xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision 56b17de1e8360fe131d425de20b5e75ff3ea897c)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21 
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 					   const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 					   const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 					 const u8 *in_data, size_t *in_len);
28 
29 
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 	return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 		 ver == TLS_VERSION_1) ||
34 		((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 		 ver == TLS_VERSION_1_1) ||
36 		((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 		 ver == TLS_VERSION_1_2));
38 }
39 
40 
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 					       const u8 *pos, size_t len)
43 {
44 	const u8 *end = pos + len;
45 
46 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 		    pos, len);
48 	while (pos < end) {
49 		u16 ext, elen;
50 
51 		if (end - pos < 4) {
52 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 			return -1;
54 		}
55 
56 		ext = WPA_GET_BE16(pos);
57 		pos += 2;
58 		elen = WPA_GET_BE16(pos);
59 		pos += 2;
60 
61 		if (elen > end - pos) {
62 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 			return -1;
64 		}
65 
66 		wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 			   ext);
68 		wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 			    pos, elen);
70 
71 		pos += elen;
72 	}
73 
74 	return 0;
75 }
76 
77 
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 				    const u8 *in_data, size_t *in_len)
80 {
81 	const u8 *pos, *end;
82 	size_t left, len, i;
83 	u16 cipher_suite;
84 	u16 tls_version;
85 
86 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 			   "received content type 0x%x", ct);
89 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 			  TLS_ALERT_UNEXPECTED_MESSAGE);
91 		return -1;
92 	}
93 
94 	pos = in_data;
95 	left = *in_len;
96 
97 	if (left < 4)
98 		goto decode_error;
99 
100 	/* HandshakeType msg_type */
101 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 			   "message %d (expected ServerHello)", *pos);
104 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 			  TLS_ALERT_UNEXPECTED_MESSAGE);
106 		return -1;
107 	}
108 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 	pos++;
110 	/* uint24 length */
111 	len = WPA_GET_BE24(pos);
112 	pos += 3;
113 	left -= 4;
114 
115 	if (len > left)
116 		goto decode_error;
117 
118 	/* body - ServerHello */
119 
120 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 	end = pos + len;
122 
123 	/* ProtocolVersion server_version */
124 	if (end - pos < 2)
125 		goto decode_error;
126 	tls_version = WPA_GET_BE16(pos);
127 	if (!tls_version_ok(tls_version) ||
128 	    tls_version_disabled(conn, tls_version)) {
129 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 			   "ServerHello %u.%u", pos[0], pos[1]);
131 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 			  TLS_ALERT_PROTOCOL_VERSION);
133 		return -1;
134 	}
135 	pos += 2;
136 
137 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 		   tls_version_str(tls_version));
139 	conn->rl.tls_version = tls_version;
140 
141 	/* Random random */
142 	if (end - pos < TLS_RANDOM_LEN)
143 		goto decode_error;
144 
145 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 	pos += TLS_RANDOM_LEN;
147 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 		    conn->server_random, TLS_RANDOM_LEN);
149 
150 	/* SessionID session_id */
151 	if (end - pos < 1)
152 		goto decode_error;
153 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 		goto decode_error;
155 	if (conn->session_id_len && conn->session_id_len == *pos &&
156 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 		pos += 1 + conn->session_id_len;
158 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 		conn->session_resumed = 1;
160 	} else {
161 		conn->session_id_len = *pos;
162 		pos++;
163 		os_memcpy(conn->session_id, pos, conn->session_id_len);
164 		pos += conn->session_id_len;
165 	}
166 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 		    conn->session_id, conn->session_id_len);
168 
169 	/* CipherSuite cipher_suite */
170 	if (end - pos < 2)
171 		goto decode_error;
172 	cipher_suite = WPA_GET_BE16(pos);
173 	pos += 2;
174 	for (i = 0; i < conn->num_cipher_suites; i++) {
175 		if (cipher_suite == conn->cipher_suites[i])
176 			break;
177 	}
178 	if (i == conn->num_cipher_suites) {
179 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 			   "cipher suite 0x%04x", cipher_suite);
181 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 			  TLS_ALERT_ILLEGAL_PARAMETER);
183 		return -1;
184 	}
185 
186 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 			   "cipher suite for a resumed connection (0x%04x != "
189 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 			  TLS_ALERT_ILLEGAL_PARAMETER);
192 		return -1;
193 	}
194 
195 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 			   "record layer");
198 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 			  TLS_ALERT_INTERNAL_ERROR);
200 		return -1;
201 	}
202 
203 	conn->prev_cipher_suite = cipher_suite;
204 
205 	/* CompressionMethod compression_method */
206 	if (end - pos < 1)
207 		goto decode_error;
208 	if (*pos != TLS_COMPRESSION_NULL) {
209 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 			   "compression 0x%02x", *pos);
