1 /* 2 * TLS v1.0/v1.1/v1.2 client (RFC 2246, RFC 4346, RFC 5246) 3 * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "x509v3.h" 15 #include "tlsv1_common.h" 16 #include "tlsv1_record.h" 17 #include "tlsv1_client.h" 18 #include "tlsv1_client_i.h" 19 20 /* TODO: 21 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 22 */ 23 24 tls_alert(struct tlsv1_client * conn,u8 level,u8 description)25 void tls_alert(struct tlsv1_client *conn, u8 level, u8 description) 26 { 27 conn->alert_level = level; 28 conn->alert_description = description; 29 } 30 31 tlsv1_client_free_dh(struct tlsv1_client * conn)32 void tlsv1_client_free_dh(struct tlsv1_client *conn) 33 { 34 os_free(conn->dh_p); 35 os_free(conn->dh_g); 36 os_free(conn->dh_ys); 37 conn->dh_p = conn->dh_g = conn->dh_ys = NULL; 38 } 39 40 tls_client_highest_ver(struct tlsv1_client * conn)41 u16 tls_client_highest_ver(struct tlsv1_client *conn) 42 { 43 u16 tls_version = TLS_VERSION; 44 45 /* Pick the highest locally enabled TLS version */ 46 #ifdef CONFIG_TLSV12 47 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 48 tls_version == TLS_VERSION_1_2) 49 tls_version = TLS_VERSION_1_1; 50 #endif /* CONFIG_TLSV12 */ 51 #ifdef CONFIG_TLSV11 52 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 53 tls_version == TLS_VERSION_1_1) 54 tls_version = TLS_VERSION_1; 55 #endif /* CONFIG_TLSV11 */ 56 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 57 tls_version == TLS_VERSION_1) 58 return 0; 59 60 return tls_version; 61 } 62 63 tls_derive_pre_master_secret(struct tlsv1_client * conn,u8 * pre_master_secret)64 int tls_derive_pre_master_secret(struct tlsv1_client *conn, 65 u8 *pre_master_secret) 66 { 67 WPA_PUT_BE16(pre_master_secret, tls_client_highest_ver(conn)); 68 if (os_get_random(pre_master_secret + 2, 69 TLS_PRE_MASTER_SECRET_LEN - 2)) 70 return -1; 71 return 0; 72 } 73 74 tls_derive_keys(struct tlsv1_client * conn,const u8 * pre_master_secret,size_t pre_master_secret_len)75 int tls_derive_keys(struct tlsv1_client *conn, 76 const u8 *pre_master_secret, size_t pre_master_secret_len) 77 { 78 u8 seed[2 * TLS_RANDOM_LEN]; 79 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 80 u8 *pos; 81 size_t key_block_len; 82 83 if (pre_master_secret) { 84 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 85 pre_master_secret, pre_master_secret_len); 86 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 87 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 88 TLS_RANDOM_LEN); 89 if (tls_prf(conn->rl.tls_version, 90 pre_master_secret, pre_master_secret_len, 91 "master secret", seed, 2 * TLS_RANDOM_LEN, 92 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 93 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 94 "master_secret"); 95 return -1; 96 } 97 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 98 conn->master_secret, TLS_MASTER_SECRET_LEN); 99 } 100 101 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 102 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 103 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len); 104 if (conn->rl.tls_version == TLS_VERSION_1) 105 key_block_len += 2 * conn->rl.iv_size; 106 if (tls_prf(conn->rl.tls_version, 107 conn->master_secret, TLS_MASTER_SECRET_LEN, 108 "key expansion", seed, 2 * TLS_RANDOM_LEN, 109 key_block, key_block_len)) { 110 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 111 return -1; 112 } 113 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 114 key_block, key_block_len); 115 116 pos = key_block; 117 118 /* client_write_MAC_secret */ 119 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 120 pos += conn->rl.hash_size; 121 /* server_write_MAC_secret */ 122 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 123 pos += conn->rl.hash_size; 124 125 /* client_write_key */ 126 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 127 pos += conn->rl.key_material_len; 128 /* server_write_key */ 129 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 130 pos += conn->rl.key_material_len; 131 132 if (conn->rl.tls_version == TLS_VERSION_1) { 133 /* client_write_IV */ 134 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 135 pos += conn->rl.iv_size; 136 /* server_write_IV */ 137 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 138 } else { 139 /* 140 * Use IV field to set the mask value for TLS v1.1. A fixed 141 * mask of zero is used per the RFC 4346, 6.2.3.2 CBC Block 142 * Cipher option 2a. 143 */ 144 os_memset(conn->rl.write_iv, 0, conn->rl.iv_size); 145 } 146 147 return 0; 148 } 149 150 151 /** 152 * tlsv1_client_handshake - Process TLS handshake 153 * @conn: TLSv1 client connection data from tlsv1_client_init() 154 * @in_data: Input data from TLS peer 155 * @in_len: Input data length 156 * @out_len: Length of the output buffer. 157 * @appl_data: Pointer to application data pointer, or %NULL if dropped 158 * @appl_data_len: Pointer to variable that is set to appl_data length 159 * @need_more_data: Set to 1 if more data would be needed to complete 160 * processing 161 * Returns: Pointer to output data, %NULL on failure 162 */ tlsv1_client_handshake(struct tlsv1_client * conn,const u8 * in_data,size_t in_len,size_t * out_len,u8 ** appl_data,size_t * appl_data_len,int * need_more_data)163 u8 * tlsv1_client_handshake(struct tlsv1_client *conn, 164 const u8 *in_data, size_t in_len, 165 size_t *out_len, u8 **appl_data, 166 size_t *appl_data_len, int *need_more_data) 167 { 168 const u8 *pos, *end; 169 u8 *msg = NULL, *in_msg = NULL, *in_pos, *in_end, alert, ct; 170 size_t in_msg_len; 171 int no_appl_data; 172 int used; 173 174 if (need_more_data) 175 *need_more_data = 0; 176 177 if (conn->state == CLIENT_HELLO) { 178 if (in_len) 179 return NULL; 180 return tls_send_client_hello(conn, out_len); 181 } 182 183 if (conn->partial_input) { 184 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 185 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 186 "memory for pending record"); 187 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 188 TLS_ALERT_INTERNAL_ERROR); 189 goto failed; 190 } 191 wpabuf_put_data(conn->partial_input, in_data, in_len); 192 in_data = wpabuf_head(conn->partial_input); 193 in_len = wpabuf_len(conn->partial_input); 194 } 195 196 if (in_data == NULL || in_len == 0) 197 return NULL; 198 199 pos = in_data; 200 end = in_data + in_len; 201 in_msg = os_malloc(in_len); 202 if (in_msg == NULL) 203 return NULL; 204 205 /* Each received packet may include multiple records */ 206 while (pos < end) { 207 in_msg_len = in_len; 208 used = tlsv1_record_receive(&conn->rl, pos, end - pos, 209 in_msg, &in_msg_len, &alert); 210 if (used < 0) { 211 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 212 "record failed"); 213 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 214 goto failed; 215 } 216 if (used == 0) { 217 struct wpabuf *partial; 218 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 219 partial = wpabuf_alloc_copy(pos, end - pos); 220 wpabuf_free(conn->partial_input); 221 conn->partial_input = partial; 222 if (conn->partial_input == NULL) { 223 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 224 "allocate memory for pending " 225 "record"); 226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 227 TLS_ALERT_INTERNAL_ERROR); 228 goto failed; 229 } 230 os_free(in_msg); 231 if (need_more_data) 232 *need_more_data = 1; 233 return NULL; 234 } 235 ct = pos[0]; 236 237 in_pos = in_msg; 238 in_end = in_msg + in_msg_len; 239 240 /* Each received record may include multiple messages of the 241 * same ContentType. */ 242 while (in_pos < in_end) { 243 in_msg_len = in_end - in_pos; 244 if (tlsv1_client_process_handshake(conn, ct, in_pos, 245 &in_msg_len, 246 appl_data, 247 appl_data_len) < 0) 248 goto failed; 249 in_pos += in_msg_len; 250 } 251 252 pos += used; 253 } 254 255 os_free(in_msg); 256 in_msg = NULL; 257 258 no_appl_data = appl_data == NULL || *appl_data == NULL; 259 msg = tlsv1_client_handshake_write(conn, out_len, no_appl_data); 260 261 failed: 262 os_free(in_msg); 263 if (conn->alert_level) { 264 wpabuf_free(conn->partial_input); 265 conn->partial_input = NULL; 266 conn->state = FAILED; 267 os_free(msg); 268 msg = tlsv1_client_send_alert(conn, conn->alert_level, 269 conn->alert_description, 270 out_len); 271 } else if (msg == NULL) { 272 msg = os_zalloc(1); 273 *out_len = 0; 274 } 275 276 if (need_more_data == NULL || !