xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision d3d381b2b194b4d24853e92eecef55f262688d1a)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21 
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 					   const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 					   const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 					 const u8 *in_data, size_t *in_len);
28 
29 
30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 	return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 		 ver == TLS_VERSION_1) ||
34 		((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 		 ver == TLS_VERSION_1_1) ||
36 		((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 		 ver == TLS_VERSION_1_2));
38 }
39 
40 
41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 					       const u8 *pos, size_t len)
43 {
44 	const u8 *end = pos + len;
45 
46 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 		    pos, len);
48 	while (pos < end) {
49 		u16 ext, elen;
50 
51 		if (end - pos < 4) {
52 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 			return -1;
54 		}
55 
56 		ext = WPA_GET_BE16(pos);
57 		pos += 2;
58 		elen = WPA_GET_BE16(pos);
59 		pos += 2;
60 
61 		if (elen > end - pos) {
62 			wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 			return -1;
64 		}
65 
66 		wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 			   ext);
68 		wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 			    pos, elen);
70 
71 		pos += elen;
72 	}
73 
74 	return 0;
75 }
76 
77 
78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 				    const u8 *in_data, size_t *in_len)
80 {
81 	const u8 *pos, *end;
82 	size_t left, len, i;
83 	u16 cipher_suite;
84 	u16 tls_version;
85 
86 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 			   "received content type 0x%x", ct);
89 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 			  TLS_ALERT_UNEXPECTED_MESSAGE);
91 		return -1;
92 	}
93 
94 	pos = in_data;
95 	left = *in_len;
96 
97 	if (left < 4)
98 		goto decode_error;
99 
100 	/* HandshakeType msg_type */
101 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 			   "message %d (expected ServerHello)", *pos);
104 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 			  TLS_ALERT_UNEXPECTED_MESSAGE);
106 		return -1;
107 	}
108 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 	pos++;
110 	/* uint24 length */
111 	len = WPA_GET_BE24(pos);
112 	pos += 3;
113 	left -= 4;
114 
115 	if (len > left)
116 		goto decode_error;
117 
118 	/* body - ServerHello */
119 
120 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 	end = pos + len;
122 
123 	/* ProtocolVersion server_version */
124 	if (end - pos < 2)
125 		goto decode_error;
126 	tls_version = WPA_GET_BE16(pos);
127 	if (!tls_version_ok(tls_version) ||
128 	    tls_version_disabled(conn, tls_version)) {
129 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 			   "ServerHello %u.%u", pos[0], pos[1]);
131 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 			  TLS_ALERT_PROTOCOL_VERSION);
133 		return -1;
134 	}
135 	pos += 2;
136 
137 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 		   tls_version_str(tls_version));
139 	conn->rl.tls_version = tls_version;
140 
141 	/* Random random */
142 	if (end - pos < TLS_RANDOM_LEN)
143 		goto decode_error;
144 
145 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 	pos += TLS_RANDOM_LEN;
147 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 		    conn->server_random, TLS_RANDOM_LEN);
149 
150 	/* SessionID session_id */
151 	if (end - pos < 1)
152 		goto decode_error;
153 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 		goto decode_error;
155 	if (conn->session_id_len && conn->session_id_len == *pos &&
156 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 		pos += 1 + conn->session_id_len;
158 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 		conn->session_resumed = 1;
160 	} else {
161 		conn->session_id_len = *pos;
162 		pos++;
163 		os_memcpy(conn->session_id, pos, conn->session_id_len);
164 		pos += conn->session_id_len;
165 	}
166 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 		    conn->session_id, conn->session_id_len);
168 
169 	/* CipherSuite cipher_suite */
170 	if (end - pos < 2)
171 		goto decode_error;
172 	cipher_suite = WPA_GET_BE16(pos);
173 	pos += 2;
174 	for (i = 0; i < conn->num_cipher_suites; i++) {
175 		if (cipher_suite == conn->cipher_suites[i])
176 			break;
177 	}
178 	if (i == conn->num_cipher_suites) {
179 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 			   "cipher suite 0x%04x", cipher_suite);
181 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 			  TLS_ALERT_ILLEGAL_PARAMETER);
183 		return -1;
184 	}
185 
186 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 			   "cipher suite for a resumed connection (0x%04x != "
189 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 			  TLS_ALERT_ILLEGAL_PARAMETER);
192 		return -1;
193 	}
194 
195 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 			   "record layer");
198 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 			  TLS_ALERT_INTERNAL_ERROR);
200 		return -1;
201 	}
202 
203 	conn->prev_cipher_suite = cipher_suite;
204 
205 	/* CompressionMethod compression_method */
206 	if (end - pos < 1)
207 		goto decode_error;
208 	if (*pos != TLS_COMPRESSION_NULL) {
