1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 const u8 *in_data, size_t *in_len)
32 {
33 const u8 *pos, *end;
34 size_t left, len, i;
35 u16 cipher_suite;
36 u16 tls_version;
37
38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 "received content type 0x%x", ct);
41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 TLS_ALERT_UNEXPECTED_MESSAGE);
43 return -1;
44 }
45
46 pos = in_data;
47 left = *in_len;
48
49 if (left < 4)
50 goto decode_error;
51
52 /* HandshakeType msg_type */
53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 "message %d (expected ServerHello)", *pos);
56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 TLS_ALERT_UNEXPECTED_MESSAGE);
58 return -1;
59 }
60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61 pos++;
62 /* uint24 length */
63 len = WPA_GET_BE24(pos);
64 pos += 3;
65 left -= 4;
66
67 if (len > left)
68 goto decode_error;
69
70 /* body - ServerHello */
71
72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73 end = pos + len;
74
75 /* ProtocolVersion server_version */
76 if (end - pos < 2)
77 goto decode_error;
78 tls_version = WPA_GET_BE16(pos);
79 if (!tls_version_ok(tls_version)) {
80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 "ServerHello %u.%u", pos[0], pos[1]);
82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 TLS_ALERT_PROTOCOL_VERSION);
84 return -1;
85 }
86 pos += 2;
87
88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 tls_version_str(tls_version));
90 conn->rl.tls_version = tls_version;
91
92 /* Random random */
93 if (end - pos < TLS_RANDOM_LEN)
94 goto decode_error;
95
96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 pos += TLS_RANDOM_LEN;
98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 conn->server_random, TLS_RANDOM_LEN);
100
101 /* SessionID session_id */
102 if (end - pos < 1)
103 goto decode_error;
104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105 goto decode_error;
106 if (conn->session_id_len && conn->session_id_len == *pos &&
107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 pos += 1 + conn->session_id_len;
109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 conn->session_resumed = 1;
111 } else {
112 conn->session_id_len = *pos;
113 pos++;
114 os_memcpy(conn->session_id, pos, conn->session_id_len);
115 pos += conn->session_id_len;
116 }
117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 conn->session_id, conn->session_id_len);
119
120 /* CipherSuite cipher_suite */
121 if (end - pos < 2)
122 goto decode_error;
123 cipher_suite = WPA_GET_BE16(pos);
124 pos += 2;
125 for (i = 0; i < conn->num_cipher_suites; i++) {
126 if (cipher_suite == conn->cipher_suites[i])
127 break;
128 }
129 if (i == conn->num_cipher_suites) {
130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 "cipher suite 0x%04x", cipher_suite);
132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 TLS_ALERT_ILLEGAL_PARAMETER);
134 return -1;
135 }
136
137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 "cipher suite for a resumed connection (0x%04x != "
140 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 TLS_ALERT_ILLEGAL_PARAMETER);
143 return -1;
144 }
145
146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148 "record layer");
149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_INTERNAL_ERROR);
151 return -1;
152 }
153
154 conn->prev_cipher_suite = cipher_suite;
155
156 /* CompressionMethod compression_method */
157 if (end - pos < 1)
158 goto decode_error;
159 if (*pos != TLS_COMPRESSION_NULL) {
160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 "compression 0x%02x", *pos);
162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 TLS_ALERT_ILLEGAL_PARAMETER);
164 return -1;
165 }
166 pos++;
167
168 if (end != pos) {
169 /* TODO: ServerHello extensions */
170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 "end of ServerHello", pos, end - pos);
172 goto decode_error;
173 }
174
175 if (conn->session_ticket_included && conn->session_ticket_cb) {
176 /* TODO: include SessionTicket extension if one was included in
177 * ServerHello */
178 int res = conn->session_ticket_cb(
179 conn->session_ticket_cb_ctx, NULL, 0,
180 conn->client_random, conn->server_random,
181 conn->master_secret);
182 if (res < 0) {
183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 "indicated failure");
