]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/tls/tlsv1_client_read.c
projects / thirdparty / hostap.git / blob
? search:


a2cd478e87729199ce4f56a86a724e3cc1049638
[thirdparty/hostap.git] / src / tls / tlsv1_client_read.c
1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 const u8 *in_data, size_t *in_len)
32 {
33 const u8 *pos, *end;
34 size_t left, len, i;
35 u16 cipher_suite;
36 u16 tls_version;
37
38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 "received content type 0x%x", ct);
41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 TLS_ALERT_UNEXPECTED_MESSAGE);
43 return -1;
44 }
45
46 pos = in_data;
47 left = *in_len;
48
49 if (left < 4)
50 goto decode_error;
51
52 /* HandshakeType msg_type */
53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 "message %d (expected ServerHello)", *pos);
56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 TLS_ALERT_UNEXPECTED_MESSAGE);
58 return -1;
59 }
60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61 pos++;
62 /* uint24 length */
63 len = WPA_GET_BE24(pos);
64 pos += 3;
65 left -= 4;
66
67 if (len > left)
68 goto decode_error;
69
70 /* body - ServerHello */
71
72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73 end = pos + len;
74
75 /* ProtocolVersion server_version */
76 if (end - pos < 2)
77 goto decode_error;
78 tls_version = WPA_GET_BE16(pos);
79 if (!tls_version_ok(tls_version)) {
80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 "ServerHello %u.%u", pos[0], pos[1]);
82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 TLS_ALERT_PROTOCOL_VERSION);
84 return -1;
85 }
86 pos += 2;
87
88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 tls_version_str(tls_version));
90 conn->rl.tls_version = tls_version;
91
92 /* Random random */
93 if (end - pos < TLS_RANDOM_LEN)
94 goto decode_error;
95
96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 pos += TLS_RANDOM_LEN;
98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 conn->server_random, TLS_RANDOM_LEN);
100
101 /* SessionID session_id */
102 if (end - pos < 1)
103 goto decode_error;
104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105 goto decode_error;
106 if (conn->session_id_len && conn->session_id_len == *pos &&
107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 pos += 1 + conn->session_id_len;
109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 conn->session_resumed = 1;
111 } else {
112 conn->session_id_len = *pos;
113 pos++;
114 os_memcpy(conn->session_id, pos, conn->session_id_len);
115 pos += conn->session_id_len;
116 }
117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 conn->session_id, conn->session_id_len);
119
120 /* CipherSuite cipher_suite */
121 if (end - pos < 2)
122 goto decode_error;
123 cipher_suite = WPA_GET_BE16(pos);
124 pos += 2;
125 for (i = 0; i < conn->num_cipher_suites; i++) {
126 if (cipher_suite == conn->cipher_suites[i])
127 break;
128 }
129 if (i == conn->num_cipher_suites) {
130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 "cipher suite 0x%04x", cipher_suite);
132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 TLS_ALERT_ILLEGAL_PARAMETER);
134 return -1;
135 }
136
137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 "cipher suite for a resumed connection (0x%04x != "
140 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 TLS_ALERT_ILLEGAL_PARAMETER);
143 return -1;
144 }
145
146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148 "record layer");
149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_INTERNAL_ERROR);
151 return -1;
152 }
153
154 conn->prev_cipher_suite = cipher_suite;
155
156 /* CompressionMethod compression_method */
157 if (end - pos < 1)
158 goto decode_error;
159 if (*pos != TLS_COMPRESSION_NULL) {
160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 "compression 0x%02x", *pos);
162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 TLS_ALERT_ILLEGAL_PARAMETER);
164 return -1;
165 }
166 pos++;
167
168 if (end != pos) {
169 /* TODO: ServerHello extensions */
170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 "end of ServerHello", pos, end - pos);
