1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_version_disabled(struct tlsv1_client * conn,u16 ver)30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
38 }
39
40
tls_process_server_hello_extensions(struct tlsv1_client * conn,const u8 * pos,size_t len)41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
43 {
44 const u8 *end = pos + len;
45
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 pos, len);
48 while (pos < end) {
49 u16 ext, elen;
50
51 if (end - pos < 4) {
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 return -1;
54 }
55
56 ext = WPA_GET_BE16(pos);
57 pos += 2;
58 elen = WPA_GET_BE16(pos);
59 pos += 2;
60
61 if (elen > end - pos) {
62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 return -1;
64 }
65
66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 ext);
68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 pos, elen);
70
71 pos += elen;
72 }
73
74 return 0;
75 }
76
77
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 const u8 *in_data, size_t *in_len)
80 {
81 const u8 *pos, *end;
82 size_t left, len, i;
83 u16 cipher_suite;
84 u16 tls_version;
85
86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct);
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_UNEXPECTED_MESSAGE);
91 return -1;
92 }
93
94 pos = in_data;
95 left = *in_len;
96
97 if (left < 4)
98 goto decode_error;
99
100 /* HandshakeType msg_type */
101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos);
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 TLS_ALERT_UNEXPECTED_MESSAGE);
106 return -1;
107 }
108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 pos++;
110 /* uint24 length */
111 len = WPA_GET_BE24(pos);
112 pos += 3;
113 left -= 4;
114
115 if (len > left)
116 goto decode_error;
117
118 /* body - ServerHello */
119
120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 end = pos + len;
122
123 /* ProtocolVersion server_version */
124 if (end - pos < 2)
125 goto decode_error;
126 tls_version = WPA_GET_BE16(pos);
127 if (!tls_version_ok(tls_version) ||
128 tls_version_disabled(conn, tls_version)) {
129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos[0], pos[1]);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_PROTOCOL_VERSION);
133 return -1;
134 }
135 pos += 2;
136
137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version));
139 conn->rl.tls_version = tls_version;
140
141 /* Random random */
142 if (end - pos < TLS_RANDOM_LEN)
143 goto decode_error;
144
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 pos += TLS_RANDOM_LEN;
147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 conn->server_random, TLS_RANDOM_LEN);
149
150 /* SessionID session_id */
151 if (end - pos < 1)
152 goto decode_error;
153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 goto decode_error;
155 if (conn->session_id_len && conn->session_id_len == *pos &&
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 pos += 1 + conn->session_id_len;
158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 conn->session_resumed = 1;
160 } else {
161 conn->session_id_len = *pos;
162 pos++;
163 os_memcpy(conn->session_id, pos, conn->session_id_len);
164 pos += conn->session_id_len;
165 }
166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 conn->session_id, conn->session_id_len);
168
169 /* CipherSuite cipher_suite */
170 if (end - pos < 2)
171 goto decode_error;
172 cipher_suite = WPA_GET_BE16(pos);
173 pos += 2;
174 for (i = 0; i < conn->num_cipher_suites; i++) {
175 if (cipher_suite == conn->cipher_suites[i])
176 break;
177 }
178 if (i == conn->num_cipher_suites) {
179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite);
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 TLS_ALERT_ILLEGAL_PARAMETER);
183 return -1;
184 }
185
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 TLS_ALERT_ILLEGAL_PARAMETER);
192 return -1;
193 }
194
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 "record layer");
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 TLS_ALERT_INTERNAL_ERROR);
200 return -1;
201 }
202
203 conn->prev_cipher_suite = cipher_suite;
204
205 /* CompressionMethod compression_method */
206 if (end - pos < 1)
207 goto decode_error;
208 if (*pos != TLS_COMPRESSION_NULL) {
209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos);
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 TLS_ALERT_ILLEGAL_PARAMETER);
213 return -1;
214 }
215 pos++;
216
217 if (end - pos >= 2) {
218 u16 ext_len;
219
220 ext_len = WPA_GET_BE16(pos);
221 pos += 2;
222 if (end - pos < ext_len) {
223 wpa_printf(MSG_INFO,
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len, (unsigned int) (end - pos));
226 goto decode_error;
227 }
228
229 if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 goto decode_error;
231 pos += ext_len;
232 }
233
234 if (end != pos) {
235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos, end - pos);
237 goto decode_error;
238 }
239
240 if (conn->session_ticket_included && conn->session_ticket_cb) {
241 /* TODO: include SessionTicket extension if one was included in
242 * ServerHello */
