1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver) 31 { 32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 33 ver == TLS_VERSION_1) || 34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 35 ver == TLS_VERSION_1_1) || 36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 37 ver == TLS_VERSION_1_2)); 38 } 39 40 41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn, 42 const u8 *pos, size_t len) 43 { 44 const u8 *end = pos + len; 45 46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions", 47 pos, len); 48 while (pos < end) { 49 u16 ext, elen; 50 51 if (end - pos < 4) { 52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header"); 53 return -1; 54 } 55 56 ext = WPA_GET_BE16(pos); 57 pos += 2; 58 elen = WPA_GET_BE16(pos); 59 pos += 2; 60 61 if (elen > end - pos) { 62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension"); 63 return -1; 64 } 65 66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u", 67 ext); 68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data", 69 pos, elen); 70 71 pos += elen; 72 } 73 74 return 0; 75 } 76 77 78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 79 const u8 *in_data, size_t *in_len) 80 { 81 const u8 *pos, *end; 82 size_t left, len, i; 83 u16 cipher_suite; 84 u16 tls_version; 85 86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 88 "received content type 0x%x", ct); 89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 90 TLS_ALERT_UNEXPECTED_MESSAGE); 91 return -1; 92 } 93 94 pos = in_data; 95 left = *in_len; 96 97 if (left < 4) 98 goto decode_error; 99 100 /* HandshakeType msg_type */ 101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 103 "message %d (expected ServerHello)", *pos); 104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 105 TLS_ALERT_UNEXPECTED_MESSAGE); 106 return -1; 107 } 108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 109 pos++; 110 /* uint24 length */ 111 len = WPA_GET_BE24(pos); 112 pos += 3; 113 left -= 4; 114 115 if (len > left) 116 goto decode_error; 117 118 /* body - ServerHello */ 119 120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 121 end = pos + len; 122 123 /* ProtocolVersion server_version */ 124 if (end - pos < 2) 125 goto decode_error; 126 tls_version = WPA_GET_BE16(pos); 127 if (!tls_version_ok(tls_version) || 128 tls_version_disabled(conn, tls_version)) { 129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 130 "ServerHello %u.%u", pos[0], pos[1]); 131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 132 TLS_ALERT_PROTOCOL_VERSION); 133 return -1; 134 } 135 pos += 2; 136 137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 138 tls_version_str(tls_version)); 139 conn->rl.tls_version = tls_version; 140 141 /* Random random */ 142 if (end - pos < TLS_RANDOM_LEN) 143 goto decode_error; 144 145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 146 pos += TLS_RANDOM_LEN; 147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 148 conn->server_random, TLS_RANDOM_LEN); 149 150 /* SessionID session_id */ 151 if (end - pos < 1) 152 goto decode_error; 153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 154 goto decode_error; 155 if (conn->session_id_len && conn->session_id_len == *pos && 156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 157 pos += 1 + conn->session_id_len; 158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 159 conn->session_resumed = 1; 160 } else { 161 conn->session_id_len = *pos; 162 pos++; 163 os_memcpy(conn->session_id, pos, conn->session_id_len); 164 pos += conn->session_id_len; 165 } 166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 167 conn->session_id, conn->session_id_len); 168 169 /* CipherSuite cipher_suite */ 170 if (end - pos < 2) 171 goto decode_error; 172 cipher_suite = WPA_GET_BE16(pos); 173 pos += 2; 174 for (i = 0; i < conn->num_cipher_suites; i++) { 175 if (cipher_suite == conn->cipher_suites[i]) 176 break; 177 } 178 if (i == conn->num_cipher_suites) { 179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 180 "cipher suite 0x%04x", cipher_suite); 181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 182 TLS_ALERT_ILLEGAL_PARAMETER); 183 return -1; 184 } 185 186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 188 "cipher suite for a resumed connection (0x%04x != " 189 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 191 TLS_ALERT_ILLEGAL_PARAMETER); 192 return -1; 193 } 194 195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 197 "record layer"); 198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 199 TLS_ALERT_INTERNAL_ERROR); 200 return -1; 201 } 202 203 conn->prev_cipher_suite = cipher_suite; 204 205 /* CompressionMethod compression_method */ 206 if (end - pos < 1) 207 goto decode_error; 208 if (*pos != TLS_COMPRESSION_NULL) { 209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 210 "compression 0x%02x", *pos); 211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 212 TLS_ALERT_ILLEGAL_PARAMETER); 213 return -1; 214 } 215 pos++; 216 217 if (end - pos >= 2) { 218 u16 ext_len; 219 220 ext_len = WPA_GET_BE16(pos); 221 pos += 2; 222 if (end - pos < ext_len) { 223 wpa_printf(MSG_INFO, 224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)", 225 ext_len, (unsigned int) (end - pos)); 226 goto decode_error; 227 } 228 229 if (tls_process_server_hello_extensions(conn, pos, ext_len)) 230 goto decode_error; 231 pos += ext_len; 232 } 233 