2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 u8 ct, const u8 *in_data,
30 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
31 const u8 *in_data, size_t *in_len)
33 const u8 *pos, *end, *c;
34 size_t left, len, i, j;
38 u16 ext_type, ext_len;
40 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
41 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
42 "received content type 0x%x", ct);
43 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
44 TLS_ALERT_UNEXPECTED_MESSAGE);
54 /* HandshakeType msg_type */
55 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
56 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
57 "message %d (expected ClientHello)", *pos);
58 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
59 TLS_ALERT_UNEXPECTED_MESSAGE);
62 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
65 len = WPA_GET_BE24(pos);
72 /* body - ClientHello */
74 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
77 /* ProtocolVersion client_version */
80 conn->client_version = WPA_GET_BE16(pos);
81 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
82 conn->client_version >> 8, conn->client_version & 0xff);
83 if (conn->client_version < TLS_VERSION_1) {
84 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
86 conn->client_version >> 8,
87 conn->client_version & 0xff);
88 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
89 TLS_ALERT_PROTOCOL_VERSION);
94 if (TLS_VERSION == TLS_VERSION_1)
95 conn->rl.tls_version = TLS_VERSION_1;
97 else if (conn->client_version >= TLS_VERSION_1_2)
98 conn->rl.tls_version = TLS_VERSION_1_2;
99 #endif /* CONFIG_TLSV12 */
100 else if (conn->client_version > TLS_VERSION_1_1)
101 conn->rl.tls_version = TLS_VERSION_1_1;
103 conn->rl.tls_version = conn->client_version;
104 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
105 tls_version_str(conn->rl.tls_version));
108 if (end - pos < TLS_RANDOM_LEN)
111 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
112 pos += TLS_RANDOM_LEN;
113 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
114 conn->client_random, TLS_RANDOM_LEN);
116 /* SessionID session_id */
119 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
121 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
123 /* TODO: add support for session resumption */
125 /* CipherSuite cipher_suites<2..2^16-1> */
128 num_suites = WPA_GET_BE16(pos);
130 if (end - pos < num_suites)
132 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
139 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
141 for (j = 0; j < num_suites; j++) {
142 u16 tmp = WPA_GET_BE16(c);
144 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
150 pos += num_suites * 2;
152 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
154 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
155 TLS_ALERT_ILLEGAL_PARAMETER);
159 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
160 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
162 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 TLS_ALERT_INTERNAL_ERROR);
167 conn->cipher_suite = cipher_suite;
169 /* CompressionMethod compression_methods<1..2^8-1> */
173 if (end - pos < num_suites)
175 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
177 compr_null_found = 0;
178 for (i = 0; i < num_suites; i++) {
179 if (*pos++ == TLS_COMPRESSION_NULL)
180 compr_null_found = 1;
182 if (!compr_null_found) {
183 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
185 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 TLS_ALERT_ILLEGAL_PARAMETER);
190 if (end - pos == 1) {
191 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
192 "end of ClientHello: 0x%02x", *pos);
196 if (end - pos >= 2) {
197 /* Extension client_hello_extension_list<0..2^16-1> */
198 ext_len = WPA_GET_BE16(pos);
201 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
202 "extensions", ext_len);
203 if (end - pos != ext_len) {
204 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
205 "extension list length %u (expected %u)",
206 ext_len, (unsigned int) (end - pos));
212 * ExtensionType extension_type (0..65535)
213 * opaque extension_data<0..2^16-1>
219 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
220 "extension_type field");
224 ext_type = WPA_GET_BE16(pos);
228 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
229 "extension_data length field");
233 ext_len = WPA_GET_BE16(pos);
236 if (end - pos < ext_len) {
237 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
238 "extension_data field");
242 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
243 "type %u", ext_type);
244 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
245 "Extension data", pos, ext_len);
247 if (ext_type == TLS_EXT_SESSION_TICKET) {
248 os_free(conn->session_ticket);
249 conn->session_ticket = os_malloc(ext_len);
250 if (conn->session_ticket) {
251 os_memcpy(conn->session_ticket, pos,
253 conn->session_ticket_len = ext_len;
261 *in_len = end - in_data;
263 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
265 conn->state = SERVER_HELLO;
270 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
271 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
272 TLS_ALERT_DECODE_ERROR);
277 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
278 const u8 *in_data, size_t *in_len)
281 size_t left, len, list_len, cert_len, idx;
