1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "md5.h" 19 #include "sha1.h" 20 #include "x509v3.h" 21 #include "tls.h" 22 #include "tlsv1_common.h" 23 #include "tlsv1_record.h" 24 #include "tlsv1_client.h" 25 #include "tlsv1_client_i.h" 26 27 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 28 const u8 *in_data, size_t *in_len); 29 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 30 const u8 *in_data, size_t *in_len); 31 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 32 const u8 *in_data, size_t *in_len); 33 34 35 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 36 const u8 *in_data, size_t *in_len) 37 { 38 const u8 *pos, *end; 39 size_t left, len, i; 40 u16 cipher_suite; 41 42 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 43 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 44 "received content type 0x%x", ct); 45 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 46 TLS_ALERT_UNEXPECTED_MESSAGE); 47 return -1; 48 } 49 50 pos = in_data; 51 left = *in_len; 52 53 if (left < 4) 54 goto decode_error; 55 56 /* HandshakeType msg_type */ 57 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 58 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 59 "message %d (expected ServerHello)", *pos); 60 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 61 TLS_ALERT_UNEXPECTED_MESSAGE); 62 return -1; 63 } 64 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 65 pos++; 66 /* uint24 length */ 67 len = WPA_GET_BE24(pos); 68 pos += 3; 69 left -= 4; 70 71 if (len > left) 72 goto decode_error; 73 74 /* body - ServerHello */ 75 76 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 77 end = pos + len; 78 79 /* ProtocolVersion server_version */ 80 if (end - pos < 2) 81 goto decode_error; 82 if (WPA_GET_BE16(pos) != TLS_VERSION) { 83 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 84 "ServerHello"); 85 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 86 TLS_ALERT_PROTOCOL_VERSION); 87 return -1; 88 } 89 pos += 2; 90 91 /* Random random */ 92 if (end - pos < TLS_RANDOM_LEN) 93 goto decode_error; 94 95 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 96 pos += TLS_RANDOM_LEN; 97 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 98 conn->server_random, TLS_RANDOM_LEN); 99 100 /* SessionID session_id */ 101 if (end - pos < 1) 102 goto decode_error; 103 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 104 goto decode_error; 105 if (conn->session_id_len && conn->session_id_len == *pos && 106 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 107 pos += 1 + conn->session_id_len; 108 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 109 conn->session_resumed = 1; 110 } else { 111 conn->session_id_len = *pos; 112 pos++; 113 os_memcpy(conn->session_id, pos, conn->session_id_len); 114 pos += conn->session_id_len; 115 } 116 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 117 conn->session_id, conn->session_id_len); 118 119 /* CipherSuite cipher_suite */ 120 if (end - pos < 2) 121 goto decode_error; 122 cipher_suite = WPA_GET_BE16(pos); 123 pos += 2; 124 for (i = 0; i < conn->num_cipher_suites; i++) { 125 if (cipher_suite == conn->cipher_suites[i]) 126 break; 127 } 128 if (i == conn->num_cipher_suites) { 129 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 130 "cipher suite 0x%04x", cipher_suite); 131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 132 TLS_ALERT_ILLEGAL_PARAMETER); 133 return -1; 134 } 135 136 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 137 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 138 "cipher suite for a resumed connection (0x%04x != " 139 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 140 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 141 TLS_ALERT_ILLEGAL_PARAMETER); 142 return -1; 143 } 144 145 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 146 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 147 "record layer"); 148 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 149 TLS_ALERT_INTERNAL_ERROR); 150 return -1; 151 } 152 153 conn->prev_cipher_suite = cipher_suite; 154 155 /* CompressionMethod compression_method */ 156 if (end - pos < 1) 157 goto decode_error; 158 if (*pos != TLS_COMPRESSION_NULL) { 159 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 160 "compression 0x%02x", *pos); 161 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 162 TLS_ALERT_ILLEGAL_PARAMETER); 163 return -1; 164 } 165 pos++; 166 167 if (end != pos) { 168 /* TODO: ServerHello extensions */ 169 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 