2
* TLSv1 server - read handshake message
3
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
9
* Alternatively, this software may be distributed under the terms of BSD
12
* See README and COPYING for more details.
22
#include "tlsv1_common.h"
23
#include "tlsv1_record.h"
24
#include "tlsv1_server.h"
25
#include "tlsv1_server_i.h"
28
static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29
const u8 *in_data, size_t *in_len);
30
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31
u8 ct, const u8 *in_data,
35
static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36
const u8 *in_data, size_t *in_len)
38
const u8 *pos, *end, *c;
39
size_t left, len, i, j;
44
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
45
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
46
"received content type 0x%x", ct);
47
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
48
TLS_ALERT_UNEXPECTED_MESSAGE);
58
/* HandshakeType msg_type */
59
if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
60
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
61
"message %d (expected ClientHello)", *pos);
62
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
63
TLS_ALERT_UNEXPECTED_MESSAGE);
66
wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
69
len = WPA_GET_BE24(pos);
76
/* body - ClientHello */
78
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
81
/* ProtocolVersion client_version */
84
conn->client_version = WPA_GET_BE16(pos);
85
wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
86
conn->client_version >> 8, conn->client_version & 0xff);
87
if (conn->client_version < TLS_VERSION) {
88
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
90
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
91
TLS_ALERT_PROTOCOL_VERSION);
97
if (end - pos < TLS_RANDOM_LEN)
100
os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
101
pos += TLS_RANDOM_LEN;
102
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
103
conn->client_random, TLS_RANDOM_LEN);
105
/* SessionID session_id */
108
if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
110
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
112
/* TODO: add support for session resumption */
114
/* CipherSuite cipher_suites<2..2^16-1> */
117
num_suites = WPA_GET_BE16(pos);
119
if (end - pos < num_suites)
121
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
128
for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
130
for (j = 0; j < num_suites; j++) {
131
u16 tmp = WPA_GET_BE16(c);
133
if (!cipher_suite && tmp == conn->cipher_suites[i]) {
139
pos += num_suites * 2;
141
wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
143
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
144
TLS_ALERT_ILLEGAL_PARAMETER);
148
if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
149
wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
151
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
152
TLS_ALERT_INTERNAL_ERROR);
156
conn->cipher_suite = cipher_suite;
158
/* CompressionMethod compression_methods<1..2^8-1> */
162
if (end - pos < num_suites)
164
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
166
compr_null_found = 0;
167
for (i = 0; i < num_suites; i++) {
168
if (*pos++ == TLS_COMPRESSION_NULL)
169
compr_null_found = 1;
171
if (!compr_null_found) {
172
wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
174
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
175
TLS_ALERT_ILLEGAL_PARAMETER);
179
if (end - pos == 1) {
180
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
181
"end of ClientHello: 0x%02x", *pos);
185
if (end - pos >= 2) {
188
/* Extension client_hello_extension_list<0..2^16-1> */
190
ext_len = WPA_GET_BE16(pos);
193
wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
194
"extensions", ext_len);
195
if (end - pos != ext_len) {
196
wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
197
"extension list length %u (expected %u)",
204
* ExtensionType extension_type (0..65535)
205
* opaque extension_data<0..2^16-1>
210
u16 ext_type, ext_len;
213
wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
214
"extension_type field");
218
ext_type = WPA_GET_BE16(pos);
222
wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
223
"extension_data length field");
227
ext_len = WPA_GET_BE16(pos);
230
if (end - pos < ext_len) {
231
wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
232
"extension_data field");
236
wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
237
"type %u", ext_type);
238
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
239
"Extension data", pos, ext_len);
241
if (ext_type == TLS_EXT_SESSION_TICKET) {
242
os_free(conn->session_ticket);
243
conn->session_ticket = os_malloc(ext_len);
244
if (conn->session_ticket) {
245
os_memcpy(conn->session_ticket, pos,
247
conn->session_ticket_len = ext_len;
255
*in_len = end - in_data;
257
wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
259
conn->state = SERVER_HELLO;
264
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
265
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
266
TLS_ALERT_DECODE_ERROR);
271
static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
272
const u8 *in_data, size_t *in_len)
275
size_t left, len, list_len, cert_len, idx;
277
struct x509_certificate *chain = NULL, *last = NULL, *cert;
280
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
281
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
282
"received content type 0x%x", ct);
283
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
284
TLS_ALERT_UNEXPECTED_MESSAGE);
292
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
293
"(len=%lu)", (unsigned long) left);
294
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
295
TLS_ALERT_DECODE_ERROR);
300
len = WPA_GET_BE24(pos);
305
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
306
"length (len=%lu != left=%lu)",
307
(unsigned long) len, (unsigned long) left);
308
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
309
TLS_ALERT_DECODE_ERROR);
313
if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
