1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver) 31 { 32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 33 ver == TLS_VERSION_1) || 34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 35 ver == TLS_VERSION_1_1) || 36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 37 ver == TLS_VERSION_1_2)); 38 } 39 40 41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn, 42 const u8 *pos, size_t len) 43 { 44 const u8 *end = pos + len; 45 46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions", 47 pos, len); 48 while (pos < end) { 49 u16 ext, elen; 50 51 if (end - pos < 4) { 52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header"); 53 return -1; 54 } 55 56 ext = WPA_GET_BE16(pos); 57 pos += 2; 58 elen = WPA_GET_BE16(pos); 59 pos += 2; 60 61 if (elen > end - pos) { 62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension"); 63 return -1; 64 } 65 66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u", 67 ext); 68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data", 69 pos, elen); 70 71 pos += elen; 72 } 73 74 return 0; 75 } 76 77 78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 79 const u8 *in_data, size_t *in_len) 80 { 81 const u8 *pos, *end; 82 size_t left, len, i; 83 u16 cipher_suite; 84 u16 tls_version; 85 86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 88 "received content type 0x%x", ct); 89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 90 TLS_ALERT_UNEXPECTED_MESSAGE); 91 return -1; 92 } 93 94 pos = in_data; 95 left = *in_len; 96 97 if (left < 4) 98 goto decode_error; 99 100 /* HandshakeType msg_type */ 101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 103 "message %d (expected ServerHello)", *pos); 104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 105 TLS_ALERT_UNEXPECTED_MESSAGE); 106 return -1; 107 } 108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 109 pos++; 110 /* uint24 length */ 111 len = WPA_GET_BE24(pos); 112 pos += 3; 113 left -= 4; 114 115 if (len > left) 116 goto decode_error; 117 118 /* body - ServerHello */ 119 120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 121 end = pos + len; 122 123 /* ProtocolVersion server_version */ 124 if (end - pos < 2) 125 goto decode_error; 126 tls_version = WPA_GET_BE16(pos); 127 if (!tls_version_ok(tls_version) || 128 tls_version_disabled(conn, tls_version)) { 129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 130 "ServerHello %u.%u", pos[0], pos[1]); 131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 132 TLS_ALERT_PROTOCOL_VERSION); 133 return -1; 134 } 135 pos += 2; 136 137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 138 tls_version_str(tls_version)); 139 conn->rl.tls_version = tls_version; 140 141 /* Random random */ 142 if (end - pos < TLS_RANDOM_LEN) 143 goto decode_error; 144 145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 146 pos += TLS_RANDOM_LEN; 147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 148 conn->server_random, TLS_RANDOM_LEN); 149 150 /* SessionID session_id */ 151 if (end - pos < 1) 152 goto decode_error; 153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 154 goto decode_error; 155 if (conn->session_id_len && conn->session_id_len == *pos && 156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 157 pos += 1 + conn->session_id_len; 158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 159 conn->session_resumed = 1; 160 } else { 161 conn->session_id_len = *pos; 162 pos++; 163 os_memcpy(conn->session_id, pos, conn->session_id_len); 164 pos += conn->session_id_len; 165 } 166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 167 conn->session_id, conn->session_id_len); 168 169 /* CipherSuite cipher_suite */ 170 if (end - pos < 2) 171 goto decode_error; 172 cipher_suite = WPA_GET_BE16(pos); 173 pos += 2; 174 for (i = 0; i < conn->num_cipher_suites; i++) { 175 if (cipher_suite == conn->cipher_suites[i]) 176 break; 177 } 178 if (i == conn->num_cipher_suites) { 179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 180 "cipher suite 0x%04x", cipher_suite); 181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 182 TLS_ALERT_ILLEGAL_PARAMETER); 183 return -1; 184 } 185 186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 188 "cipher suite for a resumed connection (0x%04x != " 189 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 191 TLS_ALERT_ILLEGAL_PARAMETER); 192 return -1; 193 } 194 195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 197 "record layer"); 198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 199 TLS_ALERT_INTERNAL_ERROR); 200 return -1; 201 } 202 203 conn->prev_cipher_suite = cipher_suite; 204 205 /* CompressionMethod compression_method */ 206 if (end - pos < 1) 207 goto decode_error; 208 if (*pos != TLS_COMPRESSION_NULL) { 209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 210 "compression 0x%02x", *pos); 211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 212 TLS_ALERT_ILLEGAL_PARAMETER); 213 return -1; 214 } 215 pos++; 216 217 if (end - pos >= 2) { 218 u16 ext_len; 219 220 ext_len = WPA_GET_BE16(pos); 221 pos += 2; 222 if (end - pos < ext_len) { 223 wpa_printf(MSG_INFO, 224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)", 225 ext_len, (unsigned int) (end - pos)); 226 goto decode_error; 227 } 228 229 if (tls_process_server_hello_extensions(conn, pos, ext_len)) 