1 /* 2 * wpa_supplicant: TLSv1 client (RFC 2246) 3 * Copyright (c) 2006, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "base64.h" 19 #include "md5.h" 20 #include "sha1.h" 21 #include "crypto.h" 22 #include "tls.h" 23 #include "tlsv1_common.h" 24 #include "tlsv1_client.h" 25 #include "x509v3.h" 26 27 /* TODO: 28 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 29 */ 30 31 struct tlsv1_client { 32 enum { 33 CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE, 34 SERVER_KEY_EXCHANGE, SERVER_CERTIFICATE_REQUEST, 35 SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, CHANGE_CIPHER_SPEC, 36 SERVER_CHANGE_CIPHER_SPEC, SERVER_FINISHED, ACK_FINISHED, 37 ESTABLISHED, FAILED 38 } state; 39 40 struct tlsv1_record_layer rl; 41 42 u8 session_id[TLS_SESSION_ID_MAX_LEN]; 43 size_t session_id_len; 44 u8 client_random[TLS_RANDOM_LEN]; 45 u8 server_random[TLS_RANDOM_LEN]; 46 u8 master_secret[TLS_MASTER_SECRET_LEN]; 47 48 u8 alert_level; 49 u8 alert_description; 50 51 unsigned int certificate_requested:1; 52 unsigned int session_resumed:1; 53 unsigned int ticket:1; 54 unsigned int ticket_key:1; 55 56 struct crypto_public_key *server_rsa_key; 57 58 struct crypto_hash *verify_md5_client; 59 struct crypto_hash *verify_sha1_client; 60 struct crypto_hash *verify_md5_server; 61 struct crypto_hash *verify_sha1_server; 62 struct crypto_hash *verify_md5_cert; 63 struct crypto_hash *verify_sha1_cert; 64 65 #define MAX_CIPHER_COUNT 30 66 u16 cipher_suites[MAX_CIPHER_COUNT]; 67 size_t num_cipher_suites; 68 69 u16 prev_cipher_suite; 70 71 u8 *client_hello_ext; 72 size_t client_hello_ext_len; 73 74 /* The prime modulus used for Diffie-Hellman */ 75 u8 *dh_p; 76 size_t dh_p_len; 77 /* The generator used for Diffie-Hellman */ 78 u8 *dh_g; 79 size_t dh_g_len; 80 /* The server's Diffie-Hellman public value */ 81 u8 *dh_ys; 82 size_t dh_ys_len; 83 84 struct x509_certificate *trusted_certs; 85 struct x509_certificate *client_cert; 86 struct crypto_private_key *client_key; 87 }; 88 89 90 static int tls_derive_keys(struct tlsv1_client *conn, 91 const u8 *pre_master_secret, 92 size_t pre_master_secret_len); 93 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 94 const u8 *in_data, size_t *in_len); 95 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 96 const u8 *in_data, size_t *in_len); 97 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 98 const u8 *in_data, size_t *in_len); 99 100 101 static void tls_alert(struct tlsv1_client *conn, u8 level, u8 description) 102 { 103 conn->alert_level = level; 104 conn->alert_description = description; 105 } 106 107 108 static void tls_verify_hash_add(struct tlsv1_client *conn, const u8 *buf, 109 size_t len) 110 { 111 if (conn->verify_md5_client && conn->verify_sha1_client) { 112 crypto_hash_update(conn->verify_md5_client, buf, len); 113 crypto_hash_update(conn->verify_sha1_client, buf, len); 114 } 115 if (conn->verify_md5_server && conn->verify_sha1_server) { 116 crypto_hash_update(conn->verify_md5_server, buf, len); 117 crypto_hash_update(conn->verify_sha1_server, buf, len); 118 } 119 if (conn->verify_md5_cert && conn->verify_sha1_cert) { 120 crypto_hash_update(conn->verify_md5_cert, buf, len); 121 crypto_hash_update(conn->verify_sha1_cert, buf, len); 122 } 123 } 124 125 126 static u8 * tls_send_alert(struct tlsv1_client *conn, 127 u8 level, u8 description, 128 size_t *out_len) 129 { 130 u8 *alert, *pos, *length; 131 132 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 133 *out_len = 0; 134 135 alert = os_malloc(10); 136 if (alert == NULL) 137 return NULL; 138 139 pos = alert; 140 141 /* TLSPlaintext */ 142 /* ContentType type */ 143 *pos++ = TLS_CONTENT_TYPE_ALERT; 144 /* ProtocolVersion version */ 145 WPA_PUT_BE16(pos, TLS_VERSION); 146 pos += 2; 147 /* uint16 length (to be filled) */ 148 length = pos; 149 pos += 2; 150 /* opaque fragment[TLSPlaintext.length] */ 151 152 /* Alert */ 153 /* AlertLevel level */ 154 *pos++ = level; 155 /* AlertDescription description */ 156 *pos++ = description; 157 158 WPA_PUT_BE16(length, pos - length - 2); 159 *out_len = pos - alert; 160 161 return alert; 162 } 163 164 165 static u8 * tls_send_client_hello(struct tlsv1_client *conn, 166 size_t *out_len) 167 { 168 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 169 struct os_time now; 170 size_t len, i; 171 172 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 173 *out_len = 0; 174 175 os_get_time(&now); 176 WPA_PUT_BE32(conn->client_random, now.sec); 177 if (os_get_random(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 178 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 179 "client_random"); 180 return NULL; 181 } 182 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 183 conn->client_random, TLS_RANDOM_LEN); 184 185 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 186 hello = os_malloc(len); 187 if (hello == NULL) 188 return NULL; 189 end = hello + len; 190 191 rhdr = hello; 192 pos = rhdr + TLS_RECORD_HEADER_LEN; 193 194 /* opaque fragment[TLSPlaintext.length] */ 195 196 /* Handshake */ 197 hs_start = pos; 198 /* HandshakeType msg_type */ 199 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 200 /* uint24 length (to be filled) */ 201 hs_length = pos; 202 pos += 3; 203 /* body - ClientHello */ 204 /* ProtocolVersion client_version */ 205 WPA_PUT_BE16(pos, TLS_VERSION); 206 pos += 2; 207 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 208 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 209 pos += TLS_RANDOM_LEN; 210 /* SessionID session_id */ 211 *pos++ = conn->session_id_len; 212 os_memcpy(pos, conn->session_id, conn->session_id_len); 213 pos += conn->session_id_len; 214 /* CipherSuite cipher_suites<2..2^16-1> */ 215 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 216 pos += 2; 217 for (i = 0; i < conn->num_cipher_suites; i++) { 218 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 219 pos += 2; 220 } 221 /* CompressionMethod compression_methods<1..2^8-1> */ 222 *pos++ = 1; 223 *pos++ = TLS_COMPRESSION_NULL; 224 225 if (conn->client_hello_ext) { 226 os_memcpy(pos, conn->client_hello_ext, 227 conn->client_hello_ext_len); 228 pos += conn->client_hello_ext_len; 229 } 230 231 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 232 tls_verify_hash_add(conn, hs_start, pos - hs_start); 233 234 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 235 rhdr, end - rhdr, pos - hs_start, out_len) < 0) { 236 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 238 TLS_ALERT_INTERNAL_ERROR); 239 os_free(hello); 240 return NULL; 241 } 242 243 conn->state = SERVER_HELLO; 244 245 return hello; 246 } 247 248 249 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 250 const u8 *in_data, size_t *in_len) 251 { 252 const u8 *pos, *end; 253 size_t left, len, i; 254 u16 cipher_suite; 255 256 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 257 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 258 "received content type 0x%x", ct); 259 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 260 TLS_ALERT_UNEXPECTED_MESSAGE); 261 return -1; 262 } 263 264 pos = in_data; 265 left = *in_len; 266 267 if (left < 4) 268 goto decode_error; 269 270 /* HandshakeType msg_type */ 271 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 272 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 273 "message %d (expected ServerHello)", *pos); 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 275 TLS_ALERT_UNEXPECTED_MESSAGE); 276 return -1; 277 } 278 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 279 pos++; 280 /* uint24 length */ 281 len = WPA_GET_BE24(pos); 282 pos += 3; 283 left -= 4; 284 285 if (len > left) 286 goto decode_error; 287 288 /* body - ServerHello */ 289 290 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 291 end = pos + len; 292 293 /* ProtocolVersion server_version */ 294 if (end - pos < 2) 295 goto decode_error; 296 if (WPA_GET_BE16(pos) != TLS_VERSION) { 297 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 298 "ServerHello"); 299 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 300 TLS_ALERT_PROTOCOL_VERSION); 301 return -1; 302 } 303 pos += 2; 304 305 /* Random random */ 306 if (end - pos < TLS_RANDOM_LEN) 307 goto decode_error; 308 309 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 310 pos += TLS_RANDOM_LEN; 311 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 312 conn->server_random, TLS_RANDOM_LEN); 313 314 /* SessionID session_id */ 315 if (end - pos < 1) 316 goto decode_error; 317 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 318 goto decode_error; 319 if (conn->session_id_len && conn->session_id_len == *pos && 320 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 321 pos += 1 + conn->session_id_len; 322 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 323 conn->session_resumed = 1; 324 } else { 325 conn->session_id_len = *pos; 326 pos++; 327 os_memcpy(conn->session_id, pos, conn->session_id_len); 328 pos += conn->session_id_len; 329 } 330 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 331 conn->session_id, conn->session_id_len); 332 333 /* CipherSuite cipher_suite */ 334 if (end - pos < 2) 335 goto decode_error; 336 cipher_suite = WPA_GET_BE16(pos); 337 pos += 2; 338 for (i = 0; i < conn->num_cipher_suites; i++) { 339 if (cipher_suite == conn->cipher_suites[i]) 340 break; 341 } 342 if (i == conn->num_cipher_suites) { 343 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 344 "cipher suite 0x%04x", cipher_suite); 345 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 