contrib/wpa/src/tls/tlsv1_client_read.c

   1 /*
   2  * TLSv1 client - read handshake message
   3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_client.h"
  20 #include "tlsv1_client_i.h"
  21
  22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
  23                                            const u8 *in_data, size_t *in_len);
  24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
  25                                            const u8 *in_data, size_t *in_len);
  26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
  27                                          const u8 *in_data, size_t *in_len);
  28
  29
  30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
  31 {
  32         return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
  33                  ver == TLS_VERSION_1) ||
  34                 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
  35                  ver == TLS_VERSION_1_1) ||
  36                 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
  37                  ver == TLS_VERSION_1_2));
  38 }
  39
  40
  41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
  42                                                const u8 *pos, size_t len)
  43 {
  44         const u8 *end = pos + len;
  45
  46         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
  47                     pos, len);
  48         while (pos < end) {
  49                 u16 ext, elen;
  50
  51                 if (end - pos < 4) {
  52                         wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
  53                         return -1;
  54                 }
  55
  56                 ext = WPA_GET_BE16(pos);
  57                 pos += 2;
  58                 elen = WPA_GET_BE16(pos);
  59                 pos += 2;
  60
  61                 if (elen > end - pos) {
  62                         wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
  63                         return -1;
  64                 }
  65
  66                 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
  67                            ext);
  68                 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
  69                             pos, elen);
  70
  71                 pos += elen;
  72         }
  73
  74         return 0;
  75 }
  76
  77
  78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
  79                                     const u8 *in_data, size_t *in_len)
  80 {
  81         const u8 *pos, *end;
  82         size_t left, len, i;
  83         u16 cipher_suite;
  84         u16 tls_version;
  85
  86         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  87                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  88                            "received content type 0x%x", ct);
  89                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  90                           TLS_ALERT_UNEXPECTED_MESSAGE);
  91                 return -1;
  92         }
  93
  94         pos = in_data;
  95         left = *in_len;
  96
  97         if (left < 4)
  98                 goto decode_error;
  99
 100         /* HandshakeType msg_type */
 101         if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
 102                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 103                            "message %d (expected ServerHello)", *pos);
 104                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 105                           TLS_ALERT_UNEXPECTED_MESSAGE);
 106                 return -1;
 107         }
 108         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
 109         pos++;
 110         /* uint24 length */
 111         len = WPA_GET_BE24(pos);
 112         pos += 3;
 113         left -= 4;
 114
 115         if (len > left)
 116                 goto decode_error;
 117
 118         /* body - ServerHello */
 119
 120         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
 121         end = pos + len;
 122
 123         /* ProtocolVersion server_version */
 124         if (end - pos < 2)
 125                 goto decode_error;
 126         tls_version = WPA_GET_BE16(pos);
 127         if (!tls_version_ok(tls_version) ||
 128             tls_version_disabled(conn, tls_version)) {
 129                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
 130                            "ServerHello %u.%u", pos[0], pos[1]);
 131                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 132                           TLS_ALERT_PROTOCOL_VERSION);
 133                 return -1;
 134         }
 135         pos += 2;
 136
 137         wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
 138                    tls_version_str(tls_version));
 139         conn->rl.tls_version = tls_version;
 140
 141         /* Random random */
 142         if (end - pos < TLS_RANDOM_LEN)
 143                 goto decode_error;
 144
 145         os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
 146         pos += TLS_RANDOM_LEN;
 147         wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
 148                     conn->server_random, TLS_RANDOM_LEN);
 149
 150         /* SessionID session_id */
 151         if (end - pos < 1)
 152                 goto decode_error;
 153         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 154                 goto decode_error;
 155         if (conn->session_id_len && conn->session_id_len == *pos &&
 156             os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
 157                 pos += 1 + conn->session_id_len;
 158                 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
 159                 conn->session_resumed = 1;
 160         } else {
 161                 conn->session_id_len = *pos;
 162                 pos++;
 163                 os_memcpy(conn->session_id, pos, conn->session_id_len);
 164                 pos += conn->session_id_len;
 165         }
 166         wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
 167                     conn->session_id, conn->session_id_len);
 168
 169         /* CipherSuite cipher_suite */
 170         if (end - pos < 2)
 171                 goto decode_error;
 172         cipher_suite = WPA_GET_BE16(pos);
 173         pos += 2;
 174         for (i = 0; i < conn->num_cipher_suites; i++) {
 175                 if (cipher_suite == conn->cipher_suites[i])
 176                         break;
 177         }
 178         if (i == conn->num_cipher_suites) {
 179                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 180                            "cipher suite 0x%04x", cipher_suite);
 181                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 182                           TLS_ALERT_ILLEGAL_PARAMETER);
 183                 return -1;
 184         }
 185
 186         if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
 187                 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
 188                            "cipher suite for a resumed connection (0x%04x != "
 189                            "0x%04x)", cipher_suite, conn->prev_cipher_suite);
 190                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 191                           TLS_ALERT_ILLEGAL_PARAMETER);
 192                 return -1;
 193         }
 194
 195         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 196                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 197                            "record layer");
 198                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 199                           TLS_ALERT_INTERNAL_ERROR);
 200                 return -1;
 201         }
 202
 203         conn->prev_cipher_suite = cipher_suite;
 204
