xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision 7aa383846770374466b1dcb2cefd71bde9acf463)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "md5.h"
19 #include "sha1.h"
20 #include "x509v3.h"
21 #include "tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_client.h"
25 #include "tlsv1_client_i.h"
26 
27 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
28 					   const u8 *in_data, size_t *in_len);
29 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
30 					   const u8 *in_data, size_t *in_len);
31 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
32 					 const u8 *in_data, size_t *in_len);
33 
34 
35 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
36 				    const u8 *in_data, size_t *in_len)
37 {
38 	const u8 *pos, *end;
39 	size_t left, len, i;
40 	u16 cipher_suite;
41 
42 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
43 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
44 			   "received content type 0x%x", ct);
45 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
46 			  TLS_ALERT_UNEXPECTED_MESSAGE);
47 		return -1;
48 	}
49 
50 	pos = in_data;
51 	left = *in_len;
52 
53 	if (left < 4)
54 		goto decode_error;
55 
56 	/* HandshakeType msg_type */
57 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
58 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
59 			   "message %d (expected ServerHello)", *pos);
60 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
61 			  TLS_ALERT_UNEXPECTED_MESSAGE);
62 		return -1;
63 	}
64 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
65 	pos++;
66 	/* uint24 length */
67 	len = WPA_GET_BE24(pos);
68 	pos += 3;
69 	left -= 4;
70 
71 	if (len > left)
72 		goto decode_error;
73 
74 	/* body - ServerHello */
75 
76 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
77 	end = pos + len;
78 
79 	/* ProtocolVersion server_version */
80 	if (end - pos < 2)
81 		goto decode_error;
82 	if (WPA_GET_BE16(pos) != TLS_VERSION) {
83 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
84 			   "ServerHello");
85 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
86 			  TLS_ALERT_PROTOCOL_VERSION);
87 		return -1;
88 	}
89 	pos += 2;
90 
91 	/* Random random */
92 	if (end - pos < TLS_RANDOM_LEN)
93 		goto decode_error;
94 
95 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
96 	pos += TLS_RANDOM_LEN;
97 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
98 		    conn->server_random, TLS_RANDOM_LEN);
99 
100 	/* SessionID session_id */
101 	if (end - pos < 1)
102 		goto decode_error;
103 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
104 		goto decode_error;
105 	if (conn->session_id_len && conn->session_id_len == *pos &&
106 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
107 		pos += 1 + conn->session_id_len;
108 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
109 		conn->session_resumed = 1;
110 	} else {
111 		conn->session_id_len = *pos;
112 		pos++;
113 		os_memcpy(conn->session_id, pos, conn->session_id_len);
114 		pos += conn->session_id_len;
115 	}
116 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
117 		    conn->session_id, conn->session_id_len);
118 
119 	/* CipherSuite cipher_suite */
120 	if (end - pos < 2)
121 		goto decode_error;
122 	cipher_suite = WPA_GET_BE16(pos);
123 	pos += 2;
124 	for (i = 0; i < conn->num_cipher_suites; i++) {
125 		if (cipher_suite == conn->cipher_suites[i])
126 			break;
127 	}
128 	if (i == conn->num_cipher_suites) {
129 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
130 			   "cipher suite 0x%04x", cipher_suite);
131 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 			  TLS_ALERT_ILLEGAL_PARAMETER);
133 		return -1;
134 	}
135 
136 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
137 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
138 			   "cipher suite for a resumed connection (0x%04x != "
139 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
140 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
141 			  TLS_ALERT_ILLEGAL_PARAMETER);
142 		return -1;
143 	}
144 
145 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
146 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
147 			   "record layer");
148 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
149 			  TLS_ALERT_INTERNAL_ERROR);
150 		return -1;
151 	}
152 
153 	conn->prev_cipher_suite = cipher_suite;
154 
155 	/* CompressionMethod compression_method */
156 	if (end - pos < 1)
157 		goto decode_error;
158 	if (*pos != TLS_COMPRESSION_NULL) {
159 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
160 			   "compression 0x%02x", *pos);
161 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
162 			  TLS_ALERT_ILLEGAL_PARAMETER);
163 		return -1;
164 	}
165 	pos++;
166 
167 	if (end != pos) {
168 		/* TODO: ServerHello extensions */
169 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
