1 /*
2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "md5.h"
19 #include "sha1.h"
20 #include "x509v3.h"
21 #include "tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
26
27
28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29 const u8 *in_data, size_t *in_len);
30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31 u8 ct, const u8 *in_data,
32 size_t *in_len);
33
34
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36 const u8 *in_data, size_t *in_len)
37 {
38 const u8 *pos, *end, *c;
39 size_t left, len, i, j;
40 u16 cipher_suite;
41 u16 num_suites;
42 int compr_null_found;
43 u16 ext_type, ext_len;
44
45 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
46 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
47 "received content type 0x%x", ct);
48 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
49 TLS_ALERT_UNEXPECTED_MESSAGE);
50 return -1;
51 }
52
53 pos = in_data;
54 left = *in_len;
55
56 if (left < 4)
57 goto decode_error;
58
59 /* HandshakeType msg_type */
60 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
61 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
62 "message %d (expected ClientHello)", *pos);
63 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
64 TLS_ALERT_UNEXPECTED_MESSAGE);
65 return -1;
66 }
67 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
68 pos++;
69 /* uint24 length */
70 len = WPA_GET_BE24(pos);
71 pos += 3;
72 left -= 4;
73
74 if (len > left)
75 goto decode_error;
76
77 /* body - ClientHello */
78
79 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
80 end = pos + len;
81
82 /* ProtocolVersion client_version */
83 if (end - pos < 2)
84 goto decode_error;
85 conn->client_version = WPA_GET_BE16(pos);
86 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
87 conn->client_version >> 8, conn->client_version & 0xff);
88 if (conn->client_version < TLS_VERSION) {
89 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
90 "ClientHello");
91 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
92 TLS_ALERT_PROTOCOL_VERSION);
93 return -1;
94 }
95 pos += 2;
96
97 /* Random random */
98 if (end - pos < TLS_RANDOM_LEN)
99 goto decode_error;
100
101 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
102 pos += TLS_RANDOM_LEN;
103 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
104 conn->client_random, TLS_RANDOM_LEN);
105
106 /* SessionID session_id */
107 if (end - pos < 1)
108 goto decode_error;
109 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
110 goto decode_error;
111 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
112 pos += 1 + *pos;
113 /* TODO: add support for session resumption */
114
115 /* CipherSuite cipher_suites<2..2^16-1> */
116 if (end - pos < 2)
117 goto decode_error;
118 num_suites = WPA_GET_BE16(pos);
119 pos += 2;
120 if (end - pos < num_suites)
121 goto decode_error;
122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
123 pos, num_suites);
124 if (num_suites & 1)
125 goto decode_error;
126 num_suites /= 2;
127
128 cipher_suite = 0;
129 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
130 c = pos;
131 for (j = 0; j < num_suites; j++) {
132 u16 tmp = WPA_GET_BE16(c);
133 c += 2;
134 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
135 cipher_suite = tmp;
136 break;
137 }
138 }
139 }
140 pos += num_suites * 2;
141 if (!cipher_suite) {
142 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
143 "available");
144 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
145 TLS_ALERT_ILLEGAL_PARAMETER);
146 return -1;
147 }
148
149 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
150 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
151 "record layer");
152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 TLS_ALERT_INTERNAL_ERROR);
154 return -1;
155 }
156
157 conn->cipher_suite = cipher_suite;
158
159 /* CompressionMethod compression_methods<1..2^8-1> */
160 if (end - pos < 1)
161 goto decode_error;
162 num_suites = *pos++;
163 if (end - pos < num_suites)
164 goto decode_error;
165 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
166 pos, num_suites);
167 compr_null_found = 0;
168 for (i = 0; i < num_suites; i++) {
169 if (*pos++ == TLS_COMPRESSION_NULL)
170 compr_null_found = 1;
171 }
172 if (!compr_null_found) {
173 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
174 "compression");
175 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
176 TLS_ALERT_ILLEGAL_PARAMETER);
177 return -1;
178 }
179
180 if (end - pos == 1) {
