www.project-moonshot.org Git - mech_eap.orig/blob - src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "crypto/md5.h"
  19 #include "crypto/sha1.h"
  20 #include "crypto/tls.h"
  21 #include "x509v3.h"
  22 #include "tlsv1_common.h"
  23 #include "tlsv1_record.h"
  24 #include "tlsv1_server.h"
  25 #include "tlsv1_server_i.h"
  26
  27
  28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  29                                            const u8 *in_data, size_t *in_len);
  30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  31                                           u8 ct, const u8 *in_data,
  32                                           size_t *in_len);
  33
  34
  35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
  36                                     const u8 *in_data, size_t *in_len)
  37 {
  38         const u8 *pos, *end, *c;
  39         size_t left, len, i, j;
  40         u16 cipher_suite;
  41         u16 num_suites;
  42         int compr_null_found;
  43         u16 ext_type, ext_len;
  44
  45         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  46                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  47                            "received content type 0x%x", ct);
  48                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  49                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  50                 return -1;
  51         }
  52
  53         pos = in_data;
  54         left = *in_len;
  55
  56         if (left < 4)
  57                 goto decode_error;
  58
  59         /* HandshakeType msg_type */
  60         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
  61                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  62                            "message %d (expected ClientHello)", *pos);
  63                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  64                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  65                 return -1;
  66         }
  67         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
  68         pos++;
  69         /* uint24 length */
  70         len = WPA_GET_BE24(pos);
  71         pos += 3;
  72         left -= 4;
  73
  74         if (len > left)
  75                 goto decode_error;
  76
  77         /* body - ClientHello */
  78
  79         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
  80         end = pos + len;
  81
  82         /* ProtocolVersion client_version */
  83         if (end - pos < 2)
  84                 goto decode_error;
  85         conn->client_version = WPA_GET_BE16(pos);
  86         wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
  87                    conn->client_version >> 8, conn->client_version & 0xff);
  88         if (conn->client_version < TLS_VERSION) {
  89                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  90                            "ClientHello");
  91                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  92                                    TLS_ALERT_PROTOCOL_VERSION);
  93                 return -1;
  94         }
  95         pos += 2;
  96
  97         /* Random random */
  98         if (end - pos < TLS_RANDOM_LEN)
  99                 goto decode_error;
 100
 101         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 102         pos += TLS_RANDOM_LEN;
 103         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 104                     conn->client_random, TLS_RANDOM_LEN);
 105
 106         /* SessionID session_id */
 107         if (end - pos < 1)
 108                 goto decode_error;
 109         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 110                 goto decode_error;
 111         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 112         pos += 1 + *pos;
 113         /* TODO: add support for session resumption */
 114
 115         /* CipherSuite cipher_suites<2..2^16-1> */
 116         if (end - pos < 2)
 117                 goto decode_error;
 118         num_suites = WPA_GET_BE16(pos);
 119         pos += 2;
 120         if (end - pos < num_suites)
 121                 goto decode_error;
 122         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 123                     pos, num_suites);
 124         if (num_suites & 1)
 125                 goto decode_error;
 126         num_suites /= 2;
 127
 128         cipher_suite = 0;
 129         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 130                 c = pos;
 131                 for (j = 0; j < num_suites; j++) {
 132                         u16 tmp = WPA_GET_BE16(c);
 133                         c += 2;
 134                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 135                                 cipher_suite = tmp;
 136                                 break;
 137                         }
 138                 }
 139         }
 140         pos += num_suites * 2;
 141         if (!cipher_suite) {
 142                 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
 143                            "available");
 144                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 145                                    TLS_ALERT_ILLEGAL_PARAMETER);
 146                 return -1;
 147         }
 148
 149         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 150                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 151                            "record layer");
 152                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 153                                    TLS_ALERT_INTERNAL_ERROR);
 154                 return -1;
 155         }
 156
 157         conn->cipher_suite = cipher_suite;
 158
 159         /* CompressionMethod compression_methods<1..2^8-1> */
 160         if (end - pos < 1)
 161                 goto decode_error;
 162         num_suites = *pos++;
 163         if (end - pos < num_suites)
 164                 goto decode_error;
 165         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 166                     pos, num_suites);
 167         compr_null_found = 0;
 168         for (i = 0; i < num_suites; i++) {
 169                 if (*pos++ == TLS_COMPRESSION_NULL)
 170                         compr_null_found = 1;
 171         }
 172         if (!compr_null_found) {
 173                 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
 174                            "compression");
 175                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 176                                    TLS_ALERT_ILLEGAL_PARAMETER);
 177                 return -1;
 178         }
 179
 180         if (end - pos == 1) {
 181                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
 182                             "end of ClientHello: 0x%02x", *pos);
 183                 goto decode_error;
 184         }
 185
 186         if (end - pos >= 2) {
 187                 /* Extension client_hello_extension_list<0..2^16-1> */
