1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_version_disabled(struct tlsv1_client * conn,u16 ver)30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
38 }
39
40
tls_process_server_hello_extensions(struct tlsv1_client * conn,const u8 * pos,size_t len)41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
43 {
44 const u8 *end = pos + len;
45
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 pos, len);
48 while (pos < end) {
49 u16 elen;
50
51 if (end - pos < 4) {
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 return -1;
54 }
55
56 #ifdef DEBUG_PRINT
57 u16 ext;
58 ext = WPA_GET_BE16(pos);
59 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
60 ext);
61 #endif
62 pos += 2;
63 elen = WPA_GET_BE16(pos);
64 pos += 2;
65
66 if (elen > end - pos) {
67 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
68 return -1;
69 }
70
71 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
72 pos, elen);
73
74 pos += elen;
75 }
76
77 return 0;
78 }
79
80
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)81 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
82 const u8 *in_data, size_t *in_len)
83 {
84 const u8 *pos, *end;
85 size_t left, len, i;
86 u16 cipher_suite;
87 u16 tls_version;
88
89 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
90 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
91 "received content type 0x%x", ct);
92 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
93 TLS_ALERT_UNEXPECTED_MESSAGE);
94 return -1;
95 }
96
97 pos = in_data;
98 left = *in_len;
99
100 if (left < 4)
101 goto decode_error;
102
103 /* HandshakeType msg_type */
104 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
105 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
106 "message %d (expected ServerHello)", *pos);
107 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
108 TLS_ALERT_UNEXPECTED_MESSAGE);
109 return -1;
110 }
111 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
112 pos++;
113 /* uint24 length */
114 len = WPA_GET_BE24(pos);
115 pos += 3;
116 left -= 4;
117
118 if (len > left)
119 goto decode_error;
120
121 /* body - ServerHello */
122
123 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
124 end = pos + len;
125
126 /* ProtocolVersion server_version */
127 if (end - pos < 2)
128 goto decode_error;
129 tls_version = WPA_GET_BE16(pos);
130 if (!tls_version_ok(tls_version) ||
131 tls_version_disabled(conn, tls_version)) {
132 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
133 "ServerHello %u.%u", pos[0], pos[1]);
134 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
135 TLS_ALERT_PROTOCOL_VERSION);
136 return -1;
137 }
138 pos += 2;
139
140 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
141 tls_version_str(tls_version));
142 conn->rl.tls_version = tls_version;
143
144 /* Random random */
145 if (end - pos < TLS_RANDOM_LEN)
146 goto decode_error;
147
148 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
149 pos += TLS_RANDOM_LEN;
150 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
151 conn->server_random, TLS_RANDOM_LEN);
152
153 /* SessionID session_id */
154 if (end - pos < 1)
155 goto decode_error;
156 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
157 goto decode_error;
158 if (conn->session_id_len && conn->session_id_len == *pos &&
159 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
160 pos += 1 + conn->session_id_len;
161 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
162 conn->session_resumed = 1;
163 } else {
164 conn->session_id_len = *pos;
165 pos++;
166 os_memcpy(conn->session_id, pos, conn->session_id_len);
167 pos += conn->session_id_len;
168 }
169 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
170 conn->session_id, conn->session_id_len);
171
172 /* CipherSuite cipher_suite */
173 if (end - pos < 2)
174 goto decode_error;
175 cipher_suite = WPA_GET_BE16(pos);
176 pos += 2;
177 for (i = 0; i < conn->num_cipher_suites; i++) {
178 if (cipher_suite == conn->cipher_suites[i])
179 break;
180 }
181 if (i == conn->num_cipher_suites) {
182 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
183 "cipher suite 0x%04x", cipher_suite);
184 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
185 TLS_ALERT_ILLEGAL_PARAMETER);
186 return -1;
187 }
188
189 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
190 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
191 "cipher suite for a resumed connection (0x%04x != "
192 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
193 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
194 TLS_ALERT_ILLEGAL_PARAMETER);
195 return -1;
196 }
197
198 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
199 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
200 "record layer");
201 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
202 TLS_ALERT_INTERNAL_ERROR);
203 return -1;
204 }
205
206 conn->prev_cipher_suite = cipher_suite;
207
208 /* CompressionMethod compression_method */
209 if (end - pos < 1)
210 goto decode_error;
211 if (*pos != TLS_COMPRESSION_NULL) {
212 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
213 "compression 0x%02x", *pos);
214 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
