1 /* 2 * TLS v1.0/v1.1/v1.2 client (RFC 2246, RFC 4346, RFC 5246) 3 * Copyright (c) 2006-2011, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "tlsv1_common.h" 15 #include "tlsv1_record.h" 16 #include "tlsv1_client.h" 17 #include "tlsv1_client_i.h" 18 19 /* TODO: 20 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 21 */ 22 23 24 void tls_alert(struct tlsv1_client *conn, u8 level, u8 description) 25 { 26 conn->alert_level = level; 27 conn->alert_description = description; 28 } 29 30 31 void tlsv1_client_free_dh(struct tlsv1_client *conn) 32 { 33 os_free(conn->dh_p); 34 os_free(conn->dh_g); 35 os_free(conn->dh_ys); 36 conn->dh_p = conn->dh_g = conn->dh_ys = NULL; 37 } 38 39 40 int tls_derive_pre_master_secret(u8 *pre_master_secret) 41 { 42 WPA_PUT_BE16(pre_master_secret, TLS_VERSION); 43 if (os_get_random(pre_master_secret + 2, 44 TLS_PRE_MASTER_SECRET_LEN - 2)) 45 return -1; 46 return 0; 47 } 48 49 50 int tls_derive_keys(struct tlsv1_client *conn, 51 const u8 *pre_master_secret, size_t pre_master_secret_len) 52 { 53 u8 seed[2 * TLS_RANDOM_LEN]; 54 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 55 u8 *pos; 56 size_t key_block_len; 57 58 if (pre_master_secret) { 59 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 60 pre_master_secret, pre_master_secret_len); 61 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 62 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 63 TLS_RANDOM_LEN); 64 if (tls_prf(conn->rl.tls_version, 65 pre_master_secret, pre_master_secret_len, 66 "master secret", seed, 2 * TLS_RANDOM_LEN, 67 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 68 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 69 "master_secret"); 70 return -1; 71 } 72 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 73 conn->master_secret, TLS_MASTER_SECRET_LEN); 74 } 75 76 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 77 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 78 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len); 79 if (conn->rl.tls_version == TLS_VERSION_1) 80 key_block_len += 2 * conn->rl.iv_size; 81 if (tls_prf(conn->rl.tls_version, 82 conn->master_secret, TLS_MASTER_SECRET_LEN, 83 "key expansion", seed, 2 * TLS_RANDOM_LEN, 84 key_block, key_block_len)) { 85 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 86 return -1; 87 } 88 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 89 key_block, key_block_len); 90 91 pos = key_block; 92 93 /* client_write_MAC_secret */ 94 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 95 pos += conn->rl.hash_size; 96 /* server_write_MAC_secret */ 97 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 98 pos += conn->rl.hash_size; 99 100 /* client_write_key */ 101 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 102 pos += conn->rl.key_material_len; 103 /* server_write_key */ 104 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 105 pos += conn->rl.key_material_len; 106 107 if (conn->rl.tls_version == TLS_VERSION_1) { 108 /* client_write_IV */ 109 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 110 pos += conn->rl.iv_size; 111 /* server_write_IV */ 112 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 113 pos += conn->rl.iv_size; 114 } else { 115 /* 116 * Use IV field to set the mask value for TLS v1.1. A fixed 117 * mask of zero is used per the RFC 4346, 6.2.3.2 CBC Block 118 * Cipher option 2a. 119 */ 120 os_memset(conn->rl.write_iv, 0, conn->rl.iv_size); 121 } 122 123 return 0; 124 } 125 126 127 /** 128 * tlsv1_client_handshake - Process TLS handshake 129 * @conn: TLSv1 client connection data from tlsv1_client_init() 130 * @in_data: Input data from TLS peer 131 * @in_len: Input data length 132 * @out_len: Length of the output buffer. 