234 if (end != pos) { 235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 236 "end of ServerHello", pos, end - pos); 237 goto decode_error; 238 } 239 240 if (conn->session_ticket_included && conn->session_ticket_cb) { 241 /* TODO: include SessionTicket extension if one was included in 242 * ServerHello */ 243 int res = conn->session_ticket_cb( 244 conn->session_ticket_cb_ctx, NULL, 0, 245 conn->client_random, conn->server_random, 246 conn->master_secret); 247 if (res < 0) { 248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 249 "indicated failure"); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 251 TLS_ALERT_HANDSHAKE_FAILURE); 252 return -1; 253 } 254 conn->use_session_ticket = !!res; 255 } 256 257 if ((conn->session_resumed || conn->use_session_ticket) && 258 tls_derive_keys(conn, NULL, 0)) { 259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 261 TLS_ALERT_INTERNAL_ERROR); 262 return -1; 263 } 264 265 *in_len = end - in_data; 266 267 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 269 270 return 0; 271 272 decode_error: 273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 275 return -1; 276 } 277 278 279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth, 280 struct x509_certificate *cert) 281 { 282 union tls_event_data ev; 283 struct wpabuf *cert_buf = NULL; 284 #ifdef CONFIG_SHA256 285 u8 hash[32]; 286 #endif /* CONFIG_SHA256 */ 287 char subject[128]; 288 289 if (!conn->event_cb) 290 return; 291 292 os_memset(&ev, 0, sizeof(ev)); 293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) { 294 cert_buf = wpabuf_alloc_copy(cert->cert_start, 295 cert->cert_len); 296 ev.peer_cert.cert = cert_buf; 297 } 298 #ifdef CONFIG_SHA256 299 if (cert_buf) { 300 const u8 *addr[1]; 301 size_t len[1]; 302 addr[0] = wpabuf_head(cert_buf); 303 len[0] = wpabuf_len(cert_buf); 304 if (sha256_vector(1, addr, len, hash) == 0) { 305 ev.peer_cert.hash = hash; 306 ev.peer_cert.hash_len = sizeof(hash); 307 } 308 } 309 #endif /* CONFIG_SHA256 */ 310 311 ev.peer_cert.depth = depth; 312 x509_name_string(&cert->subject, subject, sizeof(subject)); 313 ev.peer_cert.subject = subject; 314 315 if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) { 316 if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT) 317 ev.peer_cert.tod = 1; 318 else if (cert->certificate_policy & 319 X509_EXT_CERT_POLICY_TOD_TOFU) 320 ev.peer_cert.tod = 2; 321 } 322 323 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev); 324 wpabuf_free(cert_buf); 325 } 326 327 328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth, 329 struct x509_certificate *cert, 330 enum tls_fail_reason reason, 331 const char *reason_txt) 332 { 333 struct wpabuf *cert_buf = NULL; 334 union tls_event_data ev; 335 char subject[128]; 336 337 if (!conn->event_cb || !cert) 338 return; 339 340 os_memset(&ev, 0, sizeof(ev)); 341 ev.cert_fail.depth = depth; 342 x509_name_string(&cert->subject, subject, sizeof(subject)); 343 ev.peer_cert.subject = subject; 344 ev.cert_fail.reason = reason; 345 ev.cert_fail.reason_txt = reason_txt; 346 cert_buf = wpabuf_alloc_copy(cert->cert_start, 347 cert->cert_len); 348 ev.cert_fail.cert = cert_buf; 349 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); 350 wpabuf_free(cert_buf); 351 } 352 353 354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 355 const u8 *in_data, size_t *in_len) 356 { 357 const u8 *pos, *end; 358 size_t left, len, list_len, cert_len, idx; 359 u8 type; 360 struct x509_certificate *chain = NULL, *last = NULL, *cert; 361 int reason; 362 363 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 364 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 365 "received content type 0x%x", ct); 366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 367 TLS_ALERT_UNEXPECTED_MESSAGE); 368 return -1; 369 } 370 371 pos = in_data; 372 left = *in_len; 373 374 if (left < 4) { 375 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 376 "(len=%lu)", (unsigned long) left); 377 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 378 return -1; 379 } 380 381 type = *pos++; 382 len = WPA_GET_BE24(pos); 383 pos += 3; 384 left -= 4; 385 386 if (len > left) { 387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 388 "length (len=%lu != left=%lu)", 389 (unsigned long) len, (unsigned long) left); 390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 391 return -1; 392 } 393 394 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 395 return tls_process_server_key_exchange(conn, ct, in_data, 396 in_len); 397 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 398 return tls_process_certificate_request(conn, ct, in_data, 399 in_len); 400 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 401 return tls_process_server_hello_done(conn, ct, in_data, 402 in_len); 403 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 404 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 405 "message %d (expected Certificate/" 406 "ServerKeyExchange/CertificateRequest/" 407 "ServerHelloDone)", type); 408 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 409 TLS_ALERT_UNEXPECTED_MESSAGE); 410 return -1; 411 } 412 413 wpa_printf(MSG_DEBUG, 414 "TLSv1: Received Certificate (certificate_list len %lu)", 415 (unsigned long) len); 416 417 /* 418 * opaque ASN.1Cert<2^24-1>; 419 * 420 * struct { 421 * ASN.1Cert certificate_list<1..2^24-1>; 422 * } Certificate; 423 */ 424 425 end = pos + len; 426 427 if (end - pos < 3) { 428 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 429 "(left=%lu)", (unsigned long) left); 430 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 431 return -1; 432 } 433 434 list_len = WPA_GET_BE24(pos); 435 pos += 3; 436 437 if ((size_t) (end - pos) != list_len) { 438 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 439 "length (len=%lu left=%lu)", 440 (unsigned long) list_len, 441 (unsigned long) (end - pos)); 442 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 443 return -1; 444 } 445 446 idx = 0; 447 while (pos < end) { 448 if (end - pos < 3) { 449 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 450 "certificate_list"); 451 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 452 TLS_ALERT_DECODE_ERROR); 453 x509_certificate_chain_free(chain); 454 return -1; 455 } 456 457 cert_len = WPA_GET_BE24(pos); 458 pos += 3; 459 460 if ((size_t) (end - pos) < cert_len) { 461 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 462 "length (len=%lu left=%lu)", 463 (unsigned long) cert_len, 464 (unsigned long) (end - pos)); 465 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 466 TLS_ALERT_DECODE_ERROR); 467 x509_certificate_chain_free(chain); 468 return -1; 469 } 470 471 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 472 (unsigned long) idx, (unsigned long) cert_len); 473 474 if (idx == 0) { 475 crypto_public_key_free(conn->server_rsa_key); 476 if (tls_parse_cert(pos, cert_len, 477 &conn->server_rsa_key)) { 478 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 479 "the certificate"); 480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 481 TLS_ALERT_BAD_CERTIFICATE); 482 x509_certificate_chain_free(chain); 483 return -1; 484 } 485 } 486 487 cert = x509_certificate_parse(pos, cert_len); 488 if (cert == NULL) { 489 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 490 "the certificate"); 491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 492 TLS_ALERT_BAD_CERTIFICATE); 493 x509_certificate_chain_free(chain); 494 return -1; 495 } 496 497 tls_peer_cert_event(conn, idx, cert); 498 499 if (last == NULL) 500 chain = cert; 501 else 502 last->next = cert; 503 last = cert; 504 505 idx++; 506 pos += cert_len; 507 } 508 509 if (conn->cred && conn->cred->server_cert_only && chain) { 510 u8 hash[SHA256_MAC_LEN]; 511 char buf[128]; 512 513 wpa_printf(MSG_DEBUG, 514 "TLSv1: Validate server certificate hash"); 515 x509_name_string(&chain->subject, buf, sizeof(buf)); 516 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf); 517 if (sha256_vector(1, &chain->cert_start, &chain->cert_len, 518 hash) < 0 || 519 os_memcmp(conn->cred->srv_cert_hash, hash, 520 SHA256_MAC_LEN) != 0) { 521 wpa_printf(MSG_DEBUG, 522 "TLSv1: Server certificate hash mismatch"); 523 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash", 524 hash, SHA256_MAC_LEN); 525 if (conn->event_cb) { 526 union tls_event_data ev; 527 528 os_memset(&ev, 0, sizeof(ev)); 529 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED; 530 ev.cert_fail.reason_txt = 531 "Server certificate mismatch"; 532 ev.cert_fail.subject = buf; 533 conn->event_cb(conn->cb_ctx, 534 TLS_CERT_CHAIN_FAILURE, &ev); 535 } 536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 537 TLS_ALERT_BAD_CERTIFICATE); 538 x509_certificate_chain_free(chain); 539 return -1; 540 } 541 } else if (conn->cred && conn->cred->cert_probe) { 542 wpa_printf(MSG_DEBUG, 543 "TLSv1: Reject server certificate on probe-only run"); 544 if (conn->event_cb) { 545 union tls_event_data ev; 546 char buf[128]; 547 548 os_memset(&ev, 0, sizeof(ev)); 549 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE; 550 ev.cert_fail.reason_txt = 551 "Server certificate chain probe"; 552 if (chain) { 553 x509_name_string(&chain->subject, buf, 554 sizeof(buf)); 555 ev.cert_fail.subject = buf; 556 } 557 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, 558 &ev); 559 } 560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 561 TLS_ALERT_BAD_CERTIFICATE); 562 x509_certificate_chain_free(chain); 563 return -1; 564 } else if (conn->cred && conn->cred->ca_cert_verify && 565 x509_certificate_chain_validate( 566 conn->cred->trusted_certs, chain, &reason, 567 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) 568 < 0) { 569 int tls_reason; 570 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 571 "validation failed (reason=%d)", reason); 572 switch (reason) { 573 case X509_VALIDATE_BAD_CERTIFICATE: 574 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 575 tls_cert_chain_failure_event( 576 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 577 "bad certificate"); 578 break; 579 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 580 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 581 break; 582 case X509_VALIDATE_CERTIFICATE_REVOKED: 583 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 584 tls_cert_chain_failure_event( 585 conn, 0, chain, TLS_FAIL_REVOKED, 586 "certificate revoked"); 587 break; 588 case X509_VALIDATE_CERTIFICATE_EXPIRED: 589 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 590 tls_cert_chain_failure_event( 591 conn, 0, chain, TLS_FAIL_EXPIRED, 592 "certificate has expired or is not yet valid"); 593 break; 594 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 595 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 596 break; 597 case X509_VALIDATE_UNKNOWN_CA: 598 tls_reason = TLS_ALERT_UNKNOWN_CA; 599 tls_cert_chain_failure_event( 600 conn, 0, chain, TLS_FAIL_UNTRUSTED, 601 "unknown CA"); 602 break; 603 default: 604 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 605 break; 606 } 607 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 608 x509_certificate_chain_free(chain); 609 return -1; 610 } 611 612 if (conn->cred && !conn->cred->server_cert_only && chain && 613 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 614 !