2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
22 static int tls_process_server_key_exchange(struct tlsv1_client
*conn
, u8 ct
,
23 const u8
*in_data
, size_t *in_len
);
24 static int tls_process_certificate_request(struct tlsv1_client
*conn
, u8 ct
,
25 const u8
*in_data
, size_t *in_len
);
26 static int tls_process_server_hello_done(struct tlsv1_client
*conn
, u8 ct
,
27 const u8
*in_data
, size_t *in_len
);
30 static int tls_version_disabled(struct tlsv1_client
*conn
, u16 ver
)
32 return (((conn
->flags
& TLS_CONN_DISABLE_TLSv1_0
) &&
33 ver
== TLS_VERSION_1
) ||
34 ((conn
->flags
& TLS_CONN_DISABLE_TLSv1_1
) &&
35 ver
== TLS_VERSION_1_1
) ||
36 ((conn
->flags
& TLS_CONN_DISABLE_TLSv1_2
) &&
37 ver
== TLS_VERSION_1_2
));
41 static int tls_process_server_hello_extensions(struct tlsv1_client
*conn
,
42 const u8
*pos
, size_t len
)
44 const u8
*end
= pos
+ len
;
46 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ServerHello extensions",
52 wpa_printf(MSG_INFO
, "TLSv1: Truncated ServerHello extension header");
56 ext
= WPA_GET_BE16(pos
);
58 elen
= WPA_GET_BE16(pos
);
61 if (elen
> end
- pos
) {
62 wpa_printf(MSG_INFO
, "TLSv1: Truncated ServerHello extension");
66 wpa_printf(MSG_DEBUG
, "TLSv1: ServerHello ExtensionType %u",
68 wpa_hexdump(MSG_DEBUG
, "TLSv1: ServerHello extension data",
78 static int tls_process_server_hello(struct tlsv1_client
*conn
, u8 ct
,
79 const u8
*in_data
, size_t *in_len
)
86 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
87 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct
);
89 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
90 TLS_ALERT_UNEXPECTED_MESSAGE
);
100 /* HandshakeType msg_type */
101 if (*pos
!= TLS_HANDSHAKE_TYPE_SERVER_HELLO
) {
102 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos
);
104 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
105 TLS_ALERT_UNEXPECTED_MESSAGE
);
108 wpa_printf(MSG_DEBUG
, "TLSv1: Received ServerHello");
111 len
= WPA_GET_BE24(pos
);
118 /* body - ServerHello */
120 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ServerHello", pos
, len
);
123 /* ProtocolVersion server_version */
126 tls_version
= WPA_GET_BE16(pos
);
127 if (!tls_version_ok(tls_version
) ||
128 tls_version_disabled(conn
, tls_version
)) {
129 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos
[0], pos
[1]);
131 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
132 TLS_ALERT_PROTOCOL_VERSION
);
137 wpa_printf(MSG_DEBUG
, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version
));
139 conn
->rl
.tls_version
= tls_version
;
142 if (end
- pos
< TLS_RANDOM_LEN
)
145 os_memcpy(conn
->server_random
, pos
, TLS_RANDOM_LEN
);
146 pos
+= TLS_RANDOM_LEN
;
147 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: server_random",
148 conn
->server_random
, TLS_RANDOM_LEN
);
150 /* SessionID session_id */
153 if (end
- pos
< 1 + *pos
|| *pos
> TLS_SESSION_ID_MAX_LEN
)
155 if (conn
->session_id_len
&& conn
->session_id_len
== *pos
&&
156 os_memcmp(conn
->session_id
, pos
+ 1, conn
->session_id_len
) == 0) {
157 pos
+= 1 + conn
->session_id_len
;
158 wpa_printf(MSG_DEBUG
, "TLSv1: Resuming old session");
159 conn
->session_resumed
= 1;
161 conn
->session_id_len
= *pos
;
163 os_memcpy(conn
->session_id
, pos
, conn
->session_id_len
);
164 pos
+= conn
->session_id_len
;
166 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: session_id",
167 conn
->session_id
, conn
->session_id_len
);
169 /* CipherSuite cipher_suite */
172 cipher_suite
= WPA_GET_BE16(pos
);
174 for (i
= 0; i
< conn
->num_cipher_suites
; i
++) {
175 if (cipher_suite
== conn
->cipher_suites
[i
])
178 if (i
== conn
->num_cipher_suites
) {
179 wpa_printf(MSG_INFO
, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite
);
181 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
182 TLS_ALERT_ILLEGAL_PARAMETER
);
186 if (conn
->session_resumed
&& cipher_suite
!= conn
->prev_cipher_suite
) {
187 wpa_printf(MSG_DEBUG
, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite
, conn
->prev_cipher_suite
);
190 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
191 TLS_ALERT_ILLEGAL_PARAMETER
);
195 if (tlsv1_record_set_cipher_suite(&conn
->rl
, cipher_suite
) < 0) {
196 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to set CipherSuite for "
198 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
199 TLS_ALERT_INTERNAL_ERROR
);
203 conn
->prev_cipher_suite
= cipher_suite
;
205 /* CompressionMethod compression_method */
208 if (*pos
!= TLS_COMPRESSION_NULL
) {
209 wpa_printf(MSG_INFO
, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos
);
211 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
212 TLS_ALERT_ILLEGAL_PARAMETER
);
217 if (end
- pos
>= 2) {
220 ext_len
= WPA_GET_BE16(pos
);
222 if (end
- pos
< ext_len
) {
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len
, (unsigned int) (end
- pos
));
229 if (tls_process_server_hello_extensions(conn
, pos
, ext_len
))
235 wpa_hexdump(MSG_DEBUG
, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos
, end
- pos
);
240 if (conn
->session_ticket_included
&& conn
->session_ticket_cb
) {
241 /* TODO: include SessionTicket extension if one was included in
243 int res
= conn
->session_ticket_cb(
244 conn
->session_ticket_cb_ctx
, NULL
, 0,
245 conn
->client_random
, conn
->server_random
,
246 conn
->master_secret
);
248 wpa_printf(MSG_DEBUG
, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
251 TLS_ALERT_HANDSHAKE_FAILURE
);
254 conn
->use_session_ticket
= !!res
;
257 if ((conn
->session_resumed
|| conn
->use_session_ticket
) &&
258 tls_derive_keys(conn
, NULL
, 0)) {
259 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive keys");
260 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
261 TLS_ALERT_INTERNAL_ERROR
);
265 *in_len
= end
- in_data
;
267 conn
->state
= (conn
->session_resumed
|| conn
->use_session_ticket
) ?