185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 TLS_ALERT_HANDSHAKE_FAILURE);
187 return -1;
188 }
189 conn->use_session_ticket = !!res;
190 }
191
192 if ((conn->session_resumed || conn->use_session_ticket) &&
193 tls_derive_keys(conn, NULL, 0)) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 TLS_ALERT_INTERNAL_ERROR);
197 return -1;
198 }
199
200 *in_len = end - in_data;
201
202 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204
205 return 0;
206
207 decode_error:
208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210 return -1;
211 }
212
213
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215 const u8 *in_data, size_t *in_len)
216 {
217 const u8 *pos, *end;
218 size_t left, len, list_len, cert_len, idx;
219 u8 type;
220 struct x509_certificate *chain = NULL, *last = NULL, *cert;
221 int reason;
222
223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225 "received content type 0x%x", ct);
226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 TLS_ALERT_UNEXPECTED_MESSAGE);
228 return -1;
229 }
230
231 pos = in_data;
232 left = *in_len;
233
234 if (left < 4) {
235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236 "(len=%lu)", (unsigned long) left);
237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
238 return -1;
239 }
240
241 type = *pos++;
242 len = WPA_GET_BE24(pos);
243 pos += 3;
244 left -= 4;
245
246 if (len > left) {
247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248 "length (len=%lu != left=%lu)",
249 (unsigned long) len, (unsigned long) left);
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
251 return -1;
252 }
253
254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255 return tls_process_server_key_exchange(conn, ct, in_data,
256 in_len);
257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258 return tls_process_certificate_request(conn, ct, in_data,
259 in_len);
260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261 return tls_process_server_hello_done(conn, ct, in_data,
262 in_len);
263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265 "message %d (expected Certificate/"
266 "ServerKeyExchange/CertificateRequest/"
267 "ServerHelloDone)", type);
268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 TLS_ALERT_UNEXPECTED_MESSAGE);
270 return -1;
271 }
272
273 wpa_printf(MSG_DEBUG,
274 "TLSv1: Received Certificate (certificate_list len %lu)",
275 (unsigned long) len);
276
277 /*
278 * opaque ASN.1Cert<2^24-1>;
279 *
280 * struct {
281 * ASN.1Cert certificate_list<1..2^24-1>;
282 * } Certificate;
283 */
284
285 end = pos + len;
286
287 if (end - pos < 3) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 "(left=%lu)", (unsigned long) left);
290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291 return -1;
292 }
293
294 list_len = WPA_GET_BE24(pos);
295 pos += 3;
296
297 if ((size_t) (end - pos) != list_len) {
298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 "length (len=%lu left=%lu)",
300 (unsigned long) list_len,
301 (unsigned long) (end - pos));
302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303 return -1;
304 }
305
306 idx = 0;
307 while (pos < end) {
308 if (end - pos < 3) {
309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310 "certificate_list");
311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 TLS_ALERT_DECODE_ERROR);
313 x509_certificate_chain_free(chain);
314 return -1;
315 }
316
317 cert_len = WPA_GET_BE24(pos);
318 pos += 3;
319
320 if ((size_t) (end - pos) < cert_len) {
321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 "length (len=%lu left=%lu)",
323 (unsigned long) cert_len,
324 (unsigned long) (end - pos));
325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_DECODE_ERROR);
327 x509_certificate_chain_free(chain);
328 return -1;
329 }
330
331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 (unsigned long) idx, (unsigned long) cert_len);
333
334 if (idx == 0) {
335 crypto_public_key_free(conn->server_rsa_key);
336 if (tls_parse_cert(pos, cert_len,
337 &conn->server_rsa_key)) {
338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339 "the certificate");
340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 TLS_ALERT_BAD_CERTIFICATE);
342 x509_certificate_chain_free(chain);
343 return -1;
344 }
345 }
346
347 cert = x509_certificate_parse(pos, cert_len);
348 if (cert == NULL) {