(*need_more_data)) { 277 wpabuf_free(conn->partial_input); 278 conn->partial_input = NULL; 279 } 280 281 return msg; 282 } 283 284 285 /** 286 * tlsv1_client_encrypt - Encrypt data into TLS tunnel 287 * @conn: TLSv1 client connection data from tlsv1_client_init() 288 * @in_data: Pointer to plaintext data to be encrypted 289 * @in_len: Input buffer length 290 * @out_data: Pointer to output buffer (encrypted TLS data) 291 * @out_len: Maximum out_data length 292 * Returns: Number of bytes written to out_data, -1 on failure 293 * 294 * This function is used after TLS handshake has been completed successfully to 295 * send data in the encrypted tunnel. 296 */ tlsv1_client_encrypt(struct tlsv1_client * conn,const u8 * in_data,size_t in_len,u8 * out_data,size_t out_len)297 int tlsv1_client_encrypt(struct tlsv1_client *conn, 298 const u8 *in_data, size_t in_len, 299 u8 *out_data, size_t out_len) 300 { 301 size_t rlen; 302 303 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 304 in_data, in_len); 305 306 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 307 out_data, out_len, in_data, in_len, &rlen) < 0) { 308 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 309 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 310 TLS_ALERT_INTERNAL_ERROR); 311 return -1; 312 } 313 314 return rlen; 315 } 316 317 318 /** 319 * tlsv1_client_decrypt - Decrypt data from TLS tunnel 320 * @conn: TLSv1 client connection data from tlsv1_client_init() 321 * @in_data: Pointer to input buffer (encrypted TLS data) 322 * @in_len: Input buffer length 323 * @need_more_data: Set to 1 if more data would be needed to complete 324 * processing 325 * Returns: Decrypted data or %NULL on failure 326 * 327 * This function is used after TLS handshake has been completed successfully to 328 * receive data from the encrypted tunnel. 329 */ tlsv1_client_decrypt(struct tlsv1_client * conn,const u8 * in_data,size_t in_len,int * need_more_data)330 struct wpabuf * tlsv1_client_decrypt(struct tlsv1_client *conn, 331 const u8 *in_data, size_t in_len, 332 int *need_more_data) 333 { 334 const u8 *in_end, *pos; 335 int used; 336 u8 alert, *out_pos, ct; 337 size_t olen; 338 struct wpabuf *buf = NULL; 339 340 if (need_more_data) 341 *need_more_data = 0; 342 343 if (conn->partial_input) { 344 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 346 "memory for pending record"); 347 alert = TLS_ALERT_INTERNAL_ERROR; 348 goto fail; 349 } 350 wpabuf_put_data(conn->partial_input, in_data, in_len); 351 in_data = wpabuf_head(conn->partial_input); 352 in_len = wpabuf_len(conn->partial_input); 353 } 354 355 pos = in_data; 356 in_end = in_data + in_len; 357 358 while (pos < in_end) { 359 ct = pos[0]; 360 if (wpabuf_resize(&buf, in_end - pos) < 0) { 361 alert = TLS_ALERT_INTERNAL_ERROR; 362 goto fail; 363 } 364 out_pos = wpabuf_put(buf, 0); 365 olen = wpabuf_tailroom(buf); 366 used = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 367 out_pos, &olen, &alert); 368 if (used < 0) { 369 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 370 "failed"); 371 goto fail; 372 } 373 if (used == 0) { 374 struct wpabuf *partial; 375 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 376 partial = wpabuf_alloc_copy(pos, in_end - pos); 377 wpabuf_free(conn->partial_input); 378 conn->partial_input = partial; 379 if (conn->partial_input == NULL) { 380 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 381 "allocate memory for pending " 382 "record"); 383 alert = TLS_ALERT_INTERNAL_ERROR; 384 goto fail; 385 } 386 if (need_more_data) 387 *need_more_data = 1; 388 return buf; 389 } 390 391 if (ct == TLS_CONTENT_TYPE_ALERT) { 392 if (olen < 2) { 393 wpa_printf(MSG_DEBUG, "TLSv1: Alert " 394 "underflow"); 395 alert = TLS_ALERT_DECODE_ERROR; 396 goto fail; 397 } 398 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 399 out_pos[0], out_pos[1]); 