2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
22 static int tls_process_server_key_exchange(struct tlsv1_client
*conn
, u8 ct
,
23 const u8
*in_data
, size_t *in_len
);
24 static int tls_process_certificate_request(struct tlsv1_client
*conn
, u8 ct
,
25 const u8
*in_data
, size_t *in_len
);
26 static int tls_process_server_hello_done(struct tlsv1_client
*conn
, u8 ct
,
27 const u8
*in_data
, size_t *in_len
);
30 static int tls_process_server_hello(struct tlsv1_client
*conn
, u8 ct
,
31 const u8
*in_data
, size_t *in_len
)
38 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
39 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
40 "received content type 0x%x", ct
);
41 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
42 TLS_ALERT_UNEXPECTED_MESSAGE
);
52 /* HandshakeType msg_type */
53 if (*pos
!= TLS_HANDSHAKE_TYPE_SERVER_HELLO
) {
54 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
55 "message %d (expected ServerHello)", *pos
);
56 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
57 TLS_ALERT_UNEXPECTED_MESSAGE
);
60 wpa_printf(MSG_DEBUG
, "TLSv1: Received ServerHello");
63 len
= WPA_GET_BE24(pos
);
70 /* body - ServerHello */
72 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ServerHello", pos
, len
);
75 /* ProtocolVersion server_version */
78 tls_version
= WPA_GET_BE16(pos
);
79 if (!tls_version_ok(tls_version
)) {
80 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected protocol version in "
81 "ServerHello %u.%u", pos
[0], pos
[1]);
82 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
83 TLS_ALERT_PROTOCOL_VERSION
);
88 wpa_printf(MSG_DEBUG
, "TLSv1: Using TLS v%s",
89 tls_version_str(tls_version
));
90 conn
->rl
.tls_version
= tls_version
;
93 if (end
- pos
< TLS_RANDOM_LEN
)
96 os_memcpy(conn
->server_random
, pos
, TLS_RANDOM_LEN
);
97 pos
+= TLS_RANDOM_LEN
;
98 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: server_random",
99 conn
->server_random
, TLS_RANDOM_LEN
);
101 /* SessionID session_id */
104 if (end
- pos
< 1 + *pos
|| *pos
> TLS_SESSION_ID_MAX_LEN
)
106 if (conn
->session_id_len
&& conn
->session_id_len
== *pos
&&
107 os_memcmp(conn
->session_id
, pos
+ 1, conn
->session_id_len
) == 0) {
108 pos
+= 1 + conn
->session_id_len
;
109 wpa_printf(MSG_DEBUG
, "TLSv1: Resuming old session");
110 conn
->session_resumed
= 1;
112 conn
->session_id_len
= *pos
;
114 os_memcpy(conn
->session_id
, pos
, conn
->session_id_len
);
115 pos
+= conn
->session_id_len
;
117 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: session_id",
118 conn
->session_id
, conn
->session_id_len
);
120 /* CipherSuite cipher_suite */
123 cipher_suite
= WPA_GET_BE16(pos
);
125 for (i
= 0; i
< conn
->num_cipher_suites
; i
++) {
126 if (cipher_suite
== conn
->cipher_suites
[i
])
129 if (i
== conn
->num_cipher_suites
) {
130 wpa_printf(MSG_INFO
, "TLSv1: Server selected unexpected "
131 "cipher suite 0x%04x", cipher_suite
);
132 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
133 TLS_ALERT_ILLEGAL_PARAMETER
);
137 if (conn
->session_resumed
&& cipher_suite
!= conn
->prev_cipher_suite
) {
138 wpa_printf(MSG_DEBUG
, "TLSv1: Server selected a different "
139 "cipher suite for a resumed connection (0x%04x != "
140 "0x%04x)", cipher_suite
, conn
->prev_cipher_suite
);
141 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
142 TLS_ALERT_ILLEGAL_PARAMETER
);
146 if (tlsv1_record_set_cipher_suite(&conn
->rl
, cipher_suite
) < 0) {
147 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to set CipherSuite for "
149 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
150 TLS_ALERT_INTERNAL_ERROR
);
154 conn
->prev_cipher_suite
