2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29 const u8 *in_data, size_t *in_len);
30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31 u8 ct, const u8 *in_data,
35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36 const u8 *in_data, size_t *in_len)
38 const u8 *pos, *end, *c;
39 size_t left, len, i, j;
43 u16 ext_type, ext_len;
45 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
46 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
47 "received content type 0x%x", ct);
48 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
49 TLS_ALERT_UNEXPECTED_MESSAGE);
59 /* HandshakeType msg_type */
60 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
61 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
62 "message %d (expected ClientHello)", *pos);
63 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
64 TLS_ALERT_UNEXPECTED_MESSAGE);
67 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
70 len = WPA_GET_BE24(pos);
77 /* body - ClientHello */
79 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
82 /* ProtocolVersion client_version */
85 conn->client_version = WPA_GET_BE16(pos);
86 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
87 conn->client_version >> 8, conn->client_version & 0xff);
88 if (conn->client_version < TLS_VERSION) {
89 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
91 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
92 TLS_ALERT_PROTOCOL_VERSION);
98 if (end - pos < TLS_RANDOM_LEN)
101 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
102 pos += TLS_RANDOM_LEN;
103 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
104 conn->client_random, TLS_RANDOM_LEN);
106 /* SessionID session_id */
109 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
111 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
113 /* TODO: add support for session resumption */
115 /* CipherSuite cipher_suites<2..2^16-1> */
118 num_suites = WPA_GET_BE16(pos);
120 if (end - pos < num_suites)
122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
129 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
131 for (j = 0; j < num_suites; j++) {
132 u16 tmp = WPA_GET_BE16(c);
134 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
140 pos += num_suites * 2;
142 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
144 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
145 TLS_ALERT_ILLEGAL_PARAMETER);
149 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
150 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 TLS_ALERT_INTERNAL_ERROR);
157 conn->cipher_suite = cipher_suite;
159 /* CompressionMethod compression_methods<1..2^8-1> */
163 if (end - pos < num_suites)
165 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
167 compr_null_found = 0;
168 for (i = 0; i < num_suites; i++) {
169 if (*pos++ == TLS_COMPRESSION_NULL)
170 compr_null_found = 1;
172 if (!compr_null_found) {
173 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
175 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
176 TLS_ALERT_ILLEGAL_PARAMETER);
180 if (end - pos == 1) {
181 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
182 "end of ClientHello: 0x%02x", *pos);
186 if (end - pos >= 2) {
187 /* Extension client_hello_extension_list<0..2^16-1> */
188 ext_len = WPA_GET_BE16(pos);
191 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
192 "extensions", ext_len);
193 if (end - pos != ext_len) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
195 "extension list length %u (expected %u)",
196 ext_len, (unsigned int) (end - pos));
202 * ExtensionType extension_type (0..65535)
203 * opaque extension_data<0..2^16-1>
209 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
210 "extension_type field");
214 ext_type = WPA_GET_BE16(pos);
218 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
219 "extension_data length field");
223 ext_len = WPA_GET_BE16(pos);
226 if (end - pos < ext_len) {
227 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
228 "extension_data field");
232 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
233 "type %u", ext_type);
234 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
235 "Extension data", pos, ext_len);
237 if (ext_type == TLS_EXT_SESSION_TICKET) {
238 os_free(conn->session_ticket);
239 conn->session_ticket = os_malloc(ext_len);
240 if (conn->session_ticket) {
241 os_memcpy(conn->session_ticket, pos,
243 conn->session_ticket_len = ext_len;
251 *in_len = end - in_data;
253 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
255 conn->state = SERVER_HELLO;
260 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
261 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
262 TLS_ALERT_DECODE_ERROR);
267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
268 const u8 *in_data, size_t *in_len)
271 size_t left, len, list_len, cert_len, idx;
273 struct x509_certificate *chain = NULL, *last = NULL, *cert;
276 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
277 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
278 "received content type 0x%x", ct);
279 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
280 TLS_ALERT_UNEXPECTED_MESSAGE);
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
289 "(len=%lu)", (unsigned long) left);
290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 TLS_ALERT_DECODE_ERROR);
296 len = WPA_GET_BE24(pos);
301 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
302 "length (len=%lu != left=%lu)",
303 (unsigned long) len, (unsigned long) left);
304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 TLS_ALERT_DECODE_ERROR);
309 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
310 if (conn->verify_peer) {
311 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
313 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
314 TLS_ALERT_UNEXPECTED_MESSAGE);
318 return tls_process_client_key_exchange(conn, ct, in_data,
