2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29 const u8 *in_data, size_t *in_len);
30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31 u8 ct, const u8 *in_data,
35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36 const u8 *in_data, size_t *in_len)
38 const u8 *pos, *end, *c;
39 size_t left, len, i, j;
43 u16 ext_type, ext_len;
45 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
46 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
47 "received content type 0x%x", ct);
48 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
49 TLS_ALERT_UNEXPECTED_MESSAGE);
59 /* HandshakeType msg_type */
60 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
61 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
62 "message %d (expected ClientHello)", *pos);
63 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
64 TLS_ALERT_UNEXPECTED_MESSAGE);
67 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
70 len = WPA_GET_BE24(pos);
77 /* body - ClientHello */
79 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
82 /* ProtocolVersion client_version */
85 conn->client_version = WPA_GET_BE16(pos);
86 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
87 conn->client_version >> 8, conn->client_version & 0xff);
88 if (conn->client_version < TLS_VERSION_1) {
89 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
91 conn->client_version >> 8,
92 conn->client_version & 0xff);
93 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
94 TLS_ALERT_PROTOCOL_VERSION);
99 if (TLS_VERSION == TLS_VERSION_1)
100 conn->rl.tls_version = TLS_VERSION_1;
101 else if (conn->client_version > TLS_VERSION_1_1)
102 conn->rl.tls_version = TLS_VERSION_1_1;
104 conn->rl.tls_version = conn->client_version;
105 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
106 conn->rl.tls_version == TLS_VERSION_1_1 ? "1.1" : "1.0");
109 if (end - pos < TLS_RANDOM_LEN)
112 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
113 pos += TLS_RANDOM_LEN;
114 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
115 conn->client_random, TLS_RANDOM_LEN);
117 /* SessionID session_id */
120 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
124 /* TODO: add support for session resumption */
126 /* CipherSuite cipher_suites<2..2^16-1> */
129 num_suites = WPA_GET_BE16(pos);
131 if (end - pos < num_suites)
133 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
140 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
142 for (j = 0; j < num_suites; j++) {
143 u16 tmp = WPA_GET_BE16(c);
145 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
151 pos += num_suites * 2;
153 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
155 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
156 TLS_ALERT_ILLEGAL_PARAMETER);
160 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
161 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
163 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
164 TLS_ALERT_INTERNAL_ERROR);
168 conn->cipher_suite = cipher_suite;
170 /* CompressionMethod compression_methods<1..2^8-1> */
174 if (end - pos < num_suites)
176 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
178 compr_null_found = 0;
179 for (i = 0; i < num_suites; i++) {
180 if (*pos++ == TLS_COMPRESSION_NULL)
181 compr_null_found = 1;
183 if (!compr_null_found) {
184 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
186 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
187 TLS_ALERT_ILLEGAL_PARAMETER);
191 if (end - pos == 1) {
192 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
193 "end of ClientHello: 0x%02x", *pos);
197 if (end - pos >= 2) {
198 /* Extension client_hello_extension_list<0..2^16-1> */
199 ext_len = WPA_GET_BE16(pos);
202 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
203 "extensions", ext_len);
204 if (end - pos != ext_len) {
205 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
206 "extension list length %u (expected %u)",
207 ext_len, (unsigned int) (end - pos));
213 * ExtensionType extension_type (0..65535)
214 * opaque extension_data<0..2^16-1>
220 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
221 "extension_type field");
225 ext_type = WPA_GET_BE16(pos);
229 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
230 "extension_data length field");
234 ext_len = WPA_GET_BE16(pos);
237 if (end - pos < ext_len) {
238 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
239 "extension_data field");
243 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
244 "type %u", ext_type);
245 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
246 "Extension data", pos, ext_len);
248 if (ext_type == TLS_EXT_SESSION_TICKET) {
249 os_free(conn->session_ticket);
250 conn->session_ticket = os_malloc(ext_len);
251 if (conn->session_ticket) {
252 os_memcpy(conn->session_ticket, pos,
254 conn->session_ticket_len = ext_len;
262 *in_len = end - in_data;
264 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
266 conn->state = SERVER_HELLO;
271 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
272 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
273 TLS_ALERT_DECODE_ERROR);
278 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
279 const u8 *in_data, size_t *in_len)
282 size_t left, len, list_len, cert_len, idx;
284 struct x509_certificate *chain = NULL, *last = NULL, *cert;
287 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
289 "received content type 0x%x", ct);
290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 TLS_ALERT_UNEXPECTED_MESSAGE);
299 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
300 "(len=%lu)", (unsigned long) left);
301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
302 TLS_ALERT_DECODE_ERROR);
307 len = WPA_GET_BE24(pos);
312 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
313 "length (len=%lu != left=%lu)",
314 (unsigned long) len, (unsigned long) left);
315 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
316 TLS_ALERT_DECODE_ERROR);
320 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
321 if (conn->verify_peer) {
