1 /*
2 * TLS v1.0/v1.1/v1.2 server (RFC 2246, RFC 4346, RFC 5246)
3 * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "tlsv1_common.h"
15 #include "tlsv1_record.h"
16 #include "tlsv1_server.h"
17 #include "tlsv1_server_i.h"
18
19 /* TODO:
20 * Support for a message fragmented across several records (RFC 2246, 6.2.1)
21 */
22
23
tlsv1_server_log(struct tlsv1_server * conn,const char * fmt,...)24 void tlsv1_server_log(struct tlsv1_server *conn, const char *fmt, ...)
25 {
26 va_list ap;
27 char *buf;
28 int buflen;
29
30 va_start(ap, fmt);
31 buflen = vsnprintf(NULL, 0, fmt, ap) + 1;
32 va_end(ap);
33
34 buf = os_malloc(buflen);
35 if (buf == NULL)
36 return;
37 va_start(ap, fmt);
38 vsnprintf(buf, buflen, fmt, ap);
39 va_end(ap);
40
41 wpa_printf(MSG_DEBUG, "TLSv1: %s", buf);
42 if (conn->log_cb)
43 conn->log_cb(conn->log_cb_ctx, buf);
44
45 os_free(buf);
46 }
47
48
tlsv1_server_alert(struct tlsv1_server * conn,u8 level,u8 description)49 void tlsv1_server_alert(struct tlsv1_server *conn, u8 level, u8 description)
50 {
51 conn->alert_level = level;
52 conn->alert_description = description;
53 }
54
55
tlsv1_server_derive_keys(struct tlsv1_server * conn,const u8 * pre_master_secret,size_t pre_master_secret_len)56 int tlsv1_server_derive_keys(struct tlsv1_server *conn,
57 const u8 *pre_master_secret,
58 size_t pre_master_secret_len)
59 {
60 u8 seed[2 * TLS_RANDOM_LEN];
61 u8 key_block[TLS_MAX_KEY_BLOCK_LEN];
62 u8 *pos;
63 size_t key_block_len;
64
65 if (pre_master_secret) {
66 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret",
67 pre_master_secret, pre_master_secret_len);
68 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
69 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
70 TLS_RANDOM_LEN);
71 if (tls_prf(conn->rl.tls_version,
72 pre_master_secret, pre_master_secret_len,
73 "master secret", seed, 2 * TLS_RANDOM_LEN,
74 conn->master_secret, TLS_MASTER_SECRET_LEN)) {
75 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
76 "master_secret");
77 return -1;
78 }
79 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret",
80 conn->master_secret, TLS_MASTER_SECRET_LEN);
81 }
82
83 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
84 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
85 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
86 conn->rl.iv_size);
87 if (tls_prf(conn->rl.tls_version,
88 conn->master_secret, TLS_MASTER_SECRET_LEN,
89 "key expansion", seed, 2 * TLS_RANDOM_LEN,
90 key_block, key_block_len)) {
91 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
92 return -1;
93 }
94 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block",
95 key_block, key_block_len);
96
97 pos = key_block;
98
99 /* client_write_MAC_secret */
100 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size);
101 pos += conn->rl.hash_size;
102 /* server_write_MAC_secret */
103 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size);
104 pos += conn->rl.hash_size;
105
106 /* client_write_key */
107 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len);
108 pos += conn->rl.key_material_len;
109 /* server_write_key */
110 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len);
111 pos += conn->rl.key_material_len;
112
113 /* client_write_IV */
114 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size);
115 pos += conn->rl.iv_size;
116 /* server_write_IV */
117 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size);
118 pos += conn->rl.iv_size;
119
120 return 0;
121 }
122
123
124 /**
125 * tlsv1_server_handshake - Process TLS handshake
126 * @conn: TLSv1 server connection data from tlsv1_server_init()
127 * @in_data: Input data from TLS peer
128 * @in_len: Input data length
129 * @out_len: Length of the output buffer.