230 goto decode_error; 231 pos += ext_len; 232 } 233 234 if (end != pos) { 235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 236 "end of ServerHello", pos, end - pos); 237 goto decode_error; 238 } 239 240 if (conn->session_ticket_included && conn->session_ticket_cb) { 241 /* TODO: include SessionTicket extension if one was included in 242 * ServerHello */ 243 int res = conn->session_ticket_cb( 244 conn->session_ticket_cb_ctx, NULL, 0, 245 conn->client_random, conn->server_random, 246 conn->master_secret); 247 if (res < 0) { 248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 249 "indicated failure"); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 251 TLS_ALERT_HANDSHAKE_FAILURE); 252 return -1; 253 } 254 conn->use_session_ticket = !!res; 255 } 256 257 if ((conn->session_resumed || conn->use_session_ticket) && 258 tls_derive_keys(conn, NULL, 0)) { 259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 261 TLS_ALERT_INTERNAL_ERROR); 262 return -1; 263 } 264 265 *in_len = end - in_data; 266 267 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 269 270 return 0; 271 272 decode_error: 273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 275 return -1; 276 } 277 278 279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth, 280 struct x509_certificate *cert) 281 { 282 union tls_event_data ev; 283 struct wpabuf *cert_buf = NULL; 284 #ifdef CONFIG_SHA256 285 u8 hash[32]; 286 #endif /* CONFIG_SHA256 */ 287 char subject[128]; 288 289 if (!conn->event_cb) 290 return; 291 292 os_memset(&ev, 0, sizeof(ev)); 293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) { 294 cert_buf = wpabuf_alloc_copy(cert->cert_start, 295 cert->cert_len); 296 ev.peer_cert.cert = cert_buf; 297 } 298 #ifdef CONFIG_SHA256 299 if (cert_buf) { 300 const u8 *addr[1]; 301 size_t len[1]; 302 addr[0] = wpabuf_head(cert_buf); 303 len[0] = wpabuf_len(cert_buf); 304 if (sha256_vector(1, addr, len, hash) == 0) { 305 ev.peer_cert.hash = hash; 306 ev.peer_cert.hash_len = sizeof(hash); 307 } 308 } 309 #endif /* CONFIG_SHA256 */ 310 311 ev.peer_cert.depth = depth; 312 x509_name_string(&cert->subject, subject, sizeof(subject)); 313 ev.peer_cert.subject = subject; 314 315 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev); 316 wpabuf_free(cert_buf); 317 } 318 319 320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth, 321 struct x509_certificate *cert, 322 enum tls_fail_reason reason, 323 const char *reason_txt) 324 { 325 struct wpabuf *cert_buf = NULL; 326 union tls_event_data ev; 327 char subject[128]; 328 329 if (!conn->event_cb || !cert) 330 return; 331 332 os_memset(&ev, 0, sizeof(ev)); 333 ev.cert_fail.depth = depth; 334 x509_name_string(&cert->subject, subject, sizeof(subject)); 335 ev.peer_cert.subject = subject; 336 ev.cert_fail.reason = reason; 337 ev.cert_fail.reason_txt = reason_txt; 338 cert_buf = wpabuf_alloc_copy(cert->cert_start, 339 cert->cert_len); 340 ev.cert_fail.cert = cert_buf; 341 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); 342 wpabuf_free(cert_buf); 343 } 344 345 346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 347 const u8 *in_data, size_t *in_len) 348 { 349 const u8 *pos, *end; 350 size_t left, len, list_len, cert_len, idx; 351 u8 type; 352 struct x509_certificate *chain = NULL, *last = NULL, *cert; 353 int reason; 354 355 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 357 "received content type 0x%x", ct); 358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 359 TLS_ALERT_UNEXPECTED_MESSAGE); 360 return -1; 361 } 362 363 pos = in_data; 364 left = *in_len; 365 366 if (left < 4) { 367 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 368 "(len=%lu)", (unsigned long) left); 369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 370 return -1; 371 } 372 373 type = *pos++; 374 len = WPA_GET_BE24(pos); 375 pos += 3; 376 left -= 4; 377 378 if (len > left) { 379 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 380 "length (len=%lu != left=%lu)", 381 (unsigned long) len, (unsigned long) left); 382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 383 return -1; 384 } 385 386 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 387 return tls_process_server_key_exchange(conn, ct, in_data, 388 in_len); 389 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 390 return tls_process_certificate_request(conn, ct, in_data, 391 in_len); 392 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 393 return tls_process_server_hello_done(conn, ct, in_data, 394 in_len); 395 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 396 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 397 "message %d (expected Certificate/" 398 "ServerKeyExchange/CertificateRequest/" 399 "ServerHelloDone)", type); 400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 401 TLS_ALERT_UNEXPECTED_MESSAGE); 402 return -1; 403 } 404 405 wpa_printf(MSG_DEBUG, 406 "TLSv1: Received Certificate (certificate_list len %lu)", 407 (unsigned long) len); 408 409 /* 410 * opaque ASN.1Cert<2^24-1>; 411 * 412 * struct { 413 * ASN.1Cert certificate_list<1..2^24-1>; 414 * } Certificate; 415 */ 416 417 end = pos + len; 418 419 if (end - pos < 3) { 420 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 421 "(left=%lu)", (unsigned long) left); 422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 423 return -1; 424 } 425 426 list_len = WPA_GET_BE24(pos); 427 pos += 3; 428 429 if ((size_t) (end - pos) != list_len) { 430 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 431 "length (len=%lu left=%lu)", 432 (unsigned long) list_len, 433 (unsigned long) (end - pos)); 434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 435 return -1; 436 } 437 438 idx = 0; 439 while (pos < end) { 440 if (end - pos < 3) { 441 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 442 "certificate_list"); 443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 444 TLS_ALERT_DECODE_ERROR); 445 x509_certificate_chain_free(chain); 446 return -1; 447 } 448 449 cert_len = WPA_GET_BE24(pos); 450 pos += 3; 451 452 if ((size_t) (end - pos) < cert_len) { 453 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 454 "length (len=%lu left=%lu)", 455 (unsigned long) cert_len, 456 (unsigned long) (end - pos)); 457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 458 TLS_ALERT_DECODE_ERROR); 459 x509_certificate_chain_free(chain); 460 return -1; 461 } 462 463 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 464 (unsigned long) idx, (unsigned long) cert_len); 465 466 if (idx == 0) { 467 crypto_public_key_free(conn->server_rsa_key); 468 if (tls_parse_cert(pos, cert_len, 469 &conn->server_rsa_key)) { 470 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 471 "the certificate"); 472 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 473 TLS_ALERT_BAD_CERTIFICATE); 474 x509_certificate_chain_free(chain); 475 return -1; 476 } 477 } 478 479 cert = x509_certificate_parse(pos, cert_len); 480 if (cert == NULL) { 481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 482 "the certificate"); 483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 484 TLS_ALERT_BAD_CERTIFICATE); 485 x509_certificate_chain_free(chain); 486 return -1; 487 } 488 489 tls_peer_cert_event(conn, idx, cert); 490 491 if (last == NULL) 492 chain = cert; 493 else 494 last->next = cert; 495 last = cert; 496 497 idx++; 498 pos += cert_len; 499 } 500 501 if (conn->cred && conn->cred->server_cert_only && chain) { 502 u8 hash[SHA256_MAC_LEN]; 503 char buf[128]; 504 505 wpa_printf(MSG_DEBUG, 506 "TLSv1: Validate server certificate hash"); 507 x509_name_string(&chain->subject, buf, sizeof(buf)); 508 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf); 509 if (sha256_vector(1, &chain->cert_start, &chain->cert_len, 510 hash) < 0 || 511 os_memcmp(conn->cred->srv_cert_hash, hash, 512 SHA256_MAC_LEN) != 0) { 513 wpa_printf(MSG_DEBUG, 514 "TLSv1: Server certificate hash mismatch"); 515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash", 516 hash, SHA256_MAC_LEN); 517 if (conn->event_cb) { 518 union tls_event_data ev; 519 520 os_memset(&ev, 0, sizeof(ev)); 521 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED; 522 ev.cert_fail.reason_txt = 523 "Server certificate mismatch"; 524 ev.cert_fail.subject = buf; 525 conn->event_cb(conn->cb_ctx, 526 TLS_CERT_CHAIN_FAILURE, &ev); 527 } 528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 529 TLS_ALERT_BAD_CERTIFICATE); 530 x509_certificate_chain_free(chain); 531 return -1; 532 } 533 } else if (conn->cred && conn->cred->cert_probe) { 534 wpa_printf(MSG_DEBUG, 535 "TLSv1: Reject server certificate on probe-only rune"); 536 if (conn->event_cb) { 537 union tls_event_data ev; 538 char buf[128]; 539 540 os_memset(&ev, 0, sizeof(ev)); 541 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE; 542 ev.cert_fail.reason_txt = 543 "Server certificate chain probe"; 544 if (chain) { 545 x509_name_string(&chain->subject, buf, 546 sizeof(buf)); 547 ev.cert_fail.subject = buf; 548 } 549 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, 550 &ev); 551 } 552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 553 TLS_ALERT_BAD_CERTIFICATE); 554 x509_certificate_chain_free(chain); 555 return -1; 556 } else if (conn->cred && conn->cred->ca_cert_verify && 557 x509_certificate_chain_validate( 558 conn->cred->trusted_certs, chain, &reason, 559 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) 560 < 0) { 561 int tls_reason; 562 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 563 "validation failed (reason=%d)", reason); 564 switch (reason) { 565 case X509_VALIDATE_BAD_CERTIFICATE: 566 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 567 tls_cert_chain_failure_event( 568 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 569 "bad certificate"); 570 break; 571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 572 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 573 break; 574 case X509_VALIDATE_CERTIFICATE_REVOKED: 575 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 576 tls_cert_chain_failure_event( 577 conn, 0, chain, TLS_FAIL_REVOKED, 578 "certificate revoked"); 579 break; 580 case X509_VALIDATE_CERTIFICATE_EXPIRED: 581 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 582 tls_cert_chain_failure_event( 583 conn, 0, chain, TLS_FAIL_EXPIRED, 584 "certificate has expired or is not yet valid"); 585 break; 586 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 587 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 588 break; 589 case X509_VALIDATE_UNKNOWN_CA: 590 tls_reason = TLS_ALERT_UNKNOWN_CA; 591 tls_cert_chain_failure_event( 592 conn, 0, chain, TLS_FAIL_UNTRUSTED, 593 "unknown CA"); 594 break; 595 default: 596 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 597 break; 598 } 599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 600 x509_certificate_chain_free(chain); 601 return -1; 602 } 603 604 if (conn->cred && !conn->cred->server_cert_only && chain && 605 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 606 !