tlsv1_client_read.c revision 818ea489ef32dcdc7c098d8a336d6e1dd8996112
1/* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "x509v3.h" 17#include "tlsv1_common.h" 18#include "tlsv1_record.h" 19#include "tlsv1_client.h" 20#include "tlsv1_client_i.h" 21 22static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 31 const u8 *in_data, size_t *in_len) 32{ 33 const u8 *pos, *end; 34 size_t left, len, i; 35 u16 cipher_suite; 36 u16 tls_version; 37 38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 40 "received content type 0x%x", ct); 41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 42 TLS_ALERT_UNEXPECTED_MESSAGE); 43 return -1; 44 } 45 46 pos = in_data; 47 left = *in_len; 48 49 if (left < 4) 50 goto decode_error; 51 52 /* HandshakeType msg_type */ 53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 55 "message %d (expected ServerHello)", *pos); 56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 57 TLS_ALERT_UNEXPECTED_MESSAGE); 58 return -1; 59 } 60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 61 pos++; 62 /* uint24 length */ 63 len = WPA_GET_BE24(pos); 64 pos += 3; 65 left -= 4; 66 67 if (len > left) 68 goto decode_error; 69 70 /* body - ServerHello */ 71 72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 73 end = pos + len; 74 75 /* ProtocolVersion server_version */ 76 if (end - pos < 2) 77 goto decode_error; 78 tls_version = WPA_GET_BE16(pos); 79 if (!tls_version_ok(tls_version)) { 80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 81 "ServerHello %u.%u", pos[0], pos[1]); 82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 83 TLS_ALERT_PROTOCOL_VERSION); 84 return -1; 85 } 86 pos += 2; 87 88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 89 tls_version_str(tls_version)); 90 conn->rl.tls_version = tls_version; 91 92 /* Random random */ 93 if (end - pos < TLS_RANDOM_LEN) 94 goto decode_error; 95 96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 97 pos += TLS_RANDOM_LEN; 98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 99 conn->server_random, TLS_RANDOM_LEN); 100 101 /* SessionID session_id */ 102 if (end - pos < 1) 103 goto decode_error; 104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 105 goto decode_error; 106 if (conn->session_id_len && conn->session_id_len == *pos && 107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 108 pos += 1 + conn->session_id_len; 109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 110 conn->session_resumed = 1; 111 } else { 112 conn->session_id_len = *pos; 113 pos++; 114 os_memcpy(conn->session_id, pos, conn->session_id_len); 115 pos += conn->session_id_len; 116 } 117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 118 conn->session_id, conn->session_id_len); 119 120 /* CipherSuite cipher_suite */ 121 if (end - pos < 2) 122 goto decode_error; 123 cipher_suite = WPA_GET_BE16(pos); 124 pos += 2; 125 for (i = 0; i < conn->num_cipher_suites; i++) { 126 if (cipher_suite == conn->cipher_suites[i]) 127 break; 128 } 129 if (i == conn->num_cipher_suites) { 130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 131 "cipher suite 0x%04x", cipher_suite); 132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 133 TLS_ALERT_ILLEGAL_PARAMETER); 134 return -1; 135 } 136 137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 139 "cipher suite for a resumed connection (0x%04x != " 140 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 142 TLS_ALERT_ILLEGAL_PARAMETER); 143 return -1; 144 } 145 146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 148 "record layer"); 149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 150 TLS_ALERT_INTERNAL_ERROR); 151 return -1; 152 } 153 154 conn->prev_cipher_suite = cipher_suite; 155 156 /* CompressionMethod compression_method */ 157 if (end - pos < 1) 158 goto decode_error; 159 if (*pos != TLS_COMPRESSION_NULL) { 160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 161 "compression 0x%02x", *pos); 162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 163 TLS_ALERT_ILLEGAL_PARAMETER); 164 return -1; 165 } 166 pos++; 167 168 if (end != pos) { 169 /* TODO: ServerHello extensions */ 170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 171 "end of ServerHello", pos, end - pos); 172 goto decode_error; 173 } 174 175 if (conn->session_ticket_included && conn->session_ticket_cb) { 176 /* TODO: include SessionTicket extension if one was included in 177 * ServerHello */ 178 int res = conn->session_ticket_cb( 179 conn->session_ticket_cb_ctx, NULL, 0, 180 conn->client_random, conn->server_random, 181 conn->master_secret); 182 if (res < 0) { 183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 184 "indicated failure"); 185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 186 TLS_ALERT_HANDSHAKE_FAILURE); 187 return -1; 188 } 189 conn->use_session_ticket = !!res; 190 } 191 192 if ((conn->session_resumed || conn->use_session_ticket) && 193 tls_derive_keys(conn, NULL, 0)) { 194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 196 TLS_ALERT_INTERNAL_ERROR); 197 return -1; 198 } 199 200 *in_len = end - in_data; 201 202 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 204 205 return 0; 206 207decode_error: 208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 210 return -1; 211} 212 213 214static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 215 const u8 *in_data, size_t *in_len) 216{ 217 const u8 *pos, *end; 218 size_t left, len, list_len, cert_len, idx; 219 u8 type; 220 struct x509_certificate *chain = NULL, *last = NULL, *cert; 221 int reason; 222 223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 225 "received content type 0x%x", ct); 226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 227 TLS_ALERT_UNEXPECTED_MESSAGE); 228 return -1; 229 } 230 231 pos = in_data; 232 left = *in_len; 233 234 if (left < 4) { 235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 236 "(len=%lu)", (unsigned long) left); 237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 238 return -1; 239 } 240 241 type = *pos++; 242 len = WPA_GET_BE24(pos); 243 pos += 3; 244 left -= 4; 245 246 if (len > left) { 247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 248 "length (len=%lu != left=%lu)", 249 (unsigned long) len, (unsigned long) left); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 251 return -1; 252 } 253 254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 255 return tls_process_server_key_exchange(conn, ct, in_data, 256 in_len); 257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 258 return tls_process_certificate_request(conn, ct, in_data, 259 in_len); 260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 261 return tls_process_server_hello_done(conn, ct, in_data, 262 in_len); 263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 265 "message %d (expected Certificate/" 266 "ServerKeyExchange/CertificateRequest/" 267 "ServerHelloDone)", type); 268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 269 TLS_ALERT_UNEXPECTED_MESSAGE); 270 return -1; 271 } 272 273 wpa_printf(MSG_DEBUG, 274 "TLSv1: Received Certificate (certificate_list len %lu)", 275 (unsigned long) len); 276 277 /* 278 * opaque ASN.1Cert<2^24-1>; 279 * 280 * struct { 281 * ASN.1Cert certificate_list<1..2^24-1>; 282 * } Certificate; 283 */ 284 285 end = pos + len; 286 287 if (end - pos < 3) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 289 "(left=%lu)", (unsigned long) left); 290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 291 return -1; 292 } 293 294 list_len = WPA_GET_BE24(pos); 295 pos += 3; 296 297 if ((size_t) (end - pos) != list_len) { 298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 299 "length (len=%lu left=%lu)", 300 (unsigned long) list_len, 301 (unsigned long) (end - pos)); 302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 303 return -1; 304 } 305 306 idx = 0; 307 while (pos < end) { 308 if (end - pos < 3) { 309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 310 "certificate_list"); 311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 312 TLS_ALERT_DECODE_ERROR); 313 x509_certificate_chain_free(chain); 314 return -1; 315 } 316 317 cert_len = WPA_GET_BE24(pos); 318 pos += 3; 319 320 if ((size_t) (end - pos) < cert_len) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 322 "length (len=%lu left=%lu)", 323 (unsigned long) cert_len, 324 (unsigned long) (end - pos)); 325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_DECODE_ERROR); 327 x509_certificate_chain_free(chain); 328 return -1; 329 } 330 331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 332 (unsigned long) idx, (unsigned long) cert_len); 333 334 if (idx == 0) { 335 crypto_public_key_free(conn->server_rsa_key); 336 if (tls_parse_cert(pos, cert_len, 337 &conn->server_rsa_key)) { 338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 339 "the certificate"); 340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 341 TLS_ALERT_BAD_CERTIFICATE); 342 x509_certificate_chain_free(chain); 343 return -1; 344 } 345 } 346 347 cert = x509_certificate_parse(pos, cert_len); 348 if (cert == NULL) { 349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 350 "the certificate"); 351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 352 TLS_ALERT_BAD_CERTIFICATE); 353 x509_certificate_chain_free(chain); 354 return -1; 355 } 356 357 if (last == NULL) 358 chain = cert; 359 else 360 last->next = cert; 361 last = cert; 362 363 idx++; 364 pos += cert_len; 365 } 366 367 if (conn->cred && 368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 369 &reason, conn->disable_time_checks) 370 < 0) { 371 int tls_reason; 372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 373 "validation failed (reason=%d)", reason); 374 switch (reason) { 375 case X509_VALIDATE_BAD_CERTIFICATE: 376 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 377 break; 378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 380 break; 381 case X509_VALIDATE_CERTIFICATE_REVOKED: 382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 383 break; 384 case X509_VALIDATE_CERTIFICATE_EXPIRED: 385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 386 break; 387 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 389 break; 390 case X509_VALIDATE_UNKNOWN_CA: 391 tls_reason = TLS_ALERT_UNKNOWN_CA; 392 break; 393 default: 394 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 395 break; 396 } 397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 398 x509_certificate_chain_free(chain); 399 return -1; 400 } 401 402 x509_certificate_chain_free(chain); 403 404 *in_len = end - in_data; 405 406 conn->state = SERVER_KEY_EXCHANGE; 407 408 return 0; 409} 410 411 412static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 413 const u8 *buf, size_t len, 414 tls_key_exchange key_exchange) 415{ 416 const u8 *pos, *end, *server_params, *server_params_end; 417 u8 alert; 418 419 tlsv1_client_free_dh(conn); 420 421 pos = buf; 422 end = buf + len; 423 424 if (end - pos < 3) 425 goto fail; 426 server_params = pos; 427 conn->dh_p_len = WPA_GET_BE16(pos); 428 pos += 2; 429 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) { 430 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu", 431 (unsigned long) conn->dh_p_len); 432 goto fail; 433 } 434 conn->dh_p = os_malloc(conn->dh_p_len); 435 if (conn->dh_p == NULL) 436 goto fail; 437 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 438 pos += conn->dh_p_len; 439 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 440 conn->dh_p, conn->dh_p_len); 441 442 if (end - pos < 3) 443 goto fail; 444 conn->dh_g_len = WPA_GET_BE16(pos); 445 pos += 2; 446 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 447 goto fail; 448 conn->dh_g = os_malloc(conn->dh_g_len); 449 if (conn->dh_g == NULL) 450 goto fail; 451 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 452 pos += conn->dh_g_len; 453 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 454 conn->dh_g, conn->dh_g_len); 455 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 456 goto fail; 457 458 if (end - pos < 3) 459 goto fail; 460 conn->dh_ys_len = WPA_GET_BE16(pos); 461 pos += 2; 462 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 463 goto fail; 464 conn->dh_ys = os_malloc(conn->dh_ys_len); 465 if (conn->dh_ys == NULL) 466 goto fail; 467 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 468 pos += conn->dh_ys_len; 469 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 470 conn->dh_ys, conn->dh_ys_len); 471 server_params_end = pos; 472 473 if (key_exchange == TLS_KEY_X_DHE_RSA) { 474 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 475 int hlen; 476 477 if (conn->rl.tls_version == TLS_VERSION_1_2) { 478#ifdef CONFIG_TLSV12 479 /* 480 * RFC 5246, 4.7: 481 * TLS v1.2 adds explicit indication of the used 482 * signature and hash algorithms. 483 * 484 * struct { 485 * HashAlgorithm hash; 486 * SignatureAlgorithm signature; 487 * } SignatureAndHashAlgorithm; 488 */ 489 if (end - pos < 2) 490 goto fail; 491 if (pos[0] != TLS_HASH_ALG_SHA256 || 492 pos[1] != TLS_SIGN_ALG_RSA) { 493 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 494 pos[0], pos[1]); 495 goto fail; 496 } 497 pos += 2; 498 499 hlen = tlsv12_key_x_server_params_hash( 500 conn->rl.tls_version, conn->client_random, 501 conn->server_random, server_params, 502 server_params_end - server_params, hash); 503#else /* CONFIG_TLSV12 */ 504 goto fail; 505#endif /* CONFIG_TLSV12 */ 506 } else { 507 hlen = tls_key_x_server_params_hash( 508 conn->rl.tls_version, conn->client_random, 509 conn->server_random, server_params, 510 server_params_end - server_params, hash); 511 } 512 513 if (hlen < 0) 514 goto fail; 515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 516 hash, hlen); 517 518 if (tls_verify_signature(conn->rl.tls_version, 519 conn->server_rsa_key, 520 hash, hlen, pos, end - pos, 521 &alert) < 0) 522 goto fail; 523 } 524 525 return 0; 526 527fail: 528 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 529 tlsv1_client_free_dh(conn); 530 return -1; 531} 532 533 534static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 535 const u8 *in_data, size_t *in_len) 536{ 537 const u8 *pos, *end; 538 size_t left, len; 539 u8 type; 540 const struct tls_cipher_suite *suite; 541 542 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 543 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 544 "received content type 0x%x", ct); 545 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 546 TLS_ALERT_UNEXPECTED_MESSAGE); 547 return -1; 548 } 