1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 31 const u8 *in_data, size_t *in_len) 32 { 33 const u8 *pos, *end; 34 size_t left, len, i; 35 u16 cipher_suite; 36 u16 tls_version; 37 38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 40 "received content type 0x%x", ct); 41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 42 TLS_ALERT_UNEXPECTED_MESSAGE); 43 return -1; 44 } 45 46 pos = in_data; 47 left = *in_len; 48 49 if (left < 4) 50 goto decode_error; 51 52 /* HandshakeType msg_type */ 53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 55 "message %d (expected ServerHello)", *pos); 56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 57 TLS_ALERT_UNEXPECTED_MESSAGE); 58 return -1; 59 } 60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 61 pos++; 62 /* uint24 length */ 63 len = WPA_GET_BE24(pos); 64 pos += 3; 65 left -= 4; 66 67 if (len > left) 68 goto decode_error; 69 70 /* body - ServerHello */ 71 72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 73 end = pos + len; 74 75 /* ProtocolVersion server_version */ 76 if (end - pos < 2) 77 goto decode_error; 78 tls_version = WPA_GET_BE16(pos); 79 if (!tls_version_ok(tls_version)) { 80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 81 "ServerHello %u.%u", pos[0], pos[1]); 82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 83 TLS_ALERT_PROTOCOL_VERSION); 84 return -1; 85 } 86 pos += 2; 87 88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 89 tls_version_str(tls_version)); 90 conn->rl.tls_version = tls_version; 91 92 /* Random random */ 93 if (end - pos < TLS_RANDOM_LEN) 94 goto decode_error; 95 96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 97 pos += TLS_RANDOM_LEN; 98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 99 conn->server_random, TLS_RANDOM_LEN); 100 101 /* SessionID session_id */ 102 if (end - pos < 1) 103 goto decode_error; 104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 105 goto decode_error; 106 if (conn->session_id_len && conn->session_id_len == *pos && 107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 108 pos += 1 + conn->session_id_len; 109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 110 conn->session_resumed = 1; 111 } else { 112 conn->session_id_len = *pos; 113 pos++; 114 os_memcpy(conn->session_id, pos, conn->session_id_len); 115 pos += conn->session_id_len; 116 } 117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 118 conn->session_id, conn->session_id_len); 119 120 /* CipherSuite cipher_suite */ 121 if (end - pos < 2) 122 goto decode_error; 123 cipher_suite = WPA_GET_BE16(pos); 124 pos += 2; 125 for (i = 0; i < conn->num_cipher_suites; i++) { 126 if (cipher_suite == conn->cipher_suites[i]) 127 break; 128 } 129 if (i == conn->num_cipher_suites) { 130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 131 "cipher suite 0x%04x", cipher_suite); 132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 133 TLS_ALERT_ILLEGAL_PARAMETER); 134 return -1; 135 } 136 137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 139 "cipher suite for a resumed connection (0x%04x != " 140 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 142 TLS_ALERT_ILLEGAL_PARAMETER); 143 return -1; 144 } 145 146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 148 "record layer"); 149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 150 TLS_ALERT_INTERNAL_ERROR); 151 return -1; 152 } 153 154 conn->prev_cipher_suite = cipher_suite; 155 156 /* CompressionMethod compression_method */ 157 if (end - pos < 1) 158 goto decode_error; 159 if (*pos != TLS_COMPRESSION_NULL) { 160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 161 "compression 0x%02x", *pos); 162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 163 TLS_ALERT_ILLEGAL_PARAMETER); 164 return -1; 165 } 166 pos++; 167 168 if (end != pos) { 169 /* TODO: ServerHello extensions */ 170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 171 "end of ServerHello", pos, end - pos); 172 goto decode_error; 173 } 174 175 if (conn->session_ticket_included && conn->session_ticket_cb) { 176 /* TODO: include SessionTicket extension if one was included in 177 * ServerHello */ 178 int res = conn->session_ticket_cb( 179 conn->session_ticket_cb_ctx, NULL, 0, 180 conn->client_random, conn->server_random, 181 conn->master_secret); 182 if (res < 0) { 183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 184 "indicated failure"); 185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 186 