314
if (conn->verify_peer) {
315
wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
317
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
318
TLS_ALERT_UNEXPECTED_MESSAGE);
322
return tls_process_client_key_exchange(conn, ct, in_data,
325
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
326
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
327
"message %d (expected Certificate/"
328
"ClientKeyExchange)", type);
329
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
330
TLS_ALERT_UNEXPECTED_MESSAGE);
334
wpa_printf(MSG_DEBUG,
335
"TLSv1: Received Certificate (certificate_list len %lu)",
336
(unsigned long) len);
339
* opaque ASN.1Cert<2^24-1>;
342
* ASN.1Cert certificate_list<1..2^24-1>;
349
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
350
"(left=%lu)", (unsigned long) left);
351
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
352
TLS_ALERT_DECODE_ERROR);
356
list_len = WPA_GET_BE24(pos);
359
if ((size_t) (end - pos) != list_len) {
360
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
361
"length (len=%lu left=%lu)",
362
(unsigned long) list_len,
363
(unsigned long) (end - pos));
364
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
365
TLS_ALERT_DECODE_ERROR);
372
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
374
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
375
TLS_ALERT_DECODE_ERROR);
376
x509_certificate_chain_free(chain);
380
cert_len = WPA_GET_BE24(pos);
383
if ((size_t) (end - pos) < cert_len) {
384
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
385
"length (len=%lu left=%lu)",
386
(unsigned long) cert_len,
387
(unsigned long) (end - pos));
388
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
389
TLS_ALERT_DECODE_ERROR);
390
x509_certificate_chain_free(chain);
394
wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
395
(unsigned long) idx, (unsigned long) cert_len);
398
crypto_public_key_free(conn->client_rsa_key);
399
if (tls_parse_cert(pos, cert_len,
400
&conn->client_rsa_key)) {
401
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
403
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
404
TLS_ALERT_BAD_CERTIFICATE);
405
x509_certificate_chain_free(chain);
410
cert = x509_certificate_parse(pos, cert_len);
412
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
414
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
415
TLS_ALERT_BAD_CERTIFICATE);
416
x509_certificate_chain_free(chain);
430
if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
433
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
434
"validation failed (reason=%d)", reason);
436
case X509_VALIDATE_BAD_CERTIFICATE:
437
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
439
case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
440
tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
442
case X509_VALIDATE_CERTIFICATE_REVOKED:
443
tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
445
case X509_VALIDATE_CERTIFICATE_EXPIRED:
446
tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
448
case X509_VALIDATE_CERTIFICATE_UNKNOWN:
449
tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
451
case X509_VALIDATE_UNKNOWN_CA:
452
tls_reason = TLS_ALERT_UNKNOWN_CA;
455
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
458
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
459
x509_certificate_chain_free(chain);
463
x509_certificate_chain_free(chain);
465
*in_len = end - in_data;
467
conn->state = CLIENT_KEY_EXCHANGE;
473
static int tls_process_client_key_exchange_rsa(
474
struct tlsv1_server *conn, const u8 *pos, const u8 *end)
477
size_t outlen, outbuflen;
483
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
484
TLS_ALERT_DECODE_ERROR);
488
encr_len = WPA_GET_BE16(pos);
491
outbuflen = outlen = end - pos;
492
out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
493
outlen : TLS_PRE_MASTER_SECRET_LEN);
495
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
496
TLS_ALERT_INTERNAL_ERROR);
502
* ProtocolVersion client_version;
507
* public-key-encrypted PreMasterSecret pre_master_secret;
508
* } EncryptedPreMasterSecret;
512
* Note: To avoid Bleichenbacher attack, we do not report decryption or
513
* parsing errors from EncryptedPreMasterSecret processing to the
514
* client. Instead, a random pre-master secret is used to force the
518
if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
521
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
522
"PreMasterSecret (encr_len=%d outlen=%lu)",
523
end - pos, (unsigned long) outlen);
527
if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
528
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
529
"length %lu", (unsigned long) outlen);
533
if (WPA_GET_BE16(out) != conn->client_version) {
534
wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
535
"ClientKeyExchange does not match with version in "
541
wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
542
"to avoid revealing information about private key");
543
outlen = TLS_PRE_MASTER_SECRET_LEN;
544
if (os_get_random(out, outlen)) {
545
wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
547
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
548
TLS_ALERT_INTERNAL_ERROR);
554
res = tlsv1_server_derive_keys(conn, out, outlen);
556
/* Clear the pre-master secret since it is not needed anymore */
557
os_memset(out, 0, outbuflen);
561
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
562
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
563
TLS_ALERT_INTERNAL_ERROR);
571
static int tls_process_client_key_exchange_dh_anon(
572
struct tlsv1_server *conn, const u8 *pos, const u8 *end)
583
* select (PublicValueEncoding) {
584
* case implicit: struct { };
585
* case explicit: opaque dh_Yc<1..2^16-1>;
587
* } ClientDiffieHellmanPublic;
590
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
594
wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
596
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
597
TLS_ALERT_INTERNAL_ERROR);
602
wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
604