(chain->ext_key_usage & 607 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) { 608 tls_cert_chain_failure_event( 609 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 610 "certificate not allowed for server authentication"); 611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 612 TLS_ALERT_BAD_CERTIFICATE); 613 x509_certificate_chain_free(chain); 614 return -1; 615 } 616 617 if (conn->flags & TLS_CONN_REQUEST_OCSP) { 618 x509_certificate_chain_free(conn->server_cert); 619 conn->server_cert = chain; 620 } else { 621 x509_certificate_chain_free(chain); 622 } 623 624 *in_len = end - in_data; 625 626 conn->state = SERVER_KEY_EXCHANGE; 627 628 return 0; 629 } 630 631 632 static unsigned int count_bits(const u8 *val, size_t len) 633 { 634 size_t i; 635 unsigned int bits; 636 u8 tmp; 637 638 for (i = 0; i < len; i++) { 639 if (val[i]) 640 break; 641 } 642 if (i == len) 643 return 0; 644 645 bits = (len - i - 1) * 8; 646 tmp = val[i]; 647 while (tmp) { 648 bits++; 649 tmp >>= 1; 650 } 651 652 return bits; 653 } 654 655 656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 657 const u8 *buf, size_t len, 658 tls_key_exchange key_exchange) 659 { 660 const u8 *pos, *end, *server_params, *server_params_end; 661 u8 alert; 662 unsigned int bits; 663 u16 val; 664 665 tlsv1_client_free_dh(conn); 666 667 pos = buf; 668 end = buf + len; 669 670 if (end - pos < 3) 671 goto fail; 672 server_params = pos; 673 val = WPA_GET_BE16(pos); 674 pos += 2; 675 if (val == 0 || val > (size_t) (end - pos)) { 676 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val); 677 goto fail; 678 } 679 conn->dh_p_len = val; 680 bits = count_bits(pos, conn->dh_p_len); 681 if (bits < 768) { 682 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)", 683 bits); 684 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime", 685 pos, conn->dh_p_len); 686 goto fail; 687 } 688 conn->dh_p = os_memdup(pos, conn->dh_p_len); 689 if (conn->dh_p == NULL) 690 goto fail; 691 pos += conn->dh_p_len; 692 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 693 conn->dh_p, conn->dh_p_len); 694 695 if (end - pos < 3) 696 goto fail; 697 val = WPA_GET_BE16(pos); 698 pos += 2; 699 if (val == 0 || val > (size_t) (end - pos)) 700 goto fail; 701 conn->dh_g_len = val; 702 conn->dh_g = os_memdup(pos, conn->dh_g_len); 703 if (conn->dh_g == NULL) 704 goto fail; 705 pos += conn->dh_g_len; 706 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 707 conn->dh_g, conn->dh_g_len); 708 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 709 goto fail; 710 711 if (end - pos < 3) 712 goto fail; 713 val = WPA_GET_BE16(pos); 714 pos += 2; 715 if (val == 0 || val > (size_t) (end - pos)) 716 goto fail; 717 conn->dh_ys_len = val; 718 conn->dh_ys = os_memdup(pos, conn->dh_ys_len); 719 if (conn->dh_ys == NULL) 720 goto fail; 721 pos += conn->dh_ys_len; 722 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 723 conn->dh_ys, conn->dh_ys_len); 724 server_params_end = pos; 725 726 if (key_exchange == TLS_KEY_X_DHE_RSA) { 727 u8 hash[64]; 728 int hlen; 729 730 if (conn->rl.tls_version == TLS_VERSION_1_2) { 731 #ifdef CONFIG_TLSV12 732 /* 733 * RFC 5246, 4.7: 734 * TLS v1.2 adds explicit indication of the used 735 * signature and hash algorithms. 736 * 737 * struct { 738 * HashAlgorithm hash; 739 * SignatureAlgorithm signature; 740 * } SignatureAndHashAlgorithm; 741 */ 742 if (end - pos < 2) 743 goto fail; 744 if ((pos[0] != TLS_HASH_ALG_SHA256 && 745 pos[0] != TLS_HASH_ALG_SHA384 && 746 pos[0] != TLS_HASH_ALG_SHA512) || 747 pos[1] != TLS_SIGN_ALG_RSA) { 748 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 749 pos[0], pos[1]); 750 goto fail; 751 } 752 753 hlen = tlsv12_key_x_server_params_hash( 754 conn->rl.tls_version, pos[0], 755 conn->client_random, 756 conn->server_random, server_params, 757 server_params_end - server_params, hash); 758 pos += 2; 759 #else /* CONFIG_TLSV12 */ 760 goto fail; 761 #endif /* CONFIG_TLSV12 */ 762 } else { 763 hlen = tls_key_x_server_params_hash( 764 conn->rl.tls_version, conn->client_random, 765 conn->server_random, server_params, 766 server_params_end - server_params, hash); 767 } 768 769 if (hlen < 0) 770 goto fail; 771 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 772 hash, hlen); 773 774 if (tls_verify_signature(conn->rl.tls_version, 775 conn->server_rsa_key, 776 hash, hlen, pos, end - pos, 777 &alert) < 0) 778 goto fail; 779 } 780 781 return 0; 782 783 fail: 784 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 785 tlsv1_client_free_dh(conn); 786 return -1; 787 } 788 789 790 static enum tls_ocsp_result 791 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn, 792 const u8 *pos, size_t len) 793 { 794 const u8 *end = pos + len; 795 u32 ocsp_resp_len; 796 797 /* opaque OCSPResponse<1..2^24-1>; */ 798 if (end - pos < 3) { 799 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse"); 800 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 801 return TLS_OCSP_INVALID; 802 } 803 ocsp_resp_len = WPA_GET_BE24(pos); 804 pos += 3; 805 if (end - pos < ocsp_resp_len) { 806 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse"); 807 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 808 return TLS_OCSP_INVALID; 809 } 810 811 return tls_process_ocsp_response(conn, pos, ocsp_resp_len); 812 } 813 814 815 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct, 816 const u8 *in_data, size_t *in_len) 817 { 818 const u8 *pos, *end; 819 size_t left, len; 820 u8 type, status_type; 821 enum tls_ocsp_result res; 822 struct x509_certificate *cert; 823 int depth; 824 825 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 826 wpa_printf(MSG_DEBUG, 827 "TLSv1: Expected Handshake; received content type 0x%x", 828 ct); 829 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 830 TLS_ALERT_UNEXPECTED_MESSAGE); 831 return -1; 832 } 833 834 pos = in_data; 835 left = *in_len; 836 837 if (left < 4) { 838 wpa_printf(MSG_DEBUG, 839 "TLSv1: Too short CertificateStatus (left=%lu)", 840 (unsigned long) left); 841 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 842 return -1; 843 } 844 845 type = *pos++; 846 len = WPA_GET_BE24(pos); 847 pos += 3; 848 left -= 4; 849 850 if (len > left) { 851 wpa_printf(MSG_DEBUG, 852 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)", 853 (unsigned long) len, (unsigned long) left); 854 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 855 return -1; 856 } 857 858 end = pos + len; 859 860 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) { 861 wpa_printf(MSG_DEBUG, 862 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)", 863 type); 864 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 865 TLS_ALERT_UNEXPECTED_MESSAGE); 866 return -1; 867 } 868 869 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus"); 870 871 /* 872 * struct { 873 * CertificateStatusType status_type; 874 * select (status_type) { 875 * case ocsp: OCSPResponse; 876 * case ocsp_multi: OCSPResponseList; 877 * } response; 878 * } CertificateStatus; 879 */ 880 if (end - pos < 1) { 881 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus"); 882 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 883 return -1; 884 } 885 status_type = *pos++; 886 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u", 887 status_type); 888 889 if (status_type == 1 /* ocsp */) { 890 res = tls_process_certificate_status_ocsp_response( 891 conn, pos, end - pos); 892 } else if (status_type == 2 /* ocsp_multi */) { 893 int good = 0, revoked = 0; 894 u32 resp_len; 895 896 res = TLS_OCSP_NO_RESPONSE; 897 898 /* 899 * opaque OCSPResponse<0..2^24-1>; 900 * 901 * struct { 902 * OCSPResponse ocsp_response_list<1..2^24-1>; 903 * } OCSPResponseList; 904 */ 905 if (end - pos < 3) { 906 wpa_printf(MSG_DEBUG, 907 "TLSv1: Truncated OCSPResponseList"); 908 res = TLS_OCSP_INVALID; 909 goto done; 910 } 911 resp_len = WPA_GET_BE24(pos); 912 pos += 3; 913 if (end - pos < resp_len) { 914 wpa_printf(MSG_DEBUG, 915 "TLSv1: Truncated OCSPResponseList(len=%u)", 916 resp_len); 917 res = TLS_OCSP_INVALID; 918 goto done; 919 } 920 end = pos + resp_len; 921 922 while (end - pos >= 3) { 923 resp_len = WPA_GET_BE24(pos); 924 pos += 3; 925 if (resp_len > end - pos) { 926 wpa_printf(MSG_DEBUG, 927 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi", 928 resp_len, (int) (end - pos)); 929 res = TLS_OCSP_INVALID; 930 break; 931 } 932 if (!resp_len) 933 continue; /* Skip an empty response */ 934 res = tls_process_certificate_status_ocsp_response( 935 conn, pos - 3, resp_len + 3); 936 if (res == TLS_OCSP_REVOKED) 937 revoked++; 938 else if (res == TLS_OCSP_GOOD) 939 good++; 940 pos += resp_len; 941 } 942 943 if (revoked) 944 res = TLS_OCSP_REVOKED; 945 else if (good) 946 res = TLS_OCSP_GOOD; 947 } else { 948 wpa_printf(MSG_DEBUG, 949 "TLSv1: Ignore unsupported CertificateStatus"); 950 goto skip; 951 } 952 953 done: 954 if (res == TLS_OCSP_REVOKED) { 955 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 956 TLS_ALERT_CERTIFICATE_REVOKED); 957 for (cert = conn->server_cert, depth = 0; cert; 958 cert = cert->next, depth++) { 959 if (cert->ocsp_revoked) { 960 tls_cert_chain_failure_event( 961 conn, depth, cert, TLS_FAIL_REVOKED, 962 "certificate revoked"); 963 } 964 } 965 return -1; 966 } 967 968 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) { 969 /* 970 * Verify that each certificate on the chain that is not part 971 * of the trusted certificates has a good status. If not, 972 * terminate handshake. 973 */ 974 for (cert = conn->server_cert, depth = 0; cert; 975 cert = cert->next, depth++) { 976 if (!cert->ocsp_good) { 977 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 978 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 979 tls_cert_chain_failure_event( 980 conn, depth, cert, 981 TLS_FAIL_UNSPECIFIED, 982 "bad certificate status response"); 983 return -1; 984 } 985 if (cert->issuer_trusted) 986 break; 987 } 988 } 989 990 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) { 991 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 992 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR : 993 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 994 if (conn->server_cert) 995 tls_cert_chain_failure_event( 996 conn, 0, conn->server_cert, 997 TLS_FAIL_UNSPECIFIED, 998 "bad certificate status response"); 999 return -1; 1000 } 1001 1002 