contrib/wpa_supplicant-0.5.8/tlsv1_client.c

   1 /*
   2  * wpa_supplicant: TLSv1 client (RFC 2246)
   3  * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "base64.h"
  19 #include "md5.h"
  20 #include "sha1.h"
  21 #include "crypto.h"
  22 #include "tls.h"
  23 #include "tlsv1_common.h"
  24 #include "tlsv1_client.h"
  25 #include "x509v3.h"
  26
  27 /* TODO:
  28  * Support for a message fragmented across several records (RFC 2246, 6.2.1)
  29  */
  30
  31 struct tlsv1_client {
  32         enum {
  33                 CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE,
  34                 SERVER_KEY_EXCHANGE, SERVER_CERTIFICATE_REQUEST,
  35                 SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, CHANGE_CIPHER_SPEC,
  36                 SERVER_CHANGE_CIPHER_SPEC, SERVER_FINISHED, ACK_FINISHED,
  37                 ESTABLISHED, FAILED
  38         } state;
  39
  40         struct tlsv1_record_layer rl;
  41
  42         u8 session_id[TLS_SESSION_ID_MAX_LEN];
  43         size_t session_id_len;
  44         u8 client_random[TLS_RANDOM_LEN];
  45         u8 server_random[TLS_RANDOM_LEN];
  46         u8 master_secret[TLS_MASTER_SECRET_LEN];
  47
  48         u8 alert_level;
  49         u8 alert_description;
  50
  51         unsigned int certificate_requested:1;
  52         unsigned int session_resumed:1;
  53         unsigned int ticket:1;
  54         unsigned int ticket_key:1;
  55
  56         struct crypto_public_key *server_rsa_key;
  57
  58         struct crypto_hash *verify_md5_client;
  59         struct crypto_hash *verify_sha1_client;
  60         struct crypto_hash *verify_md5_server;
  61         struct crypto_hash *verify_sha1_server;
  62         struct crypto_hash *verify_md5_cert;
  63         struct crypto_hash *verify_sha1_cert;
  64
  65 #define MAX_CIPHER_COUNT 30
  66         u16 cipher_suites[MAX_CIPHER_COUNT];
  67         size_t num_cipher_suites;
  68
  69         u16 prev_cipher_suite;
  70
  71         u8 *client_hello_ext;
  72         size_t client_hello_ext_len;
  73
  74         /* The prime modulus used for Diffie-Hellman */
  75         u8 *dh_p;
  76         size_t dh_p_len;
  77         /* The generator used for Diffie-Hellman */
  78         u8 *dh_g;
  79         size_t dh_g_len;
  80         /* The server's Diffie-Hellman public value */
  81         u8 *dh_ys;
  82         size_t dh_ys_len;
  83
  84         struct x509_certificate *trusted_certs;
  85         struct x509_certificate *client_cert;
  86         struct crypto_private_key *client_key;
  87 };
  88
  89
  90 static int tls_derive_keys(struct tlsv1_client *conn,
  91                            const u8 *pre_master_secret,
  92                            size_t pre_master_secret_len);
  93 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
  94                                            const u8 *in_data, size_t *in_len);
  95 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
  96                                            const u8 *in_data, size_t *in_len);
  97 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
  98                                          const u8 *in_data, size_t *in_len);
  99
 100
 101 static void tls_alert(struct tlsv1_client *conn, u8 level, u8 description)
 102 {
 103         conn->alert_level = level;
 104         conn->alert_description = description;
 105 }
 106
 107
 108 static void tls_verify_hash_add(struct tlsv1_client *conn, const u8 *buf,
 109                                 size_t len)
 110 {
 111         if (conn->verify_md5_client && conn->verify_sha1_client) {
 112                 crypto_hash_update(conn->verify_md5_client, buf, len);
 113                 crypto_hash_update(conn->verify_sha1_client, buf, len);
 114         }
 115         if (conn->verify_md5_server && conn->verify_sha1_server) {
 116                 crypto_hash_update(conn->verify_md5_server, buf, len);
 117                 crypto_hash_update(conn->verify_sha1_server, buf, len);
 118         }
 119         if (conn->verify_md5_cert && conn->verify_sha1_cert) {
 120                 crypto_hash_update(conn->verify_md5_cert, buf, len);
 121                 crypto_hash_update(conn->verify_sha1_cert, buf, len);
 122         }
 123 }
 124
 125
 126 static u8 * tls_send_alert(struct tlsv1_client *conn,
 127                            u8 level, u8 description,
 128                            size_t *out_len)
 129 {
 130         u8 *alert, *pos, *length;
 131
 132         wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
 133         *out_len = 0;
 134
 135         alert = os_malloc(10);
 136         if (alert == NULL)
 137                 return NULL;
 138
 139         pos = alert;
 140
 141         /* TLSPlaintext */
 142         /* ContentType type */
 143         *pos++ = TLS_CONTENT_TYPE_ALERT;
 144         /* ProtocolVersion version */
 145         WPA_PUT_BE16(pos, TLS_VERSION);
 146         pos += 2;
 147         /* uint16 length (to be filled) */
 148         length = pos;
 149         pos += 2;
 150         /* opaque fragment[TLSPlaintext.length] */
 151
 152         /* Alert */
 153         /* AlertLevel level */
 154         *pos++ = level;
 155         /* AlertDescription description */
 156         *pos++ = description;
 157
 158         WPA_PUT_BE16(length, pos - length - 2);
 159         *out_len = pos - alert;
 160
 161         return alert;
 162 }
 163
 164
 165 static u8 * tls_send_client_hello(struct tlsv1_client *conn,
 166                                   size_t *out_len)
 167 {
 168         u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
 169         struct os_time now;
 170         size_t len, i;
 171
 172         wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello");
 173         *out_len = 0;
 174
 175         os_get_time(&now);
 176         WPA_PUT_BE32(conn->client_random, now.sec);
 177         if (os_get_random(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
 178                 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
 179                            "client_random");
 180                 return NULL;
 181         }
 182         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 183                     conn->client_random, TLS_RANDOM_LEN);
 184
 185         len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
 186         hello = os_malloc(len);
 187         if (hello == NULL)
 188                 return NULL;
 189         end = hello + len;
 190
 191         rhdr = hello;
 192         pos = rhdr + TLS_RECORD_HEADER_LEN;
 193
 194         /* opaque fragment[TLSPlaintext.length] */
 195
 196         /* Handshake */
 197         hs_start = pos;
 198         /* HandshakeType msg_type */
 199         *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
 200         /* uint24 length (to be filled) */
 201         hs_length = pos;
 202         pos += 3;
 203         /* body - ClientHello */
 204         /* ProtocolVersion client_version */
 205         WPA_PUT_BE16(pos, TLS_VERSION);
 206         pos += 2;
 207         /* Random random: uint32 gmt_unix_time, opaque random_bytes */
 208         os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
 209         pos += TLS_RANDOM_LEN;
 210         /* SessionID session_id */
 211         *pos++ = conn->session_id_len;
 212         os_memcpy(pos, conn->session_id, conn->session_id_len);
 213         pos += conn->session_id_len;
 214         /* CipherSuite cipher_suites<2..2^16-1> */
 215         WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
 216         pos += 2;
 217         for (i = 0; i < conn->num_cipher_suites; i++) {
 218                 WPA_PUT_BE16(pos, conn->cipher_suites[i]);
 219                 pos += 2;
 220         }
 221         /* CompressionMethod compression_methods<1..2^8-1> */
 222         *pos++ = 1;
 223         *pos++ = TLS_COMPRESSION_NULL;
 224
 225         if (conn->client_hello_ext) {
 226                 os_memcpy(pos, conn->client_hello_ext,
 227                           conn->client_hello_ext_len);
 228                 pos += conn->client_hello_ext_len;
 229         }
 230
 231         WPA_PUT_BE24(hs_length, pos - hs_length - 3);
 232         tls_verify_hash_add(conn, hs_start, pos - hs_start);
 233
 234         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
 235                               rhdr, end - rhdr, pos - hs_start, out_len) < 0) {
 236                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
 237                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 238                           TLS_ALERT_INTERNAL_ERROR);
 239                 os_free(hello);
 240                 return NULL;
 241         }
 242
 243         conn->state = SERVER_HELLO;
 244
 245         return hello;
 246 }
 247
 248
 249 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
 250                                     const u8 *in_data, size_t *in_len)
 251 {
 252         const u8 *pos, *end;
 253         size_t left, len, i;
 254         u16 cipher_suite;
 255
 256         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 257                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 258                            "received content type 0x%x", ct);
 259                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 260                           TLS_ALERT_UNEXPECTED_MESSAGE);
 261                 return -1;
 262         }
 263
 264         pos = in_data;
 265         left = *in_len;
 266
 267         if (left < 4)
 268                 goto decode_error;
 269
 270         /* HandshakeType msg_type */
 271         if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
 272                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 273                            "message %d (expected ServerHello)", *pos);
 274                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 275                           TLS_ALERT_UNEXPECTED_MESSAGE);
 276                 return -1;
 277         }
 278         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
 279         pos++;
 280         /* uint24 length */
 281         len = WPA_GET_BE24(pos);
 282         pos += 3;
 283         left -= 4;
 284
 285         if (len > left)
 286                 goto decode_error;
 287
 288         /* body - ServerHello */
 289
 290         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
 291         end = pos + len;
 292
 293         /* ProtocolVersion server_version */
 294         if (end - pos < 2)
 295                 goto decode_error;
 296         if (WPA_GET_BE16(pos) != TLS_VERSION) {
 297                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
 298                            "ServerHello");
 299                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 300                           TLS_ALERT_PROTOCOL_VERSION);
 301                 return -1;
 302         }
 303         pos += 2;
 304
 305         /* Random random */
 306         if (end - pos < TLS_RANDOM_LEN)
 307                 goto decode_error;
 308
 309         os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
 310         pos += TLS_RANDOM_LEN;
 311         wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
 312                     conn->server_random, TLS_RANDOM_LEN);
 313
 314         /* SessionID session_id */
 315         if (end - pos < 1)
 316                 goto decode_error;
 317         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 318                 goto decode_error;
 319         if (conn->session_id_len && conn->session_id_len == *pos &&
 320             os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
 321                 pos += 1 + conn->session_id_len;
 322                 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
 323                 conn->session_resumed = 1;
 324         } else {
 325                 conn->session_id_len = *pos;
 326                 pos++;
 327                 os_memcpy(conn->session_id, pos, conn->session_id_len);
 328                 pos += conn->session_id_len;
 329         }
 330         wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
 331                     conn->session_id, conn->session_id_len);
 332
 333         /* CipherSuite cipher_suite */
 334         if (end - pos < 2)
 335                 goto decode_error;
 336         cipher_suite = WPA_GET_BE16(pos);
 337         pos += 2;
 338         for (i = 0; i < conn->num_cipher_suites; i++) {
 339                 if (cipher_suite == conn->cipher_suites[i])
 340                         break;
 341         }
 342         if (i == conn->num_cipher_suites) {
 343                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 344                            "cipher suite 0x%04x", cipher_suite);
 345                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 346                           TLS_ALERT_ILLEGAL_PARAMETER);
 347                 return -1;
 348         }
 349
 350         if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
 351                 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
 352                            "cipher suite for a resumed connection (0x%04x != "
 353                            "0x%04x)", cipher_suite, conn->prev_cipher_suite);
 354                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 355                           TLS_ALERT_ILLEGAL_PARAMETER);
 356                 return -1;
 357         }
 358
 359         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 360                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 361                            "record layer");
 362                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 363                           TLS_ALERT_INTERNAL_ERROR);
 364                 return -1;
 365         }
 366
 367         conn->prev_cipher_suite = cipher_suite;
 368
 369         if (conn->session_resumed || conn->ticket_key)
 370                 tls_derive_keys(conn, NULL, 0);
 371
 372         /* CompressionMethod compression_method */
 373         if (end - pos < 1)
 374                 goto decode_error;
 375         if (*pos != TLS_COMPRESSION_NULL) {
 376                 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
 377                            "compression 0x%02x", *pos);
 378                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 379                           TLS_ALERT_ILLEGAL_PARAMETER);
 380                 return -1;
 381         }
 382         pos++;
 383
 384         if (end != pos) {
 385                 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
 386                             "end of ServerHello", pos, end - pos);
 387                 goto decode_error;
 388         }
 389
 390         *in_len = end - in_data;
 391
 392         conn->state = (conn->session_resumed || conn->ticket) ?