211 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 			  TLS_ALERT_ILLEGAL_PARAMETER);
213 		return -1;
214 	}
215 	pos++;
216 
217 	if (end - pos >= 2) {
218 		u16 ext_len;
219 
220 		ext_len = WPA_GET_BE16(pos);
221 		pos += 2;
222 		if (end - pos < ext_len) {
223 			wpa_printf(MSG_INFO,
224 				   "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 				   ext_len, (unsigned int) (end - pos));
226 			goto decode_error;
227 		}
228 
229 		if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 			goto decode_error;
231 		pos += ext_len;
232 	}
233 
234 	if (end != pos) {
235 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 			    "end of ServerHello", pos, end - pos);
237 		goto decode_error;
238 	}
239 
240 	if (conn->session_ticket_included && conn->session_ticket_cb) {
241 		/* TODO: include SessionTicket extension if one was included in
242 		 * ServerHello */
243 		int res = conn->session_ticket_cb(
244 			conn->session_ticket_cb_ctx, NULL, 0,
245 			conn->client_random, conn->server_random,
246 			conn->master_secret);
247 		if (res < 0) {
248 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 				   "indicated failure");
250 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 				  TLS_ALERT_HANDSHAKE_FAILURE);
252 			return -1;
253 		}
254 		conn->use_session_ticket = !!res;
255 	}
256 
257 	if ((conn->session_resumed || conn->use_session_ticket) &&
258 	    tls_derive_keys(conn, NULL, 0)) {
259 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 			  TLS_ALERT_INTERNAL_ERROR);
262 		return -1;
263 	}
264 
265 	*in_len = end - in_data;
266 
267 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269 
270 	return 0;
271 
272 decode_error:
273 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 	return -1;
276 }
277 
278 
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 				struct x509_certificate *cert)
281 {
282 	union tls_event_data ev;
283 	struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 	u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 	char subject[128];
288 
289 	if (!conn->event_cb)
290 		return;
291 
292 	os_memset(&ev, 0, sizeof(ev));
293 	if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 		cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 					     cert->cert_len);
296 		ev.peer_cert.cert = cert_buf;
297 	}
298 #ifdef CONFIG_SHA256
299 	if (cert_buf) {
300 		const u8 *addr[1];
301 		size_t len[1];
302 		addr[0] = wpabuf_head(cert_buf);
303 		len[0] = wpabuf_len(cert_buf);
304 		if (sha256_vector(1, addr, len, hash) == 0) {
305 			ev.peer_cert.hash = hash;
306 			ev.peer_cert.hash_len = sizeof(hash);
307 		}
308 	}
309 #endif /* CONFIG_SHA256 */
310 
311 	ev.peer_cert.depth = depth;
312 	x509_name_string(&cert->subject, subject, sizeof(subject));
313 	ev.peer_cert.subject = subject;
314 
315 	if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) {
316 		if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT)
317 			ev.peer_cert.tod = 1;
318 		else if (cert->certificate_policy &
319 			 X509_EXT_CERT_POLICY_TOD_TOFU)
320 			ev.peer_cert.tod = 2;
321 	}
322 
323 	conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
324 	wpabuf_free(cert_buf);
325 }
326 
327 
328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
329 					 struct x509_certificate *cert,
330 					 enum tls_fail_reason reason,
331 					 const char *reason_txt)
332 {
333 	struct wpabuf *cert_buf = NULL;
334 	union tls_event_data ev;
335 	char subject[128];
336 
337 	if (!conn->event_cb || !cert)
338 		return;
339 
340 	os_memset(&ev, 0, sizeof(ev));
341 	ev.cert_fail.depth = depth;
342 	x509_name_string(&cert->subject, subject, sizeof(subject));
343 	ev.peer_cert.subject = subject;
344 	ev.cert_fail.reason = reason;
345 	ev.cert_fail.reason_txt = reason_txt;
346 	cert_buf = wpabuf_alloc_copy(cert->cert_start,
347 				     cert->cert_len);
348 	ev.cert_fail.cert = cert_buf;
349 	conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
350 	wpabuf_free(cert_buf);
351 }
352 
353 
354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
355 				   const u8 *in_data, size_t *in_len)
356 {
357 	const u8 *pos, *end;
358 	size_t left, len, list_len, cert_len, idx;
359 	u8 type;
360 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
361 	int reason;
362 
363 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
364 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
365 			   "received content type 0x%x", ct);
366 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 			  TLS_ALERT_UNEXPECTED_MESSAGE);
368 		return -1;
369 	}
370 
371 	pos = in_data;
372 	left = *in_len;
373 
374 	if (left < 4) {
375 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
376 			   "(len=%lu)", (unsigned long) left);
377 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
378 		return -1;
379 	}
380 
381 	type = *pos++;
382 	len = WPA_GET_BE24(pos);
383 	pos += 3;
384 	left -= 4;
385 
386 	if (len > left) {
387 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
388 			   "length (len=%lu != left=%lu)",
389 			   (unsigned long) len, (unsigned long) left);
390 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
391 		return -1;
392 	}
393 
394 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
395 		return tls_process_server_key_exchange(conn, ct, in_data,
396 						       in_len);
397 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
