1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver) 31 { 32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 33 ver == TLS_VERSION_1) || 34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 35 ver == TLS_VERSION_1_1) || 36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 37 ver == TLS_VERSION_1_2)); 38 } 39 40 41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn, 42 const u8 *pos, size_t len) 43 { 44 const u8 *end = pos + len; 45 46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions", 47 pos, len); 48 while (pos < end) { 49 u16 ext, elen; 50 51 if (end - pos < 4) { 52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header"); 53 return -1; 54 } 55 56 ext = WPA_GET_BE16(pos); 57 pos += 2; 58 elen = WPA_GET_BE16(pos); 59 pos += 2; 60 61 if (elen > end - pos) { 62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension"); 63 return -1; 64 } 65 66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u", 67 ext); 68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data", 69 pos, elen); 70 71 pos += elen; 72 } 73 74 return 0; 75 } 76 77 78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 79 const u8 *in_data, size_t *in_len) 80 { 81 const u8 *pos, *end; 82 size_t left, len, i; 83 u16 cipher_suite; 84 u16 tls_version; 85 86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 88 "received content type 0x%x", ct); 89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 90 TLS_ALERT_UNEXPECTED_MESSAGE); 91 return -1; 92 } 93 94 pos = in_data; 95 left = *in_len; 96 97 if (left < 4) 98 goto decode_error; 99 100 /* HandshakeType msg_type */ 101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 103 "message %d (expected ServerHello)", *pos); 104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 105 TLS_ALERT_UNEXPECTED_MESSAGE); 106 return -1; 107 } 108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 109 pos++; 110 /* uint24 length */ 111 len = WPA_GET_BE24(pos); 112 pos += 3; 113 left -= 4; 114 115 if (len > left) 116 goto decode_error; 117 118 /* body - ServerHello */ 119 120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 121 end = pos + len; 122 123 /* ProtocolVersion server_version */ 124 if (end - pos < 2) 125 goto decode_error; 126 tls_version = WPA_GET_BE16(pos); 127 if (!tls_version_ok(tls_version) || 128 tls_version_disabled(conn, tls_version)) { 129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 130 "ServerHello %u.%u", pos[0], pos[1]); 131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 132 TLS_ALERT_PROTOCOL_VERSION); 133 return -1; 134 } 135 pos += 2; 136 137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 138 tls_version_str(tls_version)); 139 conn->rl.tls_version = tls_version; 140 141 /* Random random */ 142 if (end - pos < TLS_RANDOM_LEN) 143 goto decode_error; 144 145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 146 pos += TLS_RANDOM_LEN; 147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 148 conn->server_random, TLS_RANDOM_LEN); 149 150 /* SessionID session_id */ 151 if (end - pos < 1) 152 goto decode_error; 153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 154 goto decode_error; 155 if (conn->session_id_len && conn->session_id_len == *pos && 156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 157 pos += 1 + conn->session_id_len; 158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 159 conn->session_resumed = 1; 160 } else { 161 conn->session_id_len = *pos; 162 pos++; 163 os_memcpy(conn->session_id, pos, conn->session_id_len); 164 pos += conn->session_id_len; 165 } 166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 167 conn->session_id, conn->session_id_len); 168 169 /* CipherSuite cipher_suite */ 170 if (end - pos < 2) 171 goto decode_error; 172 cipher_suite = WPA_GET_BE16(pos); 173 pos += 2; 174 for (i = 0; i < conn->num_cipher_suites; i++) { 175 if (cipher_suite == conn->cipher_suites[i]) 176 break; 177 } 178 if (i == conn->num_cipher_suites) { 179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 180 "cipher suite 0x%04x", cipher_suite); 181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 182 TLS_ALERT_ILLEGAL_PARAMETER); 183 return -1; 184 } 185 186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 188 "cipher suite for a resumed connection (0x%04x != " 189 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 191 TLS_ALERT_ILLEGAL_PARAMETER); 192 return -1; 193 } 194 195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 197 "record layer"); 198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 199 TLS_ALERT_INTERNAL_ERROR); 200 return -1; 201 } 202 203 conn->prev_cipher_suite = cipher_suite; 204 205 /* CompressionMethod compression_method */ 206 if (end - pos < 1) 207 goto decode_error; 208 if (*pos != TLS_COMPRESSION_NULL) { 209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 210 "compression 0x%02x", *pos); 211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 212 TLS_ALERT_ILLEGAL_PARAMETER); 213 return -1; 214 } 215 pos++; 216 217 if (end - pos >= 2) { 218 u16 ext_len; 219 220 ext_len = WPA_GET_BE16(pos); 221 pos += 2; 222 if (end - pos < ext_len) { 223 wpa_printf(MSG_INFO, 224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)", 225 ext_len, (unsigned int) (end - pos)); 226 goto decode_error; 227 } 228 229 if (tls_process_server_hello_extensions(conn, pos, ext_len)) 230 goto decode_error; 231 pos += ext_len; 