1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "tls/tls.h"
16 #include "tls/x509v3.h"
17 #include "tls/tlsv1_common.h"
18 #include "tls/tlsv1_record.h"
19 #include "tls/tlsv1_client.h"
20 #include "tls/tlsv1_client_i.h"
21 #include "eap_peer/eap_i.h"
22
23 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
24 const u8 *in_data, size_t *in_len);
25 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
26 const u8 *in_data, size_t *in_len);
27 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
28 const u8 *in_data, size_t *in_len);
29
30
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)31 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
32 const u8 *in_data, size_t *in_len)
33 {
34 const u8 *pos, *end;
35 size_t left, len, i;
36 u16 cipher_suite;
37 u16 tls_version;
38
39 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
40 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
41 "received content type 0x%x", ct);
42 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
43 TLS_ALERT_UNEXPECTED_MESSAGE);
44 return -1;
45 }
46
47 pos = in_data;
48 left = *in_len;
49
50 if (left < 4)
51 goto decode_error;
52
53 /* HandshakeType msg_type */
54 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
55 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
56 "message %d (expected ServerHello)", *pos);
57 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
58 TLS_ALERT_UNEXPECTED_MESSAGE);
59 return -1;
60 }
61 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
62 pos++;
63 /* uint24 length */
64 len = WPA_GET_BE24(pos);
65 pos += 3;
66 left -= 4;
67
68 if (len > left)
69 goto decode_error;
70
71 /* body - ServerHello */
72
73 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
74 end = pos + len;
75
76 /* ProtocolVersion server_version */
77 if (end - pos < 2)
78 goto decode_error;
79 tls_version = WPA_GET_BE16(pos);
80 if (!tls_version_ok(tls_version)) {
81 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
82 "ServerHello %u.%u", pos[0], pos[1]);
83 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
84 TLS_ALERT_PROTOCOL_VERSION);
85 return -1;
86 }
87 pos += 2;
88
89 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
90 tls_version_str(tls_version));
91 conn->rl.tls_version = tls_version;
92
93 /* Random random */
94 if (end - pos < TLS_RANDOM_LEN)
95 goto decode_error;
96
97 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
98 pos += TLS_RANDOM_LEN;
99 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
100 conn->server_random, TLS_RANDOM_LEN);
101
102 /* SessionID session_id */
103 if (end - pos < 1)
104 goto decode_error;
105 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
106 goto decode_error;
107 if (conn->session_id_len && conn->session_id_len == *pos &&
108 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
109 pos += 1 + conn->session_id_len;
110 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
111 conn->session_resumed = 1;
112 } else {
113 conn->session_id_len = *pos;
114 pos++;
115 os_memcpy(conn->session_id, pos, conn->session_id_len);
116 pos += conn->session_id_len;
117 }
118 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
119 conn->session_id, conn->session_id_len);
120
121 /* CipherSuite cipher_suite */
122 if (end - pos < 2)
123 goto decode_error;
124 cipher_suite = WPA_GET_BE16(pos);
125 pos += 2;
126 for (i = 0; i < conn->num_cipher_suites; i++) {
127 if (cipher_suite == conn->cipher_suites[i])
128 break;
129 }
130 if (i == conn->num_cipher_suites) {
131 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
132 "cipher suite 0x%04x", cipher_suite);
133 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
134 TLS_ALERT_ILLEGAL_PARAMETER);
135 return -1;
136 }
137
138 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
139 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
140 "cipher suite for a resumed connection (0x%04x != "
141 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
142 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
143 TLS_ALERT_ILLEGAL_PARAMETER);
144 return -1;
145 }
146
147 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
148 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
149 "record layer");
150 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
151 TLS_ALERT_INTERNAL_ERROR);
152 return -1;
153 }
154
155 conn->prev_cipher_suite = cipher_suite;
156
157 /* CompressionMethod compression_method */
158 if (end - pos < 1)
159 goto decode_error;
160 if (*pos != TLS_COMPRESSION_NULL) {
161 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
