1/*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/md5.h"
13#include "crypto/sha1.h"
14#include "crypto/sha256.h"
15#include "crypto/tls.h"
16#include "x509v3.h"
17#include "tlsv1_common.h"
18#include "tlsv1_record.h"
19#include "tlsv1_client.h"
20#include "tlsv1_client_i.h"
21
22static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23					   const u8 *in_data, size_t *in_len);
24static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25					   const u8 *in_data, size_t *in_len);
26static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27					 const u8 *in_data, size_t *in_len);
28
29
30static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31				    const u8 *in_data, size_t *in_len)
32{
33	const u8 *pos, *end;
34	size_t left, len, i;
35	u16 cipher_suite;
36	u16 tls_version;
37
38	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40			   "received content type 0x%x", ct);
41		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42			  TLS_ALERT_UNEXPECTED_MESSAGE);
43		return -1;
44	}
45
46	pos = in_data;
47	left = *in_len;
48
49	if (left < 4)
50		goto decode_error;
51
52	/* HandshakeType msg_type */
53	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55			   "message %d (expected ServerHello)", *pos);
56		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57			  TLS_ALERT_UNEXPECTED_MESSAGE);
58		return -1;
59	}
60	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61	pos++;
62	/* uint24 length */
63	len = WPA_GET_BE24(pos);
64	pos += 3;
65	left -= 4;
66
67	if (len > left)
68		goto decode_error;
69
70	/* body - ServerHello */
71
72	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73	end = pos + len;
74
75	/* ProtocolVersion server_version */
76	if (end - pos < 2)
77		goto decode_error;
78	tls_version = WPA_GET_BE16(pos);
79	if (!tls_version_ok(tls_version)) {
80		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81			   "ServerHello %u.%u", pos[0], pos[1]);
82		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83			  TLS_ALERT_PROTOCOL_VERSION);
84		return -1;
85	}
86	pos += 2;
87
88	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89		   tls_version_str(tls_version));
90	conn->rl.tls_version = tls_version;
91
92	/* Random random */
93	if (end - pos < TLS_RANDOM_LEN)
94		goto decode_error;
95
96	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97	pos += TLS_RANDOM_LEN;
98	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99		    conn->server_random, TLS_RANDOM_LEN);
100
101	/* SessionID session_id */
102	if (end - pos < 1)
103		goto decode_error;
104	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105		goto decode_error;
106	if (conn->session_id_len && conn->session_id_len == *pos &&
107	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108		pos += 1 + conn->session_id_len;
109		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110		conn->session_resumed = 1;
111	} else {
112		conn->session_id_len = *pos;
113		pos++;
114		os_memcpy(conn->session_id, pos, conn->session_id_len);
115		pos += conn->session_id_len;
116	}
117	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118		    conn->session_id, conn->session_id_len);
119
120	/* CipherSuite cipher_suite */
121	if (end - pos < 2)
122		goto decode_error;
123	cipher_suite = WPA_GET_BE16(pos);
124	pos += 2;
125	for (i = 0; i < conn->num_cipher_suites; i++) {
126		if (cipher_suite == conn->cipher_suites[i])
127			break;
128	}
129	if (i == conn->num_cipher_suites) {
130		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131			   "cipher suite 0x%04x", cipher_suite);
132		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133			  TLS_ALERT_ILLEGAL_PARAMETER);
134		return -1;
135	}
136
137	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139			   "cipher suite for a resumed connection (0x%04x != "
140			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142			  TLS_ALERT_ILLEGAL_PARAMETER);
143		return -1;
144	}
145
146	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148			   "record layer");
149		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150			  TLS_ALERT_INTERNAL_ERROR);
151		return -1;
152	}
153
154	conn->prev_cipher_suite = cipher_suite;
155
156	/* CompressionMethod compression_method */
157	if (end - pos < 1)
158		goto decode_error;
159	if (*pos != TLS_COMPRESSION_NULL) {
160		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161			   "compression 0x%02x", *pos);
162		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163			  TLS_ALERT_ILLEGAL_PARAMETER);
