1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver) 31 { 32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 33 ver == TLS_VERSION_1) || 34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 35 ver == TLS_VERSION_1_1) || 36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 37 ver == TLS_VERSION_1_2)); 38 } 39 40 41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn, 42 const u8 *pos, size_t len) 43 { 44 const u8 *end = pos + len; 45 46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions", 47 pos, len); 48 while (pos < end) { 49 u16 ext, elen; 50 51 if (end - pos < 4) { 52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header"); 53 return -1; 54 } 55 56 ext = WPA_GET_BE16(pos); 57 pos += 2; 58 elen = WPA_GET_BE16(pos); 59 pos += 2; 60 61 if (elen > end - pos) { 62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension"); 63 return -1; 64 } 65 66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u", 67 ext); 68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data", 69 pos, elen); 70 71 pos += elen; 72 } 73 74 return 0; 75 } 76 77 78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 79 const u8 *in_data, size_t *in_len) 80 { 81 const u8 *pos, *end; 82 size_t left, len, i; 83 u16 cipher_suite; 84 u16 tls_version; 85 86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 88 "received content type 0x%x", ct); 89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 90 TLS_ALERT_UNEXPECTED_MESSAGE); 91 return -1; 92 } 93 94 pos = in_data; 95 left = *in_len; 96 97 if (left < 4) 98 goto decode_error; 99 100 /* HandshakeType msg_type */ 101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 103 "message %d (expected ServerHello)", *pos); 104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 105 TLS_ALERT_UNEXPECTED_MESSAGE); 106 return -1; 107 } 108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 109 pos++; 110 /* uint24 length */ 111 len = WPA_GET_BE24(pos); 112 pos += 3; 113 left -= 4; 114 115 if (len > left) 116 goto decode_error; 117 118 /* body - ServerHello */ 119 120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 121 end = pos + len; 122 123 /* ProtocolVersion server_version */ 124 if (end - pos < 2) 125 goto decode_error; 126 tls_version = WPA_GET_BE16(pos); 127 if (!tls_version_ok(tls_version) || 128 tls_version_disabled(conn, tls_version)) { 129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 130 "ServerHello %u.%u", pos[0], pos[1]); 131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 132 TLS_ALERT_PROTOCOL_VERSION); 133 return -1; 134 } 135 pos += 2; 136 137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 138 tls_version_str(tls_version)); 139 conn->rl.tls_version = tls_version; 140 141 /* Random random */ 142 if (end - pos < TLS_RANDOM_LEN) 143 goto decode_error; 144 145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 146 pos += TLS_RANDOM_LEN; 147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 148 conn->server_random, TLS_RANDOM_LEN); 149 150 /* SessionID session_id */ 151 if (end - pos < 1) 152 goto decode_error; 153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 154 goto decode_error; 155 if (conn->session_id_len && conn->session_id_len == *pos && 156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 157 pos += 1 + conn->session_id_len; 158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 159 conn->session_resumed = 1; 160 } else { 161 conn->session_id_len = *pos; 162 pos++; 163 os_memcpy(conn->session_id, pos, conn->session_id_len); 164 pos += conn->session_id_len; 165 } 166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 167 conn->session_id, conn->session_id_len); 168 169 /* CipherSuite cipher_suite */ 170 if (end - pos < 2) 171 goto decode_error; 172 cipher_suite = WPA_GET_BE16(pos); 173 pos += 2; 174 for (i = 0; i < conn->num_cipher_suites; i++) { 175 if (cipher_suite == conn->cipher_suites[i]) 176 break; 177 } 178 if (i == conn->num_cipher_suites) { 179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 180 "cipher suite 0x%04x", cipher_suite); 181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 182 TLS_ALERT_ILLEGAL_PARAMETER); 183 return -1; 184 } 185 186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 188 "cipher suite for a resumed connection (0x%04x != " 189 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 191 TLS_ALERT_ILLEGAL_PARAMETER); 192 return -1; 193 } 194 195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 197 "record layer"); 198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 199 TLS_ALERT_INTERNAL_ERROR); 200 return -1; 201 } 202 203 conn->prev_cipher_suite = cipher_suite; 204 205 /* CompressionMethod compression_method */ 206 if (end - pos < 1) 207 goto decode_error; 208 if (*pos != TLS_COMPRESSION_NULL) { 209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 210 "compression 0x%02x", *pos); 211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 212 TLS_ALERT_ILLEGAL_PARAMETER); 213 return -1; 214 } 215 pos++; 216 217 if (end - pos >= 2) { 218 u16 ext_len; 219 220 ext_len = WPA_GET_BE16(pos); 221 pos += 2; 222 if (end - pos < ext_len) { 223 wpa_printf(MSG_INFO, 224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)", 225 ext_len, (unsigned int) (end - pos)); 226 goto decode_error; 227 } 228 229 if (tls_process_server_hello_extensions(conn, pos, ext_len)) 230 goto decode_error; 231 