170 			    "end of ServerHello", pos, end - pos);
171 		goto decode_error;
172 	}
173 
174 	if (conn->session_ticket_included && conn->session_ticket_cb) {
175 		/* TODO: include SessionTicket extension if one was included in
176 		 * ServerHello */
177 		int res = conn->session_ticket_cb(
178 			conn->session_ticket_cb_ctx, NULL, 0,
179 			conn->client_random, conn->server_random,
180 			conn->master_secret);
181 		if (res < 0) {
182 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
183 				   "indicated failure");
184 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
185 				  TLS_ALERT_HANDSHAKE_FAILURE);
186 			return -1;
187 		}
188 		conn->use_session_ticket = !!res;
189 	}
190 
191 	if ((conn->session_resumed || conn->use_session_ticket) &&
192 	    tls_derive_keys(conn, NULL, 0)) {
193 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
194 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
195 			  TLS_ALERT_INTERNAL_ERROR);
196 		return -1;
197 	}
198 
199 	*in_len = end - in_data;
200 
201 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
202 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
203 
204 	return 0;
205 
206 decode_error:
207 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
208 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
209 	return -1;
210 }
211 
212 
213 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
214 				   const u8 *in_data, size_t *in_len)
215 {
216 	const u8 *pos, *end;
217 	size_t left, len, list_len, cert_len, idx;
218 	u8 type;
219 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
220 	int reason;
221 
222 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
223 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
224 			   "received content type 0x%x", ct);
225 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
226 			  TLS_ALERT_UNEXPECTED_MESSAGE);
227 		return -1;
228 	}
229 
230 	pos = in_data;
231 	left = *in_len;
232 
233 	if (left < 4) {
234 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
235 			   "(len=%lu)", (unsigned long) left);
236 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
237 		return -1;
238 	}
239 
240 	type = *pos++;
241 	len = WPA_GET_BE24(pos);
242 	pos += 3;
243 	left -= 4;
244 
245 	if (len > left) {
246 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
247 			   "length (len=%lu != left=%lu)",
248 			   (unsigned long) len, (unsigned long) left);
249 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
250 		return -1;
251 	}
252 
253 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
254 		return tls_process_server_key_exchange(conn, ct, in_data,
255 						       in_len);
256 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
257 		return tls_process_certificate_request(conn, ct, in_data,
258 						       in_len);
259 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
260 		return tls_process_server_hello_done(conn, ct, in_data,
261 						     in_len);
262 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
263 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
264 			   "message %d (expected Certificate/"
265 			   "ServerKeyExchange/CertificateRequest/"
266 			   "ServerHelloDone)", type);
267 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
268 			  TLS_ALERT_UNEXPECTED_MESSAGE);
269 		return -1;
270 	}
271 
272 	wpa_printf(MSG_DEBUG,
273 		   "TLSv1: Received Certificate (certificate_list len %lu)",
274 		   (unsigned long) len);
275 
276 	/*
277 	 * opaque ASN.1Cert<2^24-1>;
278 	 *
279 	 * struct {
280 	 *     ASN.1Cert certificate_list<1..2^24-1>;
281 	 * } Certificate;
282 	 */
283 
284 	end = pos + len;
285 
286 	if (end - pos < 3) {
287 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
288 			   "(left=%lu)", (unsigned long) left);
289 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
290 		return -1;
291 	}
292 
293 	list_len = WPA_GET_BE24(pos);
294 	pos += 3;
295 
296 	if ((size_t) (end - pos) != list_len) {
297 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
298 			   "length (len=%lu left=%lu)",
299 			   (unsigned long) list_len,
300 			   (unsigned long) (end - pos));
301 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
302 		return -1;
303 	}
304 
305 	idx = 0;
306 	while (pos < end) {
307 		if (end - pos < 3) {
308 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
309 				   "certificate_list");
310 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
311 				  TLS_ALERT_DECODE_ERROR);
312 			x509_certificate_chain_free(chain);
313 			return -1;
314 		}
315 
316 		cert_len = WPA_GET_BE24(pos);
317 		pos += 3;
318 
319 		if ((size_t) (end - pos) < cert_len) {
320 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
321 				   "length (len=%lu left=%lu)",
322 				   (unsigned long) cert_len,
323 				   (unsigned long) (end - pos));
324 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