243 int res = conn->session_ticket_cb(
244 conn->session_ticket_cb_ctx, NULL, 0,
245 conn->client_random, conn->server_random,
246 conn->master_secret);
247 if (res < 0) {
248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_HANDSHAKE_FAILURE);
252 return -1;
253 }
254 conn->use_session_ticket = !!res;
255 }
256
257 if ((conn->session_resumed || conn->use_session_ticket) &&
258 tls_derive_keys(conn, NULL, 0)) {
259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 TLS_ALERT_INTERNAL_ERROR);
262 return -1;
263 }
264
265 *in_len = end - in_data;
266
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269
270 return 0;
271
272 decode_error:
273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 return -1;
276 }
277
278
tls_peer_cert_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert)279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 struct x509_certificate *cert)
281 {
282 union tls_event_data ev;
283 struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 char subject[128];
288
289 if (!conn->event_cb)
290 return;
291
292 os_memset(&ev, 0, sizeof(ev));
293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 cert->cert_len);
296 ev.peer_cert.cert = cert_buf;
297 }
298 #ifdef CONFIG_SHA256
299 if (cert_buf) {
300 const u8 *addr[1];
301 size_t len[1];
302 addr[0] = wpabuf_head(cert_buf);
303 len[0] = wpabuf_len(cert_buf);
304 if (sha256_vector(1, addr, len, hash) == 0) {
305 ev.peer_cert.hash = hash;
306 ev.peer_cert.hash_len = sizeof(hash);
307 }
308 }
309 #endif /* CONFIG_SHA256 */
310
311 ev.peer_cert.depth = depth;
312 x509_name_string(&cert->subject, subject, sizeof(subject));
313 ev.peer_cert.subject = subject;
314
315 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
316 wpabuf_free(cert_buf);
317 }
318
319
tls_cert_chain_failure_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert,enum tls_fail_reason reason,const char * reason_txt)320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
321 struct x509_certificate *cert,
322 enum tls_fail_reason reason,
323 const char *reason_txt)
324 {
325 struct wpabuf *cert_buf = NULL;
326 union tls_event_data ev;
327 char subject[128];
328
329 if (!conn->event_cb || !cert)
330 return;
331
332 os_memset(&ev, 0, sizeof(ev));
333 ev.cert_fail.depth = depth;
334 x509_name_string(&cert->subject, subject, sizeof(subject));
335 ev.peer_cert.subject = subject;
336 ev.cert_fail.reason = reason;
337 ev.cert_fail.reason_txt = reason_txt;
338 cert_buf = wpabuf_alloc_copy(cert->cert_start,
339 cert->cert_len);
340 ev.cert_fail.cert = cert_buf;
341 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
342 wpabuf_free(cert_buf);
343 }
344
345
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
347 const u8 *in_data, size_t *in_len)
348 {
349 const u8 *pos, *end;
350 size_t left, len, list_len, cert_len, idx;
351 u8 type;
352 struct x509_certificate *chain = NULL, *last = NULL, *cert;
353 int reason;
354
355 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
356 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
357 "received content type 0x%x", ct);
358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 TLS_ALERT_UNEXPECTED_MESSAGE);
360 return -1;
361 }
362
363 pos = in_data;
364 left = *in_len;
365
366 if (left < 4) {
367 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
368 "(len=%lu)", (unsigned long) left);
369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
370 return -1;
371 }
372
373 type = *pos++;
374 len = WPA_GET_BE24(pos);
375 pos += 3;
376 left -= 4;
377
378 if (len > left) {
379 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
380 "length (len=%lu != left=%lu)",
381 (unsigned long) len, (unsigned long) left);
382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
383 return -1;
384 }
385
386 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
387 return tls_process_server_key_exchange(conn, ct, in_data,
388 in_len);
389 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
390 return tls_process_certificate_request(conn, ct, in_data,
391 in_len);
392 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
393 return tls_process_server_hello_done(conn, ct, in_data,
394 in_len);
395 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
396 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
397 "message %d (expected Certificate/"
398 "ServerKeyExchange/CertificateRequest/"
399 "ServerHelloDone)", type);
400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
401 TLS_ALERT_UNEXPECTED_MESSAGE);
402 return -1;
403 }
404
405 wpa_printf(MSG_DEBUG,
406 "TLSv1: Received Certificate (certificate_list len %lu)",
407 (unsigned long) len);
408
409 /*
410 * opaque ASN.1Cert<2^24-1>;
411 *
412 * struct {
413 * ASN.1Cert certificate_list<1..2^24-1>;
414 * } Certificate;
415 */
416
417 end = pos + len;
418
419 if (end - pos < 3) {
420 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
421 "(left=%lu)", (unsigned long) left);
422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
423 return -1;
424 }
425
426 list_len = WPA_GET_BE24(pos);
427 pos += 3;