181 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
182 "end of ClientHello: 0x%02x", *pos);
183 goto decode_error;
184 }
185
186 if (end - pos >= 2) {
187 /* Extension client_hello_extension_list<0..2^16-1> */
188 ext_len = WPA_GET_BE16(pos);
189 pos += 2;
190
191 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
192 "extensions", ext_len);
193 if (end - pos != ext_len) {
194 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
195 "extension list length %u (expected %u)",
196 ext_len, (unsigned int) (end - pos));
197 goto decode_error;
198 }
199
200 /*
201 * struct {
202 * ExtensionType extension_type (0..65535)
203 * opaque extension_data<0..2^16-1>
204 * } Extension;
205 */
206
207 while (pos < end) {
208 if (end - pos < 2) {
209 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
210 "extension_type field");
211 goto decode_error;
212 }
213
214 ext_type = WPA_GET_BE16(pos);
215 pos += 2;
216
217 if (end - pos < 2) {
218 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
219 "extension_data length field");
220 goto decode_error;
221 }
222
223 ext_len = WPA_GET_BE16(pos);
224 pos += 2;
225
226 if (end - pos < ext_len) {
227 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
228 "extension_data field");
229 goto decode_error;
230 }
231
232 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
233 "type %u", ext_type);
234 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
235 "Extension data", pos, ext_len);
236
237 if (ext_type == TLS_EXT_SESSION_TICKET) {
238 os_free(conn->session_ticket);
239 conn->session_ticket = os_malloc(ext_len);
240 if (conn->session_ticket) {
241 os_memcpy(conn->session_ticket, pos,
242 ext_len);
243 conn->session_ticket_len = ext_len;
244 }
245 }
246
247 pos += ext_len;
248 }
249 }
250
251 *in_len = end - in_data;
252
253 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
254 "ServerHello");
255 conn->state = SERVER_HELLO;
256
257 return 0;
258
259 decode_error:
260 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
261 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
262 TLS_ALERT_DECODE_ERROR);
263 return -1;
264 }
265
266
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
268 const u8 *in_data, size_t *in_len)
269 {
270 const u8 *pos, *end;
271 size_t left, len, list_len, cert_len, idx;
272 u8 type;
273 struct x509_certificate *chain = NULL, *last = NULL, *cert;
274 int reason;
275
276 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
277 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
278 "received content type 0x%x", ct);
279 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
280 TLS_ALERT_UNEXPECTED_MESSAGE);
281 return -1;
282 }
283
284 pos = in_data;
285 left = *in_len;
286
287 if (left < 4) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
289 "(len=%lu)", (unsigned long) left);
290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 TLS_ALERT_DECODE_ERROR);
292 return -1;
293 }
294
295 type = *pos++;
296 len = WPA_GET_BE24(pos);
297 pos += 3;
298 left -= 4;
299
300 if (len > left) {
301 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
302 "length (len=%lu != left=%lu)",
303 (unsigned long) len, (unsigned long) left);
304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 TLS_ALERT_DECODE_ERROR);
306 return -1;
307 }
308
309 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
310 if (conn->verify_peer) {
311 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
312 "Certificate");
313 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
314 TLS_ALERT_UNEXPECTED_MESSAGE);
315 return -1;
316 }
317
318 return tls_process_client_key_exchange(conn, ct, in_data,
319 in_len);
320 }
321 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
322 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
323 "message %d (expected Certificate/"
324 "ClientKeyExchange)", type);
325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_UNEXPECTED_MESSAGE);
327 return -1;
328 }
329
330 wpa_printf(MSG_DEBUG,
331 "TLSv1: Received Certificate (certificate_list len %lu)",
332 (unsigned long) len);
333
334 /*
335 * opaque ASN.1Cert<2^24-1>;
336 *
337 * struct {
338 * ASN.1Cert certificate_list<1..2^24-1>;
339 * } Certificate;
340 */
341
342 end = pos + len;
343
344 if (end - pos < 3) {
345 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
346 "(left=%lu)", (unsigned long) left);
347 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
348 TLS_ALERT_DECODE_ERROR);
349 return -1;
350 }
351