164		return -1;
165	}
166	pos++;
167
168	if (end != pos) {
169		/* TODO: ServerHello extensions */
170		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171			    "end of ServerHello", pos, end - pos);
172		goto decode_error;
173	}
174
175	if (conn->session_ticket_included && conn->session_ticket_cb) {
176		/* TODO: include SessionTicket extension if one was included in
177		 * ServerHello */
178		int res = conn->session_ticket_cb(
179			conn->session_ticket_cb_ctx, NULL, 0,
180			conn->client_random, conn->server_random,
181			conn->master_secret);
182		if (res < 0) {
183			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184				   "indicated failure");
185			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186				  TLS_ALERT_HANDSHAKE_FAILURE);
187			return -1;
188		}
189		conn->use_session_ticket = !!res;
190	}
191
192	if ((conn->session_resumed || conn->use_session_ticket) &&
193	    tls_derive_keys(conn, NULL, 0)) {
194		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196			  TLS_ALERT_INTERNAL_ERROR);
197		return -1;
198	}
199
200	*in_len = end - in_data;
201
202	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204
205	return 0;
206
207decode_error:
208	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210	return -1;
211}
212
213
214static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215				   const u8 *in_data, size_t *in_len)
216{
217	const u8 *pos, *end;
218	size_t left, len, list_len, cert_len, idx;
219	u8 type;
220	struct x509_certificate *chain = NULL, *last = NULL, *cert;
221	int reason;
222
223	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225			   "received content type 0x%x", ct);
226		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227			  TLS_ALERT_UNEXPECTED_MESSAGE);
228		return -1;
229	}
230
231	pos = in_data;
232	left = *in_len;
233
234	if (left < 4) {
235		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236			   "(len=%lu)", (unsigned long) left);
237		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
238		return -1;
239	}
240
241	type = *pos++;
242	len = WPA_GET_BE24(pos);
243	pos += 3;
244	left -= 4;
245
246	if (len > left) {
247		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248			   "length (len=%lu != left=%lu)",
249			   (unsigned long) len, (unsigned long) left);
250		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
251		return -1;
252	}
253
254	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255		return tls_process_server_key_exchange(conn, ct, in_data,
256						       in_len);
257	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258		return tls_process_certificate_request(conn, ct, in_data,
259						       in_len);
260	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261		return tls_process_server_hello_done(conn, ct, in_data,
262						     in_len);
263	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265			   "message %d (expected Certificate/"
266			   "ServerKeyExchange/CertificateRequest/"
267			   "ServerHelloDone)", type);
268		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269			  TLS_ALERT_UNEXPECTED_MESSAGE);
270		return -1;
271	}
272
273	wpa_printf(MSG_DEBUG,
274		   "TLSv1: Received Certificate (certificate_list len %lu)",
275		   (unsigned long) len);
276
277	/*
278	 * opaque ASN.1Cert<2^24-1>;
279	 *
280	 * struct {
281	 *     ASN.1Cert certificate_list<1..2^24-1>;
282	 * } Certificate;
283	 */
284
285	end = pos + len;
286
287	if (end - pos < 3) {
288		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289			   "(left=%lu)", (unsigned long) left);
290		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291		return -1;
292	}
293
294	list_len = WPA_GET_BE24(pos);
295	pos += 3;
296
297	if ((size_t) (end - pos) != list_len) {
298		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299			   "length (len=%lu left=%lu)",
300			   (unsigned long) list_len,
301			   (unsigned long) (end - pos));
302		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303		return -1;
304	}
305
306	idx = 0;
307	while (pos < end) {
308		if (end - pos < 3) {
309			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310				   "certificate_list");
311			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312				  TLS_ALERT_DECODE_ERROR);
313			x509_certificate_chain_free(chain);
314			return -1;
315		}
316
317		cert_len = WPA_GET_BE24(pos);
318		pos += 3;
319
320		if ((size_t) (end - pos) < cert_len) {