398 		return tls_process_certificate_request(conn, ct, in_data,
399 						       in_len);
400 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
401 		return tls_process_server_hello_done(conn, ct, in_data,
402 						     in_len);
403 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
404 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
405 			   "message %d (expected Certificate/"
406 			   "ServerKeyExchange/CertificateRequest/"
407 			   "ServerHelloDone)", type);
408 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 			  TLS_ALERT_UNEXPECTED_MESSAGE);
410 		return -1;
411 	}
412 
413 	wpa_printf(MSG_DEBUG,
414 		   "TLSv1: Received Certificate (certificate_list len %lu)",
415 		   (unsigned long) len);
416 
417 	/*
418 	 * opaque ASN.1Cert<2^24-1>;
419 	 *
420 	 * struct {
421 	 *     ASN.1Cert certificate_list<1..2^24-1>;
422 	 * } Certificate;
423 	 */
424 
425 	end = pos + len;
426 
427 	if (end - pos < 3) {
428 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
429 			   "(left=%lu)", (unsigned long) left);
430 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
431 		return -1;
432 	}
433 
434 	list_len = WPA_GET_BE24(pos);
435 	pos += 3;
436 
437 	if ((size_t) (end - pos) != list_len) {
438 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
439 			   "length (len=%lu left=%lu)",
440 			   (unsigned long) list_len,
441 			   (unsigned long) (end - pos));
442 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
443 		return -1;
444 	}
445 
446 	idx = 0;
447 	while (pos < end) {
448 		if (end - pos < 3) {
449 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
450 				   "certificate_list");
451 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 				  TLS_ALERT_DECODE_ERROR);
453 			x509_certificate_chain_free(chain);
454 			return -1;
455 		}
456 
457 		cert_len = WPA_GET_BE24(pos);
458 		pos += 3;
459 
460 		if ((size_t) (end - pos) < cert_len) {
461 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
462 				   "length (len=%lu left=%lu)",
463 				   (unsigned long) cert_len,
464 				   (unsigned long) (end - pos));
465 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
466 				  TLS_ALERT_DECODE_ERROR);
467 			x509_certificate_chain_free(chain);
468 			return -1;
469 		}
470 
471 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
472 			   (unsigned long) idx, (unsigned long) cert_len);
473 
474 		if (idx == 0) {
475 			crypto_public_key_free(conn->server_rsa_key);
476 			if (tls_parse_cert(pos, cert_len,
477 					   &conn->server_rsa_key)) {
478 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
479 					   "the certificate");
480 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
481 					  TLS_ALERT_BAD_CERTIFICATE);
482 				x509_certificate_chain_free(chain);
483 				return -1;
484 			}
485 		}
486 
487 		cert = x509_certificate_parse(pos, cert_len);
488 		if (cert == NULL) {
489 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
490 				   "the certificate");
491 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 				  TLS_ALERT_BAD_CERTIFICATE);
493 			x509_certificate_chain_free(chain);
494 			return -1;
495 		}
496 
497 		tls_peer_cert_event(conn, idx, cert);
498 
499 		if (last == NULL)
500 			chain = cert;
501 		else
502 			last->next = cert;
503 		last = cert;
504 
505 		idx++;
506 		pos += cert_len;
507 	}
508 
509 	if (conn->cred && conn->cred->server_cert_only && chain) {
510 		u8 hash[SHA256_MAC_LEN];
511 		char buf[128];
512 
513 		wpa_printf(MSG_DEBUG,
514 			   "TLSv1: Validate server certificate hash");
515 		x509_name_string(&chain->subject, buf, sizeof(buf));
516 		wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
517 		if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
518 				  hash) < 0 ||
519 		    os_memcmp(conn->cred->srv_cert_hash, hash,
520 			      SHA256_MAC_LEN) != 0) {
521 			wpa_printf(MSG_DEBUG,
522 				   "TLSv1: Server certificate hash mismatch");
523 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
524 				    hash, SHA256_MAC_LEN);
525 			if (conn->event_cb) {
526 				union tls_event_data ev;
527 
528 				os_memset(&ev, 0, sizeof(ev));
529 				ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
530 				ev.cert_fail.reason_txt =
531 					"Server certificate mismatch";
532 				ev.cert_fail.subject = buf;
533 				conn->event_cb(conn->cb_ctx,
534 					       TLS_CERT_CHAIN_FAILURE, &ev);
535 			}
536 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
537 				  TLS_ALERT_BAD_CERTIFICATE);
538 			x509_certificate_chain_free(chain);
539 			return -1;
540 		}
541 	} else if (conn->cred && conn->cred->cert_probe) {
542 		wpa_printf(MSG_DEBUG,
543 			   "TLSv1: Reject server certificate on probe-only run");
544 		if (conn->event_cb) {
545 			union tls_event_data ev;
546 			char buf[128];
547 
548 			os_memset(&ev, 0, sizeof(ev));
549 			ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
550 			ev.cert_fail.reason_txt =
551 				"Server certificate chain probe";
552 			if (chain) {
553 				x509_name_string(&chain->subject, buf,
554 						 sizeof(buf));
555 				ev.cert_fail.subject = buf;
556 			}
557 			conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
558 				       &ev);
559 		}
560 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
561 			  TLS_ALERT_BAD_CERTIFICATE);
562 		x509_certificate_chain_free(chain);
563 		return -1;
