libeap/src/tls/tlsv1_client_read.c

   1 /*
   2  * TLSv1 client - read handshake message
   3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_client.h"
  20 #include "tlsv1_client_i.h"
  21
  22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
  23                                            const u8 *in_data, size_t *in_len);
  24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
  25                                            const u8 *in_data, size_t *in_len);
  26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
  27                                          const u8 *in_data, size_t *in_len);
  28
  29
  30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
  31                                     const u8 *in_data, size_t *in_len)
  32 {
  33         const u8 *pos, *end;
  34         size_t left, len, i;
  35         u16 cipher_suite;
  36         u16 tls_version;
  37
  38         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  39                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  40                            "received content type 0x%x", ct);
  41                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  42                           TLS_ALERT_UNEXPECTED_MESSAGE);
  43                 return -1;
  44         }
  45
  46         pos = in_data;
  47         left = *in_len;
  48
  49         if (left < 4)
  50                 goto decode_error;
  51
  52         /* HandshakeType msg_type */
  53         if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
  54                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  55                            "message %d (expected ServerHello)", *pos);
  56                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  57                           TLS_ALERT_UNEXPECTED_MESSAGE);
  58                 return -1;
  59         }
  60         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
  61         pos++;
  62         /* uint24 length */
  63         len = WPA_GET_BE24(pos);
  64         pos += 3;
  65         left -= 4;
  66
  67         if (len > left)
  68                 goto decode_error;
  69
  70         /* body - ServerHello */
  71
  72         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
  73         end = pos + len;
  74
  75         /* ProtocolVersion server_version */
  76         if (end - pos < 2)
  77                 goto decode_error;
  78         tls_version = WPA_GET_BE16(pos);
  79         if (!tls_version_ok(tls_version)) {
  80                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  81                            "ServerHello %u.%u", pos[0], pos[1]);
  82                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  83                           TLS_ALERT_PROTOCOL_VERSION);
  84                 return -1;
  85         }
  86         pos += 2;
  87
  88         wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
  89                    tls_version_str(tls_version));
  90         conn->rl.tls_version = tls_version;
  91
  92         /* Random random */
  93         if (end - pos < TLS_RANDOM_LEN)
  94                 goto decode_error;
  95
  96         os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
  97         pos += TLS_RANDOM_LEN;
  98         wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
  99                     conn->server_random, TLS_RANDOM_LEN);
 100
 101         /* SessionID session_id */
 102         if (end - pos < 1)
 103                 goto decode_error;
 104         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 105                 goto decode_error;
 106         if (conn->session_id_len && conn->session_id_len == *pos &&
 107             os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
 108                 pos += 1 + conn->session_id_len;
 109                 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
 110                 conn->session_resumed = 1;
 111         } else {
 112                 conn->session_id_len = *pos;
 113                 pos++;
 114                 os_memcpy(conn->session_id, pos, conn->session_id_len);
 115                 pos += conn->session_id_len;
 116         }
 117         wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
 118                     conn->session_id, conn->session_id_len);
 119
 120         /* CipherSuite cipher_suite */
 121         if (end - pos < 2)
 122                 goto decode_error;
 123         cipher_suite = WPA_GET_BE16(pos);
 124         pos += 2;
 125         for (i = 0; i < conn->num_cipher_suites; i++) {
 126                 if (cipher_suite == conn->cipher_suites[i])
 127                         break;
 128         }
 129         if (i == conn->num_cipher_suites) {
 130                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 131                            "cipher suite 0x%04x", cipher_suite);
 132                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 133                           TLS_ALERT_ILLEGAL_PARAMETER);
 134                 return -1;
 135         }
 136
 137         if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
 138                 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
 139                            "cipher suite for a resumed connection (0x%04x != "
 140                            "0x%04x)", cipher_suite, conn->prev_cipher_suite);
 141                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 142                           TLS_ALERT_ILLEGAL_PARAMETER);
 143                 return -1;
 144         }
 145
 146         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 147                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 148                            "record layer");
 149                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 150                           TLS_ALERT_INTERNAL_ERROR);
 151                 return -1;
 152         }
 153
 154         conn->prev_cipher_suite = cipher_suite;
 155
 156         /* CompressionMethod compression_method */
 157         if (end - pos < 1)
 158                 goto decode_error;
 159         if (*pos != TLS_COMPRESSION_NULL) {
 160                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 161                            "compression 0x%02x", *pos);
 162                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 163                           TLS_ALERT_ILLEGAL_PARAMETER);
 164                 return -1;
 165         }
 166         pos++;
 167
