2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
28 static int tls_process_client_key_exchange(struct tlsv1_server
*conn
, u8 ct
,
29 const u8
*in_data
, size_t *in_len
);
30 static int tls_process_change_cipher_spec(struct tlsv1_server
*conn
,
31 u8 ct
, const u8
*in_data
,
35 static int tls_process_client_hello(struct tlsv1_server
*conn
, u8 ct
,
36 const u8
*in_data
, size_t *in_len
)
38 const u8
*pos
, *end
, *c
;
39 size_t left
, len
, i
, j
;
43 u16 ext_type
, ext_len
;
45 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
46 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
47 "received content type 0x%x", ct
);
48 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
49 TLS_ALERT_UNEXPECTED_MESSAGE
);
59 /* HandshakeType msg_type */
60 if (*pos
!= TLS_HANDSHAKE_TYPE_CLIENT_HELLO
) {
61 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
62 "message %d (expected ClientHello)", *pos
);
63 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
64 TLS_ALERT_UNEXPECTED_MESSAGE
);
67 wpa_printf(MSG_DEBUG
, "TLSv1: Received ClientHello");
70 len
= WPA_GET_BE24(pos
);
77 /* body - ClientHello */
79 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ClientHello", pos
, len
);
82 /* ProtocolVersion client_version */
85 conn
->client_version
= WPA_GET_BE16(pos
);
86 wpa_printf(MSG_DEBUG
, "TLSv1: Client version %d.%d",
87 conn
->client_version
>> 8, conn
->client_version
& 0xff);
88 if (conn
->client_version
< TLS_VERSION
) {
89 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected protocol version in "
91 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
92 TLS_ALERT_PROTOCOL_VERSION
);
98 if (end
- pos
< TLS_RANDOM_LEN
)
101 os_memcpy(conn
->client_random
, pos
, TLS_RANDOM_LEN
);
102 pos
+= TLS_RANDOM_LEN
;
103 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: client_random",
104 conn
->client_random
, TLS_RANDOM_LEN
);
106 /* SessionID session_id */
109 if (end
- pos
< 1 + *pos
|| *pos
> TLS_SESSION_ID_MAX_LEN
)
111 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: client session_id", pos
+ 1, *pos
);
113 /* TODO: add support for session resumption */
115 /* CipherSuite cipher_suites<2..2^16-1> */
118 num_suites
= WPA_GET_BE16(pos
);
120 if (end
- pos
< num_suites
)
122 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: client cipher suites",
129 for (i
= 0; !cipher_suite
&& i
< conn
->num_cipher_suites
; i
++) {
131 for (j
= 0; j
< num_suites
; j
++) {
132 u16 tmp
= WPA_GET_BE16(c
);
134 if (!cipher_suite
&& tmp
== conn
->cipher_suites
[i
]) {
140 pos
+= num_suites
* 2;
142 wpa_printf(MSG_INFO
, "TLSv1: No supported cipher suite "
144 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
145 TLS_ALERT_ILLEGAL_PARAMETER
);
149 if (tlsv1_record_set_cipher_suite(&conn
->rl
, cipher_suite
) < 0) {
150 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to set CipherSuite for "
152 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
153 TLS_ALERT_INTERNAL_ERROR
);
157 conn
->cipher_suite
= cipher_suite
;
159 /* CompressionMethod compression_methods<1..2^8-1> */
163 if (end
- pos
< num_suites
)
165 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: client compression_methods",
167 compr_null_found
= 0;
168 for (i
= 0; i
< num_suites
; i
++) {
169 if (*pos
++ == TLS_COMPRESSION_NULL
)
170 compr_null_found
= 1;
172 if (!compr_null_found
) {
173 wpa_printf(MSG_INFO
, "TLSv1: Client does not accept NULL "
175 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
176 TLS_ALERT_ILLEGAL_PARAMETER
);
180 if (end
- pos
== 1) {
181 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected extra octet in the "
182 "end of ClientHello: 0x%02x", *pos