268 SERVER_CHANGE_CIPHER_SPEC
: SERVER_CERTIFICATE
;
273 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
279 static void tls_peer_cert_event(struct tlsv1_client
*conn
, int depth
,
280 struct x509_certificate
*cert
)
282 union tls_event_data ev
;
283 struct wpabuf
*cert_buf
= NULL
;
286 #endif /* CONFIG_SHA256 */
292 os_memset(&ev
, 0, sizeof(ev
));
293 if (conn
->cred
->cert_probe
|| conn
->cert_in_cb
) {
294 cert_buf
= wpabuf_alloc_copy(cert
->cert_start
,
296 ev
.peer_cert
.cert
= cert_buf
;
302 addr
[0] = wpabuf_head(cert_buf
);
303 len
[0] = wpabuf_len(cert_buf
);
304 if (sha256_vector(1, addr
, len
, hash
) == 0) {
305 ev
.peer_cert
.hash
= hash
;
306 ev
.peer_cert
.hash_len
= sizeof(hash
);
309 #endif /* CONFIG_SHA256 */
311 ev
.peer_cert
.depth
= depth
;
312 x509_name_string(&cert
->subject
, subject
, sizeof(subject
));
313 ev
.peer_cert
.subject
= subject
;
315 conn
->event_cb(conn
->cb_ctx
, TLS_PEER_CERTIFICATE
, &ev
);
316 wpabuf_free(cert_buf
);
320 static void tls_cert_chain_failure_event(struct tlsv1_client
*conn
, int depth
,
321 struct x509_certificate
*cert
,
322 enum tls_fail_reason reason
,
323 const char *reason_txt
)
325 struct wpabuf
*cert_buf
= NULL
;
326 union tls_event_data ev
;
329 if (!conn
->event_cb
|| !cert
)
332 os_memset(&ev
, 0, sizeof(ev
));
333 ev
.cert_fail
.depth
= depth
;
334 x509_name_string(&cert
->subject
, subject
, sizeof(subject
));
335 ev
.peer_cert
.subject
= subject
;
336 ev
.cert_fail
.reason
= reason
;
337 ev
.cert_fail
.reason_txt
= reason_txt
;
338 cert_buf
= wpabuf_alloc_copy(cert
->cert_start
,
340 ev
.cert_fail
.cert
= cert_buf
;
341 conn
->event_cb(conn
->cb_ctx
, TLS_CERT_CHAIN_FAILURE
, &ev
);
342 wpabuf_free(cert_buf
);
346 static int tls_process_certificate(struct tlsv1_client
*conn
, u8 ct
,
347 const u8
*in_data
, size_t *in_len
)
350 size_t left
, len
, list_len
, cert_len
, idx
;
352 struct x509_certificate
*chain
= NULL
, *last
= NULL
, *cert
;
355 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
356 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
357 "received content type 0x%x", ct
);
358 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
359 TLS_ALERT_UNEXPECTED_MESSAGE
);
367 wpa_printf(MSG_DEBUG
, "TLSv1: Too short Certificate message "
368 "(len=%lu)", (unsigned long) left
);
369 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
374 len
= WPA_GET_BE24(pos
);
379 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected Certificate message "
380 "length (len=%lu != left=%lu)",
381 (unsigned long) len
, (unsigned long) left
);
382 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
386 if (type
== TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE
)
387 return tls_process_server_key_exchange(conn
, ct
, in_data
,
389 if (type
== TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
)
390 return tls_process_certificate_request(conn
, ct
, in_data
,
392 if (type
== TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
)
393 return tls_process_server_hello_done(conn
, ct
, in_data
,
395 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE
) {
396 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
397 "message %d (expected Certificate/"
398 "ServerKeyExchange/CertificateRequest/"
399 "ServerHelloDone)", type
);
400 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
401 TLS_ALERT_UNEXPECTED_MESSAGE
);
405 wpa_printf(MSG_DEBUG
,
406 "TLSv1: Received Certificate (certificate_list len %lu)",
407 (unsigned long) len
);
410 * opaque ASN.1Cert<2^24-1>;
413 * ASN.1Cert certificate_list<1..2^24-1>;
420 wpa_printf(MSG_DEBUG
, "TLSv1: Too short Certificate "
421 "(left=%lu)", (unsigned long) left
);
422 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
426 list_len
= WPA_GET_BE24(pos
);