 205         /* CompressionMethod compression_method */
 206         if (end - pos < 1)
 207                 goto decode_error;
 208         if (*pos != TLS_COMPRESSION_NULL) {
 209                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 210                            "compression 0x%02x", *pos);
 211                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 212                           TLS_ALERT_ILLEGAL_PARAMETER);
 213                 return -1;
 214         }
 215         pos++;
 216
 217         if (end - pos >= 2) {
 218                 u16 ext_len;
 219
 220                 ext_len = WPA_GET_BE16(pos);
 221                 pos += 2;
 222                 if (end - pos < ext_len) {
 223                         wpa_printf(MSG_INFO,
 224                                    "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
 225                                    ext_len, (unsigned int) (end - pos));
 226                         goto decode_error;
 227                 }
 228
 229                 if (tls_process_server_hello_extensions(conn, pos, ext_len))
 230                         goto decode_error;
 231                 pos += ext_len;
 232         }
 233
 234         if (end != pos) {
 235                 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
 236                             "end of ServerHello", pos, end - pos);
 237                 goto decode_error;
 238         }
 239
 240         if (conn->session_ticket_included && conn->session_ticket_cb) {
 241                 /* TODO: include SessionTicket extension if one was included in
 242                  * ServerHello */
 243                 int res = conn->session_ticket_cb(
 244                         conn->session_ticket_cb_ctx, NULL, 0,
 245                         conn->client_random, conn->server_random,
 246                         conn->master_secret);
 247                 if (res < 0) {
 248                         wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
 249                                    "indicated failure");
 250                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 251                                   TLS_ALERT_HANDSHAKE_FAILURE);
 252                         return -1;
 253                 }
 254                 conn->use_session_ticket = !!res;
 255         }
 256
 257         if ((conn->session_resumed || conn->use_session_ticket) &&
 258             tls_derive_keys(conn, NULL, 0)) {
 259                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 260                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 261                           TLS_ALERT_INTERNAL_ERROR);
 262                 return -1;
 263         }
 264
 265         *in_len = end - in_data;
 266
 267         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 268                 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
 269
 270         return 0;
 271
 272 decode_error:
 273         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
 274         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 275         return -1;
 276 }
 277
 278
 279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
 280                                 struct x509_certificate *cert)
 281 {
 282         union tls_event_data ev;
 283         struct wpabuf *cert_buf = NULL;
 284 #ifdef CONFIG_SHA256
 285         u8 hash[32];
 286 #endif /* CONFIG_SHA256 */
 287         char subject[128];
 288
 289         if (!conn->event_cb)
 290                 return;
 291
 292         os_memset(&ev, 0, sizeof(ev));
 293         if ((conn->cred && conn->cred->cert_probe) || conn->cert_in_cb) {
 294                 cert_buf = wpabuf_alloc_copy(cert->cert_start,
 295                                              cert->cert_len);
 296                 ev.peer_cert.cert = cert_buf;
 297         }
 298 #ifdef CONFIG_SHA256
 299         if (cert_buf) {
 300                 const u8 *addr[1];
 301                 size_t len[1];
 302                 addr[0] = wpabuf_head(cert_buf);
 303                 len[0] = wpabuf_len(cert_buf);
 304                 if (sha256_vector(1, addr, len, hash) == 0) {
 305                         ev.peer_cert.hash = hash;
 306                         ev.peer_cert.hash_len = sizeof(hash);
 307                 }
 308         }
 309 #endif /* CONFIG_SHA256 */
 310
 311         ev.peer_cert.depth = depth;
 312         x509_name_string(&cert->subject, subject, sizeof(subject));
 313         ev.peer_cert.subject = subject;
 314
 315         conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
 316         wpabuf_free(cert_buf);
 317 }
 318
 319
 320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
 321                                          struct x509_certificate *cert,
 322                                          enum tls_fail_reason reason,
 323                                          const char *reason_txt)
 324 {
 325         struct wpabuf *cert_buf = NULL;
 326         union tls_event_data ev;
 327         char subject[128];
 328
 329         if (!conn->event_cb || !cert)
 330                 return;
 331
 332         os_memset(&ev, 0, sizeof(ev));
 333         ev.cert_fail.depth = depth;
 334         x509_name_string(&cert->subject, subject, sizeof(subject));
 335         ev.peer_cert.subject = subject;
 336         ev.cert_fail.reason = reason;
 337         ev.cert_fail.reason_txt = reason_txt;
 338         cert_buf = wpabuf_alloc_copy(cert->cert_start,
 339                                      cert->cert_len);
 340         ev.cert_fail.cert = cert_buf;
 341         conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
 342         wpabuf_free(cert_buf);
 343 }
 344
 345
 346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 347                                    const u8 *in_data, size_t *in_len)
 348 {
 349         const u8 *pos, *end;
 350         size_t left, len, list_len, cert_len, idx;
 351         u8 type;
 352         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 353         int reason;
 354
 355         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 356                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 357                            "received content type 0x%x", ct);
 358                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 359                           TLS_ALERT_UNEXPECTED_MESSAGE);
 360                 return -1;
 361         }
 362
 363         pos = in_data;
 364         left = *in_len;
 365
 366         if (left < 4) {
 367                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 368                            "(len=%lu)", (unsigned long) left);
 369                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 370                 return -1;
 371         }
 372
 373         type = *pos++;
 374         len = WPA_GET_BE24(pos);
 375         pos += 3;
 376         left -= 4;
 377
 378         if (len > left) {
 379                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 380                            "length (len=%lu != left=%lu)",
 381                            (unsigned long) len, (unsigned long) left);
 382                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 383                 return -1;
 384         }
 385
 386         if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
 387                 return tls_process_server_key_exchange(conn, ct, in_data,
 388                                                        in_len);
 389         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 390                 return tls_process_certificate_request(conn, ct, in_data,
 391                                                        in_len);