321 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
322 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
323 "message %d (expected Certificate/"
324 "ClientKeyExchange)", type);
325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_UNEXPECTED_MESSAGE);
330 wpa_printf(MSG_DEBUG,
331 "TLSv1: Received Certificate (certificate_list len %lu)",
332 (unsigned long) len);
335 * opaque ASN.1Cert<2^24-1>;
338 * ASN.1Cert certificate_list<1..2^24-1>;
345 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
346 "(left=%lu)", (unsigned long) left);
347 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
348 TLS_ALERT_DECODE_ERROR);
352 list_len = WPA_GET_BE24(pos);
355 if ((size_t) (end - pos) != list_len) {
356 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
357 "length (len=%lu left=%lu)",
358 (unsigned long) list_len,
359 (unsigned long) (end - pos));
360 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
361 TLS_ALERT_DECODE_ERROR);
368 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 TLS_ALERT_DECODE_ERROR);
372 x509_certificate_chain_free(chain);
376 cert_len = WPA_GET_BE24(pos);
379 if ((size_t) (end - pos) < cert_len) {
380 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
381 "length (len=%lu left=%lu)",
382 (unsigned long) cert_len,
383 (unsigned long) (end - pos));
384 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
385 TLS_ALERT_DECODE_ERROR);
386 x509_certificate_chain_free(chain);
390 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
391 (unsigned long) idx, (unsigned long) cert_len);
394 crypto_public_key_free(conn->client_rsa_key);
395 if (tls_parse_cert(pos, cert_len,
396 &conn->client_rsa_key)) {
397 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
399 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
400 TLS_ALERT_BAD_CERTIFICATE);
401 x509_certificate_chain_free(chain);
406 cert = x509_certificate_parse(pos, cert_len);
408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411 TLS_ALERT_BAD_CERTIFICATE);
412 x509_certificate_chain_free(chain);
426 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
429 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
430 "validation failed (reason=%d)", reason);
432 case X509_VALIDATE_BAD_CERTIFICATE:
433 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
435 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
436 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
438 case X509_VALIDATE_CERTIFICATE_REVOKED:
439 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
441 case X509_VALIDATE_CERTIFICATE_EXPIRED:
442 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
444 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
445 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
447 case X509_VALIDATE_UNKNOWN_CA:
448 tls_reason = TLS_ALERT_UNKNOWN_CA;
451 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
454 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
455 x509_certificate_chain_free(chain);
459 x509_certificate_chain_free(chain);
461 *in_len = end - in_data;
463 conn->state = CLIENT_KEY_EXCHANGE;
469 static int tls_process_client_key_exchange_rsa(
470 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
473 size_t outlen, outbuflen;
479 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
480 TLS_ALERT_DECODE_ERROR);
484 encr_len = WPA_GET_BE16(pos);
487 outbuflen = outlen = end - pos;
488 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
489 outlen : TLS_PRE_MASTER_SECRET_LEN);
491 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 TLS_ALERT_INTERNAL_ERROR);
498 * ProtocolVersion client_version;
503 * public-key-encrypted PreMasterSecret pre_master_secret;
504 * } EncryptedPreMasterSecret;
508 * Note: To avoid Bleichenbacher attack, we do not report decryption or
509 * parsing errors from EncryptedPreMasterSecret processing to the
510 * client. Instead, a random pre-master secret is used to force the
514 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
517 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
518 "PreMasterSecret (encr_len=%d outlen=%lu)",
519 (int) (end - pos), (unsigned long) outlen);
523 if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
524 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
525 "length %lu", (unsigned long) outlen);
529 if (WPA_GET_BE16(out) != conn->client_version) {
530 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
531 "ClientKeyExchange does not match with version in "
537 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
538 "to avoid revealing information about private key");
539 outlen = TLS_PRE_MASTER_SECRET_LEN;
540 if (os_get_random(out, outlen)) {
541 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
543 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
544 TLS_ALERT_INTERNAL_ERROR);
550 res = tlsv1_server_derive_keys(conn, out, outlen);
552 /* Clear the pre-master secret since it is not needed anymore */
553 os_memset(out, 0, outbuflen);
557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559 TLS_ALERT_INTERNAL_ERROR);
567 static int tls_process_client_key_exchange_dh_anon(
568 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
578 * select (PublicValueEncoding) {
579 * case implicit: struct { };
580 * case explicit: opaque dh_Yc<1..2^16-1>;
582 * } ClientDiffieHellmanPublic;
585 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
589 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
591 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
592 TLS_ALERT_INTERNAL_ERROR);
597 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
599 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
600 TLS_ALERT_DECODE_ERROR);
604 dh_yc_len = WPA_GET_BE16(pos);
607 if (dh_yc + dh_yc_len > end) {
608 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
609 "(length %d)", dh_yc_len);
