contrib/wpa/src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "md5.h"
  19 #include "sha1.h"
  20 #include "x509v3.h"
  21 #include "tls.h"
  22 #include "tlsv1_common.h"
  23 #include "tlsv1_record.h"
  24 #include "tlsv1_server.h"
  25 #include "tlsv1_server_i.h"
  26
  27
  28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  29                                            const u8 *in_data, size_t *in_len);
  30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  31                                           u8 ct, const u8 *in_data,
  32                                           size_t *in_len);
  33
  34
  35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
  36                                     const u8 *in_data, size_t *in_len)
  37 {
  38         const u8 *pos, *end, *c;
  39         size_t left, len, i, j;
  40         u16 cipher_suite;
  41         u16 num_suites;
  42         int compr_null_found;
  43
  44         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  45                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  46                            "received content type 0x%x", ct);
  47                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  48                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  49                 return -1;
  50         }
  51
  52         pos = in_data;
  53         left = *in_len;
  54
  55         if (left < 4)
  56                 goto decode_error;
  57
  58         /* HandshakeType msg_type */
  59         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
  60                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  61                            "message %d (expected ClientHello)", *pos);
  62                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  63                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  64                 return -1;
  65         }
  66         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
  67         pos++;
  68         /* uint24 length */
  69         len = WPA_GET_BE24(pos);
  70         pos += 3;
  71         left -= 4;
  72
  73         if (len > left)
  74                 goto decode_error;
  75
  76         /* body - ClientHello */
  77
  78         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
  79         end = pos + len;
  80
  81         /* ProtocolVersion client_version */
  82         if (end - pos < 2)
  83                 goto decode_error;
  84         conn->client_version = WPA_GET_BE16(pos);
  85         wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
  86                    conn->client_version >> 8, conn->client_version & 0xff);
  87         if (conn->client_version < TLS_VERSION) {
  88                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  89                            "ClientHello");
  90                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  91                                    TLS_ALERT_PROTOCOL_VERSION);
  92                 return -1;
  93         }
  94         pos += 2;
  95
  96         /* Random random */
  97         if (end - pos < TLS_RANDOM_LEN)
  98                 goto decode_error;
  99
 100         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 101         pos += TLS_RANDOM_LEN;
 102         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 103                     conn->client_random, TLS_RANDOM_LEN);
 104
 105         /* SessionID session_id */
 106         if (end - pos < 1)
 107                 goto decode_error;
 108         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 109                 goto decode_error;
 110         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 111         pos += 1 + *pos;
 112         /* TODO: add support for session resumption */
 113
 114         /* CipherSuite cipher_suites<2..2^16-1> */
 115         if (end - pos < 2)
 116                 goto decode_error;
 117         num_suites = WPA_GET_BE16(pos);
 118         pos += 2;
 119         if (end - pos < num_suites)
 120                 goto decode_error;
 121         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 122                     pos, num_suites);
 123         if (num_suites & 1)
 124                 goto decode_error;
 125         num_suites /= 2;
 126
 127         cipher_suite = 0;
 128         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 129                 c = pos;
 130                 for (j = 0; j < num_suites; j++) {
 131                         u16 tmp = WPA_GET_BE16(c);
 132                         c += 2;
 133                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 134                                 cipher_suite = tmp;
 135                                 break;
 136                         }
 137                 }
 138         }
 139         pos += num_suites * 2;
 140         if (!cipher_suite) {
 141                 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
 142                            "available");
 143                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 144                                    TLS_ALERT_ILLEGAL_PARAMETER);
 145                 return -1;
 146         }
 147
 148         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 149                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 150                            "record layer");
 151                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 152                                    TLS_ALERT_INTERNAL_ERROR);
 153                 return -1;
 154         }
 155
 156         conn->cipher_suite = cipher_suite;
 157
 158         /* CompressionMethod compression_methods<1..2^8-1> */
 159         if (end - pos < 1)
 160                 goto decode_error;
 161         num_suites = *pos++;
 162         if (end - pos < num_suites)
 163                 goto decode_error;
 164         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 165                     pos, num_suites);
 166         compr_null_found = 0;
 167         for (i = 0; i < num_suites; i++) {
 168                 if (*pos++ == TLS_COMPRESSION_NULL)
 169                         compr_null_found = 1;
 170         }
 171         if (!compr_null_found) {
 172                 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
 173                            "compression");
 174                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 175                                    TLS_ALERT_ILLEGAL_PARAMETER);
 176                 return -1;
 177         }
 178
 179         if (end - pos == 1) {
 180                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
 181                             "end of ClientHello: 0x%02x", *pos);
 182                 goto decode_error;
 183         }
 184
 185         if (end - pos >= 2) {
 186                 u16 ext_len;
 187
 188                 /* Extension client_hello_extension_list<0..2^16-1> */
 189
 190                 ext_len = WPA_GET_BE16(pos);