428
429 if ((size_t) (end - pos) != list_len) {
430 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
431 "length (len=%lu left=%lu)",
432 (unsigned long) list_len,
433 (unsigned long) (end - pos));
434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
435 return -1;
436 }
437
438 idx = 0;
439 while (pos < end) {
440 if (end - pos < 3) {
441 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
442 "certificate_list");
443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
444 TLS_ALERT_DECODE_ERROR);
445 x509_certificate_chain_free(chain);
446 return -1;
447 }
448
449 cert_len = WPA_GET_BE24(pos);
450 pos += 3;
451
452 if ((size_t) (end - pos) < cert_len) {
453 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
454 "length (len=%lu left=%lu)",
455 (unsigned long) cert_len,
456 (unsigned long) (end - pos));
457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 TLS_ALERT_DECODE_ERROR);
459 x509_certificate_chain_free(chain);
460 return -1;
461 }
462
463 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
464 (unsigned long) idx, (unsigned long) cert_len);
465
466 if (idx == 0) {
467 crypto_public_key_free(conn->server_rsa_key);
468 if (tls_parse_cert(pos, cert_len,
469 &conn->server_rsa_key)) {
470 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
471 "the certificate");
472 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 TLS_ALERT_BAD_CERTIFICATE);
474 x509_certificate_chain_free(chain);
475 return -1;
476 }
477 }
478
479 cert = x509_certificate_parse(pos, cert_len);
480 if (cert == NULL) {
481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
482 "the certificate");
483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 TLS_ALERT_BAD_CERTIFICATE);
485 x509_certificate_chain_free(chain);
486 return -1;
487 }
488
489 tls_peer_cert_event(conn, idx, cert);
490
491 if (last == NULL)
492 chain = cert;
493 else
494 last->next = cert;
495 last = cert;
496
497 idx++;
498 pos += cert_len;
499 }
500
501 if (conn->cred && conn->cred->server_cert_only && chain) {
502 u8 hash[SHA256_MAC_LEN];
503 char buf[128];
504
505 wpa_printf(MSG_DEBUG,
506 "TLSv1: Validate server certificate hash");
507 x509_name_string(&chain->subject, buf, sizeof(buf));
508 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
509 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
510 hash) < 0 ||
511 os_memcmp(conn->cred->srv_cert_hash, hash,
512 SHA256_MAC_LEN) != 0) {
513 wpa_printf(MSG_DEBUG,
514 "TLSv1: Server certificate hash mismatch");
515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
516 hash, SHA256_MAC_LEN);
517 if (conn->event_cb) {
518 union tls_event_data ev;
519
520 os_memset(&ev, 0, sizeof(ev));
521 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
522 ev.cert_fail.reason_txt =
523 "Server certificate mismatch";
524 ev.cert_fail.subject = buf;
525 conn->event_cb(conn->cb_ctx,
526 TLS_CERT_CHAIN_FAILURE, &ev);
527 }
528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 TLS_ALERT_BAD_CERTIFICATE);
530 x509_certificate_chain_free(chain);
531 return -1;
532 }
533 } else if (conn->cred && conn->cred->cert_probe) {
534 wpa_printf(MSG_DEBUG,
535 "TLSv1: Reject server certificate on probe-only rune");
536 if (conn->event_cb) {
537 union tls_event_data ev;
538 char buf[128];
539
540 os_memset(&ev, 0, sizeof(ev));
541 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
542 ev.cert_fail.reason_txt =
543 "Server certificate chain probe";
544 if (chain) {
545 x509_name_string(&chain->subject, buf,
546 sizeof(buf));
547 ev.cert_fail.subject = buf;
548 }
549 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
550 &ev);
551 }
552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 TLS_ALERT_BAD_CERTIFICATE);
554 x509_certificate_chain_free(chain);
555 return -1;
556 } else if (conn->cred && conn->cred->ca_cert_verify &&
557 x509_certificate_chain_validate(
558 conn->cred->trusted_certs, chain, &reason,
559 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
560 < 0) {
561 int tls_reason;
562 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
563 "validation failed (reason=%d)", reason);
564 switch (reason) {
565 case X509_VALIDATE_BAD_CERTIFICATE:
566 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
567 tls_cert_chain_failure_event(
568 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
569 "bad certificate");
570 break;
571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
572 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
573 break;
574 case X509_VALIDATE_CERTIFICATE_REVOKED:
575 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
576 tls_cert_chain_failure_event(
577 conn, 0, chain, TLS_FAIL_REVOKED,
578 "certificate revoked");
579 break;
580 case X509_VALIDATE_CERTIFICATE_EXPIRED:
581 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
582 tls_cert_chain_failure_event(
583 conn, 0, chain, TLS_FAIL_EXPIRED,
584 "certificate has expired or is not yet valid");
585 break;
586 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
587 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
588 break;
