libeap/src/tls/tlsv1_client_read.c

   1 /*
   2  * TLSv1 client - read handshake message
   3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/tls.h"
  16 #include "x509v3.h"
  17 #include "tlsv1_common.h"
  18 #include "tlsv1_record.h"
  19 #include "tlsv1_client.h"
  20 #include "tlsv1_client_i.h"
  21
  22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
  23                                            const u8 *in_data, size_t *in_len);
  24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
  25                                            const u8 *in_data, size_t *in_len);
  26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
  27                                          const u8 *in_data, size_t *in_len);
  28
  29
  30 static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
  31 {
  32         return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
  33                  ver == TLS_VERSION_1) ||
  34                 ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
  35                  ver == TLS_VERSION_1_1) ||
  36                 ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
  37                  ver == TLS_VERSION_1_2));
  38 }
  39
  40
  41 static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
  42                                                const u8 *pos, size_t len)
  43 {
  44         const u8 *end = pos + len;
  45
  46         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
  47                     pos, len);
  48         while (pos < end) {
  49                 u16 ext, elen;
  50
  51                 if (end - pos < 4) {
  52                         wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
  53                         return -1;
  54                 }
  55
  56                 ext = WPA_GET_BE16(pos);
  57                 pos += 2;
  58                 elen = WPA_GET_BE16(pos);
  59                 pos += 2;
  60
  61                 if (elen > end - pos) {
  62                         wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
  63                         return -1;
  64                 }
  65
  66                 wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
  67                            ext);
  68                 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
  69                             pos, elen);
  70
  71                 pos += elen;
  72         }
  73
  74         return 0;
  75 }
  76
  77
  78 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
  79                                     const u8 *in_data, size_t *in_len)
  80 {
  81         const u8 *pos, *end;
  82         size_t left, len, i;
  83         u16 cipher_suite;
  84         u16 tls_version;
  85
  86         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  87                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  88                            "received content type 0x%x", ct);
  89                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
  90                           TLS_ALERT_UNEXPECTED_MESSAGE);
  91                 return -1;
  92         }
  93
  94         pos = in_data;
  95         left = *in_len;
  96
  97         if (left < 4)
  98                 goto decode_error;
  99
 100         /* HandshakeType msg_type */
 101         if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
 102                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 103                            "message %d (expected ServerHello)", *pos);
 104                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 105                           TLS_ALERT_UNEXPECTED_MESSAGE);
 106                 return -1;
 107         }
 108         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
 109         pos++;
 110         /* uint24 length */
 111         len = WPA_GET_BE24(pos);
 112         pos += 3;
 113         left -= 4;
 114
 115         if (len > left)
 116                 goto decode_error;
 117
 118         /* body - ServerHello */
 119
 120         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
 121         end = pos + len;
 122
 123         /* ProtocolVersion server_version */
 124         if (end - pos < 2)
 125                 goto decode_error;
 126         tls_version = WPA_GET_BE16(pos);
 127         if (!tls_version_ok(tls_version) ||
 128             tls_version_disabled(conn, tls_version)) {
 129                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
 130                            "ServerHello %u.%u", pos[0], pos[1]);
 131                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 132                           TLS_ALERT_PROTOCOL_VERSION);
 133                 return -1;
 134         }
 135         pos += 2;
 136
 137         wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
 138                    tls_version_str(tls_version));
 139         conn->rl.tls_version = tls_version;
 140
 141         /* Random random */
 142         if (end - pos < TLS_RANDOM_LEN)
 143                 goto decode_error;
 144
 145         os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
 146         pos += TLS_RANDOM_LEN;
 147         wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
 148                     conn->server_random, TLS_RANDOM_LEN);
 149
 150         /* SessionID session_id */
 151         if (end - pos < 1)
 152                 goto decode_error;
 153         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 154                 goto decode_error;
 155         if (conn->session_id_len && conn->session_id_len == *pos &&
 156             os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
 157                 pos += 1 + conn->session_id_len;
 158                 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
 159                 conn->session_resumed = 1;
 160         } else {
 161                 conn->session_id_len = *pos;
 162                 pos++;
 163                 os_memcpy(conn->session_id, pos, conn->session_id_len);
 164                 pos += conn->session_id_len;
 165         }
 166         wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
 167                     conn->session_id, conn->session_id_len);
 168
 169         /* CipherSuite cipher_suite */
 170         if (end - pos < 2)
 171                 goto decode_error;
 172         cipher_suite = WPA_GET_BE16(pos);
 173         pos += 2;
 174         for (i = 0; i < conn->num_cipher_suites; i++) {
 175                 if (cipher_suite == conn->cipher_suites[i])
 176                         break;
 177         }
 178         if (i == conn->num_cipher_suites) {
 179                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 180                            "cipher suite 0x%04x", cipher_suite);
 181                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 182                           TLS_ALERT_ILLEGAL_PARAMETER);
 183                 return -1;
 184         }
 185
 186         if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
 187                 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
 188                            "cipher suite for a resumed connection (0x%04x != "
 189                            "0x%04x)", cipher_suite, conn->prev_cipher_suite);
 190                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 191                           TLS_ALERT_ILLEGAL_PARAMETER);
 192                 return -1;
 193         }
 194
 195         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 196                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 197                            "record layer");
 198                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 199                           TLS_ALERT_INTERNAL_ERROR);
 200                 return -1;
 201         }
 202
 203         conn->prev_cipher_suite = cipher_suite;
