2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 u8 ct, const u8 *in_data,
30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
32 #ifdef CONFIG_TESTING_OPTIONS
33 if ((conn->test_flags &
34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
43 #endif /* CONFIG_TESTING_OPTIONS */
49 static void tls_process_status_request_item(struct tlsv1_server *conn,
50 const u8 *req, size_t req_len)
61 * CertificateStatusType status_type;
62 * uint16 request_length;
63 * select (status_type) {
64 * case ocsp: OCSPStatusRequest;
65 * case ocsp_multi: OCSPStatusRequest;
67 * } CertificateStatusRequestItemV2;
69 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
73 return; /* Truncated data */
76 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77 if (status_type != 1 && status_type != 2)
78 return; /* Unsupported status type */
80 * For now, only OCSP stapling is supported, so ignore the specific
83 wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
86 conn->status_request_multi = 1;
90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
91 const u8 *ext, size_t ext_len)
95 conn->status_request_v2 = 1;
103 * CertificateStatusRequestItemV2
104 * certificate_status_req_list<1..2^16-1>;
105 * } CertificateStatusRequestListV2;
108 while (end - pos >= 2) {
111 len = WPA_GET_BE16(pos);
114 break; /* Truncated data */
115 tls_process_status_request_item(conn, pos, len);
121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
122 const u8 *in_data, size_t *in_len)
124 const u8 *pos, *end, *c;
125 size_t left, len, i, j;
128 int compr_null_found;
129 u16 ext_type, ext_len;
131 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
132 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
134 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
135 TLS_ALERT_UNEXPECTED_MESSAGE);
143 tlsv1_server_log(conn,
144 "Truncated handshake message (expected ClientHello)");
148 /* HandshakeType msg_type */
149 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
150 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 TLS_ALERT_UNEXPECTED_MESSAGE);
156 tlsv1_server_log(conn, "Received ClientHello");
159 len = WPA_GET_BE24(pos);
164 tlsv1_server_log(conn,
165 "Truncated ClientHello (len=%d left=%d)",
166 (int) len, (int) left);
170 /* body - ClientHello */
172 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
175 /* ProtocolVersion client_version */
177 tlsv1_server_log(conn, "Truncated ClientHello/client_version");
180 conn->client_version = WPA_GET_BE16(pos);
181 tlsv1_server_log(conn, "Client version %d.%d",
182 conn->client_version >> 8,
183 conn->client_version & 0xff);
184 if (conn->client_version < TLS_VERSION_1) {
185 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
186 conn->client_version >> 8,
187 conn->client_version & 0xff);
188 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
189 TLS_ALERT_PROTOCOL_VERSION);
194 if (TLS_VERSION == TLS_VERSION_1)
195 conn->rl.tls_version = TLS_VERSION_1;
197 else if (conn->client_version >= TLS_VERSION_1_2)
198 conn->rl.tls_version = TLS_VERSION_1_2;
199 #endif /* CONFIG_TLSV12 */
200 else if (conn->client_version > TLS_VERSION_1_1)
201 conn->rl.tls_version = TLS_VERSION_1_1;
203 conn->rl.tls_version = conn->client_version;
204 tlsv1_server_log(conn, "Using TLS v%s",
205 tls_version_str(conn->rl.tls_version));
208 if (end - pos < TLS_RANDOM_LEN) {
209 tlsv1_server_log(conn, "Truncated ClientHello/client_random");
213 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
214 pos += TLS_RANDOM_LEN;
215 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
216 conn->client_random, TLS_RANDOM_LEN);
218 /* SessionID session_id */
220 tlsv1_server_log(conn, "Truncated ClientHello/session_id len");
223 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) {
224 tlsv1_server_log(conn, "Truncated ClientHello/session_id");
227 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
229 /* TODO: add support for session resumption */
231 /* CipherSuite cipher_suites<2..2^16-1> */
233 tlsv1_server_log(conn,
234 "Truncated ClientHello/cipher_suites len");
237 num_suites = WPA_GET_BE16(pos);
239 if (end - pos < num_suites) {
240 tlsv1_server_log(conn, "Truncated ClientHello/cipher_suites");
243 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
245 if (num_suites & 1) {
246 tlsv1_server_log(conn, "Odd len ClientHello/cipher_suites");
252 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
253 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
256 for (j = 0; j < num_suites; j++) {
257 u16 tmp = WPA_GET_BE16(c);
259 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