283 struct x509_certificate *chain = NULL, *last = NULL, *cert;
286 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
287 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
288 "received content type 0x%x", ct);
289 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
290 TLS_ALERT_UNEXPECTED_MESSAGE);
298 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
299 "(len=%lu)", (unsigned long) left);
300 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
301 TLS_ALERT_DECODE_ERROR);
306 len = WPA_GET_BE24(pos);
311 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
312 "length (len=%lu != left=%lu)",
313 (unsigned long) len, (unsigned long) left);
314 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
315 TLS_ALERT_DECODE_ERROR);
319 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
320 if (conn->verify_peer) {
321 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
323 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
324 TLS_ALERT_UNEXPECTED_MESSAGE);
328 return tls_process_client_key_exchange(conn, ct, in_data,
331 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
332 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
333 "message %d (expected Certificate/"
334 "ClientKeyExchange)", type);
335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
336 TLS_ALERT_UNEXPECTED_MESSAGE);
340 wpa_printf(MSG_DEBUG,
341 "TLSv1: Received Certificate (certificate_list len %lu)",
342 (unsigned long) len);
345 * opaque ASN.1Cert<2^24-1>;
348 * ASN.1Cert certificate_list<1..2^24-1>;
355 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
356 "(left=%lu)", (unsigned long) left);
357 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
358 TLS_ALERT_DECODE_ERROR);
362 list_len = WPA_GET_BE24(pos);
365 if ((size_t) (end - pos) != list_len) {
366 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
367 "length (len=%lu left=%lu)",
368 (unsigned long) list_len,
369 (unsigned long) (end - pos));
370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 TLS_ALERT_DECODE_ERROR);
378 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
380 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
381 TLS_ALERT_DECODE_ERROR);
382 x509_certificate_chain_free(chain);
386 cert_len = WPA_GET_BE24(pos);
389 if ((size_t) (end - pos) < cert_len) {
390 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
391 "length (len=%lu left=%lu)",
392 (unsigned long) cert_len,
393 (unsigned long) (end - pos));
394 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
395 TLS_ALERT_DECODE_ERROR);
396 x509_certificate_chain_free(chain);
400 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
401 (unsigned long) idx, (unsigned long) cert_len);
404 crypto_public_key_free(conn->client_rsa_key);
405 if (tls_parse_cert(pos, cert_len,
406 &conn->client_rsa_key)) {
407 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
409 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
410 TLS_ALERT_BAD_CERTIFICATE);
411 x509_certificate_chain_free(chain);
416 cert = x509_certificate_parse(pos, cert_len);
418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
420 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
421 TLS_ALERT_BAD_CERTIFICATE);
422 x509_certificate_chain_free(chain);
436 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
439 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
440 "validation failed (reason=%d)", reason);
442 case X509_VALIDATE_BAD_CERTIFICATE:
443 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
445 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
446 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
448 case X509_VALIDATE_CERTIFICATE_REVOKED:
449 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
451 case X509_VALIDATE_CERTIFICATE_EXPIRED:
452 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
454 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
455 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
457 case X509_VALIDATE_UNKNOWN_CA:
458 tls_reason = TLS_ALERT_UNKNOWN_CA;
461 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
464 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
465 x509_certificate_chain_free(chain);
469 x509_certificate_chain_free(chain);
471 *in_len = end - in_data;
473 conn->state = CLIENT_KEY_EXCHANGE;
479 static int tls_process_client_key_exchange_rsa(
480 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
483 size_t outlen, outbuflen;
489 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
490 TLS_ALERT_DECODE_ERROR);
494 encr_len = WPA_GET_BE16(pos);
496 if (pos + encr_len > end) {
497 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
498 "format: encr_len=%u left=%u",
499 encr_len, (unsigned int) (end - pos));
500 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
501 TLS_ALERT_DECODE_ERROR);
505 outbuflen = outlen = end - pos;
506 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
507 outlen : TLS_PRE_MASTER_SECRET_LEN);
509 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
510 TLS_ALERT_INTERNAL_ERROR);
516 * ProtocolVersion client_version;
521 * public-key-encrypted PreMasterSecret pre_master_secret;
522 * } EncryptedPreMasterSecret;
526 * Note: To avoid Bleichenbacher attack, we do not report decryption or
527 * parsing errors from EncryptedPreMasterSecret processing to the
528 * client. Instead, a random pre-master secret is used to force the
