1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_version_disabled(struct tlsv1_client * conn,u16 ver)30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
38 }
39
40
tls_process_server_hello_extensions(struct tlsv1_client * conn,const u8 * pos,size_t len)41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
43 {
44 const u8 *end = pos + len;
45
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 pos, len);
48 while (pos < end) {
49 u16 ext, elen;
50
51 if (end - pos < 4) {
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 return -1;
54 }
55
56 ext = WPA_GET_BE16(pos);
57 pos += 2;
58 elen = WPA_GET_BE16(pos);
59 pos += 2;
60
61 if (elen > end - pos) {
62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 return -1;
64 }
65
66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 ext);
68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 pos, elen);
70
71 pos += elen;
72 }
73
74 return 0;
75 }
76
77
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 const u8 *in_data, size_t *in_len)
80 {
81 const u8 *pos, *end;
82 size_t left, len, i;
83 u16 cipher_suite;
84 u16 tls_version;
85
86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct);
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_UNEXPECTED_MESSAGE);
91 return -1;
92 }
93
94 pos = in_data;
95 left = *in_len;
96
97 if (left < 4)
98 goto decode_error;
99
100 /* HandshakeType msg_type */
101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos);
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 TLS_ALERT_UNEXPECTED_MESSAGE);
106 return -1;
107 }
108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 pos++;
110 /* uint24 length */
111 len = WPA_GET_BE24(pos);
112 pos += 3;
113 left -= 4;
114
115 if (len > left)
116 goto decode_error;
117
118 /* body - ServerHello */
119
120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 end = pos + len;
122
123 /* ProtocolVersion server_version */
124 if (end - pos < 2)
125 goto decode_error;
126 tls_version = WPA_GET_BE16(pos);
127 if (!tls_version_ok(tls_version) ||
128 tls_version_disabled(conn, tls_version)) {
129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos[0], pos[1]);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_PROTOCOL_VERSION);
133 return -1;
134 }
135 pos += 2;
136
137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version));
139 conn->rl.tls_version = tls_version;
140
141 /* Random random */
142 if (end - pos < TLS_RANDOM_LEN)
143 goto decode_error;
144
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 pos += TLS_RANDOM_LEN;
147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 conn->server_random, TLS_RANDOM_LEN);
149
150 /* SessionID session_id */
151 if (end - pos < 1)
152 goto decode_error;
153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 goto decode_error;
155 if (conn->session_id_len && conn->session_id_len == *pos &&
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 pos += 1 + conn->session_id_len;
158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 conn->session_resumed = 1;
160 } else {
161 conn->session_id_len = *pos;
162 pos++;
163 os_memcpy(conn->session_id, pos, conn->session_id_len);
164 pos += conn->session_id_len;
165 }
166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 conn->session_id, conn->session_id_len);
168
169 /* CipherSuite cipher_suite */
170 if (end - pos < 2)
171 goto decode_error;
172 cipher_suite = WPA_GET_BE16(pos);
173 pos += 2;
174 for (i = 0; i < conn->num_cipher_suites; i++) {
175 if (cipher_suite == conn->cipher_suites[i])
176 break;
177 }
178 if (i == conn->num_cipher_suites) {
179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite);
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 TLS_ALERT_ILLEGAL_PARAMETER);
183 return -1;
184 }
185
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 TLS_ALERT_ILLEGAL_PARAMETER);
192 return -1;
193 }
194
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 "record layer");
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 TLS_ALERT_INTERNAL_ERROR);
200 return -1;
201 }
202
203 conn->prev_cipher_suite = cipher_suite;
204
205 /* CompressionMethod compression_method */
206 if (end - pos < 1)
207 goto decode_error;
208 if (*pos != TLS_COMPRESSION_NULL) {
209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos);
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 TLS_ALERT_ILLEGAL_PARAMETER);
213 return -1;
214 }
215 pos++;
216
217 if (end - pos >= 2) {
218 u16 ext_len;
219
220 ext_len = WPA_GET_BE16(pos);
221 pos += 2;
222 if (end - pos < ext_len) {
223 wpa_printf(MSG_INFO,
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len, (unsigned int) (end - pos));
226 goto decode_error;
227 }
228
229 if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 goto decode_error;
231 pos += ext_len;
232 }
233
234 if (end != pos) {
