contrib/hostapd/src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "md5.h"
  19 #include "sha1.h"
  20 #include "x509v3.h"
  21 #include "tls.h"
  22 #include "tlsv1_common.h"
  23 #include "tlsv1_record.h"
  24 #include "tlsv1_server.h"
  25 #include "tlsv1_server_i.h"
  26
  27
  28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  29                                            const u8 *in_data, size_t *in_len);
  30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  31                                           u8 ct, const u8 *in_data,
  32                                           size_t *in_len);
  33
  34
  35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
  36                                     const u8 *in_data, size_t *in_len)
  37 {
  38         const u8 *pos, *end, *c;
  39         size_t left, len, i, j;
  40         u16 cipher_suite;
  41         u16 num_suites;
  42         int compr_null_found;
  43         u16 ext_type, ext_len;
  44
  45         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  46                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  47                            "received content type 0x%x", ct);
  48                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  49                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  50                 return -1;
  51         }
  52
  53         pos = in_data;
  54         left = *in_len;
  55
  56         if (left < 4)
  57                 goto decode_error;
  58
  59         /* HandshakeType msg_type */
  60         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
  61                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  62                            "message %d (expected ClientHello)", *pos);
  63                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  64                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  65                 return -1;
  66         }
  67         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
  68         pos++;
  69         /* uint24 length */
  70         len = WPA_GET_BE24(pos);
  71         pos += 3;
  72         left -= 4;
  73
  74         if (len > left)
  75                 goto decode_error;
  76
  77         /* body - ClientHello */
  78
  79         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
  80         end = pos + len;
  81
  82         /* ProtocolVersion client_version */
  83         if (end - pos < 2)
  84                 goto decode_error;
  85         conn->client_version = WPA_GET_BE16(pos);
  86         wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
  87                    conn->client_version >> 8, conn->client_version & 0xff);
  88         if (conn->client_version < TLS_VERSION) {
  89                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  90                            "ClientHello");
  91                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  92                                    TLS_ALERT_PROTOCOL_VERSION);
  93                 return -1;
  94         }
  95         pos += 2;
  96
  97         /* Random random */
  98         if (end - pos < TLS_RANDOM_LEN)
  99                 goto decode_error;
 100
 101         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 102         pos += TLS_RANDOM_LEN;
 103         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 104                     conn->client_random, TLS_RANDOM_LEN);
 105
 106         /* SessionID session_id */
 107         if (end - pos < 1)
 108                 goto decode_error;
 109         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 110                 goto decode_error;
 111         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 112         pos += 1 + *pos;
 113         /* TODO: add support for session resumption */
 114
 115         /* CipherSuite cipher_suites<2..2^16-1> */
 116         if (end - pos < 2)
 117                 goto decode_error;
 118         num_suites = WPA_GET_BE16(pos);
 119         pos += 2;
 120         if (end - pos < num_suites)
 121                 goto decode_error;
 122         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 123                     pos, num_suites);
 124         if (num_suites & 1)
 125                 goto decode_error;
 126         num_suites /= 2;
 127
 128         cipher_suite = 0;
 129         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 130                 c = pos;
 131                 for (j = 0; j < num_suites; j++) {
 132                         u16 tmp = WPA_GET_BE16(c);
 133                         c += 2;
 134                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 135                                 cipher_suite = tmp;
 136                                 break;
 137                         }
 138                 }
 139         }
 140         pos += num_suites * 2;
 141         if (!cipher_suite) {
 142                 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
 143                            "available");
 144                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 145                                    TLS_ALERT_ILLEGAL_PARAMETER);
 146                 return -1;
 147         }
 148
 149         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 150                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 151                            "record layer");
 152                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 153                                    TLS_ALERT_INTERNAL_ERROR);
 154                 return -1;
 155         }
 156
 157         conn->cipher_suite = cipher_suite;
 158
 159         /* CompressionMethod compression_methods<1..2^8-1> */
 160         if (end - pos < 1)
 161                 goto decode_error;
 162         num_suites = *pos++;
 163         if (end - pos < num_suites)
 164                 goto decode_error;
 165         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 166                     pos, num_suites);
 167         compr_null_found = 0;
 168         for (i = 0; i < num_suites; i++) {
 169                 if (*pos++ == TLS_COMPRESSION_NULL)
 170                         compr_null_found = 1;
 171         }
 172         if (!compr_null_found) {
 173                 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
 174                            "compression");
 175                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 176                                    TLS_ALERT_ILLEGAL_PARAMETER);
 177                 return -1;
 178         }
 179
 180         if (end - pos == 1) {
 181                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
 182                             "end of ClientHello: 0x%02x", *pos);
 183                 goto decode_error;
 184         }
 185
 186         if (end - pos >= 2) {
 187                 /* Extension client_hello_extension_list<0..2^16-1> */
 188                 ext_len = WPA_GET_BE16(pos);