= cipher_suite
;
156 /* CompressionMethod compression_method */
159 if (*pos
!= TLS_COMPRESSION_NULL
) {
160 wpa_printf(MSG_INFO
, "TLSv1: Server selected unexpected "
161 "compression 0x%02x", *pos
);
162 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
163 TLS_ALERT_ILLEGAL_PARAMETER
);
169 /* TODO: ServerHello extensions */
170 wpa_hexdump(MSG_DEBUG
, "TLSv1: Unexpected extra data in the "
171 "end of ServerHello", pos
, end
- pos
);
175 if (conn
->session_ticket_included
&& conn
->session_ticket_cb
) {
176 /* TODO: include SessionTicket extension if one was included in
178 int res
= conn
->session_ticket_cb(
179 conn
->session_ticket_cb_ctx
, NULL
, 0,
180 conn
->client_random
, conn
->server_random
,
181 conn
->master_secret
);
183 wpa_printf(MSG_DEBUG
, "TLSv1: SessionTicket callback "
184 "indicated failure");
185 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
186 TLS_ALERT_HANDSHAKE_FAILURE
);
189 conn
->use_session_ticket
= !!res
;
192 if ((conn
->session_resumed
|| conn
->use_session_ticket
) &&
193 tls_derive_keys(conn
, NULL
, 0)) {
194 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive keys");
195 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
196 TLS_ALERT_INTERNAL_ERROR
);
200 *in_len
= end
- in_data
;
202 conn
->state
= (conn
->session_resumed
|| conn
->use_session_ticket
) ?
203 SERVER_CHANGE_CIPHER_SPEC
: SERVER_CERTIFICATE
;
208 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to decode ServerHello");
209 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
214 static void tls_peer_cert_event(struct tlsv1_client
*conn
, int depth
,
215 struct x509_certificate
*cert
)
217 union tls_event_data ev
;
218 struct wpabuf
*cert_buf
= NULL
;
221 #endif /* CONFIG_SHA256 */
227 os_memset(&ev
, 0, sizeof(ev
));
228 if (conn
->cred
->cert_probe
|| conn
->cert_in_cb
) {
229 cert_buf
= wpabuf_alloc_copy(cert
->cert_start
,
231 ev
.peer_cert
.cert
= cert_buf
;
237 addr
[0] = wpabuf_head(cert_buf
);
238 len
[0] = wpabuf_len(cert_buf
);
239 if (sha256_vector(1, addr
, len
, hash
) == 0) {
240 ev
.peer_cert
.hash
= hash
;
241 ev
.peer_cert
.hash_len
= sizeof(hash
);
244 #endif /* CONFIG_SHA256 */
246 ev
.peer_cert
.depth
= depth
;
247 x509_name_string(&cert
->subject
, subject
, sizeof(subject
));
248 ev
.peer_cert
.subject
= subject
;
250 conn
->event_cb(conn
->cb_ctx
, TLS_PEER_CERTIFICATE
, &ev
);
251 wpabuf_free(cert_buf
);
255 static int tls_process_certificate(struct tlsv1_client
*conn
, u8 ct
,
256 const u8
*in_data
, size_t *in_len
)
259 size_t left
, len
, list_len
, cert_len
, idx
;
261 struct x509_certificate
*chain
= NULL
, *last
= NULL
, *cert
;
264 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
265 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
266 "received content type 0x%x", ct
);
267 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
268 TLS_ALERT_UNEXPECTED_MESSAGE
);
276 wpa_printf(MSG_DEBUG
, "TLSv1: Too short Certificate message "
277 "(len=%lu)", (unsigned long) left
);
278 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
283 len
= WPA_GET_BE24(pos
);
288 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected Certificate message "
289 "length (len=%lu != left=%lu)",
290 (unsigned long) len
, (unsigned long) left
);
291 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
295 if (type
== TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE
)
296 return tls_process_server_key_exchange(conn
, ct
, in_data
,
298 if (type
== TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
)
299 return tls_process_certificate_request(conn
, ct
, in_data
,
301 if (type
== TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
