contrib/hostapd/src/tls/tlsv1_client_read.c

   1 /*
   2  * TLSv1 client - read handshake message
   3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "md5.h"
  19 #include "sha1.h"
  20 #include "x509v3.h"
  21 #include "tls.h"
  22 #include "tlsv1_common.h"
  23 #include "tlsv1_record.h"
  24 #include "tlsv1_client.h"
  25 #include "tlsv1_client_i.h"
  26
  27 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
  28                                            const u8 *in_data, size_t *in_len);
  29 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
  30                                            const u8 *in_data, size_t *in_len);
  31 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
  32                                          const u8 *in_data, size_t *in_len);
  33
  34
  35 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
  36                                     const u8 *in_data, size_t *in_len)
  37 {
  38         const u8 *pos, *end;
  39         size_t left, len, i;
  40         u16 cipher_suite;
  41
  42         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  43                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  44                            "received content type 0x%x", ct);
  45                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  46                           TLS_ALERT_UNEXPECTED_MESSAGE);
  47                 return -1;
  48         }
  49
  50         pos = in_data;
  51         left = *in_len;
  52
  53         if (left < 4)
  54                 goto decode_error;
  55
  56         /* HandshakeType msg_type */
  57         if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
  58                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  59                            "message %d (expected ServerHello)", *pos);
  60                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  61                           TLS_ALERT_UNEXPECTED_MESSAGE);
  62                 return -1;
  63         }
  64         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
  65         pos++;
  66         /* uint24 length */
  67         len = WPA_GET_BE24(pos);
  68         pos += 3;
  69         left -= 4;
  70
  71         if (len > left)
  72                 goto decode_error;
  73
  74         /* body - ServerHello */
  75
  76         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
  77         end = pos + len;
  78
  79         /* ProtocolVersion server_version */
  80         if (end - pos < 2)
  81                 goto decode_error;
  82         if (WPA_GET_BE16(pos) != TLS_VERSION) {
  83                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  84                            "ServerHello");
  85                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  86                           TLS_ALERT_PROTOCOL_VERSION);
  87                 return -1;
  88         }
  89         pos += 2;
  90
  91         /* Random random */
  92         if (end - pos < TLS_RANDOM_LEN)
  93                 goto decode_error;
  94
  95         os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
  96         pos += TLS_RANDOM_LEN;
  97         wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
  98                     conn->server_random, TLS_RANDOM_LEN);
  99
 100         /* SessionID session_id */
 101         if (end - pos < 1)
 102                 goto decode_error;
 103         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 104                 goto decode_error;
 105         if (conn->session_id_len && conn->session_id_len == *pos &&
 106             os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
 107                 pos += 1 + conn->session_id_len;
 108                 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
 109                 conn->session_resumed = 1;
 110         } else {
 111                 conn->session_id_len = *pos;
 112                 pos++;
 113                 os_memcpy(conn->session_id, pos, conn->session_id_len);
 114                 pos += conn->session_id_len;
 115         }
 116         wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
 117                     conn->session_id, conn->session_id_len);
 118
 119         /* CipherSuite cipher_suite */
 120         if (end - pos < 2)
 121                 goto decode_error;
 122         cipher_suite = WPA_GET_BE16(pos);
 123         pos += 2;
 124         for (i = 0; i < conn->num_cipher_suites; i++) {
 125                 if (cipher_suite == conn->cipher_suites[i])
 126                         break;
 127         }
 128         if (i == conn->num_cipher_suites) {
 129                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 130                            "cipher suite 0x%04x", cipher_suite);
 131                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 132                           TLS_ALERT_ILLEGAL_PARAMETER);
 133                 return -1;
 134         }
 135
 136         if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
 137                 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
 138                            "cipher suite for a resumed connection (0x%04x != "
 139                            "0x%04x)", cipher_suite, conn->prev_cipher_suite);
 140                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 141                           TLS_ALERT_ILLEGAL_PARAMETER);
 142                 return -1;
 143         }
 144
 145         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 146                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 147                            "record layer");
 148                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 149                           TLS_ALERT_INTERNAL_ERROR);
 150                 return -1;
 151         }
 152
 153         conn->prev_cipher_suite = cipher_suite;
 154
 155         /* CompressionMethod compression_method */
 156         if (end - pos < 1)
 157                 goto decode_error;
 158         if (*pos != TLS_COMPRESSION_NULL) {
 159                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 160                            "compression 0x%02x", *pos);
 161                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 162                           TLS_ALERT_ILLEGAL_PARAMETER);
 163                 return -1;
 164         }
 165         pos++;
 166
 167         if (end != pos) {
 168                 /* TODO: ServerHello extensions */
 169                 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
 170                             "end of ServerHello", pos, end - pos);
 171                 goto decode_error;
 172         }
 173
 174         if (conn->session_ticket_included && conn->session_ticket_cb) {