209 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 			   "compression 0x%02x", *pos);
211 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 			  TLS_ALERT_ILLEGAL_PARAMETER);
213 		return -1;
214 	}
215 	pos++;
216 
217 	if (end - pos >= 2) {
218 		u16 ext_len;
219 
220 		ext_len = WPA_GET_BE16(pos);
221 		pos += 2;
222 		if (end - pos < ext_len) {
223 			wpa_printf(MSG_INFO,
224 				   "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 				   ext_len, (unsigned int) (end - pos));
226 			goto decode_error;
227 		}
228 
229 		if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 			goto decode_error;
231 		pos += ext_len;
232 	}
233 
234 	if (end != pos) {
235 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 			    "end of ServerHello", pos, end - pos);
237 		goto decode_error;
238 	}
239 
240 	if (conn->session_ticket_included && conn->session_ticket_cb) {
241 		/* TODO: include SessionTicket extension if one was included in
242 		 * ServerHello */
243 		int res = conn->session_ticket_cb(
244 			conn->session_ticket_cb_ctx, NULL, 0,
245 			conn->client_random, conn->server_random,
246 			conn->master_secret);
247 		if (res < 0) {
248 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 				   "indicated failure");
250 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 				  TLS_ALERT_HANDSHAKE_FAILURE);
252 			return -1;
253 		}
254 		conn->use_session_ticket = !!res;
255 	}
256 
257 	if ((conn->session_resumed || conn->use_session_ticket) &&
258 	    tls_derive_keys(conn, NULL, 0)) {
259 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 			  TLS_ALERT_INTERNAL_ERROR);
262 		return -1;
263 	}
264 
265 	*in_len = end - in_data;
266 
267 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269 
270 	return 0;
271 
272 decode_error:
273 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 	return -1;
276 }
277 
278 
279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 				struct x509_certificate *cert)
281 {
282 	union tls_event_data ev;
283 	struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 	u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 	char subject[128];
288 
289 	if (!conn->event_cb)
290 		return;
291 
292 	os_memset(&ev, 0, sizeof(ev));
293 	if (conn->cred->cert_probe || conn->cert_in_cb) {
294 		cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 					     cert->cert_len);
296 		ev.peer_cert.cert = cert_buf;
297 	}
298 #ifdef CONFIG_SHA256
299 	if (cert_buf) {
300 		const u8 *addr[1];
301 		size_t len[1];
302 		addr[0] = wpabuf_head(cert_buf);
303 		len[0] = wpabuf_len(cert_buf);
304 		if (sha256_vector(1, addr, len, hash) == 0) {
305 			ev.peer_cert.hash = hash;
306 			ev.peer_cert.hash_len = sizeof(hash);
307 		}
308 	}
309 #endif /* CONFIG_SHA256 */
310 
311 	ev.peer_cert.depth = depth;
312 	x509_name_string(&cert->subject, subject, sizeof(subject));
313 	ev.peer_cert.subject = subject;
314 
315 	conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
316 	wpabuf_free(cert_buf);
317 }
318 
319 
320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
321 					 struct x509_certificate *cert,
322 					 enum tls_fail_reason reason,
323 					 const char *reason_txt)
324 {
325 	struct wpabuf *cert_buf = NULL;
326 	union tls_event_data ev;
327 	char subject[128];
328 
329 	if (!conn->event_cb || !cert)
330 		return;
331 
332 	os_memset(&ev, 0, sizeof(ev));
333 	ev.cert_fail.depth = depth;
334 	x509_name_string(&cert->subject, subject, sizeof(subject));
335 	ev.peer_cert.subject = subject;
336 	ev.cert_fail.reason = reason;
337 	ev.cert_fail.reason_txt = reason_txt;
338 	cert_buf = wpabuf_alloc_copy(cert->cert_start,
339 				     cert->cert_len);
340 	ev.cert_fail.cert = cert_buf;
341 	conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
342 	wpabuf_free(cert_buf);
343 }
344 
345 
346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
347 				   const u8 *in_data, size_t *in_len)
348 {
349 	const u8 *pos, *end;
350 	size_t left, len, list_len, cert_len, idx;
351 	u8 type;
352 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
353 	int reason;
354 
355 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
356 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
357 			   "received content type 0x%x", ct);
358 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 			  TLS_ALERT_UNEXPECTED_MESSAGE);
360 		return -1;
361 	}
362 
363 	pos = in_data;
364 	left = *in_len;
365 
366 	if (left < 4) {
367 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
368 			   "(len=%lu)", (unsigned long) left);
369 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
370 		return -1;
371 	}
372 
373 	type = *pos++;
374 	len = WPA_GET_BE24(pos);
375 	pos += 3;
376 	left -= 4;
377 
378 	if (len > left) {
379 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
380 			   "length (len=%lu != left=%lu)",
381 			   (unsigned long) len, (unsigned long) left);
382 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
383 		return -1;
384 	}
385 
386 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
387 		return tls_process_server_key_exchange(conn, ct, in_data,
388 						       in_len);
389 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
390 		return tls_process_certificate_request(conn, ct, in_data,
391 						       in_len);
392 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