235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos, end - pos);
237 goto decode_error;
238 }
239
240 if (conn->session_ticket_included && conn->session_ticket_cb) {
241 /* TODO: include SessionTicket extension if one was included in
242 * ServerHello */
243 int res = conn->session_ticket_cb(
244 conn->session_ticket_cb_ctx, NULL, 0,
245 conn->client_random, conn->server_random,
246 conn->master_secret);
247 if (res < 0) {
248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_HANDSHAKE_FAILURE);
252 return -1;
253 }
254 conn->use_session_ticket = !!res;
255 }
256
257 if ((conn->session_resumed || conn->use_session_ticket) &&
258 tls_derive_keys(conn, NULL, 0)) {
259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 TLS_ALERT_INTERNAL_ERROR);
262 return -1;
263 }
264
265 *in_len = end - in_data;
266
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269
270 return 0;
271
272 decode_error:
273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 return -1;
276 }
277
278
tls_peer_cert_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert)279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 struct x509_certificate *cert)
281 {
282 union tls_event_data ev;
283 struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 char subject[128];
288
289 if (!conn->event_cb)
290 return;
291
292 os_memset(&ev, 0, sizeof(ev));
293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 cert->cert_len);
296 ev.peer_cert.cert = cert_buf;
297 }
298 #ifdef CONFIG_SHA256
299 if (cert_buf) {
300 const u8 *addr[1];
301 size_t len[1];
302 addr[0] = wpabuf_head(cert_buf);
303 len[0] = wpabuf_len(cert_buf);
304 if (sha256_vector(1, addr, len, hash) == 0) {
305 ev.peer_cert.hash = hash;
306 ev.peer_cert.hash_len = sizeof(hash);
307 }
308 }
309 #endif /* CONFIG_SHA256 */
310
311 ev.peer_cert.depth = depth;
312 x509_name_string(&cert->subject, subject, sizeof(subject));
313 ev.peer_cert.subject = subject;
314
315 if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) {
316 if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT)
317 ev.peer_cert.tod = 1;
318 else if (cert->certificate_policy &
319 X509_EXT_CERT_POLICY_TOD_TOFU)
320 ev.peer_cert.tod = 2;
321 }
322
323 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
324 wpabuf_free(cert_buf);
325 }
326
327
tls_cert_chain_failure_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert,enum tls_fail_reason reason,const char * reason_txt)328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
329 struct x509_certificate *cert,
330 enum tls_fail_reason reason,
331 const char *reason_txt)
332 {
333 struct wpabuf *cert_buf = NULL;
334 union tls_event_data ev;
335 char subject[128];
336
337 if (!conn->event_cb || !cert)
338 return;
339
340 os_memset(&ev, 0, sizeof(ev));
341 ev.cert_fail.depth = depth;
342 x509_name_string(&cert->subject, subject, sizeof(subject));
343 ev.peer_cert.subject = subject;
344 ev.cert_fail.reason = reason;
345 ev.cert_fail.reason_txt = reason_txt;
346 cert_buf = wpabuf_alloc_copy(cert->cert_start,
347 cert->cert_len);
348 ev.cert_fail.cert = cert_buf;
349 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
350 wpabuf_free(cert_buf);
351 }
352
353
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
355 const u8 *in_data, size_t *in_len)
356 {
357 const u8 *pos, *end;
358 size_t left, len, list_len, cert_len, idx;
359 u8 type;
360 struct x509_certificate *chain = NULL, *last = NULL, *cert;
361 int reason;
362
363 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
364 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
365 "received content type 0x%x", ct);
366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 TLS_ALERT_UNEXPECTED_MESSAGE);
368 return -1;
369 }
370
371 pos = in_data;
372 left = *in_len;
373
374 if (left < 4) {
375 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
376 "(len=%lu)", (unsigned long) left);
377 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
378 return -1;
379 }
380
381 type = *pos++;
382 len = WPA_GET_BE24(pos);
383 pos += 3;
384 left -= 4;
385
386 if (len > left) {
387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
388 "length (len=%lu != left=%lu)",
389 (unsigned long) len, (unsigned long) left);
390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
391 return -1;
392 }
393
394 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
395 return tls_process_server_key_exchange(conn, ct, in_data,
396 in_len);
397 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
398 return tls_process_certificate_request(conn, ct, in_data,
399 in_len);
400 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
401 return tls_process_server_hello_done(conn, ct, in_data,
402 in_len);
403 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
404 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
