xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision 3823d5e198425b4f5e5a80267d195769d1063773)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21 
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 					   const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 					   const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 					 const u8 *in_data, size_t *in_len);
28 
29 
30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 				    const u8 *in_data, size_t *in_len)
32 {
33 	const u8 *pos, *end;
34 	size_t left, len, i;
35 	u16 cipher_suite;
36 	u16 tls_version;
37 
38 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 			   "received content type 0x%x", ct);
41 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 			  TLS_ALERT_UNEXPECTED_MESSAGE);
43 		return -1;
44 	}
45 
46 	pos = in_data;
47 	left = *in_len;
48 
49 	if (left < 4)
50 		goto decode_error;
51 
52 	/* HandshakeType msg_type */
53 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 			   "message %d (expected ServerHello)", *pos);
56 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 			  TLS_ALERT_UNEXPECTED_MESSAGE);
58 		return -1;
59 	}
60 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61 	pos++;
62 	/* uint24 length */
63 	len = WPA_GET_BE24(pos);
64 	pos += 3;
65 	left -= 4;
66 
67 	if (len > left)
68 		goto decode_error;
69 
70 	/* body - ServerHello */
71 
72 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73 	end = pos + len;
74 
75 	/* ProtocolVersion server_version */
76 	if (end - pos < 2)
77 		goto decode_error;
78 	tls_version = WPA_GET_BE16(pos);
79 	if (!tls_version_ok(tls_version)) {
80 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 			   "ServerHello %u.%u", pos[0], pos[1]);
82 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 			  TLS_ALERT_PROTOCOL_VERSION);
84 		return -1;
85 	}
86 	pos += 2;
87 
88 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 		   tls_version_str(tls_version));
90 	conn->rl.tls_version = tls_version;
91 
92 	/* Random random */
93 	if (end - pos < TLS_RANDOM_LEN)
94 		goto decode_error;
95 
96 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 	pos += TLS_RANDOM_LEN;
98 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 		    conn->server_random, TLS_RANDOM_LEN);
100 
101 	/* SessionID session_id */
102 	if (end - pos < 1)
103 		goto decode_error;
104 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105 		goto decode_error;
106 	if (conn->session_id_len && conn->session_id_len == *pos &&
107 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 		pos += 1 + conn->session_id_len;
109 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 		conn->session_resumed = 1;
111 	} else {
112 		conn->session_id_len = *pos;
113 		pos++;
114 		os_memcpy(conn->session_id, pos, conn->session_id_len);
115 		pos += conn->session_id_len;
116 	}
117 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 		    conn->session_id, conn->session_id_len);
119 
120 	/* CipherSuite cipher_suite */
121 	if (end - pos < 2)
122 		goto decode_error;
123 	cipher_suite = WPA_GET_BE16(pos);
124 	pos += 2;
125 	for (i = 0; i < conn->num_cipher_suites; i++) {
126 		if (cipher_suite == conn->cipher_suites[i])
127 			break;
128 	}
129 	if (i == conn->num_cipher_suites) {
130 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 			   "cipher suite 0x%04x", cipher_suite);
132 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 			  TLS_ALERT_ILLEGAL_PARAMETER);
134 		return -1;
135 	}
136 
137 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 			   "cipher suite for a resumed connection (0x%04x != "
140 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 			  TLS_ALERT_ILLEGAL_PARAMETER);
143 		return -1;
144 	}
145 
146 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148 			   "record layer");
149 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 			  TLS_ALERT_INTERNAL_ERROR);
151 		return -1;
152 	}
153 
154 	conn->prev_cipher_suite = cipher_suite;
155 
156 	/* CompressionMethod compression_method */
157 	if (end - pos < 1)
158 		goto decode_error;
159 	if (*pos != TLS_COMPRESSION_NULL) {
160 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 			   "compression 0x%02x", *pos);
162 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 			  TLS_ALERT_ILLEGAL_PARAMETER);
164 		return -1;
165 	}
166 	pos++;
167 
168 	if (end != pos) {
169 		/* TODO: ServerHello extensions */
170 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 			    "end of ServerHello", pos, end - pos);
172 		goto decode_error;
173 	}
174 
175 	if (conn->session_ticket_included && conn->session_ticket_cb) {
176 		/* TODO: include SessionTicket extension if one was included in
177 		 * ServerHello */
178 		int res = conn->session_ticket_cb(
179 			conn->session_ticket_cb_ctx, NULL, 0,