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
605
TLS_ALERT_DECODE_ERROR);
609
dh_yc_len = WPA_GET_BE16(pos);
612
if (dh_yc + dh_yc_len > end) {
613
wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
614
"(length %d)", dh_yc_len);
615
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
616
TLS_ALERT_DECODE_ERROR);
620
wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
623
if (conn->cred == NULL || conn->cred->dh_p == NULL ||
624
conn->dh_secret == NULL) {
625
wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
626
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
627
TLS_ALERT_INTERNAL_ERROR);
631
shared_len = conn->cred->dh_p_len;
632
shared = os_malloc(shared_len);
633
if (shared == NULL) {
634
wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
636
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
637
TLS_ALERT_INTERNAL_ERROR);
641
/* shared = Yc^secret mod p */
642
if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
644
conn->cred->dh_p, conn->cred->dh_p_len,
645
shared, &shared_len)) {
647
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
648
TLS_ALERT_INTERNAL_ERROR);
651
wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
654
os_memset(conn->dh_secret, 0, conn->dh_secret_len);
655
os_free(conn->dh_secret);
656
conn->dh_secret = NULL;
658
res = tlsv1_server_derive_keys(conn, shared, shared_len);
660
/* Clear the pre-master secret since it is not needed anymore */
661
os_memset(shared, 0, shared_len);
665
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
666
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
667
TLS_ALERT_INTERNAL_ERROR);
674
#endif /* EAP_FAST */
678
static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
679
const u8 *in_data, size_t *in_len)
684
tls_key_exchange keyx;
685
const struct tls_cipher_suite *suite;
687
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
688
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
689
"received content type 0x%x", ct);
690
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
691
TLS_ALERT_UNEXPECTED_MESSAGE);
699
wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
700
"(Left=%lu)", (unsigned long) left);
701
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
702
TLS_ALERT_DECODE_ERROR);
707
len = WPA_GET_BE24(pos);
712
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
713
"length (len=%lu != left=%lu)",
714
(unsigned long) len, (unsigned long) left);
715
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
716
TLS_ALERT_DECODE_ERROR);
722
if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
723
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
724
"message %d (expected ClientKeyExchange)", type);
725
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
726
TLS_ALERT_UNEXPECTED_MESSAGE);
730
wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
732
wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
734
suite = tls_get_cipher_suite(conn->rl.cipher_suite);
736
keyx = TLS_KEY_X_NULL;
738
keyx = suite->key_exchange;
740
if (keyx == TLS_KEY_X_DH_anon &&
741
tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
744
if (keyx != TLS_KEY_X_DH_anon &&
745
tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
748
*in_len = end - in_data;
750
conn->state = CERTIFICATE_VERIFY;
756
static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
757
const u8 *in_data, size_t *in_len)
763
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
764
enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
767
if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
768
if (conn->verify_peer) {
769
wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
770
"CertificateVerify");
771
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
772
TLS_ALERT_UNEXPECTED_MESSAGE);
776
return tls_process_change_cipher_spec(conn, ct, in_data,
780
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
781
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
782
"received content type 0x%x", ct);
783
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
784
TLS_ALERT_UNEXPECTED_MESSAGE);
792
wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
793
"message (len=%lu)", (unsigned long) left);
794
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
795
TLS_ALERT_DECODE_ERROR);
800
len = WPA_GET_BE24(pos);
805
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
806
"message length (len=%lu != left=%lu)",
807
(unsigned long) len, (unsigned long) left);
808
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
809
TLS_ALERT_DECODE_ERROR);
815
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
816
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
817
"message %d (expected CertificateVerify)", type);
818
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
819
TLS_ALERT_UNEXPECTED_MESSAGE);
823
wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
827
* Signature signature;
828
* } CertificateVerify;
833
if (alg == SIGN_ALG_RSA) {
835
if (conn->verify.md5_cert == NULL ||
836
crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
838
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
839
TLS_ALERT_INTERNAL_ERROR);
840
conn->verify.md5_cert = NULL;
841
crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
842
conn->verify.sha1_cert = NULL;
847
crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
849
conn->verify.md5_cert = NULL;
851
if (conn->verify.sha1_cert == NULL ||
852
crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
853
conn->verify.sha1_cert = NULL;
854
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
855
TLS_ALERT_INTERNAL_ERROR);
858
conn->verify.sha1_cert = NULL;
860
if (alg == SIGN_ALG_RSA)
863
wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
866
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
867
TLS_ALERT_DECODE_ERROR);
870
slen = WPA_GET_BE16(pos);
872
if (end - pos < slen) {
873
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
874
TLS_ALERT_DECODE_ERROR);
878
wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
879
if (conn->client_rsa_key == NULL) {