170 "end of ServerHello", pos, end - pos); 171 goto decode_error; 172 } 173 174 if (conn->session_ticket_included && conn->session_ticket_cb) { 175 /* TODO: include SessionTicket extension if one was included in 176 * ServerHello */ 177 int res = conn->session_ticket_cb( 178 conn->session_ticket_cb_ctx, NULL, 0, 179 conn->client_random, conn->server_random, 180 conn->master_secret); 181 if (res < 0) { 182 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 183 "indicated failure"); 184 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 185 TLS_ALERT_HANDSHAKE_FAILURE); 186 return -1; 187 } 188 conn->use_session_ticket = !!res; 189 } 190 191 if ((conn->session_resumed || conn->use_session_ticket) && 192 tls_derive_keys(conn, NULL, 0)) { 193 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 194 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 195 TLS_ALERT_INTERNAL_ERROR); 196 return -1; 197 } 198 199 *in_len = end - in_data; 200 201 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 202 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 203 204 return 0; 205 206 decode_error: 207 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 208 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 209 return -1; 210 } 211 212 213 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 214 const u8 *in_data, size_t *in_len) 215 { 216 const u8 *pos, *end; 217 size_t left, len, list_len, cert_len, idx; 218 u8 type; 219 struct x509_certificate *chain = NULL, *last = NULL, *cert; 220 int reason; 221 222 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 223 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 224 "received content type 0x%x", ct); 225 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 226 TLS_ALERT_UNEXPECTED_MESSAGE); 227 return -1; 228 } 229 230 pos = in_data; 231 left = *in_len; 232 233 if (left < 4) { 234 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 235 "(len=%lu)", (unsigned long) left); 236 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 237 return -1; 238 } 239 240 type = *pos++; 241 len = WPA_GET_BE24(pos); 242 pos += 3; 243 left -= 4; 244 245 if (len > left) { 246 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 247 "length (len=%lu != left=%lu)", 248 (unsigned long) len, (unsigned long) left); 249 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 250 return -1; 251 } 252 253 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 254 return tls_process_server_key_exchange(conn, ct, in_data, 255 in_len); 256 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 257 return tls_process_certificate_request(conn, ct, in_data, 258 in_len); 259 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 260 return tls_process_server_hello_done(conn, ct, in_data, 261 in_len); 262 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 263 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 264 "message %d (expected Certificate/" 265 "ServerKeyExchange/CertificateRequest/" 266 "ServerHelloDone)", type); 267 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 268 TLS_ALERT_UNEXPECTED_MESSAGE); 269 return -1; 270 } 271 272 wpa_printf(MSG_DEBUG, 273 "TLSv1: Received Certificate (certificate_list len %lu)", 274 (unsigned long) len); 275 276 /* 277 * opaque ASN.1Cert<2^24-1>; 278 * 279 * struct { 280 * ASN.1Cert certificate_list<1..2^24-1>; 281 * } Certificate; 282 */ 283 284 end = pos + len; 285 286 if (end - pos < 3) { 287 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 288 "(left=%lu)", (unsigned long) left); 289 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 290 return -1; 291 } 292 293 list_len = WPA_GET_BE24(pos); 294 pos += 3; 295 296 if ((size_t) (end - pos) != list_len) { 297 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 298 "length (len=%lu left=%lu)", 299 (unsigned long) list_len, 300 (unsigned long) (end - pos)); 301 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 302 return -1; 303 } 304 305 idx = 0; 306 while (pos < end) { 307 if (end - pos < 3) { 308 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 309 "certificate_list"); 310 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 311 TLS_ALERT_DECODE_ERROR); 312 x509_certificate_chain_free(chain); 313 return -1; 314 } 315 316 cert_len = WPA_GET_BE24(pos); 317 pos += 3; 318 319 if ((size_t) (end - pos) < cert_len) { 320 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 321 "length (len=%lu left=%lu)", 322 (unsigned long) cert_len, 323 (unsigned long) (end - pos)); 324 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 