 204
 205         /* CompressionMethod compression_method */
 206         if (end - pos < 1)
 207                 goto decode_error;
 208         if (*pos != TLS_COMPRESSION_NULL) {
 209                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 210                            "compression 0x%02x", *pos);
 211                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 212                           TLS_ALERT_ILLEGAL_PARAMETER);
 213                 return -1;
 214         }
 215         pos++;
 216
 217         if (end - pos >= 2) {
 218                 u16 ext_len;
 219
 220                 ext_len = WPA_GET_BE16(pos);
 221                 pos += 2;
 222                 if (end - pos < ext_len) {
 223                         wpa_printf(MSG_INFO,
 224                                    "TLSv1: Invalid ServerHello extension length: %u (left: %u)",
 225                                    ext_len, (unsigned int) (end - pos));
 226                         goto decode_error;
 227                 }
 228
 229                 if (tls_process_server_hello_extensions(conn, pos, ext_len))
 230                         goto decode_error;
 231                 pos += ext_len;
 232         }
 233
 234         if (end != pos) {
 235                 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
 236                             "end of ServerHello", pos, end - pos);
 237                 goto decode_error;
 238         }
 239
 240         if (conn->session_ticket_included && conn->session_ticket_cb) {
 241                 /* TODO: include SessionTicket extension if one was included in
 242                  * ServerHello */
 243                 int res = conn->session_ticket_cb(
 244                         conn->session_ticket_cb_ctx, NULL, 0,
 245                         conn->client_random, conn->server_random,
 246                         conn->master_secret);
 247                 if (res < 0) {
 248                         wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
 249                                    "indicated failure");
 250                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 251                                   TLS_ALERT_HANDSHAKE_FAILURE);
 252                         return -1;
 253                 }
 254                 conn->use_session_ticket = !!res;
 255         }
 256
 257         if ((conn->session_resumed || conn->use_session_ticket) &&
 258             tls_derive_keys(conn, NULL, 0)) {
 259                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 260                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 261                           TLS_ALERT_INTERNAL_ERROR);
 262                 return -1;
 263         }
 264
 265         *in_len = end - in_data;
 266
 267         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
 268                 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
 269
 270         return 0;
 271
 272 decode_error:
 273         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
 274         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 275         return -1;
 276 }
 277
 278
 279 static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
 280                                 struct x509_certificate *cert)
 281 {
 282         union tls_event_data ev;
 283         struct wpabuf *cert_buf = NULL;
 284 #ifdef CONFIG_SHA256
 285         u8 hash[32];
 286 #endif /* CONFIG_SHA256 */
 287         char subject[128];
 288
 289         if (!conn->event_cb)
 290                 return;
 291
 292         os_memset(&ev, 0, sizeof(ev));
 293         if (conn->cred->cert_probe || conn->cert_in_cb) {
 294                 cert_buf = wpabuf_alloc_copy(cert->cert_start,
 295                                              cert->cert_len);
 296                 ev.peer_cert.cert = cert_buf;
 297         }
 298 #ifdef CONFIG_SHA256
 299         if (cert_buf) {
 300                 const u8 *addr[1];
 301                 size_t len[1];
 302                 addr[0] = wpabuf_head(cert_buf);
 303                 len[0] = wpabuf_len(cert_buf);
 304                 if (sha256_vector(1, addr, len, hash) == 0) {
 305                         ev.peer_cert.hash = hash;
 306                         ev.peer_cert.hash_len = sizeof(hash);
 307                 }
 308         }
 309 #endif /* CONFIG_SHA256 */
 310
 311         ev.peer_cert.depth = depth;
 312         x509_name_string(&cert->subject, subject, sizeof(subject));
 313         ev.peer_cert.subject = subject;
 314
 315         conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
 316         wpabuf_free(cert_buf);
 317 }
 318
 319
 320 static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
 321                                          struct x509_certificate *cert,
 322                                          enum tls_fail_reason reason,
 323                                          const char *reason_txt)
 324 {
 325         struct wpabuf *cert_buf = NULL;
 326         union tls_event_data ev;
 327         char subject[128];
 328
 329         if (!conn->event_cb || !cert)
 330                 return;
 331
 332         os_memset(&ev, 0, sizeof(ev));
 333         ev.cert_fail.depth = depth;
 334         x509_name_string(&cert->subject, subject, sizeof(subject));
 335         ev.peer_cert.subject = subject;
 336         ev.cert_fail.reason = reason;
 337         ev.cert_fail.reason_txt = reason_txt;
 338         cert_buf = wpabuf_alloc_copy(cert->cert_start,
 339                                      cert->cert_len);
 340         ev.cert_fail.cert = cert_buf;
 341         conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
 342         wpabuf_free(cert_buf);
 343 }
 344
 345
 346 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 347                                    const u8 *in_data, size_t *in_len)
 348 {
 349         const u8 *pos, *end;
 350         size_t left, len, list_len, cert_len, idx;
 351         u8 type;
 352         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 353         int reason;
 354
 355         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 356                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 357                            "received content type 0x%x", ct);
 358                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 359                           TLS_ALERT_UNEXPECTED_MESSAGE);
 360                 return -1;
 361         }
 362
 363         pos = in_data;
 364         left = *in_len;
 365
 366         if (left < 4) {
 367                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 368                            "(len=%lu)", (unsigned long) left);
 369                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 370                 return -1;
 371         }
 372
 373         type = *pos++;
 374         len = WPA_GET_BE24(pos);
 375         pos += 3;
 376         left -= 4;
 377
 378         if (len > left) {
 379                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 380                            "length (len=%lu != left=%lu)",
 381                            (unsigned long) len, (unsigned long) left);
 382                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 383                 return -1;
 384         }
 385
 386         if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
 387                 return tls_process_server_key_exchange(conn, ct, in_data,
 388                                                        in_len);
 389         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 390                 return tls_process_certificate_request(conn, ct, in_data,
 391                                                        in_len);
 392         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 393                 return tls_process_server_hello_done(conn, ct, in_data,
