1 /* 2 * TLS v1.0 (RFC 2246) and v1.1 (RFC 4346) client - read handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/md5.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "x509v3.h" 22 #include "tlsv1_common.h" 23 #include "tlsv1_record.h" 24 #include "tlsv1_client.h" 25 #include "tlsv1_client_i.h" 26 27 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 28 const u8 *in_data, size_t *in_len); 29 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 30 const u8 *in_data, size_t *in_len); 31 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 32 const u8 *in_data, size_t *in_len); 33 34 35 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 36 const u8 *in_data, size_t *in_len) 37 { 38 const u8 *pos, *end; 39 size_t left, len, i; 40 u16 cipher_suite; 41 u16 tls_version; 42 43 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 44 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 45 "received content type 0x%x", ct); 46 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 47 TLS_ALERT_UNEXPECTED_MESSAGE); 48 return -1; 49 } 50 51 pos = in_data; 52 left = *in_len; 53 54 if (left < 4) 55 goto decode_error; 56 57 /* HandshakeType msg_type */ 58 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 59 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 60 "message %d (expected ServerHello)", *pos); 61 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 62 TLS_ALERT_UNEXPECTED_MESSAGE); 63 return -1; 64 } 65 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 66 pos++; 67 /* uint24 length */ 68 len = WPA_GET_BE24(pos); 69 pos += 3; 70 left -= 4; 71 72 if (len > left) 73 goto decode_error; 74 75 /* body - ServerHello */ 76 77 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 78 end = pos + len; 79 80 /* ProtocolVersion server_version */ 81 if (end - pos < 2) 82 goto decode_error; 83 tls_version = WPA_GET_BE16(pos); 84 if (tls_version != TLS_VERSION_1 && 85 (tls_version != TLS_VERSION_1_1 || 86 TLS_VERSION == TLS_VERSION_1)) { 87 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 88 "ServerHello %u.%u", pos[0], pos[1]); 89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 90 TLS_ALERT_PROTOCOL_VERSION); 91 return -1; 92 } 93 pos += 2; 94 95 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 96 tls_version == TLS_VERSION_1_1 ? "1.1" : "1.0"); 97 conn->rl.tls_version = tls_version; 98 99 /* Random random */ 100 if (end - pos < TLS_RANDOM_LEN) 101 goto decode_error; 102 103 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 104 pos += TLS_RANDOM_LEN; 105 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 106 conn->server_random, TLS_RANDOM_LEN); 107 108 /* SessionID session_id */ 109 if (end - pos < 1) 110 goto decode_error; 111 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 112 goto decode_error; 113 if (conn->session_id_len && conn->session_id_len == *pos && 114 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 115 pos += 1 + conn->session_id_len; 116 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 117 conn->session_resumed = 1; 118 } else { 119 conn->session_id_len = *pos; 120 pos++; 121 os_memcpy(conn->session_id, pos, conn->session_id_len); 122 pos += conn->session_id_len; 123 } 124 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 125 conn->session_id, conn->session_id_len); 126 127 /* CipherSuite cipher_suite */ 128 if (end - pos < 2) 129 goto decode_error; 130 cipher_suite = WPA_GET_BE16(pos); 131 pos += 2; 132 for (i = 0; i < conn->num_cipher_suites; i++) { 133 if (cipher_suite == conn->cipher_suites[i]) 134 break; 135 } 136 if (i == conn->num_cipher_suites) { 137 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 138 "cipher suite 0x%04x", cipher_suite); 139 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 140 TLS_ALERT_ILLEGAL_PARAMETER); 141 return -1; 142 } 143 144 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 145 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 146 "cipher suite for a resumed connection (0x%04x != " 147 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 148 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 149 TLS_ALERT_ILLEGAL_PARAMETER); 150 return -1; 151 } 152 153 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 154 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 155 "record layer"); 156 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 157 TLS_ALERT_INTERNAL_ERROR); 158 return -1; 159 } 160 161 conn->prev_cipher_suite = cipher_suite; 162 163 /* CompressionMethod compression_method */ 164 if (end - pos < 1) 165 goto decode_error; 166 if (*pos != TLS_COMPRESSION_NULL) { 167 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 