162 "compression 0x%02x", *pos);
163 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
164 TLS_ALERT_ILLEGAL_PARAMETER);
165 return -1;
166 }
167 pos++;
168
169 if (end != pos) {
170 /* TODO: ServerHello extensions */
171 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
172 "end of ServerHello", pos, end - pos);
173 goto decode_error;
174 }
175
176 if (conn->session_ticket_included && conn->session_ticket_cb) {
177 /* TODO: include SessionTicket extension if one was included in
178 * ServerHello */
179 int res = conn->session_ticket_cb(
180 conn->session_ticket_cb_ctx, NULL, 0,
181 conn->client_random, conn->server_random,
182 conn->master_secret);
183 if (res < 0) {
184 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
185 "indicated failure");
186 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
187 TLS_ALERT_HANDSHAKE_FAILURE);
188 return -1;
189 }
190 conn->use_session_ticket = !!res;
191 }
192
193 if ((conn->session_resumed || conn->use_session_ticket) &&
194 tls_derive_keys(conn, NULL, 0)) {
195 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
196 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
197 TLS_ALERT_INTERNAL_ERROR);
198 return -1;
199 }
200
201 *in_len = end - in_data;
202
203 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
204 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
205
206 return 0;
207
208 decode_error:
209 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
210 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
211 return -1;
212 }
213
214
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)215 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
216 const u8 *in_data, size_t *in_len)
217 {
218 const u8 *pos, *end;
219 size_t left, len, list_len, cert_len, idx;
220 u8 type;
221 struct x509_certificate *chain = NULL, *last = NULL, *cert;
222 int reason;
223
224 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
225 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
226 "received content type 0x%x", ct);
227 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
228 TLS_ALERT_UNEXPECTED_MESSAGE);
229 return -1;
230 }
231
232 pos = in_data;
233 left = *in_len;
234
235 if (left < 4) {
236 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
237 "(len=%lu)", (unsigned long) left);
238 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
239 return -1;
240 }
241
242 type = *pos++;
243 len = WPA_GET_BE24(pos);
244 pos += 3;
245 left -= 4;
246
247 if (len > left) {
248 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
249 "length (len=%lu != left=%lu)",
250 (unsigned long) len, (unsigned long) left);
251 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
252 return -1;
253 }
254
255 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
256 return tls_process_server_key_exchange(conn, ct, in_data,
257 in_len);
258 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
259 return tls_process_certificate_request(conn, ct, in_data,
260 in_len);
261 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
262 return tls_process_server_hello_done(conn, ct, in_data,
263 in_len);
264 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
265 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
266 "message %d (expected Certificate/"
267 "ServerKeyExchange/CertificateRequest/"
268 "ServerHelloDone)", type);
269 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
270 TLS_ALERT_UNEXPECTED_MESSAGE);
271 return -1;
272 }
273
274 wpa_printf(MSG_DEBUG, "TLSv1: Received Certificate (certificate_list len %lu)",
275 (unsigned long) len);
276
277 /*
278 * opaque ASN.1Cert<2^24-1>;
279 *
280 * struct {
281 * ASN.1Cert certificate_list<1..2^24-1>;
282 * } Certificate;
283 */
284
285 end = pos + len;
286
287 if (end - pos < 3) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 "(left=%lu)", (unsigned long) left);
290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291 return -1;
292 }
293
294 list_len = WPA_GET_BE24(pos);
295 pos += 3;
296
297 if ((size_t) (end - pos) != list_len) {
298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 "length (len=%lu left=%lu)",
300 (unsigned long) list_len,
301 (unsigned long) (end - pos));
302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303 return -1;
304 }
305
306 idx = 0;
307 while (pos < end) {
308 if (end - pos < 3) {
309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310 "certificate_list");
311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 TLS_ALERT_DECODE_ERROR);
313 x509_certificate_chain_free(chain);
314 return -1;
315 }
316
317 cert_len = WPA_GET_BE24(pos);
