Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame^] | 1 | /* |
| 2 | * TLSv1 client (RFC 2246) |
| 3 | * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * Alternatively, this software may be distributed under the terms of BSD |
| 10 | * license. |
| 11 | * |
| 12 | * See README and COPYING for more details. |
| 13 | */ |
| 14 | |
| 15 | #include "includes.h" |
| 16 | |
| 17 | #include "common.h" |
| 18 | #include "crypto/sha1.h" |
| 19 | #include "crypto/tls.h" |
| 20 | #include "tlsv1_common.h" |
| 21 | #include "tlsv1_record.h" |
| 22 | #include "tlsv1_client.h" |
| 23 | #include "tlsv1_client_i.h" |
| 24 | |
| 25 | /* TODO: |
| 26 | * Support for a message fragmented across several records (RFC 2246, 6.2.1) |
| 27 | */ |
| 28 | |
| 29 | |
| 30 | void tls_alert(struct tlsv1_client *conn, u8 level, u8 description) |
| 31 | { |
| 32 | conn->alert_level = level; |
| 33 | conn->alert_description = description; |
| 34 | } |
| 35 | |
| 36 | |
| 37 | void tlsv1_client_free_dh(struct tlsv1_client *conn) |
| 38 | { |
| 39 | os_free(conn->dh_p); |
| 40 | os_free(conn->dh_g); |
| 41 | os_free(conn->dh_ys); |
| 42 | conn->dh_p = conn->dh_g = conn->dh_ys = NULL; |
| 43 | } |
| 44 | |
| 45 | |
| 46 | int tls_derive_pre_master_secret(u8 *pre_master_secret) |
| 47 | { |
| 48 | WPA_PUT_BE16(pre_master_secret, TLS_VERSION); |
| 49 | if (os_get_random(pre_master_secret + 2, |
| 50 | TLS_PRE_MASTER_SECRET_LEN - 2)) |
| 51 | return -1; |
| 52 | return 0; |
| 53 | } |
| 54 | |
| 55 | |
| 56 | int tls_derive_keys(struct tlsv1_client *conn, |
| 57 | const u8 *pre_master_secret, size_t pre_master_secret_len) |
| 58 | { |
| 59 | u8 seed[2 * TLS_RANDOM_LEN]; |
| 60 | u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; |
| 61 | u8 *pos; |
| 62 | size_t key_block_len; |
| 63 | |
| 64 | if (pre_master_secret) { |
| 65 | wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", |
| 66 | pre_master_secret, pre_master_secret_len); |
| 67 | os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); |
| 68 | os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, |
| 69 | TLS_RANDOM_LEN); |
| 70 | if (tls_prf(pre_master_secret, pre_master_secret_len, |
| 71 | "master secret", seed, 2 * TLS_RANDOM_LEN, |
| 72 | conn->master_secret, TLS_MASTER_SECRET_LEN)) { |
| 73 | wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " |
| 74 | "master_secret"); |
| 75 | return -1; |
| 76 | } |
| 77 | wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", |
| 78 | conn->master_secret, TLS_MASTER_SECRET_LEN); |
| 79 | } |
| 80 | |
| 81 | os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); |
| 82 | os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); |
| 83 | key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len + |
| 84 | conn->rl.iv_size); |
| 85 | if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, |
| 86 | "key expansion", seed, 2 * TLS_RANDOM_LEN, |
| 87 | key_block, key_block_len)) { |
| 88 | wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); |
| 89 | return -1; |
| 90 | } |
| 91 | wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", |
| 92 | key_block, key_block_len); |
| 93 | |
| 94 | pos = key_block; |
| 95 | |
| 96 | /* client_write_MAC_secret */ |
| 97 | os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); |
| 98 | pos += conn->rl.hash_size; |
| 99 | /* server_write_MAC_secret */ |
| 100 | os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); |
| 101 | pos += conn->rl.hash_size; |
| 102 | |
| 103 | /* client_write_key */ |
| 104 | os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); |
| 105 | pos += conn->rl.key_material_len; |
| 106 | /* server_write_key */ |
| 107 | os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); |
| 108 | pos += conn->rl.key_material_len; |
| 109 | |
| 110 | /* client_write_IV */ |
| 111 | os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); |
| 112 | pos += conn->rl.iv_size; |
