xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision 6966ac055c3b7a39266fb982493330df7a097997)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21 
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 					   const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 					   const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 					 const u8 *in_data, size_t *in_len);
28 
29 
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 	return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 		 ver == TLS_VERSION_1) ||
34 		((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 		 ver == TLS_VERSION_1_1) ||
36 		((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 		 ver == TLS_VERSION_1_2));
38 }
39 
40 
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 					       const u8 *pos, size_t len)
43 {
44 	const u8 *end = pos + len;
45 
46 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 		    pos, len);
48 	while (pos < end) {
49 		u16 ext, elen;
50 
51 		if (end - pos < 4) {
52 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 			return -1;
54 		}
55 
56 		ext = WPA_GET_BE16(pos);
57 		pos += 2;
58 		elen = WPA_GET_BE16(pos);
59 		pos += 2;
60 
61 		if (elen > end - pos) {
62 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 			return -1;
64 		}
65 
66 		wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 			   ext);
68 		wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 			    pos, elen);
70 
71 		pos += elen;
72 	}
73 
74 	return 0;
75 }
76 
77 
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 				    const u8 *in_data, size_t *in_len)
80 {
81 	const u8 *pos, *end;
82 	size_t left, len, i;
83 	u16 cipher_suite;
84 	u16 tls_version;
85 
86 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 			   "received content type 0x%x", ct);
89 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 			  TLS_ALERT_UNEXPECTED_MESSAGE);
91 		return -1;
92 	}
93 
94 	pos = in_data;
95 	left = *in_len;
96 
97 	if (left < 4)
98 		goto decode_error;
99 
100 	/* HandshakeType msg_type */
101 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 			   "message %d (expected ServerHello)", *pos);
104 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 			  TLS_ALERT_UNEXPECTED_MESSAGE);
106 		return -1;
107 	}
108 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 	pos++;
110 	/* uint24 length */
111 	len = WPA_GET_BE24(pos);
112 	pos += 3;
113 	left -= 4;
114 
115 	if (len > left)
116 		goto decode_error;
117 
118 	/* body - ServerHello */
119 
120 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 	end = pos + len;
122 
123 	/* ProtocolVersion server_version */
124 	if (end - pos < 2)
125 		goto decode_error;
126 	tls_version = WPA_GET_BE16(pos);
127 	if (!tls_version_ok(tls_version) ||
128 	    tls_version_disabled(conn, tls_version)) {
129 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 			   "ServerHello %u.%u", pos[0], pos[1]);
131 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 			  TLS_ALERT_PROTOCOL_VERSION);
133 		return -1;
134 	}
135 	pos += 2;
136 
137 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 		   tls_version_str(tls_version));
139 	conn->rl.tls_version = tls_version;
140 
141 	/* Random random */
142 	if (end - pos < TLS_RANDOM_LEN)
143 		goto decode_error;
144 
145 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 	pos += TLS_RANDOM_LEN;
147 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 		    conn->server_random, TLS_RANDOM_LEN);
149 
150 	/* SessionID session_id */
151 	if (end - pos < 1)
152 		goto decode_error;
153 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 		goto decode_error;
155 	if (conn->session_id_len && conn->session_id_len == *pos &&
156 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 		pos += 1 + conn->session_id_len;
158 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 		conn->session_resumed = 1;
160 	} else {
161 		conn->session_id_len = *pos;
162 		pos++;
163 		os_memcpy(conn->session_id, pos, conn->session_id_len);
164 		pos += conn->session_id_len;
165 	}
166 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 		    conn->session_id, conn->session_id_len);
168 
169 	/* CipherSuite cipher_suite */
170 	if (end - pos < 2)
171 		goto decode_error;
172 	cipher_suite = WPA_GET_BE16(pos);
173 	pos += 2;
174 	for (i = 0; i < conn->num_cipher_suites; i++) {
175 		if (cipher_suite == conn->cipher_suites[i])
176 			break;
177 	}
178 	if (i == conn->num_cipher_suites) {
179 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 			   "cipher suite 0x%04x", cipher_suite);
181 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 			  TLS_ALERT_ILLEGAL_PARAMETER);
183 		return -1;
184 	}
185 
186 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 			   "cipher suite for a resumed connection (0x%04x != "
189 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 			  TLS_ALERT_ILLEGAL_PARAMETER);
192 		return -1;
193 	}
194 
195 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 			   "record layer");
198 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 			  TLS_ALERT_INTERNAL_ERROR);
200 		return -1;
201 	}
202 
203 	conn->prev_cipher_suite = cipher_suite;
204 
205 	/* CompressionMethod compression_method */
206 	if (end - pos < 1)
207 		goto decode_error;
208 	if (*pos != TLS_COMPRESSION_NULL) {
