1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 31 const u8 *in_data, size_t *in_len) 32 { 33 const u8 *pos, *end; 34 size_t left, len, i; 35 u16 cipher_suite; 36 u16 tls_version; 37 38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 40 "received content type 0x%x", ct); 41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 42 TLS_ALERT_UNEXPECTED_MESSAGE); 43 return -1; 44 } 45 46 pos = in_data; 47 left = *in_len; 48 49 if (left < 4) 50 goto decode_error; 51 52 /* HandshakeType msg_type */ 53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 55 "message %d (expected ServerHello)", *pos); 56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 57 TLS_ALERT_UNEXPECTED_MESSAGE); 58 return -1; 59 } 60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 61 pos++; 62 /* uint24 length */ 63 len = WPA_GET_BE24(pos); 64 pos += 3; 65 left -= 4; 66 67 if (len > left) 68 goto decode_error; 69 70 /* body - ServerHello */ 71 72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 73 end = pos + len; 74 75 /* ProtocolVersion server_version */ 76 if (end - pos < 2) 77 goto decode_error; 78 tls_version = WPA_GET_BE16(pos); 79 if (!tls_version_ok(tls_version)) { 80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 81 "ServerHello %u.%u", pos[0], pos[1]); 82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 83 TLS_ALERT_PROTOCOL_VERSION); 84 return -1; 85 } 86 pos += 2; 87 88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 89 tls_version_str(tls_version)); 90 conn->rl.tls_version = tls_version; 91 92 /* Random random */ 93 if (end - pos < TLS_RANDOM_LEN) 94 goto decode_error; 95 96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 97 pos += TLS_RANDOM_LEN; 98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 99 conn->server_random, TLS_RANDOM_LEN); 100 101 /* SessionID session_id */ 102 if (end - pos < 1) 103 goto decode_error; 104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 105 goto decode_error; 106 if (conn->session_id_len && conn->session_id_len == *pos && 107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 108 pos += 1 + conn->session_id_len; 109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 110 conn->session_resumed = 1; 111 } else { 112 conn->session_id_len = *pos; 113 pos++; 114 os_memcpy(conn->session_id, pos, conn->session_id_len); 115 pos += conn->session_id_len; 116 } 117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 118 conn->session_id, conn->session_id_len); 119 120 /* CipherSuite cipher_suite */ 121 if (end - pos < 2) 122 goto decode_error; 123 cipher_suite = WPA_GET_BE16(pos); 124 pos += 2; 125 for (i = 0; i < conn->num_cipher_suites; i++) { 126 if (cipher_suite == conn->cipher_suites[i]) 127 break; 128 } 129 if (i == conn->num_cipher_suites) { 130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 131 "cipher suite 0x%04x", cipher_suite); 132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 133 TLS_ALERT_ILLEGAL_PARAMETER); 134 return -1; 135 } 136 137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 139 "cipher suite for a resumed connection (0x%04x != " 140 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 142 TLS_ALERT_ILLEGAL_PARAMETER); 143 return -1; 144 } 145 146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 148 "record layer"); 149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 150 TLS_ALERT_INTERNAL_ERROR); 151 return -1; 152 } 153 154 conn->prev_cipher_suite = cipher_suite; 155 156 /* CompressionMethod compression_method */ 157 if (end - pos < 1) 158 goto decode_error; 159 if (*pos != TLS_COMPRESSION_NULL) { 160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 161 "compression 0x%02x", *pos); 162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 163 TLS_ALERT_ILLEGAL_PARAMETER); 164 return -1; 165 } 166 pos++; 167 168 if (end != pos) { 169 /* TODO: ServerHello extensions */ 170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 171 "end of ServerHello", pos, end - pos); 172 goto decode_error; 173 } 174 175 if (conn->session_ticket_included && conn->session_ticket_cb) { 176 /* TODO: include SessionTicket extension if one was included in 177 * ServerHello */ 178 int res = conn->session_ticket_cb( 179 conn->session_ticket_cb_ctx, NULL, 0, 180 conn->client_random, conn->server_random, 181 conn->master_secret); 182 if (res < 0) { 183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 184 "indicated failure"); 185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 186 TLS_ALERT_HANDSHAKE_FAILURE); 187 return -1; 188 } 189 conn->use_session_ticket = !!res; 190 } 191 192 if ((conn->session_resumed || conn->use_session_ticket) && 193 tls_derive_keys(conn, NULL, 0)) { 194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 196 TLS_ALERT_INTERNAL_ERROR); 197 return -1; 198 } 199 200 *in_len = end - in_data; 201 202 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 204 205 