xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision cc9e6590773dba57440750c124173ed531349a06)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21 
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 					   const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 					   const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 					 const u8 *in_data, size_t *in_len);
28 
29 
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 	return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 		 ver == TLS_VERSION_1) ||
34 		((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 		 ver == TLS_VERSION_1_1) ||
36 		((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 		 ver == TLS_VERSION_1_2));
38 }
39 
40 
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 					       const u8 *pos, size_t len)
43 {
44 	const u8 *end = pos + len;
45 
46 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 		    pos, len);
48 	while (pos < end) {
49 		u16 ext, elen;
50 
51 		if (end - pos < 4) {
52 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 			return -1;
54 		}
55 
56 		ext = WPA_GET_BE16(pos);
57 		pos += 2;
58 		elen = WPA_GET_BE16(pos);
59 		pos += 2;
60 
61 		if (elen > end - pos) {
62 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 			return -1;
64 		}
65 
66 		wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 			   ext);
68 		wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 			    pos, elen);
70 
71 		pos += elen;
72 	}
73 
74 	return 0;
75 }
76 
77 
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 				    const u8 *in_data, size_t *in_len)
80 {
81 	const u8 *pos, *end;
82 	size_t left, len, i;
83 	u16 cipher_suite;
84 	u16 tls_version;
85 
86 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 			   "received content type 0x%x", ct);
89 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 			  TLS_ALERT_UNEXPECTED_MESSAGE);
91 		return -1;
92 	}
93 
94 	pos = in_data;
95 	left = *in_len;
96 
97 	if (left < 4)
98 		goto decode_error;
99 
100 	/* HandshakeType msg_type */
101 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 			   "message %d (expected ServerHello)", *pos);
104 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 			  TLS_ALERT_UNEXPECTED_MESSAGE);
106 		return -1;
107 	}
108 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 	pos++;
110 	/* uint24 length */
111 	len = WPA_GET_BE24(pos);
112 	pos += 3;
113 	left -= 4;
114 
115 	if (len > left)
116 		goto decode_error;
117 
118 	/* body - ServerHello */
119 
120 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 	end = pos + len;
122 
123 	/* ProtocolVersion server_version */
124 	if (end - pos < 2)
125 		goto decode_error;
126 	tls_version = WPA_GET_BE16(pos);
127 	if (!tls_version_ok(tls_version) ||
128 	    tls_version_disabled(conn, tls_version)) {
129 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 			   "ServerHello %u.%u", pos[0], pos[1]);
131 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 			  TLS_ALERT_PROTOCOL_VERSION);
133 		return -1;
134 	}
135 	pos += 2;
136 
137 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 		   tls_version_str(tls_version));
139 	conn->rl.tls_version = tls_version;
140 
141 	/* Random random */
142 	if (end - pos < TLS_RANDOM_LEN)
143 		goto decode_error;
144 
145 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 	pos += TLS_RANDOM_LEN;
147 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 		    conn->server_random, TLS_RANDOM_LEN);
149 
150 	/* SessionID session_id */
151 	if (end - pos < 1)
152 		goto decode_error;
153 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 		goto decode_error;
155 	if (conn->session_id_len && conn->session_id_len == *pos &&
156 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 		pos += 1 + conn->session_id_len;
158 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 		conn->session_resumed = 1;
160 	} else {
161 		conn->session_id_len = *pos;
162 		pos++;
163 		os_memcpy(conn->session_id, pos, conn->session_id_len);
164 		pos += conn->session_id_len;
165 	}
166 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 		    conn->session_id, conn->session_id_len);
168 
169 	/* CipherSuite cipher_suite */
170 	if (end - pos < 2)
171 		goto decode_error;
172 	cipher_suite = WPA_GET_BE16(pos);
173 	pos += 2;
174 	for (i = 0; i < conn->num_cipher_suites; i++) {
175 		if (cipher_suite == conn->cipher_suites[i])
176 			break;
177 	}
178 	if (i == conn->num_cipher_suites) {
179 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 			   "cipher suite 0x%04x", cipher_suite);
181 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 			  TLS_ALERT_ILLEGAL_PARAMETER);
183 		return -1;
184 	}
185 
186 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 			   "cipher suite for a resumed connection (0x%04x != "
189 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 			  TLS_ALERT_ILLEGAL_PARAMETER);
192 		return -1;
193 	}
194 
195 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 			   "record layer");
198 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 			  TLS_ALERT_INTERNAL_ERROR);
200 		return -1;
201 	}
202 
203 	conn->prev_cipher_suite = cipher_suite;
204 
205 	/* CompressionMethod compression_method */
206 	if (end - pos < 1)
207 		goto decode_error;
208 	if (*pos != TLS_COMPRESSION_NULL) {
209 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 			   "compression 0x%02x", *pos);
