1 /*
2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21
22
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 u8 ct, const u8 *in_data,
27 size_t *in_len);
28
29
testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33 if ((conn->test_flags &
34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44
45 return 0;
46 }
47
48
tls_process_status_request_item(struct tlsv1_server * conn,const u8 * req,size_t req_len)49 static void tls_process_status_request_item(struct tlsv1_server *conn,
50 const u8 *req, size_t req_len)
51 {
52 const u8 *pos, *end;
53 u8 status_type;
54
55 pos = req;
56 end = req + req_len;
57
58 /*
59 * RFC 6961, 2.2:
60 * struct {
61 * CertificateStatusType status_type;
62 * uint16 request_length;
63 * select (status_type) {
64 * case ocsp: OCSPStatusRequest;
65 * case ocsp_multi: OCSPStatusRequest;
66 * } request;
67 * } CertificateStatusRequestItemV2;
68 *
69 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
70 */
71
72 if (end - pos < 1)
73 return; /* Truncated data */
74
75 status_type = *pos++;
76 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77 if (status_type != 1 && status_type != 2)
78 return; /* Unsupported status type */
79 /*
80 * For now, only OCSP stapling is supported, so ignore the specific
81 * request, if any.
82 */
83 wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
84
85 if (status_type == 2)
86 conn->status_request_multi = 1;
87 }
88
89
tls_process_status_request_v2(struct tlsv1_server * conn,const u8 * ext,size_t ext_len)90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
91 const u8 *ext, size_t ext_len)
92 {
93 const u8 *pos, *end;
94
95 conn->status_request_v2 = 1;
96
97 pos = ext;
98 end = ext + ext_len;
99
100 /*
101 * RFC 6961, 2.2:
102 * struct {
103 * CertificateStatusRequestItemV2
104 * certificate_status_req_list<1..2^16-1>;
105 * } CertificateStatusRequestListV2;
106 */
107
108 while (end - pos >= 2) {
109 u16 len;
110
111 len = WPA_GET_BE16(pos);
112 pos += 2;
113 if (len > end - pos)
114 break; /* Truncated data */
115 tls_process_status_request_item(conn, pos, len);
116 pos += len;
117 }
118 }
119
120
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
122 const u8 *in_data, size_t *in_len)
123 {
124 const u8 *pos, *end, *c;
125 size_t left, len, i, j;
126 u16 cipher_suite;
127 u16 num_suites;
128 int compr_null_found;
129 u16 ext_type, ext_len;
130
131 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
132 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
133 ct);
134 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
135 TLS_ALERT_UNEXPECTED_MESSAGE);
136 return -1;
137 }
138
139 pos = in_data;
140 left = *in_len;
141
142 if (left < 4) {
143 tlsv1_server_log(conn,
144 "Truncated handshake message (expected ClientHello)");
145 goto decode_error;
146 }
147
148 /* HandshakeType msg_type */
149 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
150 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
151 *pos);
152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 TLS_ALERT_UNEXPECTED_MESSAGE);
154 return -1;
155 }
156 tlsv1_server_log(conn, "Received ClientHello");
157 pos++;
158 /* uint24 length */
159 len = WPA_GET_BE24(pos);
160 pos += 3;
161 left -= 4;
162
163 if (len > left) {
164 tlsv1_server_log(conn,
165 "Truncated ClientHello (len=%d left=%d)",
166 (int) len, (int) left);
167 goto decode_error;
168 }
169
170 /* body - ClientHello */
171
172 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
173 end = pos + len;
174
175 /* ProtocolVersion client_version */
176 if (end - pos < 2) {
177 tlsv1_server_log(conn, "Truncated ClientHello/client_version");
178 goto decode_error;
179 }
180 conn->client_version = WPA_GET_BE16(pos);
181 tlsv1_server_log(conn, "Client version %d.%d",
182 conn->client_version >> 8,
183 conn->client_version & 0xff);
184 if (conn->client_version < TLS_VERSION_1) {
185 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
186 conn->client_version >> 8,
187 conn->client_version & 0xff);
188 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
189 TLS_ALERT_PROTOCOL_VERSION);
190 return -1;
191 }
192 pos += 2;
193
194 if (TLS_VERSION == TLS_VERSION_1)
195 conn->rl.tls_version = TLS_VERSION_1;
196 #ifdef CONFIG_TLSV12