)
302 return tls_process_server_hello_done(conn
, ct
, in_data
,
304 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE
) {
305 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
306 "message %d (expected Certificate/"
307 "ServerKeyExchange/CertificateRequest/"
308 "ServerHelloDone)", type
);
309 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
310 TLS_ALERT_UNEXPECTED_MESSAGE
);
314 wpa_printf(MSG_DEBUG
,
315 "TLSv1: Received Certificate (certificate_list len %lu)",
316 (unsigned long) len
);
319 * opaque ASN.1Cert<2^24-1>;
322 * ASN.1Cert certificate_list<1..2^24-1>;
329 wpa_printf(MSG_DEBUG
, "TLSv1: Too short Certificate "
330 "(left=%lu)", (unsigned long) left
);
331 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
335 list_len
= WPA_GET_BE24(pos
);
338 if ((size_t) (end
- pos
) != list_len
) {
339 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected certificate_list "
340 "length (len=%lu left=%lu)",
341 (unsigned long) list_len
,
342 (unsigned long) (end
- pos
));
343 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
350 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
352 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
353 TLS_ALERT_DECODE_ERROR
);
354 x509_certificate_chain_free(chain
);
358 cert_len
= WPA_GET_BE24(pos
);
361 if ((size_t) (end
- pos
) < cert_len
) {
362 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected certificate "
363 "length (len=%lu left=%lu)",
364 (unsigned long) cert_len
,
365 (unsigned long) (end
- pos
));
366 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
367 TLS_ALERT_DECODE_ERROR
);
368 x509_certificate_chain_free(chain
);
372 wpa_printf(MSG_DEBUG
, "TLSv1: Certificate %lu (len %lu)",
373 (unsigned long) idx
, (unsigned long) cert_len
);
376 crypto_public_key_free(conn
->server_rsa_key
);
377 if (tls_parse_cert(pos
, cert_len
,
378 &conn
->server_rsa_key
)) {
379 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
381 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
382 TLS_ALERT_BAD_CERTIFICATE
);
383 x509_certificate_chain_free(chain
);
388 cert
= x509_certificate_parse(pos
, cert_len
);
390 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
392 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
393 TLS_ALERT_BAD_CERTIFICATE
);
394 x509_certificate_chain_free(chain
);
398 tls_peer_cert_event(conn
, idx
, cert
);
410 if (conn
->cred
&& conn
->cred
->server_cert_only
&& chain
) {
411 u8 hash
[SHA256_MAC_LEN
];
414 wpa_printf(MSG_DEBUG
,
415 "TLSv1: Validate server certificate hash");
416 x509_name_string(&chain
->subject
, buf
, sizeof(buf
));
417 wpa_printf(MSG_DEBUG
, "TLSv1: 0: %s", buf
);
418 if (sha256_vector(1, &chain
->cert_start
, &chain
->cert_len
,
420 os_memcmp(conn
->cred
->srv_cert_hash
, hash
,
421 SHA256_MAC_LEN
) != 0) {
422 wpa_printf(MSG_DEBUG
,
423 "TLSv1: Server certificate hash mismatch");
424 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: SHA256 hash",
425 hash
, SHA256_MAC_LEN
);
426 if (conn
->event_cb
) {
427 union tls_event_data ev
;
429 os_memset(&ev
, 0, sizeof(ev
));
430 ev
.cert_fail
.reason
= TLS_FAIL_UNSPECIFIED
;
431 ev
.cert_fail
.reason_txt
=
432 "Server certificate mismatch";
433 ev
.cert_fail
.subject
= buf
;
434 conn
->event_cb(conn
->cb_ctx
,
435 TLS_CERT_CHAIN_FAILURE
, &ev
);
437 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
438 TLS_ALERT_BAD_CERTIFICATE
);
439 x509_certificate_chain_free(chain
);
442 } else if (conn
->cred
&& conn
->cred
->cert_probe
) {
443 wpa_printf(MSG_DEBUG
,
444 "TLSv1: Reject server certificate on probe-only rune");
445 if (conn
->event_cb
) {
446 union tls_event_data ev