conn->ocsp_resp_received = 1; 1003 1004 skip: 1005 *in_len = end - in_data; 1006 1007 conn->state = SERVER_KEY_EXCHANGE; 1008 1009 return 0; 1010 } 1011 1012 1013 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 1014 const u8 *in_data, size_t *in_len) 1015 { 1016 const u8 *pos, *end; 1017 size_t left, len; 1018 u8 type; 1019 const struct tls_cipher_suite *suite; 1020 1021 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1022 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1023 "received content type 0x%x", ct); 1024 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1025 TLS_ALERT_UNEXPECTED_MESSAGE); 1026 return -1; 1027 } 1028 1029 pos = in_data; 1030 left = *in_len; 1031 1032 if (left < 4) { 1033 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 1034 "(Left=%lu)", (unsigned long) left); 1035 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1036 return -1; 1037 } 1038 1039 type = *pos++; 1040 len = WPA_GET_BE24(pos); 1041 pos += 3; 1042 left -= 4; 1043 1044 if (len > left) { 1045 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 1046 "length (len=%lu != left=%lu)", 1047 (unsigned long) len, (unsigned long) left); 1048 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1049 return -1; 1050 } 1051 1052 end = pos + len; 1053 1054 if ((conn->flags & TLS_CONN_REQUEST_OCSP) && 1055 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) 1056 return tls_process_certificate_status(conn, ct, in_data, 1057 in_len); 1058 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 1059 return tls_process_certificate_request(conn, ct, in_data, 1060 in_len); 1061 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1062 return tls_process_server_hello_done(conn, ct, in_data, 1063 in_len); 1064 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 1065 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1066 "message %d (expected ServerKeyExchange/" 1067 "CertificateRequest/ServerHelloDone%s)", type, 1068 (conn->flags & TLS_CONN_REQUEST_OCSP) ? 1069 "/CertificateStatus" : ""); 1070 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1071 TLS_ALERT_UNEXPECTED_MESSAGE); 1072 return -1; 1073 } 1074 1075 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 1076 1077 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 1078 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 1079 "with the selected cipher suite"); 1080 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1081 TLS_ALERT_UNEXPECTED_MESSAGE); 1082 return -1; 1083 } 1084 1085 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 1086 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 1087 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 1088 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 1089 if (tlsv1_process_diffie_hellman(conn, pos, len, 1090 suite->key_exchange) < 0) { 1091 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1092 TLS_ALERT_DECODE_ERROR); 1093 return -1; 1094 } 1095 } else { 1096 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 1097 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1098 TLS_ALERT_UNEXPECTED_MESSAGE); 1099 return -1; 1100 } 1101 1102 *in_len = end - in_data; 1103 1104 conn->state = SERVER_CERTIFICATE_REQUEST; 1105 1106 return 0; 1107 } 1108 1109 1110 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 1111 const u8 *in_data, size_t *in_len) 1112 { 1113 const u8 *pos, *end; 1114 size_t left, len; 1115 u8 type; 1116 1117 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1118 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1119 "received content type 0x%x", ct); 1120 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1121 TLS_ALERT_UNEXPECTED_MESSAGE); 1122 return -1; 1123 } 1124 1125 pos = in_data; 1126 left = *in_len; 1127 1128 if (left < 4) { 1129 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 1130 "(left=%lu)", (unsigned long) left); 1131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1132 return -1; 1133 } 1134 1135 type = *pos++; 1136 len = WPA_GET_BE24(pos); 1137 pos += 3; 1138 left -= 4; 1139 1140 if (len > left) { 1141 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 1142 "length (len=%lu != left=%lu)", 1143 (unsigned long) len, (unsigned long) left); 1144 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1145 return -1; 1146 } 1147 1148 end = pos + len; 1149 1150 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1151 return tls_process_server_hello_done(conn, ct, in_data, 1152 in_len); 1153 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 1154 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1155 "message %d (expected CertificateRequest/" 1156 "ServerHelloDone)", type); 1157 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1158 TLS_ALERT_UNEXPECTED_MESSAGE); 1159 return -1; 1160 } 1161 1162 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 1163 1164 conn->certificate_requested = 1; 1165 1166 *in_len = end - in_data; 1167 1168 conn->state = SERVER_HELLO_DONE; 1169 1170 return 0; 1171 } 1172 1173 1174 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 1175 const u8 *in_data, size_t *in_len) 1176 { 1177 const u8 *pos, *end; 1178 size_t left, len; 1179 u8 type; 1180 1181 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1182 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1183 "received content type 0x%x", ct); 1184 