197 else if (conn->client_version >= TLS_VERSION_1_2)
198 conn->rl.tls_version = TLS_VERSION_1_2;
199 #endif /* CONFIG_TLSV12 */
200 else if (conn->client_version > TLS_VERSION_1_1)
201 conn->rl.tls_version = TLS_VERSION_1_1;
202 else
203 conn->rl.tls_version = conn->client_version;
204 tlsv1_server_log(conn, "Using TLS v%s",
205 tls_version_str(conn->rl.tls_version));
206
207 /* Random random */
208 if (end - pos < TLS_RANDOM_LEN) {
209 tlsv1_server_log(conn, "Truncated ClientHello/client_random");
210 goto decode_error;
211 }
212
213 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
214 pos += TLS_RANDOM_LEN;
215 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
216 conn->client_random, TLS_RANDOM_LEN);
217
218 /* SessionID session_id */
219 if (end - pos < 1) {
220 tlsv1_server_log(conn, "Truncated ClientHello/session_id len");
221 goto decode_error;
222 }
223 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) {
224 tlsv1_server_log(conn, "Truncated ClientHello/session_id");
225 goto decode_error;
226 }
227 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
228 pos += 1 + *pos;
229 /* TODO: add support for session resumption */
230
231 /* CipherSuite cipher_suites<2..2^16-1> */
232 if (end - pos < 2) {
233 tlsv1_server_log(conn,
234 "Truncated ClientHello/cipher_suites len");
235 goto decode_error;
236 }
237 num_suites = WPA_GET_BE16(pos);
238 pos += 2;
239 if (end - pos < num_suites) {
240 tlsv1_server_log(conn, "Truncated ClientHello/cipher_suites");
241 goto decode_error;
242 }
243 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
244 pos, num_suites);
245 if (num_suites & 1) {
246 tlsv1_server_log(conn, "Odd len ClientHello/cipher_suites");
247 goto decode_error;
248 }
249 num_suites /= 2;
250
251 cipher_suite = 0;
252 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
253 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
254 continue;
255 c = pos;
256 for (j = 0; j < num_suites; j++) {
257 u16 tmp = WPA_GET_BE16(c);
258 c += 2;
259 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
260 cipher_suite = tmp;
261 break;
262 }
263 }
264 }
265 pos += num_suites * 2;
266 if (!cipher_suite) {
267 tlsv1_server_log(conn, "No supported cipher suite available");
268 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 TLS_ALERT_ILLEGAL_PARAMETER);
270 return -1;
271 }
272
273 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
274 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
275 "record layer");
276 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
277 TLS_ALERT_INTERNAL_ERROR);
278 return -1;
279 }
280
281 conn->cipher_suite = cipher_suite;
282
283 /* CompressionMethod compression_methods<1..2^8-1> */
284 if (end - pos < 1) {
285 tlsv1_server_log(conn,
286 "Truncated ClientHello/compression_methods len");
287 goto decode_error;
288 }
289 num_suites = *pos++;
290 if (end - pos < num_suites) {
291 tlsv1_server_log(conn,
292 "Truncated ClientHello/compression_methods");
293 goto decode_error;
294 }
295 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
296 pos, num_suites);
297 compr_null_found = 0;
298 for (i = 0; i < num_suites; i++) {
299 if (*pos++ == TLS_COMPRESSION_NULL)
300 compr_null_found = 1;
301 }
302 if (!compr_null_found) {
303 tlsv1_server_log(conn, "Client does not accept NULL compression");
304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 TLS_ALERT_ILLEGAL_PARAMETER);
306 return -1;
307 }
308
309 if (end - pos == 1) {
310 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
311 *pos);
312 goto decode_error;
313 }
314
315 if (end - pos >= 2) {
316 /* Extension client_hello_extension_list<0..2^16-1> */
317 ext_len = WPA_GET_BE16(pos);
318 pos += 2;
319
320 tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
321 ext_len);
322 if (end - pos != ext_len) {
323 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
324 ext_len, (unsigned int) (end - pos));
325 goto decode_error;
326 }
327
328 /*
329 * struct {
330 * ExtensionType extension_type (0..65535)
331 * opaque extension_data<0..2^16-1>
332 * } Extension;
333 */
334
335 while (pos < end) {
336 if (end - pos < 2) {
337 tlsv1_server_log(conn, "Invalid extension_type field");
338 goto decode_error;
339 }
340
