• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "md5.h"
19 #include "sha1.h"
20 #include "x509v3.h"
21 #include "tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
26 
27 
28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29 					   const u8 *in_data, size_t *in_len);
30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31 					  u8 ct, const u8 *in_data,
32 					  size_t *in_len);
33 
34 
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36 				    const u8 *in_data, size_t *in_len)
37 {
38 	const u8 *pos, *end, *c;
39 	size_t left, len, i, j;
40 	u16 cipher_suite;
41 	u16 num_suites;
42 	int compr_null_found;
43 	u16 ext_type, ext_len;
44 
45 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
46 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
47 			   "received content type 0x%x", ct);
48 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
49 				   TLS_ALERT_UNEXPECTED_MESSAGE);
50 		return -1;
51 	}
52 
53 	pos = in_data;
54 	left = *in_len;
55 
56 	if (left < 4)
57 		goto decode_error;
58 
59 	/* HandshakeType msg_type */
60 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
61 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
62 			   "message %d (expected ClientHello)", *pos);
63 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
64 				   TLS_ALERT_UNEXPECTED_MESSAGE);
65 		return -1;
66 	}
67 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
68 	pos++;
69 	/* uint24 length */
70 	len = WPA_GET_BE24(pos);
71 	pos += 3;
72 	left -= 4;
73 
74 	if (len > left)
75 		goto decode_error;
76 
77 	/* body - ClientHello */
78 
79 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
80 	end = pos + len;
81 
82 	/* ProtocolVersion client_version */
83 	if (end - pos < 2)
84 		goto decode_error;
85 	conn->client_version = WPA_GET_BE16(pos);
86 	wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
87 		   conn->client_version >> 8, conn->client_version & 0xff);
88 	if (conn->client_version < TLS_VERSION) {
89 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
90 			   "ClientHello");
91 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
92 				   TLS_ALERT_PROTOCOL_VERSION);
93 		return -1;
94 	}
95 	pos += 2;
96 
97 	/* Random random */
98 	if (end - pos < TLS_RANDOM_LEN)
99 		goto decode_error;
100 
101 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
102 	pos += TLS_RANDOM_LEN;
103 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
104 		    conn->client_random, TLS_RANDOM_LEN);
105 
106 	/* SessionID session_id */
107 	if (end - pos < 1)
108 		goto decode_error;
109 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
110 		goto decode_error;
111 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
112 	pos += 1 + *pos;
113 	/* TODO: add support for session resumption */
114 
115 	/* CipherSuite cipher_suites<2..2^16-1> */
116 	if (end - pos < 2)
117 		goto decode_error;
118 	num_suites = WPA_GET_BE16(pos);
119 	pos += 2;
120 	if (end - pos < num_suites)
121 		goto decode_error;
122 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
123 		    pos, num_suites);
124 	if (num_suites & 1)
125 		goto decode_error;
126 	num_suites /= 2;
127 
128 	cipher_suite = 0;
129 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
130 		c = pos;
131 		for (j = 0; j < num_suites; j++) {
132 			u16 tmp = WPA_GET_BE16(c);
133 			c += 2;
134 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
135 				cipher_suite = tmp;
136 				break;
137 			}
138 		}
139 	}
140 	pos += num_suites * 2;
141 	if (!cipher_suite) {
142 		wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
143 			   "available");
144 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
145 				   TLS_ALERT_ILLEGAL_PARAMETER);
146 		return -1;
147 	}
148 
149 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
150 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
151 			   "record layer");
152 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 				   TLS_ALERT_INTERNAL_ERROR);
154 		return -1;
155 	}
156 
157 	conn->cipher_suite = cipher_suite;
158 
159 	/* CompressionMethod compression_methods<1..2^8-1> */
160 	if (end - pos < 1)
161 		goto decode_error;
162 	num_suites = *pos++;
163 	if (end - pos < num_suites)
164 		goto decode_error;
165 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
166 		    pos, num_suites);
167 	compr_null_found = 0;
168 	for (i = 0; i < num_suites; i++) {
169 		if (*pos++ == TLS_COMPRESSION_NULL)
170 			compr_null_found = 1;
171 	}
172 	if (!compr_null_found) {
173 		wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
174 			   "compression");
175 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
176 				   TLS_ALERT_ILLEGAL_PARAMETER);
177 		return -1;
178 	}
179 
180 	if (end - pos == 1) {
181 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
