tlsv1_client_read.c revision 1f69aa52ea2e0a73ac502565df8c666ee49cab6a
1/* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "includes.h" 16 17#include "common.h" 18#include "crypto/md5.h" 19#include "crypto/sha1.h" 20#include "crypto/sha256.h" 21#include "crypto/tls.h" 22#include "x509v3.h" 23#include "tlsv1_common.h" 24#include "tlsv1_record.h" 25#include "tlsv1_client.h" 26#include "tlsv1_client_i.h" 27 28static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 29 const u8 *in_data, size_t *in_len); 30static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 31 const u8 *in_data, size_t *in_len); 32static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 33 const u8 *in_data, size_t *in_len); 34 35 36static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 37 const u8 *in_data, size_t *in_len) 38{ 39 const u8 *pos, *end; 40 size_t left, len, i; 41 u16 cipher_suite; 42 u16 tls_version; 43 44 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 45 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 46 "received content type 0x%x", ct); 47 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 48 TLS_ALERT_UNEXPECTED_MESSAGE); 49 return -1; 50 } 51 52 pos = in_data; 53 left = *in_len; 54 55 if (left < 4) 56 goto decode_error; 57 58 /* HandshakeType msg_type */ 59 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 60 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 61 "message %d (expected ServerHello)", *pos); 62 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 63 TLS_ALERT_UNEXPECTED_MESSAGE); 64 return -1; 65 } 66 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 67 pos++; 68 /* uint24 length */ 69 len = WPA_GET_BE24(pos); 70 pos += 3; 71 left -= 4; 72 73 if (len > left) 74 goto decode_error; 75 76 /* body - ServerHello */ 77 78 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 79 end = pos + len; 80 81 /* ProtocolVersion server_version */ 82 if (end - pos < 2) 83 goto decode_error; 84 tls_version = WPA_GET_BE16(pos); 85 if (!tls_version_ok(tls_version)) { 86 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 87 "ServerHello %u.%u", pos[0], pos[1]); 88 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 89 TLS_ALERT_PROTOCOL_VERSION); 90 return -1; 91 } 92 pos += 2; 93 94 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 95 tls_version_str(tls_version)); 96 conn->rl.tls_version = tls_version; 97 98 /* Random random */ 99 if (end - pos < TLS_RANDOM_LEN) 100 goto decode_error; 101 102 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 103 pos += TLS_RANDOM_LEN; 104 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 105 conn->server_random, TLS_RANDOM_LEN); 106 107 /* SessionID session_id */ 108 if (end - pos < 1) 109 goto decode_error; 110 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 111 goto decode_error; 112 if (conn->session_id_len && conn->session_id_len == *pos && 113 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 114 pos += 1 + conn->session_id_len; 115 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 116 conn->session_resumed = 1; 117 } else { 118 conn->session_id_len = *pos; 119 pos++; 120 os_memcpy(conn->session_id, pos, conn->session_id_len); 121 pos += conn->session_id_len; 122 } 123 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 124 conn->session_id, conn->session_id_len); 125 126 /* CipherSuite cipher_suite */ 127 if (end - pos < 2) 128 goto decode_error; 129 cipher_suite = WPA_GET_BE16(pos); 130 pos += 2; 131 for (i = 0; i < conn->num_cipher_suites; i++) { 132 if (cipher_suite == conn->cipher_suites[i]) 133 break; 134 } 135 if (i == conn->num_cipher_suites) { 136 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 137 "cipher suite 0x%04x", cipher_suite); 138 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 139 TLS_ALERT_ILLEGAL_PARAMETER); 140 return -1; 141 } 142 143 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 144 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 145 "cipher suite for a resumed connection (0x%04x != " 146 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 147 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 148 TLS_ALERT_ILLEGAL_PARAMETER); 149 return -1; 150 } 151 152 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 153 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 154 "record layer"); 155 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 156 TLS_ALERT_INTERNAL_ERROR); 157 return -1; 158 } 159 160 conn->prev_cipher_suite = cipher_suite; 161 162 /* CompressionMethod compression_method */ 163 if (end - pos < 1) 164 goto decode_error; 165 if (*pos != TLS_COMPRESSION_NULL) { 166 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 167 "compression 0x%02x", *pos); 168 