 393                 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
 394
 395         return 0;
 396
 397 decode_error:
 398         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
 399         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 400         return -1;
 401 }
 402
 403
 404 static int tls_server_key_exchange_allowed(struct tlsv1_client *conn)
 405 {
 406         const struct tls_cipher_suite *suite;
 407
 408         /* RFC 2246, Section 7.4.3 */
 409         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 410         if (suite == NULL)
 411                 return 0;
 412
 413         switch (suite->key_exchange) {
 414         case TLS_KEY_X_DHE_DSS:
 415         case TLS_KEY_X_DHE_DSS_EXPORT:
 416         case TLS_KEY_X_DHE_RSA:
 417         case TLS_KEY_X_DHE_RSA_EXPORT:
 418         case TLS_KEY_X_DH_anon_EXPORT:
 419         case TLS_KEY_X_DH_anon:
 420                 return 1;
 421         case TLS_KEY_X_RSA_EXPORT:
 422                 return 1 /* FIX: public key len > 512 bits */;
 423         default:
 424                 return 0;
 425         }
 426 }
 427
 428
 429 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 430                                    const u8 *in_data, size_t *in_len)
 431 {
 432         const u8 *pos, *end;
 433         size_t left, len, list_len, cert_len, idx;
 434         u8 type;
 435         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 436         int reason;
 437
 438         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 439                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 440                            "received content type 0x%x", ct);
 441                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 442                           TLS_ALERT_UNEXPECTED_MESSAGE);
 443                 return -1;
 444         }
 445
 446         pos = in_data;
 447         left = *in_len;
 448
 449         if (left < 4) {
 450                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 451                            "(len=%lu)", (unsigned long) left);
 452                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 453                 return -1;
 454         }
 455
 456         type = *pos++;
 457         len = WPA_GET_BE24(pos);
 458         pos += 3;
 459         left -= 4;
 460
 461         if (len > left) {
 462                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 463                            "length (len=%lu != left=%lu)",
 464                            (unsigned long) len, (unsigned long) left);
 465                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 466                 return -1;
 467         }
 468
 469         if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
 470                 return tls_process_server_key_exchange(conn, ct, in_data,
 471                                                        in_len);
 472         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 473                 return tls_process_certificate_request(conn, ct, in_data,
 474                                                        in_len);
 475         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 476                 return tls_process_server_hello_done(conn, ct, in_data,
 477                                                      in_len);
 478         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 479                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 480                            "message %d (expected Certificate/"
 481                            "ServerKeyExchange/CertificateRequest/"
 482                            "ServerHelloDone)", type);
 483                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 484                           TLS_ALERT_UNEXPECTED_MESSAGE);
 485                 return -1;
 486         }
 487
 488         wpa_printf(MSG_DEBUG,
 489                    "TLSv1: Received Certificate (certificate_list len %lu)",
 490                    (unsigned long) len);
 491
 492         /*
 493          * opaque ASN.1Cert<2^24-1>;
 494          *
 495          * struct {
 496          *     ASN.1Cert certificate_list<1..2^24-1>;
 497          * } Certificate;
 498          */
 499
 500         end = pos + len;
 501
 502         if (end - pos < 3) {
 503                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 504                            "(left=%lu)", (unsigned long) left);
 505                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 506                 return -1;
 507         }
 508
 509         list_len = WPA_GET_BE24(pos);
 510         pos += 3;
 511
 512         if ((size_t) (end - pos) != list_len) {
 513                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 514                            "length (len=%lu left=%lu)",
 515                            (unsigned long) list_len,
 516                            (unsigned long) (end - pos));
 517                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 518                 return -1;
 519         }
 520
 521         idx = 0;
 522         while (pos < end) {
 523                 if (end - pos < 3) {
 524                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 525                                    "certificate_list");
 526                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 527                                   TLS_ALERT_DECODE_ERROR);
 528                         x509_certificate_chain_free(chain);
 529                         return -1;
 530                 }
 531
 532                 cert_len = WPA_GET_BE24(pos);
 533                 pos += 3;
 534
 535                 if ((size_t) (end - pos) < cert_len) {
 536                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 537                                    "length (len=%lu left=%lu)",
 538                                    (unsigned long) cert_len,
 539                                    (unsigned long) (end - pos));
 540                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 541                                   TLS_ALERT_DECODE_ERROR);
 542                         x509_certificate_chain_free(chain);
 543                         return -1;
 544                 }
 545
 546                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 547                            (unsigned long) idx, (unsigned long) cert_len);
 548
 549                 if (idx == 0) {
 550                         crypto_public_key_free(conn->server_rsa_key);
 551                         if (tls_parse_cert(pos, cert_len,
 552                                            &conn->server_rsa_key)) {
 553                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 554                                            "the certificate");
 555                                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 556                                           TLS_ALERT_BAD_CERTIFICATE);
 557                                 x509_certificate_chain_free(chain);
 558                                 return -1;
 559                         }
 560                 }
 561
 562                 cert = x509_certificate_parse(pos, cert_len);
 563                 if (cert == NULL) {
 564                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 565                                    "the certificate");
 566                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 567                                   TLS_ALERT_BAD_CERTIFICATE);
 568                         x509_certificate_chain_free(chain);
 569                         return -1;
 570                 }
 571
 572                 if (last == NULL)
 573                         chain = cert;
 574                 else
 575                         last->next = cert;
 576                 last = cert;
 577
 578                 idx++;
 579                 pos += cert_len;
 580         }
 581
 582         if (x509_certificate_chain_validate(conn->trusted_certs, chain,
 583                                             &reason) < 0) {
 584                 int tls_reason;
 585                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 586                            "validation failed (reason=%d)", reason);
 587                 switch (reason) {
 588                 case X509_VALIDATE_BAD_CERTIFICATE:
 589                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 590                         break;
 591                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 592                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 593                         break;
 594                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 595                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 596                         break;
 597                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 598                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 599                         break;
 600                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 601                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 602                         break;
 603                 case X509_VALIDATE_UNKNOWN_CA:
 604                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 605                         break;
 606                 default:
 607                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 608                         break;
 609                 }
 610                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 611                 x509_certificate_chain_free(chain);
 612                 return -1;
 613         }
 614
 615         x509_certificate_chain_free(chain);
 616
 617         *in_len = end - in_data;
 618
 619         conn->state = SERVER_KEY_EXCHANGE;
 620
 621         return 0;
 622 }
 623
 624
 625 static void tlsv1_client_free_dh(struct tlsv1_client *conn)
 626 {
 627         os_free(conn->dh_p);
 628         os_free(conn->dh_g);
 629         os_free(conn->dh_ys);
 630         conn->dh_p = conn->dh_g = conn->dh_ys = NULL;
 631 }
 632
 633
 634 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 635                                         const u8 *buf, size_t len)
 636 {
 637         const u8 *pos, *end;
 638
 639         tlsv1_client_free_dh(conn);
 640
 641         pos = buf;
 642         end = buf + len;
 643
 644         if (end - pos < 3)
 645                 goto fail;
 646         conn->dh_p_len = WPA_GET_BE16(pos);
 647         pos += 2;
 648         if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len)
 649                 goto fail;
 650         conn->dh_p = os_malloc(conn->dh_p_len);
 651         if (conn->dh_p == NULL)
 652                 goto fail;
 653         os_memcpy(conn->dh_p, pos, conn->dh_p_len);
 654         pos += conn->dh_p_len;
 655         wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
 656                     conn->dh_p, conn->dh_p_len);
 657
 658         if (end - pos < 3)
 659                 goto fail;
 660         conn->dh_g_len = WPA_GET_BE16(pos);
 661         pos += 2;
 662         if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
 663                 goto fail;
 664         conn->dh_g = os_malloc(conn->dh_g_len);
 665         if (conn->dh_g == NULL)
 666                 goto fail;
 667         os_memcpy(conn->dh_g, pos, conn->dh_g_len);
 668         pos += conn->dh_g_len;
 669         wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
 670                     conn->dh_g, conn->dh_g_len);
 671         if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
 672                 goto fail;
 673
 674         if (end - pos < 3)
 675                 goto fail;
 676         conn->dh_ys_len = WPA_GET_BE16(pos);
 677         pos += 2;
 678         if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
 679                 goto fail;
 680         conn->dh_ys = os_malloc(conn->dh_ys_len);
 681         if (conn->dh_ys == NULL)
 682                 goto fail;
 683         os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
 684         pos += conn->dh_ys_len;
 685         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
 686                     conn->dh_ys, conn->dh_ys_len);
 687
 688         return 0;
 689
 690 fail:
 691         tlsv1_client_free_dh(conn);
 692         return -1;
 693 }
 694
 695
 696 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
 697                                            const u8 *in_data, size_t *in_len)
 698 {
 699         const u8 *pos, *end;
 700         size_t left, len;
 701         u8 type;
 702         const struct tls_cipher_suite *suite;
 703
 704         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 705                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 706                            "received content type 0x%x", ct);
 707                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 708                           TLS_ALERT_UNEXPECTED_MESSAGE);
 709                 return -1;
 710         }
 711
 712         pos = in_data;
 713         left = *in_len;
 714
 715         if (left < 4) {
 716                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
 717                            "(Left=%lu)", (unsigned long) left);
 718                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 719                 return -1;
 720         }
 721
 722         type = *pos++;
 723         len = WPA_GET_BE24(pos);
 724         pos += 3;
 725         left -= 4;
 726
 727         if (len > left) {
 728                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