589 case X509_VALIDATE_UNKNOWN_CA:
590 tls_reason = TLS_ALERT_UNKNOWN_CA;
591 tls_cert_chain_failure_event(
592 conn, 0, chain, TLS_FAIL_UNTRUSTED,
593 "unknown CA");
594 break;
595 default:
596 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
597 break;
598 }
599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
600 x509_certificate_chain_free(chain);
601 return -1;
602 }
603
604 if (conn->cred && !conn->cred->server_cert_only && chain &&
605 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
606 !(chain->ext_key_usage &
607 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
608 tls_cert_chain_failure_event(
609 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
610 "certificate not allowed for server authentication");
611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 TLS_ALERT_BAD_CERTIFICATE);
613 x509_certificate_chain_free(chain);
614 return -1;
615 }
616
617 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
618 x509_certificate_chain_free(conn->server_cert);
619 conn->server_cert = chain;
620 } else {
621 x509_certificate_chain_free(chain);
622 }
623
624 *in_len = end - in_data;
625
626 conn->state = SERVER_KEY_EXCHANGE;
627
628 return 0;
629 }
630
631
count_bits(const u8 * val,size_t len)632 static unsigned int count_bits(const u8 *val, size_t len)
633 {
634 size_t i;
635 unsigned int bits;
636 u8 tmp;
637
638 for (i = 0; i < len; i++) {
639 if (val[i])
640 break;
641 }
642 if (i == len)
643 return 0;
644
645 bits = (len - i - 1) * 8;
646 tmp = val[i];
647 while (tmp) {
648 bits++;
649 tmp >>= 1;
650 }
651
652 return bits;
653 }
654
655
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
657 const u8 *buf, size_t len,
658 tls_key_exchange key_exchange)
659 {
660 const u8 *pos, *end, *server_params, *server_params_end;
661 u8 alert;
662 unsigned int bits;
663 u16 val;
664
665 tlsv1_client_free_dh(conn);
666
667 pos = buf;
668 end = buf + len;
669
670 if (end - pos < 3)
671 goto fail;
672 server_params = pos;
673 val = WPA_GET_BE16(pos);
674 pos += 2;
675 if (val == 0 || val > (size_t) (end - pos)) {
676 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
677 goto fail;
678 }
679 conn->dh_p_len = val;
680 bits = count_bits(pos, conn->dh_p_len);
681 if (bits < 768) {
682 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
683 bits);
684 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
685 pos, conn->dh_p_len);
686 goto fail;
687 }
688 conn->dh_p = os_memdup(pos, conn->dh_p_len);
689 if (conn->dh_p == NULL)
690 goto fail;
691 pos += conn->dh_p_len;
692 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
693 conn->dh_p, conn->dh_p_len);
694
695 if (end - pos < 3)
696 goto fail;
697 val = WPA_GET_BE16(pos);
698 pos += 2;
699 if (val == 0 || val > (size_t) (end - pos))
700 goto fail;
701 conn->dh_g_len = val;
702 conn->dh_g = os_memdup(pos, conn->dh_g_len);
703 if (conn->dh_g == NULL)
704 goto fail;
705 pos += conn->dh_g_len;
706 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
707 conn->dh_g, conn->dh_g_len);
708 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
709 goto fail;
710
711 if (end - pos < 3)
712 goto fail;
713 val = WPA_GET_BE16(pos);
714 pos += 2;
715 if (val == 0 || val > (size_t) (end - pos))
716 goto fail;
717 conn->dh_ys_len = val;
718 conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
719 if (conn->dh_ys == NULL)
720 goto fail;
721 pos += conn->dh_ys_len;
722 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
723 conn->dh_ys, conn->dh_ys_len);
724 server_params_end = pos;
725
726 if (key_exchange == TLS_KEY_X_DHE_RSA) {
727 u8 hash[64];
728 int hlen;
729
730 if (conn->rl.tls_version == TLS_VERSION_1_2) {
731 #ifdef CONFIG_TLSV12
732 /*
733 * RFC 5246, 4.7:
734 * TLS v1.2 adds explicit indication of the used
735 * signature and hash algorithms.
736 *
737 * struct {
738 * HashAlgorithm hash;
739 * SignatureAlgorithm signature;
740 * } SignatureAndHashAlgorithm;
741 */
742 if (end - pos < 2)
743 goto fail;
744 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
745 pos[0] != TLS_HASH_ALG_SHA384 &&
746 pos[0] != TLS_HASH_ALG_SHA512) ||
747 pos[1] != TLS_SIGN_ALG_RSA) {
748 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
749 pos[0], pos[1]);
750 goto fail;
751 }
752
753 hlen = tlsv12_key_x_server_params_hash(
754 conn->rl.tls_version, pos[0],
755 conn->client_random,
756 conn->server_random, server_params,
757 server_params_end - server_params, hash);
758 pos += 2;
759 #else /* CONFIG_TLSV12 */
760 goto fail;
761 #endif /* CONFIG_TLSV12 */
762 } else {
763 hlen = tls_key_x_server_params_hash(
764 conn->rl.tls_version, conn->client_random,
765 conn->server_random, server_params,
766 server_params_end - server_params, hash);
767 }
768
769 if (hlen < 0)
770 goto fail;
771 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
772 hash, hlen);
773
774 if (tls_verify_signature(conn->rl.tls_version,
775 conn->server_rsa_key,
776 hash, hlen, pos, end - pos,
777 &alert) < 0)
778 goto fail;
779 }
780
781 return 0;
782
783 fail:
784 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