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1185 TLS_ALERT_UNEXPECTED_MESSAGE); 1186 return -1; 1187 } 1188 1189 pos = in_data; 1190 left = *in_len; 1191 1192 if (left < 4) { 1193 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 1194 "(left=%lu)", (unsigned long) left); 1195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1196 return -1; 1197 } 1198 1199 type = *pos++; 1200 len = WPA_GET_BE24(pos); 1201 pos += 3; 1202 left -= 4; 1203 1204 if (len > left) { 1205 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 1206 "length (len=%lu != left=%lu)", 1207 (unsigned long) len, (unsigned long) left); 1208 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1209 return -1; 1210 } 1211 end = pos + len; 1212 1213 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 1214 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1215 "message %d (expected ServerHelloDone)", type); 1216 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1217 TLS_ALERT_UNEXPECTED_MESSAGE); 1218 return -1; 1219 } 1220 1221 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 1222 1223 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && 1224 !conn->ocsp_resp_received) { 1225 wpa_printf(MSG_INFO, 1226 "TLSv1: No OCSP response received - reject handshake"); 1227 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1228 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 1229 return -1; 1230 } 1231 1232 *in_len = end - in_data; 1233 1234 conn->state = CLIENT_KEY_EXCHANGE; 1235 1236 return 0; 1237 } 1238 1239 1240 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 1241 u8 ct, const u8 *in_data, 1242 size_t *in_len) 1243 { 1244 const u8 *pos; 1245 size_t left; 1246 1247 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1248 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1249 "received content type 0x%x", ct); 1250 if (conn->use_session_ticket) { 1251 int res; 1252 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 1253 "rejected SessionTicket"); 1254 conn->use_session_ticket = 0; 1255 1256 /* Notify upper layers that SessionTicket failed */ 1257 res = conn->session_ticket_cb( 1258 conn->session_ticket_cb_ctx, NULL, 0, NULL, 1259 NULL, NULL); 1260 if (res < 0) { 1261 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 1262 "callback indicated failure"); 1263 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1264 TLS_ALERT_HANDSHAKE_FAILURE); 1265 return -1; 1266 } 1267 1268 conn->state = SERVER_CERTIFICATE; 1269 return tls_process_certificate(conn, ct, in_data, 1270 in_len); 1271 } 1272 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1273 TLS_ALERT_UNEXPECTED_MESSAGE); 1274 return -1; 1275 } 1276 1277 pos = in_data; 1278 left = *in_len; 1279 1280 if (left < 1) { 1281 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 1282 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1283 return -1; 1284 } 1285 1286 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1287 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1288 "received data 0x%x", *pos); 1289 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1290 TLS_ALERT_UNEXPECTED_MESSAGE); 1291 return -1; 1292 } 1293 1294 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 1295 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1296 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1297 "for record layer"); 1298 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1299 TLS_ALERT_INTERNAL_ERROR); 1300 return -1; 1301 } 1302 1303 *in_len = pos + 1 - in_data; 1304 1305 conn->state = SERVER_FINISHED; 1306 1307 return 0; 1308 } 1309 1310 1311 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 1312 const u8 *in_data, size_t *in_len) 1313 { 1314 const u8 *pos, *end; 1315 size_t left, len, hlen; 1316 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1317 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1318 1319 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1320 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 1321 "received content type 0x%x", ct); 1322 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1323 TLS_ALERT_UNEXPECTED_MESSAGE); 1324 return -1; 1325 } 1326 1327 pos = in_data; 1328 left = *in_len; 1329 1330 if (left < 4) { 1331 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 1332 "Finished", 1333 (unsigned long) left); 1334 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1335 TLS_ALERT_DECODE_ERROR); 1336 return -1; 1337 } 1338 1339 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1340 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1341 "type 0x%x", pos[0]); 1342 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1343 TLS_ALERT_UNEXPECTED_MESSAGE); 1344 return -1; 1345 } 1346 1347 len = WPA_GET_BE24(pos + 1); 1348 1349 pos += 4; 1350 left -= 4; 1351 1352 if (len > left) { 1353 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1354 "(len=%lu > left=%lu)", 1355 (unsigned long) len, (unsigned long) left); 1356 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1357 TLS_ALERT_DECODE_ERROR); 1358 return -1; 1359 } 1360 end = pos + len; 1361 if (len != TLS_VERIFY_DATA_LEN) { 1362 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1363 "in Finished: %lu (expected %d)", 1364 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1366 TLS_ALERT_DECODE_ERROR); 1367 return -1; 1368 } 1369 