349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350 "the certificate");
351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 TLS_ALERT_BAD_CERTIFICATE);
353 x509_certificate_chain_free(chain);
354 return -1;
355 }
356
357 if (last == NULL)
358 chain = cert;
359 else
360 last->next = cert;
361 last = cert;
362
363 idx++;
364 pos += cert_len;
365 }
366
367 if (conn->cred &&
368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 &reason, conn->disable_time_checks)
370 < 0) {
371 int tls_reason;
372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 "validation failed (reason=%d)", reason);
374 switch (reason) {
375 case X509_VALIDATE_BAD_CERTIFICATE:
376 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377 break;
378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380 break;
381 case X509_VALIDATE_CERTIFICATE_REVOKED:
382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383 break;
384 case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386 break;
387 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389 break;
390 case X509_VALIDATE_UNKNOWN_CA:
391 tls_reason = TLS_ALERT_UNKNOWN_CA;
392 break;
393 default:
394 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395 break;
396 }
397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 x509_certificate_chain_free(chain);
399 return -1;
400 }
401
402 x509_certificate_chain_free(chain);
403
404 *in_len = end - in_data;
405
406 conn->state = SERVER_KEY_EXCHANGE;
407
408 return 0;
409 }
410
411
count_bits(const u8 * val,size_t len)412 static unsigned int count_bits(const u8 *val, size_t len)
413 {
414 size_t i;
415 unsigned int bits;
416 u8 tmp;
417
418 for (i = 0; i < len; i++) {
419 if (val[i])
420 break;
421 }
422 if (i == len)
423 return 0;
424
425 bits = (len - i - 1) * 8;
426 tmp = val[i];
427 while (tmp) {
428 bits++;
429 tmp >>= 1;
430 }
431
432 return bits;
433 }
434
435
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)436 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
437 const u8 *buf, size_t len,
438 tls_key_exchange key_exchange)
439 {
440 const u8 *pos, *end, *server_params, *server_params_end;
441 u8 alert;
442 unsigned int bits;
443 u16 val;
444
445 tlsv1_client_free_dh(conn);
446
447 pos = buf;
448 end = buf + len;
449
450 if (end - pos < 3)
451 goto fail;
452 server_params = pos;
453 val = WPA_GET_BE16(pos);
454 pos += 2;
455 if (val == 0 || val > (size_t) (end - pos)) {
456 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
457 goto fail;
458 }
459 conn->dh_p_len = val;
460 bits = count_bits(pos, conn->dh_p_len);
461 if (bits < 768) {
462 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
463 bits);
464 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
465 pos, conn->dh_p_len);
466 goto fail;
467 }
468 conn->dh_p = os_malloc(conn->dh_p_len);
469 if (conn->dh_p == NULL)
470 goto fail;
471 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
472 pos += conn->dh_p_len;
473 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
474 conn->dh_p, conn->dh_p_len);
475
476 if (end - pos < 3)
477 goto fail;
478 val = WPA_GET_BE16(pos);
479 pos += 2;
480 if (val == 0 || val > (size_t) (end - pos))
481 goto fail;
482 conn->dh_g_len = val;
483 conn->dh_g = os_malloc(conn->dh_g_len);
484 if (conn->dh_g == NULL)
485 goto fail;
486 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
487 pos += conn->dh_g_len;
488 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
489 conn->dh_g, conn->dh_g_len);
490 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
491 goto fail;
492
493 if (end - pos < 3)
494 goto fail;
495 val = WPA_GET_BE16(pos);
496 pos += 2;
497 if (val == 0 || val > (size_t) (end - pos))
498 goto fail;
499 conn->dh_ys_len = val;
500 conn->dh_ys = os_malloc(conn->dh_ys_len);
501 if (conn->dh_ys == NULL)
502 goto fail;
503 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
504 pos += conn->dh_ys_len;
505 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
506 conn->dh_ys, conn->dh_ys_len);
507 server_params_end = pos;
508
509 if (key_exchange == TLS_KEY_X_DHE_RSA) {
510 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
511 int hlen;
512
513 if (conn->rl.tls_version == TLS_VERSION_1_2) {
514 #ifdef CONFIG_TLSV12
515 /*
516 * RFC 5246, 4.7:
517 * TLS v1.2 adds explicit indication of the used
518 * signature and hash algorithms.