 189                 pos += 2;
 190
 191                 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
 192                            "extensions", ext_len);
 193                 if (end - pos != ext_len) {
 194                         wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
 195                                    "extension list length %u (expected %u)",
 196                                    ext_len, (unsigned int) (end - pos));
 197                         goto decode_error;
 198                 }
 199
 200                 /*
 201                  * struct {
 202                  *   ExtensionType extension_type (0..65535)
 203                  *   opaque extension_data<0..2^16-1>
 204                  * } Extension;
 205                  */
 206
 207                 while (pos < end) {
 208                         if (end - pos < 2) {
 209                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 210                                            "extension_type field");
 211                                 goto decode_error;
 212                         }
 213
 214                         ext_type = WPA_GET_BE16(pos);
 215                         pos += 2;
 216
 217                         if (end - pos < 2) {
 218                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 219                                            "extension_data length field");
 220                                 goto decode_error;
 221                         }
 222
 223                         ext_len = WPA_GET_BE16(pos);
 224                         pos += 2;
 225
 226                         if (end - pos < ext_len) {
 227                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 228                                            "extension_data field");
 229                                 goto decode_error;
 230                         }
 231
 232                         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
 233                                    "type %u", ext_type);
 234                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 235                                     "Extension data", pos, ext_len);
 236
 237                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 238                                 os_free(conn->session_ticket);
 239                                 conn->session_ticket = os_malloc(ext_len);
 240                                 if (conn->session_ticket) {
 241                                         os_memcpy(conn->session_ticket, pos,
 242                                                   ext_len);
 243                                         conn->session_ticket_len = ext_len;
 244                                 }
 245                         }
 246
 247                         pos += ext_len;
 248                 }
 249         }
 250
 251         *in_len = end - in_data;
 252
 253         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
 254                    "ServerHello");
 255         conn->state = SERVER_HELLO;
 256
 257         return 0;
 258
 259 decode_error:
 260         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
 261         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 262                            TLS_ALERT_DECODE_ERROR);
 263         return -1;
 264 }
 265
 266
 267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 268                                    const u8 *in_data, size_t *in_len)
 269 {
 270         const u8 *pos, *end;
 271         size_t left, len, list_len, cert_len, idx;
 272         u8 type;
 273         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 274         int reason;
 275
 276         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 277                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 278                            "received content type 0x%x", ct);
 279                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 280                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 281                 return -1;
 282         }
 283
 284         pos = in_data;
 285         left = *in_len;
 286
 287         if (left < 4) {
 288                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 289                            "(len=%lu)", (unsigned long) left);
 290                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 291                                    TLS_ALERT_DECODE_ERROR);
 292                 return -1;
 293         }
 294
 295         type = *pos++;
 296         len = WPA_GET_BE24(pos);
 297         pos += 3;
 298         left -= 4;
 299
 300         if (len > left) {
 301                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 302                            "length (len=%lu != left=%lu)",
 303                            (unsigned long) len, (unsigned long) left);
 304                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 305                                    TLS_ALERT_DECODE_ERROR);
 306                 return -1;
 307         }
 308
 309         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 310                 if (conn->verify_peer) {
 311                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 312                                    "Certificate");
 313                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 314                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 315                         return -1;
 316                 }
 317
 318                 return tls_process_client_key_exchange(conn, ct, in_data,
 319                                                        in_len);
 320         }
 321         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 322                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 323                            "message %d (expected Certificate/"
 324                            "ClientKeyExchange)", type);
 325                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 326                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 327                 return -1;
 328         }
 329
 330         wpa_printf(MSG_DEBUG,
 331                    "TLSv1: Received Certificate (certificate_list len %lu)",
 332                    (unsigned long) len);
 333
 334         /*
 335          * opaque ASN.1Cert<2^24-1>;
 336          *
 337          * struct {
 338          *     ASN.1Cert certificate_list<1..2^24-1>;
 339          * } Certificate;
 340          */
 341
 342         end = pos + len;
 343
 344         if (end - pos < 3) {
 345                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 346                            "(left=%lu)", (unsigned long) left);
 347                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 348                                    TLS_ALERT_DECODE_ERROR);
 349                 return -1;
 350         }
 351
 352         list_len = WPA_GET_BE24(pos);