429 if ((size_t) (end
- pos
) != list_len
) {
430 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected certificate_list "
431 "length (len=%lu left=%lu)",
432 (unsigned long) list_len
,
433 (unsigned long) (end
- pos
));
434 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
441 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
443 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
444 TLS_ALERT_DECODE_ERROR
);
445 x509_certificate_chain_free(chain
);
449 cert_len
= WPA_GET_BE24(pos
);
452 if ((size_t) (end
- pos
) < cert_len
) {
453 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected certificate "
454 "length (len=%lu left=%lu)",
455 (unsigned long) cert_len
,
456 (unsigned long) (end
- pos
));
457 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
458 TLS_ALERT_DECODE_ERROR
);
459 x509_certificate_chain_free(chain
);
463 wpa_printf(MSG_DEBUG
, "TLSv1: Certificate %lu (len %lu)",
464 (unsigned long) idx
, (unsigned long) cert_len
);
467 crypto_public_key_free(conn
->server_rsa_key
);
468 if (tls_parse_cert(pos
, cert_len
,
469 &conn
->server_rsa_key
)) {
470 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
472 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
473 TLS_ALERT_BAD_CERTIFICATE
);
474 x509_certificate_chain_free(chain
);
479 cert
= x509_certificate_parse(pos
, cert_len
);
481 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
483 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
484 TLS_ALERT_BAD_CERTIFICATE
);
485 x509_certificate_chain_free(chain
);
489 tls_peer_cert_event(conn
, idx
, cert
);
501 if (conn
->cred
&& conn
->cred
->server_cert_only
&& chain
) {
502 u8 hash
[SHA256_MAC_LEN
];
505 wpa_printf(MSG_DEBUG
,
506 "TLSv1: Validate server certificate hash");
507 x509_name_string(&chain
->subject
, buf
, sizeof(buf
));
508 wpa_printf(MSG_DEBUG
, "TLSv1: 0: %s", buf
);
509 if (sha256_vector(1, &chain
->cert_start
, &chain
->cert_len
,
511 os_memcmp(conn
->cred
->srv_cert_hash
, hash
,
512 SHA256_MAC_LEN
) != 0) {
513 wpa_printf(MSG_DEBUG
,
514 "TLSv1: Server certificate hash mismatch");
515 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: SHA256 hash",
516 hash
, SHA256_MAC_LEN
);
517 if (conn
->event_cb
) {
518 union tls_event_data ev
;
520 os_memset(&ev
, 0, sizeof(ev
));
521 ev
.cert_fail
.reason
= TLS_FAIL_UNSPECIFIED
;
522 ev
.cert_fail
.reason_txt
=
523 "Server certificate mismatch";
524 ev
.cert_fail
.subject
= buf
;
525 conn
->event_cb(conn
->cb_ctx
,
526 TLS_CERT_CHAIN_FAILURE
, &ev
);
528 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
529 TLS_ALERT_BAD_CERTIFICATE
);
530 x509_certificate_chain_free(chain
);
533 } else if (conn
->cred
&& conn
->cred
->cert_probe
) {
534 wpa_printf(MSG_DEBUG
,
535 "TLSv1: Reject server certificate on probe-only rune");
536 if (conn
->event_cb
) {
537 union tls_event_data ev
;
540 os_memset(&ev
, 0, sizeof(ev
));
541 ev
.cert_fail
.reason
= TLS_FAIL_SERVER_CHAIN_PROBE
;
542 ev
.cert_fail
.reason_txt
=
543 "Server certificate chain probe";
545 x509_name_string(&chain
->subject
, buf
,
547 ev
.cert_fail
.subject
= buf
;
549 conn
->event_cb(conn
->cb_ctx
, TLS_CERT_CHAIN_FAILURE
,
552 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
553 TLS_ALERT_BAD_CERTIFICATE
);
554 x509_certificate_chain_free(chain
);
556 } else if (conn
->cred
&& conn
->cred
->ca_cert_verify
&&
557 x509_certificate_chain_validate(
558 conn
->cred
->trusted_certs
, chain
, &reason
,
559 !!(conn
->flags
& TLS_CONN_DISABLE_TIME_CHECKS
))
562 wpa_printf(MSG_DEBUG
, "TLSv1: Server certificate chain "
563 "validation failed (reason=%d)", reason
);
565 case X509_VALIDATE_BAD_CERTIFICATE
:
566 tls_reason
= TLS_ALERT_BAD_CERTIFICATE
;
567 tls_cert_chain_failure_event(
568 conn
, 0, chain
, TLS_FAIL_BAD_CERTIFICATE
,