 188                 ext_len = WPA_GET_BE16(pos);
 189                 pos += 2;
 190
 191                 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
 192                            "extensions", ext_len);
 193                 if (end - pos != ext_len) {
 194                         wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
 195                                    "extension list length %u (expected %u)",
 196                                    ext_len, (unsigned int) (end - pos));
 197                         goto decode_error;
 198                 }
 199
 200                 /*
 201                  * struct {
 202                  *   ExtensionType extension_type (0..65535)
 203                  *   opaque extension_data<0..2^16-1>
 204                  * } Extension;
 205                  */
 206
 207                 while (pos < end) {
 208                         if (end - pos < 2) {
 209                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 210                                            "extension_type field");
 211                                 goto decode_error;
 212                         }
 213
 214                         ext_type = WPA_GET_BE16(pos);
 215                         pos += 2;
 216
 217                         if (end - pos < 2) {
 218                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 219                                            "extension_data length field");
 220                                 goto decode_error;
 221                         }
 222
 223                         ext_len = WPA_GET_BE16(pos);
 224                         pos += 2;
 225
 226                         if (end - pos < ext_len) {
 227                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 228                                            "extension_data field");
 229                                 goto decode_error;
 230                         }
 231
 232                         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
 233                                    "type %u", ext_type);
 234                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 235                                     "Extension data", pos, ext_len);
 236
 237                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 238                                 os_free(conn->session_ticket);
 239                                 conn->session_ticket = os_malloc(ext_len);
 240                                 if (conn->session_ticket) {
 241                                         os_memcpy(conn->session_ticket, pos,
 242                                                   ext_len);
 243                                         conn->session_ticket_len = ext_len;
 244                                 }
 245                         }
 246
 247                         pos += ext_len;
 248                 }
 249         }
 250
 251         *in_len = end - in_data;
 252
 253         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
 254                    "ServerHello");
 255         conn->state = SERVER_HELLO;
 256
 257         return 0;
 258
 259 decode_error:
 260         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
 261         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 262                            TLS_ALERT_DECODE_ERROR);
 263         return -1;
 264 }
 265
 266
 267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 268                                    const u8 *in_data, size_t *in_len)
 269 {
 270         const u8 *pos, *end;
 271         size_t left, len, list_len, cert_len, idx;
 272         u8 type;
 273         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 274         int reason;
 275
 276         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 277                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 278                            "received content type 0x%x", ct);
 279                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 280                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 281                 return -1;
 282         }
 283
 284         pos = in_data;
 285         left = *in_len;
 286
 287         if (left < 4) {
 288                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 289                            "(len=%lu)", (unsigned long) left);
 290                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 291                                    TLS_ALERT_DECODE_ERROR);
 292                 return -1;
 293         }
 294
 295         type = *pos++;
 296         len = WPA_GET_BE24(pos);
 297         pos += 3;
 298         left -= 4;
 299
 300         if (len > left) {
 301                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 302                            "length (len=%lu != left=%lu)",
 303                            (unsigned long) len, (unsigned long) left);
 304                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 305                                    TLS_ALERT_DECODE_ERROR);
 306                 return -1;
 307         }
 308
 309         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 310                 if (conn->verify_peer) {
 311                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 312                                    "Certificate");
 313                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 314                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 315                         return -1;
 316                 }
 317
 318                 return tls_process_client_key_exchange(conn, ct, in_data,
 319                                                        in_len);
 320         }
 321         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 322                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 323                            "message %d (expected Certificate/"
 324                            "ClientKeyExchange)", type);
 325                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 326                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 327                 return -1;
 328         }
 329
 330         wpa_printf(MSG_DEBUG,
 331                    "TLSv1: Received Certificate (certificate_list len %lu)",
 332                    (unsigned long) len);
 333
 334         /*
 335          * opaque ASN.1Cert<2^24-1>;
 336          *
 337          * struct {
 338          *     ASN.1Cert certificate_list<1..2^24-1>;
 339          * } Certificate;
 340          */
 341
 342         end = pos + len;
 343
 344         if (end - pos < 3) {
 345                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 346                            "(left=%lu)", (unsigned long) left);
 347                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 348                                    TLS_ALERT_DECODE_ERROR);
 349                 return -1;
 350         }
 351
