1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 const u8 *in_data, size_t *in_len)
32 {
33 const u8 *pos, *end;
34 size_t left, len, i;
35 u16 cipher_suite;
36 u16 tls_version;
37
38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 "received content type 0x%x", ct);
41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 TLS_ALERT_UNEXPECTED_MESSAGE);
43 return -1;
44 }
45
46 pos = in_data;
47 left = *in_len;
48
49 if (left < 4)
50 goto decode_error;
51
52 /* HandshakeType msg_type */
53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 "message %d (expected ServerHello)", *pos);
56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 TLS_ALERT_UNEXPECTED_MESSAGE);
58 return -1;
59 }
60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61 pos++;
62 /* uint24 length */
63 len = WPA_GET_BE24(pos);
64 pos += 3;
65 left -= 4;
66
67 if (len > left)
68 goto decode_error;
69
70 /* body - ServerHello */
71
72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73 end = pos + len;
74
75 /* ProtocolVersion server_version */
76 if (end - pos < 2)
77 goto decode_error;
78 tls_version = WPA_GET_BE16(pos);
79 if (!tls_version_ok(tls_version)) {
80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 "ServerHello %u.%u", pos[0], pos[1]);
82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 TLS_ALERT_PROTOCOL_VERSION);
84 return -1;
85 }
86 pos += 2;
87
88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 tls_version_str(tls_version));
90 conn->rl.tls_version = tls_version;
91
92 /* Random random */
93 if (end - pos < TLS_RANDOM_LEN)
94 goto decode_error;
95
96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 pos += TLS_RANDOM_LEN;
98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 conn->server_random, TLS_RANDOM_LEN);
100
101 /* SessionID session_id */
102 if (end - pos < 1)
103 goto decode_error;
104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105 goto decode_error;
106 if (conn->session_id_len && conn->session_id_len == *pos &&
107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 pos += 1 + conn->session_id_len;
109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 conn->session_resumed = 1;
111 } else {
112 conn->session_id_len = *pos;
113 pos++;
114 os_memcpy(conn->session_id, pos, conn->session_id_len);
115 pos += conn->session_id_len;
116 }
117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 conn->session_id, conn->session_id_len);
119
120 /* CipherSuite cipher_suite */
121 if (end - pos < 2)
122 goto decode_error;
123 cipher_suite = WPA_GET_BE16(pos);
124 pos += 2;
125 for (i = 0; i < conn->num_cipher_suites; i++) {
126 if (cipher_suite == conn->cipher_suites[i])
127 break;
128 }
129 if (i == conn->num_cipher_suites) {
130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 "cipher suite 0x%04x", cipher_suite);
132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 TLS_ALERT_ILLEGAL_PARAMETER);
134 return -1;
135 }
136
137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 "cipher suite for a resumed connection (0x%04x != "
140 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 TLS_ALERT_ILLEGAL_PARAMETER);
143 return -1;
144 }
145
146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148 "record layer");
149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_INTERNAL_ERROR);
151 return -1;
152 }
153
154 conn->prev_cipher_suite = cipher_suite;
155
156 /* CompressionMethod compression_method */
157 if (end - pos < 1)
158 goto decode_error;
159 if (*pos != TLS_COMPRESSION_NULL) {
160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 "compression 0x%02x", *pos);
162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 TLS_ALERT_ILLEGAL_PARAMETER);
164 return -1;
165 }
166 pos++;
167
168 if (end != pos) {
169 /* TODO: ServerHello extensions */
170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 "end of ServerHello", pos, end - pos);
172 goto decode_error;
173 }
174
175 if (conn->session_ticket_included && conn->session_ticket_cb) {
176 /* TODO: include SessionTicket extension if one was included in
177 * ServerHello */
178 int res = conn->session_ticket_cb(
179 conn->session_ticket_cb_ctx, NULL, 0,
180 conn->client_random, conn->server_random,
181 conn->master_secret);
182 if (res < 0) {
183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 "indicated failure");
185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 TLS_ALERT_HANDSHAKE_FAILURE);
187 return -1;
188 }
189 conn->use_session_ticket = !!res;
190 }
191
192 if ((conn->session_resumed || conn->use_session_ticket) &&