571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE
:
572 tls_reason
= TLS_ALERT_UNSUPPORTED_CERTIFICATE
;
574 case X509_VALIDATE_CERTIFICATE_REVOKED
:
575 tls_reason
= TLS_ALERT_CERTIFICATE_REVOKED
;
576 tls_cert_chain_failure_event(
577 conn
, 0, chain
, TLS_FAIL_REVOKED
,
578 "certificate revoked");
580 case X509_VALIDATE_CERTIFICATE_EXPIRED
:
581 tls_reason
= TLS_ALERT_CERTIFICATE_EXPIRED
;
582 tls_cert_chain_failure_event(
583 conn
, 0, chain
, TLS_FAIL_EXPIRED
,
584 "certificate has expired or is not yet valid");
586 case X509_VALIDATE_CERTIFICATE_UNKNOWN
:
587 tls_reason
= TLS_ALERT_CERTIFICATE_UNKNOWN
;
589 case X509_VALIDATE_UNKNOWN_CA
:
590 tls_reason
= TLS_ALERT_UNKNOWN_CA
;
591 tls_cert_chain_failure_event(
592 conn
, 0, chain
, TLS_FAIL_UNTRUSTED
,
596 tls_reason
= TLS_ALERT_BAD_CERTIFICATE
;
599 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, tls_reason
);
600 x509_certificate_chain_free(chain
);
604 if (conn
->cred
&& !conn
->cred
->server_cert_only
&& chain
&&
605 (chain
->extensions_present
& X509_EXT_EXT_KEY_USAGE
) &&
606 !(chain
->ext_key_usage
&
607 (X509_EXT_KEY_USAGE_ANY
| X509_EXT_KEY_USAGE_SERVER_AUTH
))) {
608 tls_cert_chain_failure_event(
609 conn
, 0, chain
, TLS_FAIL_BAD_CERTIFICATE
,
610 "certificate not allowed for server authentication");
611 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
612 TLS_ALERT_BAD_CERTIFICATE
);
613 x509_certificate_chain_free(chain
);
617 if (conn
->flags
& TLS_CONN_REQUEST_OCSP
) {
618 x509_certificate_chain_free(conn
->server_cert
);
619 conn
->server_cert
= chain
;
621 x509_certificate_chain_free(chain
);
624 *in_len
= end
- in_data
;
626 conn
->state
= SERVER_KEY_EXCHANGE
;
632 static unsigned int count_bits(const u8
*val
, size_t len
)
638 for (i
= 0; i
< len
; i
++) {
645 bits
= (len
- i
- 1) * 8;
656 static int tlsv1_process_diffie_hellman(struct tlsv1_client
*conn
,
657 const u8
*buf
, size_t len
,
658 tls_key_exchange key_exchange
)
660 const u8
*pos
, *end
, *server_params
, *server_params_end
;
665 tlsv1_client_free_dh(conn
);
673 val
= WPA_GET_BE16(pos
);
675 if (val
== 0 || val
> (size_t) (end
- pos
)) {
676 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid dh_p length %u", val
);
679 conn
->dh_p_len
= val
;
680 bits
= count_bits(pos
, conn
->dh_p_len
);
682 wpa_printf(MSG_INFO
, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
684 wpa_hexdump(MSG_DEBUG
, "TLSv1: Rejected DH prime",
685 pos
, conn
->dh_p_len
);
688 conn
->dh_p
= os_malloc(conn
->dh_p_len
);
689 if (conn
->dh_p
== NULL
)
691 os_memcpy(conn
->dh_p
, pos
, conn
->dh_p_len
);
692 pos
+= conn
->dh_p_len
;
693 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH p (prime)",
694 conn
->dh_p
, conn
->dh_p_len
);
698 val
= WPA_GET_BE16(pos
);
700 if (val
== 0 || val
> (size_t) (end
- pos
))
702 conn
->dh_g_len
= val
;
703 conn
->dh_g
= os_malloc(conn
->dh_g_len
);
704 if (conn
->dh_g
== NULL
)
706 os_memcpy(conn
->dh_g
, pos
, conn
->dh_g_len
);
707 pos
+= conn
->dh_g_len
;
708 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH g (generator)",
709 conn
->dh_g
, conn
->dh_g_len
);
710 if (conn
->dh_g_len
== 1 && conn
->dh_g
[0] < 2)
715 val
= WPA_GET_BE16(pos
);
717 if (val
== 0 || val
> (size_t) (end
- pos
))
719 conn
->dh_ys_len
= val
;
720 conn
->dh_ys
= os_malloc(conn
->dh_ys_len
);
721 if (conn
->dh_ys
== NULL
)
723 os_memcpy(conn
->dh_ys
, pos
, conn
->dh_ys_len
);
724 pos
+= conn
->dh_ys_len
;
725 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH Ys (server's public value)",
726 conn
->dh_ys
, conn
->dh_ys_len
);
727 server_params_end
= pos
;
729 if (key_exchange
== TLS_KEY_X_DHE_RSA
) {
733 if (conn
->rl
.tls_version
== TLS_VERSION_1_2
) {
737 * TLS v1.2 adds explicit indication of the used
738 * signature and hash algorithms.