346 TLS_ALERT_ILLEGAL_PARAMETER); 347 return -1; 348 } 349 350 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 351 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 352 "cipher suite for a resumed connection (0x%04x != " 353 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 354 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 355 TLS_ALERT_ILLEGAL_PARAMETER); 356 return -1; 357 } 358 359 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 360 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 361 "record layer"); 362 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 363 TLS_ALERT_INTERNAL_ERROR); 364 return -1; 365 } 366 367 conn->prev_cipher_suite = cipher_suite; 368 369 if (conn->session_resumed || conn->ticket_key) 370 tls_derive_keys(conn, NULL, 0); 371 372 /* CompressionMethod compression_method */ 373 if (end - pos < 1) 374 goto decode_error; 375 if (*pos != TLS_COMPRESSION_NULL) { 376 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 377 "compression 0x%02x", *pos); 378 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 379 TLS_ALERT_ILLEGAL_PARAMETER); 380 return -1; 381 } 382 pos++; 383 384 if (end != pos) { 385 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 386 "end of ServerHello", pos, end - pos); 387 goto decode_error; 388 } 389 390 *in_len = end - in_data; 391 392 conn->state = (conn->session_resumed || conn->ticket) ? 393 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 394 395 return 0; 396 397 decode_error: 398 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 399 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 400 return -1; 401 } 402 403 404 static int tls_server_key_exchange_allowed(struct tlsv1_client *conn) 405 { 406 const struct tls_cipher_suite *suite; 407 408 /* RFC 2246, Section 7.4.3 */ 409 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 410 if (suite == NULL) 411 return 0; 412 413 switch (suite->key_exchange) { 414 case TLS_KEY_X_DHE_DSS: 415 case TLS_KEY_X_DHE_DSS_EXPORT: 416 case TLS_KEY_X_DHE_RSA: 417 case TLS_KEY_X_DHE_RSA_EXPORT: 418 case TLS_KEY_X_DH_anon_EXPORT: 419 case TLS_KEY_X_DH_anon: 420 return 1; 421 case TLS_KEY_X_RSA_EXPORT: 422 return 1 /* FIX: public key len > 512 bits */; 423 default: 424 return 0; 425 } 426 } 427 428 429 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 430 const u8 *in_data, size_t *in_len) 431 { 432 const u8 *pos, *end; 433 size_t left, len, list_len, cert_len, idx; 434 u8 type; 435 struct x509_certificate *chain = NULL, *last = NULL, *cert; 436 int reason; 437 438 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 439 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 440 "received content type 0x%x", ct); 441 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 442 TLS_ALERT_UNEXPECTED_MESSAGE); 443 return -1; 444 } 445 446 pos = in_data; 447 left = *in_len; 448 449 if (left < 4) { 450 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 451 "(len=%lu)", (unsigned long) left); 452 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 453 return -1; 454 } 455 456 type = *pos++; 457 len = WPA_GET_BE24(pos); 458 pos += 3; 459 left -= 4; 460 461 if (len > left) { 462 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 463 "length (len=%lu != left=%lu)", 464 (unsigned long) len, (unsigned long) left); 465 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 466 return -1; 467 } 468 469 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 470 return tls_process_server_key_exchange(conn, ct, in_data, 471 in_len); 472 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 473 return tls_process_certificate_request(conn, ct, in_data, 474 in_len); 475 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 476 return tls_process_server_hello_done(conn, ct, in_data, 477 in_len); 478 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 479 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 480 "message %d (expected Certificate/" 481 "ServerKeyExchange/CertificateRequest/" 482 "ServerHelloDone)", type); 483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 484 TLS_ALERT_UNEXPECTED_MESSAGE); 485 return -1; 486 } 487 488 wpa_printf(MSG_DEBUG, 489 "TLSv1: Received Certificate (certificate_list len %lu)", 490 (unsigned long) len); 491 492 /* 493 * opaque ASN.1Cert<2^24-1>; 494 * 495 * struct { 496 * ASN.1Cert certificate_list<1..2^24-1>; 497 * } Certificate; 498 */ 499 500 end = pos + len; 501 502 if (end - pos < 3) { 503 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 504 "(left=%lu)", (unsigned long) left); 505 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 506 return -1; 507 } 508 509 list_len = WPA_GET_BE24(pos); 510 pos += 3; 511 512 if ((size_t) (end - pos) != list_len) { 513 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 514 "length (len=%lu left=%lu)", 515 (unsigned long) list_len, 516 (unsigned long) (end - pos)); 517 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 518 return -1; 519 } 520 521 idx = 0; 522 while (pos < end) { 523 if (end - pos < 3) { 524 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 525 "certificate_list"); 526 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 527 TLS_ALERT_DECODE_ERROR); 528 x509_certificate_chain_free(chain); 529 return -1; 530 } 531 532 cert_len = WPA_GET_BE24(pos); 533 pos += 3; 534 535 if ((size_t) (end - pos) < cert_len) { 536 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 537 "length (len=%lu left=%lu)", 538 (unsigned long) cert_len, 539 (unsigned long) (end - pos)); 540 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 541 TLS_ALERT_DECODE_ERROR); 542 x509_certificate_chain_free(chain); 543 return -1; 544 } 545 546 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 547 (unsigned long) idx, (unsigned long) cert_len); 548 549 if (idx == 0) { 550 crypto_public_key_free(conn->server_rsa_key); 551 if (tls_parse_cert(pos, cert_len, 552 &conn->server_rsa_key)) { 553 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 554 "the certificate"); 555 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 556 TLS_ALERT_BAD_CERTIFICATE); 557 x509_certificate_chain_free(chain); 558 return -1; 559 } 560 } 561 562 cert = x509_certificate_parse(pos, cert_len); 563 if (cert == NULL) { 564 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 565 "the certificate"); 566 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 567 TLS_ALERT_BAD_CERTIFICATE); 568 x509_certificate_chain_free(chain); 569 return -1; 570 } 571 572 if (last == NULL) 573 chain = cert; 574 else 575 last->next = cert; 576 last = cert; 577 578 idx++; 579 pos += cert_len; 580 } 581 582 if (x509_certificate_chain_validate(conn->trusted_certs, chain, 583 &reason) < 0) { 584 int tls_reason; 585 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 586 "validation failed (reason=%d)", reason); 587 switch (reason) { 588 case X509_VALIDATE_BAD_CERTIFICATE: 589 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 590 break; 591 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 592 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 593 break; 594 case X509_VALIDATE_CERTIFICATE_REVOKED: 595 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 596 break; 597 case X509_VALIDATE_CERTIFICATE_EXPIRED: 598 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 599 break; 600 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 601 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 602 break; 603 case X509_VALIDATE_UNKNOWN_CA: 604 tls_reason = TLS_ALERT_UNKNOWN_CA; 605 break; 606 default: 607 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 608 break; 609 } 610 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 611 x509_certificate_chain_free(chain); 612 return -1; 613 } 614 615 x509_certificate_chain_free(chain); 616 617 *in_len = end - in_data; 618 619 conn->state = SERVER_KEY_EXCHANGE; 620 621 return 0; 622 } 623 624 625 static void tlsv1_client_free_dh(struct tlsv1_client *conn) 626 { 627 os_free(conn->dh_p); 628 os_free(conn->dh_g); 629 os_free(conn->dh_ys); 630 conn->dh_p = conn->dh_g = conn->dh_ys = NULL; 631 } 632 633 634 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 635 const u8 *buf, size_t len) 636 { 637 const u8 *pos, *end; 638 639 tlsv1_client_free_dh(conn); 640 641 pos = buf; 642 end = buf + len; 643 644 if (end - pos < 3) 645 goto fail; 646 conn->dh_p_len = WPA_GET_BE16(pos); 647 pos += 2; 648 if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) 649 goto fail; 650 conn->dh_p = os_malloc(conn->dh_p_len); 651 if (conn->dh_p == NULL) 652 goto fail; 653 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 654 pos += conn->dh_p_len; 655 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 656 conn->dh_p, conn->dh_p_len); 657 658 if (end - pos < 3) 659 goto fail; 660 conn->dh_g_len = WPA_GET_BE16(pos); 661 pos += 2; 662 if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len) 663 goto fail; 664 conn->dh_g = os_malloc(conn->dh_g_len); 665 if (conn->dh_g == NULL) 666 goto fail; 667 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 668 pos += conn->dh_g_len; 669 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 670 conn->dh_g, conn->dh_g_len); 671 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 672 goto fail; 673 674 if (end - pos < 3) 675 goto fail; 676 conn->dh_ys_len = WPA_GET_BE16(pos); 677 pos += 2; 678 if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len) 679 goto fail; 680 conn->dh_ys = os_malloc(conn->dh_ys_len); 681 if (conn->dh_ys == NULL) 682 goto fail; 683 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 684 pos += conn->dh_ys_len; 685 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 686 conn->dh_ys, conn->dh_ys_len); 687 688 return 0; 689 690 fail: 691 tlsv1_client_free_dh(conn); 692 return -1; 693 } 694 695 696 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 697 const u8 *in_data, size_t *in_len) 698 { 699 const u8 *pos, *end; 700 size_t left, len; 701 u8 type; 702 const struct tls_cipher_suite *suite; 703 704 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 705 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 706 "received content type 0x%x", ct); 707 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 708 TLS_ALERT_UNEXPECTED_MESSAGE); 709 return -1; 710 } 711 712 pos = in_data; 713 left = *in_len; 714 715 if (left < 4) { 716 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 717 "(Left=%lu)", (unsigned long) left); 718 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 719 return -1; 720 } 721 722 type = *pos++; 723 len = WPA_GET_BE24(pos); 724 pos += 3; 725 left -= 4; 726 727 if (len > left) { 728 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 729 "length (len=%lu != left=%lu)", 730 (unsigned long) len, (unsigned long) left); 731 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 732 return -1; 733 } 734 735 end = pos + len; 736 737 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 738 return tls_process_certificate_request(conn, ct, in_data, 739 in_len); 740 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 741 return tls_process_server_hello_done(conn, ct, in_data, 742 in_len); 743 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 744 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 745 "message %d (expected ServerKeyExchange/" 746 "CertificateRequest/ServerHelloDone)", type); 747 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 748 TLS_ALERT_UNEXPECTED_MESSAGE); 749 return -1; 750 } 751 752 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 753 754 if (!tls_server_key_exchange_allowed(conn)) { 755 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 756 "with the selected cipher suite"); 757 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 758 TLS_ALERT_UNEXPECTED_MESSAGE); 759 return -1; 760 } 761 762 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 763 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 764 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 765 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) { 766 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 767 TLS_ALERT_DECODE_ERROR); 768 return -1; 769 } 770 } else { 771 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 772 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 773 TLS_ALERT_UNEXPECTED_MESSAGE); 774 return -1; 775 } 776 777 *in_len = end - in_data; 778 779 conn->state = SERVER_CERTIFICATE_REQUEST; 780 781 return 0; 782 } 783 784 785 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 786 const u8 *in_data, size_t *in_len) 787 { 788 const u8 *pos, *end; 789 size_t left, len; 790 u8 type; 791 792 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 793 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 794 "received content type 0x%x", ct); 795 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 796 TLS_ALERT_UNEXPECTED_MESSAGE); 797 return -1; 798 } 799 800 pos = in_data; 801 left = *in_len; 802 803 if (left < 4) { 804 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 805 "(left=%lu)", (unsigned long) left); 806 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 807 return -1; 808 } 809 810 type = *pos++; 811 len = WPA_GET_BE24(pos); 812 pos += 3; 813 left -= 4; 814 815 if (len > left) { 816 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 817 "length (len=%lu != left=%lu)", 818 (unsigned long) len, (unsigned long) left); 819 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 820 return -1; 821 } 822 823 end = pos + len; 824 825 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 826 return tls_process_server_hello_done(conn, ct, in_data, 827 in_len); 828 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 829 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 830 "message %d (expected CertificateRequest/" 831 "ServerHelloDone)", type); 832 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 833 TLS_ALERT_UNEXPECTED_MESSAGE); 834 return -1; 835 } 836 837 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 838 839 conn->certificate_requested = 1; 840 841 *in_len = end - in_data; 842 843 conn->state = SERVER_HELLO_DONE; 844 845 return 0; 846 } 847 848 849 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 850 const u8 *in_data, size_t *in_len) 851 { 852 const u8 *pos, *end; 853 size_t left, len; 854 u8 type; 855 856 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 857 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 858 "received content type 0x%x", ct); 859 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 860 TLS_ALERT_UNEXPECTED_MESSAGE); 861 return -1; 862 } 863 864 pos = in_data; 865 left = *in_len; 866 867 if (left < 4) { 868 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 869 "(left=%lu)", (unsigned long) left); 870 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 871 return -1; 872 } 873 874 type = *pos++; 875 len = WPA_GET_BE24(pos); 876 pos += 3; 877 left -= 4; 878 879 if (len > left) { 880 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 881 "length (len=%lu != left=%lu)", 882 (unsigned long) len, (unsigned long) left); 883 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 884 return -1; 885 } 886 end = pos + len; 887 888 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 889 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 890 "message %d (expected ServerHelloDone)", type); 891 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 892 TLS_ALERT_UNEXPECTED_MESSAGE); 893 return -1; 894 } 895 896 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 897 898 *in_len = end - in_data; 899 900 conn->state = CLIENT_KEY_EXCHANGE; 901 902 return 0; 903 } 904 905 906 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 907 u8 ct, const u8 *in_data, 908 size_t *in_len) 909 { 910 const u8 *pos; 911 size_t left; 912 913 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 914 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 915 "received content type 0x%x", ct); 916 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 917 TLS_ALERT_UNEXPECTED_MESSAGE); 918 return -1; 919 } 920 921 pos = in_data; 922 left = *in_len; 923 924 if (left < 1) { 925 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 926 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 927 return -1; 928 } 929 930 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 931 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 932 "received data 0x%x", *pos); 933 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 934 TLS_ALERT_UNEXPECTED_MESSAGE); 935 return -1; 936 } 937 938 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 939 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 940 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 941 "for record layer"); 942 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 943 TLS_ALERT_INTERNAL_ERROR); 944 return -1; 945 } 946 947 *in_len = pos + 1 - in_data; 948 949 conn->state = SERVER_FINISHED; 950 951 return 0; 952 } 953 954 955 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 956 const u8 *in_data, size_t *in_len) 957 { 958 const u8 *pos, *end; 959 size_t left, len, hlen; 960 u8 verify_data[TLS_VERIFY_DATA_LEN]; 961 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 962 963 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 964 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 965 "received content type 0x%x", ct); 966 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 967 TLS_ALERT_UNEXPECTED_MESSAGE); 968 return -1; 969 } 970 971 pos = in_data; 972 left = *in_len; 973 974 if (left < 4) { 975 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 976 "Finished", 977 (unsigned long) left); 978 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 979 TLS_ALERT_DECODE_ERROR); 980 return -1; 981 } 982 983 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 984 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 985 "type 0x%x", pos[0]); 986 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 987 TLS_ALERT_UNEXPECTED_MESSAGE); 988 return -1; 989 } 990 991 len = WPA_GET_BE24(pos + 1); 992 993 pos += 4; 994 left -= 4; 995 996 if (len > left) { 997 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 998 "(len=%lu > left=%lu)", 999 (unsigned long) len, (unsigned long) left); 1000 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1001 TLS_ALERT_DECODE_ERROR); 1002 return -1; 1003 } 1004 end = pos + len; 1005 if (len != TLS_VERIFY_DATA_LEN) { 1006 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1007 "in Finished: %lu (expected %d)", 1008 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1009 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1010 TLS_ALERT_DECODE_ERROR); 1011 return -1; 1012 } 1013 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1014 pos, TLS_VERIFY_DATA_LEN); 1015 1016 hlen = MD5_MAC_LEN; 1017 if (conn->verify_md5_server == NULL || 1018 crypto_hash_finish(conn->verify_md5_server, hash, &hlen) < 0) { 1019 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1020 TLS_ALERT_INTERNAL_ERROR); 1021 conn->verify_md5_server = NULL; 1022 crypto_hash_finish(conn->verify_sha1_server, NULL, NULL); 1023 conn->verify_sha1_server = NULL; 1024 return -1; 1025 } 1026 conn->verify_md5_server = NULL; 1027 hlen = SHA1_MAC_LEN; 1028 if (conn->verify_sha1_server == NULL || 1029 crypto_hash_finish(conn->verify_sha1_server, hash + MD5_MAC_LEN, 1030 &hlen) < 0) { 1031 conn->verify_sha1_server = NULL; 1032 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1033 TLS_ALERT_INTERNAL_ERROR); 1034 return -1; 1035 } 1036 conn->verify_sha1_server = NULL; 1037 1038 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1039 "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 1040 verify_data, TLS_VERIFY_DATA_LEN)) { 1041 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1042 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1043 TLS_ALERT_DECRYPT_ERROR); 1044 return -1; 1045 } 1046 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 1047 verify_data, TLS_VERIFY_DATA_LEN); 1048 1049 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1050 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1051 return -1; 1052 } 1053 1054 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1055 1056 *in_len = end - in_data; 1057 1058 conn->state = (conn->session_resumed || conn->ticket) ? 