211 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 			  TLS_ALERT_ILLEGAL_PARAMETER);
213 		return -1;
214 	}
215 	pos++;
216 
217 	if (end - pos >= 2) {
218 		u16 ext_len;
219 
220 		ext_len = WPA_GET_BE16(pos);
221 		pos += 2;
222 		if (end - pos < ext_len) {
223 			wpa_printf(MSG_INFO,
224 				   "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 				   ext_len, (unsigned int) (end - pos));
226 			goto decode_error;
227 		}
228 
229 		if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 			goto decode_error;
231 		pos += ext_len;
232 	}
233 
234 	if (end != pos) {
235 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 			    "end of ServerHello", pos, end - pos);
237 		goto decode_error;
238 	}
239 
240 	if (conn->session_ticket_included && conn->session_ticket_cb) {
241 		/* TODO: include SessionTicket extension if one was included in
242 		 * ServerHello */
243 		int res = conn->session_ticket_cb(
244 			conn->session_ticket_cb_ctx, NULL, 0,
245 			conn->client_random, conn->server_random,
246 			conn->master_secret);
247 		if (res < 0) {
248 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 				   "indicated failure");
250 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 				  TLS_ALERT_HANDSHAKE_FAILURE);
252 			return -1;
253 		}
254 		conn->use_session_ticket = !!res;
255 	}
256 
257 	if ((conn->session_resumed || conn->use_session_ticket) &&
258 	    tls_derive_keys(conn, NULL, 0)) {
259 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 			  TLS_ALERT_INTERNAL_ERROR);
262 		return -1;
263 	}
264 
265 	*in_len = end - in_data;
266 
267 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269 
270 	return 0;
271 
272 decode_error:
273 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 	return -1;
276 }
277 
278 
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 				struct x509_certificate *cert)
281 {
282 	union tls_event_data ev;
283 	struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 	u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 	char subject[128];
288 
289 	if (!conn->event_cb)
290 		return;
291 
292 	os_memset(&ev, 0, sizeof(ev));
293 	if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 		cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 					     cert->cert_len);
296 		ev.peer_cert.cert = cert_buf;
297 	}
298 #ifdef CONFIG_SHA256
299 	if (cert_buf) {
300 		const u8 *addr[1];
301 		size_t len[1];
302 		addr[0] = wpabuf_head(cert_buf);
303 		len[0] = wpabuf_len(cert_buf);
304 		if (sha256_vector(1, addr, len, hash) == 0) {
305 			ev.peer_cert.hash = hash;
306 			ev.peer_cert.hash_len = sizeof(hash);
307 		}
308 	}
309 #endif /* CONFIG_SHA256 */
310 
311 	ev.peer_cert.depth = depth;
312 	x509_name_string(&cert->subject, subject, sizeof(subject));
313 	ev.peer_cert.subject = subject;
314 
315 	if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) {
316 		if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT)
317 			ev.peer_cert.tod = 1;
318 		else if (cert->certificate_policy &
319 			 X509_EXT_CERT_POLICY_TOD_TOFU)
320 			ev.peer_cert.tod = 2;
321 	}
322 
323 	conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
324 	wpabuf_free(cert_buf);
325 }
326 
327 
328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
329 					 struct x509_certificate *cert,
330 					 enum tls_fail_reason reason,
331 					 const char *reason_txt)
332 {
333 	struct wpabuf *cert_buf = NULL;
334 	union tls_event_data ev;
335 	char subject[128];
336 
337 	if (!conn->event_cb || !cert)
338 		return;
339 
340 	os_memset(&ev, 0, sizeof(ev));
341 	ev.cert_fail.depth = depth;
342 	x509_name_string(&cert->subject, subject, sizeof(subject));
343 	ev.peer_cert.subject = subject;
344 	ev.cert_fail.reason = reason;
345 	ev.cert_fail.reason_txt = reason_txt;
346 	cert_buf = wpabuf_alloc_copy(cert->cert_start,
347 				     cert->cert_len);
348 	ev.cert_fail.cert = cert_buf;
349 	conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
350 	wpabuf_free(cert_buf);
351 }
352 
353 
354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
355 				   const u8 *in_data, size_t *in_len)
356 {
357 	const u8 *pos, *end;
358 	size_t left, len, list_len, cert_len, idx;
359 	u8 type;
360 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
361 	int reason;
362 
363 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
364 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
365 			   "received content type 0x%x", ct);
366 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 			  TLS_ALERT_UNEXPECTED_MESSAGE);
368 		return -1;
369 	}
370 
371 	pos = in_data;
372 	left = *in_len;
373 
374 	if (left < 4) {
375 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
376 			   "(len=%lu)", (unsigned long) left);
377 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
378 		return -1;
379 	}
380 
381 	type = *pos++;
382 	len = WPA_GET_BE24(pos);
383 	pos += 3;
384 	left -= 4;
385 
386 	if (len > left) {
387 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
388 			   "length (len=%lu != left=%lu)",
389 			   (unsigned long) len, (unsigned long) left);
390 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
391 		return -1;
392 	}
393 
394 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
395 		return tls_process_server_key_exchange(conn, ct, in_data,
396 						       in_len);
397 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
