Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-12-01 19:58:22 -05:00
Code Issues Projects Releases Wiki Activity
7a69fad7ad
fragattacks/src/tls/tlsv1_client_read.c

1557 lines
40 KiB
C
Raw Normal View History

Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
/*
TLS: Update file headers to include TLS v1.2 support Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 15:13:52 -05:00
* TLSv1 client - read handshake message
TLS: Parse ServerHello extensions This prints the received ServerHello extensions into the debug log and allows handshake to continue even if such extensions are included. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 15:45:35 -05:00
* Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
*
Remove the GPL notification from files contributed by Jouni Malinen Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 09:46:35 -05:00
* This software may be distributed under the terms of the BSD license.
* See README for more details.
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
*/
#include "includes.h"
#include "common.h"
Remove src/crypto from default include path In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
2009-11-29 16:04:43 -05:00
#include "crypto/md5.h"
#include "crypto/sha1.h"
TLS: Add SHA256-based verify_data derivation for TLS v1.2 Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 14:54:15 -05:00
#include "crypto/sha256.h"
Remove src/crypto from default include path In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
2009-11-29 16:04:43 -05:00
#include "crypto/tls.h"
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
#include "x509v3.h"
#include "tlsv1_common.h"
#include "tlsv1_record.h"
#include "tlsv1_client.h"
#include "tlsv1_client_i.h"
static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len);
static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len);
static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len);
TLS client: Add support for disabling TLS versions The internal TLS client implementation in wpa_supplicant can now be used with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1, and tls_disable_tlsv1_2=1 to disable the specified TLS version(s). Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:03:11 -05:00
static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
{
return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
ver == TLS_VERSION_1) ||
((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
ver == TLS_VERSION_1_1) ||
((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
ver == TLS_VERSION_1_2));
}
TLS: Parse ServerHello extensions This prints the received ServerHello extensions into the debug log and allows handshake to continue even if such extensions are included. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 15:45:35 -05:00
static int tls_process_server_hello_extensions(struct tlsv1_client *conn,
const u8 *pos, size_t len)
{
const u8 *end = pos + len;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello extensions",
pos, len);
while (pos < end) {
u16 ext, elen;
if (end - pos < 4) {
wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension header");
return -1;
}
ext = WPA_GET_BE16(pos);
pos += 2;
elen = WPA_GET_BE16(pos);
pos += 2;
if (elen > end - pos) {
wpa_printf(MSG_INFO, "TLSv1: Truncated ServerHello extension");
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: ServerHello ExtensionType %u",
ext);
wpa_hexdump(MSG_DEBUG, "TLSv1: ServerHello extension data",
pos, elen);
pos += elen;
}
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len, i;
u16 cipher_suite;
TLS: Add support for TLS v1.1 (RFC 4346) with internal TLS This is disabled by defautl and can be enabled with CONFIG_TLSV11=y build configuration parameter.
2011-09-25 10:24:46 -04:00
u16 tls_version;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4)
goto decode_error;
/* HandshakeType msg_type */
if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ServerHello)", *pos);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
pos++;
/* uint24 length */
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left)
goto decode_error;
/* body - ServerHello */
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
end = pos + len;
/* ProtocolVersion server_version */
if (end - pos < 2)
goto decode_error;
TLS: Add support for TLS v1.1 (RFC 4346) with internal TLS This is disabled by defautl and can be enabled with CONFIG_TLSV11=y build configuration parameter.
2011-09-25 10:24:46 -04:00
tls_version = WPA_GET_BE16(pos);
TLS client: Add support for disabling TLS versions The internal TLS client implementation in wpa_supplicant can now be used with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1, and tls_disable_tlsv1_2=1 to disable the specified TLS version(s). Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:03:11 -05:00
if (!tls_version_ok(tls_version) ||
tls_version_disabled(conn, tls_version)) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
TLS: Add support for TLS v1.1 (RFC 4346) with internal TLS This is disabled by defautl and can be enabled with CONFIG_TLSV11=y build configuration parameter.
2011-09-25 10:24:46 -04:00
"ServerHello %u.%u", pos[0], pos[1]);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_PROTOCOL_VERSION);
return -1;
}
pos += 2;
TLS: Add support for TLS v1.1 (RFC 4346) with internal TLS This is disabled by defautl and can be enabled with CONFIG_TLSV11=y build configuration parameter.