);
186 if (end
- pos
>= 2) {
187 /* Extension client_hello_extension_list<0..2^16-1> */
188 ext_len
= WPA_GET_BE16(pos
);
191 wpa_printf(MSG_DEBUG
, "TLSv1: %u bytes of ClientHello "
192 "extensions", ext_len
);
193 if (end
- pos
!= ext_len
) {
194 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid ClientHello "
195 "extension list length %u (expected %u)",
196 ext_len
, (unsigned int) (end
- pos
));
202 * ExtensionType extension_type (0..65535)
203 * opaque extension_data<0..2^16-1>
209 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid "
210 "extension_type field");
214 ext_type
= WPA_GET_BE16(pos
);
218 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid "
219 "extension_data length field");
223 ext_len
= WPA_GET_BE16(pos
);
226 if (end
- pos
< ext_len
) {
227 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid "
228 "extension_data field");
232 wpa_printf(MSG_DEBUG
, "TLSv1: ClientHello Extension "
233 "type %u", ext_type
);
234 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ClientHello "
235 "Extension data", pos
, ext_len
);
237 if (ext_type
== TLS_EXT_SESSION_TICKET
) {
238 os_free(conn
->session_ticket
);
239 conn
->session_ticket
= os_malloc(ext_len
);
240 if (conn
->session_ticket
) {
241 os_memcpy(conn
->session_ticket
, pos
,
243 conn
->session_ticket_len
= ext_len
;
251 *in_len
= end
- in_data
;
253 wpa_printf(MSG_DEBUG
, "TLSv1: ClientHello OK - proceed to "
255 conn
->state
= SERVER_HELLO
;
260 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to decode ClientHello");
261 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
262 TLS_ALERT_DECODE_ERROR
);
267 static int tls_process_certificate(struct tlsv1_server
*conn
, u8 ct
,
268 const u8
*in_data
, size_t *in_len
)
271 size_t left
, len
, list_len
, cert_len
, idx
;
273 struct x509_certificate
*chain
= NULL
, *last
= NULL
, *cert
;
276 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
277 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
278 "received content type 0x%x", ct
);
279 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
280 TLS_ALERT_UNEXPECTED_MESSAGE
);
288 wpa_printf(MSG_DEBUG
, "TLSv1: Too short Certificate message "
289 "(len=%lu)", (unsigned long) left
);
290 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
291 TLS_ALERT_DECODE_ERROR
);
296 len
= WPA_GET_BE24(pos
);
301 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected Certificate message "
302 "length (len=%lu != left=%lu)",
303 (unsigned long) len
, (unsigned long) left
);
304 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
305 TLS_ALERT_DECODE_ERROR
);
309 if (type
== TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE
) {
310 if (conn
->verify_peer
) {
311 wpa_printf(MSG_DEBUG
, "TLSv1: Client did not include "
313 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
314 TLS_ALERT_UNEXPECTED_MESSAGE
);
318 return tls_process_client_key_exchange(conn
, ct
, in_data
,
321 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE
) {
322 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
323 "message %d (expected Certificate/"
324 "ClientKeyExchange)", type
);
325 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
326 TLS_ALERT_UNEXPECTED_MESSAGE
);
330 wpa_printf(MSG_DEBUG
,
331 "TLSv1: Received Certificate (certificate_list len %lu)",
332 (unsigned long) len
);
335 * opaque ASN.1Cert<2^24-1>;
338 * ASN.1Cert certificate_list<1..2^24-1>;
345 wpa_printf(MSG_DEBUG
, "TLSv1: Too short Certificate "
346 "(left=%lu)", (unsigned long) left
);
347 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
348 TLS_ALERT_DECODE_ERROR
);
352 list_len
= WPA_GET_BE24(pos
);
355 if ((size_t) (end