pos += ext_len; 232 } 233 234 if (end != pos) { 235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 236 "end of ServerHello", pos, end - pos); 237 goto decode_error; 238 } 239 240 if (conn->session_ticket_included && conn->session_ticket_cb) { 241 /* TODO: include SessionTicket extension if one was included in 242 * ServerHello */ 243 int res = conn->session_ticket_cb( 244 conn->session_ticket_cb_ctx, NULL, 0, 245 conn->client_random, conn->server_random, 246 conn->master_secret); 247 if (res < 0) { 248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 249 "indicated failure"); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 251 TLS_ALERT_HANDSHAKE_FAILURE); 252 return -1; 253 } 254 conn->use_session_ticket = !!res; 255 } 256 257 if ((conn->session_resumed || conn->use_session_ticket) && 258 tls_derive_keys(conn, NULL, 0)) { 259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 261 TLS_ALERT_INTERNAL_ERROR); 262 return -1; 263 } 264 265 *in_len = end - in_data; 266 267 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 269 270 return 0; 271 272 decode_error: 273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 275 return -1; 276 } 277 278 279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth, 280 struct x509_certificate *cert) 281 { 282 union tls_event_data ev; 283 struct wpabuf *cert_buf = NULL; 284 #ifdef CONFIG_SHA256 285 u8 hash[32]; 286 #endif /* CONFIG_SHA256 */ 287 char subject[128]; 288 289 if (!conn->event_cb) 290 return; 291 292 os_memset(&ev, 0, sizeof(ev)); 293 if (conn->cred->cert_probe || conn->cert_in_cb) { 294 cert_buf = wpabuf_alloc_copy(cert->cert_start, 295 cert->cert_len); 296 ev.peer_cert.cert = cert_buf; 297 } 298 #ifdef CONFIG_SHA256 299 if (cert_buf) { 300 const u8 *addr[1]; 301 size_t len[1]; 302 addr[0] = wpabuf_head(cert_buf); 303 len[0] = wpabuf_len(cert_buf); 304 if (sha256_vector(1, addr, len, hash) == 0) { 305 ev.peer_cert.hash = hash; 306 ev.peer_cert.hash_len = sizeof(hash); 307 } 308 } 309 #endif /* CONFIG_SHA256 */ 310 311 ev.peer_cert.depth = depth; 312 x509_name_string(&cert->subject, subject, sizeof(subject)); 313 ev.peer_cert.subject = subject; 314 315 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev); 316 wpabuf_free(cert_buf); 317 } 318 319 320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth, 321 struct x509_certificate *cert, 322 enum tls_fail_reason reason, 323 const char *reason_txt) 324 { 325 struct wpabuf *cert_buf = NULL; 326 union tls_event_data ev; 327 char subject[128]; 328 329 if (!conn->event_cb || !cert) 330 return; 331 332 os_memset(&ev, 0, sizeof(ev)); 333 ev.cert_fail.depth = depth; 334 x509_name_string(&cert->subject, subject, sizeof(subject)); 335 ev.peer_cert.subject = subject; 336 ev.cert_fail.reason = reason; 337 ev.cert_fail.reason_txt = reason_txt; 338 cert_buf = wpabuf_alloc_copy(cert->cert_start, 339 cert->cert_len); 340 ev.cert_fail.cert = cert_buf; 341 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); 342 wpabuf_free(cert_buf); 343 } 344 345 346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 347 const u8 *in_data, size_t *in_len) 348 { 349 const u8 *pos, *end; 350 size_t left, len, list_len, cert_len, idx; 351 u8 type; 352 struct x509_certificate *chain = NULL, *last = NULL, *cert; 353 int reason; 354 355 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 357 "received content type 0x%x", ct); 358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 359 TLS_ALERT_UNEXPECTED_MESSAGE); 360 return -1; 361 } 362 363 pos = in_data; 364 left = *in_len; 365 366 if (left < 4) { 367 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 368 "(len=%lu)", (unsigned long) left); 369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 370 return -1; 371 } 372 373 type = *pos++; 374 len = WPA_GET_BE24(pos); 375 pos += 3; 376 left -= 4; 377 378 if (len > left) { 379 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 380 "length (len=%lu != left=%lu)", 381 (unsigned long) len, (unsigned long) left); 382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 383 return -1; 384 } 385 386 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 387 return tls_process_server_key_exchange(conn, ct, in_data, 388 in_len); 389 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 390 return tls_process_certificate_request(conn, ct, in_data, 391 in_len); 392 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 393 return tls_process_server_hello_done(conn, ct, in_data, 394 in_len); 395 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 396 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 397 "message %d (expected Certificate/" 398 "ServerKeyExchange/CertificateRequest/" 399 "ServerHelloDone)", type); 400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 401 TLS_ALERT_UNEXPECTED_MESSAGE); 402 return -1; 403 } 404 405 wpa_printf(MSG_DEBUG, 406 "TLSv1: Received Certificate (certificate_list len %lu)", 407 (unsigned long) len); 408 409 /* 410 * opaque ASN.1Cert<2^24-1>; 411 * 412 * struct { 413 * ASN.1Cert certificate_list<1..2^24-1>; 414 * } Certificate; 415 */ 416 417 end = pos + len; 418 419 if (end - pos < 3) { 420 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 421 "(left=%lu)", (unsigned long) left); 422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 423 return -1; 424 } 425 426 list_len = WPA_GET_BE24(pos); 427 pos += 3; 