265 pos += num_suites * 2;
267 tlsv1_server_log(conn, "No supported cipher suite available");
268 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 TLS_ALERT_ILLEGAL_PARAMETER);
273 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
274 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
276 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
277 TLS_ALERT_INTERNAL_ERROR);
281 conn->cipher_suite = cipher_suite;
283 /* CompressionMethod compression_methods<1..2^8-1> */
285 tlsv1_server_log(conn,
286 "Truncated ClientHello/compression_methods len");
290 if (end - pos < num_suites) {
291 tlsv1_server_log(conn,
292 "Truncated ClientHello/compression_methods");
295 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
297 compr_null_found = 0;
298 for (i = 0; i < num_suites; i++) {
299 if (*pos++ == TLS_COMPRESSION_NULL)
300 compr_null_found = 1;
302 if (!compr_null_found) {
303 tlsv1_server_log(conn, "Client does not accept NULL compression");
304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 TLS_ALERT_ILLEGAL_PARAMETER);
309 if (end - pos == 1) {
310 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
315 if (end - pos >= 2) {
316 /* Extension client_hello_extension_list<0..2^16-1> */
317 ext_len = WPA_GET_BE16(pos);
320 tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
322 if (end - pos != ext_len) {
323 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
324 ext_len, (unsigned int) (end - pos));
330 * ExtensionType extension_type (0..65535)
331 * opaque extension_data<0..2^16-1>
337 tlsv1_server_log(conn, "Invalid extension_type field");
341 ext_type = WPA_GET_BE16(pos);
345 tlsv1_server_log(conn, "Invalid extension_data length field");
349 ext_len = WPA_GET_BE16(pos);
352 if (end - pos < ext_len) {
353 tlsv1_server_log(conn, "Invalid extension_data field");
357 tlsv1_server_log(conn, "ClientHello Extension type %u",
359 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
360 "Extension data", pos, ext_len);
362 if (ext_type == TLS_EXT_SESSION_TICKET) {
363 os_free(conn->session_ticket);
364 conn->session_ticket = os_malloc(ext_len);
365 if (conn->session_ticket) {
366 os_memcpy(conn->session_ticket, pos,
368 conn->session_ticket_len = ext_len;
370 } else if (ext_type == TLS_EXT_STATUS_REQUEST) {
371 conn->status_request = 1;
372 } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
373 tls_process_status_request_v2(conn, pos,
381 *in_len = end - in_data;
383 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
384 conn->state = SERVER_HELLO;
389 tlsv1_server_log(conn, "Failed to decode ClientHello");
390 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
391 TLS_ALERT_DECODE_ERROR);
396 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
397 const u8 *in_data, size_t *in_len)
400 size_t left, len, list_len, cert_len, idx;
402 struct x509_certificate *chain = NULL, *last = NULL, *cert;
405 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
406 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
408 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 TLS_ALERT_UNEXPECTED_MESSAGE);
417 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
418 (unsigned long) left);
419 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420 TLS_ALERT_DECODE_ERROR);
425 len = WPA_GET_BE24(pos);
430 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
431 (unsigned long) len, (unsigned long) left);
432 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
433 TLS_ALERT_DECODE_ERROR);
437 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
438 if (conn->verify_peer) {
439 tlsv1_server_log(conn, "Client did not include Certificate");
440 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
441 TLS_ALERT_UNEXPECTED_MESSAGE);
445 return tls_process_client_key_exchange(conn, ct, in_data,
448 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
449 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
451 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 TLS_ALERT_UNEXPECTED_MESSAGE);
456 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
457 (unsigned long) len);
460 * opaque ASN.1Cert<2^24-1>;
463 * ASN.1Cert certificate_list<1..2^24-1>;
470 tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
471 (unsigned long) left);
472 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 TLS_ALERT_DECODE_ERROR);
477 list_len = WPA_GET_BE24(pos);
480 if ((size_t) (end - pos) != list_len) {
481 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
482 (unsigned long) list_len,
483 (unsigned long) (end - pos));
484 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
485 TLS_ALERT_DECODE_ERROR);