180 			conn->client_random, conn->server_random,
181 			conn->master_secret);
182 		if (res < 0) {
183 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 				   "indicated failure");
185 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 				  TLS_ALERT_HANDSHAKE_FAILURE);
187 			return -1;
188 		}
189 		conn->use_session_ticket = !!res;
190 	}
191 
192 	if ((conn->session_resumed || conn->use_session_ticket) &&
193 	    tls_derive_keys(conn, NULL, 0)) {
194 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 			  TLS_ALERT_INTERNAL_ERROR);
197 		return -1;
198 	}
199 
200 	*in_len = end - in_data;
201 
202 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204 
205 	return 0;
206 
207 decode_error:
208 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210 	return -1;
211 }
212 
213 
214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215 				   const u8 *in_data, size_t *in_len)
216 {
217 	const u8 *pos, *end;
218 	size_t left, len, list_len, cert_len, idx;
219 	u8 type;
220 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
221 	int reason;
222 
223 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225 			   "received content type 0x%x", ct);
226 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 			  TLS_ALERT_UNEXPECTED_MESSAGE);
228 		return -1;
229 	}
230 
231 	pos = in_data;
232 	left = *in_len;
233 
234 	if (left < 4) {
235 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236 			   "(len=%lu)", (unsigned long) left);
237 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
238 		return -1;
239 	}
240 
241 	type = *pos++;
242 	len = WPA_GET_BE24(pos);
243 	pos += 3;
244 	left -= 4;
245 
246 	if (len > left) {
247 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248 			   "length (len=%lu != left=%lu)",
249 			   (unsigned long) len, (unsigned long) left);
250 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
251 		return -1;
252 	}
253 
254 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255 		return tls_process_server_key_exchange(conn, ct, in_data,
256 						       in_len);
257 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258 		return tls_process_certificate_request(conn, ct, in_data,
259 						       in_len);
260 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261 		return tls_process_server_hello_done(conn, ct, in_data,
262 						     in_len);
263 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265 			   "message %d (expected Certificate/"
266 			   "ServerKeyExchange/CertificateRequest/"
267 			   "ServerHelloDone)", type);
268 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 			  TLS_ALERT_UNEXPECTED_MESSAGE);
270 		return -1;
271 	}
272 
273 	wpa_printf(MSG_DEBUG,
274 		   "TLSv1: Received Certificate (certificate_list len %lu)",
275 		   (unsigned long) len);
276 
277 	/*
278 	 * opaque ASN.1Cert<2^24-1>;
279 	 *
280 	 * struct {
281 	 *     ASN.1Cert certificate_list<1..2^24-1>;
282 	 * } Certificate;
283 	 */
284 
285 	end = pos + len;
286 
287 	if (end - pos < 3) {
288 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 			   "(left=%lu)", (unsigned long) left);
290 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291 		return -1;
292 	}
293 
294 	list_len = WPA_GET_BE24(pos);
295 	pos += 3;
296 
297 	if ((size_t) (end - pos) != list_len) {
298 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 			   "length (len=%lu left=%lu)",
300 			   (unsigned long) list_len,
301 			   (unsigned long) (end - pos));
302 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303 		return -1;
304 	}
305 
306 	idx = 0;
307 	while (pos < end) {
308 		if (end - pos < 3) {
309 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310 				   "certificate_list");
311 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 				  TLS_ALERT_DECODE_ERROR);
313 			x509_certificate_chain_free(chain);
314 			return -1;
315 		}
316 
317 		cert_len = WPA_GET_BE24(pos);
318 		pos += 3;
319 
320 		if ((size_t) (end - pos) < cert_len) {
321 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 				   "length (len=%lu left=%lu)",
323 				   (unsigned long) cert_len,
324 				   (unsigned long) (end - pos));
325 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 				  TLS_ALERT_DECODE_ERROR);
327 			x509_certificate_chain_free(chain);
328 			return -1;
329 		}
330 
331 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 			   (unsigned long) idx, (unsigned long) cert_len);
333 
334 		if (idx == 0) {
335 			crypto_public_key_free(conn->server_rsa_key);
336 			if (tls_parse_cert(pos, cert_len,
337 					   &conn->server_rsa_key)) {
338 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339 					   "the certificate");
340 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 					  TLS_ALERT_BAD_CERTIFICATE);
342 				x509_certificate_chain_free(chain);
343 				return -1;
344 			}
345 		}