564 	} else if (conn->cred && conn->cred->ca_cert_verify &&
565 		   x509_certificate_chain_validate(
566 			   conn->cred->trusted_certs, chain, &reason,
567 			   !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
568 		   < 0) {
569 		int tls_reason;
570 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
571 			   "validation failed (reason=%d)", reason);
572 		switch (reason) {
573 		case X509_VALIDATE_BAD_CERTIFICATE:
574 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
575 			tls_cert_chain_failure_event(
576 				conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
577 				"bad certificate");
578 			break;
579 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
580 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
581 			break;
582 		case X509_VALIDATE_CERTIFICATE_REVOKED:
583 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
584 			tls_cert_chain_failure_event(
585 				conn, 0, chain, TLS_FAIL_REVOKED,
586 				"certificate revoked");
587 			break;
588 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
589 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
590 			tls_cert_chain_failure_event(
591 				conn, 0, chain, TLS_FAIL_EXPIRED,
592 				"certificate has expired or is not yet valid");
593 			break;
594 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
595 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
596 			break;
597 		case X509_VALIDATE_UNKNOWN_CA:
598 			tls_reason = TLS_ALERT_UNKNOWN_CA;
599 			tls_cert_chain_failure_event(
600 				conn, 0, chain, TLS_FAIL_UNTRUSTED,
601 				"unknown CA");
602 			break;
603 		default:
604 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
605 			break;
606 		}
607 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
608 		x509_certificate_chain_free(chain);
609 		return -1;
610 	}
611 
612 	if (conn->cred && !conn->cred->server_cert_only && chain &&
613 	    (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
614 	    !(chain->ext_key_usage &
615 	      (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
616 		tls_cert_chain_failure_event(
617 			conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
618 			"certificate not allowed for server authentication");
619 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
620 			  TLS_ALERT_BAD_CERTIFICATE);
621 		x509_certificate_chain_free(chain);
622 		return -1;
623 	}
624 
625 	if (conn->flags & TLS_CONN_REQUEST_OCSP) {
626 		x509_certificate_chain_free(conn->server_cert);
627 		conn->server_cert = chain;
628 	} else {
629 		x509_certificate_chain_free(chain);
630 	}
631 
632 	*in_len = end - in_data;
633 
634 	conn->state = SERVER_KEY_EXCHANGE;
635 
636 	return 0;
637 }
638 
639 
640 static unsigned int count_bits(const u8 *val, size_t len)
641 {
642 	size_t i;
643 	unsigned int bits;
644 	u8 tmp;
645 
646 	for (i = 0; i < len; i++) {
647 		if (val[i])
648 			break;
649 	}
650 	if (i == len)
651 		return 0;
652 
653 	bits = (len - i - 1) * 8;
654 	tmp = val[i];
655 	while (tmp) {
656 		bits++;
657 		tmp >>= 1;
658 	}
659 
660 	return bits;
661 }
662 
663 
664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
665 					const u8 *buf, size_t len,
666 					tls_key_exchange key_exchange)
667 {
668 	const u8 *pos, *end, *server_params, *server_params_end;
669 	u8 alert;
670 	unsigned int bits;
671 	u16 val;
672 
673 	tlsv1_client_free_dh(conn);
674 
675 	pos = buf;
676 	end = buf + len;
677 
678 	if (end - pos < 3)
679 		goto fail;
680 	server_params = pos;
681 	val = WPA_GET_BE16(pos);
682 	pos += 2;
683 	if (val == 0 || val > (size_t) (end - pos)) {
684 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
685 		goto fail;
686 	}
687 	conn->dh_p_len = val;
688 	bits = count_bits(pos, conn->dh_p_len);
689 	if (bits < 768) {
690 		wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
691 			   bits);
692 		wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
693 			    pos, conn->dh_p_len);
694 		goto fail;
695 	}
696 	conn->dh_p = os_memdup(pos, conn->dh_p_len);
697 	if (conn->dh_p == NULL)
698 		goto fail;
699 	pos += conn->dh_p_len;
700 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
701 		    conn->dh_p, conn->dh_p_len);
702 
703 	if (end - pos < 3)
704 		goto fail;
705 	val = WPA_GET_BE16(pos);
706 	pos += 2;
707 	if (val == 0 || val > (size_t) (end - pos))
708 		goto fail;
709 	conn->dh_g_len = val;
710 	conn->dh_g = os_memdup(pos, conn->dh_g_len);
711 	if (conn->dh_g == NULL)
712 		goto fail;
713 	pos += conn->dh_g_len;
714 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
715 		    conn->dh_g, conn->dh_g_len);
716 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
717 		goto fail;
718 
719 	if (end - pos < 3)
720 		goto fail;
721 	val = WPA_GET_BE16(pos);
722 	pos += 2;
723 	if (val == 0 || val > (size_t) (end - pos))
724 		goto fail;
725 	conn->dh_ys_len = val;
726 	conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
727 	if (conn->dh_ys == NULL)
728 		goto fail;
729 	pos += conn->dh_ys_len;
730 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
731 		    conn->dh_ys, conn->dh_ys_len);
732 	server_params_end = pos;
733 
734 	if (key_exchange == TLS_KEY_X_DHE_RSA) {
735 		u8 hash[64];
736 		int hlen;
737 
738 		if (conn->rl.tls_version == TLS_VERSION_1_2) {
739 #ifdef CONFIG_TLSV12
740 			/*
741 			 * RFC 5246, 4.7:
742 			 * TLS v1.2 adds explicit indication of the used
743 			 * signature and hash algorithms.