2011-09-25 10:24:46 -04:00
wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
TLS: Add helper functions for version number handling Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 14:20:18 -05:00
tls_version_str(tls_version));
TLS: Add support for TLS v1.1 (RFC 4346) with internal TLS This is disabled by defautl and can be enabled with CONFIG_TLSV11=y build configuration parameter.
2011-09-25 10:24:46 -04:00
conn->rl.tls_version = tls_version;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
/* Random random */
if (end - pos < TLS_RANDOM_LEN)
goto decode_error;
os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
pos += TLS_RANDOM_LEN;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
conn->server_random, TLS_RANDOM_LEN);
/* SessionID session_id */
if (end - pos < 1)
goto decode_error;
if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
goto decode_error;
if (conn->session_id_len && conn->session_id_len == *pos &&
os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
pos += 1 + conn->session_id_len;
wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
conn->session_resumed = 1;
} else {
conn->session_id_len = *pos;
pos++;
os_memcpy(conn->session_id, pos, conn->session_id_len);
pos += conn->session_id_len;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
conn->session_id, conn->session_id_len);
/* CipherSuite cipher_suite */
if (end - pos < 2)
goto decode_error;
cipher_suite = WPA_GET_BE16(pos);
pos += 2;
for (i = 0; i < conn->num_cipher_suites; i++) {
if (cipher_suite == conn->cipher_suites[i])
break;
}
if (i == conn->num_cipher_suites) {
wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
"cipher suite 0x%04x", cipher_suite);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
"cipher suite for a resumed connection (0x%04x != "
"0x%04x)", cipher_suite, conn->prev_cipher_suite);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
"record layer");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->prev_cipher_suite = cipher_suite;
/* CompressionMethod compression_method */
if (end - pos < 1)
goto decode_error;
if (*pos != TLS_COMPRESSION_NULL) {
wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
"compression 0x%02x", *pos);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
pos++;
TLS: Parse ServerHello extensions This prints the received ServerHello extensions into the debug log and allows handshake to continue even if such extensions are included. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 15:45:35 -05:00
if (end - pos >= 2) {
u16 ext_len;
ext_len = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < ext_len) {
wpa_printf(MSG_INFO,
"TLSv1: Invalid ServerHello extension length: %u (left: %u)",
ext_len, (unsigned int) (end - pos));
goto decode_error;
}
if (tls_process_server_hello_extensions(conn, pos, ext_len))
goto decode_error;
pos += ext_len;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
if (end != pos) {
wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
"end of ServerHello", pos, end - pos);
goto decode_error;
}
if (conn->session_ticket_included && conn->session_ticket_cb) {
/* TODO: include SessionTicket extension if one was included in
* ServerHello */
int res = conn->session_ticket_cb(
conn->session_ticket_cb_ctx, NULL, 0,
conn->client_random, conn->server_random,
conn->master_secret);
if (res < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
"indicated failure");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_HANDSHAKE_FAILURE);
return -1;
}
conn->use_session_ticket = !!res;
}
if ((conn->session_resumed || conn->use_session_ticket) &&
tls_derive_keys(conn, NULL, 0)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
*in_len = end - in_data;
conn->state = (conn->session_resumed || conn->use_session_ticket) ?
SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
return 0;
decode_error:
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
TLS client: Add support for server certificate probing The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:59:27 -05:00
static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
struct x509_certificate *cert)
{
union tls_event_data ev;
struct wpabuf *cert_buf = NULL;
#ifdef CONFIG_SHA256
u8 hash[32];
#endif /* CONFIG_SHA256 */
char subject[128];
if (!conn->event_cb)
return;
os_memset(&ev, 0, sizeof(ev));
if (conn->cred->cert_probe || conn->cert_in_cb) {
cert_buf = wpabuf_alloc_copy(cert->cert_start,
cert->cert_len);
ev.peer_cert.cert = cert_buf;
}
#ifdef CONFIG_SHA256
if (cert_buf) {
const u8 *addr[1];
size_t len[1];
addr[0] = wpabuf_head(cert_buf);
len[0] = wpabuf_len(cert_buf);
if (sha256_vector(1, addr, len, hash) == 0) {
ev.peer_cert.hash = hash;
ev.peer_cert.hash_len = sizeof(hash);
}
}
#endif /* CONFIG_SHA256 */
ev.peer_cert.depth = depth;
x509_name_string(&cert->subject, subject, sizeof(subject));
ev.peer_cert.subject = subject;
conn->event_cb(conn->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
wpabuf_free(cert_buf);
}
TLS client: Add certificate chain validation failure callbacks This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:32:52 -05:00
static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
struct x509_certificate *cert,
enum tls_fail_reason reason,
const char *reason_txt)
{
struct wpabuf *cert_buf = NULL;
union tls_event_data ev;
char subject[128];
TLS: Make tls_cert_chain_failure_event() more robust Explicitly check for the failure event to include a certificate before trying to build the event. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-28 11:31:11 -05:00