TLS_ALERT_HANDSHAKE_FAILURE); 187 return -1; 188 } 189 conn->use_session_ticket = !!res; 190 } 191 192 if ((conn->session_resumed || conn->use_session_ticket) && 193 tls_derive_keys(conn, NULL, 0)) { 194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 196 TLS_ALERT_INTERNAL_ERROR); 197 return -1; 198 } 199 200 *in_len = end - in_data; 201 202 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 204 205 return 0; 206 207 decode_error: 208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 210 return -1; 211 } 212 213 214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 215 const u8 *in_data, size_t *in_len) 216 { 217 const u8 *pos, *end; 218 size_t left, len, list_len, cert_len, idx; 219 u8 type; 220 struct x509_certificate *chain = NULL, *last = NULL, *cert; 221 int reason; 222 223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 225 "received content type 0x%x", ct); 226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 227 TLS_ALERT_UNEXPECTED_MESSAGE); 228 return -1; 229 } 230 231 pos = in_data; 232 left = *in_len; 233 234 if (left < 4) { 235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 236 "(len=%lu)", (unsigned long) left); 237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 238 return -1; 239 } 240 241 type = *pos++; 242 len = WPA_GET_BE24(pos); 243 pos += 3; 244 left -= 4; 245 246 if (len > left) { 247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 248 "length (len=%lu != left=%lu)", 249 (unsigned long) len, (unsigned long) left); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 251 return -1; 252 } 253 254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 255 return tls_process_server_key_exchange(conn, ct, in_data, 256 in_len); 257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 258 return tls_process_certificate_request(conn, ct, in_data, 259 in_len); 260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 261 return tls_process_server_hello_done(conn, ct, in_data, 262 in_len); 263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 265 "message %d (expected Certificate/" 266 "ServerKeyExchange/CertificateRequest/" 267 "ServerHelloDone)", type); 268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 269 TLS_ALERT_UNEXPECTED_MESSAGE); 270 return -1; 271 } 272 273 wpa_printf(MSG_DEBUG, 274 "TLSv1: Received Certificate (certificate_list len %lu)", 275 (unsigned long) len); 276 277 /* 278 * opaque ASN.1Cert<2^24-1>; 279 * 280 * struct { 281 * ASN.1Cert certificate_list<1..2^24-1>; 282 * } Certificate; 283 */ 284 285 end = pos + len; 286 287 if (end - pos < 3) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 289 "(left=%lu)", (unsigned long) left); 290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 291 return -1; 292 } 293 294 list_len = WPA_GET_BE24(pos); 295 pos += 3; 296 297 if ((size_t) (end - pos) != list_len) { 298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 299 "length (len=%lu left=%lu)", 300 (unsigned long) list_len, 301 (unsigned long) (end - pos)); 302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 303 return -1; 304 } 305 306 idx = 0; 307 while (pos < end) { 308 if (end - pos < 3) { 309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 310 "certificate_list"); 311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 312 TLS_ALERT_DECODE_ERROR); 313 x509_certificate_chain_free(chain); 314 return -1; 315 } 316 317 cert_len = WPA_GET_BE24(pos); 318 pos += 3; 319 320 if ((size_t) (end - pos) < cert_len) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 322 "length (len=%lu left=%lu)", 323 (unsigned long) cert_len, 324 (unsigned long) (end - pos)); 325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_DECODE_ERROR); 327 x509_certificate_chain_free(chain); 328 return -1; 329 } 330 331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 332 (unsigned long) idx, (unsigned long) cert_len); 333 334 if (idx == 0) { 335 crypto_public_key_free(conn->server_rsa_key); 336 if (tls_parse_cert(pos, cert_len, 337 &conn->server_rsa_key)) { 338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 339 "the certificate"); 340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 341 TLS_ALERT_BAD_CERTIFICATE); 342 x509_certificate_chain_free(chain); 343 return -1; 344 } 345 } 346 347 cert = x509_certificate_parse(pos, cert_len); 348 if (cert == NULL) { 349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 350 "the certificate"); 351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 352 