1 /* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_server.h" 20 #include "tlsv1_server_i.h" 21 22 23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 31 { 32 #ifdef CONFIG_TESTING_OPTIONS 33 if ((conn->test_flags & 34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE | 35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 | 36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) && 37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 42 return 1; 43 #endif /* CONFIG_TESTING_OPTIONS */ 44 45 return 0; 46 } 47 48 tls_process_status_request_item(struct tlsv1_server * conn,const u8 * req,size_t req_len)49 static void tls_process_status_request_item(struct tlsv1_server *conn, 50 const u8 *req, size_t req_len) 51 { 52 const u8 *pos, *end; 53 u8 status_type; 54 55 pos = req; 56 end = req + req_len; 57 58 /* 59 * RFC 6961, 2.2: 60 * struct { 61 * CertificateStatusType status_type; 62 * uint16 request_length; 63 * select (status_type) { 64 * case ocsp: OCSPStatusRequest; 65 * case ocsp_multi: OCSPStatusRequest; 66 * } request; 67 * } CertificateStatusRequestItemV2; 68 * 69 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType; 70 */ 71 72 if (end - pos < 1) 73 return; /* Truncated data */ 74 75 status_type = *pos++; 76 wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type); 77 if (status_type != 1 && status_type != 2) 78 return; /* Unsupported status type */ 79 /* 80 * For now, only OCSP stapling is supported, so ignore the specific 81 * request, if any. 82 */ 83 wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos); 84 85 if (status_type == 2) 86 conn->status_request_multi = 1; 87 } 88 89 tls_process_status_request_v2(struct tlsv1_server * conn,const u8 * ext,size_t ext_len)90 static void tls_process_status_request_v2(struct tlsv1_server *conn, 91 const u8 *ext, size_t ext_len) 92 { 93 const u8 *pos, *end; 94 95 conn->status_request_v2 = 1; 96 97 pos = ext; 98 end = ext + ext_len; 99 100 /* 101 * RFC 6961, 2.2: 102 * struct { 103 * CertificateStatusRequestItemV2 104 * certificate_status_req_list<1..2^16-1>; 105 * } CertificateStatusRequestListV2; 106 */ 107 108 while (end - pos >= 2) { 109 u16 len; 110 111 len = WPA_GET_BE16(pos); 112 pos += 2; 113 if (len > end - pos) 114 break; /* Truncated data */ 115 tls_process_status_request_item(conn, pos, len); 116 pos += len; 117 } 118 } 119 120 tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 122 const u8 *in_data, size_t *in_len) 123 { 124 const u8 *pos, *end, *c; 125 size_t left, len, i, j; 126 u16 cipher_suite; 127 u16 num_suites; 128 int compr_null_found; 129 u16 ext_type, ext_len; 130 131 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 132 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 133 ct); 134 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 135 TLS_ALERT_UNEXPECTED_MESSAGE); 136 return -1; 137 } 138 139 pos = in_data; 140 left = *in_len; 141 142 if (left < 4) { 143 tlsv1_server_log(conn, 144 "Truncated handshake message (expected ClientHello)"); 145 goto decode_error; 146 } 147 148 /* HandshakeType msg_type */ 149 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 150 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 151 *pos); 152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 153 TLS_ALERT_UNEXPECTED_MESSAGE); 154 return -1; 155 } 156 tlsv1_server_log(conn, "Received ClientHello"); 157 pos++; 158 /* uint24 length */ 159 len = WPA_GET_BE24(pos); 160 pos += 3; 161 left -= 4; 162 163 if (len > left) { 164 tlsv1_server_log(conn, 165 "Truncated ClientHello (len=%d left=%d)", 166 (int) len, (int) left); 167 goto decode_error; 168 } 169 170 /* body - ClientHello */ 171 172 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 173 end = pos + len; 174 175 /* ProtocolVersion client_version */ 176 if (end - pos < 2) { 177 tlsv1_server_log(conn, "Truncated ClientHello/client_version"); 178 goto decode_error; 179 } 180 conn->client_version = WPA_GET_BE16(pos); 181 tlsv1_server_log(conn, "Client version %d.