1 /*
2 * TLSv1 client - read handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 const u8 *in_data, size_t *in_len);
28
29
tls_version_disabled(struct tlsv1_client * conn,u16 ver)30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
31 {
32 return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
33 ver == TLS_VERSION_1) ||
34 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
35 ver == TLS_VERSION_1_1) ||
36 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
37 ver == TLS_VERSION_1_2));
38 }
39
40
tls_process_server_hello_extensions(struct tlsv1_client * conn,const u8 * pos,size_t len)41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
42 const u8 *pos, size_t len)
43 {
44 const u8 *end = pos + len;
45
46 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
47 pos, len);
48 while (pos < end) {
49 u16 ext, elen;
50
51 if (end - pos < 4) {
52 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
53 return -1;
54 }
55
56 ext = WPA_GET_BE16(pos);
57 pos += 2;
58 elen = WPA_GET_BE16(pos);
59 pos += 2;
60
61 if (elen > end - pos) {
62 wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
63 return -1;
64 }
65
66 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
67 ext);
68 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
69 pos, elen);
70
71 pos += elen;
72 }
73
74 return 0;
75 }
76
77
tls_process_server_hello(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
79 const u8 *in_data, size_t *in_len)
80 {
81 const u8 *pos, *end;
82 size_t left, len, i;
83 u16 cipher_suite;
84 u16 tls_version;
85
86 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
87 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
88 "received content type 0x%x", ct);
89 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
90 TLS_ALERT_UNEXPECTED_MESSAGE);
91 return -1;
92 }
93
94 pos = in_data;
95 left = *in_len;
96
97 if (left < 4)
98 goto decode_error;
99
100 /* HandshakeType msg_type */
101 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
102 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
103 "message %d (expected ServerHello)", *pos);
104 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
105 TLS_ALERT_UNEXPECTED_MESSAGE);
106 return -1;
107 }
108 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
109 pos++;
110 /* uint24 length */
111 len = WPA_GET_BE24(pos);
112 pos += 3;
113 left -= 4;
114
115 if (len > left)
116 goto decode_error;
117
118 /* body - ServerHello */
119
120 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
121 end = pos + len;
122
123 /* ProtocolVersion server_version */
124 if (end - pos < 2)
125 goto decode_error;
126 tls_version = WPA_GET_BE16(pos);
127 if (!tls_version_ok(tls_version) ||
128 tls_version_disabled(conn, tls_version)) {
129 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
130 "ServerHello %u.%u", pos[0], pos[1]);
131 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
132 TLS_ALERT_PROTOCOL_VERSION);
133 return -1;
134 }
135 pos += 2;
136
137 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
138 tls_version_str(tls_version));
139 conn->rl.tls_version = tls_version;
140
141 /* Random random */
142 if (end - pos < TLS_RANDOM_LEN)
143 goto decode_error;
144
145 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
146 pos += TLS_RANDOM_LEN;
147 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
148 conn->server_random, TLS_RANDOM_LEN);
149
150 /* SessionID session_id */
151 if (end - pos < 1)
152 goto decode_error;
153 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
154 goto decode_error;
155 if (conn->session_id_len && conn->session_id_len == *pos &&
156 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
157 pos += 1 + conn->session_id_len;
158 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
159 conn->session_resumed = 1;
160 } else {
161 conn->session_id_len = *pos;
162 pos++;
163 os_memcpy(conn->session_id, pos, conn->session_id_len);
164 pos += conn->session_id_len;
165 }
166 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
167 conn->session_id, conn->session_id_len);
168
169 /* CipherSuite cipher_suite */
170 if (end - pos < 2)
171 goto decode_error;
172 cipher_suite = WPA_GET_BE16(pos);
173 pos += 2;
174 for (i = 0; i < conn->num_cipher_suites; i++) {
175 if (cipher_suite == conn->cipher_suites[i])
176 break;
177 }
178 if (i == conn->num_cipher_suites) {
179 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
180 "cipher suite 0x%04x", cipher_suite);
181 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
182 TLS_ALERT_ILLEGAL_PARAMETER);
183 return -1;
184 }
185
186 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
187 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
188 "cipher suite for a resumed connection (0x%04x != "
189 "0x%04x)", cipher_suite, conn->prev_cipher_suite);
190 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
191 TLS_ALERT_ILLEGAL_PARAMETER);
192 return -1;
193 }
194
195 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
197 "record layer");
198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
199 TLS_ALERT_INTERNAL_ERROR);
200 return -1;
201 }
202
203 conn->prev_cipher_suite = cipher_suite;
204