209 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 			   "compression 0x%02x", *pos);
211 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 			  TLS_ALERT_ILLEGAL_PARAMETER);
213 		return -1;
214 	}
215 	pos++;
216 
217 	if (end - pos >= 2) {
218 		u16 ext_len;
219 
220 		ext_len = WPA_GET_BE16(pos);
221 		pos += 2;
222 		if (end - pos < ext_len) {
223 			wpa_printf(MSG_INFO,
224 				   "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 				   ext_len, (unsigned int) (end - pos));
226 			goto decode_error;
227 		}
228 
229 		if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 			goto decode_error;
231 		pos += ext_len;
232 	}
233 
234 	if (end != pos) {
235 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 			    "end of ServerHello", pos, end - pos);
237 		goto decode_error;
238 	}
239 
240 	if (conn->session_ticket_included && conn->session_ticket_cb) {
241 		/* TODO: include SessionTicket extension if one was included in
242 		 * ServerHello */
243 		int res = conn->session_ticket_cb(
244 			conn->session_ticket_cb_ctx, NULL, 0,
245 			conn->client_random, conn->server_random,
246 			conn->master_secret);
247 		if (res < 0) {
248 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 				   "indicated failure");
250 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 				  TLS_ALERT_HANDSHAKE_FAILURE);
252 			return -1;
253 		}
254 		conn->use_session_ticket = !!res;
255 	}
256 
257 	if ((conn->session_resumed || conn->use_session_ticket) &&
258 	    tls_derive_keys(conn, NULL, 0)) {
259 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 			  TLS_ALERT_INTERNAL_ERROR);
262 		return -1;
263 	}
264 
265 	*in_len = end - in_data;
266 
267 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269 
270 	return 0;
271 
272 decode_error:
273 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 	return -1;
276 }
277 
278 
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 				struct x509_certificate *cert)
281 {
282 	union tls_event_data ev;
283 	struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 	u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 	char subject[128];
288 
289 	if (!conn->event_cb)
290 		return;
291 
292 	os_memset(&ev, 0, sizeof(ev));
293 	if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 		cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 					     cert->cert_len);
296 		ev.peer_cert.cert = cert_buf;
297 	}
298 #ifdef CONFIG_SHA256
299 	if (cert_buf) {
300 		const u8 *addr[1];
301 		size_t len[1];
302 		addr[0] = wpabuf_head(cert_buf);
303 		len[0] = wpabuf_len(cert_buf);
304 		if (sha256_vector(1, addr, len, hash) == 0) {
305 			ev.peer_cert.hash = hash;
306 			ev.peer_cert.hash_len = sizeof(hash);
307 		}
308 	}
309 #endif /* CONFIG_SHA256 */
310 
311 	ev.peer_cert.depth = depth;
312 	x509_name_string(&cert->subject, subject, sizeof(subject));
313 	ev.peer_cert.subject = subject;
314 
315 	conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
316 	wpabuf_free(cert_buf);
317 }
318 
319 
320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
321 					 struct x509_certificate *cert,
322 					 enum tls_fail_reason reason,
323 					 const char *reason_txt)
324 {
325 	struct wpabuf *cert_buf = NULL;
326 	union tls_event_data ev;
327 	char subject[128];
328 
329 	if (!conn->event_cb || !cert)
330 		return;
331 
332 	os_memset(&ev, 0, sizeof(ev));
333 	ev.cert_fail.depth = depth;
334 	x509_name_string(&cert->subject, subject, sizeof(subject));
335 	ev.peer_cert.subject = subject;
336 	ev.cert_fail.reason = reason;
337 	ev.cert_fail.reason_txt = reason_txt;
338 	cert_buf = wpabuf_alloc_copy(cert->cert_start,
339 				     cert->cert_len);
340 	ev.cert_fail.cert = cert_buf;
341 	conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
342 	wpabuf_free(cert_buf);
343 }
344 
345 
346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
347 				   const u8 *in_data, size_t *in_len)
348 {
349 	const u8 *pos, *end;
350 	size_t left, len, list_len, cert_len, idx;
351 	u8 type;
352 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
353 	int reason;
354 
355 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
356 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
357 			   "received content type 0x%x", ct);
358 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 			  TLS_ALERT_UNEXPECTED_MESSAGE);
360 		return -1;
361 	}
362 
363 	pos = in_data;
364 	left = *in_len;
365 
366 	if (left < 4) {
367 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
368 			   "(len=%lu)", (unsigned long) left);
369 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
370 		return -1;
371 	}
372 
373 	type = *pos++;
374 	len = WPA_GET_BE24(pos);
375 	pos += 3;
376 	left -= 4;
377 
378 	if (len > left) {
379 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
380 			   "length (len=%lu != left=%lu)",
381 			   (unsigned long) len, (unsigned long) left);
382 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
383 		return -1;
384 	}
385 
386 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
387 		return tls_process_server_key_exchange(conn, ct, in_data,
388 						       in_len);
389 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
390 		return tls_process_certificate_request(conn, ct, in_data,
391 						       in_len);