 729                            "length (len=%lu != left=%lu)",
 730                            (unsigned long) len, (unsigned long) left);
 731                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 732                 return -1;
 733         }
 734
 735         end = pos + len;
 736
 737         if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
 738                 return tls_process_certificate_request(conn, ct, in_data,
 739                                                        in_len);
 740         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 741                 return tls_process_server_hello_done(conn, ct, in_data,
 742                                                      in_len);
 743         if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
 744                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 745                            "message %d (expected ServerKeyExchange/"
 746                            "CertificateRequest/ServerHelloDone)", type);
 747                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 748                           TLS_ALERT_UNEXPECTED_MESSAGE);
 749                 return -1;
 750         }
 751
 752         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
 753
 754         if (!tls_server_key_exchange_allowed(conn)) {
 755                 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
 756                            "with the selected cipher suite");
 757                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 758                           TLS_ALERT_UNEXPECTED_MESSAGE);
 759                 return -1;
 760         }
 761
 762         wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
 763         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 764         if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
 765                 if (tlsv1_process_diffie_hellman(conn, pos, len) < 0) {
 766                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 767                                   TLS_ALERT_DECODE_ERROR);
 768                         return -1;
 769                 }
 770         } else {
 771                 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
 772                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 773                           TLS_ALERT_UNEXPECTED_MESSAGE);
 774                 return -1;
 775         }
 776
 777         *in_len = end - in_data;
 778
 779         conn->state = SERVER_CERTIFICATE_REQUEST;
 780
 781         return 0;
 782 }
 783
 784
 785 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
 786                                            const u8 *in_data, size_t *in_len)
 787 {
 788         const u8 *pos, *end;
 789         size_t left, len;
 790         u8 type;
 791
 792         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 793                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 794                            "received content type 0x%x", ct);
 795                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 796                           TLS_ALERT_UNEXPECTED_MESSAGE);
 797                 return -1;
 798         }
 799
 800         pos = in_data;
 801         left = *in_len;
 802
 803         if (left < 4) {
 804                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
 805                            "(left=%lu)", (unsigned long) left);
 806                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 807                 return -1;
 808         }
 809
 810         type = *pos++;
 811         len = WPA_GET_BE24(pos);
 812         pos += 3;
 813         left -= 4;
 814
 815         if (len > left) {
 816                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
 817                            "length (len=%lu != left=%lu)",
 818                            (unsigned long) len, (unsigned long) left);
 819                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 820                 return -1;
 821         }
 822
 823         end = pos + len;
 824
 825         if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
 826                 return tls_process_server_hello_done(conn, ct, in_data,
 827                                                      in_len);
 828         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
 829                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 830                            "message %d (expected CertificateRequest/"
 831                            "ServerHelloDone)", type);
 832                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 833                           TLS_ALERT_UNEXPECTED_MESSAGE);
 834                 return -1;
 835         }
 836
 837         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
 838
 839         conn->certificate_requested = 1;
 840
 841         *in_len = end - in_data;
 842
 843         conn->state = SERVER_HELLO_DONE;
 844
 845         return 0;
 846 }
 847
 848
 849 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
 850                                          const u8 *in_data, size_t *in_len)
 851 {
 852         const u8 *pos, *end;
 853         size_t left, len;
 854         u8 type;
 855
 856         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 857                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 858                            "received content type 0x%x", ct);
 859                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 860                           TLS_ALERT_UNEXPECTED_MESSAGE);
 861                 return -1;
 862         }
 863
 864         pos = in_data;
 865         left = *in_len;
 866
 867         if (left < 4) {
 868                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
 869                            "(left=%lu)", (unsigned long) left);
 870                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 871                 return -1;
 872         }
 873
 874         type = *pos++;
 875         len = WPA_GET_BE24(pos);
 876         pos += 3;
 877         left -= 4;
 878
 879         if (len > left) {
 880                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
 881                            "length (len=%lu != left=%lu)",
 882                            (unsigned long) len, (unsigned long) left);
 883                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 884                 return -1;
 885         }
 886         end = pos + len;
 887
 888         if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
 889                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 890                            "message %d (expected ServerHelloDone)", type);
 891                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 892                           TLS_ALERT_UNEXPECTED_MESSAGE);
 893                 return -1;
 894         }
 895
 896         wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
 897
 898         *in_len = end - in_data;
 899
 900         conn->state = CLIENT_KEY_EXCHANGE;
 901
 902         return 0;
 903 }
 904
 905
 906 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
 907                                                  u8 ct, const u8 *in_data,
 908                                                  size_t *in_len)
 909 {
 910         const u8 *pos;
 911         size_t left;
 912
 913         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 914                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 915                            "received content type 0x%x", ct);
 916                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 917                           TLS_ALERT_UNEXPECTED_MESSAGE);
 918                 return -1;
 919         }
 920
 921         pos = in_data;
 922         left = *in_len;
 923
 924         if (left < 1) {
 925                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 926                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
 927                 return -1;
 928         }
 929
 930         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 931                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 932                            "received data 0x%x", *pos);
 933                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 934                           TLS_ALERT_UNEXPECTED_MESSAGE);
 935                 return -1;
 936         }
 937
 938         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 939         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 940                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 941                            "for record layer");
 942                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 943                           TLS_ALERT_INTERNAL_ERROR);
 944                 return -1;
 945         }
 946
 947         *in_len = pos + 1 - in_data;
 948
 949         conn->state = SERVER_FINISHED;
 950
 951         return 0;
 952 }
 953
 954
 955 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
 956                                        const u8 *in_data, size_t *in_len)
 957 {
 958         const u8 *pos, *end;
 959         size_t left, len, hlen;
 960         u8 verify_data[TLS_VERIFY_DATA_LEN];
 961         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 962
 963         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 964                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 965                            "received content type 0x%x", ct);
 966                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 967                           TLS_ALERT_UNEXPECTED_MESSAGE);
 968                 return -1;
 969         }
 970
 971         pos = in_data;
 972         left = *in_len;
 973
 974         if (left < 4) {
 975                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 976                            "Finished",
 977                            (unsigned long) left);
 978                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 979                           TLS_ALERT_DECODE_ERROR);
 980                 return -1;
 981         }
 982
 983         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 984                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 985                            "type 0x%x", pos[0]);
 986                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 987                           TLS_ALERT_UNEXPECTED_MESSAGE);
 988                 return -1;
 989         }
 990
 991         len = WPA_GET_BE24(pos + 1);
 992
 993         pos += 4;
 994         left -= 4;
 995
 996         if (len > left) {
 997                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
 998                            "(len=%lu > left=%lu)",
 999                            (unsigned long) len, (unsigned long) left);
1000                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1001                           TLS_ALERT_DECODE_ERROR);
1002                 return -1;
1003         }
1004         end = pos + len;
1005         if (len != TLS_VERIFY_DATA_LEN) {
1006                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1007                            "in Finished: %lu (expected %d)",
1008                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1009                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1010                           TLS_ALERT_DECODE_ERROR);
1011                 return -1;
1012         }
1013         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1014                     pos, TLS_VERIFY_DATA_LEN);
1015
1016         hlen = MD5_MAC_LEN;
1017         if (conn->verify_md5_server == NULL ||
1018             crypto_hash_finish(conn->verify_md5_server, hash, &hlen) < 0) {
1019                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1020                           TLS_ALERT_INTERNAL_ERROR);
1021                 conn->verify_md5_server = NULL;
1022                 crypto_hash_finish(conn->verify_sha1_server, NULL, NULL);
1023                 conn->verify_sha1_server = NULL;
1024                 return -1;
1025         }
1026         conn->verify_md5_server = NULL;
1027         hlen = SHA1_MAC_LEN;
1028         if (conn->verify_sha1_server == NULL ||
1029             crypto_hash_finish(conn->verify_sha1_server, hash + MD5_MAC_LEN,
1030                                &hlen) < 0) {
1031                 conn->verify_sha1_server = NULL;
1032                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033                           TLS_ALERT_INTERNAL_ERROR);
1034                 return -1;
1035         }
1036         conn->verify_sha1_server = NULL;
1037
1038         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1039                     "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1040                     verify_data, TLS_VERIFY_DATA_LEN)) {
1041                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1042                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1043                           TLS_ALERT_DECRYPT_ERROR);
1044                 return -1;
1045         }
1046         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
1047                         verify_data, TLS_VERIFY_DATA_LEN);
1048
1049         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1050                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1051                 return -1;
1052         }
1053
1054         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1055
1056         *in_len = end - in_data;
1057
1058         conn->state = (conn->session_resumed || conn->ticket) ?