741 * HashAlgorithm hash;
742 * SignatureAlgorithm signature;
743 * } SignatureAndHashAlgorithm;
747 if ((pos
[0] != TLS_HASH_ALG_SHA256
&&
748 pos
[0] != TLS_HASH_ALG_SHA384
&&
749 pos
[0] != TLS_HASH_ALG_SHA512
) ||
750 pos
[1] != TLS_SIGN_ALG_RSA
) {
751 wpa_printf(MSG_DEBUG
, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
756 hlen
= tlsv12_key_x_server_params_hash(
757 conn
->rl
.tls_version
, pos
[0],
759 conn
->server_random
, server_params
,
760 server_params_end
- server_params
, hash
);
762 #else /* CONFIG_TLSV12 */
764 #endif /* CONFIG_TLSV12 */
766 hlen
= tls_key_x_server_params_hash(
767 conn
->rl
.tls_version
, conn
->client_random
,
768 conn
->server_random
, server_params
,
769 server_params_end
- server_params
, hash
);
774 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ServerKeyExchange hash",
777 if (tls_verify_signature(conn
->rl
.tls_version
,
778 conn
->server_rsa_key
,
779 hash
, hlen
, pos
, end
- pos
,
787 wpa_printf(MSG_DEBUG
, "TLSv1: Processing DH params failed");
788 tlsv1_client_free_dh(conn
);
793 static enum tls_ocsp_result
794 tls_process_certificate_status_ocsp_response(struct tlsv1_client
*conn
,
795 const u8
*pos
, size_t len
)
797 const u8
*end
= pos
+ len
;
800 /* opaque OCSPResponse<1..2^24-1>; */
802 wpa_printf(MSG_INFO
, "TLSv1: Too short OCSPResponse");
803 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
804 return TLS_OCSP_INVALID
;
806 ocsp_resp_len
= WPA_GET_BE24(pos
);
808 if (end
- pos
< ocsp_resp_len
) {
809 wpa_printf(MSG_INFO
, "TLSv1: Truncated OCSPResponse");
810 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
811 return TLS_OCSP_INVALID
;
814 return tls_process_ocsp_response(conn
, pos
, ocsp_resp_len
);
818 static int tls_process_certificate_status(struct tlsv1_client
*conn
, u8 ct
,
819 const u8
*in_data
, size_t *in_len
)
823 u8 type
, status_type
;
824 enum tls_ocsp_result res
;
825 struct x509_certificate
*cert
;
828 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
829 wpa_printf(MSG_DEBUG
,
830 "TLSv1: Expected Handshake; received content type 0x%x",
832 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
833 TLS_ALERT_UNEXPECTED_MESSAGE
);
841 wpa_printf(MSG_DEBUG
,
842 "TLSv1: Too short CertificateStatus (left=%lu)",
843 (unsigned long) left
);
844 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
849 len
= WPA_GET_BE24(pos
);
854 wpa_printf(MSG_DEBUG
,
855 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
856 (unsigned long) len
, (unsigned long) left
);
857 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
863 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS
) {
864 wpa_printf(MSG_DEBUG
,
865 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
867 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
868 TLS_ALERT_UNEXPECTED_MESSAGE
);
872 wpa_printf(MSG_DEBUG
, "TLSv1: Received CertificateStatus");
876 * CertificateStatusType status_type;
877 * select (status_type) {
878 * case ocsp: OCSPResponse;
879 * case ocsp_multi: OCSPResponseList;
881 * } CertificateStatus;
884 wpa_printf(MSG_INFO
, "TLSv1: Too short CertificateStatus");
885 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
888 status_type
= *pos
++;
889 wpa_printf(MSG_DEBUG
, "TLSv1: CertificateStatus status_type %u",
892 if (status_type
== 1 /* ocsp */) {
893 res
= tls_process_certificate_status_ocsp_response(
894 conn
, pos
, end
- pos
);
895 } else if (status_type
== 2 /* ocsp_multi */) {
896 int good
= 0, revoked
= 0;
899 res
= TLS_OCSP_NO_RESPONSE
;
902 * opaque OCSPResponse<0..2^24-1>;
905 * OCSPResponse ocsp_response_list<1..2^24-1>;
906 * } OCSPResponseList;
909 wpa_printf(MSG_DEBUG
,
910 "TLSv1: Truncated OCSPResponseList");
911 res
= TLS_OCSP_INVALID
;
914 resp_len
= WPA_GET_BE24(pos
);
916 if (end
- pos
< resp_len
) {
917 wpa_printf(MSG_DEBUG
,
918 "TLSv1: Truncated OCSPResponseList(len=%u)",
920 res
= TLS_OCSP_INVALID
;
923 end
= pos
+ resp_len
;
925 while (end
- pos
>= 3) {
926 resp_len
= WPA_GET_BE24(pos
);
928 if (resp_len
> end
- pos
) {
929 wpa_printf(MSG_DEBUG
,
930 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
931 resp_len
, (int) (end
- pos
));
932 res
= TLS_OCSP_INVALID
;
936 continue; /* Skip an empty response */
937 res
= tls_process_certificate_status_ocsp_response(
938 conn
, pos
- 3, resp_len
+ 3);
939 if (res
== TLS_OCSP_REVOKED
)
941 else if (res
== TLS_OCSP_GOOD
)
947 res
= TLS_OCSP_REVOKED
;
951 wpa_printf(MSG_DEBUG
,
952 "TLSv1: Ignore unsupported CertificateStatus");
957 if (res
== TLS_OCSP_REVOKED
) {
958 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
959 TLS_ALERT_CERTIFICATE_REVOKED
);
960 for (cert
= conn
->server_cert
, depth
= 0; cert
;
961 cert
= cert
->next
, depth
++) {
962 if (cert
->ocsp_revoked
) {
963 tls_cert_chain_failure_event(
964 conn
, depth
, cert
, TLS_FAIL_REVOKED
,
965 "certificate revoked");
971 if (conn
->flags
& TLS_CONN_REQUIRE_OCSP_ALL
) {
973 * Verify that each certificate on the chain that is not part
974 * of the trusted certificates has a good status. If not,
975 * terminate handshake.