215 TLS_ALERT_ILLEGAL_PARAMETER);
216 return -1;
217 }
218 pos++;
219
220 if (end - pos >= 2) {
221 u16 ext_len;
222
223 ext_len = WPA_GET_BE16(pos);
224 pos += 2;
225 if (end - pos < ext_len) {
226 wpa_printf(MSG_INFO,
227 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
228 ext_len, (unsigned int) (end - pos));
229 goto decode_error;
230 }
231
232 if (tls_process_server_hello_extensions(conn, pos, ext_len))
233 goto decode_error;
234 pos += ext_len;
235 }
236
237 if (end != pos) {
238 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
239 "end of ServerHello", pos, end - pos);
240 goto decode_error;
241 }
242
243 if (conn->session_ticket_included && conn->session_ticket_cb) {
244 /* TODO: include SessionTicket extension if one was included in
245 * ServerHello */
246 int res = conn->session_ticket_cb(
247 conn->session_ticket_cb_ctx, NULL, 0,
248 conn->client_random, conn->server_random,
249 conn->master_secret);
250 if (res < 0) {
251 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
252 "indicated failure");
253 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
254 TLS_ALERT_HANDSHAKE_FAILURE);
255 return -1;
256 }
257 conn->use_session_ticket = !!res;
258 }
259
260 if ((conn->session_resumed || conn->use_session_ticket) &&
261 tls_derive_keys(conn, NULL, 0)) {
262 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
263 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
264 TLS_ALERT_INTERNAL_ERROR);
265 return -1;
266 }
267
268 *in_len = end - in_data;
269
270 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
271 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
272
273 return 0;
274
275 decode_error:
276 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
277 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
278 return -1;
279 }
280
281
tls_peer_cert_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert)282 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
283 struct x509_certificate *cert)
284 {
285 union tls_event_data ev;
286 struct wpabuf *cert_buf = NULL;
287 #ifdef CONFIG_SHA256
288 u8 hash[32];
289 #endif /* CONFIG_SHA256 */
290 char subject[128];
291
292 if (!conn->event_cb)
293 return;
294
295 os_memset(&ev, 0, sizeof(ev));
296 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
297 cert_buf = wpabuf_alloc_copy(cert->cert_start,
298 cert->cert_len);
299 ev.peer_cert.cert = cert_buf;
300 }
301 #ifdef CONFIG_SHA256
302 if (cert_buf) {
303 const u8 *addr[1];
304 size_t len[1];
305 addr[0] = wpabuf_head(cert_buf);
306 len[0] = wpabuf_len(cert_buf);
307 if (sha256_vector(1, addr, len, hash) == 0) {
308 ev.peer_cert.hash = hash;
309 ev.peer_cert.hash_len = sizeof(hash);
310 }
311 }
312 #endif /* CONFIG_SHA256 */
313
314 ev.peer_cert.depth = depth;
315 x509_name_string(&cert->subject, subject, sizeof(subject));
316 ev.peer_cert.subject = subject;
317
318 if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) {
319 if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT)
320 ev.peer_cert.tod = 1;
321 else if (cert->certificate_policy &
322 X509_EXT_CERT_POLICY_TOD_TOFU)
323 ev.peer_cert.tod = 2;
324 }
325
326 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
327 wpabuf_free(cert_buf);
328 }
329
330
tls_cert_chain_failure_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert,enum tls_fail_reason reason,const char * reason_txt)331 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
332 struct x509_certificate *cert,
333 enum tls_fail_reason reason,
334 const char *reason_txt)
335 {
336 #ifndef ESP_SUPPLICANT
337 struct wpabuf *cert_buf = NULL;
338 union tls_event_data ev;
339 char subject[128];
340
341 if (!conn->event_cb || !cert)
342 return;
343
344 os_memset(&ev, 0, sizeof(ev));
345 ev.cert_fail.depth = depth;
346 x509_name_string(&cert->subject, subject, sizeof(subject));
347 ev.peer_cert.subject = subject;
348 ev.cert_fail.reason = reason;
349 ev.cert_fail.reason_txt = reason_txt;
350 cert_buf = wpabuf_alloc_copy(cert->cert_start,
351 cert->cert_len);
352 ev.cert_fail.cert = cert_buf;
353 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
354 wpabuf_free(cert_buf);
355 #endif
356 }
357
358
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)359 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
360 const u8 *in_data, size_t *in_len)
361 {
362 const u8 *pos, *end;
363 size_t left, len, list_len, cert_len, idx;
364 u8 type;
365 struct x509_certificate *chain = NULL, *last = NULL, *cert;
366 int reason;
367
368 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
369 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
370 "received content type 0x%x", ct);
371 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
372 TLS_ALERT_UNEXPECTED_MESSAGE);
373 return -1;
374 }
375
376 pos = in_data;
377 left = *in_len;
378
379 if (left < 4) {
380 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
381 "(len=%lu)", (unsigned long) left);
382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
383 return -1;
384 }
385
386 type = *pos++;
387 len = WPA_GET_BE24(pos);
388 pos += 3;
389 left -= 4;
390
391 if (len > left) {
392 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
393 "length (len=%lu != left=%lu)",
