1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
21 #include "x509v3.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_client.h"
25 #include "tlsv1_client_i.h"
26
27 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
28 const u8 *in_data, size_t *in_len);
29 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
30 const u8 *in_data, size_t *in_len);
31 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
32 const u8 *in_data, size_t *in_len);
33
34
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)35 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
36 const u8 *in_data, size_t *in_len)
37 {
38 const u8 *pos, *end;
39 size_t left, len, i;
40 u16 cipher_suite;
41
42 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
43 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
44 "received content type 0x%x", ct);
45 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
46 TLS_ALERT_UNEXPECTED_MESSAGE);
47 return -1;
48 }
49
50 pos = in_data;
51 left = *in_len;
52
53 if (left < 4)
54 goto decode_error;
55
56 /* HandshakeType msg_type */
57 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
58 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
59 "message %d (expected ServerHello)", *pos);
60 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
61 TLS_ALERT_UNEXPECTED_MESSAGE);
62 return -1;
63 }
64 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
65 pos++;
66 /* uint24 length */
67 len = WPA_GET_BE24(pos);
68 pos += 3;
69 left -= 4;
70
71 if (len > left)
72 goto decode_error;
73
74 /* body - ServerHello */
75
76 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
77 end = pos + len;
78
79 /* ProtocolVersion server_version */
80 if (end - pos < 2)
81 goto decode_error;
82 if (WPA_GET_BE16(pos) != TLS_VERSION) {
83 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
84 "ServerHello");
85 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
86 TLS_ALERT_PROTOCOL_VERSION);
87 return -1;
88 }
89 pos += 2;
90
91 /* Random random */
92 if (end - pos < TLS_RANDOM_LEN)
93 goto decode_error;
94
95 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
96 pos += TLS_RANDOM_LEN;
97 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
98 conn->server_random, TLS_RANDOM_LEN);
99
100 /* SessionID session_id */
101 if (end - pos < 1)
102 goto decode_error;
103 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
104 goto decode_error;
105 if (conn->session_id_len && conn->session_id_len == *pos &&
106 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
107 pos += 1 + conn->session_id_len;
108 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
109 conn->session_resumed = 1;
110 } else {
111 conn->session_id_len = *pos;
112 pos++;
113 os_memcpy(conn->session_id, pos, conn->session_id_len);
114 pos += conn->session_id_len;
115 }
116 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
117 conn->session_id, conn->session_id_len);
118
119 /* CipherSuite cipher_suite */
120 if (end - pos < 2)
121 goto decode_error;
122 cipher_suite = WPA_GET_BE16(pos);
123 pos += 2;
124 for (i = 0; i < conn->num_cipher_suites; i++) {
125 if (cipher_suite == conn->cipher_suites[i])
126 break;
127 }
128 if (i == conn->num_cipher_suites) {
129 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
130 "cipher suite 0x%04x", cipher_suite);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_ILLEGAL_PARAMETER);
133 return -1;
134 }
135
136 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
137 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
138 "cipher suite for a resumed connection (0x%04x != "
139 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
140 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
141 TLS_ALERT_ILLEGAL_PARAMETER);
142 return -1;
143 }
144
145 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
146 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
147 "record layer");
148 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
149 TLS_ALERT_INTERNAL_ERROR);
150 return -1;
151 }
152
153 conn->prev_cipher_suite = cipher_suite;
154
155 /* CompressionMethod compression_method */
156 if (end - pos < 1)
157 goto decode_error;
158 if (*pos != TLS_COMPRESSION_NULL) {
159 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
160 "compression 0x%02x", *pos);
161 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
162 TLS_ALERT_ILLEGAL_PARAMETER);
163 return -1;
164 }
165 pos++;
166
167 if (end != pos) {
168 /* TODO: ServerHello extensions */
169 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
170 "end of ServerHello", pos, end - pos);
171 goto decode_error;
172 }
173
174 if (conn->session_ticket_included && conn->session_ticket_cb) {
