1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_version_disabled(struct tlsv1_client * conn,u16 ver)30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
38 }
39
40
tls_process_server_hello_extensions(struct tlsv1_client * conn,const u8 * pos,size_t len)41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
43 {
44 const u8 *end = pos + len;
45
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 pos, len);
48 while (pos < end) {
49 u16 ext, elen;
50
51 if (end - pos < 4) {
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 return -1;
54 }
55
56 ext = WPA_GET_BE16(pos);
57 pos += 2;
58 elen = WPA_GET_BE16(pos);
59 pos += 2;
60
61 if (elen > end - pos) {
62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 return -1;
64 }
65
66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 ext);
68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 pos, elen);
70
71 pos += elen;
72 }
73
74 return 0;
75 }
76
77
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 const u8 *in_data, size_t *in_len)
80 {
81 const u8 *pos, *end;
82 size_t left, len, i;
83 u16 cipher_suite;
84 u16 tls_version;
85
86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct);
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_UNEXPECTED_MESSAGE);
91 return -1;
92 }
93
94 pos = in_data;
95 left = *in_len;
96
97 if (left < 4)
98 goto decode_error;
99
100 /* HandshakeType msg_type */
101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos);
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 TLS_ALERT_UNEXPECTED_MESSAGE);
106 return -1;
107 }
108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 pos++;
110 /* uint24 length */
111 len = WPA_GET_BE24(pos);
112 pos += 3;
113 left -= 4;
114
115 if (len > left)
116 goto decode_error;
117
118 /* body - ServerHello */
119
120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 end = pos + len;
122
123 /* ProtocolVersion server_version */
124 if (end - pos < 2)
125 goto decode_error;
126 tls_version = WPA_GET_BE16(pos);
127 if (!tls_version_ok(tls_version) ||
128 tls_version_disabled(conn, tls_version)) {
129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos[0], pos[1]);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_PROTOCOL_VERSION);
133 return -1;
134 }
135 pos += 2;
136
137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version));
139 conn->rl.tls_version = tls_version;
140
141 /* Random random */
142 if (end - pos < TLS_RANDOM_LEN)
143 goto decode_error;
144
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 pos += TLS_RANDOM_LEN;
147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 conn->server_random, TLS_RANDOM_LEN);
149
150 /* SessionID session_id */
151 if (end - pos < 1)
152 goto decode_error;
153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 goto decode_error;
155 if (conn->session_id_len && conn->session_id_len == *pos &&
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 pos += 1 + conn->session_id_len;
158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 conn->session_resumed = 1;
160 } else {
161 conn->session_id_len = *pos;
162 pos++;
163 os_memcpy(conn->session_id, pos, conn->session_id_len);
164 pos += conn->session_id_len;
165 }
166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 conn->session_id, conn->session_id_len);
168
169 /* CipherSuite cipher_suite */
170 if (end - pos < 2)
171 goto decode_error;
172 cipher_suite = WPA_GET_BE16(pos);
173 pos += 2;
174 for (i = 0; i < conn->num_cipher_suites; i++) {
175 if (cipher_suite == conn->cipher_suites[i])
176 break;
177 }
178 if (i == conn->num_cipher_suites) {
179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite);
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 TLS_ALERT_ILLEGAL_PARAMETER);
183 return -1;
184 }
185
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 TLS_ALERT_ILLEGAL_PARAMETER);
192 return -1;
193 }
194
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 "record layer");
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 TLS_ALERT_INTERNAL_ERROR);
200 return -1;
201 }
202
203 conn->prev_cipher_suite = cipher_suite;
204
205 /* CompressionMethod compression_method */
206 if (end - pos < 1)
207 goto decode_error;
208 if (*pos != TLS_COMPRESSION_NULL) {
209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos);
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 TLS_ALERT_ILLEGAL_PARAMETER);
213 return -1;
214 }
215 pos++;
216
217 if (end - pos >= 2) {
218 u16 ext_len;
219
220 ext_len = WPA_GET_BE16(pos);
221 pos += 2;
222 if (end - pos < ext_len) {
223 wpa_printf(MSG_INFO,
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len, (unsigned int) (end - pos));
226 goto decode_error;
227 }
228
229 if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 goto decode_error;
231 pos += ext_len;
232 }
233
234 if (end != pos) {
235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos, end - pos);