 168         if (end != pos) {
 169                 /* TODO: ServerHello extensions */
 170                 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
 171                             "end of ServerHello", pos, end - pos);
 172                 goto decode_error;
 173         }
 174
 175         if (conn->session_ticket_included && conn->session_ticket_cb) {
 176                 /* TODO: include SessionTicket extension if one was included in
 177                  * ServerHello */
 178                 int res = conn->session_ticket_cb(
 179                         conn->session_ticket_cb_ctx, NULL, 0,
 180                         conn->client_random, conn->server_random,
 181                         conn->master_secret);
 182                 if (res < 0) {
 183                         wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
 184                                    "indicated failure");
 185                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 186                                   TLS_ALERT_HANDSHAKE_FAILURE);
 187                         return -1;
 188                 }
 189                 conn->use_session_ticket = !!res;
 190         }
 191
 192         if ((conn->session_resumed || conn->use_session_ticket) &&
 193             tls_derive_keys(conn, NULL, 0)) {
 194                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 195                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 196                           TLS_ALERT_INTERNAL_ERROR);
 197                 return -1;
 198         }
 199
 200         *in_len = end - in_data;
 201
 202         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 203                 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
 204
 205         return 0;
 206
 207 decode_error:
 208         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
 209         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 210         return -1;
 211 }
 212
 213
 214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 215                                    const u8 *in_data, size_t *in_len)
 216 {
 217         const u8 *pos, *end;
 218         size_t left, len, list_len, cert_len, idx;
 219         u8 type;
 220         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 221         int reason;
 222
 223         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 224                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 225                            "received content type 0x%x", ct);
 226                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 227                           TLS_ALERT_UNEXPECTED_MESSAGE);
 228                 return -1;
 229         }
 230
 231         pos = in_data;
 232         left = *in_len;
 233
 234         if (left < 4) {
 235                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 236                            "(len=%lu)", (unsigned long) left);
 237                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 238                 return -1;
 239         }
 240
 241         type = *pos++;
 242         len = WPA_GET_BE24(pos);
 243         pos += 3;
 244         left -= 4;
 245
 246         if (len > left) {
 247                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 248                            "length (len=%lu != left=%lu)",
 249                            (unsigned long) len, (unsigned long) left);
 250                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 251                 return -1;
 252         }
 253
 254         if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
 255                 return tls_process_server_key_exchange(conn, ct, in_data,
 256                                                        in_len);
 257         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 258                 return tls_process_certificate_request(conn, ct, in_data,
 259                                                        in_len);
 260         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 261                 return tls_process_server_hello_done(conn, ct, in_data,
 262                                                      in_len);
 263         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 264                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 265                            "message %d (expected Certificate/"
 266                            "ServerKeyExchange/CertificateRequest/"
 267                            "ServerHelloDone)", type);
 268                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 269                           TLS_ALERT_UNEXPECTED_MESSAGE);
 270                 return -1;
 271         }
 272
 273         wpa_printf(MSG_DEBUG,
 274                    "TLSv1: Received Certificate (certificate_list len %lu)",
 275                    (unsigned long) len);
 276
 277         /*
 278          * opaque ASN.1Cert<2^24-1>;
 279          *
 280          * struct {
 281          *     ASN.1Cert certificate_list<1..2^24-1>;
 282          * } Certificate;
 283          */
 284
 285         end = pos + len;
 286
 287         if (end - pos < 3) {
 288                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 289                            "(left=%lu)", (unsigned long) left);
 290                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 291                 return -1;
 292         }
 293
 294         list_len = WPA_GET_BE24(pos);
 295         pos += 3;
 296
 297         if ((size_t) (end - pos) != list_len) {
 298                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 299                            "length (len=%lu left=%lu)",
 300                            (unsigned long) list_len,
 301                            (unsigned long) (end - pos));
 302                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 303                 return -1;
 304         }
 305
 306         idx = 0;
 307         while (pos < end) {
 308                 if (end - pos < 3) {
 309                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 310                                    "certificate_list");
 311                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 312                                   TLS_ALERT_DECODE_ERROR);
 313                         x509_certificate_chain_free(chain);
 314                         return -1;
 315                 }
 316
 317                 cert_len = WPA_GET_BE24(pos);
 318                 pos += 3;