175 /* TODO: include SessionTicket extension if one was included in
176 * ServerHello */
177 int res = conn->session_ticket_cb(
178 conn->session_ticket_cb_ctx, NULL, 0,
179 conn->client_random, conn->server_random,
180 conn->master_secret);
181 if (res < 0) {
182 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
183 "indicated failure");
184 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
185 TLS_ALERT_HANDSHAKE_FAILURE);
186 return -1;
187 }
188 conn->use_session_ticket = !!res;
189 }
190
191 if ((conn->session_resumed || conn->use_session_ticket) &&
192 tls_derive_keys(conn, NULL, 0)) {
193 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
194 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
195 TLS_ALERT_INTERNAL_ERROR);
196 return -1;
197 }
198
199 *in_len = end - in_data;
200
201 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
202 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
203
204 return 0;
205
206 decode_error:
207 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
208 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
209 return -1;
210 }
211
212
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)213 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
214 const u8 *in_data, size_t *in_len)
215 {
216 const u8 *pos, *end;
217 size_t left, len, list_len, cert_len, idx;
218 u8 type;
219 struct x509_certificate *chain = NULL, *last = NULL, *cert;
220 int reason;
221
222 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
223 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
224 "received content type 0x%x", ct);
225 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
226 TLS_ALERT_UNEXPECTED_MESSAGE);
227 return -1;
228 }
229
230 pos = in_data;
231 left = *in_len;
232
233 if (left < 4) {
234 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
235 "(len=%lu)", (unsigned long) left);
236 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
237 return -1;
238 }
239
240 type = *pos++;
241 len = WPA_GET_BE24(pos);
242 pos += 3;
243 left -= 4;
244
245 if (len > left) {
246 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
247 "length (len=%lu != left=%lu)",
248 (unsigned long) len, (unsigned long) left);
249 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
250 return -1;
251 }
252
253 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
254 return tls_process_server_key_exchange(conn, ct, in_data,
255 in_len);
256 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
257 return tls_process_certificate_request(conn, ct, in_data,
258 in_len);
259 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
260 return tls_process_server_hello_done(conn, ct, in_data,
261 in_len);
262 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
263 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
264 "message %d (expected Certificate/"
265 "ServerKeyExchange/CertificateRequest/"
266 "ServerHelloDone)", type);
267 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
268 TLS_ALERT_UNEXPECTED_MESSAGE);
269 return -1;
270 }
271
272 wpa_printf(MSG_DEBUG,
273 "TLSv1: Received Certificate (certificate_list len %lu)",
274 (unsigned long) len);
275
276 /*
277 * opaque ASN.1Cert<2^24-1>;
278 *
279 * struct {
280 * ASN.1Cert certificate_list<1..2^24-1>;
281 * } Certificate;
282 */
283
284 end = pos + len;
285
286 if (end - pos < 3) {
287 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
288 "(left=%lu)", (unsigned long) left);
289 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
290 return -1;
291 }
292
293 list_len = WPA_GET_BE24(pos);
294 pos += 3;
295
296 if ((size_t) (end - pos) != list_len) {
297 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
298 "length (len=%lu left=%lu)",
299 (unsigned long) list_len,
300 (unsigned long) (end - pos));
301 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
302 return -1;
303 }
304
305 idx = 0;
306 while (pos < end) {
307 if (end - pos < 3) {
308 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
309 "certificate_list");
310 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
311 TLS_ALERT_DECODE_ERROR);
312 x509_certificate_chain_free(chain);
313 return -1;
314 }
315
316 cert_len = WPA_GET_BE24(pos);
317 pos += 3;
318
319 if ((size_t) (end - pos) < cert_len) {
320 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
321 "length (len=%lu left=%lu)",
322 (unsigned long) cert_len,
323 (unsigned long) (end - pos));
324 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
325 TLS_ALERT_DECODE_ERROR);
326 x509_certificate_chain_free(chain);
327 return -1;
328 }
329
330 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