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1370 pos, TLS_VERIFY_DATA_LEN); 1371 1372 #ifdef CONFIG_TLSV12 1373 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1374 hlen = SHA256_MAC_LEN; 1375 if (conn->verify.sha256_server == NULL || 1376 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 1377 < 0) { 1378 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1379 TLS_ALERT_INTERNAL_ERROR); 1380 conn->verify.sha256_server = NULL; 1381 return -1; 1382 } 1383 conn->verify.sha256_server = NULL; 1384 } else { 1385 #endif /* CONFIG_TLSV12 */ 1386 1387 hlen = MD5_MAC_LEN; 1388 if (conn->verify.md5_server == NULL || 1389 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 1390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1391 TLS_ALERT_INTERNAL_ERROR); 1392 conn->verify.md5_server = NULL; 1393 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 1394 conn->verify.sha1_server = NULL; 1395 return -1; 1396 } 1397 conn->verify.md5_server = NULL; 1398 hlen = SHA1_MAC_LEN; 1399 if (conn->verify.sha1_server == NULL || 1400 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 1401 &hlen) < 0) { 1402 conn->verify.sha1_server = NULL; 1403 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1404 TLS_ALERT_INTERNAL_ERROR); 1405 return -1; 1406 } 1407 conn->verify.sha1_server = NULL; 1408 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1409 1410 #ifdef CONFIG_TLSV12 1411 } 1412 #endif /* CONFIG_TLSV12 */ 1413 1414 if (tls_prf(conn->rl.tls_version, 1415 conn->master_secret, TLS_MASTER_SECRET_LEN, 1416 "server finished", hash, hlen, 1417 verify_data, TLS_VERIFY_DATA_LEN)) { 1418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1419 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1420 TLS_ALERT_DECRYPT_ERROR); 1421 return -1; 1422 } 1423 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 1424 verify_data, TLS_VERIFY_DATA_LEN); 1425 1426 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1427 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1429 TLS_ALERT_DECRYPT_ERROR); 1430 return -1; 1431 } 1432 1433 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1434 1435 *in_len = end - in_data; 1436 1437 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 1438 CHANGE_CIPHER_SPEC : ACK_FINISHED; 1439 1440 return 0; 1441 } 1442 1443 1444 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 1445 const u8 *in_data, size_t *in_len, 1446 u8 **out_data, size_t *out_len) 1447 { 1448 const u8 *pos; 1449 size_t left; 1450 1451 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 1452 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 1453 "received content type 0x%x", ct); 1454 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1455 TLS_ALERT_UNEXPECTED_MESSAGE); 1456 return -1; 1457 } 1458 1459 pos = in_data; 1460 left = *in_len; 1461 1462 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 1463 pos, left); 1464 1465 *out_data = os_malloc(left); 1466 if (*out_data) { 1467 os_memcpy(*out_data, pos, left); 1468 *out_len = left; 1469 } 1470 1471 return 0; 1472 } 1473 1474 1475 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1476 const u8 *buf, size_t *len, 1477 u8 **out_data, size_t *out_len) 1478 { 1479 if (ct == TLS_CONTENT_TYPE_ALERT) { 1480 if (*len < 2) { 1481 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1482 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1483 TLS_ALERT_DECODE_ERROR); 1484 return -1; 1485 } 1486 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1487 buf[0], buf[1]); 1488 *len = 2; 1489 conn->state = FAILED; 1490 return -1; 1491 } 1492 1493 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1494 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1495 size_t hr_len = WPA_GET_BE24(buf + 1); 1496 if (hr_len > *len - 4) { 1497 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1498 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1499 TLS_ALERT_DECODE_ERROR); 1500 return -1; 1501 } 1502 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1503 *len = 4 + hr_len; 1504 return 0; 1505 } 1506 1507 switch (conn->state) { 1508 case SERVER_HELLO: 1509 if (tls_process_server_hello(conn, ct, buf, len)) 1510 return -1; 1511 break; 1512 case SERVER_CERTIFICATE: 1513 if (tls_process_certificate(conn, ct, buf, len)) 1514 return -1; 1515 break; 1516 case SERVER_KEY_EXCHANGE: 1517 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1518 return -1; 1519 break; 1520 case SERVER_CERTIFICATE_REQUEST: 1521 if (tls_process_certificate_request(conn, ct, buf, len)) 1522 return -1; 1523 break; 1524 case SERVER_HELLO_DONE: 1525 if (tls_process_server_hello_done(conn, ct, buf, len)) 1526 return -1; 1527 break; 1528 case SERVER_CHANGE_CIPHER_SPEC: 1529 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1530 return -1; 1531 break; 1532 case SERVER_FINISHED: 1533 if (tls_process_server_finished(conn, ct, buf, len)) 1534 return -1; 1535 break; 1536 case ACK_FINISHED: 1537 if (out_data && 1538 tls_process_application_data(conn, ct, buf, len, out_data, 1539 out_len)) 1540 return -1; 1541 break; 1542 default: 1543 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1544 "while processing received message", 1545 conn->state); 1546 return -1; 1547 } 1548 1549 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1550 tls_verify_hash_add(&conn->verify, buf, *len); 1551 1552 return 0; 1553 } 1554