1059 CHANGE_CIPHER_SPEC : ACK_FINISHED; 1060 1061 return 0; 1062 } 1063 1064 1065 static int tls_derive_pre_master_secret(u8 *pre_master_secret) 1066 { 1067 WPA_PUT_BE16(pre_master_secret, TLS_VERSION); 1068 if (os_get_random(pre_master_secret + 2, 1069 TLS_PRE_MASTER_SECRET_LEN - 2)) 1070 return -1; 1071 return 0; 1072 } 1073 1074 1075 static int tls_derive_keys(struct tlsv1_client *conn, 1076 const u8 *pre_master_secret, 1077 size_t pre_master_secret_len) 1078 { 1079 u8 seed[2 * TLS_RANDOM_LEN]; 1080 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 1081 u8 *pos; 1082 size_t key_block_len; 1083 1084 if (pre_master_secret) { 1085 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 1086 pre_master_secret, pre_master_secret_len); 1087 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 1088 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 1089 TLS_RANDOM_LEN); 1090 if (tls_prf(pre_master_secret, pre_master_secret_len, 1091 "master secret", seed, 2 * TLS_RANDOM_LEN, 1092 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 1093 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 1094 "master_secret"); 1095 return -1; 1096 } 1097 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 1098 conn->master_secret, TLS_MASTER_SECRET_LEN); 1099 } 1100 1101 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 1102 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 1103 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len + 1104 conn->rl.iv_size); 1105 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1106 "key expansion", seed, 2 * TLS_RANDOM_LEN, 1107 key_block, key_block_len)) { 1108 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 1109 return -1; 1110 } 1111 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 1112 key_block, key_block_len); 1113 1114 pos = key_block; 1115 1116 /* client_write_MAC_secret */ 1117 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 1118 pos += conn->rl.hash_size; 1119 /* server_write_MAC_secret */ 1120 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 1121 pos += conn->rl.hash_size; 1122 1123 /* client_write_key */ 1124 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 1125 pos += conn->rl.key_material_len; 1126 /* server_write_key */ 1127 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 1128 pos += conn->rl.key_material_len; 1129 1130 /* client_write_IV */ 1131 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 1132 pos += conn->rl.iv_size; 1133 /* server_write_IV */ 1134 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 1135 pos += conn->rl.iv_size; 1136 1137 return 0; 1138 } 1139 1140 1141 static int tls_write_client_certificate(struct tlsv1_client *conn, 1142 u8 **msgpos, u8 *end) 1143 { 1144 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 1145 size_t rlen; 1146 struct x509_certificate *cert; 1147 1148 pos = *msgpos; 1149 1150 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 1151 rhdr = pos; 1152 pos += TLS_RECORD_HEADER_LEN; 1153 1154 /* opaque fragment[TLSPlaintext.length] */ 1155 1156 /* Handshake */ 1157 hs_start = pos; 1158 /* HandshakeType msg_type */ 1159 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 1160 /* uint24 length (to be filled) */ 1161 hs_length = pos; 1162 pos += 3; 1163 /* body - Certificate */ 1164 /* uint24 length (to be filled) */ 1165 cert_start = pos; 1166 pos += 3; 1167 cert = conn->client_cert; 1168 while (cert) { 1169 if (pos + 3 + cert->cert_len > end) { 1170 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 1171 "for Certificate (cert_len=%lu left=%lu)", 1172 (unsigned long) cert->cert_len, 1173 (unsigned long) (end - pos)); 1174 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1175 TLS_ALERT_INTERNAL_ERROR); 1176 return -1; 1177 } 1178 WPA_PUT_BE24(pos, cert->cert_len); 1179 pos += 3; 1180 os_memcpy(pos, cert->cert_start, cert->cert_len); 1181 pos += cert->cert_len; 1182 1183 if (x509_certificate_self_signed(cert)) 1184 break; 1185 cert = x509_certificate_get_subject(conn->trusted_certs, 1186 &cert->issuer); 1187 } 1188 if (cert == conn->client_cert || cert == NULL) { 1189 /* 1190 * Client was not configured with all the needed certificates 1191 * to form a full certificate chain. The server may fail to 1192 * validate the chain unless it is configured with all the 1193 * missing CA certificates. 1194 */ 1195 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 1196 "not configured - validation may fail"); 1197 } 1198 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 1199 1200 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 1201 1202 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 1203 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 1204 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 1205 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1206 TLS_ALERT_INTERNAL_ERROR); 1207 return -1; 1208 } 1209 pos = rhdr + rlen; 1210 1211 tls_verify_hash_add(conn, hs_start, pos - hs_start); 1212 1213 *msgpos = pos; 1214 1215 return 0; 1216 } 1217 1218 1219 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 1220 { 1221 #ifdef EAP_FAST 1222 /* ClientDiffieHellmanPublic */ 1223 u8 *csecret, *csecret_start, *dh_yc, *shared; 1224 size_t csecret_len, dh_yc_len, shared_len; 1225 1226 csecret_len = conn->dh_p_len; 1227 csecret = os_malloc(csecret_len); 1228 if (csecret == NULL) { 1229 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 1230 "memory for Yc (Diffie-Hellman)"); 1231 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1232 TLS_ALERT_INTERNAL_ERROR); 1233 return -1; 1234 } 1235 if (os_get_random(csecret, csecret_len)) { 1236 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 1237 "data for Diffie-Hellman"); 1238 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1239 TLS_ALERT_INTERNAL_ERROR); 1240 os_free(csecret); 1241 return -1; 1242 } 1243 1244 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 1245 csecret[0] = 0; /* make sure Yc < p */ 1246 1247 csecret_start = csecret; 1248 while (csecret_len > 1 && *csecret_start == 0) { 1249 csecret_start++; 1250 csecret_len--; 1251 } 1252 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 1253 csecret_start, csecret_len); 1254 1255 /* Yc = g^csecret mod p */ 1256 dh_yc_len = conn->dh_p_len; 1257 dh_yc = os_malloc(dh_yc_len); 1258 if (dh_yc == NULL) { 1259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 1260 "memory for Diffie-Hellman"); 1261 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1262 TLS_ALERT_INTERNAL_ERROR); 1263 os_free(csecret); 1264 return -1; 1265 } 1266 crypto_mod_exp(conn->dh_g, conn->dh_g_len, 1267 csecret_start, csecret_len, 1268 conn->dh_p, conn->dh_p_len, 1269 dh_yc, &dh_yc_len); 1270 1271 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 1272 dh_yc, dh_yc_len); 1273 1274 WPA_PUT_BE16(*pos, dh_yc_len); 1275 *pos += 2; 1276 if (*pos + dh_yc_len > end) { 1277 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 1278 "message buffer for Yc"); 1279 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1280 TLS_ALERT_INTERNAL_ERROR); 1281 os_free(csecret); 1282 os_free(dh_yc); 1283 return -1; 1284 } 1285 os_memcpy(*pos, dh_yc, dh_yc_len); 1286 *pos += dh_yc_len; 1287 os_free(dh_yc); 1288 1289 shared_len = conn->dh_p_len; 1290 shared = os_malloc(shared_len); 1291 if (shared == NULL) { 1292 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 1293 "DH"); 1294 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1295 TLS_ALERT_INTERNAL_ERROR); 1296 os_free(csecret); 1297 return -1; 1298 } 1299 1300 /* shared = Ys^csecret mod p */ 1301 crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 1302 csecret_start, csecret_len, 1303 conn->dh_p, conn->dh_p_len, 1304 shared, &shared_len); 1305 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 1306 shared, shared_len); 1307 1308 os_memset(csecret_start, 0, csecret_len); 1309 os_free(csecret); 1310 if (tls_derive_keys(conn, shared, shared_len)) { 1311 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 1312 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1313 TLS_ALERT_INTERNAL_ERROR); 1314 os_free(shared); 1315 return -1; 1316 } 1317 os_memset(shared, 0, shared_len); 1318 os_free(shared); 1319 