193 tls_derive_keys(conn, NULL, 0)) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 TLS_ALERT_INTERNAL_ERROR);
197 return -1;
198 }
199
200 *in_len = end - in_data;
201
202 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204
205 return 0;
206
207 decode_error:
208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210 return -1;
211 }
212
213
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215 const u8 *in_data, size_t *in_len)
216 {
217 const u8 *pos, *end;
218 size_t left, len, list_len, cert_len, idx;
219 u8 type;
220 struct x509_certificate *chain = NULL, *last = NULL, *cert;
221 int reason;
222
223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225 "received content type 0x%x", ct);
226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 TLS_ALERT_UNEXPECTED_MESSAGE);
228 return -1;
229 }
230
231 pos = in_data;
232 left = *in_len;
233
234 if (left < 4) {
235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236 "(len=%lu)", (unsigned long) left);
237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
238 return -1;
239 }
240
241 type = *pos++;
242 len = WPA_GET_BE24(pos);
243 pos += 3;
244 left -= 4;
245
246 if (len > left) {
247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248 "length (len=%lu != left=%lu)",
249 (unsigned long) len, (unsigned long) left);
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
251 return -1;
252 }
253
254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255 return tls_process_server_key_exchange(conn, ct, in_data,
256 in_len);
257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258 return tls_process_certificate_request(conn, ct, in_data,
259 in_len);
260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261 return tls_process_server_hello_done(conn, ct, in_data,
262 in_len);
263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265 "message %d (expected Certificate/"
266 "ServerKeyExchange/CertificateRequest/"
267 "ServerHelloDone)", type);
268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 TLS_ALERT_UNEXPECTED_MESSAGE);
270 return -1;
271 }
272
273 wpa_printf(MSG_DEBUG,
274 "TLSv1: Received Certificate (certificate_list len %lu)",
275 (unsigned long) len);
276
277 /*
278 * opaque ASN.1Cert<2^24-1>;
279 *
280 * struct {
281 * ASN.1Cert certificate_list<1..2^24-1>;
282 * } Certificate;
283 */
284
285 end = pos + len;
286
287 if (end - pos < 3) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 "(left=%lu)", (unsigned long) left);
290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291 return -1;
292 }
293
294 list_len = WPA_GET_BE24(pos);
295 pos += 3;
296
297 if ((size_t) (end - pos) != list_len) {
298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 "length (len=%lu left=%lu)",
300 (unsigned long) list_len,
301 (unsigned long) (end - pos));
302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303 return -1;
304 }
305
306 idx = 0;
307 while (pos < end) {
308 if (end - pos < 3) {
309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310 "certificate_list");
311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 TLS_ALERT_DECODE_ERROR);
313 x509_certificate_chain_free(chain);
314 return -1;
315 }
316
317 cert_len = WPA_GET_BE24(pos);
318 pos += 3;
319
320 if ((size_t) (end - pos) < cert_len) {
321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 "length (len=%lu left=%lu)",
323 (unsigned long) cert_len,
324 (unsigned long) (end - pos));
325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_DECODE_ERROR);
327 x509_certificate_chain_free(chain);
328 return -1;
329 }
330
331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 (unsigned long) idx, (unsigned long) cert_len);
333
334 if (idx == 0) {
335 crypto_public_key_free(conn->server_rsa_key);
336 if (tls_parse_cert(pos, cert_len,
337 &conn->server_rsa_key)) {
338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339 "the certificate");
340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 TLS_ALERT_BAD_CERTIFICATE);
342 x509_certificate_chain_free(chain);
343 return -1;
344 }
345 }
346
347 cert = x509_certificate_parse(pos, cert_len);
348 if (cert == NULL) {
349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350 "the certificate");
351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 TLS_ALERT_BAD_CERTIFICATE);
353 x509_certificate_chain_free(chain);
354 return -1;
355 }
356
357 if (last == NULL)
358 chain = cert;
359 else
360 last->next = cert;
361 last = cert;
362
363 idx++;
364 pos += cert_len;
365 }
366