394 (unsigned long) len, (unsigned long) left);
395 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
396 return -1;
397 }
398
399 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
400 return tls_process_server_key_exchange(conn, ct, in_data,
401 in_len);
402 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
403 return tls_process_certificate_request(conn, ct, in_data,
404 in_len);
405 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
406 return tls_process_server_hello_done(conn, ct, in_data,
407 in_len);
408 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
409 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
410 "message %d (expected Certificate/"
411 "ServerKeyExchange/CertificateRequest/"
412 "ServerHelloDone)", type);
413 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
414 TLS_ALERT_UNEXPECTED_MESSAGE);
415 return -1;
416 }
417
418 wpa_printf(MSG_DEBUG,
419 "TLSv1: Received Certificate (certificate_list len %lu)",
420 (unsigned long) len);
421
422 /*
423 * opaque ASN.1Cert<2^24-1>;
424 *
425 * struct {
426 * ASN.1Cert certificate_list<1..2^24-1>;
427 * } Certificate;
428 */
429
430 end = pos + len;
431
432 if (end - pos < 3) {
433 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
434 "(left=%lu)", (unsigned long) left);
435 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
436 return -1;
437 }
438
439 list_len = WPA_GET_BE24(pos);
440 pos += 3;
441
442 if ((size_t) (end - pos) != list_len) {
443 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
444 "length (len=%lu left=%lu)",
445 (unsigned long) list_len,
446 (unsigned long) (end - pos));
447 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
448 return -1;
449 }
450
451 idx = 0;
452 while (pos < end) {
453 if (end - pos < 3) {
454 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
455 "certificate_list");
456 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
457 TLS_ALERT_DECODE_ERROR);
458 x509_certificate_chain_free(chain);
459 return -1;
460 }
461
462 cert_len = WPA_GET_BE24(pos);
463 pos += 3;
464
465 if ((size_t) (end - pos) < cert_len) {
466 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
467 "length (len=%lu left=%lu)",
468 (unsigned long) cert_len,
469 (unsigned long) (end - pos));
470 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
471 TLS_ALERT_DECODE_ERROR);
472 x509_certificate_chain_free(chain);
473 return -1;
474 }
475
476 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
477 (unsigned long) idx, (unsigned long) cert_len);
478
479 if (idx == 0) {
480 crypto_public_key_free(conn->server_rsa_key);
481 if (tls_parse_cert(pos, cert_len,
482 &conn->server_rsa_key)) {
483 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
484 "the certificate");
485 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
486 TLS_ALERT_BAD_CERTIFICATE);
487 x509_certificate_chain_free(chain);
488 return -1;
489 }
490 }
491
492 cert = x509_certificate_parse(pos, cert_len);
493 if (cert == NULL) {
494 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
495 "the certificate");
496 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
497 TLS_ALERT_BAD_CERTIFICATE);
498 x509_certificate_chain_free(chain);
499 return -1;
500 }
501
502 tls_peer_cert_event(conn, idx, cert);
503
504 if (last == NULL)
505 chain = cert;
506 else
507 last->next = cert;
508 last = cert;
509
510 idx++;
511 pos += cert_len;
512 }
513
514 if (conn->cred && conn->cred->server_cert_only && chain) {
515 u8 hash[SHA256_MAC_LEN];
516 char buf[128];
517
518 wpa_printf(MSG_DEBUG,
519 "TLSv1: Validate server certificate hash");
520 x509_name_string(&chain->subject, buf, sizeof(buf));
521 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
522 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
523 hash) < 0 ||
524 os_memcmp(conn->cred->srv_cert_hash, hash,
525 SHA256_MAC_LEN) != 0) {
526 wpa_printf(MSG_DEBUG,
527 "TLSv1: Server certificate hash mismatch");
528 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
529 hash, SHA256_MAC_LEN);
530 if (conn->event_cb) {
531 union tls_event_data ev;
532
533 os_memset(&ev, 0, sizeof(ev));
534 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
535 ev.cert_fail.reason_txt =
536 "Server certificate mismatch";
537 ev.cert_fail.subject = buf;
538 conn->event_cb(conn->cb_ctx,
539 TLS_CERT_CHAIN_FAILURE, &ev);
540 }
541 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
542 TLS_ALERT_BAD_CERTIFICATE);
543 x509_certificate_chain_free(chain);
544 return -1;
545 }
546 } else if (conn->cred && conn->cred->cert_probe) {
547 wpa_printf(MSG_DEBUG,
548 "TLSv1: Reject server certificate on probe-only run");
549 if (conn->event_cb) {
550 union tls_event_data ev;
551 char buf[128];
552
553 os_memset(&ev, 0, sizeof(ev));
554 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
555 ev.cert_fail.reason_txt =
556 "Server certificate chain probe";
557 if (chain) {
558 x509_name_string(&chain->subject, buf,
559 sizeof(buf));
560 ev.cert_fail.subject = buf;
561 }
562 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
563 &ev);
564 }
565 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
566 TLS_ALERT_BAD_CERTIFICATE);
567 x509_certificate_chain_free(chain);