325 				  TLS_ALERT_DECODE_ERROR);
326 			x509_certificate_chain_free(chain);
327 			return -1;
328 		}
329 
330 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
331 			   (unsigned long) idx, (unsigned long) cert_len);
332 
333 		if (idx == 0) {
334 			crypto_public_key_free(conn->server_rsa_key);
335 			if (tls_parse_cert(pos, cert_len,
336 					   &conn->server_rsa_key)) {
337 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
338 					   "the certificate");
339 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
340 					  TLS_ALERT_BAD_CERTIFICATE);
341 				x509_certificate_chain_free(chain);
342 				return -1;
343 			}
344 		}
345 
346 		cert = x509_certificate_parse(pos, cert_len);
347 		if (cert == NULL) {
348 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
349 				   "the certificate");
350 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
351 				  TLS_ALERT_BAD_CERTIFICATE);
352 			x509_certificate_chain_free(chain);
353 			return -1;
354 		}
355 
356 		if (last == NULL)
357 			chain = cert;
358 		else
359 			last->next = cert;
360 		last = cert;
361 
362 		idx++;
363 		pos += cert_len;
364 	}
365 
366 	if (conn->cred &&
367 	    x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
368 					    &reason) < 0) {
369 		int tls_reason;
370 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
371 			   "validation failed (reason=%d)", reason);
372 		switch (reason) {
373 		case X509_VALIDATE_BAD_CERTIFICATE:
374 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
375 			break;
376 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
377 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
378 			break;
379 		case X509_VALIDATE_CERTIFICATE_REVOKED:
380 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
381 			break;
382 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
383 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
384 			break;
385 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
386 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
387 			break;
388 		case X509_VALIDATE_UNKNOWN_CA:
389 			tls_reason = TLS_ALERT_UNKNOWN_CA;
390 			break;
391 		default:
392 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
393 			break;
394 		}
395 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
396 		x509_certificate_chain_free(chain);
397 		return -1;
398 	}
399 
400 	x509_certificate_chain_free(chain);
401 
402 	*in_len = end - in_data;
403 
404 	conn->state = SERVER_KEY_EXCHANGE;
405 
406 	return 0;
407 }
408 
409 
410 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
411 					const u8 *buf, size_t len)
412 {
413 	const u8 *pos, *end;
414 
415 	tlsv1_client_free_dh(conn);
416 
417 	pos = buf;
418 	end = buf + len;
419 
420 	if (end - pos < 3)
421 		goto fail;
422 	conn->dh_p_len = WPA_GET_BE16(pos);
423 	pos += 2;
424 	if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
425 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
426 			   (unsigned long) conn->dh_p_len);
427 		goto fail;
428 	}
429 	conn->dh_p = os_malloc(conn->dh_p_len);
430 	if (conn->dh_p == NULL)
431 		goto fail;
432 	os_memcpy(conn->dh_p, pos, conn->dh_p_len);
433 	pos += conn->dh_p_len;
434 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
435 		    conn->dh_p, conn->dh_p_len);
436 
437 	if (end - pos < 3)
438 		goto fail;
439 	conn->dh_g_len = WPA_GET_BE16(pos);
440 	pos += 2;
441 	if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
442 		goto fail;
443 	conn->dh_g = os_malloc(conn->dh_g_len);
444 	if (conn->dh_g == NULL)
445 		goto fail;
446 	os_memcpy(conn->dh_g, pos, conn->dh_g_len);
447 	pos += conn->dh_g_len;
448 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
449 		    conn->dh_g, conn->dh_g_len);
450 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
451 		goto fail;
452 
453 	if (end - pos < 3)
454 		goto fail;
455 	conn->dh_ys_len = WPA_GET_BE16(pos);
456 	pos += 2;
457 	if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
458 		goto fail;
459 	conn->dh_ys = os_malloc(conn->dh_ys_len);
460 	if (conn->dh_ys == NULL)
461 		goto fail;
462 	os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
463 	pos += conn->dh_ys_len;
464 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
465 		    conn->dh_ys, conn->dh_ys_len);
466 
467 	return 0;
468 
469 fail:
470 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
471 	tlsv1_client_free_dh(conn);
472 	return -1;
473 }
474 
475 
476 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
477 					   const u8 *in_data, size_t *in_len)
478 {
479 	const u8 *pos, *end;
480 	size_t left, len;
481 	u8 type;
482 	const struct tls_cipher_suite *suite;
483 
484 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
485 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
486 			   "received content type 0x%x", ct);
487 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