405 "message %d (expected Certificate/"
406 "ServerKeyExchange/CertificateRequest/"
407 "ServerHelloDone)", type);
408 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 TLS_ALERT_UNEXPECTED_MESSAGE);
410 return -1;
411 }
412
413 wpa_printf(MSG_DEBUG,
414 "TLSv1: Received Certificate (certificate_list len %lu)",
415 (unsigned long) len);
416
417 /*
418 * opaque ASN.1Cert<2^24-1>;
419 *
420 * struct {
421 * ASN.1Cert certificate_list<1..2^24-1>;
422 * } Certificate;
423 */
424
425 end = pos + len;
426
427 if (end - pos < 3) {
428 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
429 "(left=%lu)", (unsigned long) left);
430 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
431 return -1;
432 }
433
434 list_len = WPA_GET_BE24(pos);
435 pos += 3;
436
437 if ((size_t) (end - pos) != list_len) {
438 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
439 "length (len=%lu left=%lu)",
440 (unsigned long) list_len,
441 (unsigned long) (end - pos));
442 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
443 return -1;
444 }
445
446 idx = 0;
447 while (pos < end) {
448 if (end - pos < 3) {
449 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
450 "certificate_list");
451 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 TLS_ALERT_DECODE_ERROR);
453 x509_certificate_chain_free(chain);
454 return -1;
455 }
456
457 cert_len = WPA_GET_BE24(pos);
458 pos += 3;
459
460 if ((size_t) (end - pos) < cert_len) {
461 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
462 "length (len=%lu left=%lu)",
463 (unsigned long) cert_len,
464 (unsigned long) (end - pos));
465 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
466 TLS_ALERT_DECODE_ERROR);
467 x509_certificate_chain_free(chain);
468 return -1;
469 }
470
471 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
472 (unsigned long) idx, (unsigned long) cert_len);
473
474 if (idx == 0) {
475 crypto_public_key_free(conn->server_rsa_key);
476 if (tls_parse_cert(pos, cert_len,
477 &conn->server_rsa_key)) {
478 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
479 "the certificate");
480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
481 TLS_ALERT_BAD_CERTIFICATE);
482 x509_certificate_chain_free(chain);
483 return -1;
484 }
485 }
486
487 cert = x509_certificate_parse(pos, cert_len);
488 if (cert == NULL) {
489 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
490 "the certificate");
491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 TLS_ALERT_BAD_CERTIFICATE);
493 x509_certificate_chain_free(chain);
494 return -1;
495 }
496
497 tls_peer_cert_event(conn, idx, cert);
498
499 if (last == NULL)
500 chain = cert;
501 else
502 last->next = cert;
503 last = cert;
504
505 idx++;
506 pos += cert_len;
507 }
508
509 if (conn->cred && conn->cred->server_cert_only && chain) {
510 u8 hash[SHA256_MAC_LEN];
511 char buf[128];
512
513 wpa_printf(MSG_DEBUG,
514 "TLSv1: Validate server certificate hash");
515 x509_name_string(&chain->subject, buf, sizeof(buf));
516 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
517 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
518 hash) < 0 ||
519 os_memcmp(conn->cred->srv_cert_hash, hash,
520 SHA256_MAC_LEN) != 0) {
521 wpa_printf(MSG_DEBUG,
522 "TLSv1: Server certificate hash mismatch");
523 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
524 hash, SHA256_MAC_LEN);
525 if (conn->event_cb) {
526 union tls_event_data ev;
527
528 os_memset(&ev, 0, sizeof(ev));
529 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
530 ev.cert_fail.reason_txt =
531 "Server certificate mismatch";
532 ev.cert_fail.subject = buf;
533 conn->event_cb(conn->cb_ctx,
534 TLS_CERT_CHAIN_FAILURE, &ev);
535 }
536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
537 TLS_ALERT_BAD_CERTIFICATE);
538 x509_certificate_chain_free(chain);
539 return -1;
540 }
541 } else if (conn->cred && conn->cred->cert_probe) {
542 wpa_printf(MSG_DEBUG,
543 "TLSv1: Reject server certificate on probe-only run");
544 if (conn->event_cb) {
545 union tls_event_data ev;
546 char buf[128];
547
548 os_memset(&ev, 0, sizeof(ev));
549 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
550 ev.cert_fail.reason_txt =
551 "Server certificate chain probe";
552 if (chain) {
553 x509_name_string(&chain->subject, buf,
554 sizeof(buf));
555 ev.cert_fail.subject = buf;
556 }
557 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
558 &ev);
559 }
560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
561 TLS_ALERT_BAD_CERTIFICATE);
562 x509_certificate_chain_free(chain);
563 return -1;
564 } else if (conn->cred && conn->cred->ca_cert_verify &&
565 x509_certificate_chain_validate(
566 conn->cred->trusted_certs, chain, &reason,
567 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
568 < 0) {
569 int tls_reason;
570 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