352 list_len = WPA_GET_BE24(pos);
353 pos += 3;
354
355 if ((size_t) (end - pos) != list_len) {
356 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
357 "length (len=%lu left=%lu)",
358 (unsigned long) list_len,
359 (unsigned long) (end - pos));
360 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
361 TLS_ALERT_DECODE_ERROR);
362 return -1;
363 }
364
365 idx = 0;
366 while (pos < end) {
367 if (end - pos < 3) {
368 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
369 "certificate_list");
370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 TLS_ALERT_DECODE_ERROR);
372 x509_certificate_chain_free(chain);
373 return -1;
374 }
375
376 cert_len = WPA_GET_BE24(pos);
377 pos += 3;
378
379 if ((size_t) (end - pos) < cert_len) {
380 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
381 "length (len=%lu left=%lu)",
382 (unsigned long) cert_len,
383 (unsigned long) (end - pos));
384 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
385 TLS_ALERT_DECODE_ERROR);
386 x509_certificate_chain_free(chain);
387 return -1;
388 }
389
390 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
391 (unsigned long) idx, (unsigned long) cert_len);
392
393 if (idx == 0) {
394 crypto_public_key_free(conn->client_rsa_key);
395 if (tls_parse_cert(pos, cert_len,
396 &conn->client_rsa_key)) {
397 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
398 "the certificate");
399 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
400 TLS_ALERT_BAD_CERTIFICATE);
401 x509_certificate_chain_free(chain);
402 return -1;
403 }
404 }
405
406 cert = x509_certificate_parse(pos, cert_len);
407 if (cert == NULL) {
408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
409 "the certificate");
410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411 TLS_ALERT_BAD_CERTIFICATE);
412 x509_certificate_chain_free(chain);
413 return -1;
414 }
415
416 if (last == NULL)
417 chain = cert;
418 else
419 last->next = cert;
420 last = cert;
421
422 idx++;
423 pos += cert_len;
424 }
425
426 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
427 &reason) < 0) {
428 int tls_reason;
429 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
430 "validation failed (reason=%d)", reason);
431 switch (reason) {
432 case X509_VALIDATE_BAD_CERTIFICATE:
433 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
434 break;
435 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
436 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
437 break;
438 case X509_VALIDATE_CERTIFICATE_REVOKED:
439 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
440 break;
441 case X509_VALIDATE_CERTIFICATE_EXPIRED:
442 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
443 break;
444 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
445 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
446 break;
447 case X509_VALIDATE_UNKNOWN_CA:
448 tls_reason = TLS_ALERT_UNKNOWN_CA;
449 break;
450 default:
451 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
452 break;
453 }
454 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
455 x509_certificate_chain_free(chain);
456 return -1;
457 }
458
459 x509_certificate_chain_free(chain);
460
461 *in_len = end - in_data;
462
463 conn->state = CLIENT_KEY_EXCHANGE;
464
465 return 0;
466 }
467
468
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)469 static int tls_process_client_key_exchange_rsa(
470 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
471 {
472 u8 *out;
473 size_t outlen, outbuflen;
474 u16 encr_len;
475 int res;
476 int use_random = 0;
477
478 if (end - pos < 2) {
479 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
480 TLS_ALERT_DECODE_ERROR);
481 return -1;
482 }
483
484 encr_len = WPA_GET_BE16(pos);
485 pos += 2;
486
487 outbuflen = outlen = end - pos;
488 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
489 outlen : TLS_PRE_MASTER_SECRET_LEN);
490 if (out == NULL) {
491 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 TLS_ALERT_INTERNAL_ERROR);
493 return -1;
494 }
495
496 /*
497 * struct {
498 * ProtocolVersion client_version;
499 * opaque random[46];
500 * } PreMasterSecret;
501 *
502 * struct {
503 * public-key-encrypted PreMasterSecret pre_master_secret;
504 * } EncryptedPreMasterSecret;
505 */
506
507 /*
508 * Note: To avoid Bleichenbacher attack, we do not report decryption or
509 * parsing errors from EncryptedPreMasterSecret processing to the
510 * client. Instead, a random pre-master secret is used to force the
511 * handshake to fail.