(chain->ext_key_usage & 615 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) { 616 tls_cert_chain_failure_event( 617 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 618 "certificate not allowed for server authentication"); 619 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 620 TLS_ALERT_BAD_CERTIFICATE); 621 x509_certificate_chain_free(chain); 622 return -1; 623 } 624 625 if (conn->flags & TLS_CONN_REQUEST_OCSP) { 626 x509_certificate_chain_free(conn->server_cert); 627 conn->server_cert = chain; 628 } else { 629 x509_certificate_chain_free(chain); 630 } 631 632 *in_len = end - in_data; 633 634 conn->state = SERVER_KEY_EXCHANGE; 635 636 return 0; 637 } 638 639 640 static unsigned int count_bits(const u8 *val, size_t len) 641 { 642 size_t i; 643 unsigned int bits; 644 u8 tmp; 645 646 for (i = 0; i < len; i++) { 647 if (val[i]) 648 break; 649 } 650 if (i == len) 651 return 0; 652 653 bits = (len - i - 1) * 8; 654 tmp = val[i]; 655 while (tmp) { 656 bits++; 657 tmp >>= 1; 658 } 659 660 return bits; 661 } 662 663 664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 665 const u8 *buf, size_t len, 666 tls_key_exchange key_exchange) 667 { 668 const u8 *pos, *end, *server_params, *server_params_end; 669 u8 alert; 670 unsigned int bits; 671 u16 val; 672 673 tlsv1_client_free_dh(conn); 674 675 pos = buf; 676 end = buf + len; 677 678 if (end - pos < 3) 679 goto fail; 680 server_params = pos; 681 val = WPA_GET_BE16(pos); 682 pos += 2; 683 if (val == 0 || val > (size_t) (end - pos)) { 684 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val); 685 goto fail; 686 } 687 conn->dh_p_len = val; 688 bits = count_bits(pos, conn->dh_p_len); 689 if (bits < 768) { 690 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)", 691 bits); 692 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime", 693 pos, conn->dh_p_len); 694 goto fail; 695 } 696 conn->dh_p = os_memdup(pos, conn->dh_p_len); 697 if (conn->dh_p == NULL) 698 goto fail; 699 pos += conn->dh_p_len; 700 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 701 conn->dh_p, conn->dh_p_len); 702 703 if (end - pos < 3) 704 goto fail; 705 val = WPA_GET_BE16(pos); 706 pos += 2; 707 if (val == 0 || val > (size_t) (end - pos)) 708 goto fail; 709 conn->dh_g_len = val; 710 conn->dh_g = os_memdup(pos, conn->dh_g_len); 711 if (conn->dh_g == NULL) 712 goto fail; 713 pos += conn->dh_g_len; 714 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 715 conn->dh_g, conn->dh_g_len); 716 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 717 goto fail; 718 719 if (end - pos < 3) 720 goto fail; 721 val = WPA_GET_BE16(pos); 722 pos += 2; 723 if (val == 0 || val > (size_t) (end - pos)) 724 goto fail; 725 conn->dh_ys_len = val; 726 conn->dh_ys = os_memdup(pos, conn->dh_ys_len); 727 if (conn->dh_ys == NULL) 728 goto fail; 729 pos += conn->dh_ys_len; 730 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 731 conn->dh_ys, conn->dh_ys_len); 732 server_params_end = pos; 733 734 if (key_exchange == TLS_KEY_X_DHE_RSA) { 735 u8 hash[64]; 736 int hlen; 737 738 if (conn->rl.tls_version == TLS_VERSION_1_2) { 739 #ifdef CONFIG_TLSV12 740 /* 741 * RFC 5246, 4.7: 742 * TLS v1.2 adds explicit indication of the used 743 * signature and hash algorithms. 744 * 745 * struct { 746 * HashAlgorithm hash; 747 * SignatureAlgorithm signature; 748 * } SignatureAndHashAlgorithm; 749 */ 750 if (end - pos < 2) 751 goto fail; 752 if ((pos[0] != TLS_HASH_ALG_SHA256 && 753 pos[0] != TLS_HASH_ALG_SHA384 && 754 pos[0] != TLS_HASH_ALG_SHA512) || 755 pos[1] != TLS_SIGN_ALG_RSA) { 756 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 757 pos[0], pos[1]); 758 goto fail; 759 } 760 761 hlen = tlsv12_key_x_server_params_hash( 762 conn->rl.tls_version, pos[0], 763 conn->client_random, 764 conn->server_random, server_params, 765 server_params_end - server_params, hash); 766 pos += 2; 767 #else /* CONFIG_TLSV12 */ 768 goto fail; 769 #endif /* CONFIG_TLSV12 */ 770 } else { 771 hlen = tls_key_x_server_params_hash( 772 conn->rl.tls_version, conn->client_random, 773 conn->server_random, server_params, 774 server_params_end - server_params, hash); 775 } 776 777 if (hlen < 0) 778 goto fail; 779 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 780 hash, hlen); 781 782 if (tls_verify_signature(conn->rl.tls_version, 783 conn->server_rsa_key, 784 hash, hlen, pos, end - pos, 785 &alert) < 0) 786 goto fail; 787 } 788 789 return 0; 790 791 fail: 792 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 793 tlsv1_client_free_dh(conn); 794 return -1; 795 } 796 797 798 static enum tls_ocsp_result 799 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn, 800 const u8 *pos, size_t len) 801 { 802 const u8 *end = pos + len; 803 u32 ocsp_resp_len; 804 805 /* opaque OCSPResponse<1..2^24-1>; */ 806 if (end - pos < 3) { 807 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse"); 808 