130 * Returns: Pointer to output data, %NULL on failure
131 */
tlsv1_server_handshake(struct tlsv1_server * conn,const u8 * in_data,size_t in_len,size_t * out_len)132 u8 * tlsv1_server_handshake(struct tlsv1_server *conn,
133 const u8 *in_data, size_t in_len,
134 size_t *out_len)
135 {
136 const u8 *pos, *end;
137 u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct;
138 size_t in_msg_len;
139 int used;
140
141 if (in_data == NULL || in_len == 0) {
142 wpa_printf(MSG_DEBUG, "TLSv1: No input data to server");
143 return NULL;
144 }
145
146 pos = in_data;
147 end = in_data + in_len;
148 in_msg = os_malloc(in_len);
149 if (in_msg == NULL)
150 return NULL;
151
152 /* Each received packet may include multiple records */
153 while (pos < end) {
154 in_msg_len = in_len;
155 used = tlsv1_record_receive(&conn->rl, pos, end - pos,
156 in_msg, &in_msg_len, &alert);
157 if (used < 0) {
158 wpa_printf(MSG_DEBUG, "TLSv1: Processing received "
159 "record failed");
160 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
161 goto failed;
162 }
163 if (used == 0) {
164 /* need more data */
165 wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
166 "yet supported");
167 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
168 TLS_ALERT_INTERNAL_ERROR);
169 goto failed;
170 }
171 ct = pos[0];
172
173 in_pos = in_msg;
174 in_end = in_msg + in_msg_len;
175
176 /* Each received record may include multiple messages of the
177 * same ContentType. */
178 while (in_pos < in_end) {
179 in_msg_len = in_end - in_pos;
180 if (tlsv1_server_process_handshake(conn, ct, in_pos,
181 &in_msg_len) < 0)
182 goto failed;
183 in_pos += in_msg_len;
184 }
185
186 pos += used;
187 }
188
189 os_free(in_msg);
190 in_msg = NULL;
191
192 msg = tlsv1_server_handshake_write(conn, out_len);
193
194 failed:
195 os_free(in_msg);
196 if (conn->alert_level) {
197 if (conn->state == FAILED) {
198 /* Avoid alert loops */
199 wpa_printf(MSG_DEBUG, "TLSv1: Drop alert loop");
200 os_free(msg);
201 return NULL;
202 }
203 conn->state = FAILED;
204 os_free(msg);
205 msg = tlsv1_server_send_alert(conn, conn->alert_level,
206 conn->alert_description,
207 out_len);
208 conn->write_alerts++;
209 }
210
211 return msg;
212 }
213
214
215 /**
216 * tlsv1_server_encrypt - Encrypt data into TLS tunnel
217 * @conn: TLSv1 server connection data from tlsv1_server_init()
218 * @in_data: Pointer to plaintext data to be encrypted
219 * @in_len: Input buffer length
220 * @out_data: Pointer to output buffer (encrypted TLS data)
221 * @out_len: Maximum out_data length
222 * Returns: Number of bytes written to out_data, -1 on failure
223 *
224 * This function is used after TLS handshake has been completed successfully to
225 * send data in the encrypted tunnel.
226 */
tlsv1_server_encrypt(struct tlsv1_server * conn,const u8 * in_data,size_t in_len,u8 * out_data,size_t out_len)227 int tlsv1_server_encrypt(struct tlsv1_server *conn,
228 const u8 *in_data, size_t in_len,
229 u8 *out_data, size_t out_len)
230 {
231 size_t rlen;
232
233 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData",
234 in_data, in_len);
235
236 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA,
237 out_data, out_len, in_data, in_len, &rlen) < 0) {
238 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
239 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
240 TLS_ALERT_INTERNAL_ERROR);
241 return -1;
242 }
243
244 return rlen;
245 }
246
247
248 /**
249 * tlsv1_server_decrypt - Decrypt data from TLS tunnel
250 * @conn: TLSv1 server connection data from tlsv1_server_init()
251 * @in_data: Pointer to input buffer (encrypted TLS data)
252 * @in_len: Input buffer length
253 * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
254 * @out_len: Maximum out_data length
255 * Returns: Number of bytes written to out_data, -1 on failure
256 *
257 * This function is used after TLS handshake has been completed successfully to
258 * receive data from the encrypted tunnel.
