2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 const u8 *in_data, size_t *in_len)
38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 "received content type 0x%x", ct);
41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 TLS_ALERT_UNEXPECTED_MESSAGE);
52 /* HandshakeType msg_type */
53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 "message %d (expected ServerHello)", *pos);
56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 TLS_ALERT_UNEXPECTED_MESSAGE);
60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
63 len = WPA_GET_BE24(pos);
70 /* body - ServerHello */
72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
75 /* ProtocolVersion server_version */
78 tls_version = WPA_GET_BE16(pos);
79 if (!tls_version_ok(tls_version)) {
80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 "ServerHello %u.%u", pos[0], pos[1]);
82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 TLS_ALERT_PROTOCOL_VERSION);
88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 tls_version_str(tls_version));
90 conn->rl.tls_version = tls_version;
93 if (end - pos < TLS_RANDOM_LEN)
96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 pos += TLS_RANDOM_LEN;
98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 conn->server_random, TLS_RANDOM_LEN);
101 /* SessionID session_id */
104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
106 if (conn->session_id_len && conn->session_id_len == *pos &&
107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 pos += 1 + conn->session_id_len;
109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 conn->session_resumed = 1;
112 conn->session_id_len = *pos;
114 os_memcpy(conn->session_id, pos, conn->session_id_len);
115 pos += conn->session_id_len;
117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 conn->session_id, conn->session_id_len);
120 /* CipherSuite cipher_suite */
123 cipher_suite = WPA_GET_BE16(pos);
125 for (i = 0; i < conn->num_cipher_suites; i++) {
126 if (cipher_suite == conn->cipher_suites[i])
129 if (i == conn->num_cipher_suites) {
130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 "cipher suite 0x%04x", cipher_suite);
132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 TLS_ALERT_ILLEGAL_PARAMETER);
137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 "cipher suite for a resumed connection (0x%04x != "
140 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 TLS_ALERT_ILLEGAL_PARAMETER);
146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_INTERNAL_ERROR);
154 conn->prev_cipher_suite = cipher_suite;
156 /* CompressionMethod compression_method */
159 if (*pos != TLS_COMPRESSION_NULL) {
160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 "compression 0x%02x", *pos);
162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 TLS_ALERT_ILLEGAL_PARAMETER);
169 /* TODO: ServerHello extensions */
170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 "end of ServerHello", pos, end - pos);
175 if (conn->session_ticket_included && conn->session_ticket_cb) {
176 /* TODO: include SessionTicket extension if one was included in
178 int res = conn->session_ticket_cb(
179 conn->session_ticket_cb_ctx, NULL, 0,
180 conn->client_random, conn->server_random,
181 conn->master_secret);
183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 "indicated failure");
185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 TLS_ALERT_HANDSHAKE_FAILURE);
189 conn->use_session_ticket = !!res;
192 if ((conn->session_resumed || conn->use_session_ticket) &&
193 tls_derive_keys(conn, NULL, 0)) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 TLS_ALERT_INTERNAL_ERROR);
200 *in_len = end - in_data;
202 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215 const u8 *in_data, size_t *in_len)
218 size_t left, len, list_len, cert_len, idx;
220 struct x509_certificate *chain = NULL, *last = NULL, *cert;
223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225 "received content type 0x%x", ct);
226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 TLS_ALERT_UNEXPECTED_MESSAGE);
235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236 "(len=%lu)", (unsigned long) left);
237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
242 len = WPA_GET_BE24(pos);
247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248 "length (len=%lu != left=%lu)",
249 (unsigned long) len, (unsigned long) left);
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255 return tls_process_server_key_exchange(conn, ct, in_data,
257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258 return tls_process_certificate_request(conn, ct, in_data,
260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261 return tls_process_server_hello_done(conn, ct, in_data,
263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265 "message %d (expected Certificate/"
266 "ServerKeyExchange/CertificateRequest/"
267 "ServerHelloDone)", type);
268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 TLS_ALERT_UNEXPECTED_MESSAGE);
273 wpa_printf(MSG_DEBUG,
274 "TLSv1: Received Certificate (certificate_list len %lu)",
275 (unsigned long) len);
278 * opaque ASN.1Cert<2^24-1>;
281 * ASN.1Cert certificate_list<1..2^24-1>;
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 "(left=%lu)", (unsigned long) left);
290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
294 list_len = WPA_GET_BE24(pos);
297 if ((size_t) (end - pos) != list_len) {
298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 "length (len=%lu left=%lu)",
300 (unsigned long) list_len,
301 (unsigned long) (end - pos));
302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 TLS_ALERT_DECODE_ERROR);
313 x509_certificate_chain_free(chain);
317 cert_len = WPA_GET_BE24(pos);
320 if ((size_t) (end - pos) < cert_len) {
321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 "length (len=%lu left=%lu)",
323 (unsigned long) cert_len,
324 (unsigned long) (end - pos));
325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_DECODE_ERROR);