392 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
393 		return tls_process_server_hello_done(conn, ct, in_data,
394 						     in_len);
395 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
396 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
397 			   "message %d (expected Certificate/"
398 			   "ServerKeyExchange/CertificateRequest/"
399 			   "ServerHelloDone)", type);
400 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
401 			  TLS_ALERT_UNEXPECTED_MESSAGE);
402 		return -1;
403 	}
404 
405 	wpa_printf(MSG_DEBUG,
406 		   "TLSv1: Received Certificate (certificate_list len %lu)",
407 		   (unsigned long) len);
408 
409 	/*
410 	 * opaque ASN.1Cert<2^24-1>;
411 	 *
412 	 * struct {
413 	 *     ASN.1Cert certificate_list<1..2^24-1>;
414 	 * } Certificate;
415 	 */
416 
417 	end = pos + len;
418 
419 	if (end - pos < 3) {
420 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
421 			   "(left=%lu)", (unsigned long) left);
422 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
423 		return -1;
424 	}
425 
426 	list_len = WPA_GET_BE24(pos);
427 	pos += 3;
428 
429 	if ((size_t) (end - pos) != list_len) {
430 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
431 			   "length (len=%lu left=%lu)",
432 			   (unsigned long) list_len,
433 			   (unsigned long) (end - pos));
434 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
435 		return -1;
436 	}
437 
438 	idx = 0;
439 	while (pos < end) {
440 		if (end - pos < 3) {
441 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
442 				   "certificate_list");
443 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
444 				  TLS_ALERT_DECODE_ERROR);
445 			x509_certificate_chain_free(chain);
446 			return -1;
447 		}
448 
449 		cert_len = WPA_GET_BE24(pos);
450 		pos += 3;
451 
452 		if ((size_t) (end - pos) < cert_len) {
453 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
454 				   "length (len=%lu left=%lu)",
455 				   (unsigned long) cert_len,
456 				   (unsigned long) (end - pos));
457 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 				  TLS_ALERT_DECODE_ERROR);
459 			x509_certificate_chain_free(chain);
460 			return -1;
461 		}
462 
463 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
464 			   (unsigned long) idx, (unsigned long) cert_len);
465 
466 		if (idx == 0) {
467 			crypto_public_key_free(conn->server_rsa_key);
468 			if (tls_parse_cert(pos, cert_len,
469 					   &conn->server_rsa_key)) {
470 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
471 					   "the certificate");
472 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 					  TLS_ALERT_BAD_CERTIFICATE);
474 				x509_certificate_chain_free(chain);
475 				return -1;
476 			}
477 		}
478 
479 		cert = x509_certificate_parse(pos, cert_len);
480 		if (cert == NULL) {
481 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
482 				   "the certificate");
483 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 				  TLS_ALERT_BAD_CERTIFICATE);
485 			x509_certificate_chain_free(chain);
486 			return -1;
487 		}
488 
489 		tls_peer_cert_event(conn, idx, cert);
490 
491 		if (last == NULL)
492 			chain = cert;
493 		else
494 			last->next = cert;
495 		last = cert;
496 
497 		idx++;
498 		pos += cert_len;
499 	}
500 
501 	if (conn->cred && conn->cred->server_cert_only && chain) {
502 		u8 hash[SHA256_MAC_LEN];
503 		char buf[128];
504 
505 		wpa_printf(MSG_DEBUG,
506 			   "TLSv1: Validate server certificate hash");
507 		x509_name_string(&chain->subject, buf, sizeof(buf));
508 		wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
509 		if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
510 				  hash) < 0 ||
511 		    os_memcmp(conn->cred->srv_cert_hash, hash,
512 			      SHA256_MAC_LEN) != 0) {
513 			wpa_printf(MSG_DEBUG,
514 				   "TLSv1: Server certificate hash mismatch");
515 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
516 				    hash, SHA256_MAC_LEN);
517 			if (conn->event_cb) {
518 				union tls_event_data ev;
519 
520 				os_memset(&ev, 0, sizeof(ev));
521 				ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
522 				ev.cert_fail.reason_txt =
523 					"Server certificate mismatch";
524 				ev.cert_fail.subject = buf;
525 				conn->event_cb(conn->cb_ctx,
526 					       TLS_CERT_CHAIN_FAILURE, &ev);
527 			}
528 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 				  TLS_ALERT_BAD_CERTIFICATE);
530 			x509_certificate_chain_free(chain);
531 			return -1;
532 		}
533 	} else if (conn->cred && conn->cred->cert_probe) {
534 		wpa_printf(MSG_DEBUG,
535 			   "TLSv1: Reject server certificate on probe-only rune");
536 		if (conn->event_cb) {
537 			union tls_event_data ev;
538 			char buf[128];
539 
540 			os_memset(&ev, 0, sizeof(ev));
541 			ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
542 			ev.cert_fail.reason_txt =
543 				"Server certificate chain probe";
544 			if (chain) {
545 				x509_name_string(&chain->subject, buf,
546 						 sizeof(buf));
547 				ev.cert_fail.subject = buf;
548 			}
549 			conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
550 				       &ev);
551 		}
552 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 			  TLS_ALERT_BAD_CERTIFICATE);
554 		x509_certificate_chain_free(chain);
555 		return -1;
556 	} else if (conn->cred && conn->cred->ca_cert_verify &&
557 		   x509_certificate_chain_validate(