TLS_ALERT_BAD_CERTIFICATE); 353 x509_certificate_chain_free(chain); 354 return -1; 355 } 356 357 if (last == NULL) 358 chain = cert; 359 else 360 last->next = cert; 361 last = cert; 362 363 idx++; 364 pos += cert_len; 365 } 366 367 if (conn->cred && 368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 369 &reason, conn->disable_time_checks) 370 < 0) { 371 int tls_reason; 372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 373 "validation failed (reason=%d)", reason); 374 switch (reason) { 375 case X509_VALIDATE_BAD_CERTIFICATE: 376 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 377 break; 378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 380 break; 381 case X509_VALIDATE_CERTIFICATE_REVOKED: 382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 383 break; 384 case X509_VALIDATE_CERTIFICATE_EXPIRED: 385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 386 break; 387 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 389 break; 390 case X509_VALIDATE_UNKNOWN_CA: 391 tls_reason = TLS_ALERT_UNKNOWN_CA; 392 break; 393 default: 394 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 395 break; 396 } 397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 398 x509_certificate_chain_free(chain); 399 return -1; 400 } 401 402 x509_certificate_chain_free(chain); 403 404 *in_len = end - in_data; 405 406 conn->state = SERVER_KEY_EXCHANGE; 407 408 return 0; 409 } 410 411 412 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 413 const u8 *buf, size_t len) 414 { 415 const u8 *pos, *end; 416 417 tlsv1_client_free_dh(conn); 418 419 pos = buf; 420 end = buf + len; 421 422 if (end - pos < 3) 423 goto fail; 424 conn->dh_p_len = WPA_GET_BE16(pos); 425 pos += 2; 426 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) { 427 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu", 428 (unsigned long) conn->dh_p_len); 429 goto fail; 430 } 431 conn->dh_p = os_malloc(conn->dh_p_len); 432 if (conn->dh_p == NULL) 433 goto fail; 434 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 435 pos += conn->dh_p_len; 436 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 437 conn->dh_p, conn->dh_p_len); 438 439 if (end - pos < 3) 440 goto fail; 441 conn->dh_g_len = WPA_GET_BE16(pos); 442 pos += 2; 443 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 444 goto fail; 445 conn->dh_g = os_malloc(conn->dh_g_len); 446 if (conn->dh_g == NULL) 447 goto fail; 448 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 449 pos += conn->dh_g_len; 450 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 451 conn->dh_g, conn->dh_g_len); 452 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 453 goto fail; 454 455 if (end - pos < 3) 456 goto fail; 457 conn->dh_ys_len = WPA_GET_BE16(pos); 458 pos += 2; 459 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 460 goto fail; 461 conn->dh_ys = os_malloc(conn->dh_ys_len); 462 if (conn->dh_ys == NULL) 463 goto fail; 464 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 465 pos += conn->dh_ys_len; 466 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 467 conn->dh_ys, conn->dh_ys_len); 468 469 return 0; 470 471 fail: 472 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 473 tlsv1_client_free_dh(conn); 474 return -1; 475 } 476 477 478 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 479 const u8 *in_data, size_t *in_len) 480 { 481 const u8 *pos, *end; 482 size_t left, len; 483 u8 type; 484 const struct tls_cipher_suite *suite; 485 486 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 487 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 488 "received content type 0x%x", ct); 489 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 490 TLS_ALERT_UNEXPECTED_MESSAGE); 491 return -1; 492 } 493 494 pos = in_data; 495 left = *in_len; 496 497 if (left < 4) { 498 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 499 "(Left=%lu)", (unsigned long) left); 500 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 501 return -1; 502 } 503 504 type = *pos++; 505 len = WPA_GET_BE24(pos); 506 pos += 3; 507 left -= 4; 508 509 if (len > left) { 510 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 511 "length (len=%lu != left=%lu)", 512 (unsigned long) len, (unsigned long) left); 513 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 514 return -1; 515 } 516 517 end = pos + len; 518 519 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 520 return tls_process_certificate_request(conn, ct, in_data, 521 in_len); 522 