785 tlsv1_client_free_dh(conn);
786 return -1;
787 }
788
789
790 static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client * conn,const u8 * pos,size_t len)791 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
792 const u8 *pos, size_t len)
793 {
794 const u8 *end = pos + len;
795 u32 ocsp_resp_len;
796
797 /* opaque OCSPResponse<1..2^24-1>; */
798 if (end - pos < 3) {
799 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
800 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
801 return TLS_OCSP_INVALID;
802 }
803 ocsp_resp_len = WPA_GET_BE24(pos);
804 pos += 3;
805 if (end - pos < ocsp_resp_len) {
806 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
807 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
808 return TLS_OCSP_INVALID;
809 }
810
811 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
812 }
813
814
tls_process_certificate_status(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)815 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
816 const u8 *in_data, size_t *in_len)
817 {
818 const u8 *pos, *end;
819 size_t left, len;
820 u8 type, status_type;
821 enum tls_ocsp_result res;
822 struct x509_certificate *cert;
823 int depth;
824
825 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
826 wpa_printf(MSG_DEBUG,
827 "TLSv1: Expected Handshake; received content type 0x%x",
828 ct);
829 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
830 TLS_ALERT_UNEXPECTED_MESSAGE);
831 return -1;
832 }
833
834 pos = in_data;
835 left = *in_len;
836
837 if (left < 4) {
838 wpa_printf(MSG_DEBUG,
839 "TLSv1: Too short CertificateStatus (left=%lu)",
840 (unsigned long) left);
841 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
842 return -1;
843 }
844
845 type = *pos++;
846 len = WPA_GET_BE24(pos);
847 pos += 3;
848 left -= 4;
849
850 if (len > left) {
851 wpa_printf(MSG_DEBUG,
852 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
853 (unsigned long) len, (unsigned long) left);
854 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
855 return -1;
856 }
857
858 end = pos + len;
859
860 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
861 wpa_printf(MSG_DEBUG,
862 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
863 type);
864 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
865 TLS_ALERT_UNEXPECTED_MESSAGE);
866 return -1;
867 }
868
869 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
870
871 /*
872 * struct {
873 * CertificateStatusType status_type;
874 * select (status_type) {
875 * case ocsp: OCSPResponse;
876 * case ocsp_multi: OCSPResponseList;
877 * } response;
878 * } CertificateStatus;
879 */
880 if (end - pos < 1) {
881 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
882 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
883 return -1;
884 }
885 status_type = *pos++;
886 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
887 status_type);
888
889 if (status_type == 1 /* ocsp */) {
890 res = tls_process_certificate_status_ocsp_response(
891 conn, pos, end - pos);
892 } else if (status_type == 2 /* ocsp_multi */) {
893 int good = 0, revoked = 0;
894 u32 resp_len;
895
896 res = TLS_OCSP_NO_RESPONSE;
897
898 /*
899 * opaque OCSPResponse<0..2^24-1>;
900 *
901 * struct {
902 * OCSPResponse ocsp_response_list<1..2^24-1>;
903 * } OCSPResponseList;
904 */
905 if (end - pos < 3) {
906 wpa_printf(MSG_DEBUG,
907 "TLSv1: Truncated OCSPResponseList");
908 res = TLS_OCSP_INVALID;
909 goto done;
910 }
911 resp_len = WPA_GET_BE24(pos);
912 pos += 3;
913 if (end - pos < resp_len) {
914 wpa_printf(MSG_DEBUG,
915 "TLSv1: Truncated OCSPResponseList(len=%u)",
916 resp_len);
917 res = TLS_OCSP_INVALID;
918 goto done;
919 }
920 end = pos + resp_len;
921
922 while (end - pos >= 3) {
923 resp_len = WPA_GET_BE24(pos);
924 pos += 3;
925 if (resp_len > end - pos) {
926 wpa_printf(MSG_DEBUG,
927 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
928 resp_len, (int) (end - pos));
929 res = TLS_OCSP_INVALID;
930 break;
931 }
932 if (!resp_len)
933 continue; /* Skip an empty response */
934 res = tls_process_certificate_status_ocsp_response(
935 conn, pos - 3, resp_len + 3);
936 if (res == TLS_OCSP_REVOKED)
937 revoked++;
938 else if (res == TLS_OCSP_GOOD)
939 good++;
940 pos += resp_len;
941 }
942
943 if (revoked)
944 res = TLS_OCSP_REVOKED;
945 else if (good)
946 res = TLS_OCSP_GOOD;
947 } else {
948 wpa_printf(MSG_DEBUG,
949 "TLSv1: Ignore unsupported CertificateStatus");
950 goto skip;
951 }
952
953 done:
954 if (res == TLS_OCSP_REVOKED) {
955 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
956 TLS_ALERT_CERTIFICATE_REVOKED);
957 for (cert = conn->server_cert, depth = 0; cert;
958 cert = cert->next, depth++) {
959 if (cert->ocsp_revoked) {
960 tls_cert_chain_failure_event(
961 conn, depth, cert, TLS_FAIL_REVOKED,
962 "certificate revoked");
963 }
964 }
965 return -1;
966 }
967
968 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
969 /*
970 * Verify that each certificate on the chain that is not part
971 * of the trusted certificates has a good status. If not,
972 * terminate handshake.