 319
 320                 if ((size_t) (end - pos) < cert_len) {
 321                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 322                                    "length (len=%lu left=%lu)",
 323                                    (unsigned long) cert_len,
 324                                    (unsigned long) (end - pos));
 325                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 326                                   TLS_ALERT_DECODE_ERROR);
 327                         x509_certificate_chain_free(chain);
 328                         return -1;
 329                 }
 330
 331                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 332                            (unsigned long) idx, (unsigned long) cert_len);
 333
 334                 if (idx == 0) {
 335                         crypto_public_key_free(conn->server_rsa_key);
 336                         if (tls_parse_cert(pos, cert_len,
 337                                            &conn->server_rsa_key)) {
 338                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 339                                            "the certificate");
 340                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 341                                           TLS_ALERT_BAD_CERTIFICATE);
 342                                 x509_certificate_chain_free(chain);
 343                                 return -1;
 344                         }
 345                 }
 346
 347                 cert = x509_certificate_parse(pos, cert_len);
 348                 if (cert == NULL) {
 349                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 350                                    "the certificate");
 351                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 352                                   TLS_ALERT_BAD_CERTIFICATE);
 353                         x509_certificate_chain_free(chain);
 354                         return -1;
 355                 }
 356
 357                 if (last == NULL)
 358                         chain = cert;
 359                 else
 360                         last->next = cert;
 361                 last = cert;
 362
 363                 idx++;
 364                 pos += cert_len;
 365         }
 366
 367         if (conn->cred &&
 368             x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 369                                             &reason, conn->disable_time_checks)
 370             < 0) {
 371                 int tls_reason;
 372                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 373                            "validation failed (reason=%d)", reason);
 374                 switch (reason) {
 375                 case X509_VALIDATE_BAD_CERTIFICATE:
 376                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 377                         break;
 378                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 379                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 380                         break;
 381                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 382                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 383                         break;
 384                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 385                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 386                         break;
 387                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 388                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 389                         break;
 390                 case X509_VALIDATE_UNKNOWN_CA:
 391                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 392                         break;
 393                 default:
 394                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 395                         break;
 396                 }
 397                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 398                 x509_certificate_chain_free(chain);
 399                 return -1;
 400         }
 401
 402         x509_certificate_chain_free(chain);
 403
 404         *in_len = end - in_data;
 405
 406         conn->state = SERVER_KEY_EXCHANGE;
 407
 408         return 0;
 409 }
 410
 411
 412 static unsigned int count_bits(const u8 *val, size_t len)
 413 {
 414         size_t i;
 415         unsigned int bits;
 416         u8 tmp;
 417
 418         for (i = 0; i < len; i++) {
 419                 if (val[i])
 420                         break;
 421         }
 422         if (i == len)
 423                 return 0;
 424
 425         bits = (len - i - 1) * 8;
 426         tmp = val[i];
 427         while (tmp) {
 428                 bits++;
 429                 tmp >>= 1;
 430         }
 431
 432         return bits;
 433 }
 434
 435
 436 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 437                                         const u8 *buf, size_t len,
 438                                         tls_key_exchange key_exchange)
 439 {
 440         const u8 *pos, *end, *server_params, *server_params_end;
 441         u8 alert;
 442         unsigned int bits;
 443         u16 val;
 444
 445         tlsv1_client_free_dh(conn);
 446
 447         pos = buf;
 448         end = buf + len;
 449
 450         if (end - pos < 3)
 451                 goto fail;
 452         server_params = pos;
 453         val = WPA_GET_BE16(pos);
 454         pos += 2;
 455         if (val == 0 || val > (size_t) (end - pos)) {
 456                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
 457                 goto fail;
 458         }
 459         conn->dh_p_len = val;
 460         bits = count_bits(pos, conn->dh_p_len);
 461         if (bits < 768) {
 462                 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
 463                            bits);
 464                 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
 465                             pos, conn->dh_p_len);
 466                 goto fail;
 467         }
 468         conn->dh_p = os_malloc(conn->dh_p_len);
 469         if (conn->dh_p == NULL)
 470                 goto fail;
 471         os_memcpy(conn->dh_p, pos, conn->dh_p_len);
 472         pos += conn->dh_p_len;
 473         wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
 474                     conn->dh_p, conn->dh_p_len);
 475
 476         if (end - pos < 3)
 477                 goto fail;
 478         val = WPA_GET_BE16(pos);