237 goto decode_error;
238 }
239
240 if (conn->session_ticket_included && conn->session_ticket_cb) {
241 /* TODO: include SessionTicket extension if one was included in
242 * ServerHello */
243 int res = conn->session_ticket_cb(
244 conn->session_ticket_cb_ctx, NULL, 0,
245 conn->client_random, conn->server_random,
246 conn->master_secret);
247 if (res < 0) {
248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_HANDSHAKE_FAILURE);
252 return -1;
253 }
254 conn->use_session_ticket = !!res;
255 }
256
257 if ((conn->session_resumed || conn->use_session_ticket) &&
258 tls_derive_keys(conn, NULL, 0)) {
259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 TLS_ALERT_INTERNAL_ERROR);
262 return -1;
263 }
264
265 *in_len = end - in_data;
266
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269
270 return 0;
271
272 decode_error:
273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 return -1;
276 }
277
278
tls_peer_cert_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert)279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 struct x509_certificate *cert)
281 {
282 union tls_event_data ev;
283 struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 char subject[128];
288
289 if (!conn->event_cb)
290 return;
291
292 os_memset(&ev, 0, sizeof(ev));
293 if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
294 cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 cert->cert_len);
296 ev.peer_cert.cert = cert_buf;
297 }
298 #ifdef CONFIG_SHA256
299 if (cert_buf) {
300 const u8 *addr[1];
301 size_t len[1];
302 addr[0] = wpabuf_head(cert_buf);
303 len[0] = wpabuf_len(cert_buf);
304 if (sha256_vector(1, addr, len, hash) == 0) {
305 ev.peer_cert.hash = hash;
306 ev.peer_cert.hash_len = sizeof(hash);
307 }
308 }
309 #endif /* CONFIG_SHA256 */
310
311 ev.peer_cert.depth = depth;
312 x509_name_string(&cert->subject, subject, sizeof(subject));
313 ev.peer_cert.subject = subject;
314
315 if (cert->extensions_present & X509_EXT_CERTIFICATE_POLICY) {
316 if (cert->certificate_policy & X509_EXT_CERT_POLICY_TOD_STRICT)
317 ev.peer_cert.tod = 1;
318 else if (cert->certificate_policy &
319 X509_EXT_CERT_POLICY_TOD_TOFU)
320 ev.peer_cert.tod = 2;
321 }
322
323 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
324 wpabuf_free(cert_buf);
325 }
326
327
tls_cert_chain_failure_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert,enum tls_fail_reason reason,const char * reason_txt)328 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
329 struct x509_certificate *cert,
330 enum tls_fail_reason reason,
331 const char *reason_txt)
332 {
333 struct wpabuf *cert_buf = NULL;
334 union tls_event_data ev;
335 char subject[128];
336
337 if (!conn->event_cb || !cert)
338 return;
339
340 os_memset(&ev, 0, sizeof(ev));
341 ev.cert_fail.depth = depth;
342 x509_name_string(&cert->subject, subject, sizeof(subject));
343 ev.peer_cert.subject = subject;
344 ev.cert_fail.reason = reason;
345 ev.cert_fail.reason_txt = reason_txt;
346 cert_buf = wpabuf_alloc_copy(cert->cert_start,
347 cert->cert_len);
348 ev.cert_fail.cert = cert_buf;
349 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
350 wpabuf_free(cert_buf);
351 }
352
353
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)354 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
355 const u8 *in_data, size_t *in_len)
356 {
357 const u8 *pos, *end;
358 size_t left, len, list_len, cert_len, idx;
359 u8 type;
360 struct x509_certificate *chain = NULL, *last = NULL, *cert;
361 int reason;
362
363 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
364 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
365 "received content type 0x%x", ct);
366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 TLS_ALERT_UNEXPECTED_MESSAGE);
368 return -1;
369 }
370
371 pos = in_data;
372 left = *in_len;
373
374 if (left < 4) {
375 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
376 "(len=%lu)", (unsigned long) left);
377 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
378 return -1;
379 }
380
381 type = *pos++;
382 len = WPA_GET_BE24(pos);
383 pos += 3;
384 left -= 4;
385
386 if (len > left) {
387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
388 "length (len=%lu != left=%lu)",
389 (unsigned long) len, (unsigned long) left);
390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
391 return -1;
392 }
393
394 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
395 return tls_process_server_key_exchange(conn, ct, in_data,
396 in_len);
397 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
398 return tls_process_certificate_request(conn, ct, in_data,
399 in_len);
400 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
401 return tls_process_server_hello_done(conn, ct, in_data,
402 in_len);
403 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
404 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