 191                 pos += 2;
 192
 193                 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
 194                            "extensions", ext_len);
 195                 if (end - pos != ext_len) {
 196                         wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
 197                                    "extension list length %u (expected %u)",
 198                                    ext_len, end - pos);
 199                         goto decode_error;
 200                 }
 201
 202                 /*
 203                  * struct {
 204                  *   ExtensionType extension_type (0..65535)
 205                  *   opaque extension_data<0..2^16-1>
 206                  * } Extension;
 207                  */
 208
 209                 while (pos < end) {
 210                         u16 ext_type, ext_len;
 211
 212                         if (end - pos < 2) {
 213                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 214                                            "extension_type field");
 215                                 goto decode_error;
 216                         }
 217
 218                         ext_type = WPA_GET_BE16(pos);
 219                         pos += 2;
 220
 221                         if (end - pos < 2) {
 222                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 223                                            "extension_data length field");
 224                                 goto decode_error;
 225                         }
 226
 227                         ext_len = WPA_GET_BE16(pos);
 228                         pos += 2;
 229
 230                         if (end - pos < ext_len) {
 231                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 232                                            "extension_data field");
 233                                 goto decode_error;
 234                         }
 235
 236                         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
 237                                    "type %u", ext_type);
 238                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 239                                     "Extension data", pos, ext_len);
 240
 241                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 242                                 os_free(conn->session_ticket);
 243                                 conn->session_ticket = os_malloc(ext_len);
 244                                 if (conn->session_ticket) {
 245                                         os_memcpy(conn->session_ticket, pos,
 246                                                   ext_len);
 247                                         conn->session_ticket_len = ext_len;
 248                                 }
 249                         }
 250
 251                         pos += ext_len;
 252                 }
 253         }
 254
 255         *in_len = end - in_data;
 256
 257         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
 258                    "ServerHello");
 259         conn->state = SERVER_HELLO;
 260
 261         return 0;
 262
 263 decode_error:
 264         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
 265         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 266                            TLS_ALERT_DECODE_ERROR);
 267         return -1;
 268 }
 269
 270
 271 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 272                                    const u8 *in_data, size_t *in_len)
 273 {
 274         const u8 *pos, *end;
 275         size_t left, len, list_len, cert_len, idx;
 276         u8 type;
 277         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 278         int reason;
 279
 280         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 281                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 282                            "received content type 0x%x", ct);
 283                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 284                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 285                 return -1;
 286         }
 287
 288         pos = in_data;
 289         left = *in_len;
 290
 291         if (left < 4) {
 292                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 293                            "(len=%lu)", (unsigned long) left);
 294                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 295                                    TLS_ALERT_DECODE_ERROR);
 296                 return -1;
 297         }
 298
 299         type = *pos++;
 300         len = WPA_GET_BE24(pos);
 301         pos += 3;
 302         left -= 4;
 303
 304         if (len > left) {
 305                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 306                            "length (len=%lu != left=%lu)",
 307                            (unsigned long) len, (unsigned long) left);
 308                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 309                                    TLS_ALERT_DECODE_ERROR);
 310                 return -1;
 311         }
 312
 313         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 314                 if (conn->verify_peer) {
 315                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 316                                    "Certificate");
 317                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 318                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 319                         return -1;
 320                 }
 321
 322                 return tls_process_client_key_exchange(conn, ct, in_data,
 323                                                        in_len);
 324         }
 325         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 326                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 327                            "message %d (expected Certificate/"
 328                            "ClientKeyExchange)", type);
 329                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 330                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 331                 return -1;
 332         }
 333
 334         wpa_printf(MSG_DEBUG,
 335                    "TLSv1: Received Certificate (certificate_list len %lu)",
 336                    (unsigned long) len);
 337
 338         /*
 339          * opaque ASN.1Cert<2^24-1>;
 340          *
 341          * struct {
 342          *     ASN.1Cert certificate_list<1..2^24-1>;
 343          * } Certificate;
 344          */
 345
 346         end = pos + len;
 347
 348         if (end - pos < 3) {
 349                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 350                            "(left=%lu)", (unsigned long) left);
 351                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 352                                    TLS_ALERT_DECODE_ERROR);
 353                 return -1;
 354         }
 355
