1 /* 2 * TLS v1.0/v1.1/v1.2 client (RFC 2246, RFC 4346, RFC 5246) 3 * Copyright (c) 2006-2011, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "tlsv1_common.h" 15 #include "tlsv1_record.h" 16 #include "tlsv1_client.h" 17 #include "tlsv1_client_i.h" 18 19 /* TODO: 20 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 21 */ 22 23 24 void tls_alert(struct tlsv1_client *conn, u8 level, u8 description) 25 { 26 conn->alert_level = level; 27 conn->alert_description = description; 28 } 29 30 31 void tlsv1_client_free_dh(struct tlsv1_client *conn) 32 { 33 os_free(conn->dh_p); 34 os_free(conn->dh_g); 35 os_free(conn->dh_ys); 36 conn->dh_p = conn->dh_g = conn->dh_ys = NULL; 37 } 38 39 40 int tls_derive_pre_master_secret(u8 *pre_master_secret) 41 { 42 WPA_PUT_BE16(pre_master_secret, TLS_VERSION); 43 if (os_get_random(pre_master_secret + 2, 44 TLS_PRE_MASTER_SECRET_LEN - 2)) 45 return -1; 46 return 0; 47 } 48 49 50 int tls_derive_keys(struct tlsv1_client *conn, 51 const u8 *pre_master_secret, size_t pre_master_secret_len) 52 { 53 u8 seed[2 * TLS_RANDOM_LEN]; 54 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 55 u8 *pos; 56 size_t key_block_len; 57 58 if (pre_master_secret) { 59 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 60 pre_master_secret, pre_master_secret_len); 61 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 62 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 63 TLS_RANDOM_LEN); 64 if (tls_prf(conn->rl.tls_version, 65 pre_master_secret, pre_master_secret_len, 66 "master secret", seed, 2 * TLS_RANDOM_LEN, 67 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 68 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 69 "master_secret"); 70 return -1; 71 } 72 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 73 conn->master_secret, TLS_MASTER_SECRET_LEN); 74 } 75 76 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 77 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 78 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len); 79 if (conn->rl.tls_version == TLS_VERSION_1) 80 key_block_len += 2 * conn->rl.iv_size; 81 if (tls_prf(conn->rl.tls_version, 82 conn->master_secret, TLS_MASTER_SECRET_LEN, 83 "key expansion", seed, 2 * TLS_RANDOM_LEN, 84 key_block, key_block_len)) { 85 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 86 return -1; 87 } 88 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 89 key_block, key_block_len); 90 91 pos = key_block; 92 93 /* client_write_MAC_secret */ 94 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 95 pos += conn->rl.hash_size; 96 /* server_write_MAC_secret */ 97 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 98 pos += conn->rl.hash_size; 99 100 /* client_write_key */ 101 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 102 pos += conn->rl.key_material_len; 103 /* server_write_key */ 104 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 105 pos += conn->rl.key_material_len; 106 107 if (conn->rl.tls_version == TLS_VERSION_1) { 108 /* client_write_IV */ 109 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 110 pos += conn->rl.iv_size; 111 /* server_write_IV */ 112 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 113 pos += conn->rl.iv_size; 114 } else { 115 /* 116 * Use IV field to set the mask value for TLS v1.1. A fixed 117 * mask of zero is used per the RFC 4346, 6.2.3.2 CBC Block 118 * Cipher option 2a. 119 */ 120 os_memset(conn->rl.write_iv, 0, conn->rl.iv_size); 121 } 122 123 return 0; 124 } 125 126 127 /** 128 * tlsv1_client_handshake - Process TLS handshake 129 * @conn: TLSv1 client connection data from tlsv1_client_init() 130 * @in_data: Input data from TLS peer 131 * @in_len: Input data length 132 * @out_len: Length of the output buffer. 