492 tlsv1_server_log(conn, "Failed to parse certificate_list");
493 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
494 TLS_ALERT_DECODE_ERROR);
495 x509_certificate_chain_free(chain);
499 cert_len = WPA_GET_BE24(pos);
502 if ((size_t) (end - pos) < cert_len) {
503 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
504 (unsigned long) cert_len,
505 (unsigned long) (end - pos));
506 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
507 TLS_ALERT_DECODE_ERROR);
508 x509_certificate_chain_free(chain);
512 tlsv1_server_log(conn, "Certificate %lu (len %lu)",
513 (unsigned long) idx, (unsigned long) cert_len);
516 crypto_public_key_free(conn->client_rsa_key);
517 if (tls_parse_cert(pos, cert_len,
518 &conn->client_rsa_key)) {
519 tlsv1_server_log(conn, "Failed to parse the certificate");
520 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
521 TLS_ALERT_BAD_CERTIFICATE);
522 x509_certificate_chain_free(chain);
527 cert = x509_certificate_parse(pos, cert_len);
529 tlsv1_server_log(conn, "Failed to parse the certificate");
530 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
531 TLS_ALERT_BAD_CERTIFICATE);
532 x509_certificate_chain_free(chain);
546 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
549 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
552 case X509_VALIDATE_BAD_CERTIFICATE:
553 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
555 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
556 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
558 case X509_VALIDATE_CERTIFICATE_REVOKED:
559 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
561 case X509_VALIDATE_CERTIFICATE_EXPIRED:
562 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
564 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
565 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
567 case X509_VALIDATE_UNKNOWN_CA:
568 tls_reason = TLS_ALERT_UNKNOWN_CA;
571 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
574 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
575 x509_certificate_chain_free(chain);
579 if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
580 !(chain->ext_key_usage &
581 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
582 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
583 TLS_ALERT_BAD_CERTIFICATE);
584 x509_certificate_chain_free(chain);
588 x509_certificate_chain_free(chain);
590 *in_len = end - in_data;
592 conn->state = CLIENT_KEY_EXCHANGE;
598 static int tls_process_client_key_exchange_rsa(
599 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
602 size_t outlen, outbuflen;
608 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
609 TLS_ALERT_DECODE_ERROR);
613 encr_len = WPA_GET_BE16(pos);
615 if (pos + encr_len > end) {
616 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
617 encr_len, (unsigned int) (end - pos));
618 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
619 TLS_ALERT_DECODE_ERROR);
623 outbuflen = outlen = end - pos;
624 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
625 outlen : TLS_PRE_MASTER_SECRET_LEN);
627 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628 TLS_ALERT_INTERNAL_ERROR);
634 * ProtocolVersion client_version;
639 * public-key-encrypted PreMasterSecret pre_master_secret;
640 * } EncryptedPreMasterSecret;
644 * Note: To avoid Bleichenbacher attack, we do not report decryption or
645 * parsing errors from EncryptedPreMasterSecret processing to the
646 * client. Instead, a random pre-master secret is used to force the
650 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
653 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
654 "PreMasterSecret (encr_len=%u outlen=%lu)",
655 encr_len, (unsigned long) outlen);
659 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
660 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
661 (unsigned long) outlen);
665 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
666 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
671 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
672 "to avoid revealing information about private key");
673 outlen = TLS_PRE_MASTER_SECRET_LEN;
674 if (os_get_random(out, outlen)) {
675 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
677 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
678 TLS_ALERT_INTERNAL_ERROR);
684 res = tlsv1_server_derive_keys(conn, out, outlen);
686 /* Clear the pre-master secret since it is not needed anymore */
687 os_memset(out, 0, outbuflen);
691 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
692 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
693 TLS_ALERT_INTERNAL_ERROR);