571 "validation failed (reason=%d)", reason);
572 switch (reason) {
573 case X509_VALIDATE_BAD_CERTIFICATE:
574 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
575 tls_cert_chain_failure_event(
576 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
577 "bad certificate");
578 break;
579 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
580 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
581 break;
582 case X509_VALIDATE_CERTIFICATE_REVOKED:
583 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
584 tls_cert_chain_failure_event(
585 conn, 0, chain, TLS_FAIL_REVOKED,
586 "certificate revoked");
587 break;
588 case X509_VALIDATE_CERTIFICATE_EXPIRED:
589 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
590 tls_cert_chain_failure_event(
591 conn, 0, chain, TLS_FAIL_EXPIRED,
592 "certificate has expired or is not yet valid");
593 break;
594 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
595 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
596 break;
597 case X509_VALIDATE_UNKNOWN_CA:
598 tls_reason = TLS_ALERT_UNKNOWN_CA;
599 tls_cert_chain_failure_event(
600 conn, 0, chain, TLS_FAIL_UNTRUSTED,
601 "unknown CA");
602 break;
603 default:
604 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
605 break;
606 }
607 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
608 x509_certificate_chain_free(chain);
609 return -1;
610 }
611
612 if (conn->cred && !conn->cred->server_cert_only && chain &&
613 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
614 !(chain->ext_key_usage &
615 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
616 tls_cert_chain_failure_event(
617 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
618 "certificate not allowed for server authentication");
619 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
620 TLS_ALERT_BAD_CERTIFICATE);
621 x509_certificate_chain_free(chain);
622 return -1;
623 }
624
625 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
626 x509_certificate_chain_free(conn->server_cert);
627 conn->server_cert = chain;
628 } else {
629 x509_certificate_chain_free(chain);
630 }
631
632 *in_len = end - in_data;
633
634 conn->state = SERVER_KEY_EXCHANGE;
635
636 return 0;
637 }
638
639
count_bits(const u8 * val,size_t len)640 static unsigned int count_bits(const u8 *val, size_t len)
641 {
642 size_t i;
643 unsigned int bits;
644 u8 tmp;
645
646 for (i = 0; i < len; i++) {
647 if (val[i])
648 break;
649 }
650 if (i == len)
651 return 0;
652
653 bits = (len - i - 1) * 8;
654 tmp = val[i];
655 while (tmp) {
656 bits++;
657 tmp >>= 1;
658 }
659
660 return bits;
661 }
662
663
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
665 const u8 *buf, size_t len,
666 tls_key_exchange key_exchange)
667 {
668 const u8 *pos, *end, *server_params, *server_params_end;
669 u8 alert;
670 unsigned int bits;
671 u16 val;
672
673 tlsv1_client_free_dh(conn);
674
675 pos = buf;
676 end = buf + len;
677
678 if (end - pos < 3)
679 goto fail;
680 server_params = pos;
681 val = WPA_GET_BE16(pos);
682 pos += 2;
683 if (val == 0 || val > (size_t) (end - pos)) {
684 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
685 goto fail;
686 }
687 conn->dh_p_len = val;
688 bits = count_bits(pos, conn->dh_p_len);
689 if (bits < 768) {
690 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
691 bits);
692 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
693 pos, conn->dh_p_len);
694 goto fail;
695 }
696 conn->dh_p = os_memdup(pos, conn->dh_p_len);
697 if (conn->dh_p == NULL)
698 goto fail;
699 pos += conn->dh_p_len;
700 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
701 conn->dh_p, conn->dh_p_len);
702
703 if (end - pos < 3)
704 goto fail;
705 val = WPA_GET_BE16(pos);
706 pos += 2;
707 if (val == 0 || val > (size_t) (end - pos))
708 goto fail;
709 conn->dh_g_len = val;
710 conn->dh_g = os_memdup(pos, conn->dh_g_len);
711 if (conn->dh_g == NULL)
712 goto fail;
713 pos += conn->dh_g_len;
714 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
715 conn->dh_g, conn->dh_g_len);
716 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
717 goto fail;
718
719 if (end - pos < 3)
720 goto fail;
721 val = WPA_GET_BE16(pos);
722 pos += 2;
723 if (val == 0 || val > (size_t) (end - pos))
724 goto fail;
725 conn->dh_ys_len = val;
726 conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
727 if (conn->dh_ys == NULL)
728 goto fail;
729 pos += conn->dh_ys_len;
730 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
731 conn->dh_ys, conn->dh_ys_len);
732 server_params_end = pos;
733
734 if (key_exchange == TLS_KEY_X_DHE_RSA) {
735 u8 hash[64];
736 int hlen;
737
738 if (conn->rl.tls_version == TLS_VERSION_1_2) {
739 #ifdef CONFIG_TLSV12
740 /*
741 * RFC 5246, 4.7:
742 * TLS v1.2 adds explicit indication of the used
743 * signature and hash algorithms.