 392         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 393                 return tls_process_server_hello_done(conn, ct, in_data,
 394                                                      in_len);
 395         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 396                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 397                            "message %d (expected Certificate/"
 398                            "ServerKeyExchange/CertificateRequest/"
 399                            "ServerHelloDone)", type);
 400                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 401                           TLS_ALERT_UNEXPECTED_MESSAGE);
 402                 return -1;
 403         }
 404
 405         wpa_printf(MSG_DEBUG,
 406                    "TLSv1: Received Certificate (certificate_list len %lu)",
 407                    (unsigned long) len);
 408
 409         /*
 410          * opaque ASN.1Cert<2^24-1>;
 411          *
 412          * struct {
 413          *     ASN.1Cert certificate_list<1..2^24-1>;
 414          * } Certificate;
 415          */
 416
 417         end = pos + len;
 418
 419         if (end - pos < 3) {
 420                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 421                            "(left=%lu)", (unsigned long) left);
 422                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 423                 return -1;
 424         }
 425
 426         list_len = WPA_GET_BE24(pos);
 427         pos += 3;
 428
 429         if ((size_t) (end - pos) != list_len) {
 430                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 431                            "length (len=%lu left=%lu)",
 432                            (unsigned long) list_len,
 433                            (unsigned long) (end - pos));
 434                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 435                 return -1;
 436         }
 437
 438         idx = 0;
 439         while (pos < end) {
 440                 if (end - pos < 3) {
 441                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 442                                    "certificate_list");
 443                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 444                                   TLS_ALERT_DECODE_ERROR);
 445                         x509_certificate_chain_free(chain);
 446                         return -1;
 447                 }
 448
 449                 cert_len = WPA_GET_BE24(pos);
 450                 pos += 3;
 451
 452                 if ((size_t) (end - pos) < cert_len) {
 453                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 454                                    "length (len=%lu left=%lu)",
 455                                    (unsigned long) cert_len,
 456                                    (unsigned long) (end - pos));
 457                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 458                                   TLS_ALERT_DECODE_ERROR);
 459                         x509_certificate_chain_free(chain);
 460                         return -1;
 461                 }
 462
 463                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 464                            (unsigned long) idx, (unsigned long) cert_len);
 465
 466                 if (idx == 0) {
 467                         crypto_public_key_free(conn->server_rsa_key);
 468                         if (tls_parse_cert(pos, cert_len,
 469                                            &conn->server_rsa_key)) {
 470                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 471                                            "the certificate");
 472                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 473                                           TLS_ALERT_BAD_CERTIFICATE);
 474                                 x509_certificate_chain_free(chain);
 475                                 return -1;
 476                         }
 477                 }
 478
 479                 cert = x509_certificate_parse(pos, cert_len);
 480                 if (cert == NULL) {
 481                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 482                                    "the certificate");
 483                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 484                                   TLS_ALERT_BAD_CERTIFICATE);
 485                         x509_certificate_chain_free(chain);
 486                         return -1;
 487                 }
 488
 489                 tls_peer_cert_event(conn, idx, cert);
 490
 491                 if (last == NULL)
 492                         chain = cert;
 493                 else
 494                         last->next = cert;
 495                 last = cert;
 496
 497                 idx++;
 498                 pos += cert_len;
 499         }
 500
 501         if (conn->cred && conn->cred->server_cert_only && chain) {
 502                 u8 hash[SHA256_MAC_LEN];
 503                 char buf[128];
 504
 505                 wpa_printf(MSG_DEBUG,
 506                            "TLSv1: Validate server certificate hash");
 507                 x509_name_string(&chain->subject, buf, sizeof(buf));
 508                 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
 509                 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
 510                                   hash) < 0 ||
 511                     os_memcmp(conn->cred->srv_cert_hash, hash,
 512                               SHA256_MAC_LEN) != 0) {
 513                         wpa_printf(MSG_DEBUG,
 514                                    "TLSv1: Server certificate hash mismatch");
 515                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
 516                                     hash, SHA256_MAC_LEN);
 517                         if (conn->event_cb) {
 518                                 union tls_event_data ev;
 519
 520                                 os_memset(&ev, 0, sizeof(ev));
 521                                 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
 522                                 ev.cert_fail.reason_txt =
 523                                         "Server certificate mismatch";
 524                                 ev.cert_fail.subject = buf;
 525                                 conn->event_cb(conn->cb_ctx,
 526                                                TLS_CERT_CHAIN_FAILURE, &ev);
 527                         }
 528                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 529                                   TLS_ALERT_BAD_CERTIFICATE);
 530                         x509_certificate_chain_free(chain);
 531                         return -1;
 532                 }
 533         } else if (conn->cred && conn->cred->cert_probe) {
 534                 wpa_printf(MSG_DEBUG,
 535                            "TLSv1: Reject server certificate on probe-only rune");
 536                 if (conn->event_cb) {
 537                         union tls_event_data ev;
 538                         char buf[128];
 539
 540                         os_memset(&ev, 0, sizeof(ev));
 541                         ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
 542                         ev.cert_fail.reason_txt =
 543                                 "Server certificate chain probe";
 544                         if (chain) {
 545                                 x509_name_string(&chain->subject, buf,
 546                                                  sizeof(buf));
 547                                 ev.cert_fail.subject = buf;
 548                         }
 549                         conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
 550                                        &ev);
 551                 }