977 for (cert
= conn
->server_cert
, depth
= 0; cert
;
978 cert
= cert
->next
, depth
++) {
979 if (!cert
->ocsp_good
) {
980 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
981 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE
);
982 tls_cert_chain_failure_event(
984 TLS_FAIL_UNSPECIFIED
,
985 "bad certificate status response");
988 if (cert
->issuer_trusted
)
993 if ((conn
->flags
& TLS_CONN_REQUIRE_OCSP
) && res
!= TLS_OCSP_GOOD
) {
994 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
995 res
== TLS_OCSP_INVALID
? TLS_ALERT_DECODE_ERROR
:
996 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE
);
997 if (conn
->server_cert
)
998 tls_cert_chain_failure_event(
999 conn
, 0, conn
->server_cert
,
1000 TLS_FAIL_UNSPECIFIED
,
1001 "bad certificate status response");
1005 conn
->ocsp_resp_received
= 1;
1008 *in_len
= end
- in_data
;
1010 conn
->state
= SERVER_KEY_EXCHANGE
;
1016 static int tls_process_server_key_exchange(struct tlsv1_client
*conn
, u8 ct
,
1017 const u8
*in_data
, size_t *in_len
)
1019 const u8
*pos
, *end
;
1022 const struct tls_cipher_suite
*suite
;
1024 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
1025 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
1026 "received content type 0x%x", ct
);
1027 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1028 TLS_ALERT_UNEXPECTED_MESSAGE
);
1036 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ServerKeyExchange "
1037 "(Left=%lu)", (unsigned long) left
);
1038 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1043 len
= WPA_GET_BE24(pos
);
1048 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in ServerKeyExchange "
1049 "length (len=%lu != left=%lu)",
1050 (unsigned long) len
, (unsigned long) left
);
1051 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1057 if ((conn
->flags
& TLS_CONN_REQUEST_OCSP
) &&
1058 type
== TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS
)
1059 return tls_process_certificate_status(conn
, ct
, in_data
,
1061 if (type
== TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
)
1062 return tls_process_certificate_request(conn
, ct
, in_data
,
1064 if (type
== TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
)
1065 return tls_process_server_hello_done(conn
, ct
, in_data
,
1067 if (type
!= TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE
) {
1068 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
1069 "message %d (expected ServerKeyExchange/"
1070 "CertificateRequest/ServerHelloDone%s)", type
,
1071 (conn
->flags
& TLS_CONN_REQUEST_OCSP
) ?
1072 "/CertificateStatus" : "");
1073 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1074 TLS_ALERT_UNEXPECTED_MESSAGE
);
1078 wpa_printf(MSG_DEBUG
, "TLSv1: Received ServerKeyExchange");
1080 if (!tls_server_key_exchange_allowed(conn
->rl
.cipher_suite
)) {
1081 wpa_printf(MSG_DEBUG
, "TLSv1: ServerKeyExchange not allowed "
1082 "with the selected cipher suite");
1083 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1084 TLS_ALERT_UNEXPECTED_MESSAGE
);
1088 wpa_hexdump(MSG_DEBUG
, "TLSv1: ServerKeyExchange", pos
, len
);
1089 suite
= tls_get_cipher_suite(conn
->rl
.cipher_suite
);
1090 if (suite
&& (suite
->key_exchange
== TLS_KEY_X_DH_anon
||
1091 suite
->key_exchange
== TLS_KEY_X_DHE_RSA
)) {
1092 if (tlsv1_process_diffie_hellman(conn
, pos
, len
,
1093 suite
->key_exchange
) < 0) {
1094 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1095 TLS_ALERT_DECODE_ERROR
);
1099 wpa_printf(MSG_DEBUG
, "TLSv1: UnexpectedServerKeyExchange");
1100 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1101 TLS_ALERT_UNEXPECTED_MESSAGE
);
1105 *in_len
= end
- in_data
;
1107 conn
->state
= SERVER_CERTIFICATE_REQUEST
;
1113 static int tls_process_certificate_request(struct tlsv1_client
*conn
, u8 ct
,
1114 const u8
*in_data
, size_t *in_len
)
1116 const u8
*pos
, *end
;
1120 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
1121 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
1122 "received content type 0x%x", ct
);
1123 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1124 TLS_ALERT_UNEXPECTED_MESSAGE
);
1132 wpa_printf(MSG_DEBUG
, "TLSv1: Too short CertificateRequest "
1133 "(left=%lu)", (unsigned long) left
);
1134 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1139 len
= WPA_GET_BE24(pos
);
1144 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in CertificateRequest "
1145 "length (len=%lu != left=%lu)",
1146 (unsigned long) len
, (unsigned long) left
);
1147 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1153 if (type
== TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
)
1154 return tls_process_server_hello_done(conn
, ct
, in_data
,
1156 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
) {
1157 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
1158 "message %d (expected CertificateRequest/"
1159 "ServerHelloDone)", type
);