if (!conn->event_cb || !cert)
TLS client: Add certificate chain validation failure callbacks This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:32:52 -05:00
return;
os_memset(&ev, 0, sizeof(ev));
ev.cert_fail.depth = depth;
x509_name_string(&cert->subject, subject, sizeof(subject));
ev.peer_cert.subject = subject;
ev.cert_fail.reason = reason;
ev.cert_fail.reason_txt = reason_txt;
cert_buf = wpabuf_alloc_copy(cert->cert_start,
cert->cert_len);
ev.cert_fail.cert = cert_buf;
conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
wpabuf_free(cert_buf);
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len, list_len, cert_len, idx;
u8 type;
struct x509_certificate *chain = NULL, *last = NULL, *cert;
int reason;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
"(len=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
return tls_process_server_key_exchange(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
return tls_process_certificate_request(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
return tls_process_server_hello_done(conn, ct, in_data,
in_len);
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected Certificate/"
"ServerKeyExchange/CertificateRequest/"
"ServerHelloDone)", type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG,
"TLSv1: Received Certificate (certificate_list len %lu)",
(unsigned long) len);
/*
* opaque ASN.1Cert<2^24-1>;
*
* struct {
* ASN.1Cert certificate_list<1..2^24-1>;
* } Certificate;
*/
end = pos + len;
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
"(left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
list_len = WPA_GET_BE24(pos);
pos += 3;
if ((size_t) (end - pos) != list_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
"length (len=%lu left=%lu)",
(unsigned long) list_len,
(unsigned long) (end - pos));
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
idx = 0;
while (pos < end) {
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"certificate_list");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
x509_certificate_chain_free(chain);
return -1;
}
cert_len = WPA_GET_BE24(pos);
pos += 3;
if ((size_t) (end - pos) < cert_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
"length (len=%lu left=%lu)",
(unsigned long) cert_len,
(unsigned long) (end - pos));
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
x509_certificate_chain_free(chain);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
(unsigned long) idx, (unsigned long) cert_len);
if (idx == 0) {
crypto_public_key_free(conn->server_rsa_key);
if (tls_parse_cert(pos, cert_len,
&conn->server_rsa_key)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"the certificate");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
}
cert = x509_certificate_parse(pos, cert_len);
if (cert == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"the certificate");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
TLS client: Add support for server certificate probing The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:59:27 -05:00
tls_peer_cert_event(conn, idx, cert);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
if (last == NULL)
chain = cert;
else
last->next = cert;
last = cert;
idx++;
pos += cert_len;
}
TLS client: Add support for validating server certificate hash This commit adds support for "hash://server/sha256/cert_hash_in_hex" scheme in ca_cert property for the internal TLS implementation. Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-21 20:02:56 -05:00
if (conn->cred && conn->cred->server_cert_only && chain) {
u8 hash[SHA256_MAC_LEN];
char buf[128];
wpa_printf(MSG_DEBUG,
"TLSv1: Validate server certificate hash");
x509_name_string(&chain->subject, buf, sizeof(buf));
wpa_printf(MSG_DEBUG, "TLSv1: 0: %s", buf);
if (sha256_vector(1, &chain->cert_start, &chain->cert_len,
hash) < 0 ||
os_memcmp(conn->cred->srv_cert_hash, hash,
SHA256_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG,
"TLSv1: Server certificate hash mismatch");
wpa_hexdump(MSG_MSGDUMP, "TLSv1: SHA256 hash",
hash, SHA256_MAC_LEN);
TLS client: Add support for server certificate probing The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:59:27 -05:00
if (conn->event_cb) {
union tls_event_data ev;
os_memset(&ev, 0, sizeof(ev));
ev.cert_fail.reason = TLS_FAIL_UNSPECIFIED;
ev.cert_fail.reason_txt =
"Server certificate mismatch";
ev.cert_fail.subject = buf;
conn->event_cb(conn->cb_ctx,
TLS_CERT_CHAIN_FAILURE, &ev);
}
TLS client: Add support for validating server certificate hash This commit adds support for "hash://server/sha256/cert_hash_in_hex" scheme in ca_cert property for the internal TLS implementation. Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-21 20:02:56 -05:00
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
TLS client: Add support for server certificate probing The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:59:27 -05:00
} else if (conn->cred && conn->cred->cert_probe) {
wpa_printf(MSG_DEBUG,
"TLSv1: Reject server certificate on probe-only rune");
if (conn->event_cb) {
union tls_event_data ev;
char buf[128];
os_memset(&ev, 0, sizeof(ev));
ev.cert_fail.reason = TLS_FAIL_SERVER_CHAIN_PROBE;
ev.cert_fail.reason_txt =
"Server certificate chain probe";
if (chain) {
x509_name_string(&chain->subject, buf,
sizeof(buf));
ev.cert_fail.subject = buf;
}
conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE,
&ev);
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
TLS client: Add support for validating server certificate hash This commit adds support for "hash://server/sha256/cert_hash_in_hex" scheme in ca_cert property for the internal TLS implementation. Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-21 20:02:56 -05:00
} else if (conn->cred && conn->cred->ca_cert_verify &&
TLS client: Use TLS_CONN_* flags This makes it simpler to add support for new TLS_CONN_* flags without having to add a new configuration function for each flag. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 12:48:17 -05:00
x509_certificate_chain_validate(
conn->cred->trusted_certs, chain, &reason,
!!(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS))
TLS client: Add support for validating server certificate hash This commit adds support for "hash://server/sha256/cert_hash_in_hex" scheme in ca_cert property for the internal TLS implementation. Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-21 20:02:56 -05:00
< 0) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
switch (reason) {
case X509_VALIDATE_BAD_CERTIFICATE:
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
TLS client: Add certificate chain validation failure callbacks This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:32:52 -05:00
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
"bad certificate");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
break;
case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
break;
case X509_VALIDATE_CERTIFICATE_REVOKED:
tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
TLS client: Add certificate chain validation failure callbacks This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:32:52 -05:00
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_REVOKED,
"certificate revoked");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
break;
case X509_VALIDATE_CERTIFICATE_EXPIRED:
tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
TLS client: Add certificate chain validation failure callbacks This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:32:52 -05:00
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_EXPIRED,
"certificate has expired or is not yet valid");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
break;
case X509_VALIDATE_CERTIFICATE_UNKNOWN:
tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
break;
case X509_VALIDATE_UNKNOWN_CA:
tls_reason = TLS_ALERT_UNKNOWN_CA;
TLS client: Add certificate chain validation failure callbacks This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 13:32:52 -05:00
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_UNTRUSTED,
"unknown CA");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
break;
default:
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
break;
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
x509_certificate_chain_free(chain);
return -1;
}
TLS: Add support for extKeyUsage X.509v3 extension If the server/client certificate includes the extKeyUsage extension, verify that the listed key purposes include either the anyExtendedKeyUsage wildcard or id-kp-serverAuth/id-kp-clientAuth, respectively. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 14:53:23 -05:00
if (conn->cred && !conn->cred->server_cert_only && chain &&
(chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
!(chain->ext_key_usage &
(X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_SERVER_AUTH))) {
tls_cert_chain_failure_event(
conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
"certificate not allowed for server authentication");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
if (conn->flags & TLS_CONN_REQUEST_OCSP) {
x509_certificate_chain_free(conn->server_cert);
conn->server_cert = chain;
} else {
x509_certificate_chain_free(chain);
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
*in_len = end - in_data;
conn->state = SERVER_KEY_EXCHANGE;
return 0;
}
TLS client: Reject RSA-DHE prime if it shorter than 768 bits Such short primes cannot really be considered secure enough for authentication purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 06:27:52 -04:00
static unsigned int count_bits(const u8 *val, size_t len)
{
size_t i;
unsigned int bits;
u8 tmp;
for (i = 0; i < len; i++) {
if (val[i])
break;
}
if (i == len)
return 0;
bits = (len - i - 1) * 8;
tmp = val[i];
while (tmp) {
bits++;
tmp >>= 1;
}
return bits;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
const u8 *buf, size_t len,
tls_key_exchange key_exchange)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
{
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
const u8 *pos, *end, *server_params, *server_params_end;
TLS: Share a helper function for verifying Signature This same design is used in both the server and the client roles in the internal TLS implementation. Instead of duplicated implementation, use a helper function. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 11:11:58 -04:00
u8 alert;
TLS client: Reject RSA-DHE prime if it shorter than 768 bits Such short primes cannot really be considered secure enough for authentication purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 06:27:52 -04:00
unsigned int bits;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
u16 val;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
tlsv1_client_free_dh(conn);
pos = buf;
end = buf + len;