 552                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 553                           TLS_ALERT_BAD_CERTIFICATE);
 554                 x509_certificate_chain_free(chain);
 555                 return -1;
 556         } else if (conn->cred && conn->cred->ca_cert_verify &&
 557                    x509_certificate_chain_validate(
 558                            conn->cred->trusted_certs, chain, &reason,
 559                            !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
 560                    < 0) {
 561                 int tls_reason;
 562                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 563                            "validation failed (reason=%d)", reason);
 564                 switch (reason) {
 565                 case X509_VALIDATE_BAD_CERTIFICATE:
 566                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 567                         tls_cert_chain_failure_event(
 568                                 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
 569                                 "bad certificate");
 570                         break;
 571                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 572                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 573                         break;
 574                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 575                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 576                         tls_cert_chain_failure_event(
 577                                 conn, 0, chain, TLS_FAIL_REVOKED,
 578                                 "certificate revoked");
 579                         break;
 580                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 581                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 582                         tls_cert_chain_failure_event(
 583                                 conn, 0, chain, TLS_FAIL_EXPIRED,
 584                                 "certificate has expired or is not yet valid");
 585                         break;
 586                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 587                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 588                         break;
 589                 case X509_VALIDATE_UNKNOWN_CA:
 590                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 591                         tls_cert_chain_failure_event(
 592                                 conn, 0, chain, TLS_FAIL_UNTRUSTED,
 593                                 "unknown CA");
 594                         break;
 595                 default:
 596                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 597                         break;
 598                 }
 599                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 600                 x509_certificate_chain_free(chain);
 601                 return -1;
 602         }
 603
 604         if (conn->cred && !conn->cred->server_cert_only && chain &&
 605             (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
 606             !(chain->ext_key_usage &
 607               (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
 608                 tls_cert_chain_failure_event(
 609                         conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
 610                         "certificate not allowed for server authentication");
 611                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 612                           TLS_ALERT_BAD_CERTIFICATE);
 613                 x509_certificate_chain_free(chain);
 614                 return -1;
 615         }
 616
 617         if (conn->flags & TLS_CONN_REQUEST_OCSP) {
 618                 x509_certificate_chain_free(conn->server_cert);
 619                 conn->server_cert = chain;
 620         } else {
 621                 x509_certificate_chain_free(chain);
 622         }
 623
 624         *in_len = end - in_data;
 625
 626         conn->state = SERVER_KEY_EXCHANGE;
 627
 628         return 0;
 629 }
 630
 631
 632 static unsigned int count_bits(const u8 *val, size_t len)
 633 {
 634         size_t i;
 635         unsigned int bits;
 636         u8 tmp;
 637
 638         for (i = 0; i < len; i++) {
 639                 if (val[i])
 640                         break;
 641         }
 642         if (i == len)
 643                 return 0;
 644
 645         bits = (len - i - 1) * 8;
 646         tmp = val[i];
 647         while (tmp) {
 648                 bits++;
 649                 tmp >>= 1;
 650         }
 651
 652         return bits;
 653 }
 654
 655
 656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 657                                         const u8 *buf, size_t len,
 658                                         tls_key_exchange key_exchange)
 659 {
 660         const u8 *pos, *end, *server_params, *server_params_end;
 661         u8 alert;
 662         unsigned int bits;
 663         u16 val;
 664
 665         tlsv1_client_free_dh(conn);
 666
 667         pos = buf;
 668         end = buf + len;
 669
 670         if (end - pos < 3)
 671                 goto fail;
 672         server_params = pos;
 673         val = WPA_GET_BE16(pos);
 674         pos += 2;
 675         if (val == 0 || val > (size_t) (end - pos)) {
 676                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
 677                 goto fail;
 678         }
 679         conn->dh_p_len = val;
 680         bits = count_bits(pos, conn->dh_p_len);
 681         if (bits < 768) {
 682                 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
 683                            bits);
 684                 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
 685                             pos, conn->dh_p_len);
 686                 goto fail;
 687         }
 688         conn->dh_p = os_memdup(pos, conn->dh_p_len);
 689         if (conn->dh_p == NULL)
 690                 goto fail;
 691         pos += conn->dh_p_len;
 692         wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
 693                     conn->dh_p, conn->dh_p_len);
 694
 695         if (end - pos < 3)
 696                 goto fail;
 697         val = WPA_GET_BE16(pos);
 698         pos += 2;
 699         if (val == 0 || val > (size_t) (end - pos))
 700                 goto fail;
 701         conn->dh_g_len = val;
 702         conn->dh_g = os_memdup(pos, conn->dh_g_len);
 703         if (conn->dh_g == NULL)
 704                 goto fail;
 705         pos += conn->dh_g_len;
 706         wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
 707                     conn->dh_g, conn->dh_g_len);
 708         if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
 709                 goto fail;
 710
 711         if (end - pos < 3)
 712                 goto fail;
 713         val = WPA_GET_BE16(pos);
 714         pos += 2;
 715         if (val == 0 || val > (size_t) (end - pos))
 716                 goto fail;
 717         conn->dh_ys_len = val;
 718         conn->dh_ys = os_memdup(pos, conn->dh_ys_len);
 719         if (conn->dh_ys == NULL)
 720                 goto fail;
 721         pos += conn->dh_ys_len;
 722         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
 723                     conn->dh_ys, conn->dh_ys_len);
 724         server_params_end = pos;
 725
 726         if (key_exchange == TLS_KEY_X_DHE_RSA) {
 727                 u8 hash[64];
 728                 int hlen;
 729
 730                 if (conn->rl.tls_version == TLS_VERSION_1_2) {
 731 #ifdef CONFIG_TLSV12
 732                         /*
 733                          * RFC 5246, 4.7:
 734                          * TLS v1.2 adds explicit indication of the used
 735                          * signature and hash algorithms.