322 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
324 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
325 TLS_ALERT_UNEXPECTED_MESSAGE);
329 return tls_process_client_key_exchange(conn, ct, in_data,
332 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
333 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
334 "message %d (expected Certificate/"
335 "ClientKeyExchange)", type);
336 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
337 TLS_ALERT_UNEXPECTED_MESSAGE);
341 wpa_printf(MSG_DEBUG,
342 "TLSv1: Received Certificate (certificate_list len %lu)",
343 (unsigned long) len);
346 * opaque ASN.1Cert<2^24-1>;
349 * ASN.1Cert certificate_list<1..2^24-1>;
356 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
357 "(left=%lu)", (unsigned long) left);
358 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 TLS_ALERT_DECODE_ERROR);
363 list_len = WPA_GET_BE24(pos);
366 if ((size_t) (end - pos) != list_len) {
367 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
368 "length (len=%lu left=%lu)",
369 (unsigned long) list_len,
370 (unsigned long) (end - pos));
371 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
372 TLS_ALERT_DECODE_ERROR);
379 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
381 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
382 TLS_ALERT_DECODE_ERROR);
383 x509_certificate_chain_free(chain);
387 cert_len = WPA_GET_BE24(pos);
390 if ((size_t) (end - pos) < cert_len) {
391 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
392 "length (len=%lu left=%lu)",
393 (unsigned long) cert_len,
394 (unsigned long) (end - pos));
395 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
396 TLS_ALERT_DECODE_ERROR);
397 x509_certificate_chain_free(chain);
401 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
402 (unsigned long) idx, (unsigned long) cert_len);
405 crypto_public_key_free(conn->client_rsa_key);
406 if (tls_parse_cert(pos, cert_len,
407 &conn->client_rsa_key)) {
408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411 TLS_ALERT_BAD_CERTIFICATE);
412 x509_certificate_chain_free(chain);
417 cert = x509_certificate_parse(pos, cert_len);
419 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
421 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
422 TLS_ALERT_BAD_CERTIFICATE);
423 x509_certificate_chain_free(chain);
437 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
440 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
441 "validation failed (reason=%d)", reason);
443 case X509_VALIDATE_BAD_CERTIFICATE:
444 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
446 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
447 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
449 case X509_VALIDATE_CERTIFICATE_REVOKED:
450 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
452 case X509_VALIDATE_CERTIFICATE_EXPIRED:
453 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
455 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
456 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
458 case X509_VALIDATE_UNKNOWN_CA:
459 tls_reason = TLS_ALERT_UNKNOWN_CA;
462 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
465 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
466 x509_certificate_chain_free(chain);
470 x509_certificate_chain_free(chain);
472 *in_len = end - in_data;
474 conn->state = CLIENT_KEY_EXCHANGE;
480 static int tls_process_client_key_exchange_rsa(
481 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
484 size_t outlen, outbuflen;
490 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
491 TLS_ALERT_DECODE_ERROR);
495 encr_len = WPA_GET_BE16(pos);
497 if (pos + encr_len > end) {
498 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
499 "format: encr_len=%u left=%u",
500 encr_len, (unsigned int) (end - pos));
501 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
502 TLS_ALERT_DECODE_ERROR);
506 outbuflen = outlen = end - pos;
507 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
508 outlen : TLS_PRE_MASTER_SECRET_LEN);
510 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
511 TLS_ALERT_INTERNAL_ERROR);
517 * ProtocolVersion client_version;
522 * public-key-encrypted PreMasterSecret pre_master_secret;
523 * } EncryptedPreMasterSecret;
527 * Note: To avoid Bleichenbacher attack, we do not report decryption or
528 * parsing errors from EncryptedPreMasterSecret processing to the
529 * client. Instead, a random pre-master secret is used to force the
533 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
536 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
537 "PreMasterSecret (encr_len=%u outlen=%lu)",
538 encr_len, (unsigned long) outlen);
542 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
543 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
544 "length %lu", (unsigned long) outlen);
548 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
549 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
550 "ClientKeyExchange does not match with version in "
556 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
557 "to avoid revealing information about private key");
558 outlen = TLS_PRE_MASTER_SECRET_LEN;
559 if (os_get_random(out, outlen)) {
560 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
562 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
563 TLS_ALERT_INTERNAL_ERROR);
569 res = tlsv1_server_derive_keys(conn, out, outlen);
571 /* Clear the pre-master secret since it is not needed anymore */
572 os_memset(out, 0, outbuflen);
576 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
577 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
578 TLS_ALERT_INTERNAL_ERROR);
586 static int tls_process_client_key_exchange_dh_anon(
587 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
597 * select (PublicValueEncoding) {
598 * case implicit: struct { };
599 * case explicit: opaque dh_Yc<1..2^16-1>;
601 * } ClientDiffieHellmanPublic;
604 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
608 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
610 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