133 * @appl_data: Pointer to application data pointer, or %NULL if dropped 134 * @appl_data_len: Pointer to variable that is set to appl_data length 135 * @need_more_data: Set to 1 if more data would be needed to complete 136 * processing 137 * Returns: Pointer to output data, %NULL on failure 138 */ 139 u8 * tlsv1_client_handshake(struct tlsv1_client *conn, 140 const u8 *in_data, size_t in_len, 141 size_t *out_len, u8 **appl_data, 142 size_t *appl_data_len, int *need_more_data) 143 { 144 const u8 *pos, *end; 145 u8 *msg = NULL, *in_msg = NULL, *in_pos, *in_end, alert, ct; 146 size_t in_msg_len; 147 int no_appl_data; 148 int used; 149 150 if (need_more_data) 151 *need_more_data = 0; 152 153 if (conn->state == CLIENT_HELLO) { 154 if (in_len) 155 return NULL; 156 return tls_send_client_hello(conn, out_len); 157 } 158 159 if (conn->partial_input) { 160 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 161 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 162 "memory for pending record"); 163 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 164 TLS_ALERT_INTERNAL_ERROR); 165 goto failed; 166 } 167 wpabuf_put_data(conn->partial_input, in_data, in_len); 168 in_data = wpabuf_head(conn->partial_input); 169 in_len = wpabuf_len(conn->partial_input); 170 } 171 172 if (in_data == NULL || in_len == 0) 173 return NULL; 174 175 pos = in_data; 176 end = in_data + in_len; 177 in_msg = os_malloc(in_len); 178 if (in_msg == NULL) 179 return NULL; 180 181 /* Each received packet may include multiple records */ 182 while (pos < end) { 183 in_msg_len = in_len; 184 used = tlsv1_record_receive(&conn->rl, pos, end - pos, 185 in_msg, &in_msg_len, &alert); 186 if (used < 0) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 188 "record failed"); 189 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 190 goto failed; 191 } 192 if (used == 0) { 193 struct wpabuf *partial; 194 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 195 partial = wpabuf_alloc_copy(pos, end - pos); 196 wpabuf_free(conn->partial_input); 197 conn->partial_input = partial; 198 if (conn->partial_input == NULL) { 199 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 200 "allocate memory for pending " 201 "record"); 202 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 203 TLS_ALERT_INTERNAL_ERROR); 204 goto failed; 205 } 206 os_free(in_msg); 207 if (need_more_data) 208 *need_more_data = 1; 209 return NULL; 210 } 211 ct = pos[0]; 212 213 in_pos = in_msg; 214 in_end = in_msg + in_msg_len; 215 216 /* Each received record may include multiple messages of the 217 * same ContentType. */ 218 while (in_pos < in_end) { 219 in_msg_len = in_end - in_pos; 220 if (tlsv1_client_process_handshake(conn, ct, in_pos, 221 &in_msg_len, 222 appl_data, 223 appl_data_len) < 0) 224 goto failed; 225 in_pos += in_msg_len; 226 } 227 228 pos += used; 229 } 230 231 os_free(in_msg); 232 in_msg = NULL; 233 234 no_appl_data = appl_data == NULL || *appl_data == NULL; 235 msg = tlsv1_client_handshake_write(conn, out_len, no_appl_data); 236 237 failed: 238 os_free(in_msg); 239 if (conn->alert_level) { 240 wpabuf_free(conn->partial_input); 241 conn->partial_input = NULL; 242 conn->state = FAILED; 243 os_free(msg); 244 msg = tlsv1_client_send_alert(conn, conn->alert_level, 245 conn->alert_description, 246 out_len); 247 } else if (msg == NULL) { 248 msg = os_zalloc(1); 249 *out_len = 0; 250 } 251 252 if (need_more_data == NULL || !(*need_more_data)) { 253 wpabuf_free(conn->partial_input); 254 conn->partial_input = NULL; 255 } 256 257 return msg; 258 } 259 260 261 /** 262 * tlsv1_client_encrypt - Encrypt data into TLS tunnel 263 * @conn: TLSv1 client connection data from tlsv1_client_init() 264 * @in_data: Pointer to plaintext data to be encrypted 265 * @in_len: Input buffer length 266 * @out_data: Pointer to output buffer (encrypted TLS data) 267 * @out_len: Maximum out_data length 268 * Returns: Number of bytes written to out_data, -1 on failure 269 * 270 * This function is used after TLS handshake has been completed successfully to 271 * send data in the encrypted tunnel. 