549 550 pos = in_data; 551 left = *in_len; 552 553 if (left < 4) { 554 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 555 "(Left=%lu)", (unsigned long) left); 556 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 557 return -1; 558 } 559 560 type = *pos++; 561 len = WPA_GET_BE24(pos); 562 pos += 3; 563 left -= 4; 564 565 if (len > left) { 566 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 567 "length (len=%lu != left=%lu)", 568 (unsigned long) len, (unsigned long) left); 569 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 570 return -1; 571 } 572 573 end = pos + len; 574 575 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 576 return tls_process_certificate_request(conn, ct, in_data, 577 in_len); 578 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 579 return tls_process_server_hello_done(conn, ct, in_data, 580 in_len); 581 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 582 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 583 "message %d (expected ServerKeyExchange/" 584 "CertificateRequest/ServerHelloDone)", type); 585 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 586 TLS_ALERT_UNEXPECTED_MESSAGE); 587 return -1; 588 } 589 590 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 591 592 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 593 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 594 "with the selected cipher suite"); 595 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 596 TLS_ALERT_UNEXPECTED_MESSAGE); 597 return -1; 598 } 599 600 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 601 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 602 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 603 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 604 if (tlsv1_process_diffie_hellman(conn, pos, len, 605 suite->key_exchange) < 0) { 606 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 607 TLS_ALERT_DECODE_ERROR); 608 return -1; 609 } 610 } else { 611 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 612 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 613 TLS_ALERT_UNEXPECTED_MESSAGE); 614 return -1; 615 } 616 617 *in_len = end - in_data; 618 619 conn->state = SERVER_CERTIFICATE_REQUEST; 620 621 return 0; 622} 623 624 625static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 626 const u8 *in_data, size_t *in_len) 627{ 628 const u8 *pos, *end; 629 size_t left, len; 630 u8 type; 631 632 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 633 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 634 "received content type 0x%x", ct); 635 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 636 TLS_ALERT_UNEXPECTED_MESSAGE); 637 return -1; 638 } 639 640 pos = in_data; 641 left = *in_len; 642 643 if (left < 4) { 644 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 645 "(left=%lu)", (unsigned long) left); 646 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 647 return -1; 648 } 649 650 type = *pos++; 651 len = WPA_GET_BE24(pos); 652 pos += 3; 653 left -= 4; 654 655 if (len > left) { 656 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 657 "length (len=%lu != left=%lu)", 658 (unsigned long) len, (unsigned long) left); 659 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 660 return -1; 661 } 662 663 end = pos + len; 664 665 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 666 return tls_process_server_hello_done(conn, ct, in_data, 667 in_len); 668 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 669 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 670 "message %d (expected CertificateRequest/" 671 "ServerHelloDone)", type); 672 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 673 TLS_ALERT_UNEXPECTED_MESSAGE); 674 return -1; 675 } 676 677 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 678 679 conn->certificate_requested = 1; 680 681 *in_len = end - in_data; 682 683 conn->state = SERVER_HELLO_DONE; 684 685 return 0; 686} 687 688 689static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 690 const u8 *in_data, size_t *in_len) 691{ 692 const u8 *pos, *end; 693 size_t left, len; 694 u8 type; 695 696 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 697 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 698 "received content type 0x%x", ct); 699 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 700 TLS_ALERT_UNEXPECTED_MESSAGE); 701 return -1; 702 } 703 704 pos = in_data; 705 left = *in_len; 706 707 if (left < 4) { 708 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 709 "(left=%lu)", (unsigned long) left); 710 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 711 return -1; 712 } 713 714 type = *pos++; 715 len = WPA_GET_BE24(pos); 716 pos += 3; 717 left -= 4; 718 719 if (len > left) { 720 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 721 "length (len=%lu != left=%lu)", 722 (unsigned long) len, (unsigned long) left); 723 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 724 return -1; 725 } 726 end = pos + len; 727 728 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 729 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 730 "message %d (expected ServerHelloDone)", type); 731 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 732 TLS_ALERT_UNEXPECTED_MESSAGE); 733 return -1; 734 } 735 736 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 737 738 *in_len = end - in_data; 739 740 conn->state = CLIENT_KEY_EXCHANGE; 741 742 return 0; 743} 744 745 746static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 747 u8 ct, const u8 *in_data, 748 size_t *in_len) 749{ 750 const u8 *pos; 751 size_t left; 752 753 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 754 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 755 "received content type 0x%x", ct); 756 if (conn->use_session_ticket) { 757 int res; 758 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 759 "rejected SessionTicket"); 760 conn->use_session_ticket = 0; 761 762 /* Notify upper layers that SessionTicket failed */ 763 res = conn->session_ticket_cb( 764 conn->session_ticket_cb_ctx, NULL, 0, NULL, 765 NULL, NULL); 766 if (res < 0) { 767 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 768 "callback indicated failure"); 769 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 770 TLS_ALERT_HANDSHAKE_FAILURE); 771 return -1; 772 } 773 774 conn->state = SERVER_CERTIFICATE; 775 return tls_process_certificate(conn, ct, in_data, 776 in_len); 777 } 778 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 779 TLS_ALERT_UNEXPECTED_MESSAGE); 780 return -1; 781 } 782 783 pos = in_data; 784 left = *in_len; 785 786 if (left < 1) { 787 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 788 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 789 return -1; 790 } 791 792 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 793 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 794 "received data 0x%x", *pos); 795 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 796 TLS_ALERT_UNEXPECTED_MESSAGE); 797 return -1; 798 } 799 800 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 801 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 802 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 803 "for record layer"); 804 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 805 TLS_ALERT_INTERNAL_ERROR); 806 return -1; 807 } 808 809 *in_len = pos + 1 - in_data; 810 811 conn->state = SERVER_FINISHED; 812 813 return 0; 814} 815 816 817static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 818 const u8 *in_data, size_t *in_len) 819{ 820 const u8 *pos, *end; 821 size_t left, len, hlen; 822 u8 verify_data[TLS_VERIFY_DATA_LEN]; 823 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 824 825 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 826 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 827 "received content type 0x%x", ct); 828 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 829 TLS_ALERT_UNEXPECTED_MESSAGE); 830 return -1; 831 } 832 833 pos = in_data; 834 left = *in_len; 835 836 if (left < 4) { 837 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 838 "Finished", 839 (unsigned long) left); 840 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 841 TLS_ALERT_DECODE_ERROR); 842 return -1; 843 } 844 845 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 846 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 847 "type 0x%x", pos[0]); 848 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 849 TLS_ALERT_UNEXPECTED_MESSAGE); 850 return -1; 851 } 852 853 len = WPA_GET_BE24(pos + 1); 854 855 pos += 4; 856 left -= 4; 857 858 if (len > left) { 859 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 860 "(len=%lu > left=%lu)", 861 (unsigned long) len, (unsigned long) left); 862 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 863 TLS_ALERT_DECODE_ERROR); 864 return -1; 865 } 866 end = pos + len; 867 if (len != TLS_VERIFY_DATA_LEN) { 868 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 869 "in Finished: %lu (expected %d)", 870 (unsigned long) len, TLS_VERIFY_DATA_LEN); 871 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 872 TLS_ALERT_DECODE_ERROR); 873 return -1; 874 } 875 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 876 pos, TLS_VERIFY_DATA_LEN); 877 878#ifdef CONFIG_TLSV12 879 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 880 hlen = SHA256_MAC_LEN; 881 if (conn->verify.sha256_server == NULL || 882 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 883 < 0) { 884 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 885 TLS_ALERT_INTERNAL_ERROR); 886 conn->verify.sha256_server = NULL; 887 return -1; 888 } 889 