232 } 233 234 if (end != pos) { 235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 236 "end of ServerHello", pos, end - pos); 237 goto decode_error; 238 } 239 240 if (conn->session_ticket_included && conn->session_ticket_cb) { 241 /* TODO: include SessionTicket extension if one was included in 242 * ServerHello */ 243 int res = conn->session_ticket_cb( 244 conn->session_ticket_cb_ctx, NULL, 0, 245 conn->client_random, conn->server_random, 246 conn->master_secret); 247 if (res < 0) { 248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 249 "indicated failure"); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 251 TLS_ALERT_HANDSHAKE_FAILURE); 252 return -1; 253 } 254 conn->use_session_ticket = !!res; 255 } 256 257 if ((conn->session_resumed || conn->use_session_ticket) && 258 tls_derive_keys(conn, NULL, 0)) { 259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 261 TLS_ALERT_INTERNAL_ERROR); 262 return -1; 263 } 264 265 *in_len = end - in_data; 266 267 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 269 270 return 0; 271 272 decode_error: 273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 275 return -1; 276 } 277 278 279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth, 280 struct x509_certificate *cert) 281 { 282 union tls_event_data ev; 283 struct wpabuf *cert_buf = NULL; 284 #ifdef CONFIG_SHA256 285 u8 hash[32]; 286 #endif /* CONFIG_SHA256 */ 287 char subject[128]; 288 289 if (!conn->event_cb) 290 return; 291 292 os_memset(&ev, 0, sizeof(ev)); 293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) { 294 cert_buf = wpabuf_alloc_copy(cert->cert_start, 295 cert->cert_len); 296 ev.peer_cert.cert = cert_buf; 297 } 298 #ifdef CONFIG_SHA256 299 if (cert_buf) { 300 const u8 *addr[1]; 301 size_t len[1]; 302 addr[0] = wpabuf_head(cert_buf); 303 len[0] = wpabuf_len(cert_buf); 304 if (sha256_vector(1, addr, len, hash) == 0) { 305 ev.peer_cert.hash = hash; 306 ev.peer_cert.hash_len = sizeof(hash); 307 } 308 } 309 #endif /* CONFIG_SHA256 */ 310 311 ev.peer_cert.depth = depth; 312 x509_name_string(&cert->subject, subject, sizeof(subject)); 313 ev.peer_cert.subject = subject; 314 315 if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) { 316 if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT) 317 ev.peer_cert.tod = 1; 318 else if (cert->certificate_policy & 319 X509_EXT_CERT_POLICY_TOD_TOFU) 320 ev.peer_cert.tod = 2; 321 } 322 323 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev); 324 wpabuf_free(cert_buf); 325 } 326 327 328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth, 329 struct x509_certificate *cert, 330 enum tls_fail_reason reason, 331 const char *reason_txt) 332 { 333 struct wpabuf *cert_buf = NULL; 334 union tls_event_data ev; 335 char subject[128]; 336 337 if (!conn->event_cb || !cert) 338 return; 339 340 os_memset(&ev, 0, sizeof(ev)); 341 ev.cert_fail.depth = depth; 342 x509_name_string(&cert->subject, subject, sizeof(subject)); 343 ev.peer_cert.subject = subject; 344 ev.cert_fail.reason = reason; 345 ev.cert_fail.reason_txt = reason_txt; 346 cert_buf = wpabuf_alloc_copy(cert->cert_start, 347 cert->cert_len); 348 ev.cert_fail.cert = cert_buf; 349 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); 350 wpabuf_free(cert_buf); 351 } 352 353 354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 355 const u8 *in_data, size_t *in_len) 356 { 357 const u8 *pos, *end; 358 size_t left, len, list_len, cert_len, idx; 359 u8 type; 360 struct x509_certificate *chain = NULL, *last = NULL, *cert; 361 int reason; 362 363 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 364 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 365 "received content type 0x%x", ct); 366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 367 TLS_ALERT_UNEXPECTED_MESSAGE); 368 return -1; 369 } 370 371 pos = in_data; 372 left = *in_len; 373 374 if (left < 4) { 375 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 376 "(len=%lu)", (unsigned long) left); 377 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 378 return -1; 379 } 380 381 type = *pos++; 382 len = WPA_GET_BE24(pos); 383 pos += 3; 384 left -= 4; 385 386 if (len > left) { 387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 388 "length (len=%lu != left=%lu)", 389 (unsigned long) len, (unsigned long) left); 390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 391 return -1; 392 } 393 394 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 395 return tls_process_server_key_exchange(conn, ct, in_data, 396 in_len); 397 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 398 return tls_process_certificate_request(conn, ct, in_data, 399 in_len); 400 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 401 return tls_process_server_hello_done(conn, ct, in_data, 402 in_len); 403 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 404 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 405 "message %d (expected Certificate/" 406 "ServerKeyExchange/CertificateRequest/" 407 "ServerHelloDone)", type); 408 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 409 TLS_ALERT_UNEXPECTED_MESSAGE); 410 return -1; 411 } 412 413 wpa_printf(MSG_DEBUG, 414 "TLSv1: Received Certificate (certificate_list len %lu)", 415 (unsigned long) len); 416 417 /* 418 * opaque ASN.1Cert<2^24-1>; 419 * 420 * struct { 421 * ASN.1Cert certificate_list<1..2^24-1>; 422 * } Certificate; 