327 x509_certificate_chain_free(chain);
331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 (unsigned long) idx, (unsigned long) cert_len);
335 crypto_public_key_free(conn->server_rsa_key);
336 if (tls_parse_cert(pos, cert_len,
337 &conn->server_rsa_key)) {
338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 TLS_ALERT_BAD_CERTIFICATE);
342 x509_certificate_chain_free(chain);
347 cert = x509_certificate_parse(pos, cert_len);
349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 TLS_ALERT_BAD_CERTIFICATE);
353 x509_certificate_chain_free(chain);
368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 &reason, conn->disable_time_checks)
372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 "validation failed (reason=%d)", reason);
375 case X509_VALIDATE_BAD_CERTIFICATE:
376 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
381 case X509_VALIDATE_CERTIFICATE_REVOKED:
382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
384 case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
387 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
390 case X509_VALIDATE_UNKNOWN_CA:
391 tls_reason = TLS_ALERT_UNKNOWN_CA;
394 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 x509_certificate_chain_free(chain);
402 x509_certificate_chain_free(chain);
404 *in_len = end - in_data;
406 conn->state = SERVER_KEY_EXCHANGE;
412 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
413 const u8 *buf, size_t len,
414 tls_key_exchange key_exchange)
416 const u8 *pos, *end, *server_params, *server_params_end;
418 tlsv1_client_free_dh(conn);
426 conn->dh_p_len = WPA_GET_BE16(pos);
428 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
429 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
430 (unsigned long) conn->dh_p_len);
433 conn->dh_p = os_malloc(conn->dh_p_len);
434 if (conn->dh_p == NULL)
436 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
437 pos += conn->dh_p_len;
438 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
439 conn->dh_p, conn->dh_p_len);
443 conn->dh_g_len = WPA_GET_BE16(pos);
445 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
447 conn->dh_g = os_malloc(conn->dh_g_len);
448 if (conn->dh_g == NULL)
450 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
451 pos += conn->dh_g_len;
452 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
453 conn->dh_g, conn->dh_g_len);
454 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
459 conn->dh_ys_len = WPA_GET_BE16(pos);
461 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
463 conn->dh_ys = os_malloc(conn->dh_ys_len);
464 if (conn->dh_ys == NULL)
466 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
467 pos += conn->dh_ys_len;
468 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
469 conn->dh_ys, conn->dh_ys_len);
470 server_params_end = pos;
472 if (key_exchange == TLS_KEY_X_DHE_RSA) {
473 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *sbuf;
475 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
477 struct crypto_hash *ctx;
482 if (conn->rl.tls_version == TLS_VERSION_1_2) {
485 * TLS v1.2 adds explicit indication of the used
486 * signature and hash algorithms.
489 * HashAlgorithm hash;
490 * SignatureAlgorithm signature;
491 * } SignatureAndHashAlgorithm;
495 if (pos[0] != TLS_HASH_ALG_SHA256 ||
496 pos[1] != TLS_SIGN_ALG_RSA) {
497 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
503 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 0);
506 crypto_hash_update(ctx, conn->client_random,
508 crypto_hash_update(ctx, conn->server_random,
510 crypto_hash_update(ctx, server_params,
511 server_params_end - server_params);
512 hlen = SHA256_MAC_LEN;
513 if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
516 #endif /* CONFIG_TLSV12 */
517 if (alg == SIGN_ALG_RSA) {
518 ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
521 crypto_hash_update(ctx, conn->client_random,
523 crypto_hash_update(ctx, conn->server_random,
525 crypto_hash_update(ctx, server_params,
526 server_params_end - server_params);
528 if (crypto_hash_finish(ctx, hash, &hlen) < 0)
532 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
535 crypto_hash_update(ctx, conn->client_random, TLS_RANDOM_LEN);
536 crypto_hash_update(ctx, conn->server_random, TLS_RANDOM_LEN);
537 crypto_hash_update(ctx, server_params,
538 server_params_end - server_params);
539 hlen = hash + sizeof(hash) - hpos;
540 if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
546 #endif /* CONFIG_TLSV12 */
548 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
553 slen = WPA_GET_BE16(pos);
555 if (end - pos < slen)
558 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
559 if (conn->server_rsa_key == NULL) {
560 wpa_printf(MSG_DEBUG, "TLSv1: No server public key to verify signature");
565 sbuf = os_malloc(end - pos);
566 if (crypto_public_key_decrypt_pkcs1(conn->server_rsa_key,
567 pos, end - pos, sbuf,
569 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
574 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
578 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
580 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
582 * DigestInfo ::= SEQUENCE {
583 * digestAlgorithm DigestAlgorithm,
584 * digest OCTET STRING
587 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
589 * DER encoded DigestInfo for SHA256 per RFC 3447:
590 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00
593 if (buflen >= 19 + 32 &&
595 "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
596 "\x65\x03\x04\x02\x01\x05\x00\x04\x20",
598 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-256");
599 os_memmove(sbuf, sbuf + 19, buflen - 19);
602 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
607 #endif /* CONFIG_TLSV12 */
609 if (buflen != hlen || os_memcmp(sbuf, hash, buflen) != 0) {
610 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in ServerKeyExchange - did not match calculated hash");
621 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