488 			  TLS_ALERT_UNEXPECTED_MESSAGE);
489 		return -1;
490 	}
491 
492 	pos = in_data;
493 	left = *in_len;
494 
495 	if (left < 4) {
496 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
497 			   "(Left=%lu)", (unsigned long) left);
498 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
499 		return -1;
500 	}
501 
502 	type = *pos++;
503 	len = WPA_GET_BE24(pos);
504 	pos += 3;
505 	left -= 4;
506 
507 	if (len > left) {
508 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
509 			   "length (len=%lu != left=%lu)",
510 			   (unsigned long) len, (unsigned long) left);
511 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
512 		return -1;
513 	}
514 
515 	end = pos + len;
516 
517 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
518 		return tls_process_certificate_request(conn, ct, in_data,
519 						       in_len);
520 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
521 		return tls_process_server_hello_done(conn, ct, in_data,
522 						     in_len);
523 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
524 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
525 			   "message %d (expected ServerKeyExchange/"
526 			   "CertificateRequest/ServerHelloDone)", type);
527 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
528 			  TLS_ALERT_UNEXPECTED_MESSAGE);
529 		return -1;
530 	}
531 
532 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
533 
534 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
535 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
536 			   "with the selected cipher suite");
537 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
538 			  TLS_ALERT_UNEXPECTED_MESSAGE);
539 		return -1;
540 	}
541 
542 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
543 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
544 	if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
545 		if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) {
546 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
547 				  TLS_ALERT_DECODE_ERROR);
548 			return -1;
549 		}
550 	} else {
551 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
552 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 			  TLS_ALERT_UNEXPECTED_MESSAGE);
554 		return -1;
555 	}
556 
557 	*in_len = end - in_data;
558 
559 	conn->state = SERVER_CERTIFICATE_REQUEST;
560 
561 	return 0;
562 }
563 
564 
565 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
566 					   const u8 *in_data, size_t *in_len)
567 {
568 	const u8 *pos, *end;
569 	size_t left, len;
570 	u8 type;
571 
572 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
573 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
574 			   "received content type 0x%x", ct);
575 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
576 			  TLS_ALERT_UNEXPECTED_MESSAGE);
577 		return -1;
578 	}
579 
580 	pos = in_data;
581 	left = *in_len;
582 
583 	if (left < 4) {
584 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
585 			   "(left=%lu)", (unsigned long) left);
586 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
587 		return -1;
588 	}
589 
590 	type = *pos++;
591 	len = WPA_GET_BE24(pos);
592 	pos += 3;
593 	left -= 4;
594 
595 	if (len > left) {
596 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
597 			   "length (len=%lu != left=%lu)",
598 			   (unsigned long) len, (unsigned long) left);
599 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
600 		return -1;
601 	}
602 
603 	end = pos + len;
604 
605 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
606 		return tls_process_server_hello_done(conn, ct, in_data,
607 						     in_len);
608 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
609 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
610 			   "message %d (expected CertificateRequest/"
611 			   "ServerHelloDone)", type);
612 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
613 			  TLS_ALERT_UNEXPECTED_MESSAGE);
614 		return -1;
615 	}
616 
617 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
618 
619 	conn->certificate_requested = 1;
620 
621 	*in_len = end - in_data;
622 
623 	conn->state = SERVER_HELLO_DONE;
624 
625 	return 0;
626 }
627 
628 
629 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
630 					 const u8 *in_data, size_t *in_len)
631 {
632 	const u8 *pos, *end;
633 	size_t left, len;
634 	u8 type;
635 
636 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
637 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
638 			   "received content type 0x%x", ct);
639 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
640 			  TLS_ALERT_UNEXPECTED_MESSAGE);
641 		return -1;
642 	}
643 
644 	pos = in_data;
645 	left = *in_len;
646 
647 	if (left < 4) {
648 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
649 			   "(left=%lu)", (unsigned long) left);
650 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