532 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
535 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
536 "PreMasterSecret (encr_len=%u outlen=%lu)",
537 encr_len, (unsigned long) outlen);
541 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
542 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
543 "length %lu", (unsigned long) outlen);
547 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
548 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
549 "ClientKeyExchange does not match with version in "
555 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
556 "to avoid revealing information about private key");
557 outlen = TLS_PRE_MASTER_SECRET_LEN;
558 if (os_get_random(out, outlen)) {
559 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
561 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
562 TLS_ALERT_INTERNAL_ERROR);
568 res = tlsv1_server_derive_keys(conn, out, outlen);
570 /* Clear the pre-master secret since it is not needed anymore */
571 os_memset(out, 0, outbuflen);
575 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
576 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
577 TLS_ALERT_INTERNAL_ERROR);
585 static int tls_process_client_key_exchange_dh_anon(
586 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
596 * select (PublicValueEncoding) {
597 * case implicit: struct { };
598 * case explicit: opaque dh_Yc<1..2^16-1>;
600 * } ClientDiffieHellmanPublic;
603 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
607 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
609 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
610 TLS_ALERT_INTERNAL_ERROR);
615 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
617 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
618 TLS_ALERT_DECODE_ERROR);
622 dh_yc_len = WPA_GET_BE16(pos);
625 if (dh_yc + dh_yc_len > end) {
626 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
627 "(length %d)", dh_yc_len);
628 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
629 TLS_ALERT_DECODE_ERROR);
633 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
636 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
637 conn->dh_secret == NULL) {
638 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
639 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
640 TLS_ALERT_INTERNAL_ERROR);
644 shared_len = conn->cred->dh_p_len;
645 shared = os_malloc(shared_len);
646 if (shared == NULL) {
647 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
649 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
650 TLS_ALERT_INTERNAL_ERROR);
654 /* shared = Yc^secret mod p */
655 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
657 conn->cred->dh_p, conn->cred->dh_p_len,
658 shared, &shared_len)) {
660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
661 TLS_ALERT_INTERNAL_ERROR);
664 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
667 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
668 os_free(conn->dh_secret);
669 conn->dh_secret = NULL;
671 res = tlsv1_server_derive_keys(conn, shared, shared_len);
673 /* Clear the pre-master secret since it is not needed anymore */
674 os_memset(shared, 0, shared_len);
678 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
679 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
680 TLS_ALERT_INTERNAL_ERROR);
688 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
689 const u8 *in_data, size_t *in_len)
694 tls_key_exchange keyx;
695 const struct tls_cipher_suite *suite;
697 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
698 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
699 "received content type 0x%x", ct);
700 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
701 TLS_ALERT_UNEXPECTED_MESSAGE);
709 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
710 "(Left=%lu)", (unsigned long) left);
711 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
712 TLS_ALERT_DECODE_ERROR);
717 len = WPA_GET_BE24(pos);
722 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
723 "length (len=%lu != left=%lu)",
724 (unsigned long) len, (unsigned long) left);
725 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
726 TLS_ALERT_DECODE_ERROR);
732 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
733 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
734 "message %d (expected ClientKeyExchange)", type);
735 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 TLS_ALERT_UNEXPECTED_MESSAGE);
740 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
742 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
744 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
746 keyx = TLS_KEY_X_NULL;
748 keyx = suite->key_exchange;
750 if (keyx == TLS_KEY_X_DH_anon &&
751 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
754 if (keyx != TLS_KEY_X_DH_anon &&
755 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
758 *in_len = end - in_data;
760 conn->state = CERTIFICATE_VERIFY;
766 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
767 const u8 *in_data, size_t *in_len)
773 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
774 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
777 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
778 if (conn->verify_peer) {
779 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
780 "CertificateVerify");