428 429 if ((size_t) (end - pos) != list_len) { 430 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 431 "length (len=%lu left=%lu)", 432 (unsigned long) list_len, 433 (unsigned long) (end - pos)); 434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 435 return -1; 436 } 437 438 idx = 0; 439 while (pos < end) { 440 if (end - pos < 3) { 441 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 442 "certificate_list"); 443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 444 TLS_ALERT_DECODE_ERROR); 445 x509_certificate_chain_free(chain); 446 return -1; 447 } 448 449 cert_len = WPA_GET_BE24(pos); 450 pos += 3; 451 452 if ((size_t) (end - pos) < cert_len) { 453 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 454 "length (len=%lu left=%lu)", 455 (unsigned long) cert_len, 456 (unsigned long) (end - pos)); 457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 458 TLS_ALERT_DECODE_ERROR); 459 x509_certificate_chain_free(chain); 460 return -1; 461 } 462 463 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 464 (unsigned long) idx, (unsigned long) cert_len); 465 466 if (idx == 0) { 467 crypto_public_key_free(conn->server_rsa_key); 468 if (tls_parse_cert(pos, cert_len, 469 &conn->server_rsa_key)) { 470 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 471 "the certificate"); 472 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 473 TLS_ALERT_BAD_CERTIFICATE); 474 x509_certificate_chain_free(chain); 475 return -1; 476 } 477 } 478 479 cert = x509_certificate_parse(pos, cert_len); 480 if (cert == NULL) { 481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 482 "the certificate"); 483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 484 TLS_ALERT_BAD_CERTIFICATE); 485 x509_certificate_chain_free(chain); 486 return -1; 487 } 488 489 tls_peer_cert_event(conn, idx, cert); 490 491 if (last == NULL) 492 chain = cert; 493 else 494 last->next = cert; 495 last = cert; 496 497 idx++; 498 pos += cert_len; 499 } 500 501 if (conn->cred && conn->cred->server_cert_only && chain) { 502 u8 hash[SHA256_MAC_LEN]; 503 char buf[128]; 504 505 wpa_printf(MSG_DEBUG, 506 "TLSv1: Validate server certificate hash"); 507 x509_name_string(&chain->subject, buf, sizeof(buf)); 508 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf); 509 if (sha256_vector(1, &chain->cert_start, &chain->cert_len, 510 hash) < 0 || 511 os_memcmp(conn->cred->srv_cert_hash, hash, 512 SHA256_MAC_LEN) != 0) { 513 wpa_printf(MSG_DEBUG, 514 "TLSv1: Server certificate hash mismatch"); 515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash", 516 hash, SHA256_MAC_LEN); 517 if (conn->event_cb) { 518 union tls_event_data ev; 519 520 os_memset(&ev, 0, sizeof(ev)); 521 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED; 522 ev.cert_fail.reason_txt = 523 "Server certificate mismatch"; 524 ev.cert_fail.subject = buf; 525 conn->event_cb(conn->cb_ctx, 526 TLS_CERT_CHAIN_FAILURE, &ev); 527 } 528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 529 TLS_ALERT_BAD_CERTIFICATE); 530 x509_certificate_chain_free(chain); 531 return -1; 532 } 533 } else if (conn->cred && conn->cred->cert_probe) { 534 wpa_printf(MSG_DEBUG, 535 "TLSv1: Reject server certificate on probe-only rune"); 536 if (conn->event_cb) { 537 union tls_event_data ev; 538 char buf[128]; 539 540 os_memset(&ev, 0, sizeof(ev)); 541 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE; 542 ev.cert_fail.reason_txt = 543 "Server certificate chain probe"; 544 if (chain) { 545 x509_name_string(&chain->subject, buf, 546 sizeof(buf)); 547 ev.cert_fail.subject = buf; 548 } 549 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, 550 &ev); 551 } 552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 553 TLS_ALERT_BAD_CERTIFICATE); 554 x509_certificate_chain_free(chain); 555 return -1; 556 } else if (conn->cred && conn->cred->ca_cert_verify && 557 x509_certificate_chain_validate( 558 conn->cred->trusted_certs, chain, &reason, 559 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) 560 < 0) { 561 int tls_reason; 562 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 563 "validation failed (reason=%d)", reason); 564 switch (reason) { 565 case X509_VALIDATE_BAD_CERTIFICATE: 566 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 567 tls_cert_chain_failure_event( 568 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 569 "bad certificate"); 570 break; 571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 572 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 573 break; 574 case X509_VALIDATE_CERTIFICATE_REVOKED: 575 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 576 tls_cert_chain_failure_event( 577 conn, 0, chain, TLS_FAIL_REVOKED, 578 "certificate revoked"); 579 break; 580 case X509_VALIDATE_CERTIFICATE_EXPIRED: 581 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 582 tls_cert_chain_failure_event( 583 conn, 0, chain, TLS_FAIL_EXPIRED, 584 "certificate has expired or is not yet valid"); 585 break; 586 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 587 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 588 break; 589 case X509_VALIDATE_UNKNOWN_CA: 590 tls_reason = TLS_ALERT_UNKNOWN_CA; 591 tls_cert_chain_failure_event( 592 conn, 0, chain, TLS_FAIL_UNTRUSTED, 593 "unknown CA"); 594 break; 595 default: 596 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 597 break; 598 } 599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 600 x509_certificate_chain_free(chain); 601 return -1; 602 } 603 604 if (conn->cred && !conn->cred->server_cert_only && chain && 605 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 606 !