512 */
513
514 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
515 pos, end - pos,
516 out, &outlen) < 0) {
517 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
518 "PreMasterSecret (encr_len=%d outlen=%lu)",
519 (int) (end - pos), (unsigned long) outlen);
520 use_random = 1;
521 }
522
523 if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
524 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
525 "length %lu", (unsigned long) outlen);
526 use_random = 1;
527 }
528
529 if (WPA_GET_BE16(out) != conn->client_version) {
530 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
531 "ClientKeyExchange does not match with version in "
532 "ClientHello");
533 use_random = 1;
534 }
535
536 if (use_random) {
537 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
538 "to avoid revealing information about private key");
539 outlen = TLS_PRE_MASTER_SECRET_LEN;
540 if (os_get_random(out, outlen)) {
541 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
542 "data");
543 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
544 TLS_ALERT_INTERNAL_ERROR);
545 os_free(out);
546 return -1;
547 }
548 }
549
550 res = tlsv1_server_derive_keys(conn, out, outlen);
551
552 /* Clear the pre-master secret since it is not needed anymore */
553 os_memset(out, 0, outbuflen);
554 os_free(out);
555
556 if (res) {
557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559 TLS_ALERT_INTERNAL_ERROR);
560 return -1;
561 }
562
563 return 0;
564 }
565
566
tls_process_client_key_exchange_dh_anon(struct tlsv1_server * conn,const u8 * pos,const u8 * end)567 static int tls_process_client_key_exchange_dh_anon(
568 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
569 {
570 #ifdef EAP_FAST
571 const u8 *dh_yc;
572 u16 dh_yc_len;
573 u8 *shared;
574 size_t shared_len;
575 int res;
576
577 /*
578 * struct {
579 * select (PublicValueEncoding) {
580 * case implicit: struct { };
581 * case explicit: opaque dh_Yc<1..2^16-1>;
582 * } dh_public;
583 * } ClientDiffieHellmanPublic;
584 */
585
586 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
587 pos, end - pos);
588
589 if (end == pos) {
590 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
591 "not supported");
592 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
593 TLS_ALERT_INTERNAL_ERROR);
594 return -1;
595 }
596
597 if (end - pos < 3) {
598 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
599 "length");
600 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
601 TLS_ALERT_DECODE_ERROR);
602 return -1;
603 }
604
605 dh_yc_len = WPA_GET_BE16(pos);
606 dh_yc = pos + 2;
607
608 if (dh_yc + dh_yc_len > end) {
609 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
610 "(length %d)", dh_yc_len);
611 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 TLS_ALERT_DECODE_ERROR);
613 return -1;
614 }
615
616 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
617 dh_yc, dh_yc_len);
618
619 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
620 conn->dh_secret == NULL) {
621 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
622 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
623 TLS_ALERT_INTERNAL_ERROR);
624 return -1;
625 }
626
627 shared_len = conn->cred->dh_p_len;
628 shared = os_malloc(shared_len);
629 if (shared == NULL) {
630 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
631 "DH");
632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
633 TLS_ALERT_INTERNAL_ERROR);
634 return -1;
635 }
636
637 /* shared = Yc^secret mod p */
638 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
639 conn->dh_secret_len,
640 conn->cred->dh_p, conn->cred->dh_p_len,
641 shared, &shared_len)) {
642 os_free(shared);
643 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
644 TLS_ALERT_INTERNAL_ERROR);
645 return -1;
646 }
647 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
648 shared, shared_len);
649
650 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
651 os_free(conn->dh_secret);
652 conn->dh_secret = NULL;
653
654 res = tlsv1_server_derive_keys(conn, shared, shared_len);
655
656 /* Clear the pre-master secret since it is not needed anymore */
657 os_memset(shared, 0, shared_len);
658 os_free(shared);
659
660 if (res) {
661 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
662 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
663 TLS_ALERT_INTERNAL_ERROR);
664 return -1;
665 }
666
667 return 0;
668 #else /* EAP_FAST */
669 return -1;
670 #endif /* EAP_FAST */
671 }
672