423 */ 424 425 end = pos + len; 426 427 if (end - pos < 3) { 428 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 429 "(left=%lu)", (unsigned long) left); 430 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 431 return -1; 432 } 433 434 list_len = WPA_GET_BE24(pos); 435 pos += 3; 436 437 if ((size_t) (end - pos) != list_len) { 438 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 439 "length (len=%lu left=%lu)", 440 (unsigned long) list_len, 441 (unsigned long) (end - pos)); 442 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 443 return -1; 444 } 445 446 idx = 0; 447 while (pos < end) { 448 if (end - pos < 3) { 449 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 450 "certificate_list"); 451 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 452 TLS_ALERT_DECODE_ERROR); 453 x509_certificate_chain_free(chain); 454 return -1; 455 } 456 457 cert_len = WPA_GET_BE24(pos); 458 pos += 3; 459 460 if ((size_t) (end - pos) < cert_len) { 461 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 462 "length (len=%lu left=%lu)", 463 (unsigned long) cert_len, 464 (unsigned long) (end - pos)); 465 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 466 TLS_ALERT_DECODE_ERROR); 467 x509_certificate_chain_free(chain); 468 return -1; 469 } 470 471 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 472 (unsigned long) idx, (unsigned long) cert_len); 473 474 if (idx == 0) { 475 crypto_public_key_free(conn->server_rsa_key); 476 if (tls_parse_cert(pos, cert_len, 477 &conn->server_rsa_key)) { 478 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 479 "the certificate"); 480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 481 TLS_ALERT_BAD_CERTIFICATE); 482 x509_certificate_chain_free(chain); 483 return -1; 484 } 485 } 486 487 cert = x509_certificate_parse(pos, cert_len); 488 if (cert == NULL) { 489 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 490 "the certificate"); 491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 492 TLS_ALERT_BAD_CERTIFICATE); 493 x509_certificate_chain_free(chain); 494 return -1; 495 } 496 497 tls_peer_cert_event(conn, idx, cert); 498 499 if (last == NULL) 500 chain = cert; 501 else 502 last->next = cert; 503 last = cert; 504 505 idx++; 506 pos += cert_len; 507 } 508 509 if (conn->cred && conn->cred->server_cert_only && chain) { 510 u8 hash[SHA256_MAC_LEN]; 511 char buf[128]; 512 513 wpa_printf(MSG_DEBUG, 514 "TLSv1: Validate server certificate hash"); 515 x509_name_string(&chain->subject, buf, sizeof(buf)); 516 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf); 517 if (sha256_vector(1, &chain->cert_start, &chain->cert_len, 518 hash) < 0 || 519 os_memcmp(conn->cred->srv_cert_hash, hash, 520 SHA256_MAC_LEN) != 0) { 521 wpa_printf(MSG_DEBUG, 522 "TLSv1: Server certificate hash mismatch"); 523 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash", 524 hash, SHA256_MAC_LEN); 525 if (conn->event_cb) { 526 union tls_event_data ev; 527 528 os_memset(&ev, 0, sizeof(ev)); 529 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED; 530 ev.cert_fail.reason_txt = 531 "Server certificate mismatch"; 532 ev.cert_fail.subject = buf; 533 conn->event_cb(conn->cb_ctx, 534 TLS_CERT_CHAIN_FAILURE, &ev); 535 } 536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 537 TLS_ALERT_BAD_CERTIFICATE); 538 x509_certificate_chain_free(chain); 539 return -1; 540 } 541 } else if (conn->cred && conn->cred->cert_probe) { 542 wpa_printf(MSG_DEBUG, 543 "TLSv1: Reject server certificate on probe-only run"); 544 if (conn->event_cb) { 545 union tls_event_data ev; 546 char buf[128]; 547 548 os_memset(&ev, 0, sizeof(ev)); 549 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE; 550 ev.cert_fail.reason_txt = 551 "Server certificate chain probe"; 552 if (chain) { 553 x509_name_string(&chain->subject, buf, 554 sizeof(buf)); 555 ev.cert_fail.subject = buf; 556 } 557 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, 558 &ev); 559 } 560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 561 TLS_ALERT_BAD_CERTIFICATE); 562 x509_certificate_chain_free(chain); 563 return -1; 564 } else if (conn->cred && conn->cred->ca_cert_verify && 565 x509_certificate_chain_validate( 566 conn->cred->trusted_certs, chain, &reason, 567 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) 568 < 0) { 569 int tls_reason; 570 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 571 "validation failed (reason=%d)", reason); 572 switch (reason) { 573 case X509_VALIDATE_BAD_CERTIFICATE: 574 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 575 tls_cert_chain_failure_event( 576 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 577 "bad certificate"); 578 break; 579 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 580 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 581 break; 582 case X509_VALIDATE_CERTIFICATE_REVOKED: 583 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 584 tls_cert_chain_failure_event( 585 conn, 0, chain, TLS_FAIL_REVOKED, 586 "certificate revoked"); 587 break; 588 case X509_VALIDATE_CERTIFICATE_EXPIRED: 589 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 590 tls_cert_chain_failure_event( 591 conn, 0, chain, TLS_FAIL_EXPIRED, 592 "certificate has expired or is not yet valid"); 593 break; 594 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 595 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 596 break; 597 case X509_VALIDATE_UNKNOWN_CA: 598 tls_reason = TLS_ALERT_UNKNOWN_CA; 599 tls_cert_chain_failure_event( 600 conn, 0, chain, TLS_FAIL_UNTRUSTED, 601 "unknown CA"); 602 break; 603 default: 604 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 605 break; 606 } 607 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 608 x509_certificate_chain_free(chain); 609 return -1; 610 } 611 612 if (conn->cred && !conn->cred->server_cert_only && chain && 613 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 614 !