398 		return tls_process_certificate_request(conn, ct, in_data,
399 						       in_len);
400 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
401 		return tls_process_server_hello_done(conn, ct, in_data,
402 						     in_len);
403 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
404 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
405 			   "message %d (expected Certificate/"
406 			   "ServerKeyExchange/CertificateRequest/"
407 			   "ServerHelloDone)", type);
408 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 			  TLS_ALERT_UNEXPECTED_MESSAGE);
410 		return -1;
411 	}
412 
413 	wpa_printf(MSG_DEBUG,
414 		   "TLSv1: Received Certificate (certificate_list len %lu)",
415 		   (unsigned long) len);
416 
417 	/*
418 	 * opaque ASN.1Cert<2^24-1>;
419 	 *
420 	 * struct {
421 	 *     ASN.1Cert certificate_list<1..2^24-1>;
422 	 * } Certificate;
423 	 */
424 
425 	end = pos + len;
426 
427 	if (end - pos < 3) {
428 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
429 			   "(left=%lu)", (unsigned long) left);
430 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
431 		return -1;
432 	}
433 
434 	list_len = WPA_GET_BE24(pos);
435 	pos += 3;
436 
437 	if ((size_t) (end - pos) != list_len) {
438 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
439 			   "length (len=%lu left=%lu)",
440 			   (unsigned long) list_len,
441 			   (unsigned long) (end - pos));
442 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
443 		return -1;
444 	}
445 
446 	idx = 0;
447 	while (pos < end) {
448 		if (end - pos < 3) {
449 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
450 				   "certificate_list");
451 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 				  TLS_ALERT_DECODE_ERROR);
453 			x509_certificate_chain_free(chain);
454 			return -1;
455 		}
456 
457 		cert_len = WPA_GET_BE24(pos);
458 		pos += 3;
459 
460 		if ((size_t) (end - pos) < cert_len) {
461 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
462 				   "length (len=%lu left=%lu)",
463 				   (unsigned long) cert_len,
464 				   (unsigned long) (end - pos));
465 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
466 				  TLS_ALERT_DECODE_ERROR);
467 			x509_certificate_chain_free(chain);
468 			return -1;
469 		}
470 
471 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
472 			   (unsigned long) idx, (unsigned long) cert_len);
473 
474 		if (idx == 0) {
475 			crypto_public_key_free(conn->server_rsa_key);
476 			if (tls_parse_cert(pos, cert_len,
477 					   &conn->server_rsa_key)) {
478 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
479 					   "the certificate");
480 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
481 					  TLS_ALERT_BAD_CERTIFICATE);
482 				x509_certificate_chain_free(chain);
483 				return -1;
484 			}
485 		}
486 
487 		cert = x509_certificate_parse(pos, cert_len);
488 		if (cert == NULL) {
489 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
490 				   "the certificate");
491 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 				  TLS_ALERT_BAD_CERTIFICATE);
493 			x509_certificate_chain_free(chain);
494 			return -1;
495 		}
496 
497 		tls_peer_cert_event(conn, idx, cert);
498 
499 		if (last == NULL)
500 			chain = cert;
501 		else
502 			last->next = cert;
503 		last = cert;
504 
505 		idx++;
506 		pos += cert_len;
507 	}
508 
509 	if (conn->cred && conn->cred->server_cert_only && chain) {
510 		u8 hash[SHA256_MAC_LEN];
511 		char buf[128];
512 
513 		wpa_printf(MSG_DEBUG,
514 			   "TLSv1: Validate server certificate hash");
515 		x509_name_string(&chain->subject, buf, sizeof(buf));
516 		wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
517 		if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
518 				  hash) < 0 ||
519 		    os_memcmp(conn->cred->srv_cert_hash, hash,
520 			      SHA256_MAC_LEN) != 0) {
521 			wpa_printf(MSG_DEBUG,
522 				   "TLSv1: Server certificate hash mismatch");
523 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
524 				    hash, SHA256_MAC_LEN);
525 			if (conn->event_cb) {
526 				union tls_event_data ev;
527 
528 				os_memset(&ev, 0, sizeof(ev));
529 				ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
530 				ev.cert_fail.reason_txt =
531 					"Server certificate mismatch";
532 				ev.cert_fail.subject = buf;
533 				conn->event_cb(conn->cb_ctx,
534 					       TLS_CERT_CHAIN_FAILURE, &ev);
535 			}
536 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
537 				  TLS_ALERT_BAD_CERTIFICATE);
538 			x509_certificate_chain_free(chain);
539 			return -1;
540 		}
541 	} else if (conn->cred && conn->cred->cert_probe) {
542 		wpa_printf(MSG_DEBUG,
543 			   "TLSv1: Reject server certificate on probe-only run");
544 		if (conn->event_cb) {
545 			union tls_event_data ev;
546 			char buf[128];
547 
548 			os_memset(&ev, 0, sizeof(ev));
549 			ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
550 			ev.cert_fail.reason_txt =
551 				"Server certificate chain probe";
552 			if (chain) {
553 				x509_name_string(&chain->subject, buf,
554 						 sizeof(buf));
555 				ev.cert_fail.subject = buf;
556 			}
557 			conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
558 				       &ev);
559 		}
560 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
561 			  TLS_ALERT_BAD_CERTIFICATE);
562 		x509_certificate_chain_free(chain);
563 		return -1;
