1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 const u8 *in_data, size_t *in_len)
32 {
33 const u8 *pos, *end;
34 size_t left, len, i;
35 u16 cipher_suite;
36 u16 tls_version;
37
38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 "received content type 0x%x", ct);
41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 TLS_ALERT_UNEXPECTED_MESSAGE);
43 return -1;
44 }
45
46 pos = in_data;
47 left = *in_len;
48
49 if (left < 4)
50 goto decode_error;
51
52 /* HandshakeType msg_type */
53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 "message %d (expected ServerHello)", *pos);
56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 TLS_ALERT_UNEXPECTED_MESSAGE);
58 return -1;
59 }
60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61 pos++;
62 /* uint24 length */
63 len = WPA_GET_BE24(pos);
64 pos += 3;
65 left -= 4;
66
67 if (len > left)
68 goto decode_error;
69
70 /* body - ServerHello */
71
72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73 end = pos + len;
74
75 /* ProtocolVersion server_version */
76 if (end - pos < 2)
77 goto decode_error;
78 tls_version = WPA_GET_BE16(pos);
79 if (!tls_version_ok(tls_version)) {
80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 "ServerHello %u.%u", pos[0], pos[1]);
82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 TLS_ALERT_PROTOCOL_VERSION);
84 return -1;
85 }
86 pos += 2;
87
88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 tls_version_str(tls_version));
90 conn->rl.tls_version = tls_version;
91
92 /* Random random */
93 if (end - pos < TLS_RANDOM_LEN)
94 goto decode_error;
95
96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 pos += TLS_RANDOM_LEN;
98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 conn->server_random, TLS_RANDOM_LEN);
100
101 /* SessionID session_id */
102 if (end - pos < 1)
103 goto decode_error;
104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105 goto decode_error;
106 if (conn->session_id_len && conn->session_id_len == *pos &&
107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 pos += 1 + conn->session_id_len;
109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 conn->session_resumed = 1;
111 } else {
112 conn->session_id_len = *pos;
113 pos++;
114 os_memcpy(conn->session_id, pos, conn->session_id_len);
115 pos += conn->session_id_len;
116 }
117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 conn->session_id, conn->session_id_len);
119
120 /* CipherSuite cipher_suite */
121 if (end - pos < 2)
122 goto decode_error;
123 cipher_suite = WPA_GET_BE16(pos);
124 pos += 2;
125 for (i = 0; i < conn->num_cipher_suites; i++) {
126 if (cipher_suite == conn->cipher_suites[i])
127 break;
128 }
129 if (i == conn->num_cipher_suites) {
130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 "cipher suite 0x%04x", cipher_suite);
132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 TLS_ALERT_ILLEGAL_PARAMETER);
134 return -1;
135 }
136
137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 "cipher suite for a resumed connection (0x%04x != "
140 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 TLS_ALERT_ILLEGAL_PARAMETER);
143 return -1;
144 }
145
146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148 "record layer");
149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_INTERNAL_ERROR);
151 return -1;
152 }
153
154 conn->prev_cipher_suite = cipher_suite;
155
156 /* CompressionMethod compression_method */
157 if (end - pos < 1)
158 goto decode_error;
159 if (*pos != TLS_COMPRESSION_NULL) {
160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 "compression 0x%02x", *pos);
162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 TLS_ALERT_ILLEGAL_PARAMETER);
164 return -1;
165 }
166 pos++;
167
168 if (end != pos) {
169 /* TODO: ServerHello extensions */
170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 "end of ServerHello", pos, end - pos);
172 goto decode_error;
173 }
174
175 if (conn->session_ticket_included && conn->session_ticket_cb) {
176 /* TODO: include SessionTicket extension if one was included in
177 * ServerHello */
178 int res = conn->session_ticket_cb(
179 conn->session_ticket_cb_ctx, NULL, 0,
180 conn->client_random, conn->server_random,
181 conn->master_secret);
182 if (res < 0) {
183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 "indicated failure");