182 			    "end of ClientHello: 0x%02x", *pos);
183 		goto decode_error;
184 	}
185 
186 	if (end - pos >= 2) {
187 		/* Extension client_hello_extension_list<0..2^16-1> */
188 		ext_len = WPA_GET_BE16(pos);
189 		pos += 2;
190 
191 		wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
192 			   "extensions", ext_len);
193 		if (end - pos != ext_len) {
194 			wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
195 				   "extension list length %u (expected %u)",
196 				   ext_len, (unsigned int) (end - pos));
197 			goto decode_error;
198 		}
199 
200 		/*
201 		 * struct {
202 		 *   ExtensionType extension_type (0..65535)
203 		 *   opaque extension_data<0..2^16-1>
204 		 * } Extension;
205 		 */
206 
207 		while (pos < end) {
208 			if (end - pos < 2) {
209 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
210 					   "extension_type field");
211 				goto decode_error;
212 			}
213 
214 			ext_type = WPA_GET_BE16(pos);
215 			pos += 2;
216 
217 			if (end - pos < 2) {
218 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
219 					   "extension_data length field");
220 				goto decode_error;
221 			}
222 
223 			ext_len = WPA_GET_BE16(pos);
224 			pos += 2;
225 
226 			if (end - pos < ext_len) {
227 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
228 					   "extension_data field");
229 				goto decode_error;
230 			}
231 
232 			wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
233 				   "type %u", ext_type);
234 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
235 				    "Extension data", pos, ext_len);
236 
237 			if (ext_type == TLS_EXT_SESSION_TICKET) {
238 				os_free(conn->session_ticket);
239 				conn->session_ticket = os_malloc(ext_len);
240 				if (conn->session_ticket) {
241 					os_memcpy(conn->session_ticket, pos,
242 						  ext_len);
243 					conn->session_ticket_len = ext_len;
244 				}
245 			}
246 
247 			pos += ext_len;
248 		}
249 	}
250 
251 	*in_len = end - in_data;
252 
253 	wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
254 		   "ServerHello");
255 	conn->state = SERVER_HELLO;
256 
257 	return 0;
258 
259 decode_error:
260 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
261 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
262 			   TLS_ALERT_DECODE_ERROR);
263 	return -1;
264 }
265 
266 
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
268 				   const u8 *in_data, size_t *in_len)
269 {
270 	const u8 *pos, *end;
271 	size_t left, len, list_len, cert_len, idx;
272 	u8 type;
273 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
274 	int reason;
275 
276 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
277 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
278 			   "received content type 0x%x", ct);
279 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
280 				   TLS_ALERT_UNEXPECTED_MESSAGE);
281 		return -1;
282 	}
283 
284 	pos = in_data;
285 	left = *in_len;
286 
287 	if (left < 4) {
288 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
289 			   "(len=%lu)", (unsigned long) left);
290 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 				   TLS_ALERT_DECODE_ERROR);
292 		return -1;
293 	}
294 
295 	type = *pos++;
296 	len = WPA_GET_BE24(pos);
297 	pos += 3;
298 	left -= 4;
299 
300 	if (len > left) {
301 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
302 			   "length (len=%lu != left=%lu)",
303 			   (unsigned long) len, (unsigned long) left);
304 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 				   TLS_ALERT_DECODE_ERROR);
306 		return -1;
307 	}
308 
309 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
310 		if (conn->verify_peer) {
311 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
312 				   "Certificate");
313 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
314 					   TLS_ALERT_UNEXPECTED_MESSAGE);
315 			return -1;
316 		}
317 
318 		return tls_process_client_key_exchange(conn, ct, in_data,
319 						       in_len);
320 	}
321 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
322 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
323 			   "message %d (expected Certificate/"
324 			   "ClientKeyExchange)", type);
325 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 				   TLS_ALERT_UNEXPECTED_MESSAGE);
327 		return -1;
328 	}
329 
330 	wpa_printf(MSG_DEBUG,
331 		   "TLSv1: Received Certificate (certificate_list len %lu)",
332 		   (unsigned long) len);
333 
334 	/*
335 	 * opaque ASN.1Cert<2^24-1>;
336 	 *
337 	 * struct {
338 	 *     ASN.1Cert certificate_list<1..2^24-1>;
339 	 * } Certificate;
340 	 */
341 
342 	end = pos + len;
343 
344 	if (end - pos < 3) {
345 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
346 			   "(left=%lu)", (unsigned long) left);
347 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
348 				   TLS_ALERT_DECODE_ERROR);
349 		return -1;