564 	} else if (conn->cred && conn->cred->ca_cert_verify &&
565 		   x509_certificate_chain_validate(
566 			   conn->cred->trusted_certs, chain, &reason,
567 			   !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
568 		   < 0) {
569 		int tls_reason;
570 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
571 			   "validation failed (reason=%d)", reason);
572 		switch (reason) {
573 		case X509_VALIDATE_BAD_CERTIFICATE:
574 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
575 			tls_cert_chain_failure_event(
576 				conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
577 				"bad certificate");
578 			break;
579 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
580 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
581 			break;
582 		case X509_VALIDATE_CERTIFICATE_REVOKED:
583 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
584 			tls_cert_chain_failure_event(
585 				conn, 0, chain, TLS_FAIL_REVOKED,
586 				"certificate revoked");
587 			break;
588 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
589 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
590 			tls_cert_chain_failure_event(
591 				conn, 0, chain, TLS_FAIL_EXPIRED,
592 				"certificate has expired or is not yet valid");
593 			break;
594 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
595 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
596 			break;
597 		case X509_VALIDATE_UNKNOWN_CA:
598 			tls_reason = TLS_ALERT_UNKNOWN_CA;
599 			tls_cert_chain_failure_event(
600 				conn, 0, chain, TLS_FAIL_UNTRUSTED,
601 				"unknown CA");
602 			break;
603 		default:
604 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
605 			break;
606 		}
607 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
608 		x509_certificate_chain_free(chain);
609 		return -1;
610 	}
611 
612 	if (conn->cred && !conn->cred->server_cert_only && chain &&
613 	    (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
614 	    !(chain->ext_key_usage &
615 	      (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
616 		tls_cert_chain_failure_event(
617 			conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
618 			"certificate not allowed for server authentication");
619 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
620 			  TLS_ALERT_BAD_CERTIFICATE);
621 		x509_certificate_chain_free(chain);
622 		return -1;
623 	}
624 
625 	if (conn->flags & TLS_CONN_REQUEST_OCSP) {
626 		x509_certificate_chain_free(conn->server_cert);
627 		conn->server_cert = chain;
628 	} else {
629 		x509_certificate_chain_free(chain);
630 	}
631 
632 	*in_len = end - in_data;
633 
634 	conn->state = SERVER_KEY_EXCHANGE;
635 
636 	return 0;
637 }
638 
639 
640 static unsigned int count_bits(const u8 *val, size_t len)
641 {
642 	size_t i;
643 	unsigned int bits;
644 	u8 tmp;
645 
646 	for (i = 0; i < len; i++) {
647 		if (val[i])
648 			break;
649 	}
650 	if (i == len)
651 		return 0;
652 
653 	bits = (len - i - 1) * 8;
654 	tmp = val[i];
655 	while (tmp) {
656 		bits++;
657 		tmp >>= 1;
658 	}
659 
660 	return bits;
661 }
662 
663 
664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
665 					const u8 *buf, size_t len,
666 					tls_key_exchange key_exchange)
667 {
668 	const u8 *pos, *end, *server_params, *server_params_end;
669 	u8 alert;
670 	unsigned int bits;
671 	u16 val;
672 
673 	tlsv1_client_free_dh(conn);
674 
675 	pos = buf;
676 	end = buf + len;
677 
678 	if (end - pos < 3)
679 		goto fail;
680 	server_params = pos;
681 	val = WPA_GET_BE16(pos);
682 	pos += 2;
683 	if (val == 0 || val > (size_t) (end - pos)) {
684 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
685 		goto fail;
686 	}
687 	conn->dh_p_len = val;
688 	bits = count_bits(pos, conn->dh_p_len);
689 	if (bits < 768) {
690 		wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
691 			   bits);
692 		wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
693 			    pos, conn->dh_p_len);
694 		goto fail;
695 	}
696 	conn->dh_p = os_memdup(pos, conn->dh_p_len);
697 	if (conn->dh_p == NULL)
698 		goto fail;
699 	pos += conn->dh_p_len;
700 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
701 		    conn->dh_p, conn->dh_p_len);
702 
703 	if (end - pos < 3)
704 		goto fail;
705 	val = WPA_GET_BE16(pos);
706 	pos += 2;
707 	if (val == 0 || val > (size_t) (end - pos))
708 		goto fail;
709 	conn->dh_g_len = val;
710 	conn->dh_g = os_memdup(pos, conn->dh_g_len);
711 	if (conn->dh_g == NULL)
712 		goto fail;
713 	pos += conn->dh_g_len;
714 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
715 		    conn->dh_g, conn->dh_g_len);
716 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
717 		goto fail;
718 
719 	if (end - pos < 3)
720 		goto fail;
721 	val = WPA_GET_BE16(pos);
722 	pos += 2;
723 	if (val == 0 || val > (size_t) (end - pos))
724 		goto fail;
725 	conn->dh_ys_len = val;
726 	conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
727 	if (conn->dh_ys == NULL)
728 		goto fail;
729 	pos += conn->dh_ys_len;
730 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
731 		    conn->dh_ys, conn->dh_ys_len);
732 	server_params_end = pos;
733 
734 	if (key_exchange == TLS_KEY_X_DHE_RSA) {
735 		u8 hash[64];
736 		int hlen;
737 
738 		if (conn->rl.tls_version == TLS_VERSION_1_2) {
739 #ifdef CONFIG_TLSV12
740 			/*
741 			 * RFC 5246, 4.7:
742 			 * TLS v1.2 adds explicit indication of the used
743 			 * signature and hash algorithms.