185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 TLS_ALERT_HANDSHAKE_FAILURE);
187 return -1;
188 }
189 conn->use_session_ticket = !!res;
190 }
191
192 if ((conn->session_resumed || conn->use_session_ticket) &&
193 tls_derive_keys(conn, NULL, 0)) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 TLS_ALERT_INTERNAL_ERROR);
197 return -1;
198 }
199
200 *in_len = end - in_data;
201
202 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204
205 return 0;
206
207 decode_error:
208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210 return -1;
211 }
212
213
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215 const u8 *in_data, size_t *in_len)
216 {
217 const u8 *pos, *end;
218 size_t left, len, list_len, cert_len, idx;
219 u8 type;
220 struct x509_certificate *chain = NULL, *last = NULL, *cert;
221 int reason;
222
223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225 "received content type 0x%x", ct);
226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 TLS_ALERT_UNEXPECTED_MESSAGE);
228 return -1;
229 }
230
231 pos = in_data;
232 left = *in_len;
233
234 if (left < 4) {
235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236 "(len=%lu)", (unsigned long) left);
237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
238 return -1;
239 }
240
241 type = *pos++;
242 len = WPA_GET_BE24(pos);
243 pos += 3;
244 left -= 4;
245
246 if (len > left) {
247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248 "length (len=%lu != left=%lu)",
249 (unsigned long) len, (unsigned long) left);
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
251 return -1;
252 }
253
254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255 return tls_process_server_key_exchange(conn, ct, in_data,
256 in_len);
257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258 return tls_process_certificate_request(conn, ct, in_data,
259 in_len);
260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261 return tls_process_server_hello_done(conn, ct, in_data,
262 in_len);
263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265 "message %d (expected Certificate/"
266 "ServerKeyExchange/CertificateRequest/"
267 "ServerHelloDone)", type);
268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 TLS_ALERT_UNEXPECTED_MESSAGE);
270 return -1;
271 }
272
273 wpa_printf(MSG_DEBUG,
274 "TLSv1: Received Certificate (certificate_list len %lu)",
275 (unsigned long) len);
276
277 /*
278 * opaque ASN.1Cert<2^24-1>;
279 *
280 * struct {
281 * ASN.1Cert certificate_list<1..2^24-1>;
282 * } Certificate;
283 */
284
285 end = pos + len;
286
287 if (end - pos < 3) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 "(left=%lu)", (unsigned long) left);
290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291 return -1;
292 }
293
294 list_len = WPA_GET_BE24(pos);
295 pos += 3;
296
297 if ((size_t) (end - pos) != list_len) {
298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 "length (len=%lu left=%lu)",
300 (unsigned long) list_len,
301 (unsigned long) (end - pos));
302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303 return -1;
304 }
305
306 idx = 0;
307 while (pos < end) {
308 if (end - pos < 3) {
309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310 "certificate_list");
311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 TLS_ALERT_DECODE_ERROR);
313 x509_certificate_chain_free(chain);
314 return -1;
315 }
316
317 cert_len = WPA_GET_BE24(pos);
318 pos += 3;
319
320 if ((size_t) (end - pos) < cert_len) {
321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 "length (len=%lu left=%lu)",
323 (unsigned long) cert_len,
324 (unsigned long) (end - pos));
325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_DECODE_ERROR);
327 x509_certificate_chain_free(chain);
328 return -1;
329 }
330
331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 (unsigned long) idx, (unsigned long) cert_len);
333
334 if (idx == 0) {
335 crypto_public_key_free(conn->server_rsa_key);
336 if (tls_parse_cert(pos, cert_len,
337 &conn->server_rsa_key)) {
338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339 "the certificate");
340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 TLS_ALERT_BAD_CERTIFICATE);
342 x509_certificate_chain_free(chain);
343 return -1;
344 }
345 }
346
347 cert = x509_certificate_parse(pos, cert_len);
348 if (cert == NULL) {