321			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322				   "length (len=%lu left=%lu)",
323				   (unsigned long) cert_len,
324				   (unsigned long) (end - pos));
325			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326				  TLS_ALERT_DECODE_ERROR);
327			x509_certificate_chain_free(chain);
328			return -1;
329		}
330
331		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332			   (unsigned long) idx, (unsigned long) cert_len);
333
334		if (idx == 0) {
335			crypto_public_key_free(conn->server_rsa_key);
336			if (tls_parse_cert(pos, cert_len,
337					   &conn->server_rsa_key)) {
338				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339					   "the certificate");
340				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341					  TLS_ALERT_BAD_CERTIFICATE);
342				x509_certificate_chain_free(chain);
343				return -1;
344			}
345		}
346
347		cert = x509_certificate_parse(pos, cert_len);
348		if (cert == NULL) {
349			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350				   "the certificate");
351			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352				  TLS_ALERT_BAD_CERTIFICATE);
353			x509_certificate_chain_free(chain);
354			return -1;
355		}
356
357		if (last == NULL)
358			chain = cert;
359		else
360			last->next = cert;
361		last = cert;
362
363		idx++;
364		pos += cert_len;
365	}
366
367	if (conn->cred &&
368	    x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369					    &reason, conn->disable_time_checks)
370	    < 0) {
371		int tls_reason;
372		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373			   "validation failed (reason=%d)", reason);
374		switch (reason) {
375		case X509_VALIDATE_BAD_CERTIFICATE:
376			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377			break;
378		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380			break;
381		case X509_VALIDATE_CERTIFICATE_REVOKED:
382			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383			break;
384		case X509_VALIDATE_CERTIFICATE_EXPIRED:
385			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386			break;
387		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389			break;
390		case X509_VALIDATE_UNKNOWN_CA:
391			tls_reason = TLS_ALERT_UNKNOWN_CA;
392			break;
393		default:
394			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395			break;
396		}
397		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398		x509_certificate_chain_free(chain);
399		return -1;
400	}
401
402	x509_certificate_chain_free(chain);
403
404	*in_len = end - in_data;
405
406	conn->state = SERVER_KEY_EXCHANGE;
407
408	return 0;
409}
410
411
412static unsigned int count_bits(const u8 *val, size_t len)
413{
414	size_t i;
415	unsigned int bits;
416	u8 tmp;
417
418	for (i = 0; i < len; i++) {
419		if (val[i])
420			break;
421	}
422	if (i == len)
423		return 0;
424
425	bits = (len - i - 1) * 8;
426	tmp = val[i];
427	while (tmp) {
428		bits++;
429		tmp >>= 1;
430	}
431
432	return bits;
433}
434
435
436static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
437					const u8 *buf, size_t len,
438					tls_key_exchange key_exchange)
439{
440	const u8 *pos, *end, *server_params, *server_params_end;
441	u8 alert;
442	unsigned int bits;
443	u16 val;
444
445	tlsv1_client_free_dh(conn);
446
447	pos = buf;
448	end = buf + len;
449
450	if (end - pos < 3)
451		goto fail;
452	server_params = pos;
453	val = WPA_GET_BE16(pos);
454	pos += 2;
455	if (val == 0 || val > (size_t) (end - pos)) {
456		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
457		goto fail;
458	}
459	conn->dh_p_len = val;
460	bits = count_bits(pos, conn->dh_p_len);
461	if (bits < 768) {
462		wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
463			   bits);
464		wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
465			    pos, conn->dh_p_len);
466		goto fail;
467	}
468	conn->dh_p = os_malloc(conn->dh_p_len);
469	if (conn->dh_p == NULL)
470		goto fail;
471	os_memcpy(conn->dh_p, pos, conn->dh_p_len);
472	pos += conn->dh_p_len;
473	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
474		    conn->dh_p, conn->dh_p_len);
475
476	if (end - pos < 3)
477		goto fail;
478	val = WPA_GET_BE16(pos);
479	pos += 2;
480	if (val == 0 || val > (size_t) (end - pos))
481		goto fail;
482	conn->dh_g_len = val;
483	conn->dh_g = os_malloc(conn->dh_g_len);
484	if (conn->dh_g == NULL)
485		goto fail;
486	os_memcpy(conn->dh_g, pos, conn->dh_g_len);
487	pos += conn->dh_g_len;
488	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
489		    conn->dh_g, conn->dh_g_len);