393 		return tls_process_server_hello_done(conn, ct, in_data,
394 						     in_len);
395 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
396 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
397 			   "message %d (expected Certificate/"
398 			   "ServerKeyExchange/CertificateRequest/"
399 			   "ServerHelloDone)", type);
400 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
401 			  TLS_ALERT_UNEXPECTED_MESSAGE);
402 		return -1;
403 	}
404 
405 	wpa_printf(MSG_DEBUG,
406 		   "TLSv1: Received Certificate (certificate_list len %lu)",
407 		   (unsigned long) len);
408 
409 	/*
410 	 * opaque ASN.1Cert<2^24-1>;
411 	 *
412 	 * struct {
413 	 *     ASN.1Cert certificate_list<1..2^24-1>;
414 	 * } Certificate;
415 	 */
416 
417 	end = pos + len;
418 
419 	if (end - pos < 3) {
420 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
421 			   "(left=%lu)", (unsigned long) left);
422 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
423 		return -1;
424 	}
425 
426 	list_len = WPA_GET_BE24(pos);
427 	pos += 3;
428 
429 	if ((size_t) (end - pos) != list_len) {
430 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
431 			   "length (len=%lu left=%lu)",
432 			   (unsigned long) list_len,
433 			   (unsigned long) (end - pos));
434 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
435 		return -1;
436 	}
437 
438 	idx = 0;
439 	while (pos < end) {
440 		if (end - pos < 3) {
441 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
442 				   "certificate_list");
443 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
444 				  TLS_ALERT_DECODE_ERROR);
445 			x509_certificate_chain_free(chain);
446 			return -1;
447 		}
448 
449 		cert_len = WPA_GET_BE24(pos);
450 		pos += 3;
451 
452 		if ((size_t) (end - pos) < cert_len) {
453 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
454 				   "length (len=%lu left=%lu)",
455 				   (unsigned long) cert_len,
456 				   (unsigned long) (end - pos));
457 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 				  TLS_ALERT_DECODE_ERROR);
459 			x509_certificate_chain_free(chain);
460 			return -1;
461 		}
462 
463 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
464 			   (unsigned long) idx, (unsigned long) cert_len);
465 
466 		if (idx == 0) {
467 			crypto_public_key_free(conn->server_rsa_key);
468 			if (tls_parse_cert(pos, cert_len,
469 					   &conn->server_rsa_key)) {
470 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
471 					   "the certificate");
472 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 					  TLS_ALERT_BAD_CERTIFICATE);
474 				x509_certificate_chain_free(chain);
475 				return -1;
476 			}
477 		}
478 
479 		cert = x509_certificate_parse(pos, cert_len);
480 		if (cert == NULL) {
481 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
482 				   "the certificate");
483 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 				  TLS_ALERT_BAD_CERTIFICATE);
485 			x509_certificate_chain_free(chain);
486 			return -1;
487 		}
488 
489 		tls_peer_cert_event(conn, idx, cert);
490 
491 		if (last == NULL)
492 			chain = cert;
493 		else
494 			last->next = cert;
495 		last = cert;
496 
497 		idx++;
498 		pos += cert_len;
499 	}
500 
501 	if (conn->cred && conn->cred->server_cert_only && chain) {
502 		u8 hash[SHA256_MAC_LEN];
503 		char buf[128];
504 
505 		wpa_printf(MSG_DEBUG,
506 			   "TLSv1: Validate server certificate hash");
507 		x509_name_string(&chain->subject, buf, sizeof(buf));
508 		wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
509 		if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
510 				  hash) < 0 ||
511 		    os_memcmp(conn->cred->srv_cert_hash, hash,
512 			      SHA256_MAC_LEN) != 0) {
513 			wpa_printf(MSG_DEBUG,
514 				   "TLSv1: Server certificate hash mismatch");
515 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
516 				    hash, SHA256_MAC_LEN);
517 			if (conn->event_cb) {
518 				union tls_event_data ev;
519 
520 				os_memset(&ev, 0, sizeof(ev));
521 				ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
522 				ev.cert_fail.reason_txt =
523 					"Server certificate mismatch";
524 				ev.cert_fail.subject = buf;
525 				conn->event_cb(conn->cb_ctx,
526 					       TLS_CERT_CHAIN_FAILURE, &ev);
527 			}
528 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 				  TLS_ALERT_BAD_CERTIFICATE);
530 			x509_certificate_chain_free(chain);
531 			return -1;
532 		}
533 	} else if (conn->cred && conn->cred->cert_probe) {
534 		wpa_printf(MSG_DEBUG,
535 			   "TLSv1: Reject server certificate on probe-only rune");
536 		if (conn->event_cb) {
537 			union tls_event_data ev;
538 			char buf[128];
539 
540 			os_memset(&ev, 0, sizeof(ev));
541 			ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
542 			ev.cert_fail.reason_txt =
543 				"Server certificate chain probe";
544 			if (chain) {
545 				x509_name_string(&chain->subject, buf,
546 						 sizeof(buf));
547 				ev.cert_fail.subject = buf;
548 			}
549 			conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
550 				       &ev);
551 		}
552 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 			  TLS_ALERT_BAD_CERTIFICATE);
554 		x509_certificate_chain_free(chain);
555 		return -1;
556 	} else if (conn->cred && conn->cred->ca_cert_verify &&
557 		   x509_certificate_chain_validate(
558 			   conn->cred->trusted_certs, chain, &reason,