331 (unsigned long) idx, (unsigned long) cert_len);
332
333 if (idx == 0) {
334 crypto_public_key_free(conn->server_rsa_key);
335 if (tls_parse_cert(pos, cert_len,
336 &conn->server_rsa_key)) {
337 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
338 "the certificate");
339 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
340 TLS_ALERT_BAD_CERTIFICATE);
341 x509_certificate_chain_free(chain);
342 return -1;
343 }
344 }
345
346 cert = x509_certificate_parse(pos, cert_len);
347 if (cert == NULL) {
348 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
349 "the certificate");
350 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
351 TLS_ALERT_BAD_CERTIFICATE);
352 x509_certificate_chain_free(chain);
353 return -1;
354 }
355
356 if (last == NULL)
357 chain = cert;
358 else
359 last->next = cert;
360 last = cert;
361
362 idx++;
363 pos += cert_len;
364 }
365
366 if (conn->cred &&
367 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
368 &reason, conn->disable_time_checks)
369 < 0) {
370 int tls_reason;
371 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
372 "validation failed (reason=%d)", reason);
373 switch (reason) {
374 case X509_VALIDATE_BAD_CERTIFICATE:
375 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
376 break;
377 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
378 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
379 break;
380 case X509_VALIDATE_CERTIFICATE_REVOKED:
381 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
382 break;
383 case X509_VALIDATE_CERTIFICATE_EXPIRED:
384 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
385 break;
386 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
387 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
388 break;
389 case X509_VALIDATE_UNKNOWN_CA:
390 tls_reason = TLS_ALERT_UNKNOWN_CA;
391 break;
392 default:
393 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
394 break;
395 }
396 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
397 x509_certificate_chain_free(chain);
398 return -1;
399 }
400
401 x509_certificate_chain_free(chain);
402
403 *in_len = end - in_data;
404
405 conn->state = SERVER_KEY_EXCHANGE;
406
407 return 0;
408 }
409
410
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len)411 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
412 const u8 *buf, size_t len)
413 {
414 const u8 *pos, *end;
415
416 tlsv1_client_free_dh(conn);
417
418 pos = buf;
419 end = buf + len;
420
421 if (end - pos < 3)
422 goto fail;
423 conn->dh_p_len = WPA_GET_BE16(pos);
424 pos += 2;
425 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
426 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
427 (unsigned long) conn->dh_p_len);
428 goto fail;
429 }
430 conn->dh_p = os_malloc(conn->dh_p_len);
431 if (conn->dh_p == NULL)
432 goto fail;
433 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
434 pos += conn->dh_p_len;
435 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
436 conn->dh_p, conn->dh_p_len);
437
438 if (end - pos < 3)
439 goto fail;
440 conn->dh_g_len = WPA_GET_BE16(pos);
441 pos += 2;
442 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
443 goto fail;
444 conn->dh_g = os_malloc(conn->dh_g_len);
445 if (conn->dh_g == NULL)
446 goto fail;
447 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
448 pos += conn->dh_g_len;
449 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
450 conn->dh_g, conn->dh_g_len);
451 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
452 goto fail;
453
454 if (end - pos < 3)
455 goto fail;
456 conn->dh_ys_len = WPA_GET_BE16(pos);
457 pos += 2;
458 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
459 goto fail;
460 conn->dh_ys = os_malloc(conn->dh_ys_len);
461 if (conn->dh_ys == NULL)
462 goto fail;
463 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
464 pos += conn->dh_ys_len;
465 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
466 conn->dh_ys, conn->dh_ys_len);
467
468 return 0;
469
470 fail:
471 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
472 tlsv1_client_free_dh(conn);
473 return -1;
474 }
475
476
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)477 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
478 const u8 *in_data, size_t *in_len)
479 {
480 const u8 *pos, *end;
481 size_t left, len;
482 u8 type;
483 const struct tls_cipher_suite *suite;
484
485 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
486 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
487 "received content type 0x%x", ct);
488 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
489 TLS_ALERT_UNEXPECTED_MESSAGE);
490 return -1;
491 }
492
493 pos = in_data;