490	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
491		goto fail;
492
493	if (end - pos < 3)
494		goto fail;
495	val = WPA_GET_BE16(pos);
496	pos += 2;
497	if (val == 0 || val > (size_t) (end - pos))
498		goto fail;
499	conn->dh_ys_len = val;
500	conn->dh_ys = os_malloc(conn->dh_ys_len);
501	if (conn->dh_ys == NULL)
502		goto fail;
503	os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
504	pos += conn->dh_ys_len;
505	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
506		    conn->dh_ys, conn->dh_ys_len);
507	server_params_end = pos;
508
509	if (key_exchange == TLS_KEY_X_DHE_RSA) {
510		u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
511		int hlen;
512
513		if (conn->rl.tls_version == TLS_VERSION_1_2) {
514#ifdef CONFIG_TLSV12
515			/*
516			 * RFC 5246, 4.7:
517			 * TLS v1.2 adds explicit indication of the used
518			 * signature and hash algorithms.
519			 *
520			 * struct {
521			 *   HashAlgorithm hash;
522			 *   SignatureAlgorithm signature;
523			 * } SignatureAndHashAlgorithm;
524			 */
525			if (end - pos < 2)
526				goto fail;
527			if (pos[0] != TLS_HASH_ALG_SHA256 ||
528			    pos[1] != TLS_SIGN_ALG_RSA) {
529				wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
530					   pos[0], pos[1]);
531				goto fail;
532			}
533			pos += 2;
534
535			hlen = tlsv12_key_x_server_params_hash(
536				conn->rl.tls_version, conn->client_random,
537				conn->server_random, server_params,
538				server_params_end - server_params, hash);
539#else /* CONFIG_TLSV12 */
540			goto fail;
541#endif /* CONFIG_TLSV12 */
542		} else {
543			hlen = tls_key_x_server_params_hash(
544				conn->rl.tls_version, conn->client_random,
545				conn->server_random, server_params,
546				server_params_end - server_params, hash);
547		}
548
549		if (hlen < 0)
550			goto fail;
551		wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
552			    hash, hlen);
553
554		if (tls_verify_signature(conn->rl.tls_version,
555					 conn->server_rsa_key,
556					 hash, hlen, pos, end - pos,
557					 &alert) < 0)
558			goto fail;
559	}
560
561	return 0;
562
563fail:
564	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
565	tlsv1_client_free_dh(conn);
566	return -1;
567}
568
569
570static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
571					   const u8 *in_data, size_t *in_len)
572{
573	const u8 *pos, *end;
574	size_t left, len;
575	u8 type;
576	const struct tls_cipher_suite *suite;
577
578	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
579		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
580			   "received content type 0x%x", ct);
581		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
582			  TLS_ALERT_UNEXPECTED_MESSAGE);
583		return -1;
584	}
585
586	pos = in_data;
587	left = *in_len;
588
589	if (left < 4) {
590		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
591			   "(Left=%lu)", (unsigned long) left);
592		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
593		return -1;
594	}
595
596	type = *pos++;
597	len = WPA_GET_BE24(pos);
598	pos += 3;
599	left -= 4;
600
601	if (len > left) {
602		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
603			   "length (len=%lu != left=%lu)",
604			   (unsigned long) len, (unsigned long) left);
605		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
606		return -1;
607	}
608
609	end = pos + len;
610
611	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
612		return tls_process_certificate_request(conn, ct, in_data,
613						       in_len);
614	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
615		return tls_process_server_hello_done(conn, ct, in_data,
616						     in_len);
617	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
618		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
619			   "message %d (expected ServerKeyExchange/"
620			   "CertificateRequest/ServerHelloDone)", type);
621		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
622			  TLS_ALERT_UNEXPECTED_MESSAGE);
623		return -1;
624	}
625
626	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
627
628	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
629		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
630			   "with the selected cipher suite");
631		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
632			  TLS_ALERT_UNEXPECTED_MESSAGE);
633		return -1;
634	}
635
636	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
637	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