 394                                                      in_len);
 395         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 396                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 397                            "message %d (expected Certificate/"
 398                            "ServerKeyExchange/CertificateRequest/"
 399                            "ServerHelloDone)", type);
 400                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 401                           TLS_ALERT_UNEXPECTED_MESSAGE);
 402                 return -1;
 403         }
 404
 405         wpa_printf(MSG_DEBUG,
 406                    "TLSv1: Received Certificate (certificate_list len %lu)",
 407                    (unsigned long) len);
 408
 409         /*
 410          * opaque ASN.1Cert<2^24-1>;
 411          *
 412          * struct {
 413          *     ASN.1Cert certificate_list<1..2^24-1>;
 414          * } Certificate;
 415          */
 416
 417         end = pos + len;
 418
 419         if (end - pos < 3) {
 420                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 421                            "(left=%lu)", (unsigned long) left);
 422                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 423                 return -1;
 424         }
 425
 426         list_len = WPA_GET_BE24(pos);
 427         pos += 3;
 428
 429         if ((size_t) (end - pos) != list_len) {
 430                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 431                            "length (len=%lu left=%lu)",
 432                            (unsigned long) list_len,
 433                            (unsigned long) (end - pos));
 434                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 435                 return -1;
 436         }
 437
 438         idx = 0;
 439         while (pos < end) {
 440                 if (end - pos < 3) {
 441                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 442                                    "certificate_list");
 443                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 444                                   TLS_ALERT_DECODE_ERROR);
 445                         x509_certificate_chain_free(chain);
 446                         return -1;
 447                 }
 448
 449                 cert_len = WPA_GET_BE24(pos);
 450                 pos += 3;
 451
 452                 if ((size_t) (end - pos) < cert_len) {
 453                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 454                                    "length (len=%lu left=%lu)",
 455                                    (unsigned long) cert_len,
 456                                    (unsigned long) (end - pos));
 457                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 458                                   TLS_ALERT_DECODE_ERROR);
 459                         x509_certificate_chain_free(chain);
 460                         return -1;
 461                 }
 462
 463                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 464                            (unsigned long) idx, (unsigned long) cert_len);
 465
 466                 if (idx == 0) {
 467                         crypto_public_key_free(conn->server_rsa_key);
 468                         if (tls_parse_cert(pos, cert_len,
 469                                            &conn->server_rsa_key)) {
 470                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 471                                            "the certificate");
 472                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 473                                           TLS_ALERT_BAD_CERTIFICATE);
 474                                 x509_certificate_chain_free(chain);
 475                                 return -1;
 476                         }
 477                 }
 478
 479                 cert = x509_certificate_parse(pos, cert_len);
 480                 if (cert == NULL) {
 481                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 482                                    "the certificate");
 483                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 484                                   TLS_ALERT_BAD_CERTIFICATE);
 485                         x509_certificate_chain_free(chain);
 486                         return -1;
 487                 }
 488
 489                 tls_peer_cert_event(conn, idx, cert);
 490
 491                 if (last == NULL)
 492                         chain = cert;
 493                 else
 494                         last->next = cert;
 495                 last = cert;
 496
 497                 idx++;
 498                 pos += cert_len;
 499         }
 500
 501         if (conn->cred && conn->cred->server_cert_only && chain) {
 502                 u8 hash[SHA256_MAC_LEN];
 503                 char buf[128];
 504
 505                 wpa_printf(MSG_DEBUG,
 506                            "TLSv1: Validate server certificate hash");
 507                 x509_name_string(&chain->subject, buf, sizeof(buf));
 508                 wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
 509                 if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
 510                                   hash) < 0 ||
 511                     os_memcmp(conn->cred->srv_cert_hash, hash,
 512                               SHA256_MAC_LEN) != 0) {
 513                         wpa_printf(MSG_DEBUG,
 514                                    "TLSv1: Server certificate hash mismatch");
 515                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
 516                                     hash, SHA256_MAC_LEN);
 517                         if (conn->event_cb) {
 518                                 union tls_event_data ev;
 519
 520                                 os_memset(&ev, 0, sizeof(ev));
 521                                 ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
 522                                 ev.cert_fail.reason_txt =
 523                                         "Server certificate mismatch";
 524                                 ev.cert_fail.subject = buf;
 525                                 conn->event_cb(conn->cb_ctx,
 526                                                TLS_CERT_CHAIN_FAILURE, &ev);
 527                         }
 528                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 529                                   TLS_ALERT_BAD_CERTIFICATE);
 530                         x509_certificate_chain_free(chain);
 531                         return -1;
 532                 }
 533         } else if (conn->cred && conn->cred->cert_probe) {
 534                 wpa_printf(MSG_DEBUG,
 535                            "TLSv1: Reject server certificate on probe-only rune");
 536                 if (conn->event_cb) {
 537                         union tls_event_data ev;
 538                         char buf[128];
 539
 540                         os_memset(&ev, 0, sizeof(ev));
 541                         ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
 542                         ev.cert_fail.reason_txt =
 543                                 "Server certificate chain probe";
 544                         if (chain) {
 545                                 x509_name_string(&chain->subject, buf,
 546                                                  sizeof(buf));
 547                                 ev.cert_fail.subject = buf;
 548                         }
 549                         conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
 550                                        &ev);
 551                 }
 552                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 553                           TLS_ALERT_BAD_CERTIFICATE);