1160 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1161 TLS_ALERT_UNEXPECTED_MESSAGE
);
1165 wpa_printf(MSG_DEBUG
, "TLSv1: Received CertificateRequest");
1167 conn
->certificate_requested
= 1;
1169 *in_len
= end
- in_data
;
1171 conn
->state
= SERVER_HELLO_DONE
;
1177 static int tls_process_server_hello_done(struct tlsv1_client
*conn
, u8 ct
,
1178 const u8
*in_data
, size_t *in_len
)
1180 const u8
*pos
, *end
;
1184 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
1185 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
1186 "received content type 0x%x", ct
);
1187 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1188 TLS_ALERT_UNEXPECTED_MESSAGE
);
1196 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ServerHelloDone "
1197 "(left=%lu)", (unsigned long) left
);
1198 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1203 len
= WPA_GET_BE24(pos
);
1208 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in ServerHelloDone "
1209 "length (len=%lu != left=%lu)",
1210 (unsigned long) len
, (unsigned long) left
);
1211 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1216 if (type
!= TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
) {
1217 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
1218 "message %d (expected ServerHelloDone)", type
);
1219 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1220 TLS_ALERT_UNEXPECTED_MESSAGE
);
1224 wpa_printf(MSG_DEBUG
, "TLSv1: Received ServerHelloDone");
1226 if ((conn
->flags
& TLS_CONN_REQUIRE_OCSP
) &&
1227 !conn
->ocsp_resp_received
) {
1228 wpa_printf(MSG_INFO
,
1229 "TLSv1: No OCSP response received - reject handshake");
1230 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1231 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE
);
1235 *in_len
= end
- in_data
;
1237 conn
->state
= CLIENT_KEY_EXCHANGE
;
1243 static int tls_process_server_change_cipher_spec(struct tlsv1_client
*conn
,
1244 u8 ct
, const u8
*in_data
,
1250 if (ct
!= TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC
) {
1251 wpa_printf(MSG_DEBUG
, "TLSv1: Expected ChangeCipherSpec; "
1252 "received content type 0x%x", ct
);
1253 if (conn
->use_session_ticket
) {
1255 wpa_printf(MSG_DEBUG
, "TLSv1: Server may have "
1256 "rejected SessionTicket");
1257 conn
->use_session_ticket
= 0;
1259 /* Notify upper layers that SessionTicket failed */
1260 res
= conn
->session_ticket_cb(
1261 conn
->session_ticket_cb_ctx
, NULL
, 0, NULL
,
1264 wpa_printf(MSG_DEBUG
, "TLSv1: SessionTicket "
1265 "callback indicated failure");
1266 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1267 TLS_ALERT_HANDSHAKE_FAILURE
);
1271 conn
->state
= SERVER_CERTIFICATE
;
1272 return tls_process_certificate(conn
, ct
, in_data
,
1275 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1276 TLS_ALERT_UNEXPECTED_MESSAGE
);
1284 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ChangeCipherSpec");
1285 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
1289 if (*pos
!= TLS_CHANGE_CIPHER_SPEC
) {
1290 wpa_printf(MSG_DEBUG
, "TLSv1: Expected ChangeCipherSpec; "
1291 "received data 0x%x", *pos
);
1292 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1293 TLS_ALERT_UNEXPECTED_MESSAGE
);
1297 wpa_printf(MSG_DEBUG
, "TLSv1: Received ChangeCipherSpec");
1298 if (tlsv1_record_change_read_cipher(&conn
->rl
) < 0) {
1299 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to change read cipher "
1300 "for record layer");
1301 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1302 TLS_ALERT_INTERNAL_ERROR
);
1306 *in_len
= pos
+ 1 - in_data
;
1308 conn
->state
= SERVER_FINISHED
;
1314 static int tls_process_server_finished(struct tlsv1_client
*conn
, u8 ct
,
1315 const u8
*in_data
, size_t *in_len
)
1317 const u8
*pos
, *end
;
1318 size_t left
, len
, hlen
;
1319 u8 verify_data
[TLS_VERIFY_DATA_LEN
];
1320 u8 hash
[MD5_MAC_LEN
+ SHA1_MAC_LEN
];
1322 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
1323 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Finished; "
1324 "received content type 0x%x", ct
);
1325 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1326 TLS_ALERT_UNEXPECTED_MESSAGE
);
1334 wpa_printf(MSG_DEBUG
, "TLSv1: Too short record (left=%lu) for "
1336 (unsigned long) left
);
1337 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1338 TLS_ALERT_DECODE_ERROR
);
1342 if (pos
[0] != TLS_HANDSHAKE_TYPE_FINISHED
) {
1343 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Finished; received "
1344 "type 0x%x", pos
[0]);
1345 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1346 TLS_ALERT_UNEXPECTED_MESSAGE
);
1350 len
= WPA_GET_BE24(pos
+ 1);
1356 wpa_printf(MSG_DEBUG
, "TLSv1: Too short buffer for Finished "
1357 "(len=%lu > left=%lu)",
1358 (unsigned long) len
, (unsigned long) left
);
1359 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1360 TLS_ALERT_DECODE_ERROR
);
1364 if (len
!= TLS_VERIFY_DATA_LEN
) {