638	if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
639		      suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
640		if (tlsv1_process_diffie_hellman(conn, pos, len,
641						 suite->key_exchange) < 0) {
642			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
643				  TLS_ALERT_DECODE_ERROR);
644			return -1;
645		}
646	} else {
647		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
648		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
649			  TLS_ALERT_UNEXPECTED_MESSAGE);
650		return -1;
651	}
652
653	*in_len = end - in_data;
654
655	conn->state = SERVER_CERTIFICATE_REQUEST;
656
657	return 0;
658}
659
660
661static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
662					   const u8 *in_data, size_t *in_len)
663{
664	const u8 *pos, *end;
665	size_t left, len;
666	u8 type;
667
668	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
669		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
670			   "received content type 0x%x", ct);
671		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672			  TLS_ALERT_UNEXPECTED_MESSAGE);
673		return -1;
674	}
675
676	pos = in_data;
677	left = *in_len;
678
679	if (left < 4) {
680		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
681			   "(left=%lu)", (unsigned long) left);
682		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
683		return -1;
684	}
685
686	type = *pos++;
687	len = WPA_GET_BE24(pos);
688	pos += 3;
689	left -= 4;
690
691	if (len > left) {
692		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
693			   "length (len=%lu != left=%lu)",
694			   (unsigned long) len, (unsigned long) left);
695		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
696		return -1;
697	}
698
699	end = pos + len;
700
701	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
702		return tls_process_server_hello_done(conn, ct, in_data,
703						     in_len);
704	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
705		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
706			   "message %d (expected CertificateRequest/"
707			   "ServerHelloDone)", type);
708		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
709			  TLS_ALERT_UNEXPECTED_MESSAGE);
710		return -1;
711	}
712
713	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
714
715	conn->certificate_requested = 1;
716
717	*in_len = end - in_data;
718
719	conn->state = SERVER_HELLO_DONE;
720
721	return 0;
722}
723
724
725static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
726					 const u8 *in_data, size_t *in_len)
727{
728	const u8 *pos, *end;
729	size_t left, len;
730	u8 type;
731
732	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
733		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
734			   "received content type 0x%x", ct);
735		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
736			  TLS_ALERT_UNEXPECTED_MESSAGE);
737		return -1;
738	}
739
740	pos = in_data;
741	left = *in_len;
742
743	if (left < 4) {
744		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
745			   "(left=%lu)", (unsigned long) left);
746		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
747		return -1;
748	}
749
750	type = *pos++;
751	len = WPA_GET_BE24(pos);
752	pos += 3;
753	left -= 4;
754
755	if (len > left) {
756		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
757			   "length (len=%lu != left=%lu)",
758			   (unsigned long) len, (unsigned long) left);
759		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
760		return -1;
761	}
762	end = pos + len;
763
764	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
765		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
766			   "message %d (expected ServerHelloDone)", type);
767		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
768			  TLS_ALERT_UNEXPECTED_MESSAGE);
769		return -1;
770	}
771
772	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
773
774	*in_len = end - in_data;
775
776	conn->state = CLIENT_KEY_EXCHANGE;
777
778	return 0;
779}
780
781
782static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
783						 u8 ct, const u8 *in_data,
784						 size_t *in_len)
785{
786	const u8 *pos;
787	size_t left;
788
789	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
790		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
791			   "received content type 0x%x", ct);
792		if (conn->use_session_ticket) {
793			int res;
794			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
795				   "rejected SessionTicket");
796			conn->use_session_ticket = 0;
797