325 TLS_ALERT_DECODE_ERROR); 326 x509_certificate_chain_free(chain); 327 return -1; 328 } 329 330 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 331 (unsigned long) idx, (unsigned long) cert_len); 332 333 if (idx == 0) { 334 crypto_public_key_free(conn->server_rsa_key); 335 if (tls_parse_cert(pos, cert_len, 336 &conn->server_rsa_key)) { 337 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 338 "the certificate"); 339 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 340 TLS_ALERT_BAD_CERTIFICATE); 341 x509_certificate_chain_free(chain); 342 return -1; 343 } 344 } 345 346 cert = x509_certificate_parse(pos, cert_len); 347 if (cert == NULL) { 348 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 349 "the certificate"); 350 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 351 TLS_ALERT_BAD_CERTIFICATE); 352 x509_certificate_chain_free(chain); 353 return -1; 354 } 355 356 if (last == NULL) 357 chain = cert; 358 else 359 last->next = cert; 360 last = cert; 361 362 idx++; 363 pos += cert_len; 364 } 365 366 if (conn->cred && 367 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 368 &reason) < 0) { 369 int tls_reason; 370 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 371 "validation failed (reason=%d)", reason); 372 switch (reason) { 373 case X509_VALIDATE_BAD_CERTIFICATE: 374 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 375 break; 376 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 377 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 378 break; 379 case X509_VALIDATE_CERTIFICATE_REVOKED: 380 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 381 break; 382 case X509_VALIDATE_CERTIFICATE_EXPIRED: 383 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 384 break; 385 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 386 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 387 break; 388 case X509_VALIDATE_UNKNOWN_CA: 389 tls_reason = TLS_ALERT_UNKNOWN_CA; 390 break; 391 default: 392 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 393 break; 394 } 395 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 396 x509_certificate_chain_free(chain); 397 return -1; 398 } 399 400 x509_certificate_chain_free(chain); 401 402 *in_len = end - in_data; 403 404 conn->state = SERVER_KEY_EXCHANGE; 405 406 return 0; 407 } 408 409 410 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 411 const u8 *buf, size_t len) 412 { 413 const u8 *pos, *end; 414 415 tlsv1_client_free_dh(conn); 416 417 pos = buf; 418 end = buf + len; 419 420 if (end - pos < 3) 421 goto fail; 422 conn->dh_p_len = WPA_GET_BE16(pos); 423 pos += 2; 424 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) { 425 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu", 426 (unsigned long) conn->dh_p_len); 427 goto fail; 428 } 429 conn->dh_p = os_malloc(conn->dh_p_len); 430 if (conn->dh_p == NULL) 431 goto fail; 432 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 433 pos += conn->dh_p_len; 434 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 435 conn->dh_p, conn->dh_p_len); 436 437 if (end - pos < 3) 438 goto fail; 439 conn->dh_g_len = WPA_GET_BE16(pos); 440 pos += 2; 441 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 442 goto fail; 443 conn->dh_g = os_malloc(conn->dh_g_len); 444 if (conn->dh_g == NULL) 445 goto fail; 446 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 447 pos += conn->dh_g_len; 448 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 449 conn->dh_g, conn->dh_g_len); 450 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 451 goto fail; 452 453 if (end - pos < 3) 454 goto fail; 455 conn->dh_ys_len = WPA_GET_BE16(pos); 456 pos += 2; 457 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 458 goto fail; 459 conn->dh_ys = os_malloc(conn->dh_ys_len); 460 if (conn->dh_ys == NULL) 461 goto fail; 462 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 463 pos += conn->dh_ys_len; 464 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 465 conn->dh_ys, conn->dh_ys_len); 466 467 return 0; 468 469 fail: 470 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 471 tlsv1_client_free_dh(conn); 472 return -1; 473 } 474 475 476 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 477 const u8 *in_data, size_t *in_len) 478 { 479 const u8 *pos, *end; 480 size_t left, len; 481 u8 type; 482 const struct tls_cipher_suite *suite; 483 484 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 485 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 486 "received content type 0x%x", ct); 487 