744 			 *
745 			 * struct {
746 			 *   HashAlgorithm hash;
747 			 *   SignatureAlgorithm signature;
748 			 * } SignatureAndHashAlgorithm;
749 			 */
750 			if (end - pos < 2)
751 				goto fail;
752 			if ((pos[0] != TLS_HASH_ALG_SHA256 &&
753 			     pos[0] != TLS_HASH_ALG_SHA384 &&
754 			     pos[0] != TLS_HASH_ALG_SHA512) ||
755 			    pos[1] != TLS_SIGN_ALG_RSA) {
756 				wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
757 					   pos[0], pos[1]);
758 				goto fail;
759 			}
760 
761 			hlen = tlsv12_key_x_server_params_hash(
762 				conn->rl.tls_version, pos[0],
763 				conn->client_random,
764 				conn->server_random, server_params,
765 				server_params_end - server_params, hash);
766 			pos += 2;
767 #else /* CONFIG_TLSV12 */
768 			goto fail;
769 #endif /* CONFIG_TLSV12 */
770 		} else {
771 			hlen = tls_key_x_server_params_hash(
772 				conn->rl.tls_version, conn->client_random,
773 				conn->server_random, server_params,
774 				server_params_end - server_params, hash);
775 		}
776 
777 		if (hlen < 0)
778 			goto fail;
779 		wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
780 			    hash, hlen);
781 
782 		if (tls_verify_signature(conn->rl.tls_version,
783 					 conn->server_rsa_key,
784 					 hash, hlen, pos, end - pos,
785 					 &alert) < 0)
786 			goto fail;
787 	}
788 
789 	return 0;
790 
791 fail:
792 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
793 	tlsv1_client_free_dh(conn);
794 	return -1;
795 }
796 
797 
798 static enum tls_ocsp_result
799 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
800 					     const u8 *pos, size_t len)
801 {
802 	const u8 *end = pos + len;
803 	u32 ocsp_resp_len;
804 
805 	/* opaque OCSPResponse<1..2^24-1>; */
806 	if (end - pos < 3) {
807 		wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
808 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
809 		return TLS_OCSP_INVALID;
810 	}
811 	ocsp_resp_len = WPA_GET_BE24(pos);
812 	pos += 3;
813 	if (end - pos < ocsp_resp_len) {
814 		wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
815 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
816 		return TLS_OCSP_INVALID;
817 	}
818 
819 	return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
820 }
821 
822 
823 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
824 					   const u8 *in_data, size_t *in_len)
825 {
826 	const u8 *pos, *end;
827 	size_t left, len;
828 	u8 type, status_type;
829 	enum tls_ocsp_result res;
830 	struct x509_certificate *cert;
831 	int depth;
832 
833 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
834 		wpa_printf(MSG_DEBUG,
835 			   "TLSv1: Expected Handshake; received content type 0x%x",
836 			   ct);
837 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
838 			  TLS_ALERT_UNEXPECTED_MESSAGE);
839 		return -1;
840 	}
841 
842 	pos = in_data;
843 	left = *in_len;
844 
845 	if (left < 4) {
846 		wpa_printf(MSG_DEBUG,
847 			   "TLSv1: Too short CertificateStatus (left=%lu)",
848 			   (unsigned long) left);
849 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
850 		return -1;
851 	}
852 
853 	type = *pos++;
854 	len = WPA_GET_BE24(pos);
855 	pos += 3;
856 	left -= 4;
857 
858 	if (len > left) {
859 		wpa_printf(MSG_DEBUG,
860 			   "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
861 			   (unsigned long) len, (unsigned long) left);
862 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
863 		return -1;
864 	}
865 
866 	end = pos + len;
867 
868 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
869 		wpa_printf(MSG_DEBUG,
870 			   "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
871 			   type);
872 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
873 			  TLS_ALERT_UNEXPECTED_MESSAGE);
874 		return -1;
875 	}
876 
877 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
878 
879 	/*
880 	 * struct {
881 	 *     CertificateStatusType status_type;
882 	 *     select (status_type) {
883 	 *         case ocsp: OCSPResponse;
884 	 *         case ocsp_multi: OCSPResponseList;
885 	 *     } response;
886 	 * } CertificateStatus;
887 	 */
888 	if (end - pos < 1) {
889 		wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
890 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
891 		return -1;
892 	}
893 	status_type = *pos++;
894 	wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
895 		   status_type);
896 
897 	if (status_type == 1 /* ocsp */) {
898 		res = tls_process_certificate_status_ocsp_response(
899 			conn, pos, end - pos);
900 	} else if (status_type == 2 /* ocsp_multi */) {
901 		int good = 0, revoked = 0;
902 		u32 resp_len;
903 
904 		res = TLS_OCSP_NO_RESPONSE;
905 
906 		/*
907 		 * opaque OCSPResponse<0..2^24-1>;
908 		 *
909 		 * struct {
910 		 *   OCSPResponse ocsp_response_list<1..2^24-1>;
911 		 * } OCSPResponseList;
912 		 */
913 		if (end - pos < 3) {
914 			wpa_printf(MSG_DEBUG,
915 				   "TLSv1: Truncated OCSPResponseList");
916 			res = TLS_OCSP_INVALID;
917 			goto done;
918 		}
919 		resp_len = WPA_GET_BE24(pos);
920 		pos += 3;
921 		if (end - pos < resp_len) {
922 			wpa_printf(MSG_DEBUG,
923 				   "TLSv1: Truncated OCSPResponseList(len=%u)",
924 				   resp_len);
925 			res = TLS_OCSP_INVALID;
926 			goto done;
927 		}
928 		end = pos + resp_len;
929 
930 		while (end - pos >= 3) {
931 			resp_len = WPA_GET_BE24(pos);
932 			pos += 3;
933 			if (resp_len > end - pos) {
934 				wpa_printf(MSG_DEBUG,
935 					   "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
936 					   resp_len, (int) (end - pos));
937 				res = TLS_OCSP_INVALID;
938 				break;
939 			}
940 			if (!resp_len)
941 				continue; /* Skip an empty response */
942 			res = tls_process_certificate_status_ocsp_response(
943 				conn, pos - 3, resp_len + 3);
944 			if (res == TLS_OCSP_REVOKED)
945 				revoked++;
946 			else if (res == TLS_OCSP_GOOD)
947 				good++;
948 			pos += resp_len;
949 		}
950 
951 		if (revoked)
952 			res = TLS_OCSP_REVOKED;
953 		else if (good)
954 			res = TLS_OCSP_GOOD;
955 	} else {
956 		wpa_printf(MSG_DEBUG,
957 			   "TLSv1: Ignore unsupported CertificateStatus");
958 		goto skip;
959 	}
960 
961 done:
962 	if (res == TLS_OCSP_REVOKED) {
963 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
964 			  TLS_ALERT_CERTIFICATE_REVOKED);
965 		for (cert = conn->server_cert, depth = 0; cert;
966 		     cert = cert->next, depth++) {
967 			if (cert->ocsp_revoked) {
968 				tls_cert_chain_failure_event(
969 					conn, depth, cert, TLS_FAIL_REVOKED,
970 					"certificate revoked");
971 			}
972 		}
973 		return -1;
974 	}
975 
976 	if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
977 		/*
978 		 * Verify that each certificate on the chain that is not part
979 		 * of the trusted certificates has a good status. If not,
980 		 * terminate handshake.