651 		return -1;
652 	}
653 
654 	type = *pos++;
655 	len = WPA_GET_BE24(pos);
656 	pos += 3;
657 	left -= 4;
658 
659 	if (len > left) {
660 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
661 			   "length (len=%lu != left=%lu)",
662 			   (unsigned long) len, (unsigned long) left);
663 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
664 		return -1;
665 	}
666 	end = pos + len;
667 
668 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
669 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
670 			   "message %d (expected ServerHelloDone)", type);
671 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672 			  TLS_ALERT_UNEXPECTED_MESSAGE);
673 		return -1;
674 	}
675 
676 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
677 
678 	*in_len = end - in_data;
679 
680 	conn->state = CLIENT_KEY_EXCHANGE;
681 
682 	return 0;
683 }
684 
685 
686 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
687 						 u8 ct, const u8 *in_data,
688 						 size_t *in_len)
689 {
690 	const u8 *pos;
691 	size_t left;
692 
693 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
694 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
695 			   "received content type 0x%x", ct);
696 		if (conn->use_session_ticket) {
697 			int res;
698 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
699 				   "rejected SessionTicket");
700 			conn->use_session_ticket = 0;
701 
702 			/* Notify upper layers that SessionTicket failed */
703 			res = conn->session_ticket_cb(
704 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
705 				NULL, NULL);
706 			if (res < 0) {
707 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
708 					   "callback indicated failure");
709 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
710 					  TLS_ALERT_HANDSHAKE_FAILURE);
711 				return -1;
712 			}
713 
714 			conn->state = SERVER_CERTIFICATE;
715 			return tls_process_certificate(conn, ct, in_data,
716 						       in_len);
717 		}
718 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
719 			  TLS_ALERT_UNEXPECTED_MESSAGE);
720 		return -1;
721 	}
722 
723 	pos = in_data;
724 	left = *in_len;
725 
726 	if (left < 1) {
727 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
728 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
729 		return -1;
730 	}
731 
732 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
733 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
734 			   "received data 0x%x", *pos);
735 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 			  TLS_ALERT_UNEXPECTED_MESSAGE);
737 		return -1;
738 	}
739 
740 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
741 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
742 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
743 			   "for record layer");
744 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
745 			  TLS_ALERT_INTERNAL_ERROR);
746 		return -1;
747 	}
748 
749 	*in_len = pos + 1 - in_data;
750 
751 	conn->state = SERVER_FINISHED;
752 
753 	return 0;
754 }
755 
756 
757 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
758 				       const u8 *in_data, size_t *in_len)
759 {
760 	const u8 *pos, *end;
761 	size_t left, len, hlen;
762 	u8 verify_data[TLS_VERIFY_DATA_LEN];
763 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
764 
765 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
766 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
767 			   "received content type 0x%x", ct);
768 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
769 			  TLS_ALERT_UNEXPECTED_MESSAGE);
770 		return -1;
771 	}
772 
773 	pos = in_data;
774 	left = *in_len;
775 
776 	if (left < 4) {
777 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
778 			   "Finished",
779 			   (unsigned long) left);
780 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
781 			  TLS_ALERT_DECODE_ERROR);
782 		return -1;
783 	}
784 
785 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
786 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
787 			   "type 0x%x", pos[0]);
788 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
789 			  TLS_ALERT_UNEXPECTED_MESSAGE);
790 		return -1;
791 	}
792 
793 	len = WPA_GET_BE24(pos + 1);
794 
795 	pos += 4;
796 	left -= 4;
797 
798 	if (len > left) {
799 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
800 			   "(len=%lu > left=%lu)",
801 			   (unsigned long) len, (unsigned long) left);
802 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
803 			  TLS_ALERT_DECODE_ERROR);
804 		return -1;
805 	}
806 	end = pos + len;
807 	if (len != TLS_VERIFY_DATA_LEN) {
808 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
809 			   "in Finished: %lu (expected %d)",
810 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
811 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
812 			  TLS_ALERT_DECODE_ERROR);
813 		return -1;
814 	}