781 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
782 TLS_ALERT_UNEXPECTED_MESSAGE);
786 return tls_process_change_cipher_spec(conn, ct, in_data,
790 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
791 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
792 "received content type 0x%x", ct);
793 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
794 TLS_ALERT_UNEXPECTED_MESSAGE);
802 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
803 "message (len=%lu)", (unsigned long) left);
804 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
805 TLS_ALERT_DECODE_ERROR);
810 len = WPA_GET_BE24(pos);
815 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
816 "message length (len=%lu != left=%lu)",
817 (unsigned long) len, (unsigned long) left);
818 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
819 TLS_ALERT_DECODE_ERROR);
825 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
826 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
827 "message %d (expected CertificateVerify)", type);
828 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
829 TLS_ALERT_UNEXPECTED_MESSAGE);
833 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
837 * Signature signature;
838 * } CertificateVerify;
844 if (conn->rl.tls_version == TLS_VERSION_1_2) {
847 * TLS v1.2 adds explicit indication of the used signature and
851 * HashAlgorithm hash;
852 * SignatureAlgorithm signature;
853 * } SignatureAndHashAlgorithm;
856 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
857 TLS_ALERT_DECODE_ERROR);
860 if (pos[0] != TLS_HASH_ALG_SHA256 ||
861 pos[1] != TLS_SIGN_ALG_RSA) {
862 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
863 "signature(%u) algorithm",
865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
866 TLS_ALERT_INTERNAL_ERROR);
871 hlen = SHA256_MAC_LEN;
872 if (conn->verify.sha256_cert == NULL ||
873 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
875 conn->verify.sha256_cert = NULL;
876 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
877 TLS_ALERT_INTERNAL_ERROR);
880 conn->verify.sha256_cert = NULL;
882 #endif /* CONFIG_TLSV12 */
884 if (alg == SIGN_ALG_RSA) {
886 if (conn->verify.md5_cert == NULL ||
887 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
889 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
890 TLS_ALERT_INTERNAL_ERROR);
891 conn->verify.md5_cert = NULL;
892 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
893 conn->verify.sha1_cert = NULL;
898 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
900 conn->verify.md5_cert = NULL;
902 if (conn->verify.sha1_cert == NULL ||
903 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
904 conn->verify.sha1_cert = NULL;
905 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
906 TLS_ALERT_INTERNAL_ERROR);
909 conn->verify.sha1_cert = NULL;
911 if (alg == SIGN_ALG_RSA)
916 #endif /* CONFIG_TLSV12 */
918 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
921 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
922 TLS_ALERT_DECODE_ERROR);
925 slen = WPA_GET_BE16(pos);
927 if (end - pos < slen) {
928 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
929 TLS_ALERT_DECODE_ERROR);
933 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
934 if (conn->client_rsa_key == NULL) {
935 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
937 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
938 TLS_ALERT_INTERNAL_ERROR);
943 buf = os_malloc(end - pos);
944 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
945 pos, end - pos, buf, &buflen) < 0)
947 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
949 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
950 TLS_ALERT_DECRYPT_ERROR);
954 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
958 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
960 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
962 * DigestInfo ::= SEQUENCE {
963 * digestAlgorithm DigestAlgorithm,
964 * digest OCTET STRING
967 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
969 * DER encoded DigestInfo for SHA256 per RFC 3447:
970 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
973 if (buflen >= 19 + 32 &&
974 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
975 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
977 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = "
979 os_memmove(buf, buf + 19, buflen - 19);
982 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized "
985 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
986 TLS_ALERT_DECRYPT_ERROR);
990 #endif /* CONFIG_TLSV12 */
992 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
993 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
994 "CertificateVerify - did not match with calculated "
997 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
998 TLS_ALERT_DECRYPT_ERROR);
1004 *in_len = end - in_data;
1006 conn->state = CHANGE_CIPHER_SPEC;
1012 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1013 u8 ct, const u8 *in_data,
1019 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1020 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1021 "received content type 0x%x", ct);
1022 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023 TLS_ALERT_UNEXPECTED_MESSAGE);
1031 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1032 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033 TLS_ALERT_DECODE_ERROR);