559 			   !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
560 		   < 0) {
561 		int tls_reason;
562 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
563 			   "validation failed (reason=%d)", reason);
564 		switch (reason) {
565 		case X509_VALIDATE_BAD_CERTIFICATE:
566 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
567 			tls_cert_chain_failure_event(
568 				conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
569 				"bad certificate");
570 			break;
571 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
572 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
573 			break;
574 		case X509_VALIDATE_CERTIFICATE_REVOKED:
575 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
576 			tls_cert_chain_failure_event(
577 				conn, 0, chain, TLS_FAIL_REVOKED,
578 				"certificate revoked");
579 			break;
580 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
581 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
582 			tls_cert_chain_failure_event(
583 				conn, 0, chain, TLS_FAIL_EXPIRED,
584 				"certificate has expired or is not yet valid");
585 			break;
586 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
587 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
588 			break;
589 		case X509_VALIDATE_UNKNOWN_CA:
590 			tls_reason = TLS_ALERT_UNKNOWN_CA;
591 			tls_cert_chain_failure_event(
592 				conn, 0, chain, TLS_FAIL_UNTRUSTED,
593 				"unknown CA");
594 			break;
595 		default:
596 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
597 			break;
598 		}
599 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
600 		x509_certificate_chain_free(chain);
601 		return -1;
602 	}
603 
604 	if (conn->cred && !conn->cred->server_cert_only && chain &&
605 	    (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
606 	    !(chain->ext_key_usage &
607 	      (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
608 		tls_cert_chain_failure_event(
609 			conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
610 			"certificate not allowed for server authentication");
611 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 			  TLS_ALERT_BAD_CERTIFICATE);
613 		x509_certificate_chain_free(chain);
614 		return -1;
615 	}
616 
617 	if (conn->flags & TLS_CONN_REQUEST_OCSP) {
618 		x509_certificate_chain_free(conn->server_cert);
619 		conn->server_cert = chain;
620 	} else {
621 		x509_certificate_chain_free(chain);
622 	}
623 
624 	*in_len = end - in_data;
625 
626 	conn->state = SERVER_KEY_EXCHANGE;
627 
628 	return 0;
629 }
630 
631 
632 static unsigned int count_bits(const u8 *val, size_t len)
633 {
634 	size_t i;
635 	unsigned int bits;
636 	u8 tmp;
637 
638 	for (i = 0; i < len; i++) {
639 		if (val[i])
640 			break;
641 	}
642 	if (i == len)
643 		return 0;
644 
645 	bits = (len - i - 1) * 8;
646 	tmp = val[i];
647 	while (tmp) {
648 		bits++;
649 		tmp >>= 1;
650 	}
651 
652 	return bits;
653 }
654 
655 
656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
657 					const u8 *buf, size_t len,
658 					tls_key_exchange key_exchange)
659 {
660 	const u8 *pos, *end, *server_params, *server_params_end;
661 	u8 alert;
662 	unsigned int bits;
663 	u16 val;
664 
665 	tlsv1_client_free_dh(conn);
666 
667 	pos = buf;
668 	end = buf + len;
669 
670 	if (end - pos < 3)
671 		goto fail;
672 	server_params = pos;
673 	val = WPA_GET_BE16(pos);
674 	pos += 2;
675 	if (val == 0 || val > (size_t) (end - pos)) {
676 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
677 		goto fail;
678 	}
679 	conn->dh_p_len = val;
680 	bits = count_bits(pos, conn->dh_p_len);
681 	if (bits < 768) {
682 		wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
683 			   bits);
684 		wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
685 			    pos, conn->dh_p_len);
686 		goto fail;
687 	}
688 	conn->dh_p = os_malloc(conn->dh_p_len);
689 	if (conn->dh_p == NULL)
690 		goto fail;
691 	os_memcpy(conn->dh_p, pos, conn->dh_p_len);
692 	pos += conn->dh_p_len;
693 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
694 		    conn->dh_p, conn->dh_p_len);
695 
696 	if (end - pos < 3)
697 		goto fail;
698 	val = WPA_GET_BE16(pos);
699 	pos += 2;
700 	if (val == 0 || val > (size_t) (end - pos))
701 		goto fail;
702 	conn->dh_g_len = val;
703 	conn->dh_g = os_malloc(conn->dh_g_len);
704 	if (conn->dh_g == NULL)
705 		goto fail;
706 	os_memcpy(conn->dh_g, pos, conn->dh_g_len);
707 	pos += conn->dh_g_len;
708 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
709 		    conn->dh_g, conn->dh_g_len);
710 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
711 		goto fail;
712 
713 	if (end - pos < 3)
714 		goto fail;
715 	val = WPA_GET_BE16(pos);
716 	pos += 2;
717 	if (val == 0 || val > (size_t) (end - pos))
718 		goto fail;
719 	conn->dh_ys_len = val;
720 	conn->dh_ys = os_malloc(conn->dh_ys_len);
721 	if (conn->dh_ys == NULL)
722 		goto fail;
723 	os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
724 	pos += conn->dh_ys_len;
725 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
726 		    conn->dh_ys, conn->dh_ys_len);
727 	server_params_end = pos;
728 
729 	if (key_exchange == TLS_KEY_X_DHE_RSA) {
730 		u8 hash[64];
731 		int hlen;
732 
733 		if (conn->rl.tls_version == TLS_VERSION_1_2) {
734 #ifdef CONFIG_TLSV12
735 			/*
736 			 * RFC 5246, 4.7:
737 			 * TLS v1.2 adds explicit indication of the used
738 			 * signature and hash algorithms.