;
449 os_memset(&ev
, 0, sizeof(ev
));
450 ev
.cert_fail
.reason
= TLS_FAIL_SERVER_CHAIN_PROBE
;
451 ev
.cert_fail
.reason_txt
=
452 "Server certificate chain probe";
454 x509_name_string(&chain
->subject
, buf
,
456 ev
.cert_fail
.subject
= buf
;
458 conn
->event_cb(conn
->cb_ctx
, TLS_CERT_CHAIN_FAILURE
,
461 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
462 TLS_ALERT_BAD_CERTIFICATE
);
463 x509_certificate_chain_free(chain
);
465 } else if (conn
->cred
&& conn
->cred
->ca_cert_verify
&&
466 x509_certificate_chain_validate(conn
->cred
->trusted_certs
,
468 conn
->disable_time_checks
)
471 wpa_printf(MSG_DEBUG
, "TLSv1: Server certificate chain "
472 "validation failed (reason=%d)", reason
);
474 case X509_VALIDATE_BAD_CERTIFICATE
:
475 tls_reason
= TLS_ALERT_BAD_CERTIFICATE
;
477 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE
:
478 tls_reason
= TLS_ALERT_UNSUPPORTED_CERTIFICATE
;
480 case X509_VALIDATE_CERTIFICATE_REVOKED
:
481 tls_reason
= TLS_ALERT_CERTIFICATE_REVOKED
;
483 case X509_VALIDATE_CERTIFICATE_EXPIRED
:
484 tls_reason
= TLS_ALERT_CERTIFICATE_EXPIRED
;
486 case X509_VALIDATE_CERTIFICATE_UNKNOWN
:
487 tls_reason
= TLS_ALERT_CERTIFICATE_UNKNOWN
;
489 case X509_VALIDATE_UNKNOWN_CA
:
490 tls_reason
= TLS_ALERT_UNKNOWN_CA
;
493 tls_reason
= TLS_ALERT_BAD_CERTIFICATE
;
496 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, tls_reason
);
497 x509_certificate_chain_free(chain
);
501 x509_certificate_chain_free(chain
);
503 *in_len
= end
- in_data
;
505 conn
->state
= SERVER_KEY_EXCHANGE
;
511 static unsigned int count_bits(const u8
*val
, size_t len
)
517 for (i
= 0; i
< len
; i
++) {
524 bits
= (len
- i
- 1) * 8;
535 static int tlsv1_process_diffie_hellman(struct tlsv1_client
*conn
,
536 const u8
*buf
, size_t len
,
537 tls_key_exchange key_exchange
)
539 const u8
*pos
, *end
, *server_params
, *server_params_end
;
544 tlsv1_client_free_dh(conn
);
552 val
= WPA_GET_BE16(pos
);
554 if (val
== 0 || val
> (size_t) (end
- pos
)) {
555 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid dh_p length %u", val
);
558 conn
->dh_p_len
= val
;
559 bits
= count_bits(pos
, conn
->dh_p_len
);
561 wpa_printf(MSG_INFO
, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
563 wpa_hexdump(MSG_DEBUG
, "TLSv1: Rejected DH prime",
564 pos
, conn
->dh_p_len
);
567 conn
->dh_p
= os_malloc(conn
->dh_p_len
);
568 if (conn
->dh_p
== NULL
)
570 os_memcpy(conn
->dh_p
, pos
, conn
->dh_p_len
);
571 pos
+= conn
->dh_p_len
;
572 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH p (prime)",
573 conn
->dh_p
, conn
->dh_p_len
);
577 val
= WPA_GET_BE16(pos
);
579 if (val
== 0 || val
> (size_t) (end
- pos
))
581 conn
->dh_g_len
= val
;
582 conn
->dh_g
= os_malloc(conn
->dh_g_len
);
583 if (conn
->dh_g
== NULL
)
585 os_memcpy(conn
->dh_g
, pos
, conn
->dh_g_len
);
586 pos
+= conn
->dh_g_len
;
587 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH g (generator)",
588 conn
->dh_g
, conn
->dh_g_len
);
589 if (conn
->dh_g_len
== 1 && conn
->dh_g
[0] < 2)
594 val
= WPA_GET_BE16(pos
);
596 if (val
== 0 || val
> (size_t) (end
- pos
))
598 conn
->dh_ys_len
= val
;
599 conn
->dh_ys
= os_malloc(conn
->dh_ys_len
);
600 if (conn
->dh_ys
== NULL
)
602 os_memcpy(conn
->dh_ys
, pos
, conn
->dh_ys_len
);
603 pos
+= conn
->dh_ys_len
;
604 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH Ys (server's public value)",
605 conn
->dh_ys
, conn
->dh_ys_len
);
606 server_params_end
= pos
;
608 if (key_exchange
== TLS_KEY_X_DHE_RSA
) {
612 if (conn
->rl
.tls_version
== TLS_VERSION_1_2
) {
616 * TLS v1.2 adds explicit indication of the used
617 * signature and hash algorithms.