367 if (conn->cred &&
368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 &reason, conn->disable_time_checks)
370 < 0) {
371 int tls_reason;
372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 "validation failed (reason=%d)", reason);
374 switch (reason) {
375 case X509_VALIDATE_BAD_CERTIFICATE:
376 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377 break;
378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380 break;
381 case X509_VALIDATE_CERTIFICATE_REVOKED:
382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383 break;
384 case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386 break;
387 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389 break;
390 case X509_VALIDATE_UNKNOWN_CA:
391 tls_reason = TLS_ALERT_UNKNOWN_CA;
392 break;
393 default:
394 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395 break;
396 }
397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 x509_certificate_chain_free(chain);
399 return -1;
400 }
401
402 x509_certificate_chain_free(chain);
403
404 *in_len = end - in_data;
405
406 conn->state = SERVER_KEY_EXCHANGE;
407
408 return 0;
409 }
410
411
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len)412 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
413 const u8 *buf, size_t len)
414 {
415 const u8 *pos, *end;
416
417 tlsv1_client_free_dh(conn);
418
419 pos = buf;
420 end = buf + len;
421
422 if (end - pos < 3)
423 goto fail;
424 conn->dh_p_len = WPA_GET_BE16(pos);
425 pos += 2;
426 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
427 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
428 (unsigned long) conn->dh_p_len);
429 goto fail;
430 }
431 conn->dh_p = os_malloc(conn->dh_p_len);
432 if (conn->dh_p == NULL)
433 goto fail;
434 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
435 pos += conn->dh_p_len;
436 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
437 conn->dh_p, conn->dh_p_len);
438
439 if (end - pos < 3)
440 goto fail;
441 conn->dh_g_len = WPA_GET_BE16(pos);
442 pos += 2;
443 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
444 goto fail;
445 conn->dh_g = os_malloc(conn->dh_g_len);
446 if (conn->dh_g == NULL)
447 goto fail;
448 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
449 pos += conn->dh_g_len;
450 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
451 conn->dh_g, conn->dh_g_len);
452 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
453 goto fail;
454
455 if (end - pos < 3)
456 goto fail;
457 conn->dh_ys_len = WPA_GET_BE16(pos);
458 pos += 2;
459 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
460 goto fail;
461 conn->dh_ys = os_malloc(conn->dh_ys_len);
462 if (conn->dh_ys == NULL)
463 goto fail;
464 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
465 pos += conn->dh_ys_len;
466 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
467 conn->dh_ys, conn->dh_ys_len);
468
469 return 0;
470
471 fail:
472 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
473 tlsv1_client_free_dh(conn);
474 return -1;
475 }
476
477
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)478 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
479 const u8 *in_data, size_t *in_len)
480 {
481 const u8 *pos, *end;
482 size_t left, len;
483 u8 type;
484 const struct tls_cipher_suite *suite;
485
486 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
487 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
488 "received content type 0x%x", ct);
489 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
490 TLS_ALERT_UNEXPECTED_MESSAGE);
491 return -1;
492 }
493
494 pos = in_data;
495 left = *in_len;
496
497 if (left < 4) {
498 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
499 "(Left=%lu)", (unsigned long) left);
500 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
501 return -1;
502 }
503
504 type = *pos++;
505 len = WPA_GET_BE24(pos);
506 pos += 3;
507 left -= 4;
508
509 if (len > left) {
510 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
511 "length (len=%lu != left=%lu)",
512 (unsigned long) len, (unsigned long) left);
513 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
514 return -1;
515 }
516
517 end = pos + len;
518
519 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
520 return tls_process_certificate_request(conn, ct, in_data,
521 in_len);
522 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
523 return tls_process_server_hello_done(conn, ct, in_data,
524 in_len);
525 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
526 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