798			/* Notify upper layers that SessionTicket failed */
799			res = conn->session_ticket_cb(
800				conn->session_ticket_cb_ctx, NULL, 0, NULL,
801				NULL, NULL);
802			if (res < 0) {
803				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
804					   "callback indicated failure");
805				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
806					  TLS_ALERT_HANDSHAKE_FAILURE);
807				return -1;
808			}
809
810			conn->state = SERVER_CERTIFICATE;
811			return tls_process_certificate(conn, ct, in_data,
812						       in_len);
813		}
814		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
815			  TLS_ALERT_UNEXPECTED_MESSAGE);
816		return -1;
817	}
818
819	pos = in_data;
820	left = *in_len;
821
822	if (left < 1) {
823		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
824		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
825		return -1;
826	}
827
828	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
829		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
830			   "received data 0x%x", *pos);
831		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
832			  TLS_ALERT_UNEXPECTED_MESSAGE);
833		return -1;
834	}
835
836	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
837	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
838		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
839			   "for record layer");
840		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
841			  TLS_ALERT_INTERNAL_ERROR);
842		return -1;
843	}
844
845	*in_len = pos + 1 - in_data;
846
847	conn->state = SERVER_FINISHED;
848
849	return 0;
850}
851
852
853static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
854				       const u8 *in_data, size_t *in_len)
855{
856	const u8 *pos, *end;
857	size_t left, len, hlen;
858	u8 verify_data[TLS_VERIFY_DATA_LEN];
859	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
860
861	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
862		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
863			   "received content type 0x%x", ct);
864		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
865			  TLS_ALERT_UNEXPECTED_MESSAGE);
866		return -1;
867	}
868
869	pos = in_data;
870	left = *in_len;
871
872	if (left < 4) {
873		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
874			   "Finished",
875			   (unsigned long) left);
876		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
877			  TLS_ALERT_DECODE_ERROR);
878		return -1;
879	}
880
881	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
882		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
883			   "type 0x%x", pos[0]);
884		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
885			  TLS_ALERT_UNEXPECTED_MESSAGE);
886		return -1;
887	}
888
889	len = WPA_GET_BE24(pos + 1);
890
891	pos += 4;
892	left -= 4;
893
894	if (len > left) {
895		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
896			   "(len=%lu > left=%lu)",
897			   (unsigned long) len, (unsigned long) left);
898		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
899			  TLS_ALERT_DECODE_ERROR);
900		return -1;
901	}
902	end = pos + len;
903	if (len != TLS_VERIFY_DATA_LEN) {
904		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
905			   "in Finished: %lu (expected %d)",
906			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
907		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
908			  TLS_ALERT_DECODE_ERROR);
909		return -1;
910	}
911	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
912		    pos, TLS_VERIFY_DATA_LEN);
913
914#ifdef CONFIG_TLSV12
915	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
916		hlen = SHA256_MAC_LEN;
917		if (conn->verify.sha256_server == NULL ||
918		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
919		    < 0) {
920			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
921				  TLS_ALERT_INTERNAL_ERROR);
922			conn->verify.sha256_server = NULL;
923			return -1;
924		}
925		conn->verify.sha256_server = NULL;
926	} else {
927#endif /* CONFIG_TLSV12 */
928
929	hlen = MD5_MAC_LEN;
930	if (conn->verify.md5_server == NULL ||
931	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
932		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
933			  TLS_ALERT_INTERNAL_ERROR);
934		conn->verify.md5_server = NULL;
935		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
936		conn->verify.sha1_server = NULL;
937		return -1;
938	}
939	conn->verify.md5_server = NULL;
940	hlen = SHA1_MAC_LEN;
941	if (conn->verify.sha1_server == NULL ||