 554                 x509_certificate_chain_free(chain);
 555                 return -1;
 556         } else if (conn->cred && conn->cred->ca_cert_verify &&
 557                    x509_certificate_chain_validate(
 558                            conn->cred->trusted_certs, chain, &reason,
 559                            !!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
 560                    < 0) {
 561                 int tls_reason;
 562                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 563                            "validation failed (reason=%d)", reason);
 564                 switch (reason) {
 565                 case X509_VALIDATE_BAD_CERTIFICATE:
 566                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 567                         tls_cert_chain_failure_event(
 568                                 conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
 569                                 "bad certificate");
 570                         break;
 571                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 572                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 573                         break;
 574                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 575                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 576                         tls_cert_chain_failure_event(
 577                                 conn, 0, chain, TLS_FAIL_REVOKED,
 578                                 "certificate revoked");
 579                         break;
 580                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 581                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 582                         tls_cert_chain_failure_event(
 583                                 conn, 0, chain, TLS_FAIL_EXPIRED,
 584                                 "certificate has expired or is not yet valid");
 585                         break;
 586                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 587                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 588                         break;
 589                 case X509_VALIDATE_UNKNOWN_CA:
 590                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 591                         tls_cert_chain_failure_event(
 592                                 conn, 0, chain, TLS_FAIL_UNTRUSTED,
 593                                 "unknown CA");
 594                         break;
 595                 default:
 596                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 597                         break;
 598                 }
 599                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 600                 x509_certificate_chain_free(chain);
 601                 return -1;
 602         }
 603
 604         if (conn->cred && !conn->cred->server_cert_only && chain &&
 605             (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
 606             !(chain->ext_key_usage &
 607               (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
 608                 tls_cert_chain_failure_event(
 609                         conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
 610                         "certificate not allowed for server authentication");
 611                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 612                           TLS_ALERT_BAD_CERTIFICATE);
 613                 x509_certificate_chain_free(chain);
 614                 return -1;
 615         }
 616
 617         if (conn->flags & TLS_CONN_REQUEST_OCSP) {
 618                 x509_certificate_chain_free(conn->server_cert);
 619                 conn->server_cert = chain;
 620         } else {
 621                 x509_certificate_chain_free(chain);
 622         }
 623
 624         *in_len = end - in_data;
 625
 626         conn->state = SERVER_KEY_EXCHANGE;
 627
 628         return 0;
 629 }
 630
 631
 632 static unsigned int count_bits(const u8 *val, size_t len)
 633 {
 634         size_t i;
 635         unsigned int bits;
 636         u8 tmp;
 637
 638         for (i = 0; i < len; i++) {
 639                 if (val[i])
 640                         break;
 641         }
 642         if (i == len)
 643                 return 0;
 644
 645         bits = (len - i - 1) * 8;
 646         tmp = val[i];
 647         while (tmp) {
 648                 bits++;
 649                 tmp >>= 1;
 650         }
 651
 652         return bits;
 653 }
 654
 655
 656 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 657                                         const u8 *buf, size_t len,
 658                                         tls_key_exchange key_exchange)
 659 {
 660         const u8 *pos, *end, *server_params, *server_params_end;
 661         u8 alert;
 662         unsigned int bits;
 663         u16 val;
 664
 665         tlsv1_client_free_dh(conn);
 666
 667         pos = buf;
 668         end = buf + len;
 669
 670         if (end - pos < 3)
 671                 goto fail;
 672         server_params = pos;
 673         val = WPA_GET_BE16(pos);
 674         pos += 2;
 675         if (val == 0 || val > (size_t) (end - pos)) {
 676                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
 677                 goto fail;
 678         }
 679         conn->dh_p_len = val;
 680         bits = count_bits(pos, conn->dh_p_len);
 681         if (bits < 768) {
 682                 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
 683                            bits);
 684                 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
 685                             pos, conn->dh_p_len);
 686                 goto fail;
 687         }
 688         conn->dh_p = os_malloc(conn->dh_p_len);
 689         if (conn->dh_p == NULL)
 690                 goto fail;
 691         os_memcpy(conn->dh_p, pos, conn->dh_p_len);
 692         pos += conn->dh_p_len;
 693         wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
 694                     conn->dh_p, conn->dh_p_len);
 695
 696         if (end - pos < 3)
 697                 goto fail;
 698         val = WPA_GET_BE16(pos);
 699         pos += 2;
 700         if (val == 0 || val > (size_t) (end - pos))
 701                 goto fail;
 702         conn->dh_g_len = val;
 703         conn->dh_g = os_malloc(conn->dh_g_len);
 704         if (conn->dh_g == NULL)
 705                 goto fail;
 706         os_memcpy(conn->dh_g, pos, conn->dh_g_len);
 707         pos += conn->dh_g_len;
 708         wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
 709                     conn->dh_g, conn->dh_g_len);
 710         if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
 711                 goto fail;
 712
 713         if (end - pos < 3)
 714                 goto fail;
 715         val = WPA_GET_BE16(pos);
 716         pos += 2;
 717         if (val == 0 || val > (size_t) (end - pos))
 718                 goto fail;
 719         conn->dh_ys_len = val;
 720         conn->dh_ys = os_malloc(conn->dh_ys_len);
 721         if (conn->dh_ys == NULL)
 722                 goto fail;
 723         os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
 724         pos += conn->dh_ys_len;
 725         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
 726                     conn->dh_ys, conn->dh_ys_len);
 727         server_params_end = pos;
 728
 729         if (key_exchange == TLS_KEY_X_DHE_RSA) {
 730                 u8 hash[64];
 731                 int hlen;
 732
 733                 if (conn->rl.tls_version == TLS_VERSION_1_2) {
 734 #ifdef CONFIG_TLSV12
 735                         /*
 736                          * RFC 5246, 4.7:
 737                          * TLS v1.2 adds explicit indication of the used
 738                          * signature and hash algorithms.