return 0; 206 207 decode_error: 208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 210 return -1; 211 } 212 213 214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 215 const u8 *in_data, size_t *in_len) 216 { 217 const u8 *pos, *end; 218 size_t left, len, list_len, cert_len, idx; 219 u8 type; 220 struct x509_certificate *chain = NULL, *last = NULL, *cert; 221 int reason; 222 223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 225 "received content type 0x%x", ct); 226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 227 TLS_ALERT_UNEXPECTED_MESSAGE); 228 return -1; 229 } 230 231 pos = in_data; 232 left = *in_len; 233 234 if (left < 4) { 235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 236 "(len=%lu)", (unsigned long) left); 237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 238 return -1; 239 } 240 241 type = *pos++; 242 len = WPA_GET_BE24(pos); 243 pos += 3; 244 left -= 4; 245 246 if (len > left) { 247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 248 "length (len=%lu != left=%lu)", 249 (unsigned long) len, (unsigned long) left); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 251 return -1; 252 } 253 254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 255 return tls_process_server_key_exchange(conn, ct, in_data, 256 in_len); 257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 258 return tls_process_certificate_request(conn, ct, in_data, 259 in_len); 260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 261 return tls_process_server_hello_done(conn, ct, in_data, 262 in_len); 263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 265 "message %d (expected Certificate/" 266 "ServerKeyExchange/CertificateRequest/" 267 "ServerHelloDone)", type); 268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 269 TLS_ALERT_UNEXPECTED_MESSAGE); 270 return -1; 271 } 272 273 wpa_printf(MSG_DEBUG, 274 "TLSv1: Received Certificate (certificate_list len %lu)", 275 (unsigned long) len); 276 277 /* 278 * opaque ASN.1Cert<2^24-1>; 279 * 280 * struct { 281 * ASN.1Cert certificate_list<1..2^24-1>; 282 * } Certificate; 283 */ 284 285 end = pos + len; 286 287 if (end - pos < 3) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 289 "(left=%lu)", (unsigned long) left); 290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 291 return -1; 292 } 293 294 list_len = WPA_GET_BE24(pos); 295 pos += 3; 296 297 if ((size_t) (end - pos) != list_len) { 298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 299 "length (len=%lu left=%lu)", 300 (unsigned long) list_len, 301 (unsigned long) (end - pos)); 302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 303 return -1; 304 } 305 306 idx = 0; 307 while (pos < end) { 308 if (end - pos < 3) { 309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 310 "certificate_list"); 311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 312 TLS_ALERT_DECODE_ERROR); 313 x509_certificate_chain_free(chain); 314 return -1; 315 } 316 317 cert_len = WPA_GET_BE24(pos); 318 pos += 3; 319 320 if ((size_t) (end - pos) < cert_len) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 322 "length (len=%lu left=%lu)", 323 (unsigned long) cert_len, 324 (unsigned long) (end - pos)); 325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_DECODE_ERROR); 327 x509_certificate_chain_free(chain); 328 return -1; 329 } 330 331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 332 (unsigned long) idx, (unsigned long) cert_len); 333 334 if (idx == 0) { 335 crypto_public_key_free(conn->server_rsa_key); 336 if (tls_parse_cert(pos, cert_len, 337 &conn->server_rsa_key)) { 338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 339 "the certificate"); 340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 341 TLS_ALERT_BAD_CERTIFICATE); 342 x509_certificate_chain_free(chain); 343 return -1; 344 } 345 } 346 347 cert = x509_certificate_parse(pos, cert_len); 348 if (cert == NULL) { 349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 350 "the certificate"); 351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 352 TLS_ALERT_BAD_CERTIFICATE); 353 x509_certificate_chain_free(chain); 354 return -1; 355 } 356 357 if (last == NULL) 358 chain = cert; 359 else 360 last->next = cert; 361 last = cert; 362 363 idx++; 364 pos += cert_len; 365 } 366 367 if (conn->cred && 368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 369 &reason, conn->disable_time_checks) 370 < 0) { 371 int tls_reason; 372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 373 "validation failed (reason=%d)", reason); 374 switch (reason) { 375 case X509_VALIDATE_BAD_CERTIFICATE: 376 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 377 break; 378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 380 break; 381 case X509_VALIDATE_CERTIFICATE_REVOKED: 382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 383 break; 384 case X509_VALIDATE_CERTIFICATE_EXPIRED: 