527 "message %d (expected ServerKeyExchange/"
528 "CertificateRequest/ServerHelloDone)", type);
529 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
530 TLS_ALERT_UNEXPECTED_MESSAGE);
531 return -1;
532 }
533
534 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
535
536 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
537 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
538 "with the selected cipher suite");
539 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
540 TLS_ALERT_UNEXPECTED_MESSAGE);
541 return -1;
542 }
543
544 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
545 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
546 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
547 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) {
548 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
549 TLS_ALERT_DECODE_ERROR);
550 return -1;
551 }
552 } else {
553 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
554 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
555 TLS_ALERT_UNEXPECTED_MESSAGE);
556 return -1;
557 }
558
559 *in_len = end - in_data;
560
561 conn->state = SERVER_CERTIFICATE_REQUEST;
562
563 return 0;
564 }
565
566
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)567 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
568 const u8 *in_data, size_t *in_len)
569 {
570 const u8 *pos, *end;
571 size_t left, len;
572 u8 type;
573
574 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
575 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
576 "received content type 0x%x", ct);
577 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
578 TLS_ALERT_UNEXPECTED_MESSAGE);
579 return -1;
580 }
581
582 pos = in_data;
583 left = *in_len;
584
585 if (left < 4) {
586 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
587 "(left=%lu)", (unsigned long) left);
588 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
589 return -1;
590 }
591
592 type = *pos++;
593 len = WPA_GET_BE24(pos);
594 pos += 3;
595 left -= 4;
596
597 if (len > left) {
598 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
599 "length (len=%lu != left=%lu)",
600 (unsigned long) len, (unsigned long) left);
601 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
602 return -1;
603 }
604
605 end = pos + len;
606
607 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
608 return tls_process_server_hello_done(conn, ct, in_data,
609 in_len);
610 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
611 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
612 "message %d (expected CertificateRequest/"
613 "ServerHelloDone)", type);
614 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
615 TLS_ALERT_UNEXPECTED_MESSAGE);
616 return -1;
617 }
618
619 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
620
621 conn->certificate_requested = 1;
622
623 *in_len = end - in_data;
624
625 conn->state = SERVER_HELLO_DONE;
626
627 return 0;
628 }
629
630
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)631 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
632 const u8 *in_data, size_t *in_len)
633 {
634 const u8 *pos, *end;
635 size_t left, len;
636 u8 type;
637
638 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
639 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
640 "received content type 0x%x", ct);
641 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
642 TLS_ALERT_UNEXPECTED_MESSAGE);
643 return -1;
644 }
645
646 pos = in_data;
647 left = *in_len;
648
649 if (left < 4) {
650 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
651 "(left=%lu)", (unsigned long) left);
652 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
653 return -1;
654 }
655
656 type = *pos++;
657 len = WPA_GET_BE24(pos);
658 pos += 3;
659 left -= 4;
660
661 if (len > left) {
662 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
663 "length (len=%lu != left=%lu)",
664 (unsigned long) len, (unsigned long) left);
665 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
666 return -1;
667 }
668 end = pos + len;
669
670 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
671 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
672 "message %d (expected ServerHelloDone)", type);
673 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
674 TLS_ALERT_UNEXPECTED_MESSAGE);
675 return -1;
676 }
677
678 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
679
680 *in_len = end - in_data;
681
682 conn->state = CLIENT_KEY_EXCHANGE;
683
684 return 0;
685 }
686
687