 739                          *
 740                          * struct {
 741                          *   HashAlgorithm hash;
 742                          *   SignatureAlgorithm signature;
 743                          * } SignatureAndHashAlgorithm;
 744                          */
 745                         if (end - pos < 2)
 746                                 goto fail;
 747                         if ((pos[0] != TLS_HASH_ALG_SHA256 &&
 748                              pos[0] != TLS_HASH_ALG_SHA384 &&
 749                              pos[0] != TLS_HASH_ALG_SHA512) ||
 750                             pos[1] != TLS_SIGN_ALG_RSA) {
 751                                 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
 752                                            pos[0], pos[1]);
 753                                 goto fail;
 754                         }
 755
 756                         hlen = tlsv12_key_x_server_params_hash(
 757                                 conn->rl.tls_version, pos[0],
 758                                 conn->client_random,
 759                                 conn->server_random, server_params,
 760                                 server_params_end - server_params, hash);
 761                         pos += 2;
 762 #else /* CONFIG_TLSV12 */
 763                         goto fail;
 764 #endif /* CONFIG_TLSV12 */
 765                 } else {
 766                         hlen = tls_key_x_server_params_hash(
 767                                 conn->rl.tls_version, conn->client_random,
 768                                 conn->server_random, server_params,
 769                                 server_params_end - server_params, hash);
 770                 }
 771
 772                 if (hlen < 0)
 773                         goto fail;
 774                 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
 775                             hash, hlen);
 776
 777                 if (tls_verify_signature(conn->rl.tls_version,
 778                                          conn->server_rsa_key,
 779                                          hash, hlen, pos, end - pos,
 780                                          &alert) < 0)
 781                         goto fail;
 782         }
 783
 784         return 0;
 785
 786 fail:
 787         wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
 788         tlsv1_client_free_dh(conn);
 789         return -1;
 790 }
 791
 792
 793 static enum tls_ocsp_result
 794 tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
 795                                              const u8 *pos, size_t len)
 796 {
 797         const u8 *end = pos + len;
 798         u32 ocsp_resp_len;
 799
 800         /* opaque OCSPResponse<1..2^24-1>; */
 801         if (end - pos < 3) {
 802                 wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
 803                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 804                 return TLS_OCSP_INVALID;
 805         }
 806         ocsp_resp_len = WPA_GET_BE24(pos);
 807         pos += 3;
 808         if (end - pos < ocsp_resp_len) {
 809                 wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
 810                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 811                 return TLS_OCSP_INVALID;
 812         }
 813
 814         return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
 815 }
 816
 817
 818 static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
 819                                            const u8 *in_data, size_t *in_len)
 820 {
 821         const u8 *pos, *end;
 822         size_t left, len;
 823         u8 type, status_type;
 824         enum tls_ocsp_result res;
 825         struct x509_certificate *cert;
 826         int depth;
 827
 828         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 829                 wpa_printf(MSG_DEBUG,
 830                            "TLSv1: Expected Handshake; received content type 0x%x",
 831                            ct);
 832                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 833                           TLS_ALERT_UNEXPECTED_MESSAGE);
 834                 return -1;
 835         }
 836
 837         pos = in_data;
 838         left = *in_len;
 839
 840         if (left < 4) {
 841                 wpa_printf(MSG_DEBUG,
 842                            "TLSv1: Too short CertificateStatus (left=%lu)",
 843                            (unsigned long) left);
 844                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 845                 return -1;
 846         }
 847
 848         type = *pos++;
 849         len = WPA_GET_BE24(pos);
 850         pos += 3;
 851         left -= 4;
 852
 853         if (len > left) {
 854                 wpa_printf(MSG_DEBUG,
 855                            "TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
 856                            (unsigned long) len, (unsigned long) left);
 857                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 858                 return -1;
 859         }
 860
 861         end = pos + len;
 862
 863         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
 864                 wpa_printf(MSG_DEBUG,
 865                            "TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
 866                            type);
 867                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 868                           TLS_ALERT_UNEXPECTED_MESSAGE);
 869                 return -1;
 870         }
 871
 872         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
 873
 874         /*
 875          * struct {
 876          *     CertificateStatusType status_type;
 877          *     select (status_type) {
 878          *         case ocsp: OCSPResponse;
 879          *         case ocsp_multi: OCSPResponseList;
 880          *     } response;
 881          * } CertificateStatus;
 882          */
 883         if (end - pos < 1) {
 884                 wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
 885                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 886                 return -1;
 887         }
 888         status_type = *pos++;
 889         wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
 890                    status_type);
 891
 892         if (status_type == 1 /* ocsp */) {
 893                 res = tls_process_certificate_status_ocsp_response(
 894                         conn, pos, end - pos);
 895         } else if (status_type == 2 /* ocsp_multi */) {
 896                 int good = 0, revoked = 0;
 897                 u32 resp_len;
 898
 899                 res = TLS_OCSP_NO_RESPONSE;
 900
 901                 /*
 902                  * opaque OCSPResponse<0..2^24-1>;
 903                  *
 904                  * struct {
 905                  *   OCSPResponse ocsp_response_list<1..2^24-1>;
 906                  * } OCSPResponseList;
 907                  */
 908                 if (end - pos < 3) {
 909                         wpa_printf(MSG_DEBUG,
 910                                    "TLSv1: Truncated OCSPResponseList");
 911                         res = TLS_OCSP_INVALID;
 912                         goto done;
 913                 }
 914                 resp_len = WPA_GET_BE24(pos);
 915                 pos += 3;
 916                 if (end - pos < resp_len) {
 917                         wpa_printf(MSG_DEBUG,
 918                                    "TLSv1: Truncated OCSPResponseList(len=%u)",
 919                                    resp_len);
 920                         res = TLS_OCSP_INVALID;
 921                         goto done;
 922                 }
 923                 end = pos + resp_len;
 924
 925                 while (end - pos >= 3) {
 926                         resp_len = WPA_GET_BE24(pos);
 927                         pos += 3;
 928                         if (resp_len > end - pos) {
 929                                 wpa_printf(MSG_DEBUG,
 930                                            "TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
 931                                            resp_len, (int) (end - pos));
 932                                 res = TLS_OCSP_INVALID;
 933                                 break;
 934                         }
 935                         if (!resp_len)
 936                                 continue; /* Skip an empty response */
 937                         res = tls_process_certificate_status_ocsp_response(
 938                                 conn, pos - 3, resp_len + 3);
 939                         if (res == TLS_OCSP_REVOKED)
 940                                 revoked++;
 941                         else if (res == TLS_OCSP_GOOD)
 942                                 good++;
 943                         pos += resp_len;
 944                 }
 945
 946                 if (revoked)
 947                         res = TLS_OCSP_REVOKED;
 948                 else if (good)
 949                         res = TLS_OCSP_GOOD;
 950         } else {
 951                 wpa_printf(MSG_DEBUG,
 952                            "TLSv1: Ignore unsupported CertificateStatus");
 953                 goto skip;
 954         }
 955
 956 done:
 957         if (res == TLS_OCSP_REVOKED) {
 958                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 959                           TLS_ALERT_CERTIFICATE_REVOKED);
 960                 for (cert = conn->server_cert, depth = 0; cert;
 961                      cert = cert->next, depth++) {
 962                         if (cert->ocsp_revoked) {
 963                                 tls_cert_chain_failure_event(
 964                                         conn, depth, cert, TLS_FAIL_REVOKED,
 965                                         "certificate revoked");
 966                         }
 967                 }
 968                 return -1;
 969         }
 970
 971         if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
 972                 /*
 973                  * Verify that each certificate on the chain that is not part
 974                  * of the trusted certificates has a good status. If not,
 975                  * terminate handshake.