350 	}
351 
352 	list_len = WPA_GET_BE24(pos);
353 	pos += 3;
354 
355 	if ((size_t) (end - pos) != list_len) {
356 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
357 			   "length (len=%lu left=%lu)",
358 			   (unsigned long) list_len,
359 			   (unsigned long) (end - pos));
360 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
361 				   TLS_ALERT_DECODE_ERROR);
362 		return -1;
363 	}
364 
365 	idx = 0;
366 	while (pos < end) {
367 		if (end - pos < 3) {
368 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
369 				   "certificate_list");
370 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 					   TLS_ALERT_DECODE_ERROR);
372 			x509_certificate_chain_free(chain);
373 			return -1;
374 		}
375 
376 		cert_len = WPA_GET_BE24(pos);
377 		pos += 3;
378 
379 		if ((size_t) (end - pos) < cert_len) {
380 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
381 				   "length (len=%lu left=%lu)",
382 				   (unsigned long) cert_len,
383 				   (unsigned long) (end - pos));
384 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
385 					   TLS_ALERT_DECODE_ERROR);
386 			x509_certificate_chain_free(chain);
387 			return -1;
388 		}
389 
390 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
391 			   (unsigned long) idx, (unsigned long) cert_len);
392 
393 		if (idx == 0) {
394 			crypto_public_key_free(conn->client_rsa_key);
395 			if (tls_parse_cert(pos, cert_len,
396 					   &conn->client_rsa_key)) {
397 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
398 					   "the certificate");
399 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
400 						   TLS_ALERT_BAD_CERTIFICATE);
401 				x509_certificate_chain_free(chain);
402 				return -1;
403 			}
404 		}
405 
406 		cert = x509_certificate_parse(pos, cert_len);
407 		if (cert == NULL) {
408 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
409 				   "the certificate");
410 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411 					   TLS_ALERT_BAD_CERTIFICATE);
412 			x509_certificate_chain_free(chain);
413 			return -1;
414 		}
415 
416 		if (last == NULL)
417 			chain = cert;
418 		else
419 			last->next = cert;
420 		last = cert;
421 
422 		idx++;
423 		pos += cert_len;
424 	}
425 
426 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
427 					    &reason) < 0) {
428 		int tls_reason;
429 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
430 			   "validation failed (reason=%d)", reason);
431 		switch (reason) {
432 		case X509_VALIDATE_BAD_CERTIFICATE:
433 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
434 			break;
435 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
436 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
437 			break;
438 		case X509_VALIDATE_CERTIFICATE_REVOKED:
439 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
440 			break;
441 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
442 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
443 			break;
444 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
445 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
446 			break;
447 		case X509_VALIDATE_UNKNOWN_CA:
448 			tls_reason = TLS_ALERT_UNKNOWN_CA;
449 			break;
450 		default:
451 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
452 			break;
453 		}
454 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
455 		x509_certificate_chain_free(chain);
456 		return -1;
457 	}
458 
459 	x509_certificate_chain_free(chain);
460 
461 	*in_len = end - in_data;
462 
463 	conn->state = CLIENT_KEY_EXCHANGE;
464 
465 	return 0;
466 }
467 
468 
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)469 static int tls_process_client_key_exchange_rsa(
470 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
471 {
472 	u8 *out;
473 	size_t outlen, outbuflen;
474 	u16 encr_len;
475 	int res;
476 	int use_random = 0;
477 
478 	if (end - pos < 2) {
479 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
480 				   TLS_ALERT_DECODE_ERROR);
481 		return -1;
482 	}
483 
484 	encr_len = WPA_GET_BE16(pos);
485 	pos += 2;
486 
487 	outbuflen = outlen = end - pos;
488 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
489 			outlen : TLS_PRE_MASTER_SECRET_LEN);
490 	if (out == NULL) {
491 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 				   TLS_ALERT_INTERNAL_ERROR);
493 		return -1;
494 	}
495 
496 	/*
497 	 * struct {
498 	 *   ProtocolVersion client_version;
499 	 *   opaque random[46];
500 	 * } PreMasterSecret;
501 	 *
502 	 * struct {
503 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
504 	 * } EncryptedPreMasterSecret;
505 	 */
506 
507 	/*
508 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
509 	 * parsing errors from EncryptedPreMasterSecret processing to the
510 	 * client. Instead, a random pre-master secret is used to force the
511 	 * handshake to fail.