 736                          *
 737                          * struct {
 738                          *   HashAlgorithm hash;
 739                          *   SignatureAlgorithm signature;
 740                          * } SignatureAndHashAlgorithm;
 741                          */
 742                         if (end - pos < 2)
 743                                 goto fail;
 744                         if ((pos[0] != TLS_HASH_ALG_SHA256 &&
 745                              pos[0] != TLS_HASH_ALG_SHA384 &&
 746                              pos[0] != TLS_HASH_ALG_SHA512) ||
 747                             pos[1] != TLS_SIGN_ALG_RSA) {
 748                                 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
 749                                            pos[0], pos[1]);
 750                                 goto fail;
 751                         }
 752
 753                         hlen = tlsv12_key_x_server_params_hash(
 754                                 conn->rl.tls_version, pos[0],
 755                                 conn->client_random,
 756                                 conn->server_random, server_params,
 757                                 server_params_end - server_params, hash);
 758                         pos += 2;
 759 #else /* CONFIG_TLSV12 */
 760                         goto fail;
 761 #endif /* CONFIG_TLSV12 */
 762                 } else {
 763                         hlen = tls_key_x_server_params_hash(
 764                                 conn->rl.tls_version, conn->client_random,
 765                                 conn->server_random, server_params,
 766                                 server_params_end - server_params, hash);
 767                 }
 768
 769                 if (hlen < 0)
 770                         goto fail;
 771                 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
 772                             hash, hlen);
 773
 774                 if (tls_verify_signature(conn->rl.tls_version,
 775                                          conn->server_rsa_key,
 776                                          hash, hlen, pos, end - pos,
 777                                          &alert) < 0)
 778                         goto fail;
 779         }
 780
 781         return 0;
 782
 783 fail:
 784         wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
 785         tlsv1_client_free_dh(conn);
 786         return -1;
 787 }
 788
 789
 790 static enum tls_ocsp_result
 791 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
 792                                              const u8 *pos, size_t len)
 793 {
 794         const u8 *end = pos + len;
 795         u32 ocsp_resp_len;
 796
 797         /* opaque OCSPResponse<1..2^24-1>; */
 798         if (end - pos < 3) {
 799                 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
 800                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 801                 return TLS_OCSP_INVALID;
 802         }
 803         ocsp_resp_len = WPA_GET_BE24(pos);
 804         pos += 3;
 805         if (end - pos < ocsp_resp_len) {
 806                 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
 807                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 808                 return TLS_OCSP_INVALID;
 809         }
 810
 811         return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
 812 }
 813
 814
 815 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
 816                                            const u8 *in_data, size_t *in_len)
 817 {
 818         const u8 *pos, *end;
 819         size_t left, len;
 820         u8 type, status_type;
 821         enum tls_ocsp_result res;
 822         struct x509_certificate *cert;
 823         int depth;
 824
 825         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 826                 wpa_printf(MSG_DEBUG,
 827                            "TLSv1: Expected Handshake; received content type 0x%x",
 828                            ct);
 829                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 830                           TLS_ALERT_UNEXPECTED_MESSAGE);
 831                 return -1;
 832         }
 833
 834         pos = in_data;
 835         left = *in_len;
 836
 837         if (left < 4) {
 838                 wpa_printf(MSG_DEBUG,
 839                            "TLSv1: Too short CertificateStatus (left=%lu)",
 840                            (unsigned long) left);
 841                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 842                 return -1;
 843         }
 844
 845         type = *pos++;
 846         len = WPA_GET_BE24(pos);
 847         pos += 3;
 848         left -= 4;
 849
 850         if (len > left) {
 851                 wpa_printf(MSG_DEBUG,
 852                            "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
 853                            (unsigned long) len, (unsigned long) left);
 854                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 855                 return -1;
 856         }
 857
 858         end = pos + len;
 859
 860         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
 861                 wpa_printf(MSG_DEBUG,
 862                            "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
 863                            type);
 864                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 865                           TLS_ALERT_UNEXPECTED_MESSAGE);
 866                 return -1;
 867         }
 868
 869         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
 870
 871         /*
 872          * struct {
 873          *     CertificateStatusType status_type;
 874          *     select (status_type) {
 875          *         case ocsp: OCSPResponse;
 876          *         case ocsp_multi: OCSPResponseList;
 877          *     } response;
 878          * } CertificateStatus;
 879          */
 880         if (end - pos < 1) {
 881                 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
 882                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 883                 return -1;
 884         }
 885         status_type = *pos++;
 886         wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
 887                    status_type);
 888
 889         if (status_type == 1 /* ocsp */) {
 890                 res = tls_process_certificate_status_ocsp_response(
 891                         conn, pos, end - pos);
 892         } else if (status_type == 2 /* ocsp_multi */) {
 893                 int good = 0, revoked = 0;
 894                 u32 resp_len;
 895
 896                 res = TLS_OCSP_NO_RESPONSE;
 897
 898                 /*
 899                  * opaque OCSPResponse<0..2^24-1>;
 900                  *
 901                  * struct {
 902                  *   OCSPResponse ocsp_response_list<1..2^24-1>;
 903                  * } OCSPResponseList;
 904                  */
 905                 if (end - pos < 3) {
 906                         wpa_printf(MSG_DEBUG,
 907                                    "TLSv1: Truncated OCSPResponseList");
 908                         res = TLS_OCSP_INVALID;
 909                         goto done;
 910                 }
 911                 resp_len = WPA_GET_BE24(pos);
 912                 pos += 3;
 913                 if (end - pos < resp_len) {
 914                         wpa_printf(MSG_DEBUG,
 915                                    "TLSv1: Truncated OCSPResponseList(len=%u)",
 916                                    resp_len);
 917                         res = TLS_OCSP_INVALID;
 918                         goto done;
 919                 }
 920                 end = pos + resp_len;
 921
 922                 while (end - pos >= 3) {
 923                         resp_len = WPA_GET_BE24(pos);
 924                         pos += 3;
 925                         if (resp_len > end - pos) {
 926                                 wpa_printf(MSG_DEBUG,
 927                                            "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
 928                                            resp_len, (int) (end - pos));
 929                                 res = TLS_OCSP_INVALID;
 930                                 break;
 931                         }
 932                         if (!resp_len)
 933                                 continue; /* Skip an empty response */
 934                         res = tls_process_certificate_status_ocsp_response(
 935                                 conn, pos - 3, resp_len + 3);
 936                         if (res == TLS_OCSP_REVOKED)
 937                                 revoked++;
 938                         else if (res == TLS_OCSP_GOOD)
 939                                 good++;
 940                         pos += resp_len;
 941                 }
 942
 943                 if (revoked)
 944                         res = TLS_OCSP_REVOKED;
 945                 else if (good)
 946                         res = TLS_OCSP_GOOD;
 947         } else {
 948                 wpa_printf(MSG_DEBUG,
 949                            "TLSv1: Ignore unsupported CertificateStatus");
 950                 goto skip;
 951         }
 952
 953 done:
 954         if (res == TLS_OCSP_REVOKED) {
 955                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 956                           TLS_ALERT_CERTIFICATE_REVOKED);
 957                 for (cert = conn->server_cert, depth = 0; cert;
 958                      cert = cert->next, depth++) {
 959                         if (cert->ocsp_revoked) {
 960                                 tls_cert_chain_failure_event(
 961                                         conn, depth, cert, TLS_FAIL_REVOKED,
 962                                         "certificate revoked");
 963                         }
 964                 }
 965                 return -1;
 966         }
 967
 968         if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
 969                 /*
 970                  * Verify that each certificate on the chain that is not part
 971                  * of the trusted certificates has a good status. If not,
 972                  * terminate handshake.