 356         list_len = WPA_GET_BE24(pos);
 357         pos += 3;
 358
 359         if ((size_t) (end - pos) != list_len) {
 360                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 361                            "length (len=%lu left=%lu)",
 362                            (unsigned long) list_len,
 363                            (unsigned long) (end - pos));
 364                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 365                                    TLS_ALERT_DECODE_ERROR);
 366                 return -1;
 367         }
 368
 369         idx = 0;
 370         while (pos < end) {
 371                 if (end - pos < 3) {
 372                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 373                                    "certificate_list");
 374                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 375                                            TLS_ALERT_DECODE_ERROR);
 376                         x509_certificate_chain_free(chain);
 377                         return -1;
 378                 }
 379
 380                 cert_len = WPA_GET_BE24(pos);
 381                 pos += 3;
 382
 383                 if ((size_t) (end - pos) < cert_len) {
 384                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 385                                    "length (len=%lu left=%lu)",
 386                                    (unsigned long) cert_len,
 387                                    (unsigned long) (end - pos));
 388                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 389                                            TLS_ALERT_DECODE_ERROR);
 390                         x509_certificate_chain_free(chain);
 391                         return -1;
 392                 }
 393
 394                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 395                            (unsigned long) idx, (unsigned long) cert_len);
 396
 397                 if (idx == 0) {
 398                         crypto_public_key_free(conn->client_rsa_key);
 399                         if (tls_parse_cert(pos, cert_len,
 400                                            &conn->client_rsa_key)) {
 401                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 402                                            "the certificate");
 403                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 404                                                    TLS_ALERT_BAD_CERTIFICATE);
 405                                 x509_certificate_chain_free(chain);
 406                                 return -1;
 407                         }
 408                 }
 409
 410                 cert = x509_certificate_parse(pos, cert_len);
 411                 if (cert == NULL) {
 412                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 413                                    "the certificate");
 414                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 415                                            TLS_ALERT_BAD_CERTIFICATE);
 416                         x509_certificate_chain_free(chain);
 417                         return -1;
 418                 }
 419
 420                 if (last == NULL)
 421                         chain = cert;
 422                 else
 423                         last->next = cert;
 424                 last = cert;
 425
 426                 idx++;
 427                 pos += cert_len;
 428         }
 429
 430         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 431                                             &reason) < 0) {
 432                 int tls_reason;
 433                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 434                            "validation failed (reason=%d)", reason);
 435                 switch (reason) {
 436                 case X509_VALIDATE_BAD_CERTIFICATE:
 437                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 438                         break;
 439                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 440                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 441                         break;
 442                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 443                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 444                         break;
 445                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 446                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 447                         break;
 448                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 449                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 450                         break;
 451                 case X509_VALIDATE_UNKNOWN_CA:
 452                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 453                         break;
 454                 default:
 455                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 456                         break;
 457                 }
 458                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 459                 x509_certificate_chain_free(chain);
 460                 return -1;
 461         }
 462
 463         x509_certificate_chain_free(chain);
 464
 465         *in_len = end - in_data;
 466
 467         conn->state = CLIENT_KEY_EXCHANGE;
 468
 469         return 0;
 470 }
 471
 472
 473 static int tls_process_client_key_exchange_rsa(
 474         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 475 {
 476         u8 *out;
 477         size_t outlen, outbuflen;
 478         u16 encr_len;
 479         int res;
 480         int use_random = 0;
 481
 482         if (end - pos < 2) {
 483                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 484                                    TLS_ALERT_DECODE_ERROR);
 485                 return -1;
 486         }
 487
 488         encr_len = WPA_GET_BE16(pos);
 489         pos += 2;
 490
 491         outbuflen = outlen = end - pos;
 492         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 493                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 494         if (out == NULL) {
 495                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 496                                    TLS_ALERT_INTERNAL_ERROR);
 497                 return -1;
 498         }
 499
 500         /*
 501          * struct {
 502          *   ProtocolVersion client_version;
 503          *   opaque random[46];
 504          * } PreMasterSecret;
 505          *
 506          * struct {
 507          *   public-key-encrypted PreMasterSecret pre_master_secret;
 508          * } EncryptedPreMasterSecret;
 509          */
 510
 511         /*
 512          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 513          * parsing errors from EncryptedPreMasterSecret processing to the
 514          * client. Instead, a random pre-master secret is used to force the
 515          * handshake to fail.