133 * @appl_data: Pointer to application data pointer, or %NULL if dropped 134 * @appl_data_len: Pointer to variable that is set to appl_data length 135 * @need_more_data: Set to 1 if more data would be needed to complete 136 * processing 137 * Returns: Pointer to output data, %NULL on failure 138 */ 139 u8 * tlsv1_client_handshake(struct tlsv1_client *conn, 140 const u8 *in_data, size_t in_len, 141 size_t *out_len, u8 **appl_data, 142 size_t *appl_data_len, int *need_more_data) 143 { 144 const u8 *pos, *end; 145 u8 *msg = NULL, *in_msg = NULL, *in_pos, *in_end, alert, ct; 146 size_t in_msg_len; 147 int no_appl_data; 148 int used; 149 150 if (need_more_data) 151 *need_more_data = 0; 152 153 if (conn->state == CLIENT_HELLO) { 154 if (in_len) 155 return NULL; 156 return tls_send_client_hello(conn, out_len); 157 } 158 159 if (conn->partial_input) { 160 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 161 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 162 "memory for pending record"); 163 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 164 TLS_ALERT_INTERNAL_ERROR); 165 goto failed; 166 } 167 wpabuf_put_data(conn->partial_input, in_data, in_len); 168 in_data = wpabuf_head(conn->partial_input); 169 in_len = wpabuf_len(conn->partial_input); 170 } 171 172 if (in_data == NULL || in_len == 0) 173 return NULL; 174 175 pos = in_data; 176 end = in_data + in_len; 177 in_msg = os_malloc(in_len); 178 if (in_msg == NULL) 179 return NULL; 180 181 /* Each received packet may include multiple records */ 182 while (pos < end) { 183 in_msg_len = in_len; 184 used = tlsv1_record_receive(&conn->rl, pos, end - pos, 185 in_msg, &in_msg_len, &alert); 186 if (used < 0) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 188 "record failed"); 189 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 190 goto failed; 191 } 192 if (used == 0) { 193 struct wpabuf *partial; 194 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 195 partial = wpabuf_alloc_copy(pos, end - pos); 196 wpabuf_free(conn->partial_input); 197 conn->partial_input = partial; 198 if (conn->partial_input == NULL) { 199 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 200 "allocate memory for pending " 201 "record"); 202 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 203 TLS_ALERT_INTERNAL_ERROR); 204 goto failed; 205 } 206 os_free(in_msg); 207 if (need_more_data) 208 *need_more_data = 1; 209 return NULL; 210 } 211 ct = pos[0]; 212 213 in_pos = in_msg; 214 in_end = in_msg + in_msg_len; 215 216 /* Each received record may include multiple messages of the 217 * same ContentType. */ 218 while (in_pos < in_end) { 219 in_msg_len = in_end - in_pos; 220 if (tlsv1_client_process_handshake(conn, ct, in_pos, 221 &in_msg_len, 222 appl_data, 223 appl_data_len) < 0) 224 goto failed; 225 in_pos += in_msg_len; 226 } 227 228 pos += used; 229 } 230 231 os_free(in_msg); 232 in_msg = NULL; 233 234 no_appl_data = appl_data == NULL || *appl_data == NULL; 235 msg = tlsv1_client_handshake_write(conn, out_len, no_appl_data); 236 237 failed: 238 os_free(in_msg); 239 if (conn->alert_level) { 240 wpabuf_free(conn->partial_input); 241 conn->partial_input = NULL; 242 conn->state = FAILED; 243 os_free(msg); 244 msg = tlsv1_client_send_alert(conn, conn->alert_level, 245 conn->alert_description, 246 out_len); 247 } else if (msg == NULL) { 248 msg = os_zalloc(1); 249 *out_len = 0; 250 } 251 252 if (need_more_data == NULL || !(*need_more_data)) { 253 wpabuf_free(conn->partial_input); 254 conn->partial_input = NULL; 255 } 256 257 return msg; 258 } 259 260 261 /** 262 * tlsv1_client_encrypt - Encrypt data into TLS tunnel 263 * @conn: TLSv1 client connection data from tlsv1_client_init() 264 * @in_data: Pointer to plaintext data to be encrypted 265 * @in_len: Input buffer length 266 * @out_data: Pointer to output buffer (encrypted TLS data) 267 * @out_len: Maximum out_data length 268 * Returns: Number of bytes written to out_data, -1 on failure 269 * 270 * This function is used after TLS handshake has been completed successfully to 271 * send data in the encrypted tunnel. 