400 if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) { 401 /* Continue processing */ 402 pos += used; 403 continue; 404 } 405 406 alert = out_pos[1]; 407 goto fail; 408 } 409 410 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 411 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 412 "0x%x when decrypting application data", 413 pos[0]); 414 alert = TLS_ALERT_UNEXPECTED_MESSAGE; 415 goto fail; 416 } 417 418 wpabuf_put(buf, olen); 419 420 pos += used; 421 } 422 423 wpabuf_free(conn->partial_input); 424 conn->partial_input = NULL; 425 return buf; 426 427 fail: 428 wpabuf_free(buf); 429 wpabuf_free(conn->partial_input); 430 conn->partial_input = NULL; 431 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 432 return NULL; 433 } 434 435 436 /** 437 * tlsv1_client_global_init - Initialize TLSv1 client 438 * Returns: 0 on success, -1 on failure 439 * 440 * This function must be called before using any other TLSv1 client functions. 441 */ tlsv1_client_global_init(void)442 int tlsv1_client_global_init(void) 443 { 444 return crypto_global_init(); 445 } 446 447 448 /** 449 * tlsv1_client_global_deinit - Deinitialize TLSv1 client 450 * 451 * This function can be used to deinitialize the TLSv1 client that was 452 * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions 453 * can be called after this before calling tlsv1_client_global_init() again. 454 */ tlsv1_client_global_deinit(void)455 void tlsv1_client_global_deinit(void) 456 { 457 crypto_global_deinit(); 458 } 459 460 461 /** 462 * tlsv1_client_init - Initialize TLSv1 client connection 463 * Returns: Pointer to TLSv1 client connection data or %NULL on failure 464 */ tlsv1_client_init(void)465 struct tlsv1_client * tlsv1_client_init(void) 466 { 467 struct tlsv1_client *conn; 468 size_t count; 469 u16 *suites; 470 471 conn = os_zalloc(sizeof(*conn)); 472 if (conn == NULL) 473 return NULL; 474 475 conn->state = CLIENT_HELLO; 476 477 if (tls_verify_hash_init(&conn->verify) < 0) { 478 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 479 "hash"); 480 os_free(conn); 481 return NULL; 482 } 483 484 count = 0; 485 suites = conn->cipher_suites; 486 suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; 487 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256; 488 suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; 489 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 490 suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256; 491 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256; 492 suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; 493 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 494 suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; 495 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 496 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 497 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 498 conn->num_cipher_suites = count; 499 500 conn->rl.tls_version = TLS_VERSION; 501 502 return conn; 503 } 504 505 506 /** 507 * tlsv1_client_deinit - Deinitialize TLSv1 client connection 508 * @conn: TLSv1 client connection data from tlsv1_client_init() 509 */ tlsv1_client_deinit(struct tlsv1_client * conn)510 void tlsv1_client_deinit(struct tlsv1_client *conn) 511 { 512 crypto_public_key_free(conn->server_rsa_key); 513 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 514 tlsv1_record_change_write_cipher(&conn->rl); 515 tlsv1_record_change_read_cipher(&conn->rl); 516 tls_verify_hash_free(&conn->verify); 517 os_free(conn->client_hello_ext); 518 tlsv1_client_free_dh(conn); 519 tlsv1_cred_free(conn->cred); 520 wpabuf_free(conn->partial_input); 521 x509_certificate_chain_free(conn->server_cert); 522 os_free(conn); 523 } 524 525 526 /** 527 * tlsv1_client_established - Check whether connection has been established 528 * @conn: TLSv1 client connection data from tlsv1_client_init() 529 * Returns: 1 if connection is established, 0 if not 530 */ tlsv1_client_established(struct tlsv1_client * conn)531 int tlsv1_client_established(struct tlsv1_client *conn) 532 { 533 return conn->state == ESTABLISHED; 534 } 535 536 537 /** 538 * tlsv1_client_prf - Use TLS-PRF to derive keying material 539 * @conn: TLSv1 client connection data from tlsv1_client_init() 540 * @label: Label (e.g., description of the key) for PRF 541 * @context: Optional extra upper-layer context (max len 2^16) 542 * @context_len: The length of the context value 543 * @server_random_first: seed is 0 = client_random|server_random, 544 * 1 = server_random|client_random 545 * @out: Buffer for output data from TLS-PRF 546 * @out_len: Length of the output buffer 547 * Returns: 0 on success, -1 on failure 548 */ tlsv1_client_prf(struct tlsv1_client * conn,const char * label,const u8 * context,size_t context_len,int server_random_first,u8 * out,size_t out_len)549 int tlsv1_client_prf(struct tlsv1_client *conn, const char *label, 550 const u8 *context, size_t context_len, 551 int server_random_first, u8 *out, size_t out_len) 552 { 553 u8 *seed, *pos; 554 size_t seed_len = 2 * TLS_RANDOM_LEN; 555 int res; 556 557 if (conn->state != ESTABLISHED) 558 return -1; 559 560 if (context_len > 65535) 561 return -1; 562 563 if (context) 564 seed_len += 2 + context_len; 565 566 seed = os_malloc(seed_len); 567 if (!seed) 568 return -1; 569 570 if (server_random_first) { 571 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 572 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 573 TLS_RANDOM_LEN); 574 } else { 575 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 576 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 577 TLS_RANDOM_LEN); 578 } 579 580 if (context) { 581 pos = seed + 2 * TLS_RANDOM_LEN; 582 WPA_PUT_BE16(pos, context_len); 583 pos += 2; 584 os_memcpy(pos, context, context_len); 585 } 586 587 res = tls_prf(conn->rl.tls_version, 588 conn->master_secret, TLS_MASTER_SECRET_LEN, 589 label, seed, seed_len, out, out_len); 590 os_free(seed); 591 return res; 592 } 593 594 595 /** 596 * tlsv1_client_get_cipher - Get current cipher name 597 * @conn: TLSv1 client connection data from tlsv1_client_init() 598 * @buf: Buffer for the cipher name 599 * @buflen: buf size 600 * Returns: 0 on success, -1 on failure 601 * 602 * Get the name of the currently used cipher. 603 */ tlsv1_client_get_cipher(struct tlsv1_client * conn,char * buf,size_t buflen)604 int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf, 605 size_t buflen) 606 { 607 char *cipher; 608 609 switch (conn->rl.cipher_suite) { 610 case TLS_RSA_WITH_RC4_128_MD5: 611 cipher = "RC4-MD5"; 612 break; 613 case TLS_RSA_WITH_RC4_128_SHA: 614 cipher = "RC4-SHA"; 615 break; 616 case TLS_RSA_WITH_DES_CBC_SHA: 617 cipher = "DES-CBC-SHA"; 618 break; 619 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 620 cipher = "DES-CBC3-SHA"; 621 break; 622 case TLS_DHE_RSA_WITH_DES_CBC_SHA: 623 cipher = "DHE-RSA-DES-CBC-SHA"; 624 break; 625 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: 626 cipher = "DHE-RSA-DES-CBC3-SHA"; 627 break; 628 case TLS_DH_anon_WITH_RC4_128_MD5: 629 cipher = "ADH-RC4-MD5"; 630 break; 631 case TLS_DH_anon_WITH_DES_CBC_SHA: 632 cipher = "ADH-DES-SHA"; 633 break; 634 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: 635 cipher = "ADH-DES-CBC3-SHA"; 636 break; 637 case TLS_RSA_WITH_AES_128_CBC_SHA: 638 cipher = "AES-128-SHA"; 639 break; 640 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: 641 cipher = "DHE-RSA-AES-128-SHA"; 642 break; 643 case TLS_DH_anon_WITH_AES_128_CBC_SHA: 644 cipher = "ADH-AES-128-SHA"; 645 break; 646 case TLS_RSA_WITH_AES_256_CBC_SHA: 647 cipher = "AES-256-SHA"; 648 break; 649 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: 650 cipher = "DHE-RSA-AES-256-SHA"; 651 break; 652 case TLS_DH_anon_WITH_AES_256_CBC_SHA: 653 cipher = "ADH-AES-256-SHA"; 654 break; 655 case TLS_RSA_WITH_AES_128_CBC_SHA256: 656 cipher = "AES-128-SHA256"; 657 break; 658 case TLS_RSA_WITH_AES_256_CBC_SHA256: 659 cipher = "AES-256-SHA256"; 660 break; 661 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 662 cipher = "DHE-RSA-AES-128-SHA256"; 663 break; 664 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 665 cipher = "DHE-RSA-AES-256-SHA256"; 666 break; 667 case TLS_DH_anon_WITH_AES_128_CBC_SHA256: 668 cipher = "ADH-AES-128-SHA256"; 669 break; 670 case TLS_DH_anon_WITH_AES_256_CBC_SHA256: 671 cipher = "ADH-AES-256-SHA256"; 672 break; 673 default: 674 return -1; 675 } 676 677 if (os_strlcpy(buf, cipher, buflen) >= buflen) 678 return -1; 679 return 0; 680 } 681 682 683 /** 684 * tlsv1_client_shutdown - Shutdown TLS connection 685 * @conn: TLSv1 client connection data from tlsv1_client_init() 686 * Returns: 0 on success, -1 on failure 687 */ tlsv1_client_shutdown(struct tlsv1_client * conn)688 int tlsv1_client_shutdown(struct tlsv1_client *conn) 689 { 690 conn->state = CLIENT_HELLO; 691 692 if (tls_verify_hash_init(&conn->verify) < 0) { 693 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 694 "hash"); 695 return -1; 696 } 697 698 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 699 tlsv1_record_change_write_cipher(&conn->rl); 700 tlsv1_record_change_read_cipher(&conn->rl); 701 702 conn->certificate_requested = 0; 703 crypto_public_key_free(conn->server_rsa_key); 704 conn->server_rsa_key = NULL; 705 conn->session_resumed = 0; 706 707 return 0; 708 } 709 710 711 /** 712 * tlsv1_client_resumed - Was session resumption used 713 * @conn: TLSv1 client connection data from tlsv1_client_init() 714 * Returns: 1 if current session used session resumption, 0 if not 715 */ tlsv1_client_resumed(struct tlsv1_client * conn)716 int tlsv1_client_resumed(struct tlsv1_client *conn) 717 { 718 return !!conn->session_resumed; 719 } 720 721 722 /** 723 * tlsv1_client_hello_ext - Set TLS extension for ClientHello 724 * @conn: TLSv1 client connection data from tlsv1_client_init() 725 * @ext_type: Extension type 726 * @data: Extension payload (%NULL to remove extension) 727 * @data_len: Extension payload length 728 * Returns: 0 on success, -1 on failure 729 */ tlsv1_client_hello_ext(struct tlsv1_client * conn,int ext_type,const u8 * data,size_t data_len)730 int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type, 731 const u8 *data, size_t data_len) 732 { 733 u8 *pos; 734 735 conn->session_ticket_included = 0; 736 os_free(conn->client_hello_ext); 737 conn->client_hello_ext = NULL; 738 conn->client_hello_ext_len = 0; 739 740 if (data == NULL || data_len == 0) 741 return 0; 742 743 pos = conn->client_hello_ext = os_malloc(4 + data_len); 744 if (pos == NULL) 745 return -1; 746 747 WPA_PUT_BE16(pos, ext_type); 748 pos += 2; 749 WPA_PUT_BE16(pos, data_len); 750 pos += 2; 751 os_memcpy(pos, data, data_len); 752 conn->client_hello_ext_len = 4 + data_len; 753 754 if (ext_type == TLS_EXT_PAC_OPAQUE) { 755 conn->session_ticket_included = 1; 756 wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket"); 757 } 758 759 return 0; 760 } 761 762 763 /** 764 * tlsv1_client_get_random - Get random data from TLS connection 765 * @conn: TLSv1 client connection data from tlsv1_client_init() 766 * @keys: Structure of random data (filled on success) 767 * Returns: 0 on success, -1 on failure 768 */ tlsv1_client_get_random(struct tlsv1_client * conn,struct tls_random * keys)769 int tlsv1_client_get_random(struct tlsv1_client *conn, struct tls_random *keys) 770 { 771 os_memset(keys, 0, sizeof(*keys)); 772 if (conn->state == CLIENT_HELLO) 773 return -1; 774 775 keys->client_random = conn->client_random; 776 keys->client_random_len = TLS_RANDOM_LEN; 777 778 if (conn->state != SERVER_HELLO) { 779 keys->server_random = conn->server_random; 780 keys->server_random_len = TLS_RANDOM_LEN; 781 } 782 783 return 0; 784 } 785 786 787 /** 788 * tlsv1_client_get_keyblock_size - Get TLS key_block size 789 * @conn: TLSv1 client connection data from tlsv1_client_init() 790 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 791 * failure 792 */ tlsv1_client_get_keyblock_size(struct tlsv1_client * conn)793 int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn) 794 { 795 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 796 return -1; 797 798 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 799 conn->rl.iv_size); 800 } 801 802 803 /** 804 * tlsv1_client_set_cipher_list - Configure acceptable cipher suites 805 * @conn: TLSv1 client connection data from tlsv1_client_init() 806 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 807 * (TLS_CIPHER_*). 