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)688 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
689 u8 ct, const u8 *in_data,
690 size_t *in_len)
691 {
692 const u8 *pos;
693 size_t left;
694
695 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
696 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
697 "received content type 0x%x", ct);
698 if (conn->use_session_ticket) {
699 int res;
700 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
701 "rejected SessionTicket");
702 conn->use_session_ticket = 0;
703
704 /* Notify upper layers that SessionTicket failed */
705 res = conn->session_ticket_cb(
706 conn->session_ticket_cb_ctx, NULL, 0, NULL,
707 NULL, NULL);
708 if (res < 0) {
709 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
710 "callback indicated failure");
711 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
712 TLS_ALERT_HANDSHAKE_FAILURE);
713 return -1;
714 }
715
716 conn->state = SERVER_CERTIFICATE;
717 return tls_process_certificate(conn, ct, in_data,
718 in_len);
719 }
720 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
721 TLS_ALERT_UNEXPECTED_MESSAGE);
722 return -1;
723 }
724
725 pos = in_data;
726 left = *in_len;
727
728 if (left < 1) {
729 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
730 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
731 return -1;
732 }
733
734 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
735 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
736 "received data 0x%x", *pos);
737 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
738 TLS_ALERT_UNEXPECTED_MESSAGE);
739 return -1;
740 }
741
742 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
743 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
744 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
745 "for record layer");
746 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
747 TLS_ALERT_INTERNAL_ERROR);
748 return -1;
749 }
750
751 *in_len = pos + 1 - in_data;
752
753 conn->state = SERVER_FINISHED;
754
755 return 0;
756 }
757
758
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)759 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
760 const u8 *in_data, size_t *in_len)
761 {
762 const u8 *pos, *end;
763 size_t left, len, hlen;
764 u8 verify_data[TLS_VERIFY_DATA_LEN];
765 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
766
767 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
768 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
769 "received content type 0x%x", ct);
770 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
771 TLS_ALERT_UNEXPECTED_MESSAGE);
772 return -1;
773 }
774
775 pos = in_data;
776 left = *in_len;
777
778 if (left < 4) {
779 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
780 "Finished",
781 (unsigned long) left);
782 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
783 TLS_ALERT_DECODE_ERROR);
784 return -1;
785 }
786
787 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
788 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
789 "type 0x%x", pos[0]);
790 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
791 TLS_ALERT_UNEXPECTED_MESSAGE);
792 return -1;
793 }
794
795 len = WPA_GET_BE24(pos + 1);
796
797 pos += 4;
798 left -= 4;
799
800 if (len > left) {
801 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
802 "(len=%lu > left=%lu)",
803 (unsigned long) len, (unsigned long) left);
804 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
805 TLS_ALERT_DECODE_ERROR);
806 return -1;
807 }
808 end = pos + len;
809 if (len != TLS_VERIFY_DATA_LEN) {
810 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
811 "in Finished: %lu (expected %d)",
812 (unsigned long) len, TLS_VERIFY_DATA_LEN);
813 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
814 TLS_ALERT_DECODE_ERROR);
815 return -1;
816 }
817 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
818 pos, TLS_VERIFY_DATA_LEN);
819
820 #ifdef CONFIG_TLSV12
821 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
822 hlen = SHA256_MAC_LEN;
823 if (conn->verify.sha256_server == NULL ||
824 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
825 < 0) {
826 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
827 TLS_ALERT_INTERNAL_ERROR);
828 conn->verify.sha256_server = NULL;
829 return -1;
830 }
831 conn->verify.sha256_server = NULL;
832 } else {
833 #endif /* CONFIG_TLSV12 */
834
835 hlen = MD5_MAC_LEN;
836 if (conn->verify.md5_server == NULL ||
837 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