259 */
tlsv1_server_decrypt(struct tlsv1_server * conn,const u8 * in_data,size_t in_len,u8 * out_data,size_t out_len)260 int tlsv1_server_decrypt(struct tlsv1_server *conn,
261 const u8 *in_data, size_t in_len,
262 u8 *out_data, size_t out_len)
263 {
264 const u8 *in_end, *pos;
265 int used;
266 u8 alert, *out_end, *out_pos, ct;
267 size_t olen;
268
269 pos = in_data;
270 in_end = in_data + in_len;
271 out_pos = out_data;
272 out_end = out_data + out_len;
273
274 while (pos < in_end) {
275 ct = pos[0];
276 olen = out_end - out_pos;
277 used = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
278 out_pos, &olen, &alert);
279 if (used < 0) {
280 tlsv1_server_log(conn, "Record layer processing failed");
281 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
282 return -1;
283 }
284 if (used == 0) {
285 /* need more data */
286 wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
287 "yet supported");
288 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
289 return -1;
290 }
291
292 if (ct == TLS_CONTENT_TYPE_ALERT) {
293 if (olen < 2) {
294 tlsv1_server_log(conn, "Alert underflow");
295 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
296 TLS_ALERT_DECODE_ERROR);
297 return -1;
298 }
299 tlsv1_server_log(conn, "Received alert %d:%d",
300 out_pos[0], out_pos[1]);
301 conn->read_alerts++;
302 if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) {
303 /* Continue processing */
304 pos += used;
305 continue;
306 }
307
308 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
309 out_pos[1]);
310 return -1;
311 }
312
313 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
314 tlsv1_server_log(conn, "Unexpected content type 0x%x",
315 pos[0]);
316 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
317 TLS_ALERT_UNEXPECTED_MESSAGE);
318 return -1;
319 }
320
321 #ifdef CONFIG_TESTING_OPTIONS
322 if ((conn->test_flags &
323 (TLS_BREAK_VERIFY_DATA | TLS_BREAK_SRV_KEY_X_HASH |
324 TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
325 !conn->test_failure_reported) {
326 tlsv1_server_log(conn, "TEST-FAILURE: Client ApplData received after invalid handshake");
327 conn->test_failure_reported = 1;
328 }
329 #endif /* CONFIG_TESTING_OPTIONS */
330
331 out_pos += olen;
332 if (out_pos > out_end) {
333 wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
334 "for processing the received record");
335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
336 TLS_ALERT_INTERNAL_ERROR);
337 return -1;
338 }
339
340 pos += used;
341 }
342
343 return out_pos - out_data;
344 }
345
346
347 /**
348 * tlsv1_server_global_init - Initialize TLSv1 server
349 * Returns: 0 on success, -1 on failure
350 *
351 * This function must be called before using any other TLSv1 server functions.
352 */
tlsv1_server_global_init(void)353 int tlsv1_server_global_init(void)
354 {
355 return crypto_global_init();
356 }
357
358
359 /**
360 * tlsv1_server_global_deinit - Deinitialize TLSv1 server
361 *
362 * This function can be used to deinitialize the TLSv1 server that was
363 * initialized by calling tlsv1_server_global_init(). No TLSv1 server functions
364 * can be called after this before calling tlsv1_server_global_init() again.