494 left = *in_len;
495
496 if (left < 4) {
497 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
498 "(Left=%lu)", (unsigned long) left);
499 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
500 return -1;
501 }
502
503 type = *pos++;
504 len = WPA_GET_BE24(pos);
505 pos += 3;
506 left -= 4;
507
508 if (len > left) {
509 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
510 "length (len=%lu != left=%lu)",
511 (unsigned long) len, (unsigned long) left);
512 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
513 return -1;
514 }
515
516 end = pos + len;
517
518 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
519 return tls_process_certificate_request(conn, ct, in_data,
520 in_len);
521 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
522 return tls_process_server_hello_done(conn, ct, in_data,
523 in_len);
524 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
525 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
526 "message %d (expected ServerKeyExchange/"
527 "CertificateRequest/ServerHelloDone)", type);
528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 TLS_ALERT_UNEXPECTED_MESSAGE);
530 return -1;
531 }
532
533 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
534
535 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
536 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
537 "with the selected cipher suite");
538 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
539 TLS_ALERT_UNEXPECTED_MESSAGE);
540 return -1;
541 }
542
543 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
544 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
545 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
546 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) {
547 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
548 TLS_ALERT_DECODE_ERROR);
549 return -1;
550 }
551 } else {
552 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
553 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
554 TLS_ALERT_UNEXPECTED_MESSAGE);
555 return -1;
556 }
557
558 *in_len = end - in_data;
559
560 conn->state = SERVER_CERTIFICATE_REQUEST;
561
562 return 0;
563 }
564
565
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)566 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
567 const u8 *in_data, size_t *in_len)
568 {
569 const u8 *pos, *end;
570 size_t left, len;
571 u8 type;
572
573 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
574 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
575 "received content type 0x%x", ct);
576 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
577 TLS_ALERT_UNEXPECTED_MESSAGE);
578 return -1;
579 }
580
581 pos = in_data;
582 left = *in_len;
583
584 if (left < 4) {
585 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
586 "(left=%lu)", (unsigned long) left);
587 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
588 return -1;
589 }
590
591 type = *pos++;
592 len = WPA_GET_BE24(pos);
593 pos += 3;
594 left -= 4;
595
596 if (len > left) {
597 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
598 "length (len=%lu != left=%lu)",
599 (unsigned long) len, (unsigned long) left);
600 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
601 return -1;
602 }
603
604 end = pos + len;
605
606 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
607 return tls_process_server_hello_done(conn, ct, in_data,
608 in_len);
609 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
610 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
611 "message %d (expected CertificateRequest/"
612 "ServerHelloDone)", type);
613 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
614 TLS_ALERT_UNEXPECTED_MESSAGE);
615 return -1;
616 }
617
618 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
619
620 conn->certificate_requested = 1;
621
622 *in_len = end - in_data;
623
624 conn->state = SERVER_HELLO_DONE;
625
626 return 0;
627 }
628
629
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)630 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
631 const u8 *in_data, size_t *in_len)
632 {
633 const u8 *pos, *end;
634 size_t left, len;
635 u8 type;
636
637 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
638 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
639 "received content type 0x%x", ct);
640 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
641 TLS_ALERT_UNEXPECTED_MESSAGE);
642 return -1;
643 }
644
645 pos = in_data;
646 left = *in_len;
647
648 if (left < 4) {
649 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
650 "(left=%lu)", (unsigned long) left);
651 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
652 return -1;
653 }
654
655 type = *pos++;