272 */ 273 int tlsv1_client_encrypt(struct tlsv1_client *conn, 274 const u8 *in_data, size_t in_len, 275 u8 *out_data, size_t out_len) 276 { 277 size_t rlen; 278 279 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 280 in_data, in_len); 281 282 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 283 out_data, out_len, in_data, in_len, &rlen) < 0) { 284 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_INTERNAL_ERROR); 287 return -1; 288 } 289 290 return rlen; 291 } 292 293 294 /** 295 * tlsv1_client_decrypt - Decrypt data from TLS tunnel 296 * @conn: TLSv1 client connection data from tlsv1_client_init() 297 * @in_data: Pointer to input buffer (encrypted TLS data) 298 * @in_len: Input buffer length 299 * @need_more_data: Set to 1 if more data would be needed to complete 300 * processing 301 * Returns: Decrypted data or %NULL on failure 302 * 303 * This function is used after TLS handshake has been completed successfully to 304 * receive data from the encrypted tunnel. 305 */ 306 struct wpabuf * tlsv1_client_decrypt(struct tlsv1_client *conn, 307 const u8 *in_data, size_t in_len, 308 int *need_more_data) 309 { 310 const u8 *in_end, *pos; 311 int used; 312 u8 alert, *out_pos, ct; 313 size_t olen; 314 struct wpabuf *buf = NULL; 315 316 if (need_more_data) 317 *need_more_data = 0; 318 319 if (conn->partial_input) { 320 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 322 "memory for pending record"); 323 alert = TLS_ALERT_INTERNAL_ERROR; 324 goto fail; 325 } 326 wpabuf_put_data(conn->partial_input, in_data, in_len); 327 in_data = wpabuf_head(conn->partial_input); 328 in_len = wpabuf_len(conn->partial_input); 329 } 330 331 pos = in_data; 332 in_end = in_data + in_len; 333 334 while (pos < in_end) { 335 ct = pos[0]; 336 if (wpabuf_resize(&buf, in_end - pos) < 0) { 337 alert = TLS_ALERT_INTERNAL_ERROR; 338 goto fail; 339 } 340 out_pos = wpabuf_put(buf, 0); 341 olen = wpabuf_tailroom(buf); 342 used = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 343 out_pos, &olen, &alert); 344 if (used < 0) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 346 "failed"); 347 goto fail; 348 } 349 if (used == 0) { 350 struct wpabuf *partial; 351 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 352 partial = wpabuf_alloc_copy(pos, in_end - pos); 353 wpabuf_free(conn->partial_input); 354 conn->partial_input = partial; 355 if (conn->partial_input == NULL) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 357 "allocate memory for pending " 358 "record"); 359 alert = TLS_ALERT_INTERNAL_ERROR; 360 goto fail; 361 } 362 if (need_more_data) 363 *need_more_data = 1; 364 return buf; 365 } 366 367 if (ct == TLS_CONTENT_TYPE_ALERT) { 368 if (olen < 2) { 369 wpa_printf(MSG_DEBUG, "TLSv1: Alert " 370 "underflow"); 371 alert = TLS_ALERT_DECODE_ERROR; 372 goto fail; 373 } 374 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 375 out_pos[0], out_pos[1]); 376 if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) { 377 /* Continue processing */ 378 pos += used; 379 continue; 380 } 381 382 alert = out_pos[1]; 383 goto fail; 384 } 385 386 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 388 "0x%x when decrypting application data", 389 pos[0]); 390 alert = TLS_ALERT_UNEXPECTED_MESSAGE; 391 goto fail; 392 } 393 394 wpabuf_put(buf, olen); 395 396 pos += used; 397 } 398 399 wpabuf_free(conn->partial_input); 400 conn->partial_input = NULL; 401 return buf; 402 403 fail: 404 wpabuf_free(buf); 405 wpabuf_free(conn->partial_input); 406 conn->partial_input = NULL; 407 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 408 return NULL; 409 } 410 411 412 /** 413 * tlsv1_client_global_init - Initialize TLSv1 client 414 * Returns: 0 on success, -1 on failure 415 * 416 * This function must be called before using any other TLSv1 client functions. 