568 return -1;
569 } else if (conn->cred && conn->cred->ca_cert_verify &&
570 x509_certificate_chain_validate(
571 conn->cred->trusted_certs, chain, &reason,
572 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
573 < 0) {
574 int tls_reason;
575 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
576 "validation failed (reason=%d)", reason);
577 switch (reason) {
578 case X509_VALIDATE_BAD_CERTIFICATE:
579 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
580 tls_cert_chain_failure_event(
581 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
582 "bad certificate");
583 break;
584 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
585 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
586 break;
587 case X509_VALIDATE_CERTIFICATE_REVOKED:
588 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
589 tls_cert_chain_failure_event(
590 conn, 0, chain, TLS_FAIL_REVOKED,
591 "certificate revoked");
592 break;
593 case X509_VALIDATE_CERTIFICATE_EXPIRED:
594 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
595 tls_cert_chain_failure_event(
596 conn, 0, chain, TLS_FAIL_EXPIRED,
597 "certificate has expired or is not yet valid");
598 break;
599 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
600 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
601 break;
602 case X509_VALIDATE_UNKNOWN_CA:
603 tls_reason = TLS_ALERT_UNKNOWN_CA;
604 tls_cert_chain_failure_event(
605 conn, 0, chain, TLS_FAIL_UNTRUSTED,
606 "unknown CA");
607 break;
608 default:
609 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
610 break;
611 }
612 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
613 x509_certificate_chain_free(chain);
614 return -1;
615 }
616
617 if (conn->cred && !conn->cred->server_cert_only && chain &&
618 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
619 !(chain->ext_key_usage &
620 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
621 tls_cert_chain_failure_event(
622 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
623 "certificate not allowed for server authentication");
624 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
625 TLS_ALERT_BAD_CERTIFICATE);
626 x509_certificate_chain_free(chain);
627 return -1;
628 }
629
630 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
631 x509_certificate_chain_free(conn->server_cert);
632 conn->server_cert = chain;
633 } else {
634 x509_certificate_chain_free(chain);
635 }
636
637 *in_len = end - in_data;
638
639 conn->state = SERVER_KEY_EXCHANGE;
640
641 return 0;
642 }
643
644
count_bits(const u8 * val,size_t len)645 static unsigned int count_bits(const u8 *val, size_t len)
646 {
647 size_t i;
648 unsigned int bits;
649 u8 tmp;
650
651 for (i = 0; i < len; i++) {
652 if (val[i])
653 break;
654 }
655 if (i == len)
656 return 0;
657
658 bits = (len - i - 1) * 8;
659 tmp = val[i];
660 while (tmp) {
661 bits++;
662 tmp >>= 1;
663 }
664
665 return bits;
666 }
667
668
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)669 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
670 const u8 *buf, size_t len,
671 tls_key_exchange key_exchange)
672 {
673 const u8 *pos, *end, *server_params, *server_params_end;
674 u8 alert;
675 unsigned int bits;
676 u16 val;
677
678 tlsv1_client_free_dh(conn);
679
680 pos = buf;
681 end = buf + len;
682
683 if (end - pos < 3)
684 goto fail;
685 server_params = pos;
686 val = WPA_GET_BE16(pos);
687 pos += 2;
688 if (val == 0 || val > (size_t) (end - pos)) {
689 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
690 goto fail;
691 }
692 conn->dh_p_len = val;
693 bits = count_bits(pos, conn->dh_p_len);
694 if (bits < 768) {
695 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
696 bits);
697 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
698 pos, conn->dh_p_len);
699 goto fail;
700 }
701 conn->dh_p = os_memdup(pos, conn->dh_p_len);
702 if (conn->dh_p == NULL)
703 goto fail;
704 pos += conn->dh_p_len;
705 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
706 conn->dh_p, conn->dh_p_len);
707
708 if (end - pos < 3)
709 goto fail;
710 val = WPA_GET_BE16(pos);
711 pos += 2;
712 if (val == 0 || val > (size_t) (end - pos))
713 goto fail;
714 conn->dh_g_len = val;
715 conn->dh_g = os_memdup(pos, conn->dh_g_len);
716 if (conn->dh_g == NULL)
717 goto fail;
718 pos += conn->dh_g_len;
719 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
720 conn->dh_g, conn->dh_g_len);
721 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
722 goto fail;
723
724 if (end - pos < 3)
725 goto fail;
726 val = WPA_GET_BE16(pos);
727 pos += 2;
728 if (val == 0 || val > (size_t) (end - pos))
729 goto fail;
730 conn->dh_ys_len = val;
731 conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
732 if (conn->dh_ys == NULL)
733 goto fail;
734 pos += conn->dh_ys_len;
735 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
736 conn->dh_ys, conn->dh_ys_len);
737 server_params_end = pos;
738
739 if (key_exchange == TLS_KEY_X_DHE_RSA) {
740 u8 hash[64];
741 int hlen;
742
743 if (conn->rl.tls_version == TLS_VERSION_1_2) {
744 #ifdef CONFIG_TLSV12
745 /*
746 * RFC 5246, 4.7:
747 * TLS v1.2 adds explicit indication of the used
748 * signature and hash algorithms.