519 *
520 * struct {
521 * HashAlgorithm hash;
522 * SignatureAlgorithm signature;
523 * } SignatureAndHashAlgorithm;
524 */
525 if (end - pos < 2)
526 goto fail;
527 if (pos[0] != TLS_HASH_ALG_SHA256 ||
528 pos[1] != TLS_SIGN_ALG_RSA) {
529 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
530 pos[0], pos[1]);
531 goto fail;
532 }
533 pos += 2;
534
535 hlen = tlsv12_key_x_server_params_hash(
536 conn->rl.tls_version, conn->client_random,
537 conn->server_random, server_params,
538 server_params_end - server_params, hash);
539 #else /* CONFIG_TLSV12 */
540 goto fail;
541 #endif /* CONFIG_TLSV12 */
542 } else {
543 hlen = tls_key_x_server_params_hash(
544 conn->rl.tls_version, conn->client_random,
545 conn->server_random, server_params,
546 server_params_end - server_params, hash);
547 }
548
549 if (hlen < 0)
550 goto fail;
551 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
552 hash, hlen);
553
554 if (tls_verify_signature(conn->rl.tls_version,
555 conn->server_rsa_key,
556 hash, hlen, pos, end - pos,
557 &alert) < 0)
558 goto fail;
559 }
560
561 return 0;
562
563 fail:
564 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
565 tlsv1_client_free_dh(conn);
566 return -1;
567 }
568
569
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)570 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
571 const u8 *in_data, size_t *in_len)
572 {
573 const u8 *pos, *end;
574 size_t left, len;
575 u8 type;
576 const struct tls_cipher_suite *suite;
577
578 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
579 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
580 "received content type 0x%x", ct);
581 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
582 TLS_ALERT_UNEXPECTED_MESSAGE);
583 return -1;
584 }
585
586 pos = in_data;
587 left = *in_len;
588
589 if (left < 4) {
590 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
591 "(Left=%lu)", (unsigned long) left);
592 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
593 return -1;
594 }
595
596 type = *pos++;
597 len = WPA_GET_BE24(pos);
598 pos += 3;
599 left -= 4;
600
601 if (len > left) {
602 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
603 "length (len=%lu != left=%lu)",
604 (unsigned long) len, (unsigned long) left);
605 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
606 return -1;
607 }
608
609 end = pos + len;
610
611 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
612 return tls_process_certificate_request(conn, ct, in_data,
613 in_len);
614 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
615 return tls_process_server_hello_done(conn, ct, in_data,
616 in_len);
617 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
618 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
619 "message %d (expected ServerKeyExchange/"
620 "CertificateRequest/ServerHelloDone)", type);
621 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 TLS_ALERT_UNEXPECTED_MESSAGE);
623 return -1;
624 }
625
626 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
627
628 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
629 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
630 "with the selected cipher suite");
631 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
632 TLS_ALERT_UNEXPECTED_MESSAGE);
633 return -1;
634 }
635
636 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
637 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
638 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
639 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
640 if (tlsv1_process_diffie_hellman(conn, pos, len,
641 suite->key_exchange) < 0) {
642 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
643 TLS_ALERT_DECODE_ERROR);
644 return -1;
645 }
646 } else {
647 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
648 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
649 TLS_ALERT_UNEXPECTED_MESSAGE);
650 return -1;
651 }
652
653 *in_len = end - in_data;
654
655 conn->state = SERVER_CERTIFICATE_REQUEST;
656
657 return 0;
658 }
659
660
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)661 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
662 const u8 *in_data, size_t *in_len)
663 {
664 const u8 *pos, *end;
665 size_t left, len;
666 u8 type;
667
668 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
669 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
670 "received content type 0x%x", ct);
671 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672 TLS_ALERT_UNEXPECTED_MESSAGE);
673 return -1;
674 }
675
676 pos = in_data;
677 left = *in_len;
678
679 if (left < 4) {
680 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
681 "(left=%lu)", (unsigned long) left);
682 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
683 return -1;
684 }
685
686 type = *pos++;
687 len = WPA_GET_BE24(pos);
688 pos += 3;
689 left -= 4;
690
691 if (len > left) {
692 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
693 "length (len=%lu != left=%lu)",
694 (unsigned long) len, (unsigned long) left);
695 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
696 return -1;
697 }
698
699 end = pos + len;
700
701 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
702 return tls_process_server_hello_done(conn, ct, in_data,
703 in_len);
704 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
705 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
706 "message %d (expected CertificateRequest/"
707 "ServerHelloDone)", type);
708 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
709 TLS_ALERT_UNEXPECTED_MESSAGE);