%d", 182 conn->client_version >> 8, 183 conn->client_version & 0xff); 184 if (conn->client_version < TLS_VERSION_1) { 185 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 186 conn->client_version >> 8, 187 conn->client_version & 0xff); 188 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 189 TLS_ALERT_PROTOCOL_VERSION); 190 return -1; 191 } 192 pos += 2; 193 194 if (TLS_VERSION == TLS_VERSION_1) 195 conn->rl.tls_version = TLS_VERSION_1; 196 #ifdef CONFIG_TLSV12 197 else if (conn->client_version >= TLS_VERSION_1_2) 198 conn->rl.tls_version = TLS_VERSION_1_2; 199 #endif /* CONFIG_TLSV12 */ 200 else if (conn->client_version > TLS_VERSION_1_1) 201 conn->rl.tls_version = TLS_VERSION_1_1; 202 else 203 conn->rl.tls_version = conn->client_version; 204 tlsv1_server_log(conn, "Using TLS v%s", 205 tls_version_str(conn->rl.tls_version)); 206 207 /* Random random */ 208 if (end - pos < TLS_RANDOM_LEN) { 209 tlsv1_server_log(conn, "Truncated ClientHello/client_random"); 210 goto decode_error; 211 } 212 213 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 214 pos += TLS_RANDOM_LEN; 215 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 216 conn->client_random, TLS_RANDOM_LEN); 217 218 /* SessionID session_id */ 219 if (end - pos < 1) { 220 tlsv1_server_log(conn, "Truncated ClientHello/session_id len"); 221 goto decode_error; 222 } 223 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) { 224 tlsv1_server_log(conn, "Truncated ClientHello/session_id"); 225 goto decode_error; 226 } 227 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 228 pos += 1 + *pos; 229 /* TODO: add support for session resumption */ 230 231 /* CipherSuite cipher_suites<2..2^16-1> */ 232 if (end - pos < 2) { 233 tlsv1_server_log(conn, 234 "Truncated ClientHello/cipher_suites len"); 235 goto decode_error; 236 } 237 num_suites = WPA_GET_BE16(pos); 238 pos += 2; 239 if (end - pos < num_suites) { 240 tlsv1_server_log(conn, "Truncated ClientHello/cipher_suites"); 241 goto decode_error; 242 } 243 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 244 pos, num_suites); 245 if (num_suites & 1) { 246 tlsv1_server_log(conn, "Odd len ClientHello/cipher_suites"); 247 goto decode_error; 248 } 249 num_suites /= 2; 250 251 cipher_suite = 0; 252 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 253 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 254 continue; 255 c = pos; 256 for (j = 0; j < num_suites; j++) { 257 u16 tmp = WPA_GET_BE16(c); 258 c += 2; 259 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 260 cipher_suite = tmp; 261 break; 262 } 263 } 264 } 265 pos += num_suites * 2; 266 if (!cipher_suite) { 267 tlsv1_server_log(conn, "No supported cipher suite available"); 268 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 269 TLS_ALERT_ILLEGAL_PARAMETER); 270 return -1; 271 } 272 273 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 274 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 275 "record layer"); 276 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 277 TLS_ALERT_INTERNAL_ERROR); 278 return -1; 279 } 280 281 conn->cipher_suite = cipher_suite; 282 283 /* CompressionMethod compression_methods<1..2^8-1> */ 284 if (end - pos < 1) { 285 tlsv1_server_log(conn, 286 "Truncated ClientHello/compression_methods len"); 287 goto decode_error; 288 } 289 num_suites = *pos++; 290 if (end - pos < num_suites) { 291 tlsv1_server_log(conn, 292 "Truncated ClientHello/compression_methods"); 293 goto decode_error; 294 } 295 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 296 pos, num_suites); 297 compr_null_found = 0; 298 for (i = 0; i < num_suites; i++) { 299 if (*pos++ == TLS_COMPRESSION_NULL) 300 compr_null_found = 1; 301 } 302 if (!compr_null_found) { 303 tlsv1_server_log(conn, "Client does not accept NULL compression"); 304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 305 TLS_ALERT_ILLEGAL_PARAMETER); 306 return -1; 307 } 308 309 if (end - pos == 1) { 310 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 311 *pos); 312 goto decode_error; 313 } 314 315 if (end - pos >= 2) { 316 /* Extension client_hello_extension_list<0..2^16-1> */ 317 ext_len = WPA_GET_BE16(pos); 318 pos += 2; 319 320 tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 321 ext_len); 322 if (end - pos != ext_len) { 323 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 324 ext_len, (unsigned int) (end - pos)); 325 goto decode_error; 326 } 327 328 /* 329 * struct { 330 * ExtensionType extension_type (0..65535) 331 * opaque extension_data<0..2^16-1> 332 * } Extension; 333 */ 334 335 while (pos < end) { 336 if (end - pos < 2) { 337 tlsv1_server_log(conn, "Invalid extension_type field"); 338 goto decode_error; 339 } 340 341 ext_type = WPA_GET_BE16(pos); 342 pos += 2; 343 344 if (end - pos < 2) { 345 tlsv1_server_log(conn, "Invalid extension_data length field"); 346 goto decode_error; 347 } 348 349 ext_len = WPA_GET_BE16(pos); 350 pos += 2; 351 352 if (end - pos < ext_len) { 353 tlsv1_server_log(conn, "Invalid extension_data field"); 354 goto decode_error; 355 } 356 357 tlsv1_server_log(conn, "ClientHello Extension type %u", 