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 169 TLS_ALERT_ILLEGAL_PARAMETER); 170 return -1; 171 } 172 pos++; 173 174 if (end != pos) { 175 /* TODO: ServerHello extensions */ 176 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 177 "end of ServerHello", pos, end - pos); 178 goto decode_error; 179 } 180 181 if (conn->session_ticket_included && conn->session_ticket_cb) { 182 /* TODO: include SessionTicket extension if one was included in 183 * ServerHello */ 184 int res = conn->session_ticket_cb( 185 conn->session_ticket_cb_ctx, NULL, 0, 186 conn->client_random, conn->server_random, 187 conn->master_secret); 188 if (res < 0) { 189 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 190 "indicated failure"); 191 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 192 TLS_ALERT_HANDSHAKE_FAILURE); 193 return -1; 194 } 195 conn->use_session_ticket = !!res; 196 } 197 198 if ((conn->session_resumed || conn->use_session_ticket) && 199 tls_derive_keys(conn, NULL, 0)) { 200 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 201 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 202 TLS_ALERT_INTERNAL_ERROR); 203 return -1; 204 } 205 206 *in_len = end - in_data; 207 208 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 209 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 210 211 return 0; 212 213decode_error: 214 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 215 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 216 return -1; 217} 218 219 220static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 221 const u8 *in_data, size_t *in_len) 222{ 223 const u8 *pos, *end; 224 size_t left, len, list_len, cert_len, idx; 225 u8 type; 226 struct x509_certificate *chain = NULL, *last = NULL, *cert; 227 int reason; 228 229 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 230 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 231 "received content type 0x%x", ct); 232 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 233 TLS_ALERT_UNEXPECTED_MESSAGE); 234 return -1; 235 } 236 237 pos = in_data; 238 left = *in_len; 239 240 if (left < 4) { 241 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 242 "(len=%lu)", (unsigned long) left); 243 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 244 return -1; 245 } 246 247 type = *pos++; 248 len = WPA_GET_BE24(pos); 249 pos += 3; 250 left -= 4; 251 252 if (len > left) { 253 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 254 "length (len=%lu != left=%lu)", 255 (unsigned long) len, (unsigned long) left); 256 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 257 return -1; 258 } 259 260 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 261 return tls_process_server_key_exchange(conn, ct, in_data, 262 in_len); 263 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 264 return tls_process_certificate_request(conn, ct, in_data, 265 in_len); 266 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 267 return tls_process_server_hello_done(conn, ct, in_data, 268 in_len); 269 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 270 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 271 "message %d (expected Certificate/" 272 "ServerKeyExchange/CertificateRequest/" 273 "ServerHelloDone)", type); 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 275 TLS_ALERT_UNEXPECTED_MESSAGE); 276 return -1; 277 } 278 279 wpa_printf(MSG_DEBUG, 280 "TLSv1: Received Certificate (certificate_list len %lu)", 281 (unsigned long) len); 282 283 /* 284 * opaque ASN.1Cert<2^24-1>; 285 * 286 * struct { 287 * ASN.1Cert certificate_list<1..2^24-1>; 288 * } Certificate; 289 */ 290 291 end = pos + len; 292 293 if (end - pos < 3) { 294 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 295 "(left=%lu)", (unsigned long) left); 296 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 297 return -1; 298 } 299 300 list_len = WPA_GET_BE24(pos); 301 pos += 3; 302 303 if ((size_t) (end - pos) != list_len) { 304 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 305 "length (len=%lu left=%lu)", 306 (unsigned long) list_len, 307 (unsigned long) (end - pos)); 308 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 309 return -1; 310 } 311 312 idx = 0; 313 while (pos < end) { 314 if (end - pos < 3) { 315 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 316 "certificate_list"); 317 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 318 TLS_ALERT_DECODE_ERROR); 319 x509_certificate_chain_free(chain); 320 return -1; 321 } 322 323 cert_len = WPA_GET_BE24(pos); 324 pos += 3; 325 326 if ((size_t) (end - pos) < cert_len) { 327 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 328 "length (len=%lu left=%lu)", 329 (unsigned long) cert_len, 330 (unsigned long) (end - pos)); 