815 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
816 		    pos, TLS_VERIFY_DATA_LEN);
817 
818 	hlen = MD5_MAC_LEN;
819 	if (conn->verify.md5_server == NULL ||
820 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
821 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
822 			  TLS_ALERT_INTERNAL_ERROR);
823 		conn->verify.md5_server = NULL;
824 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
825 		conn->verify.sha1_server = NULL;
826 		return -1;
827 	}
828 	conn->verify.md5_server = NULL;
829 	hlen = SHA1_MAC_LEN;
830 	if (conn->verify.sha1_server == NULL ||
831 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
832 			       &hlen) < 0) {
833 		conn->verify.sha1_server = NULL;
834 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
835 			  TLS_ALERT_INTERNAL_ERROR);
836 		return -1;
837 	}
838 	conn->verify.sha1_server = NULL;
839 
840 	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
841 		    "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
842 		    verify_data, TLS_VERIFY_DATA_LEN)) {
843 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
844 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
845 			  TLS_ALERT_DECRYPT_ERROR);
846 		return -1;
847 	}
848 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
849 			verify_data, TLS_VERIFY_DATA_LEN);
850 
851 	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
852 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
853 		return -1;
854 	}
855 
856 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
857 
858 	*in_len = end - in_data;
859 
860 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
861 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
862 
863 	return 0;
864 }
865 
866 
867 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
868 					const u8 *in_data, size_t *in_len,
869 					u8 **out_data, size_t *out_len)
870 {
871 	const u8 *pos;
872 	size_t left;
873 
874 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
875 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
876 			   "received content type 0x%x", ct);
877 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
878 			  TLS_ALERT_UNEXPECTED_MESSAGE);
879 		return -1;
880 	}
881 
882 	pos = in_data;
883 	left = *in_len;
884 
885 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
886 		    pos, left);
887 
888 	*out_data = os_malloc(left);
889 	if (*out_data) {
890 		os_memcpy(*out_data, pos, left);
891 		*out_len = left;
892 	}
893 
894 	return 0;
895 }
896 
897 
898 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
899 				   const u8 *buf, size_t *len,
900 				   u8 **out_data, size_t *out_len)
901 {
902 	if (ct == TLS_CONTENT_TYPE_ALERT) {
903 		if (*len < 2) {
904 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
905 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
906 				  TLS_ALERT_DECODE_ERROR);
907 			return -1;
908 		}
909 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
910 			   buf[0], buf[1]);
911 		*len = 2;
912 		conn->state = FAILED;
913 		return -1;
914 	}
915 
916 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
917 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
918 		size_t hr_len = WPA_GET_BE24(buf + 1);
919 		if (hr_len > *len - 4) {
920 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
921 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
922 				  TLS_ALERT_DECODE_ERROR);
923 			return -1;
924 		}
925 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
926 		*len = 4 + hr_len;
927 		return 0;
928 	}
929 
930 	switch (conn->state) {
931 	case SERVER_HELLO:
932 		if (tls_process_server_hello(conn, ct, buf, len))
933 			return -1;
934 		break;
935 	case SERVER_CERTIFICATE:
936 		if (tls_process_certificate(conn, ct, buf, len))
937 			return -1;
938 		break;
939 	case SERVER_KEY_EXCHANGE:
940 		if (tls_process_server_key_exchange(conn, ct, buf, len))
941 			return -1;
942 		break;
943 	case SERVER_CERTIFICATE_REQUEST:
944 		if (tls_process_certificate_request(conn, ct, buf, len))
945 			return -1;
946 		break;
947 	case SERVER_HELLO_DONE:
948 		if (tls_process_server_hello_done(conn, ct, buf, len))
949 			return -1;
950 		break;
951 	case SERVER_CHANGE_CIPHER_SPEC:
952 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
953 			return -1;
954 		break;
955 	case SERVER_FINISHED:
956 		if (tls_process_server_finished(conn, ct, buf, len))
957 			return -1;
958 		break;
959 	case ACK_FINISHED:
960 		if (out_data &&
961 		    tls_process_application_data(conn, ct, buf, len, out_data,
962 						 out_len))
963 			return -1;
964 		break;
965 	default:
966 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
967 			   "while processing received message",
968 			   conn->state);
969 		return -1;
970 	}
971 
972 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
973 		tls_verify_hash_add(&conn->verify, buf, *len);
974 
975 	return 0;
976 }
977