1059                 CHANGE_CIPHER_SPEC : ACK_FINISHED;
1060
1061         return 0;
1062 }
1063
1064
1065 static int tls_derive_pre_master_secret(u8 *pre_master_secret)
1066 {
1067         WPA_PUT_BE16(pre_master_secret, TLS_VERSION);
1068         if (os_get_random(pre_master_secret + 2,
1069                           TLS_PRE_MASTER_SECRET_LEN - 2))
1070                 return -1;
1071         return 0;
1072 }
1073
1074
1075 static int tls_derive_keys(struct tlsv1_client *conn,
1076                            const u8 *pre_master_secret,
1077                            size_t pre_master_secret_len)
1078 {
1079         u8 seed[2 * TLS_RANDOM_LEN];
1080         u8 key_block[TLS_MAX_KEY_BLOCK_LEN];
1081         u8 *pos;
1082         size_t key_block_len;
1083
1084         if (pre_master_secret) {
1085                 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret",
1086                                 pre_master_secret, pre_master_secret_len);
1087                 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
1088                 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
1089                           TLS_RANDOM_LEN);
1090                 if (tls_prf(pre_master_secret, pre_master_secret_len,
1091                             "master secret", seed, 2 * TLS_RANDOM_LEN,
1092                             conn->master_secret, TLS_MASTER_SECRET_LEN)) {
1093                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
1094                                    "master_secret");
1095                         return -1;
1096                 }
1097                 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret",
1098                                 conn->master_secret, TLS_MASTER_SECRET_LEN);
1099         }
1100
1101         os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
1102         os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
1103         key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
1104                              conn->rl.iv_size);
1105         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1106                     "key expansion", seed, 2 * TLS_RANDOM_LEN,
1107                     key_block, key_block_len)) {
1108                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
1109                 return -1;
1110         }
1111         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block",
1112                         key_block, key_block_len);
1113
1114         pos = key_block;
1115
1116         /* client_write_MAC_secret */
1117         os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size);
1118         pos += conn->rl.hash_size;
1119         /* server_write_MAC_secret */
1120         os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size);
1121         pos += conn->rl.hash_size;
1122
1123         /* client_write_key */
1124         os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len);
1125         pos += conn->rl.key_material_len;
1126         /* server_write_key */
1127         os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len);
1128         pos += conn->rl.key_material_len;
1129
1130         /* client_write_IV */
1131         os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size);
1132         pos += conn->rl.iv_size;
1133         /* server_write_IV */
1134         os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size);
1135         pos += conn->rl.iv_size;
1136
1137         return 0;
1138 }
1139
1140
1141 static int tls_write_client_certificate(struct tlsv1_client *conn,
1142                                         u8 **msgpos, u8 *end)
1143 {
1144         u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
1145         size_t rlen;
1146         struct x509_certificate *cert;
1147
1148         pos = *msgpos;
1149
1150         wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
1151         rhdr = pos;
1152         pos += TLS_RECORD_HEADER_LEN;
1153
1154         /* opaque fragment[TLSPlaintext.length] */
1155
1156         /* Handshake */
1157         hs_start = pos;
1158         /* HandshakeType msg_type */
1159         *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
1160         /* uint24 length (to be filled) */
1161         hs_length = pos;
1162         pos += 3;
1163         /* body - Certificate */
1164         /* uint24 length (to be filled) */
1165         cert_start = pos;
1166         pos += 3;
1167         cert = conn->client_cert;
1168         while (cert) {
1169                 if (pos + 3 + cert->cert_len > end) {
1170                         wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
1171                                    "for Certificate (cert_len=%lu left=%lu)",
1172                                    (unsigned long) cert->cert_len,
1173                                    (unsigned long) (end - pos));
1174                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1175                                   TLS_ALERT_INTERNAL_ERROR);
1176                         return -1;
1177                 }
1178                 WPA_PUT_BE24(pos, cert->cert_len);
1179                 pos += 3;
1180                 os_memcpy(pos, cert->cert_start, cert->cert_len);
1181                 pos += cert->cert_len;
1182
1183                 if (x509_certificate_self_signed(cert))
1184                         break;
1185                 cert = x509_certificate_get_subject(conn->trusted_certs,
1186                                                     &cert->issuer);
1187         }
1188         if (cert == conn->client_cert || cert == NULL) {
1189                 /*
1190                  * Client was not configured with all the needed certificates
1191                  * to form a full certificate chain. The server may fail to
1192                  * validate the chain unless it is configured with all the
1193                  * missing CA certificates.
1194                  */
1195                 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
1196                            "not configured - validation may fail");
1197         }
1198         WPA_PUT_BE24(cert_start, pos - cert_start - 3);
1199
1200         WPA_PUT_BE24(hs_length, pos - hs_length - 3);
1201
1202         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
1203                               rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
1204                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
1205                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1206                           TLS_ALERT_INTERNAL_ERROR);
1207                 return -1;
1208         }
1209         pos = rhdr + rlen;
1210
1211         tls_verify_hash_add(conn, hs_start, pos - hs_start);
1212
1213         *msgpos = pos;
1214
1215         return 0;
1216 }
1217
1218
1219 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
1220 {
1221 #ifdef EAP_FAST
1222         /* ClientDiffieHellmanPublic */
1223         u8 *csecret, *csecret_start, *dh_yc, *shared;
1224         size_t csecret_len, dh_yc_len, shared_len;
1225
1226         csecret_len = conn->dh_p_len;
1227         csecret = os_malloc(csecret_len);
1228         if (csecret == NULL) {
1229                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
1230                            "memory for Yc (Diffie-Hellman)");
1231                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1232                           TLS_ALERT_INTERNAL_ERROR);
1233                 return -1;
1234         }
1235         if (os_get_random(csecret, csecret_len)) {
1236                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
1237                            "data for Diffie-Hellman");
1238                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1239                           TLS_ALERT_INTERNAL_ERROR);
1240                 os_free(csecret);
1241                 return -1;
1242         }
1243
1244         if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
1245                 csecret[0] = 0; /* make sure Yc < p */
1246
1247         csecret_start = csecret;
1248         while (csecret_len > 1 && *csecret_start == 0) {
1249                 csecret_start++;
1250                 csecret_len--;
1251         }
1252         wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
1253                         csecret_start, csecret_len);
1254
1255         /* Yc = g^csecret mod p */
1256         dh_yc_len = conn->dh_p_len;
1257         dh_yc = os_malloc(dh_yc_len);
1258         if (dh_yc == NULL) {
1259                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
1260                            "memory for Diffie-Hellman");
1261                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1262                           TLS_ALERT_INTERNAL_ERROR);
1263                 os_free(csecret);
1264                 return -1;
1265         }
1266         crypto_mod_exp(conn->dh_g, conn->dh_g_len,
1267                        csecret_start, csecret_len,
1268                        conn->dh_p, conn->dh_p_len,
1269                        dh_yc, &dh_yc_len);
1270
1271         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
1272                     dh_yc, dh_yc_len);
1273
1274         WPA_PUT_BE16(*pos, dh_yc_len);
1275         *pos += 2;
1276         if (*pos + dh_yc_len > end) {
1277                 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
1278                            "message buffer for Yc");
1279                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1280                           TLS_ALERT_INTERNAL_ERROR);
1281                 os_free(csecret);
1282                 os_free(dh_yc);
1283                 return -1;
1284         }
1285         os_memcpy(*pos, dh_yc, dh_yc_len);
1286         *pos += dh_yc_len;
1287         os_free(dh_yc);
1288
1289         shared_len = conn->dh_p_len;
1290         shared = os_malloc(shared_len);
1291         if (shared == NULL) {
1292                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
1293                            "DH");
1294                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1295                           TLS_ALERT_INTERNAL_ERROR);
1296                 os_free(csecret);
1297                 return -1;
1298         }
1299
1300         /* shared = Ys^csecret mod p */
1301         crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
1302                        csecret_start, csecret_len,
1303                        conn->dh_p, conn->dh_p_len,
1304                        shared, &shared_len);
1305         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
1306                         shared, shared_len);
1307
1308         os_memset(csecret_start, 0, csecret_len);
1309         os_free(csecret);
1310         if (tls_derive_keys(conn, shared, shared_len)) {
1311                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
1312                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1313                           TLS_ALERT_INTERNAL_ERROR);
1314                 os_free(shared);
1315                 return -1;
1316         }
1317         os_memset(shared, 0, shared_len);
1318         os_free(shared);
1319         tlsv1_client_free_dh(conn);
1320         return 0;
1321 #else /* EAP_FAST */
1322         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR);
1323         return -1;
1324 #endif /* EAP_FAST */
1325 }
1326
1327
1328 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
1329 {
1330         u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
1331         size_t clen;
1332         int res;
1333
1334         if (tls_derive_pre_master_secret(pre_master_secret) < 0 ||
1335             tls_derive_keys(conn, pre_master_secret,
1336                             TLS_PRE_MASTER_SECRET_LEN)) {
1337                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
1338                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1339                           TLS_ALERT_INTERNAL_ERROR);
1340                 return -1;
1341         }
1342
1343         /* EncryptedPreMasterSecret */
1344         if (conn->server_rsa_key == NULL) {
1345                 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
1346                            "use for encrypting pre-master secret");
1347                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1348                           TLS_ALERT_INTERNAL_ERROR);
1349                 return -1;
1350         }
1351
1352         /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
1353         *pos += 2;
1354         clen = end - *pos;
1355         res = crypto_public_key_encrypt_pkcs1_v15(
1356                 conn->server_rsa_key,