880
wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
882
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
883
TLS_ALERT_INTERNAL_ERROR);
888
buf = os_malloc(end - pos);
889
if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
890
pos, end - pos, buf, &buflen) < 0)
892
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
894
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
895
TLS_ALERT_DECRYPT_ERROR);
899
wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
902
if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
903
wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
904
"CertificateVerify - did not match with calculated "
907
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
908
TLS_ALERT_DECRYPT_ERROR);
914
*in_len = end - in_data;
916
conn->state = CHANGE_CIPHER_SPEC;
922
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
923
u8 ct, const u8 *in_data,
929
if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
930
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
931
"received content type 0x%x", ct);
932
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
933
TLS_ALERT_UNEXPECTED_MESSAGE);
941
wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
942
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
943
TLS_ALERT_DECODE_ERROR);
947
if (*pos != TLS_CHANGE_CIPHER_SPEC) {
948
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
949
"received data 0x%x", *pos);
950
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
951
TLS_ALERT_UNEXPECTED_MESSAGE);
955
wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
956
if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
957
wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
959
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
960
TLS_ALERT_INTERNAL_ERROR);
964
*in_len = pos + 1 - in_data;
966
conn->state = CLIENT_FINISHED;
972
static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
973
const u8 *in_data, size_t *in_len)
976
size_t left, len, hlen;
977
u8 verify_data[TLS_VERIFY_DATA_LEN];
978
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
980
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
981
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
982
"received content type 0x%x", ct);
983
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
984
TLS_ALERT_UNEXPECTED_MESSAGE);
992
wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
994
(unsigned long) left);
995
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
996
TLS_ALERT_DECODE_ERROR);
1000
if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1001
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1002
"type 0x%x", pos[0]);
1003
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1004
TLS_ALERT_UNEXPECTED_MESSAGE);
1008
len = WPA_GET_BE24(pos + 1);
1014
wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1015
"(len=%lu > left=%lu)",
1016
(unsigned long) len, (unsigned long) left);
1017
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1018
TLS_ALERT_DECODE_ERROR);
1022
if (len != TLS_VERIFY_DATA_LEN) {
1023
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1024
"in Finished: %lu (expected %d)",
1025
(unsigned long) len, TLS_VERIFY_DATA_LEN);
1026
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1027
TLS_ALERT_DECODE_ERROR);
1030
wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1031
pos, TLS_VERIFY_DATA_LEN);
1034
if (conn->verify.md5_client == NULL ||
1035
crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1036
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1037
TLS_ALERT_INTERNAL_ERROR);
1038
conn->verify.md5_client = NULL;
1039
crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1040
conn->verify.sha1_client = NULL;
1043
conn->verify.md5_client = NULL;
1044
hlen = SHA1_MAC_LEN;
1045
if (conn->verify.sha1_client == NULL ||
1046
crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1048
conn->verify.sha1_client = NULL;
1049
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1050
TLS_ALERT_INTERNAL_ERROR);
1053
conn->verify.sha1_client = NULL;
1055
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1056
"client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1057
verify_data, TLS_VERIFY_DATA_LEN)) {
1058
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1059
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1060
TLS_ALERT_DECRYPT_ERROR);
1063
wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1064
verify_data, TLS_VERIFY_DATA_LEN);
1066
if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1067
wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1071
wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1073
*in_len = end - in_data;
1075
if (conn->use_session_ticket) {
1076
/* Abbreviated handshake using session ticket; RFC 4507 */
1077
wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1079
conn->state = ESTABLISHED;
1081
/* Full handshake */
1082
conn->state = SERVER_CHANGE_CIPHER_SPEC;
1089
int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1090
const u8 *buf, size_t *len)
1092
if (ct == TLS_CONTENT_TYPE_ALERT) {
1094
wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1095
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1096
TLS_ALERT_DECODE_ERROR);
1099
wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1102
conn->state = FAILED;
1106
switch (conn->state) {
1108
if (tls_process_client_hello(conn, ct, buf, len))
1111
case CLIENT_CERTIFICATE:
1112
if (tls_process_certificate(conn, ct, buf, len))
1115
case CLIENT_KEY_EXCHANGE:
1116
if (tls_process_client_key_exchange(conn, ct, buf, len))
1119
case CERTIFICATE_VERIFY:
1120
if (tls_process_certificate_verify(conn, ct, buf, len))
1123
case CHANGE_CIPHER_SPEC:
1124
if (tls_process_change_cipher_spec(conn, ct, buf, len))
1127
case CLIENT_FINISHED:
1128
if (tls_process_client_finished(conn, ct, buf, len))
1132
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1133
"while processing received message",
1138
if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1139
tls_verify_hash_add(&conn->verify, buf, *len);