172 goto decode_error;
173 }
174
175 if (conn->session_ticket_included && conn->session_ticket_cb) {
176 /* TODO: include SessionTicket extension if one was included in
177 * ServerHello */
178 int res = conn->session_ticket_cb(
179 conn->session_ticket_cb_ctx, NULL, 0,
180 conn->client_random, conn->server_random,
181 conn->master_secret);
182 if (res < 0) {
183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 "indicated failure");
185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 TLS_ALERT_HANDSHAKE_FAILURE);
187 return -1;
188 }
189 conn->use_session_ticket = !!res;
190 }
191
192 if ((conn->session_resumed || conn->use_session_ticket) &&
193 tls_derive_keys(conn, NULL, 0)) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 TLS_ALERT_INTERNAL_ERROR);
197 return -1;
198 }
199
200 *in_len = end - in_data;
201
202 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204
205 return 0;
206
207 decode_error:
208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210 return -1;
211 }
212
213
214 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
215 struct x509_certificate *cert)
216 {
217 union tls_event_data ev;
218 struct wpabuf *cert_buf = NULL;
219 #ifdef CONFIG_SHA256
220 u8 hash[32];
221 #endif /* CONFIG_SHA256 */
222 char subject[128];
223
224 if (!conn->event_cb)
225 return;
226
227 os_memset(&ev, 0, sizeof(ev));
228 if (conn->cred->cert_probe || conn->cert_in_cb) {
229 cert_buf = wpabuf_alloc_copy(cert->cert_start,
230 cert->cert_len);
231 ev.peer_cert.cert = cert_buf;
232 }
233 #ifdef CONFIG_SHA256
234 if (cert_buf) {
235 const u8 *addr[1];
236 size_t len[1];
237 addr[0] = wpabuf_head(cert_buf);
238 len[0] = wpabuf_len(cert_buf);
239 if (sha256_vector(1, addr, len, hash) == 0) {
240 ev.peer_cert.hash = hash;
241 ev.peer_cert.hash_len = sizeof(hash);
242 }
243 }
244 #endif /* CONFIG_SHA256 */
245
246 ev.peer_cert.depth = depth;
247 x509_name_string(&cert->subject, subject, sizeof(subject));
248 ev.peer_cert.subject = subject;
249
250 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
251 wpabuf_free(cert_buf);
252 }
253
254
255 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
256 const u8 *in_data, size_t *in_len)
257 {
258 const u8 *pos, *end;
259 size_t left, len, list_len, cert_len, idx;
260 u8 type;
261 struct x509_certificate *chain = NULL, *last = NULL, *cert;
262 int reason;
263
264 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
265 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
266 "received content type 0x%x", ct);
267 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
268 TLS_ALERT_UNEXPECTED_MESSAGE);
269 return -1;
270 }
271
272 pos = in_data;
273 left = *in_len;
274
275 if (left < 4) {
276 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
277 "(len=%lu)", (unsigned long) left);
278 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
279 return -1;
280 }
281
282 type = *pos++;
283 len = WPA_GET_BE24(pos);
284 pos += 3;
285 left -= 4;
286
287 if (len > left) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
289 "length (len=%lu != left=%lu)",
290 (unsigned long) len, (unsigned long) left);
291 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
292 return -1;
293 }
294
295 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
296 return tls_process_server_key_exchange(conn, ct, in_data,
297 in_len);
298 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
299 return tls_process_certificate_request(conn, ct, in_data,
300 in_len);
301 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
302 return tls_process_server_hello_done(conn, ct, in_data,
303 in_len);
304 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
305 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
306 "message %d (expected Certificate/"
307 "ServerKeyExchange/CertificateRequest/"
308 "ServerHelloDone)", type);
309 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
310 TLS_ALERT_UNEXPECTED_MESSAGE);
311 return -1;
312 }
313
314 wpa_printf(MSG_DEBUG,
315 "TLSv1: Received Certificate (certificate_list len %lu)",
316 (unsigned long) len);
317
318 /*
319 * opaque ASN.1Cert<2^24-1>;
320 *