365 */
tlsv1_server_global_deinit(void)366 void tlsv1_server_global_deinit(void)
367 {
368 crypto_global_deinit();
369 }
370
371
372 /**
373 * tlsv1_server_init - Initialize TLSv1 server connection
374 * @cred: Pointer to server credentials from tlsv1_server_cred_alloc()
375 * Returns: Pointer to TLSv1 server connection data or %NULL on failure
376 */
tlsv1_server_init(struct tlsv1_credentials * cred)377 struct tlsv1_server * tlsv1_server_init(struct tlsv1_credentials *cred)
378 {
379 struct tlsv1_server *conn;
380 size_t count;
381 u16 *suites;
382
383 conn = os_zalloc(sizeof(*conn));
384 if (conn == NULL)
385 return NULL;
386
387 conn->cred = cred;
388
389 conn->state = CLIENT_HELLO;
390
391 if (tls_verify_hash_init(&conn->verify) < 0) {
392 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify "
393 "hash");
394 os_free(conn);
395 return NULL;
396 }
397
398 count = 0;
399 suites = conn->cipher_suites;
400 suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
401 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
402 suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
403 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
404 suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
405 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
406 suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
407 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
408 suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
409 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
410 suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
411 suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
412 conn->num_cipher_suites = count;
413
414 return conn;
415 }
416
417
tlsv1_server_clear_data(struct tlsv1_server * conn)418 static void tlsv1_server_clear_data(struct tlsv1_server *conn)
419 {
420 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL);
421 tlsv1_record_change_write_cipher(&conn->rl);
422 tlsv1_record_change_read_cipher(&conn->rl);
423 tls_verify_hash_free(&conn->verify);
424
425 crypto_public_key_free(conn->client_rsa_key);
426 conn->client_rsa_key = NULL;
427
428 os_free(conn->session_ticket);
429 conn->session_ticket = NULL;
430 conn->session_ticket_len = 0;
431 conn->use_session_ticket = 0;
432
433 os_free(conn->dh_secret);
434 conn->dh_secret = NULL;
435 conn->dh_secret_len = 0;
436 }
437
438
439 /**
440 * tlsv1_server_deinit - Deinitialize TLSv1 server connection
441 * @conn: TLSv1 server connection data from tlsv1_server_init()
442 */
tlsv1_server_deinit(struct tlsv1_server * conn)443 void tlsv1_server_deinit(struct tlsv1_server *conn)
444 {
445 tlsv1_server_clear_data(conn);
446 os_free(conn);
447 }
448
449
450 /**
451 * tlsv1_server_established - Check whether connection has been established
452 * @conn: TLSv1 server connection data from tlsv1_server_init()
453 * Returns: 1 if connection is established, 0 if not
454 */
tlsv1_server_established(struct tlsv1_server * conn)455 int tlsv1_server_established(struct tlsv1_server *conn)
456 {
457 return conn->state == ESTABLISHED;
458 }
459
460
461 /**
462 * tlsv1_server_prf - Use TLS-PRF to derive keying material
463 * @conn: TLSv1 server connection data from tlsv1_server_init()
464 * @label: Label (e.g., description of the key) for PRF
465 * @context: Optional extra upper-layer context (max len 2^16)
466 * @context_len: The length of the context value
467 * @server_random_first: seed is 0 = client_random|server_random,
468 * 1 = server_random|client_random
469 * @out: Buffer for output data from TLS-PRF
470 * @out_len: Length of the output buffer
471 * Returns: 0 on success, -1 on failure
472 */
tlsv1_server_prf(struct tlsv1_server * conn,const char * label,const u8 * context,size_t context_len,int server_random_first,u8 * out,size_t out_len)473 int tlsv1_server_prf(struct tlsv1_server *conn, const char *label,
474 const u8 *context, size_t context_len,
475 int server_random_first, u8 *out, size_t out_len)
476 {
477 u8 *seed, *pos;
478 size_t seed_len = 2 * TLS_RANDOM_LEN;
479 int res;
480
481 if (conn->state != ESTABLISHED)
482 return -1;
483
484 if (context_len > 65535)
485 return -1;
486
487 if (context)
488 seed_len += 2 + context_len;
489
490 seed = os_malloc(seed_len);
491 if (!seed)
492 return -1;
493
494 if (server_random_first) {
495 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
496 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random,
497 TLS_RANDOM_LEN);
498 } else {
499 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
500 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
501 TLS_RANDOM_LEN);
502 }
503
504 if (context) {
505 pos = seed + 2 * TLS_RANDOM_LEN;
506 WPA_PUT_BE16(pos, context_len);
507 pos += 2;
508 os_memcpy(pos, context, context_len);
509 }
510
511 res = tls_prf(conn->rl.tls_version,
512 conn->master_secret, TLS_MASTER_SECRET_LEN,
513 label, seed, seed_len, out, out_len);
514 os_free(seed);
515 return res;
516 }
517
518
519 /**
520 * tlsv1_server_get_cipher - Get current cipher name
521 * @conn: TLSv1 server connection data from tlsv1_server_init()
522 * @buf: Buffer for the cipher name
523 * @buflen: buf size
524 * Returns: 0 on success, -1 on failure
525 *
526 * Get the name of the currently used cipher.