conn->verify.sha256_server = NULL; 890 } else { 891#endif /* CONFIG_TLSV12 */ 892 893 hlen = MD5_MAC_LEN; 894 if (conn->verify.md5_server == NULL || 895 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 896 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 897 TLS_ALERT_INTERNAL_ERROR); 898 conn->verify.md5_server = NULL; 899 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 900 conn->verify.sha1_server = NULL; 901 return -1; 902 } 903 conn->verify.md5_server = NULL; 904 hlen = SHA1_MAC_LEN; 905 if (conn->verify.sha1_server == NULL || 906 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 907 &hlen) < 0) { 908 conn->verify.sha1_server = NULL; 909 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 910 TLS_ALERT_INTERNAL_ERROR); 911 return -1; 912 } 913 conn->verify.sha1_server = NULL; 914 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 915 916#ifdef CONFIG_TLSV12 917 } 918#endif /* CONFIG_TLSV12 */ 919 920 if (tls_prf(conn->rl.tls_version, 921 conn->master_secret, TLS_MASTER_SECRET_LEN, 922 "server finished", hash, hlen, 923 verify_data, TLS_VERIFY_DATA_LEN)) { 924 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 925 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 926 TLS_ALERT_DECRYPT_ERROR); 927 return -1; 928 } 929 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 930 verify_data, TLS_VERIFY_DATA_LEN); 931 932 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 933 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 934 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 935 TLS_ALERT_DECRYPT_ERROR); 936 return -1; 937 } 938 939 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 940 941 *in_len = end - in_data; 942 943 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 944 CHANGE_CIPHER_SPEC : ACK_FINISHED; 945 946 return 0; 947} 948 949 950static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 951 const u8 *in_data, size_t *in_len, 952 u8 **out_data, size_t *out_len) 953{ 954 const u8 *pos; 955 size_t left; 956 957 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 958 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 959 "received content type 0x%x", ct); 960 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 961 TLS_ALERT_UNEXPECTED_MESSAGE); 962 return -1; 963 } 964 965 pos = in_data; 966 left = *in_len; 967 968 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 969 pos, left); 970 971 *out_data = os_malloc(left); 972 if (*out_data) { 973 os_memcpy(*out_data, pos, left); 974 *out_len = left; 975 } 976 977 return 0; 978} 979 980 981int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 982 const u8 *buf, size_t *len, 983 u8 **out_data, size_t *out_len) 984{ 985 if (ct == TLS_CONTENT_TYPE_ALERT) { 986 if (*len < 2) { 987 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 988 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 989 TLS_ALERT_DECODE_ERROR); 990 return -1; 991 } 992 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 993 buf[0], buf[1]); 994 *len = 2; 995 conn->state = FAILED; 996 return -1; 997 } 998 999 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1000 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1001 size_t hr_len = WPA_GET_BE24(buf + 1); 1002 if (hr_len > *len - 4) { 1003 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1004 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1005 TLS_ALERT_DECODE_ERROR); 1006 return -1; 1007 } 1008 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1009 *len = 4 + hr_len; 1010 return 0; 1011 } 1012 1013 switch (conn->state) { 1014 case SERVER_HELLO: 1015 if (tls_process_server_hello(conn, ct, buf, len)) 1016 return -1; 1017 break; 1018 case SERVER_CERTIFICATE: 1019 if (tls_process_certificate(conn, ct, buf, len)) 1020 return -1; 1021 break; 1022 case SERVER_KEY_EXCHANGE: 1023 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1024 return -1; 1025 break; 1026 case SERVER_CERTIFICATE_REQUEST: 1027 if (tls_process_certificate_request(conn, ct, buf, len)) 1028 return -1; 1029 break; 1030 case SERVER_HELLO_DONE: 1031 if (tls_process_server_hello_done(conn, ct, buf, len)) 1032 return -1; 1033 break; 1034 case SERVER_CHANGE_CIPHER_SPEC: 1035 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1036 return -1; 1037 break; 1038 case SERVER_FINISHED: 1039 if (tls_process_server_finished(conn, ct, buf, len)) 1040 return -1; 1041 break; 1042 case ACK_FINISHED: 1043 if (out_data && 1044 tls_process_application_data(conn, ct, buf, len, out_data, 1045 out_len)) 1046 return -1; 1047 break; 1048 default: 1049 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1050 "while processing received message", 1051 conn->state); 1052 return -1; 1053 } 1054 1055 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1056 tls_verify_hash_add(&conn->verify, buf, *len); 1057 1058 return 0; 1059} 1060