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 809 return TLS_OCSP_INVALID; 810 } 811 ocsp_resp_len = WPA_GET_BE24(pos); 812 pos += 3; 813 if (end - pos < ocsp_resp_len) { 814 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse"); 815 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 816 return TLS_OCSP_INVALID; 817 } 818 819 return tls_process_ocsp_response(conn, pos, ocsp_resp_len); 820 } 821 822 823 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct, 824 const u8 *in_data, size_t *in_len) 825 { 826 const u8 *pos, *end; 827 size_t left, len; 828 u8 type, status_type; 829 enum tls_ocsp_result res; 830 struct x509_certificate *cert; 831 int depth; 832 833 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 834 wpa_printf(MSG_DEBUG, 835 "TLSv1: Expected Handshake; received content type 0x%x", 836 ct); 837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 838 TLS_ALERT_UNEXPECTED_MESSAGE); 839 return -1; 840 } 841 842 pos = in_data; 843 left = *in_len; 844 845 if (left < 4) { 846 wpa_printf(MSG_DEBUG, 847 "TLSv1: Too short CertificateStatus (left=%lu)", 848 (unsigned long) left); 849 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 850 return -1; 851 } 852 853 type = *pos++; 854 len = WPA_GET_BE24(pos); 855 pos += 3; 856 left -= 4; 857 858 if (len > left) { 859 wpa_printf(MSG_DEBUG, 860 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)", 861 (unsigned long) len, (unsigned long) left); 862 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 863 return -1; 864 } 865 866 end = pos + len; 867 868 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) { 869 wpa_printf(MSG_DEBUG, 870 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)", 871 type); 872 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 873 TLS_ALERT_UNEXPECTED_MESSAGE); 874 return -1; 875 } 876 877 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus"); 878 879 /* 880 * struct { 881 * CertificateStatusType status_type; 882 * select (status_type) { 883 * case ocsp: OCSPResponse; 884 * case ocsp_multi: OCSPResponseList; 885 * } response; 886 * } CertificateStatus; 887 */ 888 if (end - pos < 1) { 889 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus"); 890 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 891 return -1; 892 } 893 status_type = *pos++; 894 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u", 895 status_type); 896 897 if (status_type == 1 /* ocsp */) { 898 res = tls_process_certificate_status_ocsp_response( 899 conn, pos, end - pos); 900 } else if (status_type == 2 /* ocsp_multi */) { 901 int good = 0, revoked = 0; 902 u32 resp_len; 903 904 res = TLS_OCSP_NO_RESPONSE; 905 906 /* 907 * opaque OCSPResponse<0..2^24-1>; 908 * 909 * struct { 910 * OCSPResponse ocsp_response_list<1..2^24-1>; 911 * } OCSPResponseList; 912 */ 913 if (end - pos < 3) { 914 wpa_printf(MSG_DEBUG, 915 "TLSv1: Truncated OCSPResponseList"); 916 res = TLS_OCSP_INVALID; 917 goto done; 918 } 919 resp_len = WPA_GET_BE24(pos); 920 pos += 3; 921 if (end - pos < resp_len) { 922 wpa_printf(MSG_DEBUG, 923 "TLSv1: Truncated OCSPResponseList(len=%u)", 924 resp_len); 925 res = TLS_OCSP_INVALID; 926 goto done; 927 } 928 end = pos + resp_len; 929 930 while (end - pos >= 3) { 931 resp_len = WPA_GET_BE24(pos); 932 pos += 3; 933 if (resp_len > end - pos) { 934 wpa_printf(MSG_DEBUG, 935 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi", 936 resp_len, (int) (end - pos)); 937 res = TLS_OCSP_INVALID; 938 break; 939 } 940 if (!resp_len) 941 continue; /* Skip an empty response */ 942 res = tls_process_certificate_status_ocsp_response( 943 conn, pos - 3, resp_len + 3); 944 if (res == TLS_OCSP_REVOKED) 945 revoked++; 946 else if (res == TLS_OCSP_GOOD) 947 good++; 948 pos += resp_len; 949 } 950 951 if (revoked) 952 res = TLS_OCSP_REVOKED; 953 else if (good) 954 res = TLS_OCSP_GOOD; 955 } else { 956 wpa_printf(MSG_DEBUG, 957 "TLSv1: Ignore unsupported CertificateStatus"); 958 goto skip; 959 } 960 961 done: 962 if (res == TLS_OCSP_REVOKED) { 963 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 964 TLS_ALERT_CERTIFICATE_REVOKED); 965 for (cert = conn->server_cert, depth = 0; cert; 966 cert = cert->next, depth++) { 967 if (cert->ocsp_revoked) { 968 tls_cert_chain_failure_event( 969 conn, depth, cert, TLS_FAIL_REVOKED, 970 "certificate revoked"); 971 } 972 } 973 return -1; 974 } 975 976 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) { 977 /* 978 * Verify that each certificate on the chain that is not part 979 * of the trusted certificates has a good status. If not, 980 * terminate handshake. 981 */ 982 for (cert = conn->server_cert, depth = 0; cert; 983 cert = cert->next, depth++) { 984 if (!cert->ocsp_good) { 985 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 986 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 987 tls_cert_chain_failure_event( 988 conn, depth, cert, 989 TLS_FAIL_UNSPECIFIED, 990 "bad certificate status response"); 991 return -1; 992 } 993 if (cert->issuer_trusted) 994 break; 995 } 996 } 997 998 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) { 999 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1000 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR : 1001 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 1002 if (conn->server_cert) 1003 tls_cert_chain_failure_event( 1004 conn, 0, conn->server_cert, 1005 TLS_FAIL_UNSPECIFIED, 1006 "bad certificate status