 175                 /* TODO: include SessionTicket extension if one was included in
 176                  * ServerHello */
 177                 int res = conn->session_ticket_cb(
 178                         conn->session_ticket_cb_ctx, NULL, 0,
 179                         conn->client_random, conn->server_random,
 180                         conn->master_secret);
 181                 if (res < 0) {
 182                         wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
 183                                    "indicated failure");
 184                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 185                                   TLS_ALERT_HANDSHAKE_FAILURE);
 186                         return -1;
 187                 }
 188                 conn->use_session_ticket = !!res;
 189         }
 190
 191         if ((conn->session_resumed || conn->use_session_ticket) &&
 192             tls_derive_keys(conn, NULL, 0)) {
 193                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 194                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 195                           TLS_ALERT_INTERNAL_ERROR);
 196                 return -1;
 197         }
 198
 199         *in_len = end - in_data;
 200
 201         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 202                 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
 203
 204         return 0;
 205
 206 decode_error:
 207         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
 208         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 209         return -1;
 210 }
 211
 212
 213 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 214                                    const u8 *in_data, size_t *in_len)
 215 {
 216         const u8 *pos, *end;
 217         size_t left, len, list_len, cert_len, idx;
 218         u8 type;
 219         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 220         int reason;
 221
 222         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 223                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 224                            "received content type 0x%x", ct);
 225                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 226                           TLS_ALERT_UNEXPECTED_MESSAGE);
 227                 return -1;
 228         }
 229
 230         pos = in_data;
 231         left = *in_len;
 232
 233         if (left < 4) {
 234                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 235                            "(len=%lu)", (unsigned long) left);
 236                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 237                 return -1;
 238         }
 239
 240         type = *pos++;
 241         len = WPA_GET_BE24(pos);
 242         pos += 3;
 243         left -= 4;
 244
 245         if (len > left) {
 246                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 247                            "length (len=%lu != left=%lu)",
 248                            (unsigned long) len, (unsigned long) left);
 249                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 250                 return -1;
 251         }
 252
 253         if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
 254                 return tls_process_server_key_exchange(conn, ct, in_data,
 255                                                        in_len);
 256         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 257                 return tls_process_certificate_request(conn, ct, in_data,
 258                                                        in_len);
 259         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 260                 return tls_process_server_hello_done(conn, ct, in_data,
 261                                                      in_len);
 262         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 263                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 264                            "message %d (expected Certificate/"
 265                            "ServerKeyExchange/CertificateRequest/"
 266                            "ServerHelloDone)", type);
 267                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 268                           TLS_ALERT_UNEXPECTED_MESSAGE);
 269                 return -1;
 270         }
 271
 272         wpa_printf(MSG_DEBUG,
 273                    "TLSv1: Received Certificate (certificate_list len %lu)",
 274                    (unsigned long) len);
 275
 276         /*
 277          * opaque ASN.1Cert<2^24-1>;
 278          *
 279          * struct {
 280          *     ASN.1Cert certificate_list<1..2^24-1>;
 281          * } Certificate;
 282          */
 283
 284         end = pos + len;
 285
 286         if (end - pos < 3) {
 287                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 288                            "(left=%lu)", (unsigned long) left);
 289                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 290                 return -1;
 291         }
 292
 293         list_len = WPA_GET_BE24(pos);
 294         pos += 3;
 295
 296         if ((size_t) (end - pos) != list_len) {
 297                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 298                            "length (len=%lu left=%lu)",
 299                            (unsigned long) list_len,
 300                            (unsigned long) (end - pos));
 301                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 302                 return -1;
 303         }
 304
 305         idx = 0;
 306         while (pos < end) {
 307                 if (end - pos < 3) {
 308                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 309                                    "certificate_list");
 310                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 311                                   TLS_ALERT_DECODE_ERROR);
 312                         x509_certificate_chain_free(chain);
 313                         return -1;
 314                 }
 315
 316                 cert_len = WPA_GET_BE24(pos);
 317                 pos += 3;
 318
 319                 if ((size_t) (end - pos) < cert_len) {
 320                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 321                                    "length (len=%lu left=%lu)",
 322                                    (unsigned long) cert_len,
 323                                    (unsigned long) (end - pos));
 324                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 325                                   TLS_ALERT_DECODE_ERROR);
 326                         x509_certificate_chain_free(chain);
 327                         return -1;
 328                 }