385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 386 break; 387 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 389 break; 390 case X509_VALIDATE_UNKNOWN_CA: 391 tls_reason = TLS_ALERT_UNKNOWN_CA; 392 break; 393 default: 394 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 395 break; 396 } 397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 398 x509_certificate_chain_free(chain); 399 return -1; 400 } 401 402 x509_certificate_chain_free(chain); 403 404 *in_len = end - in_data; 405 406 conn->state = SERVER_KEY_EXCHANGE; 407 408 return 0; 409 } 410 411 412 static unsigned int count_bits(const u8 *val, size_t len) 413 { 414 size_t i; 415 unsigned int bits; 416 u8 tmp; 417 418 for (i = 0; i < len; i++) { 419 if (val[i]) 420 break; 421 } 422 if (i == len) 423 return 0; 424 425 bits = (len - i - 1) * 8; 426 tmp = val[i]; 427 while (tmp) { 428 bits++; 429 tmp >>= 1; 430 } 431 432 return bits; 433 } 434 435 436 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 437 const u8 *buf, size_t len, 438 tls_key_exchange key_exchange) 439 { 440 const u8 *pos, *end, *server_params, *server_params_end; 441 u8 alert; 442 unsigned int bits; 443 444 tlsv1_client_free_dh(conn); 445 446 pos = buf; 447 end = buf + len; 448 449 if (end - pos < 3) 450 goto fail; 451 server_params = pos; 452 conn->dh_p_len = WPA_GET_BE16(pos); 453 pos += 2; 454 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) { 455 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu", 456 (unsigned long) conn->dh_p_len); 457 goto fail; 458 } 459 bits = count_bits(pos, conn->dh_p_len); 460 if (bits < 768) { 461 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)", 462 bits); 463 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime", 464 pos, conn->dh_p_len); 465 goto fail; 466 } 467 conn->dh_p = os_malloc(conn->dh_p_len); 468 if (conn->dh_p == NULL) 469 goto fail; 470 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 471 pos += conn->dh_p_len; 472 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 473 conn->dh_p, conn->dh_p_len); 474 475 if (end - pos < 3) 476 goto fail; 477 conn->dh_g_len = WPA_GET_BE16(pos); 478 pos += 2; 479 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 480 goto fail; 481 conn->dh_g = os_malloc(conn->dh_g_len); 482 if (conn->dh_g == NULL) 483 goto fail; 484 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 485 pos += conn->dh_g_len; 486 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 487 conn->dh_g, conn->dh_g_len); 488 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 489 goto fail; 490 491 if (end - pos < 3) 492 goto fail; 493 conn->dh_ys_len = WPA_GET_BE16(pos); 494 pos += 2; 495 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 496 goto fail; 497 conn->dh_ys = os_malloc(conn->dh_ys_len); 498 if (conn->dh_ys == NULL) 499 goto fail; 500 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 501 pos += conn->dh_ys_len; 502 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 503 conn->dh_ys, conn->dh_ys_len); 504 server_params_end = pos; 505 506 if (key_exchange == TLS_KEY_X_DHE_RSA) { 507 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 508 int hlen; 509 510 if (conn->rl.tls_version == TLS_VERSION_1_2) { 511 #ifdef CONFIG_TLSV12 512 /* 513 * RFC 5246, 4.7: 514 * TLS v1.2 adds explicit indication of the used 515 * signature and hash algorithms. 516 * 517 * struct { 518 * HashAlgorithm hash; 519 * SignatureAlgorithm signature; 520 * } SignatureAndHashAlgorithm; 521 */ 522 if (end - pos < 2) 523 goto fail; 524 if (pos[0] != TLS_HASH_ALG_SHA256 || 525 pos[1] != TLS_SIGN_ALG_RSA) { 526 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 527 pos[0], pos[1]); 528 goto fail; 529 } 530 pos += 2; 531 532 hlen = tlsv12_key_x_server_params_hash( 533 conn->rl.tls_version, conn->client_random, 534 conn->server_random, server_params, 535 server_params_end - server_params, hash); 536 #else /* CONFIG_TLSV12 */ 537 goto fail; 538 #endif /* CONFIG_TLSV12 */ 539 } else { 540 hlen = tls_key_x_server_params_hash( 541 conn->rl.tls_version, conn->client_random, 542 conn->server_random, server_params, 543 server_params_end - server_params, hash); 544 } 545 546 if (hlen < 0) 547 goto fail; 548 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 549 hash, hlen); 550 551 if (tls_verify_signature(conn->rl.tls_version, 552 conn->server_rsa_key, 553 hash, hlen, pos, end - pos, 554 &alert) < 0) 555 goto fail; 556 } 557 558 return 0; 559 560 fail: 561 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 562 tlsv1_client_free_dh(conn); 563 return -1; 564 } 565 566 567 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 568 const u8 *in_data, size_t *in_len) 569 { 570 const u8 *pos, *end; 571 size_t left, len; 572 u8 type; 573 const struct tls_cipher_suite *suite; 574 575 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 576 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 