blob: 9df56c257b317392d2e3b2b9a653723f9de42095 [file] [log] [blame]
/*
* TLSv1 client - read handshake message
* Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "crypto/md5.h"
#include "crypto/sha1.h"
#include "crypto/sha256.h"
#include "crypto/tls.h"
#include "x509v3.h"
#include "tlsv1_common.h"
#include "tlsv1_record.h"
#include "tlsv1_client.h"
#include "tlsv1_client_i.h"
static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len);
static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len);
static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len);
static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
{
return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
ver == TLS_VERSION_1) ||
((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
ver == TLS_VERSION_1_1) ||
((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
ver == TLS_VERSION_1_2));
}
static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
const u8 *pos, size_t len)
{
const u8 *end = pos + len;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
pos, len);
while (pos < end) {
u16 ext, elen;
if (end - pos < 4) {
wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
return -1;
}
ext = WPA_GET_BE16(pos);
pos += 2;
elen = WPA_GET_BE16(pos);
pos += 2;
if (elen > end - pos) {
wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
ext);
wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
pos, elen);
pos += elen;
}
return 0;
}
static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len, i;
u16 cipher_suite;
u16 tls_version;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4)
goto decode_error;
/* HandshakeType msg_type */
if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ServerHello)", *pos);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
pos++;
/* uint24 length */
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left)
goto decode_error;
/* body - ServerHello */
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
end = pos + len;
/* ProtocolVersion server_version */
if (end - pos < 2)
goto decode_error;
tls_version = WPA_GET_BE16(pos);
if (!tls_version_ok(tls_version) ||
tls_version_disabled(conn, tls_version)) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
"ServerHello %u.%u", pos[0], pos[1]);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_PROTOCOL_VERSION);
return -1;
}
pos += 2;
wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
tls_version_str(tls_version));
conn->rl.tls_version = tls_version;
/* Random random */
if (end - pos < TLS_RANDOM_LEN)
goto decode_error;
os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
pos += TLS_RANDOM_LEN;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
conn->server_random, TLS_RANDOM_LEN);
/* SessionID session_id */
if (end - pos < 1)
goto decode_error;
if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
goto decode_error;
if (conn->session_id_len && conn->session_id_len == *pos &&
os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
pos += 1 + conn->session_id_len;
wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
conn->session_resumed = 1;
} else {
conn->session_id_len = *pos;
pos++;
os_memcpy(conn->session_id, pos, conn->session_id_len);
pos += conn->session_id_len;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
conn->session_id, conn->session_id_len);
/* CipherSuite cipher_suite */
if (end - pos < 2)
goto decode_error;
cipher_suite = WPA_GET_BE16(pos);
pos += 2;
for (i = 0; i < conn->num_cipher_suites; i++) {
if (cipher_suite == conn->cipher_suites[i])
break;
}
if (i == conn->num_cipher_suites) {
wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
"cipher suite 0x%04x", cipher_suite);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
"cipher suite for a resumed connection (0x%04x != "
"0x%04x)", cipher_suite, conn->prev_cipher_suite);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
"record layer");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->prev_cipher_suite = cipher_suite;
/* CompressionMethod compression_method */
if (end - pos < 1)
goto decode_error;
if (*pos != TLS_COMPRESSION_NULL) {
wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
"compression 0x%02x", *pos);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
pos++;
if (end - pos >= 2) {
u16 ext_len;
ext_len = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < ext_len) {
wpa_printf(MSG_INFO,
"TLSv1: Invalid ServerHello extension length: %u (left: %u)",
ext_len, (unsigned int) (end - pos));
goto decode_error;
}
if (tls_process_server_hello_extensions(conn, pos, ext_len))
goto decode_error;
pos += ext_len;
}
if (end != pos) {
wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
"end of ServerHello", pos, end - pos);
goto decode_error;
}
if (conn->session_ticket_included && conn->session_ticket_cb) {
/* TODO: include SessionTicket extension if one was included in
* ServerHello */
int res = conn->session_ticket_cb(
conn->session_ticket_cb_ctx, NULL, 0,
conn->client_random, conn->server_random,
conn->master_secret);
if (res < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
"indicated failure");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_HANDSHAKE_FAILURE);
return -1;
}
conn->use_session_ticket = !!res;
}
if ((conn->session_resumed || conn->use_session_ticket) &&
tls_derive_keys(conn, NULL, 0)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
*in_len = end - in_data;
conn->state = (conn->session_resumed || conn->use_session_ticket) ?
SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
return 0;
decode_error:
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
struct x509_certificate *cert)
{
union tls_event_data ev;
struct wpabuf *cert_buf = NULL;
#ifdef CONFIG_SHA256
u8 hash[32];
#endif /* CONFIG_SHA256 */
char subject[128];
if (!conn->event_cb)
return;
os_memset(&ev, 0, sizeof(ev));
if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
cert_buf = wpabuf_alloc_copy(cert->cert_start,
cert->cert_len);
ev.peer_cert.cert = cert_buf;
}
#ifdef CONFIG_SHA256
if (cert_buf) {
const u8 *addr[1];
size_t len[1];
addr[0] = wpabuf_head(cert_buf);
len[0] = wpabuf_len(cert_buf);
if (sha256_vector(1, addr, len, hash) == 0) {
ev.peer_cert.hash = hash;
ev.peer_cert.hash_len = sizeof(hash);
}
}
#endif /* CONFIG_SHA256 */
ev.peer_cert.depth = depth;
x509_name_string(&cert->subject, subject, sizeof(subject));
ev.peer_cert.subject = subject;
if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) {
if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT)
ev.peer_cert.tod = 1;
else if (cert->certificate_policy &
X509_EXT_CERT_POLICY_TOD_TOFU)
ev.peer_cert.tod = 2;
}
conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
wpabuf_free(cert_buf);
}
static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
struct x509_certificate *cert,
enum tls_fail_reason reason,
const char *reason_txt)
{
struct wpabuf *cert_buf = NULL;
union tls_event_data ev;
char subject[128];
if (!conn->event_cb || !cert)
return;
os_memset(&ev, 0, sizeof(ev));
ev.cert_fail.depth = depth;
x509_name_string(&cert->subject, subject, sizeof(subject));
ev.peer_cert.subject = subject;
ev.cert_fail.reason = reason;
ev.cert_fail.reason_txt = reason_txt;
cert_buf = wpabuf_alloc_copy(cert->cert_start,
cert->cert_len);
ev.cert_fail.cert = cert_buf;
conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
wpabuf_free(cert_buf);
}
static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len, list_len, cert_len, idx;
u8 type;
struct x509_certificate *chain = NULL, *last = NULL, *cert;
int reason;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
"(len=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
return tls_process_server_key_exchange(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
return tls_process_certificate_request(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
return tls_process_server_hello_done(conn, ct, in_data,
in_len);
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected Certificate/"
"ServerKeyExchange/CertificateRequest/"
"ServerHelloDone)", type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG,
"TLSv1: Received Certificate (certificate_list len %lu)",
(unsigned long) len);
/*
* opaque ASN.1Cert<2^24-1>;
*
* struct {
* ASN.1Cert certificate_list<1..2^24-1>;
* } Certificate;
*/
end = pos + len;
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
"(left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
list_len = WPA_GET_BE24(pos);
pos += 3;
if ((size_t) (end - pos) != list_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
"length (len=%lu left=%lu)",
(unsigned long) list_len,
(unsigned long) (end - pos));
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
idx = 0;
while (pos < end) {
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"certificate_list");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
x509_certificate_chain_free(chain);
return -1;
}
cert_len = WPA_GET_BE24(pos);
pos += 3;
if ((size_t) (end - pos) < cert_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
"length (len=%lu left=%lu)",
(unsigned long) cert_len,
(unsigned long) (end - pos));
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
x509_certificate_chain_free(chain);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
(unsigned long) idx, (unsigned long) cert_len);
if (idx == 0) {
crypto_public_key_free(conn->server_rsa_key);
if (tls_parse_cert(pos, cert_len,
&conn->server_rsa_key)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"the certificate");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
}
cert = x509_certificate_parse(pos, cert_len);
if (cert == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"the certificate");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
tls_peer_cert_event(conn, idx, cert);
if (last == NULL)
chain = cert;
else
last->next = cert;
last = cert;
idx++;
pos += cert_len;
}
if (conn->cred && conn->cred->server_cert_only && chain) {
u8 hash[SHA256_MAC_LEN];
char buf[128];
wpa_printf(MSG_DEBUG,
"TLSv1: Validate server certificate hash");
x509_name_string(&chain->subject, buf, sizeof(buf));
wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
hash) < 0 ||
os_memcmp(conn->cred->srv_cert_hash, hash,
SHA256_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG,
"TLSv1: Server certificate hash mismatch");
wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
hash, SHA256_MAC_LEN);
if (conn->event_cb) {
union tls_event_data ev;
os_memset(&ev, 0, sizeof(ev));
ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
ev.cert_fail.reason_txt =
"Server certificate mismatch";
ev.cert_fail.subject = buf;
conn->event_cb(conn->cb_ctx,
TLS_CERT_CHAIN_FAILURE, &ev);
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
} else if (conn->cred && conn->cred->cert_probe) {
wpa_printf(MSG_DEBUG,
"TLSv1: Reject server certificate on probe-only run");
if (conn->event_cb) {
union tls_event_data ev;
char buf[128];
os_memset(&ev, 0, sizeof(ev));
ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
ev.cert_fail.reason_txt =
"Server certificate chain probe";
if (chain) {
x509_name_string(&chain->subject, buf,
sizeof(buf));
ev.cert_fail.subject = buf;
}
conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
&ev);
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
} else if (conn->cred && conn->cred->ca_cert_verify &&
x509_certificate_chain_validate(
conn->cred->trusted_certs, chain, &reason,
!!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
< 0) {
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
switch (reason) {
case X509_VALIDATE_BAD_CERTIFICATE:
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
"bad certificate");
break;
case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
break;
case X509_VALIDATE_CERTIFICATE_REVOKED:
tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_REVOKED,
"certificate revoked");
break;
case X509_VALIDATE_CERTIFICATE_EXPIRED:
tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_EXPIRED,
"certificate has expired or is not yet valid");
break;
case X509_VALIDATE_CERTIFICATE_UNKNOWN:
tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
break;
case X509_VALIDATE_UNKNOWN_CA:
tls_reason = TLS_ALERT_UNKNOWN_CA;
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_UNTRUSTED,
"unknown CA");
break;
default:
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
break;
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
x509_certificate_chain_free(chain);
return -1;
}
if (conn->cred && !conn->cred->server_cert_only && chain &&
(chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
!(chain->ext_key_usage &
(X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
"certificate not allowed for server authentication");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
if (conn->flags & TLS_CONN_REQUEST_OCSP) {
x509_certificate_chain_free(conn->server_cert);
conn->server_cert = chain;
} else {
x509_certificate_chain_free(chain);
}
*in_len = end - in_data;
conn->state = SERVER_KEY_EXCHANGE;
return 0;
}
static unsigned int count_bits(const u8 *val, size_t len)
{
size_t i;
unsigned int bits;
u8 tmp;
for (i = 0; i < len; i++) {
if (val[i])
break;
}
if (i == len)
return 0;
bits = (len - i - 1) * 8;
tmp = val[i];
while (tmp) {
bits++;
tmp >>= 1;
}
return bits;
}
static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
const u8 *buf, size_t len,
tls_key_exchange key_exchange)
{
const u8 *pos, *end, *server_params, *server_params_end;
u8 alert;
unsigned int bits;
u16 val;
tlsv1_client_free_dh(conn);
pos = buf;
end = buf + len;
if (end - pos < 3)
goto fail;
server_params = pos;
val = WPA_GET_BE16(pos);
pos += 2;
if (val == 0 || val > (size_t) (end - pos)) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
goto fail;
}
conn->dh_p_len = val;
bits = count_bits(pos, conn->dh_p_len);
if (bits < 768) {
wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
bits);
wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
pos, conn->dh_p_len);
goto fail;
}
conn->dh_p = os_memdup(pos, conn->dh_p_len);
if (conn->dh_p == NULL)
goto fail;
pos += conn->dh_p_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
conn->dh_p, conn->dh_p_len);
if (end - pos < 3)
goto fail;
val = WPA_GET_BE16(pos);
pos += 2;
if (val == 0 || val > (size_t) (end - pos))
goto fail;
conn->dh_g_len = val;
conn->dh_g = os_memdup(pos, conn->dh_g_len);
if (conn->dh_g == NULL)
goto fail;
pos += conn->dh_g_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
conn->dh_g, conn->dh_g_len);
if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
goto fail;
if (end - pos < 3)
goto fail;
val = WPA_GET_BE16(pos);
pos += 2;
if (val == 0 || val > (size_t) (end - pos))
goto fail;
conn->dh_ys_len = val;
conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
if (conn->dh_ys == NULL)
goto fail;
pos += conn->dh_ys_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
conn->dh_ys, conn->dh_ys_len);
server_params_end = pos;
if (key_exchange == TLS_KEY_X_DHE_RSA) {
u8 hash[64];
int hlen;
if (conn->rl.tls_version == TLS_VERSION_1_2) {
#ifdef CONFIG_TLSV12
/*
* RFC 5246, 4.7:
* TLS v1.2 adds explicit indication of the used
* signature and hash algorithms.