if (end - pos < 3)
goto fail;
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
server_params = pos;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
val = WPA_GET_BE16(pos);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
pos += 2;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
if (val == 0 || val > (size_t) (end - pos)) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
goto fail;
}
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
conn->dh_p_len = val;
TLS client: Reject RSA-DHE prime if it shorter than 768 bits Such short primes cannot really be considered secure enough for authentication purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 06:27:52 -04:00
bits = count_bits(pos, conn->dh_p_len);
if (bits < 768) {
wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
bits);
wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
pos, conn->dh_p_len);
goto fail;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
conn->dh_p = os_malloc(conn->dh_p_len);
if (conn->dh_p == NULL)
goto fail;
os_memcpy(conn->dh_p, pos, conn->dh_p_len);
pos += conn->dh_p_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
conn->dh_p, conn->dh_p_len);
if (end - pos < 3)
goto fail;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
val = WPA_GET_BE16(pos);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
pos += 2;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
if (val == 0 || val > (size_t) (end - pos))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
goto fail;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
conn->dh_g_len = val;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
conn->dh_g = os_malloc(conn->dh_g_len);
if (conn->dh_g == NULL)
goto fail;
os_memcpy(conn->dh_g, pos, conn->dh_g_len);
pos += conn->dh_g_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
conn->dh_g, conn->dh_g_len);
if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
goto fail;
if (end - pos < 3)
goto fail;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
val = WPA_GET_BE16(pos);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
pos += 2;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
if (val == 0 || val > (size_t) (end - pos))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
goto fail;
TLS client: Check DH parameters using a local variable Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 10:48:34 -05:00
conn->dh_ys_len = val;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
conn->dh_ys = os_malloc(conn->dh_ys_len);
if (conn->dh_ys == NULL)
goto fail;
os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
pos += conn->dh_ys_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
conn->dh_ys, conn->dh_ys_len);
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
server_params_end = pos;
if (key_exchange == TLS_KEY_X_DHE_RSA) {
TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512 This extends the internal TLS client implementation to support signature algorithms SHA384 and SHA512 in addition to the previously supported SHA256. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:16:07 -05:00
u8 hash[64];
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
int hlen;
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
if (conn->rl.tls_version == TLS_VERSION_1_2) {
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
#ifdef CONFIG_TLSV12
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
/*
* RFC 5246, 4.7:
* TLS v1.2 adds explicit indication of the used
* signature and hash algorithms.
*
* struct {
* HashAlgorithm hash;
* SignatureAlgorithm signature;
* } SignatureAndHashAlgorithm;
*/
if (end - pos < 2)
goto fail;
TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512 This extends the internal TLS client implementation to support signature algorithms SHA384 and SHA512 in addition to the previously supported SHA256. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:16:07 -05:00
if ((pos[0] != TLS_HASH_ALG_SHA256 &&
pos[0] != TLS_HASH_ALG_SHA384 &&
pos[0] != TLS_HASH_ALG_SHA512) ||
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
pos[1] != TLS_SIGN_ALG_RSA) {
wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
pos[0], pos[1]);
goto fail;
}
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
hlen = tlsv12_key_x_server_params_hash(
TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512 This extends the internal TLS client implementation to support signature algorithms SHA384 and SHA512 in addition to the previously supported SHA256. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:16:07 -05:00
conn->rl.tls_version, pos[0],
conn->client_random,
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
conn->server_random, server_params,
server_params_end - server_params, hash);
TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512 This extends the internal TLS client implementation to support signature algorithms SHA384 and SHA512 in addition to the previously supported SHA256. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 11:16:07 -05:00
pos += 2;
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
#else /* CONFIG_TLSV12 */
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
goto fail;
#endif /* CONFIG_TLSV12 */
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
} else {
hlen = tls_key_x_server_params_hash(
conn->rl.tls_version, conn->client_random,
conn->server_random, server_params,
server_params_end - server_params, hash);
}