341 ext_type = WPA_GET_BE16(pos);
342 pos += 2;
343
344 if (end - pos < 2) {
345 tlsv1_server_log(conn, "Invalid extension_data length field");
346 goto decode_error;
347 }
348
349 ext_len = WPA_GET_BE16(pos);
350 pos += 2;
351
352 if (end - pos < ext_len) {
353 tlsv1_server_log(conn, "Invalid extension_data field");
354 goto decode_error;
355 }
356
357 tlsv1_server_log(conn, "ClientHello Extension type %u",
358 ext_type);
359 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
360 "Extension data", pos, ext_len);
361
362 if (ext_type == TLS_EXT_SESSION_TICKET) {
363 os_free(conn->session_ticket);
364 conn->session_ticket = os_malloc(ext_len);
365 if (conn->session_ticket) {
366 os_memcpy(conn->session_ticket, pos,
367 ext_len);
368 conn->session_ticket_len = ext_len;
369 }
370 } else if (ext_type == TLS_EXT_STATUS_REQUEST) {
371 conn->status_request = 1;
372 } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
373 tls_process_status_request_v2(conn, pos,
374 ext_len);
375 }
376
377 pos += ext_len;
378 }
379 }
380
381 *in_len = end - in_data;
382
383 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
384 conn->state = SERVER_HELLO;
385
386 return 0;
387
388 decode_error:
389 tlsv1_server_log(conn, "Failed to decode ClientHello");
390 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
391 TLS_ALERT_DECODE_ERROR);
392 return -1;
393 }
394
395
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)396 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
397 const u8 *in_data, size_t *in_len)
398 {
399 const u8 *pos, *end;
400 size_t left, len, list_len, cert_len, idx;
401 u8 type;
402 struct x509_certificate *chain = NULL, *last = NULL, *cert;
403 int reason;
404
405 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
406 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
407 ct);
408 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 TLS_ALERT_UNEXPECTED_MESSAGE);
410 return -1;
411 }
412
413 pos = in_data;
414 left = *in_len;
415
416 if (left < 4) {
417 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
418 (unsigned long) left);
419 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420 TLS_ALERT_DECODE_ERROR);
421 return -1;
422 }
423
424 type = *pos++;
425 len = WPA_GET_BE24(pos);
426 pos += 3;
427 left -= 4;
428
429 if (len > left) {
430 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
431 (unsigned long) len, (unsigned long) left);
432 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
433 TLS_ALERT_DECODE_ERROR);
434 return -1;
435 }
436
437 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
438 if (conn->verify_peer) {
439 tlsv1_server_log(conn, "Client did not include Certificate");
440 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
441 TLS_ALERT_UNEXPECTED_MESSAGE);
442 return -1;
443 }
444
445 return tls_process_client_key_exchange(conn, ct, in_data,
446 in_len);
447 }
448 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
449 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
450 type);
451 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 TLS_ALERT_UNEXPECTED_MESSAGE);
453 return -1;
454 }
455
456 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
457 (unsigned long) len);
458
459 /*
460 * opaque ASN.1Cert<2^24-1>;
461 *
462 * struct {
463 * ASN.1Cert certificate_list<1..2^24-1>;
464 * } Certificate;
465 */
466
467 end = pos + len;
468
469 if (end - pos < 3) {
470 tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
471 (unsigned long) left);
472 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 TLS_ALERT_DECODE_ERROR);
474 return -1;
475 }
476
477 list_len = WPA_GET_BE24(pos);
478 pos += 3;
479
480 if ((size_t) (end - pos) != list_len) {
481 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
482 (unsigned long) list_len,
483 (unsigned long) (end - pos));
484 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
485 TLS_ALERT_DECODE_ERROR);
486 return -1;
487 }
488
489 idx = 0;
490 while (pos < end) {
491 if (end - pos < 3) {
492 tlsv1_server_log(conn, "Failed to parse certificate_list");
493 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
494 TLS_ALERT_DECODE_ERROR);
495 x509_certificate_chain_free(chain);
496 return -1;
497 }
498
499 cert_len = WPA_GET_BE24(pos);