512 	 */
513 
514 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
515 						 pos, end - pos,
516 						 out, &outlen) < 0) {
517 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
518 			   "PreMasterSecret (encr_len=%d outlen=%lu)",
519 			   (int) (end - pos), (unsigned long) outlen);
520 		use_random = 1;
521 	}
522 
523 	if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
524 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
525 			   "length %lu", (unsigned long) outlen);
526 		use_random = 1;
527 	}
528 
529 	if (WPA_GET_BE16(out) != conn->client_version) {
530 		wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
531 			   "ClientKeyExchange does not match with version in "
532 			   "ClientHello");
533 		use_random = 1;
534 	}
535 
536 	if (use_random) {
537 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
538 			   "to avoid revealing information about private key");
539 		outlen = TLS_PRE_MASTER_SECRET_LEN;
540 		if (os_get_random(out, outlen)) {
541 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
542 				   "data");
543 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
544 					   TLS_ALERT_INTERNAL_ERROR);
545 			os_free(out);
546 			return -1;
547 		}
548 	}
549 
550 	res = tlsv1_server_derive_keys(conn, out, outlen);
551 
552 	/* Clear the pre-master secret since it is not needed anymore */
553 	os_memset(out, 0, outbuflen);
554 	os_free(out);
555 
556 	if (res) {
557 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
558 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559 				   TLS_ALERT_INTERNAL_ERROR);
560 		return -1;
561 	}
562 
563 	return 0;
564 }
565 
566 
tls_process_client_key_exchange_dh_anon(struct tlsv1_server * conn,const u8 * pos,const u8 * end)567 static int tls_process_client_key_exchange_dh_anon(
568 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
569 {
570 #ifdef EAP_FAST
571 	const u8 *dh_yc;
572 	u16 dh_yc_len;
573 	u8 *shared;
574 	size_t shared_len;
575 	int res;
576 
577 	/*
578 	 * struct {
579 	 *   select (PublicValueEncoding) {
580 	 *     case implicit: struct { };
581 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
582 	 *   } dh_public;
583 	 * } ClientDiffieHellmanPublic;
584 	 */
585 
586 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
587 		    pos, end - pos);
588 
589 	if (end == pos) {
590 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
591 			   "not supported");
592 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
593 				   TLS_ALERT_INTERNAL_ERROR);
594 		return -1;
595 	}
596 
597 	if (end - pos < 3) {
598 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
599 			   "length");
600 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
601 				   TLS_ALERT_DECODE_ERROR);
602 		return -1;
603 	}
604 
605 	dh_yc_len = WPA_GET_BE16(pos);
606 	dh_yc = pos + 2;
607 
608 	if (dh_yc + dh_yc_len > end) {
609 		wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
610 			   "(length %d)", dh_yc_len);
611 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 				   TLS_ALERT_DECODE_ERROR);
613 		return -1;
614 	}
615 
616 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
617 		    dh_yc, dh_yc_len);
618 
619 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
620 	    conn->dh_secret == NULL) {
621 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
622 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
623 				   TLS_ALERT_INTERNAL_ERROR);
624 		return -1;
625 	}
626 
627 	shared_len = conn->cred->dh_p_len;
628 	shared = os_malloc(shared_len);
629 	if (shared == NULL) {
630 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
631 			   "DH");
632 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
633 				   TLS_ALERT_INTERNAL_ERROR);
634 		return -1;
635 	}
636 
637 	/* shared = Yc^secret mod p */
638 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
639 			   conn->dh_secret_len,
640 			   conn->cred->dh_p, conn->cred->dh_p_len,
641 			   shared, &shared_len)) {
642 		os_free(shared);
643 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
644 				   TLS_ALERT_INTERNAL_ERROR);
645 		return -1;
646 	}
647 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
648 			shared, shared_len);
649 
650 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
651 	os_free(conn->dh_secret);
652 	conn->dh_secret = NULL;
653 
654 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
655 
656 	/* Clear the pre-master secret since it is not needed anymore */
657 	os_memset(shared, 0, shared_len);
658 	os_free(shared);
659 
660 	if (res) {
661 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
662 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
663 				   TLS_ALERT_INTERNAL_ERROR);
664 		return -1;
665 	}
666 
667 	return 0;
668 #else /* EAP_FAST */