 352         list_len = WPA_GET_BE24(pos);
 353         pos += 3;
 354
 355         if ((size_t) (end - pos) != list_len) {
 356                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 357                            "length (len=%lu left=%lu)",
 358                            (unsigned long) list_len,
 359                            (unsigned long) (end - pos));
 360                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 361                                    TLS_ALERT_DECODE_ERROR);
 362                 return -1;
 363         }
 364
 365         idx = 0;
 366         while (pos < end) {
 367                 if (end - pos < 3) {
 368                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 369                                    "certificate_list");
 370                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 371                                            TLS_ALERT_DECODE_ERROR);
 372                         x509_certificate_chain_free(chain);
 373                         return -1;
 374                 }
 375
 376                 cert_len = WPA_GET_BE24(pos);
 377                 pos += 3;
 378
 379                 if ((size_t) (end - pos) < cert_len) {
 380                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 381                                    "length (len=%lu left=%lu)",
 382                                    (unsigned long) cert_len,
 383                                    (unsigned long) (end - pos));
 384                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 385                                            TLS_ALERT_DECODE_ERROR);
 386                         x509_certificate_chain_free(chain);
 387                         return -1;
 388                 }
 389
 390                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 391                            (unsigned long) idx, (unsigned long) cert_len);
 392
 393                 if (idx == 0) {
 394                         crypto_public_key_free(conn->client_rsa_key);
 395                         if (tls_parse_cert(pos, cert_len,
 396                                            &conn->client_rsa_key)) {
 397                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 398                                            "the certificate");
 399                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 400                                                    TLS_ALERT_BAD_CERTIFICATE);
 401                                 x509_certificate_chain_free(chain);
 402                                 return -1;
 403                         }
 404                 }
 405
 406                 cert = x509_certificate_parse(pos, cert_len);
 407                 if (cert == NULL) {
 408                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 409                                    "the certificate");
 410                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 411                                            TLS_ALERT_BAD_CERTIFICATE);
 412                         x509_certificate_chain_free(chain);
 413                         return -1;
 414                 }
 415
 416                 if (last == NULL)
 417                         chain = cert;
 418                 else
 419                         last->next = cert;
 420                 last = cert;
 421
 422                 idx++;
 423                 pos += cert_len;
 424         }
 425
 426         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 427                                             &reason) < 0) {
 428                 int tls_reason;
 429                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 430                            "validation failed (reason=%d)", reason);
 431                 switch (reason) {
 432                 case X509_VALIDATE_BAD_CERTIFICATE:
 433                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 434                         break;
 435                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 436                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 437                         break;
 438                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 439                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 440                         break;
 441                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 442                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 443                         break;
 444                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 445                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 446                         break;
 447                 case X509_VALIDATE_UNKNOWN_CA:
 448                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 449                         break;
 450                 default:
 451                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 452                         break;
 453                 }
 454                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 455                 x509_certificate_chain_free(chain);
 456                 return -1;
 457         }
 458
 459         x509_certificate_chain_free(chain);
 460
 461         *in_len = end - in_data;
 462
 463         conn->state = CLIENT_KEY_EXCHANGE;
 464
 465         return 0;
 466 }
 467
 468
 469 static int tls_process_client_key_exchange_rsa(
 470         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 471 {
 472         u8 *out;
 473         size_t outlen, outbuflen;
 474         u16 encr_len;
 475         int res;
 476         int use_random = 0;
 477
 478         if (end - pos < 2) {
 479                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 480                                    TLS_ALERT_DECODE_ERROR);
 481                 return -1;
 482         }
 483
 484         encr_len = WPA_GET_BE16(pos);
 485         pos += 2;
 486
 487         outbuflen = outlen = end - pos;
 488         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 489                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 490         if (out == NULL) {
 491                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 492                                    TLS_ALERT_INTERNAL_ERROR);
 493                 return -1;
 494         }
 495
 496         /*
 497          * struct {
 498          *   ProtocolVersion client_version;
 499          *   opaque random[46];
 500          * } PreMasterSecret;
 501          *
 502          * struct {
 503          *   public-key-encrypted PreMasterSecret pre_master_secret;
 504          * } EncryptedPreMasterSecret;
 505          */
 506
 507         /*
 508          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 509          * parsing errors from EncryptedPreMasterSecret processing to the
 510          * client. Instead, a random pre-master secret is used to force the
 511          * handshake to fail.