358 ext_type); 359 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 360 "Extension data", pos, ext_len); 361 362 if (ext_type == TLS_EXT_SESSION_TICKET) { 363 os_free(conn->session_ticket); 364 conn->session_ticket = os_malloc(ext_len); 365 if (conn->session_ticket) { 366 os_memcpy(conn->session_ticket, pos, 367 ext_len); 368 conn->session_ticket_len = ext_len; 369 } 370 } else if (ext_type == TLS_EXT_STATUS_REQUEST) { 371 conn->status_request = 1; 372 } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) { 373 tls_process_status_request_v2(conn, pos, 374 ext_len); 375 } 376 377 pos += ext_len; 378 } 379 } 380 381 *in_len = end - in_data; 382 383 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 384 conn->state = SERVER_HELLO; 385 386 return 0; 387 388 decode_error: 389 tlsv1_server_log(conn, "Failed to decode ClientHello"); 390 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 391 TLS_ALERT_DECODE_ERROR); 392 return -1; 393 } 394 395 tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)396 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 397 const u8 *in_data, size_t *in_len) 398 { 399 const u8 *pos, *end; 400 size_t left, len, list_len, cert_len, idx; 401 u8 type; 402 struct x509_certificate *chain = NULL, *last = NULL, *cert; 403 int reason; 404 405 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 406 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 407 ct); 408 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 409 TLS_ALERT_UNEXPECTED_MESSAGE); 410 return -1; 411 } 412 413 pos = in_data; 414 left = *in_len; 415 416 if (left < 4) { 417 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 418 (unsigned long) left); 419 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 420 TLS_ALERT_DECODE_ERROR); 421 return -1; 422 } 423 424 type = *pos++; 425 len = WPA_GET_BE24(pos); 426 pos += 3; 427 left -= 4; 428 429 if (len > left) { 430 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 431 (unsigned long) len, (unsigned long) left); 432 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 433 TLS_ALERT_DECODE_ERROR); 434 return -1; 435 } 436 437 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 438 if (conn->verify_peer) { 439 tlsv1_server_log(conn, "Client did not include Certificate"); 440 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 441 TLS_ALERT_UNEXPECTED_MESSAGE); 442 return -1; 443 } 444 445 return tls_process_client_key_exchange(conn, ct, in_data, 446 in_len); 447 } 448 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 449 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 450 type); 451 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 452 TLS_ALERT_UNEXPECTED_MESSAGE); 453 return -1; 454 } 455 456 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 457 (unsigned long) len); 458 459 /* 460 * opaque ASN.1Cert<2^24-1>; 461 * 462 * struct { 463 * ASN.1Cert certificate_list<1..2^24-1>; 464 * } Certificate; 465 */ 466 467 end = pos + len; 468 469 if (end - pos < 3) { 470 tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 471 (unsigned long) left); 472 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 473 TLS_ALERT_DECODE_ERROR); 474 return -1; 475 } 476 477 list_len = WPA_GET_BE24(pos); 478 pos += 3; 479 480 if ((size_t) (end - pos) != list_len) { 481 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 482 (unsigned long) list_len, 483 (unsigned long) (end - pos)); 484 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 485 TLS_ALERT_DECODE_ERROR); 486 return -1; 487 } 488 489 idx = 0; 490 while (pos < end) { 491 if (end - pos < 3) { 492 tlsv1_server_log(conn, "Failed to parse certificate_list"); 493 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 494 TLS_ALERT_DECODE_ERROR); 495 x509_certificate_chain_free(chain); 496 return -1; 497 } 498 499 cert_len = WPA_GET_BE24(pos); 500 pos += 3; 501 502 if ((size_t) (end - pos) < cert_len) { 503 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 504 (unsigned long) cert_len, 505 (unsigned long) (end - pos)); 506 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 507 TLS_ALERT_DECODE_ERROR); 508 x509_certificate_chain_free(chain); 509 return -1; 510 } 511 512 tlsv1_server_log(conn, "Certificate %lu (len %lu)", 513 (unsigned long) idx, (unsigned long) cert_len); 514 515 if (idx == 0) { 516 crypto_public_key_free(conn->client_rsa_key); 517 if (tls_parse_cert(pos, cert_len, 518 &conn->client_rsa_key)) { 519 tlsv1_server_log(conn, "Failed to parse the certificate"); 520 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 521 