577 "received content type 0x%x", ct); 578 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 579 TLS_ALERT_UNEXPECTED_MESSAGE); 580 return -1; 581 } 582 583 pos = in_data; 584 left = *in_len; 585 586 if (left < 4) { 587 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 588 "(Left=%lu)", (unsigned long) left); 589 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 590 return -1; 591 } 592 593 type = *pos++; 594 len = WPA_GET_BE24(pos); 595 pos += 3; 596 left -= 4; 597 598 if (len > left) { 599 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 600 "length (len=%lu != left=%lu)", 601 (unsigned long) len, (unsigned long) left); 602 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 603 return -1; 604 } 605 606 end = pos + len; 607 608 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 609 return tls_process_certificate_request(conn, ct, in_data, 610 in_len); 611 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 612 return tls_process_server_hello_done(conn, ct, in_data, 613 in_len); 614 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 615 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 616 "message %d (expected ServerKeyExchange/" 617 "CertificateRequest/ServerHelloDone)", type); 618 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 619 TLS_ALERT_UNEXPECTED_MESSAGE); 620 return -1; 621 } 622 623 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 624 625 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 626 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 627 "with the selected cipher suite"); 628 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 629 TLS_ALERT_UNEXPECTED_MESSAGE); 630 return -1; 631 } 632 633 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 634 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 635 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 636 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 637 if (tlsv1_process_diffie_hellman(conn, pos, len, 638 suite->key_exchange) < 0) { 639 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 640 TLS_ALERT_DECODE_ERROR); 641 return -1; 642 } 643 } else { 644 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 645 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 646 TLS_ALERT_UNEXPECTED_MESSAGE); 647 return -1; 648 } 649 650 *in_len = end - in_data; 651 652 conn->state = SERVER_CERTIFICATE_REQUEST; 653 654 return 0; 655 } 656 657 658 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 659 const u8 *in_data, size_t *in_len) 660 { 661 const u8 *pos, *end; 662 size_t left, len; 663 u8 type; 664 665 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 666 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 667 "received content type 0x%x", ct); 668 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 669 TLS_ALERT_UNEXPECTED_MESSAGE); 670 return -1; 671 } 672 673 pos = in_data; 674 left = *in_len; 675 676 if (left < 4) { 677 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 678 "(left=%lu)", (unsigned long) left); 679 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 680 return -1; 681 } 682 683 type = *pos++; 684 len = WPA_GET_BE24(pos); 685 pos += 3; 686 left -= 4; 687 688 if (len > left) { 689 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 690 "length (len=%lu != left=%lu)", 691 (unsigned long) len, (unsigned long) left); 692 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 693 return -1; 694 } 695 696 end = pos + len; 697 698 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 699 return tls_process_server_hello_done(conn, ct, in_data, 700 in_len); 701 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 702 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 703 "message %d (expected CertificateRequest/" 704 "ServerHelloDone)", type); 705 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 706 TLS_ALERT_UNEXPECTED_MESSAGE); 707 return -1; 708 } 709 710 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 711 712 conn->certificate_requested = 1; 713 714 *in_len = end - in_data; 715 716 conn->state = SERVER_HELLO_DONE; 717 718 return 0; 719 } 720 721 722 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 723 const u8 *in_data, size_t *in_len) 724 { 725 const u8 *pos, *end; 726 size_t left, len; 727 u8 type; 728 729 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 730 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 731 "received content type 0x%x", ct); 732 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 733 TLS_ALERT_UNEXPECTED_MESSAGE); 734 return -1; 735 } 736 737 pos = in_data; 738 left = *in_len; 739 740 if (left < 4) { 741 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 742 "(left=%lu)", (unsigned long) left); 743 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 744 return -1; 745 } 746 747 type = *pos++; 748 len = WPA_GET_BE24(pos); 749 pos += 3; 750 left -= 