 329
 330                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 331                            (unsigned long) idx, (unsigned long) cert_len);
 332
 333                 if (idx == 0) {
 334                         crypto_public_key_free(conn->server_rsa_key);
 335                         if (tls_parse_cert(pos, cert_len,
 336                                            &conn->server_rsa_key)) {
 337                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 338                                            "the certificate");
 339                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 340                                           TLS_ALERT_BAD_CERTIFICATE);
 341                                 x509_certificate_chain_free(chain);
 342                                 return -1;
 343                         }
 344                 }
 345
 346                 cert = x509_certificate_parse(pos, cert_len);
 347                 if (cert == NULL) {
 348                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 349                                    "the certificate");
 350                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 351                                   TLS_ALERT_BAD_CERTIFICATE);
 352                         x509_certificate_chain_free(chain);
 353                         return -1;
 354                 }
 355
 356                 if (last == NULL)
 357                         chain = cert;
 358                 else
 359                         last->next = cert;
 360                 last = cert;
 361
 362                 idx++;
 363                 pos += cert_len;
 364         }
 365
 366         if (conn->cred &&
 367             x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 368                                             &reason) < 0) {
 369                 int tls_reason;
 370                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 371                            "validation failed (reason=%d)", reason);
 372                 switch (reason) {
 373                 case X509_VALIDATE_BAD_CERTIFICATE:
 374                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 375                         break;
 376                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 377                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 378                         break;
 379                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 380                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 381                         break;
 382                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 383                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 384                         break;
 385                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 386                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 387                         break;
 388                 case X509_VALIDATE_UNKNOWN_CA:
 389                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 390                         break;
 391                 default:
 392                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 393                         break;
 394                 }
 395                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 396                 x509_certificate_chain_free(chain);
 397                 return -1;
 398         }
 399
 400         x509_certificate_chain_free(chain);
 401
 402         *in_len = end - in_data;
 403
 404         conn->state = SERVER_KEY_EXCHANGE;
 405
 406         return 0;
 407 }
 408
 409
 410 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 411                                         const u8 *buf, size_t len)
 412 {
 413         const u8 *pos, *end;
 414
 415         tlsv1_client_free_dh(conn);
 416
 417         pos = buf;
 418         end = buf + len;
 419
 420         if (end - pos < 3)
 421                 goto fail;
 422         conn->dh_p_len = WPA_GET_BE16(pos);
 423         pos += 2;
 424         if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
 425                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
 426                            (unsigned long) conn->dh_p_len);
 427                 goto fail;
 428         }
 429         conn->dh_p = os_malloc(conn->dh_p_len);
 430         if (conn->dh_p == NULL)
 431                 goto fail;
 432         os_memcpy(conn->dh_p, pos, conn->dh_p_len);
 433         pos += conn->dh_p_len;
 434         wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
 435                     conn->dh_p, conn->dh_p_len);
 436
 437         if (end - pos < 3)
 438                 goto fail;
 439         conn->dh_g_len = WPA_GET_BE16(pos);
 440         pos += 2;
 441         if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
 442                 goto fail;
 443         conn->dh_g = os_malloc(conn->dh_g_len);
 444         if (conn->dh_g == NULL)
 445                 goto fail;
 446         os_memcpy(conn->dh_g, pos, conn->dh_g_len);
 447         pos += conn->dh_g_len;
 448         wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
 449                     conn->dh_g, conn->dh_g_len);
 450         if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
 451                 goto fail;
 452
 453         if (end - pos < 3)
 454                 goto fail;
 455         conn->dh_ys_len = WPA_GET_BE16(pos);
 456         pos += 2;
 457         if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
 458                 goto fail;
 459         conn->dh_ys = os_malloc(conn->dh_ys_len);
 460         if (conn->dh_ys == NULL)
 461                 goto fail;
 462         os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
 463         pos += conn->dh_ys_len;
 464         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
 465                     conn->dh_ys, conn->dh_ys_len);
 466
 467         return 0;
 468
 469 fail:
 470         wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
 471         tlsv1_client_free_dh(conn);
 472         return -1;
 473 }
 474
 475
 476 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
 477                                            const u8 *in_data, size_t *in_len)
 478 {
 479         const u8 *pos, *end;
 480         size_t left, len;
 481         u8 type;
 482         const struct tls_cipher_suite *suite;
 483
 484         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 485                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 486                            "received content type 0x%x", ct);
 487                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 488                           TLS_ALERT_UNEXPECTED_MESSAGE);
