MSG_DEBUG,
839 "TLSv1: Too short CertificateStatus (left=%lu)",
840 (unsigned long) left);
841 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
846 len = WPA_GET_BE24(pos);
851 wpa_printf(MSG_DEBUG,
852 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
853 (unsigned long) len, (unsigned long) left);
854 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
860 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
861 wpa_printf(MSG_DEBUG,
862 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
864 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
865 TLS_ALERT_UNEXPECTED_MESSAGE);
869 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
873 * CertificateStatusType status_type;
874 * select (status_type) {
875 * case ocsp: OCSPResponse;
876 * case ocsp_multi: OCSPResponseList;
878 * } CertificateStatus;
881 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
882 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
885 status_type = *pos++;
886 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
889 if (status_type == 1 /* ocsp */) {
890 res = tls_process_certificate_status_ocsp_response(
891 conn, pos, end - pos);
892 } else if (status_type == 2 /* ocsp_multi */) {
893 int good = 0, revoked = 0;
896 res = TLS_OCSP_NO_RESPONSE;
899 * opaque OCSPResponse<0..2^24-1>;
902 * OCSPResponse ocsp_response_list<1..2^24-1>;
903 * } OCSPResponseList;
906 wpa_printf(MSG_DEBUG,
907 "TLSv1: Truncated OCSPResponseList");
908 res = TLS_OCSP_INVALID;
911 resp_len = WPA_GET_BE24(pos);
913 if (end - pos < resp_len) {
914 wpa_printf(MSG_DEBUG,
915 "TLSv1: Truncated OCSPResponseList(len=%u)",
917 res = TLS_OCSP_INVALID;
920 end = pos + resp_len;
922 while (end - pos >= 3) {
923 resp_len = WPA_GET_BE24(pos);
925 if (resp_len > end - pos) {
926 wpa_printf(MSG_DEBUG,
927 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
928 resp_len, (int) (end - pos));
929 res = TLS_OCSP_INVALID;
933 continue; /* Skip an empty response */
934 res = tls_process_certificate_status_ocsp_response(
935 conn, pos - 3, resp_len + 3);
936 if (res == TLS_OCSP_REVOKED)
938 else if (res == TLS_OCSP_GOOD)
944 res = TLS_OCSP_REVOKED;
948 wpa_printf(MSG_DEBUG,
949 "TLSv1: Ignore unsupported CertificateStatus");
954 if (res == TLS_OCSP_REVOKED) {
955 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
956 TLS_ALERT_CERTIFICATE_REVOKED);
957 for (cert = conn->server_cert, depth = 0; cert;
958 cert = cert->next, depth++) {
959 if (cert->ocsp_revoked) {
960 tls_cert_chain_failure_event(
961 conn, depth, cert, TLS_FAIL_REVOKED,
962 "certificate revoked");
968 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
970 * Verify that each certificate on the chain that is not part
971 * of the trusted certificates has a good status. If not,
972 * terminate handshake.
974 for (cert = conn->server_cert, depth = 0; cert;
975 cert = cert->next, depth++) {
976 if (!cert->ocsp_good) {
977 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
978 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
979 tls_cert_chain_failure_event(
981 TLS_FAIL_UNSPECIFIED,
982 "bad certificate status response");
985 if (cert->issuer_trusted)
990 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
991 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
993 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
994 if (conn->server_cert)
995 tls_cert_chain_failure_event(
996 conn, 0, conn->server_cert,
997 TLS_FAIL_UNSPECIFIED,
998 "bad certificate status response");
1002 conn->ocsp_resp_received = 1;
1005 *in_len = end - in_data;
1007 conn->state = SERVER_KEY_EXCHANGE;
1013 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1014 const u8 *in_data, size_t *in_len)
1016 const u8 *pos, *end;
1019 const struct tls_cipher_suite *suite;
1021 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1022 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1023 "received content type 0x%x", ct);
1024 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025 TLS_ALERT_UNEXPECTED_MESSAGE);
1033 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1034 "(Left=%lu)", (unsigned long) left);
1035 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1040 len = WPA_GET_BE24(pos);
1045 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1046 "length (len=%lu != left=%lu)",
1047 (unsigned long) len, (unsigned long) left);
1048 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1054 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1055 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1056 return tls_process_certificate_status(conn, ct, in_data,
1058 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1059 return tls_process_certificate_request(conn, ct, in_data,
1061 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1062 return tls_process_server_hello_done(conn, ct, in_data,
1064 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1065 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1066 "message %d (expected ServerKeyExchange/"
1067 "CertificateRequest/ServerHelloDone%s)", type,
1068 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1069 "/CertificateStatus" : "");
1070 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1071 TLS_ALERT_UNEXPECTED_MESSAGE);
1075 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1077 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1078 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1079 "with the selected cipher suite");