TLS_ALERT_BAD_CERTIFICATE); 522 x509_certificate_chain_free(chain); 523 return -1; 524 } 525 } 526 527 cert = x509_certificate_parse(pos, cert_len); 528 if (cert == NULL) { 529 tlsv1_server_log(conn, "Failed to parse the certificate"); 530 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 531 TLS_ALERT_BAD_CERTIFICATE); 532 x509_certificate_chain_free(chain); 533 return -1; 534 } 535 536 if (last == NULL) 537 chain = cert; 538 else 539 last->next = cert; 540 last = cert; 541 542 idx++; 543 pos += cert_len; 544 } 545 546 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 547 &reason, 0) < 0) { 548 int tls_reason; 549 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 550 reason); 551 switch (reason) { 552 case X509_VALIDATE_BAD_CERTIFICATE: 553 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 554 break; 555 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 556 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 557 break; 558 case X509_VALIDATE_CERTIFICATE_REVOKED: 559 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 560 break; 561 case X509_VALIDATE_CERTIFICATE_EXPIRED: 562 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 563 break; 564 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 565 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 566 break; 567 case X509_VALIDATE_UNKNOWN_CA: 568 tls_reason = TLS_ALERT_UNKNOWN_CA; 569 break; 570 default: 571 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 572 break; 573 } 574 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 575 x509_certificate_chain_free(chain); 576 return -1; 577 } 578 579 if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 580 !(chain->ext_key_usage & 581 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) { 582 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 583 TLS_ALERT_BAD_CERTIFICATE); 584 x509_certificate_chain_free(chain); 585 return -1; 586 } 587 588 x509_certificate_chain_free(chain); 589 590 *in_len = end - in_data; 591 592 conn->state = CLIENT_KEY_EXCHANGE; 593 594 return 0; 595 } 596 597 tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)598 static int tls_process_client_key_exchange_rsa( 599 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 600 { 601 u8 *out; 602 size_t outlen, outbuflen; 603 u16 encr_len; 604 int res; 605 int use_random = 0; 606 607 if (end - pos < 2) { 608 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 609 TLS_ALERT_DECODE_ERROR); 610 return -1; 611 } 612 613 encr_len = WPA_GET_BE16(pos); 614 pos += 2; 615 if (pos + encr_len > end) { 616 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 617 encr_len, (unsigned int) (end - pos)); 618 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 619 TLS_ALERT_DECODE_ERROR); 620 return -1; 621 } 622 623 outbuflen = outlen = end - pos; 624 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 625 outlen : TLS_PRE_MASTER_SECRET_LEN); 626 if (out == NULL) { 627 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 628 TLS_ALERT_INTERNAL_ERROR); 629 return -1; 630 } 631 632 /* 633 * struct { 634 * ProtocolVersion client_version; 635 * opaque random[46]; 636 * } PreMasterSecret; 637 * 638 * struct { 639 * public-key-encrypted PreMasterSecret pre_master_secret; 640 * } EncryptedPreMasterSecret; 641 */ 642 643 /* 644 * Note: To avoid Bleichenbacher attack, we do not report decryption or 645 * parsing errors from EncryptedPreMasterSecret processing to the 646 * client. Instead, a random pre-master secret is used to force the 647 * handshake to fail. 648 */ 649 650 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 651 pos, encr_len, 652 out, &outlen) < 0) { 653 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 654 "PreMasterSecret (encr_len=%u outlen=%lu)", 655 encr_len, (unsigned long) outlen); 656 use_random = 1; 657 } 658 659 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 660 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 661 (unsigned long) outlen); 662 use_random = 1; 663 } 664 665 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 666 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 667 use_random = 1; 668 } 669 670 if (use_random) { 671 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 672 "to avoid revealing information about private key"); 673 outlen = TLS_PRE_MASTER_SECRET_LEN; 674 if (os_get_random(out, outlen)) { 675 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 676 "data"); 677 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 678 TLS_ALERT_INTERNAL_ERROR); 679 os_free(out); 680 return -1; 681 } 