205 /* CompressionMethod compression_method */
206 if (end - pos < 1)
207 goto decode_error;
208 if (*pos != TLS_COMPRESSION_NULL) {
209 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
210 "compression 0x%02x", *pos);
211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
212 TLS_ALERT_ILLEGAL_PARAMETER);
213 return -1;
214 }
215 pos++;
216
217 if (end - pos >= 2) {
218 u16 ext_len;
219
220 ext_len = WPA_GET_BE16(pos);
221 pos += 2;
222 if (end - pos < ext_len) {
223 wpa_printf(MSG_INFO,
224 "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
225 ext_len, (unsigned int) (end - pos));
226 goto decode_error;
227 }
228
229 if (tls_process_server_hello_extensions(conn, pos, ext_len))
230 goto decode_error;
231 pos += ext_len;
232 }
233
234 if (end != pos) {
235 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
236 "end of ServerHello", pos, end - pos);
237 goto decode_error;
238 }
239
240 if (conn->session_ticket_included && conn->session_ticket_cb) {
241 /* TODO: include SessionTicket extension if one was included in
242 * ServerHello */
243 int res = conn->session_ticket_cb(
244 conn->session_ticket_cb_ctx, NULL, 0,
245 conn->client_random, conn->server_random,
246 conn->master_secret);
247 if (res < 0) {
248 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
249 "indicated failure");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_HANDSHAKE_FAILURE);
252 return -1;
253 }
254 conn->use_session_ticket = !!res;
255 }
256
257 if ((conn->session_resumed || conn->use_session_ticket) &&
258 tls_derive_keys(conn, NULL, 0)) {
259 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 TLS_ALERT_INTERNAL_ERROR);
262 return -1;
263 }
264
265 *in_len = end - in_data;
266
267 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
268 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
269
270 return 0;
271
272 decode_error:
273 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
275 return -1;
276 }
277
278
tls_peer_cert_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert)279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
280 struct x509_certificate *cert)
281 {
282 union tls_event_data ev;
283 struct wpabuf *cert_buf = NULL;
284 #ifdef CONFIG_SHA256
285 u8 hash[32];
286 #endif /* CONFIG_SHA256 */
287 char subject[128];
288
289 if (!conn->event_cb)
290 return;
291
292 os_memset(&ev, 0, sizeof(ev));
293 if (conn->cred->cert_probe || conn->cert_in_cb) {
294 cert_buf = wpabuf_alloc_copy(cert->cert_start,
295 cert->cert_len);
296 ev.peer_cert.cert = cert_buf;
297 }
298 #ifdef CONFIG_SHA256
299 if (cert_buf) {
300 const u8 *addr[1];
301 size_t len[1];
302 addr[0] = wpabuf_head(cert_buf);
303 len[0] = wpabuf_len(cert_buf);
304 if (sha256_vector(1, addr, len, hash) == 0) {
305 ev.peer_cert.hash = hash;
306 ev.peer_cert.hash_len = sizeof(hash);
307 }
308 }
309 #endif /* CONFIG_SHA256 */
310
311 ev.peer_cert.depth = depth;
312 x509_name_string(&cert->subject, subject, sizeof(subject));
313 ev.peer_cert.subject = subject;
314
315 conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
316 wpabuf_free(cert_buf);
317 }
318
319
tls_cert_chain_failure_event(struct tlsv1_client * conn,int depth,struct x509_certificate * cert,enum tls_fail_reason reason,const char * reason_txt)320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
321 struct x509_certificate *cert,
322 enum tls_fail_reason reason,
323 const char *reason_txt)
324 {
325 struct wpabuf *cert_buf = NULL;
326 union tls_event_data ev;
327 char subject[128];
328
329 if (!conn->event_cb || !cert)
330 return;
331
332 os_memset(&ev, 0, sizeof(ev));
333 ev.cert_fail.depth = depth;
334 x509_name_string(&cert->subject, subject, sizeof(subject));
335 ev.peer_cert.subject = subject;
336 ev.cert_fail.reason = reason;
337 ev.cert_fail.reason_txt = reason_txt;
338 cert_buf = wpabuf_alloc_copy(cert->cert_start,
339 cert->cert_len);
340 ev.cert_fail.cert = cert_buf;
341 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
342 wpabuf_free(cert_buf);
343 }
344
345
tls_process_certificate(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
347 const u8 *in_data, size_t *in_len)
348 {
349 const u8 *pos, *end;
350 size_t left, len, list_len, cert_len, idx;
351 u8 type;
352 struct x509_certificate *chain = NULL, *last = NULL, *cert;
353 int reason;
354
355 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
356 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
357 "received content type 0x%x", ct);
358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
359 TLS_ALERT_UNEXPECTED_MESSAGE);
360 return -1;
361 }
362
363 pos = in_data;
364 left = *in_len;
365
366 if (left < 4) {
367 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
368 "(len=%lu)", (unsigned long) left);
369 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
370 return -1;
371 }
372
373 type = *pos++;
374 len = WPA_GET_BE24(pos);
375 pos += 3;
376 left -= 4;
377
378 if (len > left) {
379 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
380 "length (len=%lu != left=%lu)",
381 (unsigned long) len, (unsigned long) left);
382 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
383 return -1;
384 }
385
386 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