tlsv1_client_free_dh(conn); 1320 return 0; 1321 #else /* EAP_FAST */ 1322 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR); 1323 return -1; 1324 #endif /* EAP_FAST */ 1325 } 1326 1327 1328 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 1329 { 1330 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 1331 size_t clen; 1332 int res; 1333 1334 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 1335 tls_derive_keys(conn, pre_master_secret, 1336 TLS_PRE_MASTER_SECRET_LEN)) { 1337 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 1338 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1339 TLS_ALERT_INTERNAL_ERROR); 1340 return -1; 1341 } 1342 1343 /* EncryptedPreMasterSecret */ 1344 if (conn->server_rsa_key == NULL) { 1345 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 1346 "use for encrypting pre-master secret"); 1347 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1348 TLS_ALERT_INTERNAL_ERROR); 1349 return -1; 1350 } 1351 1352 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 1353 *pos += 2; 1354 clen = end - *pos; 1355 res = crypto_public_key_encrypt_pkcs1_v15( 1356 conn->server_rsa_key, 1357 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 1358 *pos, &clen); 1359 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 1360 if (res < 0) { 1361 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 1362 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1363 TLS_ALERT_INTERNAL_ERROR); 1364 return -1; 1365 } 1366 WPA_PUT_BE16(*pos - 2, clen); 1367 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 1368 *pos, clen); 1369 *pos += clen; 1370 1371 return 0; 1372 } 1373 1374 1375 static int tls_write_client_key_exchange(struct tlsv1_client *conn, 1376 u8 **msgpos, u8 *end) 1377 { 1378 u8 *pos, *rhdr, *hs_start, *hs_length; 1379 size_t rlen; 1380 tls_key_exchange keyx; 1381 const struct tls_cipher_suite *suite; 1382 1383 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 1384 if (suite == NULL) 1385 keyx = TLS_KEY_X_NULL; 1386 else 1387 keyx = suite->key_exchange; 1388 1389 pos = *msgpos; 1390 1391 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 1392 1393 rhdr = pos; 1394 pos += TLS_RECORD_HEADER_LEN; 1395 1396 /* opaque fragment[TLSPlaintext.length] */ 1397 1398 /* Handshake */ 1399 hs_start = pos; 1400 /* HandshakeType msg_type */ 1401 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 1402 /* uint24 length (to be filled) */ 1403 hs_length = pos; 1404 pos += 3; 1405 /* body - ClientKeyExchange */ 1406 if (keyx == TLS_KEY_X_DH_anon) { 1407 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0) 1408 return -1; 1409 } else { 1410 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 1411 return -1; 1412 } 1413 1414 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 1415 1416 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 1417 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 1418 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 1419 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1420 TLS_ALERT_INTERNAL_ERROR); 1421 return -1; 1422 } 1423 pos = rhdr + rlen; 1424 tls_verify_hash_add(conn, hs_start, pos - hs_start); 1425 1426 *msgpos = pos; 1427 1428 return 0; 1429 } 1430 1431 1432 static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 1433 u8 **msgpos, u8 *end) 1434 { 1435 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 1436 size_t rlen, hlen, clen; 1437 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 1438 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 1439 1440 pos = *msgpos; 1441 1442 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 1443 rhdr = pos; 1444 pos += TLS_RECORD_HEADER_LEN; 1445 1446 /* Handshake */ 1447 hs_start = pos; 1448 /* HandshakeType msg_type */ 1449 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 1450 /* uint24 length (to be filled) */ 1451 hs_length = pos; 1452 pos += 3; 1453 1454 /* 1455 * RFC 2246: 7.4.3 and 7.4.8: 1456 * Signature signature 1457 * 1458 * RSA: 1459 * digitally-signed struct { 1460 * opaque md5_hash[16]; 1461 * opaque sha_hash[20]; 1462 * }; 1463 * 1464 * DSA: 1465 * digitally-signed struct { 1466 * opaque sha_hash[20]; 1467 * }; 1468 * 1469 * The hash values are calculated over all handshake messages sent or 1470 * received starting at ClientHello up to, but not including, this 1471 * CertificateVerify message, including the type and length fields of 1472 * the handshake messages. 1473 */ 1474 1475 hpos = hash; 1476 1477 if (alg == SIGN_ALG_RSA) { 1478 hlen = MD5_MAC_LEN; 1479 if (conn->verify_md5_cert == NULL || 1480 crypto_hash_finish(conn->verify_md5_cert, hpos, &hlen) < 0) 1481 { 1482 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1483 TLS_ALERT_INTERNAL_ERROR); 1484 conn->verify_md5_cert = NULL; 1485 crypto_hash_finish(conn->verify_sha1_cert, NULL, NULL); 1486 conn->verify_sha1_cert = NULL; 1487 return -1; 1488 } 1489 hpos += MD5_MAC_LEN; 1490 } else 1491 crypto_hash_finish(conn->verify_md5_cert, NULL, NULL); 1492 1493 conn->verify_md5_cert = NULL; 1494 hlen = SHA1_MAC_LEN; 1495 if (conn->verify_sha1_cert == NULL || 1496 crypto_hash_finish(conn->verify_sha1_cert, hpos, &hlen) < 0) { 1497 conn->verify_sha1_cert = NULL; 1498 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1499 TLS_ALERT_INTERNAL_ERROR); 1500 return -1; 1501 } 1502 conn->verify_sha1_cert = NULL; 1503 1504 if (alg == SIGN_ALG_RSA) 1505 hlen += MD5_MAC_LEN; 1506 1507 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 1508 1509 /* 1510 * RFC 2246, 4.7: 1511 * In digital signing, one-way hash functions are used as input for a 1512 * signing algorithm. A digitally-signed element is encoded as an 1513 * opaque vector <0..2^16-1>, where the length is specified by the 1514 * signing algorithm and key. 1515 * 1516 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 1517 * MD5) is signed (encrypted with the private key). It is encoded with 1518 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 1519 */ 1520 signed_start = pos; /* length to be filled */ 1521 pos += 2; 1522 clen = end - pos; 1523 if (crypto_private_key_sign_pkcs1(conn->client_key, hash, hlen, 1524 pos, &clen) < 0) { 1525 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 1526 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1527 TLS_ALERT_INTERNAL_ERROR); 1528 return -1; 1529 } 1530 WPA_PUT_BE16(signed_start, clen); 1531 1532 pos += clen; 1533 1534 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 1535 1536 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 1537 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 1538 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 1539 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1540 TLS_ALERT_INTERNAL_ERROR); 1541 return -1; 1542 } 1543 pos = rhdr + rlen; 1544 1545 tls_verify_hash_add(conn, hs_start, pos - hs_start); 1546 1547 *msgpos = pos; 1548 1549 return 0; 1550 } 1551 1552 1553 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 1554 u8 **msgpos, u8 *end) 1555 { 1556 u8 *pos, *rhdr; 1557 size_t rlen; 1558 1559 pos = *msgpos; 1560 1561 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 1562 rhdr = pos; 1563 pos += TLS_RECORD_HEADER_LEN; 1564 *pos = TLS_CHANGE_CIPHER_SPEC; 1565 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 1566 rhdr, end - rhdr, 1, &rlen) < 0) { 1567 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 1568 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1569 TLS_ALERT_INTERNAL_ERROR); 1570 return -1; 1571 } 1572 1573 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 1574 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 1575 "record layer"); 1576 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1577 TLS_ALERT_INTERNAL_ERROR); 1578 return -1; 1579 } 1580 1581 *msgpos = rhdr + rlen; 1582 1583 return 0; 1584 } 1585 1586 1587 static int tls_write_client_finished(struct tlsv1_client *conn, 1588 u8 **msgpos, u8 *end) 1589 { 1590 u8 *pos, *rhdr, *hs_start, *hs_length; 1591 size_t rlen, hlen; 1592 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1593 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1594 1595 pos = *msgpos; 1596 1597 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 1598 1599 /* Encrypted Handshake Message: Finished */ 1600 1601 hlen = MD5_MAC_LEN; 1602 if (conn->verify_md5_client == NULL || 1603 crypto_hash_finish(conn->verify_md5_client, hash, &hlen) < 0) { 1604 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1605 TLS_ALERT_INTERNAL_ERROR); 1606 conn->verify_md5_client = NULL; 1607 crypto_hash_finish(conn->verify_sha1_client, NULL, NULL); 1608 conn->verify_sha1_client = NULL; 1609 return -1; 1610 } 1611 conn->verify_md5_client = NULL; 1612 hlen = SHA1_MAC_LEN; 1613 if (conn->verify_sha1_client == NULL || 1614 crypto_hash_finish(conn->verify_sha1_client, hash + MD5_MAC_LEN, 1615 &hlen) < 0) { 1616 conn->verify_sha1_client = NULL; 1617 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1618 TLS_ALERT_INTERNAL_ERROR); 1619 return -1; 1620 } 1621 conn->verify_sha1_client = NULL; 1622 1623 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1624 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 1625 verify_data, TLS_VERIFY_DATA_LEN)) { 1626 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 1627 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1628 TLS_ALERT_INTERNAL_ERROR); 1629 return -1; 1630 } 1631 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1632 verify_data, TLS_VERIFY_DATA_LEN); 1633 1634 rhdr = pos; 1635 pos += TLS_RECORD_HEADER_LEN; 