168 "compression 0x%02x", *pos); 169 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 170 TLS_ALERT_ILLEGAL_PARAMETER); 171 return -1; 172 } 173 pos++; 174 175 if (end != pos) { 176 /* TODO: ServerHello extensions */ 177 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 178 "end of ServerHello", pos, end - pos); 179 goto decode_error; 180 } 181 182 if (conn->session_ticket_included && conn->session_ticket_cb) { 183 /* TODO: include SessionTicket extension if one was included in 184 * ServerHello */ 185 int res = conn->session_ticket_cb( 186 conn->session_ticket_cb_ctx, NULL, 0, 187 conn->client_random, conn->server_random, 188 conn->master_secret); 189 if (res < 0) { 190 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 191 "indicated failure"); 192 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 193 TLS_ALERT_HANDSHAKE_FAILURE); 194 return -1; 195 } 196 conn->use_session_ticket = !!res; 197 } 198 199 if ((conn->session_resumed || conn->use_session_ticket) && 200 tls_derive_keys(conn, NULL, 0)) { 201 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 202 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 203 TLS_ALERT_INTERNAL_ERROR); 204 return -1; 205 } 206 207 *in_len = end - in_data; 208 209 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 210 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 211 212 return 0; 213 214 decode_error: 215 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 216 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 217 return -1; 218 } 219 220 221 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 222 const u8 *in_data, size_t *in_len) 223 { 224 const u8 *pos, *end; 225 size_t left, len, list_len, cert_len, idx; 226 u8 type; 227 struct x509_certificate *chain = NULL, *last = NULL, *cert; 228 int reason; 229 230 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 231 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 232 "received content type 0x%x", ct); 233 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 234 TLS_ALERT_UNEXPECTED_MESSAGE); 235 return -1; 236 } 237 238 pos = in_data; 239 left = *in_len; 240 241 if (left < 4) { 242 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 243 "(len=%lu)", (unsigned long) left); 244 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 245 return -1; 246 } 247 248 type = *pos++; 249 len = WPA_GET_BE24(pos); 250 pos += 3; 251 left -= 4; 252 253 if (len > left) { 254 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 255 "length (len=%lu != left=%lu)", 256 (unsigned long) len, (unsigned long) left); 257 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 258 return -1; 259 } 260 261 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 262 return tls_process_server_key_exchange(conn, ct, in_data, 263 in_len); 264 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 265 return tls_process_certificate_request(conn, ct, in_data, 266 in_len); 267 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 268 return tls_process_server_hello_done(conn, ct, in_data, 269 in_len); 270 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 271 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 272 "message %d (expected Certificate/" 273 "ServerKeyExchange/CertificateRequest/" 274 "ServerHelloDone)", type); 275 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 276 TLS_ALERT_UNEXPECTED_MESSAGE); 277 return -1; 278 } 279 280 wpa_printf(MSG_DEBUG, 281 "TLSv1: Received Certificate (certificate_list len %lu)", 282 (unsigned long) len); 283 284 /* 285 * opaque ASN.1Cert<2^24-1>; 286 * 287 * struct { 288 * ASN.1Cert certificate_list<1..2^24-1>; 289 * } Certificate; 290 */ 291 292 end = pos + len; 293 294 if (end - pos < 3) { 295 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 296 "(left=%lu)", (unsigned long) left); 297 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 298 return -1; 299 } 300 301 list_len = WPA_GET_BE24(pos); 302 pos += 3; 303 304 if ((size_t) (end - pos) != list_len) { 305 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 306 "length (len=%lu left=%lu)", 307 (unsigned long) list_len, 308 (unsigned long) (end - pos)); 309 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 310 return -1; 311 } 312 313 idx = 0; 314 while (pos < end) { 315 if (end - pos < 3) { 316 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 317 "certificate_list"); 318 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 319 TLS_ALERT_DECODE_ERROR); 320 x509_certificate_chain_free(chain); 321 return -1; 322 } 323 324 cert_len = WPA_GET_BE24(pos); 325 pos += 3; 326 327 if ((size_t) (end - pos) < cert_len) { 328 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 329 "length (len=%lu left=%lu)", 330 (unsigned long) cert_len, 331 (unsigned long) (end - pos)); 332 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 333 TLS_ALERT_DECODE_ERROR); 334 x509_certificate_chain_free(chain); 335 return -1; 336 } 337 338 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 339 (unsigned long) idx, (unsigned long) cert_len); 340 341 if (idx == 0) { 342 crypto_public_key_free(conn->server_rsa_key); 343 if (tls_parse_cert(pos, cert_len, 344 &conn->server_rsa_key)) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 346 "the certificate"); 347 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 348 TLS_ALERT_BAD_CERTIFICATE); 349 x509_certificate_chain_free(chain); 350 return -1; 351 } 352 } 353 354 cert = x509_certificate_parse(pos, cert_len); 355 if (cert == NULL) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 357 "the certificate"); 358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 359 TLS_ALERT_BAD_CERTIFICATE); 360 x509_certificate_chain_free(chain); 361 return -1; 362 } 363 364 if (last == NULL) 365 chain = cert; 366 else 367 last->next = cert; 368 last = cert; 369 370 idx++; 371 pos += cert_len; 372 } 373 374 if (conn->cred && 375 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 376 &reason, conn->disable_time_checks) 377 < 0) { 378 int tls_reason; 379 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 380 "validation failed (reason=%d)", reason); 381 switch (reason) { 382 case X509_VALIDATE_BAD_CERTIFICATE: 383 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 384 break; 385 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 386 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 387 break; 388 case X509_VALIDATE_CERTIFICATE_REVOKED: 389 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 390 break; 391 case X509_VALIDATE_CERTIFICATE_EXPIRED: 392 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 393 break; 394 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 395 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 396 break; 397 case X509_VALIDATE_UNKNOWN_CA: 398 tls_reason = TLS_ALERT_UNKNOWN_CA; 399 break; 400 default: 401 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 402 break; 403 } 404 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 405 x509_certificate_chain_free(chain); 406 return -1; 407 } 408 409 x509_certificate_chain_free(chain); 410 411 *in_len = end - in_data; 412 413 conn->state = SERVER_KEY_EXCHANGE; 414 415 return 0; 416 } 417 418 419 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 420 const u8 *buf, size_t len) 421 { 422 const u8 *pos, *end; 423 424 tlsv1_client_free_dh(conn); 425 426 pos = buf; 427 end = buf + len; 428 429 if (end - pos < 3) 430 goto fail; 431 conn->dh_p_len = WPA_GET_BE16(pos); 432 pos += 2; 433 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) { 434 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu", 435 (unsigned long) conn->dh_p_len); 436 goto fail; 437 } 438 conn->dh_p = os_malloc(conn->dh_p_len); 439 if (conn->dh_p == NULL) 440 goto fail; 441 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 442 pos += conn->dh_p_len; 443 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 444 conn->dh_p, conn->dh_p_len); 445 446 if (end - pos < 3) 447 goto fail; 448 conn->dh_g_len = WPA_GET_BE16(pos); 449 pos += 2; 450 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 451 goto fail; 452 conn->dh_g = os_malloc(conn->dh_g_len); 453 if (conn->dh_g == NULL) 454 goto fail; 455 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 456 pos += conn->dh_g_len; 457 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 458 conn->dh_g, conn->dh_g_len); 459 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 460 goto fail; 461 462 if (end - pos < 3) 463 goto fail; 464 conn->dh_ys_len = WPA_GET_BE16(pos); 465 pos += 2; 466 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 467 goto fail; 468 conn->dh_ys = os_malloc(conn->dh_ys_len); 469 if (conn->dh_ys == NULL) 470 goto fail; 471 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 472 pos += conn->dh_ys_len; 473 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 474 conn->dh_ys, conn->dh_ys_len); 475 476 return 0; 477 478 fail: 479 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 480 tlsv1_client_free_dh(conn); 481 return -1; 482 } 483 484 485 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 486 const u8 *in_data, size_t *in_len) 487 { 488 const u8 *pos, *end; 489 size_t left, len; 490 u8 type; 491 const struct tls_cipher_suite *suite; 492 493 