 489                 return -1;
 490         }
 491
 492         pos = in_data;
 493         left = *in_len;
 494
 495         if (left < 4) {
 496                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
 497                            "(Left=%lu)", (unsigned long) left);
 498                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 499                 return -1;
 500         }
 501
 502         type = *pos++;
 503         len = WPA_GET_BE24(pos);
 504         pos += 3;
 505         left -= 4;
 506
 507         if (len > left) {
 508                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
 509                            "length (len=%lu != left=%lu)",
 510                            (unsigned long) len, (unsigned long) left);
 511                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 512                 return -1;
 513         }
 514
 515         end = pos + len;
 516
 517         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 518                 return tls_process_certificate_request(conn, ct, in_data,
 519                                                        in_len);
 520         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 521                 return tls_process_server_hello_done(conn, ct, in_data,
 522                                                      in_len);
 523         if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
 524                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 525                            "message %d (expected ServerKeyExchange/"
 526                            "CertificateRequest/ServerHelloDone)", type);
 527                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 528                           TLS_ALERT_UNEXPECTED_MESSAGE);
 529                 return -1;
 530         }
 531
 532         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
 533
 534         if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
 535                 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
 536                            "with the selected cipher suite");
 537                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 538                           TLS_ALERT_UNEXPECTED_MESSAGE);
 539                 return -1;
 540         }
 541
 542         wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
 543         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 544         if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
 545                 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) {
 546                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 547                                   TLS_ALERT_DECODE_ERROR);
 548                         return -1;
 549                 }
 550         } else {
 551                 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
 552                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 553                           TLS_ALERT_UNEXPECTED_MESSAGE);
 554                 return -1;
 555         }
 556
 557         *in_len = end - in_data;
 558
 559         conn->state = SERVER_CERTIFICATE_REQUEST;
 560
 561         return 0;
 562 }
 563
 564
 565 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
 566                                            const u8 *in_data, size_t *in_len)
 567 {
 568         const u8 *pos, *end;
 569         size_t left, len;
 570         u8 type;
 571
 572         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 573                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 574                            "received content type 0x%x", ct);
 575                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 576                           TLS_ALERT_UNEXPECTED_MESSAGE);
 577                 return -1;
 578         }
 579
 580         pos = in_data;
 581         left = *in_len;
 582
 583         if (left < 4) {
 584                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
 585                            "(left=%lu)", (unsigned long) left);
 586                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 587                 return -1;
 588         }
 589
 590         type = *pos++;
 591         len = WPA_GET_BE24(pos);
 592         pos += 3;
 593         left -= 4;
 594
 595         if (len > left) {
 596                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
 597                            "length (len=%lu != left=%lu)",
 598                            (unsigned long) len, (unsigned long) left);
 599                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 600                 return -1;
 601         }
 602
 603         end = pos + len;
 604
 605         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 606                 return tls_process_server_hello_done(conn, ct, in_data,
 607                                                      in_len);
 608         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
 609                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 610                            "message %d (expected CertificateRequest/"
 611                            "ServerHelloDone)", type);
 612                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 613                           TLS_ALERT_UNEXPECTED_MESSAGE);
 614                 return -1;
 615         }
 616
 617         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
 618
 619         conn->certificate_requested = 1;
 620
 621         *in_len = end - in_data;
 622
 623         conn->state = SERVER_HELLO_DONE;
 624
 625         return 0;
 626 }
 627
 628
 629 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
 630                                          const u8 *in_data, size_t *in_len)
 631 {
 632         const u8 *pos, *end;
 633         size_t left, len;
 634         u8 type;
 635
 636         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 637                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 638                            "received content type 0x%x", ct);
 639                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 640                           TLS_ALERT_UNEXPECTED_MESSAGE);
 641                 return -1;
 642         }
 643
 644         pos = in_data;
 645         left = *in_len;
 646
 647         if (left < 4) {
 648                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
 649                            "(left=%lu)", (unsigned long) left);
 650                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 651                 return -1;
 652         }
 653
 654         type = *pos++;
 655         len = WPA_GET_BE24(pos);
 656         pos += 3;
 657         left -= 4;
 658
 659         if (len > left) {