 516          */
 517
 518         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 519                                                  pos, end - pos,
 520                                                  out, &outlen) < 0) {
 521                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 522                            "PreMasterSecret (encr_len=%d outlen=%lu)",
 523                            end - pos, (unsigned long) outlen);
 524                 use_random = 1;
 525         }
 526
 527         if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
 528                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
 529                            "length %lu", (unsigned long) outlen);
 530                 use_random = 1;
 531         }
 532
 533         if (WPA_GET_BE16(out) != conn->client_version) {
 534                 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
 535                            "ClientKeyExchange does not match with version in "
 536                            "ClientHello");
 537                 use_random = 1;
 538         }
 539
 540         if (use_random) {
 541                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 542                            "to avoid revealing information about private key");
 543                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 544                 if (os_get_random(out, outlen)) {
 545                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 546                                    "data");
 547                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 548                                            TLS_ALERT_INTERNAL_ERROR);
 549                         os_free(out);
 550                         return -1;
 551                 }
 552         }
 553
 554         res = tlsv1_server_derive_keys(conn, out, outlen);
 555
 556         /* Clear the pre-master secret since it is not needed anymore */
 557         os_memset(out, 0, outbuflen);
 558         os_free(out);
 559
 560         if (res) {
 561                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 562                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 563                                    TLS_ALERT_INTERNAL_ERROR);
 564                 return -1;
 565         }
 566
 567         return 0;
 568 }
 569
 570
 571 static int tls_process_client_key_exchange_dh_anon(
 572         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 573 {
 574 #ifdef EAP_FAST
 575         const u8 *dh_yc;
 576         u16 dh_yc_len;
 577         u8 *shared;
 578         size_t shared_len;
 579         int res;
 580
 581         /*
 582          * struct {
 583          *   select (PublicValueEncoding) {
 584          *     case implicit: struct { };
 585          *     case explicit: opaque dh_Yc<1..2^16-1>;
 586          *   } dh_public;
 587          * } ClientDiffieHellmanPublic;
 588          */
 589
 590         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 591                     pos, end - pos);
 592
 593         if (end == pos) {
 594                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 595                            "not supported");
 596                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 597                                    TLS_ALERT_INTERNAL_ERROR);
 598                 return -1;
 599         }
 600
 601         if (end - pos < 3) {
 602                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
 603                            "length");
 604                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 605                                    TLS_ALERT_DECODE_ERROR);
 606                 return -1;
 607         }
 608
 609         dh_yc_len = WPA_GET_BE16(pos);
 610         dh_yc = pos + 2;
 611
 612         if (dh_yc + dh_yc_len > end) {
 613                 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
 614                            "(length %d)", dh_yc_len);
 615                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 616                                    TLS_ALERT_DECODE_ERROR);
 617                 return -1;
 618         }
 619
 620         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 621                     dh_yc, dh_yc_len);
 622
 623         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 624             conn->dh_secret == NULL) {
 625                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 626                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 627                                    TLS_ALERT_INTERNAL_ERROR);
 628                 return -1;
 629         }
 630
 631         shared_len = conn->cred->dh_p_len;
 632         shared = os_malloc(shared_len);
 633         if (shared == NULL) {
 634                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 635                            "DH");
 636                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 637                                    TLS_ALERT_INTERNAL_ERROR);
 638                 return -1;
 639         }
 640
 641         /* shared = Yc^secret mod p */
 642         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 643                            conn->dh_secret_len,
 644                            conn->cred->dh_p, conn->cred->dh_p_len,
 645                            shared, &shared_len)) {
 646                 os_free(shared);
 647                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 648                                    TLS_ALERT_INTERNAL_ERROR);
 649                 return -1;
 650         }
 651         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 652                         shared, shared_len);
 653
 654         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 655         os_free(conn->dh_secret);
 656         conn->dh_secret = NULL;
 657
 658         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 659
 660         /* Clear the pre-master secret since it is not needed anymore */
 661         os_memset(shared, 0, shared_len);
 662         os_free(shared);
 663
 664         if (res) {
 665                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 666                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 667                                    TLS_ALERT_INTERNAL_ERROR);
 668                 return -1;
 669         }
 670
 671         return 0;