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 494 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 495 "received content type 0x%x", ct); 496 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 497 TLS_ALERT_UNEXPECTED_MESSAGE); 498 return -1; 499 } 500 501 pos = in_data; 502 left = *in_len; 503 504 if (left < 4) { 505 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 506 "(Left=%lu)", (unsigned long) left); 507 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 508 return -1; 509 } 510 511 type = *pos++; 512 len = WPA_GET_BE24(pos); 513 pos += 3; 514 left -= 4; 515 516 if (len > left) { 517 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 518 "length (len=%lu != left=%lu)", 519 (unsigned long) len, (unsigned long) left); 520 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 521 return -1; 522 } 523 524 end = pos + len; 525 526 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 527 return tls_process_certificate_request(conn, ct, in_data, 528 in_len); 529 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 530 return tls_process_server_hello_done(conn, ct, in_data, 531 in_len); 532 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 533 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 534 "message %d (expected ServerKeyExchange/" 535 "CertificateRequest/ServerHelloDone)", type); 536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 537 TLS_ALERT_UNEXPECTED_MESSAGE); 538 return -1; 539 } 540 541 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 542 543 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 544 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 545 "with the selected cipher suite"); 546 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 547 TLS_ALERT_UNEXPECTED_MESSAGE); 548 return -1; 549 } 550 551 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 552 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 553 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 554 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) { 555 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 556 TLS_ALERT_DECODE_ERROR); 557 return -1; 558 } 559 } else { 560 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 561 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 562 TLS_ALERT_UNEXPECTED_MESSAGE); 563 return -1; 564 } 565 566 *in_len = end - in_data; 567 568 conn->state = SERVER_CERTIFICATE_REQUEST; 569 570 return 0; 571 } 572 573 574 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 575 const u8 *in_data, size_t *in_len) 576 { 577 const u8 *pos, *end; 578 size_t left, len; 579 u8 type; 580 581 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 582 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 583 "received content type 0x%x", ct); 584 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 585 TLS_ALERT_UNEXPECTED_MESSAGE); 586 return -1; 587 } 588 589 pos = in_data; 590 left = *in_len; 591 592 if (left < 4) { 593 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 594 "(left=%lu)", (unsigned long) left); 595 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 596 return -1; 597 } 598 599 type = *pos++; 600 len = WPA_GET_BE24(pos); 601 pos += 3; 602 left -= 4; 603 604 if (len > left) { 605 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 606 "length (len=%lu != left=%lu)", 607 (unsigned long) len, (unsigned long) left); 608 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 609 return -1; 610 } 611 612 end = pos + len; 613 614 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 615 return tls_process_server_hello_done(conn, ct, in_data, 616 in_len); 617 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 618 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 619 "message %d (expected CertificateRequest/" 620 "ServerHelloDone)", type); 621 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 622 TLS_ALERT_UNEXPECTED_MESSAGE); 623 return -1; 624 } 625 626 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 627 628 conn->certificate_requested = 1; 629 630 *in_len = end - in_data; 631 632 conn->state = SERVER_HELLO_DONE; 633 634 return 0; 635 } 636 637 638 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 639 const u8 *in_data, size_t *in_len) 640 { 641 const u8 *pos, *end; 642 size_t left, len; 643 u8 type; 644 645 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 646 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 647 "received content type 0x%x", ct); 648 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 649 TLS_ALERT_UNEXPECTED_MESSAGE); 650 return -1; 651 } 652 653 pos = in_data; 654 left = *in_len; 655 656 if (left < 4) { 657 