622 tlsv1_client_free_dh(conn);
627 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
628 const u8 *in_data, size_t *in_len)
633 const struct tls_cipher_suite *suite;
635 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
636 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
637 "received content type 0x%x", ct);
638 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
639 TLS_ALERT_UNEXPECTED_MESSAGE);
647 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
648 "(Left=%lu)", (unsigned long) left);
649 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
654 len = WPA_GET_BE24(pos);
659 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
660 "length (len=%lu != left=%lu)",
661 (unsigned long) len, (unsigned long) left);
662 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
668 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
669 return tls_process_certificate_request(conn, ct, in_data,
671 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
672 return tls_process_server_hello_done(conn, ct, in_data,
674 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
675 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
676 "message %d (expected ServerKeyExchange/"
677 "CertificateRequest/ServerHelloDone)", type);
678 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
679 TLS_ALERT_UNEXPECTED_MESSAGE);
683 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
685 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
686 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
687 "with the selected cipher suite");
688 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
689 TLS_ALERT_UNEXPECTED_MESSAGE);
693 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
694 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
695 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
696 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
697 if (tlsv1_process_diffie_hellman(conn, pos, len,
698 suite->key_exchange) < 0) {
699 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
700 TLS_ALERT_DECODE_ERROR);
704 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
705 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
706 TLS_ALERT_UNEXPECTED_MESSAGE);
710 *in_len = end - in_data;
712 conn->state = SERVER_CERTIFICATE_REQUEST;
718 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
719 const u8 *in_data, size_t *in_len)
725 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
726 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
727 "received content type 0x%x", ct);
728 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
729 TLS_ALERT_UNEXPECTED_MESSAGE);
737 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
738 "(left=%lu)", (unsigned long) left);
739 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
744 len = WPA_GET_BE24(pos);
749 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
750 "length (len=%lu != left=%lu)",
751 (unsigned long) len, (unsigned long) left);
752 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
758 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
759 return tls_process_server_hello_done(conn, ct, in_data,
761 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
762 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
763 "message %d (expected CertificateRequest/"
764 "ServerHelloDone)", type);
765 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
766 TLS_ALERT_UNEXPECTED_MESSAGE);
770 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
772 conn->certificate_requested = 1;
774 *in_len = end - in_data;
776 conn->state = SERVER_HELLO_DONE;
782 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
783 const u8 *in_data, size_t *in_len)
789 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
790 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
791 "received content type 0x%x", ct);
792 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
793 TLS_ALERT_UNEXPECTED_MESSAGE);
801 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
802 "(left=%lu)", (unsigned long) left);
803 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
808 len = WPA_GET_BE24(pos);
813 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
814 "length (len=%lu != left=%lu)",
815 (unsigned long) len, (unsigned long) left);
816 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
821 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
822 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
823 "message %d (expected ServerHelloDone)", type);
824 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
825 TLS_ALERT_UNEXPECTED_MESSAGE);
829 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
831 *in_len = end - in_data;
833 conn->state = CLIENT_KEY_EXCHANGE;
839 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
840 u8 ct, const u8 *in_data,
846 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
847 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
848 "received content type 0x%x", ct);
849 if (conn->use_session_ticket) {
851 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
852 "rejected SessionTicket");
853 conn->use_session_ticket = 0;
855 /* Notify upper layers that SessionTicket failed */
856 res = conn->session_ticket_cb(
857 conn->session_ticket_cb_ctx, NULL, 0, NULL,
860 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
861 "callback indicated failure");
862 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
863 TLS_ALERT_HANDSHAKE_FAILURE);
867 conn->state = SERVER_CERTIFICATE;
868 return tls_process_certificate(conn, ct, in_data,
871 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
872 TLS_ALERT_UNEXPECTED_MESSAGE);
880 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
881 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
885 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
886 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
887 "received data 0x%x", *pos);
888 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