981 		 */
982 		for (cert = conn->server_cert, depth = 0; cert;
983 		     cert = cert->next, depth++) {
984 			if (!cert->ocsp_good) {
985 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
986 					  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
987 				tls_cert_chain_failure_event(
988 					conn, depth, cert,
989 					TLS_FAIL_UNSPECIFIED,
990 					"bad certificate status response");
991 				return -1;
992 			}
993 			if (cert->issuer_trusted)
994 				break;
995 		}
996 	}
997 
998 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
999 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1000 			  res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
1001 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1002 		if (conn->server_cert)
1003 			tls_cert_chain_failure_event(
1004 				conn, 0, conn->server_cert,
1005 				TLS_FAIL_UNSPECIFIED,
1006 				"bad certificate status response");
1007 		return -1;
1008 	}
1009 
1010 	conn->ocsp_resp_received = 1;
1011 
1012 skip:
1013 	*in_len = end - in_data;
1014 
1015 	conn->state = SERVER_KEY_EXCHANGE;
1016 
1017 	return 0;
1018 }
1019 
1020 
1021 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1022 					   const u8 *in_data, size_t *in_len)
1023 {
1024 	const u8 *pos, *end;
1025 	size_t left, len;
1026 	u8 type;
1027 	const struct tls_cipher_suite *suite;
1028 
1029 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1030 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1031 			   "received content type 0x%x", ct);
1032 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1034 		return -1;
1035 	}
1036 
1037 	pos = in_data;
1038 	left = *in_len;
1039 
1040 	if (left < 4) {
1041 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1042 			   "(Left=%lu)", (unsigned long) left);
1043 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1044 		return -1;
1045 	}
1046 
1047 	type = *pos++;
1048 	len = WPA_GET_BE24(pos);
1049 	pos += 3;
1050 	left -= 4;
1051 
1052 	if (len > left) {
1053 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1054 			   "length (len=%lu != left=%lu)",
1055 			   (unsigned long) len, (unsigned long) left);
1056 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1057 		return -1;
1058 	}
1059 
1060 	end = pos + len;
1061 
1062 	if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1063 	    type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1064 		return tls_process_certificate_status(conn, ct, in_data,
1065 						      in_len);
1066 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1067 		return tls_process_certificate_request(conn, ct, in_data,
1068 						       in_len);
1069 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1070 		return tls_process_server_hello_done(conn, ct, in_data,
1071 						     in_len);
1072 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1073 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1074 			   "message %d (expected ServerKeyExchange/"
1075 			   "CertificateRequest/ServerHelloDone%s)", type,
1076 			   (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1077 			   "/CertificateStatus" : "");
1078 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1079 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1080 		return -1;
1081 	}
1082 
1083 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1084 
1085 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1086 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1087 			   "with the selected cipher suite");
1088 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1089 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1090 		return -1;
1091 	}
1092 
1093 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1094 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1095 	if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1096 		      suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1097 		if (tlsv1_process_diffie_hellman(conn, pos, len,
1098 						 suite->key_exchange) < 0) {
1099 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1100 				  TLS_ALERT_DECODE_ERROR);
1101 			return -1;
1102 		}
1103 	} else {
1104 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1105 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1106 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1107 		return -1;
1108 	}
1109 
1110 	*in_len = end - in_data;
1111 
1112 	conn->state = SERVER_CERTIFICATE_REQUEST;
1113 
1114 	return 0;
1115 }
1116 
1117 
1118 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1119 					   const u8 *in_data, size_t *in_len)
1120 {
1121 	const u8 *pos, *end;
1122 	size_t left, len;
1123 	u8 type;
1124 
1125 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1126 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1127 			   "received content type 0x%x", ct);
1128 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1129 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1130 		return -1;
1131 	}
1132 
1133 	pos = in_data;
1134 	left = *in_len;
1135 
1136 	if (left < 4) {
1137 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1138 			   "(left=%lu)", (unsigned long) left);
1139 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1140 		return -1;
1141 	}
1142 
1143 	type = *pos++;
1144 	len = WPA_GET_BE24(pos);
1145 	pos += 3;
1146 	left -= 4;
1147 
1148 	if (len > left) {
1149 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1150 			   "length (len=%lu != left=%lu)",
1151 			   (unsigned long) len, (unsigned long) left);
1152 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1153 		return -1;
1154 	}
1155 
1156 	end = pos + len;
1157 
1158 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1159 		return tls_process_server_hello_done(conn, ct, in_data,
1160 						     in_len);
1161 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1162 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1163 			   "message %d (expected CertificateRequest/"
1164 			   "ServerHelloDone)", type);
1165 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1166 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1167 		return -1;
1168 	}