331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 332 TLS_ALERT_DECODE_ERROR); 333 x509_certificate_chain_free(chain); 334 return -1; 335 } 336 337 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 338 (unsigned long) idx, (unsigned long) cert_len); 339 340 if (idx == 0) { 341 crypto_public_key_free(conn->server_rsa_key); 342 if (tls_parse_cert(pos, cert_len, 343 &conn->server_rsa_key)) { 344 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 345 "the certificate"); 346 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 347 TLS_ALERT_BAD_CERTIFICATE); 348 x509_certificate_chain_free(chain); 349 return -1; 350 } 351 } 352 353 cert = x509_certificate_parse(pos, cert_len); 354 if (cert == NULL) { 355 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 356 "the certificate"); 357 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 358 TLS_ALERT_BAD_CERTIFICATE); 359 x509_certificate_chain_free(chain); 360 return -1; 361 } 362 363 if (last == NULL) 364 chain = cert; 365 else 366 last->next = cert; 367 last = cert; 368 369 idx++; 370 pos += cert_len; 371 } 372 373 if (conn->cred && 374 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 375 &reason, conn->disable_time_checks) 376 < 0) { 377 int tls_reason; 378 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 379 "validation failed (reason=%d)", reason); 380 switch (reason) { 381 case X509_VALIDATE_BAD_CERTIFICATE: 382 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 383 break; 384 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 385 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 386 break; 387 case X509_VALIDATE_CERTIFICATE_REVOKED: 388 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 389 break; 390 case X509_VALIDATE_CERTIFICATE_EXPIRED: 391 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 392 break; 393 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 394 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 395 break; 396 case X509_VALIDATE_UNKNOWN_CA: 397 tls_reason = TLS_ALERT_UNKNOWN_CA; 398 break; 399 default: 400 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 401 break; 402 } 403 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 404 x509_certificate_chain_free(chain); 405 return -1; 406 } 407 408 x509_certificate_chain_free(chain); 409 410 *in_len = end - in_data; 411 412 conn->state = SERVER_KEY_EXCHANGE; 413 414 return 0; 415} 416 417 418static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 419 const u8 *buf, size_t len) 420{ 421 const u8 *pos, *end; 422 423 tlsv1_client_free_dh(conn); 424 425 pos = buf; 426 end = buf + len; 427 428 if (end - pos < 3) 429 goto fail; 430 conn->dh_p_len = WPA_GET_BE16(pos); 431 pos += 2; 432 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) { 433 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu", 434 (unsigned long) conn->dh_p_len); 435 goto fail; 436 } 437 conn->dh_p = os_malloc(conn->dh_p_len); 438 if (conn->dh_p == NULL) 439 goto fail; 440 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 441 pos += conn->dh_p_len; 442 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 443 conn->dh_p, conn->dh_p_len); 444 445 if (end - pos < 3) 446 goto fail; 447 conn->dh_g_len = WPA_GET_BE16(pos); 448 pos += 2; 449 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 450 goto fail; 451 conn->dh_g = os_malloc(conn->dh_g_len); 452 if (conn->dh_g == NULL) 453 goto fail; 454 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 455 pos += conn->dh_g_len; 456 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 457 conn->dh_g, conn->dh_g_len); 458 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 459 goto fail; 460 461 if (end - pos < 3) 462 goto fail; 463 conn->dh_ys_len = WPA_GET_BE16(pos); 464 pos += 2; 465 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 466 goto fail; 467 conn->dh_ys = os_malloc(conn->dh_ys_len); 468 if (conn->dh_ys == NULL) 469 goto fail; 470 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 471 pos += conn->dh_ys_len; 472 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 473 conn->dh_ys, conn->dh_ys_len); 474 475 return 0; 476 477fail: 478 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 479 tlsv1_client_free_dh(conn); 480 return -1; 481} 482 483 484static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 485 const u8 *in_data, size_t *in_len) 486{ 487 const u8 *pos, *end; 488 size_t left, len; 489 u8 type; 490 const struct tls_cipher_suite *suite; 491 492 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 493 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 494 "received content type 0x%x", ct); 495 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 496 TLS_ALERT_UNEXPECTED_MESSAGE); 497 return -1; 498 } 