527 */
tlsv1_server_get_cipher(struct tlsv1_server * conn,char * buf,size_t buflen)528 int tlsv1_server_get_cipher(struct tlsv1_server *conn, char *buf,
529 size_t buflen)
530 {
531 char *cipher;
532
533 switch (conn->rl.cipher_suite) {
534 case TLS_RSA_WITH_RC4_128_MD5:
535 cipher = "RC4-MD5";
536 break;
537 case TLS_RSA_WITH_RC4_128_SHA:
538 cipher = "RC4-SHA";
539 break;
540 case TLS_RSA_WITH_DES_CBC_SHA:
541 cipher = "DES-CBC-SHA";
542 break;
543 case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
544 cipher = "DES-CBC3-SHA";
545 break;
546 case TLS_DHE_RSA_WITH_DES_CBC_SHA:
547 cipher = "DHE-RSA-DES-CBC-SHA";
548 break;
549 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
550 cipher = "DHE-RSA-DES-CBC3-SHA";
551 break;
552 case TLS_DH_anon_WITH_RC4_128_MD5:
553 cipher = "ADH-RC4-MD5";
554 break;
555 case TLS_DH_anon_WITH_DES_CBC_SHA:
556 cipher = "ADH-DES-SHA";
557 break;
558 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
559 cipher = "ADH-DES-CBC3-SHA";
560 break;
561 case TLS_RSA_WITH_AES_128_CBC_SHA:
562 cipher = "AES-128-SHA";
563 break;
564 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
565 cipher = "DHE-RSA-AES-128-SHA";
566 break;
567 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
568 cipher = "ADH-AES-128-SHA";
569 break;
570 case TLS_RSA_WITH_AES_256_CBC_SHA:
571 cipher = "AES-256-SHA";
572 break;
573 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
574 cipher = "DHE-RSA-AES-256-SHA";
575 break;
576 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
577 cipher = "ADH-AES-256-SHA";
578 break;
579 case TLS_RSA_WITH_AES_128_CBC_SHA256:
580 cipher = "AES-128-SHA256";
581 break;
582 case TLS_RSA_WITH_AES_256_CBC_SHA256:
583 cipher = "AES-256-SHA256";
584 break;
585 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
586 cipher = "DHE-RSA-AES-128-SHA256";
587 break;
588 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
589 cipher = "DHE-RSA-AES-256-SHA256";
590 break;
591 case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
592 cipher = "ADH-AES-128-SHA256";
593 break;
594 case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
595 cipher = "ADH-AES-256-SHA256";
596 break;
597 default:
598 return -1;
599 }
600
601 if (os_strlcpy(buf, cipher, buflen) >= buflen)
602 return -1;
603 return 0;
604 }
605
606
607 /**
608 * tlsv1_server_shutdown - Shutdown TLS connection
609 * @conn: TLSv1 server connection data from tlsv1_server_init()
610 * Returns: 0 on success, -1 on failure
611 */
tlsv1_server_shutdown(struct tlsv1_server * conn)612 int tlsv1_server_shutdown(struct tlsv1_server *conn)
613 {
614 conn->state = CLIENT_HELLO;
615
616 if (tls_verify_hash_init(&conn->verify) < 0) {
617 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify "
618 "hash");
619 return -1;
620 }
621
622 tlsv1_server_clear_data(conn);
623
624 return 0;
625 }
626