318 pos += 3;
319
320 if ((size_t) (end - pos) < cert_len) {
321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 "length (len=%lu left=%lu)",
323 (unsigned long) cert_len,
324 (unsigned long) (end - pos));
325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_DECODE_ERROR);
327 x509_certificate_chain_free(chain);
328 return -1;
329 }
330
331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 (unsigned long) idx, (unsigned long) cert_len);
333
334 if (idx == 0) {
335 crypto_public_key_free(conn->server_rsa_key);
336 if (tls_parse_cert(pos, cert_len,
337 &conn->server_rsa_key)) {
338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339 "the certificate");
340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 TLS_ALERT_BAD_CERTIFICATE);
342 x509_certificate_chain_free(chain);
343 return -1;
344 }
345 }
346
347 cert = x509_certificate_parse(pos, cert_len);
348 if (cert == NULL) {
349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350 "the certificate");
351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 TLS_ALERT_BAD_CERTIFICATE);
353 x509_certificate_chain_free(chain);
354 return -1;
355 }
356
357 if (last == NULL)
358 chain = cert;
359 else
360 last->next = cert;
361 last = cert;
362
363 idx++;
364 pos += cert_len;
365 }
366
367 if (conn->cred &&
368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 &reason, conn->disable_time_checks)
370 < 0) {
371 int tls_reason;
372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 "validation failed (reason=%d)", reason);
374 switch (reason) {
375 case X509_VALIDATE_BAD_CERTIFICATE:
376 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377 break;
378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380 break;
381 case X509_VALIDATE_CERTIFICATE_REVOKED:
382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383 break;
384 case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386 break;
387 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389 break;
390 case X509_VALIDATE_UNKNOWN_CA:
391 tls_reason = TLS_ALERT_UNKNOWN_CA;
392 break;
393 default:
394 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395 break;
396 }
397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 x509_certificate_chain_free(chain);
399 return -1;
400 }
401
402 x509_certificate_chain_free(chain);
403
404 *in_len = end - in_data;
405 conn->state = SERVER_KEY_EXCHANGE;
406
407 return 0;
408 }
409
410
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)411 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
412 const u8 *buf, size_t len,
413 tls_key_exchange key_exchange)
414 {
415 const u8 *pos, *end, *server_params, *server_params_end;
416 u8 alert;
417
418 tlsv1_client_free_dh(conn);
419
420 pos = buf;
421 end = buf + len;
422
423 if (end - pos < 3)
424 goto fail;
425 server_params = pos;
426 conn->dh_p_len = WPA_GET_BE16(pos);
427 pos += 2;
428 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
429 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
430 (unsigned long) conn->dh_p_len);
431 goto fail;
432 }
433 conn->dh_p = os_malloc(conn->dh_p_len);
434 if (conn->dh_p == NULL)
435 goto fail;
436 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
437 pos += conn->dh_p_len;
438 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
439 conn->dh_p, conn->dh_p_len);
440
441 if (end - pos < 3)
442 goto fail;
443 conn->dh_g_len = WPA_GET_BE16(pos);
444 pos += 2;
445 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
446 goto fail;
447 conn->dh_g = os_malloc(conn->dh_g_len);
448 if (conn->dh_g == NULL)
449 goto fail;
450 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
451 pos += conn->dh_g_len;
452 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
453 conn->dh_g, conn->dh_g_len);
454 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
455 goto fail;
456
457 if (end - pos < 3)
458 goto fail;
459 conn->dh_ys_len = WPA_GET_BE16(pos);
460 pos += 2;
461 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
462 goto fail;
463 conn->dh_ys = os_malloc(conn->dh_ys_len);
464 if (conn->dh_ys == NULL)
465 goto fail;
466 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
467 pos += conn->dh_ys_len;
468 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
469 conn->dh_ys, conn->dh_ys_len);
470 server_params_end = pos;
471
472 if (key_exchange == TLS_KEY_X_DHE_RSA) {
473 u8 hash[64];
474 int hlen;
475
476 if (conn->rl.tls_version == TLS_VERSION_1_2) {
477 #ifdef CONFIG_TLSV12
478 /*
479 * RFC 5246, 4.7:
480 * TLS v1.2 adds explicit indication of the used
481 * signature and hash algorithms.