387 return tls_process_server_key_exchange(conn, ct, in_data,
388 in_len);
389 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
390 return tls_process_certificate_request(conn, ct, in_data,
391 in_len);
392 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
393 return tls_process_server_hello_done(conn, ct, in_data,
394 in_len);
395 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
396 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
397 "message %d (expected Certificate/"
398 "ServerKeyExchange/CertificateRequest/"
399 "ServerHelloDone)", type);
400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
401 TLS_ALERT_UNEXPECTED_MESSAGE);
402 return -1;
403 }
404
405 wpa_printf(MSG_DEBUG,
406 "TLSv1: Received Certificate (certificate_list len %lu)",
407 (unsigned long) len);
408
409 /*
410 * opaque ASN.1Cert<2^24-1>;
411 *
412 * struct {
413 * ASN.1Cert certificate_list<1..2^24-1>;
414 * } Certificate;
415 */
416
417 end = pos + len;
418
419 if (end - pos < 3) {
420 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
421 "(left=%lu)", (unsigned long) left);
422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
423 return -1;
424 }
425
426 list_len = WPA_GET_BE24(pos);
427 pos += 3;
428
429 if ((size_t) (end - pos) != list_len) {
430 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
431 "length (len=%lu left=%lu)",
432 (unsigned long) list_len,
433 (unsigned long) (end - pos));
434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
435 return -1;
436 }
437
438 idx = 0;
439 while (pos < end) {
440 if (end - pos < 3) {
441 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
442 "certificate_list");
443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
444 TLS_ALERT_DECODE_ERROR);
445 x509_certificate_chain_free(chain);
446 return -1;
447 }
448
449 cert_len = WPA_GET_BE24(pos);
450 pos += 3;
451
452 if ((size_t) (end - pos) < cert_len) {
453 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
454 "length (len=%lu left=%lu)",
455 (unsigned long) cert_len,
456 (unsigned long) (end - pos));
457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 TLS_ALERT_DECODE_ERROR);
459 x509_certificate_chain_free(chain);
460 return -1;
461 }
462
463 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
464 (unsigned long) idx, (unsigned long) cert_len);
465
466 if (idx == 0) {
467 crypto_public_key_free(conn->server_rsa_key);
468 if (tls_parse_cert(pos, cert_len,
469 &conn->server_rsa_key)) {
470 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
471 "the certificate");
472 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 TLS_ALERT_BAD_CERTIFICATE);
474 x509_certificate_chain_free(chain);
475 return -1;
476 }
477 }
478
479 cert = x509_certificate_parse(pos, cert_len);
480 if (cert == NULL) {
481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
482 "the certificate");
483 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 TLS_ALERT_BAD_CERTIFICATE);
485 x509_certificate_chain_free(chain);
486 return -1;
487 }
488
489 tls_peer_cert_event(conn, idx, cert);
490
491 if (last == NULL)
492 chain = cert;
493 else
494 last->next = cert;
495 last = cert;
496
497 idx++;
498 pos += cert_len;
499 }
500
501 if (conn->cred && conn->cred->server_cert_only && chain) {
502 u8 hash[SHA256_MAC_LEN];
503 char buf[128];
504
505 wpa_printf(MSG_DEBUG,
506 "TLSv1: Validate server certificate hash");
507 x509_name_string(&chain->subject, buf, sizeof(buf));
508 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
509 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
510 hash) < 0 ||
511 os_memcmp(conn->cred->srv_cert_hash, hash,
512 SHA256_MAC_LEN) != 0) {
513 wpa_printf(MSG_DEBUG,
514 "TLSv1: Server certificate hash mismatch");
515 wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
516 hash, SHA256_MAC_LEN);
517 if (conn->event_cb) {
518 union tls_event_data ev;
519
520 os_memset(&ev, 0, sizeof(ev));
521 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
522 ev.cert_fail.reason_txt =
523 "Server certificate mismatch";
524 ev.cert_fail.subject = buf;
525 conn->event_cb(conn->cb_ctx,
526 TLS_CERT_CHAIN_FAILURE, &ev);
527 }
528 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
529 TLS_ALERT_BAD_CERTIFICATE);
530 x509_certificate_chain_free(chain);
531 return -1;
532 }
533 } else if (conn->cred && conn->cred->cert_probe) {
534 wpa_printf(MSG_DEBUG,
535 "TLSv1: Reject server certificate on probe-only rune");
536 if (conn->event_cb) {
537 union tls_event_data ev;
538 char buf[128];
539
540 os_memset(&ev, 0, sizeof(ev));
541 ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
542 ev.cert_fail.reason_txt =
543 "Server certificate chain probe";
544 if (chain) {
545 x509_name_string(&chain->subject, buf,
546 sizeof(buf));
547 ev.cert_fail.subject = buf;
548 }
549 conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
550 &ev);
551 }
552 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 TLS_ALERT_BAD_CERTIFICATE);
554 x509_certificate_chain_free(chain);
555 return -1;
556 } else if (conn->cred && conn->cred->ca_cert_verify &&
557 x509_certificate_chain_validate(
558 conn->cred->trusted_certs, chain, &reason,