| 113 | /* server_write_IV */ |
| 114 | os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); |
| 115 | pos += conn->rl.iv_size; |
| 116 | |
| 117 | return 0; |
| 118 | } |
| 119 | |
| 120 | |
| 121 | /** |
| 122 | * tlsv1_client_handshake - Process TLS handshake |
| 123 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 124 | * @in_data: Input data from TLS peer |
| 125 | * @in_len: Input data length |
| 126 | * @out_len: Length of the output buffer. |
| 127 | * @appl_data: Pointer to application data pointer, or %NULL if dropped |
| 128 | * @appl_data_len: Pointer to variable that is set to appl_data length |
| 129 | * Returns: Pointer to output data, %NULL on failure |
| 130 | */ |
| 131 | u8 * tlsv1_client_handshake(struct tlsv1_client *conn, |
| 132 | const u8 *in_data, size_t in_len, |
| 133 | size_t *out_len, u8 **appl_data, |
| 134 | size_t *appl_data_len) |
| 135 | { |
| 136 | const u8 *pos, *end; |
| 137 | u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct; |
| 138 | size_t in_msg_len; |
| 139 | int no_appl_data; |
| 140 | |
| 141 | if (conn->state == CLIENT_HELLO) { |
| 142 | if (in_len) |
| 143 | return NULL; |
| 144 | return tls_send_client_hello(conn, out_len); |
| 145 | } |
| 146 | |
| 147 | if (in_data == NULL || in_len == 0) |
| 148 | return NULL; |
| 149 | |
| 150 | pos = in_data; |
| 151 | end = in_data + in_len; |
| 152 | in_msg = os_malloc(in_len); |
| 153 | if (in_msg == NULL) |
| 154 | return NULL; |
| 155 | |
| 156 | /* Each received packet may include multiple records */ |
| 157 | while (pos < end) { |
| 158 | in_msg_len = in_len; |
| 159 | if (tlsv1_record_receive(&conn->rl, pos, end - pos, |
| 160 | in_msg, &in_msg_len, &alert)) { |
| 161 | wpa_printf(MSG_DEBUG, "TLSv1: Processing received " |
| 162 | "record failed"); |
| 163 | tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); |
| 164 | goto failed; |
| 165 | } |
| 166 | ct = pos[0]; |
| 167 | |
| 168 | in_pos = in_msg; |
| 169 | in_end = in_msg + in_msg_len; |
| 170 | |
| 171 | /* Each received record may include multiple messages of the |
| 172 | * same ContentType. */ |
| 173 | while (in_pos < in_end) { |
| 174 | in_msg_len = in_end - in_pos; |
| 175 | if (tlsv1_client_process_handshake(conn, ct, in_pos, |
| 176 | &in_msg_len, |
| 177 | appl_data, |
| 178 | appl_data_len) < 0) |
| 179 | goto failed; |
| 180 | in_pos += in_msg_len; |
| 181 | } |
| 182 | |
| 183 | pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3); |
| 184 | } |
| 185 | |
| 186 | os_free(in_msg); |
| 187 | in_msg = NULL; |
| 188 | |
| 189 | no_appl_data = appl_data == NULL || *appl_data == NULL; |
| 190 | msg = tlsv1_client_handshake_write(conn, out_len, no_appl_data); |
| 191 | |
| 192 | failed: |
| 193 | os_free(in_msg); |
| 194 | if (conn->alert_level) { |
| 195 | conn->state = FAILED; |
| 196 | os_free(msg); |
| 197 | msg = tlsv1_client_send_alert(conn, conn->alert_level, |
| 198 | conn->alert_description, |
| 199 | out_len); |
| 200 | } else if (msg == NULL) { |
| 201 | msg = os_zalloc(1); |
| 202 | *out_len = 0; |
| 203 | } |
| 204 | |
| 205 | return msg; |
| 206 | } |
| 207 | |
| 208 | |
| 209 | /** |
| 210 | * tlsv1_client_encrypt - Encrypt data into TLS tunnel |
| 211 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 212 | * @in_data: Pointer to plaintext data to be encrypted |
| 213 | * @in_len: Input buffer length |
| 214 | * @out_data: Pointer to output buffer (encrypted TLS data) |
| 215 | * @out_len: Maximum out_data length |
| 216 | * Returns: Number of bytes written to out_data, -1 on failure |
| 217 | * |
| 218 | * This function is used after TLS handshake has been completed successfully to |
| 219 | * send data in the encrypted tunnel. |
| 220 | */ |
| 221 | int tlsv1_client_encrypt(struct tlsv1_client *conn, |
| 222 | const u8 *in_data, size_t in_len, |
| 223 | u8 *out_data, size_t out_len) |
| 224 | { |
| 225 | size_t rlen; |
| 226 | |