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 523 return tls_process_server_hello_done(conn, ct, in_data, 524 in_len); 525 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 526 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 527 "message %d (expected ServerKeyExchange/" 528 "CertificateRequest/ServerHelloDone)", type); 529 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 530 TLS_ALERT_UNEXPECTED_MESSAGE); 531 return -1; 532 } 533 534 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 535 536 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 537 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 538 "with the selected cipher suite"); 539 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 540 TLS_ALERT_UNEXPECTED_MESSAGE); 541 return -1; 542 } 543 544 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 545 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 546 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 547 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) { 548 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 549 TLS_ALERT_DECODE_ERROR); 550 return -1; 551 } 552 } else { 553 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 554 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 555 TLS_ALERT_UNEXPECTED_MESSAGE); 556 return -1; 557 } 558 559 *in_len = end - in_data; 560 561 conn->state = SERVER_CERTIFICATE_REQUEST; 562 563 return 0; 564 } 565 566 567 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 568 const u8 *in_data, size_t *in_len) 569 { 570 const u8 *pos, *end; 571 size_t left, len; 572 u8 type; 573 574 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 575 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 576 "received content type 0x%x", ct); 577 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 578 TLS_ALERT_UNEXPECTED_MESSAGE); 579 return -1; 580 } 581 582 pos = in_data; 583 left = *in_len; 584 585 if (left < 4) { 586 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 587 "(left=%lu)", (unsigned long) left); 588 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 589 return -1; 590 } 591 592 type = *pos++; 593 len = WPA_GET_BE24(pos); 594 pos += 3; 595 left -= 4; 596 597 if (len > left) { 598 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 599 "length (len=%lu != left=%lu)", 600 (unsigned long) len, (unsigned long) left); 601 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 602 return -1; 603 } 604 605 end = pos + len; 606 607 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 608 return tls_process_server_hello_done(conn, ct, in_data, 609 in_len); 610 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 611 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 612 "message %d (expected CertificateRequest/" 613 "ServerHelloDone)", type); 614 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 615 TLS_ALERT_UNEXPECTED_MESSAGE); 616 return -1; 617 } 618 619 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 620 621 conn->certificate_requested = 1; 622 623 *in_len = end - in_data; 624 625 conn->state = SERVER_HELLO_DONE; 626 627 return 0; 628 } 629 630 631 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 632 const u8 *in_data, size_t *in_len) 633 { 634 const u8 *pos, *end; 635 size_t left, len; 636 u8 type; 637 638 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 639 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 640 "received content type 0x%x", ct); 641 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 642 TLS_ALERT_UNEXPECTED_MESSAGE); 643 return -1; 644 } 645 646 pos = in_data; 647 left = *in_len; 648 649 if (left < 4) { 650 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 651 "(left=%lu)", (unsigned long) left); 652 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 653 return -1; 654 } 655 656 type = *pos++; 657 len = WPA_GET_BE24(pos); 658 pos += 3; 659 left -= 4; 660 661 if (len > left) { 662 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 663 "length (len=%lu != left=%lu)", 664 (unsigned long) len, (unsigned long) left); 665 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 666 return -1; 667 } 668 end = pos + len; 669 670 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 671 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 672 "message %d (expected ServerHelloDone)", type); 673 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 674 TLS_ALERT_UNEXPECTED_MESSAGE); 675 return -1; 676 } 677 678 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 