610 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
611 TLS_ALERT_DECODE_ERROR);
615 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
618 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
619 conn->dh_secret == NULL) {
620 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
621 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 TLS_ALERT_INTERNAL_ERROR);
626 shared_len = conn->cred->dh_p_len;
627 shared = os_malloc(shared_len);
628 if (shared == NULL) {
629 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
631 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
632 TLS_ALERT_INTERNAL_ERROR);
636 /* shared = Yc^secret mod p */
637 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
639 conn->cred->dh_p, conn->cred->dh_p_len,
640 shared, &shared_len)) {
642 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
643 TLS_ALERT_INTERNAL_ERROR);
646 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
649 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
650 os_free(conn->dh_secret);
651 conn->dh_secret = NULL;
653 res = tlsv1_server_derive_keys(conn, shared, shared_len);
655 /* Clear the pre-master secret since it is not needed anymore */
656 os_memset(shared, 0, shared_len);
660 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
661 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
662 TLS_ALERT_INTERNAL_ERROR);
670 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
671 const u8 *in_data, size_t *in_len)
676 tls_key_exchange keyx;
677 const struct tls_cipher_suite *suite;
679 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
680 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
681 "received content type 0x%x", ct);
682 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
683 TLS_ALERT_UNEXPECTED_MESSAGE);
691 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
692 "(Left=%lu)", (unsigned long) left);
693 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
694 TLS_ALERT_DECODE_ERROR);
699 len = WPA_GET_BE24(pos);
704 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
705 "length (len=%lu != left=%lu)",
706 (unsigned long) len, (unsigned long) left);
707 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
708 TLS_ALERT_DECODE_ERROR);
714 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
715 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
716 "message %d (expected ClientKeyExchange)", type);
717 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
718 TLS_ALERT_UNEXPECTED_MESSAGE);
722 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
724 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
726 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
728 keyx = TLS_KEY_X_NULL;
730 keyx = suite->key_exchange;
732 if (keyx == TLS_KEY_X_DH_anon &&
733 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
736 if (keyx != TLS_KEY_X_DH_anon &&
737 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
740 *in_len = end - in_data;
742 conn->state = CERTIFICATE_VERIFY;
748 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
749 const u8 *in_data, size_t *in_len)
755 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
756 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
759 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
760 if (conn->verify_peer) {
761 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
762 "CertificateVerify");
763 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
764 TLS_ALERT_UNEXPECTED_MESSAGE);
768 return tls_process_change_cipher_spec(conn, ct, in_data,
772 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
773 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
774 "received content type 0x%x", ct);
775 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
776 TLS_ALERT_UNEXPECTED_MESSAGE);
784 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
785 "message (len=%lu)", (unsigned long) left);
786 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
787 TLS_ALERT_DECODE_ERROR);
792 len = WPA_GET_BE24(pos);
797 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
798 "message length (len=%lu != left=%lu)",
799 (unsigned long) len, (unsigned long) left);
800 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
801 TLS_ALERT_DECODE_ERROR);
807 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
808 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
809 "message %d (expected CertificateVerify)", type);
810 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
811 TLS_ALERT_UNEXPECTED_MESSAGE);
815 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
819 * Signature signature;
820 * } CertificateVerify;
825 if (alg == SIGN_ALG_RSA) {
827 if (conn->verify.md5_cert == NULL ||
828 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831 TLS_ALERT_INTERNAL_ERROR);
832 conn->verify.md5_cert = NULL;
833 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
834 conn->verify.sha1_cert = NULL;
839 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
841 conn->verify.md5_cert = NULL;
843 if (conn->verify.sha1_cert == NULL ||
844 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
845 conn->verify.sha1_cert = NULL;
846 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
847 TLS_ALERT_INTERNAL_ERROR);
850 conn->verify.sha1_cert = NULL;
852 if (alg == SIGN_ALG_RSA)
855 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
858 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
859 TLS_ALERT_DECODE_ERROR);
862 slen = WPA_GET_BE16(pos);
864 if (end - pos < slen) {
865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
866 TLS_ALERT_DECODE_ERROR);
870 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
871 if (conn->client_rsa_key == NULL) {
872 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
874 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
875 TLS_ALERT_INTERNAL_ERROR);
880 buf = os_malloc(end - pos);