- pos
) != list_len
) {
356 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected certificate_list "
357 "length (len=%lu left=%lu)",
358 (unsigned long) list_len
,
359 (unsigned long) (end
- pos
));
360 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
361 TLS_ALERT_DECODE_ERROR
);
368 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
370 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
371 TLS_ALERT_DECODE_ERROR
);
372 x509_certificate_chain_free(chain
);
376 cert_len
= WPA_GET_BE24(pos
);
379 if ((size_t) (end
- pos
) < cert_len
) {
380 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected certificate "
381 "length (len=%lu left=%lu)",
382 (unsigned long) cert_len
,
383 (unsigned long) (end
- pos
));
384 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
385 TLS_ALERT_DECODE_ERROR
);
386 x509_certificate_chain_free(chain
);
390 wpa_printf(MSG_DEBUG
, "TLSv1: Certificate %lu (len %lu)",
391 (unsigned long) idx
, (unsigned long) cert_len
);
394 crypto_public_key_free(conn
->client_rsa_key
);
395 if (tls_parse_cert(pos
, cert_len
,
396 &conn
->client_rsa_key
)) {
397 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
399 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
400 TLS_ALERT_BAD_CERTIFICATE
);
401 x509_certificate_chain_free(chain
);
406 cert
= x509_certificate_parse(pos
, cert_len
);
408 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse "
410 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
411 TLS_ALERT_BAD_CERTIFICATE
);
412 x509_certificate_chain_free(chain
);
426 if (x509_certificate_chain_validate(conn
->cred
->trusted_certs
, chain
,
429 wpa_printf(MSG_DEBUG
, "TLSv1: Server certificate chain "
430 "validation failed (reason=%d)", reason
);
432 case X509_VALIDATE_BAD_CERTIFICATE
:
433 tls_reason
= TLS_ALERT_BAD_CERTIFICATE
;
435 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE
:
436 tls_reason
= TLS_ALERT_UNSUPPORTED_CERTIFICATE
;
438 case X509_VALIDATE_CERTIFICATE_REVOKED
:
439 tls_reason
= TLS_ALERT_CERTIFICATE_REVOKED
;
441 case X509_VALIDATE_CERTIFICATE_EXPIRED
:
442 tls_reason
= TLS_ALERT_CERTIFICATE_EXPIRED
;
444 case X509_VALIDATE_CERTIFICATE_UNKNOWN
:
445 tls_reason
= TLS_ALERT_CERTIFICATE_UNKNOWN
;
447 case X509_VALIDATE_UNKNOWN_CA
:
448 tls_reason
= TLS_ALERT_UNKNOWN_CA
;
451 tls_reason
= TLS_ALERT_BAD_CERTIFICATE
;
454 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
, tls_reason
);
455 x509_certificate_chain_free(chain
);
459 x509_certificate_chain_free(chain
);
461 *in_len
= end
- in_data
;
463 conn
->state
= CLIENT_KEY_EXCHANGE
;
469 static int tls_process_client_key_exchange_rsa(
470 struct tlsv1_server
*conn
, const u8
*pos
, const u8
*end
)
473 size_t outlen
, outbuflen
;
479 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
480 TLS_ALERT_DECODE_ERROR
);
484 encr_len
= WPA_GET_BE16(pos
);
487 outbuflen
= outlen
= end
- pos
;
488 out
= os_malloc(outlen
>= TLS_PRE_MASTER_SECRET_LEN
?
489 outlen
: TLS_PRE_MASTER_SECRET_LEN
);
491 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
492 TLS_ALERT_INTERNAL_ERROR
);
498 * ProtocolVersion client_version;
503 * public-key-encrypted PreMasterSecret pre_master_secret;
504 * } EncryptedPreMasterSecret;
508 * Note: To avoid Bleichenbacher attack, we do not report decryption or
509 * parsing errors from EncryptedPreMasterSecret processing to the
510 * client. Instead, a random pre-master secret is used to force the
514 if (crypto_private_key_decrypt_pkcs1_v15(conn
->cred
->key
,
517 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to decrypt "
518 "PreMasterSecret (encr_len=%d outlen=%lu)",
519 (int) (end
- pos
), (unsigned long) outlen
);