973 */
974 for (cert = conn->server_cert, depth = 0; cert;
975 cert = cert->next, depth++) {
976 if (!cert->ocsp_good) {
977 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
978 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
979 tls_cert_chain_failure_event(
980 conn, depth, cert,
981 TLS_FAIL_UNSPECIFIED,
982 "bad certificate status response");
983 return -1;
984 }
985 if (cert->issuer_trusted)
986 break;
987 }
988 }
989
990 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
991 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
993 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
994 if (conn->server_cert)
995 tls_cert_chain_failure_event(
996 conn, 0, conn->server_cert,
997 TLS_FAIL_UNSPECIFIED,
998 "bad certificate status response");
999 return -1;
1000 }
1001
1002 conn->ocsp_resp_received = 1;
1003
1004 skip:
1005 *in_len = end - in_data;
1006
1007 conn->state = SERVER_KEY_EXCHANGE;
1008
1009 return 0;
1010 }
1011
1012
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1013 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1014 const u8 *in_data, size_t *in_len)
1015 {
1016 const u8 *pos, *end;
1017 size_t left, len;
1018 u8 type;
1019 const struct tls_cipher_suite *suite;
1020
1021 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1022 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1023 "received content type 0x%x", ct);
1024 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025 TLS_ALERT_UNEXPECTED_MESSAGE);
1026 return -1;
1027 }
1028
1029 pos = in_data;
1030 left = *in_len;
1031
1032 if (left < 4) {
1033 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1034 "(Left=%lu)", (unsigned long) left);
1035 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1036 return -1;
1037 }
1038
1039 type = *pos++;
1040 len = WPA_GET_BE24(pos);
1041 pos += 3;
1042 left -= 4;
1043
1044 if (len > left) {
1045 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1046 "length (len=%lu != left=%lu)",
1047 (unsigned long) len, (unsigned long) left);
1048 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1049 return -1;
1050 }
1051
1052 end = pos + len;
1053
1054 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1055 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1056 return tls_process_certificate_status(conn, ct, in_data,
1057 in_len);
1058 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1059 return tls_process_certificate_request(conn, ct, in_data,
1060 in_len);
1061 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1062 return tls_process_server_hello_done(conn, ct, in_data,
1063 in_len);
1064 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1065 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1066 "message %d (expected ServerKeyExchange/"
1067 "CertificateRequest/ServerHelloDone%s)", type,
1068 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1069 "/CertificateStatus" : "");
1070 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1071 TLS_ALERT_UNEXPECTED_MESSAGE);
1072 return -1;
1073 }
1074
1075 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1076
1077 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1078 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1079 "with the selected cipher suite");
1080 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1081 TLS_ALERT_UNEXPECTED_MESSAGE);
1082 return -1;
1083 }
1084
1085 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1086 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1087 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1088 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1089 if (tlsv1_process_diffie_hellman(conn, pos, len,
1090 suite->key_exchange) < 0) {
1091 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092 TLS_ALERT_DECODE_ERROR);
1093 return -1;
1094 }
1095 } else {
1096 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1097 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1098 TLS_ALERT_UNEXPECTED_MESSAGE);
1099 return -1;
1100 }
1101
1102 *in_len = end - in_data;
1103
1104 conn->state = SERVER_CERTIFICATE_REQUEST;
1105
1106 return 0;
1107 }
1108
1109
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1110 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1111 const u8 *in_data, size_t *in_len)
1112 {
1113 const u8 *pos, *end;
1114 size_t left, len;
1115 u8 type;
1116
1117 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1118 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1119 "received content type 0x%x", ct);
1120 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1121 TLS_ALERT_UNEXPECTED_MESSAGE);
1122 return -1;
1123 }
1124
1125 pos = in_data;
1126 left = *in_len;
1127
1128 if (left < 4) {
1129 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1130 "(left=%lu)", (unsigned long) left);
1131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1132 return -1;
1133 }
1134
1135 type = *pos++;
1136 len = WPA_GET_BE24(pos);
1137 pos += 3;
1138 left -= 4;
1139
1140 if (len > left) {
1141 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1142 "length (len=%lu != left=%lu)",
1143 (unsigned long) len, (unsigned long) left);
1144 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1145 return -1;
1146 }
1147
1148 end = pos + len;
1149
1150 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1151 return tls_process_server_hello_done(conn, ct, in_data,
1152 in_len);
1153 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1154 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1155 "message %d (expected CertificateRequest/"
1156 "ServerHelloDone)", type);
1157 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158 TLS_ALERT_UNEXPECTED_MESSAGE);
1159 return -1;
1160 }
1161