559 !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
560 < 0) {
561 int tls_reason;
562 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
563 "validation failed (reason=%d)", reason);
564 switch (reason) {
565 case X509_VALIDATE_BAD_CERTIFICATE:
566 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
567 tls_cert_chain_failure_event(
568 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
569 "bad certificate");
570 break;
571 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
572 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
573 break;
574 case X509_VALIDATE_CERTIFICATE_REVOKED:
575 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
576 tls_cert_chain_failure_event(
577 conn, 0, chain, TLS_FAIL_REVOKED,
578 "certificate revoked");
579 break;
580 case X509_VALIDATE_CERTIFICATE_EXPIRED:
581 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
582 tls_cert_chain_failure_event(
583 conn, 0, chain, TLS_FAIL_EXPIRED,
584 "certificate has expired or is not yet valid");
585 break;
586 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
587 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
588 break;
589 case X509_VALIDATE_UNKNOWN_CA:
590 tls_reason = TLS_ALERT_UNKNOWN_CA;
591 tls_cert_chain_failure_event(
592 conn, 0, chain, TLS_FAIL_UNTRUSTED,
593 "unknown CA");
594 break;
595 default:
596 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
597 break;
598 }
599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
600 x509_certificate_chain_free(chain);
601 return -1;
602 }
603
604 if (conn->cred && !conn->cred->server_cert_only && chain &&
605 (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
606 !(chain->ext_key_usage &
607 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
608 tls_cert_chain_failure_event(
609 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
610 "certificate not allowed for server authentication");
611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 TLS_ALERT_BAD_CERTIFICATE);
613 x509_certificate_chain_free(chain);
614 return -1;
615 }
616
617 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
618 x509_certificate_chain_free(conn->server_cert);
619 conn->server_cert = chain;
620 } else {
621 x509_certificate_chain_free(chain);
622 }
623
624 *in_len = end - in_data;
625
626 conn->state = SERVER_KEY_EXCHANGE;
627
628 return 0;
629 }
630
631
count_bits(const u8 * val,size_t len)632 static unsigned int count_bits(const u8 *val, size_t len)
633 {
634 size_t i;
635 unsigned int bits;
636 u8 tmp;
637
638 for (i = 0; i < len; i++) {
639 if (val[i])
640 break;
641 }
642 if (i == len)
643 return 0;
644
645 bits = (len - i - 1) * 8;
646 tmp = val[i];
647 while (tmp) {
648 bits++;
649 tmp >>= 1;
650 }
651
652 return bits;
653 }
654
655
tlsv1_process_diffie_hellman(struct tlsv1_client * conn,const u8 * buf,size_t len,tls_key_exchange key_exchange)656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
657 const u8 *buf, size_t len,
658 tls_key_exchange key_exchange)
659 {
660 const u8 *pos, *end, *server_params, *server_params_end;
661 u8 alert;
662 unsigned int bits;
663 u16 val;
664
665 tlsv1_client_free_dh(conn);
666
667 pos = buf;
668 end = buf + len;
669
670 if (end - pos < 3)
671 goto fail;
672 server_params = pos;
673 val = WPA_GET_BE16(pos);
674 pos += 2;
675 if (val == 0 || val > (size_t) (end - pos)) {
676 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
677 goto fail;
678 }
679 conn->dh_p_len = val;
680 bits = count_bits(pos, conn->dh_p_len);
681 if (bits < 768) {
682 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
683 bits);
684 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
685 pos, conn->dh_p_len);
686 goto fail;
687 }
688 conn->dh_p = os_malloc(conn->dh_p_len);
689 if (conn->dh_p == NULL)
690 goto fail;
691 os_memcpy(conn->dh_p, pos, conn->dh_p_len);
692 pos += conn->dh_p_len;
693 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
694 conn->dh_p, conn->dh_p_len);
695
696 if (end - pos < 3)
697 goto fail;
698 val = WPA_GET_BE16(pos);
699 pos += 2;
700 if (val == 0 || val > (size_t) (end - pos))
701 goto fail;
702 conn->dh_g_len = val;
703 conn->dh_g = os_malloc(conn->dh_g_len);
704 if (conn->dh_g == NULL)
705 goto fail;
706 os_memcpy(conn->dh_g, pos, conn->dh_g_len);
707 pos += conn->dh_g_len;
708 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
709 conn->dh_g, conn->dh_g_len);
710 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
711 goto fail;
712
713 if (end - pos < 3)
714 goto fail;
715 val = WPA_GET_BE16(pos);
716 pos += 2;
717 if (val == 0 || val > (size_t) (end - pos))
718 goto fail;
719 conn->dh_ys_len = val;
720 conn->dh_ys = os_malloc(conn->dh_ys_len);
721 if (conn->dh_ys == NULL)
722 goto fail;
723 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
724 pos += conn->dh_ys_len;
725 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
726 conn->dh_ys, conn->dh_ys_len);
727 server_params_end = pos;
728
729 if (key_exchange == TLS_KEY_X_DHE_RSA) {
730 u8 hash[64];
731 int hlen;
732
733 if (conn->rl.tls_version == TLS_VERSION_1_2) {
734 #ifdef CONFIG_TLSV12
735 /*
736 * RFC 5246, 4.7:
737 * TLS v1.2 adds explicit indication of the used
738 * signature and hash algorithms.