838 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
839 TLS_ALERT_INTERNAL_ERROR);
840 conn->verify.md5_server = NULL;
841 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
842 conn->verify.sha1_server = NULL;
843 return -1;
844 }
845 conn->verify.md5_server = NULL;
846 hlen = SHA1_MAC_LEN;
847 if (conn->verify.sha1_server == NULL ||
848 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
849 &hlen) < 0) {
850 conn->verify.sha1_server = NULL;
851 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
852 TLS_ALERT_INTERNAL_ERROR);
853 return -1;
854 }
855 conn->verify.sha1_server = NULL;
856 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
857
858 #ifdef CONFIG_TLSV12
859 }
860 #endif /* CONFIG_TLSV12 */
861
862 if (tls_prf(conn->rl.tls_version,
863 conn->master_secret, TLS_MASTER_SECRET_LEN,
864 "server finished", hash, hlen,
865 verify_data, TLS_VERIFY_DATA_LEN)) {
866 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 TLS_ALERT_DECRYPT_ERROR);
869 return -1;
870 }
871 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
872 verify_data, TLS_VERIFY_DATA_LEN);
873
874 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
875 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
876 return -1;
877 }
878
879 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
880
881 *in_len = end - in_data;
882
883 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
884 CHANGE_CIPHER_SPEC : ACK_FINISHED;
885
886 return 0;
887 }
888
889
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)890 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
891 const u8 *in_data, size_t *in_len,
892 u8 **out_data, size_t *out_len)
893 {
894 const u8 *pos;
895 size_t left;
896
897 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
898 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
899 "received content type 0x%x", ct);
900 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
901 TLS_ALERT_UNEXPECTED_MESSAGE);
902 return -1;
903 }
904
905 pos = in_data;
906 left = *in_len;
907
908 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
909 pos, left);
910
911 *out_data = os_malloc(left);
912 if (*out_data) {
913 os_memcpy(*out_data, pos, left);
914 *out_len = left;
915 }
916
917 return 0;
918 }
919
920
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)921 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
922 const u8 *buf, size_t *len,
923 u8 **out_data, size_t *out_len)
924 {
925 if (ct == TLS_CONTENT_TYPE_ALERT) {
926 if (*len < 2) {
927 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
928 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
929 TLS_ALERT_DECODE_ERROR);
930 return -1;
931 }
932 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
933 buf[0], buf[1]);
934 *len = 2;
935 conn->state = FAILED;
936 return -1;
937 }
938
939 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
940 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
941 size_t hr_len = WPA_GET_BE24(buf + 1);
942 if (hr_len > *len - 4) {
943 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
944 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
945 TLS_ALERT_DECODE_ERROR);
946 return -1;
947 }
948 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
949 *len = 4 + hr_len;
950 return 0;
951 }
952
953 switch (conn->state) {
954 case SERVER_HELLO:
955 if (tls_process_server_hello(conn, ct, buf, len))
956 return -1;
957 break;
958 case SERVER_CERTIFICATE:
959 if (tls_process_certificate(conn, ct, buf, len))
960 return -1;
961 break;
962 case SERVER_KEY_EXCHANGE:
963 if (tls_process_server_key_exchange(conn, ct, buf, len))
964 return -1;
965 break;
966 case SERVER_CERTIFICATE_REQUEST:
967 if (tls_process_certificate_request(conn, ct, buf, len))
968 return -1;
969 break;
970 case SERVER_HELLO_DONE:
971 if (tls_process_server_hello_done(conn, ct, buf, len))
972 return -1;
973 break;
974 case SERVER_CHANGE_CIPHER_SPEC:
975 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
976 return -1;
977 break;
978 case SERVER_FINISHED:
979 if (tls_process_server_finished(conn, ct, buf, len))
980 return -1;
981 break;
982 case ACK_FINISHED:
983 if (out_data &&
984 tls_process_application_data(conn, ct, buf, len, out_data,
985 out_len))
986 return -1;
987 break;
988 default:
989 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
990 "while processing received message",
991 conn->state);
992 return -1;
993 }
994
995 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
996 tls_verify_hash_add(&conn->verify, buf, *len);
997
998 return 0;
999 }
1000