(chain->ext_key_usage & 615 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) { 616 tls_cert_chain_failure_event( 617 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 618 "certificate not allowed for server authentication"); 619 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 620 TLS_ALERT_BAD_CERTIFICATE); 621 x509_certificate_chain_free(chain); 622 return -1; 623 } 624 625 if (conn->flags & TLS_CONN_REQUEST_OCSP) { 626 x509_certificate_chain_free(conn->server_cert); 627 conn->server_cert = chain; 628 } else { 629 x509_certificate_chain_free(chain); 630 } 631 632 *in_len = end - in_data; 633 634 conn->state = SERVER_KEY_EXCHANGE; 635 636 return 0; 637 } 638 639 640 static unsigned int count_bits(const u8 *val, size_t len) 641 { 642 size_t i; 643 unsigned int bits; 644 u8 tmp; 645 646 for (i = 0; i < len; i++) { 647 if (val[i]) 648 break; 649 } 650 if (i == len) 651 return 0; 652 653 bits = (len - i - 1) * 8; 654 tmp = val[i]; 655 while (tmp) { 656 bits++; 657 tmp >>= 1; 658 } 659 660 return bits; 661 } 662 663 664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 665 const u8 *buf, size_t len, 666 tls_key_exchange key_exchange) 667 { 668 const u8 *pos, *end, *server_params, *server_params_end; 669 u8 alert; 670 unsigned int bits; 671 u16 val; 672 673 tlsv1_client_free_dh(conn); 674 675 pos = buf; 676 end = buf + len; 677 678 if (end - pos < 3) 679 goto fail; 680 server_params = pos; 681 val = WPA_GET_BE16(pos); 682 pos += 2; 683 if (val == 0 || val > (size_t) (end - pos)) { 684 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val); 685 goto fail; 686 } 687 conn->dh_p_len = val; 688 bits = count_bits(pos, conn->dh_p_len); 689 if (bits < 768) { 690 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)", 691 bits); 692 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime", 693 pos, conn->dh_p_len); 694 goto fail; 695 } 696 conn->dh_p = os_memdup(pos, conn->dh_p_len); 697 if (conn->dh_p == NULL) 698 goto fail; 699 pos += conn->dh_p_len; 700 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 701 conn->dh_p, conn->dh_p_len); 702 703 if (end - pos < 3) 704 goto fail; 705 val = WPA_GET_BE16(pos); 706 pos += 2; 707 if (val == 0 || val > (size_t) (end - pos)) 708 goto fail; 709 conn->dh_g_len = val; 710 conn->dh_g = os_memdup(pos, conn->dh_g_len); 711 if (conn->dh_g == NULL) 712 goto fail; 713 pos += conn->dh_g_len; 714 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 715 conn->dh_g, conn->dh_g_len); 716 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 717 goto fail; 718 719 if (end - pos < 3) 720 goto fail; 721 val = WPA_GET_BE16(pos); 722 pos += 2; 723 if (val == 0 || val > (size_t) (end - pos)) 724 goto fail; 725 conn->dh_ys_len = val; 726 conn->dh_ys = os_memdup(pos, conn->dh_ys_len); 727 if (conn->dh_ys == NULL) 728 goto fail; 729 pos += conn->dh_ys_len; 730 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 731 conn->dh_ys, conn->dh_ys_len); 732 server_params_end = pos; 733 734 if (key_exchange == TLS_KEY_X_DHE_RSA) { 735 u8 hash[64]; 736 int hlen; 737 738 if (conn->rl.tls_version == TLS_VERSION_1_2) { 739 #ifdef CONFIG_TLSV12 740 /* 741 * RFC 5246, 4.7: 742 * TLS v1.2 adds explicit indication of the used 743 * signature and hash algorithms. 744 * 745 * struct { 746 * HashAlgorithm hash; 747 * SignatureAlgorithm signature; 748 * } SignatureAndHashAlgorithm; 749 */ 750 if (end - pos < 2) 751 goto fail; 752 if ((pos[0] != TLS_HASH_ALG_SHA256 && 753 pos[0] != TLS_HASH_ALG_SHA384 && 754 pos[0] != TLS_HASH_ALG_SHA512) || 755 pos[1] != TLS_SIGN_ALG_RSA) { 756 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 757 pos[0], pos[1]); 758 goto fail; 759 } 760 761 hlen = tlsv12_key_x_server_params_hash( 762 conn->rl.tls_version, pos[0], 763 conn->client_random, 764 conn->server_random, server_params, 765 server_params_end - server_params, hash); 766 pos += 2; 767 #else /* CONFIG_TLSV12 */ 768 goto fail; 769 #endif /* CONFIG_TLSV12 */ 770 } else { 771 hlen = tls_key_x_server_params_hash( 772 conn->rl.tls_version, conn->client_random, 773 conn->server_random, server_params, 774 server_params_end - server_params, hash, 775 sizeof(hash)); 776 } 777 778 if (hlen < 0) 779 goto fail; 780 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 781 hash, hlen); 782 783 if (tls_verify_signature(conn->rl.tls_version, 784 conn->server_rsa_key, 785 hash, hlen, pos, end - pos, 786 &alert) < 0) 787 goto fail; 788 } 789 790 return 0; 791 792 fail: 793 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 794 tlsv1_client_free_dh(conn); 795 return -1; 796 } 797 798 799 static enum tls_ocsp_result 800 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn, 801 const u8 *pos, size_t len) 802 { 803 const u8 *end = pos + len; 804 u32 ocsp_resp_len; 805 806 /* opaque OCSPResponse<1..2^24-1>; */ 807 if (end - pos < 3) { 808 