 672 #else /* EAP_FAST */
 673         return -1;
 674 #endif /* EAP_FAST */
 675 }
 676
 677
 678 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 679                                            const u8 *in_data, size_t *in_len)
 680 {
 681         const u8 *pos, *end;
 682         size_t left, len;
 683         u8 type;
 684         tls_key_exchange keyx;
 685         const struct tls_cipher_suite *suite;
 686
 687         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 688                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 689                            "received content type 0x%x", ct);
 690                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 691                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 692                 return -1;
 693         }
 694
 695         pos = in_data;
 696         left = *in_len;
 697
 698         if (left < 4) {
 699                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
 700                            "(Left=%lu)", (unsigned long) left);
 701                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 702                                    TLS_ALERT_DECODE_ERROR);
 703                 return -1;
 704         }
 705
 706         type = *pos++;
 707         len = WPA_GET_BE24(pos);
 708         pos += 3;
 709         left -= 4;
 710
 711         if (len > left) {
 712                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
 713                            "length (len=%lu != left=%lu)",
 714                            (unsigned long) len, (unsigned long) left);
 715                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 716                                    TLS_ALERT_DECODE_ERROR);
 717                 return -1;
 718         }
 719
 720         end = pos + len;
 721
 722         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 723                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 724                            "message %d (expected ClientKeyExchange)", type);
 725                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 726                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 727                 return -1;
 728         }
 729
 730         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
 731
 732         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 733
 734         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 735         if (suite == NULL)
 736                 keyx = TLS_KEY_X_NULL;
 737         else
 738                 keyx = suite->key_exchange;
 739
 740         if (keyx == TLS_KEY_X_DH_anon &&
 741             tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
 742                 return -1;
 743
 744         if (keyx != TLS_KEY_X_DH_anon &&
 745             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 746                 return -1;
 747
 748         *in_len = end - in_data;
 749
 750         conn->state = CERTIFICATE_VERIFY;
 751
 752         return 0;
 753 }
 754
 755
 756 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 757                                           const u8 *in_data, size_t *in_len)
 758 {
 759         const u8 *pos, *end;
 760         size_t left, len;
 761         u8 type;
 762         size_t hlen, buflen;
 763         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
 764         enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 765         u16 slen;
 766
 767         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 768                 if (conn->verify_peer) {
 769                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 770                                    "CertificateVerify");
 771                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 772                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 773                         return -1;
 774                 }
 775
 776                 return tls_process_change_cipher_spec(conn, ct, in_data,
 777                                                       in_len);
 778         }
 779
 780         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 781                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 782                            "received content type 0x%x", ct);
 783                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 784                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 785                 return -1;
 786         }
 787
 788         pos = in_data;
 789         left = *in_len;
 790
 791         if (left < 4) {
 792                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
 793                            "message (len=%lu)", (unsigned long) left);
 794                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 795                                    TLS_ALERT_DECODE_ERROR);
 796                 return -1;
 797         }
 798
 799         type = *pos++;
 800         len = WPA_GET_BE24(pos);
 801         pos += 3;
 802         left -= 4;
 803
 804         if (len > left) {
 805                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
 806                            "message length (len=%lu != left=%lu)",
 807                            (unsigned long) len, (unsigned long) left);
 808                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 809                                    TLS_ALERT_DECODE_ERROR);
 810                 return -1;
 811         }
 812
 813         end = pos + len;
 814
 815         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 816                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 817                            "message %d (expected CertificateVerify)", type);
 818                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 819                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 820                 return -1;
 821         }
 822
 823         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
 824
 825         /*
 826          * struct {
 827          *   Signature signature;
 828          * } CertificateVerify;
 829          */
 830
 831         hpos = hash;
 832
 833         if (alg == SIGN_ALG_RSA) {
 834                 hlen = MD5_MAC_LEN;
 835                 if (conn->verify.md5_cert == NULL ||
 836                     crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
 837                 {