346 
347 		cert = x509_certificate_parse(pos, cert_len);
348 		if (cert == NULL) {
349 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350 				   "the certificate");
351 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 				  TLS_ALERT_BAD_CERTIFICATE);
353 			x509_certificate_chain_free(chain);
354 			return -1;
355 		}
356 
357 		if (last == NULL)
358 			chain = cert;
359 		else
360 			last->next = cert;
361 		last = cert;
362 
363 		idx++;
364 		pos += cert_len;
365 	}
366 
367 	if (conn->cred &&
368 	    x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 					    &reason, conn->disable_time_checks)
370 	    < 0) {
371 		int tls_reason;
372 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 			   "validation failed (reason=%d)", reason);
374 		switch (reason) {
375 		case X509_VALIDATE_BAD_CERTIFICATE:
376 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377 			break;
378 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380 			break;
381 		case X509_VALIDATE_CERTIFICATE_REVOKED:
382 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383 			break;
384 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386 			break;
387 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389 			break;
390 		case X509_VALIDATE_UNKNOWN_CA:
391 			tls_reason = TLS_ALERT_UNKNOWN_CA;
392 			break;
393 		default:
394 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395 			break;
396 		}
397 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 		x509_certificate_chain_free(chain);
399 		return -1;
400 	}
401 
402 	x509_certificate_chain_free(chain);
403 
404 	*in_len = end - in_data;
405 
406 	conn->state = SERVER_KEY_EXCHANGE;
407 
408 	return 0;
409 }
410 
411 
412 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
413 					const u8 *buf, size_t len)
414 {
415 	const u8 *pos, *end;
416 
417 	tlsv1_client_free_dh(conn);
418 
419 	pos = buf;
420 	end = buf + len;
421 
422 	if (end - pos < 3)
423 		goto fail;
424 	conn->dh_p_len = WPA_GET_BE16(pos);
425 	pos += 2;
426 	if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
427 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
428 			   (unsigned long) conn->dh_p_len);
429 		goto fail;
430 	}
431 	conn->dh_p = os_malloc(conn->dh_p_len);
432 	if (conn->dh_p == NULL)
433 		goto fail;
434 	os_memcpy(conn->dh_p, pos, conn->dh_p_len);
435 	pos += conn->dh_p_len;
436 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
437 		    conn->dh_p, conn->dh_p_len);
438 
439 	if (end - pos < 3)
440 		goto fail;
441 	conn->dh_g_len = WPA_GET_BE16(pos);
442 	pos += 2;
443 	if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
444 		goto fail;
445 	conn->dh_g = os_malloc(conn->dh_g_len);
446 	if (conn->dh_g == NULL)
447 		goto fail;
448 	os_memcpy(conn->dh_g, pos, conn->dh_g_len);
449 	pos += conn->dh_g_len;
450 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
451 		    conn->dh_g, conn->dh_g_len);
452 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
453 		goto fail;
454 
455 	if (end - pos < 3)
456 		goto fail;
457 	conn->dh_ys_len = WPA_GET_BE16(pos);
458 	pos += 2;
459 	if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
460 		goto fail;
461 	conn->dh_ys = os_malloc(conn->dh_ys_len);
462 	if (conn->dh_ys == NULL)
463 		goto fail;
464 	os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
465 	pos += conn->dh_ys_len;
466 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
467 		    conn->dh_ys, conn->dh_ys_len);
468 
469 	return 0;
470 
471 fail:
472 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
473 	tlsv1_client_free_dh(conn);
474 	return -1;
475 }
476 
477 
478 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
479 					   const u8 *in_data, size_t *in_len)
480 {
481 	const u8 *pos, *end;
482 	size_t left, len;
483 	u8 type;
484 	const struct tls_cipher_suite *suite;
485 
486 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
487 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
488 			   "received content type 0x%x", ct);
489 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
490 			  TLS_ALERT_UNEXPECTED_MESSAGE);
491 		return -1;
492 	}
493 
494 	pos = in_data;
495 	left = *in_len;
496 
497 	if (left < 4) {
498 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
499 			   "(Left=%lu)", (unsigned long) left);
500 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
501 		return -1;
502 	}
503 
504 	type = *pos++;
505 	len = WPA_GET_BE24(pos);
506 	pos += 3;
507 	left -= 4;
508 
509 	if (len > left) {
510 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
511 			   "length (len=%lu != left=%lu)",
512 			   (unsigned long) len, (unsigned long) left);
513 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
514 		return -1;
515 	}
516 
517 	end = pos + len;
518 
519 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