 512          */
 513
 514         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 515                                                  pos, end - pos,
 516                                                  out, &outlen) < 0) {
 517                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 518                            "PreMasterSecret (encr_len=%d outlen=%lu)",
 519                            (int) (end - pos), (unsigned long) outlen);
 520                 use_random = 1;
 521         }
 522
 523         if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
 524                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
 525                            "length %lu", (unsigned long) outlen);
 526                 use_random = 1;
 527         }
 528
 529         if (WPA_GET_BE16(out) != conn->client_version) {
 530                 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
 531                            "ClientKeyExchange does not match with version in "
 532                            "ClientHello");
 533                 use_random = 1;
 534         }
 535
 536         if (use_random) {
 537                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 538                            "to avoid revealing information about private key");
 539                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 540                 if (os_get_random(out, outlen)) {
 541                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 542                                    "data");
 543                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 544                                            TLS_ALERT_INTERNAL_ERROR);
 545                         os_free(out);
 546                         return -1;
 547                 }
 548         }
 549
 550         res = tlsv1_server_derive_keys(conn, out, outlen);
 551
 552         /* Clear the pre-master secret since it is not needed anymore */
 553         os_memset(out, 0, outbuflen);
 554         os_free(out);
 555
 556         if (res) {
 557                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 558                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 559                                    TLS_ALERT_INTERNAL_ERROR);
 560                 return -1;
 561         }
 562
 563         return 0;
 564 }
 565
 566
 567 static int tls_process_client_key_exchange_dh_anon(
 568         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 569 {
 570         const u8 *dh_yc;
 571         u16 dh_yc_len;
 572         u8 *shared;
 573         size_t shared_len;
 574         int res;
 575
 576         /*
 577          * struct {
 578          *   select (PublicValueEncoding) {
 579          *     case implicit: struct { };
 580          *     case explicit: opaque dh_Yc<1..2^16-1>;
 581          *   } dh_public;
 582          * } ClientDiffieHellmanPublic;
 583          */
 584
 585         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 586                     pos, end - pos);
 587
 588         if (end == pos) {
 589                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 590                            "not supported");
 591                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 592                                    TLS_ALERT_INTERNAL_ERROR);
 593                 return -1;
 594         }
 595
 596         if (end - pos < 3) {
 597                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
 598                            "length");
 599                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 600                                    TLS_ALERT_DECODE_ERROR);
 601                 return -1;
 602         }
 603
 604         dh_yc_len = WPA_GET_BE16(pos);
 605         dh_yc = pos + 2;
 606
 607         if (dh_yc + dh_yc_len > end) {
 608                 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
 609                            "(length %d)", dh_yc_len);
 610                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 611                                    TLS_ALERT_DECODE_ERROR);
 612                 return -1;
 613         }
 614
 615         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 616                     dh_yc, dh_yc_len);
 617
 618         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 619             conn->dh_secret == NULL) {
 620                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 621                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 622                                    TLS_ALERT_INTERNAL_ERROR);
 623                 return -1;
 624         }
 625
 626         shared_len = conn->cred->dh_p_len;
 627         shared = os_malloc(shared_len);
 628         if (shared == NULL) {
 629                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 630                            "DH");
 631                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 632                                    TLS_ALERT_INTERNAL_ERROR);
 633                 return -1;
 634         }
 635
 636         /* shared = Yc^secret mod p */
 637         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 638                            conn->dh_secret_len,
 639                            conn->cred->dh_p, conn->cred->dh_p_len,
 640                            shared, &shared_len)) {
 641                 os_free(shared);
 642                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 643                                    TLS_ALERT_INTERNAL_ERROR);
 644                 return -1;
 645         }
 646         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 647                         shared, shared_len);
 648
 649         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 650         os_free(conn->dh_secret);
 651         conn->dh_secret = NULL;
 652
 653         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 654
 655         /* Clear the pre-master secret since it is not needed anymore */
 656         os_memset(shared, 0, shared_len);
 657         os_free(shared);
 658
 659         if (res) {
 660                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 661                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 662                                    TLS_ALERT_INTERNAL_ERROR);
 663                 return -1;
 664         }
 665
 666         return 0;