417 */ 418 int tlsv1_client_global_init(void) 419 { 420 return crypto_global_init(); 421 } 422 423 424 /** 425 * tlsv1_client_global_deinit - Deinitialize TLSv1 client 426 * 427 * This function can be used to deinitialize the TLSv1 client that was 428 * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions 429 * can be called after this before calling tlsv1_client_global_init() again. 430 */ 431 void tlsv1_client_global_deinit(void) 432 { 433 crypto_global_deinit(); 434 } 435 436 437 /** 438 * tlsv1_client_init - Initialize TLSv1 client connection 439 * Returns: Pointer to TLSv1 client connection data or %NULL on failure 440 */ 441 struct tlsv1_client * tlsv1_client_init(void) 442 { 443 struct tlsv1_client *conn; 444 size_t count; 445 u16 *suites; 446 447 conn = os_zalloc(sizeof(*conn)); 448 if (conn == NULL) 449 return NULL; 450 451 conn->state = CLIENT_HELLO; 452 453 if (tls_verify_hash_init(&conn->verify) < 0) { 454 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 455 "hash"); 456 os_free(conn); 457 return NULL; 458 } 459 460 count = 0; 461 suites = conn->cipher_suites; 462 #ifndef CONFIG_CRYPTO_INTERNAL 463 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256; 464 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 465 #endif /* CONFIG_CRYPTO_INTERNAL */ 466 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256; 467 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 468 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 469 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 470 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 471 conn->num_cipher_suites = count; 472 473 conn->rl.tls_version = TLS_VERSION; 474 475 return conn; 476 } 477 478 479 /** 480 * tlsv1_client_deinit - Deinitialize TLSv1 client connection 481 * @conn: TLSv1 client connection data from tlsv1_client_init() 482 */ 483 void tlsv1_client_deinit(struct tlsv1_client *conn) 484 { 485 crypto_public_key_free(conn->server_rsa_key); 486 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 487 tlsv1_record_change_write_cipher(&conn->rl); 488 tlsv1_record_change_read_cipher(&conn->rl); 489 tls_verify_hash_free(&conn->verify); 490 os_free(conn->client_hello_ext); 491 tlsv1_client_free_dh(conn); 492 tlsv1_cred_free(conn->cred); 493 wpabuf_free(conn->partial_input); 494 os_free(conn); 495 } 496 497 498 /** 499 * tlsv1_client_established - Check whether connection has been established 500 * @conn: TLSv1 client connection data from tlsv1_client_init() 501 * Returns: 1 if connection is established, 0 if not 502 */ 503 int tlsv1_client_established(struct tlsv1_client *conn) 504 { 505 return conn->state == ESTABLISHED; 506 } 507 508 509 /** 510 * tlsv1_client_prf - Use TLS-PRF to derive keying material 511 * @conn: TLSv1 client connection data from tlsv1_client_init() 512 * @label: Label (e.g., description of the key) for PRF 513 * @server_random_first: seed is 0 = client_random|server_random, 514 * 1 = server_random|client_random 515 * @out: Buffer for output data from TLS-PRF 516 * @out_len: Length of the output buffer 517 * Returns: 0 on success, -1 on failure 518 */ 519 int tlsv1_client_prf(struct tlsv1_client *conn, const char *label, 520 int server_random_first, u8 *out, size_t out_len) 521 { 522 u8 seed[2 * TLS_RANDOM_LEN]; 523 524 if (conn->state != ESTABLISHED) 525 return -1; 526 527 if (server_random_first) { 528 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 529 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 530 TLS_RANDOM_LEN); 531 } else { 532 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 533 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 534 TLS_RANDOM_LEN); 535 } 536 537 return tls_prf(conn->rl.tls_version, 538 conn->master_secret, TLS_MASTER_SECRET_LEN, 539 label, seed, 2 * TLS_RANDOM_LEN, out, out_len); 540 } 541 542 543 /** 544 * tlsv1_client_get_cipher - Get current cipher name 545 * @conn: TLSv1 client connection data from tlsv1_client_init() 546 * @buf: Buffer for the cipher name 547 * @buflen: buf size 548 * Returns: 0 on success, -1 on failure 549 * 550 * Get the name of the currently used cipher. 