520 		return tls_process_certificate_request(conn, ct, in_data,
521 						       in_len);
522 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
523 		return tls_process_server_hello_done(conn, ct, in_data,
524 						     in_len);
525 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
526 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
527 			   "message %d (expected ServerKeyExchange/"
528 			   "CertificateRequest/ServerHelloDone)", type);
529 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
530 			  TLS_ALERT_UNEXPECTED_MESSAGE);
531 		return -1;
532 	}
533 
534 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
535 
536 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
537 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
538 			   "with the selected cipher suite");
539 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
540 			  TLS_ALERT_UNEXPECTED_MESSAGE);
541 		return -1;
542 	}
543 
544 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
545 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
546 	if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
547 		if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) {
548 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
549 				  TLS_ALERT_DECODE_ERROR);
550 			return -1;
551 		}
552 	} else {
553 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
554 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
555 			  TLS_ALERT_UNEXPECTED_MESSAGE);
556 		return -1;
557 	}
558 
559 	*in_len = end - in_data;
560 
561 	conn->state = SERVER_CERTIFICATE_REQUEST;
562 
563 	return 0;
564 }
565 
566 
567 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
568 					   const u8 *in_data, size_t *in_len)
569 {
570 	const u8 *pos, *end;
571 	size_t left, len;
572 	u8 type;
573 
574 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
575 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
576 			   "received content type 0x%x", ct);
577 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
578 			  TLS_ALERT_UNEXPECTED_MESSAGE);
579 		return -1;
580 	}
581 
582 	pos = in_data;
583 	left = *in_len;
584 
585 	if (left < 4) {
586 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
587 			   "(left=%lu)", (unsigned long) left);
588 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
589 		return -1;
590 	}
591 
592 	type = *pos++;
593 	len = WPA_GET_BE24(pos);
594 	pos += 3;
595 	left -= 4;
596 
597 	if (len > left) {
598 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
599 			   "length (len=%lu != left=%lu)",
600 			   (unsigned long) len, (unsigned long) left);
601 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
602 		return -1;
603 	}
604 
605 	end = pos + len;
606 
607 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
608 		return tls_process_server_hello_done(conn, ct, in_data,
609 						     in_len);
610 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
611 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
612 			   "message %d (expected CertificateRequest/"
613 			   "ServerHelloDone)", type);
614 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
615 			  TLS_ALERT_UNEXPECTED_MESSAGE);
616 		return -1;
617 	}
618 
619 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
620 
621 	conn->certificate_requested = 1;
622 
623 	*in_len = end - in_data;
624 
625 	conn->state = SERVER_HELLO_DONE;
626 
627 	return 0;
628 }
629 
630 
631 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
632 					 const u8 *in_data, size_t *in_len)
633 {
634 	const u8 *pos, *end;
635 	size_t left, len;
636 	u8 type;
637 
638 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
639 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
640 			   "received content type 0x%x", ct);
641 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
642 			  TLS_ALERT_UNEXPECTED_MESSAGE);
643 		return -1;
644 	}
645 
646 	pos = in_data;
647 	left = *in_len;
648 
649 	if (left < 4) {
650 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
651 			   "(left=%lu)", (unsigned long) left);
652 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
653 		return -1;
654 	}
655 
656 	type = *pos++;
657 	len = WPA_GET_BE24(pos);
658 	pos += 3;
659 	left -= 4;
660 
661 	if (len > left) {
662 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
663 			   "length (len=%lu != left=%lu)",
664 			   (unsigned long) len, (unsigned long) left);
665 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
666 		return -1;
667 	}
668 	end = pos + len;
669 
670 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
671 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
672 			   "message %d (expected ServerHelloDone)", type);
673 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
674 			  TLS_ALERT_UNEXPECTED_MESSAGE);
675 		return -1;
676 	}
677 