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse"); 809 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 810 return TLS_OCSP_INVALID; 811 } 812 ocsp_resp_len = WPA_GET_BE24(pos); 813 pos += 3; 814 if (end - pos < ocsp_resp_len) { 815 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse"); 816 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 817 return TLS_OCSP_INVALID; 818 } 819 820 return tls_process_ocsp_response(conn, pos, ocsp_resp_len); 821 } 822 823 824 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct, 825 const u8 *in_data, size_t *in_len) 826 { 827 const u8 *pos, *end; 828 size_t left, len; 829 u8 type, status_type; 830 enum tls_ocsp_result res; 831 struct x509_certificate *cert; 832 int depth; 833 834 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 835 wpa_printf(MSG_DEBUG, 836 "TLSv1: Expected Handshake; received content type 0x%x", 837 ct); 838 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 839 TLS_ALERT_UNEXPECTED_MESSAGE); 840 return -1; 841 } 842 843 pos = in_data; 844 left = *in_len; 845 846 if (left < 4) { 847 wpa_printf(MSG_DEBUG, 848 "TLSv1: Too short CertificateStatus (left=%lu)", 849 (unsigned long) left); 850 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 851 return -1; 852 } 853 854 type = *pos++; 855 len = WPA_GET_BE24(pos); 856 pos += 3; 857 left -= 4; 858 859 if (len > left) { 860 wpa_printf(MSG_DEBUG, 861 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)", 862 (unsigned long) len, (unsigned long) left); 863 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 864 return -1; 865 } 866 867 end = pos + len; 868 869 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) { 870 wpa_printf(MSG_DEBUG, 871 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)", 872 type); 873 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 874 TLS_ALERT_UNEXPECTED_MESSAGE); 875 return -1; 876 } 877 878 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus"); 879 880 /* 881 * struct { 882 * CertificateStatusType status_type; 883 * select (status_type) { 884 * case ocsp: OCSPResponse; 885 * case ocsp_multi: OCSPResponseList; 886 * } response; 887 * } CertificateStatus; 888 */ 889 if (end - pos < 1) { 890 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus"); 891 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 892 return -1; 893 } 894 status_type = *pos++; 895 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u", 896 status_type); 897 898 if (status_type == 1 /* ocsp */) { 899 res = tls_process_certificate_status_ocsp_response( 900 conn, pos, end - pos); 901 } else if (status_type == 2 /* ocsp_multi */) { 902 int good = 0, revoked = 0; 903 u32 resp_len; 904 905 res = TLS_OCSP_NO_RESPONSE; 906 907 /* 908 * opaque OCSPResponse<0..2^24-1>; 909 * 910 * struct { 911 * OCSPResponse ocsp_response_list<1..2^24-1>; 912 * } OCSPResponseList; 913 */ 914 if (end - pos < 3) { 915 wpa_printf(MSG_DEBUG, 916 "TLSv1: Truncated OCSPResponseList"); 917 res = TLS_OCSP_INVALID; 918 goto done; 919 } 920 resp_len = WPA_GET_BE24(pos); 921 pos += 3; 922 if (end - pos < resp_len) { 923 wpa_printf(MSG_DEBUG, 924 "TLSv1: Truncated OCSPResponseList(len=%u)", 925 resp_len); 926 res = TLS_OCSP_INVALID; 927 goto done; 928 } 929 end = pos + resp_len; 930 931 while (end - pos >= 3) { 932 resp_len = WPA_GET_BE24(pos); 933 pos += 3; 934 if (resp_len > end - pos) { 935 wpa_printf(MSG_DEBUG, 936 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi", 937 resp_len, (int) (end - pos)); 938 res = TLS_OCSP_INVALID; 939 break; 940 } 941 if (!resp_len) 942 continue; /* Skip an empty response */ 943 res = tls_process_certificate_status_ocsp_response( 944 conn, pos - 3, resp_len + 3); 945 if (res == TLS_OCSP_REVOKED) 946 revoked++; 947 else if (res == TLS_OCSP_GOOD) 948 good++; 949 pos += resp_len; 950 } 951 952 if (revoked) 953 res = TLS_OCSP_REVOKED; 954 else if (good) 955 res = TLS_OCSP_GOOD; 956 } else { 957 wpa_printf(MSG_DEBUG, 958 "TLSv1: Ignore unsupported CertificateStatus"); 959 goto skip; 960 } 961 962 done: 963 if (res == TLS_OCSP_REVOKED) { 964 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 965 TLS_ALERT_CERTIFICATE_REVOKED); 966 for (cert = conn->server_cert, depth = 0; cert; 967 cert = cert->next, depth++) { 968 if (cert->ocsp_revoked) { 969 tls_cert_chain_failure_event( 970 conn, depth, cert, TLS_FAIL_REVOKED, 971 "certificate revoked"); 972 } 973 } 974 return -1; 975 } 976 977 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) { 978 /* 979 * Verify that each certificate on the chain that is not part 980 * of the trusted certificates has a good status. If not, 981 * terminate handshake. 