808 * Returns: 0 on success, -1 on failure 809 */ tlsv1_client_set_cipher_list(struct tlsv1_client * conn,u8 * ciphers)810 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) 811 { 812 size_t count; 813 u16 *suites; 814 815 /* TODO: implement proper configuration of cipher suites */ 816 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 817 count = 0; 818 suites = conn->cipher_suites; 819 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA256; 820 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 821 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA256; 822 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 823 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 824 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 825 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 826 827 /* 828 * Cisco AP (at least 350 and 1200 series) local authentication 829 * server does not know how to search cipher suites from the 830 * list and seem to require that the last entry in the list is 831 * the one that it wants to use. However, TLS specification 832 * requires the list to be in the client preference order. As a 833 * workaround, add anon-DH AES-128-SHA1 again at the end of the 834 * list to allow the Cisco code to find it. 835 */ 836 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 837 conn->num_cipher_suites = count; 838 } 839 840 return 0; 841 } 842 843 844 /** 845 * tlsv1_client_set_cred - Set client credentials 846 * @conn: TLSv1 client connection data from tlsv1_client_init() 847 * @cred: Credentials from tlsv1_cred_alloc() 848 * Returns: 0 on success, -1 on failure 849 * 850 * On success, the client takes ownership of the credentials block and caller 851 * must not free it. On failure, caller is responsible for freeing the 852 * credential block. 853 */ tlsv1_client_set_cred(struct tlsv1_client * conn,struct tlsv1_credentials * cred)854 int tlsv1_client_set_cred(struct tlsv1_client *conn, 855 struct tlsv1_credentials *cred) 856 { 857 tlsv1_cred_free(conn->cred); 858 conn->cred = cred; 859 return 0; 860 } 861 862 863 /** 864 * tlsv1_client_set_flags - Set connection flags 865 * @conn: TLSv1 client connection data from tlsv1_client_init() 866 * @flags: TLS_CONN_* bitfield 867 */ tlsv1_client_set_flags(struct tlsv1_client * conn,unsigned int flags)868 void tlsv1_client_set_flags(struct tlsv1_client *conn, unsigned int flags) 869 { 870 conn->flags = flags; 871 conn->rl.tls_version = tls_client_highest_ver(conn); 872 } 873 874 tlsv1_client_set_session_ticket_cb(struct tlsv1_client * conn,tlsv1_client_session_ticket_cb cb,void * ctx)875 void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn, 876 tlsv1_client_session_ticket_cb cb, 877 void *ctx) 878 { 879 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", 880 cb, ctx); 881 conn->session_ticket_cb = cb; 882 conn->session_ticket_cb_ctx = ctx; 883 } 884 885 tlsv1_client_set_cb(struct tlsv1_client * conn,void (* event_cb)(void * ctx,enum tls_event ev,union tls_event_data * data),void * cb_ctx,int cert_in_cb)886 void tlsv1_client_set_cb(struct tlsv1_client *conn, 887 void (*event_cb)(void *ctx, enum tls_event ev, 888 union tls_event_data *data), 889 void *cb_ctx, 890 int cert_in_cb) 891 { 892 conn->event_cb = event_cb; 893 conn->cb_ctx = cb_ctx; 894 conn->cert_in_cb = !!cert_in_cb; 895 } 896 897 tlsv1_client_get_version(struct tlsv1_client * conn,char * buf,size_t buflen)898 int tlsv1_client_get_version(struct tlsv1_client *conn, char *buf, 899 size_t buflen) 900 { 901 if (!conn) 902 return -1; 903 switch (conn->rl.tls_version) { 904 case TLS_VERSION_1: 905 os_strlcpy(buf, "TLSv1", buflen); 906 break; 907 case TLS_VERSION_1_1: 908 os_strlcpy(buf, "TLSv1.1", buflen); 909 break; 910 case TLS_VERSION_1_2: 911 os_strlcpy(buf, "TLSv1.2", buflen); 912 break; 913 default: 914 return -1; 915 } 916 917 return 0; 918 } 919