1037 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1038 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1039 "received data 0x%x", *pos);
1040 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041 TLS_ALERT_UNEXPECTED_MESSAGE);
1045 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1046 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1047 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1048 "for record layer");
1049 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1050 TLS_ALERT_INTERNAL_ERROR);
1054 *in_len = pos + 1 - in_data;
1056 conn->state = CLIENT_FINISHED;
1062 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1063 const u8 *in_data, size_t *in_len)
1065 const u8 *pos, *end;
1066 size_t left, len, hlen;
1067 u8 verify_data[TLS_VERIFY_DATA_LEN];
1068 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1070 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1071 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1072 "received content type 0x%x", ct);
1073 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 TLS_ALERT_UNEXPECTED_MESSAGE);
1082 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1084 (unsigned long) left);
1085 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1086 TLS_ALERT_DECODE_ERROR);
1090 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1091 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1092 "type 0x%x", pos[0]);
1093 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1094 TLS_ALERT_UNEXPECTED_MESSAGE);
1098 len = WPA_GET_BE24(pos + 1);
1104 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1105 "(len=%lu > left=%lu)",
1106 (unsigned long) len, (unsigned long) left);
1107 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1108 TLS_ALERT_DECODE_ERROR);
1112 if (len != TLS_VERIFY_DATA_LEN) {
1113 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1114 "in Finished: %lu (expected %d)",
1115 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1116 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1117 TLS_ALERT_DECODE_ERROR);
1120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1121 pos, TLS_VERIFY_DATA_LEN);
1123 #ifdef CONFIG_TLSV12
1124 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1125 hlen = SHA256_MAC_LEN;
1126 if (conn->verify.sha256_client == NULL ||
1127 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1129 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1130 TLS_ALERT_INTERNAL_ERROR);
1131 conn->verify.sha256_client = NULL;
1134 conn->verify.sha256_client = NULL;
1136 #endif /* CONFIG_TLSV12 */
1139 if (conn->verify.md5_client == NULL ||
1140 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1141 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1142 TLS_ALERT_INTERNAL_ERROR);
1143 conn->verify.md5_client = NULL;
1144 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1145 conn->verify.sha1_client = NULL;
1148 conn->verify.md5_client = NULL;
1149 hlen = SHA1_MAC_LEN;
1150 if (conn->verify.sha1_client == NULL ||
1151 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1153 conn->verify.sha1_client = NULL;
1154 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1155 TLS_ALERT_INTERNAL_ERROR);
1158 conn->verify.sha1_client = NULL;
1159 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1161 #ifdef CONFIG_TLSV12
1163 #endif /* CONFIG_TLSV12 */
1165 if (tls_prf(conn->rl.tls_version,
1166 conn->master_secret, TLS_MASTER_SECRET_LEN,
1167 "client finished", hash, hlen,
1168 verify_data, TLS_VERIFY_DATA_LEN)) {
1169 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1170 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171 TLS_ALERT_DECRYPT_ERROR);
1174 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1175 verify_data, TLS_VERIFY_DATA_LEN);
1177 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1178 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1182 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1184 *in_len = end - in_data;
1186 if (conn->use_session_ticket) {
1187 /* Abbreviated handshake using session ticket; RFC 4507 */
1188 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1190 conn->state = ESTABLISHED;
1192 /* Full handshake */
1193 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1200 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1201 const u8 *buf, size_t *len)
1203 if (ct == TLS_CONTENT_TYPE_ALERT) {
1205 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1206 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1207 TLS_ALERT_DECODE_ERROR);
1210 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1213 conn->state = FAILED;
1217 switch (conn->state) {
1219 if (tls_process_client_hello(conn, ct, buf, len))
1222 case CLIENT_CERTIFICATE:
1223 if (tls_process_certificate(conn, ct, buf, len))
1226 case CLIENT_KEY_EXCHANGE:
1227 if (tls_process_client_key_exchange(conn, ct, buf, len))
1230 case CERTIFICATE_VERIFY:
1231 if (tls_process_certificate_verify(conn, ct, buf, len))
1234 case CHANGE_CIPHER_SPEC:
1235 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1238 case CLIENT_FINISHED:
1239 if (tls_process_client_finished(conn, ct, buf, len))
1243 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1244 "while processing received message",
1249 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1250 tls_verify_hash_add(&conn->verify, buf, *len);