982 */ 983 for (cert = conn->server_cert, depth = 0; cert; 984 cert = cert->next, depth++) { 985 if (!cert->ocsp_good) { 986 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 987 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 988 tls_cert_chain_failure_event( 989 conn, depth, cert, 990 TLS_FAIL_UNSPECIFIED, 991 "bad certificate status response"); 992 return -1; 993 } 994 if (cert->issuer_trusted) 995 break; 996 } 997 } 998 999 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) { 1000 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1001 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR : 1002 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 1003 if (conn->server_cert) 1004 tls_cert_chain_failure_event( 1005 conn, 0, conn->server_cert, 1006 TLS_FAIL_UNSPECIFIED, 1007 "bad certificate status response"); 1008 return -1; 1009 } 1010 1011 conn->ocsp_resp_received = 1; 1012 1013 skip: 1014 *in_len = end - in_data; 1015 1016 conn->state = SERVER_KEY_EXCHANGE; 1017 1018 return 0; 1019 } 1020 1021 1022 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 1023 const u8 *in_data, size_t *in_len) 1024 { 1025 const u8 *pos, *end; 1026 size_t left, len; 1027 u8 type; 1028 const struct tls_cipher_suite *suite; 1029 1030 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1031 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1032 "received content type 0x%x", ct); 1033 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1034 TLS_ALERT_UNEXPECTED_MESSAGE); 1035 return -1; 1036 } 1037 1038 pos = in_data; 1039 left = *in_len; 1040 1041 if (left < 4) { 1042 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 1043 "(Left=%lu)", (unsigned long) left); 1044 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1045 return -1; 1046 } 1047 1048 type = *pos++; 1049 len = WPA_GET_BE24(pos); 1050 pos += 3; 1051 left -= 4; 1052 1053 if (len > left) { 1054 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 1055 "length (len=%lu != left=%lu)", 1056 (unsigned long) len, (unsigned long) left); 1057 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1058 return -1; 1059 } 1060 1061 end = pos + len; 1062 1063 if ((conn->flags & TLS_CONN_REQUEST_OCSP) && 1064 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) 1065 return tls_process_certificate_status(conn, ct, in_data, 1066 in_len); 1067 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 1068 return tls_process_certificate_request(conn, ct, in_data, 1069 in_len); 1070 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1071 return tls_process_server_hello_done(conn, ct, in_data, 1072 in_len); 1073 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 1074 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1075 "message %d (expected ServerKeyExchange/" 1076 "CertificateRequest/ServerHelloDone%s)", type, 1077 (conn->flags & TLS_CONN_REQUEST_OCSP) ? 1078 "/CertificateStatus" : ""); 1079 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1080 TLS_ALERT_UNEXPECTED_MESSAGE); 1081 return -1; 1082 } 1083 1084 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 1085 1086 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 1087 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 1088 "with the selected cipher suite"); 1089 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1090 TLS_ALERT_UNEXPECTED_MESSAGE); 1091 return -1; 1092 } 1093 1094 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 1095 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 1096 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 1097 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 1098 if (tlsv1_process_diffie_hellman(conn, pos, len, 1099 suite->key_exchange) < 0) { 1100 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1101 TLS_ALERT_DECODE_ERROR); 1102 return -1; 1103 } 1104 } else { 1105 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 1106 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1107 TLS_ALERT_UNEXPECTED_MESSAGE); 1108 return -1; 1109 } 1110 1111 *in_len = end - in_data; 1112 1113 conn->state = SERVER_CERTIFICATE_REQUEST; 1114 1115 return 0; 1116 } 1117 1118 1119 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 1120 const u8 *in_data, size_t *in_len) 1121 { 1122 const u8 *pos, *end; 1123 size_t left, len; 1124 u8 type; 1125 1126 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1127 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1128 "received content type 0x%x", ct); 1129 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1130 TLS_ALERT_UNEXPECTED_MESSAGE); 1131 return -1; 1132 } 1133 1134 pos = in_data; 1135 left = *in_len; 1136 1137 if (left < 4) { 1138 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 1139 "(left=%lu)", (unsigned long) left); 1140 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1141 return -1; 1142 } 1143 1144 type = *pos++; 1145 len = WPA_GET_BE24(pos); 1146 pos += 3; 1147 left -= 4; 1148 1149 if (len > left) { 1150 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 1151 "length (len=%lu != left=%lu)", 1152 (unsigned long) len, (unsigned long) left); 1153 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1154 return -1; 1155 } 1156 1157 end = pos + len; 1158 1159 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1160 return tls_process_server_hello_done(conn, ct, in_data, 1161 in_len); 1162 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 1163 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1164 "message %d (expected CertificateRequest/" 1165 "ServerHelloDone)", type); 1166 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1167 TLS_ALERT_UNEXPECTED_MESSAGE); 1168 return -1; 1169 } 1170 1171 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 1172 1173 conn->certificate_requested = 1; 1174 1175 *in_len = end - in_data; 1176 1177 conn->state = SERVER_HELLO_DONE; 1178 1179 return 0; 1180 } 1181 1182 1183 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 1184 const u8 *in_data, size_t *in_len) 1185 { 1186 const u8 *pos, *end; 1187 size_t left, len; 1188 u8 type; 1189 1190 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1191 