482 *
483 * struct {
484 * HashAlgorithm hash;
485 * SignatureAlgorithm signature;
486 * } SignatureAndHashAlgorithm;
487 */
488 if (end - pos < 2)
489 goto fail;
490 if ((pos[0] != TLS_HASH_ALG_SHA256) ||
491 pos[1] != TLS_SIGN_ALG_RSA) {
492 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
493 pos[0], pos[1]);
494 goto fail;
495 }
496
497 hlen = tlsv12_key_x_server_params_hash(
498 conn->rl.tls_version, pos[0],
499 conn->client_random,
500 conn->server_random, server_params,
501 server_params_end - server_params, hash);
502 pos += 2;
503 #else /* CONFIG_TLSV12 */
504 goto fail;
505 #endif /* CONFIG_TLSV12 */
506 } else {
507 hlen = tls_key_x_server_params_hash(
508 conn->rl.tls_version, conn->client_random,
509 conn->server_random, server_params,
510 server_params_end - server_params, hash);
511 }
512
513 if (hlen < 0)
514 goto fail;
515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
516 hash, hlen);
517
518 if (tls_verify_signature(conn->rl.tls_version,
519 conn->server_rsa_key,
520 hash, hlen, pos, end - pos,
521 &alert) < 0)
522 goto fail;
523 }
524
525 return 0;
526
527 fail:
528 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
529 tlsv1_client_free_dh(conn);
530 return -1;
531 }
532
533
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)534 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
535 const u8 *in_data, size_t *in_len)
536 {
537 const u8 *pos, *end;
538 size_t left, len;
539 u8 type;
540 const struct tls_cipher_suite *suite;
541
542 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
543 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
544 "received content type 0x%x", ct);
545 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
546 TLS_ALERT_UNEXPECTED_MESSAGE);
547 return -1;
548 }
549
550 pos = in_data;
551 left = *in_len;
552
553 if (left < 4) {
554 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
555 "(Left=%lu)", (unsigned long) left);
556 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
557 return -1;
558 }
559
560 type = *pos++;
561 len = WPA_GET_BE24(pos);
562 pos += 3;
563 left -= 4;
564
565 if (len > left) {
566 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
567 "length (len=%lu != left=%lu)",
568 (unsigned long) len, (unsigned long) left);
569 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
570 return -1;
571 }
572
573 end = pos + len;
574
575 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
576 return tls_process_certificate_request(conn, ct, in_data,
577 in_len);
578 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
579 return tls_process_server_hello_done(conn, ct, in_data,
580 in_len);
581 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
582 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
583 "message %d (expected ServerKeyExchange/"
584 "CertificateRequest/ServerHelloDone)", type);
585 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
586 TLS_ALERT_UNEXPECTED_MESSAGE);
587 return -1;
588 }
589
590 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
591
592 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
593 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
594 "with the selected cipher suite");
595 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
596 TLS_ALERT_UNEXPECTED_MESSAGE);
597 return -1;
598 }
599
600 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
601 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
602 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
603 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
604 if (tlsv1_process_diffie_hellman(conn, pos, len,
605 suite->key_exchange) < 0) {
606 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
607 TLS_ALERT_DECODE_ERROR);
608 return -1;
609 }
610 } else {
611 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
612 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
613 TLS_ALERT_UNEXPECTED_MESSAGE);
614 return -1;
615 }
616
617 *in_len = end - in_data;
618 conn->state = SERVER_CERTIFICATE_REQUEST;
619
620 return 0;
621 }
622
623
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)624 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
625 const u8 *in_data, size_t *in_len)
626 {
627 const u8 *pos, *end;
628 size_t left, len;
629 u8 type;
630
631 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
632 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
633 "received content type 0x%x", ct);
634 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
635 TLS_ALERT_UNEXPECTED_MESSAGE);
636 return -1;
637 }
638
639 pos = in_data;
640 left = *in_len;
641
642 if (left < 4) {
643 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
644 "(left=%lu)", (unsigned long) left);
645 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
646 return -1;
647 }
648
649 type = *pos++;
650 len = WPA_GET_BE24(pos);
651 pos += 3;
652 left -= 4;
653
654 if (len > left) {
655 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
656 "length (len=%lu != left=%lu)",
657 (unsigned long) len, (unsigned long) left);
658 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
659 return -1;
660 }
661
662 end = pos + len;
663
664 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
665 return tls_process_server_hello_done(conn, ct, in_data,
666 in_len);
667 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
668 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
669 "message %d (expected CertificateRequest/"
670 "ServerHelloDone)", type);
671 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672 TLS_ALERT_UNEXPECTED_MESSAGE);