656 len = WPA_GET_BE24(pos);
657 pos += 3;
658 left -= 4;
659
660 if (len > left) {
661 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
662 "length (len=%lu != left=%lu)",
663 (unsigned long) len, (unsigned long) left);
664 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
665 return -1;
666 }
667 end = pos + len;
668
669 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
670 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
671 "message %d (expected ServerHelloDone)", type);
672 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
673 TLS_ALERT_UNEXPECTED_MESSAGE);
674 return -1;
675 }
676
677 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
678
679 *in_len = end - in_data;
680
681 conn->state = CLIENT_KEY_EXCHANGE;
682
683 return 0;
684 }
685
686
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)687 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
688 u8 ct, const u8 *in_data,
689 size_t *in_len)
690 {
691 const u8 *pos;
692 size_t left;
693
694 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
695 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
696 "received content type 0x%x", ct);
697 if (conn->use_session_ticket) {
698 int res;
699 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
700 "rejected SessionTicket");
701 conn->use_session_ticket = 0;
702
703 /* Notify upper layers that SessionTicket failed */
704 res = conn->session_ticket_cb(
705 conn->session_ticket_cb_ctx, NULL, 0, NULL,
706 NULL, NULL);
707 if (res < 0) {
708 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
709 "callback indicated failure");
710 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
711 TLS_ALERT_HANDSHAKE_FAILURE);
712 return -1;
713 }
714
715 conn->state = SERVER_CERTIFICATE;
716 return tls_process_certificate(conn, ct, in_data,
717 in_len);
718 }
719 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
720 TLS_ALERT_UNEXPECTED_MESSAGE);
721 return -1;
722 }
723
724 pos = in_data;
725 left = *in_len;
726
727 if (left < 1) {
728 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
729 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
730 return -1;
731 }
732
733 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
734 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
735 "received data 0x%x", *pos);
736 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
737 TLS_ALERT_UNEXPECTED_MESSAGE);
738 return -1;
739 }
740
741 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
742 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
743 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
744 "for record layer");
745 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
746 TLS_ALERT_INTERNAL_ERROR);
747 return -1;
748 }
749
750 *in_len = pos + 1 - in_data;
751
752 conn->state = SERVER_FINISHED;
753
754 return 0;
755 }
756
757
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)758 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
759 const u8 *in_data, size_t *in_len)
760 {
761 const u8 *pos, *end;
762 size_t left, len, hlen;
763 u8 verify_data[TLS_VERIFY_DATA_LEN];
764 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
765
766 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
767 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
768 "received content type 0x%x", ct);
769 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
770 TLS_ALERT_UNEXPECTED_MESSAGE);
771 return -1;
772 }
773
774 pos = in_data;
775 left = *in_len;
776
777 if (left < 4) {
778 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
779 "Finished",
780 (unsigned long) left);
781 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
782 TLS_ALERT_DECODE_ERROR);
783 return -1;
784 }
785
786 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
787 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
788 "type 0x%x", pos[0]);
789 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
790 TLS_ALERT_UNEXPECTED_MESSAGE);
791 return -1;
792 }
793
794 len = WPA_GET_BE24(pos + 1);
795
796 pos += 4;
797 left -= 4;
798
799 if (len > left) {
800 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
801 "(len=%lu > left=%lu)",
802 (unsigned long) len, (unsigned long) left);
803 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
804 TLS_ALERT_DECODE_ERROR);
805 return -1;
806 }
807 end = pos + len;
808 if (len != TLS_VERIFY_DATA_LEN) {
809 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
810 "in Finished: %lu (expected %d)",
811 (unsigned long) len, TLS_VERIFY_DATA_LEN);
812 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
813 TLS_ALERT_DECODE_ERROR);
814 return -1;
815 }
816 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