1636 /* Handshake */ 1637 hs_start = pos; 1638 /* HandshakeType msg_type */ 1639 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 1640 /* uint24 length (to be filled) */ 1641 hs_length = pos; 1642 pos += 3; 1643 os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN); 1644 pos += TLS_VERIFY_DATA_LEN; 1645 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 1646 tls_verify_hash_add(conn, hs_start, pos - hs_start); 1647 1648 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 1649 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 1650 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 1651 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1652 TLS_ALERT_INTERNAL_ERROR); 1653 return -1; 1654 } 1655 1656 pos = rhdr + rlen; 1657 1658 *msgpos = pos; 1659 1660 return 0; 1661 } 1662 1663 1664 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 1665 { 1666 size_t len = 0; 1667 struct x509_certificate *cert; 1668 1669 cert = conn->client_cert; 1670 while (cert) { 1671 len += 3 + cert->cert_len; 1672 if (x509_certificate_self_signed(cert)) 1673 break; 1674 cert = x509_certificate_get_subject(conn->trusted_certs, 1675 &cert->issuer); 1676 } 1677 1678 return len; 1679 } 1680 1681 1682 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 1683 size_t *out_len) 1684 { 1685 u8 *msg, *end, *pos; 1686 size_t msglen; 1687 1688 *out_len = 0; 1689 1690 msglen = 1000; 1691 if (conn->certificate_requested) 1692 msglen += tls_client_cert_chain_der_len(conn); 1693 1694 msg = os_malloc(msglen); 1695 if (msg == NULL) 1696 return NULL; 1697 1698 pos = msg; 1699 end = msg + msglen; 1700 1701 if (conn->certificate_requested) { 1702 if (tls_write_client_certificate(conn, &pos, end) < 0) { 1703 os_free(msg); 1704 return NULL; 1705 } 1706 } 1707 1708 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 1709 (conn->certificate_requested && conn->client_key && 1710 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 1711 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 1712 tls_write_client_finished(conn, &pos, end) < 0) { 1713 os_free(msg); 1714 return NULL; 1715 } 1716 1717 *out_len = pos - msg; 1718 1719 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1720 1721 return msg; 1722 } 1723 1724 1725 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 1726 size_t *out_len) 1727 { 1728 u8 *msg, *end, *pos; 1729 1730 *out_len = 0; 1731 1732 msg = os_malloc(1000); 1733 if (msg == NULL) 1734 return NULL; 1735 1736 pos = msg; 1737 end = msg + 1000; 1738 1739 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 1740 tls_write_client_finished(conn, &pos, end) < 0) { 1741 os_free(msg); 1742 return NULL; 1743 } 1744 1745 *out_len = pos - msg; 1746 1747 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 1748 "successfully"); 1749 conn->state = ESTABLISHED; 1750 1751 return msg; 1752 } 1753 1754 1755 static int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1756 const u8 *buf, size_t *len) 1757 { 1758 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1759 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1760 size_t hr_len = WPA_GET_BE24(buf + 1); 1761 if (hr_len > *len - 4) { 1762 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1763 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1764 TLS_ALERT_DECODE_ERROR); 1765 return -1; 1766 } 1767 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1768 *len = 4 + hr_len; 1769 return 0; 1770 } 1771 1772 switch (conn->state) { 1773 case SERVER_HELLO: 1774 if (tls_process_server_hello(conn, ct, buf, len)) 1775 return -1; 1776 break; 1777 case SERVER_CERTIFICATE: 1778 if (tls_process_certificate(conn, ct, buf, len)) 1779 return -1; 1780 break; 1781 case SERVER_KEY_EXCHANGE: 1782 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1783 return -1; 1784 break; 1785 case SERVER_CERTIFICATE_REQUEST: 1786 if (tls_process_certificate_request(conn, ct, buf, len)) 1787 return -1; 1788 break; 1789 case SERVER_HELLO_DONE: 1790 if (tls_process_server_hello_done(conn, ct, buf, len)) 1791 return -1; 1792 break; 1793 case SERVER_CHANGE_CIPHER_SPEC: 1794 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1795 return -1; 1796 break; 1797 case SERVER_FINISHED: 1798 if (tls_process_server_finished(conn, ct, buf, len)) 1799 return -1; 1800 break; 1801 default: 1802 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1803 "while processing received message", 1804 conn->state); 1805 return -1; 1806 } 1807 1808 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1809 tls_verify_hash_add(conn, buf, *len); 1810 1811 return 0; 1812 } 1813 1814 1815 /** 1816 * tlsv1_client_handshake - Process TLS handshake 1817 * @conn: TLSv1 client connection data from tlsv1_client_init() 1818 * @in_data: Input data from TLS peer 1819 * @in_len: Input data length 1820 * @out_len: Length of the output buffer. 1821 * Returns: Pointer to output data, %NULL on failure 1822 */ 1823 u8 * tlsv1_client_handshake(struct tlsv1_client *conn, 1824 const u8 *in_data, size_t in_len, 1825 size_t *out_len) 1826 { 1827 const u8 *pos, *end; 1828 u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct; 1829 size_t in_msg_len; 1830 1831 if (conn->state == CLIENT_HELLO) { 1832 if (in_len) 1833 return NULL; 1834 return tls_send_client_hello(conn, out_len); 1835 } 1836 1837 if (in_data == NULL || in_len == 0) 1838 return NULL; 1839 1840 pos = in_data; 1841 end = in_data + in_len; 1842 in_msg = os_malloc(in_len); 1843 if (in_msg == NULL) 1844 return NULL; 1845 1846 /* Each received packet may include multiple records */ 1847 while (pos < end) { 1848 in_msg_len = in_len; 1849 if (tlsv1_record_receive(&conn->rl, pos, end - pos, 1850 in_msg, &in_msg_len, &alert)) { 1851 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 1852 "record failed"); 1853 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 1854 goto failed; 1855 } 1856 ct = pos[0]; 1857 1858 in_pos = in_msg; 1859 in_end = in_msg + in_msg_len; 1860 1861 /* Each received record may include multiple messages of the 1862 * same ContentType. */ 1863 while (in_pos < in_end) { 1864 in_msg_len = in_end - in_pos; 1865 if (tlsv1_client_process_handshake(conn, ct, in_pos, 1866 &in_msg_len) < 0) 1867 goto failed; 1868 in_pos += in_msg_len; 1869 } 1870 1871 pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3); 1872 } 1873 1874 os_free(in_msg); 1875 in_msg = NULL; 1876 1877 switch (conn->state) { 1878 case CLIENT_KEY_EXCHANGE: 1879 msg = tls_send_client_key_exchange(conn, out_len); 1880 break; 1881 case CHANGE_CIPHER_SPEC: 1882 msg = tls_send_change_cipher_spec(conn, out_len); 1883 break; 1884 case ACK_FINISHED: 1885 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 1886 "successfully"); 1887 conn->state = ESTABLISHED; 1888 /* Need to return something to get final TLS ACK. */ 1889 msg = os_malloc(1); 1890 *out_len = 0; 1891 break; 1892 default: 1893 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 1894 "generating reply", conn->state); 1895 break; 1896 } 1897 1898 failed: 1899 os_free(in_msg); 1900 if (conn->alert_level) { 1901 conn->state = FAILED; 1902 os_free(msg); 1903 msg = tls_send_alert(conn, conn->alert_level, 1904 conn->alert_description, out_len); 1905 } 1906 1907 return msg; 1908 } 1909 1910 1911 /** 1912 * tlsv1_client_encrypt - Encrypt data into TLS tunnel 1913 * @conn: TLSv1 client connection data from tlsv1_client_init() 1914 * @in_data: Pointer to plaintext data to be encrypted 1915 * @in_len: Input buffer length 1916 * @out_data: Pointer to output buffer (encrypted TLS data) 1917 * @out_len: Maximum out_data length 1918 * Returns: Number of bytes written to out_data, -1 on failure 1919 * 1920 * This function is used after TLS handshake has been completed successfully to 1921 * send data in the encrypted tunnel. 1922 */ 1923 int tlsv1_client_encrypt(struct tlsv1_client *conn, 1924 const u8 *in_data, size_t in_len, 1925 u8 *out_data, size_t out_len) 1926 { 1927 size_t rlen; 1928 1929 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 1930 in_data, in_len); 1931 1932 os_memcpy(out_data + TLS_RECORD_HEADER_LEN, in_data, in_len); 1933 1934 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 1935 out_data, out_len, in_len, &rlen) < 0) { 1936 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 1937 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1938 TLS_ALERT_INTERNAL_ERROR); 1939 return -1; 1940 } 1941 1942 return rlen; 1943 } 1944 1945 1946 /** 1947 * tlsv1_client_decrypt - Decrypt data from TLS tunnel 1948 * @conn: TLSv1 client connection data from tlsv1_client_init() 1949 * @in_data: Pointer to input buffer (encrypted TLS data) 1950 * @in_len: Input buffer length 1951 * @out_data: Pointer to output buffer (decrypted data from TLS tunnel) 1952 * @out_len: Maximum out_data length 1953 * Returns: Number of bytes written to out_data, -1 on failure 1954 * 1955 * This function is used after TLS handshake has been completed successfully to 1956 * receive data from the encrypted tunnel. 