405 "message %d (expected Certificate/"
406 "ServerKeyExchange/CertificateRequest/"
407 "ServerHelloDone)", type);
408 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 TLS_ALERT_UNEXPECTED_MESSAGE);
410 return -1;
411 }
412
413 wpa_printf(MSG_DEBUG,
414 "TLSv1: Received Certificate (certificate_list len %lu)",
415 (unsigned long) len);
416
417 /*
418 * opaque ASN.1Cert<2^24-1>;
419 *
420 * struct {
421 * ASN.1Cert certificate_list<1..2^24-1>;
422 * } Certificate;
423 */
424
425 end = pos + len;
426
427 if (end - pos < 3) {
428 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
429 "(left=%lu)", (unsigned long) left);
430 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
431 return -1;
432 }
433
434 list_len = WPA_GET_BE24(pos);
435 pos += 3;
436
437 if ((size_t) (end - pos) != list_len) {
438 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
439 "length (len=%lu left=%lu)",
440 (unsigned long) list_len,
441 (unsigned long) (end - pos));
442 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
443 return -1;
444 }
445
446 idx = 0;
447 while (pos < end) {
448 if (end - pos < 3) {
449 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
450 "certificate_list");
451 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 TLS_ALERT_DECODE_ERROR);
453 x509_certificate_chain_free(chain);
454 return -1;
455 }
456
457 cert_len = WPA_GET_BE24(pos);
458 pos += 3;
459
460 if ((size_t) (end - pos) < cert_len) {
461 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
462 "length (len=%lu left=%lu)",
463 (unsigned long) cert_len,
464 (unsigned long) (end - pos));
465 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
466 TLS_ALERT_DECODE_ERROR);
467 x509_certificate_chain_free(chain);
468 return -1;
469 }
470
471 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
472 (unsigned long) idx, (unsigned long) cert_len);
473
474 if (idx == 0) {
475 crypto_public_key_free(conn->server_rsa_key);
476 if (tls_parse_cert(pos, cert_len,
477 &conn->server_rsa_key)) {
478 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
479 "the certificate");
480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
481 TLS_ALERT_BAD_CERTIFICATE);
482 x509_certificate_chain_free(chain);
483 return -1;
484 }
485 }
486
487 cert = x509_certificate_parse(pos, cert_len);
488 if (cert == NULL) {
489 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
490 "the certificate");
491 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 TLS_ALERT_BAD_CERTIFICATE);
493 x509_certificate_chain_free(chain);
494 return -1;
495 }
496
497 tls_peer_cert_event(conn, idx, cert);
498
499 if (last == NULL)
500 chain = cert;
501 else
502 last->next = cert;
503 last = cert;
504
505 idx++;
506 pos += cert_len;
507 }
508
509 if (conn->cred && conn->cred->server_cert_only && chain) {
510 u8 hash[SHA256_MAC_LEN];
511 char buf[128];
512
513 wpa_printf(MSG_DEBUG,
514 "TLSv1: Validate server certificate hash");
515 x509_name_string(&chain->subject, buf, sizeof(buf));
516 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
517 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
518 hash) < 0 ||
519 os_memcmp(conn->cred->srv_cert_hash, hash,
520 SHA256_MAC_LEN) != 0) {
521 wpa_printf(MSG_DEBUG,
522 "TLSv1: Server certificate hash mismatch");
523 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
524 hash, SHA256_MAC_LEN);
525 if (conn->event_cb) {
526 union tls_event_data ev;
527
528 os_memset(&ev, 0, sizeof(ev));
529 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
530 ev.cert_fail.reason_txt =
531 "Server certificate mismatch";
532 ev.cert_fail.subject = buf;
533 conn->event_cb(conn->cb_ctx,
534 TLS_CERT_CHAIN_FAILURE, &ev);
535 }
536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
537 TLS_ALERT_BAD_CERTIFICATE);
538 x509_certificate_chain_free(chain);
539 return -1;
540 }
541 } else if (conn->cred && conn->cred->cert_probe) {
542 wpa_printf(MSG_DEBUG,
543 "TLSv1: Reject server certificate on probe-only run");
544 if (conn->event_cb) {
545 union tls_event_data ev;
546 char buf[128];
547
548 os_memset(&ev, 0, sizeof(ev));
549 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
550 ev.cert_fail.reason_txt =
551 "Server certificate chain probe";
552 if (chain) {
553 x509_name_string(&chain->subject, buf,
554 sizeof(buf));
555 ev.cert_fail.subject = buf;
556 }
557 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
558 &ev);
559 }
560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
561 TLS_ALERT_BAD_CERTIFICATE);
562 x509_certificate_chain_free(chain);
563 return -1;
564 } else if (conn->cred && conn->cred->ca_cert_verify &&
565 x509_certificate_chain_validate(
566 conn->cred->trusted_certs, chain, &reason,
567 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
568 < 0) {
569 int tls_reason;
570 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