(chain->ext_key_usage & 607 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) { 608 tls_cert_chain_failure_event( 609 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE, 610 "certificate not allowed for server authentication"); 611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 612 TLS_ALERT_BAD_CERTIFICATE); 613 x509_certificate_chain_free(chain); 614 return -1; 615 } 616 617 if (conn->flags & TLS_CONN_REQUEST_OCSP) { 618 x509_certificate_chain_free(conn->server_cert); 619 conn->server_cert = chain; 620 } else { 621 x509_certificate_chain_free(chain); 622 } 623 624 *in_len = end - in_data; 625 626 conn->state = SERVER_KEY_EXCHANGE; 627 628 return 0; 629 } 630 631 632 static unsigned int count_bits(const u8 *val, size_t len) 633 { 634 size_t i; 635 unsigned int bits; 636 u8 tmp; 637 638 for (i = 0; i < len; i++) { 639 if (val[i]) 640 break; 641 } 642 if (i == len) 643 return 0; 644 645 bits = (len - i - 1) * 8; 646 tmp = val[i]; 647 while (tmp) { 648 bits++; 649 tmp >>= 1; 650 } 651 652 return bits; 653 } 654 655 656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 657 const u8 *buf, size_t len, 658 tls_key_exchange key_exchange) 659 { 660 const u8 *pos, *end, *server_params, *server_params_end; 661 u8 alert; 662 unsigned int bits; 663 u16 val; 664 665 tlsv1_client_free_dh(conn); 666 667 pos = buf; 668 end = buf + len; 669 670 if (end - pos < 3) 671 goto fail; 672 server_params = pos; 673 val = WPA_GET_BE16(pos); 674 pos += 2; 675 if (val == 0 || val > (size_t) (end - pos)) { 676 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val); 677 goto fail; 678 } 679 conn->dh_p_len = val; 680 bits = count_bits(pos, conn->dh_p_len); 681 if (bits < 768) { 682 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)", 683 bits); 684 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime", 685 pos, conn->dh_p_len); 686 goto fail; 687 } 688 conn->dh_p = os_malloc(conn->dh_p_len); 689 if (conn->dh_p == NULL) 690 goto fail; 691 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 692 pos += conn->dh_p_len; 693 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 694 conn->dh_p, conn->dh_p_len); 695 696 if (end - pos < 3) 697 goto fail; 698 val = WPA_GET_BE16(pos); 699 pos += 2; 700 if (val == 0 || val > (size_t) (end - pos)) 701 goto fail; 702 conn->dh_g_len = val; 703 conn->dh_g = os_malloc(conn->dh_g_len); 704 if (conn->dh_g == NULL) 705 goto fail; 706 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 707 pos += conn->dh_g_len; 708 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 709 conn->dh_g, conn->dh_g_len); 710 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 711 goto fail; 712 713 if (end - pos < 3) 714 goto fail; 715 val = WPA_GET_BE16(pos); 716 pos += 2; 717 if (val == 0 || val > (size_t) (end - pos)) 718 goto fail; 719 conn->dh_ys_len = val; 720 conn->dh_ys = os_malloc(conn->dh_ys_len); 721 if (conn->dh_ys == NULL) 722 goto fail; 723 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 724 pos += conn->dh_ys_len; 725 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 726 conn->dh_ys, conn->dh_ys_len); 727 server_params_end = pos; 728 729 if (key_exchange == TLS_KEY_X_DHE_RSA) { 730 u8 hash[64]; 731 int hlen; 732 733 if (conn->rl.tls_version == TLS_VERSION_1_2) { 734 #ifdef CONFIG_TLSV12 735 /* 736 * RFC 5246, 4.7: 737 * TLS v1.2 adds explicit indication of the used 738 * signature and hash algorithms. 739 * 740 * struct { 741 * HashAlgorithm hash; 742 * SignatureAlgorithm signature; 743 * } SignatureAndHashAlgorithm; 744 */ 745 if (end - pos < 2) 746 goto fail; 747 if ((pos[0] != TLS_HASH_ALG_SHA256 && 748 pos[0] != TLS_HASH_ALG_SHA384 && 749 pos[0] != TLS_HASH_ALG_SHA512) || 750 pos[1] != TLS_SIGN_ALG_RSA) { 751 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 752 pos[0], pos[1]); 753 goto fail; 754 } 755 756 hlen = tlsv12_key_x_server_params_hash( 757 conn->rl.tls_version, pos[0], 758 conn->client_random, 759 conn->server_random, server_params, 760 server_params_end - server_params, hash); 761 pos += 2; 762 #else /* CONFIG_TLSV12 */ 763 goto fail; 764 #endif /* CONFIG_TLSV12 */ 765 } else { 766 hlen = tls_key_x_server_params_hash( 767 conn->rl.tls_version, conn->client_random, 768 conn->server_random, server_params, 769 server_params_end - server_params, hash); 770 } 771 772 if (hlen < 0) 773 goto fail; 774 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 775 hash, hlen); 776 777 if (tls_verify_signature(conn->rl.tls_version, 778 conn->server_rsa_key, 779 hash, hlen, pos, end - pos, 780 &alert) < 0) 781 goto fail; 782 } 783 784 return 0; 785 786 fail: 787 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 788 tlsv1_client_free_dh(conn); 789 return -1; 790 } 791 792 793 static enum tls_ocsp_result 794 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn, 795 const u8 *pos, size_t len) 796 { 797 const u8 *end = pos + len; 798 u32 ocsp_resp_len; 799 800 /* opaque OCSPResponse<1..2^24-1>; */ 801 if (end - pos < 3) { 802 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse"); 803 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 804 return