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1192 "received content type 0x%x", ct); 1193 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1194 TLS_ALERT_UNEXPECTED_MESSAGE); 1195 return -1; 1196 } 1197 1198 pos = in_data; 1199 left = *in_len; 1200 1201 if (left < 4) { 1202 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 1203 "(left=%lu)", (unsigned long) left); 1204 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1205 return -1; 1206 } 1207 1208 type = *pos++; 1209 len = WPA_GET_BE24(pos); 1210 pos += 3; 1211 left -= 4; 1212 1213 if (len > left) { 1214 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 1215 "length (len=%lu != left=%lu)", 1216 (unsigned long) len, (unsigned long) left); 1217 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1218 return -1; 1219 } 1220 end = pos + len; 1221 1222 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 1223 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1224 "message %d (expected ServerHelloDone)", type); 1225 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1226 TLS_ALERT_UNEXPECTED_MESSAGE); 1227 return -1; 1228 } 1229 1230 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 1231 1232 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && 1233 !conn->ocsp_resp_received) { 1234 wpa_printf(MSG_INFO, 1235 "TLSv1: No OCSP response received - reject handshake"); 1236 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1237 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 1238 return -1; 1239 } 1240 1241 *in_len = end - in_data; 1242 1243 conn->state = CLIENT_KEY_EXCHANGE; 1244 1245 return 0; 1246 } 1247 1248 1249 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 1250 u8 ct, const u8 *in_data, 1251 size_t *in_len) 1252 { 1253 const u8 *pos; 1254 size_t left; 1255 1256 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1257 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1258 "received content type 0x%x", ct); 1259 if (conn->use_session_ticket) { 1260 int res; 1261 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 1262 "rejected SessionTicket"); 1263 conn->use_session_ticket = 0; 1264 1265 /* Notify upper layers that SessionTicket failed */ 1266 res = conn->session_ticket_cb( 1267 conn->session_ticket_cb_ctx, NULL, 0, NULL, 1268 NULL, NULL); 1269 if (res < 0) { 1270 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 1271 "callback indicated failure"); 1272 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1273 TLS_ALERT_HANDSHAKE_FAILURE); 1274 return -1; 1275 } 1276 1277 conn->state = SERVER_CERTIFICATE; 1278 return tls_process_certificate(conn, ct, in_data, 1279 in_len); 1280 } 1281 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1282 TLS_ALERT_UNEXPECTED_MESSAGE); 1283 return -1; 1284 } 1285 1286 pos = in_data; 1287 left = *in_len; 1288 1289 if (left < 1) { 1290 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 1291 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1292 return -1; 1293 } 1294 1295 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1296 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1297 "received data 0x%x", *pos); 1298 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1299 TLS_ALERT_UNEXPECTED_MESSAGE); 1300 return -1; 1301 } 1302 1303 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 1304 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1305 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1306 "for record layer"); 1307 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1308 TLS_ALERT_INTERNAL_ERROR); 1309 return -1; 1310 } 1311 1312 *in_len = pos + 1 - in_data; 1313 1314 conn->state = SERVER_FINISHED; 1315 1316 return 0; 1317 } 1318 1319 1320 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 1321 const u8 *in_data, size_t *in_len) 1322 { 1323 const u8 *pos, *end; 1324 size_t left, len, hlen; 1325 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1326 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1327 1328 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1329 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 1330 "received content type 0x%x", ct); 1331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1332 TLS_ALERT_UNEXPECTED_MESSAGE); 1333 return -1; 1334 } 1335 1336 pos = in_data; 1337 left = *in_len; 1338 1339 if (left < 4) { 1340 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 1341 "Finished", 1342 (unsigned long) left); 1343 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1344 TLS_ALERT_DECODE_ERROR); 1345 return -1; 1346 } 1347 1348 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1349 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1350 "type 0x%x", pos[0]); 1351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1352 TLS_ALERT_UNEXPECTED_MESSAGE); 1353 return -1; 1354 } 1355 1356 len = WPA_GET_BE24(pos + 1); 1357 1358 pos += 4; 1359 left -= 4; 1360 1361 if (len > left) { 1362 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1363 "(len=%lu > left=%lu)", 1364 (unsigned long) len, (unsigned long) left); 1365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1366 TLS_ALERT_DECODE_ERROR); 1367 return -1; 1368 } 1369 end = pos + len; 1370 if (len != TLS_VERIFY_DATA_LEN) { 1371 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1372 "in Finished: %lu (expected %d)", 1373 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1374 