523 if (outlen
!= TLS_PRE_MASTER_SECRET_LEN
) {
524 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected PreMasterSecret "
525 "length %lu", (unsigned long) outlen
);
529 if (WPA_GET_BE16(out
) != conn
->client_version
) {
530 wpa_printf(MSG_DEBUG
, "TLSv1: Client version in "
531 "ClientKeyExchange does not match with version in "
537 wpa_printf(MSG_DEBUG
, "TLSv1: Using random premaster secret "
538 "to avoid revealing information about private key");
539 outlen
= TLS_PRE_MASTER_SECRET_LEN
;
540 if (os_get_random(out
, outlen
)) {
541 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to get random "
543 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
544 TLS_ALERT_INTERNAL_ERROR
);
550 res
= tlsv1_server_derive_keys(conn
, out
, outlen
);
552 /* Clear the pre-master secret since it is not needed anymore */
553 os_memset(out
, 0, outbuflen
);
557 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive keys");
558 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
559 TLS_ALERT_INTERNAL_ERROR
);
567 static int tls_process_client_key_exchange_dh_anon(
568 struct tlsv1_server
*conn
, const u8
*pos
, const u8
*end
)
579 * select (PublicValueEncoding) {
580 * case implicit: struct { };
581 * case explicit: opaque dh_Yc<1..2^16-1>;
583 * } ClientDiffieHellmanPublic;
586 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: ClientDiffieHellmanPublic",
590 wpa_printf(MSG_DEBUG
, "TLSv1: Implicit public value encoding "
592 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
593 TLS_ALERT_INTERNAL_ERROR
);
598 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid client public value "
600 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
601 TLS_ALERT_DECODE_ERROR
);
605 dh_yc_len
= WPA_GET_BE16(pos
);
608 if (dh_yc
+ dh_yc_len
> end
) {
609 wpa_printf(MSG_DEBUG
, "TLSv1: Client public value overflow "
610 "(length %d)", dh_yc_len
);
611 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
612 TLS_ALERT_DECODE_ERROR
);
616 wpa_hexdump(MSG_DEBUG
, "TLSv1: DH Yc (client's public value)",
619 if (conn
->cred
== NULL
|| conn
->cred
->dh_p
== NULL
||
620 conn
->dh_secret
== NULL
) {
621 wpa_printf(MSG_DEBUG
, "TLSv1: No DH parameters available");
622 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
623 TLS_ALERT_INTERNAL_ERROR
);
627 shared_len
= conn
->cred
->dh_p_len
;
628 shared
= os_malloc(shared_len
);
629 if (shared
== NULL
) {
630 wpa_printf(MSG_DEBUG
, "TLSv1: Could not allocate memory for "
632 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
633 TLS_ALERT_INTERNAL_ERROR
);
637 /* shared = Yc^secret mod p */
638 if (crypto_mod_exp(dh_yc
, dh_yc_len
, conn
->dh_secret
,
640 conn
->cred
->dh_p
, conn
->cred
->dh_p_len
,
641 shared
, &shared_len
)) {
643 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
644 TLS_ALERT_INTERNAL_ERROR
);
647 wpa_hexdump_key(MSG_DEBUG
, "TLSv1: Shared secret from DH key exchange",
650 os_memset(conn
->dh_secret
, 0, conn
->dh_secret_len
);
651 os_free(conn
->dh_secret
);
652 conn
->dh_secret
= NULL
;
654 res
= tlsv1_server_derive_keys(conn
, shared
, shared_len
);
656 /* Clear the pre-master secret since it is not needed anymore */
657 os_memset(shared
, 0, shared_len
);
661 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive keys");
662 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
663 TLS_ALERT_INTERNAL_ERROR
);
670 #endif /* EAP_FAST */
674 static int tls_process_client_key_exchange(struct tlsv1_server
*conn
, u8 ct
,
675 const u8
*in_data
, size_t *in_len
)
680 tls_key_exchange keyx
;
681 const struct tls_cipher_suite
*suite
;
683 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