744 *
745 * struct {
746 * HashAlgorithm hash;
747 * SignatureAlgorithm signature;
748 * } SignatureAndHashAlgorithm;
749 */
750 if (end - pos < 2)
751 goto fail;
752 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
753 pos[0] != TLS_HASH_ALG_SHA384 &&
754 pos[0] != TLS_HASH_ALG_SHA512) ||
755 pos[1] != TLS_SIGN_ALG_RSA) {
756 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
757 pos[0], pos[1]);
758 goto fail;
759 }
760
761 hlen = tlsv12_key_x_server_params_hash(
762 conn->rl.tls_version, pos[0],
763 conn->client_random,
764 conn->server_random, server_params,
765 server_params_end - server_params, hash);
766 pos += 2;
767 #else /* CONFIG_TLSV12 */
768 goto fail;
769 #endif /* CONFIG_TLSV12 */
770 } else {
771 hlen = tls_key_x_server_params_hash(
772 conn->rl.tls_version, conn->client_random,
773 conn->server_random, server_params,
774 server_params_end - server_params, hash,
775 sizeof(hash));
776 }
777
778 if (hlen < 0)
779 goto fail;
780 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
781 hash, hlen);
782
783 if (tls_verify_signature(conn->rl.tls_version,
784 conn->server_rsa_key,
785 hash, hlen, pos, end - pos,
786 &alert) < 0)
787 goto fail;
788 }
789
790 return 0;
791
792 fail:
793 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
794 tlsv1_client_free_dh(conn);
795 return -1;
796 }
797
798
799 static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client * conn,const u8 * pos,size_t len)800 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
801 const u8 *pos, size_t len)
802 {
803 const u8 *end = pos + len;
804 u32 ocsp_resp_len;
805
806 /* opaque OCSPResponse<1..2^24-1>; */
807 if (end - pos < 3) {
808 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
809 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
810 return TLS_OCSP_INVALID;
811 }
812 ocsp_resp_len = WPA_GET_BE24(pos);
813 pos += 3;
814 if (end - pos < ocsp_resp_len) {
815 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
816 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
817 return TLS_OCSP_INVALID;
818 }
819
820 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
821 }
822
823
tls_process_certificate_status(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)824 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
825 const u8 *in_data, size_t *in_len)
826 {
827 const u8 *pos, *end;
828 size_t left, len;
829 u8 type, status_type;
830 enum tls_ocsp_result res;
831 struct x509_certificate *cert;
832 int depth;
833
834 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
835 wpa_printf(MSG_DEBUG,
836 "TLSv1: Expected Handshake; received content type 0x%x",
837 ct);
838 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
839 TLS_ALERT_UNEXPECTED_MESSAGE);
840 return -1;
841 }
842
843 pos = in_data;
844 left = *in_len;
845
846 if (left < 4) {
847 wpa_printf(MSG_DEBUG,
848 "TLSv1: Too short CertificateStatus (left=%lu)",
849 (unsigned long) left);
850 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
851 return -1;
852 }
853
854 type = *pos++;
855 len = WPA_GET_BE24(pos);
856 pos += 3;
857 left -= 4;
858
859 if (len > left) {
860 wpa_printf(MSG_DEBUG,
861 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
862 (unsigned long) len, (unsigned long) left);
863 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
864 return -1;
865 }
866
867 end = pos + len;
868
869 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
870 wpa_printf(MSG_DEBUG,
871 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
872 type);
873 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
874 TLS_ALERT_UNEXPECTED_MESSAGE);
875 return -1;
876 }
877
878 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
879
880 /*
881 * struct {
882 * CertificateStatusType status_type;
883 * select (status_type) {
884 * case ocsp: OCSPResponse;
885 * case ocsp_multi: OCSPResponseList;
886 * } response;
887 * } CertificateStatus;
888 */
889 if (end - pos < 1) {
890 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
891 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
892 return -1;
893 }
894 status_type = *pos++;
895 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
896 status_type);
897
898 if (status_type == 1 /* ocsp */) {
899 res = tls_process_certificate_status_ocsp_response(
900 conn, pos, end - pos);
901 } else if (status_type == 2 /* ocsp_multi */) {
902 int good = 0, revoked = 0;
903 u32 resp_len;
904
905 res = TLS_OCSP_NO_RESPONSE;
906
907 /*
908 * opaque OCSPResponse<0..2^24-1>;
909 *
910 * struct {
911 * OCSPResponse ocsp_response_list<1..2^24-1>;
912 * } OCSPResponseList;
913 */
914 if (end - pos < 3) {
915 wpa_printf(MSG_DEBUG,
916 "TLSv1: Truncated OCSPResponseList");
917 res = TLS_OCSP_INVALID;
918 goto done;
919 }
920 resp_len = WPA_GET_BE24(pos);
921 pos += 3;
922 if (end - pos < resp_len) {
923 wpa_printf(MSG_DEBUG,
924 "TLSv1: Truncated OCSPResponseList(len=%u)",
925 resp_len);
926 res = TLS_OCSP_INVALID;
927 goto done;
928 }
929 end = pos + resp_len;
930
931 while (end - pos >= 3) {
932 resp_len = WPA_GET_BE24(pos);
933 pos += 3;
934 if (resp_len > end - pos) {
935 wpa_printf(MSG_DEBUG,
936 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
937 resp_len, (int) (end - pos));
938 res = TLS_OCSP_INVALID;
939 break;
940 }
941 if (!resp_len)
942 continue; /* Skip an empty response */
943 res = tls_process_certificate_status_ocsp_response(
944 conn, pos - 3, resp_len + 3);
945 if (res == TLS_OCSP_REVOKED)
946 revoked++;
947 else if (res == TLS_OCSP_GOOD)
948 good++;
949 pos += resp_len;
950 }
951
952 if (revoked)
953 res = TLS_OCSP_REVOKED;
954 else if (good)
955 res = TLS_OCSP_GOOD;
956 } else {
957 wpa_printf(MSG_DEBUG,
958 "TLSv1: Ignore unsupported CertificateStatus");
959 goto skip;
960 }
961
962 done:
963 if (res == TLS_OCSP_REVOKED) {
964 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
965 TLS_ALERT_CERTIFICATE_REVOKED);
966 for (cert = conn->server_cert, depth = 0; cert;
967 cert = cert->next, depth++) {
968 if (cert->ocsp_revoked) {
969 tls_cert_chain_failure_event(
970 conn, depth, cert, TLS_FAIL_REVOKED,
971 "certificate revoked");
972 }
973 }
974 return -1;
975 }
976
977 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
978 /*
979 * Verify that each certificate on the chain that is not part
980 * of the trusted certificates has a good status. If not,
981 * terminate handshake.