701 static int tls_process_client_key_exchange_dh(
702 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
714 * select (PublicValueEncoding) {
715 * case implicit: struct { };
716 * case explicit: opaque dh_Yc<1..2^16-1>;
718 * } ClientDiffieHellmanPublic;
721 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
722 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
726 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
728 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
729 TLS_ALERT_INTERNAL_ERROR);
734 tlsv1_server_log(conn, "Invalid client public value length");
735 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 TLS_ALERT_DECODE_ERROR);
740 dh_yc_len = WPA_GET_BE16(pos);
743 if (dh_yc_len > end - dh_yc) {
744 tlsv1_server_log(conn, "Client public value overflow (length %d)",
746 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
747 TLS_ALERT_DECODE_ERROR);
751 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
754 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
755 conn->dh_secret == NULL) {
756 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
757 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
758 TLS_ALERT_INTERNAL_ERROR);
762 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
764 shared_len = dh_p_len;
765 shared = os_malloc(shared_len);
766 if (shared == NULL) {
767 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
769 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
770 TLS_ALERT_INTERNAL_ERROR);
774 /* shared = Yc^secret mod p */
775 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
776 conn->dh_secret_len, dh_p, dh_p_len,
777 shared, &shared_len)) {
779 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
780 TLS_ALERT_INTERNAL_ERROR);
783 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
786 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
787 os_free(conn->dh_secret);
788 conn->dh_secret = NULL;
790 res = tlsv1_server_derive_keys(conn, shared, shared_len);
792 /* Clear the pre-master secret since it is not needed anymore */
793 os_memset(shared, 0, shared_len);
797 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
798 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
799 TLS_ALERT_INTERNAL_ERROR);
807 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
808 const u8 *in_data, size_t *in_len)
813 tls_key_exchange keyx;
814 const struct tls_cipher_suite *suite;
816 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
817 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820 TLS_ALERT_UNEXPECTED_MESSAGE);
828 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
829 (unsigned long) left);
830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831 TLS_ALERT_DECODE_ERROR);
836 len = WPA_GET_BE24(pos);
841 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
842 (unsigned long) len, (unsigned long) left);
843 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
844 TLS_ALERT_DECODE_ERROR);
850 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
851 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
853 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
854 TLS_ALERT_UNEXPECTED_MESSAGE);
858 tlsv1_server_log(conn, "Received ClientKeyExchange");
860 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
862 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
864 keyx = TLS_KEY_X_NULL;
866 keyx = suite->key_exchange;
868 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
869 tls_process_client_key_exchange_dh(conn, pos, end) < 0)
872 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
873 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
876 *in_len = end - in_data;
878 conn->state = CERTIFICATE_VERIFY;
884 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
885 const u8 *in_data, size_t *in_len)
891 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
894 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
895 if (conn->verify_peer) {
896 tlsv1_server_log(conn, "Client did not include CertificateVerify");
897 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
898 TLS_ALERT_UNEXPECTED_MESSAGE);
902 return tls_process_change_cipher_spec(conn, ct, in_data,
906 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
907 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
909 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
910 TLS_ALERT_UNEXPECTED_MESSAGE);
918 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
919 (unsigned long) left);
920 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
921 TLS_ALERT_DECODE_ERROR);
926 len = WPA_GET_BE24(pos);
931 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