| 227 | wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", |
| 228 | in_data, in_len); |
| 229 | |
| 230 | os_memcpy(out_data + TLS_RECORD_HEADER_LEN, in_data, in_len); |
| 231 | |
| 232 | if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, |
| 233 | out_data, out_len, in_len, &rlen) < 0) { |
| 234 | wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); |
| 235 | tls_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| 236 | TLS_ALERT_INTERNAL_ERROR); |
| 237 | return -1; |
| 238 | } |
| 239 | |
| 240 | return rlen; |
| 241 | } |
| 242 | |
| 243 | |
| 244 | /** |
| 245 | * tlsv1_client_decrypt - Decrypt data from TLS tunnel |
| 246 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 247 | * @in_data: Pointer to input buffer (encrypted TLS data) |
| 248 | * @in_len: Input buffer length |
| 249 | * @out_data: Pointer to output buffer (decrypted data from TLS tunnel) |
| 250 | * @out_len: Maximum out_data length |
| 251 | * Returns: Number of bytes written to out_data, -1 on failure |
| 252 | * |
| 253 | * This function is used after TLS handshake has been completed successfully to |
| 254 | * receive data from the encrypted tunnel. |
| 255 | */ |
| 256 | int tlsv1_client_decrypt(struct tlsv1_client *conn, |
| 257 | const u8 *in_data, size_t in_len, |
| 258 | u8 *out_data, size_t out_len) |
| 259 | { |
| 260 | const u8 *in_end, *pos; |
| 261 | int res; |
| 262 | u8 alert, *out_end, *out_pos; |
| 263 | size_t olen; |
| 264 | |
| 265 | pos = in_data; |
| 266 | in_end = in_data + in_len; |
| 267 | out_pos = out_data; |
| 268 | out_end = out_data + out_len; |
| 269 | |
| 270 | while (pos < in_end) { |
| 271 | if (pos[0] != TLS_CONTENT_TYPE_APPLICATION_DATA) { |
| 272 | wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " |
| 273 | "0x%x", pos[0]); |
| 274 | tls_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| 275 | TLS_ALERT_UNEXPECTED_MESSAGE); |
| 276 | return -1; |
| 277 | } |
| 278 | |
| 279 | olen = out_end - out_pos; |
| 280 | res = tlsv1_record_receive(&conn->rl, pos, in_end - pos, |
| 281 | out_pos, &olen, &alert); |
| 282 | if (res < 0) { |
| 283 | wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " |
| 284 | "failed"); |
| 285 | tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); |
| 286 | return -1; |
| 287 | } |
| 288 | out_pos += olen; |
| 289 | if (out_pos > out_end) { |
| 290 | wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough " |
| 291 | "for processing the received record"); |
| 292 | tls_alert(conn, TLS_ALERT_LEVEL_FATAL, |
| 293 | TLS_ALERT_INTERNAL_ERROR); |
| 294 | return -1; |
| 295 | } |
| 296 | |
| 297 | pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3); |
| 298 | } |
| 299 | |
| 300 | return out_pos - out_data; |
| 301 | } |
| 302 | |
| 303 | |
| 304 | /** |
| 305 | * tlsv1_client_global_init - Initialize TLSv1 client |
| 306 | * Returns: 0 on success, -1 on failure |
| 307 | * |
| 308 | * This function must be called before using any other TLSv1 client functions. |
| 309 | */ |
| 310 | int tlsv1_client_global_init(void) |
| 311 | { |
| 312 | return crypto_global_init(); |
| 313 | } |
| 314 | |
| 315 | |
| 316 | /** |
| 317 | * tlsv1_client_global_deinit - Deinitialize TLSv1 client |
| 318 | * |
| 319 | * This function can be used to deinitialize the TLSv1 client that was |
| 320 | * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions |
| 321 | * can be called after this before calling tlsv1_client_global_init() again. |
| 322 | */ |
| 323 | void tlsv1_client_global_deinit(void) |
| 324 | { |
| 325 | crypto_global_deinit(); |
| 326 | } |
| 327 | |
| 328 | |
| 329 | /** |
| 330 | * tlsv1_client_init - Initialize TLSv1 client connection |
| 331 | * Returns: Pointer to TLSv1 client connection data or %NULL on failure |
| 332 | */ |
| 333 | struct tlsv1_client * tlsv1_client_init(void) |
| 334 | { |
| 335 | struct tlsv1_client *conn; |
| 336 | size_t count; |
| 337 | u16 *suites; |
| 338 | |