684 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
685 "received content type 0x%x", ct
);
686 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
687 TLS_ALERT_UNEXPECTED_MESSAGE
);
695 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ClientKeyExchange "
696 "(Left=%lu)", (unsigned long) left
);
697 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
698 TLS_ALERT_DECODE_ERROR
);
703 len
= WPA_GET_BE24(pos
);
708 wpa_printf(MSG_DEBUG
, "TLSv1: Mismatch in ClientKeyExchange "
709 "length (len=%lu != left=%lu)",
710 (unsigned long) len
, (unsigned long) left
);
711 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
712 TLS_ALERT_DECODE_ERROR
);
718 if (type
!= TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE
) {
719 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
720 "message %d (expected ClientKeyExchange)", type
);
721 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
722 TLS_ALERT_UNEXPECTED_MESSAGE
);
726 wpa_printf(MSG_DEBUG
, "TLSv1: Received ClientKeyExchange");
728 wpa_hexdump(MSG_DEBUG
, "TLSv1: ClientKeyExchange", pos
, len
);
730 suite
= tls_get_cipher_suite(conn
->rl
.cipher_suite
);
732 keyx
= TLS_KEY_X_NULL
;
734 keyx
= suite
->key_exchange
;
736 if (keyx
== TLS_KEY_X_DH_anon
&&
737 tls_process_client_key_exchange_dh_anon(conn
, pos
, end
) < 0)
740 if (keyx
!= TLS_KEY_X_DH_anon
&&
741 tls_process_client_key_exchange_rsa(conn
, pos
, end
) < 0)
744 *in_len
= end
- in_data
;
746 conn
->state
= CERTIFICATE_VERIFY
;
752 static int tls_process_certificate_verify(struct tlsv1_server
*conn
, u8 ct
,
753 const u8
*in_data
, size_t *in_len
)
759 u8 hash
[MD5_MAC_LEN
+ SHA1_MAC_LEN
], *hpos
, *buf
;
760 enum { SIGN_ALG_RSA
, SIGN_ALG_DSA
} alg
= SIGN_ALG_RSA
;
763 if (ct
== TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC
) {
764 if (conn
->verify_peer
) {
765 wpa_printf(MSG_DEBUG
, "TLSv1: Client did not include "
766 "CertificateVerify");
767 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
768 TLS_ALERT_UNEXPECTED_MESSAGE
);
772 return tls_process_change_cipher_spec(conn
, ct
, in_data
,
776 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
777 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Handshake; "
778 "received content type 0x%x", ct
);
779 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
780 TLS_ALERT_UNEXPECTED_MESSAGE
);
788 wpa_printf(MSG_DEBUG
, "TLSv1: Too short CertificateVerify "
789 "message (len=%lu)", (unsigned long) left
);
790 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
791 TLS_ALERT_DECODE_ERROR
);
796 len
= WPA_GET_BE24(pos
);
801 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected CertificateVerify "
802 "message length (len=%lu != left=%lu)",
803 (unsigned long) len
, (unsigned long) left
);
804 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
805 TLS_ALERT_DECODE_ERROR
);
811 if (type
!= TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY
) {
812 wpa_printf(MSG_DEBUG
, "TLSv1: Received unexpected handshake "
813 "message %d (expected CertificateVerify)", type
);
814 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
815 TLS_ALERT_UNEXPECTED_MESSAGE
);
819 wpa_printf(MSG_DEBUG
, "TLSv1: Received CertificateVerify");
823 * Signature signature;
824 * } CertificateVerify;
829 if (alg
== SIGN_ALG_RSA
) {
831 if (conn
->verify
.md5_cert
== NULL
||
832 crypto_hash_finish(conn
->verify
.md5_cert
, hpos
, &hlen
) < 0)
834 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
835 TLS_ALERT_INTERNAL_ERROR
);
836 conn
->verify
.md5_cert
= NULL
;
837 crypto_hash_finish(conn
->verify
.sha1_cert
, NULL
, NULL
);
838 conn
->verify
.sha1_cert
= NULL
;
843 crypto_hash_finish(conn
->verify