1357                 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
1358                 *pos, &clen);
1359         os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
1360         if (res < 0) {
1361                 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
1362                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1363                           TLS_ALERT_INTERNAL_ERROR);
1364                 return -1;
1365         }
1366         WPA_PUT_BE16(*pos - 2, clen);
1367         wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
1368                     *pos, clen);
1369         *pos += clen;
1370
1371         return 0;
1372 }
1373
1374
1375 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
1376                                          u8 **msgpos, u8 *end)
1377 {
1378         u8 *pos, *rhdr, *hs_start, *hs_length;
1379         size_t rlen;
1380         tls_key_exchange keyx;
1381         const struct tls_cipher_suite *suite;
1382
1383         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
1384         if (suite == NULL)
1385                 keyx = TLS_KEY_X_NULL;
1386         else
1387                 keyx = suite->key_exchange;
1388
1389         pos = *msgpos;
1390
1391         wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
1392
1393         rhdr = pos;
1394         pos += TLS_RECORD_HEADER_LEN;
1395
1396         /* opaque fragment[TLSPlaintext.length] */
1397
1398         /* Handshake */
1399         hs_start = pos;
1400         /* HandshakeType msg_type */
1401         *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
1402         /* uint24 length (to be filled) */
1403         hs_length = pos;
1404         pos += 3;
1405         /* body - ClientKeyExchange */
1406         if (keyx == TLS_KEY_X_DH_anon) {
1407                 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0)
1408                         return -1;
1409         } else {
1410                 if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
1411                         return -1;
1412         }
1413
1414         WPA_PUT_BE24(hs_length, pos - hs_length - 3);
1415
1416         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
1417                               rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
1418                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
1419                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1420                           TLS_ALERT_INTERNAL_ERROR);
1421                 return -1;
1422         }
1423         pos = rhdr + rlen;
1424         tls_verify_hash_add(conn, hs_start, pos - hs_start);
1425
1426         *msgpos = pos;
1427
1428         return 0;
1429 }
1430
1431
1432 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
1433                                                u8 **msgpos, u8 *end)
1434 {
1435         u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
1436         size_t rlen, hlen, clen;
1437         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
1438         enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
1439
1440         pos = *msgpos;
1441
1442         wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
1443         rhdr = pos;
1444         pos += TLS_RECORD_HEADER_LEN;
1445
1446         /* Handshake */
1447         hs_start = pos;
1448         /* HandshakeType msg_type */
1449         *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
1450         /* uint24 length (to be filled) */
1451         hs_length = pos;
1452         pos += 3;
1453
1454         /*
1455          * RFC 2246: 7.4.3 and 7.4.8:
1456          * Signature signature
1457          *
1458          * RSA:
1459          * digitally-signed struct {
1460          *     opaque md5_hash[16];
1461          *     opaque sha_hash[20];
1462          * };
1463          *
1464          * DSA:
1465          * digitally-signed struct {
1466          *     opaque sha_hash[20];
1467          * };
1468          *
1469          * The hash values are calculated over all handshake messages sent or
1470          * received starting at ClientHello up to, but not including, this
1471          * CertificateVerify message, including the type and length fields of
1472          * the handshake messages.
1473          */
1474
1475         hpos = hash;
1476
1477         if (alg == SIGN_ALG_RSA) {
1478                 hlen = MD5_MAC_LEN;
1479                 if (conn->verify_md5_cert == NULL ||
1480                     crypto_hash_finish(conn->verify_md5_cert, hpos, &hlen) < 0)
1481                 {
1482                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1483                                   TLS_ALERT_INTERNAL_ERROR);
1484                         conn->verify_md5_cert = NULL;
1485                         crypto_hash_finish(conn->verify_sha1_cert, NULL, NULL);
1486                         conn->verify_sha1_cert = NULL;
1487                         return -1;
1488                 }
1489                 hpos += MD5_MAC_LEN;
1490         } else
1491                 crypto_hash_finish(conn->verify_md5_cert, NULL, NULL);
1492
1493         conn->verify_md5_cert = NULL;
1494         hlen = SHA1_MAC_LEN;
1495         if (conn->verify_sha1_cert == NULL ||
1496             crypto_hash_finish(conn->verify_sha1_cert, hpos, &hlen) < 0) {
1497                 conn->verify_sha1_cert = NULL;
1498                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1499                           TLS_ALERT_INTERNAL_ERROR);
1500                 return -1;
1501         }
1502         conn->verify_sha1_cert = NULL;
1503
1504         if (alg == SIGN_ALG_RSA)
1505                 hlen += MD5_MAC_LEN;
1506
1507         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1508
1509         /*
1510          * RFC 2246, 4.7:
1511          * In digital signing, one-way hash functions are used as input for a
1512          * signing algorithm. A digitally-signed element is encoded as an
1513          * opaque vector <0..2^16-1>, where the length is specified by the
1514          * signing algorithm and key.
1515          *
1516          * In RSA signing, a 36-byte structure of two hashes (one SHA and one
1517          * MD5) is signed (encrypted with the private key). It is encoded with
1518          * PKCS #1 block type 0 or type 1 as described in [PKCS1].
1519          */
1520         signed_start = pos; /* length to be filled */
1521         pos += 2;
1522         clen = end - pos;
1523         if (crypto_private_key_sign_pkcs1(conn->client_key, hash, hlen,
1524                                           pos, &clen) < 0) {
1525                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
1526                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1527                           TLS_ALERT_INTERNAL_ERROR);
1528                 return -1;
1529         }
1530         WPA_PUT_BE16(signed_start, clen);
1531
1532         pos += clen;
1533
1534         WPA_PUT_BE24(hs_length, pos - hs_length - 3);
1535
1536         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
1537                               rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
1538                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
1539                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1540                           TLS_ALERT_INTERNAL_ERROR);
1541                 return -1;
1542         }
1543         pos = rhdr + rlen;
1544
1545         tls_verify_hash_add(conn, hs_start, pos - hs_start);
1546
1547         *msgpos = pos;
1548
1549         return 0;
1550 }
1551
1552
1553 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
1554                                                u8 **msgpos, u8 *end)
1555 {
1556         u8 *pos, *rhdr;
1557         size_t rlen;
1558
1559         pos = *msgpos;
1560
1561         wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
1562         rhdr = pos;
1563         pos += TLS_RECORD_HEADER_LEN;
1564         *pos = TLS_CHANGE_CIPHER_SPEC;
1565         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
1566                               rhdr, end - rhdr, 1, &rlen) < 0) {
1567                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
1568                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1569                           TLS_ALERT_INTERNAL_ERROR);
1570                 return -1;
1571         }
1572
1573         if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
1574                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
1575                            "record layer");
1576                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1577                           TLS_ALERT_INTERNAL_ERROR);
1578                 return -1;
1579         }
1580
1581         *msgpos = rhdr + rlen;
1582
1583         return 0;
1584 }
1585
1586
1587 static int tls_write_client_finished(struct tlsv1_client *conn,
1588                                      u8 **msgpos, u8 *end)
1589 {
1590         u8 *pos, *rhdr, *hs_start, *hs_length;
1591         size_t rlen, hlen;
1592         u8 verify_data[TLS_VERIFY_DATA_LEN];
1593         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1594
1595         pos = *msgpos;
1596
1597         wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
1598
1599         /* Encrypted Handshake Message: Finished */
1600
1601         hlen = MD5_MAC_LEN;
1602         if (conn->verify_md5_client == NULL ||
1603             crypto_hash_finish(conn->verify_md5_client, hash, &hlen) < 0) {
1604                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1605                           TLS_ALERT_INTERNAL_ERROR);
1606                 conn->verify_md5_client = NULL;
1607                 crypto_hash_finish(conn->verify_sha1_client, NULL, NULL);
1608                 conn->verify_sha1_client = NULL;
1609                 return -1;
1610         }
1611         conn->verify_md5_client = NULL;
1612         hlen = SHA1_MAC_LEN;
1613         if (conn->verify_sha1_client == NULL ||
1614             crypto_hash_finish(conn->verify_sha1_client, hash + MD5_MAC_LEN,
1615                                &hlen) < 0) {
1616                 conn->verify_sha1_client = NULL;
1617                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1618                           TLS_ALERT_INTERNAL_ERROR);
1619                 return -1;
1620         }
1621         conn->verify_sha1_client = NULL;
1622
1623         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1624                     "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1625                     verify_data, TLS_VERIFY_DATA_LEN)) {
1626                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
1627                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1628                           TLS_ALERT_INTERNAL_ERROR);
1629                 return -1;
1630         }
1631         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1632                         verify_data, TLS_VERIFY_DATA_LEN);
1633
1634         rhdr = pos;
1635         pos += TLS_RECORD_HEADER_LEN;
1636         /* Handshake */
1637         hs_start = pos;
1638         /* HandshakeType msg_type */
1639         *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
1640         /* uint24 length (to be filled) */
1641         hs_length = pos;
1642         pos += 3;
1643         os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN);
1644         pos += TLS_VERIFY_DATA_LEN;
1645         WPA_PUT_BE24(hs_length, pos - hs_length - 3);
1646         tls_verify_hash_add(conn, hs_start, pos - hs_start);
1647
1648         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
1649                               rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
1650                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
1651                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1652                           TLS_ALERT_INTERNAL_ERROR);
1653                 return -1;
1654         }
1655
1656         pos = rhdr + rlen;
1657
1658         *msgpos = pos;
1659
1660         return 0;
1661 }
1662
1663
1664 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
1665 {
1666         size_t len = 0;
1667         struct x509_certificate *cert;
1668
1669         cert = conn->client_cert;
1670         while (cert) {
1671                 len += 3 + cert->cert_len;
1672                 if (x509_certificate_self_signed(cert))
1673                         break;
1674                 cert = x509_certificate_get_subject(conn->trusted_certs,
1675                                                     &cert->issuer);
1676         }
1677
1678         return len;
1679 }
1680
1681
1682 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