 353         pos += 3;
 354
 355         if ((size_t) (end - pos) != list_len) {
 356                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 357                            "length (len=%lu left=%lu)",
 358                            (unsigned long) list_len,
 359                            (unsigned long) (end - pos));
 360                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 361                                    TLS_ALERT_DECODE_ERROR);
 362                 return -1;
 363         }
 364
 365         idx = 0;
 366         while (pos < end) {
 367                 if (end - pos < 3) {
 368                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 369                                    "certificate_list");
 370                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 371                                            TLS_ALERT_DECODE_ERROR);
 372                         x509_certificate_chain_free(chain);
 373                         return -1;
 374                 }
 375
 376                 cert_len = WPA_GET_BE24(pos);
 377                 pos += 3;
 378
 379                 if ((size_t) (end - pos) < cert_len) {
 380                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 381                                    "length (len=%lu left=%lu)",
 382                                    (unsigned long) cert_len,
 383                                    (unsigned long) (end - pos));
 384                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 385                                            TLS_ALERT_DECODE_ERROR);
 386                         x509_certificate_chain_free(chain);
 387                         return -1;
 388                 }
 389
 390                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 391                            (unsigned long) idx, (unsigned long) cert_len);
 392
 393                 if (idx == 0) {
 394                         crypto_public_key_free(conn->client_rsa_key);
 395                         if (tls_parse_cert(pos, cert_len,
 396                                            &conn->client_rsa_key)) {
 397                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 398                                            "the certificate");
 399                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 400                                                    TLS_ALERT_BAD_CERTIFICATE);
 401                                 x509_certificate_chain_free(chain);
 402                                 return -1;
 403                         }
 404                 }
 405
 406                 cert = x509_certificate_parse(pos, cert_len);
 407                 if (cert == NULL) {
 408                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 409                                    "the certificate");
 410                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 411                                            TLS_ALERT_BAD_CERTIFICATE);
 412                         x509_certificate_chain_free(chain);
 413                         return -1;
 414                 }
 415
 416                 if (last == NULL)
 417                         chain = cert;
 418                 else
 419                         last->next = cert;
 420                 last = cert;
 421
 422                 idx++;
 423                 pos += cert_len;
 424         }
 425
 426         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 427                                             &reason) < 0) {
 428                 int tls_reason;
 429                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 430                            "validation failed (reason=%d)", reason);
 431                 switch (reason) {
 432                 case X509_VALIDATE_BAD_CERTIFICATE:
 433                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 434                         break;
 435                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 436                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 437                         break;
 438                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 439                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 440                         break;
 441                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 442                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 443                         break;
 444                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 445                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 446                         break;
 447                 case X509_VALIDATE_UNKNOWN_CA:
 448                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 449                         break;
 450                 default:
 451                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 452                         break;
 453                 }
 454                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 455                 x509_certificate_chain_free(chain);
 456                 return -1;
 457         }
 458
 459         x509_certificate_chain_free(chain);
 460
 461         *in_len = end - in_data;
 462
 463         conn->state = CLIENT_KEY_EXCHANGE;
 464
 465         return 0;
 466 }
 467
 468
 469 static int tls_process_client_key_exchange_rsa(
 470         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 471 {
 472         u8 *out;
 473         size_t outlen, outbuflen;
 474         u16 encr_len;
 475         int res;
 476         int use_random = 0;
 477
 478         if (end - pos < 2) {
 479                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 480                                    TLS_ALERT_DECODE_ERROR);
 481                 return -1;
 482         }
 483
 484         encr_len = WPA_GET_BE16(pos);
 485         pos += 2;
 486
 487         outbuflen = outlen = end - pos;
 488         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 489                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 490         if (out == NULL) {
 491                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 492                                    TLS_ALERT_INTERNAL_ERROR);
 493                 return -1;
 494         }
 495
 496         /*
 497          * struct {
 498          *   ProtocolVersion client_version;
 499          *   opaque random[46];
 500          * } PreMasterSecret;
 501          *
 502          * struct {
 503          *   public-key-encrypted PreMasterSecret pre_master_secret;
 504          * } EncryptedPreMasterSecret;
 505          */
 506
 507         /*
 508          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 509          * parsing errors from EncryptedPreMasterSecret processing to the
 510          * client. Instead, a random pre-master secret is used to force the
 511          * handshake to fail.