272 */ 273 int tlsv1_client_encrypt(struct tlsv1_client *conn, 274 const u8 *in_data, size_t in_len, 275 u8 *out_data, size_t out_len) 276 { 277 size_t rlen; 278 279 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 280 in_data, in_len); 281 282 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 283 out_data, out_len, in_data, in_len, &rlen) < 0) { 284 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_INTERNAL_ERROR); 287 return -1; 288 } 289 290 return rlen; 291 } 292 293 294 /** 295 * tlsv1_client_decrypt - Decrypt data from TLS tunnel 296 * @conn: TLSv1 client connection data from tlsv1_client_init() 297 * @in_data: Pointer to input buffer (encrypted TLS data) 298 * @in_len: Input buffer length 299 * @need_more_data: Set to 1 if more data would be needed to complete 300 * processing 301 * Returns: Decrypted data or %NULL on failure 302 * 303 * This function is used after TLS handshake has been completed successfully to 304 * receive data from the encrypted tunnel. 305 */ 306 struct wpabuf * tlsv1_client_decrypt(struct tlsv1_client *conn, 307 const u8 *in_data, size_t in_len, 308 int *need_more_data) 309 { 310 const u8 *in_end, *pos; 311 int used; 312 u8 alert, *out_pos, ct; 313 size_t olen; 314 struct wpabuf *buf = NULL; 315 316 if (need_more_data) 317 *need_more_data = 0; 318 319 if (conn->partial_input) { 320 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 322 "memory for pending record"); 323 alert = TLS_ALERT_INTERNAL_ERROR; 324 goto fail; 325 } 326 wpabuf_put_data(conn->partial_input, in_data, in_len); 327 in_data = wpabuf_head(conn->partial_input); 328 in_len = wpabuf_len(conn->partial_input); 329 } 330 331 pos = in_data; 332 in_end = in_data + in_len; 333 334 while (pos < in_end) { 335 ct = pos[0]; 336 if (wpabuf_resize(&buf, in_end - pos) < 0) { 337 alert = TLS_ALERT_INTERNAL_ERROR; 338 goto fail; 339 } 340 out_pos = wpabuf_put(buf, 0); 341 olen = wpabuf_tailroom(buf); 342 used = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 343 out_pos, &olen, &alert); 344 if (used < 0) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 346 "failed"); 347 goto fail; 348 } 349 if (used == 0) { 350 struct wpabuf *partial; 351 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 352 partial = wpabuf_alloc_copy(pos, in_end - pos); 353 wpabuf_free(conn->partial_input); 354 conn->partial_input = partial; 355 if (conn->partial_input == NULL) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 357 "allocate memory for pending " 358 "record"); 359 alert = TLS_ALERT_INTERNAL_ERROR; 360 goto fail; 361 } 362 if (need_more_data) 363 *need_more_data = 1; 364 return buf; 365 } 366 367 if (ct == TLS_CONTENT_TYPE_ALERT) { 368 if (olen < 2) { 369 wpa_printf(MSG_DEBUG, "TLSv1: Alert " 370 "underflow"); 371 alert = TLS_ALERT_DECODE_ERROR; 372 goto fail; 373 } 374 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 375 out_pos[0], out_pos[1]); 376 if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) { 377 /* Continue processing */ 378 pos += used; 379 continue; 380 } 381 382 alert = out_pos[1]; 383 goto fail; 384 } 385 386 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 388 "0x%x when decrypting application data", 389 pos[0]); 390 alert = TLS_ALERT_UNEXPECTED_MESSAGE; 391 goto fail; 392 } 393 394 wpabuf_put(buf, olen); 395 396 pos += used; 397 } 398 399 wpabuf_free(conn->partial_input); 400 conn->partial_input = NULL; 401 return buf; 402 403 fail: 404 wpabuf_free(buf); 405 wpabuf_free(conn->partial_input); 406 conn->partial_input = NULL; 407 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 408 return NULL; 409 } 410 411 412 /** 413 * tlsv1_client_global_init - Initialize TLSv1 client 414 * Returns: 0 on success, -1 on failure 415 * 416 * This function must be called before using any other TLSv1 client functions. 