1683                                          size_t *out_len)
1684 {
1685         u8 *msg, *end, *pos;
1686         size_t msglen;
1687
1688         *out_len = 0;
1689
1690         msglen = 1000;
1691         if (conn->certificate_requested)
1692                 msglen += tls_client_cert_chain_der_len(conn);
1693
1694         msg = os_malloc(msglen);
1695         if (msg == NULL)
1696                 return NULL;
1697
1698         pos = msg;
1699         end = msg + msglen;
1700
1701         if (conn->certificate_requested) {
1702                 if (tls_write_client_certificate(conn, &pos, end) < 0) {
1703                         os_free(msg);
1704                         return NULL;
1705                 }
1706         }
1707
1708         if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
1709             (conn->certificate_requested && conn->client_key &&
1710              tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
1711             tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
1712             tls_write_client_finished(conn, &pos, end) < 0) {
1713                 os_free(msg);
1714                 return NULL;
1715         }
1716
1717         *out_len = pos - msg;
1718
1719         conn->state = SERVER_CHANGE_CIPHER_SPEC;
1720
1721         return msg;
1722 }
1723
1724
1725 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
1726                                         size_t *out_len)
1727 {
1728         u8 *msg, *end, *pos;
1729
1730         *out_len = 0;
1731
1732         msg = os_malloc(1000);
1733         if (msg == NULL)
1734                 return NULL;
1735
1736         pos = msg;
1737         end = msg + 1000;
1738
1739         if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
1740             tls_write_client_finished(conn, &pos, end) < 0) {
1741                 os_free(msg);
1742                 return NULL;
1743         }
1744
1745         *out_len = pos - msg;
1746
1747         wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
1748                    "successfully");
1749         conn->state = ESTABLISHED;
1750
1751         return msg;
1752 }
1753
1754
1755 static int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1756                                           const u8 *buf, size_t *len)
1757 {
1758         if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1759             buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1760                 size_t hr_len = WPA_GET_BE24(buf + 1);
1761                 if (hr_len > *len - 4) {
1762                         wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1763                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1764                                   TLS_ALERT_DECODE_ERROR);
1765                         return -1;
1766                 }
1767                 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1768                 *len = 4 + hr_len;
1769                 return 0;
1770         }
1771
1772         switch (conn->state) {
1773         case SERVER_HELLO:
1774                 if (tls_process_server_hello(conn, ct, buf, len))
1775                         return -1;
1776                 break;
1777         case SERVER_CERTIFICATE:
1778                 if (tls_process_certificate(conn, ct, buf, len))
1779                         return -1;
1780                 break;
1781         case SERVER_KEY_EXCHANGE:
1782                 if (tls_process_server_key_exchange(conn, ct, buf, len))
1783                         return -1;
1784                 break;
1785         case SERVER_CERTIFICATE_REQUEST:
1786                 if (tls_process_certificate_request(conn, ct, buf, len))
1787                         return -1;
1788                 break;
1789         case SERVER_HELLO_DONE:
1790                 if (tls_process_server_hello_done(conn, ct, buf, len))
1791                         return -1;
1792                 break;
1793         case SERVER_CHANGE_CIPHER_SPEC:
1794                 if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1795                         return -1;
1796                 break;
1797         case SERVER_FINISHED:
1798                 if (tls_process_server_finished(conn, ct, buf, len))
1799                         return -1;
1800                 break;
1801         default:
1802                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1803                            "while processing received message",
1804                            conn->state);
1805                 return -1;
1806         }
1807
1808         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1809                 tls_verify_hash_add(conn, buf, *len);
1810
1811         return 0;
1812 }
1813
1814
1815 /**
1816  * tlsv1_client_handshake - Process TLS handshake
1817  * @conn: TLSv1 client connection data from tlsv1_client_init()
1818  * @in_data: Input data from TLS peer
1819  * @in_len: Input data length
1820  * @out_len: Length of the output buffer.
1821  * Returns: Pointer to output data, %NULL on failure
1822  */
1823 u8 * tlsv1_client_handshake(struct tlsv1_client *conn,
1824                             const u8 *in_data, size_t in_len,
1825                             size_t *out_len)
1826 {
1827         const u8 *pos, *end;
1828         u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct;
1829         size_t in_msg_len;
1830
1831         if (conn->state == CLIENT_HELLO) {
1832                 if (in_len)
1833                         return NULL;
1834                 return tls_send_client_hello(conn, out_len);
1835         }
1836
1837         if (in_data == NULL || in_len == 0)
1838                 return NULL;
1839
1840         pos = in_data;
1841         end = in_data + in_len;
1842         in_msg = os_malloc(in_len);
1843         if (in_msg == NULL)
1844                 return NULL;
1845
1846         /* Each received packet may include multiple records */
1847         while (pos < end) {
1848                 in_msg_len = in_len;
1849                 if (tlsv1_record_receive(&conn->rl, pos, end - pos,
1850                                          in_msg, &in_msg_len, &alert)) {
1851                         wpa_printf(MSG_DEBUG, "TLSv1: Processing received "
1852                                    "record failed");
1853                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1854                         goto failed;
1855                 }
1856                 ct = pos[0];
1857
1858                 in_pos = in_msg;
1859                 in_end = in_msg + in_msg_len;
1860
1861                 /* Each received record may include multiple messages of the
1862                  * same ContentType. */
1863                 while (in_pos < in_end) {
1864                         in_msg_len = in_end - in_pos;
1865                         if (tlsv1_client_process_handshake(conn, ct, in_pos,
1866                                                            &in_msg_len) < 0)
1867                                 goto failed;
1868                         in_pos += in_msg_len;
1869                 }
1870
1871                 pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3);
1872         }
1873
1874         os_free(in_msg);
1875         in_msg = NULL;
1876
1877         switch (conn->state) {
1878         case CLIENT_KEY_EXCHANGE:
1879                 msg = tls_send_client_key_exchange(conn, out_len);
1880                 break;
1881         case CHANGE_CIPHER_SPEC:
1882                 msg = tls_send_change_cipher_spec(conn, out_len);
1883                 break;
1884         case ACK_FINISHED:
1885                 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
1886                            "successfully");
1887                 conn->state = ESTABLISHED;
1888                 /* Need to return something to get final TLS ACK. */
1889                 msg = os_malloc(1);
1890                 *out_len = 0;
1891                 break;
1892         default:
1893                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
1894                            "generating reply", conn->state);
1895                 break;
1896         }
1897
1898 failed:
1899         os_free(in_msg);
1900         if (conn->alert_level) {
1901                 conn->state = FAILED;
1902                 os_free(msg);
1903                 msg = tls_send_alert(conn, conn->alert_level,
1904                                      conn->alert_description, out_len);
1905         }
1906
1907         return msg;
1908 }
1909
1910
1911 /**
1912  * tlsv1_client_encrypt - Encrypt data into TLS tunnel
1913  * @conn: TLSv1 client connection data from tlsv1_client_init()
1914  * @in_data: Pointer to plaintext data to be encrypted
1915  * @in_len: Input buffer length
1916  * @out_data: Pointer to output buffer (encrypted TLS data)
1917  * @out_len: Maximum out_data length
1918  * Returns: Number of bytes written to out_data, -1 on failure
1919  *
1920  * This function is used after TLS handshake has been completed successfully to
1921  * send data in the encrypted tunnel.
1922  */
1923 int tlsv1_client_encrypt(struct tlsv1_client *conn,
1924                          const u8 *in_data, size_t in_len,
1925                          u8 *out_data, size_t out_len)
1926 {
1927         size_t rlen;
1928
1929         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData",
1930                         in_data, in_len);
1931
1932         os_memcpy(out_data + TLS_RECORD_HEADER_LEN, in_data, in_len);
1933
1934         if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA,
1935                               out_data, out_len, in_len, &rlen) < 0) {
1936                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
1937                 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1938                           TLS_ALERT_INTERNAL_ERROR);
1939                 return -1;
1940         }
1941
1942         return rlen;
1943 }
1944
1945
1946 /**
1947  * tlsv1_client_decrypt - Decrypt data from TLS tunnel
1948  * @conn: TLSv1 client connection data from tlsv1_client_init()
1949  * @in_data: Pointer to input buffer (encrypted TLS data)
1950  * @in_len: Input buffer length
1951  * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
1952  * @out_len: Maximum out_data length
1953  * Returns: Number of bytes written to out_data, -1 on failure
1954  *
1955  * This function is used after TLS handshake has been completed successfully to
1956  * receive data from the encrypted tunnel.
1957  */
1958 int tlsv1_client_decrypt(struct tlsv1_client *conn,
1959                          const u8 *in_data, size_t in_len,
1960                          u8 *out_data, size_t out_len)
1961 {
1962         const u8 *in_end, *pos;
1963         int res;
1964         u8 alert, *out_end, *out_pos;
1965         size_t olen;
1966
1967         pos = in_data;
1968         in_end = in_data + in_len;
1969         out_pos = out_data;
1970         out_end = out_data + out_len;
1971
1972         while (pos < in_end) {
1973                 if (pos[0] != TLS_CONTENT_TYPE_APPLICATION_DATA) {
1974                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type "
1975                                    "0x%x", pos[0]);
1976                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1977                                   TLS_ALERT_UNEXPECTED_MESSAGE);
1978                         return -1;
1979                 }
1980
1981                 olen = out_end - out_pos;
1982                 res = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
1983                                            out_pos, &olen, &alert);
1984                 if (res < 0) {
1985                         wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing "
1986                                    "failed");
1987                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1988                         return -1;
1989                 }
1990                 out_pos += olen;
1991                 if (out_pos > out_end) {
1992                         wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
1993                                    "for processing the received record");
1994                         tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1995                                   TLS_ALERT_INTERNAL_ERROR);
1996                         return -1;
1997                 }
1998
1999                 pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3);
2000         }
2001
2002         return out_pos - out_data;
2003 }
2004
2005
2006 /**
2007  * tlsv1_client_global_init - Initialize TLSv1 client
2008  * Returns: 0 on success, -1 on failure
2009  *
2010  * This function must be called before using any other TLSv1 client functions.