673
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)674 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
675 const u8 *in_data, size_t *in_len)
676 {
677 const u8 *pos, *end;
678 size_t left, len;
679 u8 type;
680 tls_key_exchange keyx;
681 const struct tls_cipher_suite *suite;
682
683 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
684 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
685 "received content type 0x%x", ct);
686 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
687 TLS_ALERT_UNEXPECTED_MESSAGE);
688 return -1;
689 }
690
691 pos = in_data;
692 left = *in_len;
693
694 if (left < 4) {
695 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
696 "(Left=%lu)", (unsigned long) left);
697 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
698 TLS_ALERT_DECODE_ERROR);
699 return -1;
700 }
701
702 type = *pos++;
703 len = WPA_GET_BE24(pos);
704 pos += 3;
705 left -= 4;
706
707 if (len > left) {
708 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
709 "length (len=%lu != left=%lu)",
710 (unsigned long) len, (unsigned long) left);
711 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
712 TLS_ALERT_DECODE_ERROR);
713 return -1;
714 }
715
716 end = pos + len;
717
718 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
719 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
720 "message %d (expected ClientKeyExchange)", type);
721 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
722 TLS_ALERT_UNEXPECTED_MESSAGE);
723 return -1;
724 }
725
726 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
727
728 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
729
730 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
731 if (suite == NULL)
732 keyx = TLS_KEY_X_NULL;
733 else
734 keyx = suite->key_exchange;
735
736 if (keyx == TLS_KEY_X_DH_anon &&
737 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
738 return -1;
739
740 if (keyx != TLS_KEY_X_DH_anon &&
741 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
742 return -1;
743
744 *in_len = end - in_data;
745
746 conn->state = CERTIFICATE_VERIFY;
747
748 return 0;
749 }
750
751
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)752 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
753 const u8 *in_data, size_t *in_len)
754 {
755 const u8 *pos, *end;
756 size_t left, len;
757 u8 type;
758 size_t hlen, buflen;
759 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
760 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
761 u16 slen;
762
763 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
764 if (conn->verify_peer) {
765 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
766 "CertificateVerify");
767 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
768 TLS_ALERT_UNEXPECTED_MESSAGE);
769 return -1;
770 }
771
772 return tls_process_change_cipher_spec(conn, ct, in_data,
773 in_len);
774 }
775
776 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
777 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
778 "received content type 0x%x", ct);
779 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
780 TLS_ALERT_UNEXPECTED_MESSAGE);
781 return -1;
782 }
783
784 pos = in_data;
785 left = *in_len;
786
787 if (left < 4) {
788 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
789 "message (len=%lu)", (unsigned long) left);
790 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
791 TLS_ALERT_DECODE_ERROR);
792 return -1;
793 }
794
795 type = *pos++;
796 len = WPA_GET_BE24(pos);
797 pos += 3;
798 left -= 4;
799
800 if (len > left) {
801 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
802 "message length (len=%lu != left=%lu)",
803 (unsigned long) len, (unsigned long) left);
804 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
805 TLS_ALERT_DECODE_ERROR);
806 return -1;
807 }
808
809 end = pos + len;
810
811 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
812 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
813 "message %d (expected CertificateVerify)", type);
814 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
815 TLS_ALERT_UNEXPECTED_MESSAGE);
816 return -1;
817 }
818
819 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
820
821 /*
822 * struct {
823 * Signature signature;
824 * } CertificateVerify;
825 */
826
827 hpos = hash;
828
829 if (alg == SIGN_ALG_RSA) {
830 hlen = MD5_MAC_LEN;
831 if (conn->verify.md5_cert == NULL ||
832 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
833 {