349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350 "the certificate");
351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 TLS_ALERT_BAD_CERTIFICATE);
353 x509_certificate_chain_free(chain);
354 return -1;
355 }
356
357 if (last == NULL)
358 chain = cert;
359 else
360 last->next = cert;
361 last = cert;
362
363 idx++;
364 pos += cert_len;
365 }
366
367 if (conn->cred &&
368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 &reason, conn->disable_time_checks)
370 < 0) {
371 int tls_reason;
372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 "validation failed (reason=%d)", reason);
374 switch (reason) {
375 case X509_VALIDATE_BAD_CERTIFICATE:
376 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377 break;
378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380 break;
381 case X509_VALIDATE_CERTIFICATE_REVOKED:
382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383 break;
384 case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386 break;
387 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389 break;
390 case X509_VALIDATE_UNKNOWN_CA:
391 tls_reason = TLS_ALERT_UNKNOWN_CA;
392 break;
393 default:
394 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395 break;
396 }
397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 x509_certificate_chain_free(chain);
399 return -1;
400 }
401
402 x509_certificate_chain_free(chain);
403
404 *in_len = end - in_data;
405
406 conn->state = SERVER_KEY_EXCHANGE;
407
408 return 0;
409 }
410
411
count_bits(const u8 * val,size_t len)412 static unsigned int count_bits(const u8 *val, size_t len)
413 {
414 size_t i;
415 unsigned int bits;
416 u8 tmp;
417
418 for (i = 0; i < len; i++) {
419 if (val[i])
420 break;
421 }
422 if (i == len)
423 return 0;
424
425 bits = (len - i - 1) * 8;
426 tmp = val[i];
427 while (tmp) {
428 bits++;
429 tmp >>= 1;
430 }
431
432 return bits;
433 }
434
435
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)436 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
437 const u8 *buf, size_t len,
438 tls_key_exchange key_exchange)
439 {
440 const u8 *pos, *end, *server_params, *server_params_end;
441 u8 alert;
442 unsigned int bits;
443
444 tlsv1_client_free_dh(conn);
445
446 pos = buf;
447 end = buf + len;
448
449 if (end - pos < 3)
450 goto fail;
451 server_params = pos;
452 conn->dh_p_len = WPA_GET_BE16(pos);
453 pos += 2;
454 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
455 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
456 (unsigned long) conn->dh_p_len);
457 goto fail;
458 }
459 bits = count_bits(pos, conn->dh_p_len);
460 if (bits < 768) {
461 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
462 bits);
463 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
464 pos, conn->dh_p_len);
465 goto fail;
466 }
467 conn->dh_p = os_malloc(conn->dh_p_len);
468 if (conn->dh_p == NULL)
469 goto fail;
470 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
471 pos += conn->dh_p_len;
472 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
473 conn->dh_p, conn->dh_p_len);
474
475 if (end - pos < 3)
476 goto fail;
477 conn->dh_g_len = WPA_GET_BE16(pos);
478 pos += 2;
479 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
480 goto fail;
481 conn->dh_g = os_malloc(conn->dh_g_len);
482 if (conn->dh_g == NULL)
483 goto fail;
484 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
485 pos += conn->dh_g_len;
486 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
487 conn->dh_g, conn->dh_g_len);
488 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
489 goto fail;
490
491 if (end - pos < 3)
492 goto fail;
493 conn->dh_ys_len = WPA_GET_BE16(pos);
494 pos += 2;
495 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
496 goto fail;
497 conn->dh_ys = os_malloc(conn->dh_ys_len);
498 if (conn->dh_ys == NULL)
499 goto fail;
500 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
501 pos += conn->dh_ys_len;
502 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
503 conn->dh_ys, conn->dh_ys_len);
504 server_params_end = pos;
505
506 if (key_exchange == TLS_KEY_X_DHE_RSA) {
507 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
508 int hlen;
509
510 if (conn->rl.tls_version == TLS_VERSION_1_2) {
511 #ifdef CONFIG_TLSV12
512 /*
513 * RFC 5246, 4.7:
514 * TLS v1.2 adds explicit indication of the used
515 * signature and hash algorithms.