932 (unsigned long) len, (unsigned long) left);
933 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
934 TLS_ALERT_DECODE_ERROR);
940 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
941 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944 TLS_ALERT_UNEXPECTED_MESSAGE);
948 tlsv1_server_log(conn, "Received CertificateVerify");
952 * Signature signature;
953 * } CertificateVerify;
959 if (conn->rl.tls_version == TLS_VERSION_1_2) {
962 * TLS v1.2 adds explicit indication of the used signature and
966 * HashAlgorithm hash;
967 * SignatureAlgorithm signature;
968 * } SignatureAndHashAlgorithm;
971 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
972 TLS_ALERT_DECODE_ERROR);
975 if (pos[0] != TLS_HASH_ALG_SHA256 ||
976 pos[1] != TLS_SIGN_ALG_RSA) {
977 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
978 "signature(%u) algorithm",
980 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
981 TLS_ALERT_INTERNAL_ERROR);
986 hlen = SHA256_MAC_LEN;
987 if (conn->verify.sha256_cert == NULL ||
988 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
990 conn->verify.sha256_cert = NULL;
991 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 TLS_ALERT_INTERNAL_ERROR);
995 conn->verify.sha256_cert = NULL;
997 #endif /* CONFIG_TLSV12 */
1000 if (conn->verify.md5_cert == NULL ||
1001 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
1002 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1003 TLS_ALERT_INTERNAL_ERROR);
1004 conn->verify.md5_cert = NULL;
1005 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
1006 conn->verify.sha1_cert = NULL;
1009 hpos += MD5_MAC_LEN;
1011 conn->verify.md5_cert = NULL;
1012 hlen = SHA1_MAC_LEN;
1013 if (conn->verify.sha1_cert == NULL ||
1014 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
1015 conn->verify.sha1_cert = NULL;
1016 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1017 TLS_ALERT_INTERNAL_ERROR);
1020 conn->verify.sha1_cert = NULL;
1022 hlen += MD5_MAC_LEN;
1024 #ifdef CONFIG_TLSV12
1026 #endif /* CONFIG_TLSV12 */
1028 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1030 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1031 hash, hlen, pos, end - pos, &alert) < 0) {
1032 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1033 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1037 *in_len = end - in_data;
1039 conn->state = CHANGE_CIPHER_SPEC;
1045 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1046 u8 ct, const u8 *in_data,
1052 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1053 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1055 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056 TLS_ALERT_UNEXPECTED_MESSAGE);
1064 tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1065 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1066 TLS_ALERT_DECODE_ERROR);
1070 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1071 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1073 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 TLS_ALERT_UNEXPECTED_MESSAGE);
1078 tlsv1_server_log(conn, "Received ChangeCipherSpec");
1079 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1080 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1081 "for record layer");
1082 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1083 TLS_ALERT_INTERNAL_ERROR);
1087 *in_len = pos + 1 - in_data;
1089 conn->state = CLIENT_FINISHED;
1095 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1096 const u8 *in_data, size_t *in_len)
1098 const u8 *pos, *end;
1099 size_t left, len, hlen;
1100 u8 verify_data[TLS_VERIFY_DATA_LEN];
1101 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1103 #ifdef CONFIG_TESTING_OPTIONS
1104 if ((conn->test_flags &
1105 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1106 !conn->test_failure_reported) {
1107 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1108 conn->test_failure_reported = 1;
1111 if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1112 !conn->test_failure_reported) {
1113 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1114 conn->test_failure_reported = 1;
1117 if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1118 !conn->test_failure_reported) {
1119 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1120 conn->test_failure_reported = 1;
1123 if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1124 !conn->test_failure_reported) {
1125 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1126 conn->test_failure_reported = 1;
1129 if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1130 !conn->test_failure_reported) {
1131 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1132 conn->test_failure_reported = 1;