 512          */
 513
 514         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 515                                                  pos, end - pos,
 516                                                  out, &outlen) < 0) {
 517                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 518                            "PreMasterSecret (encr_len=%d outlen=%lu)",
 519                            (int) (end - pos), (unsigned long) outlen);
 520                 use_random = 1;
 521         }
 522
 523         if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
 524                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
 525                            "length %lu", (unsigned long) outlen);
 526                 use_random = 1;
 527         }
 528
 529         if (WPA_GET_BE16(out) != conn->client_version) {
 530                 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
 531                            "ClientKeyExchange does not match with version in "
 532                            "ClientHello");
 533                 use_random = 1;
 534         }
 535
 536         if (use_random) {
 537                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 538                            "to avoid revealing information about private key");
 539                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 540                 if (os_get_random(out, outlen)) {
 541                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 542                                    "data");
 543                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 544                                            TLS_ALERT_INTERNAL_ERROR);
 545                         os_free(out);
 546                         return -1;
 547                 }
 548         }
 549
 550         res = tlsv1_server_derive_keys(conn, out, outlen);
 551
 552         /* Clear the pre-master secret since it is not needed anymore */
 553         os_memset(out, 0, outbuflen);
 554         os_free(out);
 555
 556         if (res) {
 557                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 558                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 559                                    TLS_ALERT_INTERNAL_ERROR);
 560                 return -1;
 561         }
 562
 563         return 0;
 564 }
 565
 566
 567 static int tls_process_client_key_exchange_dh_anon(
 568         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 569 {
 570 #ifdef EAP_FAST
 571         const u8 *dh_yc;
 572         u16 dh_yc_len;
 573         u8 *shared;
 574         size_t shared_len;
 575         int res;
 576
 577         /*
 578          * struct {
 579          *   select (PublicValueEncoding) {
 580          *     case implicit: struct { };
 581          *     case explicit: opaque dh_Yc<1..2^16-1>;
 582          *   } dh_public;
 583          * } ClientDiffieHellmanPublic;
 584          */
 585
 586         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 587                     pos, end - pos);
 588
 589         if (end == pos) {
 590                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 591                            "not supported");
 592                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 593                                    TLS_ALERT_INTERNAL_ERROR);
 594                 return -1;
 595         }
 596
 597         if (end - pos < 3) {
 598                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
 599                            "length");
 600                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 601                                    TLS_ALERT_DECODE_ERROR);
 602                 return -1;
 603         }
 604
 605         dh_yc_len = WPA_GET_BE16(pos);
 606         dh_yc = pos + 2;
 607
 608         if (dh_yc + dh_yc_len > end) {
 609                 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
 610                            "(length %d)", dh_yc_len);
 611                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 612                                    TLS_ALERT_DECODE_ERROR);
 613                 return -1;
 614         }
 615
 616         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 617                     dh_yc, dh_yc_len);
 618
 619         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 620             conn->dh_secret == NULL) {
 621                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 622                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 623                                    TLS_ALERT_INTERNAL_ERROR);
 624                 return -1;
 625         }
 626
 627         shared_len = conn->cred->dh_p_len;
 628         shared = os_malloc(shared_len);
 629         if (shared == NULL) {
 630                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 631                            "DH");
 632                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 633                                    TLS_ALERT_INTERNAL_ERROR);
 634                 return -1;
 635         }
 636
 637         /* shared = Yc^secret mod p */
 638         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 639                            conn->dh_secret_len,
 640                            conn->cred->dh_p, conn->cred->dh_p_len,
 641                            shared, &shared_len)) {
 642                 os_free(shared);
 643                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 644                                    TLS_ALERT_INTERNAL_ERROR);
 645                 return -1;
 646         }
 647         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 648                         shared, shared_len);
 649
 650         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 651         os_free(conn->dh_secret);
 652         conn->dh_secret = NULL;
 653
 654         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 655
 656         /* Clear the pre-master secret since it is not needed anymore */
 657         os_memset(shared, 0, shared_len);
 658         os_free(shared);
 659
 660         if (res) {
 661                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 662                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 663                                    TLS_ALERT_INTERNAL_ERROR);
 664                 return -1;
 665         }
 666
 667         return 0;