500 pos += 3;
501
502 if ((size_t) (end - pos) < cert_len) {
503 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
504 (unsigned long) cert_len,
505 (unsigned long) (end - pos));
506 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
507 TLS_ALERT_DECODE_ERROR);
508 x509_certificate_chain_free(chain);
509 return -1;
510 }
511
512 tlsv1_server_log(conn, "Certificate %lu (len %lu)",
513 (unsigned long) idx, (unsigned long) cert_len);
514
515 if (idx == 0) {
516 crypto_public_key_free(conn->client_rsa_key);
517 if (tls_parse_cert(pos, cert_len,
518 &conn->client_rsa_key)) {
519 tlsv1_server_log(conn, "Failed to parse the certificate");
520 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
521 TLS_ALERT_BAD_CERTIFICATE);
522 x509_certificate_chain_free(chain);
523 return -1;
524 }
525 }
526
527 cert = x509_certificate_parse(pos, cert_len);
528 if (cert == NULL) {
529 tlsv1_server_log(conn, "Failed to parse the certificate");
530 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
531 TLS_ALERT_BAD_CERTIFICATE);
532 x509_certificate_chain_free(chain);
533 return -1;
534 }
535
536 if (last == NULL)
537 chain = cert;
538 else
539 last->next = cert;
540 last = cert;
541
542 idx++;
543 pos += cert_len;
544 }
545
546 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
547 &reason, 0) < 0) {
548 int tls_reason;
549 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
550 reason);
551 switch (reason) {
552 case X509_VALIDATE_BAD_CERTIFICATE:
553 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
554 break;
555 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
556 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
557 break;
558 case X509_VALIDATE_CERTIFICATE_REVOKED:
559 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
560 break;
561 case X509_VALIDATE_CERTIFICATE_EXPIRED:
562 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
563 break;
564 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
565 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
566 break;
567 case X509_VALIDATE_UNKNOWN_CA:
568 tls_reason = TLS_ALERT_UNKNOWN_CA;
569 break;
570 default:
571 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
572 break;
573 }
574 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
575 x509_certificate_chain_free(chain);
576 return -1;
577 }
578
579 if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
580 !(chain->ext_key_usage &
581 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
582 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
583 TLS_ALERT_BAD_CERTIFICATE);
584 x509_certificate_chain_free(chain);
585 return -1;
586 }
587
588 x509_certificate_chain_free(chain);
589
590 *in_len = end - in_data;
591
592 conn->state = CLIENT_KEY_EXCHANGE;
593
594 return 0;
595 }
596
597
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)598 static int tls_process_client_key_exchange_rsa(
599 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
600 {
601 u8 *out;
602 size_t outlen, outbuflen;
603 u16 encr_len;
604 int res;
605 int use_random = 0;
606
607 if (end - pos < 2) {
608 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
609 TLS_ALERT_DECODE_ERROR);
610 return -1;
611 }
612
613 encr_len = WPA_GET_BE16(pos);
614 pos += 2;
615 if (pos + encr_len > end) {
616 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
617 encr_len, (unsigned int) (end - pos));
618 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
619 TLS_ALERT_DECODE_ERROR);
620 return -1;
621 }
622
623 outbuflen = outlen = end - pos;
624 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
625 outlen : TLS_PRE_MASTER_SECRET_LEN);
626 if (out == NULL) {
627 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628 TLS_ALERT_INTERNAL_ERROR);
629 return -1;
630 }
631
632 /*
633 * struct {
634 * ProtocolVersion client_version;
635 * opaque random[46];
636 * } PreMasterSecret;
637 *
638 * struct {
639 * public-key-encrypted PreMasterSecret pre_master_secret;
640 * } EncryptedPreMasterSecret;
641 */
642
643 /*
644 * Note: To avoid Bleichenbacher attack, we do not report decryption or
645 * parsing errors from EncryptedPreMasterSecret processing to the
646 * client. Instead, a random pre-master secret is used to force the
647 * handshake to fail.