417 */ 418 int tlsv1_client_global_init(void) 419 { 420 return crypto_global_init(); 421 } 422 423 424 /** 425 * tlsv1_client_global_deinit - Deinitialize TLSv1 client 426 * 427 * This function can be used to deinitialize the TLSv1 client that was 428 * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions 429 * can be called after this before calling tlsv1_client_global_init() again. 430 */ 431 void tlsv1_client_global_deinit(void) 432 { 433 crypto_global_deinit(); 434 } 435 436 437 /** 438 * tlsv1_client_init - Initialize TLSv1 client connection 439 * Returns: Pointer to TLSv1 client connection data or %NULL on failure 440 */ 441 struct tlsv1_client * tlsv1_client_init(void) 442 { 443 struct tlsv1_client *conn; 444 size_t count; 445 u16 *suites; 446 447 conn = os_zalloc(sizeof(*conn)); 448 if (conn == NULL) 449 return NULL; 450 451 conn->state = CLIENT_HELLO; 452 453 if (tls_verify_hash_init(&conn->verify) < 0) { 454 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 455 "hash"); 456 os_free(conn); 457 return NULL; 458 } 459 460 count = 0; 461 suites = conn->cipher_suites; 462 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256; 463 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 464 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256; 465 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 466 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 467 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 468 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 469 conn->num_cipher_suites = count; 470 471 conn->rl.tls_version = TLS_VERSION; 472 473 return conn; 474 } 475 476 477 /** 478 * tlsv1_client_deinit - Deinitialize TLSv1 client connection 479 * @conn: TLSv1 client connection data from tlsv1_client_init() 480 */ 481 void tlsv1_client_deinit(struct tlsv1_client *conn) 482 { 483 crypto_public_key_free(conn->server_rsa_key); 484 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 485 tlsv1_record_change_write_cipher(&conn->rl); 486 tlsv1_record_change_read_cipher(&conn->rl); 487 tls_verify_hash_free(&conn->verify); 488 os_free(conn->client_hello_ext); 489 tlsv1_client_free_dh(conn); 490 tlsv1_cred_free(conn->cred); 491 wpabuf_free(conn->partial_input); 492 os_free(conn); 493 } 494 495 496 /** 497 * tlsv1_client_established - Check whether connection has been established 498 * @conn: TLSv1 client connection data from tlsv1_client_init() 499 * Returns: 1 if connection is established, 0 if not 500 */ 501 int tlsv1_client_established(struct tlsv1_client *conn) 502 { 503 return conn->state == ESTABLISHED; 504 } 505 506 507 /** 508 * tlsv1_client_prf - Use TLS-PRF to derive keying material 509 * @conn: TLSv1 client connection data from tlsv1_client_init() 510 * @label: Label (e.g., description of the key) for PRF 511 * @server_random_first: seed is 0 = client_random|server_random, 512 * 1 = server_random|client_random 513 * @out: Buffer for output data from TLS-PRF 514 * @out_len: Length of the output buffer 515 * Returns: 0 on success, -1 on failure 516 */ 517 int tlsv1_client_prf(struct tlsv1_client *conn, const char *label, 518 int server_random_first, u8 *out, size_t out_len) 519 { 520 u8 seed[2 * TLS_RANDOM_LEN]; 521 522 if (conn->state != ESTABLISHED) 523 return -1; 524 525 if (server_random_first) { 526 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 527 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 528 TLS_RANDOM_LEN); 529 } else { 530 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 531 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 532 TLS_RANDOM_LEN); 533 } 534 535 return tls_prf(conn->rl.tls_version, 536 conn->master_secret, TLS_MASTER_SECRET_LEN, 537 label, seed, 2 * TLS_RANDOM_LEN, out, out_len); 538 } 539 540 541 /** 542 * tlsv1_client_get_cipher - Get current cipher name 543 * @conn: TLSv1 client connection data from tlsv1_client_init() 544 * @buf: Buffer for the cipher name 545 * @buflen: buf size 546 * Returns: 0 on success, -1 on failure 547 * 548 * Get the name of the currently used cipher. 