571 "validation failed (reason=%d)", reason);
572 switch (reason) {
573 case X509_VALIDATE_BAD_CERTIFICATE:
574 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
575 tls_cert_chain_failure_event(
576 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
577 "bad certificate");
578 break;
579 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
580 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
581 break;
582 case X509_VALIDATE_CERTIFICATE_REVOKED:
583 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
584 tls_cert_chain_failure_event(
585 conn, 0, chain, TLS_FAIL_REVOKED,
586 "certificate revoked");
587 break;
588 case X509_VALIDATE_CERTIFICATE_EXPIRED:
589 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
590 tls_cert_chain_failure_event(
591 conn, 0, chain, TLS_FAIL_EXPIRED,
592 "certificate has expired or is not yet valid");
593 break;
594 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
595 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
596 break;
597 case X509_VALIDATE_UNKNOWN_CA:
598 tls_reason = TLS_ALERT_UNKNOWN_CA;
599 tls_cert_chain_failure_event(
600 conn, 0, chain, TLS_FAIL_UNTRUSTED,
601 "unknown CA");
602 break;
603 default:
604 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
605 break;
606 }
607 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
608 x509_certificate_chain_free(chain);
609 return -1;
610 }
611
612 if (conn->cred && !conn->cred->server_cert_only && chain &&
613 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
614 !(chain->ext_key_usage &
615 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
616 tls_cert_chain_failure_event(
617 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
618 "certificate not allowed for server authentication");
619 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
620 TLS_ALERT_BAD_CERTIFICATE);
621 x509_certificate_chain_free(chain);
622 return -1;
623 }
624
625 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
626 x509_certificate_chain_free(conn->server_cert);
627 conn->server_cert = chain;
628 } else {
629 x509_certificate_chain_free(chain);
630 }
631
632 *in_len = end - in_data;
633
634 conn->state = SERVER_KEY_EXCHANGE;
635
636 return 0;
637 }
638
639
count_bits(const u8 * val,size_t len)640 static unsigned int count_bits(const u8 *val, size_t len)
641 {
642 size_t i;
643 unsigned int bits;
644 u8 tmp;
645
646 for (i = 0; i < len; i++) {
647 if (val[i])
648 break;
649 }
650 if (i == len)
651 return 0;
652
653 bits = (len - i - 1) * 8;
654 tmp = val[i];
655 while (tmp) {
656 bits++;
657 tmp >>= 1;
658 }
659
660 return bits;
661 }
662
663
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)664 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
665 const u8 *buf, size_t len,
666 tls_key_exchange key_exchange)
667 {
668 const u8 *pos, *end, *server_params, *server_params_end;
669 u8 alert;
670 unsigned int bits;
671 u16 val;
672
673 tlsv1_client_free_dh(conn);
674
675 pos = buf;
676 end = buf + len;
677
678 if (end - pos < 3)
679 goto fail;
680 server_params = pos;
681 val = WPA_GET_BE16(pos);
682 pos += 2;
683 if (val == 0 || val > (size_t) (end - pos)) {
684 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
685 goto fail;
686 }
687 conn->dh_p_len = val;
688 bits = count_bits(pos, conn->dh_p_len);
689 if (bits < 768) {
690 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
691 bits);
692 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
693 pos, conn->dh_p_len);
694 goto fail;
695 }
696 conn->dh_p = os_memdup(pos, conn->dh_p_len);
697 if (conn->dh_p == NULL)
698 goto fail;
699 pos += conn->dh_p_len;
700 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
701 conn->dh_p, conn->dh_p_len);
702
703 if (end - pos < 3)
704 goto fail;
705 val = WPA_GET_BE16(pos);
706 pos += 2;
707 if (val == 0 || val > (size_t) (end - pos))
708 goto fail;
709 conn->dh_g_len = val;
710 conn->dh_g = os_memdup(pos, conn->dh_g_len);
711 if (conn->dh_g == NULL)
712 goto fail;
713 pos += conn->dh_g_len;
714 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
715 conn->dh_g, conn->dh_g_len);
716 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
717 goto fail;
718
719 if (end - pos < 3)
720 goto fail;
721 val = WPA_GET_BE16(pos);
722 pos += 2;
723 if (val == 0 || val > (size_t) (end - pos))
724 goto fail;
725 conn->dh_ys_len = val;
726 conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
727 if (conn->dh_ys == NULL)
728 goto fail;
729 pos += conn->dh_ys_len;
730 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
731 conn->dh_ys, conn->dh_ys_len);
732 server_params_end = pos;
733
734 if (key_exchange == TLS_KEY_X_DHE_RSA) {
735 u8 hash[64];
736 int hlen;
737
738 if (conn->rl.tls_version == TLS_VERSION_1_2) {
739 #ifdef CONFIG_TLSV12
740 /*
741 * RFC 5246, 4.7:
742 * TLS v1.2 adds explicit indication of the used
743 * signature and hash algorithms.