648 */
649
650 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
651 pos, encr_len,
652 out, &outlen) < 0) {
653 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
654 "PreMasterSecret (encr_len=%u outlen=%lu)",
655 encr_len, (unsigned long) outlen);
656 use_random = 1;
657 }
658
659 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
660 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
661 (unsigned long) outlen);
662 use_random = 1;
663 }
664
665 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
666 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
667 use_random = 1;
668 }
669
670 if (use_random) {
671 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
672 "to avoid revealing information about private key");
673 outlen = TLS_PRE_MASTER_SECRET_LEN;
674 if (os_get_random(out, outlen)) {
675 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
676 "data");
677 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
678 TLS_ALERT_INTERNAL_ERROR);
679 os_free(out);
680 return -1;
681 }
682 }
683
684 res = tlsv1_server_derive_keys(conn, out, outlen);
685
686 /* Clear the pre-master secret since it is not needed anymore */
687 os_memset(out, 0, outbuflen);
688 os_free(out);
689
690 if (res) {
691 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
692 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
693 TLS_ALERT_INTERNAL_ERROR);
694 return -1;
695 }
696
697 return 0;
698 }
699
700
tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)701 static int tls_process_client_key_exchange_dh(
702 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
703 {
704 const u8 *dh_yc;
705 u16 dh_yc_len;
706 u8 *shared;
707 size_t shared_len;
708 int res;
709 const u8 *dh_p;
710 size_t dh_p_len;
711
712 /*
713 * struct {
714 * select (PublicValueEncoding) {
715 * case implicit: struct { };
716 * case explicit: opaque dh_Yc<1..2^16-1>;
717 * } dh_public;
718 * } ClientDiffieHellmanPublic;
719 */
720
721 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
722 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
723 pos, end - pos);
724
725 if (end == pos) {
726 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
727 "not supported");
728 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
729 TLS_ALERT_INTERNAL_ERROR);
730 return -1;
731 }
732
733 if (end - pos < 3) {
734 tlsv1_server_log(conn, "Invalid client public value length");
735 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 TLS_ALERT_DECODE_ERROR);
737 return -1;
738 }
739
740 dh_yc_len = WPA_GET_BE16(pos);
741 dh_yc = pos + 2;
742
743 if (dh_yc_len > end - dh_yc) {
744 tlsv1_server_log(conn, "Client public value overflow (length %d)",
745 dh_yc_len);
746 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
747 TLS_ALERT_DECODE_ERROR);
748 return -1;
749 }
750
751 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
752 dh_yc, dh_yc_len);
753
754 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
755 conn->dh_secret == NULL) {
756 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
757 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
758 TLS_ALERT_INTERNAL_ERROR);
759 return -1;
760 }
761
762 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
763
764 shared_len = dh_p_len;
765 shared = os_malloc(shared_len);
766 if (shared == NULL) {
767 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
768 "DH");
769 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
770 TLS_ALERT_INTERNAL_ERROR);
771 return -1;
772 }
773
774 /* shared = Yc^secret mod p */
775 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
776 conn->dh_secret_len, dh_p, dh_p_len,
777 shared, &shared_len)) {
778 os_free(shared);
779 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
780 TLS_ALERT_INTERNAL_ERROR);
781 return -1;
782 }
783 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
784 shared, shared_len);
785
786 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
787 os_free(conn->dh_secret);
788 conn->dh_secret = NULL;
789
790 res = tlsv1_server_derive_keys(conn, shared, shared_len);
791
792 /* Clear the pre-master secret since it is not needed anymore */
793 os_memset(shared, 0, shared_len);
794 os_free(shared);
795
796 if (res) {
797 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
798 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
799 TLS_ALERT_INTERNAL_ERROR);
800 return -1;
801 }
802
803 return 0;
804 }
805
806
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)807 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
808 const u8 *in_data, size_t *in_len)
809 {
810 const u8 *pos, *end;
811 size_t left, len;
812 u8 type;
813 tls_key_exchange keyx;
814 const struct tls_cipher_suite *suite;
815
816 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
817 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