| 339 | conn = os_zalloc(sizeof(*conn)); |
| 340 | if (conn == NULL) |
| 341 | return NULL; |
| 342 | |
| 343 | conn->state = CLIENT_HELLO; |
| 344 | |
| 345 | if (tls_verify_hash_init(&conn->verify) < 0) { |
| 346 | wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " |
| 347 | "hash"); |
| 348 | os_free(conn); |
| 349 | return NULL; |
| 350 | } |
| 351 | |
| 352 | count = 0; |
| 353 | suites = conn->cipher_suites; |
| 354 | #ifndef CONFIG_CRYPTO_INTERNAL |
| 355 | suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; |
| 356 | #endif /* CONFIG_CRYPTO_INTERNAL */ |
| 357 | suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; |
| 358 | suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; |
| 359 | suites[count++] = TLS_RSA_WITH_RC4_128_SHA; |
| 360 | suites[count++] = TLS_RSA_WITH_RC4_128_MD5; |
| 361 | conn->num_cipher_suites = count; |
| 362 | |
| 363 | return conn; |
| 364 | } |
| 365 | |
| 366 | |
| 367 | /** |
| 368 | * tlsv1_client_deinit - Deinitialize TLSv1 client connection |
| 369 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 370 | */ |
| 371 | void tlsv1_client_deinit(struct tlsv1_client *conn) |
| 372 | { |
| 373 | crypto_public_key_free(conn->server_rsa_key); |
| 374 | tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); |
| 375 | tlsv1_record_change_write_cipher(&conn->rl); |
| 376 | tlsv1_record_change_read_cipher(&conn->rl); |
| 377 | tls_verify_hash_free(&conn->verify); |
| 378 | os_free(conn->client_hello_ext); |
| 379 | tlsv1_client_free_dh(conn); |
| 380 | tlsv1_cred_free(conn->cred); |
| 381 | os_free(conn); |
| 382 | } |
| 383 | |
| 384 | |
| 385 | /** |
| 386 | * tlsv1_client_established - Check whether connection has been established |
| 387 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 388 | * Returns: 1 if connection is established, 0 if not |
| 389 | */ |
| 390 | int tlsv1_client_established(struct tlsv1_client *conn) |
| 391 | { |
| 392 | return conn->state == ESTABLISHED; |
| 393 | } |
| 394 | |
| 395 | |
| 396 | /** |
| 397 | * tlsv1_client_prf - Use TLS-PRF to derive keying material |
| 398 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 399 | * @label: Label (e.g., description of the key) for PRF |
| 400 | * @server_random_first: seed is 0 = client_random|server_random, |
| 401 | * 1 = server_random|client_random |
| 402 | * @out: Buffer for output data from TLS-PRF |
| 403 | * @out_len: Length of the output buffer |
| 404 | * Returns: 0 on success, -1 on failure |
| 405 | */ |
| 406 | int tlsv1_client_prf(struct tlsv1_client *conn, const char *label, |
| 407 | int server_random_first, u8 *out, size_t out_len) |
| 408 | { |
| 409 | u8 seed[2 * TLS_RANDOM_LEN]; |
| 410 | |
| 411 | if (conn->state != ESTABLISHED) |
| 412 | return -1; |
| 413 | |
| 414 | if (server_random_first) { |
| 415 | os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); |
| 416 | os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, |
| 417 | TLS_RANDOM_LEN); |
| 418 | } else { |
| 419 | os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); |
| 420 | os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, |
| 421 | TLS_RANDOM_LEN); |
| 422 | } |
| 423 | |
| 424 | return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, |
| 425 | label, seed, 2 * TLS_RANDOM_LEN, out, out_len); |
| 426 | } |
| 427 | |
| 428 | |
| 429 | /** |
| 430 | * tlsv1_client_get_cipher - Get current cipher name |
| 431 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 432 | * @buf: Buffer for the cipher name |
| 433 | * @buflen: buf size |
| 434 | * Returns: 0 on success, -1 on failure |
| 435 | * |
| 436 | * Get the name of the currently used cipher. |
| 437 | */ |
| 438 | int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf, |
| 439 | size_t buflen) |
| 440 | { |
| 441 | char *cipher; |
| 442 | |
| 443 | switch (conn->rl.cipher_suite) { |
| 444 | case TLS_RSA_WITH_RC4_128_MD5: |
| 445 | cipher = "RC4-MD5"; |