551 */ 552 int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf, 553 size_t buflen) 554 { 555 char *cipher; 556 557 switch (conn->rl.cipher_suite) { 558 case TLS_RSA_WITH_RC4_128_MD5: 559 cipher = "RC4-MD5"; 560 break; 561 case TLS_RSA_WITH_RC4_128_SHA: 562 cipher = "RC4-SHA"; 563 break; 564 case TLS_RSA_WITH_DES_CBC_SHA: 565 cipher = "DES-CBC-SHA"; 566 break; 567 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 568 cipher = "DES-CBC3-SHA"; 569 break; 570 case TLS_DH_anon_WITH_AES_128_CBC_SHA256: 571 cipher = "ADH-AES-128-SHA256"; 572 break; 573 case TLS_DH_anon_WITH_AES_128_CBC_SHA: 574 cipher = "ADH-AES-128-SHA"; 575 break; 576 case TLS_RSA_WITH_AES_256_CBC_SHA: 577 cipher = "AES-256-SHA"; 578 break; 579 case TLS_RSA_WITH_AES_256_CBC_SHA256: 580 cipher = "AES-256-SHA256"; 581 break; 582 case TLS_RSA_WITH_AES_128_CBC_SHA: 583 cipher = "AES-128-SHA"; 584 break; 585 case TLS_RSA_WITH_AES_128_CBC_SHA256: 586 cipher = "AES-128-SHA256"; 587 break; 588 default: 589 return -1; 590 } 591 592 if (os_strlcpy(buf, cipher, buflen) >= buflen) 593 return -1; 594 return 0; 595 } 596 597 598 /** 599 * tlsv1_client_shutdown - Shutdown TLS connection 600 * @conn: TLSv1 client connection data from tlsv1_client_init() 601 * Returns: 0 on success, -1 on failure 602 */ 603 int tlsv1_client_shutdown(struct tlsv1_client *conn) 604 { 605 conn->state = CLIENT_HELLO; 606 607 if (tls_verify_hash_init(&conn->verify) < 0) { 608 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 609 "hash"); 610 return -1; 611 } 612 613 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 614 tlsv1_record_change_write_cipher(&conn->rl); 615 tlsv1_record_change_read_cipher(&conn->rl); 616 617 conn->certificate_requested = 0; 618 crypto_public_key_free(conn->server_rsa_key); 619 conn->server_rsa_key = NULL; 620 conn->session_resumed = 0; 621 622 return 0; 623 } 624 625 626 /** 627 * tlsv1_client_resumed - Was session resumption used 628 * @conn: TLSv1 client connection data from tlsv1_client_init() 629 * Returns: 1 if current session used session resumption, 0 if not 630 */ 631 int tlsv1_client_resumed(struct tlsv1_client *conn) 632 { 633 return !!conn->session_resumed; 634 } 635 636 637 /** 638 * tlsv1_client_hello_ext - Set TLS extension for ClientHello 639 * @conn: TLSv1 client connection data from tlsv1_client_init() 640 * @ext_type: Extension type 641 * @data: Extension payload (%NULL to remove extension) 642 * @data_len: Extension payload length 643 * Returns: 0 on success, -1 on failure 644 */ 645 int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type, 646 const u8 *data, size_t data_len) 647 { 648 u8 *pos; 649 650 conn->session_ticket_included = 0; 651 os_free(conn->client_hello_ext); 652 conn->client_hello_ext = NULL; 653 conn->client_hello_ext_len = 0; 654 655 if (data == NULL || data_len == 0) 656 return 0; 657 658 pos = conn->client_hello_ext = os_malloc(6 + data_len); 659 if (pos == NULL) 660 return -1; 661 662 WPA_PUT_BE16(pos, 4 + data_len); 663 pos += 2; 664 WPA_PUT_BE16(pos, ext_type); 665 pos += 2; 666 WPA_PUT_BE16(pos, data_len); 667 pos += 2; 668 os_memcpy(pos, data, data_len); 669 conn->client_hello_ext_len = 6 + data_len; 670 671 if (ext_type == TLS_EXT_PAC_OPAQUE) { 672 conn->session_ticket_included = 1; 673 wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket"); 674 } 675 676 return 0; 677 } 678 679 680 /** 681 * tlsv1_client_get_keys - Get master key and random data from