1162 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1163
1164 conn->certificate_requested = 1;
1165
1166 *in_len = end - in_data;
1167
1168 conn->state = SERVER_HELLO_DONE;
1169
1170 return 0;
1171 }
1172
1173
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1174 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1175 const u8 *in_data, size_t *in_len)
1176 {
1177 const u8 *pos, *end;
1178 size_t left, len;
1179 u8 type;
1180
1181 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1182 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1183 "received content type 0x%x", ct);
1184 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1185 TLS_ALERT_UNEXPECTED_MESSAGE);
1186 return -1;
1187 }
1188
1189 pos = in_data;
1190 left = *in_len;
1191
1192 if (left < 4) {
1193 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1194 "(left=%lu)", (unsigned long) left);
1195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1196 return -1;
1197 }
1198
1199 type = *pos++;
1200 len = WPA_GET_BE24(pos);
1201 pos += 3;
1202 left -= 4;
1203
1204 if (len > left) {
1205 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1206 "length (len=%lu != left=%lu)",
1207 (unsigned long) len, (unsigned long) left);
1208 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1209 return -1;
1210 }
1211 end = pos + len;
1212
1213 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1214 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1215 "message %d (expected ServerHelloDone)", type);
1216 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1217 TLS_ALERT_UNEXPECTED_MESSAGE);
1218 return -1;
1219 }
1220
1221 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1222
1223 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1224 !conn->ocsp_resp_received) {
1225 wpa_printf(MSG_INFO,
1226 "TLSv1: No OCSP response received - reject handshake");
1227 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1228 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1229 return -1;
1230 }
1231
1232 *in_len = end - in_data;
1233
1234 conn->state = CLIENT_KEY_EXCHANGE;
1235
1236 return 0;
1237 }
1238
1239
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1240 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1241 u8 ct, const u8 *in_data,
1242 size_t *in_len)
1243 {
1244 const u8 *pos;
1245 size_t left;
1246
1247 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1248 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1249 "received content type 0x%x", ct);
1250 if (conn->use_session_ticket) {
1251 int res;
1252 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1253 "rejected SessionTicket");
1254 conn->use_session_ticket = 0;
1255
1256 /* Notify upper layers that SessionTicket failed */
1257 res = conn->session_ticket_cb(
1258 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1259 NULL, NULL);
1260 if (res < 0) {
1261 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1262 "callback indicated failure");
1263 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1264 TLS_ALERT_HANDSHAKE_FAILURE);
1265 return -1;
1266 }
1267
1268 conn->state = SERVER_CERTIFICATE;
1269 return tls_process_certificate(conn, ct, in_data,
1270 in_len);
1271 }
1272 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1273 TLS_ALERT_UNEXPECTED_MESSAGE);
1274 return -1;
1275 }
1276
1277 pos = in_data;
1278 left = *in_len;
1279
1280 if (left < 1) {
1281 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1282 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1283 return -1;
1284 }
1285
1286 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1287 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1288 "received data 0x%x", *pos);
1289 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1290 TLS_ALERT_UNEXPECTED_MESSAGE);
1291 return -1;
1292 }
1293
1294 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1295 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1296 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1297 "for record layer");
1298 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1299 TLS_ALERT_INTERNAL_ERROR);
1300 return -1;
1301 }
1302
1303 *in_len = pos + 1 - in_data;
1304
1305 conn->state = SERVER_FINISHED;
1306
1307 return 0;
1308 }
1309
1310
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1311 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1312 const u8 *in_data, size_t *in_len)
1313 {
1314 const u8 *pos, *end;
1315 size_t left, len, hlen;
1316 u8 verify_data[TLS_VERIFY_DATA_LEN];
1317 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1318
1319 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1320 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1321 "received content type 0x%x", ct);
1322 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1323 TLS_ALERT_UNEXPECTED_MESSAGE);
1324 return -1;
1325 }
1326
1327 pos = in_data;
1328 left = *in_len;
1329
1330 if (left < 4) {
1331 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1332 "Finished",
1333 (unsigned long) left);
1334 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1335 TLS_ALERT_DECODE_ERROR);
1336 return -1;
1337 }
1338
1339 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1340 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1341 "type 0x%x", pos[0]);
1342 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1343 TLS_ALERT_UNEXPECTED_MESSAGE);
1344 return -1;
1345 }
1346
1347 len = WPA_GET_BE24(pos + 1);
1348
1349 pos += 4;
1350 left -= 4;
1351
1352 if (len > left) {
1353 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1354 "(len=%lu > left=%lu)",
1355 (unsigned long) len, (unsigned long) left);
1356 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1357 TLS_ALERT_DECODE_ERROR);