 479         pos += 2;
 480         if (val == 0 || val > (size_t) (end - pos))
 481                 goto fail;
 482         conn->dh_g_len = val;
 483         conn->dh_g = os_malloc(conn->dh_g_len);
 484         if (conn->dh_g == NULL)
 485                 goto fail;
 486         os_memcpy(conn->dh_g, pos, conn->dh_g_len);
 487         pos += conn->dh_g_len;
 488         wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
 489                     conn->dh_g, conn->dh_g_len);
 490         if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
 491                 goto fail;
 492
 493         if (end - pos < 3)
 494                 goto fail;
 495         val = WPA_GET_BE16(pos);
 496         pos += 2;
 497         if (val == 0 || val > (size_t) (end - pos))
 498                 goto fail;
 499         conn->dh_ys_len = val;
 500         conn->dh_ys = os_malloc(conn->dh_ys_len);
 501         if (conn->dh_ys == NULL)
 502                 goto fail;
 503         os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
 504         pos += conn->dh_ys_len;
 505         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
 506                     conn->dh_ys, conn->dh_ys_len);
 507         server_params_end = pos;
 508
 509         if (key_exchange == TLS_KEY_X_DHE_RSA) {
 510                 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 511                 int hlen;
 512
 513                 if (conn->rl.tls_version == TLS_VERSION_1_2) {
 514 #ifdef CONFIG_TLSV12
 515                         /*
 516                          * RFC 5246, 4.7:
 517                          * TLS v1.2 adds explicit indication of the used
 518                          * signature and hash algorithms.
 519                          *
 520                          * struct {
 521                          *   HashAlgorithm hash;
 522                          *   SignatureAlgorithm signature;
 523                          * } SignatureAndHashAlgorithm;
 524                          */
 525                         if (end - pos < 2)
 526                                 goto fail;
 527                         if (pos[0] != TLS_HASH_ALG_SHA256 ||
 528                             pos[1] != TLS_SIGN_ALG_RSA) {
 529                                 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
 530                                            pos[0], pos[1]);
 531                                 goto fail;
 532                         }
 533                         pos += 2;
 534
 535                         hlen = tlsv12_key_x_server_params_hash(
 536                                 conn->rl.tls_version, conn->client_random,
 537                                 conn->server_random, server_params,
 538                                 server_params_end - server_params, hash);
 539 #else /* CONFIG_TLSV12 */
 540                         goto fail;
 541 #endif /* CONFIG_TLSV12 */
 542                 } else {
 543                         hlen = tls_key_x_server_params_hash(
 544                                 conn->rl.tls_version, conn->client_random,
 545                                 conn->server_random, server_params,
 546                                 server_params_end - server_params, hash);
 547                 }
 548
 549                 if (hlen < 0)
 550                         goto fail;
 551                 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
 552                             hash, hlen);
 553
 554                 if (tls_verify_signature(conn->rl.tls_version,
 555                                          conn->server_rsa_key,
 556                                          hash, hlen, pos, end - pos,
 557                                          &alert) < 0)
 558                         goto fail;
 559         }
 560
 561         return 0;
 562
 563 fail:
 564         wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
 565         tlsv1_client_free_dh(conn);
 566         return -1;
 567 }
 568
 569
 570 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
 571                                            const u8 *in_data, size_t *in_len)
 572 {
 573         const u8 *pos, *end;
 574         size_t left, len;
 575         u8 type;
 576         const struct tls_cipher_suite *suite;
 577
 578         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 579                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 580                            "received content type 0x%x", ct);
 581                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 582                           TLS_ALERT_UNEXPECTED_MESSAGE);
 583                 return -1;
 584         }
 585
 586         pos = in_data;
 587         left = *in_len;
 588
 589         if (left < 4) {
 590                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
 591                            "(Left=%lu)", (unsigned long) left);
 592                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 593                 return -1;
 594         }
 595
 596         type = *pos++;
 597         len = WPA_GET_BE24(pos);
 598         pos += 3;
 599         left -= 4;
 600
 601         if (len > left) {
 602                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
 603                            "length (len=%lu != left=%lu)",
 604                            (unsigned long) len, (unsigned long) left);
 605                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 606                 return -1;
 607         }
 608
 609         end = pos + len;
 610
 611         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 612                 return tls_process_certificate_request(conn, ct, in_data,
 613                                                        in_len);
 614         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 615                 return tls_process_server_hello_done(conn, ct, in_data,
 616                                                      in_len);
 617         if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
 618                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 619                            "message %d (expected ServerKeyExchange/"
 620                            "CertificateRequest/ServerHelloDone)", type);
 621                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 622                           TLS_ALERT_UNEXPECTED_MESSAGE);
 623                 return -1;
 624         }
 625
 626         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
 627