558 			   conn->cred->trusted_certs, chain, &reason,
559 			   !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
560 		   < 0) {
561 		int tls_reason;
562 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
563 			   "validation failed (reason=%d)", reason);
564 		switch (reason) {
565 		case X509_VALIDATE_BAD_CERTIFICATE:
566 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
567 			tls_cert_chain_failure_event(
568 				conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
569 				"bad certificate");
570 			break;
571 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
572 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
573 			break;
574 		case X509_VALIDATE_CERTIFICATE_REVOKED:
575 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
576 			tls_cert_chain_failure_event(
577 				conn, 0, chain, TLS_FAIL_REVOKED,
578 				"certificate revoked");
579 			break;
580 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
581 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
582 			tls_cert_chain_failure_event(
583 				conn, 0, chain, TLS_FAIL_EXPIRED,
584 				"certificate has expired or is not yet valid");
585 			break;
586 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
587 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
588 			break;
589 		case X509_VALIDATE_UNKNOWN_CA:
590 			tls_reason = TLS_ALERT_UNKNOWN_CA;
591 			tls_cert_chain_failure_event(
592 				conn, 0, chain, TLS_FAIL_UNTRUSTED,
593 				"unknown CA");
594 			break;
595 		default:
596 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
597 			break;
598 		}
599 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
600 		x509_certificate_chain_free(chain);
601 		return -1;
602 	}
603 
604 	if (conn->cred && !conn->cred->server_cert_only && chain &&
605 	    (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
606 	    !(chain->ext_key_usage &
607 	      (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
608 		tls_cert_chain_failure_event(
609 			conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
610 			"certificate not allowed for server authentication");
611 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 			  TLS_ALERT_BAD_CERTIFICATE);
613 		x509_certificate_chain_free(chain);
614 		return -1;
615 	}
616 
617 	if (conn->flags & TLS_CONN_REQUEST_OCSP) {
618 		x509_certificate_chain_free(conn->server_cert);
619 		conn->server_cert = chain;
620 	} else {
621 		x509_certificate_chain_free(chain);
622 	}
623 
624 	*in_len = end - in_data;
625 
626 	conn->state = SERVER_KEY_EXCHANGE;
627 
628 	return 0;
629 }
630 
631 
632 static unsigned int count_bits(const u8 *val, size_t len)
633 {
634 	size_t i;
635 	unsigned int bits;
636 	u8 tmp;
637 
638 	for (i = 0; i < len; i++) {
639 		if (val[i])
640 			break;
641 	}
642 	if (i == len)
643 		return 0;
644 
645 	bits = (len - i - 1) * 8;
646 	tmp = val[i];
647 	while (tmp) {
648 		bits++;
649 		tmp >>= 1;
650 	}
651 
652 	return bits;
653 }
654 
655 
656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
657 					const u8 *buf, size_t len,
658 					tls_key_exchange key_exchange)
659 {
660 	const u8 *pos, *end, *server_params, *server_params_end;
661 	u8 alert;
662 	unsigned int bits;
663 	u16 val;
664 
665 	tlsv1_client_free_dh(conn);
666 
667 	pos = buf;
668 	end = buf + len;
669 
670 	if (end - pos < 3)
671 		goto fail;
672 	server_params = pos;
673 	val = WPA_GET_BE16(pos);
674 	pos += 2;
675 	if (val == 0 || val > (size_t) (end - pos)) {
676 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
677 		goto fail;
678 	}
679 	conn->dh_p_len = val;
680 	bits = count_bits(pos, conn->dh_p_len);
681 	if (bits < 768) {
682 		wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
683 			   bits);
684 		wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
685 			    pos, conn->dh_p_len);
686 		goto fail;
687 	}
688 	conn->dh_p = os_memdup(pos, conn->dh_p_len);
689 	if (conn->dh_p == NULL)
690 		goto fail;
691 	pos += conn->dh_p_len;
692 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
693 		    conn->dh_p, conn->dh_p_len);
694 
695 	if (end - pos < 3)
696 		goto fail;
697 	val = WPA_GET_BE16(pos);
698 	pos += 2;
699 	if (val == 0 || val > (size_t) (end - pos))
700 		goto fail;
701 	conn->dh_g_len = val;
702 	conn->dh_g = os_memdup(pos, conn->dh_g_len);
703 	if (conn->dh_g == NULL)
704 		goto fail;
705 	pos += conn->dh_g_len;
706 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
707 		    conn->dh_g, conn->dh_g_len);
708 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
709 		goto fail;
710 
711 	if (end - pos < 3)
712 		goto fail;
713 	val = WPA_GET_BE16(pos);
714 	pos += 2;
715 	if (val == 0 || val > (size_t) (end - pos))
716 		goto fail;
717 	conn->dh_ys_len = val;
718 	conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
719 	if (conn->dh_ys == NULL)
720 		goto fail;
721 	pos += conn->dh_ys_len;
722 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
723 		    conn->dh_ys, conn->dh_ys_len);
724 	server_params_end = pos;
725 
726 	if (key_exchange == TLS_KEY_X_DHE_RSA) {
727 		u8 hash[64];
728 		int hlen;
729 
730 		if (conn->rl.tls_version == TLS_VERSION_1_2) {
731 #ifdef CONFIG_TLSV12
732 			/*
733 			 * RFC 5246, 4.7:
734 			 * TLS v1.2 adds explicit indication of the used
735 			 * signature and hash algorithms.