 973                  */
 974                 for (cert = conn->server_cert, depth = 0; cert;
 975                      cert = cert->next, depth++) {
 976                         if (!cert->ocsp_good) {
 977                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 978                                           TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
 979                                 tls_cert_chain_failure_event(
 980                                         conn, depth, cert,
 981                                         TLS_FAIL_UNSPECIFIED,
 982                                         "bad certificate status response");
 983                                 return -1;
 984                         }
 985                         if (cert->issuer_trusted)
 986                                 break;
 987                 }
 988         }
 989
 990         if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
 991                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 992                           res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
 993                           TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
 994                 if (conn->server_cert)
 995                         tls_cert_chain_failure_event(
 996                                 conn, 0, conn->server_cert,
 997                                 TLS_FAIL_UNSPECIFIED,
 998                                 "bad certificate status response");
 999                 return -1;
1000         }
1001
1002         conn->ocsp_resp_received = 1;
1003
1004 skip:
1005         *in_len = end - in_data;
1006
1007         conn->state = SERVER_KEY_EXCHANGE;
1008
1009         return 0;
1010 }
1011
1012
1013 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1014                                            const u8 *in_data, size_t *in_len)
1015 {
1016         const u8 *pos, *end;
1017         size_t left, len;
1018         u8 type;
1019         const struct tls_cipher_suite *suite;
1020
1021         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1022                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1023                            "received content type 0x%x", ct);
1024                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025                           TLS_ALERT_UNEXPECTED_MESSAGE);
1026                 return -1;
1027         }
1028
1029         pos = in_data;
1030         left = *in_len;
1031
1032         if (left < 4) {
1033                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1034                            "(Left=%lu)", (unsigned long) left);
1035                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1036                 return -1;
1037         }
1038
1039         type = *pos++;
1040         len = WPA_GET_BE24(pos);
1041         pos += 3;
1042         left -= 4;
1043
1044         if (len > left) {
1045                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1046                            "length (len=%lu != left=%lu)",
1047                            (unsigned long) len, (unsigned long) left);
1048                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1049                 return -1;
1050         }
1051
1052         end = pos + len;
1053
1054         if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1055             type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1056                 return tls_process_certificate_status(conn, ct, in_data,
1057                                                       in_len);
1058         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1059                 return tls_process_certificate_request(conn, ct, in_data,
1060                                                        in_len);
1061         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1062                 return tls_process_server_hello_done(conn, ct, in_data,
1063                                                      in_len);
1064         if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1065                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1066                            "message %d (expected ServerKeyExchange/"
1067                            "CertificateRequest/ServerHelloDone%s)", type,
1068                            (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1069                            "/CertificateStatus" : "");
1070                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1071                           TLS_ALERT_UNEXPECTED_MESSAGE);
1072                 return -1;
1073         }
1074
1075         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1076
1077         if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1078                 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1079                            "with the selected cipher suite");
1080                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1081                           TLS_ALERT_UNEXPECTED_MESSAGE);
1082                 return -1;
1083         }
1084
1085         wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1086         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1087         if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1088                       suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1089                 if (tlsv1_process_diffie_hellman(conn, pos, len,
1090                                                  suite->key_exchange) < 0) {
1091                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092                                   TLS_ALERT_DECODE_ERROR);
1093                         return -1;
1094                 }
1095         } else {
1096                 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1097                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1098                           TLS_ALERT_UNEXPECTED_MESSAGE);
1099                 return -1;
1100         }
1101
1102         *in_len = end - in_data;
1103
1104         conn->state = SERVER_CERTIFICATE_REQUEST;
1105
1106         return 0;
1107 }
1108
1109
1110 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1111                                            const u8 *in_data, size_t *in_len)
1112 {
1113         const u8 *pos, *end;
1114         size_t left, len;
1115         u8 type;
1116
1117         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1118                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1119                            "received content type 0x%x", ct);
1120                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1121                           TLS_ALERT_UNEXPECTED_MESSAGE);
1122                 return -1;
1123         }
1124
1125         pos = in_data;
1126         left = *in_len;
1127
1128         if (left < 4) {
1129                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1130                            "(left=%lu)", (unsigned long) left);
1131                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1132                 return -1;
1133         }
1134
1135         type = *pos++;
1136         len = WPA_GET_BE24(pos);
1137         pos += 3;
1138         left -= 4;
1139
1140         if (len > left) {
1141                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1142                            "length (len=%lu != left=%lu)",
1143                            (unsigned long) len, (unsigned long) left);
1144                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1145                 return -1;
1146         }
1147
1148         end = pos + len;
1149
1150         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1151                 return tls_process_server_hello_done(conn, ct, in_data,
1152                                                      in_len);
1153         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1154                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1155                            "message %d (expected CertificateRequest/"
1156                            "ServerHelloDone)", type);
1157                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1158                           TLS_ALERT_UNEXPECTED_MESSAGE);