4; 751 752 if (len > left) { 753 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 754 "length (len=%lu != left=%lu)", 755 (unsigned long) len, (unsigned long) left); 756 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 757 return -1; 758 } 759 end = pos + len; 760 761 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 762 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 763 "message %d (expected ServerHelloDone)", type); 764 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 765 TLS_ALERT_UNEXPECTED_MESSAGE); 766 return -1; 767 } 768 769 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 770 771 *in_len = end - in_data; 772 773 conn->state = CLIENT_KEY_EXCHANGE; 774 775 return 0; 776 } 777 778 779 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 780 u8 ct, const u8 *in_data, 781 size_t *in_len) 782 { 783 const u8 *pos; 784 size_t left; 785 786 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 787 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 788 "received content type 0x%x", ct); 789 if (conn->use_session_ticket) { 790 int res; 791 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 792 "rejected SessionTicket"); 793 conn->use_session_ticket = 0; 794 795 /* Notify upper layers that SessionTicket failed */ 796 res = conn->session_ticket_cb( 797 conn->session_ticket_cb_ctx, NULL, 0, NULL, 798 NULL, NULL); 799 if (res < 0) { 800 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 801 "callback indicated failure"); 802 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 803 TLS_ALERT_HANDSHAKE_FAILURE); 804 return -1; 805 } 806 807 conn->state = SERVER_CERTIFICATE; 808 return tls_process_certificate(conn, ct, in_data, 809 in_len); 810 } 811 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 812 TLS_ALERT_UNEXPECTED_MESSAGE); 813 return -1; 814 } 815 816 pos = in_data; 817 left = *in_len; 818 819 if (left < 1) { 820 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 821 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 822 return -1; 823 } 824 825 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 826 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 827 "received data 0x%x", *pos); 828 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 829 TLS_ALERT_UNEXPECTED_MESSAGE); 830 return -1; 831 } 832 833 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 834 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 835 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 836 "for record layer"); 837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 838 TLS_ALERT_INTERNAL_ERROR); 839 return -1; 840 } 841 842 *in_len = pos + 1 - in_data; 843 844 conn->state = SERVER_FINISHED; 845 846 return 0; 847 } 848 849 850 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 851 const u8 *in_data, size_t *in_len) 852 { 853 const u8 *pos, *end; 854 size_t left, len, hlen; 855 u8 verify_data[TLS_VERIFY_DATA_LEN]; 856 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 857 858 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 859 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 860 "received content type 0x%x", ct); 861 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 862 TLS_ALERT_UNEXPECTED_MESSAGE); 863 return -1; 864 } 865 866 pos = in_data; 867 left = *in_len; 868 869 if (left < 4) { 870 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 871 "Finished", 872 (unsigned long) left); 873 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 874 TLS_ALERT_DECODE_ERROR); 875 return -1; 876 } 877 878 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 879 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 880 "type 0x%x", pos[0]); 881 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 882 TLS_ALERT_UNEXPECTED_MESSAGE); 883 return -1; 884 } 885 886 len = WPA_GET_BE24(pos + 1); 887 888 pos += 4; 889 left -= 4; 890 891 if (len > left) { 892 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 893 "(len=%lu > left=%lu)", 894 (unsigned long) len, (unsigned long) left); 895 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 896 TLS_ALERT_DECODE_ERROR); 897 return -1; 898 } 899 end = pos + len; 900 if (len != TLS_VERIFY_DATA_LEN) { 901 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 902 "in Finished: %lu (expected %d)", 903 (unsigned long) len, TLS_VERIFY_DATA_LEN); 904 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 905 TLS_ALERT_DECODE_ERROR); 906 return -1; 907 } 908 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 909 pos, TLS_VERIFY_DATA_LEN); 910 911 #ifdef CONFIG_TLSV12 912 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 913 hlen = SHA256_MAC_LEN; 914 if (conn->verify.sha256_server == NULL || 915 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 916 < 0) { 917 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 918 TLS_ALERT_INTERNAL_ERROR); 919 conn->verify.sha256_server = NULL; 