942	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
943			       &hlen) < 0) {
944		conn->verify.sha1_server = NULL;
945		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
946			  TLS_ALERT_INTERNAL_ERROR);
947		return -1;
948	}
949	conn->verify.sha1_server = NULL;
950	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
951
952#ifdef CONFIG_TLSV12
953	}
954#endif /* CONFIG_TLSV12 */
955
956	if (tls_prf(conn->rl.tls_version,
957		    conn->master_secret, TLS_MASTER_SECRET_LEN,
958		    "server finished", hash, hlen,
959		    verify_data, TLS_VERIFY_DATA_LEN)) {
960		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
961		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
962			  TLS_ALERT_DECRYPT_ERROR);
963		return -1;
964	}
965	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
966			verify_data, TLS_VERIFY_DATA_LEN);
967
968	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
969		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
970		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
971			  TLS_ALERT_DECRYPT_ERROR);
972		return -1;
973	}
974
975	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
976
977	*in_len = end - in_data;
978
979	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
980		CHANGE_CIPHER_SPEC : ACK_FINISHED;
981
982	return 0;
983}
984
985
986static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
987					const u8 *in_data, size_t *in_len,
988					u8 **out_data, size_t *out_len)
989{
990	const u8 *pos;
991	size_t left;
992
993	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
994		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
995			   "received content type 0x%x", ct);
996		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
997			  TLS_ALERT_UNEXPECTED_MESSAGE);
998		return -1;
999	}
1000
1001	pos = in_data;
1002	left = *in_len;
1003
1004	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1005		    pos, left);
1006
1007	*out_data = os_malloc(left);
1008	if (*out_data) {
1009		os_memcpy(*out_data, pos, left);
1010		*out_len = left;
1011	}
1012
1013	return 0;
1014}
1015
1016
1017int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1018				   const u8 *buf, size_t *len,
1019				   u8 **out_data, size_t *out_len)
1020{
1021	if (ct == TLS_CONTENT_TYPE_ALERT) {
1022		if (*len < 2) {
1023			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1024			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025				  TLS_ALERT_DECODE_ERROR);
1026			return -1;
1027		}
1028		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1029			   buf[0], buf[1]);
1030		*len = 2;
1031		conn->state = FAILED;
1032		return -1;
1033	}
1034
1035	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1036	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1037		size_t hr_len = WPA_GET_BE24(buf + 1);
1038		if (hr_len > *len - 4) {
1039			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1040			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041				  TLS_ALERT_DECODE_ERROR);
1042			return -1;
1043		}
1044		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1045		*len = 4 + hr_len;
1046		return 0;
1047	}
1048
1049	switch (conn->state) {
1050	case SERVER_HELLO:
1051		if (tls_process_server_hello(conn, ct, buf, len))
1052			return -1;
1053		break;
1054	case SERVER_CERTIFICATE:
1055		if (tls_process_certificate(conn, ct, buf, len))
1056			return -1;
1057		break;
1058	case SERVER_KEY_EXCHANGE:
1059		if (tls_process_server_key_exchange(conn, ct, buf, len))
1060			return -1;
1061		break;
1062	case SERVER_CERTIFICATE_REQUEST:
1063		if (tls_process_certificate_request(conn, ct, buf, len))
1064			return -1;
1065		break;
1066	case SERVER_HELLO_DONE:
1067		if (tls_process_server_hello_done(conn, ct, buf, len))
1068			return -1;
1069		break;
1070	case SERVER_CHANGE_CIPHER_SPEC:
1071		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1072			return -1;
1073		break;
1074	case SERVER_FINISHED:
1075		if (tls_process_server_finished(conn, ct, buf, len))
1076			return -1;
1077		break;
1078	case ACK_FINISHED:
1079		if (out_data &&
1080		    tls_process_application_data(conn, ct, buf, len, out_data,
1081						 out_len))
1082			return -1;
1083		break;
1084	default:
1085		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1086			   "while processing received message",
1087			   conn->state);
1088		return -1;
1089	}
1090
1091	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1092		tls_verify_hash_add(&conn->verify, buf, *len);
1093
1094	return 0;
1095}
1096