834 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
835 TLS_ALERT_INTERNAL_ERROR);
836 conn->verify.md5_cert = NULL;
837 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
838 conn->verify.sha1_cert = NULL;
839 return -1;
840 }
841 hpos += MD5_MAC_LEN;
842 } else
843 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
844
845 conn->verify.md5_cert = NULL;
846 hlen = SHA1_MAC_LEN;
847 if (conn->verify.sha1_cert == NULL ||
848 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
849 conn->verify.sha1_cert = NULL;
850 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
851 TLS_ALERT_INTERNAL_ERROR);
852 return -1;
853 }
854 conn->verify.sha1_cert = NULL;
855
856 if (alg == SIGN_ALG_RSA)
857 hlen += MD5_MAC_LEN;
858
859 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
860
861 if (end - pos < 2) {
862 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
863 TLS_ALERT_DECODE_ERROR);
864 return -1;
865 }
866 slen = WPA_GET_BE16(pos);
867 pos += 2;
868 if (end - pos < slen) {
869 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
870 TLS_ALERT_DECODE_ERROR);
871 return -1;
872 }
873
874 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
875 if (conn->client_rsa_key == NULL) {
876 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
877 "signature");
878 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
879 TLS_ALERT_INTERNAL_ERROR);
880 return -1;
881 }
882
883 buflen = end - pos;
884 buf = os_malloc(end - pos);
885 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
886 pos, end - pos, buf, &buflen) < 0)
887 {
888 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
889 os_free(buf);
890 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
891 TLS_ALERT_DECRYPT_ERROR);
892 return -1;
893 }
894
895 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
896 buf, buflen);
897
898 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
899 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
900 "CertificateVerify - did not match with calculated "
901 "hash");
902 os_free(buf);
903 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
904 TLS_ALERT_DECRYPT_ERROR);
905 return -1;
906 }
907
908 os_free(buf);
909
910 *in_len = end - in_data;
911
912 conn->state = CHANGE_CIPHER_SPEC;
913
914 return 0;
915 }
916
917
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)918 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
919 u8 ct, const u8 *in_data,
920 size_t *in_len)
921 {
922 const u8 *pos;
923 size_t left;
924
925 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
926 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
927 "received content type 0x%x", ct);
928 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
929 TLS_ALERT_UNEXPECTED_MESSAGE);
930 return -1;
931 }
932
933 pos = in_data;
934 left = *in_len;
935
936 if (left < 1) {
937 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
938 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
939 TLS_ALERT_DECODE_ERROR);
940 return -1;
941 }
942
943 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
944 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
945 "received data 0x%x", *pos);
946 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
947 TLS_ALERT_UNEXPECTED_MESSAGE);
948 return -1;
949 }
950
951 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
952 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
953 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
954 "for record layer");
955 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
956 TLS_ALERT_INTERNAL_ERROR);
957 return -1;
958 }
959
960 *in_len = pos + 1 - in_data;
961
962 conn->state = CLIENT_FINISHED;
963
964 return 0;
965 }
966
967
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)968 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
969 const u8 *in_data, size_t *in_len)
970 {
971 const u8 *pos, *end;
972 size_t left, len, hlen;
973 u8 verify_data[TLS_VERIFY_DATA_LEN];
974 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
975
976 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
977 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
978 "received content type 0x%x", ct);
979 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
980 TLS_ALERT_UNEXPECTED_MESSAGE);
981 return -1;
982 }
983
984 pos = in_data;
985 left = *in_len;
986
987 if (left < 4) {
988 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
989 "Finished",
990 (unsigned long) left);