818 ct);
819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820 TLS_ALERT_UNEXPECTED_MESSAGE);
821 return -1;
822 }
823
824 pos = in_data;
825 left = *in_len;
826
827 if (left < 4) {
828 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
829 (unsigned long) left);
830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831 TLS_ALERT_DECODE_ERROR);
832 return -1;
833 }
834
835 type = *pos++;
836 len = WPA_GET_BE24(pos);
837 pos += 3;
838 left -= 4;
839
840 if (len > left) {
841 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
842 (unsigned long) len, (unsigned long) left);
843 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
844 TLS_ALERT_DECODE_ERROR);
845 return -1;
846 }
847
848 end = pos + len;
849
850 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
851 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
852 type);
853 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
854 TLS_ALERT_UNEXPECTED_MESSAGE);
855 return -1;
856 }
857
858 tlsv1_server_log(conn, "Received ClientKeyExchange");
859
860 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
861
862 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
863 if (suite == NULL)
864 keyx = TLS_KEY_X_NULL;
865 else
866 keyx = suite->key_exchange;
867
868 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
869 tls_process_client_key_exchange_dh(conn, pos, end) < 0)
870 return -1;
871
872 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
873 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
874 return -1;
875
876 *in_len = end - in_data;
877
878 conn->state = CERTIFICATE_VERIFY;
879
880 return 0;
881 }
882
883
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)884 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
885 const u8 *in_data, size_t *in_len)
886 {
887 const u8 *pos, *end;
888 size_t left, len;
889 u8 type;
890 size_t hlen;
891 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
892 u8 alert;
893
894 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
895 if (conn->verify_peer) {
896 tlsv1_server_log(conn, "Client did not include CertificateVerify");
897 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
898 TLS_ALERT_UNEXPECTED_MESSAGE);
899 return -1;
900 }
901
902 return tls_process_change_cipher_spec(conn, ct, in_data,
903 in_len);
904 }
905
906 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
907 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
908 ct);
909 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
910 TLS_ALERT_UNEXPECTED_MESSAGE);
911 return -1;
912 }
913
914 pos = in_data;
915 left = *in_len;
916
917 if (left < 4) {
918 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
919 (unsigned long) left);
920 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
921 TLS_ALERT_DECODE_ERROR);
922 return -1;
923 }
924
925 type = *pos++;
926 len = WPA_GET_BE24(pos);
927 pos += 3;
928 left -= 4;
929
930 if (len > left) {
931 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
932 (unsigned long) len, (unsigned long) left);
933 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
934 TLS_ALERT_DECODE_ERROR);
935 return -1;
936 }
937
938 end = pos + len;
939
940 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
941 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
942 type);
943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944 TLS_ALERT_UNEXPECTED_MESSAGE);
945 return -1;
946 }
947
948 tlsv1_server_log(conn, "Received CertificateVerify");
949
950 /*
951 * struct {
952 * Signature signature;
953 * } CertificateVerify;
954 */
955
956 hpos = hash;
957
958 #ifdef CONFIG_TLSV12
959 if (conn->rl.tls_version == TLS_VERSION_1_2) {
960 /*
961 * RFC 5246, 4.7:
962 * TLS v1.2 adds explicit indication of the used signature and
963 * hash algorithms.
964 *
965 * struct {
966 * HashAlgorithm hash;
967 * SignatureAlgorithm signature;
968 * } SignatureAndHashAlgorithm;
969 */
970 if (end - pos < 2) {
971 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
972 TLS_ALERT_DECODE_ERROR);
973 return -1;
974 }
975 if (pos[0] != TLS_HASH_ALG_SHA256 ||
976 pos[1] != TLS_SIGN_ALG_RSA) {
977 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
978 "signature(%u) algorithm",
979 pos[0], pos[1]);
980 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
981 TLS_ALERT_INTERNAL_ERROR);
982 return -1;
983 }
984 pos += 2;
985
986 hlen = SHA256_MAC_LEN;
987 if (conn->verify.sha256_cert == NULL ||
988 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
989 0) {
990 conn->verify.sha256_cert = NULL;
991 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 TLS_ALERT_INTERNAL_ERROR);
993 return -1;
994 }
995 conn->verify.sha256_cert = NULL;
996 } else {
997 #endif /* CONFIG_TLSV12 */
998
999 hlen = MD5_MAC_LEN;
1000 if (conn->verify.md5_cert == NULL ||