744 			 *
745 			 * struct {
746 			 *   HashAlgorithm hash;
747 			 *   SignatureAlgorithm signature;
748 			 * } SignatureAndHashAlgorithm;
749 			 */
750 			if (end - pos < 2)
751 				goto fail;
752 			if ((pos[0] != TLS_HASH_ALG_SHA256 &&
753 			     pos[0] != TLS_HASH_ALG_SHA384 &&
754 			     pos[0] != TLS_HASH_ALG_SHA512) ||
755 			    pos[1] != TLS_SIGN_ALG_RSA) {
756 				wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
757 					   pos[0], pos[1]);
758 				goto fail;
759 			}
760 
761 			hlen = tlsv12_key_x_server_params_hash(
762 				conn->rl.tls_version, pos[0],
763 				conn->client_random,
764 				conn->server_random, server_params,
765 				server_params_end - server_params, hash);
766 			pos += 2;
767 #else /* CONFIG_TLSV12 */
768 			goto fail;
769 #endif /* CONFIG_TLSV12 */
770 		} else {
771 			hlen = tls_key_x_server_params_hash(
772 				conn->rl.tls_version, conn->client_random,
773 				conn->server_random, server_params,
774 				server_params_end - server_params, hash,
775 				sizeof(hash));
776 		}
777 
778 		if (hlen < 0)
779 			goto fail;
780 		wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
781 			    hash, hlen);
782 
783 		if (tls_verify_signature(conn->rl.tls_version,
784 					 conn->server_rsa_key,
785 					 hash, hlen, pos, end - pos,
786 					 &alert) < 0)
787 			goto fail;
788 	}
789 
790 	return 0;
791 
792 fail:
793 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
794 	tlsv1_client_free_dh(conn);
795 	return -1;
796 }
797 
798 
799 static enum tls_ocsp_result
800 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
801 					     const u8 *pos, size_t len)
802 {
803 	const u8 *end = pos + len;
804 	u32 ocsp_resp_len;
805 
806 	/* opaque OCSPResponse<1..2^24-1>; */
807 	if (end - pos < 3) {
808 		wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
809 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
810 		return TLS_OCSP_INVALID;
811 	}
812 	ocsp_resp_len = WPA_GET_BE24(pos);
813 	pos += 3;
814 	if (end - pos < ocsp_resp_len) {
815 		wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
816 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
817 		return TLS_OCSP_INVALID;
818 	}
819 
820 	return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
821 }
822 
823 
824 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
825 					   const u8 *in_data, size_t *in_len)
826 {
827 	const u8 *pos, *end;
828 	size_t left, len;
829 	u8 type, status_type;
830 	enum tls_ocsp_result res;
831 	struct x509_certificate *cert;
832 	int depth;
833 
834 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
835 		wpa_printf(MSG_DEBUG,
836 			   "TLSv1: Expected Handshake; received content type 0x%x",
837 			   ct);
838 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
839 			  TLS_ALERT_UNEXPECTED_MESSAGE);
840 		return -1;
841 	}
842 
843 	pos = in_data;
844 	left = *in_len;
845 
846 	if (left < 4) {
847 		wpa_printf(MSG_DEBUG,
848 			   "TLSv1: Too short CertificateStatus (left=%lu)",
849 			   (unsigned long) left);
850 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
851 		return -1;
852 	}
853 
854 	type = *pos++;
855 	len = WPA_GET_BE24(pos);
856 	pos += 3;
857 	left -= 4;
858 
859 	if (len > left) {
860 		wpa_printf(MSG_DEBUG,
861 			   "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
862 			   (unsigned long) len, (unsigned long) left);
863 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
864 		return -1;
865 	}
866 
867 	end = pos + len;
868 
869 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
870 		wpa_printf(MSG_DEBUG,
871 			   "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
872 			   type);
873 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
874 			  TLS_ALERT_UNEXPECTED_MESSAGE);
875 		return -1;
876 	}
877 
878 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
879 
880 	/*
881 	 * struct {
882 	 *     CertificateStatusType status_type;
883 	 *     select (status_type) {
884 	 *         case ocsp: OCSPResponse;
885 	 *         case ocsp_multi: OCSPResponseList;
886 	 *     } response;
887 	 * } CertificateStatus;
888 	 */
889 	if (end - pos < 1) {
890 		wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
891 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
892 		return -1;
893 	}
894 	status_type = *pos++;
895 	wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
896 		   status_type);
897 
898 	if (status_type == 1 /* ocsp */) {
899 		res = tls_process_certificate_status_ocsp_response(
900 			conn, pos, end - pos);
901 	} else if (status_type == 2 /* ocsp_multi */) {
902 		int good = 0, revoked = 0;
903 		u32 resp_len;
904 
905 		res = TLS_OCSP_NO_RESPONSE;
906 
907 		/*
908 		 * opaque OCSPResponse<0..2^24-1>;
909 		 *
910 		 * struct {
911 		 *   OCSPResponse ocsp_response_list<1..2^24-1>;
912 		 * } OCSPResponseList;
913 		 */
914 		if (end - pos < 3) {
915 			wpa_printf(MSG_DEBUG,
916 				   "TLSv1: Truncated OCSPResponseList");
917 			res = TLS_OCSP_INVALID;
918 			goto done;
919 		}
920 		resp_len = WPA_GET_BE24(pos);
921 		pos += 3;
922 		if (end - pos < resp_len) {
923 			wpa_printf(MSG_DEBUG,
924 				   "TLSv1: Truncated OCSPResponseList(len=%u)",
925 				   resp_len);
926 			res = TLS_OCSP_INVALID;
927 			goto done;
928 		}
929 		end = pos + resp_len;
930 
931 		while (end - pos >= 3) {
932 			resp_len = WPA_GET_BE24(pos);
933 			pos += 3;
934 			if (resp_len > end - pos) {
935 				wpa_printf(MSG_DEBUG,
936 					   "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
937 					   resp_len, (int) (end - pos));
938 				res = TLS_OCSP_INVALID;
939 				break;
940 			}
941 			if (!resp_len)
942 				continue; /* Skip an empty response */
943 			res = tls_process_certificate_status_ocsp_response(
944 				conn, pos - 3, resp_len + 3);
945 			if (res == TLS_OCSP_REVOKED)
946 				revoked++;
947 			else if (res == TLS_OCSP_GOOD)
948 				good++;
949 			pos += resp_len;
950 		}
951 
952 		if (revoked)
953 			res = TLS_OCSP_REVOKED;
954 		else if (good)
955 			res = TLS_OCSP_GOOD;
956 	} else {
957 		wpa_printf(MSG_DEBUG,
958 			   "TLSv1: Ignore unsupported CertificateStatus");
959 		goto skip;
960 	}
961 
962 done:
963 	if (res == TLS_OCSP_REVOKED) {
964 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
965 			  TLS_ALERT_CERTIFICATE_REVOKED);
966 		for (cert = conn->server_cert, depth = 0; cert;
967 		     cert = cert->next, depth++) {
968 			if (cert->ocsp_revoked) {
969 				tls_cert_chain_failure_event(
970 					conn, depth, cert, TLS_FAIL_REVOKED,
971 					"certificate revoked");
972 			}
973 		}
974 		return -1;
975 	}
976 
977 	if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
978 		/*
979 		 * Verify that each certificate on the chain that is not part
980 		 * of the trusted certificates has a good status. If not,
981 		 * terminate handshake.