TLS_OCSP_INVALID; 805 } 806 ocsp_resp_len = WPA_GET_BE24(pos); 807 pos += 3; 808 if (end - pos < ocsp_resp_len) { 809 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse"); 810 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 811 return TLS_OCSP_INVALID; 812 } 813 814 return tls_process_ocsp_response(conn, pos, ocsp_resp_len); 815 } 816 817 818 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct, 819 const u8 *in_data, size_t *in_len) 820 { 821 const u8 *pos, *end; 822 size_t left, len; 823 u8 type, status_type; 824 enum tls_ocsp_result res; 825 struct x509_certificate *cert; 826 int depth; 827 828 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 829 wpa_printf(MSG_DEBUG, 830 "TLSv1: Expected Handshake; received content type 0x%x", 831 ct); 832 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 833 TLS_ALERT_UNEXPECTED_MESSAGE); 834 return -1; 835 } 836 837 pos = in_data; 838 left = *in_len; 839 840 if (left < 4) { 841 wpa_printf(MSG_DEBUG, 842 "TLSv1: Too short CertificateStatus (left=%lu)", 843 (unsigned long) left); 844 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 845 return -1; 846 } 847 848 type = *pos++; 849 len = WPA_GET_BE24(pos); 850 pos += 3; 851 left -= 4; 852 853 if (len > left) { 854 wpa_printf(MSG_DEBUG, 855 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)", 856 (unsigned long) len, (unsigned long) left); 857 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 858 return -1; 859 } 860 861 end = pos + len; 862 863 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) { 864 wpa_printf(MSG_DEBUG, 865 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)", 866 type); 867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 868 TLS_ALERT_UNEXPECTED_MESSAGE); 869 return -1; 870 } 871 872 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus"); 873 874 /* 875 * struct { 876 * CertificateStatusType status_type; 877 * select (status_type) { 878 * case ocsp: OCSPResponse; 879 * case ocsp_multi: OCSPResponseList; 880 * } response; 881 * } CertificateStatus; 882 */ 883 if (end - pos < 1) { 884 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus"); 885 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 886 return -1; 887 } 888 status_type = *pos++; 889 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u", 890 status_type); 891 892 if (status_type == 1 /* ocsp */) { 893 res = tls_process_certificate_status_ocsp_response( 894 conn, pos, end - pos); 895 } else if (status_type == 2 /* ocsp_multi */) { 896 int good = 0, revoked = 0; 897 u32 resp_len; 898 899 res = TLS_OCSP_NO_RESPONSE; 900 901 /* 902 * opaque OCSPResponse<0..2^24-1>; 903 * 904 * struct { 905 * OCSPResponse ocsp_response_list<1..2^24-1>; 906 * } OCSPResponseList; 907 */ 908 if (end - pos < 3) { 909 wpa_printf(MSG_DEBUG, 910 "TLSv1: Truncated OCSPResponseList"); 911 res = TLS_OCSP_INVALID; 912 goto done; 913 } 914 resp_len = WPA_GET_BE24(pos); 915 pos += 3; 916 if (end - pos < resp_len) { 917 wpa_printf(MSG_DEBUG, 918 "TLSv1: Truncated OCSPResponseList(len=%u)", 919 resp_len); 920 res = TLS_OCSP_INVALID; 921 goto done; 922 } 923 end = pos + resp_len; 924 925 while (end - pos >= 3) { 926 resp_len = WPA_GET_BE24(pos); 927 pos += 3; 928 if (resp_len > end - pos) { 929 wpa_printf(MSG_DEBUG, 930 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi", 931 resp_len, (int) (end - pos)); 932 res = TLS_OCSP_INVALID; 933 break; 934 } 935 if (!resp_len) 936 continue; /* Skip an empty response */ 937 res = tls_process_certificate_status_ocsp_response( 938 conn, pos - 3, resp_len + 3); 939 if (res == TLS_OCSP_REVOKED) 940 revoked++; 941 else if (res == TLS_OCSP_GOOD) 942 good++; 943 pos += resp_len; 944 } 945 946 if (revoked) 947 res = TLS_OCSP_REVOKED; 948 else if (good) 949 res = TLS_OCSP_GOOD; 950 } else { 951 wpa_printf(MSG_DEBUG, 952 "TLSv1: Ignore unsupported CertificateStatus"); 953 goto skip; 954 } 955 956 done: 957 if (res == TLS_OCSP_REVOKED) { 958 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 959 TLS_ALERT_CERTIFICATE_REVOKED); 960 for (cert = conn->server_cert, depth = 0; cert; 961 cert = cert->next, depth++) { 962 if (cert->ocsp_revoked) { 963 tls_cert_chain_failure_event( 964 conn, depth, cert, TLS_FAIL_REVOKED, 965 "certificate revoked"); 966 } 967 } 968 return -1; 969 } 970 971 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) { 972 /* 973 * Verify that each certificate on the chain that is not part 974 * of the trusted certificates has a good status. If not, 975 * terminate handshake. 976 */ 977 for (cert = conn->server_cert, depth = 0; cert; 978 cert = cert->next, depth++) { 979 if (!cert->ocsp_good) { 980 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 981 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 982 tls_cert_chain_failure_event( 983 conn, depth, cert, 984 TLS_FAIL_UNSPECIFIED, 985 "bad certificate status response"); 986 return -1; 987 } 988 if (cert->issuer_trusted) 989 break; 990 } 991 } 992 993 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) { 994 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 995 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR : 996 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 997 if (conn->server_cert) 998 tls_cert_chain_failure_event( 999 conn, 0, conn->server_cert, 1000 TLS_FAIL_UNSPECIFIED, 1001 "bad certificate status response"); 1002 return -1; 