749 *
750 * struct {
751 * HashAlgorithm hash;
752 * SignatureAlgorithm signature;
753 * } SignatureAndHashAlgorithm;
754 */
755 if (end - pos < 2)
756 goto fail;
757 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
758 pos[0] != TLS_HASH_ALG_SHA384 &&
759 pos[0] != TLS_HASH_ALG_SHA512) ||
760 pos[1] != TLS_SIGN_ALG_RSA) {
761 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
762 pos[0], pos[1]);
763 goto fail;
764 }
765
766 hlen = tlsv12_key_x_server_params_hash(
767 conn->rl.tls_version, pos[0],
768 conn->client_random,
769 conn->server_random, server_params,
770 server_params_end - server_params, hash);
771 pos += 2;
772 #else /* CONFIG_TLSV12 */
773 goto fail;
774 #endif /* CONFIG_TLSV12 */
775 } else {
776 hlen = tls_key_x_server_params_hash(
777 conn->rl.tls_version, conn->client_random,
778 conn->server_random, server_params,
779 server_params_end - server_params, hash);
780 }
781
782 if (hlen < 0)
783 goto fail;
784 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
785 hash, hlen);
786
787 if (tls_verify_signature(conn->rl.tls_version,
788 conn->server_rsa_key,
789 hash, hlen, pos, end - pos,
790 &alert) < 0)
791 goto fail;
792 }
793
794 return 0;
795
796 fail:
797 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
798 tlsv1_client_free_dh(conn);
799 return -1;
800 }
801
802
803 static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client * conn,const u8 * pos,size_t len)804 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
805 const u8 *pos, size_t len)
806 {
807 const u8 *end = pos + len;
808 u32 ocsp_resp_len;
809
810 /* opaque OCSPResponse<1..2^24-1>; */
811 if (end - pos < 3) {
812 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
813 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
814 return TLS_OCSP_INVALID;
815 }
816 ocsp_resp_len = WPA_GET_BE24(pos);
817 pos += 3;
818 if (end - pos < ocsp_resp_len) {
819 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
820 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
821 return TLS_OCSP_INVALID;
822 }
823
824 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
825 }
826
827
tls_process_certificate_status(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)828 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
829 const u8 *in_data, size_t *in_len)
830 {
831 const u8 *pos, *end;
832 size_t left, len;
833 u8 type, status_type;
834 enum tls_ocsp_result res;
835 struct x509_certificate *cert;
836 int depth;
837
838 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
839 wpa_printf(MSG_DEBUG,
840 "TLSv1: Expected Handshake; received content type 0x%x",
841 ct);
842 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
843 TLS_ALERT_UNEXPECTED_MESSAGE);
844 return -1;
845 }
846
847 pos = in_data;
848 left = *in_len;
849
850 if (left < 4) {
851 wpa_printf(MSG_DEBUG,
852 "TLSv1: Too short CertificateStatus (left=%lu)",
853 (unsigned long) left);
854 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
855 return -1;
856 }
857
858 type = *pos++;
859 len = WPA_GET_BE24(pos);
860 pos += 3;
861 left -= 4;
862
863 if (len > left) {
864 wpa_printf(MSG_DEBUG,
865 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
866 (unsigned long) len, (unsigned long) left);
867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
868 return -1;
869 }
870
871 end = pos + len;
872
873 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
874 wpa_printf(MSG_DEBUG,
875 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
876 type);
877 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
878 TLS_ALERT_UNEXPECTED_MESSAGE);
879 return -1;
880 }
881
882 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
883
884 /*
885 * struct {
886 * CertificateStatusType status_type;
887 * select (status_type) {
888 * case ocsp: OCSPResponse;
889 * case ocsp_multi: OCSPResponseList;
890 * } response;
891 * } CertificateStatus;
892 */
893 if (end - pos < 1) {
894 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
895 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
896 return -1;
897 }
898 status_type = *pos++;
899 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
900 status_type);
901
902 if (status_type == 1 /* ocsp */) {
903 res = tls_process_certificate_status_ocsp_response(
904 conn, pos, end - pos);
905 } else if (status_type == 2 /* ocsp_multi */) {
906 int good = 0, revoked = 0;
907 u32 resp_len;
908
909 res = TLS_OCSP_NO_RESPONSE;
910
911 /*
912 * opaque OCSPResponse<0..2^24-1>;
913 *
914 * struct {
915 * OCSPResponse ocsp_response_list<1..2^24-1>;
916 * } OCSPResponseList;
917 */
918 if (end - pos < 3) {
919 wpa_printf(MSG_DEBUG,
920 "TLSv1: Truncated OCSPResponseList");
921 res = TLS_OCSP_INVALID;
922 goto done;
923 }
924 resp_len = WPA_GET_BE24(pos);
925 pos += 3;
926 if (end - pos < resp_len) {
927 wpa_printf(MSG_DEBUG,
928 "TLSv1: Truncated OCSPResponseList(len=%u)",
929 resp_len);
930 res = TLS_OCSP_INVALID;
931 goto done;
932 }
933 end = pos + resp_len;
934
935 while (end - pos >= 3) {
936 resp_len = WPA_GET_BE24(pos);
937 pos += 3;
938 if (resp_len > end - pos) {
939 wpa_printf(MSG_DEBUG,
940 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
941 resp_len, (int) (end - pos));
942 res = TLS_OCSP_INVALID;
943 break;
944 }
945 if (!resp_len)
946 continue; /* Skip an empty response */
947 res = tls_process_certificate_status_ocsp_response(
948 conn, pos - 3, resp_len + 3);
949 if (res == TLS_OCSP_REVOKED)
950 revoked++;
951 else if (res == TLS_OCSP_GOOD)
952 good++;
953 pos += resp_len;
954 }
955
956 if (revoked)
957 res = TLS_OCSP_REVOKED;
958 else if (good)
959 res = TLS_OCSP_GOOD;
960 } else {
961 wpa_printf(MSG_DEBUG,
962 "TLSv1: Ignore unsupported CertificateStatus");
963 goto skip;
964 }
965
966 done:
967 if (res == TLS_OCSP_REVOKED) {
968 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
969 TLS_ALERT_CERTIFICATE_REVOKED);
970 for (cert = conn->server_cert, depth = 0; cert;
971 cert = cert->next, depth++) {
972 if (cert->ocsp_revoked) {
973 tls_cert_chain_failure_event(
974 conn, depth, cert, TLS_FAIL_REVOKED,
975 "certificate revoked");
976 }
977 }
978 return -1;
979 }
980
981 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
982 /*
983 * Verify that each certificate on the chain that is not part
984 * of the trusted certificates has a good status. If not,
985 * terminate handshake.