739 			 *
740 			 * struct {
741 			 *   HashAlgorithm hash;
742 			 *   SignatureAlgorithm signature;
743 			 * } SignatureAndHashAlgorithm;
744 			 */
745 			if (end - pos < 2)
746 				goto fail;
747 			if ((pos[0] != TLS_HASH_ALG_SHA256 &&
748 			     pos[0] != TLS_HASH_ALG_SHA384 &&
749 			     pos[0] != TLS_HASH_ALG_SHA512) ||
750 			    pos[1] != TLS_SIGN_ALG_RSA) {
751 				wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
752 					   pos[0], pos[1]);
753 				goto fail;
754 			}
755 
756 			hlen = tlsv12_key_x_server_params_hash(
757 				conn->rl.tls_version, pos[0],
758 				conn->client_random,
759 				conn->server_random, server_params,
760 				server_params_end - server_params, hash);
761 			pos += 2;
762 #else /* CONFIG_TLSV12 */
763 			goto fail;
764 #endif /* CONFIG_TLSV12 */
765 		} else {
766 			hlen = tls_key_x_server_params_hash(
767 				conn->rl.tls_version, conn->client_random,
768 				conn->server_random, server_params,
769 				server_params_end - server_params, hash);
770 		}
771 
772 		if (hlen < 0)
773 			goto fail;
774 		wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
775 			    hash, hlen);
776 
777 		if (tls_verify_signature(conn->rl.tls_version,
778 					 conn->server_rsa_key,
779 					 hash, hlen, pos, end - pos,
780 					 &alert) < 0)
781 			goto fail;
782 	}
783 
784 	return 0;
785 
786 fail:
787 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
788 	tlsv1_client_free_dh(conn);
789 	return -1;
790 }
791 
792 
793 static enum tls_ocsp_result
794 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
795 					     const u8 *pos, size_t len)
796 {
797 	const u8 *end = pos + len;
798 	u32 ocsp_resp_len;
799 
800 	/* opaque OCSPResponse<1..2^24-1>; */
801 	if (end - pos < 3) {
802 		wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
803 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
804 		return TLS_OCSP_INVALID;
805 	}
806 	ocsp_resp_len = WPA_GET_BE24(pos);
807 	pos += 3;
808 	if (end - pos < ocsp_resp_len) {
809 		wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
810 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
811 		return TLS_OCSP_INVALID;
812 	}
813 
814 	return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
815 }
816 
817 
818 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
819 					   const u8 *in_data, size_t *in_len)
820 {
821 	const u8 *pos, *end;
822 	size_t left, len;
823 	u8 type, status_type;
824 	enum tls_ocsp_result res;
825 	struct x509_certificate *cert;
826 	int depth;
827 
828 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
829 		wpa_printf(MSG_DEBUG,
830 			   "TLSv1: Expected Handshake; received content type 0x%x",
831 			   ct);
832 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
833 			  TLS_ALERT_UNEXPECTED_MESSAGE);
834 		return -1;
835 	}
836 
837 	pos = in_data;
838 	left = *in_len;
839 
840 	if (left < 4) {
841 		wpa_printf(MSG_DEBUG,
842 			   "TLSv1: Too short CertificateStatus (left=%lu)",
843 			   (unsigned long) left);
844 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
845 		return -1;
846 	}
847 
848 	type = *pos++;
849 	len = WPA_GET_BE24(pos);
850 	pos += 3;
851 	left -= 4;
852 
853 	if (len > left) {
854 		wpa_printf(MSG_DEBUG,
855 			   "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
856 			   (unsigned long) len, (unsigned long) left);
857 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
858 		return -1;
859 	}
860 
861 	end = pos + len;
862 
863 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
864 		wpa_printf(MSG_DEBUG,
865 			   "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
866 			   type);
867 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 			  TLS_ALERT_UNEXPECTED_MESSAGE);
869 		return -1;
870 	}
871 
872 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
873 
874 	/*
875 	 * struct {
876 	 *     CertificateStatusType status_type;
877 	 *     select (status_type) {
878 	 *         case ocsp: OCSPResponse;
879 	 *         case ocsp_multi: OCSPResponseList;
880 	 *     } response;
881 	 * } CertificateStatus;
882 	 */
883 	if (end - pos < 1) {
884 		wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
885 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
886 		return -1;
887 	}
888 	status_type = *pos++;
889 	wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
890 		   status_type);
891 
892 	if (status_type == 1 /* ocsp */) {
893 		res = tls_process_certificate_status_ocsp_response(
894 			conn, pos, end - pos);
895 	} else if (status_type == 2 /* ocsp_multi */) {
896 		int good = 0, revoked = 0;
897 		u32 resp_len;
898 
899 		res = TLS_OCSP_NO_RESPONSE;
900 
901 		/*
902 		 * opaque OCSPResponse<0..2^24-1>;
903 		 *
904 		 * struct {
905 		 *   OCSPResponse ocsp_response_list<1..2^24-1>;
906 		 * } OCSPResponseList;
907 		 */
908 		if (end - pos < 3) {
909 			wpa_printf(MSG_DEBUG,
910 				   "TLSv1: Truncated OCSPResponseList");
911 			res = TLS_OCSP_INVALID;
912 			goto done;
913 		}
914 		resp_len = WPA_GET_BE24(pos);
915 		pos += 3;
916 		if (end - pos < resp_len) {
917 			wpa_printf(MSG_DEBUG,
918 				   "TLSv1: Truncated OCSPResponseList(len=%u)",
919 				   resp_len);
920 			res = TLS_OCSP_INVALID;
921 			goto done;
922 		}
923 		end = pos + resp_len;
924 
925 		while (end - pos >= 3) {
926 			resp_len = WPA_GET_BE24(pos);
927 			pos += 3;
928 			if (resp_len > end - pos) {
929 				wpa_printf(MSG_DEBUG,
930 					   "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
931 					   resp_len, (int) (end - pos));
932 				res = TLS_OCSP_INVALID;
933 				break;
934 			}
935 			if (!resp_len)
936 				continue; /* Skip an empty response */
937 			res = tls_process_certificate_status_ocsp_response(
938 				conn, pos - 3, resp_len + 3);
939 			if (res == TLS_OCSP_REVOKED)
940 				revoked++;
941 			else if (res == TLS_OCSP_GOOD)
942 				good++;
943 			pos += resp_len;
944 		}
945 
946 		if (revoked)
947 			res = TLS_OCSP_REVOKED;
948 		else if (good)
949 			res = TLS_OCSP_GOOD;
950 	} else {
951 		wpa_printf(MSG_DEBUG,
952 			   "TLSv1: Ignore unsupported CertificateStatus");
953 		goto skip;
954 	}
955 
956 done:
957 	if (res == TLS_OCSP_REVOKED) {
958 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
959 			  TLS_ALERT_CERTIFICATE_REVOKED);
960 		for (cert = conn->server_cert, depth = 0; cert;
961 		     cert = cert->next, depth++) {
962 			if (cert->ocsp_revoked) {
963 				tls_cert_chain_failure_event(
964 					conn, depth, cert, TLS_FAIL_REVOKED,
965 					"certificate revoked");
966 			}
967 		}
968 		return -1;
969 	}
970 
971 	if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
972 		/*
973 		 * Verify that each certificate on the chain that is not part
974 		 * of the trusted certificates has a good status. If not,
975 		 * terminate handshake.