710 return -1;
711 }
712
713 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
714
715 conn->certificate_requested = 1;
716
717 *in_len = end - in_data;
718
719 conn->state = SERVER_HELLO_DONE;
720
721 return 0;
722 }
723
724
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)725 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
726 const u8 *in_data, size_t *in_len)
727 {
728 const u8 *pos, *end;
729 size_t left, len;
730 u8 type;
731
732 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
733 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
734 "received content type 0x%x", ct);
735 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 TLS_ALERT_UNEXPECTED_MESSAGE);
737 return -1;
738 }
739
740 pos = in_data;
741 left = *in_len;
742
743 if (left < 4) {
744 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
745 "(left=%lu)", (unsigned long) left);
746 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
747 return -1;
748 }
749
750 type = *pos++;
751 len = WPA_GET_BE24(pos);
752 pos += 3;
753 left -= 4;
754
755 if (len > left) {
756 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
757 "length (len=%lu != left=%lu)",
758 (unsigned long) len, (unsigned long) left);
759 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
760 return -1;
761 }
762 end = pos + len;
763
764 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
765 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
766 "message %d (expected ServerHelloDone)", type);
767 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
768 TLS_ALERT_UNEXPECTED_MESSAGE);
769 return -1;
770 }
771
772 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
773
774 *in_len = end - in_data;
775
776 conn->state = CLIENT_KEY_EXCHANGE;
777
778 return 0;
779 }
780
781
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)782 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
783 u8 ct, const u8 *in_data,
784 size_t *in_len)
785 {
786 const u8 *pos;
787 size_t left;
788
789 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
790 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
791 "received content type 0x%x", ct);
792 if (conn->use_session_ticket) {
793 int res;
794 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
795 "rejected SessionTicket");
796 conn->use_session_ticket = 0;
797
798 /* Notify upper layers that SessionTicket failed */
799 res = conn->session_ticket_cb(
800 conn->session_ticket_cb_ctx, NULL, 0, NULL,
801 NULL, NULL);
802 if (res < 0) {
803 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
804 "callback indicated failure");
805 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
806 TLS_ALERT_HANDSHAKE_FAILURE);
807 return -1;
808 }
809
810 conn->state = SERVER_CERTIFICATE;
811 return tls_process_certificate(conn, ct, in_data,
812 in_len);
813 }
814 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
815 TLS_ALERT_UNEXPECTED_MESSAGE);
816 return -1;
817 }
818
819 pos = in_data;
820 left = *in_len;
821
822 if (left < 1) {
823 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
824 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
825 return -1;
826 }
827
828 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
829 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
830 "received data 0x%x", *pos);
831 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
832 TLS_ALERT_UNEXPECTED_MESSAGE);
833 return -1;
834 }
835
836 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
837 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
838 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
839 "for record layer");
840 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
841 TLS_ALERT_INTERNAL_ERROR);
842 return -1;
843 }
844
845 *in_len = pos + 1 - in_data;
846
847 conn->state = SERVER_FINISHED;
848
849 return 0;
850 }
851
852
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)853 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
854 const u8 *in_data, size_t *in_len)
855 {
856 const u8 *pos, *end;
857 size_t left, len, hlen;
858 u8 verify_data[TLS_VERIFY_DATA_LEN];
859 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
860
861 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
862 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
863 "received content type 0x%x", ct);
864 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
865 TLS_ALERT_UNEXPECTED_MESSAGE);
866 return -1;
867 }
868
869 pos = in_data;
870 left = *in_len;
871
872 if (left < 4) {
873 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
874 "Finished",
875 (unsigned long) left);
876 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
877 TLS_ALERT_DECODE_ERROR);
878 return -1;
879 }
880
881 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
882 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
883 "type 0x%x", pos[0]);
884 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
885 TLS_ALERT_UNEXPECTED_MESSAGE);
886 return -1;
887 }
888
889 len = WPA_GET_BE24(pos + 1);
890
891 pos += 4;
892 left -= 4;
893
894 if (len > left) {
895 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
896 "(len=%lu > left=%lu)",
897 (unsigned long) len, (unsigned long) left);
898 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
899 TLS_ALERT_DECODE_ERROR);
900 return -1;
901 }
902 end = pos + len;
903 if (len != TLS_VERIFY_DATA_LEN) {
904 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
905 "in Finished: %lu (expected %d)",
906 (unsigned long) len, TLS_VERIFY_DATA_LEN);
907 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