673 return -1;
674 }
675
676 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
677
678 conn->certificate_requested = 1;
679
680 *in_len = end - in_data;
681 conn->state = SERVER_HELLO_DONE;
682
683 return 0;
684 }
685
686
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)687 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
688 const u8 *in_data, size_t *in_len)
689 {
690 const u8 *pos, *end;
691 size_t left, len;
692 u8 type;
693
694 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
695 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
696 "received content type 0x%x", ct);
697 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
698 TLS_ALERT_UNEXPECTED_MESSAGE);
699 return -1;
700 }
701
702 pos = in_data;
703 left = *in_len;
704
705 if (left < 4) {
706 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
707 "(left=%lu)", (unsigned long) left);
708 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
709 return -1;
710 }
711
712 type = *pos++;
713 len = WPA_GET_BE24(pos);
714 pos += 3;
715 left -= 4;
716
717 if (len > left) {
718 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
719 "length (len=%lu != left=%lu)",
720 (unsigned long) len, (unsigned long) left);
721 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
722 return -1;
723 }
724 end = pos + len;
725
726 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
727 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
728 "message %d (expected ServerHelloDone)", type);
729 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
730 TLS_ALERT_UNEXPECTED_MESSAGE);
731 return -1;
732 }
733
734 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
735
736 *in_len = end - in_data;
737 conn->state = CLIENT_KEY_EXCHANGE;
738
739 return 0;
740 }
741
742
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)743 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
744 u8 ct, const u8 *in_data,
745 size_t *in_len)
746 {
747 const u8 *pos;
748 size_t left;
749
750 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
751 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
752 "received content type 0x%x", ct);
753 if (conn->use_session_ticket) {
754 int res;
755 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
756 "rejected SessionTicket");
757 conn->use_session_ticket = 0;
758
759 /* Notify upper layers that SessionTicket failed */
760 res = conn->session_ticket_cb(
761 conn->session_ticket_cb_ctx, NULL, 0, NULL,
762 NULL, NULL);
763 if (res < 0) {
764 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
765 "callback indicated failure");
766 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
767 TLS_ALERT_HANDSHAKE_FAILURE);
768 return -1;
769 }
770 printf("[Debug] set the state to server certificate \n");
771 conn->state = SERVER_CERTIFICATE;
772 return tls_process_certificate(conn, ct, in_data,
773 in_len);
774 }
775 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
776 TLS_ALERT_UNEXPECTED_MESSAGE);
777 return -1;
778 }
779
780 pos = in_data;
781 left = *in_len;
782
783 if (left < 1) {
784 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
785 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
786 return -1;
787 }
788
789 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
790 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
791 "received data 0x%x", *pos);
792 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
793 TLS_ALERT_UNEXPECTED_MESSAGE);
794 return -1;
795 }
796
797 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
798 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
799 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
800 "for record layer");
801 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
802 TLS_ALERT_INTERNAL_ERROR);
803 return -1;
804 }
805
806 *in_len = pos + 1 - in_data;
807 conn->state = SERVER_FINISHED;
808
809 return 0;
810 }
811
812
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)813 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
814 const u8 *in_data, size_t *in_len)
815 {
816 const u8 *pos, *end;
817 size_t left, len, hlen;
818 u8 verify_data[TLS_VERIFY_DATA_LEN];
819 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
820
821 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
822 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
823 "received content type 0x%x", ct);
824 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
825 TLS_ALERT_UNEXPECTED_MESSAGE);
826 return -1;
827 }
828
829 pos = in_data;
830 left = *in_len;
831
832 if (left < 4) {
833 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
834 "Finished",
835 (unsigned long) left);
836 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
837 TLS_ALERT_DECODE_ERROR);
838 return -1;
839 }
840
841 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
842 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
843 "type 0x%x", pos[0]);
844 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
845 TLS_ALERT_UNEXPECTED_MESSAGE);
846 return -1;
847 }
848
849 len = WPA_GET_BE24(pos + 1);
850
851 pos += 4;
852 left -= 4;
853
854 if (len > left) {
855 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
856 "(len=%lu > left=%lu)",
857 (unsigned long) len, (unsigned long) left);
858 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
859 TLS_ALERT_DECODE_ERROR);
860 return -1;
861 }
862 end = pos + len;
863 if (len != TLS_VERIFY_DATA_LEN) {
864 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
865 "in Finished: %lu (expected %d)",