 628         if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
 629                 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
 630                            "with the selected cipher suite");
 631                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 632                           TLS_ALERT_UNEXPECTED_MESSAGE);
 633                 return -1;
 634         }
 635
 636         wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
 637         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 638         if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
 639                       suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
 640                 if (tlsv1_process_diffie_hellman(conn, pos, len,
 641                                                  suite->key_exchange) < 0) {
 642                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 643                                   TLS_ALERT_DECODE_ERROR);
 644                         return -1;
 645                 }
 646         } else {
 647                 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
 648                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 649                           TLS_ALERT_UNEXPECTED_MESSAGE);
 650                 return -1;
 651         }
 652
 653         *in_len = end - in_data;
 654
 655         conn->state = SERVER_CERTIFICATE_REQUEST;
 656
 657         return 0;
 658 }
 659
 660
 661 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
 662                                            const u8 *in_data, size_t *in_len)
 663 {
 664         const u8 *pos, *end;
 665         size_t left, len;
 666         u8 type;
 667
 668         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 669                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 670                            "received content type 0x%x", ct);
 671                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 672                           TLS_ALERT_UNEXPECTED_MESSAGE);
 673                 return -1;
 674         }
 675
 676         pos = in_data;
 677         left = *in_len;
 678
 679         if (left < 4) {
 680                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
 681                            "(left=%lu)", (unsigned long) left);
 682                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 683                 return -1;
 684         }
 685
 686         type = *pos++;
 687         len = WPA_GET_BE24(pos);
 688         pos += 3;
 689         left -= 4;
 690
 691         if (len > left) {
 692                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
 693                            "length (len=%lu != left=%lu)",
 694                            (unsigned long) len, (unsigned long) left);
 695                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 696                 return -1;
 697         }
 698
 699         end = pos + len;
 700
 701         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 702                 return tls_process_server_hello_done(conn, ct, in_data,
 703                                                      in_len);
 704         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
 705                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 706                            "message %d (expected CertificateRequest/"
 707                            "ServerHelloDone)", type);
 708                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 709                           TLS_ALERT_UNEXPECTED_MESSAGE);
 710                 return -1;
 711         }
 712
 713         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
 714
 715         conn->certificate_requested = 1;
 716
 717         *in_len = end - in_data;
 718
 719         conn->state = SERVER_HELLO_DONE;
 720
 721         return 0;
 722 }
 723
 724
 725 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
 726                                          const u8 *in_data, size_t *in_len)
 727 {
 728         const u8 *pos, *end;
 729         size_t left, len;
 730         u8 type;
 731
 732         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 733                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 734                            "received content type 0x%x", ct);
 735                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 736                           TLS_ALERT_UNEXPECTED_MESSAGE);
 737                 return -1;
 738         }
 739
 740         pos = in_data;
 741         left = *in_len;
 742
 743         if (left < 4) {
 744                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
 745                            "(left=%lu)", (unsigned long) left);
 746                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 747                 return -1;
 748         }
 749
 750         type = *pos++;
 751         len = WPA_GET_BE24(pos);
 752         pos += 3;
 753         left -= 4;
 754
 755         if (len > left) {
 756                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
 757                            "length (len=%lu != left=%lu)",
 758                            (unsigned long) len, (unsigned long) left);
 759                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 760                 return -1;
 761         }
 762         end = pos + len;
 763
 764         if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
 765                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 766                            "message %d (expected ServerHelloDone)", type);
 767                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 768                           TLS_ALERT_UNEXPECTED_MESSAGE);
 769                 return -1;
 770         }
 771
 772         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
 773
 774         *in_len = end - in_data;
 775
 776         conn->state = CLIENT_KEY_EXCHANGE;
 777
 778         return 0;
 779 }
 780
 781
 782 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
 783                                                  u8 ct, const u8 *in_data,
 784                                                  size_t *in_len)
 785 {
 786         const u8 *pos;
 787         size_t left;
 788
 789         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 790                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 791                            "received content type 0x%x", ct);