.md5_cert
, NULL
, NULL
);
845 conn
->verify
.md5_cert
= NULL
;
847 if (conn
->verify
.sha1_cert
== NULL
||
848 crypto_hash_finish(conn
->verify
.sha1_cert
, hpos
, &hlen
) < 0) {
849 conn
->verify
.sha1_cert
= NULL
;
850 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
851 TLS_ALERT_INTERNAL_ERROR
);
854 conn
->verify
.sha1_cert
= NULL
;
856 if (alg
== SIGN_ALG_RSA
)
859 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: CertificateVerify hash", hash
, hlen
);
862 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
863 TLS_ALERT_DECODE_ERROR
);
866 slen
= WPA_GET_BE16(pos
);
868 if (end
- pos
< slen
) {
869 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
870 TLS_ALERT_DECODE_ERROR
);
874 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: Signature", pos
, end
- pos
);
875 if (conn
->client_rsa_key
== NULL
) {
876 wpa_printf(MSG_DEBUG
, "TLSv1: No client public key to verify "
878 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
879 TLS_ALERT_INTERNAL_ERROR
);
884 buf
= os_malloc(end
- pos
);
885 if (crypto_public_key_decrypt_pkcs1(conn
->client_rsa_key
,
886 pos
, end
- pos
, buf
, &buflen
) < 0)
888 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to decrypt signature");
890 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
891 TLS_ALERT_DECRYPT_ERROR
);
895 wpa_hexdump_key(MSG_MSGDUMP
, "TLSv1: Decrypted Signature",
898 if (buflen
!= hlen
|| os_memcmp(buf
, hash
, buflen
) != 0) {
899 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid Signature in "
900 "CertificateVerify - did not match with calculated "
903 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
904 TLS_ALERT_DECRYPT_ERROR
);
910 *in_len
= end
- in_data
;
912 conn
->state
= CHANGE_CIPHER_SPEC
;
918 static int tls_process_change_cipher_spec(struct tlsv1_server
*conn
,
919 u8 ct
, const u8
*in_data
,
925 if (ct
!= TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC
) {
926 wpa_printf(MSG_DEBUG
, "TLSv1: Expected ChangeCipherSpec; "
927 "received content type 0x%x", ct
);
928 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
929 TLS_ALERT_UNEXPECTED_MESSAGE
);
937 wpa_printf(MSG_DEBUG
, "TLSv1: Too short ChangeCipherSpec");
938 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
939 TLS_ALERT_DECODE_ERROR
);
943 if (*pos
!= TLS_CHANGE_CIPHER_SPEC
) {
944 wpa_printf(MSG_DEBUG
, "TLSv1: Expected ChangeCipherSpec; "
945 "received data 0x%x", *pos
);
946 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
947 TLS_ALERT_UNEXPECTED_MESSAGE
);
951 wpa_printf(MSG_DEBUG
, "TLSv1: Received ChangeCipherSpec");
952 if (tlsv1_record_change_read_cipher(&conn
->rl
) < 0) {
953 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to change read cipher "
955 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
956 TLS_ALERT_INTERNAL_ERROR
);
960 *in_len
= pos
+ 1 - in_data
;
962 conn
->state
= CLIENT_FINISHED
;
968 static int tls_process_client_finished(struct tlsv1_server
*conn
, u8 ct
,
969 const u8
*in_data
, size_t *in_len
)
972 size_t left
, len
, hlen
;
973 u8 verify_data
[TLS_VERIFY_DATA_LEN
];
974 u8 hash
[MD5_MAC_LEN
+ SHA1_MAC_LEN
];
976 if (ct
!= TLS_CONTENT_TYPE_HANDSHAKE
) {
977 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Finished; "
978 "received content type 0x%x", ct
);
979 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
980 TLS_ALERT_UNEXPECTED_MESSAGE
);
988 wpa_printf(MSG_DEBUG
, "TLSv1: Too short record (left=%lu) for "
990 (unsigned long) left
);
991 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
992 TLS_ALERT_DECODE_ERROR
);
996 if (pos
[0] != TLS_HANDSHAKE_TYPE_FINISHED
) {
997 wpa_printf(MSG_DEBUG
, "TLSv1: Expected Finished; received "