866 (unsigned long) len, TLS_VERIFY_DATA_LEN);
867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 TLS_ALERT_DECODE_ERROR);
869 return -1;
870 }
871 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
872 pos, TLS_VERIFY_DATA_LEN);
873
874 #ifdef CONFIG_TLSV12
875 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
876 hlen = SHA256_MAC_LEN;
877 if (conn->verify.sha256_server == NULL ||
878 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) < 0) {
879 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR);
880 conn->verify.sha256_server = NULL;
881 return -1;
882 }
883 conn->verify.sha256_server = NULL;
884 } else {
885 #endif /* CONFIG_TLSV12 */
886
887 hlen = MD5_MAC_LEN;
888 if (conn->verify.md5_server == NULL ||
889 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
890 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
891 TLS_ALERT_INTERNAL_ERROR);
892 conn->verify.md5_server = NULL;
893 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
894 conn->verify.sha1_server = NULL;
895 return -1;
896 }
897 conn->verify.md5_server = NULL;
898 hlen = SHA1_MAC_LEN;
899 if (conn->verify.sha1_server == NULL ||
900 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
901 &hlen) < 0) {
902 conn->verify.sha1_server = NULL;
903 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
904 TLS_ALERT_INTERNAL_ERROR);
905 return -1;
906 }
907 conn->verify.sha1_server = NULL;
908 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
909
910 #ifdef CONFIG_TLSV12
911 }
912 #endif /* CONFIG_TLSV12 */
913
914 if (tls_prf(conn->rl.tls_version,
915 conn->master_secret, TLS_MASTER_SECRET_LEN,
916 "server finished", hash, hlen,
917 verify_data, TLS_VERIFY_DATA_LEN)) {
918 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
919 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
920 TLS_ALERT_DECRYPT_ERROR);
921 return -1;
922 }
923 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
924 verify_data, TLS_VERIFY_DATA_LEN);
925
926 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
927 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
928 return -1;
929 }
930
931 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
932
933 *in_len = end - in_data;
934
935 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
936 CHANGE_CIPHER_SPEC : ACK_FINISHED;
937 return 0;
938 }
939
940
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)941 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
942 const u8 *in_data, size_t *in_len,
943 u8 **out_data, size_t *out_len)
944 {
945 const u8 *pos;
946 size_t left;
947
948 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
949 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
950 "received content type 0x%x", ct);
951 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
952 TLS_ALERT_UNEXPECTED_MESSAGE);
953 return -1;
954 }
955
956 pos = in_data;
957 left = *in_len;
958
959 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
960 pos, left);
961
962 *out_data = os_malloc(left);
963 if (*out_data) {
964 os_memcpy(*out_data, pos, left);
965 *out_len = left;
966 }
967
968 return 0;
969 }
970
971
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)972 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
973 const u8 *buf, size_t *len,
974 u8 **out_data, size_t *out_len)
975 {
976 if (ct == TLS_CONTENT_TYPE_ALERT) {
977 if (*len < 2) {
978 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
979 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
980 TLS_ALERT_DECODE_ERROR);
981 return -1;
982 }
983 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
984 buf[0], buf[1]);
985 *len = 2;
986 conn->state = FAILED;
987 return -1;
988 }
989
990 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
991 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
992 size_t hr_len = WPA_GET_BE24(buf + 1);
993 if (hr_len > *len - 4) {
994 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
995 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
996 TLS_ALERT_DECODE_ERROR);
997 return -1;
998 }
999 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1000 *len = 4 + hr_len;
1001 return 0;
1002 }
1003
1004 switch (conn->state) {
1005 case SERVER_HELLO:
1006 if (tls_process_server_hello(conn, ct, buf, len))
1007 return -1;
1008 break;
1009 case SERVER_CERTIFICATE:
1010 if (tls_process_certificate(conn, ct, buf, len))
1011 return -1;
1012 break;
1013 case SERVER_KEY_EXCHANGE:
1014 if (tls_process_server_key_exchange(conn, ct, buf, len))
1015 return -1;
1016 break;
1017 case SERVER_CERTIFICATE_REQUEST:
1018 if (tls_process_certificate_request(conn, ct, buf, len))
1019 return -1;
1020 break;
1021 case SERVER_HELLO_DONE:
1022 if (tls_process_server_hello_done(conn, ct, buf, len))
1023 return -1;
1024 break;
1025 case SERVER_CHANGE_CIPHER_SPEC:
1026 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1027 return -1;
1028 break;
1029 case SERVER_FINISHED:
1030 if (tls_process_server_finished(conn, ct, buf, len)) {
1031 printf("[debug] server finish process fall \n");
1032 return -1;
1033 }
1034 break;
1035 case ACK_FINISHED:
1036 if (out_data &&
1037 tls_process_application_data(conn, ct, buf, len, out_data,
1038 out_len))
1039 return -1;
1040 break;
1041 default:
1042 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1043 "while processing received message",
1044 conn->state);
1045 return -1;
1046 }
1047
1048 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) {
1049 tls_verify_hash_add(&conn->verify, buf, *len);
1050 }
1051
1052 return 0;
1053 }
1054