1365 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected verify_data length "
1366 "in Finished: %lu (expected %d)",
1367 (unsigned long) len
, TLS_VERIFY_DATA_LEN
);
1368 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1369 TLS_ALERT_DECODE_ERROR
);
1372 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: verify_data in Finished",
1373 pos
, TLS_VERIFY_DATA_LEN
);
1375 #ifdef CONFIG_TLSV12
1376 if (conn
->rl
.tls_version
>= TLS_VERSION_1_2
) {
1377 hlen
= SHA256_MAC_LEN
;
1378 if (conn
->verify
.sha256_server
== NULL
||
1379 crypto_hash_finish(conn
->verify
.sha256_server
, hash
, &hlen
)
1381 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1382 TLS_ALERT_INTERNAL_ERROR
);
1383 conn
->verify
.sha256_server
= NULL
;
1386 conn
->verify
.sha256_server
= NULL
;
1388 #endif /* CONFIG_TLSV12 */
1391 if (conn
->verify
.md5_server
== NULL
||
1392 crypto_hash_finish(conn
->verify
.md5_server
, hash
, &hlen
) < 0) {
1393 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1394 TLS_ALERT_INTERNAL_ERROR
);
1395 conn
->verify
.md5_server
= NULL
;
1396 crypto_hash_finish(conn
->verify
.sha1_server
, NULL
, NULL
);
1397 conn
->verify
.sha1_server
= NULL
;
1400 conn
->verify
.md5_server
= NULL
;
1401 hlen
= SHA1_MAC_LEN
;
1402 if (conn
->verify
.sha1_server
== NULL
||
1403 crypto_hash_finish(conn
->verify
.sha1_server
, hash
+ MD5_MAC_LEN
,
1405 conn
->verify
.sha1_server
= NULL
;
1406 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1407 TLS_ALERT_INTERNAL_ERROR
);
1410 conn
->verify
.sha1_server
= NULL
;
1411 hlen
= MD5_MAC_LEN
+ SHA1_MAC_LEN
;
1413 #ifdef CONFIG_TLSV12
1415 #endif /* CONFIG_TLSV12 */
1417 if (tls_prf(conn
->rl
.tls_version
,
1418 conn
->master_secret
, TLS_MASTER_SECRET_LEN
,
1419 "server finished", hash
, hlen
,
1420 verify_data
, TLS_VERIFY_DATA_LEN
)) {
1421 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive verify_data");
1422 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1423 TLS_ALERT_DECRYPT_ERROR
);
1426 wpa_hexdump_key(MSG_DEBUG
, "TLSv1: verify_data (server)",
1427 verify_data
, TLS_VERIFY_DATA_LEN
);
1429 if (os_memcmp_const(pos
, verify_data
, TLS_VERIFY_DATA_LEN
) != 0) {
1430 wpa_printf(MSG_INFO
, "TLSv1: Mismatch in verify_data");
1431 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1432 TLS_ALERT_DECRYPT_ERROR
);
1436 wpa_printf(MSG_DEBUG
, "TLSv1: Received Finished");
1438 *in_len
= end
- in_data
;
1440 conn
->state
= (conn
->session_resumed
|| conn
->use_session_ticket
) ?
1441 CHANGE_CIPHER_SPEC
: ACK_FINISHED
;
1447 static int tls_process_application_data(struct tlsv1_client
*conn
, u8 ct
,
1448 const u8
*in_data
, size_t *in_len
,
1449 u8
**out_data
, size_t *out_len
)
1454 if (ct
!= TLS_CONTENT_TYPE_APPLICATION_DATA
) {
1455 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Application Data; "
1456 "received content type 0x%x", ct
);
1457 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1458 TLS_ALERT_UNEXPECTED_MESSAGE
);
1465 wpa_hexdump(MSG_DEBUG
, "TLSv1: Application Data included in Handshake",
1468 *out_data
= os_malloc(left
);
1470 os_memcpy(*out_data
, pos
, left
);
1478 int tlsv1_client_process_handshake(struct tlsv1_client
*conn
, u8 ct
,
1479 const u8
*buf
, size_t *len
,
1480 u8
**out_data
, size_t *out_len
)
1482 if (ct
== TLS_CONTENT_TYPE_ALERT
) {
1484 wpa_printf(MSG_DEBUG
, "TLSv1: Alert underflow");
1485 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1486 TLS_ALERT_DECODE_ERROR
);
1489 wpa_printf(MSG_DEBUG
, "TLSv1: Received alert %d:%d",
1492 conn
->state
= FAILED
;
1496 if (ct
== TLS_CONTENT_TYPE_HANDSHAKE
&& *len
>= 4 &&
1497 buf
[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST
) {
1498 size_t hr_len
= WPA_GET_BE24(buf
+ 1);
1499 if (hr_len
> *len
- 4) {
1500 wpa_printf(MSG_DEBUG
, "TLSv1: HelloRequest underflow");
1501 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1502 TLS_ALERT_DECODE_ERROR
);
1505 wpa_printf(MSG_DEBUG
, "TLSv1: Ignored HelloRequest");
1510 switch (conn
->state
) {
1512 if (tls_process_server_hello(conn
, ct
, buf
, len
))
1515 case SERVER_CERTIFICATE
:
1516 if (tls_process_certificate(conn
, ct
, buf
, len
))
1519 case SERVER_KEY_EXCHANGE
:
1520 if (tls_process_server_key_exchange(conn
, ct
, buf
, len
))
1523 case SERVER_CERTIFICATE_REQUEST
:
1524 if (tls_process_certificate_request(conn
, ct
, buf
, len
))
1527 case SERVER_HELLO_DONE
:
1528 if (tls_process_server_hello_done(conn
, ct
, buf
, len
))
1531 case SERVER_CHANGE_CIPHER_SPEC
:
1532 if (tls_process_server_change_cipher_spec(conn
, ct
, buf
, len
))
1535 case SERVER_FINISHED
:
1536 if (tls_process_server_finished(conn
, ct
, buf
, len
))
1541 tls_process_application_data(conn
, ct
, buf
, len
, out_data
,
1546 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected state %d "
1547 "while processing received message",
1552 if (ct
== TLS_CONTENT_TYPE_HANDSHAKE
)
1553 tls_verify_hash_add(&conn
->verify
, buf
, *len
);