682 } 683 684 res = tlsv1_server_derive_keys(conn, out, outlen); 685 686 /* Clear the pre-master secret since it is not needed anymore */ 687 os_memset(out, 0, outbuflen); 688 os_free(out); 689 690 if (res) { 691 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 692 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 693 TLS_ALERT_INTERNAL_ERROR); 694 return -1; 695 } 696 697 return 0; 698 } 699 700 tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)701 static int tls_process_client_key_exchange_dh( 702 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 703 { 704 const u8 *dh_yc; 705 u16 dh_yc_len; 706 u8 *shared; 707 size_t shared_len; 708 int res; 709 const u8 *dh_p; 710 size_t dh_p_len; 711 712 /* 713 * struct { 714 * select (PublicValueEncoding) { 715 * case implicit: struct { }; 716 * case explicit: opaque dh_Yc<1..2^16-1>; 717 * } dh_public; 718 * } ClientDiffieHellmanPublic; 719 */ 720 721 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 722 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 723 pos, end - pos); 724 725 if (end == pos) { 726 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 727 "not supported"); 728 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 729 TLS_ALERT_INTERNAL_ERROR); 730 return -1; 731 } 732 733 if (end - pos < 3) { 734 tlsv1_server_log(conn, "Invalid client public value length"); 735 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 736 TLS_ALERT_DECODE_ERROR); 737 return -1; 738 } 739 740 dh_yc_len = WPA_GET_BE16(pos); 741 dh_yc = pos + 2; 742 743 if (dh_yc_len > end - dh_yc) { 744 tlsv1_server_log(conn, "Client public value overflow (length %d)", 745 dh_yc_len); 746 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 747 TLS_ALERT_DECODE_ERROR); 748 return -1; 749 } 750 751 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 752 dh_yc, dh_yc_len); 753 754 if (conn->cred == NULL || conn->cred->dh_p == NULL || 755 conn->dh_secret == NULL) { 756 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 757 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 758 TLS_ALERT_INTERNAL_ERROR); 759 return -1; 760 } 761 762 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 763 764 shared_len = dh_p_len; 765 shared = os_malloc(shared_len); 766 if (shared == NULL) { 767 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 768 "DH"); 769 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 770 TLS_ALERT_INTERNAL_ERROR); 771 return -1; 772 } 773 774 /* shared = Yc^secret mod p */ 775 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 776 conn->dh_secret_len, dh_p, dh_p_len, 777 shared, &shared_len)) { 778 os_free(shared); 779 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 780 TLS_ALERT_INTERNAL_ERROR); 781 return -1; 782 } 783 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 784 shared, shared_len); 785 786 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 787 os_free(conn->dh_secret); 788 conn->dh_secret = NULL; 789 790 res = tlsv1_server_derive_keys(conn, shared, shared_len); 791 792 /* Clear the pre-master secret since it is not needed anymore */ 793 os_memset(shared, 0, shared_len); 794 os_free(shared); 795 796 if (res) { 797 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 798 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 799 TLS_ALERT_INTERNAL_ERROR); 800 return -1; 801 } 802 803 return 0; 804 } 805 806 tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)807 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 808 const u8 *in_data, size_t *in_len) 809 { 810 const u8 *pos, *end; 811 size_t left, len; 812 u8 type; 813 tls_key_exchange keyx; 814 const struct tls_cipher_suite *suite; 815 816 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 817 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 818 ct); 819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 820 TLS_ALERT_UNEXPECTED_MESSAGE); 821 return -1; 822 } 823 824 pos = in_data; 825 left = *in_len; 826 827 if (left < 4) { 828 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 829 (unsigned long) left); 830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 831 TLS_ALERT_DECODE_ERROR); 832 return -1; 833 } 834 835 type = *pos++; 836 len = WPA_GET_BE24(pos); 837 pos += 3; 838 left -= 4; 839 840 if (len > left) { 841 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 842 (unsigned long) len, (unsigned long) left); 843 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 844 TLS_ALERT_DECODE_ERROR); 845 return -1; 846 } 847 848 end = pos + len; 849 850 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 