739 *
740 * struct {
741 * HashAlgorithm hash;
742 * SignatureAlgorithm signature;
743 * } SignatureAndHashAlgorithm;
744 */
745 if (end - pos < 2)
746 goto fail;
747 if ((pos[0] != TLS_HASH_ALG_SHA256 &&
748 pos[0] != TLS_HASH_ALG_SHA384 &&
749 pos[0] != TLS_HASH_ALG_SHA512) ||
750 pos[1] != TLS_SIGN_ALG_RSA) {
751 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
752 pos[0], pos[1]);
753 goto fail;
754 }
755
756 hlen = tlsv12_key_x_server_params_hash(
757 conn->rl.tls_version, pos[0],
758 conn->client_random,
759 conn->server_random, server_params,
760 server_params_end - server_params, hash);
761 pos += 2;
762 #else /* CONFIG_TLSV12 */
763 goto fail;
764 #endif /* CONFIG_TLSV12 */
765 } else {
766 hlen = tls_key_x_server_params_hash(
767 conn->rl.tls_version, conn->client_random,
768 conn->server_random, server_params,
769 server_params_end - server_params, hash);
770 }
771
772 if (hlen < 0)
773 goto fail;
774 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
775 hash, hlen);
776
777 if (tls_verify_signature(conn->rl.tls_version,
778 conn->server_rsa_key,
779 hash, hlen, pos, end - pos,
780 &alert) < 0)
781 goto fail;
782 }
783
784 return 0;
785
786 fail:
787 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
788 tlsv1_client_free_dh(conn);
789 return -1;
790 }
791
792
793 static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client * conn,const u8 * pos,size_t len)794 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
795 const u8 *pos, size_t len)
796 {
797 const u8 *end = pos + len;
798 u32 ocsp_resp_len;
799
800 /* opaque OCSPResponse<1..2^24-1>; */
801 if (end - pos < 3) {
802 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
803 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
804 return TLS_OCSP_INVALID;
805 }
806 ocsp_resp_len = WPA_GET_BE24(pos);
807 pos += 3;
808 if (end - pos < ocsp_resp_len) {
809 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
810 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
811 return TLS_OCSP_INVALID;
812 }
813
814 return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
815 }
816
817
tls_process_certificate_status(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)818 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
819 const u8 *in_data, size_t *in_len)
820 {
821 const u8 *pos, *end;
822 size_t left, len;
823 u8 type, status_type;
824 enum tls_ocsp_result res;
825 struct x509_certificate *cert;
826 int depth;
827
828 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
829 wpa_printf(MSG_DEBUG,
830 "TLSv1: Expected Handshake; received content type 0x%x",
831 ct);
832 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
833 TLS_ALERT_UNEXPECTED_MESSAGE);
834 return -1;
835 }
836
837 pos = in_data;
838 left = *in_len;
839
840 if (left < 4) {
841 wpa_printf(MSG_DEBUG,
842 "TLSv1: Too short CertificateStatus (left=%lu)",
843 (unsigned long) left);
844 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
845 return -1;
846 }
847
848 type = *pos++;
849 len = WPA_GET_BE24(pos);
850 pos += 3;
851 left -= 4;
852
853 if (len > left) {
854 wpa_printf(MSG_DEBUG,
855 "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
856 (unsigned long) len, (unsigned long) left);
857 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
858 return -1;
859 }
860
861 end = pos + len;
862
863 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
864 wpa_printf(MSG_DEBUG,
865 "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
866 type);
867 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 TLS_ALERT_UNEXPECTED_MESSAGE);
869 return -1;
870 }
871
872 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
873
874 /*
875 * struct {
876 * CertificateStatusType status_type;
877 * select (status_type) {
878 * case ocsp: OCSPResponse;
879 * case ocsp_multi: OCSPResponseList;
880 * } response;
881 * } CertificateStatus;
882 */
883 if (end - pos < 1) {
884 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
885 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
886 return -1;
887 }
888 status_type = *pos++;
889 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
890 status_type);
891
892 if (status_type == 1 /* ocsp */) {
893 res = tls_process_certificate_status_ocsp_response(
894 conn, pos, end - pos);
895 } else if (status_type == 2 /* ocsp_multi */) {
896 int good = 0, revoked = 0;
897 u32 resp_len;
898
899 res = TLS_OCSP_NO_RESPONSE;
900
901 /*
902 * opaque OCSPResponse<0..2^24-1>;
903 *
904 * struct {
905 * OCSPResponse ocsp_response_list<1..2^24-1>;
906 * } OCSPResponseList;
907 */
908 if (end - pos < 3) {
909 wpa_printf(MSG_DEBUG,
910 "TLSv1: Truncated OCSPResponseList");
911 res = TLS_OCSP_INVALID;
912 goto done;
913 }
914 resp_len = WPA_GET_BE24(pos);
915 pos += 3;
916 if (end - pos < resp_len) {
917 wpa_printf(MSG_DEBUG,
918 "TLSv1: Truncated OCSPResponseList(len=%u)",
919 resp_len);
920 res = TLS_OCSP_INVALID;
921 goto done;
922 }
923 end = pos + resp_len;
924
925 while (end - pos >= 3) {
926 resp_len = WPA_GET_BE24(pos);
927 pos += 3;
928 if (resp_len > end - pos) {
929 wpa_printf(MSG_DEBUG,
930 "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
931 resp_len, (int) (end - pos));
932 res = TLS_OCSP_INVALID;
933 break;
934 }
935 if (!resp_len)
936 continue; /* Skip an empty response */
937 res = tls_process_certificate_status_ocsp_response(
938 conn, pos - 3, resp_len + 3);
939 if (res == TLS_OCSP_REVOKED)
940 revoked++;
941 else if (res == TLS_OCSP_GOOD)
942 good++;
943 pos += resp_len;
944 }
945
946 if (revoked)
947 res = TLS_OCSP_REVOKED;
948 else if (good)
949 res = TLS_OCSP_GOOD;
950 } else {
951 wpa_printf(MSG_DEBUG,
952 "TLSv1: Ignore unsupported CertificateStatus");
953 goto skip;
954 }
955
956 done:
957 if (res == TLS_OCSP_REVOKED) {
958 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
959 TLS_ALERT_CERTIFICATE_REVOKED);
960 for (cert = conn->server_cert, depth = 0; cert;
961 cert = cert->next, depth++) {
962 if (cert->ocsp_revoked) {
963 tls_cert_chain_failure_event(
964 conn, depth, cert, TLS_FAIL_REVOKED,
965 "certificate revoked");
966 }
967 }
968 return -1;
969 }
970
971 if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
972 /*
973 * Verify that each certificate on the chain that is not part
974 * of the trusted certificates has a good status. If not,
975 * terminate handshake.