982 		 */
983 		for (cert = conn->server_cert, depth = 0; cert;
984 		     cert = cert->next, depth++) {
985 			if (!cert->ocsp_good) {
986 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
987 					  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
988 				tls_cert_chain_failure_event(
989 					conn, depth, cert,
990 					TLS_FAIL_UNSPECIFIED,
991 					"bad certificate status response");
992 				return -1;
993 			}
994 			if (cert->issuer_trusted)
995 				break;
996 		}
997 	}
998 
999 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
1000 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1001 			  res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
1002 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1003 		if (conn->server_cert)
1004 			tls_cert_chain_failure_event(
1005 				conn, 0, conn->server_cert,
1006 				TLS_FAIL_UNSPECIFIED,
1007 				"bad certificate status response");
1008 		return -1;
1009 	}
1010 
1011 	conn->ocsp_resp_received = 1;
1012 
1013 skip:
1014 	*in_len = end - in_data;
1015 
1016 	conn->state = SERVER_KEY_EXCHANGE;
1017 
1018 	return 0;
1019 }
1020 
1021 
1022 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1023 					   const u8 *in_data, size_t *in_len)
1024 {
1025 	const u8 *pos, *end;
1026 	size_t left, len;
1027 	u8 type;
1028 	const struct tls_cipher_suite *suite;
1029 
1030 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1031 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1032 			   "received content type 0x%x", ct);
1033 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1034 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1035 		return -1;
1036 	}
1037 
1038 	pos = in_data;
1039 	left = *in_len;
1040 
1041 	if (left < 4) {
1042 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1043 			   "(Left=%lu)", (unsigned long) left);
1044 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1045 		return -1;
1046 	}
1047 
1048 	type = *pos++;
1049 	len = WPA_GET_BE24(pos);
1050 	pos += 3;
1051 	left -= 4;
1052 
1053 	if (len > left) {
1054 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1055 			   "length (len=%lu != left=%lu)",
1056 			   (unsigned long) len, (unsigned long) left);
1057 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1058 		return -1;
1059 	}
1060 
1061 	end = pos + len;
1062 
1063 	if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1064 	    type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1065 		return tls_process_certificate_status(conn, ct, in_data,
1066 						      in_len);
1067 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1068 		return tls_process_certificate_request(conn, ct, in_data,
1069 						       in_len);
1070 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1071 		return tls_process_server_hello_done(conn, ct, in_data,
1072 						     in_len);
1073 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1074 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1075 			   "message %d (expected ServerKeyExchange/"
1076 			   "CertificateRequest/ServerHelloDone%s)", type,
1077 			   (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1078 			   "/CertificateStatus" : "");
1079 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1080 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1081 		return -1;
1082 	}
1083 
1084 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1085 
1086 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1087 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1088 			   "with the selected cipher suite");
1089 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1090 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1091 		return -1;
1092 	}
1093 
1094 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1095 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1096 	if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1097 		      suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1098 		if (tlsv1_process_diffie_hellman(conn, pos, len,
1099 						 suite->key_exchange) < 0) {
1100 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1101 				  TLS_ALERT_DECODE_ERROR);
1102 			return -1;
1103 		}
1104 	} else {
1105 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1106 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1107 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1108 		return -1;
1109 	}
1110 
1111 	*in_len = end - in_data;
1112 
1113 	conn->state = SERVER_CERTIFICATE_REQUEST;
1114 
1115 	return 0;
1116 }
1117 
1118 
1119 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1120 					   const u8 *in_data, size_t *in_len)
1121 {
1122 	const u8 *pos, *end;
1123 	size_t left, len;
1124 	u8 type;
1125 
1126 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1127 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1128 			   "received content type 0x%x", ct);
1129 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1130 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1131 		return -1;
1132 	}
1133 
1134 	pos = in_data;
1135 	left = *in_len;
1136 
1137 	if (left < 4) {
1138 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1139 			   "(left=%lu)", (unsigned long) left);
1140 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1141 		return -1;
1142 	}
1143 
1144 	type = *pos++;
1145 	len = WPA_GET_BE24(pos);
1146 	pos += 3;
1147 	left -= 4;
1148 
1149 	if (len > left) {
1150 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1151 			   "length (len=%lu != left=%lu)",
1152 			   (unsigned long) len, (unsigned long) left);
1153 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1154 		return -1;
1155 	}
1156 
1157 	end = pos + len;
1158 
1159 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1160 		return tls_process_server_hello_done(conn, ct, in_data,
1161 						     in_len);
1162 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1163 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1164 			   "message %d (expected CertificateRequest/"
1165 			   "ServerHelloDone)", type);
1166 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1167 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1168 		return -1;