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
TLS: Use a helper function for calculating ServerKeyExchange hash Instead of separate server and client side implementations, use a common set of helper functions for calculating the ServerParams hash for ServerKeyExchange. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 10:26:27 -04:00
if (hlen < 0)
goto fail;
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
hash, hlen);
TLS: Share a helper function for verifying Signature This same design is used in both the server and the client roles in the internal TLS implementation. Instead of duplicated implementation, use a helper function. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 11:11:58 -04:00
if (tls_verify_signature(conn->rl.tls_version,
conn->server_rsa_key,
hash, hlen, pos, end - pos,
&alert) < 0)
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
goto fail;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
return 0;
fail:
wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
tlsv1_client_free_dh(conn);
return -1;
}
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
static enum tls_ocsp_result
tls_process_certificate_status_ocsp_response(struct tlsv1_client *conn,
const u8 *pos, size_t len)
{
const u8 *end = pos + len;
u32 ocsp_resp_len;
/* opaque OCSPResponse<1..2^24-1>; */
if (end - pos < 3) {
wpa_printf(MSG_INFO, "TLSv1: Too short OCSPResponse");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return TLS_OCSP_INVALID;
}
ocsp_resp_len = WPA_GET_BE24(pos);
pos += 3;
if (end - pos < ocsp_resp_len) {
wpa_printf(MSG_INFO, "TLSv1: Truncated OCSPResponse");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return TLS_OCSP_INVALID;
}
return tls_process_ocsp_response(conn, pos, ocsp_resp_len);
}
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type, status_type;
enum tls_ocsp_result res;
TLS client: Multi-OCSP check to cover intermediate CAs This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 17:00:13 -05:00
struct x509_certificate *cert;
int depth;
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG,
"TLSv1: Expected Handshake; received content type 0x%x",
ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG,
"TLSv1: Too short CertificateStatus (left=%lu)",
(unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG,
"TLSv1: Mismatch in CertificateStatus length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS) {
wpa_printf(MSG_DEBUG,
"TLSv1: Received unexpected handshake message %d (expected CertificateStatus)",
type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateStatus");
/*
* struct {
* CertificateStatusType status_type;
* select (status_type) {
* case ocsp: OCSPResponse;
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
* case ocsp_multi: OCSPResponseList;
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
* } response;
* } CertificateStatus;
*/
if (end - pos < 1) {
wpa_printf(MSG_INFO, "TLSv1: Too short CertificateStatus");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
status_type = *pos++;
wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatus status_type %u",
status_type);
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
if (status_type == 1 /* ocsp */) {
res = tls_process_certificate_status_ocsp_response(
conn, pos, end - pos);
} else if (status_type == 2 /* ocsp_multi */) {
int good = 0, revoked = 0;
u32 resp_len;
res = TLS_OCSP_NO_RESPONSE;
/*
* opaque OCSPResponse<0..2^24-1>;
*
* struct {
* OCSPResponse ocsp_response_list<1..2^24-1>;
* } OCSPResponseList;
*/
if (end - pos < 3) {
wpa_printf(MSG_DEBUG,
"TLSv1: Truncated OCSPResponseList");
res = TLS_OCSP_INVALID;
goto done;
}
resp_len = WPA_GET_BE24(pos);
pos += 3;
if (end - pos < resp_len) {
wpa_printf(MSG_DEBUG,
"TLSv1: Truncated OCSPResponseList(len=%u)",
resp_len);
res = TLS_OCSP_INVALID;
goto done;
}
end = pos + resp_len;
while (end - pos >= 3) {
resp_len = WPA_GET_BE24(pos);
pos += 3;
if (resp_len > end - pos) {
wpa_printf(MSG_DEBUG,
"TLSv1: Truncated OCSPResponse(len=%u; left=%d) in ocsp_multi",
resp_len, (int) (end - pos));
res = TLS_OCSP_INVALID;
break;
}
if (!resp_len)
continue; /* Skip an empty response */
res = tls_process_certificate_status_ocsp_response(
conn, pos - 3, resp_len + 3);
if (res == TLS_OCSP_REVOKED)
revoked++;
else if (res == TLS_OCSP_GOOD)
good++;
pos += resp_len;
}
if (revoked)
res = TLS_OCSP_REVOKED;
else if (good)
res = TLS_OCSP_GOOD;
} else {
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
wpa_printf(MSG_DEBUG,
"TLSv1: Ignore unsupported CertificateStatus");
goto skip;
}
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
done:
if (res == TLS_OCSP_REVOKED) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_CERTIFICATE_REVOKED);
TLS client: Multi-OCSP check to cover intermediate CAs This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 17:00:13 -05:00
for (cert = conn->server_cert, depth = 0; cert;
cert = cert->next, depth++) {
if (cert->ocsp_revoked) {
tls_cert_chain_failure_event(
conn, depth, cert, TLS_FAIL_REVOKED,
"certificate revoked");
}
}
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
return -1;
}
TLS client: Multi-OCSP check to cover intermediate CAs This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 17:00:13 -05:00
if (conn->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
/*
* Verify that each certificate on the chain that is not part
* of the trusted certificates has a good status. If not,
* terminate handshake.