920 return -1; 921 } 922 conn->verify.sha256_server = NULL; 923 } else { 924 #endif /* CONFIG_TLSV12 */ 925 926 hlen = MD5_MAC_LEN; 927 if (conn->verify.md5_server == NULL || 928 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 929 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 930 TLS_ALERT_INTERNAL_ERROR); 931 conn->verify.md5_server = NULL; 932 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 933 conn->verify.sha1_server = NULL; 934 return -1; 935 } 936 conn->verify.md5_server = NULL; 937 hlen = SHA1_MAC_LEN; 938 if (conn->verify.sha1_server == NULL || 939 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 940 &hlen) < 0) { 941 conn->verify.sha1_server = NULL; 942 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 943 TLS_ALERT_INTERNAL_ERROR); 944 return -1; 945 } 946 conn->verify.sha1_server = NULL; 947 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 948 949 #ifdef CONFIG_TLSV12 950 } 951 #endif /* CONFIG_TLSV12 */ 952 953 if (tls_prf(conn->rl.tls_version, 954 conn->master_secret, TLS_MASTER_SECRET_LEN, 955 "server finished", hash, hlen, 956 verify_data, TLS_VERIFY_DATA_LEN)) { 957 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 958 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 959 TLS_ALERT_DECRYPT_ERROR); 960 return -1; 961 } 962 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 963 verify_data, TLS_VERIFY_DATA_LEN); 964 965 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 966 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 967 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 968 TLS_ALERT_DECRYPT_ERROR); 969 return -1; 970 } 971 972 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 973 974 *in_len = end - in_data; 975 976 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 977 CHANGE_CIPHER_SPEC : ACK_FINISHED; 978 979 return 0; 980 } 981 982 983 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 984 const u8 *in_data, size_t *in_len, 985 u8 **out_data, size_t *out_len) 986 { 987 const u8 *pos; 988 size_t left; 989 990 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 991 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 992 "received content type 0x%x", ct); 993 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 994 TLS_ALERT_UNEXPECTED_MESSAGE); 995 return -1; 996 } 997 998 pos = in_data; 999 left = *in_len; 1000 1001 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 1002 pos, left); 1003 1004 *out_data = os_malloc(left); 1005 if (*out_data) { 1006 os_memcpy(*out_data, pos, left); 1007 *out_len = left; 1008 } 1009 1010 return 0; 1011 } 1012 1013 1014 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1015 const u8 *buf, size_t *len, 1016 u8 **out_data, size_t *out_len) 1017 { 1018 if (ct == TLS_CONTENT_TYPE_ALERT) { 1019 if (*len < 2) { 1020 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1021 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1022 TLS_ALERT_DECODE_ERROR); 1023 return -1; 1024 } 1025 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1026 buf[0], buf[1]); 1027 *len = 2; 1028 conn->state = FAILED; 1029 return -1; 1030 } 1031 1032 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1033 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1034 size_t hr_len = WPA_GET_BE24(buf + 1); 1035 if (hr_len > *len - 4) { 1036 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1037 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1038 TLS_ALERT_DECODE_ERROR); 1039 return -1; 1040 } 1041 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1042 *len = 4 + hr_len; 1043 return 0; 1044 } 1045 1046 switch (conn->state) { 1047 case SERVER_HELLO: 1048 if (tls_process_server_hello(conn, ct, buf, len)) 1049 return -1; 1050 break; 1051 case SERVER_CERTIFICATE: 1052 if (tls_process_certificate(conn, ct, buf, len)) 1053 return -1; 1054 break; 1055 case SERVER_KEY_EXCHANGE: 1056 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1057 return -1; 1058 break; 1059 case SERVER_CERTIFICATE_REQUEST: 1060 if (tls_process_certificate_request(conn, ct, buf, len)) 1061 return -1; 1062 break; 1063 case SERVER_HELLO_DONE: 1064 if (tls_process_server_hello_done(conn, ct, buf, len)) 1065 return -1; 1066 break; 1067 case SERVER_CHANGE_CIPHER_SPEC: 1068 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1069 return -1; 1070 break; 1071 case SERVER_FINISHED: 1072 if (tls_process_server_finished(conn, ct, buf, len)) 1073 return -1; 1074 break; 1075 case ACK_FINISHED: 1076 if (out_data && 1077 tls_process_application_data(conn, ct, buf, len, out_data, 1078 out_len)) 1079 return -1; 1080 break; 1081 default: 1082 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1083 "while processing received message", 1084 conn->state); 1085 return -1; 1086 } 1087 1088 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1089 tls_verify_hash_add(&conn->verify, buf, *len); 1090 1091 return 0; 1092 } 1093