 838                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 839                                            TLS_ALERT_INTERNAL_ERROR);
 840                         conn->verify.md5_cert = NULL;
 841                         crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 842                         conn->verify.sha1_cert = NULL;
 843                         return -1;
 844                 }
 845                 hpos += MD5_MAC_LEN;
 846         } else
 847                 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
 848
 849         conn->verify.md5_cert = NULL;
 850         hlen = SHA1_MAC_LEN;
 851         if (conn->verify.sha1_cert == NULL ||
 852             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 853                 conn->verify.sha1_cert = NULL;
 854                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 855                                    TLS_ALERT_INTERNAL_ERROR);
 856                 return -1;
 857         }
 858         conn->verify.sha1_cert = NULL;
 859
 860         if (alg == SIGN_ALG_RSA)
 861                 hlen += MD5_MAC_LEN;
 862
 863         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 864
 865         if (end - pos < 2) {
 866                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 867                                    TLS_ALERT_DECODE_ERROR);
 868                 return -1;
 869         }
 870         slen = WPA_GET_BE16(pos);
 871         pos += 2;
 872         if (end - pos < slen) {
 873                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 874                                    TLS_ALERT_DECODE_ERROR);
 875                 return -1;
 876         }
 877
 878         wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 879         if (conn->client_rsa_key == NULL) {
 880                 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
 881                            "signature");
 882                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 883                                    TLS_ALERT_INTERNAL_ERROR);
 884                 return -1;
 885         }
 886
 887         buflen = end - pos;
 888         buf = os_malloc(end - pos);
 889         if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
 890                                             pos, end - pos, buf, &buflen) < 0)
 891         {
 892                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 893                 os_free(buf);
 894                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 895                                    TLS_ALERT_DECRYPT_ERROR);
 896                 return -1;
 897         }
 898
 899         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 900                         buf, buflen);
 901
 902         if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
 903                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
 904                            "CertificateVerify - did not match with calculated "
 905                            "hash");
 906                 os_free(buf);
 907                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 908                                    TLS_ALERT_DECRYPT_ERROR);
 909                 return -1;
 910         }
 911
 912         os_free(buf);
 913
 914         *in_len = end - in_data;
 915
 916         conn->state = CHANGE_CIPHER_SPEC;
 917
 918         return 0;
 919 }
 920
 921
 922 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 923                                           u8 ct, const u8 *in_data,
 924                                           size_t *in_len)
 925 {
 926         const u8 *pos;
 927         size_t left;
 928
 929         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 930                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 931                            "received content type 0x%x", ct);
 932                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 933                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 934                 return -1;
 935         }
 936
 937         pos = in_data;
 938         left = *in_len;
 939
 940         if (left < 1) {
 941                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 942                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 943                                    TLS_ALERT_DECODE_ERROR);
 944                 return -1;
 945         }
 946
 947         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 948                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 949                            "received data 0x%x", *pos);
 950                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 951                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 952                 return -1;
 953         }
 954
 955         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 956         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 957                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 958                            "for record layer");
 959                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 960                                    TLS_ALERT_INTERNAL_ERROR);
 961                 return -1;
 962         }
 963
 964         *in_len = pos + 1 - in_data;
 965
 966         conn->state = CLIENT_FINISHED;
 967
 968         return 0;
 969 }
 970
 971
 972 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 973                                        const u8 *in_data, size_t *in_len)
 974 {
 975         const u8 *pos, *end;
 976         size_t left, len, hlen;
 977         u8 verify_data[TLS_VERIFY_DATA_LEN];
 978         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 979
 980         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 981                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 982                            "received content type 0x%x", ct);
 983                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 984                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 985                 return -1;
 986         }
 987
 988         pos = in_data;
 989         left = *in_len;
 990
 991         if (left < 4) {
 992                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 993                            "Finished",
 994                            (unsigned long) left);