*
* struct {
* HashAlgorithm hash;
* SignatureAlgorithm signature;
* } SignatureAndHashAlgorithm;
*/
if (end - pos < 2)
goto fail;
if ((pos[0] != TLS_HASH_ALG_SHA256 &&
pos[0] != TLS_HASH_ALG_SHA384 &&
pos[0] != TLS_HASH_ALG_SHA512) ||
pos[1] != TLS_SIGN_ALG_RSA) {
wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
pos[0], pos[1]);
goto fail;
}
hlen = tlsv12_key_x_server_params_hash(
conn->rl.tls_version, pos[0],
conn->client_random,
conn->server_random, server_params,
server_params_end - server_params, hash);
pos += 2;
#else /* CONFIG_TLSV12 */
goto fail;
#endif /* CONFIG_TLSV12 */
} else {
hlen = tls_key_x_server_params_hash(
conn->rl.tls_version, conn->client_random,
conn->server_random, server_params,
server_params_end - server_params, hash,
sizeof(hash));
}
if (hlen < 0)
goto fail;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
hash, hlen);
if (tls_verify_signature(conn->rl.tls_version,
conn->server_rsa_key,
hash, hlen, pos, end - pos,
&alert) < 0)
goto fail;
}
return 0;
fail:
wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
tlsv1_client_free_dh(conn);
return -1;
}
static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
const u8 *pos, size_t len)
{
const u8 *end = pos + len;
u32 ocsp_resp_len;
/* opaque OCSPResponse<1..2^24-1>; */
if (end - pos < 3) {
wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return TLS_OCSP_INVALID;
}
ocsp_resp_len = WPA_GET_BE24(pos);
pos += 3;
if (end - pos < ocsp_resp_len) {
wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return TLS_OCSP_INVALID;
}
return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
}
static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type, status_type;
enum tls_ocsp_result res;
struct x509_certificate *cert;
int depth;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG,
"TLSv1: Expected Handshake; received content type 0x%x",
ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG,
"TLSv1: Too short CertificateStatus (left=%lu)",
(unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG,
"TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
wpa_printf(MSG_DEBUG,
"TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
/*
* struct {
* CertificateStatusType status_type;
* select (status_type) {
* case ocsp: OCSPResponse;
* case ocsp_multi: OCSPResponseList;
* } response;
* } CertificateStatus;
*/
if (end - pos < 1) {
wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
status_type = *pos++;
wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
status_type);
if (status_type == 1 /* ocsp */) {
res = tls_process_certificate_status_ocsp_response(
conn, pos, end - pos);
} else if (status_type == 2 /* ocsp_multi */) {
int good = 0, revoked = 0;
u32 resp_len;
res = TLS_OCSP_NO_RESPONSE;
/*
* opaque OCSPResponse<0..2^24-1>;
*
* struct {
* OCSPResponse ocsp_response_list<1..2^24-1>;
* } OCSPResponseList;
*/
if (end - pos < 3) {
wpa_printf(MSG_DEBUG,
"TLSv1: Truncated OCSPResponseList");
res = TLS_OCSP_INVALID;
goto done;
}
resp_len = WPA_GET_BE24(pos);
pos += 3;
if (end - pos < resp_len) {
wpa_printf(MSG_DEBUG,
"TLSv1: Truncated OCSPResponseList(len=%u)",
resp_len);
res = TLS_OCSP_INVALID;
goto done;
}
end = pos + resp_len;
while (end - pos >= 3) {
resp_len = WPA_GET_BE24(pos);
pos += 3;
if (resp_len > end - pos) {
wpa_printf(MSG_DEBUG,
"TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
resp_len, (int) (end - pos));
res = TLS_OCSP_INVALID;
break;
}
if (!resp_len)
continue; /* Skip an empty response */
res = tls_process_certificate_status_ocsp_response(
conn, pos - 3, resp_len + 3);
if (res == TLS_OCSP_REVOKED)
revoked++;
else if (res == TLS_OCSP_GOOD)
good++;
pos += resp_len;
}
if (revoked)
res = TLS_OCSP_REVOKED;
else if (good)
res = TLS_OCSP_GOOD;
} else {
wpa_printf(MSG_DEBUG,
"TLSv1: Ignore unsupported CertificateStatus");
goto skip;
}
done:
if (res == TLS_OCSP_REVOKED) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_CERTIFICATE_REVOKED);
for (cert = conn->server_cert, depth = 0; cert;
cert = cert->next, depth++) {
if (cert->ocsp_revoked) {
tls_cert_chain_failure_event(