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 488 TLS_ALERT_UNEXPECTED_MESSAGE); 489 return -1; 490 } 491 492 pos = in_data; 493 left = *in_len; 494 495 if (left < 4) { 496 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 497 "(Left=%lu)", (unsigned long) left); 498 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 499 return -1; 500 } 501 502 type = *pos++; 503 len = WPA_GET_BE24(pos); 504 pos += 3; 505 left -= 4; 506 507 if (len > left) { 508 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 509 "length (len=%lu != left=%lu)", 510 (unsigned long) len, (unsigned long) left); 511 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 512 return -1; 513 } 514 515 end = pos + len; 516 517 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 518 return tls_process_certificate_request(conn, ct, in_data, 519 in_len); 520 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 521 return tls_process_server_hello_done(conn, ct, in_data, 522 in_len); 523 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 524 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 525 "message %d (expected ServerKeyExchange/" 526 "CertificateRequest/ServerHelloDone)", type); 527 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 528 TLS_ALERT_UNEXPECTED_MESSAGE); 529 return -1; 530 } 531 532 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 533 534 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 535 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 536 "with the selected cipher suite"); 537 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 538 TLS_ALERT_UNEXPECTED_MESSAGE); 539 return -1; 540 } 541 542 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 543 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 544 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 545 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) { 546 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 547 TLS_ALERT_DECODE_ERROR); 548 return -1; 549 } 550 } else { 551 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 553 TLS_ALERT_UNEXPECTED_MESSAGE); 554 return -1; 555 } 556 557 *in_len = end - in_data; 558 559 conn->state = SERVER_CERTIFICATE_REQUEST; 560 561 return 0; 562 } 563 564 565 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 566 const u8 *in_data, size_t *in_len) 567 { 568 const u8 *pos, *end; 569 size_t left, len; 570 u8 type; 571 572 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 573 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 574 "received content type 0x%x", ct); 575 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 576 TLS_ALERT_UNEXPECTED_MESSAGE); 577 return -1; 578 } 579 580 pos = in_data; 581 left = *in_len; 582 583 if (left < 4) { 584 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 585 "(left=%lu)", (unsigned long) left); 586 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 587 return -1; 588 } 589 590 type = *pos++; 591 len = WPA_GET_BE24(pos); 592 pos += 3; 593 left -= 4; 594 595 if (len > left) { 596 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 597 "length (len=%lu != left=%lu)", 598 (unsigned long) len, (unsigned long) left); 599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 600 return -1; 601 } 602 603 end = pos + len; 604 605 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 606 return tls_process_server_hello_done(conn, ct, in_data, 607 in_len); 608 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 609 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 610 "message %d (expected CertificateRequest/" 611 "ServerHelloDone)", type); 612 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 613 TLS_ALERT_UNEXPECTED_MESSAGE); 614 return -1; 615 } 616 617 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 618 619 conn->certificate_requested = 1; 620 621 *in_len = end - in_data; 622 623 conn->state = SERVER_HELLO_DONE; 624 625 return 0; 626 } 627 628 629 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 630 const u8 *in_data, size_t *in_len) 631 { 632 const u8 *pos, *end; 633 size_t left, len; 634 u8 type; 635 636 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 637 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 638 "received content type 0x%x", ct); 639 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 640 TLS_ALERT_UNEXPECTED_MESSAGE); 641 return -1; 642 } 643 644 pos = in_data; 645 left = *in_len; 646 647 if (left < 4) { 648 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 649 "(left=%lu)", (unsigned long) left); 650 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 