1001 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
1002 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1003 TLS_ALERT_INTERNAL_ERROR);
1004 conn->verify.md5_cert = NULL;
1005 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
1006 conn->verify.sha1_cert = NULL;
1007 return -1;
1008 }
1009 hpos += MD5_MAC_LEN;
1010
1011 conn->verify.md5_cert = NULL;
1012 hlen = SHA1_MAC_LEN;
1013 if (conn->verify.sha1_cert == NULL ||
1014 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
1015 conn->verify.sha1_cert = NULL;
1016 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1017 TLS_ALERT_INTERNAL_ERROR);
1018 return -1;
1019 }
1020 conn->verify.sha1_cert = NULL;
1021
1022 hlen += MD5_MAC_LEN;
1023
1024 #ifdef CONFIG_TLSV12
1025 }
1026 #endif /* CONFIG_TLSV12 */
1027
1028 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1029
1030 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1031 hash, hlen, pos, end - pos, &alert) < 0) {
1032 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1033 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1034 return -1;
1035 }
1036
1037 *in_len = end - in_data;
1038
1039 conn->state = CHANGE_CIPHER_SPEC;
1040
1041 return 0;
1042 }
1043
1044
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1045 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1046 u8 ct, const u8 *in_data,
1047 size_t *in_len)
1048 {
1049 const u8 *pos;
1050 size_t left;
1051
1052 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1053 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1054 ct);
1055 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056 TLS_ALERT_UNEXPECTED_MESSAGE);
1057 return -1;
1058 }
1059
1060 pos = in_data;
1061 left = *in_len;
1062
1063 if (left < 1) {
1064 tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1065 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1066 TLS_ALERT_DECODE_ERROR);
1067 return -1;
1068 }
1069
1070 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1071 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1072 *pos);
1073 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 TLS_ALERT_UNEXPECTED_MESSAGE);
1075 return -1;
1076 }
1077
1078 tlsv1_server_log(conn, "Received ChangeCipherSpec");
1079 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1080 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1081 "for record layer");
1082 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1083 TLS_ALERT_INTERNAL_ERROR);
1084 return -1;
1085 }
1086
1087 *in_len = pos + 1 - in_data;
1088
1089 conn->state = CLIENT_FINISHED;
1090
1091 return 0;
1092 }
1093
1094
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1095 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1096 const u8 *in_data, size_t *in_len)
1097 {
1098 const u8 *pos, *end;
1099 size_t left, len, hlen;
1100 u8 verify_data[TLS_VERIFY_DATA_LEN];
1101 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1102
1103 #ifdef CONFIG_TESTING_OPTIONS
1104 if ((conn->test_flags &
1105 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1106 !conn->test_failure_reported) {
1107 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1108 conn->test_failure_reported = 1;
1109 }
1110
1111 if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1112 !conn->test_failure_reported) {
1113 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1114 conn->test_failure_reported = 1;
1115 }
1116
1117 if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1118 !conn->test_failure_reported) {
1119 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1120 conn->test_failure_reported = 1;
1121 }
1122
1123 if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1124 !conn->test_failure_reported) {
1125 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1126 conn->test_failure_reported = 1;
1127 }
1128
1129 if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1130 !conn->test_failure_reported) {
1131 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1132 conn->test_failure_reported = 1;
1133 }
1134
1135 if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1136 !conn->test_failure_reported) {
1137 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1138 conn->test_failure_reported = 1;
1139 }
1140 #endif /* CONFIG_TESTING_OPTIONS */
1141
1142 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1143 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1144 ct);
1145 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1146 TLS_ALERT_UNEXPECTED_MESSAGE);
1147 return -1;
1148 }
1149
1150 pos = in_data;
1151 left = *in_len;
1152
1153 if (left < 4) {
1154 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1155 (unsigned long) left);
1156 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1157 TLS_ALERT_DECODE_ERROR);
1158 return -1;
1159 }
1160