*/
for (cert = conn->server_cert, depth = 0; cert;
cert = cert->next, depth++) {
if (!cert->ocsp_good) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
tls_cert_chain_failure_event(
conn, depth, cert,
TLS_FAIL_UNSPECIFIED,
"bad certificate status response");
return -1;
}
if (cert->issuer_trusted)
break;
}
}
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
if ((conn->flags & TLS_CONN_REQUIRE_OCSP) && res != TLS_OCSP_GOOD) {
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
res == TLS_OCSP_INVALID ? TLS_ALERT_DECODE_ERROR :
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
TLS: Report OCSP rejection cases when no valid response if found This adds a CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS messages with 'bad certificate status response' for cases where no valid OCSP response was received, but the network profile requires OCSP to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 04:45:48 -05:00
if (conn->server_cert)
tls_cert_chain_failure_event(
conn, 0, conn->server_cert,
TLS_FAIL_UNSPECIFIED,
"bad certificate status response");
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
return -1;
}
TLS client: OCSP stapling with ocsp_multi option (RFC 6961) This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 12:39:37 -05:00
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
conn->ocsp_resp_received = 1;
skip:
*in_len = end - in_data;
conn->state = SERVER_KEY_EXCHANGE;
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type;
const struct tls_cipher_suite *suite;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
"(Left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
if ((conn->flags & TLS_CONN_REQUEST_OCSP) &&
type == TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS)
return tls_process_certificate_status(conn, ct, in_data,
in_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
return tls_process_certificate_request(conn, ct, in_data,
in_len);
if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
return tls_process_server_hello_done(conn, ct, in_data,
in_len);
if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ServerKeyExchange/"
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
"CertificateRequest/ServerHelloDone%s)", type,
(conn->flags & TLS_CONN_REQUEST_OCSP) ?
"/CertificateStatus" : "");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
"with the selected cipher suite");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
suite = tls_get_cipher_suite(conn->rl.cipher_suite);
TLS: Add support for DHE-RSA cipher suites This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 09:43:50 -04:00
if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
if (tlsv1_process_diffie_hellman(conn, pos, len,
suite->key_exchange) < 0) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
} else {
wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
*in_len = end - in_data;
conn->state = SERVER_CERTIFICATE_REQUEST;
return 0;
}
static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
"(left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
return tls_process_server_hello_done(conn, ct, in_data,
in_len);
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected CertificateRequest/"
"ServerHelloDone)", type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
conn->certificate_requested = 1;
*in_len = end - in_data;
conn->state = SERVER_HELLO_DONE;
return 0;
}
static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len;
u8 type;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
"(left=%lu)", (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ServerHelloDone)", type);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
TLS: Parse CertificateStatus message This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 16:11:32 -05:00
if ((conn->flags & TLS_CONN_REQUIRE_OCSP) &&
!conn->ocsp_resp_received) {
wpa_printf(MSG_INFO,
"TLSv1: No OCSP response received - reject handshake");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
return -1;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
*in_len = end - in_data;
conn->state = CLIENT_KEY_EXCHANGE;
return 0;
}
static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
u8 ct, const u8 *in_data,
size_t *in_len)
{
const u8 *pos;
size_t left;
if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
"received content type 0x%x", ct);
if (conn->use_session_ticket) {
int res;
wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
"rejected SessionTicket");
conn->use_session_ticket = 0;
/* Notify upper layers that SessionTicket failed */
res = conn->session_ticket_cb(
conn->session_ticket_cb_ctx, NULL, 0, NULL,
NULL, NULL);
if (res < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
"callback indicated failure");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_HANDSHAKE_FAILURE);
return -1;
}
conn->state = SERVER_CERTIFICATE;
return tls_process_certificate(conn, ct, in_data,
in_len);
}
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 1) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
return -1;
}
if (*pos != TLS_CHANGE_CIPHER_SPEC) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
"received data 0x%x", *pos);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
"for record layer");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
*in_len = pos + 1 - in_data;
conn->state = SERVER_FINISHED;
return 0;
}