 792                 if (conn->use_session_ticket) {
 793                         int res;
 794                         wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
 795                                    "rejected SessionTicket");
 796                         conn->use_session_ticket = 0;
 797
 798                         /* Notify upper layers that SessionTicket failed */
 799                         res = conn->session_ticket_cb(
 800                                 conn->session_ticket_cb_ctx, NULL, 0, NULL,
 801                                 NULL, NULL);
 802                         if (res < 0) {
 803                                 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
 804                                            "callback indicated failure");
 805                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 806                                           TLS_ALERT_HANDSHAKE_FAILURE);
 807                                 return -1;
 808                         }
 809
 810                         conn->state = SERVER_CERTIFICATE;
 811                         return tls_process_certificate(conn, ct, in_data,
 812                                                        in_len);
 813                 }
 814                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 815                           TLS_ALERT_UNEXPECTED_MESSAGE);
 816                 return -1;
 817         }
 818
 819         pos = in_data;
 820         left = *in_len;
 821
 822         if (left < 1) {
 823                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 824                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 825                 return -1;
 826         }
 827
 828         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 829                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 830                            "received data 0x%x", *pos);
 831                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 832                           TLS_ALERT_UNEXPECTED_MESSAGE);
 833                 return -1;
 834         }
 835
 836         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 837         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 838                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 839                            "for record layer");
 840                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 841                           TLS_ALERT_INTERNAL_ERROR);
 842                 return -1;
 843         }
 844
 845         *in_len = pos + 1 - in_data;
 846
 847         conn->state = SERVER_FINISHED;
 848
 849         return 0;
 850 }
 851
 852
 853 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
 854                                        const u8 *in_data, size_t *in_len)
 855 {
 856         const u8 *pos, *end;
 857         size_t left, len, hlen;
 858         u8 verify_data[TLS_VERIFY_DATA_LEN];
 859         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 860
 861         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 862                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 863                            "received content type 0x%x", ct);
 864                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 865                           TLS_ALERT_UNEXPECTED_MESSAGE);
 866                 return -1;
 867         }
 868
 869         pos = in_data;
 870         left = *in_len;
 871
 872         if (left < 4) {
 873                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 874                            "Finished",
 875                            (unsigned long) left);
 876                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 877                           TLS_ALERT_DECODE_ERROR);
 878                 return -1;
 879         }
 880
 881         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 882                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 883                            "type 0x%x", pos[0]);
 884                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 885                           TLS_ALERT_UNEXPECTED_MESSAGE);
 886                 return -1;
 887         }
 888
 889         len = WPA_GET_BE24(pos + 1);
 890
 891         pos += 4;
 892         left -= 4;
 893
 894         if (len > left) {
 895                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
 896                            "(len=%lu > left=%lu)",
 897                            (unsigned long) len, (unsigned long) left);
 898                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 899                           TLS_ALERT_DECODE_ERROR);
 900                 return -1;
 901         }
 902         end = pos + len;
 903         if (len != TLS_VERIFY_DATA_LEN) {
 904                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
 905                            "in Finished: %lu (expected %d)",
 906                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
 907                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 908                           TLS_ALERT_DECODE_ERROR);
 909                 return -1;
 910         }
 911         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
 912                     pos, TLS_VERIFY_DATA_LEN);
 913
 914 #ifdef CONFIG_TLSV12
 915         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
 916                 hlen = SHA256_MAC_LEN;
 917                 if (conn->verify.sha256_server == NULL ||
 918                     crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
 919                     < 0) {
 920                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 921                                   TLS_ALERT_INTERNAL_ERROR);
 922                         conn->verify.sha256_server = NULL;
 923                         return -1;
 924                 }
 925                 conn->verify.sha256_server = NULL;
 926         } else {
 927 #endif /* CONFIG_TLSV12 */
 928
 929         hlen = MD5_MAC_LEN;
 930         if (conn->verify.md5_server == NULL ||
 931             crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
 932                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 933                           TLS_ALERT_INTERNAL_ERROR);
 934                 conn->verify.md5_server = NULL;
 935                 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
 936                 conn->verify.sha1_server = NULL;
 937                 return -1;