678 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
679 
680 	*in_len = end - in_data;
681 
682 	conn->state = CLIENT_KEY_EXCHANGE;
683 
684 	return 0;
685 }
686 
687 
688 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
689 						 u8 ct, const u8 *in_data,
690 						 size_t *in_len)
691 {
692 	const u8 *pos;
693 	size_t left;
694 
695 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
696 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
697 			   "received content type 0x%x", ct);
698 		if (conn->use_session_ticket) {
699 			int res;
700 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
701 				   "rejected SessionTicket");
702 			conn->use_session_ticket = 0;
703 
704 			/* Notify upper layers that SessionTicket failed */
705 			res = conn->session_ticket_cb(
706 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
707 				NULL, NULL);
708 			if (res < 0) {
709 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
710 					   "callback indicated failure");
711 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
712 					  TLS_ALERT_HANDSHAKE_FAILURE);
713 				return -1;
714 			}
715 
716 			conn->state = SERVER_CERTIFICATE;
717 			return tls_process_certificate(conn, ct, in_data,
718 						       in_len);
719 		}
720 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
721 			  TLS_ALERT_UNEXPECTED_MESSAGE);
722 		return -1;
723 	}
724 
725 	pos = in_data;
726 	left = *in_len;
727 
728 	if (left < 1) {
729 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
730 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
731 		return -1;
732 	}
733 
734 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
735 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
736 			   "received data 0x%x", *pos);
737 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
738 			  TLS_ALERT_UNEXPECTED_MESSAGE);
739 		return -1;
740 	}
741 
742 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
743 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
744 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
745 			   "for record layer");
746 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
747 			  TLS_ALERT_INTERNAL_ERROR);
748 		return -1;
749 	}
750 
751 	*in_len = pos + 1 - in_data;
752 
753 	conn->state = SERVER_FINISHED;
754 
755 	return 0;
756 }
757 
758 
759 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
760 				       const u8 *in_data, size_t *in_len)
761 {
762 	const u8 *pos, *end;
763 	size_t left, len, hlen;
764 	u8 verify_data[TLS_VERIFY_DATA_LEN];
765 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
766 
767 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
768 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
769 			   "received content type 0x%x", ct);
770 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
771 			  TLS_ALERT_UNEXPECTED_MESSAGE);
772 		return -1;
773 	}
774 
775 	pos = in_data;
776 	left = *in_len;
777 
778 	if (left < 4) {
779 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
780 			   "Finished",
781 			   (unsigned long) left);
782 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
783 			  TLS_ALERT_DECODE_ERROR);
784 		return -1;
785 	}
786 
787 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
788 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
789 			   "type 0x%x", pos[0]);
790 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
791 			  TLS_ALERT_UNEXPECTED_MESSAGE);
792 		return -1;
793 	}
794 
795 	len = WPA_GET_BE24(pos + 1);
796 
797 	pos += 4;
798 	left -= 4;
799 
800 	if (len > left) {
801 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
802 			   "(len=%lu > left=%lu)",
803 			   (unsigned long) len, (unsigned long) left);
804 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
805 			  TLS_ALERT_DECODE_ERROR);
806 		return -1;
807 	}
808 	end = pos + len;
809 	if (len != TLS_VERIFY_DATA_LEN) {
810 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
811 			   "in Finished: %lu (expected %d)",
812 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
813 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
814 			  TLS_ALERT_DECODE_ERROR);
815 		return -1;
816 	}
817 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
818 		    pos, TLS_VERIFY_DATA_LEN);
819 
820 #ifdef CONFIG_TLSV12
821 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
822 		hlen = SHA256_MAC_LEN;
823 		if (conn->verify.sha256_server == NULL ||
824 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
825 		    < 0) {
826 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
827 				  TLS_ALERT_INTERNAL_ERROR);
828 			conn->verify.sha256_server = NULL;
829 			return -1;
830 		}
831 		conn->verify.sha256_server = NULL;
832 	} else {
833 #endif /* CONFIG_TLSV12 */
834 
835 	hlen = MD5_MAC_LEN;
836 	if (conn->verify.md5_server == NULL ||