1003 } 1004 1005 conn->ocsp_resp_received = 1; 1006 1007 skip: 1008 *in_len = end - in_data; 1009 1010 conn->state = SERVER_KEY_EXCHANGE; 1011 1012 return 0; 1013 } 1014 1015 1016 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 1017 const u8 *in_data, size_t *in_len) 1018 { 1019 const u8 *pos, *end; 1020 size_t left, len; 1021 u8 type; 1022 const struct tls_cipher_suite *suite; 1023 1024 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1025 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1026 "received content type 0x%x", ct); 1027 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1028 TLS_ALERT_UNEXPECTED_MESSAGE); 1029 return -1; 1030 } 1031 1032 pos = in_data; 1033 left = *in_len; 1034 1035 if (left < 4) { 1036 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 1037 "(Left=%lu)", (unsigned long) left); 1038 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1039 return -1; 1040 } 1041 1042 type = *pos++; 1043 len = WPA_GET_BE24(pos); 1044 pos += 3; 1045 left -= 4; 1046 1047 if (len > left) { 1048 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 1049 "length (len=%lu != left=%lu)", 1050 (unsigned long) len, (unsigned long) left); 1051 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1052 return -1; 1053 } 1054 1055 end = pos + len; 1056 1057 if ((conn->flags & TLS_CONN_REQUEST_OCSP) && 1058 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) 1059 return tls_process_certificate_status(conn, ct, in_data, 1060 in_len); 1061 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 1062 return tls_process_certificate_request(conn, ct, in_data, 1063 in_len); 1064 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1065 return tls_process_server_hello_done(conn, ct, in_data, 1066 in_len); 1067 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 1068 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1069 "message %d (expected ServerKeyExchange/" 1070 "CertificateRequest/ServerHelloDone%s)", type, 1071 (conn->flags & TLS_CONN_REQUEST_OCSP) ? 1072 "/CertificateStatus" : ""); 1073 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1074 TLS_ALERT_UNEXPECTED_MESSAGE); 1075 return -1; 1076 } 1077 1078 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 1079 1080 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 1081 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 1082 "with the selected cipher suite"); 1083 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1084 TLS_ALERT_UNEXPECTED_MESSAGE); 1085 return -1; 1086 } 1087 1088 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 1089 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 1090 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 1091 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 1092 if (tlsv1_process_diffie_hellman(conn, pos, len, 1093 suite->key_exchange) < 0) { 1094 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1095 TLS_ALERT_DECODE_ERROR); 1096 return -1; 1097 } 1098 } else { 1099 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 1100 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1101 TLS_ALERT_UNEXPECTED_MESSAGE); 1102 return -1; 1103 } 1104 1105 *in_len = end - in_data; 1106 1107 conn->state = SERVER_CERTIFICATE_REQUEST; 1108 1109 return 0; 1110 } 1111 1112 1113 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 1114 const u8 *in_data, size_t *in_len) 1115 { 1116 const u8 *pos, *end; 1117 size_t left, len; 1118 u8 type; 1119 1120 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1121 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1122 "received content type 0x%x", ct); 1123 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1124 TLS_ALERT_UNEXPECTED_MESSAGE); 1125 return -1; 1126 } 1127 1128 pos = in_data; 1129 left = *in_len; 1130 1131 if (left < 4) { 1132 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 1133 "(left=%lu)", (unsigned long) left); 1134 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1135 return -1; 1136 } 1137 1138 type = *pos++; 1139 len = WPA_GET_BE24(pos); 1140 pos += 3; 1141 left -= 4; 1142 1143 if (len > left) { 1144 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 1145 "length (len=%lu != left=%lu)", 1146 (unsigned long) len, (unsigned long) left); 1147 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1148 return -1; 1149 } 1150 1151 end = pos + len; 1152 1153 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 1154 return tls_process_server_hello_done(conn, ct, in_data, 1155 in_len); 1156 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 1157 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1158 "message %d (expected CertificateRequest/" 1159 "ServerHelloDone)", type); 1160 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1161 TLS_ALERT_UNEXPECTED_MESSAGE); 1162 return -1; 1163 } 1164 1165 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 1166 1167 conn->certificate_requested = 1; 1168 1169 *in_len = end - in_data; 1170 1171 conn->state = SERVER_HELLO_DONE; 1172 1173 return 0; 1174 } 1175 1176 1177 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 1178 const u8 *in_data, size_t *in_len) 1179 { 1180 const u8 *pos, *end; 1181 size_t left, len; 1182 u8 type; 1183 1184 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1185 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 1186 "received content type 0x%x", ct); 1187 