static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end;
size_t left, len, hlen;
u8 verify_data[TLS_VERIFY_DATA_LEN];
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
"Finished",
(unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
"type 0x%x", pos[0]);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
len = WPA_GET_BE24(pos + 1);
pos += 4;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
"(len=%lu > left=%lu)",
(unsigned long) len, (unsigned long) left);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (len != TLS_VERIFY_DATA_LEN) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
"in Finished: %lu (expected %d)",
(unsigned long) len, TLS_VERIFY_DATA_LEN);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
pos, TLS_VERIFY_DATA_LEN);
TLS: Add SHA256-based verify_data derivation for TLS v1.2 Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 14:54:15 -05:00
#ifdef CONFIG_TLSV12
if (conn->rl.tls_version >= TLS_VERSION_1_2) {
hlen = SHA256_MAC_LEN;
if (conn->verify.sha256_server == NULL ||
crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
< 0) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.sha256_server = NULL;
return -1;
}
conn->verify.sha256_server = NULL;
} else {
#endif /* CONFIG_TLSV12 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
hlen = MD5_MAC_LEN;
if (conn->verify.md5_server == NULL ||
crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.md5_server = NULL;
crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
conn->verify.sha1_server = NULL;
return -1;
}
conn->verify.md5_server = NULL;
hlen = SHA1_MAC_LEN;
if (conn->verify.sha1_server == NULL ||
crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
&hlen) < 0) {
conn->verify.sha1_server = NULL;
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->verify.sha1_server = NULL;
TLS: Add SHA256-based verify_data derivation for TLS v1.2 Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 14:54:15 -05:00
hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
#ifdef CONFIG_TLSV12
}
#endif /* CONFIG_TLSV12 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
TLS: Pass version to tls_prf() in preparation for new PRFs Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 14:35:11 -05:00
if (tls_prf(conn->rl.tls_version,
conn->master_secret, TLS_MASTER_SECRET_LEN,
TLS: Add SHA256-based verify_data derivation for TLS v1.2 Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 14:54:15 -05:00
"server finished", hash, hlen,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
verify_data, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
verify_data, TLS_VERIFY_DATA_LEN);
TLS: Use os_memcmp_const() for hash/password comparisons This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 13:18:00 -04:00
if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
TLS client: Send decrypt_error on verify_data validation error Previously, this was silently dropped which left the connection waiting for timeout. decrypt_error alert can be used here to avoid that. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 12:19:32 -04:00
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 20:34:43 -05:00
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
*in_len = end - in_data;
conn->state = (conn->session_resumed || conn->use_session_ticket) ?
CHANGE_CIPHER_SPEC : ACK_FINISHED;
return 0;
}
static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
const u8 *in_data, size_t *in_len,
u8 **out_data, size_t *out_len)
{
const u8 *pos;
size_t left;
if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
"received content type 0x%x", ct);
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
pos, left);
*out_data = os_malloc(left);
if (*out_data) {
os_memcpy(*out_data, pos, left);
*out_len = left;
}
return 0;
}
int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
const u8 *buf, size_t *len,
u8 **out_data, size_t *out_len)
{
if (ct == TLS_CONTENT_TYPE_ALERT) {
if (*len < 2) {
wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
buf[0], buf[1]);
*len = 2;
conn->state = FAILED;
return -1;
}
if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
size_t hr_len = WPA_GET_BE24(buf + 1);
if (hr_len > *len - 4) {
wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
*len = 4 + hr_len;
return 0;
}
switch (conn->state) {
case SERVER_HELLO:
if (tls_process_server_hello(conn, ct, buf, len))
return -1;
break;
case SERVER_CERTIFICATE:
if (tls_process_certificate(conn, ct, buf, len))
return -1;
break;
case SERVER_KEY_EXCHANGE:
if (tls_process_server_key_exchange(conn, ct, buf, len))
return -1;
break;
case SERVER_CERTIFICATE_REQUEST:
if (tls_process_certificate_request(conn, ct, buf, len))
return -1;
break;
case SERVER_HELLO_DONE:
if (tls_process_server_hello_done(conn, ct, buf, len))
return -1;
break;
case SERVER_CHANGE_CIPHER_SPEC:
if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
return -1;
break;
case SERVER_FINISHED:
if (tls_process_server_finished(conn, ct, buf, len))
return -1;
break;
case ACK_FINISHED:
if (out_data &&
tls_process_application_data(conn, ct, buf, len, out_data,
out_len))
return -1;
break;
default:
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
"while processing received message",
conn->state);
return -1;
}
if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
tls_verify_hash_add(&conn->verify, buf, *len);
return 0;
}
Reference in New Issue Copy Permalink