2011  */
2012 int tlsv1_client_global_init(void)
2013 {
2014         return crypto_global_init();
2015 }
2016
2017
2018 /**
2019  * tlsv1_client_global_deinit - Deinitialize TLSv1 client
2020  *
2021  * This function can be used to deinitialize the TLSv1 client that was
2022  * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions
2023  * can be called after this before calling tlsv1_client_global_init() again.
2024  */
2025 void tlsv1_client_global_deinit(void)
2026 {
2027         crypto_global_deinit();
2028 }
2029
2030
2031 static void tlsv1_client_free_verify_hashes(struct tlsv1_client *conn)
2032 {
2033         crypto_hash_finish(conn->verify_md5_client, NULL, NULL);
2034         crypto_hash_finish(conn->verify_md5_server, NULL, NULL);
2035         crypto_hash_finish(conn->verify_md5_cert, NULL, NULL);
2036         crypto_hash_finish(conn->verify_sha1_client, NULL, NULL);
2037         crypto_hash_finish(conn->verify_sha1_server, NULL, NULL);
2038         crypto_hash_finish(conn->verify_sha1_cert, NULL, NULL);
2039         conn->verify_md5_client = NULL;
2040         conn->verify_md5_server = NULL;
2041         conn->verify_md5_cert = NULL;
2042         conn->verify_sha1_client = NULL;
2043         conn->verify_sha1_server = NULL;
2044         conn->verify_sha1_cert = NULL;
2045 }
2046
2047
2048 static int tlsv1_client_init_verify_hashes(struct tlsv1_client *conn)
2049 {
2050         conn->verify_md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL,
2051                                                    0);
2052         conn->verify_md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL,
2053                                                    0);
2054         conn->verify_md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
2055         conn->verify_sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL,
2056                                                     0);
2057         conn->verify_sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL,
2058                                                     0);
2059         conn->verify_sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL,
2060                                                   0);
2061         if (conn->verify_md5_client == NULL ||
2062             conn->verify_md5_server == NULL ||
2063             conn->verify_md5_cert == NULL ||
2064             conn->verify_sha1_client == NULL ||
2065             conn->verify_sha1_server == NULL ||
2066             conn->verify_sha1_cert == NULL) {
2067                 tlsv1_client_free_verify_hashes(conn);
2068                 return -1;
2069         }
2070         return 0;
2071 }
2072
2073
2074 /**
2075  * tlsv1_client_init - Initialize TLSv1 client connection
2076  * Returns: Pointer to TLSv1 client connection data or %NULL on failure
2077  */
2078 struct tlsv1_client * tlsv1_client_init(void)
2079 {
2080         struct tlsv1_client *conn;
2081         size_t count;
2082         u16 *suites;
2083
2084         conn = os_zalloc(sizeof(*conn));
2085         if (conn == NULL)
2086                 return NULL;
2087
2088         conn->state = CLIENT_HELLO;
2089
2090         if (tlsv1_client_init_verify_hashes(conn) < 0) {
2091                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify "
2092                            "hash");
2093                 os_free(conn);
2094                 return NULL;
2095         }
2096
2097         count = 0;
2098         suites = conn->cipher_suites;
2099 #ifndef CONFIG_CRYPTO_INTERNAL
2100         suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
2101 #endif /* CONFIG_CRYPTO_INTERNAL */
2102         suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
2103         suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
2104         suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
2105         suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
2106         conn->num_cipher_suites = count;
2107
2108         return conn;
2109 }
2110
2111
2112 /**
2113  * tlsv1_client_deinit - Deinitialize TLSv1 client connection
2114  * @conn: TLSv1 client connection data from tlsv1_client_init()
2115  */
2116 void tlsv1_client_deinit(struct tlsv1_client *conn)
2117 {
2118         crypto_public_key_free(conn->server_rsa_key);
2119         tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL);
2120         tlsv1_record_change_write_cipher(&conn->rl);
2121         tlsv1_record_change_read_cipher(&conn->rl);
2122         tlsv1_client_free_verify_hashes(conn);
2123         os_free(conn->client_hello_ext);
2124         tlsv1_client_free_dh(conn);
2125         x509_certificate_chain_free(conn->trusted_certs);
2126         x509_certificate_chain_free(conn->client_cert);
2127         crypto_private_key_free(conn->client_key);
2128         os_free(conn);
2129 }
2130
2131
2132 /**
2133  * tlsv1_client_established - Check whether connection has been established
2134  * @conn: TLSv1 client connection data from tlsv1_client_init()
2135  * Returns: 1 if connection is established, 0 if not
2136  */
2137 int tlsv1_client_established(struct tlsv1_client *conn)
2138 {
2139         return conn->state == ESTABLISHED;
2140 }
2141
2142
2143 /**
2144  * tlsv1_client_prf - Use TLS-PRF to derive keying material
2145  * @conn: TLSv1 client connection data from tlsv1_client_init()
2146  * @label: Label (e.g., description of the key) for PRF
2147  * @server_random_first: seed is 0 = client_random|server_random,
2148  * 1 = server_random|client_random
2149  * @out: Buffer for output data from TLS-PRF
2150  * @out_len: Length of the output buffer
2151  * Returns: 0 on success, -1 on failure
2152  */
2153 int tlsv1_client_prf(struct tlsv1_client *conn, const char *label,
2154                      int server_random_first, u8 *out, size_t out_len)
2155 {
2156         u8 seed[2 * TLS_RANDOM_LEN];
2157
2158         if (conn->state != ESTABLISHED)
2159                 return -1;
2160
2161         if (server_random_first) {
2162                 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
2163                 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random,
2164                           TLS_RANDOM_LEN);
2165         } else {
2166                 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
2167                 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
2168                           TLS_RANDOM_LEN);
2169         }
2170
2171         return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
2172                        label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
2173 }
2174
2175
2176 /**
2177  * tlsv1_client_get_cipher - Get current cipher name
2178  * @conn: TLSv1 client connection data from tlsv1_client_init()
2179  * @buf: Buffer for the cipher name
2180  * @buflen: buf size
2181  * Returns: 0 on success, -1 on failure
2182  *
2183  * Get the name of the currently used cipher.
2184  */
2185 int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf,
2186                             size_t buflen)
2187 {
2188         char *cipher;
2189
2190         switch (conn->rl.cipher_suite) {
2191         case TLS_RSA_WITH_RC4_128_MD5:
2192                 cipher = "RC4-MD5";
2193                 break;
2194         case TLS_RSA_WITH_RC4_128_SHA:
2195                 cipher = "RC4-SHA";
2196                 break;
2197         case TLS_RSA_WITH_DES_CBC_SHA:
2198                 cipher = "DES-CBC-SHA";
2199                 break;
2200         case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
2201                 cipher = "DES-CBC3-SHA";
2202                 break;
2203         default:
2204                 return -1;
2205         }
2206
2207         os_snprintf(buf, buflen, "%s", cipher);
2208         return 0;
2209 }
2210
2211
2212 /**
2213  * tlsv1_client_shutdown - Shutdown TLS connection
2214  * @conn: TLSv1 client connection data from tlsv1_client_init()
2215  * Returns: 0 on success, -1 on failure
2216  */
2217 int tlsv1_client_shutdown(struct tlsv1_client *conn)
2218 {
2219         conn->state = CLIENT_HELLO;
2220
2221         tlsv1_client_free_verify_hashes(conn);
2222         if (tlsv1_client_init_verify_hashes(conn) < 0) {
2223                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify "
2224                            "hash");
2225                 return -1;
2226         }
2227
2228         tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL);
2229         tlsv1_record_change_write_cipher(&conn->rl);
2230         tlsv1_record_change_read_cipher(&conn->rl);
2231
2232         conn->certificate_requested = 0;
2233         crypto_public_key_free(conn->server_rsa_key);
2234         conn->server_rsa_key = NULL;
2235         conn->session_resumed = 0;
2236
2237         return 0;
2238 }
2239
2240
2241 /**
2242  * tlsv1_client_resumed - Was session resumption used
2243  * @conn: TLSv1 client connection data from tlsv1_client_init()
2244  * Returns: 1 if current session used session resumption, 0 if not
2245  */
2246 int tlsv1_client_resumed(struct tlsv1_client *conn)
2247 {
2248         return !!conn->session_resumed;
2249 }
2250
2251
2252 /**
2253  * tlsv1_client_hello_ext - Set TLS extension for ClientHello
2254  * @conn: TLSv1 client connection data from tlsv1_client_init()
2255  * @ext_type: Extension type
2256  * @data: Extension payload (%NULL to remove extension)
2257  * @data_len: Extension payload length
2258  * Returns: 0 on success, -1 on failure
2259  */
2260 int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type,
2261                            const u8 *data, size_t data_len)
2262 {
2263         u8 *pos;
2264
2265         conn->ticket = 0;
2266         os_free(conn->client_hello_ext);
2267         conn->client_hello_ext = NULL;
2268         conn->client_hello_ext_len = 0;
2269
2270         if (data == NULL || data_len == 0)
2271                 return 0;
2272
2273         pos = conn->client_hello_ext = os_malloc(6 + data_len);
2274         if (pos == NULL)
2275                 return -1;
2276
2277         WPA_PUT_BE16(pos, 4 + data_len);
2278         pos += 2;
2279         WPA_PUT_BE16(pos, ext_type);
2280         pos += 2;
2281         WPA_PUT_BE16(pos, data_len);
2282         pos += 2;
2283         os_memcpy(pos, data, data_len);
2284         conn->client_hello_ext_len = 6 + data_len;
2285
2286         if (ext_type == TLS_EXT_PAC_OPAQUE) {
2287                 conn->ticket = 1;
2288                 wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket");
2289         }
2290
2291         return 0;
2292 }
2293
2294
2295 /**
2296  * tlsv1_client_get_keys - Get master key and random data from TLS connection
2297  * @conn: TLSv1 client connection data from tlsv1_client_init()
2298  * @keys: Structure of key/random data (filled on success)
2299  * Returns: 0 on success, -1 on failure
2300  */
2301 int tlsv1_client_get_keys(struct tlsv1_client *conn, struct tls_keys *keys)
2302 {
2303         os_memset(keys, 0, sizeof(*keys));
2304         if (conn->state == CLIENT_HELLO)
2305                 return -1;
2306
2307         keys->client_random = conn->client_random;
2308         keys->client_random_len = TLS_RANDOM_LEN;
2309
2310         if (conn->state != SERVER_HELLO) {
2311                 keys->server_random = conn->server_random;
2312                 keys->server_random_len = TLS_RANDOM_LEN;
2313                 keys->master_key = conn->master_secret;
2314                 keys->master_key_len = TLS_MASTER_SECRET_LEN;
2315         }
2316
2317         return 0;
2318 }
2319
2320
2321 /**
2322  * tlsv1_client_set_master_key - Configure master secret for TLS connection
2323  * @conn: TLSv1 client connection data from tlsv1_client_init()
2324  * @key: TLS pre-master-secret
2325  * @key_len: length of key in bytes
2326  * Returns: 0 on success, -1 on failure
2327  */
2328 int tlsv1_client_set_master_key(struct tlsv1_client *conn,
2329                                 const u8 *key, size_t key_len)
2330 {
2331         if (key_len > TLS_MASTER_SECRET_LEN)
2332                 return -1;
2333         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret from session "
2334                         "ticket", key, key_len);
2335         os_memcpy(conn->master_secret, key, key_len);
2336         conn->ticket_key = 1;
2337
2338         return 0;
2339 }
2340
2341
2342 /**
2343  * tlsv1_client_get_keyblock_size - Get TLS key_block size
2344  * @conn: TLSv1 client connection data from tlsv1_client_init()
2345  * Returns: Size of the key_block for the negotiated cipher suite or -1 on
2346  * failure
2347  */
2348 int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn)
2349 {
2350         if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO)
2351                 return -1;
2352
2353         return 2 * (conn->rl.hash_size + conn->rl.key_material_len +
2354                     conn->rl.iv_size);
2355 }
2356
2357
2358 /**
2359  * tlsv1_client_set_cipher_list - Configure acceptable cipher suites
2360  * @conn: TLSv1 client connection data from tlsv1_client_init()
2361  * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
2362  * (TLS_CIPHER_*).