611 TLS_ALERT_INTERNAL_ERROR);
616 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
618 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
619 TLS_ALERT_DECODE_ERROR);
623 dh_yc_len = WPA_GET_BE16(pos);
626 if (dh_yc + dh_yc_len > end) {
627 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
628 "(length %d)", dh_yc_len);
629 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
630 TLS_ALERT_DECODE_ERROR);
634 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
637 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
638 conn->dh_secret == NULL) {
639 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
640 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
641 TLS_ALERT_INTERNAL_ERROR);
645 shared_len = conn->cred->dh_p_len;
646 shared = os_malloc(shared_len);
647 if (shared == NULL) {
648 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
650 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
651 TLS_ALERT_INTERNAL_ERROR);
655 /* shared = Yc^secret mod p */
656 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
658 conn->cred->dh_p, conn->cred->dh_p_len,
659 shared, &shared_len)) {
661 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
662 TLS_ALERT_INTERNAL_ERROR);
665 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
668 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
669 os_free(conn->dh_secret);
670 conn->dh_secret = NULL;
672 res = tlsv1_server_derive_keys(conn, shared, shared_len);
674 /* Clear the pre-master secret since it is not needed anymore */
675 os_memset(shared, 0, shared_len);
679 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
680 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
681 TLS_ALERT_INTERNAL_ERROR);
689 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
690 const u8 *in_data, size_t *in_len)
695 tls_key_exchange keyx;
696 const struct tls_cipher_suite *suite;
698 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
699 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
700 "received content type 0x%x", ct);
701 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
702 TLS_ALERT_UNEXPECTED_MESSAGE);
710 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
711 "(Left=%lu)", (unsigned long) left);
712 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
713 TLS_ALERT_DECODE_ERROR);
718 len = WPA_GET_BE24(pos);
723 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
724 "length (len=%lu != left=%lu)",
725 (unsigned long) len, (unsigned long) left);
726 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
727 TLS_ALERT_DECODE_ERROR);
733 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
734 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
735 "message %d (expected ClientKeyExchange)", type);
736 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
737 TLS_ALERT_UNEXPECTED_MESSAGE);
741 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
743 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
745 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
747 keyx = TLS_KEY_X_NULL;
749 keyx = suite->key_exchange;
751 if (keyx == TLS_KEY_X_DH_anon &&
752 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
755 if (keyx != TLS_KEY_X_DH_anon &&
756 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
759 *in_len = end - in_data;
761 conn->state = CERTIFICATE_VERIFY;
767 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
768 const u8 *in_data, size_t *in_len)
774 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
775 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
778 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
779 if (conn->verify_peer) {
780 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
781 "CertificateVerify");
782 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
783 TLS_ALERT_UNEXPECTED_MESSAGE);
787 return tls_process_change_cipher_spec(conn, ct, in_data,
791 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
792 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
793 "received content type 0x%x", ct);
794 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
795 TLS_ALERT_UNEXPECTED_MESSAGE);
803 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
804 "message (len=%lu)", (unsigned long) left);
805 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
806 TLS_ALERT_DECODE_ERROR);
811 len = WPA_GET_BE24(pos);
816 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
817 "message length (len=%lu != left=%lu)",
818 (unsigned long) len, (unsigned long) left);
819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820 TLS_ALERT_DECODE_ERROR);
826 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
827 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
828 "message %d (expected CertificateVerify)", type);
829 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
830 TLS_ALERT_UNEXPECTED_MESSAGE);
834 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
838 * Signature signature;
839 * } CertificateVerify;
844 if (alg == SIGN_ALG_RSA) {
846 if (conn->verify.md5_cert == NULL ||
847 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
849 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
850 TLS_ALERT_INTERNAL_ERROR);
851 conn->verify.md5_cert = NULL;
852 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
853 conn->verify.sha1_cert = NULL;
858 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
860 conn->verify.md5_cert = NULL;
862 if (conn->verify.sha1_cert == NULL ||
863 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
864 conn->verify.sha1_cert = NULL;
865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
866 TLS_ALERT_INTERNAL_ERROR);
869 conn->verify.sha1_cert = NULL;
871 if (alg == SIGN_ALG_RSA)
874 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
877 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
878 TLS_ALERT_DECODE_ERROR);
881 slen = WPA_GET_BE16(pos);
883 if (end - pos < slen) {
884 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
885 TLS_ALERT_DECODE_ERROR);
889 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