 995                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 996                                    TLS_ALERT_DECODE_ERROR);
 997                 return -1;
 998         }
 999
1000         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1001                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1002                            "type 0x%x", pos[0]);
1003                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1004                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1005                 return -1;
1006         }
1007
1008         len = WPA_GET_BE24(pos + 1);
1009
1010         pos += 4;
1011         left -= 4;
1012
1013         if (len > left) {
1014                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1015                            "(len=%lu > left=%lu)",
1016                            (unsigned long) len, (unsigned long) left);
1017                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1018                                    TLS_ALERT_DECODE_ERROR);
1019                 return -1;
1020         }
1021         end = pos + len;
1022         if (len != TLS_VERIFY_DATA_LEN) {
1023                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1024                            "in Finished: %lu (expected %d)",
1025                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1026                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1027                                    TLS_ALERT_DECODE_ERROR);
1028                 return -1;
1029         }
1030         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1031                     pos, TLS_VERIFY_DATA_LEN);
1032
1033         hlen = MD5_MAC_LEN;
1034         if (conn->verify.md5_client == NULL ||
1035             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1036                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1037                                    TLS_ALERT_INTERNAL_ERROR);
1038                 conn->verify.md5_client = NULL;
1039                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1040                 conn->verify.sha1_client = NULL;
1041                 return -1;
1042         }
1043         conn->verify.md5_client = NULL;
1044         hlen = SHA1_MAC_LEN;
1045         if (conn->verify.sha1_client == NULL ||
1046             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1047                                &hlen) < 0) {
1048                 conn->verify.sha1_client = NULL;
1049                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1050                                    TLS_ALERT_INTERNAL_ERROR);
1051                 return -1;
1052         }
1053         conn->verify.sha1_client = NULL;
1054
1055         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1056                     "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1057                     verify_data, TLS_VERIFY_DATA_LEN)) {
1058                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1059                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1060                                    TLS_ALERT_DECRYPT_ERROR);
1061                 return -1;
1062         }
1063         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1064                         verify_data, TLS_VERIFY_DATA_LEN);
1065
1066         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1067                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1068                 return -1;
1069         }
1070
1071         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1072
1073         *in_len = end - in_data;
1074
1075         if (conn->use_session_ticket) {
1076                 /* Abbreviated handshake using session ticket; RFC 4507 */
1077                 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1078                            "successfully");
1079                 conn->state = ESTABLISHED;
1080         } else {
1081                 /* Full handshake */
1082                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1083         }
1084
1085         return 0;
1086 }
1087
1088
1089 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1090                                    const u8 *buf, size_t *len)
1091 {
1092         if (ct == TLS_CONTENT_TYPE_ALERT) {
1093                 if (*len < 2) {
1094                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1095                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1096                                            TLS_ALERT_DECODE_ERROR);
1097                         return -1;
1098                 }
1099                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1100                            buf[0], buf[1]);
1101                 *len = 2;
1102                 conn->state = FAILED;
1103                 return -1;
1104         }
1105
1106         switch (conn->state) {
1107         case CLIENT_HELLO:
1108                 if (tls_process_client_hello(conn, ct, buf, len))
1109                         return -1;
1110                 break;
1111         case CLIENT_CERTIFICATE:
1112                 if (tls_process_certificate(conn, ct, buf, len))
1113                         return -1;
1114                 break;
1115         case CLIENT_KEY_EXCHANGE:
1116                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1117                         return -1;
1118                 break;
1119         case CERTIFICATE_VERIFY:
1120                 if (tls_process_certificate_verify(conn, ct, buf, len))
1121                         return -1;
1122                 break;
1123         case CHANGE_CIPHER_SPEC:
1124                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1125                         return -1;
1126                 break;
1127         case CLIENT_FINISHED:
1128                 if (tls_process_client_finished(conn, ct, buf, len))
1129                         return -1;
1130                 break;
1131         default:
1132                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1133                            "while processing received message",
1134                            conn->state);
1135                 return -1;
1136         }
1137
1138         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1139                 tls_verify_hash_add(&conn->verify, buf, *len);
1140
1141         return 0;
1142 }