889 TLS_ALERT_UNEXPECTED_MESSAGE);
893 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
894 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
895 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
897 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
898 TLS_ALERT_INTERNAL_ERROR);
902 *in_len = pos + 1 - in_data;
904 conn->state = SERVER_FINISHED;
910 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
911 const u8 *in_data, size_t *in_len)
914 size_t left, len, hlen;
915 u8 verify_data[TLS_VERIFY_DATA_LEN];
916 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
918 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
919 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
920 "received content type 0x%x", ct);
921 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
922 TLS_ALERT_UNEXPECTED_MESSAGE);
930 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
932 (unsigned long) left);
933 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
934 TLS_ALERT_DECODE_ERROR);
938 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
939 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
940 "type 0x%x", pos[0]);
941 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
942 TLS_ALERT_UNEXPECTED_MESSAGE);
946 len = WPA_GET_BE24(pos + 1);
952 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
953 "(len=%lu > left=%lu)",
954 (unsigned long) len, (unsigned long) left);
955 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
956 TLS_ALERT_DECODE_ERROR);
960 if (len != TLS_VERIFY_DATA_LEN) {
961 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
962 "in Finished: %lu (expected %d)",
963 (unsigned long) len, TLS_VERIFY_DATA_LEN);
964 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
965 TLS_ALERT_DECODE_ERROR);
968 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
969 pos, TLS_VERIFY_DATA_LEN);
972 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
973 hlen = SHA256_MAC_LEN;
974 if (conn->verify.sha256_server == NULL ||
975 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
977 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
978 TLS_ALERT_INTERNAL_ERROR);
979 conn->verify.sha256_server = NULL;
982 conn->verify.sha256_server = NULL;
984 #endif /* CONFIG_TLSV12 */
987 if (conn->verify.md5_server == NULL ||
988 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
989 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
990 TLS_ALERT_INTERNAL_ERROR);
991 conn->verify.md5_server = NULL;
992 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
993 conn->verify.sha1_server = NULL;
996 conn->verify.md5_server = NULL;
998 if (conn->verify.sha1_server == NULL ||
999 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1001 conn->verify.sha1_server = NULL;
1002 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1003 TLS_ALERT_INTERNAL_ERROR);
1006 conn->verify.sha1_server = NULL;
1007 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1009 #ifdef CONFIG_TLSV12
1011 #endif /* CONFIG_TLSV12 */
1013 if (tls_prf(conn->rl.tls_version,
1014 conn->master_secret, TLS_MASTER_SECRET_LEN,
1015 "server finished", hash, hlen,
1016 verify_data, TLS_VERIFY_DATA_LEN)) {
1017 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1018 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1019 TLS_ALERT_DECRYPT_ERROR);
1022 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1023 verify_data, TLS_VERIFY_DATA_LEN);
1025 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1026 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1030 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1032 *in_len = end - in_data;
1034 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1035 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1041 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1042 const u8 *in_data, size_t *in_len,
1043 u8 **out_data, size_t *out_len)
1048 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1049 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1050 "received content type 0x%x", ct);
1051 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1052 TLS_ALERT_UNEXPECTED_MESSAGE);
1059 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1062 *out_data = os_malloc(left);
1064 os_memcpy(*out_data, pos, left);
1072 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1073 const u8 *buf, size_t *len,
1074 u8 **out_data, size_t *out_len)
1076 if (ct == TLS_CONTENT_TYPE_ALERT) {
1078 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1079 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1080 TLS_ALERT_DECODE_ERROR);
1083 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1086 conn->state = FAILED;
1090 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1091 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1092 size_t hr_len = WPA_GET_BE24(buf + 1);
1093 if (hr_len > *len - 4) {
1094 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1095 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1096 TLS_ALERT_DECODE_ERROR);
1099 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1104 switch (conn->state) {
1106 if (tls_process_server_hello(conn, ct, buf, len))
1109 case SERVER_CERTIFICATE:
1110 if (tls_process_certificate(conn, ct, buf, len))
1113 case SERVER_KEY_EXCHANGE:
1114 if (tls_process_server_key_exchange(conn, ct, buf, len))
1117 case SERVER_CERTIFICATE_REQUEST:
1118 if (tls_process_certificate_request(conn, ct, buf, len))
1121 case SERVER_HELLO_DONE:
1122 if (tls_process_server_hello_done(conn, ct, buf, len))
1125 case SERVER_CHANGE_CIPHER_SPEC:
1126 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1129 case SERVER_FINISHED:
1130 if (tls_process_server_finished(conn, ct, buf, len))
1135 tls_process_application_data(conn, ct, buf, len, out_data,
1140 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1141 "while processing received message",
1146 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1147 tls_verify_hash_add(&conn->verify, buf, *len);