620 * HashAlgorithm hash;
621 * SignatureAlgorithm signature;
622 * } SignatureAndHashAlgorithm;
626 if ((pos
[0] != TLS_HASH_ALG_SHA256
&&
627 pos
[0] != TLS_HASH_ALG_SHA384
&&
628 pos
[0] != TLS_HASH_ALG_SHA512
) ||
629 pos
[1] != TLS_SIGN_ALG_RSA
) {
630 wpa_printf(MSG_DEBUG
, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
635 hlen
= tlsv12_key_x_server_params_hash(
636 conn
->rl
.tls_version
, pos
[0],
638 conn
->server_random
, server_params
,
639 server_params_end
- server_params
, hash
);
641 #else /* CONFIG_TLSV12 */
643 #endif /* CONFIG_TLSV12 */
645 hlen
= tls_key_x_server_params_hash(
646 conn
->rl
.tls_version
, conn
->client_random
,
647 conn
->server_random
, server_params
,
648 server_params_end
- server_params
, hash
);
653 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ServerKeyExchange hash",
656 if (tls_verify_signature(conn
->rl
.tls_version
,
657 conn
->server_rsa_key
,
658 hash
, hlen
, pos
, end
- pos
,
666 wpa_printf(MSG_DEBUG
, "TLSv1: Processing DH params failed");
667 tlsv1_client_free_dh(conn
);
672 static int tls_process_server_key_exchange(struct tlsv1_client
*conn
, u8 ct
,
673 const u8
*in_data
, size_t *in_len
)
678 const struct tls_cipher_suite
*suite
;
680 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
681 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
682 "received content type 0x%x", ct
);
683 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
684 TLS_ALERT_UNEXPECTED_MESSAGE
);
692 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ServerKeyExchange "
693 "(Left=%lu)", (unsigned long) left
);
694 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
699 len
= WPA_GET_BE24(pos
);
704 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in ServerKeyExchange "
705 "length (len=%lu != left=%lu)",
706 (unsigned long) len
, (unsigned long) left
);
707 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
713 if (type
== TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
)
714 return tls_process_certificate_request(conn
, ct
, in_data
,
716 if (type
== TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
)
717 return tls_process_server_hello_done(conn
, ct
, in_data
,
719 if (type
!= TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE
) {
720 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
721 "message %d (expected ServerKeyExchange/"
722 "CertificateRequest/ServerHelloDone)", type
);
723 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
724 TLS_ALERT_UNEXPECTED_MESSAGE
);
728 wpa_printf(MSG_DEBUG
, "TLSv1: Received ServerKeyExchange");
730 if (!tls_server_key_exchange_allowed(conn
->rl
.cipher_suite
)) {
731 wpa_printf(MSG_DEBUG
, "TLSv1: ServerKeyExchange not allowed "
732 "with the selected cipher suite");
733 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
734 TLS_ALERT_UNEXPECTED_MESSAGE
);
738 wpa_hexdump(MSG_DEBUG
, "TLSv1: ServerKeyExchange", pos
, len
);
739 suite
= tls_get_cipher_suite(conn
->rl
.cipher_suite
);
740 if (suite
&& (suite
->key_exchange
== TLS_KEY_X_DH_anon
||
741 suite
->key_exchange
== TLS_KEY_X_DHE_RSA
)) {
742 if (tlsv1_process_diffie_hellman(conn
, pos
, len
,
743 suite
->key_exchange
) < 0) {
744 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
745 TLS_ALERT_DECODE_ERROR
);
749 wpa_printf(MSG_DEBUG
, "TLSv1: UnexpectedServerKeyExchange");
750 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
751 TLS_ALERT_UNEXPECTED_MESSAGE
);
755 *in_len
= end
- in_data
;
757 conn
->state
= SERVER_CERTIFICATE_REQUEST
;
763 static int tls_process_certificate_request(struct tlsv1_client
*conn
, u8 ct
,
764 const u8
*in_data
, size_t *in_len
)
770 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
771 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
772 "received content type 0x%x", ct
);
773 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
774 TLS_ALERT_UNEXPECTED_MESSAGE