1169 
1170 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1171 
1172 	conn->certificate_requested = 1;
1173 
1174 	*in_len = end - in_data;
1175 
1176 	conn->state = SERVER_HELLO_DONE;
1177 
1178 	return 0;
1179 }
1180 
1181 
1182 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1183 					 const u8 *in_data, size_t *in_len)
1184 {
1185 	const u8 *pos, *end;
1186 	size_t left, len;
1187 	u8 type;
1188 
1189 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1190 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1191 			   "received content type 0x%x", ct);
1192 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1193 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1194 		return -1;
1195 	}
1196 
1197 	pos = in_data;
1198 	left = *in_len;
1199 
1200 	if (left < 4) {
1201 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1202 			   "(left=%lu)", (unsigned long) left);
1203 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1204 		return -1;
1205 	}
1206 
1207 	type = *pos++;
1208 	len = WPA_GET_BE24(pos);
1209 	pos += 3;
1210 	left -= 4;
1211 
1212 	if (len > left) {
1213 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1214 			   "length (len=%lu != left=%lu)",
1215 			   (unsigned long) len, (unsigned long) left);
1216 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1217 		return -1;
1218 	}
1219 	end = pos + len;
1220 
1221 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1222 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1223 			   "message %d (expected ServerHelloDone)", type);
1224 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1225 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1226 		return -1;
1227 	}
1228 
1229 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1230 
1231 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1232 	    !conn->ocsp_resp_received) {
1233 		wpa_printf(MSG_INFO,
1234 			   "TLSv1: No OCSP response received - reject handshake");
1235 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1236 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1237 		return -1;
1238 	}
1239 
1240 	*in_len = end - in_data;
1241 
1242 	conn->state = CLIENT_KEY_EXCHANGE;
1243 
1244 	return 0;
1245 }
1246 
1247 
1248 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1249 						 u8 ct, const u8 *in_data,
1250 						 size_t *in_len)
1251 {
1252 	const u8 *pos;
1253 	size_t left;
1254 
1255 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1256 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1257 			   "received content type 0x%x", ct);
1258 		if (conn->use_session_ticket) {
1259 			int res;
1260 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1261 				   "rejected SessionTicket");
1262 			conn->use_session_ticket = 0;
1263 
1264 			/* Notify upper layers that SessionTicket failed */
1265 			res = conn->session_ticket_cb(
1266 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
1267 				NULL, NULL);
1268 			if (res < 0) {
1269 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1270 					   "callback indicated failure");
1271 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1272 					  TLS_ALERT_HANDSHAKE_FAILURE);
1273 				return -1;
1274 			}
1275 
1276 			conn->state = SERVER_CERTIFICATE;
1277 			return tls_process_certificate(conn, ct, in_data,
1278 						       in_len);
1279 		}
1280 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1281 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1282 		return -1;
1283 	}
1284 
1285 	pos = in_data;
1286 	left = *in_len;
1287 
1288 	if (left < 1) {
1289 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1290 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1291 		return -1;
1292 	}
1293 
1294 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1295 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1296 			   "received data 0x%x", *pos);
1297 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1298 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1299 		return -1;
1300 	}
1301 
1302 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1303 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1304 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1305 			   "for record layer");
1306 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1307 			  TLS_ALERT_INTERNAL_ERROR);
1308 		return -1;
1309 	}
1310 
1311 	*in_len = pos + 1 - in_data;
1312 
1313 	conn->state = SERVER_FINISHED;
1314 
1315 	return 0;
1316 }
1317 
1318 
1319 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1320 				       const u8 *in_data, size_t *in_len)
1321 {
1322 	const u8 *pos, *end;
1323 	size_t left, len, hlen;
1324 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1325 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1326 
1327 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1328 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1329 			   "received content type 0x%x", ct);
1330 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1331 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1332 		return -1;
1333 	}
1334 
1335 	pos = in_data;
1336 	left = *in_len;
1337 
1338 	if (left < 4) {
1339 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1340 			   "Finished",
1341 			   (unsigned long) left);
1342 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1343 			  TLS_ALERT_DECODE_ERROR);
1344 		return -1;
1345 	}
1346 
1347 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1348 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1349 			   "type 0x%x", pos[0]);
1350 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1351 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1352 		return -1;
1353 	}
1354 
1355 	len = WPA_GET_BE24(pos + 1);
1356 
1357 	pos += 4;
1358 	left -= 4;
1359 
1360 	if (len > left) {
1361 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1362 			   "(len=%lu > left=%lu)",
1363 			   (unsigned long) len, (unsigned long) left);
1364 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1365 			  TLS_ALERT_DECODE_ERROR);
1366 		return -1;
1367 	}
1368 	end = pos + len;
1369 	if (len != TLS_VERIFY_DATA_LEN) {