908 TLS_ALERT_DECODE_ERROR);
909 return -1;
910 }
911 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
912 pos, TLS_VERIFY_DATA_LEN);
913
914 #ifdef CONFIG_TLSV12
915 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
916 hlen = SHA256_MAC_LEN;
917 if (conn->verify.sha256_server == NULL ||
918 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
919 < 0) {
920 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
921 TLS_ALERT_INTERNAL_ERROR);
922 conn->verify.sha256_server = NULL;
923 return -1;
924 }
925 conn->verify.sha256_server = NULL;
926 } else {
927 #endif /* CONFIG_TLSV12 */
928
929 hlen = MD5_MAC_LEN;
930 if (conn->verify.md5_server == NULL ||
931 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
932 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
933 TLS_ALERT_INTERNAL_ERROR);
934 conn->verify.md5_server = NULL;
935 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
936 conn->verify.sha1_server = NULL;
937 return -1;
938 }
939 conn->verify.md5_server = NULL;
940 hlen = SHA1_MAC_LEN;
941 if (conn->verify.sha1_server == NULL ||
942 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
943 &hlen) < 0) {
944 conn->verify.sha1_server = NULL;
945 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
946 TLS_ALERT_INTERNAL_ERROR);
947 return -1;
948 }
949 conn->verify.sha1_server = NULL;
950 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
951
952 #ifdef CONFIG_TLSV12
953 }
954 #endif /* CONFIG_TLSV12 */
955
956 if (tls_prf(conn->rl.tls_version,
957 conn->master_secret, TLS_MASTER_SECRET_LEN,
958 "server finished", hash, hlen,
959 verify_data, TLS_VERIFY_DATA_LEN)) {
960 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
961 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
962 TLS_ALERT_DECRYPT_ERROR);
963 return -1;
964 }
965 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
966 verify_data, TLS_VERIFY_DATA_LEN);
967
968 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
969 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
970 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
971 TLS_ALERT_DECRYPT_ERROR);
972 return -1;
973 }
974
975 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
976
977 *in_len = end - in_data;
978
979 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
980 CHANGE_CIPHER_SPEC : ACK_FINISHED;
981
982 return 0;
983 }
984
985
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)986 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
987 const u8 *in_data, size_t *in_len,
988 u8 **out_data, size_t *out_len)
989 {
990 const u8 *pos;
991 size_t left;
992
993 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
994 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
995 "received content type 0x%x", ct);
996 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
997 TLS_ALERT_UNEXPECTED_MESSAGE);
998 return -1;
999 }
1000
1001 pos = in_data;
1002 left = *in_len;
1003
1004 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1005 pos, left);
1006
1007 *out_data = os_malloc(left);
1008 if (*out_data) {
1009 os_memcpy(*out_data, pos, left);
1010 *out_len = left;
1011 }
1012
1013 return 0;
1014 }
1015
1016
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1017 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1018 const u8 *buf, size_t *len,
1019 u8 **out_data, size_t *out_len)
1020 {
1021 if (ct == TLS_CONTENT_TYPE_ALERT) {
1022 if (*len < 2) {
1023 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1024 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025 TLS_ALERT_DECODE_ERROR);
1026 return -1;
1027 }
1028 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1029 buf[0], buf[1]);
1030 *len = 2;
1031 conn->state = FAILED;
1032 return -1;
1033 }
1034
1035 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1036 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1037 size_t hr_len = WPA_GET_BE24(buf + 1);
1038 if (hr_len > *len - 4) {
1039 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1040 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041 TLS_ALERT_DECODE_ERROR);
1042 return -1;
1043 }
1044 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1045 *len = 4 + hr_len;
1046 return 0;
1047 }
1048
1049 switch (conn->state) {
1050 case SERVER_HELLO:
1051 if (tls_process_server_hello(conn, ct, buf, len))
1052 return -1;
1053 break;
1054 case SERVER_CERTIFICATE:
1055 if (tls_process_certificate(conn, ct, buf, len))
1056 return -1;
1057 break;
1058 case SERVER_KEY_EXCHANGE:
1059 if (tls_process_server_key_exchange(conn, ct, buf, len))
1060 return -1;
1061 break;
1062 case SERVER_CERTIFICATE_REQUEST:
1063 if (tls_process_certificate_request(conn, ct, buf, len))
1064 return -1;
1065 break;
1066 case SERVER_HELLO_DONE:
1067 if (tls_process_server_hello_done(conn, ct, buf, len))
1068 return -1;
1069 break;
1070 case SERVER_CHANGE_CIPHER_SPEC:
1071 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1072 return -1;
1073 break;
1074 case SERVER_FINISHED:
1075 if (tls_process_server_finished(conn, ct, buf, len))
1076 return -1;
1077 break;
1078 case ACK_FINISHED:
1079 if (out_data &&
1080 tls_process_application_data(conn, ct, buf, len, out_data,
1081 out_len))
1082 return -1;
1083 break;
1084 default:
1085 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1086 "while processing received message",
1087 conn->state);
1088 return -1;
1089 }
1090
1091 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1092 tls_verify_hash_add(&conn->verify, buf, *len);
1093
1094 return 0;
1095 }
1096