);
782 wpa_printf(MSG_DEBUG
, "TLSv1: Too short CertificateRequest "
783 "(left=%lu)", (unsigned long) left
);
784 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
789 len
= WPA_GET_BE24(pos
);
794 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in CertificateRequest "
795 "length (len=%lu != left=%lu)",
796 (unsigned long) len
, (unsigned long) left
);
797 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
803 if (type
== TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
)
804 return tls_process_server_hello_done(conn
, ct
, in_data
,
806 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
) {
807 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
808 "message %d (expected CertificateRequest/"
809 "ServerHelloDone)", type
);
810 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
811 TLS_ALERT_UNEXPECTED_MESSAGE
);
815 wpa_printf(MSG_DEBUG
, "TLSv1: Received CertificateRequest");
817 conn
->certificate_requested
= 1;
819 *in_len
= end
- in_data
;
821 conn
->state
= SERVER_HELLO_DONE
;
827 static int tls_process_server_hello_done(struct tlsv1_client
*conn
, u8 ct
,
828 const u8
*in_data
, size_t *in_len
)
834 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
835 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
836 "received content type 0x%x", ct
);
837 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
838 TLS_ALERT_UNEXPECTED_MESSAGE
);
846 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ServerHelloDone "
847 "(left=%lu)", (unsigned long) left
);
848 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
853 len
= WPA_GET_BE24(pos
);
858 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in ServerHelloDone "
859 "length (len=%lu != left=%lu)",
860 (unsigned long) len
, (unsigned long) left
);
861 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
866 if (type
!= TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
) {
867 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
868 "message %d (expected ServerHelloDone)", type
);
869 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
870 TLS_ALERT_UNEXPECTED_MESSAGE
);
874 wpa_printf(MSG_DEBUG
, "TLSv1: Received ServerHelloDone");
876 *in_len
= end
- in_data
;
878 conn
->state
= CLIENT_KEY_EXCHANGE
;
884 static int tls_process_server_change_cipher_spec(struct tlsv1_client
*conn
,
885 u8 ct
, const u8
*in_data
,
891 if (ct
!= TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC
) {
892 wpa_printf(MSG_DEBUG
, "TLSv1: Expected ChangeCipherSpec; "
893 "received content type 0x%x", ct
);
894 if (conn
->use_session_ticket
) {
896 wpa_printf(MSG_DEBUG
, "TLSv1: Server may have "
897 "rejected SessionTicket");
898 conn
->use_session_ticket
= 0;
900 /* Notify upper layers that SessionTicket failed */
901 res
= conn
->session_ticket_cb(
902 conn
->session_ticket_cb_ctx
, NULL
, 0, NULL
,
905 wpa_printf(MSG_DEBUG
, "TLSv1: SessionTicket "
906 "callback indicated failure");
907 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
908 TLS_ALERT_HANDSHAKE_FAILURE
);
912 conn
->state
= SERVER_CERTIFICATE
;
913 return tls_process_certificate(conn
, ct
, in_data
,
916 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
917 TLS_ALERT_UNEXPECTED_MESSAGE
);
925 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ChangeCipherSpec");
926 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
, TLS_ALERT_DECODE_ERROR
);
930 if (*pos
!= TLS_CHANGE_CIPHER_SPEC
) {
931 wpa_printf(MSG_DEBUG
, "TLSv1: Expected ChangeCipherSpec; "
932 "received data 0x%x", *pos
);
933 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
934 TLS_ALERT_UNEXPECTED_MESSAGE
);
938 wpa_printf(MSG_DEBUG
, "TLSv1: Received ChangeCipherSpec");
939 if (tlsv1_record_change_read_cipher(&conn
->rl
) < 0) {
940 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to change read cipher "
942 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