881 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
882 pos, end - pos, buf, &buflen) < 0)
884 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
886 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
887 TLS_ALERT_DECRYPT_ERROR);
891 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
894 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
895 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
896 "CertificateVerify - did not match with calculated "
899 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
900 TLS_ALERT_DECRYPT_ERROR);
906 *in_len = end - in_data;
908 conn->state = CHANGE_CIPHER_SPEC;
914 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
915 u8 ct, const u8 *in_data,
921 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
922 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
923 "received content type 0x%x", ct);
924 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
925 TLS_ALERT_UNEXPECTED_MESSAGE);
933 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
934 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
935 TLS_ALERT_DECODE_ERROR);
939 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
940 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
941 "received data 0x%x", *pos);
942 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
943 TLS_ALERT_UNEXPECTED_MESSAGE);
947 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
948 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
949 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
951 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
952 TLS_ALERT_INTERNAL_ERROR);
956 *in_len = pos + 1 - in_data;
958 conn->state = CLIENT_FINISHED;
964 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
965 const u8 *in_data, size_t *in_len)
968 size_t left, len, hlen;
969 u8 verify_data[TLS_VERIFY_DATA_LEN];
970 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
972 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
973 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
974 "received content type 0x%x", ct);
975 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
976 TLS_ALERT_UNEXPECTED_MESSAGE);
984 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
986 (unsigned long) left);
987 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
988 TLS_ALERT_DECODE_ERROR);
992 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
993 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
994 "type 0x%x", pos[0]);
995 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
996 TLS_ALERT_UNEXPECTED_MESSAGE);
1000 len = WPA_GET_BE24(pos + 1);
1006 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1007 "(len=%lu > left=%lu)",
1008 (unsigned long) len, (unsigned long) left);
1009 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1010 TLS_ALERT_DECODE_ERROR);
1014 if (len != TLS_VERIFY_DATA_LEN) {
1015 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1016 "in Finished: %lu (expected %d)",
1017 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1018 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1019 TLS_ALERT_DECODE_ERROR);
1022 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1023 pos, TLS_VERIFY_DATA_LEN);
1026 if (conn->verify.md5_client == NULL ||
1027 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1028 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1029 TLS_ALERT_INTERNAL_ERROR);
1030 conn->verify.md5_client = NULL;
1031 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1032 conn->verify.sha1_client = NULL;
1035 conn->verify.md5_client = NULL;
1036 hlen = SHA1_MAC_LEN;
1037 if (conn->verify.sha1_client == NULL ||
1038 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1040 conn->verify.sha1_client = NULL;
1041 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1042 TLS_ALERT_INTERNAL_ERROR);
1045 conn->verify.sha1_client = NULL;
1047 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1048 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1049 verify_data, TLS_VERIFY_DATA_LEN)) {
1050 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1051 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1052 TLS_ALERT_DECRYPT_ERROR);
1055 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1056 verify_data, TLS_VERIFY_DATA_LEN);
1058 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1059 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1063 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1065 *in_len = end - in_data;
1067 if (conn->use_session_ticket) {
1068 /* Abbreviated handshake using session ticket; RFC 4507 */
1069 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1071 conn->state = ESTABLISHED;
1073 /* Full handshake */
1074 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1081 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1082 const u8 *buf, size_t *len)
1084 if (ct == TLS_CONTENT_TYPE_ALERT) {
1086 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1087 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1088 TLS_ALERT_DECODE_ERROR);
1091 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1094 conn->state = FAILED;
1098 switch (conn->state) {
1100 if (tls_process_client_hello(conn, ct, buf, len))
1103 case CLIENT_CERTIFICATE:
1104 if (tls_process_certificate(conn, ct, buf, len))
1107 case CLIENT_KEY_EXCHANGE:
1108 if (tls_process_client_key_exchange(conn, ct, buf, len))
1111 case CERTIFICATE_VERIFY:
1112 if (tls_process_certificate_verify(conn, ct, buf, len))
1115 case CHANGE_CIPHER_SPEC:
1116 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1119 case CLIENT_FINISHED:
1120 if (tls_process_client_finished(conn, ct, buf, len))
1124 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1125 "while processing received message",
1130 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1131 tls_verify_hash_add(&conn->verify, buf, *len);