1957 */ 1958 int tlsv1_client_decrypt(struct tlsv1_client *conn, 1959 const u8 *in_data, size_t in_len, 1960 u8 *out_data, size_t out_len) 1961 { 1962 const u8 *in_end, *pos; 1963 int res; 1964 u8 alert, *out_end, *out_pos; 1965 size_t olen; 1966 1967 pos = in_data; 1968 in_end = in_data + in_len; 1969 out_pos = out_data; 1970 out_end = out_data + out_len; 1971 1972 while (pos < in_end) { 1973 if (pos[0] != TLS_CONTENT_TYPE_APPLICATION_DATA) { 1974 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 1975 "0x%x", pos[0]); 1976 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1977 TLS_ALERT_UNEXPECTED_MESSAGE); 1978 return -1; 1979 } 1980 1981 olen = out_end - out_pos; 1982 res = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 1983 out_pos, &olen, &alert); 1984 if (res < 0) { 1985 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 1986 "failed"); 1987 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 1988 return -1; 1989 } 1990 out_pos += olen; 1991 if (out_pos > out_end) { 1992 wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough " 1993 "for processing the received record"); 1994 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1995 TLS_ALERT_INTERNAL_ERROR); 1996 return -1; 1997 } 1998 1999 pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3); 2000 } 2001 2002 return out_pos - out_data; 2003 } 2004 2005 2006 /** 2007 * tlsv1_client_global_init - Initialize TLSv1 client 2008 * Returns: 0 on success, -1 on failure 2009 * 2010 * This function must be called before using any other TLSv1 client functions. 2011 */ 2012 int tlsv1_client_global_init(void) 2013 { 2014 return crypto_global_init(); 2015 } 2016 2017 2018 /** 2019 * tlsv1_client_global_deinit - Deinitialize TLSv1 client 2020 * 2021 * This function can be used to deinitialize the TLSv1 client that was 2022 * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions 2023 * can be called after this before calling tlsv1_client_global_init() again. 2024 */ 2025 void tlsv1_client_global_deinit(void) 2026 { 2027 crypto_global_deinit(); 2028 } 2029 2030 2031 static void tlsv1_client_free_verify_hashes(struct tlsv1_client *conn) 2032 { 2033 crypto_hash_finish(conn->verify_md5_client, NULL, NULL); 2034 crypto_hash_finish(conn->verify_md5_server, NULL, NULL); 2035 crypto_hash_finish(conn->verify_md5_cert, NULL, NULL); 2036 crypto_hash_finish(conn->verify_sha1_client, NULL, NULL); 2037 crypto_hash_finish(conn->verify_sha1_server, NULL, NULL); 2038 crypto_hash_finish(conn->verify_sha1_cert, NULL, NULL); 2039 conn->verify_md5_client = NULL; 2040 conn->verify_md5_server = NULL; 2041 conn->verify_md5_cert = NULL; 2042 conn->verify_sha1_client = NULL; 2043 conn->verify_sha1_server = NULL; 2044 conn->verify_sha1_cert = NULL; 2045 } 2046 2047 2048 static int tlsv1_client_init_verify_hashes(struct tlsv1_client *conn) 2049 { 2050 conn->verify_md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 2051 0); 2052 conn->verify_md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 2053 0); 2054 conn->verify_md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 2055 conn->verify_sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 2056 0); 2057 conn->verify_sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 2058 0); 2059 conn->verify_sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 2060 0); 2061 if (conn->verify_md5_client == NULL || 2062 conn->verify_md5_server == NULL || 2063 conn->verify_md5_cert == NULL || 2064 conn->verify_sha1_client == NULL || 2065 conn->verify_sha1_server == NULL || 2066 conn->verify_sha1_cert == NULL) { 2067 tlsv1_client_free_verify_hashes(conn); 2068 return -1; 2069 } 2070 return 0; 2071 } 2072 2073 2074 /** 2075 * tlsv1_client_init - Initialize TLSv1 client connection 2076 * Returns: Pointer to TLSv1 client connection data or %NULL on failure 2077 */ 2078 struct tlsv1_client * tlsv1_client_init(void) 2079 { 2080 struct tlsv1_client *conn; 2081 size_t count; 2082 u16 *suites; 2083 2084 conn = os_zalloc(sizeof(*conn)); 2085 if (conn == NULL) 2086 return NULL; 2087 2088 conn->state = CLIENT_HELLO; 2089 2090 if (tlsv1_client_init_verify_hashes(conn) < 0) { 2091 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 2092 "hash"); 2093 os_free(conn); 2094 return NULL; 2095 } 2096 2097 count = 0; 2098 suites = conn->cipher_suites; 2099 #ifndef CONFIG_CRYPTO_INTERNAL 2100 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 2101 #endif /* CONFIG_CRYPTO_INTERNAL */ 2102 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 2103 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 2104 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 2105 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 2106 conn->num_cipher_suites = count; 2107 2108 return conn; 2109 } 2110 2111 2112 /** 2113 * tlsv1_client_deinit - Deinitialize TLSv1 client connection 2114 * @conn: TLSv1 client connection data from tlsv1_client_init() 2115 */ 2116 void tlsv1_client_deinit(struct tlsv1_client *conn) 2117 { 2118 crypto_public_key_free(conn->server_rsa_key); 2119 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 2120 tlsv1_record_change_write_cipher(&conn->rl); 2121 tlsv1_record_change_read_cipher(&conn->rl); 2122 tlsv1_client_free_verify_hashes(conn); 2123 os_free(conn->client_hello_ext); 2124 tlsv1_client_free_dh(conn); 2125 x509_certificate_chain_free(conn->trusted_certs); 2126 x509_certificate_chain_free(conn->client_cert); 2127 crypto_private_key_free(conn->client_key); 2128 os_free(conn); 2129 } 2130 2131 2132 /** 2133 * tlsv1_client_established - Check whether connection has been established 2134 * @conn: TLSv1 client connection data from tlsv1_client_init() 2135 * Returns: 1 if connection is established, 0 if not 2136 */ 2137 int tlsv1_client_established(struct tlsv1_client *conn) 2138 { 2139 return conn->state == ESTABLISHED; 2140 } 2141 2142 2143 /** 2144 * tlsv1_client_prf - Use TLS-PRF to derive keying material 2145 * @conn: TLSv1 client connection data from tlsv1_client_init() 2146 * @label: Label (e.g., description of the key) for PRF 2147 * @server_random_first: seed is 0 = client_random|server_random, 2148 * 1 = server_random|client_random 2149 * @out: Buffer for output data from TLS-PRF 2150 * @out_len: Length of the output buffer 2151 * Returns: 0 on success, -1 on failure 2152 */ 2153 int tlsv1_client_prf(struct tlsv1_client *conn, const char *label, 2154 int server_random_first, u8 *out, size_t out_len) 2155 { 2156 u8 seed[2 * TLS_RANDOM_LEN]; 2157 2158 if (conn->state != ESTABLISHED) 2159 return -1; 2160 2161 if (server_random_first) { 2162 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 2163 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 2164 TLS_RANDOM_LEN); 2165 } else { 2166 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 2167 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 2168 TLS_RANDOM_LEN); 2169 } 2170 2171 return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 2172 label, seed, 2 * TLS_RANDOM_LEN, out, out_len); 2173 } 2174 2175 2176 /** 2177 * tlsv1_client_get_cipher - Get current cipher name 2178 * @conn: TLSv1 client connection data from tlsv1_client_init() 2179 * @buf: Buffer for the cipher name 2180 * @buflen: buf size 2181 * Returns: 0 on success, -1 on failure 2182 * 2183 * Get the name of the currently used cipher. 2184 */ 2185 int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf, 2186 size_t buflen) 2187 { 2188 char *cipher; 2189 2190 switch (conn->rl.cipher_suite) { 2191 case TLS_RSA_WITH_RC4_128_MD5: 2192 cipher = "RC4-MD5"; 2193 break; 2194 case TLS_RSA_WITH_RC4_128_SHA: 2195 cipher = "RC4-SHA"; 2196 break; 2197 case TLS_RSA_WITH_DES_CBC_SHA: 2198 cipher = "DES-CBC-SHA"; 2199 break; 2200 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 2201 cipher = "DES-CBC3-SHA"; 2202 break; 2203 default: 2204 return -1; 2205 } 2206 2207 os_snprintf(buf, buflen, "%s", cipher); 2208 return 0; 2209 } 2210 2211 2212 /** 2213 * tlsv1_client_shutdown - Shutdown TLS connection 2214 * @conn: TLSv1 client connection data from tlsv1_client_init() 2215 * Returns: 0 on success, -1 on failure 2216 */ 2217 int tlsv1_client_shutdown(struct tlsv1_client *conn) 2218 { 2219 conn->state = CLIENT_HELLO; 2220 2221 tlsv1_client_free_verify_hashes(conn); 2222 if (tlsv1_client_init_verify_hashes(conn) < 0) { 2223 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 2224 "hash"); 2225 return -1; 2226 } 2227 2228 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 2229 tlsv1_record_change_write_cipher(&conn->rl); 2230 tlsv1_record_change_read_cipher(&conn->rl); 2231 2232 conn->certificate_requested = 0; 2233 crypto_public_key_free(conn->server_rsa_key); 2234 conn->server_rsa_key = NULL; 2235 conn->session_resumed = 0; 2236 2237 return 0; 2238 } 2239 2240 2241 /** 2242 * tlsv1_client_resumed - Was session resumption used 2243 * @conn: TLSv1 client connection data from tlsv1_client_init() 2244 * Returns: 1 if current session used session resumption, 0 if not 2245 */ 2246 int tlsv1_client_resumed(struct tlsv1_client *conn) 2247 { 2248 return !!conn->session_resumed; 2249 } 2250 2251 2252 /** 2253 * tlsv1_client_hello_ext - Set TLS extension for ClientHello 2254 * @conn: TLSv1 client connection data from tlsv1_client_init() 2255 * @ext_type: Extension type 2256 * @data: Extension payload (%NULL to remove extension) 2257 * @data_len: Extension payload length 2258 * Returns: 0 on success, -1 on failure 2259 */ 2260 int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type, 2261 const u8 *data, size_t data_len) 2262 { 2263 u8 *pos; 2264 2265 conn->ticket = 0; 2266 os_free(conn->client_hello_ext); 2267 conn->client_hello_ext = NULL; 2268 conn->client_hello_ext_len = 0; 2269 2270 if (data == NULL || data_len == 0) 2271 return 0; 2272 2273 pos = conn->client_hello_ext = os_malloc(6 + data_len); 2274 if (pos == NULL) 2275 return -1; 2276 2277 WPA_PUT_BE16(pos, 4 + data_len); 2278 pos += 2; 2279 WPA_PUT_BE16(pos, ext_type); 2280 pos += 2; 2281 WPA_PUT_BE16(pos, data_len); 2282 pos += 2; 2283 