| 446 | break; |
| 447 | case TLS_RSA_WITH_RC4_128_SHA: |
| 448 | cipher = "RC4-SHA"; |
| 449 | break; |
| 450 | case TLS_RSA_WITH_DES_CBC_SHA: |
| 451 | cipher = "DES-CBC-SHA"; |
| 452 | break; |
| 453 | case TLS_RSA_WITH_3DES_EDE_CBC_SHA: |
| 454 | cipher = "DES-CBC3-SHA"; |
| 455 | break; |
| 456 | case TLS_DH_anon_WITH_AES_128_CBC_SHA: |
| 457 | cipher = "ADH-AES-128-SHA"; |
| 458 | break; |
| 459 | case TLS_RSA_WITH_AES_256_CBC_SHA: |
| 460 | cipher = "AES-256-SHA"; |
| 461 | break; |
| 462 | case TLS_RSA_WITH_AES_128_CBC_SHA: |
| 463 | cipher = "AES-128-SHA"; |
| 464 | break; |
| 465 | default: |
| 466 | return -1; |
| 467 | } |
| 468 | |
| 469 | if (os_strlcpy(buf, cipher, buflen) >= buflen) |
| 470 | return -1; |
| 471 | return 0; |
| 472 | } |
| 473 | |
| 474 | |
| 475 | /** |
| 476 | * tlsv1_client_shutdown - Shutdown TLS connection |
| 477 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 478 | * Returns: 0 on success, -1 on failure |
| 479 | */ |
| 480 | int tlsv1_client_shutdown(struct tlsv1_client *conn) |
| 481 | { |
| 482 | conn->state = CLIENT_HELLO; |
| 483 | |
| 484 | if (tls_verify_hash_init(&conn->verify) < 0) { |
| 485 | wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " |
| 486 | "hash"); |
| 487 | return -1; |
| 488 | } |
| 489 | |
| 490 | tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); |
| 491 | tlsv1_record_change_write_cipher(&conn->rl); |
| 492 | tlsv1_record_change_read_cipher(&conn->rl); |
| 493 | |
| 494 | conn->certificate_requested = 0; |
| 495 | crypto_public_key_free(conn->server_rsa_key); |
| 496 | conn->server_rsa_key = NULL; |
| 497 | conn->session_resumed = 0; |
| 498 | |
| 499 | return 0; |
| 500 | } |
| 501 | |
| 502 | |
| 503 | /** |
| 504 | * tlsv1_client_resumed - Was session resumption used |
| 505 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 506 | * Returns: 1 if current session used session resumption, 0 if not |
| 507 | */ |
| 508 | int tlsv1_client_resumed(struct tlsv1_client *conn) |
| 509 | { |
| 510 | return !!conn->session_resumed; |
| 511 | } |
| 512 | |
| 513 | |
| 514 | /** |
| 515 | * tlsv1_client_hello_ext - Set TLS extension for ClientHello |
| 516 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 517 | * @ext_type: Extension type |
| 518 | * @data: Extension payload (%NULL to remove extension) |
| 519 | * @data_len: Extension payload length |
| 520 | * Returns: 0 on success, -1 on failure |
| 521 | */ |
| 522 | int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type, |
| 523 | const u8 *data, size_t data_len) |
| 524 | { |
| 525 | u8 *pos; |
| 526 | |
| 527 | conn->session_ticket_included = 0; |
| 528 | os_free(conn->client_hello_ext); |
| 529 | conn->client_hello_ext = NULL; |
| 530 | conn->client_hello_ext_len = 0; |
| 531 | |
| 532 | if (data == NULL || data_len == 0) |
| 533 | return 0; |
| 534 | |
| 535 | pos = conn->client_hello_ext = os_malloc(6 + data_len); |
| 536 | if (pos == NULL) |
| 537 | return -1; |
| 538 | |
| 539 | WPA_PUT_BE16(pos, 4 + data_len); |
| 540 | pos += 2; |
| 541 | WPA_PUT_BE16(pos, ext_type); |
| 542 | pos += 2; |
| 543 | WPA_PUT_BE16(pos, data_len); |
| 544 | pos += 2; |
| 545 | os_memcpy(pos, data, data_len); |
| 546 | conn->client_hello_ext_len = 6 + data_len; |
| 547 | |
| 548 | if (ext_type == TLS_EXT_PAC_OPAQUE) { |
| 549 | conn->session_ticket_included = 1; |
| 550 | wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket"); |
| 551 | } |
| 552 | |
| 553 | return 0; |
| 554 | } |
| 555 | |
| 556 | |
| 557 | /** |
| 558 | * tlsv1_client_get_keys - Get master key and random data from TLS connection |
| 559 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 560 | * @keys: Structure of key/random data (filled on success) |
| 561 | * Returns: 0 on success, -1 on failure |
| 562 | */ |
| 563 | int tlsv1_client_get_keys(struct tlsv1_client *conn, struct tls_keys *keys) |
| 564 | { |
| 565 | os_memset(keys, 0, sizeof(*keys)); |