1080 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1081 TLS_ALERT_UNEXPECTED_MESSAGE);
1085 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1086 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1087 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1088 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1089 if (tlsv1_process_diffie_hellman(conn, pos, len,
1090 suite->key_exchange) < 0) {
1091 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092 TLS_ALERT_DECODE_ERROR);
1096 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1097 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1098 TLS_ALERT_UNEXPECTED_MESSAGE);
1102 *in_len = end - in_data;
1104 conn->state = SERVER_CERTIFICATE_REQUEST;
1110 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1111 const u8 *in_data, size_t *in_len)
1113 const u8 *pos, *end;
1117 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1118 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1119 "received content type 0x%x", ct);
1120 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1121 TLS_ALERT_UNEXPECTED_MESSAGE);
1129 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1130 "(left=%lu)", (unsigned long) left);
1131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1136 len = WPA_GET_BE24(pos);
1141 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1142 "length (len=%lu != left=%lu)",
1143 (unsigned long) len, (unsigned long) left);
1144 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1150 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1151 return tls_process_server_hello_done(conn, ct, in_data,
1153 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1154 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1155 "message %d (expected CertificateRequest/"
1156 "ServerHelloDone)", type);
1157 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158 TLS_ALERT_UNEXPECTED_MESSAGE);
1162 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1164 conn->certificate_requested = 1;
1166 *in_len = end - in_data;
1168 conn->state = SERVER_HELLO_DONE;
1174 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1175 const u8 *in_data, size_t *in_len)
1177 const u8 *pos, *end;
1181 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1182 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1183 "received content type 0x%x", ct);
1184 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1185 TLS_ALERT_UNEXPECTED_MESSAGE);
1193 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1194 "(left=%lu)", (unsigned long) left);
1195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1200 len = WPA_GET_BE24(pos);
1205 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1206 "length (len=%lu != left=%lu)",
1207 (unsigned long) len, (unsigned long) left);
1208 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1213 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1214 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1215 "message %d (expected ServerHelloDone)", type);
1216 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1217 TLS_ALERT_UNEXPECTED_MESSAGE);
1221 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1223 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1224 !conn->ocsp_resp_received) {
1225 wpa_printf(MSG_INFO,
1226 "TLSv1: No OCSP response received - reject handshake");
1227 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1228 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1232 *in_len = end - in_data;
1234 conn->state = CLIENT_KEY_EXCHANGE;
1240 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1241 u8 ct, const u8 *in_data,
1247 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1248 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1249 "received content type 0x%x", ct);
1250 if (conn->use_session_ticket) {
1252 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1253 "rejected SessionTicket");
1254 conn->use_session_ticket = 0;
1256 /* Notify upper layers that SessionTicket failed */
1257 res = conn->session_ticket_cb(
1258 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1261 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1262 "callback indicated failure");
1263 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1264 TLS_ALERT_HANDSHAKE_FAILURE);
1268 conn->state = SERVER_CERTIFICATE;
1269 return tls_process_certificate(conn, ct, in_data,
1272 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1273 TLS_ALERT_UNEXPECTED_MESSAGE);
1281 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1282 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1286 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1287 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1288 "received data 0x%x", *pos);
1289 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1290 TLS_ALERT_UNEXPECTED_MESSAGE);
1294 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1295 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1296 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1297 "for record layer");
1298 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1299 TLS_ALERT_INTERNAL_ERROR);
1303 *in_len = pos + 1 - in_data;
1305 conn->state = SERVER_FINISHED;
1311 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1312 const u8 *in_data, size_t *in_len)
1314 const u8 *pos, *end;
1315 size_t left, len, hlen;
1316 u8 verify_data[TLS_VERIFY_DATA_LEN];