 660                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
 661                            "length (len=%lu != left=%lu)",
 662                            (unsigned long) len, (unsigned long) left);
 663                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 664                 return -1;
 665         }
 666         end = pos + len;
 667
 668         if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
 669                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 670                            "message %d (expected ServerHelloDone)", type);
 671                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 672                           TLS_ALERT_UNEXPECTED_MESSAGE);
 673                 return -1;
 674         }
 675
 676         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
 677
 678         *in_len = end - in_data;
 679
 680         conn->state = CLIENT_KEY_EXCHANGE;
 681
 682         return 0;
 683 }
 684
 685
 686 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
 687                                                  u8 ct, const u8 *in_data,
 688                                                  size_t *in_len)
 689 {
 690         const u8 *pos;
 691         size_t left;
 692
 693         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 694                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 695                            "received content type 0x%x", ct);
 696                 if (conn->use_session_ticket) {
 697                         int res;
 698                         wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
 699                                    "rejected SessionTicket");
 700                         conn->use_session_ticket = 0;
 701
 702                         /* Notify upper layers that SessionTicket failed */
 703                         res = conn->session_ticket_cb(
 704                                 conn->session_ticket_cb_ctx, NULL, 0, NULL,
 705                                 NULL, NULL);
 706                         if (res < 0) {
 707                                 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
 708                                            "callback indicated failure");
 709                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 710                                           TLS_ALERT_HANDSHAKE_FAILURE);
 711                                 return -1;
 712                         }
 713
 714                         conn->state = SERVER_CERTIFICATE;
 715                         return tls_process_certificate(conn, ct, in_data,
 716                                                        in_len);
 717                 }
 718                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 719                           TLS_ALERT_UNEXPECTED_MESSAGE);
 720                 return -1;
 721         }
 722
 723         pos = in_data;
 724         left = *in_len;
 725
 726         if (left < 1) {
 727                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 728                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 729                 return -1;
 730         }
 731
 732         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 733                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 734                            "received data 0x%x", *pos);
 735                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 736                           TLS_ALERT_UNEXPECTED_MESSAGE);
 737                 return -1;
 738         }
 739
 740         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 741         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 742                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 743                            "for record layer");
 744                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 745                           TLS_ALERT_INTERNAL_ERROR);
 746                 return -1;
 747         }
 748
 749         *in_len = pos + 1 - in_data;
 750
 751         conn->state = SERVER_FINISHED;
 752
 753         return 0;
 754 }
 755
 756
 757 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
 758                                        const u8 *in_data, size_t *in_len)
 759 {
 760         const u8 *pos, *end;
 761         size_t left, len, hlen;
 762         u8 verify_data[TLS_VERIFY_DATA_LEN];
 763         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 764
 765         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 766                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 767                            "received content type 0x%x", ct);
 768                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 769                           TLS_ALERT_UNEXPECTED_MESSAGE);
 770                 return -1;
 771         }
 772
 773         pos = in_data;
 774         left = *in_len;
 775
 776         if (left < 4) {
 777                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 778                            "Finished",
 779                            (unsigned long) left);
 780                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 781                           TLS_ALERT_DECODE_ERROR);
 782                 return -1;
 783         }
 784
 785         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 786                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 787                            "type 0x%x", pos[0]);
 788                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 789                           TLS_ALERT_UNEXPECTED_MESSAGE);
 790                 return -1;
 791         }
 792
 793         len = WPA_GET_BE24(pos + 1);
 794
 795         pos += 4;
 796         left -= 4;
 797
 798         if (len > left) {
 799                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
 800                            "(len=%lu > left=%lu)",
 801                            (unsigned long) len, (unsigned long) left);
 802                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 803                           TLS_ALERT_DECODE_ERROR);
 804                 return -1;
 805         }
 806         end = pos + len;
 807         if (len != TLS_VERIFY_DATA_LEN) {
 808                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
 809                            "in Finished: %lu (expected %d)",
 810                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
 811                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 812                           TLS_ALERT_DECODE_ERROR);
 813                 return -1;
 814         }
 815         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