943 TLS_ALERT_INTERNAL_ERROR
);
947 *in_len
= pos
+ 1 - in_data
;
949 conn
->state
= SERVER_FINISHED
;
955 static int tls_process_server_finished(struct tlsv1_client
*conn
, u8 ct
,
956 const u8
*in_data
, size_t *in_len
)
959 size_t left
, len
, hlen
;
960 u8 verify_data
[TLS_VERIFY_DATA_LEN
];
961 u8 hash
[MD5_MAC_LEN
+ SHA1_MAC_LEN
];
963 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
964 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Finished; "
965 "received content type 0x%x", ct
);
966 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
967 TLS_ALERT_UNEXPECTED_MESSAGE
);
975 wpa_printf(MSG_DEBUG
, "TLSv1: Too short record (left=%lu) for "
977 (unsigned long) left
);
978 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
979 TLS_ALERT_DECODE_ERROR
);
983 if (pos
[0] != TLS_HANDSHAKE_TYPE_FINISHED
) {
984 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Finished; received "
985 "type 0x%x", pos
[0]);
986 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
987 TLS_ALERT_UNEXPECTED_MESSAGE
);
991 len
= WPA_GET_BE24(pos
+ 1);
997 wpa_printf(MSG_DEBUG
, "TLSv1: Too short buffer for Finished "
998 "(len=%lu > left=%lu)",
999 (unsigned long) len
, (unsigned long) left
);
1000 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1001 TLS_ALERT_DECODE_ERROR
);
1005 if (len
!= TLS_VERIFY_DATA_LEN
) {
1006 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected verify_data length "
1007 "in Finished: %lu (expected %d)",
1008 (unsigned long) len
, TLS_VERIFY_DATA_LEN
);
1009 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1010 TLS_ALERT_DECODE_ERROR
);
1013 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: verify_data in Finished",
1014 pos
, TLS_VERIFY_DATA_LEN
);
1016 #ifdef CONFIG_TLSV12
1017 if (conn
->rl
.tls_version
>= TLS_VERSION_1_2
) {
1018 hlen
= SHA256_MAC_LEN
;
1019 if (conn
->verify
.sha256_server
== NULL
||
1020 crypto_hash_finish(conn
->verify
.sha256_server
, hash
, &hlen
)
1022 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1023 TLS_ALERT_INTERNAL_ERROR
);
1024 conn
->verify
.sha256_server
= NULL
;
1027 conn
->verify
.sha256_server
= NULL
;
1029 #endif /* CONFIG_TLSV12 */
1032 if (conn
->verify
.md5_server
== NULL
||
1033 crypto_hash_finish(conn
->verify
.md5_server
, hash
, &hlen
) < 0) {
1034 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1035 TLS_ALERT_INTERNAL_ERROR
);
1036 conn
->verify
.md5_server
= NULL
;
1037 crypto_hash_finish(conn
->verify
.sha1_server
, NULL
, NULL
);
1038 conn
->verify
.sha1_server
= NULL
;
1041 conn
->verify
.md5_server
= NULL
;
1042 hlen
= SHA1_MAC_LEN
;
1043 if (conn
->verify
.sha1_server
== NULL
||
1044 crypto_hash_finish(conn
->verify
.sha1_server
, hash
+ MD5_MAC_LEN
,
1046 conn
->verify
.sha1_server
= NULL
;
1047 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1048 TLS_ALERT_INTERNAL_ERROR
);
1051 conn
->verify
.sha1_server
= NULL
;
1052 hlen
= MD5_MAC_LEN
+ SHA1_MAC_LEN
;
1054 #ifdef CONFIG_TLSV12
1056 #endif /* CONFIG_TLSV12 */
1058 if (tls_prf(conn
->rl
.tls_version
,
1059 conn
->master_secret
, TLS_MASTER_SECRET_LEN
,
1060 "server finished", hash
, hlen
,
1061 verify_data
, TLS_VERIFY_DATA_LEN
)) {
1062 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive verify_data");
1063 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1064 TLS_ALERT_DECRYPT_ERROR
);
1067 wpa_hexdump_key(MSG_DEBUG
, "TLSv1: verify_data (server)",
1068 verify_data
, TLS_VERIFY_DATA_LEN
);
1070 if (os_memcmp_const(pos
, verify_data
, TLS_VERIFY_DATA_LEN
) != 0) {
1071 wpa_printf(MSG_INFO
, "TLSv1: Mismatch in verify_data");
1072 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1073 TLS_ALERT_DECRYPT_ERROR
);
1077 wpa_printf(MSG_DEBUG
, "TLSv1: Received Finished");
1079 *in_len
= end
- in_data
;
1081 conn
->state
= (conn
->session_resumed
|| conn
->use_session_ticket
) ?