986 */
987 for (cert = conn->server_cert, depth = 0; cert;
988 cert = cert->next, depth++) {
989 if (!cert->ocsp_good) {
990 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
991 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
992 tls_cert_chain_failure_event(
993 conn, depth, cert,
994 TLS_FAIL_UNSPECIFIED,
995 "bad certificate status response");
996 return -1;
997 }
998 if (cert->issuer_trusted)
999 break;
1000 }
1001 }
1002
1003 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
1004 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1005 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
1006 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1007 if (conn->server_cert)
1008 tls_cert_chain_failure_event(
1009 conn, 0, conn->server_cert,
1010 TLS_FAIL_UNSPECIFIED,
1011 "bad certificate status response");
1012 return -1;
1013 }
1014
1015 conn->ocsp_resp_received = 1;
1016
1017 skip:
1018 *in_len = end - in_data;
1019
1020 conn->state = SERVER_KEY_EXCHANGE;
1021
1022 return 0;
1023 }
1024
1025
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1026 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1027 const u8 *in_data, size_t *in_len)
1028 {
1029 const u8 *pos, *end;
1030 size_t left, len;
1031 u8 type;
1032 const struct tls_cipher_suite *suite;
1033
1034 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1035 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1036 "received content type 0x%x", ct);
1037 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038 TLS_ALERT_UNEXPECTED_MESSAGE);
1039 return -1;
1040 }
1041
1042 pos = in_data;
1043 left = *in_len;
1044
1045 if (left < 4) {
1046 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1047 "(Left=%lu)", (unsigned long) left);
1048 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1049 return -1;
1050 }
1051
1052 type = *pos++;
1053 len = WPA_GET_BE24(pos);
1054 pos += 3;
1055 left -= 4;
1056
1057 if (len > left) {
1058 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1059 "length (len=%lu != left=%lu)",
1060 (unsigned long) len, (unsigned long) left);
1061 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1062 return -1;
1063 }
1064
1065 end = pos + len;
1066
1067 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1068 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1069 return tls_process_certificate_status(conn, ct, in_data,
1070 in_len);
1071 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1072 return tls_process_certificate_request(conn, ct, in_data,
1073 in_len);
1074 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1075 return tls_process_server_hello_done(conn, ct, in_data,
1076 in_len);
1077 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1078 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1079 "message %d (expected ServerKeyExchange/"
1080 "CertificateRequest/ServerHelloDone%s)", type,
1081 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1082 "/CertificateStatus" : "");
1083 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1084 TLS_ALERT_UNEXPECTED_MESSAGE);
1085 return -1;
1086 }
1087
1088 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1089
1090 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1091 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1092 "with the selected cipher suite");
1093 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1094 TLS_ALERT_UNEXPECTED_MESSAGE);
1095 return -1;
1096 }
1097
1098 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1099 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1100 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1101 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1102 if (tlsv1_process_diffie_hellman(conn, pos, len,
1103 suite->key_exchange) < 0) {
1104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1105 TLS_ALERT_DECODE_ERROR);
1106 return -1;
1107 }
1108 } else {
1109 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1110 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1111 TLS_ALERT_UNEXPECTED_MESSAGE);
1112 return -1;
1113 }
1114
1115 *in_len = end - in_data;
1116
1117 conn->state = SERVER_CERTIFICATE_REQUEST;
1118
1119 return 0;
1120 }
1121
1122
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1123 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1124 const u8 *in_data, size_t *in_len)
1125 {
1126 const u8 *pos, *end;
1127 size_t left, len;
1128 u8 type;
1129
1130 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1131 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1132 "received content type 0x%x", ct);
1133 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1134 TLS_ALERT_UNEXPECTED_MESSAGE);
1135 return -1;
1136 }
1137
1138 pos = in_data;
1139 left = *in_len;
1140
1141 if (left < 4) {
1142 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1143 "(left=%lu)", (unsigned long) left);
1144 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1145 return -1;
1146 }
1147
1148 type = *pos++;
1149 len = WPA_GET_BE24(pos);
1150 pos += 3;
1151 left -= 4;
1152
1153 if (len > left) {
1154 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1155 "length (len=%lu != left=%lu)",
1156 (unsigned long) len, (unsigned long) left);
1157 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1158 return -1;
1159 }
1160
1161 end = pos + len;
1162
1163 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1164 return tls_process_server_hello_done(conn, ct, in_data,
1165 in_len);
1166 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1167 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1168 "message %d (expected CertificateRequest/"
1169 "ServerHelloDone)", type);
1170 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1171 TLS_ALERT_UNEXPECTED_MESSAGE);
1172 return -1;
1173 }
1174