1169 	}
1170 
1171 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1172 
1173 	conn->certificate_requested = 1;
1174 
1175 	*in_len = end - in_data;
1176 
1177 	conn->state = SERVER_HELLO_DONE;
1178 
1179 	return 0;
1180 }
1181 
1182 
1183 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1184 					 const u8 *in_data, size_t *in_len)
1185 {
1186 	const u8 *pos, *end;
1187 	size_t left, len;
1188 	u8 type;
1189 
1190 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1191 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1192 			   "received content type 0x%x", ct);
1193 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1194 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1195 		return -1;
1196 	}
1197 
1198 	pos = in_data;
1199 	left = *in_len;
1200 
1201 	if (left < 4) {
1202 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1203 			   "(left=%lu)", (unsigned long) left);
1204 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1205 		return -1;
1206 	}
1207 
1208 	type = *pos++;
1209 	len = WPA_GET_BE24(pos);
1210 	pos += 3;
1211 	left -= 4;
1212 
1213 	if (len > left) {
1214 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1215 			   "length (len=%lu != left=%lu)",
1216 			   (unsigned long) len, (unsigned long) left);
1217 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1218 		return -1;
1219 	}
1220 	end = pos + len;
1221 
1222 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1223 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1224 			   "message %d (expected ServerHelloDone)", type);
1225 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1226 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1227 		return -1;
1228 	}
1229 
1230 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1231 
1232 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1233 	    !conn->ocsp_resp_received) {
1234 		wpa_printf(MSG_INFO,
1235 			   "TLSv1: No OCSP response received - reject handshake");
1236 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1237 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1238 		return -1;
1239 	}
1240 
1241 	*in_len = end - in_data;
1242 
1243 	conn->state = CLIENT_KEY_EXCHANGE;
1244 
1245 	return 0;
1246 }
1247 
1248 
1249 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1250 						 u8 ct, const u8 *in_data,
1251 						 size_t *in_len)
1252 {
1253 	const u8 *pos;
1254 	size_t left;
1255 
1256 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1257 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1258 			   "received content type 0x%x", ct);
1259 		if (conn->use_session_ticket) {
1260 			int res;
1261 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1262 				   "rejected SessionTicket");
1263 			conn->use_session_ticket = 0;
1264 
1265 			/* Notify upper layers that SessionTicket failed */
1266 			res = conn->session_ticket_cb(
1267 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
1268 				NULL, NULL);
1269 			if (res < 0) {
1270 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1271 					   "callback indicated failure");
1272 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1273 					  TLS_ALERT_HANDSHAKE_FAILURE);
1274 				return -1;
1275 			}
1276 
1277 			conn->state = SERVER_CERTIFICATE;
1278 			return tls_process_certificate(conn, ct, in_data,
1279 						       in_len);
1280 		}
1281 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1282 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1283 		return -1;
1284 	}
1285 
1286 	pos = in_data;
1287 	left = *in_len;
1288 
1289 	if (left < 1) {
1290 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1291 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1292 		return -1;
1293 	}
1294 
1295 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1296 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1297 			   "received data 0x%x", *pos);
1298 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1299 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1300 		return -1;
1301 	}
1302 
1303 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1304 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1305 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1306 			   "for record layer");
1307 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1308 			  TLS_ALERT_INTERNAL_ERROR);
1309 		return -1;
1310 	}
1311 
1312 	*in_len = pos + 1 - in_data;
1313 
1314 	conn->state = SERVER_FINISHED;
1315 
1316 	return 0;
1317 }
1318 
1319 
1320 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1321 				       const u8 *in_data, size_t *in_len)
1322 {
1323 	const u8 *pos, *end;
1324 	size_t left, len, hlen;
1325 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1326 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1327 
1328 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1329 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1330 			   "received content type 0x%x", ct);
1331 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1332 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1333 		return -1;
1334 	}
1335 
1336 	pos = in_data;
1337 	left = *in_len;
1338 
1339 	if (left < 4) {
1340 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1341 			   "Finished",
1342 			   (unsigned long) left);
1343 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1344 			  TLS_ALERT_DECODE_ERROR);
1345 		return -1;
1346 	}
1347 
1348 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1349 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1350 			   "type 0x%x", pos[0]);
1351 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1352 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1353 		return -1;
1354 	}
1355 
1356 	len = WPA_GET_BE24(pos + 1);
1357 
1358 	pos += 4;
1359 	left -= 4;
1360 
1361 	if (len > left) {
1362 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1363 			   "(len=%lu > left=%lu)",
1364 			   (unsigned long) len, (unsigned long) left);
1365 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1366 			  TLS_ALERT_DECODE_ERROR);
1367 		return -1;
1368 	}
1369 	end = pos + len;