2363  * Returns: 0 on success, -1 on failure
2364  */
2365 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers)
2366 {
2367 #ifdef EAP_FAST
2368         size_t count;
2369         u16 *suites;
2370
2371         /* TODO: implement proper configuration of cipher suites */
2372         if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) {
2373                 count = 0;
2374                 suites = conn->cipher_suites;
2375                 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
2376                 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
2377                 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
2378                 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
2379                 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
2380                 conn->num_cipher_suites = count;
2381         }
2382
2383         return 0;
2384 #else /* EAP_FAST */
2385         return -1;
2386 #endif /* EAP_FAST */
2387 }
2388
2389
2390 static int tlsv1_client_add_cert_der(struct x509_certificate **chain,
2391                                      const u8 *buf, size_t len)
2392 {
2393         struct x509_certificate *cert;
2394         char name[128];
2395
2396         cert = x509_certificate_parse(buf, len);
2397         if (cert == NULL) {
2398                 wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
2399                            __func__);
2400                 return -1;
2401         }
2402
2403         cert->next = *chain;
2404         *chain = cert;
2405
2406         x509_name_string(&cert->subject, name, sizeof(name));
2407         wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);
2408
2409         return 0;
2410 }
2411
2412
2413 static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
2414 static const char *pem_cert_end = "-----END CERTIFICATE-----";
2415
2416
2417 static const u8 * search_tag(const char *tag, const u8 *buf, size_t len)
2418 {
2419         size_t i, plen;
2420
2421         plen = os_strlen(tag);
2422         if (len < plen)
2423                 return NULL;
2424
2425         for (i = 0; i < len - plen; i++) {
2426                 if (os_memcmp(buf + i, tag, plen) == 0)
2427                         return buf + i;
2428         }
2429
2430         return NULL;
2431 }
2432
2433
2434 static int tlsv1_client_add_cert(struct x509_certificate **chain,
2435                                  const u8 *buf, size_t len)
2436 {
2437         const u8 *pos, *end;
2438         unsigned char *der;
2439         size_t der_len;
2440
2441         pos = search_tag(pem_cert_begin, buf, len);
2442         if (!pos) {
2443                 wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
2444                            "assume DER format");
2445                 return tlsv1_client_add_cert_der(chain, buf, len);
2446         }
2447
2448         wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
2449                    "DER format");
2450
2451         while (pos) {
2452                 pos += os_strlen(pem_cert_begin);
2453                 end = search_tag(pem_cert_end, pos, buf + len - pos);
2454                 if (end == NULL) {
2455                         wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
2456                                    "certificate end tag (%s)", pem_cert_end);
2457                         return -1;
2458                 }
2459
2460                 der = base64_decode(pos, end - pos, &der_len);
2461                 if (der == NULL) {
2462                         wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
2463                                    "certificate");
2464                         return -1;
2465                 }
2466
2467                 if (tlsv1_client_add_cert_der(chain, der, der_len) < 0) {
2468                         wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
2469                                    "certificate after DER conversion");
2470                         os_free(der);
2471                         return -1;
2472                 }
2473
2474                 os_free(der);
2475
2476                 end += os_strlen(pem_cert_end);
2477                 pos = search_tag(pem_cert_begin, end, buf + len - end);
2478         }
2479
2480         return 0;
2481 }
2482
2483
2484 static int tlsv1_client_set_cert_chain(struct x509_certificate **chain,
2485                                        const char *cert, const u8 *cert_blob,
2486                                        size_t cert_blob_len)
2487 {
2488         if (cert_blob)
2489                 return tlsv1_client_add_cert(chain, cert_blob, cert_blob_len);
2490
2491         if (cert) {
2492                 u8 *buf;
2493                 size_t len;
2494                 int ret;
2495
2496                 buf = (u8 *) os_readfile(cert, &len);
2497                 if (buf == NULL) {
2498                         wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
2499                                    cert);
2500                         return -1;
2501                 }
2502
2503                 ret = tlsv1_client_add_cert(chain, buf, len);
2504                 os_free(buf);
2505                 return ret;
2506         }
2507
2508         return 0;
2509 }
2510
2511
2512 /**
2513  * tlsv1_client_set_ca_cert - Set trusted CA certificate(s)
2514  * @conn: TLSv1 client connection data from tlsv1_client_init()
2515  * @cert: File or reference name for X.509 certificate in PEM or DER format
2516  * @cert_blob: cert as inlined data or %NULL if not used
2517  * @cert_blob_len: ca_cert_blob length
2518  * @path: Path to CA certificates (not yet supported)
2519  * Returns: 0 on success, -1 on failure
2520  */
2521 int tlsv1_client_set_ca_cert(struct tlsv1_client *conn, const char *cert,
2522                              const u8 *cert_blob, size_t cert_blob_len,
2523                              const char *path)
2524 {
2525         if (tlsv1_client_set_cert_chain(&conn->trusted_certs, cert,
2526                                         cert_blob, cert_blob_len) < 0)
2527                 return -1;
2528
2529         if (path) {
2530                 /* TODO: add support for reading number of certificate files */
2531                 wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
2532                            "not yet supported");
2533                 return -1;
2534         }
2535
2536         return 0;
2537 }
2538
2539
2540 /**
2541  * tlsv1_client_set_client_cert - Set client certificate
2542  * @conn: TLSv1 client connection data from tlsv1_client_init()
2543  * @cert: File or reference name for X.509 certificate in PEM or DER format
2544  * @cert_blob: cert as inlined data or %NULL if not used
2545  * @cert_blob_len: ca_cert_blob length
2546  * Returns: 0 on success, -1 on failure
2547  */
2548 int tlsv1_client_set_client_cert(struct tlsv1_client *conn, const char *cert,
2549                                  const u8 *cert_blob, size_t cert_blob_len)
2550 {
2551         return tlsv1_client_set_cert_chain(&conn->client_cert, cert,
2552                                            cert_blob, cert_blob_len);
2553 }
2554
2555
2556 static int tlsv1_client_set_key(struct tlsv1_client *conn,
2557                                 const u8 *key, size_t len)
2558 {
2559         conn->client_key = crypto_private_key_import(key, len);
2560         if (conn->client_key == NULL) {
2561                 wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
2562                 return -1;
2563         }
2564         return 0;
2565 }
2566
2567
2568 /**
2569  * tlsv1_client_set_private_key - Set client private key
2570  * @conn: TLSv1 client connection data from tlsv1_client_init()
2571  * @private_key: File or reference name for the key in PEM or DER format
2572  * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
2573  * passphrase is used.
2574  * @private_key_blob: private_key as inlined data or %NULL if not used
2575  * @private_key_blob_len: private_key_blob length
2576  * Returns: 0 on success, -1 on failure
2577  */
2578 int tlsv1_client_set_private_key(struct tlsv1_client *conn,
2579                                  const char *private_key,
2580                                  const char *private_key_passwd,
2581                                  const u8 *private_key_blob,
2582                                  size_t private_key_blob_len)
2583 {
2584         crypto_private_key_free(conn->client_key);
2585         conn->client_key = NULL;
2586
2587         if (private_key_blob)
2588                 return tlsv1_client_set_key(conn, private_key_blob,
2589                                             private_key_blob_len);
2590
2591         if (private_key) {
2592                 u8 *buf;
2593                 size_t len;
2594                 int ret;
2595
2596                 buf = (u8 *) os_readfile(private_key, &len);
2597                 if (buf == NULL) {
2598                         wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
2599                                    private_key);
2600                         return -1;
2601                 }
2602
2603                 ret = tlsv1_client_set_key(conn, buf, len);
2604                 os_free(buf);
2605                 return ret;
2606         }
2607
2608         return 0;
2609 }