651 return -1; 652 } 653 654 type = *pos++; 655 len = WPA_GET_BE24(pos); 656 pos += 3; 657 left -= 4; 658 659 if (len > left) { 660 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 661 "length (len=%lu != left=%lu)", 662 (unsigned long) len, (unsigned long) left); 663 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 664 return -1; 665 } 666 end = pos + len; 667 668 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 669 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 670 "message %d (expected ServerHelloDone)", type); 671 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 672 TLS_ALERT_UNEXPECTED_MESSAGE); 673 return -1; 674 } 675 676 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 677 678 *in_len = end - in_data; 679 680 conn->state = CLIENT_KEY_EXCHANGE; 681 682 return 0; 683 } 684 685 686 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 687 u8 ct, const u8 *in_data, 688 size_t *in_len) 689 { 690 const u8 *pos; 691 size_t left; 692 693 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 694 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 695 "received content type 0x%x", ct); 696 if (conn->use_session_ticket) { 697 int res; 698 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 699 "rejected SessionTicket"); 700 conn->use_session_ticket = 0; 701 702 /* Notify upper layers that SessionTicket failed */ 703 res = conn->session_ticket_cb( 704 conn->session_ticket_cb_ctx, NULL, 0, NULL, 705 NULL, NULL); 706 if (res < 0) { 707 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 708 "callback indicated failure"); 709 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 710 TLS_ALERT_HANDSHAKE_FAILURE); 711 return -1; 712 } 713 714 conn->state = SERVER_CERTIFICATE; 715 return tls_process_certificate(conn, ct, in_data, 716 in_len); 717 } 718 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 719 TLS_ALERT_UNEXPECTED_MESSAGE); 720 return -1; 721 } 722 723 pos = in_data; 724 left = *in_len; 725 726 if (left < 1) { 727 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 728 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 729 return -1; 730 } 731 732 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 733 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 734 "received data 0x%x", *pos); 735 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 736 TLS_ALERT_UNEXPECTED_MESSAGE); 737 return -1; 738 } 739 740 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 741 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 742 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 743 "for record layer"); 744 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 745 TLS_ALERT_INTERNAL_ERROR); 746 return -1; 747 } 748 749 *in_len = pos + 1 - in_data; 750 751 conn->state = SERVER_FINISHED; 752 753 return 0; 754 } 755 756 757 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 758 const u8 *in_data, size_t *in_len) 759 { 760 const u8 *pos, *end; 761 size_t left, len, hlen; 762 u8 verify_data[TLS_VERIFY_DATA_LEN]; 763 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 764 765 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 766 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 767 "received content type 0x%x", ct); 768 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 769 TLS_ALERT_UNEXPECTED_MESSAGE); 770 return -1; 771 } 772 773 pos = in_data; 774 left = *in_len; 775 776 if (left < 4) { 777 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 778 "Finished", 779 (unsigned long) left); 780 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 781 TLS_ALERT_DECODE_ERROR); 782 return -1; 783 } 784 785 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 786 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 787 "type 0x%x", pos[0]); 788 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 789 TLS_ALERT_UNEXPECTED_MESSAGE); 790 return -1; 791 } 792 793 len = WPA_GET_BE24(pos + 1); 794 795 pos += 4; 796 left -= 4; 797 798 if (len > left) { 799 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 800 "(len=%lu > left=%lu)", 801 (unsigned long) len, (unsigned long) left); 802 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 803 TLS_ALERT_DECODE_ERROR); 804 return -1; 805 } 806 end = pos + len; 807 if (len != TLS_VERIFY_DATA_LEN) { 808 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 809 "in Finished: %lu (expected %d)", 810 (unsigned long) len, TLS_VERIFY_DATA_LEN); 811 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 812 TLS_ALERT_DECODE_ERROR); 813 return -1; 814 } 815 