736 			 *
737 			 * struct {
738 			 *   HashAlgorithm hash;
739 			 *   SignatureAlgorithm signature;
740 			 * } SignatureAndHashAlgorithm;
741 			 */
742 			if (end - pos < 2)
743 				goto fail;
744 			if ((pos[0] != TLS_HASH_ALG_SHA256 &&
745 			     pos[0] != TLS_HASH_ALG_SHA384 &&
746 			     pos[0] != TLS_HASH_ALG_SHA512) ||
747 			    pos[1] != TLS_SIGN_ALG_RSA) {
748 				wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
749 					   pos[0], pos[1]);
750 				goto fail;
751 			}
752 
753 			hlen = tlsv12_key_x_server_params_hash(
754 				conn->rl.tls_version, pos[0],
755 				conn->client_random,
756 				conn->server_random, server_params,
757 				server_params_end - server_params, hash);
758 			pos += 2;
759 #else /* CONFIG_TLSV12 */
760 			goto fail;
761 #endif /* CONFIG_TLSV12 */
762 		} else {
763 			hlen = tls_key_x_server_params_hash(
764 				conn->rl.tls_version, conn->client_random,
765 				conn->server_random, server_params,
766 				server_params_end - server_params, hash);
767 		}
768 
769 		if (hlen < 0)
770 			goto fail;
771 		wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
772 			    hash, hlen);
773 
774 		if (tls_verify_signature(conn->rl.tls_version,
775 					 conn->server_rsa_key,
776 					 hash, hlen, pos, end - pos,
777 					 &alert) < 0)
778 			goto fail;
779 	}
780 
781 	return 0;
782 
783 fail:
784 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
785 	tlsv1_client_free_dh(conn);
786 	return -1;
787 }
788 
789 
790 static enum tls_ocsp_result
791 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
792 					     const u8 *pos, size_t len)
793 {
794 	const u8 *end = pos + len;
795 	u32 ocsp_resp_len;
796 
797 	/* opaque OCSPResponse<1..2^24-1>; */
798 	if (end - pos < 3) {
799 		wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
800 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
801 		return TLS_OCSP_INVALID;
802 	}
803 	ocsp_resp_len = WPA_GET_BE24(pos);
804 	pos += 3;
805 	if (end - pos < ocsp_resp_len) {
806 		wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
807 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
808 		return TLS_OCSP_INVALID;
809 	}
810 
811 	return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
812 }
813 
814 
815 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
816 					   const u8 *in_data, size_t *in_len)
817 {
818 	const u8 *pos, *end;
819 	size_t left, len;
820 	u8 type, status_type;
821 	enum tls_ocsp_result res;
822 	struct x509_certificate *cert;
823 	int depth;
824 
825 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
826 		wpa_printf(MSG_DEBUG,
827 			   "TLSv1: Expected Handshake; received content type 0x%x",
828 			   ct);
829 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
830 			  TLS_ALERT_UNEXPECTED_MESSAGE);
831 		return -1;
832 	}
833 
834 	pos = in_data;
835 	left = *in_len;
836 
837 	if (left < 4) {
838 		wpa_printf(MSG_DEBUG,
839 			   "TLSv1: Too short CertificateStatus (left=%lu)",
840 			   (unsigned long) left);
841 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
842 		return -1;
843 	}
844 
845 	type = *pos++;
846 	len = WPA_GET_BE24(pos);
847 	pos += 3;
848 	left -= 4;
849 
850 	if (len > left) {
851 		wpa_printf(MSG_DEBUG,
852 			   "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
853 			   (unsigned long) len, (unsigned long) left);
854 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
855 		return -1;
856 	}
857 
858 	end = pos + len;
859 
860 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
861 		wpa_printf(MSG_DEBUG,
862 			   "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
863 			   type);
864 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
865 			  TLS_ALERT_UNEXPECTED_MESSAGE);
866 		return -1;
867 	}
868 
869 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
870 
871 	/*
872 	 * struct {
873 	 *     CertificateStatusType status_type;
874 	 *     select (status_type) {
875 	 *         case ocsp: OCSPResponse;
876 	 *         case ocsp_multi: OCSPResponseList;
877 	 *     } response;
878 	 * } CertificateStatus;
879 	 */
880 	if (end - pos < 1) {
881 		wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
882 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
883 		return -1;
884 	}
885 	status_type = *pos++;
886 	wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
887 		   status_type);
888 
889 	if (status_type == 1 /* ocsp */) {
890 		res = tls_process_certificate_status_ocsp_response(
891 			conn, pos, end - pos);
892 	} else if (status_type == 2 /* ocsp_multi */) {
893 		int good = 0, revoked = 0;
894 		u32 resp_len;
895 
896 		res = TLS_OCSP_NO_RESPONSE;
897 
898 		/*
899 		 * opaque OCSPResponse<0..2^24-1>;
900 		 *
901 		 * struct {
902 		 *   OCSPResponse ocsp_response_list<1..2^24-1>;
903 		 * } OCSPResponseList;
904 		 */
905 		if (end - pos < 3) {
906 			wpa_printf(MSG_DEBUG,
907 				   "TLSv1: Truncated OCSPResponseList");
908 			res = TLS_OCSP_INVALID;
909 			goto done;
910 		}
911 		resp_len = WPA_GET_BE24(pos);
912 		pos += 3;
913 		if (end - pos < resp_len) {
914 			wpa_printf(MSG_DEBUG,
915 				   "TLSv1: Truncated OCSPResponseList(len=%u)",
916 				   resp_len);
917 			res = TLS_OCSP_INVALID;
918 			goto done;
919 		}
920 		end = pos + resp_len;
921 
922 		while (end - pos >= 3) {
923 			resp_len = WPA_GET_BE24(pos);
924 			pos += 3;
925 			if (resp_len > end - pos) {
926 				wpa_printf(MSG_DEBUG,
927 					   "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
928 					   resp_len, (int) (end - pos));
929 				res = TLS_OCSP_INVALID;
930 				break;
931 			}
932 			if (!resp_len)
933 				continue; /* Skip an empty response */
934 			res = tls_process_certificate_status_ocsp_response(
935 				conn, pos - 3, resp_len + 3);
936 			if (res == TLS_OCSP_REVOKED)
937 				revoked++;
938 			else if (res == TLS_OCSP_GOOD)
939 				good++;
940 			pos += resp_len;
941 		}
942 
943 		if (revoked)
944 			res = TLS_OCSP_REVOKED;
945 		else if (good)
946 			res = TLS_OCSP_GOOD;
947 	} else {
948 		wpa_printf(MSG_DEBUG,
949 			   "TLSv1: Ignore unsupported CertificateStatus");
950 		goto skip;
951 	}
952 
953 done:
954 	if (res == TLS_OCSP_REVOKED) {
955 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
956 			  TLS_ALERT_CERTIFICATE_REVOKED);
957 		for (cert = conn->server_cert, depth = 0; cert;
958 		     cert = cert->next, depth++) {
959 			if (cert->ocsp_revoked) {
960 				tls_cert_chain_failure_event(
961 					conn, depth, cert, TLS_FAIL_REVOKED,
962 					"certificate revoked");
963 			}
964 		}
965 		return -1;
966 	}
967 
968 	if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
969 		/*
970 		 * Verify that each certificate on the chain that is not part
971 		 * of the trusted certificates has a good status. If not,
972 		 * terminate handshake.