516 *
517 * struct {
518 * HashAlgorithm hash;
519 * SignatureAlgorithm signature;
520 * } SignatureAndHashAlgorithm;
521 */
522 if (end - pos < 2)
523 goto fail;
524 if (pos[0] != TLS_HASH_ALG_SHA256 ||
525 pos[1] != TLS_SIGN_ALG_RSA) {
526 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
527 pos[0], pos[1]);
528 goto fail;
529 }
530 pos += 2;
531
532 hlen = tlsv12_key_x_server_params_hash(
533 conn->rl.tls_version, conn->client_random,
534 conn->server_random, server_params,
535 server_params_end - server_params, hash);
536 #else /* CONFIG_TLSV12 */
537 goto fail;
538 #endif /* CONFIG_TLSV12 */
539 } else {
540 hlen = tls_key_x_server_params_hash(
541 conn->rl.tls_version, conn->client_random,
542 conn->server_random, server_params,
543 server_params_end - server_params, hash);
544 }
545
546 if (hlen < 0)
547 goto fail;
548 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
549 hash, hlen);
550
551 if (tls_verify_signature(conn->rl.tls_version,
552 conn->server_rsa_key,
553 hash, hlen, pos, end - pos,
554 &alert) < 0)
555 goto fail;
556 }
557
558 return 0;
559
560 fail:
561 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
562 tlsv1_client_free_dh(conn);
563 return -1;
564 }
565
566
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)567 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
568 const u8 *in_data, size_t *in_len)
569 {
570 const u8 *pos, *end;
571 size_t left, len;
572 u8 type;
573 const struct tls_cipher_suite *suite;
574
575 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
576 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
577 "received content type 0x%x", ct);
578 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
579 TLS_ALERT_UNEXPECTED_MESSAGE);
580 return -1;
581 }
582
583 pos = in_data;
584 left = *in_len;
585
586 if (left < 4) {
587 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
588 "(Left=%lu)", (unsigned long) left);
589 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
590 return -1;
591 }
592
593 type = *pos++;
594 len = WPA_GET_BE24(pos);
595 pos += 3;
596 left -= 4;
597
598 if (len > left) {
599 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
600 "length (len=%lu != left=%lu)",
601 (unsigned long) len, (unsigned long) left);
602 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
603 return -1;
604 }
605
606 end = pos + len;
607
608 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
609 return tls_process_certificate_request(conn, ct, in_data,
610 in_len);
611 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
612 return tls_process_server_hello_done(conn, ct, in_data,
613 in_len);
614 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
615 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
616 "message %d (expected ServerKeyExchange/"
617 "CertificateRequest/ServerHelloDone)", type);
618 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
619 TLS_ALERT_UNEXPECTED_MESSAGE);
620 return -1;
621 }
622
623 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
624
625 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
626 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
627 "with the selected cipher suite");
628 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
629 TLS_ALERT_UNEXPECTED_MESSAGE);
630 return -1;
631 }
632
633 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
634 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
635 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
636 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
637 if (tlsv1_process_diffie_hellman(conn, pos, len,
638 suite->key_exchange) < 0) {
639 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
640 TLS_ALERT_DECODE_ERROR);
641 return -1;
642 }
643 } else {
644 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
645 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
646 TLS_ALERT_UNEXPECTED_MESSAGE);
647 return -1;
648 }
649
650 *in_len = end - in_data;
651
652 conn->state = SERVER_CERTIFICATE_REQUEST;
653
654 return 0;
655 }
656
657
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)658 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
659 const u8 *in_data, size_t *in_len)
660 {
661 const u8 *pos, *end;
662 size_t left, len;
663 u8 type;
664
665 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
666 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
667 "received content type 0x%x", ct);
668 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
669 TLS_ALERT_UNEXPECTED_MESSAGE);
670 return -1;
671 }
672
673 pos = in_data;
674 left = *in_len;
675
676 if (left < 4) {
677 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
678 "(left=%lu)", (unsigned long) left);
679 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
680 return -1;
681 }
682
683 type = *pos++;
684 len = WPA_GET_BE24(pos);
685 pos += 3;
686 left -= 4;
687
688 if (len > left) {
689 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
690 "length (len=%lu != left=%lu)",
691 (unsigned long) len, (unsigned long) left);
692 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
693 return -1;
694 }
695
696 end = pos + len;
697
698 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
699 return tls_process_server_hello_done(conn, ct, in_data,
700 in_len);
701 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
702 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
703 "message %d (expected CertificateRequest/"
704 "ServerHelloDone)", type);
705 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
706 TLS_ALERT_UNEXPECTED_MESSAGE);