 668 #else /* EAP_FAST */
 669         return -1;
 670 #endif /* EAP_FAST */
 671 }
 672
 673
 674 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 675                                            const u8 *in_data, size_t *in_len)
 676 {
 677         const u8 *pos, *end;
 678         size_t left, len;
 679         u8 type;
 680         tls_key_exchange keyx;
 681         const struct tls_cipher_suite *suite;
 682
 683         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 684                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 685                            "received content type 0x%x", ct);
 686                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 687                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 688                 return -1;
 689         }
 690
 691         pos = in_data;
 692         left = *in_len;
 693
 694         if (left < 4) {
 695                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
 696                            "(Left=%lu)", (unsigned long) left);
 697                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 698                                    TLS_ALERT_DECODE_ERROR);
 699                 return -1;
 700         }
 701
 702         type = *pos++;
 703         len = WPA_GET_BE24(pos);
 704         pos += 3;
 705         left -= 4;
 706
 707         if (len > left) {
 708                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
 709                            "length (len=%lu != left=%lu)",
 710                            (unsigned long) len, (unsigned long) left);
 711                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 712                                    TLS_ALERT_DECODE_ERROR);
 713                 return -1;
 714         }
 715
 716         end = pos + len;
 717
 718         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 719                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 720                            "message %d (expected ClientKeyExchange)", type);
 721                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 722                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 723                 return -1;
 724         }
 725
 726         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
 727
 728         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 729
 730         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 731         if (suite == NULL)
 732                 keyx = TLS_KEY_X_NULL;
 733         else
 734                 keyx = suite->key_exchange;
 735
 736         if (keyx == TLS_KEY_X_DH_anon &&
 737             tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
 738                 return -1;
 739
 740         if (keyx != TLS_KEY_X_DH_anon &&
 741             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 742                 return -1;
 743
 744         *in_len = end - in_data;
 745
 746         conn->state = CERTIFICATE_VERIFY;
 747
 748         return 0;
 749 }
 750
 751
 752 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 753                                           const u8 *in_data, size_t *in_len)
 754 {
 755         const u8 *pos, *end;
 756         size_t left, len;
 757         u8 type;
 758         size_t hlen, buflen;
 759         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
 760         enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 761         u16 slen;
 762
 763         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 764                 if (conn->verify_peer) {
 765                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 766                                    "CertificateVerify");
 767                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 768                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 769                         return -1;
 770                 }
 771
 772                 return tls_process_change_cipher_spec(conn, ct, in_data,
 773                                                       in_len);
 774         }
 775
 776         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 777                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 778                            "received content type 0x%x", ct);
 779                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 780                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 781                 return -1;
 782         }
 783
 784         pos = in_data;
 785         left = *in_len;
 786
 787         if (left < 4) {
 788                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
 789                            "message (len=%lu)", (unsigned long) left);
 790                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 791                                    TLS_ALERT_DECODE_ERROR);
 792                 return -1;
 793         }
 794
 795         type = *pos++;
 796         len = WPA_GET_BE24(pos);
 797         pos += 3;
 798         left -= 4;
 799
 800         if (len > left) {
 801                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
 802                            "message length (len=%lu != left=%lu)",
 803                            (unsigned long) len, (unsigned long) left);
 804                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 805                                    TLS_ALERT_DECODE_ERROR);
 806                 return -1;
 807         }
 808
 809         end = pos + len;
 810
 811         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 812                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 813                            "message %d (expected CertificateVerify)", type);
 814                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 815                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 816                 return -1;
 817         }
 818
 819         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
 820
 821         /*
 822          * struct {
 823          *   Signature signature;
 824          * } CertificateVerify;
 825          */
 826
 827         hpos = hash;
 828
 829         if (alg == SIGN_ALG_RSA) {
 830                 hlen = MD5_MAC_LEN;
 831                 if (conn->verify.md5_cert == NULL ||
 832                     crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
 833                 {