 667 }
 668
 669
 670 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 671                                            const u8 *in_data, size_t *in_len)
 672 {
 673         const u8 *pos, *end;
 674         size_t left, len;
 675         u8 type;
 676         tls_key_exchange keyx;
 677         const struct tls_cipher_suite *suite;
 678
 679         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 680                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 681                            "received content type 0x%x", ct);
 682                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 683                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 684                 return -1;
 685         }
 686
 687         pos = in_data;
 688         left = *in_len;
 689
 690         if (left < 4) {
 691                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
 692                            "(Left=%lu)", (unsigned long) left);
 693                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 694                                    TLS_ALERT_DECODE_ERROR);
 695                 return -1;
 696         }
 697
 698         type = *pos++;
 699         len = WPA_GET_BE24(pos);
 700         pos += 3;
 701         left -= 4;
 702
 703         if (len > left) {
 704                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
 705                            "length (len=%lu != left=%lu)",
 706                            (unsigned long) len, (unsigned long) left);
 707                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 708                                    TLS_ALERT_DECODE_ERROR);
 709                 return -1;
 710         }
 711
 712         end = pos + len;
 713
 714         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 715                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 716                            "message %d (expected ClientKeyExchange)", type);
 717                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 718                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 719                 return -1;
 720         }
 721
 722         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
 723
 724         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 725
 726         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 727         if (suite == NULL)
 728                 keyx = TLS_KEY_X_NULL;
 729         else
 730                 keyx = suite->key_exchange;
 731
 732         if (keyx == TLS_KEY_X_DH_anon &&
 733             tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
 734                 return -1;
 735
 736         if (keyx != TLS_KEY_X_DH_anon &&
 737             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 738                 return -1;
 739
 740         *in_len = end - in_data;
 741
 742         conn->state = CERTIFICATE_VERIFY;
 743
 744         return 0;
 745 }
 746
 747
 748 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 749                                           const u8 *in_data, size_t *in_len)
 750 {
 751         const u8 *pos, *end;
 752         size_t left, len;
 753         u8 type;
 754         size_t hlen, buflen;
 755         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
 756         enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 757         u16 slen;
 758
 759         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 760                 if (conn->verify_peer) {
 761                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 762                                    "CertificateVerify");
 763                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 764                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 765                         return -1;
 766                 }
 767
 768                 return tls_process_change_cipher_spec(conn, ct, in_data,
 769                                                       in_len);
 770         }
 771
 772         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 773                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 774                            "received content type 0x%x", ct);
 775                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 776                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 777                 return -1;
 778         }
 779
 780         pos = in_data;
 781         left = *in_len;
 782
 783         if (left < 4) {
 784                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
 785                            "message (len=%lu)", (unsigned long) left);
 786                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 787                                    TLS_ALERT_DECODE_ERROR);
 788                 return -1;
 789         }
 790
 791         type = *pos++;
 792         len = WPA_GET_BE24(pos);
 793         pos += 3;
 794         left -= 4;
 795
 796         if (len > left) {
 797                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
 798                            "message length (len=%lu != left=%lu)",
 799                            (unsigned long) len, (unsigned long) left);
 800                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 801                                    TLS_ALERT_DECODE_ERROR);
 802                 return -1;
 803         }
 804
 805         end = pos + len;
 806
 807         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 808                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 809                            "message %d (expected CertificateVerify)", type);
 810                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 811                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 812                 return -1;
 813         }
 814
 815         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
 816
 817         /*
 818          * struct {
 819          *   Signature signature;
 820          * } CertificateVerify;
 821          */
 822
 823         hpos = hash;
 824
 825         if (alg == SIGN_ALG_RSA) {
 826                 hlen = MD5_MAC_LEN;
 827                 if (conn->verify.md5_cert == NULL ||
 828                     crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
 829                 {