response"); 1007 return -1; 1008 } 1009 1010 conn->ocsp_resp_received = 1; 1011 1012 skip: 1013 *in_len = end - in_data; 1014 1015 conn->state = SERVER_KEY_EXCHANGE; 1016 1017 return 0; 1018 } 1019 1020 1021 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 1022 const u8 *in_data, size_t *in_len) 1023 { 1024 const u8 *pos, *end; 1025 size_t left, len; 1026 u8 type; 1027 const struct tls_cipher_suite *suite; 1028 1029 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1030 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1031 "received content type 0x%x", ct); 1032 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1033 TLS_ALERT_UNEXPECTED_MESSAGE); 1034 return -1; 1035 } 1036 1037 pos = in_data; 1038 left = *in_len; 1039 1040 if (left < 4) { 1041 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 1042 "(Left=%lu)", (unsigned long) left); 1043 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1044 return -1; 1045 } 1046 1047 type = *pos++; 1048 len = WPA_GET_BE24(pos); 1049 pos += 3; 1050 left -= 4; 1051 1052 if (len > left) { 1053 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 1054 "length (len=%lu != left=%lu)", 1055 (unsigned long) len, (unsigned long) left); 1056 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1057 return -1; 1058 } 1059 1060 end = pos + len; 1061 1062 if ((conn->flags & TLS_CONN_REQUEST_OCSP) && 1063 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) 1064 return tls_process_certificate_status(conn, ct, in_data, 1065 in_len); 1066 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 1067 return tls_process_certificate_request(conn, ct, in_data, 1068 in_len); 1069 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1070 return tls_process_server_hello_done(conn, ct, in_data, 1071 in_len); 1072 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 1073 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1074 "message %d (expected ServerKeyExchange/" 1075 "CertificateRequest/ServerHelloDone%s)", type, 1076 (conn->flags & TLS_CONN_REQUEST_OCSP) ? 1077 "/CertificateStatus" : ""); 1078 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1079 TLS_ALERT_UNEXPECTED_MESSAGE); 1080 return -1; 1081 } 1082 1083 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 1084 1085 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 1086 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 1087 "with the selected cipher suite"); 1088 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1089 TLS_ALERT_UNEXPECTED_MESSAGE); 1090 return -1; 1091 } 1092 1093 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 1094 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 1095 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 1096 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 1097 if (tlsv1_process_diffie_hellman(conn, pos, len, 1098 suite->key_exchange) < 0) { 1099 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1100 TLS_ALERT_DECODE_ERROR); 1101 return -1; 1102 } 1103 } else { 1104 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 1105 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1106 TLS_ALERT_UNEXPECTED_MESSAGE); 1107 return -1; 1108 } 1109 1110 *in_len = end - in_data; 1111 1112 conn->state = SERVER_CERTIFICATE_REQUEST; 1113 1114 return 0; 1115 } 1116 1117 1118 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 1119 const u8 *in_data, size_t *in_len) 1120 { 1121 const u8 *pos, *end; 1122 size_t left, len; 1123 u8 type; 1124 1125 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1126 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1127 "received content type 0x%x", ct); 1128 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1129 TLS_ALERT_UNEXPECTED_MESSAGE); 1130 return -1; 1131 } 1132 1133 pos = in_data; 1134 left = *in_len; 1135 1136 if (left < 4) { 1137 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 1138 "(left=%lu)", (unsigned long) left); 1139 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1140 return -1; 1141 } 1142 1143 type = *pos++; 1144 len = WPA_GET_BE24(pos); 1145 pos += 3; 1146 left -= 4; 1147 1148 if (len > left) { 1149 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 1150 "length (len=%lu != left=%lu)", 1151 (unsigned long) len, (unsigned long) left); 1152 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1153 return -1; 1154 } 1155 1156 end = pos + len; 1157 1158 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1159 return tls_process_server_hello_done(conn, ct, in_data, 1160 in_len); 1161 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 1162 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1163 "message %d (expected CertificateRequest/" 1164 "ServerHelloDone)", type); 1165 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1166 TLS_ALERT_UNEXPECTED_MESSAGE); 1167 return -1; 1168 } 1169 1170 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 1171 1172 conn->certificate_requested = 1; 1173 1174 *in_len = end - in_data; 1175 1176 conn->state = SERVER_HELLO_DONE; 1177 1178 return 0; 1179 } 1180 1181 1182 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 1183 const u8 *in_data, size_t *in_len) 1184 { 1185 const u8 *pos, *end; 1186 size_t left, len; 1187 u8 type; 1188 1189 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1190 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1191 "received content type 0x%x", ct); 1192 