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1375 TLS_ALERT_DECODE_ERROR); 1376 return -1; 1377 } 1378 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1379 pos, TLS_VERIFY_DATA_LEN); 1380 1381 #ifdef CONFIG_TLSV12 1382 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1383 hlen = SHA256_MAC_LEN; 1384 if (conn->verify.sha256_server == NULL || 1385 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 1386 < 0) { 1387 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1388 TLS_ALERT_INTERNAL_ERROR); 1389 conn->verify.sha256_server = NULL; 1390 return -1; 1391 } 1392 conn->verify.sha256_server = NULL; 1393 } else { 1394 #endif /* CONFIG_TLSV12 */ 1395 1396 hlen = MD5_MAC_LEN; 1397 if (conn->verify.md5_server == NULL || 1398 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 1399 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1400 TLS_ALERT_INTERNAL_ERROR); 1401 conn->verify.md5_server = NULL; 1402 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 1403 conn->verify.sha1_server = NULL; 1404 return -1; 1405 } 1406 conn->verify.md5_server = NULL; 1407 hlen = SHA1_MAC_LEN; 1408 if (conn->verify.sha1_server == NULL || 1409 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 1410 &hlen) < 0) { 1411 conn->verify.sha1_server = NULL; 1412 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1413 TLS_ALERT_INTERNAL_ERROR); 1414 return -1; 1415 } 1416 conn->verify.sha1_server = NULL; 1417 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1418 1419 #ifdef CONFIG_TLSV12 1420 } 1421 #endif /* CONFIG_TLSV12 */ 1422 1423 if (tls_prf(conn->rl.tls_version, 1424 conn->master_secret, TLS_MASTER_SECRET_LEN, 1425 "server finished", hash, hlen, 1426 verify_data, TLS_VERIFY_DATA_LEN)) { 1427 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1429 TLS_ALERT_DECRYPT_ERROR); 1430 return -1; 1431 } 1432 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 1433 verify_data, TLS_VERIFY_DATA_LEN); 1434 1435 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1436 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1437 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1438 TLS_ALERT_DECRYPT_ERROR); 1439 return -1; 1440 } 1441 1442 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1443 1444 *in_len = end - in_data; 1445 1446 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 1447 CHANGE_CIPHER_SPEC : ACK_FINISHED; 1448 1449 return 0; 1450 } 1451 1452 1453 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 1454 const u8 *in_data, size_t *in_len, 1455 u8 **out_data, size_t *out_len) 1456 { 1457 const u8 *pos; 1458 size_t left; 1459 1460 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 1461 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 1462 "received content type 0x%x", ct); 1463 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1464 TLS_ALERT_UNEXPECTED_MESSAGE); 1465 return -1; 1466 } 1467 1468 pos = in_data; 1469 left = *in_len; 1470 1471 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 1472 pos, left); 1473 1474 *out_data = os_malloc(left); 1475 if (*out_data) { 1476 os_memcpy(*out_data, pos, left); 1477 *out_len = left; 1478 } 1479 1480 return 0; 1481 } 1482 1483 1484 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1485 const u8 *buf, size_t *len, 1486 u8 **out_data, size_t *out_len) 1487 { 1488 if (ct == TLS_CONTENT_TYPE_ALERT) { 1489 if (*len < 2) { 1490 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1492 TLS_ALERT_DECODE_ERROR); 1493 return -1; 1494 } 1495 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1496 buf[0], buf[1]); 1497 *len = 2; 1498 conn->state = FAILED; 1499 return -1; 1500 } 1501 1502 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1503 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1504 size_t hr_len = WPA_GET_BE24(buf + 1); 1505 if (hr_len > *len - 4) { 1506 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1507 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1508 TLS_ALERT_DECODE_ERROR); 1509 return -1; 1510 } 1511 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1512 *len = 4 + hr_len; 1513 return 0; 1514 } 1515 1516 switch (conn->state) { 1517 case SERVER_HELLO: 1518 if (tls_process_server_hello(conn, ct, buf, len)) 1519 return -1; 1520 break; 1521 case SERVER_CERTIFICATE: 1522 if (tls_process_certificate(conn, ct, buf, len)) 1523 return -1; 1524 break; 1525 case SERVER_KEY_EXCHANGE: 1526 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1527 return -1; 1528 break; 1529 case SERVER_CERTIFICATE_REQUEST: 1530 if (tls_process_certificate_request(conn, ct, buf, len)) 1531 return -1; 1532 break; 1533 case SERVER_HELLO_DONE: 1534 if (tls_process_server_hello_done(conn, ct, buf, len)) 1535 return -1; 1536 break; 1537 case SERVER_CHANGE_CIPHER_SPEC: 1538 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1539 return -1; 1540 break; 1541 case SERVER_FINISHED: 1542 if (tls_process_server_finished(conn, ct, buf, len)) 1543 return -1; 1544 break; 1545 case ACK_FINISHED: 1546 if (out_data && 1547 tls_process_application_data(conn, ct, buf, len, out_data, 1548 out_len)) 1549 return -1; 1550 break; 1551 default: 1552 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1553 "while processing received message", 1554 conn->state); 1555 return -1; 1556 } 1557 1558 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1559 tls_verify_hash_add(&conn->verify, buf, *len); 1560 1561 return 0; 1562 } 1563