os_memcpy(pos, data, data_len); 2284 conn->client_hello_ext_len = 6 + data_len; 2285 2286 if (ext_type == TLS_EXT_PAC_OPAQUE) { 2287 conn->ticket = 1; 2288 wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket"); 2289 } 2290 2291 return 0; 2292 } 2293 2294 2295 /** 2296 * tlsv1_client_get_keys - Get master key and random data from TLS connection 2297 * @conn: TLSv1 client connection data from tlsv1_client_init() 2298 * @keys: Structure of key/random data (filled on success) 2299 * Returns: 0 on success, -1 on failure 2300 */ 2301 int tlsv1_client_get_keys(struct tlsv1_client *conn, struct tls_keys *keys) 2302 { 2303 os_memset(keys, 0, sizeof(*keys)); 2304 if (conn->state == CLIENT_HELLO) 2305 return -1; 2306 2307 keys->client_random = conn->client_random; 2308 keys->client_random_len = TLS_RANDOM_LEN; 2309 2310 if (conn->state != SERVER_HELLO) { 2311 keys->server_random = conn->server_random; 2312 keys->server_random_len = TLS_RANDOM_LEN; 2313 keys->master_key = conn->master_secret; 2314 keys->master_key_len = TLS_MASTER_SECRET_LEN; 2315 } 2316 2317 return 0; 2318 } 2319 2320 2321 /** 2322 * tlsv1_client_set_master_key - Configure master secret for TLS connection 2323 * @conn: TLSv1 client connection data from tlsv1_client_init() 2324 * @key: TLS pre-master-secret 2325 * @key_len: length of key in bytes 2326 * Returns: 0 on success, -1 on failure 2327 */ 2328 int tlsv1_client_set_master_key(struct tlsv1_client *conn, 2329 const u8 *key, size_t key_len) 2330 { 2331 if (key_len > TLS_MASTER_SECRET_LEN) 2332 return -1; 2333 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret from session " 2334 "ticket", key, key_len); 2335 os_memcpy(conn->master_secret, key, key_len); 2336 conn->ticket_key = 1; 2337 2338 return 0; 2339 } 2340 2341 2342 /** 2343 * tlsv1_client_get_keyblock_size - Get TLS key_block size 2344 * @conn: TLSv1 client connection data from tlsv1_client_init() 2345 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 2346 * failure 2347 */ 2348 int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn) 2349 { 2350 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 2351 return -1; 2352 2353 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 2354 conn->rl.iv_size); 2355 } 2356 2357 2358 /** 2359 * tlsv1_client_set_cipher_list - Configure acceptable cipher suites 2360 * @conn: TLSv1 client connection data from tlsv1_client_init() 2361 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 2362 * (TLS_CIPHER_*). 2363 * Returns: 0 on success, -1 on failure 2364 */ 2365 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) 2366 { 2367 #ifdef EAP_FAST 2368 size_t count; 2369 u16 *suites; 2370 2371 /* TODO: implement proper configuration of cipher suites */ 2372 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 2373 count = 0; 2374 suites = conn->cipher_suites; 2375 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 2376 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 2377 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 2378 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 2379 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 2380 conn->num_cipher_suites = count; 2381 } 2382 2383 return 0; 2384 #else /* EAP_FAST */ 2385 return -1; 2386 #endif /* EAP_FAST */ 2387 } 2388 2389 2390 static int tlsv1_client_add_cert_der(struct x509_certificate **chain, 2391 const u8 *buf, size_t len) 2392 { 2393 struct x509_certificate *cert; 2394 char name[128]; 2395 2396 cert = x509_certificate_parse(buf, len); 2397 if (cert == NULL) { 2398 wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate", 2399 __func__); 2400 return -1; 2401 } 2402 2403 cert->next = *chain; 2404 *chain = cert; 2405 2406 x509_name_string(&cert->subject, name, sizeof(name)); 2407 wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name); 2408 2409 return 0; 2410 } 2411 2412 2413 static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----"; 2414 static const char *pem_cert_end = "-----END CERTIFICATE-----"; 2415 2416 2417 static const u8 * search_tag(const char *tag, const u8 *buf, size_t len) 2418 { 2419 size_t i, plen; 2420 2421 plen = os_strlen(tag); 2422 if (len < plen) 2423 return NULL; 2424 2425 for (i = 0; i < len - plen; i++) { 2426 if (os_memcmp(buf + i, tag, plen) == 0) 2427 return buf + i; 2428 } 2429 2430 return NULL; 2431 } 2432 2433 2434 static int tlsv1_client_add_cert(struct x509_certificate **chain, 2435 const u8 *buf, size_t len) 2436 { 2437 const u8 *pos, *end; 2438 unsigned char *der; 2439 size_t der_len; 2440 2441 pos = search_tag(pem_cert_begin, buf, len); 2442 if (!pos) { 2443 wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - " 2444 "assume DER format"); 2445 return tlsv1_client_add_cert_der(chain, buf, len); 2446 } 2447 2448 wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into " 2449 "DER format"); 2450 2451 while (pos) { 2452 pos += os_strlen(pem_cert_begin); 2453 end = search_tag(pem_cert_end, pos, buf + len - pos); 2454 if (end == NULL) { 2455 wpa_printf(MSG_INFO, "TLSv1: Could not find PEM " 2456 "certificate end tag (%s)", pem_cert_end); 2457 return -1; 2458 } 2459 2460 der = base64_decode(pos, end - pos, &der_len); 2461 if (der == NULL) { 2462 wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM " 2463 "certificate"); 2464 return -1; 2465 } 2466 2467 if (tlsv1_client_add_cert_der(chain, der, der_len) < 0) { 2468 wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM " 2469 "certificate after DER conversion"); 2470 os_free(der); 2471 return -1; 2472 } 2473 2474 os_free(der); 2475 2476 end += os_strlen(pem_cert_end); 2477 pos = search_tag(pem_cert_begin, end, buf + len - end); 2478 } 2479 2480 return 0; 2481 } 2482 2483 2484 static int tlsv1_client_set_cert_chain(struct x509_certificate **chain, 2485 const char *cert, const u8 *cert_blob, 2486 size_t cert_blob_len) 2487 { 2488 if (cert_blob) 2489 return tlsv1_client_add_cert(chain, cert_blob, cert_blob_len); 2490 2491 if (cert) { 2492 u8 *buf; 2493 size_t len; 2494 int ret; 2495 2496 buf = (u8 *) os_readfile(cert, &len); 2497 if (buf == NULL) { 2498 wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", 2499 cert); 2500 return -1; 2501 } 2502 2503 ret = tlsv1_client_add_cert(chain, buf, len); 2504 os_free(buf); 2505 return ret; 2506 } 2507 2508 return 0; 2509 } 2510 2511 2512 /** 2513 * tlsv1_client_set_ca_cert - Set trusted CA certificate(s) 2514 * @conn: TLSv1 client connection data from tlsv1_client_init() 2515 * @cert: File or reference name for X.509 certificate in PEM or DER format 2516 * @cert_blob: cert as inlined data or %NULL if not used 2517 * @cert_blob_len: ca_cert_blob length 2518 * @path: Path to CA certificates (not yet supported) 2519 * Returns: 0 on success, -1 on failure 2520 */ 2521 int tlsv1_client_set_ca_cert(struct tlsv1_client *conn, const char *cert, 2522 const u8 *cert_blob, size_t cert_blob_len, 2523 const char *path) 2524 { 2525 if (tlsv1_client_set_cert_chain(&conn->trusted_certs, cert, 2526 cert_blob, cert_blob_len) < 0) 2527 return -1; 2528 2529 if (path) { 2530 /* TODO: add support for reading number of certificate files */ 2531 wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory " 2532 "not yet supported"); 2533 return -1; 2534 } 2535 2536 return 0; 2537 } 2538 2539 2540 /** 2541 * tlsv1_client_set_client_cert - Set client certificate 2542 * @conn: TLSv1 client connection data from tlsv1_client_init() 2543 * @cert: File or reference name for X.509 certificate in PEM or DER format 2544 * @cert_blob: cert as inlined data or %NULL if not used 2545 * @cert_blob_len: ca_cert_blob length 2546 * Returns: 0 on success, -1 on failure 2547 */ 2548 int tlsv1_client_set_client_cert(struct tlsv1_client *conn, const char *cert, 2549 const u8 *cert_blob, size_t cert_blob_len) 2550 { 2551 return tlsv1_client_set_cert_chain(&conn->client_cert, cert, 2552 cert_blob, cert_blob_len); 2553 } 2554 2555 2556 static int tlsv1_client_set_key(struct tlsv1_client *conn, 2557 const u8 *key, size_t len) 2558 { 2559 conn->client_key = crypto_private_key_import(key, len); 2560 if (conn->client_key == NULL) { 2561 wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key"); 2562 return -1; 2563 } 2564 return 0; 2565 } 2566 2567 2568 /** 2569 * tlsv1_client_set_private_key - Set client private key 2570 * @conn: TLSv1 client connection data from tlsv1_client_init() 2571 * @private_key: File or reference name for the key in PEM or DER format 2572 * @private_key_passwd: Passphrase for decrypted private key, %NULL if no 2573 * passphrase is used. 2574 * @private_key_blob: private_key as inlined data or %NULL if not used 2575 * @private_key_blob_len: private_key_blob length 2576 * Returns: 0 on success, -1 on failure 2577 */ 2578 int tlsv1_client_set_private_key(struct tlsv1_client *conn, 2579 const char *private_key, 2580 const char *private_key_passwd, 2581 const u8 *private_key_blob, 2582 size_t private_key_blob_len) 2583 { 2584 crypto_private_key_free(conn->client_key); 2585 conn->client_key = NULL; 2586 2587 if (private_key_blob) 2588 return tlsv1_client_set_key(conn, private_key_blob, 2589 private_key_blob_len); 2590 2591 if (private_key) { 2592 u8 *buf; 2593 size_t len; 2594 int ret; 2595 2596 buf = (u8 *) os_readfile(private_key, &len); 2597 if (buf == NULL) { 2598 wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", 2599 private_key); 2600 return -1; 2601 } 2602 2603 ret = tlsv1_client_set_key(conn, buf, len); 2604 os_free(buf); 2605 return ret; 2606 } 2607 2608 return 0; 2609 } 2610