998 "type 0x%x", pos
[0]);
999 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1000 TLS_ALERT_UNEXPECTED_MESSAGE
);
1004 len
= WPA_GET_BE24(pos
+ 1);
1010 wpa_printf(MSG_DEBUG
, "TLSv1: Too short buffer for Finished "
1011 "(len=%lu > left=%lu)",
1012 (unsigned long) len
, (unsigned long) left
);
1013 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1014 TLS_ALERT_DECODE_ERROR
);
1018 if (len
!= TLS_VERIFY_DATA_LEN
) {
1019 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected verify_data length "
1020 "in Finished: %lu (expected %d)",
1021 (unsigned long) len
, TLS_VERIFY_DATA_LEN
);
1022 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1023 TLS_ALERT_DECODE_ERROR
);
1026 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: verify_data in Finished",
1027 pos
, TLS_VERIFY_DATA_LEN
);
1030 if (conn
->verify
.md5_client
== NULL
||
1031 crypto_hash_finish(conn
->verify
.md5_client
, hash
, &hlen
) < 0) {
1032 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1033 TLS_ALERT_INTERNAL_ERROR
);
1034 conn
->verify
.md5_client
= NULL
;
1035 crypto_hash_finish(conn
->verify
.sha1_client
, NULL
, NULL
);
1036 conn
->verify
.sha1_client
= NULL
;
1039 conn
->verify
.md5_client
= NULL
;
1040 hlen
= SHA1_MAC_LEN
;
1041 if (conn
->verify
.sha1_client
== NULL
||
1042 crypto_hash_finish(conn
->verify
.sha1_client
, hash
+ MD5_MAC_LEN
,
1044 conn
->verify
.sha1_client
= NULL
;
1045 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1046 TLS_ALERT_INTERNAL_ERROR
);
1049 conn
->verify
.sha1_client
= NULL
;
1051 if (tls_prf(conn
->master_secret
, TLS_MASTER_SECRET_LEN
,
1052 "client finished", hash
, MD5_MAC_LEN
+ SHA1_MAC_LEN
,
1053 verify_data
, TLS_VERIFY_DATA_LEN
)) {
1054 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to derive verify_data");
1055 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1056 TLS_ALERT_DECRYPT_ERROR
);
1059 wpa_hexdump_key(MSG_DEBUG
, "TLSv1: verify_data (client)",
1060 verify_data
, TLS_VERIFY_DATA_LEN
);
1062 if (os_memcmp(pos
, verify_data
, TLS_VERIFY_DATA_LEN
) != 0) {
1063 wpa_printf(MSG_INFO
, "TLSv1: Mismatch in verify_data");
1067 wpa_printf(MSG_DEBUG
, "TLSv1: Received Finished");
1069 *in_len
= end
- in_data
;
1071 if (conn
->use_session_ticket
) {
1072 /* Abbreviated handshake using session ticket; RFC 4507 */
1073 wpa_printf(MSG_DEBUG
, "TLSv1: Abbreviated handshake completed "
1075 conn
->state
= ESTABLISHED
;
1077 /* Full handshake */
1078 conn
->state
= SERVER_CHANGE_CIPHER_SPEC
;
1085 int tlsv1_server_process_handshake(struct tlsv1_server
*conn
, u8 ct
,
1086 const u8
*buf
, size_t *len
)
1088 if (ct
== TLS_CONTENT_TYPE_ALERT
) {
1090 wpa_printf(MSG_DEBUG
, "TLSv1: Alert underflow");
1091 tlsv1_server_alert(conn
, TLS_ALERT_LEVEL_FATAL
,
1092 TLS_ALERT_DECODE_ERROR
);
1095 wpa_printf(MSG_DEBUG
, "TLSv1: Received alert %d:%d",
1098 conn
->state
= FAILED
;
1102 switch (conn
->state
) {
1104 if (tls_process_client_hello(conn
, ct
, buf
, len
))
1107 case CLIENT_CERTIFICATE
:
1108 if (tls_process_certificate(conn
, ct
, buf
, len
))
1111 case CLIENT_KEY_EXCHANGE
:
1112 if (tls_process_client_key_exchange(conn
, ct
, buf
, len
))
1115 case CERTIFICATE_VERIFY
:
1116 if (tls_process_certificate_verify(conn
, ct
, buf
, len
))
1119 case CHANGE_CIPHER_SPEC
:
1120 if (tls_process_change_cipher_spec(conn
, ct
, buf
, len
))
1123 case CLIENT_FINISHED
:
1124 if (tls_process_client_finished(conn
, ct
, buf
, len
))
1128 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected state %d "
1129 "while processing received message",
1134 if (ct
== TLS_CONTENT_TYPE_HANDSHAKE
)
1135 tls_verify_hash_add(&conn
->verify
, buf
, *len
);