1370 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1371 			   "in Finished: %lu (expected %d)",
1372 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1373 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1374 			  TLS_ALERT_DECODE_ERROR);
1375 		return -1;
1376 	}
1377 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1378 		    pos, TLS_VERIFY_DATA_LEN);
1379 
1380 #ifdef CONFIG_TLSV12
1381 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1382 		hlen = SHA256_MAC_LEN;
1383 		if (conn->verify.sha256_server == NULL ||
1384 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1385 		    < 0) {
1386 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1387 				  TLS_ALERT_INTERNAL_ERROR);
1388 			conn->verify.sha256_server = NULL;
1389 			return -1;
1390 		}
1391 		conn->verify.sha256_server = NULL;
1392 	} else {
1393 #endif /* CONFIG_TLSV12 */
1394 
1395 	hlen = MD5_MAC_LEN;
1396 	if (conn->verify.md5_server == NULL ||
1397 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1398 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1399 			  TLS_ALERT_INTERNAL_ERROR);
1400 		conn->verify.md5_server = NULL;
1401 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1402 		conn->verify.sha1_server = NULL;
1403 		return -1;
1404 	}
1405 	conn->verify.md5_server = NULL;
1406 	hlen = SHA1_MAC_LEN;
1407 	if (conn->verify.sha1_server == NULL ||
1408 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1409 			       &hlen) < 0) {
1410 		conn->verify.sha1_server = NULL;
1411 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1412 			  TLS_ALERT_INTERNAL_ERROR);
1413 		return -1;
1414 	}
1415 	conn->verify.sha1_server = NULL;
1416 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1417 
1418 #ifdef CONFIG_TLSV12
1419 	}
1420 #endif /* CONFIG_TLSV12 */
1421 
1422 	if (tls_prf(conn->rl.tls_version,
1423 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1424 		    "server finished", hash, hlen,
1425 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1426 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1427 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1428 			  TLS_ALERT_DECRYPT_ERROR);
1429 		return -1;
1430 	}
1431 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1432 			verify_data, TLS_VERIFY_DATA_LEN);
1433 
1434 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1435 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1436 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1437 			  TLS_ALERT_DECRYPT_ERROR);
1438 		return -1;
1439 	}
1440 
1441 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1442 
1443 	*in_len = end - in_data;
1444 
1445 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1446 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
1447 
1448 	return 0;
1449 }
1450 
1451 
1452 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1453 					const u8 *in_data, size_t *in_len,
1454 					u8 **out_data, size_t *out_len)
1455 {
1456 	const u8 *pos;
1457 	size_t left;
1458 
1459 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1460 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1461 			   "received content type 0x%x", ct);
1462 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1463 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1464 		return -1;
1465 	}
1466 
1467 	pos = in_data;
1468 	left = *in_len;
1469 
1470 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1471 		    pos, left);
1472 
1473 	*out_data = os_malloc(left);
1474 	if (*out_data) {
1475 		os_memcpy(*out_data, pos, left);
1476 		*out_len = left;
1477 	}
1478 
1479 	return 0;
1480 }
1481 
1482 
1483 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1484 				   const u8 *buf, size_t *len,
1485 				   u8 **out_data, size_t *out_len)
1486 {
1487 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1488 		if (*len < 2) {
1489 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1490 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1491 				  TLS_ALERT_DECODE_ERROR);
1492 			return -1;
1493 		}
1494 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1495 			   buf[0], buf[1]);
1496 		*len = 2;
1497 		conn->state = FAILED;
1498 		return -1;
1499 	}
1500 
1501 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1502 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1503 		size_t hr_len = WPA_GET_BE24(buf + 1);
1504 		if (hr_len > *len - 4) {
1505 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1506 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1507 				  TLS_ALERT_DECODE_ERROR);
1508 			return -1;
1509 		}
1510 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1511 		*len = 4 + hr_len;
1512 		return 0;
1513 	}
1514 
1515 	switch (conn->state) {
1516 	case SERVER_HELLO:
1517 		if (tls_process_server_hello(conn, ct, buf, len))
1518 			return -1;
1519 		break;
1520 	case SERVER_CERTIFICATE:
1521 		if (tls_process_certificate(conn, ct, buf, len))
1522 			return -1;
1523 		break;
1524 	case SERVER_KEY_EXCHANGE:
1525 		if (tls_process_server_key_exchange(conn, ct, buf, len))
1526 			return -1;
1527 		break;
1528 	case SERVER_CERTIFICATE_REQUEST:
1529 		if (tls_process_certificate_request(conn, ct, buf, len))
1530 			return -1;
1531 		break;
1532 	case SERVER_HELLO_DONE:
1533 		if (tls_process_server_hello_done(conn, ct, buf, len))
1534 			return -1;
1535 		break;
1536 	case SERVER_CHANGE_CIPHER_SPEC:
1537 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1538 			return -1;
1539 		break;
1540 	case SERVER_FINISHED:
1541 		if (tls_process_server_finished(conn, ct, buf, len))
1542 			return -1;
1543 		break;
1544 	case ACK_FINISHED:
1545 		if (out_data &&
1546 		    tls_process_application_data(conn, ct, buf, len, out_data,
1547 						 out_len))
1548 			return -1;
1549 		break;
1550 	default:
1551 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1552 			   "while processing received message",
1553 			   conn->state);
1554 		return -1;
1555 	}
1556 
1557 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1558 		tls_verify_hash_add(&conn->verify, buf, *len);
1559 
1560 	return 0;
1561 }
1562