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1188 TLS_ALERT_UNEXPECTED_MESSAGE); 1189 return -1; 1190 } 1191 1192 pos = in_data; 1193 left = *in_len; 1194 1195 if (left < 4) { 1196 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 1197 "(left=%lu)", (unsigned long) left); 1198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1199 return -1; 1200 } 1201 1202 type = *pos++; 1203 len = WPA_GET_BE24(pos); 1204 pos += 3; 1205 left -= 4; 1206 1207 if (len > left) { 1208 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 1209 "length (len=%lu != left=%lu)", 1210 (unsigned long) len, (unsigned long) left); 1211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1212 return -1; 1213 } 1214 end = pos + len; 1215 1216 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 1217 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 1218 "message %d (expected ServerHelloDone)", type); 1219 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1220 TLS_ALERT_UNEXPECTED_MESSAGE); 1221 return -1; 1222 } 1223 1224 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 1225 1226 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && 1227 !conn->ocsp_resp_received) { 1228 wpa_printf(MSG_INFO, 1229 "TLSv1: No OCSP response received - reject handshake"); 1230 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1231 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE); 1232 return -1; 1233 } 1234 1235 *in_len = end - in_data; 1236 1237 conn->state = CLIENT_KEY_EXCHANGE; 1238 1239 return 0; 1240 } 1241 1242 1243 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 1244 u8 ct, const u8 *in_data, 1245 size_t *in_len) 1246 { 1247 const u8 *pos; 1248 size_t left; 1249 1250 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1251 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1252 "received content type 0x%x", ct); 1253 if (conn->use_session_ticket) { 1254 int res; 1255 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 1256 "rejected SessionTicket"); 1257 conn->use_session_ticket = 0; 1258 1259 /* Notify upper layers that SessionTicket failed */ 1260 res = conn->session_ticket_cb( 1261 conn->session_ticket_cb_ctx, NULL, 0, NULL, 1262 NULL, NULL); 1263 if (res < 0) { 1264 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 1265 "callback indicated failure"); 1266 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1267 TLS_ALERT_HANDSHAKE_FAILURE); 1268 return -1; 1269 } 1270 1271 conn->state = SERVER_CERTIFICATE; 1272 return tls_process_certificate(conn, ct, in_data, 1273 in_len); 1274 } 1275 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1276 TLS_ALERT_UNEXPECTED_MESSAGE); 1277 return -1; 1278 } 1279 1280 pos = in_data; 1281 left = *in_len; 1282 1283 if (left < 1) { 1284 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 1285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 1286 return -1; 1287 } 1288 1289 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1290 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 1291 "received data 0x%x", *pos); 1292 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1293 TLS_ALERT_UNEXPECTED_MESSAGE); 1294 return -1; 1295 } 1296 1297 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 1298 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1299 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1300 "for record layer"); 1301 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1302 TLS_ALERT_INTERNAL_ERROR); 1303 return -1; 1304 } 1305 1306 *in_len = pos + 1 - in_data; 1307 1308 conn->state = SERVER_FINISHED; 1309 1310 return 0; 1311 } 1312 1313 1314 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 1315 const u8 *in_data, size_t *in_len) 1316 { 1317 const u8 *pos, *end; 1318 size_t left, len, hlen; 1319 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1320 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1321 1322 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1323 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 1324 "received content type 0x%x", ct); 1325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1326 TLS_ALERT_UNEXPECTED_MESSAGE); 1327 return -1; 1328 } 1329 1330 pos = in_data; 1331 left = *in_len; 1332 1333 if (left < 4) { 1334 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 1335 "Finished", 1336 (unsigned long) left); 1337 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1338 TLS_ALERT_DECODE_ERROR); 1339 return -1; 1340 } 1341 1342 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1343 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1344 "type 0x%x", pos[0]); 1345 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1346 TLS_ALERT_UNEXPECTED_MESSAGE); 1347 return -1; 1348 } 1349 1350 len = WPA_GET_BE24(pos + 1); 1351 1352 pos += 4; 1353 left -= 4; 1354 1355 if (len > left) { 1356 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1357 "(len=%lu > left=%lu)", 1358 (unsigned long) len, (unsigned long) left); 1359 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1360 TLS_ALERT_DECODE_ERROR); 1361 return -1; 1362 } 1363 end = pos + len; 1364 if (len != TLS_VERIFY_DATA_LEN) { 1365 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1366 "in Finished: %lu (expected %d)", 1367 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1368 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1369 TLS_ALERT_DECODE_ERROR); 1370 return -1; 