1159                 return -1;
1160         }
1161
1162         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1163
1164         conn->certificate_requested = 1;
1165
1166         *in_len = end - in_data;
1167
1168         conn->state = SERVER_HELLO_DONE;
1169
1170         return 0;
1171 }
1172
1173
1174 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1175                                          const u8 *in_data, size_t *in_len)
1176 {
1177         const u8 *pos, *end;
1178         size_t left, len;
1179         u8 type;
1180
1181         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1182                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1183                            "received content type 0x%x", ct);
1184                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1185                           TLS_ALERT_UNEXPECTED_MESSAGE);
1186                 return -1;
1187         }
1188
1189         pos = in_data;
1190         left = *in_len;
1191
1192         if (left < 4) {
1193                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1194                            "(left=%lu)", (unsigned long) left);
1195                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1196                 return -1;
1197         }
1198
1199         type = *pos++;
1200         len = WPA_GET_BE24(pos);
1201         pos += 3;
1202         left -= 4;
1203
1204         if (len > left) {
1205                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1206                            "length (len=%lu != left=%lu)",
1207                            (unsigned long) len, (unsigned long) left);
1208                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1209                 return -1;
1210         }
1211         end = pos + len;
1212
1213         if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1214                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1215                            "message %d (expected ServerHelloDone)", type);
1216                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1217                           TLS_ALERT_UNEXPECTED_MESSAGE);
1218                 return -1;
1219         }
1220
1221         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1222
1223         if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1224             !conn->ocsp_resp_received) {
1225                 wpa_printf(MSG_INFO,
1226                            "TLSv1: No OCSP response received - reject handshake");
1227                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1228                           TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1229                 return -1;
1230         }
1231
1232         *in_len = end - in_data;
1233
1234         conn->state = CLIENT_KEY_EXCHANGE;
1235
1236         return 0;
1237 }
1238
1239
1240 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1241                                                  u8 ct, const u8 *in_data,
1242                                                  size_t *in_len)
1243 {
1244         const u8 *pos;
1245         size_t left;
1246
1247         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1248                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1249                            "received content type 0x%x", ct);
1250                 if (conn->use_session_ticket) {
1251                         int res;
1252                         wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1253                                    "rejected SessionTicket");
1254                         conn->use_session_ticket = 0;
1255
1256                         /* Notify upper layers that SessionTicket failed */
1257                         res = conn->session_ticket_cb(
1258                                 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1259                                 NULL, NULL);
1260                         if (res < 0) {
1261                                 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1262                                            "callback indicated failure");
1263                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1264                                           TLS_ALERT_HANDSHAKE_FAILURE);
1265                                 return -1;
1266                         }
1267
1268                         conn->state = SERVER_CERTIFICATE;
1269                         return tls_process_certificate(conn, ct, in_data,
1270                                                        in_len);
1271                 }
1272                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1273                           TLS_ALERT_UNEXPECTED_MESSAGE);
1274                 return -1;
1275         }
1276
1277         pos = in_data;
1278         left = *in_len;
1279
1280         if (left < 1) {
1281                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1282                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1283                 return -1;
1284         }
1285
1286         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1287                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1288                            "received data 0x%x", *pos);
1289                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1290                           TLS_ALERT_UNEXPECTED_MESSAGE);
1291                 return -1;
1292         }
1293
1294         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1295         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1296                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1297                            "for record layer");
1298                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1299                           TLS_ALERT_INTERNAL_ERROR);
1300                 return -1;
1301         }
1302
1303         *in_len = pos + 1 - in_data;
1304
1305         conn->state = SERVER_FINISHED;
1306
1307         return 0;
1308 }
1309
1310
1311 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1312                                        const u8 *in_data, size_t *in_len)
1313 {
1314         const u8 *pos, *end;
1315         size_t left, len, hlen;
1316         u8 verify_data[TLS_VERIFY_DATA_LEN];
1317         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1318
1319         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1320                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1321                            "received content type 0x%x", ct);
1322                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1323                           TLS_ALERT_UNEXPECTED_MESSAGE);
1324                 return -1;
1325         }
1326
1327         pos = in_data;
1328         left = *in_len;
1329
1330         if (left < 4) {
1331                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1332                            "Finished",
1333                            (unsigned long) left);
1334                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1335                           TLS_ALERT_DECODE_ERROR);
1336                 return -1;
1337         }
1338
1339         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1340                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1341                            "type 0x%x", pos[0]);
1342                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1343                           TLS_ALERT_UNEXPECTED_MESSAGE);
1344                 return -1;
1345         }
1346
1347         len = WPA_GET_BE24(pos + 1);
1348
1349         pos += 4;
1350         left -= 4;
1351
1352         if (len > left) {
1353                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1354                            "(len=%lu > left=%lu)",
1355                            (unsigned long) len, (unsigned long) left);
1356                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1357                           TLS_ALERT_DECODE_ERROR);
1358                 return -1;
1359         }
1360         end = pos + len;
1361         if (len != TLS_VERIFY_DATA_LEN) {