1175 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1176
1177 conn->certificate_requested = 1;
1178
1179 *in_len = end - in_data;
1180
1181 conn->state = SERVER_HELLO_DONE;
1182
1183 return 0;
1184 }
1185
1186
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1187 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1188 const u8 *in_data, size_t *in_len)
1189 {
1190 const u8 *pos, *end;
1191 size_t left, len;
1192 u8 type;
1193
1194 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1195 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1196 "received content type 0x%x", ct);
1197 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1198 TLS_ALERT_UNEXPECTED_MESSAGE);
1199 return -1;
1200 }
1201
1202 pos = in_data;
1203 left = *in_len;
1204
1205 if (left < 4) {
1206 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1207 "(left=%lu)", (unsigned long) left);
1208 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1209 return -1;
1210 }
1211
1212 type = *pos++;
1213 len = WPA_GET_BE24(pos);
1214 pos += 3;
1215 left -= 4;
1216
1217 if (len > left) {
1218 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1219 "length (len=%lu != left=%lu)",
1220 (unsigned long) len, (unsigned long) left);
1221 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1222 return -1;
1223 }
1224 end = pos + len;
1225
1226 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1227 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1228 "message %d (expected ServerHelloDone)", type);
1229 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1230 TLS_ALERT_UNEXPECTED_MESSAGE);
1231 return -1;
1232 }
1233
1234 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1235
1236 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1237 !conn->ocsp_resp_received) {
1238 wpa_printf(MSG_INFO,
1239 "TLSv1: No OCSP response received - reject handshake");
1240 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1241 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1242 return -1;
1243 }
1244
1245 *in_len = end - in_data;
1246
1247 conn->state = CLIENT_KEY_EXCHANGE;
1248
1249 return 0;
1250 }
1251
1252
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1253 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1254 u8 ct, const u8 *in_data,
1255 size_t *in_len)
1256 {
1257 const u8 *pos;
1258 size_t left;
1259
1260 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1261 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1262 "received content type 0x%x", ct);
1263 if (conn->use_session_ticket) {
1264 int res;
1265 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1266 "rejected SessionTicket");
1267 conn->use_session_ticket = 0;
1268
1269 /* Notify upper layers that SessionTicket failed */
1270 res = conn->session_ticket_cb(
1271 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1272 NULL, NULL);
1273 if (res < 0) {
1274 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1275 "callback indicated failure");
1276 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1277 TLS_ALERT_HANDSHAKE_FAILURE);
1278 return -1;
1279 }
1280
1281 conn->state = SERVER_CERTIFICATE;
1282 return tls_process_certificate(conn, ct, in_data,
1283 in_len);
1284 }
1285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1286 TLS_ALERT_UNEXPECTED_MESSAGE);
1287 return -1;
1288 }
1289
1290 pos = in_data;
1291 left = *in_len;
1292
1293 if (left < 1) {
1294 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1295 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1296 return -1;
1297 }
1298
1299 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1300 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1301 "received data 0x%x", *pos);
1302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1303 TLS_ALERT_UNEXPECTED_MESSAGE);
1304 return -1;
1305 }
1306
1307 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1308 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1310 "for record layer");
1311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1312 TLS_ALERT_INTERNAL_ERROR);
1313 return -1;
1314 }
1315
1316 *in_len = pos + 1 - in_data;
1317
1318 conn->state = SERVER_FINISHED;
1319
1320 return 0;
1321 }
1322
1323
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1324 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1325 const u8 *in_data, size_t *in_len)
1326 {
1327 const u8 *pos, *end;
1328 size_t left, len, hlen;
1329 u8 verify_data[TLS_VERIFY_DATA_LEN];
1330 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1331
1332 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1333 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1334 "received content type 0x%x", ct);
1335 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1336 TLS_ALERT_UNEXPECTED_MESSAGE);
1337 return -1;
1338 }
1339
1340 pos = in_data;
1341 left = *in_len;
1342
1343 if (left < 4) {
1344 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1345 "Finished",
1346 (unsigned long) left);
1347 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1348 TLS_ALERT_DECODE_ERROR);
1349 return -1;
1350 }
1351
1352 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1353 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1354 "type 0x%x", pos[0]);
1355 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1356 TLS_ALERT_UNEXPECTED_MESSAGE);
1357 return -1;
1358 }
1359
1360 len = WPA_GET_BE24(pos + 1);
1361
1362 pos += 4;
1363 left -= 4;
1364
1365 if (len > left) {
1366 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1367 "(len=%lu > left=%lu)",
1368 (unsigned long) len, (unsigned long) left);
1369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1370 TLS_ALERT_DECODE_ERROR);
1371 return -1;
1372 }
1373 end = pos + len;
1374 if (len != TLS_VERIFY_DATA_LEN) {