890 if (conn->client_rsa_key == NULL) {
891 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
893 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
894 TLS_ALERT_INTERNAL_ERROR);
899 buf = os_malloc(end - pos);
900 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
901 pos, end - pos, buf, &buflen) < 0)
903 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
905 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
906 TLS_ALERT_DECRYPT_ERROR);
910 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
913 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
914 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
915 "CertificateVerify - did not match with calculated "
918 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
919 TLS_ALERT_DECRYPT_ERROR);
925 *in_len = end - in_data;
927 conn->state = CHANGE_CIPHER_SPEC;
933 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
934 u8 ct, const u8 *in_data,
940 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
941 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
942 "received content type 0x%x", ct);
943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944 TLS_ALERT_UNEXPECTED_MESSAGE);
952 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
953 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
954 TLS_ALERT_DECODE_ERROR);
958 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
959 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
960 "received data 0x%x", *pos);
961 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
962 TLS_ALERT_UNEXPECTED_MESSAGE);
966 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
967 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
968 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
970 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
971 TLS_ALERT_INTERNAL_ERROR);
975 *in_len = pos + 1 - in_data;
977 conn->state = CLIENT_FINISHED;
983 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
984 const u8 *in_data, size_t *in_len)
987 size_t left, len, hlen;
988 u8 verify_data[TLS_VERIFY_DATA_LEN];
989 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
991 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
992 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
993 "received content type 0x%x", ct);
994 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
995 TLS_ALERT_UNEXPECTED_MESSAGE);
1003 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1005 (unsigned long) left);
1006 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1007 TLS_ALERT_DECODE_ERROR);
1011 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1012 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1013 "type 0x%x", pos[0]);
1014 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1015 TLS_ALERT_UNEXPECTED_MESSAGE);
1019 len = WPA_GET_BE24(pos + 1);
1025 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1026 "(len=%lu > left=%lu)",
1027 (unsigned long) len, (unsigned long) left);
1028 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1029 TLS_ALERT_DECODE_ERROR);
1033 if (len != TLS_VERIFY_DATA_LEN) {
1034 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1035 "in Finished: %lu (expected %d)",
1036 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1037 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038 TLS_ALERT_DECODE_ERROR);
1041 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1042 pos, TLS_VERIFY_DATA_LEN);
1045 if (conn->verify.md5_client == NULL ||
1046 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1047 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1048 TLS_ALERT_INTERNAL_ERROR);
1049 conn->verify.md5_client = NULL;
1050 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1051 conn->verify.sha1_client = NULL;
1054 conn->verify.md5_client = NULL;
1055 hlen = SHA1_MAC_LEN;
1056 if (conn->verify.sha1_client == NULL ||
1057 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1059 conn->verify.sha1_client = NULL;
1060 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1061 TLS_ALERT_INTERNAL_ERROR);
1064 conn->verify.sha1_client = NULL;
1066 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1067 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1068 verify_data, TLS_VERIFY_DATA_LEN)) {
1069 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1070 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1071 TLS_ALERT_DECRYPT_ERROR);
1074 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1075 verify_data, TLS_VERIFY_DATA_LEN);
1077 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1078 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1082 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1084 *in_len = end - in_data;
1086 if (conn->use_session_ticket) {
1087 /* Abbreviated handshake using session ticket; RFC 4507 */
1088 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1090 conn->state = ESTABLISHED;
1092 /* Full handshake */
1093 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1100 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1101 const u8 *buf, size_t *len)
1103 if (ct == TLS_CONTENT_TYPE_ALERT) {
1105 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1106 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1107 TLS_ALERT_DECODE_ERROR);
1110 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1113 conn->state = FAILED;
1117 switch (conn->state) {
1119 if (tls_process_client_hello(conn, ct, buf, len))
1122 case CLIENT_CERTIFICATE:
1123 if (tls_process_certificate(conn, ct, buf, len))
1126 case CLIENT_KEY_EXCHANGE:
1127 if (tls_process_client_key_exchange(conn, ct, buf, len))
1130 case CERTIFICATE_VERIFY:
1131 if (tls_process_certificate_verify(conn, ct, buf, len))
1134 case CHANGE_CIPHER_SPEC:
1135 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1138 case CLIENT_FINISHED:
1139 if (tls_process_client_finished(conn, ct, buf, len))
1143 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1144 "while processing received message",
1149 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1150 tls_verify_hash_add(&conn->verify, buf, *len);