982 */
983 for (cert = conn->server_cert, depth = 0; cert;
984 cert = cert->next, depth++) {
985 if (!cert->ocsp_good) {
986 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
987 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
988 tls_cert_chain_failure_event(
989 conn, depth, cert,
990 TLS_FAIL_UNSPECIFIED,
991 "bad certificate status response");
992 return -1;
993 }
994 if (cert->issuer_trusted)
995 break;
996 }
997 }
998
999 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
1000 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1001 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
1002 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1003 if (conn->server_cert)
1004 tls_cert_chain_failure_event(
1005 conn, 0, conn->server_cert,
1006 TLS_FAIL_UNSPECIFIED,
1007 "bad certificate status response");
1008 return -1;
1009 }
1010
1011 conn->ocsp_resp_received = 1;
1012
1013 skip:
1014 *in_len = end - in_data;
1015
1016 conn->state = SERVER_KEY_EXCHANGE;
1017
1018 return 0;
1019 }
1020
1021
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1022 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1023 const u8 *in_data, size_t *in_len)
1024 {
1025 const u8 *pos, *end;
1026 size_t left, len;
1027 u8 type;
1028 const struct tls_cipher_suite *suite;
1029
1030 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1031 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1032 "received content type 0x%x", ct);
1033 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1034 TLS_ALERT_UNEXPECTED_MESSAGE);
1035 return -1;
1036 }
1037
1038 pos = in_data;
1039 left = *in_len;
1040
1041 if (left < 4) {
1042 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1043 "(Left=%lu)", (unsigned long) left);
1044 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1045 return -1;
1046 }
1047
1048 type = *pos++;
1049 len = WPA_GET_BE24(pos);
1050 pos += 3;
1051 left -= 4;
1052
1053 if (len > left) {
1054 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1055 "length (len=%lu != left=%lu)",
1056 (unsigned long) len, (unsigned long) left);
1057 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1058 return -1;
1059 }
1060
1061 end = pos + len;
1062
1063 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1064 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1065 return tls_process_certificate_status(conn, ct, in_data,
1066 in_len);
1067 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1068 return tls_process_certificate_request(conn, ct, in_data,
1069 in_len);
1070 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1071 return tls_process_server_hello_done(conn, ct, in_data,
1072 in_len);
1073 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1074 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1075 "message %d (expected ServerKeyExchange/"
1076 "CertificateRequest/ServerHelloDone%s)", type,
1077 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1078 "/CertificateStatus" : "");
1079 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1080 TLS_ALERT_UNEXPECTED_MESSAGE);
1081 return -1;
1082 }
1083
1084 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1085
1086 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1087 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1088 "with the selected cipher suite");
1089 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1090 TLS_ALERT_UNEXPECTED_MESSAGE);
1091 return -1;
1092 }
1093
1094 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1095 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1096 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1097 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1098 if (tlsv1_process_diffie_hellman(conn, pos, len,
1099 suite->key_exchange) < 0) {
1100 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1101 TLS_ALERT_DECODE_ERROR);
1102 return -1;
1103 }
1104 } else {
1105 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1106 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1107 TLS_ALERT_UNEXPECTED_MESSAGE);
1108 return -1;
1109 }
1110
1111 *in_len = end - in_data;
1112
1113 conn->state = SERVER_CERTIFICATE_REQUEST;
1114
1115 return 0;
1116 }
1117
1118
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1119 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1120 const u8 *in_data, size_t *in_len)
1121 {
1122 const u8 *pos, *end;
1123 size_t left, len;
1124 u8 type;
1125
1126 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1127 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1128 "received content type 0x%x", ct);
1129 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1130 TLS_ALERT_UNEXPECTED_MESSAGE);
1131 return -1;
1132 }
1133
1134 pos = in_data;
1135 left = *in_len;
1136
1137 if (left < 4) {
1138 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1139 "(left=%lu)", (unsigned long) left);
1140 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1141 return -1;
1142 }
1143
1144 type = *pos++;
1145 len = WPA_GET_BE24(pos);
1146 pos += 3;
1147 left -= 4;
1148
1149 if (len > left) {
1150 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1151 "length (len=%lu != left=%lu)",
1152 (unsigned long) len, (unsigned long) left);
1153 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1154 return -1;
1155 }
1156
1157 end = pos + len;
1158
1159 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1160 return tls_process_server_hello_done(conn, ct, in_data,
1161 in_len);
1162 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1163 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1164 "message %d (expected CertificateRequest/"
1165 "ServerHelloDone)", type);
1166 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1167 TLS_ALERT_UNEXPECTED_MESSAGE);
1168 return -1;