 816                     pos, TLS_VERIFY_DATA_LEN);
 817
 818         hlen = MD5_MAC_LEN;
 819         if (conn->verify.md5_server == NULL ||
 820             crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
 821                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 822                           TLS_ALERT_INTERNAL_ERROR);
 823                 conn->verify.md5_server = NULL;
 824                 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
 825                 conn->verify.sha1_server = NULL;
 826                 return -1;
 827         }
 828         conn->verify.md5_server = NULL;
 829         hlen = SHA1_MAC_LEN;
 830         if (conn->verify.sha1_server == NULL ||
 831             crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
 832                                &hlen) < 0) {
 833                 conn->verify.sha1_server = NULL;
 834                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 835                           TLS_ALERT_INTERNAL_ERROR);
 836                 return -1;
 837         }
 838         conn->verify.sha1_server = NULL;
 839
 840         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
 841                     "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
 842                     verify_data, TLS_VERIFY_DATA_LEN)) {
 843                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
 844                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 845                           TLS_ALERT_DECRYPT_ERROR);
 846                 return -1;
 847         }
 848         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
 849                         verify_data, TLS_VERIFY_DATA_LEN);
 850
 851         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
 852                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
 853                 return -1;
 854         }
 855
 856         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
 857
 858         *in_len = end - in_data;
 859
 860         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 861                 CHANGE_CIPHER_SPEC : ACK_FINISHED;
 862
 863         return 0;
 864 }
 865
 866
 867 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
 868                                         const u8 *in_data, size_t *in_len,
 869                                         u8 **out_data, size_t *out_len)
 870 {
 871         const u8 *pos;
 872         size_t left;
 873
 874         if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
 875                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
 876                            "received content type 0x%x", ct);
 877                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 878                           TLS_ALERT_UNEXPECTED_MESSAGE);
 879                 return -1;
 880         }
 881
 882         pos = in_data;
 883         left = *in_len;
 884
 885         wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
 886                     pos, left);
 887
 888         *out_data = os_malloc(left);
 889         if (*out_data) {
 890                 os_memcpy(*out_data, pos, left);
 891                 *out_len = left;
 892         }
 893
 894         return 0;
 895 }
 896
 897
 898 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
 899                                    const u8 *buf, size_t *len,
 900                                    u8 **out_data, size_t *out_len)
 901 {
 902         if (ct == TLS_CONTENT_TYPE_ALERT) {
 903                 if (*len < 2) {
 904                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
 905                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 906                                   TLS_ALERT_DECODE_ERROR);
 907                         return -1;
 908                 }
 909                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
 910                            buf[0], buf[1]);
 911                 *len = 2;
 912                 conn->state = FAILED;
 913                 return -1;
 914         }
 915
 916         if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
 917             buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
 918                 size_t hr_len = WPA_GET_BE24(buf + 1);
 919                 if (hr_len > *len - 4) {
 920                         wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
 921                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 922                                   TLS_ALERT_DECODE_ERROR);
 923                         return -1;
 924                 }
 925                 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
 926                 *len = 4 + hr_len;
 927                 return 0;
 928         }
 929
 930         switch (conn->state) {
 931         case SERVER_HELLO:
 932                 if (tls_process_server_hello(conn, ct, buf, len))
 933                         return -1;
 934                 break;
 935         case SERVER_CERTIFICATE:
 936                 if (tls_process_certificate(conn, ct, buf, len))
 937                         return -1;
 938                 break;
 939         case SERVER_KEY_EXCHANGE:
 940                 if (tls_process_server_key_exchange(conn, ct, buf, len))
 941                         return -1;
 942                 break;
 943         case SERVER_CERTIFICATE_REQUEST:
 944                 if (tls_process_certificate_request(conn, ct, buf, len))
 945                         return -1;
 946                 break;
 947         case SERVER_HELLO_DONE:
 948                 if (tls_process_server_hello_done(conn, ct, buf, len))
 949                         return -1;
 950                 break;
 951         case SERVER_CHANGE_CIPHER_SPEC:
 952                 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
 953                         return -1;
 954                 break;
 955         case SERVER_FINISHED:
 956                 if (tls_process_server_finished(conn, ct, buf, len))
 957                         return -1;
 958                 break;
 959         case ACK_FINISHED:
 960                 if (out_data &&
 961                     tls_process_application_data(conn, ct, buf, len, out_data,
 962                                                  out_len))
 963                         return -1;
 964                 break;
 965         default:
 966                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
 967                            "while processing received message",
 968                            conn->state);
 969                 return -1;
 970         }
 971
 972         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
 973                 tls_verify_hash_add(&conn->verify, buf, *len);
 974
 975         return 0;
 976 }