851 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 852 type); 853 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 854 TLS_ALERT_UNEXPECTED_MESSAGE); 855 return -1; 856 } 857 858 tlsv1_server_log(conn, "Received ClientKeyExchange"); 859 860 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 861 862 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 863 if (suite == NULL) 864 keyx = TLS_KEY_X_NULL; 865 else 866 keyx = suite->key_exchange; 867 868 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 869 tls_process_client_key_exchange_dh(conn, pos, end) < 0) 870 return -1; 871 872 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 873 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 874 return -1; 875 876 *in_len = end - in_data; 877 878 conn->state = CERTIFICATE_VERIFY; 879 880 return 0; 881 } 882 883 tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)884 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 885 const u8 *in_data, size_t *in_len) 886 { 887 const u8 *pos, *end; 888 size_t left, len; 889 u8 type; 890 size_t hlen; 891 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 892 u8 alert; 893 894 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 895 if (conn->verify_peer) { 896 tlsv1_server_log(conn, "Client did not include CertificateVerify"); 897 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 898 TLS_ALERT_UNEXPECTED_MESSAGE); 899 return -1; 900 } 901 902 return tls_process_change_cipher_spec(conn, ct, in_data, 903 in_len); 904 } 905 906 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 907 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 908 ct); 909 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 910 TLS_ALERT_UNEXPECTED_MESSAGE); 911 return -1; 912 } 913 914 pos = in_data; 915 left = *in_len; 916 917 if (left < 4) { 918 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 919 (unsigned long) left); 920 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 921 TLS_ALERT_DECODE_ERROR); 922 return -1; 923 } 924 925 type = *pos++; 926 len = WPA_GET_BE24(pos); 927 pos += 3; 928 left -= 4; 929 930 if (len > left) { 931 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 932 (unsigned long) len, (unsigned long) left); 933 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 934 TLS_ALERT_DECODE_ERROR); 935 return -1; 936 } 937 938 end = pos + len; 939 940 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 941 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 942 type); 943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 944 TLS_ALERT_UNEXPECTED_MESSAGE); 945 return -1; 946 } 947 948 tlsv1_server_log(conn, "Received CertificateVerify"); 949 950 /* 951 * struct { 952 * Signature signature; 953 * } CertificateVerify; 954 */ 955 956 hpos = hash; 957 958 #ifdef CONFIG_TLSV12 959 if (conn->rl.tls_version == TLS_VERSION_1_2) { 960 /* 961 * RFC 5246, 4.7: 962 * TLS v1.2 adds explicit indication of the used signature and 963 * hash algorithms. 964 * 965 * struct { 966 * HashAlgorithm hash; 967 * SignatureAlgorithm signature; 968 * } SignatureAndHashAlgorithm; 969 */ 970 if (end - pos < 2) { 971 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 972 TLS_ALERT_DECODE_ERROR); 973 return -1; 974 } 975 if (pos[0] != TLS_HASH_ALG_SHA256 || 976 pos[1] != TLS_SIGN_ALG_RSA) { 977 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 978 "signature(%u) algorithm", 979 pos[0], pos[1]); 980 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 981 TLS_ALERT_INTERNAL_ERROR); 982 return -1; 983 } 984 pos += 2; 985 986 hlen = SHA256_MAC_LEN; 987 if (conn->verify.sha256_cert == NULL || 988 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 989 0) { 990 conn->verify.sha256_cert = NULL; 991 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 992 TLS_ALERT_INTERNAL_ERROR); 993 return -1; 994 } 995 conn->verify.sha256_cert = NULL; 996 } else { 997 #endif /* CONFIG_TLSV12 */ 998 999 hlen = MD5_MAC_LEN; 1000 if (conn->verify.md5_cert == NULL || 1001 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 1002 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1003 TLS_ALERT_INTERNAL_ERROR); 1004 conn->verify.md5_cert = NULL; 1005 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 1006 conn->verify.sha1_cert = NULL; 1007 return -1; 1008 } 1009 hpos += MD5_MAC_LEN; 1010 1011 conn->verify.md5_cert = NULL; 1012 hlen = SHA1_MAC_LEN; 1013 if (conn->verify.sha1_cert == NULL || 1014 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 1015 conn->verify.sha1_cert = NULL; 1016 