1082 CHANGE_CIPHER_SPEC
: ACK_FINISHED
;
1088 static int tls_process_application_data(struct tlsv1_client
*conn
, u8 ct
,
1089 const u8
*in_data
, size_t *in_len
,
1090 u8
**out_data
, size_t *out_len
)
1095 if (ct
!= TLS_CONTENT_TYPE_APPLICATION_DATA
) {
1096 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Application Data; "
1097 "received content type 0x%x", ct
);
1098 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1099 TLS_ALERT_UNEXPECTED_MESSAGE
);
1106 wpa_hexdump(MSG_DEBUG
, "TLSv1: Application Data included in Handshake",
1109 *out_data
= os_malloc(left
);
1111 os_memcpy(*out_data
, pos
, left
);
1119 int tlsv1_client_process_handshake(struct tlsv1_client
*conn
, u8 ct
,
1120 const u8
*buf
, size_t *len
,
1121 u8
**out_data
, size_t *out_len
)
1123 if (ct
== TLS_CONTENT_TYPE_ALERT
) {
1125 wpa_printf(MSG_DEBUG
, "TLSv1: Alert underflow");
1126 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1127 TLS_ALERT_DECODE_ERROR
);
1130 wpa_printf(MSG_DEBUG
, "TLSv1: Received alert %d:%d",
1133 conn
->state
= FAILED
;
1137 if (ct
== TLS_CONTENT_TYPE_HANDSHAKE
&& *len
>= 4 &&
1138 buf
[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST
) {
1139 size_t hr_len
= WPA_GET_BE24(buf
+ 1);
1140 if (hr_len
> *len
- 4) {
1141 wpa_printf(MSG_DEBUG
, "TLSv1: HelloRequest underflow");
1142 tls_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1143 TLS_ALERT_DECODE_ERROR
);
1146 wpa_printf(MSG_DEBUG
, "TLSv1: Ignored HelloRequest");
1151 switch (conn
->state
) {
1153 if (tls_process_server_hello(conn
, ct
, buf
, len
))
1156 case SERVER_CERTIFICATE
:
1157 if (tls_process_certificate(conn
, ct
, buf
, len
))
1160 case SERVER_KEY_EXCHANGE
:
1161 if (tls_process_server_key_exchange(conn
, ct
, buf
, len
))
1164 case SERVER_CERTIFICATE_REQUEST
:
1165 if (tls_process_certificate_request(conn
, ct
, buf
, len
))
1168 case SERVER_HELLO_DONE
:
1169 if (tls_process_server_hello_done(conn
, ct
, buf
, len
))
1172 case SERVER_CHANGE_CIPHER_SPEC
:
1173 if (tls_process_server_change_cipher_spec(conn
, ct
, buf
, len
))
1176 case SERVER_FINISHED
:
1177 if (tls_process_server_finished(conn
, ct
, buf
, len
))
1182 tls_process_application_data(conn
, ct
, buf
, len
, out_data
,
1187 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected state %d "
1188 "while processing received message",
1193 if (ct
== TLS_CONTENT_TYPE_HANDSHAKE
)
1194 tls_verify_hash_add(&conn
->verify
, buf
, *len
);