321 * struct {
322 * ASN.1Cert certificate_list<1..2^24-1>;
323 * } Certificate;
324 */
325
326 end = pos + len;
327
328 if (end - pos < 3) {
329 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
330 "(left=%lu)", (unsigned long) left);
331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
332 return -1;
333 }
334
335 list_len = WPA_GET_BE24(pos);
336 pos += 3;
337
338 if ((size_t) (end - pos) != list_len) {
339 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
340 "length (len=%lu left=%lu)",
341 (unsigned long) list_len,
342 (unsigned long) (end - pos));
343 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
344 return -1;
345 }
346
347 idx = 0;
348 while (pos < end) {
349 if (end - pos < 3) {
350 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
351 "certificate_list");
352 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
353 TLS_ALERT_DECODE_ERROR);
354 x509_certificate_chain_free(chain);
355 return -1;
356 }
357
358 cert_len = WPA_GET_BE24(pos);
359 pos += 3;
360
361 if ((size_t) (end - pos) < cert_len) {
362 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
363 "length (len=%lu left=%lu)",
364 (unsigned long) cert_len,
365 (unsigned long) (end - pos));
366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 TLS_ALERT_DECODE_ERROR);
368 x509_certificate_chain_free(chain);
369 return -1;
370 }
371
372 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
373 (unsigned long) idx, (unsigned long) cert_len);
374
375 if (idx == 0) {
376 crypto_public_key_free(conn->server_rsa_key);
377 if (tls_parse_cert(pos, cert_len,
378 &conn->server_rsa_key)) {
379 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
380 "the certificate");
381 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
382 TLS_ALERT_BAD_CERTIFICATE);
383 x509_certificate_chain_free(chain);
384 return -1;
385 }
386 }
387
388 cert = x509_certificate_parse(pos, cert_len);
389 if (cert == NULL) {
390 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
391 "the certificate");
392 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
393 TLS_ALERT_BAD_CERTIFICATE);
394 x509_certificate_chain_free(chain);
395 return -1;
396 }
397
398 tls_peer_cert_event(conn, idx, cert);
399
400 if (last == NULL)
401 chain = cert;
402 else
403 last->next = cert;
404 last = cert;
405
406 idx++;
407 pos += cert_len;
408 }
409
410 if (conn->cred && conn->cred->server_cert_only && chain) {
411 u8 hash[SHA256_MAC_LEN];
412 char buf[128];
413
414 wpa_printf(MSG_DEBUG,
415 "TLSv1: Validate server certificate hash");
416 x509_name_string(&chain->subject, buf, sizeof(buf));
417 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
418 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
419 hash) < 0 ||
420 os_memcmp(conn->cred->srv_cert_hash, hash,
421 SHA256_MAC_LEN) != 0) {
422 wpa_printf(MSG_DEBUG,
423 "TLSv1: Server certificate hash mismatch");
424 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
425 hash, SHA256_MAC_LEN);
426 if (conn->event_cb) {
427 union tls_event_data ev;
428
429 os_memset(&ev, 0, sizeof(ev));
430 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
431 ev.cert_fail.reason_txt =
432 "Server certificate mismatch";
433 ev.cert_fail.subject = buf;
434 conn->event_cb(conn->cb_ctx,
435 TLS_CERT_CHAIN_FAILURE, &ev);
436 }
437 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
438 TLS_ALERT_BAD_CERTIFICATE);
439 x509_certificate_chain_free(chain);
440 return -1;
441 }
442 } else if (conn->cred && conn->cred->cert_probe) {
443 wpa_printf(MSG_DEBUG,
444 "TLSv1: Reject server certificate on probe-only rune");
445 if (conn->event_cb) {
446 union tls_event_data ev;
447 char buf[128];
448
449 os_memset(&ev, 0, sizeof(ev));
450 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
451 ev.cert_fail.reason_txt =
452 "Server certificate chain probe";
453 if (chain) {
454 x509_name_string(&chain->subject, buf,
455 sizeof(buf));
456 ev.cert_fail.subject = buf;
457 }
458 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
459 &ev);
460 }
461 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
462 TLS_ALERT_BAD_CERTIFICATE);