1358 return -1;
1359 }
1360 end = pos + len;
1361 if (len != TLS_VERIFY_DATA_LEN) {
1362 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1363 "in Finished: %lu (expected %d)",
1364 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1366 TLS_ALERT_DECODE_ERROR);
1367 return -1;
1368 }
1369 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1370 pos, TLS_VERIFY_DATA_LEN);
1371
1372 #ifdef CONFIG_TLSV12
1373 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1374 hlen = SHA256_MAC_LEN;
1375 if (conn->verify.sha256_server == NULL ||
1376 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1377 < 0) {
1378 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1379 TLS_ALERT_INTERNAL_ERROR);
1380 conn->verify.sha256_server = NULL;
1381 return -1;
1382 }
1383 conn->verify.sha256_server = NULL;
1384 } else {
1385 #endif /* CONFIG_TLSV12 */
1386
1387 hlen = MD5_MAC_LEN;
1388 if (conn->verify.md5_server == NULL ||
1389 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1391 TLS_ALERT_INTERNAL_ERROR);
1392 conn->verify.md5_server = NULL;
1393 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1394 conn->verify.sha1_server = NULL;
1395 return -1;
1396 }
1397 conn->verify.md5_server = NULL;
1398 hlen = SHA1_MAC_LEN;
1399 if (conn->verify.sha1_server == NULL ||
1400 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1401 &hlen) < 0) {
1402 conn->verify.sha1_server = NULL;
1403 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1404 TLS_ALERT_INTERNAL_ERROR);
1405 return -1;
1406 }
1407 conn->verify.sha1_server = NULL;
1408 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1409
1410 #ifdef CONFIG_TLSV12
1411 }
1412 #endif /* CONFIG_TLSV12 */
1413
1414 if (tls_prf(conn->rl.tls_version,
1415 conn->master_secret, TLS_MASTER_SECRET_LEN,
1416 "server finished", hash, hlen,
1417 verify_data, TLS_VERIFY_DATA_LEN)) {
1418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1419 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1420 TLS_ALERT_DECRYPT_ERROR);
1421 return -1;
1422 }
1423 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1424 verify_data, TLS_VERIFY_DATA_LEN);
1425
1426 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1427 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1429 TLS_ALERT_DECRYPT_ERROR);
1430 return -1;
1431 }
1432
1433 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1434
1435 *in_len = end - in_data;
1436
1437 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1438 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1439
1440 return 0;
1441 }
1442
1443
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)1444 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1445 const u8 *in_data, size_t *in_len,
1446 u8 **out_data, size_t *out_len)
1447 {
1448 const u8 *pos;
1449 size_t left;
1450
1451 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1452 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1453 "received content type 0x%x", ct);
1454 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1455 TLS_ALERT_UNEXPECTED_MESSAGE);
1456 return -1;
1457 }
1458
1459 pos = in_data;
1460 left = *in_len;
1461
1462 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1463 pos, left);
1464
1465 *out_data = os_malloc(left);
1466 if (*out_data) {
1467 os_memcpy(*out_data, pos, left);
1468 *out_len = left;
1469 }
1470
1471 return 0;
1472 }
1473
1474
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1475 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1476 const u8 *buf, size_t *len,
1477 u8 **out_data, size_t *out_len)
1478 {
1479 if (ct == TLS_CONTENT_TYPE_ALERT) {
1480 if (*len < 2) {
1481 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1482 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1483 TLS_ALERT_DECODE_ERROR);
1484 return -1;
1485 }
1486 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1487 buf[0], buf[1]);
1488 *len = 2;
1489 conn->state = FAILED;
1490 return -1;
1491 }
1492
1493 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1494 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1495 size_t hr_len = WPA_GET_BE24(buf + 1);
1496 if (hr_len > *len - 4) {
1497 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1498 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1499 TLS_ALERT_DECODE_ERROR);
1500 return -1;
1501 }
1502 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1503 *len = 4 + hr_len;
1504 return 0;
1505 }
1506
1507 switch (conn->state) {
1508 case SERVER_HELLO:
1509 if (tls_process_server_hello(conn, ct, buf, len))
1510 return -1;
1511 break;
1512 case SERVER_CERTIFICATE:
1513 if (tls_process_certificate(conn, ct, buf, len))
1514 return -1;
1515 break;
1516 case SERVER_KEY_EXCHANGE:
1517 if (tls_process_server_key_exchange(conn, ct, buf, len))
1518 return -1;
1519 break;
1520 case SERVER_CERTIFICATE_REQUEST:
1521 if (tls_process_certificate_request(conn, ct, buf, len))
1522 return -1;
1523 break;
1524 case SERVER_HELLO_DONE:
1525 if (tls_process_server_hello_done(conn, ct, buf, len))
1526 return -1;
1527 break;
1528 case SERVER_CHANGE_CIPHER_SPEC:
1529 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1530 return -1;
1531 break;
1532 case SERVER_FINISHED:
1533 if (tls_process_server_finished(conn, ct, buf, len))
1534 return -1;
1535 break;
1536 case ACK_FINISHED:
1537 if (out_data &&
1538 tls_process_application_data(conn, ct, buf, len, out_data,
1539 out_len))
1540 return -1;
1541 break;
1542 default:
1543 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1544 "while processing received message",
1545 conn->state);
1546 return -1;
1547 }
1548
1549 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1550 tls_verify_hash_add(&conn->verify, buf, *len);
1551
1552 return 0;
1553 }
1554