679 680 *in_len = end - in_data; 681 682 conn->state = CLIENT_KEY_EXCHANGE; 683 684 return 0; 685 } 686 687 688 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 689 u8 ct, const u8 *in_data, 690 size_t *in_len) 691 { 692 const u8 *pos; 693 size_t left; 694 695 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 696 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 697 "received content type 0x%x", ct); 698 if (conn->use_session_ticket) { 699 int res; 700 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 701 "rejected SessionTicket"); 702 conn->use_session_ticket = 0; 703 704 /* Notify upper layers that SessionTicket failed */ 705 res = conn->session_ticket_cb( 706 conn->session_ticket_cb_ctx, NULL, 0, NULL, 707 NULL, NULL); 708 if (res < 0) { 709 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 710 "callback indicated failure"); 711 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 712 TLS_ALERT_HANDSHAKE_FAILURE); 713 return -1; 714 } 715 716 conn->state = SERVER_CERTIFICATE; 717 return tls_process_certificate(conn, ct, in_data, 718 in_len); 719 } 720 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 721 TLS_ALERT_UNEXPECTED_MESSAGE); 722 return -1; 723 } 724 725 pos = in_data; 726 left = *in_len; 727 728 if (left < 1) { 729 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 730 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 731 return -1; 732 } 733 734 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 735 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 736 "received data 0x%x", *pos); 737 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 738 TLS_ALERT_UNEXPECTED_MESSAGE); 739 return -1; 740 } 741 742 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 743 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 744 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 745 "for record layer"); 746 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 747 TLS_ALERT_INTERNAL_ERROR); 748 return -1; 749 } 750 751 *in_len = pos + 1 - in_data; 752 753 conn->state = SERVER_FINISHED; 754 755 return 0; 756 } 757 758 759 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 760 const u8 *in_data, size_t *in_len) 761 { 762 const u8 *pos, *end; 763 size_t left, len, hlen; 764 u8 verify_data[TLS_VERIFY_DATA_LEN]; 765 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 766 767 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 768 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 769 "received content type 0x%x", ct); 770 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 771 TLS_ALERT_UNEXPECTED_MESSAGE); 772 return -1; 773 } 774 775 pos = in_data; 776 left = *in_len; 777 778 if (left < 4) { 779 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 780 "Finished", 781 (unsigned long) left); 782 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 783 TLS_ALERT_DECODE_ERROR); 784 return -1; 785 } 786 787 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 788 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 789 "type 0x%x", pos[0]); 790 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 791 TLS_ALERT_UNEXPECTED_MESSAGE); 792 return -1; 793 } 794 795 len = WPA_GET_BE24(pos + 1); 796 797 pos += 4; 798 left -= 4; 799 800 if (len > left) { 801 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 802 "(len=%lu > left=%lu)", 803 (unsigned long) len, (unsigned long) left); 804 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 805 TLS_ALERT_DECODE_ERROR); 806 return -1; 807 } 808 end = pos + len; 809 if (len != TLS_VERIFY_DATA_LEN) { 810 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 811 "in Finished: %lu (expected %d)", 812 (unsigned long) len, TLS_VERIFY_DATA_LEN); 813 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 814 TLS_ALERT_DECODE_ERROR); 815 return -1; 816 } 817 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 818 pos, TLS_VERIFY_DATA_LEN); 819 820 #ifdef CONFIG_TLSV12 821 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 822 hlen = SHA256_MAC_LEN; 823 if (conn->verify.sha256_server == NULL || 824 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 825 < 0) { 826 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 827 TLS_ALERT_INTERNAL_ERROR); 828 conn->verify.sha256_server = NULL; 829 return -1; 830 } 831 conn->verify.sha256_server = NULL; 832 } else { 833 #endif /* CONFIG_TLSV12 */ 834 835 hlen = MD5_MAC_LEN; 836 if (conn->verify.md5_server == NULL || 837 