1169 }
1170
1171 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1172
1173 conn->certificate_requested = 1;
1174
1175 *in_len = end - in_data;
1176
1177 conn->state = SERVER_HELLO_DONE;
1178
1179 return 0;
1180 }
1181
1182
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1183 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1184 const u8 *in_data, size_t *in_len)
1185 {
1186 const u8 *pos, *end;
1187 size_t left, len;
1188 u8 type;
1189
1190 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1191 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1192 "received content type 0x%x", ct);
1193 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1194 TLS_ALERT_UNEXPECTED_MESSAGE);
1195 return -1;
1196 }
1197
1198 pos = in_data;
1199 left = *in_len;
1200
1201 if (left < 4) {
1202 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1203 "(left=%lu)", (unsigned long) left);
1204 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1205 return -1;
1206 }
1207
1208 type = *pos++;
1209 len = WPA_GET_BE24(pos);
1210 pos += 3;
1211 left -= 4;
1212
1213 if (len > left) {
1214 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1215 "length (len=%lu != left=%lu)",
1216 (unsigned long) len, (unsigned long) left);
1217 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1218 return -1;
1219 }
1220 end = pos + len;
1221
1222 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1223 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1224 "message %d (expected ServerHelloDone)", type);
1225 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1226 TLS_ALERT_UNEXPECTED_MESSAGE);
1227 return -1;
1228 }
1229
1230 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1231
1232 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1233 !conn->ocsp_resp_received) {
1234 wpa_printf(MSG_INFO,
1235 "TLSv1: No OCSP response received - reject handshake");
1236 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1237 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1238 return -1;
1239 }
1240
1241 *in_len = end - in_data;
1242
1243 conn->state = CLIENT_KEY_EXCHANGE;
1244
1245 return 0;
1246 }
1247
1248
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1249 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1250 u8 ct, const u8 *in_data,
1251 size_t *in_len)
1252 {
1253 const u8 *pos;
1254 size_t left;
1255
1256 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1257 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1258 "received content type 0x%x", ct);
1259 if (conn->use_session_ticket) {
1260 int res;
1261 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1262 "rejected SessionTicket");
1263 conn->use_session_ticket = 0;
1264
1265 /* Notify upper layers that SessionTicket failed */
1266 res = conn->session_ticket_cb(
1267 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1268 NULL, NULL);
1269 if (res < 0) {
1270 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1271 "callback indicated failure");
1272 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1273 TLS_ALERT_HANDSHAKE_FAILURE);
1274 return -1;
1275 }
1276
1277 conn->state = SERVER_CERTIFICATE;
1278 return tls_process_certificate(conn, ct, in_data,
1279 in_len);
1280 }
1281 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1282 TLS_ALERT_UNEXPECTED_MESSAGE);
1283 return -1;
1284 }
1285
1286 pos = in_data;
1287 left = *in_len;
1288
1289 if (left < 1) {
1290 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1291 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1292 return -1;
1293 }
1294
1295 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1296 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1297 "received data 0x%x", *pos);
1298 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1299 TLS_ALERT_UNEXPECTED_MESSAGE);
1300 return -1;
1301 }
1302
1303 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1304 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1305 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1306 "for record layer");
1307 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1308 TLS_ALERT_INTERNAL_ERROR);
1309 return -1;
1310 }
1311
1312 *in_len = pos + 1 - in_data;
1313
1314 conn->state = SERVER_FINISHED;
1315
1316 return 0;
1317 }
1318
1319
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1320 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1321 const u8 *in_data, size_t *in_len)
1322 {
1323 const u8 *pos, *end;
1324 size_t left, len, hlen;
1325 u8 verify_data[TLS_VERIFY_DATA_LEN];
1326 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1327
1328 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1329 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1330 "received content type 0x%x", ct);
1331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1332 TLS_ALERT_UNEXPECTED_MESSAGE);
1333 return -1;
1334 }
1335
1336 pos = in_data;
1337 left = *in_len;
1338
1339 if (left < 4) {
1340 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1341 "Finished",
1342 (unsigned long) left);
1343 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1344 TLS_ALERT_DECODE_ERROR);
1345 return -1;
1346 }
1347
1348 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1349 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1350 "type 0x%x", pos[0]);
1351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1352 TLS_ALERT_UNEXPECTED_MESSAGE);
1353 return -1;
1354 }
1355
1356 len = WPA_GET_BE24(pos + 1);
1357
1358 pos += 4;
1359 left -= 4;
1360
1361 if (len > left) {
1362 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1363 "(len=%lu > left=%lu)",
1364 (unsigned long) len, (unsigned long) left);
1365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1366 TLS_ALERT_DECODE_ERROR);
1367 return -1;
1368 }