976 		 */
977 		for (cert = conn->server_cert, depth = 0; cert;
978 		     cert = cert->next, depth++) {
979 			if (!cert->ocsp_good) {
980 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
981 					  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
982 				tls_cert_chain_failure_event(
983 					conn, depth, cert,
984 					TLS_FAIL_UNSPECIFIED,
985 					"bad certificate status response");
986 				return -1;
987 			}
988 			if (cert->issuer_trusted)
989 				break;
990 		}
991 	}
992 
993 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
994 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
995 			  res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
996 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
997 		if (conn->server_cert)
998 			tls_cert_chain_failure_event(
999 				conn, 0, conn->server_cert,
1000 				TLS_FAIL_UNSPECIFIED,
1001 				"bad certificate status response");
1002 		return -1;
1003 	}
1004 
1005 	conn->ocsp_resp_received = 1;
1006 
1007 skip:
1008 	*in_len = end - in_data;
1009 
1010 	conn->state = SERVER_KEY_EXCHANGE;
1011 
1012 	return 0;
1013 }
1014 
1015 
1016 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1017 					   const u8 *in_data, size_t *in_len)
1018 {
1019 	const u8 *pos, *end;
1020 	size_t left, len;
1021 	u8 type;
1022 	const struct tls_cipher_suite *suite;
1023 
1024 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1025 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1026 			   "received content type 0x%x", ct);
1027 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1029 		return -1;
1030 	}
1031 
1032 	pos = in_data;
1033 	left = *in_len;
1034 
1035 	if (left < 4) {
1036 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1037 			   "(Left=%lu)", (unsigned long) left);
1038 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1039 		return -1;
1040 	}
1041 
1042 	type = *pos++;
1043 	len = WPA_GET_BE24(pos);
1044 	pos += 3;
1045 	left -= 4;
1046 
1047 	if (len > left) {
1048 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1049 			   "length (len=%lu != left=%lu)",
1050 			   (unsigned long) len, (unsigned long) left);
1051 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1052 		return -1;
1053 	}
1054 
1055 	end = pos + len;
1056 
1057 	if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1058 	    type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1059 		return tls_process_certificate_status(conn, ct, in_data,
1060 						      in_len);
1061 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1062 		return tls_process_certificate_request(conn, ct, in_data,
1063 						       in_len);
1064 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1065 		return tls_process_server_hello_done(conn, ct, in_data,
1066 						     in_len);
1067 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1068 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1069 			   "message %d (expected ServerKeyExchange/"
1070 			   "CertificateRequest/ServerHelloDone%s)", type,
1071 			   (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1072 			   "/CertificateStatus" : "");
1073 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1075 		return -1;
1076 	}
1077 
1078 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1079 
1080 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1081 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1082 			   "with the selected cipher suite");
1083 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1084 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1085 		return -1;
1086 	}
1087 
1088 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1089 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1090 	if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1091 		      suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1092 		if (tlsv1_process_diffie_hellman(conn, pos, len,
1093 						 suite->key_exchange) < 0) {
1094 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1095 				  TLS_ALERT_DECODE_ERROR);
1096 			return -1;
1097 		}
1098 	} else {
1099 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1100 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1101 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1102 		return -1;
1103 	}
1104 
1105 	*in_len = end - in_data;
1106 
1107 	conn->state = SERVER_CERTIFICATE_REQUEST;
1108 
1109 	return 0;
1110 }
1111 
1112 
1113 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1114 					   const u8 *in_data, size_t *in_len)
1115 {
1116 	const u8 *pos, *end;
1117 	size_t left, len;
1118 	u8 type;
1119 
1120 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1121 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1122 			   "received content type 0x%x", ct);
1123 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1124 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1125 		return -1;
1126 	}
1127 
1128 	pos = in_data;
1129 	left = *in_len;
1130 
1131 	if (left < 4) {
1132 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1133 			   "(left=%lu)", (unsigned long) left);
1134 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1135 		return -1;
1136 	}
1137 
1138 	type = *pos++;
1139 	len = WPA_GET_BE24(pos);
1140 	pos += 3;
1141 	left -= 4;
1142 
1143 	if (len > left) {
1144 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1145 			   "length (len=%lu != left=%lu)",
1146 			   (unsigned long) len, (unsigned long) left);
1147 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1148 		return -1;
1149 	}
1150 
1151 	end = pos + len;
1152 
1153 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1154 		return tls_process_server_hello_done(conn, ct, in_data,
1155 						     in_len);
1156 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1157 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1158 			   "message %d (expected CertificateRequest/"
1159 			   "ServerHelloDone)", type);
1160 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1161 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1162 		return -1;
1163 	}
1164 