817 pos, TLS_VERIFY_DATA_LEN);
818
819 hlen = MD5_MAC_LEN;
820 if (conn->verify.md5_server == NULL ||
821 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
822 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
823 TLS_ALERT_INTERNAL_ERROR);
824 conn->verify.md5_server = NULL;
825 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
826 conn->verify.sha1_server = NULL;
827 return -1;
828 }
829 conn->verify.md5_server = NULL;
830 hlen = SHA1_MAC_LEN;
831 if (conn->verify.sha1_server == NULL ||
832 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
833 &hlen) < 0) {
834 conn->verify.sha1_server = NULL;
835 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
836 TLS_ALERT_INTERNAL_ERROR);
837 return -1;
838 }
839 conn->verify.sha1_server = NULL;
840
841 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
842 "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
843 verify_data, TLS_VERIFY_DATA_LEN)) {
844 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
845 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
846 TLS_ALERT_DECRYPT_ERROR);
847 return -1;
848 }
849 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
850 verify_data, TLS_VERIFY_DATA_LEN);
851
852 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
853 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
854 return -1;
855 }
856
857 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
858
859 *in_len = end - in_data;
860
861 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
862 CHANGE_CIPHER_SPEC : ACK_FINISHED;
863
864 return 0;
865 }
866
867
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)868 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
869 const u8 *in_data, size_t *in_len,
870 u8 **out_data, size_t *out_len)
871 {
872 const u8 *pos;
873 size_t left;
874
875 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
876 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
877 "received content type 0x%x", ct);
878 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
879 TLS_ALERT_UNEXPECTED_MESSAGE);
880 return -1;
881 }
882
883 pos = in_data;
884 left = *in_len;
885
886 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
887 pos, left);
888
889 *out_data = os_malloc(left);
890 if (*out_data) {
891 os_memcpy(*out_data, pos, left);
892 *out_len = left;
893 }
894
895 return 0;
896 }
897
898
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)899 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
900 const u8 *buf, size_t *len,
901 u8 **out_data, size_t *out_len)
902 {
903 if (ct == TLS_CONTENT_TYPE_ALERT) {
904 if (*len < 2) {
905 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
906 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
907 TLS_ALERT_DECODE_ERROR);
908 return -1;
909 }
910 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
911 buf[0], buf[1]);
912 *len = 2;
913 conn->state = FAILED;
914 return -1;
915 }
916
917 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
918 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
919 size_t hr_len = WPA_GET_BE24(buf + 1);
920 if (hr_len > *len - 4) {
921 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
922 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
923 TLS_ALERT_DECODE_ERROR);
924 return -1;
925 }
926 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
927 *len = 4 + hr_len;
928 return 0;
929 }
930
931 switch (conn->state) {
932 case SERVER_HELLO:
933 if (tls_process_server_hello(conn, ct, buf, len))
934 return -1;
935 break;
936 case SERVER_CERTIFICATE:
937 if (tls_process_certificate(conn, ct, buf, len))
938 return -1;
939 break;
940 case SERVER_KEY_EXCHANGE:
941 if (tls_process_server_key_exchange(conn, ct, buf, len))
942 return -1;
943 break;
944 case SERVER_CERTIFICATE_REQUEST:
945 if (tls_process_certificate_request(conn, ct, buf, len))
946 return -1;
947 break;
948 case SERVER_HELLO_DONE:
949 if (tls_process_server_hello_done(conn, ct, buf, len))
950 return -1;
951 break;
952 case SERVER_CHANGE_CIPHER_SPEC:
953 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
954 return -1;
955 break;
956 case SERVER_FINISHED:
957 if (tls_process_server_finished(conn, ct, buf, len))
958 return -1;
959 break;
960 case ACK_FINISHED:
961 if (out_data &&
962 tls_process_application_data(conn, ct, buf, len, out_data,
963 out_len))
964 return -1;
965 break;
966 default:
967 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
968 "while processing received message",
969 conn->state);
970 return -1;
971 }
972
973 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
974 tls_verify_hash_add(&conn->verify, buf, *len);
975
976 return 0;
977 }
978