499 500 pos = in_data; 501 left = *in_len; 502 503 if (left < 4) { 504 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 505 "(Left=%lu)", (unsigned long) left); 506 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 507 return -1; 508 } 509 510 type = *pos++; 511 len = WPA_GET_BE24(pos); 512 pos += 3; 513 left -= 4; 514 515 if (len > left) { 516 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 517 "length (len=%lu != left=%lu)", 518 (unsigned long) len, (unsigned long) left); 519 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 520 return -1; 521 } 522 523 end = pos + len; 524 525 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 526 return tls_process_certificate_request(conn, ct, in_data, 527 in_len); 528 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 529 return tls_process_server_hello_done(conn, ct, in_data, 530 in_len); 531 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 532 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 533 "message %d (expected ServerKeyExchange/" 534 "CertificateRequest/ServerHelloDone)", type); 535 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 536 TLS_ALERT_UNEXPECTED_MESSAGE); 537 return -1; 538 } 539 540 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 541 542 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 543 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 544 "with the selected cipher suite"); 545 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 546 TLS_ALERT_UNEXPECTED_MESSAGE); 547 return -1; 548 } 549 550 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 551 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 552 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 553 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) { 554 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 555 TLS_ALERT_DECODE_ERROR); 556 return -1; 557 } 558 } else { 559 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 561 TLS_ALERT_UNEXPECTED_MESSAGE); 562 return -1; 563 } 564 565 *in_len = end - in_data; 566 567 conn->state = SERVER_CERTIFICATE_REQUEST; 568 569 return 0; 570} 571 572 573static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 574 const u8 *in_data, size_t *in_len) 575{ 576 const u8 *pos, *end; 577 size_t left, len; 578 u8 type; 579 580 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 581 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 582 "received content type 0x%x", ct); 583 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 584 TLS_ALERT_UNEXPECTED_MESSAGE); 585 return -1; 586 } 587 588 pos = in_data; 589 left = *in_len; 590 591 if (left < 4) { 592 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 593 "(left=%lu)", (unsigned long) left); 594 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 595 return -1; 596 } 597 598 type = *pos++; 599 len = WPA_GET_BE24(pos); 600 pos += 3; 601 left -= 4; 602 603 if (len > left) { 604 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 605 "length (len=%lu != left=%lu)", 606 (unsigned long) len, (unsigned long) left); 607 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 608 return -1; 609 } 610 611 end = pos + len; 612 613 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 614 return tls_process_server_hello_done(conn, ct, in_data, 615 in_len); 616 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 617 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 618 "message %d (expected CertificateRequest/" 619 "ServerHelloDone)", type); 620 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 621 TLS_ALERT_UNEXPECTED_MESSAGE); 622 return -1; 623 } 624 625 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 626 627 conn->certificate_requested = 1; 628 629 *in_len = end - in_data; 630 631 conn->state = SERVER_HELLO_DONE; 632 633 return 0; 634} 635 636 637static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 638 const u8 *in_data, size_t *in_len) 639{ 640 const u8 *pos, *end; 641 size_t left, len; 642 u8 type; 643 644 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 645 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 646 "received content type 0x%x", ct); 647 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 648 TLS_ALERT_UNEXPECTED_MESSAGE); 649 return -1; 650 } 651 652 pos = in_data; 653 left = *in_len; 654 655 if (left < 4) { 656 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 657 "(left=%lu)", (unsigned long) left); 658 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 659 return -1; 660 } 661 662 type = *pos++; 663 len = WPA_GET_BE24(pos); 664 pos += 3; 665 left -= 4; 666 667 if (len > left) { 668 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 669 "length (len=%lu != left=%lu)", 670 (unsigned long) len, (unsigned