627
628 /**
629 * tlsv1_server_resumed - Was session resumption used
630 * @conn: TLSv1 server connection data from tlsv1_server_init()
631 * Returns: 1 if current session used session resumption, 0 if not
632 */
tlsv1_server_resumed(struct tlsv1_server * conn)633 int tlsv1_server_resumed(struct tlsv1_server *conn)
634 {
635 return 0;
636 }
637
638
639 /**
640 * tlsv1_server_get_random - Get random data from TLS connection
641 * @conn: TLSv1 server connection data from tlsv1_server_init()
642 * @keys: Structure of random data (filled on success)
643 * Returns: 0 on success, -1 on failure
644 */
tlsv1_server_get_random(struct tlsv1_server * conn,struct tls_random * keys)645 int tlsv1_server_get_random(struct tlsv1_server *conn, struct tls_random *keys)
646 {
647 os_memset(keys, 0, sizeof(*keys));
648 if (conn->state == CLIENT_HELLO)
649 return -1;
650
651 keys->client_random = conn->client_random;
652 keys->client_random_len = TLS_RANDOM_LEN;
653
654 if (conn->state != SERVER_HELLO) {
655 keys->server_random = conn->server_random;
656 keys->server_random_len = TLS_RANDOM_LEN;
657 }
658
659 return 0;
660 }
661
662
663 /**
664 * tlsv1_server_get_keyblock_size - Get TLS key_block size
665 * @conn: TLSv1 server connection data from tlsv1_server_init()
666 * Returns: Size of the key_block for the negotiated cipher suite or -1 on
667 * failure
668 */
tlsv1_server_get_keyblock_size(struct tlsv1_server * conn)669 int tlsv1_server_get_keyblock_size(struct tlsv1_server *conn)
670 {
671 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO)
672 return -1;
673
674 return 2 * (conn->rl.hash_size + conn->rl.key_material_len +
675 conn->rl.iv_size);
676 }
677
678
679 /**
680 * tlsv1_server_set_cipher_list - Configure acceptable cipher suites
681 * @conn: TLSv1 server connection data from tlsv1_server_init()
682 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
683 * (TLS_CIPHER_*).
684 * Returns: 0 on success, -1 on failure
685 */
tlsv1_server_set_cipher_list(struct tlsv1_server * conn,u8 * ciphers)686 int tlsv1_server_set_cipher_list(struct tlsv1_server *conn, u8 *ciphers)
687 {
688 size_t count;
689 u16 *suites;
690
691 /* TODO: implement proper configuration of cipher suites */
692 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) {
693 count = 0;
694 suites = conn->cipher_suites;
695 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
696 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
697 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
698 suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
699 suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
700 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
701 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
702 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
703 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