463 x509_certificate_chain_free(chain);
464 return -1;
465 } else if (conn->cred && conn->cred->ca_cert_verify &&
466 x509_certificate_chain_validate(conn->cred->trusted_certs,
467 chain, &reason,
468 conn->disable_time_checks)
469 < 0) {
470 int tls_reason;
471 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
472 "validation failed (reason=%d)", reason);
473 switch (reason) {
474 case X509_VALIDATE_BAD_CERTIFICATE:
475 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
476 break;
477 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
478 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
479 break;
480 case X509_VALIDATE_CERTIFICATE_REVOKED:
481 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
482 break;
483 case X509_VALIDATE_CERTIFICATE_EXPIRED:
484 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
485 break;
486 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
487 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
488 break;
489 case X509_VALIDATE_UNKNOWN_CA:
490 tls_reason = TLS_ALERT_UNKNOWN_CA;
491 break;
492 default:
493 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
494 break;
495 }
496 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
497 x509_certificate_chain_free(chain);
498 return -1;
499 }
500
501 x509_certificate_chain_free(chain);
502
503 *in_len = end - in_data;
504
505 conn->state = SERVER_KEY_EXCHANGE;
506
507 return 0;
508 }
509
510
511 static unsigned int count_bits(const u8 *val, size_t len)
512 {
513 size_t i;
514 unsigned int bits;
515 u8 tmp;
516
517 for (i = 0; i < len; i++) {
518 if (val[i])
519 break;
520 }
521 if (i == len)
522 return 0;
523
524 bits = (len - i - 1) * 8;
525 tmp = val[i];
526 while (tmp) {
527 bits++;
528 tmp >>= 1;
529 }
530
531 return bits;
532 }
533
534
535 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
536 const u8 *buf, size_t len,
537 tls_key_exchange key_exchange)
538 {
539 const u8 *pos, *end, *server_params, *server_params_end;
540 u8 alert;
541 unsigned int bits;
542 u16 val;
543
544 tlsv1_client_free_dh(conn);
545
546 pos = buf;
547 end = buf + len;
548
549 if (end - pos < 3)
550 goto fail;
551 server_params = pos;
552 val = WPA_GET_BE16(pos);
553 pos += 2;
554 if (val == 0 || val > (size_t) (end - pos)) {
555 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
556 goto fail;
557 }
558 conn->dh_p_len = val;
559 bits = count_bits(pos, conn->dh_p_len);
560 if (bits < 768) {
561 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
562 bits);
563 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
564 pos, conn->dh_p_len);
565 goto fail;
566 }
567 conn->dh_p = os_malloc(conn->dh_p_len);
568 if (conn->dh_p == NULL)
569 goto fail;
570 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
571 pos += conn->dh_p_len;
572 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
573 conn->dh_p, conn->dh_p_len);
574
575 if (end - pos < 3)
576 goto fail;
577 val = WPA_GET_BE16(pos);
578 pos += 2;
579 if (val == 0 || val > (size_t) (end - pos))
580 goto fail;
581 conn->dh_g_len = val;
582 conn->dh_g = os_malloc(conn->dh_g_len);
583 if (conn->dh_g == NULL)
584 goto fail;
585 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
586 pos += conn->dh_g_len;
587 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
588 conn->dh_g, conn->dh_g_len);
589 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
590 goto fail;
591
592 if (end - pos < 3)
593 goto fail;
594 val = WPA_GET_BE16(pos);
595 pos += 2;
596 if (val == 0 || val > (size_t) (end - pos))
597 goto fail;
598 conn->dh_ys_len = val;
599 conn->dh_ys = os_malloc(conn->dh_ys_len);
600 if (conn->dh_ys == NULL)
601 goto fail;
602 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
603 pos += conn->dh_ys_len;
604 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
605 conn->dh_ys, conn->dh_ys_len);
606 server_params_end = pos;
607
608 if (key_exchange == TLS_KEY_X_DHE_RSA) {
609 u8 hash[64];
610 int hlen;
611
612 if (conn->rl.tls_version == TLS_VERSION_1_2) {
613 #ifdef CONFIG_TLSV12
614 /*
615 * RFC 5246, 4.7:
616 * TLS v1.2 adds explicit indication of the used
617 * signature and hash algorithms.