 976                  */
 977                 for (cert = conn->server_cert, depth = 0; cert;
 978                      cert = cert->next, depth++) {
 979                         if (!cert->ocsp_good) {
 980                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 981                                           TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
 982                                 tls_cert_chain_failure_event(
 983                                         conn, depth, cert,
 984                                         TLS_FAIL_UNSPECIFIED,
 985                                         "bad certificate status response");
 986                                 return -1;
 987                         }
 988                         if (cert->issuer_trusted)
 989                                 break;
 990                 }
 991         }
 992
 993         if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
 994                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 995                           res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
 996                           TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
 997                 if (conn->server_cert)
 998                         tls_cert_chain_failure_event(
 999                                 conn, 0, conn->server_cert,
1000                                 TLS_FAIL_UNSPECIFIED,
1001                                 "bad certificate status response");
1002                 return -1;
1003         }
1004
1005         conn->ocsp_resp_received = 1;
1006
1007 skip:
1008         *in_len = end - in_data;
1009
1010         conn->state = SERVER_KEY_EXCHANGE;
1011
1012         return 0;
1013 }
1014
1015
1016 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
1017                                            const u8 *in_data, size_t *in_len)
1018 {
1019         const u8 *pos, *end;
1020         size_t left, len;
1021         u8 type;
1022         const struct tls_cipher_suite *suite;
1023
1024         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1025                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1026                            "received content type 0x%x", ct);
1027                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1028                           TLS_ALERT_UNEXPECTED_MESSAGE);
1029                 return -1;
1030         }
1031
1032         pos = in_data;
1033         left = *in_len;
1034
1035         if (left < 4) {
1036                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
1037                            "(Left=%lu)", (unsigned long) left);
1038                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1039                 return -1;
1040         }
1041
1042         type = *pos++;
1043         len = WPA_GET_BE24(pos);
1044         pos += 3;
1045         left -= 4;
1046
1047         if (len > left) {
1048                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
1049                            "length (len=%lu != left=%lu)",
1050                            (unsigned long) len, (unsigned long) left);
1051                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1052                 return -1;
1053         }
1054
1055         end = pos + len;
1056
1057         if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
1058             type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
1059                 return tls_process_certificate_status(conn, ct, in_data,
1060                                                       in_len);
1061         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
1062                 return tls_process_certificate_request(conn, ct, in_data,
1063                                                        in_len);
1064         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1065                 return tls_process_server_hello_done(conn, ct, in_data,
1066                                                      in_len);
1067         if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
1068                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1069                            "message %d (expected ServerKeyExchange/"
1070                            "CertificateRequest/ServerHelloDone%s)", type,
1071                            (conn->flags & TLS_CONN_REQUEST_OCSP) ?