1370 	if (len != TLS_VERIFY_DATA_LEN) {
1371 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1372 			   "in Finished: %lu (expected %d)",
1373 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1374 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1375 			  TLS_ALERT_DECODE_ERROR);
1376 		return -1;
1377 	}
1378 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1379 		    pos, TLS_VERIFY_DATA_LEN);
1380 
1381 #ifdef CONFIG_TLSV12
1382 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1383 		hlen = SHA256_MAC_LEN;
1384 		if (conn->verify.sha256_server == NULL ||
1385 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1386 		    < 0) {
1387 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1388 				  TLS_ALERT_INTERNAL_ERROR);
1389 			conn->verify.sha256_server = NULL;
1390 			return -1;
1391 		}
1392 		conn->verify.sha256_server = NULL;
1393 	} else {
1394 #endif /* CONFIG_TLSV12 */
1395 
1396 	hlen = MD5_MAC_LEN;
1397 	if (conn->verify.md5_server == NULL ||
1398 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1399 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1400 			  TLS_ALERT_INTERNAL_ERROR);
1401 		conn->verify.md5_server = NULL;
1402 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1403 		conn->verify.sha1_server = NULL;
1404 		return -1;
1405 	}
1406 	conn->verify.md5_server = NULL;
1407 	hlen = SHA1_MAC_LEN;
1408 	if (conn->verify.sha1_server == NULL ||
1409 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1410 			       &hlen) < 0) {
1411 		conn->verify.sha1_server = NULL;
1412 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1413 			  TLS_ALERT_INTERNAL_ERROR);
1414 		return -1;
1415 	}
1416 	conn->verify.sha1_server = NULL;
1417 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1418 
1419 #ifdef CONFIG_TLSV12
1420 	}
1421 #endif /* CONFIG_TLSV12 */
1422 
1423 	if (tls_prf(conn->rl.tls_version,
1424 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1425 		    "server finished", hash, hlen,
1426 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1427 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1428 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1429 			  TLS_ALERT_DECRYPT_ERROR);
1430 		return -1;
1431 	}
1432 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1433 			verify_data, TLS_VERIFY_DATA_LEN);
1434 
1435 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1436 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1437 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1438 			  TLS_ALERT_DECRYPT_ERROR);
1439 		return -1;
1440 	}
1441 
1442 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1443 
1444 	*in_len = end - in_data;
1445 
1446 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1447 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
1448 
1449 	return 0;
1450 }
1451 
1452 
1453 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1454 					const u8 *in_data, size_t *in_len,
1455 					u8 **out_data, size_t *out_len)
1456 {
1457 	const u8 *pos;
1458 	size_t left;
1459 
1460 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1461 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1462 			   "received content type 0x%x", ct);
1463 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1464 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1465 		return -1;
1466 	}
1467 
1468 	pos = in_data;
1469 	left = *in_len;
1470 
1471 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1472 		    pos, left);
1473 
1474 	*out_data = os_malloc(left);
1475 	if (*out_data) {
1476 		os_memcpy(*out_data, pos, left);
1477 		*out_len = left;
1478 	}
1479 
1480 	return 0;
1481 }
1482 
1483 
1484 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1485 				   const u8 *buf, size_t *len,
1486 				   u8 **out_data, size_t *out_len)
1487 {
1488 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1489 		if (*len < 2) {
1490 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1491 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1492 				  TLS_ALERT_DECODE_ERROR);
1493 			return -1;
1494 		}
1495 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1496 			   buf[0], buf[1]);
1497 		*len = 2;
1498 		conn->state = FAILED;
1499 		return -1;
1500 	}
1501 
1502 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1503 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1504 		size_t hr_len = WPA_GET_BE24(buf + 1);
1505 		if (hr_len > *len - 4) {
1506 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1507 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1508 				  TLS_ALERT_DECODE_ERROR);
1509 			return -1;
1510 		}
1511 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1512 		*len = 4 + hr_len;
1513 		return 0;
1514 	}
1515 
1516 	switch (conn->state) {
1517 	case SERVER_HELLO:
1518 		if (tls_process_server_hello(conn, ct, buf, len))
1519 			return -1;
1520 		break;
1521 	case SERVER_CERTIFICATE:
1522 		if (tls_process_certificate(conn, ct, buf, len))
1523 			return -1;
1524 		break;
1525 	case SERVER_KEY_EXCHANGE:
1526 		if (tls_process_server_key_exchange(conn, ct, buf, len))
1527 			return -1;
1528 		break;
1529 	case SERVER_CERTIFICATE_REQUEST:
1530 		if (tls_process_certificate_request(conn, ct, buf, len))
1531 			return -1;
1532 		break;
1533 	case SERVER_HELLO_DONE:
1534 		if (tls_process_server_hello_done(conn, ct, buf, len))
1535 			return -1;
1536 		break;
1537 	case SERVER_CHANGE_CIPHER_SPEC:
1538 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1539 			return -1;
1540 		break;
1541 	case SERVER_FINISHED:
1542 		if (tls_process_server_finished(conn, ct, buf, len))
1543 			return -1;
1544 		break;
1545 	case ACK_FINISHED:
1546 		if (out_data &&
1547 		    tls_process_application_data(conn, ct, buf, len, out_data,
1548 						 out_len))
1549 			return -1;
1550 		break;
1551 	default:
1552 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1553 			   "while processing received message",
1554 			   conn->state);
1555 		return -1;
1556 	}
1557 
1558 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1559 		tls_verify_hash_add(&conn->verify, buf, *len);
1560 
1561 	return 0;
1562 }
1563