618 *
619 * struct {
620 * HashAlgorithm hash;
621 * SignatureAlgorithm signature;
622 * } SignatureAndHashAlgorithm;
623 */
624 if (end - pos < 2)
625 goto fail;
626 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
627 pos[0] != TLS_HASH_ALG_SHA384 &&
628 pos[0] != TLS_HASH_ALG_SHA512) ||
629 pos[1] != TLS_SIGN_ALG_RSA) {
630 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
631 pos[0], pos[1]);
632 goto fail;
633 }
634
635 hlen = tlsv12_key_x_server_params_hash(
636 conn->rl.tls_version, pos[0],
637 conn->client_random,
638 conn->server_random, server_params,
639 server_params_end - server_params, hash);
640 pos += 2;
641 #else /* CONFIG_TLSV12 */
642 goto fail;
643 #endif /* CONFIG_TLSV12 */
644 } else {
645 hlen = tls_key_x_server_params_hash(
646 conn->rl.tls_version, conn->client_random,
647 conn->server_random, server_params,
648 server_params_end - server_params, hash);
649 }
650
651 if (hlen < 0)
652 goto fail;
653 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
654 hash, hlen);
655
656 if (tls_verify_signature(conn->rl.tls_version,
657 conn->server_rsa_key,
658 hash, hlen, pos, end - pos,
659 &alert) < 0)
660 goto fail;
661 }
662
663 return 0;
664
665 fail:
666 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
667 tlsv1_client_free_dh(conn);
668 return -1;
669 }
670
671
672 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
673 const u8 *in_data, size_t *in_len)
674 {
675 const u8 *pos, *end;
676 size_t left, len;
677 u8 type;
678 const struct tls_cipher_suite *suite;
679
680 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
681 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
682 "received content type 0x%x", ct);
683 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
684 TLS_ALERT_UNEXPECTED_MESSAGE);
685 return -1;
686 }
687
688 pos = in_data;
689 left = *in_len;
690
691 if (left < 4) {
692 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
693 "(Left=%lu)", (unsigned long) left);
694 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
695 return -1;
696 }
697
698 type = *pos++;
699 len = WPA_GET_BE24(pos);
700 pos += 3;
701 left -= 4;
702
703 if (len > left) {
704 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
705 "length (len=%lu != left=%lu)",
706 (unsigned long) len, (unsigned long) left);
707 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
708 return -1;
709 }
710
711 end = pos + len;
712
713 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
714 return tls_process_certificate_request(conn, ct, in_data,
715 in_len);
716 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
717 return tls_process_server_hello_done(conn, ct, in_data,
718 in_len);
719 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
720 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
721 "message %d (expected ServerKeyExchange/"
722 "CertificateRequest/ServerHelloDone)", type);
723 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
724 TLS_ALERT_UNEXPECTED_MESSAGE);
725 return -1;
726 }
727
728 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
729
730 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
731 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
732 "with the selected cipher suite");
733 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
734 TLS_ALERT_UNEXPECTED_MESSAGE);
735 return -1;
736 }
737
738 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
739 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
740 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
741 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
742 if (tlsv1_process_diffie_hellman(conn, pos, len,
743 suite->key_exchange) < 0) {
744 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
745 TLS_ALERT_DECODE_ERROR);
746 return -1;
747 }
748 } else {
749 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
750 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
751 TLS_ALERT_UNEXPECTED_MESSAGE);
752 return -1;
753 }
754
755 *in_len = end - in_data;
756
757 conn->state = SERVER_CERTIFICATE_REQUEST;
758
759 return 0;
760 }
761
762
763 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
764 const u8 *in_data, size_t *in_len)
765 {
766 const u8 *pos, *end;
767 size_t left, len;
768 u8 type;
769
770 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
771 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
772 "received content type 0x%x", ct);
773 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
774 TLS_ALERT_UNEXPECTED_MESSAGE);
775 return -1;
776 }
777
778 pos = in_data;
779 left = *in_len;
780
781 if (left < 4) {
782 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
783 "(left=%lu)", (unsigned long) left);
784 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
785 return -1;
786 }
787
788 type = *pos++;
789 len = WPA_GET_BE24(pos);
790 pos += 3;
791 left -= 4;
792
793 if (len > left) {
794 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
795 "length (len=%lu != left=%lu)",
796 (unsigned long) len, (unsigned long) left);
797 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
798 return -1;
799 }
800
801 end = pos + len;
802
803 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
804 return tls_process_server_hello_done(conn, ct, in_data,
805 in_len);
806 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
807 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
808 "message %d (expected CertificateRequest/"
809 "ServerHelloDone)", type);
810 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