1165 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1166 
1167 	conn->certificate_requested = 1;
1168 
1169 	*in_len = end - in_data;
1170 
1171 	conn->state = SERVER_HELLO_DONE;
1172 
1173 	return 0;
1174 }
1175 
1176 
1177 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1178 					 const u8 *in_data, size_t *in_len)
1179 {
1180 	const u8 *pos, *end;
1181 	size_t left, len;
1182 	u8 type;
1183 
1184 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1185 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1186 			   "received content type 0x%x", ct);
1187 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1188 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1189 		return -1;
1190 	}
1191 
1192 	pos = in_data;
1193 	left = *in_len;
1194 
1195 	if (left < 4) {
1196 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1197 			   "(left=%lu)", (unsigned long) left);
1198 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1199 		return -1;
1200 	}
1201 
1202 	type = *pos++;
1203 	len = WPA_GET_BE24(pos);
1204 	pos += 3;
1205 	left -= 4;
1206 
1207 	if (len > left) {
1208 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1209 			   "length (len=%lu != left=%lu)",
1210 			   (unsigned long) len, (unsigned long) left);
1211 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1212 		return -1;
1213 	}
1214 	end = pos + len;
1215 
1216 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1217 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1218 			   "message %d (expected ServerHelloDone)", type);
1219 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1220 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1221 		return -1;
1222 	}
1223 
1224 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1225 
1226 	if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1227 	    !conn->ocsp_resp_received) {
1228 		wpa_printf(MSG_INFO,
1229 			   "TLSv1: No OCSP response received - reject handshake");
1230 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1231 			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1232 		return -1;
1233 	}
1234 
1235 	*in_len = end - in_data;
1236 
1237 	conn->state = CLIENT_KEY_EXCHANGE;
1238 
1239 	return 0;
1240 }
1241 
1242 
1243 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1244 						 u8 ct, const u8 *in_data,
1245 						 size_t *in_len)
1246 {
1247 	const u8 *pos;
1248 	size_t left;
1249 
1250 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1251 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1252 			   "received content type 0x%x", ct);
1253 		if (conn->use_session_ticket) {
1254 			int res;
1255 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1256 				   "rejected SessionTicket");
1257 			conn->use_session_ticket = 0;
1258 
1259 			/* Notify upper layers that SessionTicket failed */
1260 			res = conn->session_ticket_cb(
1261 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
1262 				NULL, NULL);
1263 			if (res < 0) {
1264 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1265 					   "callback indicated failure");
1266 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1267 					  TLS_ALERT_HANDSHAKE_FAILURE);
1268 				return -1;
1269 			}
1270 
1271 			conn->state = SERVER_CERTIFICATE;
1272 			return tls_process_certificate(conn, ct, in_data,
1273 						       in_len);
1274 		}
1275 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1277 		return -1;
1278 	}
1279 
1280 	pos = in_data;
1281 	left = *in_len;
1282 
1283 	if (left < 1) {
1284 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1285 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1286 		return -1;
1287 	}
1288 
1289 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1290 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1291 			   "received data 0x%x", *pos);
1292 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1293 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1294 		return -1;
1295 	}
1296 
1297 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1298 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1299 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1300 			   "for record layer");
1301 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1302 			  TLS_ALERT_INTERNAL_ERROR);
1303 		return -1;
1304 	}
1305 
1306 	*in_len = pos + 1 - in_data;
1307 
1308 	conn->state = SERVER_FINISHED;
1309 
1310 	return 0;
1311 }
1312 
1313 
1314 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1315 				       const u8 *in_data, size_t *in_len)
1316 {
1317 	const u8 *pos, *end;
1318 	size_t left, len, hlen;
1319 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1320 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1321 
1322 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1323 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1324 			   "received content type 0x%x", ct);
1325 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1326 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1327 		return -1;
1328 	}
1329 
1330 	pos = in_data;
1331 	left = *in_len;
1332 
1333 	if (left < 4) {
1334 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1335 			   "Finished",
1336 			   (unsigned long) left);
1337 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1338 			  TLS_ALERT_DECODE_ERROR);
1339 		return -1;
1340 	}
1341 
1342 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1343 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1344 			   "type 0x%x", pos[0]);
1345 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1346 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1347 		return -1;
1348 	}
1349 
1350 	len = WPA_GET_BE24(pos + 1);
1351 
1352 	pos += 4;
1353 	left -= 4;
1354 
1355 	if (len > left) {
1356 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1357 			   "(len=%lu > left=%lu)",
1358 			   (unsigned long) len, (unsigned long) left);
1359 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1360 			  TLS_ALERT_DECODE_ERROR);
1361 		return -1;
1362 	}
1363 	end = pos + len;
1364 	if (len != TLS_VERIFY_DATA_LEN) {