704 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
705 conn->num_cipher_suites = count;
706 }
707
708 return 0;
709 }
710
711
tlsv1_server_set_verify(struct tlsv1_server * conn,int verify_peer)712 int tlsv1_server_set_verify(struct tlsv1_server *conn, int verify_peer)
713 {
714 conn->verify_peer = verify_peer;
715 return 0;
716 }
717
718
tlsv1_server_set_session_ticket_cb(struct tlsv1_server * conn,tlsv1_server_session_ticket_cb cb,void * ctx)719 void tlsv1_server_set_session_ticket_cb(struct tlsv1_server *conn,
720 tlsv1_server_session_ticket_cb cb,
721 void *ctx)
722 {
723 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)",
724 cb, ctx);
725 conn->session_ticket_cb = cb;
726 conn->session_ticket_cb_ctx = ctx;
727 }
728
729
tlsv1_server_set_log_cb(struct tlsv1_server * conn,void (* cb)(void * ctx,const char * msg),void * ctx)730 void tlsv1_server_set_log_cb(struct tlsv1_server *conn,
731 void (*cb)(void *ctx, const char *msg), void *ctx)
732 {
733 conn->log_cb = cb;
734 conn->log_cb_ctx = ctx;
735 }
736
737
tlsv1_server_get_failed(struct tlsv1_server * conn)738 int tlsv1_server_get_failed(struct tlsv1_server *conn)
739 {
740 return conn->state == FAILED;
741 }
742
743
tlsv1_server_get_read_alerts(struct tlsv1_server * conn)744 int tlsv1_server_get_read_alerts(struct tlsv1_server *conn)
745 {
746 return conn->read_alerts;
747 }
748
749
tlsv1_server_get_write_alerts(struct tlsv1_server * conn)750 int tlsv1_server_get_write_alerts(struct tlsv1_server *conn)
751 {
752 return conn->write_alerts;
753 }
754
755
756 #ifdef CONFIG_TESTING_OPTIONS
tlsv1_server_set_test_flags(struct tlsv1_server * conn,u32 flags)757 void tlsv1_server_set_test_flags(struct tlsv1_server *conn, u32 flags)
758 {
759 conn->test_flags = flags;
760 }
761
762
763 static const u8 test_tls_prime15[1] = {
764 15
765 };
766
767 static const u8 test_tls_prime511b[64] = {
768 0x50, 0xfb, 0xf1, 0xae, 0x01, 0xf1, 0xfe, 0xe6,
769 0xe1, 0xae, 0xdc, 0x1e, 0xbe, 0xfb, 0x9e, 0x58,
770 0x9a, 0xd7, 0x54, 0x9d, 0x6b, 0xb3, 0x78, 0xe2,
771 0x39, 0x7f, 0x30, 0x01, 0x25, 0xa1, 0xf9, 0x7c,
772 0x55, 0x0e, 0xa1, 0x15, 0xcc, 0x36, 0x34, 0xbb,
773 0x6c, 0x8b, 0x64, 0x45, 0x15, 0x7f, 0xd3, 0xe7,
774 0x31, 0xc8, 0x8e, 0x56, 0x8e, 0x95, 0xdc, 0xea,
775 0x9e, 0xdf, 0xf7, 0x56, 0xdd, 0xb0, 0x34, 0xdb
776 };
777
778 static const u8 test_tls_prime767b[96] = {
779 0x4c, 0xdc, 0xb8, 0x21, 0x20, 0x9d, 0xe8, 0xa3,
780 0x53, 0xd9, 0x1c, 0x18, 0xc1, 0x3a, 0x58, 0x67,
781 0xa7, 0x85, 0xf9, 0x28, 0x9b, 0xce, 0xc0, 0xd1,
782 0x05, 0x84, 0x61, 0x97, 0xb2, 0x86, 0x1c, 0xd0,
783 0xd1, 0x96, 0x23, 0x29, 0x8c, 0xc5, 0x30, 0x68,
784 0x3e, 0xf9, 0x05, 0xba, 0x60, 0xeb, 0xdb, 0xee,
785 0x2d, 0xdf, 0x84, 0x65, 0x49, 0x87, 0x90, 0x2a,
786 0xc9, 0x8e, 0x34, 0x63, 0x6d, 0x9a, 0x2d, 0x32,
787 0x1c, 0x46, 0xd5, 0x4e, 0x20, 0x20, 0x90, 0xac,
788 0xd5, 0x48, 0x79, 0x99, 0x0c, 0xe6, 0xed, 0xbf,