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 658 "(left=%lu)", (unsigned long) left); 659 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 660 return -1; 661 } 662 663 type = *pos++; 664 len = WPA_GET_BE24(pos); 665 pos += 3; 666 left -= 4; 667 668 if (len > left) { 669 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 670 "length (len=%lu != left=%lu)", 671 (unsigned long) len, (unsigned long) left); 672 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 673 return -1; 674 } 675 end = pos + len; 676 677 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 678 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 679 "message %d (expected ServerHelloDone)", type); 680 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 681 TLS_ALERT_UNEXPECTED_MESSAGE); 682 return -1; 683 } 684 685 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 686 687 *in_len = end - in_data; 688 689 conn->state = CLIENT_KEY_EXCHANGE; 690 691 return 0; 692 } 693 694 695 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 696 u8 ct, const u8 *in_data, 697 size_t *in_len) 698 { 699 const u8 *pos; 700 size_t left; 701 702 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 703 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 704 "received content type 0x%x", ct); 705 if (conn->use_session_ticket) { 706 int res; 707 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 708 "rejected SessionTicket"); 709 conn->use_session_ticket = 0; 710 711 /* Notify upper layers that SessionTicket failed */ 712 res = conn->session_ticket_cb( 713 conn->session_ticket_cb_ctx, NULL, 0, NULL, 714 NULL, NULL); 715 if (res < 0) { 716 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 717 "callback indicated failure"); 718 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 719 TLS_ALERT_HANDSHAKE_FAILURE); 720 return -1; 721 } 722 723 conn->state = SERVER_CERTIFICATE; 724 return tls_process_certificate(conn, ct, in_data, 725 in_len); 726 } 727 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 728 TLS_ALERT_UNEXPECTED_MESSAGE); 729 return -1; 730 } 731 732 pos = in_data; 733 left = *in_len; 734 735 if (left < 1) { 736 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 737 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 738 return -1; 739 } 740 741 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 742 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 743 "received data 0x%x", *pos); 744 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 745 TLS_ALERT_UNEXPECTED_MESSAGE); 746 return -1; 747 } 748 749 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 750 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 751 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 752 "for record layer"); 753 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 754 TLS_ALERT_INTERNAL_ERROR); 755 return -1; 756 } 757 758 *in_len = pos + 1 - in_data; 759 760 conn->state = SERVER_FINISHED; 761 762 return 0; 763 } 764 765 766 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 767 const u8 *in_data, size_t *in_len) 768 { 769 const u8 *pos, *end; 770 size_t left, len, hlen; 771 u8 verify_data[TLS_VERIFY_DATA_LEN]; 772 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 773 774 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 775 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 776 "received content type 0x%x", ct); 777 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 778 TLS_ALERT_UNEXPECTED_MESSAGE); 779 return -1; 780 } 781 782 pos = in_data; 783 left = *in_len; 784 785 if (left < 4) { 786 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 787 "Finished", 788 (unsigned long) left); 789 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 790 TLS_ALERT_DECODE_ERROR); 791 return -1; 792 } 793 794 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 795 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 796 "type 0x%x", pos[0]); 797 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 798 TLS_ALERT_UNEXPECTED_MESSAGE); 799 return -1; 800 } 801 802 len = WPA_GET_BE24(pos + 1); 803 804 pos += 4; 805 left -= 4; 806 807 if (len > left) { 808 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 809 "(len=%lu > left=%lu)", 810 (unsigned long) len, (unsigned long) left); 811 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 812 TLS_ALERT_DECODE_ERROR); 813 return -1; 814 } 815 end = pos + len; 816 if (len != TLS_VERIFY_DATA_LEN) { 817 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 818 "in Finished: %lu (expected %d)", 819 (unsigned long) len, TLS_VERIFY_DATA_LEN); 820 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 