976 */
977 for (cert = conn->server_cert, depth = 0; cert;
978 cert = cert->next, depth++) {
979 if (!cert->ocsp_good) {
980 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
981 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
982 tls_cert_chain_failure_event(
983 conn, depth, cert,
984 TLS_FAIL_UNSPECIFIED,
985 "bad certificate status response");
986 return -1;
987 }
988 if (cert->issuer_trusted)
989 break;
990 }
991 }
992
993 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
994 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
995 res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
996 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
997 if (conn->server_cert)
998 tls_cert_chain_failure_event(
999 conn, 0, conn->server_cert,
1000 TLS_FAIL_UNSPECIFIED,
1001 "bad certificate status response");
1002 return -1;
1003 }
1004
1005 conn->ocsp_resp_received = 1;
1006
1007 skip:
1008 *in_len = end - in_data;
1009
1010 conn->state = SERVER_KEY_EXCHANGE;
1011
1012 return 0;
1013 }
1014
1015
tls_process_server_key_exchange(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1016 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1017 const u8 *in_data, size_t *in_len)
1018 {
1019 const u8 *pos, *end;
1020 size_t left, len;
1021 u8 type;
1022 const struct tls_cipher_suite *suite;
1023
1024 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1025 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1026 "received content type 0x%x", ct);
1027 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028 TLS_ALERT_UNEXPECTED_MESSAGE);
1029 return -1;
1030 }
1031
1032 pos = in_data;
1033 left = *in_len;
1034
1035 if (left < 4) {
1036 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1037 "(Left=%lu)", (unsigned long) left);
1038 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1039 return -1;
1040 }
1041
1042 type = *pos++;
1043 len = WPA_GET_BE24(pos);
1044 pos += 3;
1045 left -= 4;
1046
1047 if (len > left) {
1048 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1049 "length (len=%lu != left=%lu)",
1050 (unsigned long) len, (unsigned long) left);
1051 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1052 return -1;
1053 }
1054
1055 end = pos + len;
1056
1057 if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1058 type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1059 return tls_process_certificate_status(conn, ct, in_data,
1060 in_len);
1061 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1062 return tls_process_certificate_request(conn, ct, in_data,
1063 in_len);
1064 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1065 return tls_process_server_hello_done(conn, ct, in_data,
1066 in_len);
1067 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1068 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1069 "message %d (expected ServerKeyExchange/"
1070 "CertificateRequest/ServerHelloDone%s)", type,
1071 (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1072 "/CertificateStatus" : "");
1073 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 TLS_ALERT_UNEXPECTED_MESSAGE);
1075 return -1;
1076 }
1077
1078 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1079
1080 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1081 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1082 "with the selected cipher suite");
1083 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1084 TLS_ALERT_UNEXPECTED_MESSAGE);
1085 return -1;
1086 }
1087
1088 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1089 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1090 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1091 suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1092 if (tlsv1_process_diffie_hellman(conn, pos, len,
1093 suite->key_exchange) < 0) {
1094 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1095 TLS_ALERT_DECODE_ERROR);
1096 return -1;
1097 }
1098 } else {
1099 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1100 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1101 TLS_ALERT_UNEXPECTED_MESSAGE);
1102 return -1;
1103 }
1104
1105 *in_len = end - in_data;
1106
1107 conn->state = SERVER_CERTIFICATE_REQUEST;
1108
1109 return 0;
1110 }
1111
1112
tls_process_certificate_request(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1113 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1114 const u8 *in_data, size_t *in_len)
1115 {
1116 const u8 *pos, *end;
1117 size_t left, len;
1118 u8 type;
1119
1120 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1121 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1122 "received content type 0x%x", ct);
1123 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1124 TLS_ALERT_UNEXPECTED_MESSAGE);
1125 return -1;
1126 }
1127
1128 pos = in_data;
1129 left = *in_len;
1130
1131 if (left < 4) {
1132 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1133 "(left=%lu)", (unsigned long) left);
1134 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1135 return -1;
1136 }
1137
1138 type = *pos++;
1139 len = WPA_GET_BE24(pos);
1140 pos += 3;
1141 left -= 4;
1142
1143 if (len > left) {
1144 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1145 "length (len=%lu != left=%lu)",
1146 (unsigned long) len, (unsigned long) left);
1147 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1148 return -1;
1149 }
1150
1151 end = pos + len;
1152
1153 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1154 return tls_process_server_hello_done(conn, ct, in_data,
1155 in_len);
1156 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1157 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1158 "message %d (expected CertificateRequest/"
1159 "ServerHelloDone)", type);
1160 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1161 TLS_ALERT_UNEXPECTED_MESSAGE);
1162 return -1;
1163 }
1164