 830                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 831                                            TLS_ALERT_INTERNAL_ERROR);
 832                         conn->verify.md5_cert = NULL;
 833                         crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 834                         conn->verify.sha1_cert = NULL;
 835                         return -1;
 836                 }
 837                 hpos += MD5_MAC_LEN;
 838         } else
 839                 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
 840
 841         conn->verify.md5_cert = NULL;
 842         hlen = SHA1_MAC_LEN;
 843         if (conn->verify.sha1_cert == NULL ||
 844             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 845                 conn->verify.sha1_cert = NULL;
 846                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 847                                    TLS_ALERT_INTERNAL_ERROR);
 848                 return -1;
 849         }
 850         conn->verify.sha1_cert = NULL;
 851
 852         if (alg == SIGN_ALG_RSA)
 853                 hlen += MD5_MAC_LEN;
 854
 855         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 856
 857         if (end - pos < 2) {
 858                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 859                                    TLS_ALERT_DECODE_ERROR);
 860                 return -1;
 861         }
 862         slen = WPA_GET_BE16(pos);
 863         pos += 2;
 864         if (end - pos < slen) {
 865                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 866                                    TLS_ALERT_DECODE_ERROR);
 867                 return -1;
 868         }
 869
 870         wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 871         if (conn->client_rsa_key == NULL) {
 872                 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
 873                            "signature");
 874                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 875                                    TLS_ALERT_INTERNAL_ERROR);
 876                 return -1;
 877         }
 878
 879         buflen = end - pos;
 880         buf = os_malloc(end - pos);
 881         if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
 882                                             pos, end - pos, buf, &buflen) < 0)
 883         {
 884                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 885                 os_free(buf);
 886                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 887                                    TLS_ALERT_DECRYPT_ERROR);
 888                 return -1;
 889         }
 890
 891         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 892                         buf, buflen);
 893
 894         if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
 895                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
 896                            "CertificateVerify - did not match with calculated "
 897                            "hash");
 898                 os_free(buf);
 899                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 900                                    TLS_ALERT_DECRYPT_ERROR);
 901                 return -1;
 902         }
 903
 904         os_free(buf);
 905
 906         *in_len = end - in_data;
 907
 908         conn->state = CHANGE_CIPHER_SPEC;
 909
 910         return 0;
 911 }
 912
 913
 914 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 915                                           u8 ct, const u8 *in_data,
 916                                           size_t *in_len)
 917 {
 918         const u8 *pos;
 919         size_t left;
 920
 921         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 922                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 923                            "received content type 0x%x", ct);
 924                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 925                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 926                 return -1;
 927         }
 928
 929         pos = in_data;
 930         left = *in_len;
 931
 932         if (left < 1) {
 933                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 934                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 935                                    TLS_ALERT_DECODE_ERROR);
 936                 return -1;
 937         }
 938
 939         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 940                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 941                            "received data 0x%x", *pos);
 942                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 943                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 944                 return -1;
 945         }
 946
 947         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 948         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 949                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 950                            "for record layer");
 951                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 952                                    TLS_ALERT_INTERNAL_ERROR);
 953                 return -1;
 954         }
 955
 956         *in_len = pos + 1 - in_data;
 957
 958         conn->state = CLIENT_FINISHED;
 959
 960         return 0;
 961 }
 962
 963
 964 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 965                                        const u8 *in_data, size_t *in_len)
 966 {
 967         const u8 *pos, *end;
 968         size_t left, len, hlen;
 969         u8 verify_data[TLS_VERIFY_DATA_LEN];
 970         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 971
 972         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 973                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 974                            "received content type 0x%x", ct);
 975                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 976                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 977                 return -1;
 978         }
 979
 980         pos = in_data;
 981         left = *in_len;
 982
 983         if (left < 4) {
 984                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 985                            "Finished",
 986                            (unsigned long) left);