669 	return -1;
670 #endif /* EAP_FAST */
671 }
672 
673 
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)674 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
675 					   const u8 *in_data, size_t *in_len)
676 {
677 	const u8 *pos, *end;
678 	size_t left, len;
679 	u8 type;
680 	tls_key_exchange keyx;
681 	const struct tls_cipher_suite *suite;
682 
683 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
684 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
685 			   "received content type 0x%x", ct);
686 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
687 				   TLS_ALERT_UNEXPECTED_MESSAGE);
688 		return -1;
689 	}
690 
691 	pos = in_data;
692 	left = *in_len;
693 
694 	if (left < 4) {
695 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
696 			   "(Left=%lu)", (unsigned long) left);
697 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
698 				   TLS_ALERT_DECODE_ERROR);
699 		return -1;
700 	}
701 
702 	type = *pos++;
703 	len = WPA_GET_BE24(pos);
704 	pos += 3;
705 	left -= 4;
706 
707 	if (len > left) {
708 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
709 			   "length (len=%lu != left=%lu)",
710 			   (unsigned long) len, (unsigned long) left);
711 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
712 				   TLS_ALERT_DECODE_ERROR);
713 		return -1;
714 	}
715 
716 	end = pos + len;
717 
718 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
719 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
720 			   "message %d (expected ClientKeyExchange)", type);
721 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
722 				   TLS_ALERT_UNEXPECTED_MESSAGE);
723 		return -1;
724 	}
725 
726 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
727 
728 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
729 
730 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
731 	if (suite == NULL)
732 		keyx = TLS_KEY_X_NULL;
733 	else
734 		keyx = suite->key_exchange;
735 
736 	if (keyx == TLS_KEY_X_DH_anon &&
737 	    tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
738 		return -1;
739 
740 	if (keyx != TLS_KEY_X_DH_anon &&
741 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
742 		return -1;
743 
744 	*in_len = end - in_data;
745 
746 	conn->state = CERTIFICATE_VERIFY;
747 
748 	return 0;
749 }
750 
751 
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)752 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
753 					  const u8 *in_data, size_t *in_len)
754 {
755 	const u8 *pos, *end;
756 	size_t left, len;
757 	u8 type;
758 	size_t hlen, buflen;
759 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
760 	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
761 	u16 slen;
762 
763 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
764 		if (conn->verify_peer) {
765 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
766 				   "CertificateVerify");
767 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
768 					   TLS_ALERT_UNEXPECTED_MESSAGE);
769 			return -1;
770 		}
771 
772 		return tls_process_change_cipher_spec(conn, ct, in_data,
773 						      in_len);
774 	}
775 
776 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
777 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
778 			   "received content type 0x%x", ct);
779 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
780 				   TLS_ALERT_UNEXPECTED_MESSAGE);
781 		return -1;
782 	}
783 
784 	pos = in_data;
785 	left = *in_len;
786 
787 	if (left < 4) {
788 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
789 			   "message (len=%lu)", (unsigned long) left);
790 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
791 				   TLS_ALERT_DECODE_ERROR);
792 		return -1;
793 	}
794 
795 	type = *pos++;
796 	len = WPA_GET_BE24(pos);
797 	pos += 3;
798 	left -= 4;
799 
800 	if (len > left) {
801 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
802 			   "message length (len=%lu != left=%lu)",
803 			   (unsigned long) len, (unsigned long) left);
804 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
805 				   TLS_ALERT_DECODE_ERROR);
806 		return -1;
807 	}
808 
809 	end = pos + len;
810 
811 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
812 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
813 			   "message %d (expected CertificateVerify)", type);
814 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
815 				   TLS_ALERT_UNEXPECTED_MESSAGE);
816 		return -1;
817 	}
818 
819 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
820 
821 	/*
822 	 * struct {
823 	 *   Signature signature;
824 	 * } CertificateVerify;
825 	 */
826 
827 	hpos = hash;
828 
829 	if (alg == SIGN_ALG_RSA) {
830 		hlen = MD5_MAC_LEN;
831 		if (conn->verify.md5_cert == NULL ||
832 		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