707 return -1;
708 }
709
710 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
711
712 conn->certificate_requested = 1;
713
714 *in_len = end - in_data;
715
716 conn->state = SERVER_HELLO_DONE;
717
718 return 0;
719 }
720
721
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)722 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
723 const u8 *in_data, size_t *in_len)
724 {
725 const u8 *pos, *end;
726 size_t left, len;
727 u8 type;
728
729 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
730 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
731 "received content type 0x%x", ct);
732 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
733 TLS_ALERT_UNEXPECTED_MESSAGE);
734 return -1;
735 }
736
737 pos = in_data;
738 left = *in_len;
739
740 if (left < 4) {
741 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
742 "(left=%lu)", (unsigned long) left);
743 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
744 return -1;
745 }
746
747 type = *pos++;
748 len = WPA_GET_BE24(pos);
749 pos += 3;
750 left -= 4;
751
752 if (len > left) {
753 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
754 "length (len=%lu != left=%lu)",
755 (unsigned long) len, (unsigned long) left);
756 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
757 return -1;
758 }
759 end = pos + len;
760
761 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
762 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
763 "message %d (expected ServerHelloDone)", type);
764 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
765 TLS_ALERT_UNEXPECTED_MESSAGE);
766 return -1;
767 }
768
769 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
770
771 *in_len = end - in_data;
772
773 conn->state = CLIENT_KEY_EXCHANGE;
774
775 return 0;
776 }
777
778
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)779 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
780 u8 ct, const u8 *in_data,
781 size_t *in_len)
782 {
783 const u8 *pos;
784 size_t left;
785
786 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
787 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
788 "received content type 0x%x", ct);
789 if (conn->use_session_ticket) {
790 int res;
791 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
792 "rejected SessionTicket");
793 conn->use_session_ticket = 0;
794
795 /* Notify upper layers that SessionTicket failed */
796 res = conn->session_ticket_cb(
797 conn->session_ticket_cb_ctx, NULL, 0, NULL,
798 NULL, NULL);
799 if (res < 0) {
800 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
801 "callback indicated failure");
802 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
803 TLS_ALERT_HANDSHAKE_FAILURE);
804 return -1;
805 }
806
807 conn->state = SERVER_CERTIFICATE;
808 return tls_process_certificate(conn, ct, in_data,
809 in_len);
810 }
811 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
812 TLS_ALERT_UNEXPECTED_MESSAGE);
813 return -1;
814 }
815
816 pos = in_data;
817 left = *in_len;
818
819 if (left < 1) {
820 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
821 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
822 return -1;
823 }
824
825 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
826 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
827 "received data 0x%x", *pos);
828 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
829 TLS_ALERT_UNEXPECTED_MESSAGE);
830 return -1;
831 }
832
833 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
834 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
835 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
836 "for record layer");
837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
838 TLS_ALERT_INTERNAL_ERROR);
839 return -1;
840 }
841
842 *in_len = pos + 1 - in_data;
843
844 conn->state = SERVER_FINISHED;
845
846 return 0;
847 }
848
849
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)850 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
851 const u8 *in_data, size_t *in_len)
852 {
853 const u8 *pos, *end;
854 size_t left, len, hlen;
855 u8 verify_data[TLS_VERIFY_DATA_LEN];
856 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
857
858 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
859 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
860 "received content type 0x%x", ct);
861 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
862 TLS_ALERT_UNEXPECTED_MESSAGE);
863 return -1;
864 }
865
866 pos = in_data;
867 left = *in_len;
868
869 if (left < 4) {
870 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
871 "Finished",
872 (unsigned long) left);
873 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
874 TLS_ALERT_DECODE_ERROR);
875 return -1;
876 }
877
878 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
879 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
880 "type 0x%x", pos[0]);
881 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
882 TLS_ALERT_UNEXPECTED_MESSAGE);
883 return -1;
884 }
885
886 len = WPA_GET_BE24(pos + 1);
887
888 pos += 4;
889 left -= 4;
890
891 if (len > left) {
892 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
893 "(len=%lu > left=%lu)",
894 (unsigned long) len, (unsigned long) left);
895 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
896 TLS_ALERT_DECODE_ERROR);
897 return -1;
898 }
899 end = pos + len;
900 if (len != TLS_VERIFY_DATA_LEN) {
901 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
902 "in Finished: %lu (expected %d)",
903 (unsigned long) len, TLS_VERIFY_DATA_LEN);