TLS connection 682 * @conn: TLSv1 client connection data from tlsv1_client_init() 683 * @keys: Structure of key/random data (filled on success) 684 * Returns: 0 on success, -1 on failure 685 */ 686 int tlsv1_client_get_keys(struct tlsv1_client *conn, struct tls_keys *keys) 687 { 688 os_memset(keys, 0, sizeof(*keys)); 689 if (conn->state == CLIENT_HELLO) 690 return -1; 691 692 keys->client_random = conn->client_random; 693 keys->client_random_len = TLS_RANDOM_LEN; 694 695 if (conn->state != SERVER_HELLO) { 696 keys->server_random = conn->server_random; 697 keys->server_random_len = TLS_RANDOM_LEN; 698 keys->master_key = conn->master_secret; 699 keys->master_key_len = TLS_MASTER_SECRET_LEN; 700 } 701 702 return 0; 703 } 704 705 706 /** 707 * tlsv1_client_get_keyblock_size - Get TLS key_block size 708 * @conn: TLSv1 client connection data from tlsv1_client_init() 709 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 710 * failure 711 */ 712 int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn) 713 { 714 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 715 return -1; 716 717 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 718 conn->rl.iv_size); 719 } 720 721 722 /** 723 * tlsv1_client_set_cipher_list - Configure acceptable cipher suites 724 * @conn: TLSv1 client connection data from tlsv1_client_init() 725 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 726 * (TLS_CIPHER_*). 727 * Returns: 0 on success, -1 on failure 728 */ 729 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) 730 { 731 size_t count; 732 u16 *suites; 733 734 /* TODO: implement proper configuration of cipher suites */ 735 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 736 count = 0; 737 suites = conn->cipher_suites; 738 #ifndef CONFIG_CRYPTO_INTERNAL 739 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA256; 740 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 741 #endif /* CONFIG_CRYPTO_INTERNAL */ 742 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA256; 743 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 744 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 745 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 746 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 747 748 /* 749 * Cisco AP (at least 350 and 1200 series) local authentication 750 * server does not know how to search cipher suites from the 751 * list and seem to require that the last entry in the list is 752 * the one that it wants to use. However, TLS specification 753 * requires the list to be in the client preference order. As a 754 * workaround, add anon-DH AES-128-SHA1 again at the end of the 755 * list to allow the Cisco code to find it. 756 */ 757 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 758 conn->num_cipher_suites = count; 759 } 760 761 return 0; 762 } 763 764 765 /** 766 * tlsv1_client_set_cred - Set client credentials 767 * @conn: TLSv1 client connection data from tlsv1_client_init() 768 * @cred: Credentials from tlsv1_cred_alloc() 769 * Returns: 0 on success, -1 on failure 770 * 771 * On success, the client takes ownership of the credentials block and caller 772 * must not free it. On failure, caller is responsible for freeing the 773 * credential block. 774 */ 775 int tlsv1_client_set_cred(struct tlsv1_client *conn, 776 struct tlsv1_credentials *cred) 777 { 778 tlsv1_cred_free(conn->cred); 779 conn->cred = cred; 780 return 0; 781 } 782 783 784 void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled) 785 { 786 conn->disable_time_checks = !enabled; 787 } 788 789 790 void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn, 791 tlsv1_client_session_ticket_cb cb, 792 void *ctx) 793 { 794 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", 795 cb, ctx); 796 conn->session_ticket_cb = cb; 797 conn->session_ticket_cb_ctx = ctx; 798 } 799