1165 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1166
1167 conn->certificate_requested = 1;
1168
1169 *in_len = end - in_data;
1170
1171 conn->state = SERVER_HELLO_DONE;
1172
1173 return 0;
1174 }
1175
1176
tls_process_server_hello_done(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1177 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1178 const u8 *in_data, size_t *in_len)
1179 {
1180 const u8 *pos, *end;
1181 size_t left, len;
1182 u8 type;
1183
1184 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1185 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1186 "received content type 0x%x", ct);
1187 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1188 TLS_ALERT_UNEXPECTED_MESSAGE);
1189 return -1;
1190 }
1191
1192 pos = in_data;
1193 left = *in_len;
1194
1195 if (left < 4) {
1196 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1197 "(left=%lu)", (unsigned long) left);
1198 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1199 return -1;
1200 }
1201
1202 type = *pos++;
1203 len = WPA_GET_BE24(pos);
1204 pos += 3;
1205 left -= 4;
1206
1207 if (len > left) {
1208 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1209 "length (len=%lu != left=%lu)",
1210 (unsigned long) len, (unsigned long) left);
1211 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1212 return -1;
1213 }
1214 end = pos + len;
1215
1216 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1217 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1218 "message %d (expected ServerHelloDone)", type);
1219 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1220 TLS_ALERT_UNEXPECTED_MESSAGE);
1221 return -1;
1222 }
1223
1224 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1225
1226 if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1227 !conn->ocsp_resp_received) {
1228 wpa_printf(MSG_INFO,
1229 "TLSv1: No OCSP response received - reject handshake");
1230 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1231 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1232 return -1;
1233 }
1234
1235 *in_len = end - in_data;
1236
1237 conn->state = CLIENT_KEY_EXCHANGE;
1238
1239 return 0;
1240 }
1241
1242
tls_process_server_change_cipher_spec(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1243 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1244 u8 ct, const u8 *in_data,
1245 size_t *in_len)
1246 {
1247 const u8 *pos;
1248 size_t left;
1249
1250 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1251 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1252 "received content type 0x%x", ct);
1253 if (conn->use_session_ticket) {
1254 int res;
1255 wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1256 "rejected SessionTicket");
1257 conn->use_session_ticket = 0;
1258
1259 /* Notify upper layers that SessionTicket failed */
1260 res = conn->session_ticket_cb(
1261 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1262 NULL, NULL);
1263 if (res < 0) {
1264 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1265 "callback indicated failure");
1266 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1267 TLS_ALERT_HANDSHAKE_FAILURE);
1268 return -1;
1269 }
1270
1271 conn->state = SERVER_CERTIFICATE;
1272 return tls_process_certificate(conn, ct, in_data,
1273 in_len);
1274 }
1275 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276 TLS_ALERT_UNEXPECTED_MESSAGE);
1277 return -1;
1278 }
1279
1280 pos = in_data;
1281 left = *in_len;
1282
1283 if (left < 1) {
1284 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1286 return -1;
1287 }
1288
1289 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1290 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1291 "received data 0x%x", *pos);
1292 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1293 TLS_ALERT_UNEXPECTED_MESSAGE);
1294 return -1;
1295 }
1296
1297 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1298 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1299 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1300 "for record layer");
1301 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1302 TLS_ALERT_INTERNAL_ERROR);
1303 return -1;
1304 }
1305
1306 *in_len = pos + 1 - in_data;
1307
1308 conn->state = SERVER_FINISHED;
1309
1310 return 0;
1311 }
1312
1313
tls_process_server_finished(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len)1314 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1315 const u8 *in_data, size_t *in_len)
1316 {
1317 const u8 *pos, *end;
1318 size_t left, len, hlen;
1319 u8 verify_data[TLS_VERIFY_DATA_LEN];
1320 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1321
1322 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1323 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1324 "received content type 0x%x", ct);
1325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1326 TLS_ALERT_UNEXPECTED_MESSAGE);
1327 return -1;
1328 }
1329
1330 pos = in_data;
1331 left = *in_len;
1332
1333 if (left < 4) {
1334 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1335 "Finished",
1336 (unsigned long) left);
1337 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1338 TLS_ALERT_DECODE_ERROR);
1339 return -1;
1340 }
1341
1342 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1343 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1344 "type 0x%x", pos[0]);
1345 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1346 TLS_ALERT_UNEXPECTED_MESSAGE);
1347 return -1;
1348 }
1349
1350 len = WPA_GET_BE24(pos + 1);
1351
1352 pos += 4;
1353 left -= 4;
1354
1355 if (len > left) {
1356 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1357 "(len=%lu > left=%lu)",
1358 (unsigned long) len, (unsigned long) left);
1359 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1360 TLS_ALERT_DECODE_ERROR);
1361 return -1;
1362 }
1363 end = pos + len;
1364 if (len != TLS_VERIFY_DATA_LEN) {