1072                            "/CertificateStatus" : "");
1073                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074                           TLS_ALERT_UNEXPECTED_MESSAGE);
1075                 return -1;
1076         }
1077
1078         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
1079
1080         if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
1081                 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
1082                            "with the selected cipher suite");
1083                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1084                           TLS_ALERT_UNEXPECTED_MESSAGE);
1085                 return -1;
1086         }
1087
1088         wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
1089         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1090         if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
1091                       suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
1092                 if (tlsv1_process_diffie_hellman(conn, pos, len,
1093                                                  suite->key_exchange) < 0) {
1094                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1095                                   TLS_ALERT_DECODE_ERROR);
1096                         return -1;
1097                 }
1098         } else {
1099                 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
1100                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1101                           TLS_ALERT_UNEXPECTED_MESSAGE);
1102                 return -1;
1103         }
1104
1105         *in_len = end - in_data;
1106
1107         conn->state = SERVER_CERTIFICATE_REQUEST;
1108
1109         return 0;
1110 }
1111
1112
1113 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
1114                                            const u8 *in_data, size_t *in_len)
1115 {
1116         const u8 *pos, *end;
1117         size_t left, len;
1118         u8 type;
1119
1120         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1121                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1122                            "received content type 0x%x", ct);
1123                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1124                           TLS_ALERT_UNEXPECTED_MESSAGE);
1125                 return -1;
1126         }
1127
1128         pos = in_data;
1129         left = *in_len;
1130
1131         if (left < 4) {
1132                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
1133                            "(left=%lu)", (unsigned long) left);
1134                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1135                 return -1;
1136         }
1137
1138         type = *pos++;
1139         len = WPA_GET_BE24(pos);
1140         pos += 3;
1141         left -= 4;
1142
1143         if (len > left) {
1144                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
1145                            "length (len=%lu != left=%lu)",
1146                            (unsigned long) len, (unsigned long) left);
1147                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1148                 return -1;
1149         }
1150
1151         end = pos + len;
1152
1153         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
1154                 return tls_process_server_hello_done(conn, ct, in_data,
1155                                                      in_len);
1156         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
1157                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1158                            "message %d (expected CertificateRequest/"
1159                            "ServerHelloDone)", type);
1160                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1161                           TLS_ALERT_UNEXPECTED_MESSAGE);
1162                 return -1;
1163         }
1164
1165         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
1166
1167         conn->certificate_requested = 1;
1168
1169         *in_len = end - in_data;
1170
1171         conn->state = SERVER_HELLO_DONE;
1172
1173         return 0;
1174 }
1175
1176
1177 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
1178                                          const u8 *in_data, size_t *in_len)
1179 {
1180         const u8 *pos, *end;
1181         size_t left, len;
1182         u8 type;
1183
1184         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1185                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
1186                            "received content type 0x%x", ct);
1187                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1188                           TLS_ALERT_UNEXPECTED_MESSAGE);
1189                 return -1;
1190         }
1191
1192         pos = in_data;
1193         left = *in_len;
1194
1195         if (left < 4) {
1196                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
1197                            "(left=%lu)", (unsigned long) left);
1198                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1199                 return -1;
1200         }
1201
1202         type = *pos++;
1203         len = WPA_GET_BE24(pos);
1204         pos += 3;
1205         left -= 4;
1206
1207         if (len > left) {
1208                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
1209                            "length (len=%lu != left=%lu)",
1210                            (unsigned long) len, (unsigned long) left);
1211                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1212                 return -1;
1213         }
1214         end = pos + len;
1215
1216         if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
1217                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
1218                            "message %d (expected ServerHelloDone)", type);
1219                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1220                           TLS_ALERT_UNEXPECTED_MESSAGE);
1221                 return -1;
1222         }
1223
1224         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
1225
1226         if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
1227             !conn->ocsp_resp_received) {
1228                 wpa_printf(MSG_INFO,
1229                            "TLSv1: No OCSP response received - reject handshake");
1230                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1231                           TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
1232                 return -1;
1233         }
1234
1235         *in_len = end - in_data;
1236
1237         conn->state = CLIENT_KEY_EXCHANGE;
1238
1239         return 0;
1240 }
1241
1242
1243 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
1244                                                  u8 ct, const u8 *in_data,
1245                                                  size_t *in_len)
1246 {
1247         const u8 *pos;
1248         size_t left;
1249
1250         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1251                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1252                            "received content type 0x%x", ct);
1253                 if (conn->use_session_ticket) {
1254                         int res;
1255                         wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
1256                                    "rejected SessionTicket");
1257                         conn->use_session_ticket = 0;
1258
1259                         /* Notify upper layers that SessionTicket failed */
1260                         res = conn->session_ticket_cb(
1261                                 conn->session_ticket_cb_ctx, NULL, 0, NULL,
1262                                 NULL, NULL);
1263                         if (res < 0) {
1264                                 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
1265                                            "callback indicated failure");
1266                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1267                                           TLS_ALERT_HANDSHAKE_FAILURE);
1268                                 return -1;
1269                         }
1270
1271                         conn->state = SERVER_CERTIFICATE;
1272                         return tls_process_certificate(conn, ct, in_data,
1273                                                        in_len);
1274                 }
1275                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276                           TLS_ALERT_UNEXPECTED_MESSAGE);
1277                 return -1;
1278         }
1279
1280         pos = in_data;
1281         left = *in_len;
1282
1283         if (left < 1) {
1284                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
1285                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
1286                 return -1;
1287         }
1288
1289         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1290                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
1291                            "received data 0x%x", *pos);
1292                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1293                           TLS_ALERT_UNEXPECTED_MESSAGE);
1294                 return -1;
1295         }
1296
1297         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
1298         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1299                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1300                            "for record layer");
1301                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1302                           TLS_ALERT_INTERNAL_ERROR);
1303                 return -1;
1304         }
1305
1306         *in_len = pos + 1 - in_data;
1307
1308         conn->state = SERVER_FINISHED;
1309
1310         return 0;
1311 }
1312
1313
1314 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
1315                                        const u8 *in_data, size_t *in_len)
1316 {
1317         const u8 *pos, *end;
1318         size_t left, len, hlen;