811 TLS_ALERT_UNEXPECTED_MESSAGE);
812 return -1;
813 }
814
815 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
816
817 conn->certificate_requested = 1;
818
819 *in_len = end - in_data;
820
821 conn->state = SERVER_HELLO_DONE;
822
823 return 0;
824 }
825
826
827 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
828 const u8 *in_data, size_t *in_len)
829 {
830 const u8 *pos, *end;
831 size_t left, len;
832 u8 type;
833
834 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
835 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
836 "received content type 0x%x", ct);
837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
838 TLS_ALERT_UNEXPECTED_MESSAGE);
839 return -1;
840 }
841
842 pos = in_data;
843 left = *in_len;
844
845 if (left < 4) {
846 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
847 "(left=%lu)", (unsigned long) left);
848 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
849 return -1;
850 }
851
852 type = *pos++;
853 len = WPA_GET_BE24(pos);
854 pos += 3;
855 left -= 4;
856
857 if (len > left) {
858 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
859 "length (len=%lu != left=%lu)",
860 (unsigned long) len, (unsigned long) left);
861 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
862 return -1;
863 }
864 end = pos + len;
865
866 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
867 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
868 "message %d (expected ServerHelloDone)", type);
869 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
870 TLS_ALERT_UNEXPECTED_MESSAGE);
871 return -1;
872 }
873
874 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
875
876 *in_len = end - in_data;
877
878 conn->state = CLIENT_KEY_EXCHANGE;
879
880 return 0;
881 }
882
883
884 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
885 u8 ct, const u8 *in_data,
886 size_t *in_len)
887 {
888 const u8 *pos;
889 size_t left;
890
891 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
892 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
893 "received content type 0x%x", ct);
894 if (conn->use_session_ticket) {
895 int res;
896 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
897 "rejected SessionTicket");
898 conn->use_session_ticket = 0;
899
900 /* Notify upper layers that SessionTicket failed */
901 res = conn->session_ticket_cb(
902 conn->session_ticket_cb_ctx, NULL, 0, NULL,
903 NULL, NULL);
904 if (res < 0) {
905 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
906 "callback indicated failure");
907 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
908 TLS_ALERT_HANDSHAKE_FAILURE);
909 return -1;
910 }
911
912 conn->state = SERVER_CERTIFICATE;
913 return tls_process_certificate(conn, ct, in_data,
914 in_len);
915 }
916 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
917 TLS_ALERT_UNEXPECTED_MESSAGE);
918 return -1;
919 }
920
921 pos = in_data;
922 left = *in_len;
923
924 if (left < 1) {
925 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
926 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
927 return -1;
928 }
929
930 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
931 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
932 "received data 0x%x", *pos);
933 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
934 TLS_ALERT_UNEXPECTED_MESSAGE);
935 return -1;
936 }
937
938 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
939 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
940 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
941 "for record layer");
942 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
943 TLS_ALERT_INTERNAL_ERROR);
944 return -1;
945 }
946
947 *in_len = pos + 1 - in_data;
948
949 conn->state = SERVER_FINISHED;
950
951 return 0;
952 }
953
954
955 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
956 const u8 *in_data, size_t *in_len)
957 {
958 const u8 *pos, *end;
959 size_t left, len, hlen;
960 u8 verify_data[TLS_VERIFY_DATA_LEN];
961 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
962
963 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
964 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
965 "received content type 0x%x", ct);
966 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
967 TLS_ALERT_UNEXPECTED_MESSAGE);
968 return -1;
969 }
970
971 pos = in_data;
972 left = *in_len;
973
974 if (left < 4) {
975 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
976 "Finished",
977 (unsigned long) left);
978 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
979 TLS_ALERT_DECODE_ERROR);
980 return -1;
981 }
982
983 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
984 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
985 "type 0x%x", pos[0]);
986 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
987 TLS_ALERT_UNEXPECTED_MESSAGE);
988 return -1;
989 }
990
991 len = WPA_GET_BE24(pos + 1);
992
993 pos += 4;
994 left -= 4;
995
996 if (len > left) {
997 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
998 "(len=%lu > left=%lu)",
999 (unsigned long) len, (unsigned long) left);
1000 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1001 TLS_ALERT_DECODE_ERROR);
1002 return -1;
1003 }
1004 end = pos + len;
1005 if (len != TLS_VERIFY_DATA_LEN) {
1006 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1007 "in Finished: %lu (expected %d)",
1008 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1009 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1010 TLS_ALERT_DECODE_ERROR);
1011 return -1;
1012 }