conn, depth, cert, TLS_FAIL_REVOKED,
"certificate revoked");
}
}
return -1;
}
if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
/*
* Verify that each certificate on the chain that is not part
* of the trusted certificates has a good status. If not,
* terminate handshake.
*/
for (cert = conn->server_cert, depth = 0; cert;
cert = cert->next, depth++) {
if (!cert->ocsp_good) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
tls_cert_chain_failure_event(
conn, depth, cert,
TLS_FAIL_UNSPECIFIED,
"bad certificate status response");
return -1;
}
if (cert->issuer_trusted)
break;
}
}
if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
if (conn->server_cert)
tls_cert_chain_failure_event(
conn, 0, conn->server_cert,
TLS_FAIL_UNSPECIFIED,
"bad certificate status response");
return -1;
}
conn->ocsp_resp_received = 1;
skip:
*in_len = end - in_data;
conn->state = SERVER_KEY_EXCHANGE;
return 0;
}
static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type;
const struct tls_cipher_suite *suite;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
"(Left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
return tls_process_certificate_status(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
return tls_process_certificate_request(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
return tls_process_server_hello_done(conn, ct, in_data,
in_len);
if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ServerKeyExchange/"
"CertificateRequest/ServerHelloDone%s)", type,
(conn->flags & TLS_CONN_REQUEST_OCSP) ?
"/CertificateStatus" : "");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
"with the selected cipher suite");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
suite = tls_get_cipher_suite(conn->rl.cipher_suite);
if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
if (tlsv1_process_diffie_hellman(conn, pos, len,
suite->key_exchange) < 0) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
} else {
wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
*in_len = end - in_data;
conn->state = SERVER_CERTIFICATE_REQUEST;
return 0;
}
static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
"(left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
return tls_process_server_hello_done(conn, ct, in_data,
in_len);
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected CertificateRequest/"
"ServerHelloDone)", type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
conn->certificate_requested = 1;
*in_len = end - in_data;
conn->state = SERVER_HELLO_DONE;
return 0;
}
static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
"(left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ServerHelloDone)", type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
!conn->ocsp_resp_received) {
wpa_printf(MSG_INFO,
"TLSv1: No OCSP response received - reject handshake");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
return -1;
}
*in_len = end - in_data;
conn->state = CLIENT_KEY_EXCHANGE;
return 0;
}
static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
u8 ct, const u8 *in_data,
size_t *in_len)
{
const u8 *pos;
size_t left;
if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
"received content type 0x%x", ct);
if (conn->use_session_ticket) {
int res;
wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
"rejected SessionTicket");
conn->use_session_ticket = 0;
/* Notify upper layers that SessionTicket failed */
res = conn->session_ticket_cb(
conn->session_ticket_cb_ctx, NULL, 0, NULL,
NULL, NULL);
if (res < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
"callback indicated failure");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_HANDSHAKE_FAILURE);
return -1;
}
conn->state = SERVER_CERTIFICATE;
return tls_process_certificate(conn, ct, in_data,
in_len);
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 1) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
if (*pos != TLS_CHANGE_CIPHER_SPEC) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
"received data 0x%x", *pos);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