833 		{
834 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
835 					   TLS_ALERT_INTERNAL_ERROR);
836 			conn->verify.md5_cert = NULL;
837 			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
838 			conn->verify.sha1_cert = NULL;
839 			return -1;
840 		}
841 		hpos += MD5_MAC_LEN;
842 	} else
843 		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
844 
845 	conn->verify.md5_cert = NULL;
846 	hlen = SHA1_MAC_LEN;
847 	if (conn->verify.sha1_cert == NULL ||
848 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
849 		conn->verify.sha1_cert = NULL;
850 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
851 				   TLS_ALERT_INTERNAL_ERROR);
852 		return -1;
853 	}
854 	conn->verify.sha1_cert = NULL;
855 
856 	if (alg == SIGN_ALG_RSA)
857 		hlen += MD5_MAC_LEN;
858 
859 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
860 
861 	if (end - pos < 2) {
862 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
863 				   TLS_ALERT_DECODE_ERROR);
864 		return -1;
865 	}
866 	slen = WPA_GET_BE16(pos);
867 	pos += 2;
868 	if (end - pos < slen) {
869 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
870 				   TLS_ALERT_DECODE_ERROR);
871 		return -1;
872 	}
873 
874 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
875 	if (conn->client_rsa_key == NULL) {
876 		wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
877 			   "signature");
878 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
879 				   TLS_ALERT_INTERNAL_ERROR);
880 		return -1;
881 	}
882 
883 	buflen = end - pos;
884 	buf = os_malloc(end - pos);
885 	if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
886 					    pos, end - pos, buf, &buflen) < 0)
887 	{
888 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
889 		os_free(buf);
890 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
891 				   TLS_ALERT_DECRYPT_ERROR);
892 		return -1;
893 	}
894 
895 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
896 			buf, buflen);
897 
898 	if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
899 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
900 			   "CertificateVerify - did not match with calculated "
901 			   "hash");
902 		os_free(buf);
903 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
904 				   TLS_ALERT_DECRYPT_ERROR);
905 		return -1;
906 	}
907 
908 	os_free(buf);
909 
910 	*in_len = end - in_data;
911 
912 	conn->state = CHANGE_CIPHER_SPEC;
913 
914 	return 0;
915 }
916 
917 
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)918 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
919 					  u8 ct, const u8 *in_data,
920 					  size_t *in_len)
921 {
922 	const u8 *pos;
923 	size_t left;
924 
925 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
926 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
927 			   "received content type 0x%x", ct);
928 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
929 				   TLS_ALERT_UNEXPECTED_MESSAGE);
930 		return -1;
931 	}
932 
933 	pos = in_data;
934 	left = *in_len;
935 
936 	if (left < 1) {
937 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
938 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
939 				   TLS_ALERT_DECODE_ERROR);
940 		return -1;
941 	}
942 
943 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
944 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
945 			   "received data 0x%x", *pos);
946 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
947 				   TLS_ALERT_UNEXPECTED_MESSAGE);
948 		return -1;
949 	}
950 
951 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
952 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
953 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
954 			   "for record layer");
955 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
956 				   TLS_ALERT_INTERNAL_ERROR);
957 		return -1;
958 	}
959 
960 	*in_len = pos + 1 - in_data;
961 
962 	conn->state = CLIENT_FINISHED;
963 
964 	return 0;
965 }
966 
967 
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)968 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
969 				       const u8 *in_data, size_t *in_len)
970 {
971 	const u8 *pos, *end;
972 	size_t left, len, hlen;
973 	u8 verify_data[TLS_VERIFY_DATA_LEN];
974 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
975 
976 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
977 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
978 			   "received content type 0x%x", ct);
979 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
980 				   TLS_ALERT_UNEXPECTED_MESSAGE);
981 		return -1;
982 	}
983 
984 	pos = in_data;
985 	left = *in_len;
986 
987 	if (left < 4) {
988 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
989 			   "Finished",
990 			   (unsigned long) left);