1369 end = pos + len;
1370 if (len != TLS_VERIFY_DATA_LEN) {
1371 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1372 "in Finished: %lu (expected %d)",
1373 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1374 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1375 TLS_ALERT_DECODE_ERROR);
1376 return -1;
1377 }
1378 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1379 pos, TLS_VERIFY_DATA_LEN);
1380
1381 #ifdef CONFIG_TLSV12
1382 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1383 hlen = SHA256_MAC_LEN;
1384 if (conn->verify.sha256_server == NULL ||
1385 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1386 < 0) {
1387 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1388 TLS_ALERT_INTERNAL_ERROR);
1389 conn->verify.sha256_server = NULL;
1390 return -1;
1391 }
1392 conn->verify.sha256_server = NULL;
1393 } else {
1394 #endif /* CONFIG_TLSV12 */
1395
1396 hlen = MD5_MAC_LEN;
1397 if (conn->verify.md5_server == NULL ||
1398 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1399 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1400 TLS_ALERT_INTERNAL_ERROR);
1401 conn->verify.md5_server = NULL;
1402 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1403 conn->verify.sha1_server = NULL;
1404 return -1;
1405 }
1406 conn->verify.md5_server = NULL;
1407 hlen = SHA1_MAC_LEN;
1408 if (conn->verify.sha1_server == NULL ||
1409 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1410 &hlen) < 0) {
1411 conn->verify.sha1_server = NULL;
1412 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1413 TLS_ALERT_INTERNAL_ERROR);
1414 return -1;
1415 }
1416 conn->verify.sha1_server = NULL;
1417 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1418
1419 #ifdef CONFIG_TLSV12
1420 }
1421 #endif /* CONFIG_TLSV12 */
1422
1423 if (tls_prf(conn->rl.tls_version,
1424 conn->master_secret, TLS_MASTER_SECRET_LEN,
1425 "server finished", hash, hlen,
1426 verify_data, TLS_VERIFY_DATA_LEN)) {
1427 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1429 TLS_ALERT_DECRYPT_ERROR);
1430 return -1;
1431 }
1432 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1433 verify_data, TLS_VERIFY_DATA_LEN);
1434
1435 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1436 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1437 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1438 TLS_ALERT_DECRYPT_ERROR);
1439 return -1;
1440 }
1441
1442 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1443
1444 *in_len = end - in_data;
1445
1446 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1447 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1448
1449 return 0;
1450 }
1451
1452
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)1453 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1454 const u8 *in_data, size_t *in_len,
1455 u8 **out_data, size_t *out_len)
1456 {
1457 const u8 *pos;
1458 size_t left;
1459
1460 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1461 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1462 "received content type 0x%x", ct);
1463 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1464 TLS_ALERT_UNEXPECTED_MESSAGE);
1465 return -1;
1466 }
1467
1468 pos = in_data;
1469 left = *in_len;
1470
1471 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1472 pos, left);
1473
1474 *out_data = os_malloc(left);
1475 if (*out_data) {
1476 os_memcpy(*out_data, pos, left);
1477 *out_len = left;
1478 }
1479
1480 return 0;
1481 }
1482
1483
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1484 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1485 const u8 *buf, size_t *len,
1486 u8 **out_data, size_t *out_len)
1487 {
1488 if (ct == TLS_CONTENT_TYPE_ALERT) {
1489 if (*len < 2) {
1490 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1492 TLS_ALERT_DECODE_ERROR);
1493 return -1;
1494 }
1495 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1496 buf[0], buf[1]);
1497 *len = 2;
1498 conn->state = FAILED;
1499 return -1;
1500 }
1501
1502 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1503 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1504 size_t hr_len = WPA_GET_BE24(buf + 1);
1505 if (hr_len > *len - 4) {
1506 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1507 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1508 TLS_ALERT_DECODE_ERROR);
1509 return -1;
1510 }
1511 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1512 *len = 4 + hr_len;
1513 return 0;
1514 }
1515
1516 switch (conn->state) {
1517 case SERVER_HELLO:
1518 if (tls_process_server_hello(conn, ct, buf, len))
1519 return -1;
1520 break;
1521 case SERVER_CERTIFICATE:
1522 if (tls_process_certificate(conn, ct, buf, len))
1523 return -1;
1524 break;
1525 case SERVER_KEY_EXCHANGE:
1526 if (tls_process_server_key_exchange(conn, ct, buf, len))
1527 return -1;
1528 break;
1529 case SERVER_CERTIFICATE_REQUEST:
1530 if (tls_process_certificate_request(conn, ct, buf, len))
1531 return -1;
1532 break;
1533 case SERVER_HELLO_DONE:
1534 if (tls_process_server_hello_done(conn, ct, buf, len))
1535 return -1;
1536 break;
1537 case SERVER_CHANGE_CIPHER_SPEC:
1538 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1539 return -1;
1540 break;
1541 case SERVER_FINISHED:
1542 if (tls_process_server_finished(conn, ct, buf, len))
1543 return -1;
1544 break;
1545 case ACK_FINISHED:
1546 if (out_data &&
1547 tls_process_application_data(conn, ct, buf, len, out_data,
1548 out_len))
1549 return -1;
1550 break;
1551 default:
1552 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1553 "while processing received message",
1554 conn->state);
1555 return -1;
1556 }
1557
1558 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1559 tls_verify_hash_add(&conn->verify, buf, *len);
1560
1561 return 0;
1562 }
1563