973 		 */
974 		for (cert = conn->server_cert, depth = 0; cert;
975 		     cert = cert->next, depth++) {
976 			if (!cert->ocsp_good) {
977 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
978 					  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
979 				tls_cert_chain_failure_event(
980 					conn, depth, cert,
981 					TLS_FAIL_UNSPECIFIED,
982 					"bad certificate status response");
983 				return -1;
984 			}
985 			if (cert->issuer_trusted)
986 				break;
987 		}
988 	}
989 
990 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
991 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 			  res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
993 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
994 		if (conn->server_cert)
995 			tls_cert_chain_failure_event(
996 				conn, 0, conn->server_cert,
997 				TLS_FAIL_UNSPECIFIED,
998 				"bad certificate status response");
999 		return -1;
1000 	}
1001 
1002 	conn->ocsp_resp_received = 1;
1003 
1004 skip:
1005 	*in_len = end - in_data;
1006 
1007 	conn->state = SERVER_KEY_EXCHANGE;
1008 
1009 	return 0;
1010 }
1011 
1012 
1013 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1014 					   const u8 *in_data, size_t *in_len)
1015 {
1016 	const u8 *pos, *end;
1017 	size_t left, len;
1018 	u8 type;
1019 	const struct tls_cipher_suite *suite;
1020 
1021 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1022 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1023 			   "received content type 0x%x", ct);
1024 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1026 		return -1;
1027 	}
1028 
1029 	pos = in_data;
1030 	left = *in_len;
1031 
1032 	if (left < 4) {
1033 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1034 			   "(Left=%lu)", (unsigned long) left);
1035 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1036 		return -1;
1037 	}
1038 
1039 	type = *pos++;
1040 	len = WPA_GET_BE24(pos);
1041 	pos += 3;
1042 	left -= 4;
1043 
1044 	if (len > left) {
1045 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1046 			   "length (len=%lu != left=%lu)",
1047 			   (unsigned long) len, (unsigned long) left);
1048 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1049 		return -1;
1050 	}
1051 
1052 	end = pos + len;
1053 
1054 	if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1055 	    type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1056 		return tls_process_certificate_status(conn, ct, in_data,
1057 						      in_len);
1058 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1059 		return tls_process_certificate_request(conn, ct, in_data,
1060 						       in_len);
1061 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1062 		return tls_process_server_hello_done(conn, ct, in_data,
1063 						     in_len);
1064 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1065 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1066 			   "message %d (expected ServerKeyExchange/"
1067 			   "CertificateRequest/ServerHelloDone%s)", type,
1068 			   (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1069 			   "/CertificateStatus" : "");
1070 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1071 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1072 		return -1;
1073 	}
1074 
1075 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1076 
1077 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1078 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1079 			   "with the selected cipher suite");
1080 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1081 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1082 		return -1;
1083 	}
1084 
1085 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1086 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1087 	if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1088 		      suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1089 		if (tlsv1_process_diffie_hellman(conn, pos, len,
1090 						 suite->key_exchange) < 0) {
1091 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092 				  TLS_ALERT_DECODE_ERROR);
1093 			return -1;
1094 		}
1095 	} else {
1096 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1097 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1098 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1099 		return -1;
1100 	}
1101 
1102 	*in_len = end - in_data;
1103 
1104 	conn->state = SERVER_CERTIFICATE_REQUEST;
1105 
1106 	return 0;
1107 }
1108 
1109 
1110 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1111 					   const u8 *in_data, size_t *in_len)
1112 {
1113 	const u8 *pos, *end;
1114 	size_t left, len;
1115 	u8 type;
1116 
1117 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1118 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1119 			   "received content type 0x%x", ct);
1120 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1121 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1122 		return -1;
1123 	}
1124 
1125 	pos = in_data;
1126 	left = *in_len;
1127 
1128 	if (left < 4) {
1129 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1130 			   "(left=%lu)", (unsigned long) left);
1131 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1132 		return -1;
1133 	}
1134 
1135 	type = *pos++;
1136 	len = WPA_GET_BE24(pos);
1137 	pos += 3;
1138 	left -= 4;
1139 
1140 	if (len > left) {
1141 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1142 			   "length (len=%lu != left=%lu)",
1143 			   (unsigned long) len, (unsigned long) left);
1144 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1145 		return -1;
1146 	}
1147 
1148 	end = pos + len;
1149 
1150 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1151 		return tls_process_server_hello_done(conn, ct, in_data,
1152 						     in_len);
1153 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1154 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1155 			   "message %d (expected CertificateRequest/"
1156 			   "ServerHelloDone)", type);
1157 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1159 		return -1;
1160 	}
1161 
1162 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1163 