1362                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1363                            "in Finished: %lu (expected %d)",
1364                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1365                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1366                           TLS_ALERT_DECODE_ERROR);
1367                 return -1;
1368         }
1369         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1370                     pos, TLS_VERIFY_DATA_LEN);
1371
1372 #ifdef CONFIG_TLSV12
1373         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1374                 hlen = SHA256_MAC_LEN;
1375                 if (conn->verify.sha256_server == NULL ||
1376                     crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1377                     < 0) {
1378                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1379                                   TLS_ALERT_INTERNAL_ERROR);
1380                         conn->verify.sha256_server = NULL;
1381                         return -1;
1382                 }
1383                 conn->verify.sha256_server = NULL;
1384         } else {
1385 #endif /* CONFIG_TLSV12 */
1386
1387         hlen = MD5_MAC_LEN;
1388         if (conn->verify.md5_server == NULL ||
1389             crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1390                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1391                           TLS_ALERT_INTERNAL_ERROR);
1392                 conn->verify.md5_server = NULL;
1393                 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1394                 conn->verify.sha1_server = NULL;
1395                 return -1;
1396         }
1397         conn->verify.md5_server = NULL;
1398         hlen = SHA1_MAC_LEN;
1399         if (conn->verify.sha1_server == NULL ||
1400             crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1401                                &hlen) < 0) {
1402                 conn->verify.sha1_server = NULL;
1403                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1404                           TLS_ALERT_INTERNAL_ERROR);
1405                 return -1;
1406         }
1407         conn->verify.sha1_server = NULL;
1408         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1409
1410 #ifdef CONFIG_TLSV12
1411         }
1412 #endif /* CONFIG_TLSV12 */
1413
1414         if (tls_prf(conn->rl.tls_version,
1415                     conn->master_secret, TLS_MASTER_SECRET_LEN,
1416                     "server finished", hash, hlen,
1417                     verify_data, TLS_VERIFY_DATA_LEN)) {
1418                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1419                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1420                           TLS_ALERT_DECRYPT_ERROR);
1421                 return -1;
1422         }
1423         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1424                         verify_data, TLS_VERIFY_DATA_LEN);
1425
1426         if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1427                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1428                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1429                           TLS_ALERT_DECRYPT_ERROR);
1430                 return -1;
1431         }
1432
1433         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1434
1435         *in_len = end - in_data;
1436
1437         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1438                 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1439
1440         return 0;
1441 }
1442
1443
1444 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1445                                         const u8 *in_data, size_t *in_len,
1446                                         u8 **out_data, size_t *out_len)
1447 {
1448         const u8 *pos;
1449         size_t left;
1450
1451         if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1452                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1453                            "received content type 0x%x", ct);
1454                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1455                           TLS_ALERT_UNEXPECTED_MESSAGE);
1456                 return -1;
1457         }
1458
1459         pos = in_data;
1460         left = *in_len;
1461
1462         wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1463                     pos, left);
1464
1465         *out_data = os_malloc(left);
1466         if (*out_data) {
1467                 os_memcpy(*out_data, pos, left);
1468                 *out_len = left;
1469         }
1470
1471         return 0;
1472 }
1473
1474
1475 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1476                                    const u8 *buf, size_t *len,
1477                                    u8 **out_data, size_t *out_len)
1478 {
1479         if (ct == TLS_CONTENT_TYPE_ALERT) {
1480                 if (*len < 2) {
1481                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1482                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1483                                   TLS_ALERT_DECODE_ERROR);
1484                         return -1;
1485                 }
1486                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1487                            buf[0], buf[1]);
1488                 *len = 2;
1489                 conn->state = FAILED;
1490                 return -1;
1491         }
1492
1493         if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1494             buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1495                 size_t hr_len = WPA_GET_BE24(buf + 1);
1496                 if (hr_len > *len - 4) {
1497                         wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1498                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1499                                   TLS_ALERT_DECODE_ERROR);
1500                         return -1;
1501                 }
1502                 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1503                 *len = 4 + hr_len;
1504                 return 0;
1505         }
1506
1507         switch (conn->state) {
1508         case SERVER_HELLO:
1509                 if (tls_process_server_hello(conn, ct, buf, len))
1510                         return -1;
1511                 break;
1512         case SERVER_CERTIFICATE:
1513                 if (tls_process_certificate(conn, ct, buf, len))
1514                         return -1;
1515                 break;
1516         case SERVER_KEY_EXCHANGE:
1517                 if (tls_process_server_key_exchange(conn, ct, buf, len))
1518                         return -1;
1519                 break;
1520         case SERVER_CERTIFICATE_REQUEST:
1521                 if (tls_process_certificate_request(conn, ct, buf, len))
1522                         return -1;
1523                 break;
1524         case SERVER_HELLO_DONE:
1525                 if (tls_process_server_hello_done(conn, ct, buf, len))
1526                         return -1;
1527                 break;
1528         case SERVER_CHANGE_CIPHER_SPEC:
1529                 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1530                         return -1;
1531                 break;
1532         case SERVER_FINISHED:
1533                 if (tls_process_server_finished(conn, ct, buf, len))
1534                         return -1;
1535                 break;
1536         case ACK_FINISHED:
1537                 if (out_data &&
1538                     tls_process_application_data(conn, ct, buf, len, out_data,
1539                                                  out_len))
1540                         return -1;
1541                 break;
1542         default:
1543                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1544                            "while processing received message",
1545                            conn->state);
1546                 return -1;
1547         }
1548
1549         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1550                 tls_verify_hash_add(&conn->verify, buf, *len);
1551
1552         return 0;
1553 }