1365 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1366 			   "in Finished: %lu (expected %d)",
1367 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1368 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1369 			  TLS_ALERT_DECODE_ERROR);
1370 		return -1;
1371 	}
1372 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1373 		    pos, TLS_VERIFY_DATA_LEN);
1374 
1375 #ifdef CONFIG_TLSV12
1376 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1377 		hlen = SHA256_MAC_LEN;
1378 		if (conn->verify.sha256_server == NULL ||
1379 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1380 		    < 0) {
1381 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1382 				  TLS_ALERT_INTERNAL_ERROR);
1383 			conn->verify.sha256_server = NULL;
1384 			return -1;
1385 		}
1386 		conn->verify.sha256_server = NULL;
1387 	} else {
1388 #endif /* CONFIG_TLSV12 */
1389 
1390 	hlen = MD5_MAC_LEN;
1391 	if (conn->verify.md5_server == NULL ||
1392 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1393 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1394 			  TLS_ALERT_INTERNAL_ERROR);
1395 		conn->verify.md5_server = NULL;
1396 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1397 		conn->verify.sha1_server = NULL;
1398 		return -1;
1399 	}
1400 	conn->verify.md5_server = NULL;
1401 	hlen = SHA1_MAC_LEN;
1402 	if (conn->verify.sha1_server == NULL ||
1403 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1404 			       &hlen) < 0) {
1405 		conn->verify.sha1_server = NULL;
1406 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1407 			  TLS_ALERT_INTERNAL_ERROR);
1408 		return -1;
1409 	}
1410 	conn->verify.sha1_server = NULL;
1411 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1412 
1413 #ifdef CONFIG_TLSV12
1414 	}
1415 #endif /* CONFIG_TLSV12 */
1416 
1417 	if (tls_prf(conn->rl.tls_version,
1418 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1419 		    "server finished", hash, hlen,
1420 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1421 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1422 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1423 			  TLS_ALERT_DECRYPT_ERROR);
1424 		return -1;
1425 	}
1426 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1427 			verify_data, TLS_VERIFY_DATA_LEN);
1428 
1429 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1430 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1431 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1432 			  TLS_ALERT_DECRYPT_ERROR);
1433 		return -1;
1434 	}
1435 
1436 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1437 
1438 	*in_len = end - in_data;
1439 
1440 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1441 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
1442 
1443 	return 0;
1444 }
1445 
1446 
1447 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1448 					const u8 *in_data, size_t *in_len,
1449 					u8 **out_data, size_t *out_len)
1450 {
1451 	const u8 *pos;
1452 	size_t left;
1453 
1454 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1455 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1456 			   "received content type 0x%x", ct);
1457 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1458 			  TLS_ALERT_UNEXPECTED_MESSAGE);
1459 		return -1;
1460 	}
1461 
1462 	pos = in_data;
1463 	left = *in_len;
1464 
1465 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1466 		    pos, left);
1467 
1468 	*out_data = os_malloc(left);
1469 	if (*out_data) {
1470 		os_memcpy(*out_data, pos, left);
1471 		*out_len = left;
1472 	}
1473 
1474 	return 0;
1475 }
1476 
1477 
1478 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1479 				   const u8 *buf, size_t *len,
1480 				   u8 **out_data, size_t *out_len)
1481 {
1482 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1483 		if (*len < 2) {
1484 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1485 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1486 				  TLS_ALERT_DECODE_ERROR);
1487 			return -1;
1488 		}
1489 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1490 			   buf[0], buf[1]);
1491 		*len = 2;
1492 		conn->state = FAILED;
1493 		return -1;
1494 	}
1495 
1496 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1497 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1498 		size_t hr_len = WPA_GET_BE24(buf + 1);
1499 		if (hr_len > *len - 4) {
1500 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1501 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1502 				  TLS_ALERT_DECODE_ERROR);
1503 			return -1;
1504 		}
1505 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1506 		*len = 4 + hr_len;
1507 		return 0;
1508 	}
1509 
1510 	switch (conn->state) {
1511 	case SERVER_HELLO:
1512 		if (tls_process_server_hello(conn, ct, buf, len))
1513 			return -1;
1514 		break;
1515 	case SERVER_CERTIFICATE:
1516 		if (tls_process_certificate(conn, ct, buf, len))
1517 			return -1;
1518 		break;
1519 	case SERVER_KEY_EXCHANGE:
1520 		if (tls_process_server_key_exchange(conn, ct, buf, len))
1521 			return -1;
1522 		break;
1523 	case SERVER_CERTIFICATE_REQUEST:
1524 		if (tls_process_certificate_request(conn, ct, buf, len))
1525 			return -1;
1526 		break;
1527 	case SERVER_HELLO_DONE:
1528 		if (tls_process_server_hello_done(conn, ct, buf, len))
1529 			return -1;
1530 		break;
1531 	case SERVER_CHANGE_CIPHER_SPEC:
1532 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1533 			return -1;
1534 		break;
1535 	case SERVER_FINISHED:
1536 		if (tls_process_server_finished(conn, ct, buf, len))
1537 			return -1;
1538 		break;
1539 	case ACK_FINISHED:
1540 		if (out_data &&
1541 		    tls_process_application_data(conn, ct, buf, len, out_data,
1542 						 out_len))
1543 			return -1;
1544 		break;
1545 	default:
1546 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1547 			   "while processing received message",
1548 			   conn->state);
1549 		return -1;
1550 	}
1551 
1552 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1553 		tls_verify_hash_add(&conn->verify, buf, *len);
1554 
1555 	return 0;
1556 }
1557