744 *
745 * struct {
746 * HashAlgorithm hash;
747 * SignatureAlgorithm signature;
748 * } SignatureAndHashAlgorithm;
749 */
750 if (end - pos < 2)
751 goto fail;
752 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
753 pos[0] != TLS_HASH_ALG_SHA384 &&
754 pos[0] != TLS_HASH_ALG_SHA512) ||
755 pos[1] != TLS_SIGN_ALG_RSA) {
756 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
757 pos[0], pos[1]);
758 goto fail;
759 }
760
761 hlen = tlsv12_key_x_server_params_hash(
762 conn->rl.tls_version, pos[0],
763 conn->client_random,
764 conn->server_random, server_params,
765 server_params_end - server_params, hash);
766 pos += 2;
767 #else /* CONFIG_TLSV12 */
768 goto fail;
769 #endif /* CONFIG_TLSV12 */
770 } else {
771 hlen = tls_key_x_server_params_hash(
772 conn->rl.tls_version, conn->client_random,
773 conn->server_random, server_params,
774 server_params_end - server_params, hash);
775 }
776
777 if (hlen < 0)
778 goto fail;
779 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
780 hash, hlen);
781
782 if (tls_verify_signature(conn->rl.tls_version,
783 conn->server_rsa_key,
784 hash, hlen, pos, end - pos,
785 &alert) < 0)
786 goto fail;
787 }
788
789 return 0;
790
791 fail:
792 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
793 tlsv1_client_free_dh(conn);
794 return -1;
795 }
796
797
798 static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client * conn,const u8 * pos,size_t len)799 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
800 const u8 *pos, size_t len)
801 {
802 const u8 *end = pos + len;
803 u32 ocsp_resp_len;
804
805 /* opaque OCSPResponse<1..2^24-1>; */
806 if (end - pos < 3) {
807 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
808 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
809 return TLS_OCSP_INVALID;
810 }
811 ocsp_resp_len = WPA_GET_BE24(pos);
812 pos += 3;
813 if (end - pos < ocsp_resp_len) {
814 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
815 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
816 return TLS_OCSP_INVALID;
817 }
818
819 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
820 }
821
822
tls_process_certificate_status(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)823 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
824 const u8 *in_data, size_t *in_len)
825 {
826 const u8 *pos, *end;
827 size_t left, len;
828 u8 type, status_type;
829 enum tls_ocsp_result res;
830 struct x509_certificate *cert;
831 int depth;
832
833 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
834 wpa_printf(MSG_DEBUG,
835 "TLSv1: Expected Handshake; received content type 0x%x",
836 ct);
837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
838 TLS_ALERT_UNEXPECTED_MESSAGE);
839 return -1;
840 }
841
842 pos = in_data;
843 left = *in_len;
844
845 if (left < 4) {
846 wpa_printf(MSG_DEBUG,
847 "TLSv1: Too short CertificateStatus (left=%lu)",
848 (unsigned long) left);
849 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
850 return -1;
851 }
852
853 type = *pos++;
854 len = WPA_GET_BE24(pos);
855 pos += 3;
856 left -= 4;
857
858 if (len > left) {
859 wpa_printf(MSG_DEBUG,
860 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
861 (unsigned long) len, (unsigned long) left);
862 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
863 return -1;
864 }
865
866 end = pos + len;
867
868 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
869 wpa_printf(MSG_DEBUG,
870 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
871 type);
872 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
873 TLS_ALERT_UNEXPECTED_MESSAGE);
874 return -1;
875 }
876
877 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
878
879 /*
880 * struct {
881 * CertificateStatusType status_type;
882 * select (status_type) {
883 * case ocsp: OCSPResponse;
884 * case ocsp_multi: OCSPResponseList;
885 * } response;
886 * } CertificateStatus;
887 */
888 if (end - pos < 1) {
889 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
890 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
891 return -1;
892 }
893 status_type = *pos++;
894 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
895 status_type);
896
897 if (status_type == 1 /* ocsp */) {
898 res = tls_process_certificate_status_ocsp_response(
899 conn, pos, end - pos);
900 } else if (status_type == 2 /* ocsp_multi */) {
901 int good = 0, revoked = 0;
902 u32 resp_len;
903
904 res = TLS_OCSP_NO_RESPONSE;
905
906 /*
907 * opaque OCSPResponse<0..2^24-1>;
908 *
909 * struct {
910 * OCSPResponse ocsp_response_list<1..2^24-1>;
911 * } OCSPResponseList;
912 */
913 if (end - pos < 3) {
914 wpa_printf(MSG_DEBUG,
915 "TLSv1: Truncated OCSPResponseList");
916 res = TLS_OCSP_INVALID;
917 goto done;
918 }
919 resp_len = WPA_GET_BE24(pos);
920 pos += 3;
921 if (end - pos < resp_len) {
922 wpa_printf(MSG_DEBUG,
923 "TLSv1: Truncated OCSPResponseList(len=%u)",
924 resp_len);
925 res = TLS_OCSP_INVALID;
926 goto done;
927 }
928 end = pos + resp_len;
929
930 while (end - pos >= 3) {
931 resp_len = WPA_GET_BE24(pos);
932 pos += 3;
933 if (resp_len > end - pos) {
934 wpa_printf(MSG_DEBUG,
935 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
936 resp_len, (int) (end - pos));
937 res = TLS_OCSP_INVALID;
938 break;
939 }
940 if (!resp_len)
941 continue; /* Skip an empty response */
942 res = tls_process_certificate_status_ocsp_response(
943 conn, pos - 3, resp_len + 3);
944 if (res == TLS_OCSP_REVOKED)
945 revoked++;
946 else if (res == TLS_OCSP_GOOD)
947 good++;
948 pos += resp_len;
949 }
950
951 if (revoked)
952 res = TLS_OCSP_REVOKED;
953 else if (good)
954 res = TLS_OCSP_GOOD;
955 } else {
956 wpa_printf(MSG_DEBUG,
957 "TLSv1: Ignore unsupported CertificateStatus");
958 goto skip;
959 }
960
961 done:
962 if (res == TLS_OCSP_REVOKED) {
963 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
964 TLS_ALERT_CERTIFICATE_REVOKED);
965 for (cert = conn->server_cert, depth = 0; cert;
966 cert = cert->next, depth++) {
967 if (cert->ocsp_revoked) {
968 tls_cert_chain_failure_event(
969 conn, depth, cert, TLS_FAIL_REVOKED,
970 "certificate revoked");
971 }
972 }
973 return -1;
974 }
975
976 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
977 /*
978 * Verify that each certificate on the chain that is not part
979 * of the trusted certificates has a good status. If not,
980 * terminate handshake.