 938         }
 939         conn->verify.md5_server = NULL;
 940         hlen = SHA1_MAC_LEN;
 941         if (conn->verify.sha1_server == NULL ||
 942             crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
 943                                &hlen) < 0) {
 944                 conn->verify.sha1_server = NULL;
 945                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 946                           TLS_ALERT_INTERNAL_ERROR);
 947                 return -1;
 948         }
 949         conn->verify.sha1_server = NULL;
 950         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
 951
 952 #ifdef CONFIG_TLSV12
 953         }
 954 #endif /* CONFIG_TLSV12 */
 955
 956         if (tls_prf(conn->rl.tls_version,
 957                     conn->master_secret, TLS_MASTER_SECRET_LEN,
 958                     "server finished", hash, hlen,
 959                     verify_data, TLS_VERIFY_DATA_LEN)) {
 960                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
 961                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 962                           TLS_ALERT_DECRYPT_ERROR);
 963                 return -1;
 964         }
 965         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
 966                         verify_data, TLS_VERIFY_DATA_LEN);
 967
 968         if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
 969                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
 970                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 971                           TLS_ALERT_DECRYPT_ERROR);
 972                 return -1;
 973         }
 974
 975         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
 976
 977         *in_len = end - in_data;
 978
 979         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 980                 CHANGE_CIPHER_SPEC : ACK_FINISHED;
 981
 982         return 0;
 983 }
 984
 985
 986 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
 987                                         const u8 *in_data, size_t *in_len,
 988                                         u8 **out_data, size_t *out_len)
 989 {
 990         const u8 *pos;
 991         size_t left;
 992
 993         if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
 994                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
 995                            "received content type 0x%x", ct);
 996                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 997                           TLS_ALERT_UNEXPECTED_MESSAGE);
 998                 return -1;
 999         }
1000
1001         pos = in_data;
1002         left = *in_len;
1003
1004         wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1005                     pos, left);
1006
1007         *out_data = os_malloc(left);
1008         if (*out_data) {
1009                 os_memcpy(*out_data, pos, left);
1010                 *out_len = left;
1011         }
1012
1013         return 0;
1014 }
1015
1016
1017 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1018                                    const u8 *buf, size_t *len,
1019                                    u8 **out_data, size_t *out_len)
1020 {
1021         if (ct == TLS_CONTENT_TYPE_ALERT) {
1022                 if (*len < 2) {
1023                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1024                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025                                   TLS_ALERT_DECODE_ERROR);
1026                         return -1;
1027                 }
1028                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1029                            buf[0], buf[1]);
1030                 *len = 2;
1031                 conn->state = FAILED;
1032                 return -1;
1033         }
1034
1035         if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1036             buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1037                 size_t hr_len = WPA_GET_BE24(buf + 1);
1038                 if (hr_len > *len - 4) {
1039                         wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1040                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041                                   TLS_ALERT_DECODE_ERROR);
1042                         return -1;
1043                 }
1044                 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1045                 *len = 4 + hr_len;
1046                 return 0;
1047         }
1048
1049         switch (conn->state) {
1050         case SERVER_HELLO:
1051                 if (tls_process_server_hello(conn, ct, buf, len))
1052                         return -1;
1053                 break;
1054         case SERVER_CERTIFICATE:
1055                 if (tls_process_certificate(conn, ct, buf, len))
1056                         return -1;
1057                 break;
1058         case SERVER_KEY_EXCHANGE:
1059                 if (tls_process_server_key_exchange(conn, ct, buf, len))
1060                         return -1;
1061                 break;
1062         case SERVER_CERTIFICATE_REQUEST:
1063                 if (tls_process_certificate_request(conn, ct, buf, len))
1064                         return -1;
1065                 break;
1066         case SERVER_HELLO_DONE:
1067                 if (tls_process_server_hello_done(conn, ct, buf, len))
1068                         return -1;
1069                 break;
1070         case SERVER_CHANGE_CIPHER_SPEC:
1071                 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1072                         return -1;
1073                 break;
1074         case SERVER_FINISHED:
1075                 if (tls_process_server_finished(conn, ct, buf, len))
1076                         return -1;
1077                 break;
1078         case ACK_FINISHED:
1079                 if (out_data &&
1080                     tls_process_application_data(conn, ct, buf, len, out_data,
1081                                                  out_len))
1082                         return -1;
1083                 break;
1084         default:
1085                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1086                            "while processing received message",
1087                            conn->state);
1088                 return -1;
1089         }
1090
1091         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1092                 tls_verify_hash_add(&conn->verify, buf, *len);
1093
1094         return 0;
1095 }