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1193 TLS_ALERT_UNEXPECTED_MESSAGE); 1194 return -1; 1195 } 1196 1197 pos = in_data; 1198 left = *in_len; 1199 1200 if (left < 4) { 1201 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 1202 "(left=%lu)", (unsigned long) left); 1203 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1204 return -1; 1205 } 1206 1207 type = *pos++; 1208 len = WPA_GET_BE24(pos); 1209 pos += 3; 1210 left -= 4; 1211 1212 if (len > left) { 1213 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 1214 "length (len=%lu != left=%lu)", 1215 (unsigned long) len, (unsigned long) left); 1216 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1217 return -1; 1218 } 1219 end = pos + len; 1220 1221 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 1222 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1223 "message %d (expected ServerHelloDone)", type); 1224 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1225 TLS_ALERT_UNEXPECTED_MESSAGE); 1226 return -1; 1227 } 1228 1229 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 1230 1231 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && 1232 !conn->ocsp_resp_received) { 1233 wpa_printf(MSG_INFO, 1234 "TLSv1: No OCSP response received - reject handshake"); 1235 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1236 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 1237 return -1; 1238 } 1239 1240 *in_len = end - in_data; 1241 1242 conn->state = CLIENT_KEY_EXCHANGE; 1243 1244 return 0; 1245 } 1246 1247 1248 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 1249 u8 ct, const u8 *in_data, 1250 size_t *in_len) 1251 { 1252 const u8 *pos; 1253 size_t left; 1254 1255 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1256 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1257 "received content type 0x%x", ct); 1258 if (conn->use_session_ticket) { 1259 int res; 1260 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 1261 "rejected SessionTicket"); 1262 conn->use_session_ticket = 0; 1263 1264 /* Notify upper layers that SessionTicket failed */ 1265 res = conn->session_ticket_cb( 1266 conn->session_ticket_cb_ctx, NULL, 0, NULL, 1267 NULL, NULL); 1268 if (res < 0) { 1269 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 1270 "callback indicated failure"); 1271 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1272 TLS_ALERT_HANDSHAKE_FAILURE); 1273 return -1; 1274 } 1275 1276 conn->state = SERVER_CERTIFICATE; 1277 return tls_process_certificate(conn, ct, in_data, 1278 in_len); 1279 } 1280 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1281 TLS_ALERT_UNEXPECTED_MESSAGE); 1282 return -1; 1283 } 1284 1285 pos = in_data; 1286 left = *in_len; 1287 1288 if (left < 1) { 1289 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 1290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1291 return -1; 1292 } 1293 1294 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1295 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1296 "received data 0x%x", *pos); 1297 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1298 TLS_ALERT_UNEXPECTED_MESSAGE); 1299 return -1; 1300 } 1301 1302 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 1303 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1304 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1305 "for record layer"); 1306 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1307 TLS_ALERT_INTERNAL_ERROR); 1308 return -1; 1309 } 1310 1311 *in_len = pos + 1 - in_data; 1312 1313 conn->state = SERVER_FINISHED; 1314 1315 return 0; 1316 } 1317 1318 1319 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 1320 const u8 *in_data, size_t *in_len) 1321 { 1322 const u8 *pos, *end; 1323 size_t left, len, hlen; 1324 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1325 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1326 1327 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1328 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 1329 "received content type 0x%x", ct); 1330 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1331 TLS_ALERT_UNEXPECTED_MESSAGE); 1332 return -1; 1333 } 1334 1335 pos = in_data; 1336 left = *in_len; 1337 1338 if (left < 4) { 1339 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 1340 "Finished", 1341 (unsigned long) left); 1342 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1343 TLS_ALERT_DECODE_ERROR); 1344 return -1; 1345 } 1346 1347 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1348 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1349 "type 0x%x", pos[0]); 1350 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1351 TLS_ALERT_UNEXPECTED_MESSAGE); 1352 return -1; 1353 } 1354 1355 len = WPA_GET_BE24(pos + 1); 1356 1357 pos += 4; 1358 left -= 4; 1359 1360 if (len > left) { 1361 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1362 "(len=%lu > left=%lu)", 1363 (unsigned long) len, (unsigned long) left); 1364 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1365 TLS_ALERT_DECODE_ERROR); 1366 return -1; 1367 } 1368 end = pos + len; 1369 if (len != TLS_VERIFY_DATA_LEN) { 1370 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1371 "in Finished: %lu (expected %d)", 1372 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1373 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1374 TLS_ALERT_DECODE_ERROR); 1375 return -1; 1376 } 1377 