904 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
905 TLS_ALERT_DECODE_ERROR);
906 return -1;
907 }
908 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
909 pos, TLS_VERIFY_DATA_LEN);
910
911 #ifdef CONFIG_TLSV12
912 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
913 hlen = SHA256_MAC_LEN;
914 if (conn->verify.sha256_server == NULL ||
915 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
916 < 0) {
917 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
918 TLS_ALERT_INTERNAL_ERROR);
919 conn->verify.sha256_server = NULL;
920 return -1;
921 }
922 conn->verify.sha256_server = NULL;
923 } else {
924 #endif /* CONFIG_TLSV12 */
925
926 hlen = MD5_MAC_LEN;
927 if (conn->verify.md5_server == NULL ||
928 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
929 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
930 TLS_ALERT_INTERNAL_ERROR);
931 conn->verify.md5_server = NULL;
932 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
933 conn->verify.sha1_server = NULL;
934 return -1;
935 }
936 conn->verify.md5_server = NULL;
937 hlen = SHA1_MAC_LEN;
938 if (conn->verify.sha1_server == NULL ||
939 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
940 &hlen) < 0) {
941 conn->verify.sha1_server = NULL;
942 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
943 TLS_ALERT_INTERNAL_ERROR);
944 return -1;
945 }
946 conn->verify.sha1_server = NULL;
947 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
948
949 #ifdef CONFIG_TLSV12
950 }
951 #endif /* CONFIG_TLSV12 */
952
953 if (tls_prf(conn->rl.tls_version,
954 conn->master_secret, TLS_MASTER_SECRET_LEN,
955 "server finished", hash, hlen,
956 verify_data, TLS_VERIFY_DATA_LEN)) {
957 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
958 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
959 TLS_ALERT_DECRYPT_ERROR);
960 return -1;
961 }
962 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
963 verify_data, TLS_VERIFY_DATA_LEN);
964
965 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
966 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
967 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
968 TLS_ALERT_DECRYPT_ERROR);
969 return -1;
970 }
971
972 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
973
974 *in_len = end - in_data;
975
976 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
977 CHANGE_CIPHER_SPEC : ACK_FINISHED;
978
979 return 0;
980 }
981
982
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)983 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
984 const u8 *in_data, size_t *in_len,
985 u8 **out_data, size_t *out_len)
986 {
987 const u8 *pos;
988 size_t left;
989
990 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
991 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
992 "received content type 0x%x", ct);
993 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
994 TLS_ALERT_UNEXPECTED_MESSAGE);
995 return -1;
996 }
997
998 pos = in_data;
999 left = *in_len;
1000
1001 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1002 pos, left);
1003
1004 *out_data = os_malloc(left);
1005 if (*out_data) {
1006 os_memcpy(*out_data, pos, left);
1007 *out_len = left;
1008 }
1009
1010 return 0;
1011 }
1012
1013
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1014 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1015 const u8 *buf, size_t *len,
1016 u8 **out_data, size_t *out_len)
1017 {
1018 if (ct == TLS_CONTENT_TYPE_ALERT) {
1019 if (*len < 2) {
1020 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1021 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1022 TLS_ALERT_DECODE_ERROR);
1023 return -1;
1024 }
1025 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1026 buf[0], buf[1]);
1027 *len = 2;
1028 conn->state = FAILED;
1029 return -1;
1030 }
1031
1032 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1033 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1034 size_t hr_len = WPA_GET_BE24(buf + 1);
1035 if (hr_len > *len - 4) {
1036 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1037 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038 TLS_ALERT_DECODE_ERROR);
1039 return -1;
1040 }
1041 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1042 *len = 4 + hr_len;
1043 return 0;
1044 }
1045
1046 switch (conn->state) {
1047 case SERVER_HELLO:
1048 if (tls_process_server_hello(conn, ct, buf, len))
1049 return -1;
1050 break;
1051 case SERVER_CERTIFICATE:
1052 if (tls_process_certificate(conn, ct, buf, len))
1053 return -1;
1054 break;
1055 case SERVER_KEY_EXCHANGE:
1056 if (tls_process_server_key_exchange(conn, ct, buf, len))
1057 return -1;
1058 break;
1059 case SERVER_CERTIFICATE_REQUEST:
1060 if (tls_process_certificate_request(conn, ct, buf, len))
1061 return -1;
1062 break;
1063 case SERVER_HELLO_DONE:
1064 if (tls_process_server_hello_done(conn, ct, buf, len))
1065 return -1;
1066 break;
1067 case SERVER_CHANGE_CIPHER_SPEC:
1068 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1069 return -1;
1070 break;
1071 case SERVER_FINISHED:
1072 if (tls_process_server_finished(conn, ct, buf, len))
1073 return -1;
1074 break;
1075 case ACK_FINISHED:
1076 if (out_data &&
1077 tls_process_application_data(conn, ct, buf, len, out_data,
1078 out_len))
1079 return -1;
1080 break;
1081 default:
1082 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1083 "while processing received message",
1084 conn->state);
1085 return -1;
1086 }
1087
1088 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1089 tls_verify_hash_add(&conn->verify, buf, *len);
1090
1091 return 0;
1092 }
1093