981 */
982 for (cert = conn->server_cert, depth = 0; cert;
983 cert = cert->next, depth++) {
984 if (!cert->ocsp_good) {
985 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
986 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
987 tls_cert_chain_failure_event(
988 conn, depth, cert,
989 TLS_FAIL_UNSPECIFIED,
990 "bad certificate status response");
991 return -1;
992 }
993 if (cert->issuer_trusted)
994 break;
995 }
996 }
997
998 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
999 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1000 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
1001 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1002 if (conn->server_cert)
1003 tls_cert_chain_failure_event(
1004 conn, 0, conn->server_cert,
1005 TLS_FAIL_UNSPECIFIED,
1006 "bad certificate status response");
1007 return -1;
1008 }
1009
1010 conn->ocsp_resp_received = 1;
1011
1012 skip:
1013 *in_len = end - in_data;
1014
1015 conn->state = SERVER_KEY_EXCHANGE;
1016
1017 return 0;
1018 }
1019
1020
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1021 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1022 const u8 *in_data, size_t *in_len)
1023 {
1024 const u8 *pos, *end;
1025 size_t left, len;
1026 u8 type;
1027 const struct tls_cipher_suite *suite;
1028
1029 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1030 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1031 "received content type 0x%x", ct);
1032 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033 TLS_ALERT_UNEXPECTED_MESSAGE);
1034 return -1;
1035 }
1036
1037 pos = in_data;
1038 left = *in_len;
1039
1040 if (left < 4) {
1041 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1042 "(Left=%lu)", (unsigned long) left);
1043 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1044 return -1;
1045 }
1046
1047 type = *pos++;
1048 len = WPA_GET_BE24(pos);
1049 pos += 3;
1050 left -= 4;
1051
1052 if (len > left) {
1053 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1054 "length (len=%lu != left=%lu)",
1055 (unsigned long) len, (unsigned long) left);
1056 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1057 return -1;
1058 }
1059
1060 end = pos + len;
1061
1062 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1063 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1064 return tls_process_certificate_status(conn, ct, in_data,
1065 in_len);
1066 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1067 return tls_process_certificate_request(conn, ct, in_data,
1068 in_len);
1069 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1070 return tls_process_server_hello_done(conn, ct, in_data,
1071 in_len);
1072 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1073 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1074 "message %d (expected ServerKeyExchange/"
1075 "CertificateRequest/ServerHelloDone%s)", type,
1076 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1077 "/CertificateStatus" : "");
1078 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1079 TLS_ALERT_UNEXPECTED_MESSAGE);
1080 return -1;
1081 }
1082
1083 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1084
1085 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1086 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1087 "with the selected cipher suite");
1088 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1089 TLS_ALERT_UNEXPECTED_MESSAGE);
1090 return -1;
1091 }
1092
1093 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1094 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1095 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1096 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1097 if (tlsv1_process_diffie_hellman(conn, pos, len,
1098 suite->key_exchange) < 0) {
1099 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1100 TLS_ALERT_DECODE_ERROR);
1101 return -1;
1102 }
1103 } else {
1104 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1105 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1106 TLS_ALERT_UNEXPECTED_MESSAGE);
1107 return -1;
1108 }
1109
1110 *in_len = end - in_data;
1111
1112 conn->state = SERVER_CERTIFICATE_REQUEST;
1113
1114 return 0;
1115 }
1116
1117
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1118 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1119 const u8 *in_data, size_t *in_len)
1120 {
1121 const u8 *pos, *end;
1122 size_t left, len;
1123 u8 type;
1124
1125 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1126 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1127 "received content type 0x%x", ct);
1128 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1129 TLS_ALERT_UNEXPECTED_MESSAGE);
1130 return -1;
1131 }
1132
1133 pos = in_data;
1134 left = *in_len;
1135
1136 if (left < 4) {
1137 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1138 "(left=%lu)", (unsigned long) left);
1139 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1140 return -1;
1141 }
1142
1143 type = *pos++;
1144 len = WPA_GET_BE24(pos);
1145 pos += 3;
1146 left -= 4;
1147
1148 if (len > left) {
1149 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1150 "length (len=%lu != left=%lu)",
1151 (unsigned long) len, (unsigned long) left);
1152 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1153 return -1;
1154 }
1155
1156 end = pos + len;
1157
1158 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1159 return tls_process_server_hello_done(conn, ct, in_data,
1160 in_len);
1161 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1162 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1163 "message %d (expected CertificateRequest/"
1164 "ServerHelloDone)", type);
1165 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1166 TLS_ALERT_UNEXPECTED_MESSAGE);
1167 return -1;
1168 }
1169