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1017 TLS_ALERT_INTERNAL_ERROR); 1018 return -1; 1019 } 1020 conn->verify.sha1_cert = NULL; 1021 1022 hlen += MD5_MAC_LEN; 1023 1024 #ifdef CONFIG_TLSV12 1025 } 1026 #endif /* CONFIG_TLSV12 */ 1027 1028 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 1029 1030 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 1031 hash, hlen, pos, end - pos, &alert) < 0) { 1032 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 1033 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 1034 return -1; 1035 } 1036 1037 *in_len = end - in_data; 1038 1039 conn->state = CHANGE_CIPHER_SPEC; 1040 1041 return 0; 1042 } 1043 1044 tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1045 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 1046 u8 ct, const u8 *in_data, 1047 size_t *in_len) 1048 { 1049 const u8 *pos; 1050 size_t left; 1051 1052 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 1053 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 1054 ct); 1055 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1056 TLS_ALERT_UNEXPECTED_MESSAGE); 1057 return -1; 1058 } 1059 1060 pos = in_data; 1061 left = *in_len; 1062 1063 if (left < 1) { 1064 tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 1065 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1066 TLS_ALERT_DECODE_ERROR); 1067 return -1; 1068 } 1069 1070 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 1071 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 1072 *pos); 1073 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1074 TLS_ALERT_UNEXPECTED_MESSAGE); 1075 return -1; 1076 } 1077 1078 tlsv1_server_log(conn, "Received ChangeCipherSpec"); 1079 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 1080 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 1081 "for record layer"); 1082 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1083 TLS_ALERT_INTERNAL_ERROR); 1084 return -1; 1085 } 1086 1087 *in_len = pos + 1 - in_data; 1088 1089 conn->state = CLIENT_FINISHED; 1090 1091 return 0; 1092 } 1093 1094 tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1095 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 1096 const u8 *in_data, size_t *in_len) 1097 { 1098 const u8 *pos, *end; 1099 size_t left, len, hlen; 1100 u8 verify_data[TLS_VERIFY_DATA_LEN]; 1101 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 1102 1103 #ifdef CONFIG_TESTING_OPTIONS 1104 if ((conn->test_flags & 1105 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 1106 !conn->test_failure_reported) { 1107 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 1108 conn->test_failure_reported = 1; 1109 } 1110 1111 if ((conn->test_flags & TLS_DHE_PRIME_15) && 1112 !conn->test_failure_reported) { 1113 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15"); 1114 conn->test_failure_reported = 1; 1115 } 1116 1117 if ((conn->test_flags & TLS_DHE_PRIME_58B) && 1118 !conn->test_failure_reported) { 1119 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container"); 1120 conn->test_failure_reported = 1; 1121 } 1122 1123 if ((conn->test_flags & TLS_DHE_PRIME_511B) && 1124 !conn->test_failure_reported) { 1125 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)"); 1126 conn->test_failure_reported = 1; 1127 } 1128 1129 if ((conn->test_flags & TLS_DHE_PRIME_767B) && 1130 !conn->test_failure_reported) { 1131 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)"); 1132 conn->test_failure_reported = 1; 1133 } 1134 1135 if ((conn->test_flags & TLS_DHE_NON_PRIME) && 1136 !conn->test_failure_reported) { 1137 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime"); 1138 conn->test_failure_reported = 1; 1139 } 1140 #endif /* CONFIG_TESTING_OPTIONS */ 1141 1142 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1143 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 1144 ct); 1145 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1146 TLS_ALERT_UNEXPECTED_MESSAGE); 1147 return -1; 1148 } 1149 1150 pos = in_data; 1151 left = *in_len; 1152 1153 if (left < 4) { 1154 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 1155 (unsigned long) left); 1156 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1157 TLS_ALERT_DECODE_ERROR); 1158 return -1; 1159 } 1160 1161 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1162 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1163 "type 0x%x", pos[0]); 1164 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1165 TLS_ALERT_UNEXPECTED_MESSAGE); 1166 return -1; 1167 } 1168 1169 len = WPA_GET_BE24(pos + 1); 1170 1171 pos += 4; 1172 left -= 4; 1173 1174 if (len > left) { 1175 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 1176 (unsigned long) len, (unsigned long) left); 1177 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1178 TLS_ALERT_DECODE_ERROR); 1179 return -1; 1180 } 1181 end = pos + len; 1182 if (len != TLS_VERIFY_DATA_LEN) { 1183 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 1184 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1185 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1186 TLS_ALERT_DECODE_ERROR); 1187 return -1; 1188 } 1189 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1190 pos, TLS_VERIFY_DATA_LEN); 1191 1192 #ifdef CONFIG_TLSV12 1193 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1194 hlen = SHA256_MAC_LEN; 1195 if (conn->verify.sha256_client == NULL || 1196 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1197 < 0) { 1198 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1199 TLS_ALERT_INTERNAL_ERROR); 1200 conn->verify.sha256_client = NULL; 1201 return -1; 1202 } 1203 conn->verify.sha256_client = NULL; 1204 } else { 1205 #endif /* CONFIG_TLSV12 */ 1206 1207 hlen = MD5_MAC_LEN; 1208 if (conn->verify.md5_client == NULL || 1209 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1210 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1211 TLS_ALERT_INTERNAL_ERROR); 1212 conn->verify.md5_client = NULL; 1213 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1214 conn->verify.sha1_client = NULL; 1215 return -1; 1216 } 1217 conn->verify.md5_client = NULL; 1218 hlen = SHA1_MAC_LEN; 1219 if (conn->verify.sha1_client == NULL || 1220 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1221 &hlen) < 0) { 1222 conn->verify.sha1_client = NULL; 1223 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1224 TLS_ALERT_INTERNAL_ERROR); 1225 return -1; 1226 } 1227 conn->verify.sha1_client = NULL; 1228 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1229 1230 #ifdef CONFIG_TLSV12 1231 } 1232 #endif /* CONFIG_TLSV12 */ 1233 1234 if (tls_prf(conn->rl.tls_version, 1235 conn->master_secret, TLS_MASTER_SECRET_LEN, 1236 "client finished", hash, hlen, 1237 verify_data, TLS_VERIFY_DATA_LEN)) { 1238 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1239 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1240 TLS_ALERT_DECRYPT_ERROR); 1241 return -1; 1242 } 1243 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1244 verify_data, TLS_VERIFY_DATA_LEN); 1245 1246 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1247 tlsv1_server_log(conn, "Mismatch in verify_data"); 1248 conn->state = FAILED; 1249 return -1; 1250 } 1251 1252 tlsv1_server_log(conn, "Received Finished"); 1253 1254 *in_len = end - in_data; 1255 1256 if (conn->use_session_ticket) { 1257 /* Abbreviated handshake using session ticket; RFC 4507 */ 1258 tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 1259 conn->state = ESTABLISHED; 1260 } else { 1261 /* Full handshake */ 1262 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1263 } 1264 1265 return 0; 1266 } 1267 1268 tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1269 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1270 const u8 *buf, size_t *len) 1271 { 1272 if (ct == TLS_CONTENT_TYPE_ALERT) { 1273 if (*len < 2) { 1274 tlsv1_server_log(conn, "Alert underflow"); 1275 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1276 TLS_ALERT_DECODE_ERROR); 1277 return -1; 1278 } 1279 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 1280 *len = 2; 1281 conn->state = FAILED; 1282 return -1; 1283 } 1284 1285 switch (conn->state) { 1286 case CLIENT_HELLO: 1287 if (tls_process_client_hello(conn, ct, buf, len)) 1288 return -1; 1289 break; 1290 case CLIENT_CERTIFICATE: 1291 if (tls_process_certificate(conn, ct, buf, len)) 1292 return -1; 1293 break; 1294 case CLIENT_KEY_EXCHANGE: 1295 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1296 return -1; 1297 break; 1298 case CERTIFICATE_VERIFY: 1299 if (tls_process_certificate_verify(conn, ct, buf, len)) 1300 return -1; 1301 break; 1302 case CHANGE_CIPHER_SPEC: 1303 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1304 return -1; 1305 break; 1306 case CLIENT_FINISHED: 1307 if (tls_process_client_finished(conn, ct, buf, len)) 1308 return -1; 1309 break; 1310 default: 1311 tlsv1_server_log(conn, "Unexpected state %d while processing received message", 1312 conn->state); 1313 return -1; 1314 } 1315 1316 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1317 tls_verify_hash_add(&conn->verify, buf, *len); 1318 1319 return 0; 1320 } 1321