1365 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1366 "in Finished: %lu (expected %d)",
1367 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1368 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1369 TLS_ALERT_DECODE_ERROR);
1370 return -1;
1371 }
1372 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1373 pos, TLS_VERIFY_DATA_LEN);
1374
1375 #ifdef CONFIG_TLSV12
1376 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1377 hlen = SHA256_MAC_LEN;
1378 if (conn->verify.sha256_server == NULL ||
1379 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1380 < 0) {
1381 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1382 TLS_ALERT_INTERNAL_ERROR);
1383 conn->verify.sha256_server = NULL;
1384 return -1;
1385 }
1386 conn->verify.sha256_server = NULL;
1387 } else {
1388 #endif /* CONFIG_TLSV12 */
1389
1390 hlen = MD5_MAC_LEN;
1391 if (conn->verify.md5_server == NULL ||
1392 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1393 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1394 TLS_ALERT_INTERNAL_ERROR);
1395 conn->verify.md5_server = NULL;
1396 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1397 conn->verify.sha1_server = NULL;
1398 return -1;
1399 }
1400 conn->verify.md5_server = NULL;
1401 hlen = SHA1_MAC_LEN;
1402 if (conn->verify.sha1_server == NULL ||
1403 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1404 &hlen) < 0) {
1405 conn->verify.sha1_server = NULL;
1406 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1407 TLS_ALERT_INTERNAL_ERROR);
1408 return -1;
1409 }
1410 conn->verify.sha1_server = NULL;
1411 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1412
1413 #ifdef CONFIG_TLSV12
1414 }
1415 #endif /* CONFIG_TLSV12 */
1416
1417 if (tls_prf(conn->rl.tls_version,
1418 conn->master_secret, TLS_MASTER_SECRET_LEN,
1419 "server finished", hash, hlen,
1420 verify_data, TLS_VERIFY_DATA_LEN)) {
1421 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1423 TLS_ALERT_DECRYPT_ERROR);
1424 return -1;
1425 }
1426 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1427 verify_data, TLS_VERIFY_DATA_LEN);
1428
1429 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1430 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1431 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1432 TLS_ALERT_DECRYPT_ERROR);
1433 return -1;
1434 }
1435
1436 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1437
1438 *in_len = end - in_data;
1439
1440 conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1441 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1442
1443 return 0;
1444 }
1445
1446
tls_process_application_data(struct tlsv1_client * conn,u8 ct,const u8 * in_data,size_t * in_len,u8 ** out_data,size_t * out_len)1447 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1448 const u8 *in_data, size_t *in_len,
1449 u8 **out_data, size_t *out_len)
1450 {
1451 const u8 *pos;
1452 size_t left;
1453
1454 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1455 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1456 "received content type 0x%x", ct);
1457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1458 TLS_ALERT_UNEXPECTED_MESSAGE);
1459 return -1;
1460 }
1461
1462 pos = in_data;
1463 left = *in_len;
1464
1465 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1466 pos, left);
1467
1468 *out_data = os_malloc(left);
1469 if (*out_data) {
1470 os_memcpy(*out_data, pos, left);
1471 *out_len = left;
1472 }
1473
1474 return 0;
1475 }
1476
1477
tlsv1_client_process_handshake(struct tlsv1_client * conn,u8 ct,const u8 * buf,size_t * len,u8 ** out_data,size_t * out_len)1478 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1479 const u8 *buf, size_t *len,
1480 u8 **out_data, size_t *out_len)
1481 {
1482 if (ct == TLS_CONTENT_TYPE_ALERT) {
1483 if (*len < 2) {
1484 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1485 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1486 TLS_ALERT_DECODE_ERROR);
1487 return -1;
1488 }
1489 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1490 buf[0], buf[1]);
1491 *len = 2;
1492 conn->state = FAILED;
1493 return -1;
1494 }
1495
1496 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1497 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1498 size_t hr_len = WPA_GET_BE24(buf + 1);
1499 if (hr_len > *len - 4) {
1500 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1501 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1502 TLS_ALERT_DECODE_ERROR);
1503 return -1;
1504 }
1505 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1506 *len = 4 + hr_len;
1507 return 0;
1508 }
1509
1510 switch (conn->state) {
1511 case SERVER_HELLO:
1512 if (tls_process_server_hello(conn, ct, buf, len))
1513 return -1;
1514 break;
1515 case SERVER_CERTIFICATE:
1516 if (tls_process_certificate(conn, ct, buf, len))
1517 return -1;
1518 break;
1519 case SERVER_KEY_EXCHANGE:
1520 if (tls_process_server_key_exchange(conn, ct, buf, len))
1521 return -1;
1522 break;
1523 case SERVER_CERTIFICATE_REQUEST:
1524 if (tls_process_certificate_request(conn, ct, buf, len))
1525 return -1;
1526 break;
1527 case SERVER_HELLO_DONE:
1528 if (tls_process_server_hello_done(conn, ct, buf, len))
1529 return -1;
1530 break;
1531 case SERVER_CHANGE_CIPHER_SPEC:
1532 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1533 return -1;
1534 break;
1535 case SERVER_FINISHED:
1536 if (tls_process_server_finished(conn, ct, buf, len))
1537 return -1;
1538 break;
1539 case ACK_FINISHED:
1540 if (out_data &&
1541 tls_process_application_data(conn, ct, buf, len, out_data,
1542 out_len))
1543 return -1;
1544 break;
1545 default:
1546 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1547 "while processing received message",
1548 conn->state);
1549 return -1;
1550 }
1551
1552 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1553 tls_verify_hash_add(&conn->verify, buf, *len);
1554
1555 return 0;
1556 }
1557