 834                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 835                                            TLS_ALERT_INTERNAL_ERROR);
 836                         conn->verify.md5_cert = NULL;
 837                         crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 838                         conn->verify.sha1_cert = NULL;
 839                         return -1;
 840                 }
 841                 hpos += MD5_MAC_LEN;
 842         } else
 843                 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
 844
 845         conn->verify.md5_cert = NULL;
 846         hlen = SHA1_MAC_LEN;
 847         if (conn->verify.sha1_cert == NULL ||
 848             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 849                 conn->verify.sha1_cert = NULL;
 850                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 851                                    TLS_ALERT_INTERNAL_ERROR);
 852                 return -1;
 853         }
 854         conn->verify.sha1_cert = NULL;
 855
 856         if (alg == SIGN_ALG_RSA)
 857                 hlen += MD5_MAC_LEN;
 858
 859         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 860
 861         if (end - pos < 2) {
 862                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 863                                    TLS_ALERT_DECODE_ERROR);
 864                 return -1;
 865         }
 866         slen = WPA_GET_BE16(pos);
 867         pos += 2;
 868         if (end - pos < slen) {
 869                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 870                                    TLS_ALERT_DECODE_ERROR);
 871                 return -1;
 872         }
 873
 874         wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 875         if (conn->client_rsa_key == NULL) {
 876                 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
 877                            "signature");
 878                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 879                                    TLS_ALERT_INTERNAL_ERROR);
 880                 return -1;
 881         }
 882
 883         buflen = end - pos;
 884         buf = os_malloc(end - pos);
 885         if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
 886                                             pos, end - pos, buf, &buflen) < 0)
 887         {
 888                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 889                 os_free(buf);
 890                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 891                                    TLS_ALERT_DECRYPT_ERROR);
 892                 return -1;
 893         }
 894
 895         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 896                         buf, buflen);
 897
 898         if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
 899                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
 900                            "CertificateVerify - did not match with calculated "
 901                            "hash");
 902                 os_free(buf);
 903                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 904                                    TLS_ALERT_DECRYPT_ERROR);
 905                 return -1;
 906         }
 907
 908         os_free(buf);
 909
 910         *in_len = end - in_data;
 911
 912         conn->state = CHANGE_CIPHER_SPEC;
 913
 914         return 0;
 915 }
 916
 917
 918 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 919                                           u8 ct, const u8 *in_data,
 920                                           size_t *in_len)
 921 {
 922         const u8 *pos;
 923         size_t left;
 924
 925         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 926                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 927                            "received content type 0x%x", ct);
 928                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 929                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 930                 return -1;
 931         }
 932
 933         pos = in_data;
 934         left = *in_len;
 935
 936         if (left < 1) {
 937                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 938                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 939                                    TLS_ALERT_DECODE_ERROR);
 940                 return -1;
 941         }
 942
 943         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 944                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 945                            "received data 0x%x", *pos);
 946                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 947                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 948                 return -1;
 949         }
 950
 951         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 952         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 953                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 954                            "for record layer");
 955                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 956                                    TLS_ALERT_INTERNAL_ERROR);
 957                 return -1;
 958         }
 959
 960         *in_len = pos + 1 - in_data;
 961
 962         conn->state = CLIENT_FINISHED;
 963
 964         return 0;
 965 }
 966
 967
 968 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 969                                        const u8 *in_data, size_t *in_len)
 970 {
 971         const u8 *pos, *end;
 972         size_t left, len, hlen;
 973         u8 verify_data[TLS_VERIFY_DATA_LEN];
 974         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 975
 976         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 977                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 978                            "received content type 0x%x", ct);
 979                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 980                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 981                 return -1;
 982         }
 983
 984         pos = in_data;
 985         left = *in_len;
 986
 987         if (left < 4) {
 988                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 989                            "Finished",
 990                            (unsigned long) left);