1170 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1171
1172 conn->certificate_requested = 1;
1173
1174 *in_len = end - in_data;
1175
1176 conn->state = SERVER_HELLO_DONE;
1177
1178 return 0;
1179 }
1180
1181
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1182 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1183 const u8 *in_data, size_t *in_len)
1184 {
1185 const u8 *pos, *end;
1186 size_t left, len;
1187 u8 type;
1188
1189 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1190 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1191 "received content type 0x%x", ct);
1192 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1193 TLS_ALERT_UNEXPECTED_MESSAGE);
1194 return -1;
1195 }
1196
1197 pos = in_data;
1198 left = *in_len;
1199
1200 if (left < 4) {
1201 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1202 "(left=%lu)", (unsigned long) left);
1203 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1204 return -1;
1205 }
1206
1207 type = *pos++;
1208 len = WPA_GET_BE24(pos);
1209 pos += 3;
1210 left -= 4;
1211
1212 if (len > left) {
1213 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1214 "length (len=%lu != left=%lu)",
1215 (unsigned long) len, (unsigned long) left);
1216 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1217 return -1;
1218 }
1219 end = pos + len;
1220
1221 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1222 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1223 "message %d (expected ServerHelloDone)", type);
1224 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1225 TLS_ALERT_UNEXPECTED_MESSAGE);
1226 return -1;
1227 }
1228
1229 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1230
1231 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1232 !conn->ocsp_resp_received) {
1233 wpa_printf(MSG_INFO,
1234 "TLSv1: No OCSP response received - reject handshake");
1235 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1236 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1237 return -1;
1238 }
1239
1240 *in_len = end - in_data;
1241
1242 conn->state = CLIENT_KEY_EXCHANGE;
1243
1244 return 0;
1245 }
1246
1247
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1248 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1249 u8 ct, const u8 *in_data,
1250 size_t *in_len)
1251 {
1252 const u8 *pos;
1253 size_t left;
1254
1255 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1256 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1257 "received content type 0x%x", ct);
1258 if (conn->use_session_ticket) {
1259 int res;
1260 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1261 "rejected SessionTicket");
1262 conn->use_session_ticket = 0;
1263
1264 /* Notify upper layers that SessionTicket failed */
1265 res = conn->session_ticket_cb(
1266 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1267 NULL, NULL);
1268 if (res < 0) {
1269 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1270 "callback indicated failure");
1271 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1272 TLS_ALERT_HANDSHAKE_FAILURE);
1273 return -1;
1274 }
1275
1276 conn->state = SERVER_CERTIFICATE;
1277 return tls_process_certificate(conn, ct, in_data,
1278 in_len);
1279 }
1280 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1281 TLS_ALERT_UNEXPECTED_MESSAGE);
1282 return -1;
1283 }
1284
1285 pos = in_data;
1286 left = *in_len;
1287
1288 if (left < 1) {
1289 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1291 return -1;
1292 }
1293
1294 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1295 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1296 "received data 0x%x", *pos);
1297 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1298 TLS_ALERT_UNEXPECTED_MESSAGE);
1299 return -1;
1300 }
1301
1302 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1303 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1304 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1305 "for record layer");
1306 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1307 TLS_ALERT_INTERNAL_ERROR);
1308 return -1;
1309 }
1310
1311 *in_len = pos + 1 - in_data;
1312
1313 conn->state = SERVER_FINISHED;
1314
1315 return 0;
1316 }
1317
1318
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1319 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1320 const u8 *in_data, size_t *in_len)
1321 {
1322 const u8 *pos, *end;
1323 size_t left, len, hlen;
1324 u8 verify_data[TLS_VERIFY_DATA_LEN];
1325 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1326
1327 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1328 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1329 "received content type 0x%x", ct);
1330 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1331 TLS_ALERT_UNEXPECTED_MESSAGE);
1332 return -1;
1333 }
1334
1335 pos = in_data;
1336 left = *in_len;
1337
1338 if (left < 4) {
1339 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1340 "Finished",
1341 (unsigned long) left);
1342 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1343 TLS_ALERT_DECODE_ERROR);
1344 return -1;
1345 }
1346
1347 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1348 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1349 "type 0x%x", pos[0]);
1350 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1351 TLS_ALERT_UNEXPECTED_MESSAGE);
1352 return -1;
1353 }
1354
1355 len = WPA_GET_BE24(pos + 1);
1356
1357 pos += 4;
1358 left -= 4;
1359
1360 if (len > left) {
1361 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1362 "(len=%lu > left=%lu)",
1363 (unsigned long) len, (unsigned long) left);
1364 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1365 TLS_ALERT_DECODE_ERROR);
1366 return -1;
1367 }
1368 end = pos + len;
1369 if (len != TLS_VERIFY_DATA_LEN) {