837 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
838 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
839 			  TLS_ALERT_INTERNAL_ERROR);
840 		conn->verify.md5_server = NULL;
841 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
842 		conn->verify.sha1_server = NULL;
843 		return -1;
844 	}
845 	conn->verify.md5_server = NULL;
846 	hlen = SHA1_MAC_LEN;
847 	if (conn->verify.sha1_server == NULL ||
848 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
849 			       &hlen) < 0) {
850 		conn->verify.sha1_server = NULL;
851 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
852 			  TLS_ALERT_INTERNAL_ERROR);
853 		return -1;
854 	}
855 	conn->verify.sha1_server = NULL;
856 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
857 
858 #ifdef CONFIG_TLSV12
859 	}
860 #endif /* CONFIG_TLSV12 */
861 
862 	if (tls_prf(conn->rl.tls_version,
863 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
864 		    "server finished", hash, hlen,
865 		    verify_data, TLS_VERIFY_DATA_LEN)) {
866 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
867 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 			  TLS_ALERT_DECRYPT_ERROR);
869 		return -1;
870 	}
871 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
872 			verify_data, TLS_VERIFY_DATA_LEN);
873 
874 	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
875 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
876 		return -1;
877 	}
878 
879 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
880 
881 	*in_len = end - in_data;
882 
883 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
884 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
885 
886 	return 0;
887 }
888 
889 
890 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
891 					const u8 *in_data, size_t *in_len,
892 					u8 **out_data, size_t *out_len)
893 {
894 	const u8 *pos;
895 	size_t left;
896 
897 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
898 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
899 			   "received content type 0x%x", ct);
900 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
901 			  TLS_ALERT_UNEXPECTED_MESSAGE);
902 		return -1;
903 	}
904 
905 	pos = in_data;
906 	left = *in_len;
907 
908 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
909 		    pos, left);
910 
911 	*out_data = os_malloc(left);
912 	if (*out_data) {
913 		os_memcpy(*out_data, pos, left);
914 		*out_len = left;
915 	}
916 
917 	return 0;
918 }
919 
920 
921 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
922 				   const u8 *buf, size_t *len,
923 				   u8 **out_data, size_t *out_len)
924 {
925 	if (ct == TLS_CONTENT_TYPE_ALERT) {
926 		if (*len < 2) {
927 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
928 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
929 				  TLS_ALERT_DECODE_ERROR);
930 			return -1;
931 		}
932 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
933 			   buf[0], buf[1]);
934 		*len = 2;
935 		conn->state = FAILED;
936 		return -1;
937 	}
938 
939 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
940 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
941 		size_t hr_len = WPA_GET_BE24(buf + 1);
942 		if (hr_len > *len - 4) {
943 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
944 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
945 				  TLS_ALERT_DECODE_ERROR);
946 			return -1;
947 		}
948 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
949 		*len = 4 + hr_len;
950 		return 0;
951 	}
952 
953 	switch (conn->state) {
954 	case SERVER_HELLO:
955 		if (tls_process_server_hello(conn, ct, buf, len))
956 			return -1;
957 		break;
958 	case SERVER_CERTIFICATE:
959 		if (tls_process_certificate(conn, ct, buf, len))
960 			return -1;
961 		break;
962 	case SERVER_KEY_EXCHANGE:
963 		if (tls_process_server_key_exchange(conn, ct, buf, len))
964 			return -1;
965 		break;
966 	case SERVER_CERTIFICATE_REQUEST:
967 		if (tls_process_certificate_request(conn, ct, buf, len))
968 			return -1;
969 		break;
970 	case SERVER_HELLO_DONE:
971 		if (tls_process_server_hello_done(conn, ct, buf, len))
972 			return -1;
973 		break;
974 	case SERVER_CHANGE_CIPHER_SPEC:
975 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
976 			return -1;
977 		break;
978 	case SERVER_FINISHED:
979 		if (tls_process_server_finished(conn, ct, buf, len))
980 			return -1;
981 		break;
982 	case ACK_FINISHED:
983 		if (out_data &&
984 		    tls_process_application_data(conn, ct, buf, len, out_data,
985 						 out_len))
986 			return -1;
987 		break;
988 	default:
989 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
990 			   "while processing received message",
991 			   conn->state);
992 		return -1;
993 	}
994 
995 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
996 		tls_verify_hash_add(&conn->verify, buf, *len);
997 
998 	return 0;
999 }
1000