991 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 TLS_ALERT_DECODE_ERROR);
993 return -1;
994 }
995
996 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
997 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
998 "type 0x%x", pos[0]);
999 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1000 TLS_ALERT_UNEXPECTED_MESSAGE);
1001 return -1;
1002 }
1003
1004 len = WPA_GET_BE24(pos + 1);
1005
1006 pos += 4;
1007 left -= 4;
1008
1009 if (len > left) {
1010 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1011 "(len=%lu > left=%lu)",
1012 (unsigned long) len, (unsigned long) left);
1013 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1014 TLS_ALERT_DECODE_ERROR);
1015 return -1;
1016 }
1017 end = pos + len;
1018 if (len != TLS_VERIFY_DATA_LEN) {
1019 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1020 "in Finished: %lu (expected %d)",
1021 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1022 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023 TLS_ALERT_DECODE_ERROR);
1024 return -1;
1025 }
1026 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1027 pos, TLS_VERIFY_DATA_LEN);
1028
1029 hlen = MD5_MAC_LEN;
1030 if (conn->verify.md5_client == NULL ||
1031 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1032 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033 TLS_ALERT_INTERNAL_ERROR);
1034 conn->verify.md5_client = NULL;
1035 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1036 conn->verify.sha1_client = NULL;
1037 return -1;
1038 }
1039 conn->verify.md5_client = NULL;
1040 hlen = SHA1_MAC_LEN;
1041 if (conn->verify.sha1_client == NULL ||
1042 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1043 &hlen) < 0) {
1044 conn->verify.sha1_client = NULL;
1045 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1046 TLS_ALERT_INTERNAL_ERROR);
1047 return -1;
1048 }
1049 conn->verify.sha1_client = NULL;
1050
1051 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1052 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1053 verify_data, TLS_VERIFY_DATA_LEN)) {
1054 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1055 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056 TLS_ALERT_DECRYPT_ERROR);
1057 return -1;
1058 }
1059 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1060 verify_data, TLS_VERIFY_DATA_LEN);
1061
1062 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1063 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1064 return -1;
1065 }
1066
1067 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1068
1069 *in_len = end - in_data;
1070
1071 if (conn->use_session_ticket) {
1072 /* Abbreviated handshake using session ticket; RFC 4507 */
1073 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1074 "successfully");
1075 conn->state = ESTABLISHED;
1076 } else {
1077 /* Full handshake */
1078 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1079 }
1080
1081 return 0;
1082 }
1083
1084
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1085 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1086 const u8 *buf, size_t *len)
1087 {
1088 if (ct == TLS_CONTENT_TYPE_ALERT) {
1089 if (*len < 2) {
1090 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1091 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092 TLS_ALERT_DECODE_ERROR);
1093 return -1;
1094 }
1095 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1096 buf[0], buf[1]);
1097 *len = 2;
1098 conn->state = FAILED;
1099 return -1;
1100 }
1101
1102 switch (conn->state) {
1103 case CLIENT_HELLO:
1104 if (tls_process_client_hello(conn, ct, buf, len))
1105 return -1;
1106 break;
1107 case CLIENT_CERTIFICATE:
1108 if (tls_process_certificate(conn, ct, buf, len))
1109 return -1;
1110 break;
1111 case CLIENT_KEY_EXCHANGE:
1112 if (tls_process_client_key_exchange(conn, ct, buf, len))
1113 return -1;
1114 break;
1115 case CERTIFICATE_VERIFY:
1116 if (tls_process_certificate_verify(conn, ct, buf, len))
1117 return -1;
1118 break;
1119 case CHANGE_CIPHER_SPEC:
1120 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1121 return -1;
1122 break;
1123 case CLIENT_FINISHED:
1124 if (tls_process_client_finished(conn, ct, buf, len))
1125 return -1;
1126 break;
1127 default:
1128 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1129 "while processing received message",
1130 conn->state);
1131 return -1;
1132 }
1133
1134 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1135 tls_verify_hash_add(&conn->verify, buf, *len);
1136
1137 return 0;
1138 }
1139