| 566 | if (conn->state == CLIENT_HELLO) |
| 567 | return -1; |
| 568 | |
| 569 | keys->client_random = conn->client_random; |
| 570 | keys->client_random_len = TLS_RANDOM_LEN; |
| 571 | |
| 572 | if (conn->state != SERVER_HELLO) { |
| 573 | keys->server_random = conn->server_random; |
| 574 | keys->server_random_len = TLS_RANDOM_LEN; |
| 575 | keys->master_key = conn->master_secret; |
| 576 | keys->master_key_len = TLS_MASTER_SECRET_LEN; |
| 577 | } |
| 578 | |
| 579 | return 0; |
| 580 | } |
| 581 | |
| 582 | |
| 583 | /** |
| 584 | * tlsv1_client_get_keyblock_size - Get TLS key_block size |
| 585 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 586 | * Returns: Size of the key_block for the negotiated cipher suite or -1 on |
| 587 | * failure |
| 588 | */ |
| 589 | int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn) |
| 590 | { |
| 591 | if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) |
| 592 | return -1; |
| 593 | |
| 594 | return 2 * (conn->rl.hash_size + conn->rl.key_material_len + |
| 595 | conn->rl.iv_size); |
| 596 | } |
| 597 | |
| 598 | |
| 599 | /** |
| 600 | * tlsv1_client_set_cipher_list - Configure acceptable cipher suites |
| 601 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 602 | * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers |
| 603 | * (TLS_CIPHER_*). |
| 604 | * Returns: 0 on success, -1 on failure |
| 605 | */ |
| 606 | int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) |
| 607 | { |
| 608 | size_t count; |
| 609 | u16 *suites; |
| 610 | |
| 611 | /* TODO: implement proper configuration of cipher suites */ |
| 612 | if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { |
| 613 | count = 0; |
| 614 | suites = conn->cipher_suites; |
| 615 | #ifndef CONFIG_CRYPTO_INTERNAL |
| 616 | suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; |
| 617 | #endif /* CONFIG_CRYPTO_INTERNAL */ |
| 618 | suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; |
| 619 | suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; |
| 620 | suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; |
| 621 | suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; |
| 622 | |
| 623 | /* |
| 624 | * Cisco AP (at least 350 and 1200 series) local authentication |
| 625 | * server does not know how to search cipher suites from the |
| 626 | * list and seem to require that the last entry in the list is |
| 627 | * the one that it wants to use. However, TLS specification |
| 628 | * requires the list to be in the client preference order. As a |
| 629 | * workaround, add anon-DH AES-128-SHA1 again at the end of the |
| 630 | * list to allow the Cisco code to find it. |
| 631 | */ |
| 632 | suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; |
| 633 | conn->num_cipher_suites = count; |
| 634 | } |
| 635 | |
| 636 | return 0; |
| 637 | } |
| 638 | |
| 639 | |
| 640 | /** |
| 641 | * tlsv1_client_set_cred - Set client credentials |
| 642 | * @conn: TLSv1 client connection data from tlsv1_client_init() |
| 643 | * @cred: Credentials from tlsv1_cred_alloc() |
| 644 | * Returns: 0 on success, -1 on failure |
| 645 | * |
| 646 | * On success, the client takes ownership of the credentials block and caller |
| 647 | * must not free it. On failure, caller is responsible for freeing the |
| 648 | * credential block. |
| 649 | */ |
| 650 | int tlsv1_client_set_cred(struct tlsv1_client *conn, |
| 651 | struct tlsv1_credentials *cred) |
| 652 | { |
| 653 | tlsv1_cred_free(conn->cred); |
| 654 | conn->cred = cred; |
| 655 | return 0; |
| 656 | } |
| 657 | |
| 658 | |
| 659 | void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn, |
| 660 | tlsv1_client_session_ticket_cb cb, |
| 661 | void *ctx) |
| 662 | { |
| 663 | wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", |
| 664 | cb, ctx); |
| 665 | conn->session_ticket_cb = cb; |
| 666 | conn->session_ticket_cb_ctx = ctx; |
| 667 | } |