1164 	conn->certificate_requested = 1;
1165 
1166 	*in_len = end - in_data;
1167 
1168 	conn->state = SERVER_HELLO_DONE;
1169 
1170 	return 0;
1171 }
1172 
1173 
1174 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1175 					 const u8 *in_data, size_t *in_len)
1176 {
1177 	const u8 *pos, *end;
1178 	size_t left, len;
1179 	u8 type;
1180 
1181 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1182 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1183 			   "received content type 0x%x", ct);
1184 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1185 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1186 		return -1;
1187 	}
1188 
1189 	pos = in_data;
1190 	left = *in_len;
1191 
1192 	if (left < 4) {
1193 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1194 			   "(left=%lu)", (unsigned long) left);
1195 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1196 		return -1;
1197 	}
1198 
1199 	type = *pos++;
1200 	len = WPA_GET_BE24(pos);
1201 	pos += 3;
1202 	left -= 4;
1203 
1204 	if (len > left) {
1205 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1206 			   "length (len=%lu != left=%lu)",
1207 			   (unsigned long) len, (unsigned long) left);
1208 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1209 		return -1;
1210 	}
1211 	end = pos + len;
1212 
1213 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1214 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1215 			   "message %d (expected ServerHelloDone)", type);
1216 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1217 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1218 		return -1;
1219 	}
1220 
1221 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1222 
1223 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1224 	    !conn->ocsp_resp_received) {
1225 		wpa_printf(MSG_INFO,
1226 			   "TLSv1: No OCSP response received - reject handshake");
1227 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1228 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1229 		return -1;
1230 	}
1231 
1232 	*in_len = end - in_data;
1233 
1234 	conn->state = CLIENT_KEY_EXCHANGE;
1235 
1236 	return 0;
1237 }
1238 
1239 
1240 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1241 						 u8 ct, const u8 *in_data,
1242 						 size_t *in_len)
1243 {
1244 	const u8 *pos;
1245 	size_t left;
1246 
1247 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1248 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1249 			   "received content type 0x%x", ct);
1250 		if (conn->use_session_ticket) {
1251 			int res;
1252 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1253 				   "rejected SessionTicket");
1254 			conn->use_session_ticket = 0;
1255 
1256 			/* Notify upper layers that SessionTicket failed */
1257 			res = conn->session_ticket_cb(
1258 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
1259 				NULL, NULL);
1260 			if (res < 0) {
1261 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1262 					   "callback indicated failure");
1263 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1264 					  TLS_ALERT_HANDSHAKE_FAILURE);
1265 				return -1;
1266 			}
1267 
1268 			conn->state = SERVER_CERTIFICATE;
1269 			return tls_process_certificate(conn, ct, in_data,
1270 						       in_len);
1271 		}
1272 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1273 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1274 		return -1;
1275 	}
1276 
1277 	pos = in_data;
1278 	left = *in_len;
1279 
1280 	if (left < 1) {
1281 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1282 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1283 		return -1;
1284 	}
1285 
1286 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1287 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1288 			   "received data 0x%x", *pos);
1289 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1290 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1291 		return -1;
1292 	}
1293 
1294 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1295 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1296 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1297 			   "for record layer");
1298 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1299 			  TLS_ALERT_INTERNAL_ERROR);
1300 		return -1;
1301 	}
1302 
1303 	*in_len = pos + 1 - in_data;
1304 
1305 	conn->state = SERVER_FINISHED;
1306 
1307 	return 0;
1308 }
1309 
1310 
1311 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1312 				       const u8 *in_data, size_t *in_len)
1313 {
1314 	const u8 *pos, *end;
1315 	size_t left, len, hlen;
1316 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1317 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1318 
1319 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1320 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1321 			   "received content type 0x%x", ct);
1322 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1323 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1324 		return -1;
1325 	}
1326 
1327 	pos = in_data;
1328 	left = *in_len;
1329 
1330 	if (left < 4) {
1331 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1332 			   "Finished",
1333 			   (unsigned long) left);
1334 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1335 			  TLS_ALERT_DECODE_ERROR);
1336 		return -1;
1337 	}
1338 
1339 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1340 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1341 			   "type 0x%x", pos[0]);
1342 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1343 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1344 		return -1;
1345 	}
1346 
1347 	len = WPA_GET_BE24(pos + 1);
1348 
1349 	pos += 4;
1350 	left -= 4;
1351 
1352 	if (len > left) {
1353 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1354 			   "(len=%lu > left=%lu)",
1355 			   (unsigned long) len, (unsigned long) left);
1356 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1357 			  TLS_ALERT_DECODE_ERROR);
1358 		return -1;
1359 	}
1360 	end = pos + len;
1361 	if (len != TLS_VERIFY_DATA_LEN) {