821 TLS_ALERT_DECODE_ERROR); 822 return -1; 823 } 824 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 825 pos, TLS_VERIFY_DATA_LEN); 826 827 hlen = MD5_MAC_LEN; 828 if (conn->verify.md5_server == NULL || 829 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 830 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 831 TLS_ALERT_INTERNAL_ERROR); 832 conn->verify.md5_server = NULL; 833 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 834 conn->verify.sha1_server = NULL; 835 return -1; 836 } 837 conn->verify.md5_server = NULL; 838 hlen = SHA1_MAC_LEN; 839 if (conn->verify.sha1_server == NULL || 840 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 841 &hlen) < 0) { 842 conn->verify.sha1_server = NULL; 843 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 844 TLS_ALERT_INTERNAL_ERROR); 845 return -1; 846 } 847 conn->verify.sha1_server = NULL; 848 849 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 850 "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 851 verify_data, TLS_VERIFY_DATA_LEN)) { 852 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 853 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 854 TLS_ALERT_DECRYPT_ERROR); 855 return -1; 856 } 857 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 858 verify_data, TLS_VERIFY_DATA_LEN); 859 860 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 861 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 862 return -1; 863 } 864 865 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 866 867 *in_len = end - in_data; 868 869 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 870 CHANGE_CIPHER_SPEC : ACK_FINISHED; 871 872 return 0; 873 } 874 875 876 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 877 const u8 *in_data, size_t *in_len, 878 u8 **out_data, size_t *out_len) 879 { 880 const u8 *pos; 881 size_t left; 882 883 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 884 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 885 "received content type 0x%x", ct); 886 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 887 TLS_ALERT_UNEXPECTED_MESSAGE); 888 return -1; 889 } 890 891 pos = in_data; 892 left = *in_len; 893 894 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 895 pos, left); 896 897 *out_data = os_malloc(left); 898 if (*out_data) { 899 os_memcpy(*out_data, pos, left); 900 *out_len = left; 901 } 902 903 return 0; 904 } 905 906 907 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 908 const u8 *buf, size_t *len, 909 u8 **out_data, size_t *out_len) 910 { 911 if (ct == TLS_CONTENT_TYPE_ALERT) { 912 if (*len < 2) { 913 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 914 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 915 TLS_ALERT_DECODE_ERROR); 916 return -1; 917 } 918 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 919 buf[0], buf[1]); 920 *len = 2; 921 conn->state = FAILED; 922 return -1; 923 } 924 925 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 926 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 927 size_t hr_len = WPA_GET_BE24(buf + 1); 928 if (hr_len > *len - 4) { 929 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 930 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 931 TLS_ALERT_DECODE_ERROR); 932 return -1; 933 } 934 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 935 *len = 4 + hr_len; 936 return 0; 937 } 938 939 switch (conn->state) { 940 case SERVER_HELLO: 941 if (tls_process_server_hello(conn, ct, buf, len)) 942 return -1; 943 break; 944 case SERVER_CERTIFICATE: 945 if (tls_process_certificate(conn, ct, buf, len)) 946 return -1; 947 break; 948 case SERVER_KEY_EXCHANGE: 949 if (tls_process_server_key_exchange(conn, ct, buf, len)) 950 return -1; 951 break; 952 case SERVER_CERTIFICATE_REQUEST: 953 if (tls_process_certificate_request(conn, ct, buf, len)) 954 return -1; 955 break; 956 case SERVER_HELLO_DONE: 957 if (tls_process_server_hello_done(conn, ct, buf, len)) 958 return -1; 959 break; 960 case SERVER_CHANGE_CIPHER_SPEC: 961 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 962 return -1; 963 break; 964 case SERVER_FINISHED: 965 if (tls_process_server_finished(conn, ct, buf, len)) 966 return -1; 967 break; 968 case ACK_FINISHED: 969 if (out_data && 970 tls_process_application_data(conn, ct, buf, len, out_data, 971 out_len)) 972 return -1; 973 break; 974 default: 975 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 976 "while processing received message", 977 conn->state); 978 return -1; 979 } 980 981 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 982 tls_verify_hash_add(&conn->verify, buf, *len); 983 984 return 0; 985 } 986