991 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 				   TLS_ALERT_DECODE_ERROR);
993 		return -1;
994 	}
995 
996 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
997 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
998 			   "type 0x%x", pos[0]);
999 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1000 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1001 		return -1;
1002 	}
1003 
1004 	len = WPA_GET_BE24(pos + 1);
1005 
1006 	pos += 4;
1007 	left -= 4;
1008 
1009 	if (len > left) {
1010 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1011 			   "(len=%lu > left=%lu)",
1012 			   (unsigned long) len, (unsigned long) left);
1013 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1014 				   TLS_ALERT_DECODE_ERROR);
1015 		return -1;
1016 	}
1017 	end = pos + len;
1018 	if (len != TLS_VERIFY_DATA_LEN) {
1019 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1020 			   "in Finished: %lu (expected %d)",
1021 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1022 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023 				   TLS_ALERT_DECODE_ERROR);
1024 		return -1;
1025 	}
1026 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1027 		    pos, TLS_VERIFY_DATA_LEN);
1028 
1029 	hlen = MD5_MAC_LEN;
1030 	if (conn->verify.md5_client == NULL ||
1031 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1032 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033 				   TLS_ALERT_INTERNAL_ERROR);
1034 		conn->verify.md5_client = NULL;
1035 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1036 		conn->verify.sha1_client = NULL;
1037 		return -1;
1038 	}
1039 	conn->verify.md5_client = NULL;
1040 	hlen = SHA1_MAC_LEN;
1041 	if (conn->verify.sha1_client == NULL ||
1042 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1043 			       &hlen) < 0) {
1044 		conn->verify.sha1_client = NULL;
1045 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1046 				   TLS_ALERT_INTERNAL_ERROR);
1047 		return -1;
1048 	}
1049 	conn->verify.sha1_client = NULL;
1050 
1051 	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1052 		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1053 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1054 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1055 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056 				   TLS_ALERT_DECRYPT_ERROR);
1057 		return -1;
1058 	}
1059 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1060 			verify_data, TLS_VERIFY_DATA_LEN);
1061 
1062 	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1063 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1064 		return -1;
1065 	}
1066 
1067 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1068 
1069 	*in_len = end - in_data;
1070 
1071 	if (conn->use_session_ticket) {
1072 		/* Abbreviated handshake using session ticket; RFC 4507 */
1073 		wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1074 			   "successfully");
1075 		conn->state = ESTABLISHED;
1076 	} else {
1077 		/* Full handshake */
1078 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1079 	}
1080 
1081 	return 0;
1082 }
1083 
1084 
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1085 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1086 				   const u8 *buf, size_t *len)
1087 {
1088 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1089 		if (*len < 2) {
1090 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1091 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092 					   TLS_ALERT_DECODE_ERROR);
1093 			return -1;
1094 		}
1095 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1096 			   buf[0], buf[1]);
1097 		*len = 2;
1098 		conn->state = FAILED;
1099 		return -1;
1100 	}
1101 
1102 	switch (conn->state) {
1103 	case CLIENT_HELLO:
1104 		if (tls_process_client_hello(conn, ct, buf, len))
1105 			return -1;
1106 		break;
1107 	case CLIENT_CERTIFICATE:
1108 		if (tls_process_certificate(conn, ct, buf, len))
1109 			return -1;
1110 		break;
1111 	case CLIENT_KEY_EXCHANGE:
1112 		if (tls_process_client_key_exchange(conn, ct, buf, len))
1113 			return -1;
1114 		break;
1115 	case CERTIFICATE_VERIFY:
1116 		if (tls_process_certificate_verify(conn, ct, buf, len))
1117 			return -1;
1118 		break;
1119 	case CHANGE_CIPHER_SPEC:
1120 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1121 			return -1;
1122 		break;
1123 	case CLIENT_FINISHED:
1124 		if (tls_process_client_finished(conn, ct, buf, len))
1125 			return -1;
1126 		break;
1127 	default:
1128 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1129 			   "while processing received message",
1130 			   conn->state);
1131 		return -1;
1132 	}
1133 
1134 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1135 		tls_verify_hash_add(&conn->verify, buf, *len);
1136 
1137 	return 0;
1138 }
1139