1362 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1363 			   "in Finished: %lu (expected %d)",
1364 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1365 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1366 			  TLS_ALERT_DECODE_ERROR);
1367 		return -1;
1368 	}
1369 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1370 		    pos, TLS_VERIFY_DATA_LEN);
1371 
1372 #ifdef CONFIG_TLSV12
1373 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1374 		hlen = SHA256_MAC_LEN;
1375 		if (conn->verify.sha256_server == NULL ||
1376 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1377 		    < 0) {
1378 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1379 				  TLS_ALERT_INTERNAL_ERROR);
1380 			conn->verify.sha256_server = NULL;
1381 			return -1;
1382 		}
1383 		conn->verify.sha256_server = NULL;
1384 	} else {
1385 #endif /* CONFIG_TLSV12 */
1386 
1387 	hlen = MD5_MAC_LEN;
1388 	if (conn->verify.md5_server == NULL ||
1389 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1390 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1391 			  TLS_ALERT_INTERNAL_ERROR);
1392 		conn->verify.md5_server = NULL;
1393 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1394 		conn->verify.sha1_server = NULL;
1395 		return -1;
1396 	}
1397 	conn->verify.md5_server = NULL;
1398 	hlen = SHA1_MAC_LEN;
1399 	if (conn->verify.sha1_server == NULL ||
1400 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1401 			       &hlen) < 0) {
1402 		conn->verify.sha1_server = NULL;
1403 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1404 			  TLS_ALERT_INTERNAL_ERROR);
1405 		return -1;
1406 	}
1407 	conn->verify.sha1_server = NULL;
1408 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1409 
1410 #ifdef CONFIG_TLSV12
1411 	}
1412 #endif /* CONFIG_TLSV12 */
1413 
1414 	if (tls_prf(conn->rl.tls_version,
1415 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1416 		    "server finished", hash, hlen,
1417 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1418 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1419 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1420 			  TLS_ALERT_DECRYPT_ERROR);
1421 		return -1;
1422 	}
1423 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1424 			verify_data, TLS_VERIFY_DATA_LEN);
1425 
1426 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1427 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1428 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1429 			  TLS_ALERT_DECRYPT_ERROR);
1430 		return -1;
1431 	}
1432 
1433 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1434 
1435 	*in_len = end - in_data;
1436 
1437 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1438 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
1439 
1440 	return 0;
1441 }
1442 
1443 
1444 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1445 					const u8 *in_data, size_t *in_len,
1446 					u8 **out_data, size_t *out_len)
1447 {
1448 	const u8 *pos;
1449 	size_t left;
1450 
1451 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1452 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1453 			   "received content type 0x%x", ct);
1454 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1455 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1456 		return -1;
1457 	}
1458 
1459 	pos = in_data;
1460 	left = *in_len;
1461 
1462 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1463 		    pos, left);
1464 
1465 	*out_data = os_malloc(left);
1466 	if (*out_data) {
1467 		os_memcpy(*out_data, pos, left);
1468 		*out_len = left;
1469 	}
1470 
1471 	return 0;
1472 }
1473 
1474 
1475 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1476 				   const u8 *buf, size_t *len,
1477 				   u8 **out_data, size_t *out_len)
1478 {
1479 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1480 		if (*len < 2) {
1481 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1482 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1483 				  TLS_ALERT_DECODE_ERROR);
1484 			return -1;
1485 		}
1486 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1487 			   buf[0], buf[1]);
1488 		*len = 2;
1489 		conn->state = FAILED;
1490 		return -1;
1491 	}
1492 
1493 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1494 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1495 		size_t hr_len = WPA_GET_BE24(buf + 1);
1496 		if (hr_len > *len - 4) {
1497 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1498 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1499 				  TLS_ALERT_DECODE_ERROR);
1500 			return -1;
1501 		}
1502 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1503 		*len = 4 + hr_len;
1504 		return 0;
1505 	}
1506 
1507 	switch (conn->state) {
1508 	case SERVER_HELLO:
1509 		if (tls_process_server_hello(conn, ct, buf, len))
1510 			return -1;
1511 		break;
1512 	case SERVER_CERTIFICATE:
1513 		if (tls_process_certificate(conn, ct, buf, len))
1514 			return -1;
1515 		break;
1516 	case SERVER_KEY_EXCHANGE:
1517 		if (tls_process_server_key_exchange(conn, ct, buf, len))
1518 			return -1;
1519 		break;
1520 	case SERVER_CERTIFICATE_REQUEST:
1521 		if (tls_process_certificate_request(conn, ct, buf, len))
1522 			return -1;
1523 		break;
1524 	case SERVER_HELLO_DONE:
1525 		if (tls_process_server_hello_done(conn, ct, buf, len))
1526 			return -1;
1527 		break;
1528 	case SERVER_CHANGE_CIPHER_SPEC:
1529 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1530 			return -1;
1531 		break;
1532 	case SERVER_FINISHED:
1533 		if (tls_process_server_finished(conn, ct, buf, len))
1534 			return -1;
1535 		break;
1536 	case ACK_FINISHED:
1537 		if (out_data &&
1538 		    tls_process_application_data(conn, ct, buf, len, out_data,
1539 						 out_len))
1540 			return -1;
1541 		break;
1542 	default:
1543 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1544 			   "while processing received message",
1545 			   conn->state);
1546 		return -1;
1547 	}
1548 
1549 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1550 		tls_verify_hash_add(&conn->verify, buf, *len);
1551 
1552 	return 0;
1553 }
1554