long) left); 671 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 672 return -1; 673 } 674 end = pos + len; 675 676 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 677 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 678 "message %d (expected ServerHelloDone)", type); 679 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 680 TLS_ALERT_UNEXPECTED_MESSAGE); 681 return -1; 682 } 683 684 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 685 686 *in_len = end - in_data; 687 688 conn->state = CLIENT_KEY_EXCHANGE; 689 690 return 0; 691} 692 693 694static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 695 u8 ct, const u8 *in_data, 696 size_t *in_len) 697{ 698 const u8 *pos; 699 size_t left; 700 701 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 702 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 703 "received content type 0x%x", ct); 704 if (conn->use_session_ticket) { 705 int res; 706 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 707 "rejected SessionTicket"); 708 conn->use_session_ticket = 0; 709 710 /* Notify upper layers that SessionTicket failed */ 711 res = conn->session_ticket_cb( 712 conn->session_ticket_cb_ctx, NULL, 0, NULL, 713 NULL, NULL); 714 if (res < 0) { 715 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 716 "callback indicated failure"); 717 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 718 TLS_ALERT_HANDSHAKE_FAILURE); 719 return -1; 720 } 721 722 conn->state = SERVER_CERTIFICATE; 723 return tls_process_certificate(conn, ct, in_data, 724 in_len); 725 } 726 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 727 TLS_ALERT_UNEXPECTED_MESSAGE); 728 return -1; 729 } 730 731 pos = in_data; 732 left = *in_len; 733 734 if (left < 1) { 735 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 736 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 737 return -1; 738 } 739 740 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 741 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 742 "received data 0x%x", *pos); 743 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 744 TLS_ALERT_UNEXPECTED_MESSAGE); 745 return -1; 746 } 747 748 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 749 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 750 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 751 "for record layer"); 752 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 753 TLS_ALERT_INTERNAL_ERROR); 754 return -1; 755 } 756 757 *in_len = pos + 1 - in_data; 758 759 conn->state = SERVER_FINISHED; 760 761 return 0; 762} 763 764 765static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 766 const u8 *in_data, size_t *in_len) 767{ 768 const u8 *pos, *end; 769 size_t left, len, hlen; 770 u8 verify_data[TLS_VERIFY_DATA_LEN]; 771 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 772 773 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 774 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 775 "received content type 0x%x", ct); 776 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 777 TLS_ALERT_UNEXPECTED_MESSAGE); 778 return -1; 779 } 780 781 pos = in_data; 782 left = *in_len; 783 784 if (left < 4) { 785 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 786 "Finished", 787 (unsigned long) left); 788 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 789 TLS_ALERT_DECODE_ERROR); 790 return -1; 791 } 792 793 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 794 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 795 "type 0x%x", pos[0]); 796 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 797 TLS_ALERT_UNEXPECTED_MESSAGE); 798 return -1; 799 } 800 801 len = WPA_GET_BE24(pos + 1); 802 803 pos += 4; 804 left -= 4; 805 806 if (len > left) { 807 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 808 "(len=%lu > left=%lu)", 809 (unsigned long) len, (unsigned long) left); 810 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 811 TLS_ALERT_DECODE_ERROR); 812 return -1; 813 } 814 end = pos + len; 815 if (len != TLS_VERIFY_DATA_LEN) { 816 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 817 "in Finished: %lu (expected %d)", 818 (unsigned long) len, TLS_VERIFY_DATA_LEN); 819 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 820 TLS_ALERT_DECODE_ERROR); 821 return -1; 822 } 823 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 824 pos, TLS_VERIFY_DATA_LEN); 825 826#ifdef CONFIG_TLSV12 827 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 828 hlen = SHA256_MAC_LEN; 829 if (conn->verify.sha256_server == NULL || 830 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 831 < 0) { 832 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 833 TLS_ALERT_INTERNAL_ERROR); 834 conn->verify.sha256_server = NULL; 835 return -1; 836 } 837 conn->verify.sha256_server = NULL; 838 } else { 839#endif /* CONFIG_TLSV12 */ 840 841 hlen = MD5_MAC_LEN; 842 if (conn->verify.md5_server == NULL || 843 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 844 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 845 TLS_ALERT_INTERNAL_ERROR); 846 conn->verify.md5_server = NULL; 847 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 848 conn->verify.sha1_server = NULL; 849 return -1; 850 } 851 conn->verify.md5_server = NULL; 852 hlen = SHA1_MAC_LEN; 853 if (conn->verify.sha1_server == NULL || 854 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 855 &hlen) < 0) { 856 conn->verify.sha1_server = NULL; 857 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 858 TLS_ALERT_INTERNAL_ERROR); 859 return -1; 860 } 861 conn->verify.sha1_server = NULL; 862 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 863 864#ifdef CONFIG_TLSV12 865 } 866#endif /* CONFIG_TLSV12 */ 867 868 if (tls_prf(conn->rl.tls_version, 869 conn->master_secret, TLS_MASTER_SECRET_LEN, 870 "server finished", hash, hlen, 871 verify_data, TLS_VERIFY_DATA_LEN)) { 872 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 873 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 874 TLS_ALERT_DECRYPT_ERROR); 875 return -1; 876 } 877 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 878 verify_data, TLS_VERIFY_DATA_LEN); 879 880 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 881 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 882 return -1; 883 } 884 885 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 886 887 *in_len = end - in_data; 888 889 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 890 CHANGE_CIPHER_SPEC : ACK_FINISHED; 891 892 return 0; 893} 894 895 896static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 897 const u8 *in_data, size_t *in_len, 898 u8 **out_data, size_t *out_len) 899{ 900 const u8 *pos; 901 size_t left; 902 903 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 904 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 905 "received content type 0x%x", ct); 906 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 907 TLS_ALERT_UNEXPECTED_MESSAGE); 908 return -1; 909 } 910 911 pos = in_data; 912 left = *in_len; 913 914 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 915 pos, left); 916 917 *out_data = os_malloc(left); 918 if (*out_data) { 919 os_memcpy(*out_data, pos, left); 920 *out_len = left; 921 } 922 923 return 0; 924} 925 926 927int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 928 const u8 *buf, size_t *len, 929 u8 **out_data, size_t *out_len) 930{ 931 if (ct == TLS_CONTENT_TYPE_ALERT) { 932 if (*len < 2) { 933 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 934 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 935 TLS_ALERT_DECODE_ERROR); 936 return -1; 937 } 938 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 939 buf[0], buf[1]); 940 *len = 2; 941 conn->state = FAILED; 942 return -1; 943 } 944 945 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 946 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 947 size_t hr_len = WPA_GET_BE24(buf + 1); 948 if (hr_len > *len - 4) { 949 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 950 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 951 TLS_ALERT_DECODE_ERROR); 952 return -1; 953 } 954 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 955 *len = 4 + hr_len; 956 return 0; 957 } 958 959 switch (conn->state) { 960 case SERVER_HELLO: 961 if (tls_process_server_hello(conn, ct, buf, len)) 962 return -1; 963 break; 964 case SERVER_CERTIFICATE: 965 if (tls_process_certificate(conn, ct, buf, len)) 966 return -1; 967 break; 968 case SERVER_KEY_EXCHANGE: 969 if (tls_process_server_key_exchange(conn, ct, buf, len)) 970 return -1; 971 break; 972 case SERVER_CERTIFICATE_REQUEST: 973 if (tls_process_certificate_request(conn, ct, buf, len)) 974 return -1; 975 break; 976 case SERVER_HELLO_DONE: 977 if (tls_process_server_hello_done(conn, ct, buf, len)) 978 return -1; 979 break; 980 case SERVER_CHANGE_CIPHER_SPEC: 981 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 982 return -1; 983 break; 984 case SERVER_FINISHED: 985 if (tls_process_server_finished(conn, ct, buf, len)) 986 return -1; 987 break; 988 case ACK_FINISHED: 989 if (out_data && 990 tls_process_application_data(conn, ct, buf, len, out_data, 991 out_len)) 992 return -1; 993 break; 994 default: 995 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 996 "while processing received message", 997 conn->state); 998 return -1; 999 } 1000 1001 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1002 tls_verify_hash_add(&conn->verify, buf, *len); 1003 1004 return 0; 1005} 1006