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1378 pos, TLS_VERIFY_DATA_LEN); 1379 1380 #ifdef CONFIG_TLSV12 1381 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1382 hlen = SHA256_MAC_LEN; 1383 if (conn->verify.sha256_server == NULL || 1384 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 1385 < 0) { 1386 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1387 TLS_ALERT_INTERNAL_ERROR); 1388 conn->verify.sha256_server = NULL; 1389 return -1; 1390 } 1391 conn->verify.sha256_server = NULL; 1392 } else { 1393 #endif /* CONFIG_TLSV12 */ 1394 1395 hlen = MD5_MAC_LEN; 1396 if (conn->verify.md5_server == NULL || 1397 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 1398 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1399 TLS_ALERT_INTERNAL_ERROR); 1400 conn->verify.md5_server = NULL; 1401 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 1402 conn->verify.sha1_server = NULL; 1403 return -1; 1404 } 1405 conn->verify.md5_server = NULL; 1406 hlen = SHA1_MAC_LEN; 1407 if (conn->verify.sha1_server == NULL || 1408 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 1409 &hlen) < 0) { 1410 conn->verify.sha1_server = NULL; 1411 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1412 TLS_ALERT_INTERNAL_ERROR); 1413 return -1; 1414 } 1415 conn->verify.sha1_server = NULL; 1416 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1417 1418 #ifdef CONFIG_TLSV12 1419 } 1420 #endif /* CONFIG_TLSV12 */ 1421 1422 if (tls_prf(conn->rl.tls_version, 1423 conn->master_secret, TLS_MASTER_SECRET_LEN, 1424 "server finished", hash, hlen, 1425 verify_data, TLS_VERIFY_DATA_LEN)) { 1426 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1427 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1428 TLS_ALERT_DECRYPT_ERROR); 1429 return -1; 1430 } 1431 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 1432 verify_data, TLS_VERIFY_DATA_LEN); 1433 1434 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1435 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1436 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1437 TLS_ALERT_DECRYPT_ERROR); 1438 return -1; 1439 } 1440 1441 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1442 1443 *in_len = end - in_data; 1444 1445 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 1446 CHANGE_CIPHER_SPEC : ACK_FINISHED; 1447 1448 return 0; 1449 } 1450 1451 1452 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 1453 const u8 *in_data, size_t *in_len, 1454 u8 **out_data, size_t *out_len) 1455 { 1456 const u8 *pos; 1457 size_t left; 1458 1459 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 1460 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 1461 "received content type 0x%x", ct); 1462 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1463 TLS_ALERT_UNEXPECTED_MESSAGE); 1464 return -1; 1465 } 1466 1467 pos = in_data; 1468 left = *in_len; 1469 1470 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 1471 pos, left); 1472 1473 *out_data = os_malloc(left); 1474 if (*out_data) { 1475 os_memcpy(*out_data, pos, left); 1476 *out_len = left; 1477 } 1478 1479 return 0; 1480 } 1481 1482 1483 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1484 const u8 *buf, size_t *len, 1485 u8 **out_data, size_t *out_len) 1486 { 1487 if (ct == TLS_CONTENT_TYPE_ALERT) { 1488 if (*len < 2) { 1489 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1490 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1491 TLS_ALERT_DECODE_ERROR); 1492 return -1; 1493 } 1494 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1495 buf[0], buf[1]); 1496 *len = 2; 1497 conn->state = FAILED; 1498 return -1; 1499 } 1500 1501 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1502 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1503 size_t hr_len = WPA_GET_BE24(buf + 1); 1504 if (hr_len > *len - 4) { 1505 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1506 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1507 TLS_ALERT_DECODE_ERROR); 1508 return -1; 1509 } 1510 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1511 *len = 4 + hr_len; 1512 return 0; 1513 } 1514 1515 switch (conn->state) { 1516 case SERVER_HELLO: 1517 if (tls_process_server_hello(conn, ct, buf, len)) 1518 return -1; 1519 break; 1520 case SERVER_CERTIFICATE: 1521 if (tls_process_certificate(conn, ct, buf, len)) 1522 return -1; 1523 break; 1524 case SERVER_KEY_EXCHANGE: 1525 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1526 return -1; 1527 break; 1528 case SERVER_CERTIFICATE_REQUEST: 1529 if (tls_process_certificate_request(conn, ct, buf, len)) 1530 return -1; 1531 break; 1532 case SERVER_HELLO_DONE: 1533 if (tls_process_server_hello_done(conn, ct, buf, len)) 1534 return -1; 1535 break; 1536 case SERVER_CHANGE_CIPHER_SPEC: 1537 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1538 return -1; 1539 break; 1540 case SERVER_FINISHED: 1541 if (tls_process_server_finished(conn, ct, buf, len)) 1542 return -1; 1543 break; 1544 case ACK_FINISHED: 1545 if (out_data && 1546 tls_process_application_data(conn, ct, buf, len, out_data, 1547 out_len)) 1548 return -1; 1549 break; 1550 default: 1551 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1552 "while processing received message", 1553 conn->state); 1554 return -1; 1555 } 1556 1557 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1558 tls_verify_hash_add(&conn->verify, buf, *len); 1559 1560 return 0; 1561 } 1562