1319         u8 verify_data[TLS_VERIFY_DATA_LEN];
1320         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1321
1322         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1323                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
1324                            "received content type 0x%x", ct);
1325                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1326                           TLS_ALERT_UNEXPECTED_MESSAGE);
1327                 return -1;
1328         }
1329
1330         pos = in_data;
1331         left = *in_len;
1332
1333         if (left < 4) {
1334                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1335                            "Finished",
1336                            (unsigned long) left);
1337                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1338                           TLS_ALERT_DECODE_ERROR);
1339                 return -1;
1340         }
1341
1342         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1343                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1344                            "type 0x%x", pos[0]);
1345                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1346                           TLS_ALERT_UNEXPECTED_MESSAGE);
1347                 return -1;
1348         }
1349
1350         len = WPA_GET_BE24(pos + 1);
1351
1352         pos += 4;
1353         left -= 4;
1354
1355         if (len > left) {
1356                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1357                            "(len=%lu > left=%lu)",
1358                            (unsigned long) len, (unsigned long) left);
1359                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1360                           TLS_ALERT_DECODE_ERROR);
1361                 return -1;
1362         }
1363         end = pos + len;
1364         if (len != TLS_VERIFY_DATA_LEN) {
1365                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1366                            "in Finished: %lu (expected %d)",
1367                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1368                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1369                           TLS_ALERT_DECODE_ERROR);
1370                 return -1;
1371         }
1372         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1373                     pos, TLS_VERIFY_DATA_LEN);
1374
1375 #ifdef CONFIG_TLSV12
1376         if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1377                 hlen = SHA256_MAC_LEN;
1378                 if (conn->verify.sha256_server == NULL ||
1379                     crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
1380                     < 0) {
1381                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1382                                   TLS_ALERT_INTERNAL_ERROR);
1383                         conn->verify.sha256_server = NULL;
1384                         return -1;
1385                 }
1386                 conn->verify.sha256_server = NULL;
1387         } else {
1388 #endif /* CONFIG_TLSV12 */
1389
1390         hlen = MD5_MAC_LEN;
1391         if (conn->verify.md5_server == NULL ||
1392             crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
1393                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1394                           TLS_ALERT_INTERNAL_ERROR);
1395                 conn->verify.md5_server = NULL;
1396                 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
1397                 conn->verify.sha1_server = NULL;
1398                 return -1;
1399         }
1400         conn->verify.md5_server = NULL;
1401         hlen = SHA1_MAC_LEN;
1402         if (conn->verify.sha1_server == NULL ||
1403             crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
1404                                &hlen) < 0) {
1405                 conn->verify.sha1_server = NULL;
1406                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1407                           TLS_ALERT_INTERNAL_ERROR);
1408                 return -1;
1409         }
1410         conn->verify.sha1_server = NULL;
1411         hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1412
1413 #ifdef CONFIG_TLSV12
1414         }
1415 #endif /* CONFIG_TLSV12 */
1416
1417         if (tls_prf(conn->rl.tls_version,
1418                     conn->master_secret, TLS_MASTER_SECRET_LEN,
1419                     "server finished", hash, hlen,
1420                     verify_data, TLS_VERIFY_DATA_LEN)) {
1421                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1422                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1423                           TLS_ALERT_DECRYPT_ERROR);
1424                 return -1;
1425         }
1426         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1427                         verify_data, TLS_VERIFY_DATA_LEN);
1428
1429         if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1430                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1431                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1432                           TLS_ALERT_DECRYPT_ERROR);
1433                 return -1;
1434         }
1435
1436         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1437
1438         *in_len = end - in_data;
1439
1440         conn->state = (conn->session_resumed || conn->use_session_ticket) ?
1441                 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1442
1443         return 0;
1444 }
1445
1446
1447 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
1448                                         const u8 *in_data, size_t *in_len,
1449                                         u8 **out_data, size_t *out_len)
1450 {
1451         const u8 *pos;
1452         size_t left;
1453
1454         if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1455                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
1456                            "received content type 0x%x", ct);
1457                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1458                           TLS_ALERT_UNEXPECTED_MESSAGE);
1459                 return -1;
1460         }
1461
1462         pos = in_data;
1463         left = *in_len;
1464
1465         wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1466                     pos, left);
1467
1468         *out_data = os_malloc(left);
1469         if (*out_data) {
1470                 os_memcpy(*out_data, pos, left);
1471                 *out_len = left;
1472         }
1473
1474         return 0;
1475 }
1476
1477
1478 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1479                                    const u8 *buf, size_t *len,
1480                                    u8 **out_data, size_t *out_len)
1481 {
1482         if (ct == TLS_CONTENT_TYPE_ALERT) {
1483                 if (*len < 2) {
1484                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1485                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1486                                   TLS_ALERT_DECODE_ERROR);
1487                         return -1;
1488                 }
1489                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1490                            buf[0], buf[1]);
1491                 *len = 2;
1492                 conn->state = FAILED;
1493                 return -1;
1494         }
1495
1496         if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1497             buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1498                 size_t hr_len = WPA_GET_BE24(buf + 1);
1499                 if (hr_len > *len - 4) {
1500                         wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1501                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1502                                   TLS_ALERT_DECODE_ERROR);
1503                         return -1;
1504                 }
1505                 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1506                 *len = 4 + hr_len;
1507                 return 0;
1508         }
1509
1510         switch (conn->state) {
1511         case SERVER_HELLO:
1512                 if (tls_process_server_hello(conn, ct, buf, len))
1513                         return -1;
1514                 break;
1515         case SERVER_CERTIFICATE:
1516                 if (tls_process_certificate(conn, ct, buf, len))
1517                         return -1;
1518                 break;
1519         case SERVER_KEY_EXCHANGE:
1520                 if (tls_process_server_key_exchange(conn, ct, buf, len))
1521                         return -1;
1522                 break;
1523         case SERVER_CERTIFICATE_REQUEST:
1524                 if (tls_process_certificate_request(conn, ct, buf, len))
1525                         return -1;
1526                 break;
1527         case SERVER_HELLO_DONE:
1528                 if (tls_process_server_hello_done(conn, ct, buf, len))
1529                         return -1;
1530                 break;
1531         case SERVER_CHANGE_CIPHER_SPEC:
1532                 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1533                         return -1;
1534                 break;
1535         case SERVER_FINISHED:
1536                 if (tls_process_server_finished(conn, ct, buf, len))
1537                         return -1;
1538                 break;
1539         case ACK_FINISHED:
1540                 if (out_data &&
1541                     tls_process_application_data(conn, ct, buf, len, out_data,
1542                                                  out_len))
1543                         return -1;
1544                 break;
1545         default:
1546                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1547                            "while processing received message",
1548                            conn->state);
1549                 return -1;
1550         }
1551
1552         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1553                 tls_verify_hash_add(&conn->verify, buf, *len);
1554
1555         return 0;
1556 }