549 */ 550 int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf, 551 size_t buflen) 552 { 553 char *cipher; 554 555 switch (conn->rl.cipher_suite) { 556 case TLS_RSA_WITH_RC4_128_MD5: 557 cipher = "RC4-MD5"; 558 break; 559 case TLS_RSA_WITH_RC4_128_SHA: 560 cipher = "RC4-SHA"; 561 break; 562 case TLS_RSA_WITH_DES_CBC_SHA: 563 cipher = "DES-CBC-SHA"; 564 break; 565 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 566 cipher = "DES-CBC3-SHA"; 567 break; 568 case TLS_DH_anon_WITH_AES_128_CBC_SHA256: 569 cipher = "ADH-AES-128-SHA256"; 570 break; 571 case TLS_DH_anon_WITH_AES_128_CBC_SHA: 572 cipher = "ADH-AES-128-SHA"; 573 break; 574 case TLS_RSA_WITH_AES_256_CBC_SHA: 575 cipher = "AES-256-SHA"; 576 break; 577 case TLS_RSA_WITH_AES_256_CBC_SHA256: 578 cipher = "AES-256-SHA256"; 579 break; 580 case TLS_RSA_WITH_AES_128_CBC_SHA: 581 cipher = "AES-128-SHA"; 582 break; 583 case TLS_RSA_WITH_AES_128_CBC_SHA256: 584 cipher = "AES-128-SHA256"; 585 break; 586 default: 587 return -1; 588 } 589 590 if (os_strlcpy(buf, cipher, buflen) >= buflen) 591 return -1; 592 return 0; 593 } 594 595 596 /** 597 * tlsv1_client_shutdown - Shutdown TLS connection 598 * @conn: TLSv1 client connection data from tlsv1_client_init() 599 * Returns: 0 on success, -1 on failure 600 */ 601 int tlsv1_client_shutdown(struct tlsv1_client *conn) 602 { 603 conn->state = CLIENT_HELLO; 604 605 if (tls_verify_hash_init(&conn->verify) < 0) { 606 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 607 "hash"); 608 return -1; 609 } 610 611 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 612 tlsv1_record_change_write_cipher(&conn->rl); 613 tlsv1_record_change_read_cipher(&conn->rl); 614 615 conn->certificate_requested = 0; 616 crypto_public_key_free(conn->server_rsa_key); 617 conn->server_rsa_key = NULL; 618 conn->session_resumed = 0; 619 620 return 0; 621 } 622 623 624 /** 625 * tlsv1_client_resumed - Was session resumption used 626 * @conn: TLSv1 client connection data from tlsv1_client_init() 627 * Returns: 1 if current session used session resumption, 0 if not 628 */ 629 int tlsv1_client_resumed(struct tlsv1_client *conn) 630 { 631 return !!conn->session_resumed; 632 } 633 634 635 /** 636 * tlsv1_client_hello_ext - Set TLS extension for ClientHello 637 * @conn: TLSv1 client connection data from tlsv1_client_init() 638 * @ext_type: Extension type 639 * @data: Extension payload (%NULL to remove extension) 640 * @data_len: Extension payload length 641 * Returns: 0 on success, -1 on failure 642 */ 643 int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type, 644 const u8 *data, size_t data_len) 645 { 646 u8 *pos; 647 648 conn->session_ticket_included = 0; 649 os_free(conn->client_hello_ext); 650 conn->client_hello_ext = NULL; 651 conn->client_hello_ext_len = 0; 652 653 if (data == NULL || data_len == 0) 654 return 0; 655 656 pos = conn->client_hello_ext = os_malloc(6 + data_len); 657 if (pos == NULL) 658 return -1; 659 660 WPA_PUT_BE16(pos, 4 + data_len); 661 pos += 2; 662 WPA_PUT_BE16(pos, ext_type); 663 pos += 2; 664 WPA_PUT_BE16(pos, data_len); 665 pos += 2; 666 os_memcpy(pos, data, data_len); 667 conn->client_hello_ext_len = 6 + data_len; 668 669 if (ext_type == TLS_EXT_PAC_OPAQUE) { 670 conn->session_ticket_included = 1; 671 wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket"); 672 } 673 674 return 0; 675 } 676 677 678 /** 679 * tlsv1_client_get_keys - Get master key and random data from TLS connection 680 * @conn: TLSv1 client connection data from tlsv1_client_init() 681 * @keys: Structure of key/random data (filled on success) 682 * Returns: 0 on success, -1 on failure 683 */ 684 int tlsv1_client_get_keys(struct tlsv1_client *conn, struct tls_keys *keys) 685 { 686 os_memset(keys, 0, sizeof(*keys)); 687 if (conn->state == CLIENT_HELLO) 688 return -1; 689 690 keys->client_random = conn->client_random; 691 keys->client_random_len = TLS_RANDOM_LEN; 692 693 if (conn->state != SERVER_HELLO) { 694 keys->server_random = conn->server_random; 695 keys->server_random_len = TLS_RANDOM_LEN; 696 keys->master_key = conn->master_secret; 697 keys->master_key_len = TLS_MASTER_SECRET_LEN; 698 } 699 700 return 0; 701 } 702 703 704 /** 705 * tlsv1_client_get_keyblock_size - Get TLS key_block size 706 * @conn: TLSv1 client connection data from tlsv1_client_init() 707 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 708 * failure 709 */ 710 int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn) 711 { 712 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 713 return -1; 714 715 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 716 conn->rl.iv_size); 717 } 718 719 720 /** 721 * tlsv1_client_set_cipher_list - Configure acceptable cipher suites 722 * @conn: TLSv1 client connection data from tlsv1_client_init() 723 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 724 * (TLS_CIPHER_*). 725 * Returns: 0 on success, -1 on failure 726 */ 727 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) 728 { 729 size_t count; 730 u16 *suites; 731 732 /* TODO: implement proper configuration of cipher suites */ 733 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 734 count = 0; 735 suites = conn->cipher_suites; 736 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA256; 737 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 738 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA256; 739 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 740 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 741 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 742 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 743 744 /* 745 * Cisco AP (at least 350 and 1200 series) local authentication 746 * server does not know how to search cipher suites from the 747 * list and seem to require that the last entry in the list is 748 * the one that it wants to use. However, TLS specification 749 * requires the list to be in the client preference order. As a 750 * workaround, add anon-DH AES-128-SHA1 again at the end of the 751 * list to allow the Cisco code to find it. 752 */ 753 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 754 conn->num_cipher_suites = count; 755 } 756 757 return 0; 758 } 759 760 761 /** 762 * tlsv1_client_set_cred - Set client credentials 763 * @conn: TLSv1 client connection data from tlsv1_client_init() 764 * @cred: Credentials from tlsv1_cred_alloc() 765 * Returns: 0 on success, -1 on failure 766 * 767 * On success, the client takes ownership of the credentials block and caller 768 * must not free it. On failure, caller is responsible for freeing the 769 * credential block. 770 */ 771 int tlsv1_client_set_cred(struct tlsv1_client *conn, 772 struct tlsv1_credentials *cred) 773 { 774 tlsv1_cred_free(conn->cred); 775 conn->cred = cred; 776 return 0; 777 } 778 779 780 void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled) 781 { 782 conn->disable_time_checks = !enabled; 783 } 784 785 786 void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn, 787 tlsv1_client_session_ticket_cb cb, 788 void *ctx) 789 { 790 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", 791 cb, ctx); 792 conn->session_ticket_cb = cb; 793 conn->session_ticket_cb_ctx = ctx; 794 } 795