789 0x79, 0xc2, 0x47, 0x50, 0x95, 0x38, 0x38, 0xbc,
790 0xde, 0xb0, 0xd2, 0xe8, 0x97, 0xcb, 0x22, 0xbb
791 };
792
793 static const u8 test_tls_prime58[128] = {
794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
804 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
809 0x03, 0xc1, 0xba, 0xc8, 0x25, 0xbe, 0x2d, 0xf3
810 };
811
812 static const u8 test_tls_non_prime[] = {
813 /*
814 * This is not a prime and the value has the following factors:
815 * 13736783488716579923 * 16254860191773456563 * 18229434976173670763 *
816 * 11112313018289079419 * 10260802278580253339 * 12394009491575311499 *
817 * 12419059668711064739 * 14317973192687985827 * 10498605410533203179 *
818 * 16338688760390249003 * 11128963991123878883 * 12990532258280301419 *
819 * 3
820 */
821 0x0C, 0x8C, 0x36, 0x9C, 0x6F, 0x71, 0x2E, 0xA7,
822 0xAB, 0x32, 0xD3, 0x0F, 0x68, 0x3D, 0xB2, 0x6D,
823 0x81, 0xDD, 0xC4, 0x84, 0x0D, 0x9C, 0x6E, 0x36,
824 0x29, 0x70, 0xF3, 0x1E, 0x9A, 0x42, 0x0B, 0x67,
825 0x82, 0x6B, 0xB1, 0xF2, 0xAF, 0x55, 0x28, 0xE7,
826 0xDB, 0x67, 0x6C, 0xF7, 0x6B, 0xAC, 0xAC, 0xE5,
827 0xF7, 0x9F, 0xD4, 0x63, 0x55, 0x70, 0x32, 0x7C,
828 0x70, 0xFB, 0xAF, 0xB8, 0xEB, 0x37, 0xCF, 0x3F,
829 0xFE, 0x94, 0x73, 0xF9, 0x7A, 0xC7, 0x12, 0x2E,
830 0x9B, 0xB4, 0x7D, 0x08, 0x60, 0x83, 0x43, 0x52,
831 0x83, 0x1E, 0xA5, 0xFC, 0xFA, 0x87, 0x12, 0xF4,
832 0x64, 0xE2, 0xCE, 0x71, 0x17, 0x72, 0xB6, 0xAB
833 };
834
835 #endif /* CONFIG_TESTING_OPTIONS */
836
837
tlsv1_server_get_dh_p(struct tlsv1_server * conn,const u8 ** dh_p,size_t * dh_p_len)838 void tlsv1_server_get_dh_p(struct tlsv1_server *conn, const u8 **dh_p,
839 size_t *dh_p_len)
840 {
841 *dh_p = conn->cred->dh_p;
842 *dh_p_len = conn->cred->dh_p_len;
843
844 #ifdef CONFIG_TESTING_OPTIONS
845 if (conn->test_flags & TLS_DHE_PRIME_511B) {
846 tlsv1_server_log(conn, "TESTING: Use short 511-bit prime with DHE");
847 *dh_p = test_tls_prime511b;
848 *dh_p_len = sizeof(test_tls_prime511b);
849 } else if (conn->test_flags & TLS_DHE_PRIME_767B) {
850 tlsv1_server_log(conn, "TESTING: Use short 767-bit prime with DHE");
851 *dh_p = test_tls_prime767b;
852 *dh_p_len = sizeof(test_tls_prime767b);
853 } else if (conn->test_flags & TLS_DHE_PRIME_15) {
854 tlsv1_server_log(conn, "TESTING: Use bogus 15 \"prime\" with DHE");
855 *dh_p = test_tls_prime15;
856 *dh_p_len = sizeof(test_tls_prime15);
857 } else if (conn->test_flags & TLS_DHE_PRIME_58B) {
858 tlsv1_server_log(conn, "TESTING: Use short 58-bit prime in long container with DHE");
859 *dh_p = test_tls_prime58;
860 *dh_p_len = sizeof(test_tls_prime58);
861 } else if (conn->test_flags & TLS_DHE_NON_PRIME) {
862 tlsv1_server_log(conn, "TESTING: Use claim non-prime as the DHE prime");
863 *dh_p = test_tls_non_prime;
864 *dh_p_len = sizeof(test_tls_non_prime);
865 }
866 #endif /* CONFIG_TESTING_OPTIONS */
867 }
868