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 816 pos, TLS_VERIFY_DATA_LEN); 817 818 hlen = MD5_MAC_LEN; 819 if (conn->verify.md5_server == NULL || 820 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 821 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 822 TLS_ALERT_INTERNAL_ERROR); 823 conn->verify.md5_server = NULL; 824 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 825 conn->verify.sha1_server = NULL; 826 return -1; 827 } 828 conn->verify.md5_server = NULL; 829 hlen = SHA1_MAC_LEN; 830 if (conn->verify.sha1_server == NULL || 831 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 832 &hlen) < 0) { 833 conn->verify.sha1_server = NULL; 834 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 835 TLS_ALERT_INTERNAL_ERROR); 836 return -1; 837 } 838 conn->verify.sha1_server = NULL; 839 840 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 841 "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 842 verify_data, TLS_VERIFY_DATA_LEN)) { 843 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 844 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 845 TLS_ALERT_DECRYPT_ERROR); 846 return -1; 847 } 848 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 849 verify_data, TLS_VERIFY_DATA_LEN); 850 851 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 852 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 853 return -1; 854 } 855 856 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 857 858 *in_len = end - in_data; 859 860 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 861 CHANGE_CIPHER_SPEC : ACK_FINISHED; 862 863 return 0; 864 } 865 866 867 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 868 const u8 *in_data, size_t *in_len, 869 u8 **out_data, size_t *out_len) 870 { 871 const u8 *pos; 872 size_t left; 873 874 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 875 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 876 "received content type 0x%x", ct); 877 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 878 TLS_ALERT_UNEXPECTED_MESSAGE); 879 return -1; 880 } 881 882 pos = in_data; 883 left = *in_len; 884 885 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 886 pos, left); 887 888 *out_data = os_malloc(left); 889 if (*out_data) { 890 os_memcpy(*out_data, pos, left); 891 *out_len = left; 892 } 893 894 return 0; 895 } 896 897 898 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 899 const u8 *buf, size_t *len, 900 u8 **out_data, size_t *out_len) 901 { 902 if (ct == TLS_CONTENT_TYPE_ALERT) { 903 if (*len < 2) { 904 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 905 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 906 TLS_ALERT_DECODE_ERROR); 907 return -1; 908 } 909 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 910 buf[0], buf[1]); 911 *len = 2; 912 conn->state = FAILED; 913 return -1; 914 } 915 916 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 917 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 918 size_t hr_len = WPA_GET_BE24(buf + 1); 919 if (hr_len > *len - 4) { 920 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 921 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 922 TLS_ALERT_DECODE_ERROR); 923 return -1; 924 } 925 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 926 *len = 4 + hr_len; 927 return 0; 928 } 929 930 switch (conn->state) { 931 case SERVER_HELLO: 932 if (tls_process_server_hello(conn, ct, buf, len)) 933 return -1; 934 break; 935 case SERVER_CERTIFICATE: 936 if (tls_process_certificate(conn, ct, buf, len)) 937 return -1; 938 break; 939 case SERVER_KEY_EXCHANGE: 940 if (tls_process_server_key_exchange(conn, ct, buf, len)) 941 return -1; 942 break; 943 case SERVER_CERTIFICATE_REQUEST: 944 if (tls_process_certificate_request(conn, ct, buf, len)) 945 return -1; 946 break; 947 case SERVER_HELLO_DONE: 948 if (tls_process_server_hello_done(conn, ct, buf, len)) 949 return -1; 950 break; 951 case SERVER_CHANGE_CIPHER_SPEC: 952 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 953 return -1; 954 break; 955 case SERVER_FINISHED: 956 if (tls_process_server_finished(conn, ct, buf, len)) 957 return -1; 958 break; 959 case ACK_FINISHED: 960 if (out_data && 961 tls_process_application_data(conn, ct, buf, len, out_data, 962 out_len)) 963 return -1; 964 break; 965 default: 966 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 967 "while processing received message", 968 conn->state); 969 return -1; 970 } 971 972 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 973 tls_verify_hash_add(&conn->verify, buf, *len); 974 975 return 0; 976 } 977