"for record layer");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
*in_len = pos + 1 - in_data;
conn->state = SERVER_FINISHED;
return 0;
}
static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len, hlen;
u8 verify_data[TLS_VERIFY_DATA_LEN];
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
"Finished",
(unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
"type 0x%x", pos[0]);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
len = WPA_GET_BE24(pos + 1);
pos += 4;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
"(len=%lu > left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (len != TLS_VERIFY_DATA_LEN) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
"in Finished: %lu (expected %d)",
(unsigned long) len, TLS_VERIFY_DATA_LEN);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
pos, TLS_VERIFY_DATA_LEN);
#ifdef CONFIG_TLSV12
if (conn->rl.tls_version >= TLS_VERSION_1_2) {
hlen = SHA256_MAC_LEN;
if (conn->verify.sha256_server == NULL ||
crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
< 0) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.sha256_server = NULL;
return -1;
}
conn->verify.sha256_server = NULL;
} else {
#endif /* CONFIG_TLSV12 */
hlen = MD5_MAC_LEN;
if (conn->verify.md5_server == NULL ||
crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.md5_server = NULL;
crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
conn->verify.sha1_server = NULL;
return -1;
}
conn->verify.md5_server = NULL;
hlen = SHA1_MAC_LEN;
if (conn->verify.sha1_server == NULL ||
crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
&hlen) < 0) {
conn->verify.sha1_server = NULL;
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->verify.sha1_server = NULL;
hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
#ifdef CONFIG_TLSV12
}
#endif /* CONFIG_TLSV12 */
if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
"server finished", hash, hlen,
verify_data, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
verify_data, TLS_VERIFY_DATA_LEN);
if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
*in_len = end - in_data;
conn->state = (conn->session_resumed || conn->use_session_ticket) ?
CHANGE_CIPHER_SPEC : ACK_FINISHED;
return 0;
}
static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len,
u8 **out_data, size_t *out_len)
{
const u8 *pos;
size_t left;
if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
pos, left);
*out_data = os_malloc(left);
if (*out_data) {
os_memcpy(*out_data, pos, left);
*out_len = left;
}
return 0;
}
int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
const u8 *buf, size_t *len,
u8 **out_data, size_t *out_len)
{
if (ct == TLS_CONTENT_TYPE_ALERT) {
if (*len < 2) {
wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
buf[0], buf[1]);
*len = 2;
conn->state = FAILED;
return -1;
}
if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
size_t hr_len = WPA_GET_BE24(buf + 1);
if (hr_len > *len - 4) {
wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
*len = 4 + hr_len;
return 0;
}
switch (conn->state) {
case SERVER_HELLO:
if (tls_process_server_hello(conn, ct, buf, len))
return -1;
break;
case SERVER_CERTIFICATE:
if (tls_process_certificate(conn, ct, buf, len))
return -1;
break;
case SERVER_KEY_EXCHANGE:
if (tls_process_server_key_exchange(conn, ct, buf, len))
return -1;
break;
case SERVER_CERTIFICATE_REQUEST:
if (tls_process_certificate_request(conn, ct, buf, len))
return -1;
break;
case SERVER_HELLO_DONE:
if (tls_process_server_hello_done(conn, ct, buf, len))
return -1;
break;
case SERVER_CHANGE_CIPHER_SPEC:
if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
return -1;
break;
case SERVER_FINISHED:
if (tls_process_server_finished(conn, ct, buf, len))
return -1;
break;
case ACK_FINISHED:
if (out_data &&
tls_process_application_data(conn, ct, buf, len, out_data,
out_len))
return -1;
break;
default:
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
"while processing received message",
conn->state);
return -1;
}
if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
tls_verify_hash_add(&conn->verify, buf, *len);
return 0;
}