1375 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1376 "in Finished: %lu (expected %d)",
1377 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1378 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1379 TLS_ALERT_DECODE_ERROR);
1380 return -1;
1381 }
1382 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1383 pos, TLS_VERIFY_DATA_LEN);
1384
1385 #ifdef CONFIG_TLSV12
1386 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1387 hlen = SHA256_MAC_LEN;
1388 if (conn->verify.sha256_server == NULL ||
1389 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1390 < 0) {
1391 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1392 TLS_ALERT_INTERNAL_ERROR);
1393 conn->verify.sha256_server = NULL;
1394 return -1;
1395 }
1396 conn->verify.sha256_server = NULL;
1397 } else {
1398 #endif /* CONFIG_TLSV12 */
1399
1400 hlen = MD5_MAC_LEN;
1401 if (conn->verify.md5_server == NULL ||
1402 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1403 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1404 TLS_ALERT_INTERNAL_ERROR);
1405 conn->verify.md5_server = NULL;
1406 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1407 conn->verify.sha1_server = NULL;
1408 return -1;
1409 }
1410 conn->verify.md5_server = NULL;
1411 hlen = SHA1_MAC_LEN;
1412 if (conn->verify.sha1_server == NULL ||
1413 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1414 &hlen) < 0) {
1415 conn->verify.sha1_server = NULL;
1416 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1417 TLS_ALERT_INTERNAL_ERROR);
1418 return -1;
1419 }
1420 conn->verify.sha1_server = NULL;
1421 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1422
1423 #ifdef CONFIG_TLSV12
1424 }
1425 #endif /* CONFIG_TLSV12 */
1426
1427 if (tls_prf(conn->rl.tls_version,
1428 conn->master_secret, TLS_MASTER_SECRET_LEN,
1429 "server finished", hash, hlen,
1430 verify_data, TLS_VERIFY_DATA_LEN)) {
1431 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1432 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1433 TLS_ALERT_DECRYPT_ERROR);
1434 return -1;
1435 }
1436 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1437 verify_data, TLS_VERIFY_DATA_LEN);
1438
1439 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1440 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1441 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1442 TLS_ALERT_DECRYPT_ERROR);
1443 return -1;
1444 }
1445
1446 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1447
1448 *in_len = end - in_data;
1449
1450 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1451 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1452
1453 return 0;
1454 }
1455
1456
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)1457 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1458 const u8 *in_data, size_t *in_len,
1459 u8 **out_data, size_t *out_len)
1460 {
1461 const u8 *pos;
1462 size_t left;
1463
1464 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1465 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1466 "received content type 0x%x", ct);
1467 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1468 TLS_ALERT_UNEXPECTED_MESSAGE);
1469 return -1;
1470 }
1471
1472 pos = in_data;
1473 left = *in_len;
1474
1475 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1476 pos, left);
1477
1478 *out_data = os_malloc(left);
1479 if (*out_data) {
1480 os_memcpy(*out_data, pos, left);
1481 *out_len = left;
1482 }
1483
1484 return 0;
1485 }
1486
1487
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1488 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1489 const u8 *buf, size_t *len,
1490 u8 **out_data, size_t *out_len)
1491 {
1492 if (ct == TLS_CONTENT_TYPE_ALERT) {
1493 if (*len < 2) {
1494 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1495 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1496 TLS_ALERT_DECODE_ERROR);
1497 return -1;
1498 }
1499 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1500 buf[0], buf[1]);
1501 *len = 2;
1502 conn->state = FAILED;
1503 return -1;
1504 }
1505
1506 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1507 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1508 size_t hr_len = WPA_GET_BE24(buf + 1);
1509 if (hr_len > *len - 4) {
1510 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1511 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1512 TLS_ALERT_DECODE_ERROR);
1513 return -1;
1514 }
1515 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1516 *len = 4 + hr_len;
1517 return 0;
1518 }
1519
1520 switch (conn->state) {
1521 case SERVER_HELLO:
1522 if (tls_process_server_hello(conn, ct, buf, len))
1523 return -1;
1524 break;
1525 case SERVER_CERTIFICATE:
1526 if (tls_process_certificate(conn, ct, buf, len))
1527 return -1;
1528 break;
1529 case SERVER_KEY_EXCHANGE:
1530 if (tls_process_server_key_exchange(conn, ct, buf, len))
1531 return -1;
1532 break;
1533 case SERVER_CERTIFICATE_REQUEST:
1534 if (tls_process_certificate_request(conn, ct, buf, len))
1535 return -1;
1536 break;
1537 case SERVER_HELLO_DONE:
1538 if (tls_process_server_hello_done(conn, ct, buf, len))
1539 return -1;
1540 break;
1541 case SERVER_CHANGE_CIPHER_SPEC:
1542 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1543 return -1;
1544 break;
1545 case SERVER_FINISHED:
1546 if (tls_process_server_finished(conn, ct, buf, len))
1547 return -1;
1548 break;
1549 case ACK_FINISHED:
1550 if (out_data &&
1551 tls_process_application_data(conn, ct, buf, len, out_data,
1552 out_len))
1553 return -1;
1554 break;
1555 default:
1556 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1557 "while processing received message",
1558 conn->state);
1559 return -1;
1560 }
1561
1562 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1563 tls_verify_hash_add(&conn->verify, buf, *len);
1564
1565 return 0;
1566 }
1567