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 838 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 839 TLS_ALERT_INTERNAL_ERROR); 840 conn->verify.md5_server = NULL; 841 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 842 conn->verify.sha1_server = NULL; 843 return -1; 844 } 845 conn->verify.md5_server = NULL; 846 hlen = SHA1_MAC_LEN; 847 if (conn->verify.sha1_server == NULL || 848 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 849 &hlen) < 0) { 850 conn->verify.sha1_server = NULL; 851 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 852 TLS_ALERT_INTERNAL_ERROR); 853 return -1; 854 } 855 conn->verify.sha1_server = NULL; 856 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 857 858 #ifdef CONFIG_TLSV12 859 } 860 #endif /* CONFIG_TLSV12 */ 861 862 if (tls_prf(conn->rl.tls_version, 863 conn->master_secret, TLS_MASTER_SECRET_LEN, 864 "server finished", hash, hlen, 865 verify_data, TLS_VERIFY_DATA_LEN)) { 866 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 868 TLS_ALERT_DECRYPT_ERROR); 869 return -1; 870 } 871 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 872 verify_data, TLS_VERIFY_DATA_LEN); 873 874 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 875 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 876 return -1; 877 } 878 879 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 880 881 *in_len = end - in_data; 882 883 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 884 CHANGE_CIPHER_SPEC : ACK_FINISHED; 885 886 return 0; 887 } 888 889 890 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 891 const u8 *in_data, size_t *in_len, 892 u8 **out_data, size_t *out_len) 893 { 894 const u8 *pos; 895 size_t left; 896 897 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 898 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 899 "received content type 0x%x", ct); 900 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 901 TLS_ALERT_UNEXPECTED_MESSAGE); 902 return -1; 903 } 904 905 pos = in_data; 906 left = *in_len; 907 908 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 909 pos, left); 910 911 *out_data = os_malloc(left); 912 if (*out_data) { 913 os_memcpy(*out_data, pos, left); 914 *out_len = left; 915 } 916 917 return 0; 918 } 919 920 921 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 922 const u8 *buf, size_t *len, 923 u8 **out_data, size_t *out_len) 924 { 925 if (ct == TLS_CONTENT_TYPE_ALERT) { 926 if (*len < 2) { 927 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 928 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 929 TLS_ALERT_DECODE_ERROR); 930 return -1; 931 } 932 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 933 buf[0], buf[1]); 934 *len = 2; 935 conn->state = FAILED; 936 return -1; 937 } 938 939 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 940 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 941 size_t hr_len = WPA_GET_BE24(buf + 1); 942 if (hr_len > *len - 4) { 943 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 944 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 945 TLS_ALERT_DECODE_ERROR); 946 return -1; 947 } 948 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 949 *len = 4 + hr_len; 950 return 0; 951 } 952 953 switch (conn->state) { 954 case SERVER_HELLO: 955 if (tls_process_server_hello(conn, ct, buf, len)) 956 return -1; 957 break; 958 case SERVER_CERTIFICATE: 959 if (tls_process_certificate(conn, ct, buf, len)) 960 return -1; 961 break; 962 case SERVER_KEY_EXCHANGE: 963 if (tls_process_server_key_exchange(conn, ct, buf, len)) 964 return -1; 965 break; 966 case SERVER_CERTIFICATE_REQUEST: 967 if (tls_process_certificate_request(conn, ct, buf, len)) 968 return -1; 969 break; 970 case SERVER_HELLO_DONE: 971 if (tls_process_server_hello_done(conn, ct, buf, len)) 972 return -1; 973 break; 974 case SERVER_CHANGE_CIPHER_SPEC: 975 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 976 return -1; 977 break; 978 case SERVER_FINISHED: 979 if (tls_process_server_finished(conn, ct, buf, len)) 980 return -1; 981 break; 982 case ACK_FINISHED: 983 if (out_data && 984 tls_process_application_data(conn, ct, buf, len, out_data, 985 out_len)) 986 return -1; 987 break; 988 default: 989 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 990 "while processing received message", 991 conn->state); 992 return -1; 993 } 994 995 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 996 tls_verify_hash_add(&conn->verify, buf, *len); 997 998 return 0; 999 } 1000