1370 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1371 "in Finished: %lu (expected %d)",
1372 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1373 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1374 TLS_ALERT_DECODE_ERROR);
1375 return -1;
1376 }
1377 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1378 pos, TLS_VERIFY_DATA_LEN);
1379
1380 #ifdef CONFIG_TLSV12
1381 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1382 hlen = SHA256_MAC_LEN;
1383 if (conn->verify.sha256_server == NULL ||
1384 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1385 < 0) {
1386 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1387 TLS_ALERT_INTERNAL_ERROR);
1388 conn->verify.sha256_server = NULL;
1389 return -1;
1390 }
1391 conn->verify.sha256_server = NULL;
1392 } else {
1393 #endif /* CONFIG_TLSV12 */
1394
1395 hlen = MD5_MAC_LEN;
1396 if (conn->verify.md5_server == NULL ||
1397 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1398 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1399 TLS_ALERT_INTERNAL_ERROR);
1400 conn->verify.md5_server = NULL;
1401 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1402 conn->verify.sha1_server = NULL;
1403 return -1;
1404 }
1405 conn->verify.md5_server = NULL;
1406 hlen = SHA1_MAC_LEN;
1407 if (conn->verify.sha1_server == NULL ||
1408 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1409 &hlen) < 0) {
1410 conn->verify.sha1_server = NULL;
1411 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1412 TLS_ALERT_INTERNAL_ERROR);
1413 return -1;
1414 }
1415 conn->verify.sha1_server = NULL;
1416 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1417
1418 #ifdef CONFIG_TLSV12
1419 }
1420 #endif /* CONFIG_TLSV12 */
1421
1422 if (tls_prf(conn->rl.tls_version,
1423 conn->master_secret, TLS_MASTER_SECRET_LEN,
1424 "server finished", hash, hlen,
1425 verify_data, TLS_VERIFY_DATA_LEN)) {
1426 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1427 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1428 TLS_ALERT_DECRYPT_ERROR);
1429 return -1;
1430 }
1431 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1432 verify_data, TLS_VERIFY_DATA_LEN);
1433
1434 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1435 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1436 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1437 TLS_ALERT_DECRYPT_ERROR);
1438 return -1;
1439 }
1440
1441 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1442
1443 *in_len = end - in_data;
1444
1445 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1446 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1447
1448 return 0;
1449 }
1450
1451
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)1452 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1453 const u8 *in_data, size_t *in_len,
1454 u8 **out_data, size_t *out_len)
1455 {
1456 const u8 *pos;
1457 size_t left;
1458
1459 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1460 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1461 "received content type 0x%x", ct);
1462 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1463 TLS_ALERT_UNEXPECTED_MESSAGE);
1464 return -1;
1465 }
1466
1467 pos = in_data;
1468 left = *in_len;
1469
1470 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1471 pos, left);
1472
1473 *out_data = os_malloc(left);
1474 if (*out_data) {
1475 os_memcpy(*out_data, pos, left);
1476 *out_len = left;
1477 }
1478
1479 return 0;
1480 }
1481
1482
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1483 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1484 const u8 *buf, size_t *len,
1485 u8 **out_data, size_t *out_len)
1486 {
1487 if (ct == TLS_CONTENT_TYPE_ALERT) {
1488 if (*len < 2) {
1489 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1490 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1491 TLS_ALERT_DECODE_ERROR);
1492 return -1;
1493 }
1494 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1495 buf[0], buf[1]);
1496 *len = 2;
1497 conn->state = FAILED;
1498 return -1;
1499 }
1500
1501 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1502 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1503 size_t hr_len = WPA_GET_BE24(buf + 1);
1504 if (hr_len > *len - 4) {
1505 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1506 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1507 TLS_ALERT_DECODE_ERROR);
1508 return -1;
1509 }
1510 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1511 *len = 4 + hr_len;
1512 return 0;
1513 }
1514
1515 switch (conn->state) {
1516 case SERVER_HELLO:
1517 if (tls_process_server_hello(conn, ct, buf, len))
1518 return -1;
1519 break;
1520 case SERVER_CERTIFICATE:
1521 if (tls_process_certificate(conn, ct, buf, len))
1522 return -1;
1523 break;
1524 case SERVER_KEY_EXCHANGE:
1525 if (tls_process_server_key_exchange(conn, ct, buf, len))
1526 return -1;
1527 break;
1528 case SERVER_CERTIFICATE_REQUEST:
1529 if (tls_process_certificate_request(conn, ct, buf, len))
1530 return -1;
1531 break;
1532 case SERVER_HELLO_DONE:
1533 if (tls_process_server_hello_done(conn, ct, buf, len))
1534 return -1;
1535 break;
1536 case SERVER_CHANGE_CIPHER_SPEC:
1537 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1538 return -1;
1539 break;
1540 case SERVER_FINISHED:
1541 if (tls_process_server_finished(conn, ct, buf, len))
1542 return -1;
1543 break;
1544 case ACK_FINISHED:
1545 if (out_data &&
1546 tls_process_application_data(conn, ct, buf, len, out_data,
1547 out_len))
1548 return -1;
1549 break;
1550 default:
1551 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1552 "while processing received message",
1553 conn->state);
1554 return -1;
1555 }
1556
1557 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1558 tls_verify_hash_add(&conn->verify, buf, *len);
1559
1560 return 0;
1561 }
1562