 991                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 992                                    TLS_ALERT_DECODE_ERROR);
 993                 return -1;
 994         }
 995
 996         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 997                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 998                            "type 0x%x", pos[0]);
 999                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1000                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1001                 return -1;
1002         }
1003
1004         len = WPA_GET_BE24(pos + 1);
1005
1006         pos += 4;
1007         left -= 4;
1008
1009         if (len > left) {
1010                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1011                            "(len=%lu > left=%lu)",
1012                            (unsigned long) len, (unsigned long) left);
1013                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1014                                    TLS_ALERT_DECODE_ERROR);
1015                 return -1;
1016         }
1017         end = pos + len;
1018         if (len != TLS_VERIFY_DATA_LEN) {
1019                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1020                            "in Finished: %lu (expected %d)",
1021                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1022                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1023                                    TLS_ALERT_DECODE_ERROR);
1024                 return -1;
1025         }
1026         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1027                     pos, TLS_VERIFY_DATA_LEN);
1028
1029         hlen = MD5_MAC_LEN;
1030         if (conn->verify.md5_client == NULL ||
1031             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1032                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1033                                    TLS_ALERT_INTERNAL_ERROR);
1034                 conn->verify.md5_client = NULL;
1035                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1036                 conn->verify.sha1_client = NULL;
1037                 return -1;
1038         }
1039         conn->verify.md5_client = NULL;
1040         hlen = SHA1_MAC_LEN;
1041         if (conn->verify.sha1_client == NULL ||
1042             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1043                                &hlen) < 0) {
1044                 conn->verify.sha1_client = NULL;
1045                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1046                                    TLS_ALERT_INTERNAL_ERROR);
1047                 return -1;
1048         }
1049         conn->verify.sha1_client = NULL;
1050
1051         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1052                     "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1053                     verify_data, TLS_VERIFY_DATA_LEN)) {
1054                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1055                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056                                    TLS_ALERT_DECRYPT_ERROR);
1057                 return -1;
1058         }
1059         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1060                         verify_data, TLS_VERIFY_DATA_LEN);
1061
1062         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1063                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1064                 return -1;
1065         }
1066
1067         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1068
1069         *in_len = end - in_data;
1070
1071         if (conn->use_session_ticket) {
1072                 /* Abbreviated handshake using session ticket; RFC 4507 */
1073                 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1074                            "successfully");
1075                 conn->state = ESTABLISHED;
1076         } else {
1077                 /* Full handshake */
1078                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1079         }
1080
1081         return 0;
1082 }
1083
1084
1085 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1086                                    const u8 *buf, size_t *len)
1087 {
1088         if (ct == TLS_CONTENT_TYPE_ALERT) {
1089                 if (*len < 2) {
1090                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1091                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1092                                            TLS_ALERT_DECODE_ERROR);
1093                         return -1;
1094                 }
1095                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1096                            buf[0], buf[1]);
1097                 *len = 2;
1098                 conn->state = FAILED;
1099                 return -1;
1100         }
1101
1102         switch (conn->state) {
1103         case CLIENT_HELLO:
1104                 if (tls_process_client_hello(conn, ct, buf, len))
1105                         return -1;
1106                 break;
1107         case CLIENT_CERTIFICATE:
1108                 if (tls_process_certificate(conn, ct, buf, len))
1109                         return -1;
1110                 break;
1111         case CLIENT_KEY_EXCHANGE:
1112                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1113                         return -1;
1114                 break;
1115         case CERTIFICATE_VERIFY:
1116                 if (tls_process_certificate_verify(conn, ct, buf, len))
1117                         return -1;
1118                 break;
1119         case CHANGE_CIPHER_SPEC:
1120                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1121                         return -1;
1122                 break;
1123         case CLIENT_FINISHED:
1124                 if (tls_process_client_finished(conn, ct, buf, len))
1125                         return -1;
1126                 break;
1127         default:
1128                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1129                            "while processing received message",
1130                            conn->state);
1131                 return -1;
1132         }
1133
1134         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1135                 tls_verify_hash_add(&conn->verify, buf, *len);
1136
1137         return 0;
1138 }