 987                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 988                                    TLS_ALERT_DECODE_ERROR);
 989                 return -1;
 990         }
 991
 992         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 993                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 994                            "type 0x%x", pos[0]);
 995                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 996                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 997                 return -1;
 998         }
 999
1000         len = WPA_GET_BE24(pos + 1);
1001
1002         pos += 4;
1003         left -= 4;
1004
1005         if (len > left) {
1006                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1007                            "(len=%lu > left=%lu)",
1008                            (unsigned long) len, (unsigned long) left);
1009                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1010                                    TLS_ALERT_DECODE_ERROR);
1011                 return -1;
1012         }
1013         end = pos + len;
1014         if (len != TLS_VERIFY_DATA_LEN) {
1015                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1016                            "in Finished: %lu (expected %d)",
1017                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1018                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1019                                    TLS_ALERT_DECODE_ERROR);
1020                 return -1;
1021         }
1022         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1023                     pos, TLS_VERIFY_DATA_LEN);
1024
1025         hlen = MD5_MAC_LEN;
1026         if (conn->verify.md5_client == NULL ||
1027             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1028                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1029                                    TLS_ALERT_INTERNAL_ERROR);
1030                 conn->verify.md5_client = NULL;
1031                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1032                 conn->verify.sha1_client = NULL;
1033                 return -1;
1034         }
1035         conn->verify.md5_client = NULL;
1036         hlen = SHA1_MAC_LEN;
1037         if (conn->verify.sha1_client == NULL ||
1038             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1039                                &hlen) < 0) {
1040                 conn->verify.sha1_client = NULL;
1041                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1042                                    TLS_ALERT_INTERNAL_ERROR);
1043                 return -1;
1044         }
1045         conn->verify.sha1_client = NULL;
1046
1047         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1048                     "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1049                     verify_data, TLS_VERIFY_DATA_LEN)) {
1050                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1051                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1052                                    TLS_ALERT_DECRYPT_ERROR);
1053                 return -1;
1054         }
1055         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1056                         verify_data, TLS_VERIFY_DATA_LEN);
1057
1058         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1059                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1060                 return -1;
1061         }
1062
1063         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1064
1065         *in_len = end - in_data;
1066
1067         if (conn->use_session_ticket) {
1068                 /* Abbreviated handshake using session ticket; RFC 4507 */
1069                 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1070                            "successfully");
1071                 conn->state = ESTABLISHED;
1072         } else {
1073                 /* Full handshake */
1074                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1075         }
1076
1077         return 0;
1078 }
1079
1080
1081 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1082                                    const u8 *buf, size_t *len)
1083 {
1084         if (ct == TLS_CONTENT_TYPE_ALERT) {
1085                 if (*len < 2) {
1086                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1087                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1088                                            TLS_ALERT_DECODE_ERROR);
1089                         return -1;
1090                 }
1091                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1092                            buf[0], buf[1]);
1093                 *len = 2;
1094                 conn->state = FAILED;
1095                 return -1;
1096         }
1097
1098         switch (conn->state) {
1099         case CLIENT_HELLO:
1100                 if (tls_process_client_hello(conn, ct, buf, len))
1101                         return -1;
1102                 break;
1103         case CLIENT_CERTIFICATE:
1104                 if (tls_process_certificate(conn, ct, buf, len))
1105                         return -1;
1106                 break;
1107         case CLIENT_KEY_EXCHANGE:
1108                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1109                         return -1;
1110                 break;
1111         case CERTIFICATE_VERIFY:
1112                 if (tls_process_certificate_verify(conn, ct, buf, len))
1113                         return -1;
1114                 break;
1115         case CHANGE_CIPHER_SPEC:
1116                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1117                         return -1;
1118                 break;
1119         case CLIENT_FINISHED:
1120                 if (tls_process_client_finished(conn, ct, buf, len))
1121                         return -1;
1122                 break;
1123         default:
1124                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1125                            "while processing received message",
1126                            conn->state);
1127                 return -1;
1128         }
1129
1130         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1131                 tls_verify_hash_add(&conn->verify, buf, *len);
1132
1133         return 0;
1134 }