1013 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1014 pos, TLS_VERIFY_DATA_LEN);
1015
1016 #ifdef CONFIG_TLSV12
1017 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1018 hlen = SHA256_MAC_LEN;
1019 if (conn->verify.sha256_server == NULL ||
1020 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1021 < 0) {
1022 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023 TLS_ALERT_INTERNAL_ERROR);
1024 conn->verify.sha256_server = NULL;
1025 return -1;
1026 }
1027 conn->verify.sha256_server = NULL;
1028 } else {
1029 #endif /* CONFIG_TLSV12 */
1030
1031 hlen = MD5_MAC_LEN;
1032 if (conn->verify.md5_server == NULL ||
1033 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1034 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1035 TLS_ALERT_INTERNAL_ERROR);
1036 conn->verify.md5_server = NULL;
1037 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1038 conn->verify.sha1_server = NULL;
1039 return -1;
1040 }
1041 conn->verify.md5_server = NULL;
1042 hlen = SHA1_MAC_LEN;
1043 if (conn->verify.sha1_server == NULL ||
1044 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1045 &hlen) < 0) {
1046 conn->verify.sha1_server = NULL;
1047 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1048 TLS_ALERT_INTERNAL_ERROR);
1049 return -1;
1050 }
1051 conn->verify.sha1_server = NULL;
1052 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1053
1054 #ifdef CONFIG_TLSV12
1055 }
1056 #endif /* CONFIG_TLSV12 */
1057
1058 if (tls_prf(conn->rl.tls_version,
1059 conn->master_secret, TLS_MASTER_SECRET_LEN,
1060 "server finished", hash, hlen,
1061 verify_data, TLS_VERIFY_DATA_LEN)) {
1062 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1063 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1064 TLS_ALERT_DECRYPT_ERROR);
1065 return -1;
1066 }
1067 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1068 verify_data, TLS_VERIFY_DATA_LEN);
1069
1070 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1071 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1072 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1073 TLS_ALERT_DECRYPT_ERROR);
1074 return -1;
1075 }
1076
1077 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1078
1079 *in_len = end - in_data;
1080
1081 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1082 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1083
1084 return 0;
1085 }
1086
1087
1088 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1089 const u8 *in_data, size_t *in_len,
1090 u8 **out_data, size_t *out_len)
1091 {
1092 const u8 *pos;
1093 size_t left;
1094
1095 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1096 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1097 "received content type 0x%x", ct);
1098 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1099 TLS_ALERT_UNEXPECTED_MESSAGE);
1100 return -1;
1101 }
1102
1103 pos = in_data;
1104 left = *in_len;
1105
1106 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1107 pos, left);
1108
1109 *out_data = os_malloc(left);
1110 if (*out_data) {
1111 os_memcpy(*out_data, pos, left);
1112 *out_len = left;
1113 }
1114
1115 return 0;
1116 }
1117
1118
1119 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1120 const u8 *buf, size_t *len,
1121 u8 **out_data, size_t *out_len)
1122 {
1123 if (ct == TLS_CONTENT_TYPE_ALERT) {
1124 if (*len < 2) {
1125 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1126 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1127 TLS_ALERT_DECODE_ERROR);
1128 return -1;
1129 }
1130 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1131 buf[0], buf[1]);
1132 *len = 2;
1133 conn->state = FAILED;
1134 return -1;
1135 }
1136
1137 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1138 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1139 size_t hr_len = WPA_GET_BE24(buf + 1);
1140 if (hr_len > *len - 4) {
1141 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1142 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1143 TLS_ALERT_DECODE_ERROR);
1144 return -1;
1145 }
1146 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1147 *len = 4 + hr_len;
1148 return 0;
1149 }
1150
1151 switch (conn->state) {
1152 case SERVER_HELLO:
1153 if (tls_process_server_hello(conn, ct, buf, len))
1154 return -1;
1155 break;
1156 case SERVER_CERTIFICATE:
1157 if (tls_process_certificate(conn, ct, buf, len))
1158 return -1;
1159 break;
1160 case SERVER_KEY_EXCHANGE:
1161 if (tls_process_server_key_exchange(conn, ct, buf, len))
1162 return -1;
1163 break;
1164 case SERVER_CERTIFICATE_REQUEST:
1165 if (tls_process_certificate_request(conn, ct, buf, len))
1166 return -1;
1167 break;
1168 case SERVER_HELLO_DONE:
1169 if (tls_process_server_hello_done(conn, ct, buf, len))
1170 return -1;
1171 break;
1172 case SERVER_CHANGE_CIPHER_SPEC:
1173 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1174 return -1;
1175 break;
1176 case SERVER_FINISHED:
1177 if (tls_process_server_finished(conn, ct, buf, len))
1178 return -1;
1179 break;
1180 case ACK_FINISHED:
1181 if (out_data &&
1182 tls_process_application_data(conn, ct, buf, len, out_data,
1183 out_len))
1184 return -1;
1185 break;
1186 default:
1187 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1188 "while processing received message",
1189 conn->state);
1190 return -1;
1191 }
1192
1193 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1194 tls_verify_hash_add(&conn->verify, buf, *len);
1195
1196 return 0;
1197 }
Unnamed repository; edit this file 'description' to name the repository.