1371 } 1372 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1373 pos, TLS_VERIFY_DATA_LEN); 1374 1375 #ifdef CONFIG_TLSV12 1376 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1377 hlen = SHA256_MAC_LEN; 1378 if (conn->verify.sha256_server == NULL || 1379 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 1380 < 0) { 1381 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1382 TLS_ALERT_INTERNAL_ERROR); 1383 conn->verify.sha256_server = NULL; 1384 return -1; 1385 } 1386 conn->verify.sha256_server = NULL; 1387 } else { 1388 #endif /* CONFIG_TLSV12 */ 1389 1390 hlen = MD5_MAC_LEN; 1391 if (conn->verify.md5_server == NULL || 1392 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 1393 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1394 TLS_ALERT_INTERNAL_ERROR); 1395 conn->verify.md5_server = NULL; 1396 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 1397 conn->verify.sha1_server = NULL; 1398 return -1; 1399 } 1400 conn->verify.md5_server = NULL; 1401 hlen = SHA1_MAC_LEN; 1402 if (conn->verify.sha1_server == NULL || 1403 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 1404 &hlen) < 0) { 1405 conn->verify.sha1_server = NULL; 1406 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1407 TLS_ALERT_INTERNAL_ERROR); 1408 return -1; 1409 } 1410 conn->verify.sha1_server = NULL; 1411 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1412 1413 #ifdef CONFIG_TLSV12 1414 } 1415 #endif /* CONFIG_TLSV12 */ 1416 1417 if (tls_prf(conn->rl.tls_version, 1418 conn->master_secret, TLS_MASTER_SECRET_LEN, 1419 "server finished", hash, hlen, 1420 verify_data, TLS_VERIFY_DATA_LEN)) { 1421 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1423 TLS_ALERT_DECRYPT_ERROR); 1424 return -1; 1425 } 1426 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 1427 verify_data, TLS_VERIFY_DATA_LEN); 1428 1429 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1430 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1431 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1432 TLS_ALERT_DECRYPT_ERROR); 1433 return -1; 1434 } 1435 1436 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1437 1438 *in_len = end - in_data; 1439 1440 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 1441 CHANGE_CIPHER_SPEC : ACK_FINISHED; 1442 1443 return 0; 1444 } 1445 1446 1447 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 1448 const u8 *in_data, size_t *in_len, 1449 u8 **out_data, size_t *out_len) 1450 { 1451 const u8 *pos; 1452 size_t left; 1453 1454 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 1455 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 1456 "received content type 0x%x", ct); 1457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1458 TLS_ALERT_UNEXPECTED_MESSAGE); 1459 return -1; 1460 } 1461 1462 pos = in_data; 1463 left = *in_len; 1464 1465 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 1466 pos, left); 1467 1468 *out_data = os_malloc(left); 1469 if (*out_data) { 1470 os_memcpy(*out_data, pos, left); 1471 *out_len = left; 1472 } 1473 1474 return 0; 1475 } 1476 1477 1478 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1479 const u8 *buf, size_t *len, 1480 u8 **out_data, size_t *out_len) 1481 { 1482 if (ct == TLS_CONTENT_TYPE_ALERT) { 1483 if (*len < 2) { 1484 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1485 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1486 TLS_ALERT_DECODE_ERROR); 1487 return -1; 1488 } 1489 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1490 buf[0], buf[1]); 1491 *len = 2; 1492 conn->state = FAILED; 1493 return -1; 1494 } 1495 1496 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1497 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1498 size_t hr_len = WPA_GET_BE24(buf + 1); 1499 if (hr_len > *len - 4) { 1500 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1501 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1502 TLS_ALERT_DECODE_ERROR); 1503 return -1; 1504 } 1505 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1506 *len = 4 + hr_len; 1507 return 0; 1508 } 1509 1510 switch (conn->state) { 1511 case SERVER_HELLO: 1512 if (tls_process_server_hello(conn, ct, buf, len)) 1513 return -1; 1514 break; 1515 case SERVER_CERTIFICATE: 1516 if (tls_process_certificate(conn, ct, buf, len)) 1517 return -1; 1518 break; 1519 case SERVER_KEY_EXCHANGE: 1520 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1521 return -1; 1522 break; 1523 case SERVER_CERTIFICATE_REQUEST: 1524 if (tls_process_certificate_request(conn, ct, buf, len)) 1525 return -1; 1526 break; 1527 case SERVER_HELLO_DONE: 1528 if (tls_process_server_hello_done(conn, ct, buf, len)) 1529 return -1; 1530 break; 1531 case SERVER_CHANGE_CIPHER_SPEC: 1532 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1533 return -1; 1534 break; 1535 case SERVER_FINISHED: 1536 if (tls_process_server_finished(conn, ct, buf, len)) 1537 return -1; 1538 break; 1539 case ACK_FINISHED: 1540 if (out_data && 1541 tls_process_application_data(conn, ct, buf, len, out_data, 1542 out_len)) 1543 return -1; 1544 break; 1545 default: 1546 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1547 "while processing received message", 1548 conn->state); 1549 return -1; 1550 } 1551 1552 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1553 tls_verify_hash_add(&conn->verify, buf, *len); 1554 1555 return 0; 1556 } 1557