1135 if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1136 !conn->test_failure_reported) {
1137 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1138 conn->test_failure_reported = 1;
1140 #endif /* CONFIG_TESTING_OPTIONS */
1142 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1143 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1145 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1146 TLS_ALERT_UNEXPECTED_MESSAGE);
1154 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1155 (unsigned long) left);
1156 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1157 TLS_ALERT_DECODE_ERROR);
1161 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1162 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1163 "type 0x%x", pos[0]);
1164 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1165 TLS_ALERT_UNEXPECTED_MESSAGE);
1169 len = WPA_GET_BE24(pos + 1);
1175 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1176 (unsigned long) len, (unsigned long) left);
1177 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1178 TLS_ALERT_DECODE_ERROR);
1182 if (len != TLS_VERIFY_DATA_LEN) {
1183 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1184 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1185 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1186 TLS_ALERT_DECODE_ERROR);
1189 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1190 pos, TLS_VERIFY_DATA_LEN);
1192 #ifdef CONFIG_TLSV12
1193 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1194 hlen = SHA256_MAC_LEN;
1195 if (conn->verify.sha256_client == NULL ||
1196 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1198 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1199 TLS_ALERT_INTERNAL_ERROR);
1200 conn->verify.sha256_client = NULL;
1203 conn->verify.sha256_client = NULL;
1205 #endif /* CONFIG_TLSV12 */
1208 if (conn->verify.md5_client == NULL ||
1209 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1210 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1211 TLS_ALERT_INTERNAL_ERROR);
1212 conn->verify.md5_client = NULL;
1213 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1214 conn->verify.sha1_client = NULL;
1217 conn->verify.md5_client = NULL;
1218 hlen = SHA1_MAC_LEN;
1219 if (conn->verify.sha1_client == NULL ||
1220 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1222 conn->verify.sha1_client = NULL;
1223 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1224 TLS_ALERT_INTERNAL_ERROR);
1227 conn->verify.sha1_client = NULL;
1228 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1230 #ifdef CONFIG_TLSV12
1232 #endif /* CONFIG_TLSV12 */
1234 if (tls_prf(conn->rl.tls_version,
1235 conn->master_secret, TLS_MASTER_SECRET_LEN,
1236 "client finished", hash, hlen,
1237 verify_data, TLS_VERIFY_DATA_LEN)) {
1238 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1239 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1240 TLS_ALERT_DECRYPT_ERROR);
1243 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1244 verify_data, TLS_VERIFY_DATA_LEN);
1246 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1247 tlsv1_server_log(conn, "Mismatch in verify_data");
1248 conn->state = FAILED;
1252 tlsv1_server_log(conn, "Received Finished");
1254 *in_len = end - in_data;
1256 if (conn->use_session_ticket) {
1257 /* Abbreviated handshake using session ticket; RFC 4507 */
1258 tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1259 conn->state = ESTABLISHED;
1261 /* Full handshake */
1262 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1269 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1270 const u8 *buf, size_t *len)
1272 if (ct == TLS_CONTENT_TYPE_ALERT) {
1274 tlsv1_server_log(conn, "Alert underflow");
1275 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276 TLS_ALERT_DECODE_ERROR);
1279 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1281 conn->state = FAILED;
1285 switch (conn->state) {
1287 if (tls_process_client_hello(conn, ct, buf, len))
1290 case CLIENT_CERTIFICATE:
1291 if (tls_process_certificate(conn, ct, buf, len))
1294 case CLIENT_KEY_EXCHANGE:
1295 if (tls_process_client_key_exchange(conn, ct, buf, len))
1298 case CERTIFICATE_VERIFY:
1299 if (tls_process_certificate_verify(conn, ct, buf, len))
1302 case CHANGE_CIPHER_SPEC:
1303 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1306 case CLIENT_FINISHED:
1307 if (tls_process_client_finished(conn, ct, buf, len))
1311 tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1316 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1317 tls_verify_hash_add(&conn->verify, buf, *len);