1161 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1162 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1163 "type 0x%x", pos[0]);
1164 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1165 TLS_ALERT_UNEXPECTED_MESSAGE);
1166 return -1;
1167 }
1168
1169 len = WPA_GET_BE24(pos + 1);
1170
1171 pos += 4;
1172 left -= 4;
1173
1174 if (len > left) {
1175 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1176 (unsigned long) len, (unsigned long) left);
1177 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1178 TLS_ALERT_DECODE_ERROR);
1179 return -1;
1180 }
1181 end = pos + len;
1182 if (len != TLS_VERIFY_DATA_LEN) {
1183 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1184 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1185 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1186 TLS_ALERT_DECODE_ERROR);
1187 return -1;
1188 }
1189 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1190 pos, TLS_VERIFY_DATA_LEN);
1191
1192 #ifdef CONFIG_TLSV12
1193 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1194 hlen = SHA256_MAC_LEN;
1195 if (conn->verify.sha256_client == NULL ||
1196 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1197 < 0) {
1198 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1199 TLS_ALERT_INTERNAL_ERROR);
1200 conn->verify.sha256_client = NULL;
1201 return -1;
1202 }
1203 conn->verify.sha256_client = NULL;
1204 } else {
1205 #endif /* CONFIG_TLSV12 */
1206
1207 hlen = MD5_MAC_LEN;
1208 if (conn->verify.md5_client == NULL ||
1209 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1210 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1211 TLS_ALERT_INTERNAL_ERROR);
1212 conn->verify.md5_client = NULL;
1213 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1214 conn->verify.sha1_client = NULL;
1215 return -1;
1216 }
1217 conn->verify.md5_client = NULL;
1218 hlen = SHA1_MAC_LEN;
1219 if (conn->verify.sha1_client == NULL ||
1220 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1221 &hlen) < 0) {
1222 conn->verify.sha1_client = NULL;
1223 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1224 TLS_ALERT_INTERNAL_ERROR);
1225 return -1;
1226 }
1227 conn->verify.sha1_client = NULL;
1228 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1229
1230 #ifdef CONFIG_TLSV12
1231 }
1232 #endif /* CONFIG_TLSV12 */
1233
1234 if (tls_prf(conn->rl.tls_version,
1235 conn->master_secret, TLS_MASTER_SECRET_LEN,
1236 "client finished", hash, hlen,
1237 verify_data, TLS_VERIFY_DATA_LEN)) {
1238 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1239 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1240 TLS_ALERT_DECRYPT_ERROR);
1241 return -1;
1242 }
1243 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1244 verify_data, TLS_VERIFY_DATA_LEN);
1245
1246 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1247 tlsv1_server_log(conn, "Mismatch in verify_data");
1248 conn->state = FAILED;
1249 return -1;
1250 }
1251
1252 tlsv1_server_log(conn, "Received Finished");
1253
1254 *in_len = end - in_data;
1255
1256 if (conn->use_session_ticket) {
1257 /* Abbreviated handshake using session ticket; RFC 4507 */
1258 tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1259 conn->state = ESTABLISHED;
1260 } else {
1261 /* Full handshake */
1262 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1263 }
1264
1265 return 0;
1266 }
1267
1268
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1269 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1270 const u8 *buf, size_t *len)
1271 {
1272 if (ct == TLS_CONTENT_TYPE_ALERT) {
1273 if (*len < 2) {
1274 tlsv1_server_log(conn, "Alert underflow");
1275 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276 TLS_ALERT_DECODE_ERROR);
1277 return -1;
1278 }
1279 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1280 *len = 2;
1281 conn->state = FAILED;
1282 return -1;
1283 }
1284
1285 switch (conn->state) {
1286 case CLIENT_HELLO:
1287 if (tls_process_client_hello(conn, ct, buf, len))
1288 return -1;
1289 break;
1290 case CLIENT_CERTIFICATE:
1291 if (tls_process_certificate(conn, ct, buf, len))
1292 return -1;
1293 break;
1294 case CLIENT_KEY_EXCHANGE:
1295 if (tls_process_client_key_exchange(conn, ct, buf, len))
1296 return -1;
1297 break;
1298 case CERTIFICATE_VERIFY:
1299 if (tls_process_certificate_verify(conn, ct, buf, len))
1300 return -1;
1301 break;
1302 case CHANGE_CIPHER_SPEC:
1303 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1304 return -1;
1305 break;
1306 case CLIENT_FINISHED:
1307 if (tls_process_client_finished(conn, ct, buf, len))
1308 return -1;
1309 break;
1310 default:
1311 tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1312 conn->state);
1313 return -1;
1314 }
1315
1316 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1317 tls_verify_hash_add(&conn->verify, buf, *len);
1318
1319 return 0;
1320 }
1321