1317 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1319 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1320 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1321 "received content type 0x%x", ct);
1322 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1323 TLS_ALERT_UNEXPECTED_MESSAGE);
1331 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1333 (unsigned long) left);
1334 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1335 TLS_ALERT_DECODE_ERROR);
1339 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1340 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1341 "type 0x%x", pos[0]);
1342 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1343 TLS_ALERT_UNEXPECTED_MESSAGE);
1347 len = WPA_GET_BE24(pos + 1);
1353 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1354 "(len=%lu > left=%lu)",
1355 (unsigned long) len, (unsigned long) left);
1356 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1357 TLS_ALERT_DECODE_ERROR);
1361 if (len != TLS_VERIFY_DATA_LEN) {
1362 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1363 "in Finished: %lu (expected %d)",
1364 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1366 TLS_ALERT_DECODE_ERROR);
1369 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1370 pos, TLS_VERIFY_DATA_LEN);
1372 #ifdef CONFIG_TLSV12
1373 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1374 hlen = SHA256_MAC_LEN;
1375 if (conn->verify.sha256_server == NULL ||
1376 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1378 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1379 TLS_ALERT_INTERNAL_ERROR);
1380 conn->verify.sha256_server = NULL;
1383 conn->verify.sha256_server = NULL;
1385 #endif /* CONFIG_TLSV12 */
1388 if (conn->verify.md5_server == NULL ||
1389 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1391 TLS_ALERT_INTERNAL_ERROR);
1392 conn->verify.md5_server = NULL;
1393 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1394 conn->verify.sha1_server = NULL;
1397 conn->verify.md5_server = NULL;
1398 hlen = SHA1_MAC_LEN;
1399 if (conn->verify.sha1_server == NULL ||
1400 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1402 conn->verify.sha1_server = NULL;
1403 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1404 TLS_ALERT_INTERNAL_ERROR);
1407 conn->verify.sha1_server = NULL;
1408 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1410 #ifdef CONFIG_TLSV12
1412 #endif /* CONFIG_TLSV12 */
1414 if (tls_prf(conn->rl.tls_version,
1415 conn->master_secret, TLS_MASTER_SECRET_LEN,
1416 "server finished", hash, hlen,
1417 verify_data, TLS_VERIFY_DATA_LEN)) {
1418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1419 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1420 TLS_ALERT_DECRYPT_ERROR);
1423 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1424 verify_data, TLS_VERIFY_DATA_LEN);
1426 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1427 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1429 TLS_ALERT_DECRYPT_ERROR);
1433 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1435 *in_len = end - in_data;
1437 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1438 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1444 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1445 const u8 *in_data, size_t *in_len,
1446 u8 **out_data, size_t *out_len)
1451 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1452 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1453 "received content type 0x%x", ct);
1454 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1455 TLS_ALERT_UNEXPECTED_MESSAGE);
1462 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1465 *out_data = os_malloc(left);
1467 os_memcpy(*out_data, pos, left);
1475 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1476 const u8 *buf, size_t *len,
1477 u8 **out_data, size_t *out_len)
1479 if (ct == TLS_CONTENT_TYPE_ALERT) {
1481 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1482 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1483 TLS_ALERT_DECODE_ERROR);
1486 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1489 conn->state = FAILED;
1493 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1494 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1495 size_t hr_len = WPA_GET_BE24(buf + 1);
1496 if (hr_len > *len - 4) {
1497 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1498 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1499 TLS_ALERT_DECODE_ERROR);
1502 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1507 switch (conn->state) {
1509 if (tls_process_server_hello(conn, ct, buf, len))
1512 case SERVER_CERTIFICATE:
1513 if (tls_process_certificate(conn, ct, buf, len))
1516 case SERVER_KEY_EXCHANGE:
1517 if (tls_process_server_key_exchange(conn, ct, buf, len))
1520 case SERVER_CERTIFICATE_REQUEST:
1521 if (tls_process_certificate_request(conn, ct, buf, len))
1524 case SERVER_HELLO_DONE:
1525 if (tls_process_server_hello_done(conn, ct, buf, len))
1528 case SERVER_CHANGE_CIPHER_SPEC:
1529 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1532 case SERVER_FINISHED:
1533 if (tls_process_server_finished(conn, ct, buf, len))
1538 tls_process_application_data(conn, ct, buf, len, out_data,
1543 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1544 "while processing received message",
1549 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1550 tls_verify_hash_add(&conn->verify, buf, *len);