139beb93cSSam Leffler /* 239beb93cSSam Leffler * TLSv1 server - read handshake message 35b9c547cSRui Paulo * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 439beb93cSSam Leffler * 5f05cddf9SRui Paulo * This software may be distributed under the terms of the BSD license. 6f05cddf9SRui Paulo * See README for more details. 739beb93cSSam Leffler */ 839beb93cSSam Leffler 939beb93cSSam Leffler #include "includes.h" 1039beb93cSSam Leffler 1139beb93cSSam Leffler #include "common.h" 12e28a4053SRui Paulo #include "crypto/md5.h" 13e28a4053SRui Paulo #include "crypto/sha1.h" 14f05cddf9SRui Paulo #include "crypto/sha256.h" 15e28a4053SRui Paulo #include "crypto/tls.h" 1639beb93cSSam Leffler #include "x509v3.h" 1739beb93cSSam Leffler #include "tlsv1_common.h" 1839beb93cSSam Leffler #include "tlsv1_record.h" 1939beb93cSSam Leffler #include "tlsv1_server.h" 2039beb93cSSam Leffler #include "tlsv1_server_i.h" 2139beb93cSSam Leffler 2239beb93cSSam Leffler 2339beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 2439beb93cSSam Leffler const u8 *in_data, size_t *in_len); 2539beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 2639beb93cSSam Leffler u8 ct, const u8 *in_data, 2739beb93cSSam Leffler size_t *in_len); 2839beb93cSSam Leffler 2939beb93cSSam Leffler 305b9c547cSRui Paulo static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 315b9c547cSRui Paulo { 325b9c547cSRui Paulo #ifdef CONFIG_TESTING_OPTIONS 335b9c547cSRui Paulo if ((conn->test_flags & 345b9c547cSRui Paulo (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE | 355b9c547cSRui Paulo TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 | 365b9c547cSRui Paulo TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) && 375b9c547cSRui Paulo suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 385b9c547cSRui Paulo suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 395b9c547cSRui Paulo suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 405b9c547cSRui Paulo suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 415b9c547cSRui Paulo suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 425b9c547cSRui Paulo return 1; 435b9c547cSRui Paulo #endif /* CONFIG_TESTING_OPTIONS */ 445b9c547cSRui Paulo 455b9c547cSRui Paulo return 0; 465b9c547cSRui Paulo } 475b9c547cSRui Paulo 485b9c547cSRui Paulo 49*780fb4a2SCy Schubert static void tls_process_status_request_item(struct tlsv1_server *conn, 50*780fb4a2SCy Schubert const u8 *req, size_t req_len) 51*780fb4a2SCy Schubert { 52*780fb4a2SCy Schubert const u8 *pos, *end; 53*780fb4a2SCy Schubert u8 status_type; 54*780fb4a2SCy Schubert 55*780fb4a2SCy Schubert pos = req; 56*780fb4a2SCy Schubert end = req + req_len; 57*780fb4a2SCy Schubert 58*780fb4a2SCy Schubert /* 59*780fb4a2SCy Schubert * RFC 6961, 2.2: 60*780fb4a2SCy Schubert * struct { 61*780fb4a2SCy Schubert * CertificateStatusType status_type; 62*780fb4a2SCy Schubert * uint16 request_length; 63*780fb4a2SCy Schubert * select (status_type) { 64*780fb4a2SCy Schubert * case ocsp: OCSPStatusRequest; 65*780fb4a2SCy Schubert * case ocsp_multi: OCSPStatusRequest; 66*780fb4a2SCy Schubert * } request; 67*780fb4a2SCy Schubert * } CertificateStatusRequestItemV2; 68*780fb4a2SCy Schubert * 69*780fb4a2SCy Schubert * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType; 70*780fb4a2SCy Schubert */ 71*780fb4a2SCy Schubert 72*780fb4a2SCy Schubert if (end - pos < 1) 73*780fb4a2SCy Schubert return; /* Truncated data */ 74*780fb4a2SCy Schubert 75*780fb4a2SCy Schubert status_type = *pos++; 76*780fb4a2SCy Schubert wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type); 77*780fb4a2SCy Schubert if (status_type != 1 && status_type != 2) 78*780fb4a2SCy Schubert return; /* Unsupported status type */ 79*780fb4a2SCy Schubert /* 80*780fb4a2SCy Schubert * For now, only OCSP stapling is supported, so ignore the specific 81*780fb4a2SCy Schubert * request, if any. 82*780fb4a2SCy Schubert */ 83*780fb4a2SCy Schubert wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos); 84*780fb4a2SCy Schubert 85*780fb4a2SCy Schubert if (status_type == 2) 86*780fb4a2SCy Schubert conn->status_request_multi = 1; 87*780fb4a2SCy Schubert } 88*780fb4a2SCy Schubert 89*780fb4a2SCy Schubert 90*780fb4a2SCy Schubert static void tls_process_status_request_v2(struct tlsv1_server *conn, 91*780fb4a2SCy Schubert const u8 *ext, size_t ext_len) 92*780fb4a2SCy Schubert { 93*780fb4a2SCy Schubert const u8 *pos, *end; 94*780fb4a2SCy Schubert 95*780fb4a2SCy Schubert conn->status_request_v2 = 1; 96*780fb4a2SCy Schubert 97*780fb4a2SCy Schubert pos = ext; 98*780fb4a2SCy Schubert end = ext + ext_len; 99*780fb4a2SCy Schubert 100*780fb4a2SCy Schubert /* 101*780fb4a2SCy Schubert * RFC 6961, 2.2: 102*780fb4a2SCy Schubert * struct { 103*780fb4a2SCy Schubert * CertificateStatusRequestItemV2 104*780fb4a2SCy Schubert * certificate_status_req_list<1..2^16-1>; 105*780fb4a2SCy Schubert * } CertificateStatusRequestListV2; 106*780fb4a2SCy Schubert */ 107*780fb4a2SCy Schubert 108*780fb4a2SCy Schubert while (end - pos >= 2) { 109*780fb4a2SCy Schubert u16 len; 110*780fb4a2SCy Schubert 111*780fb4a2SCy Schubert len = WPA_GET_BE16(pos); 112*780fb4a2SCy Schubert pos += 2; 113*780fb4a2SCy Schubert if (len > end - pos) 114*780fb4a2SCy Schubert break; /* Truncated data */ 115*780fb4a2SCy Schubert tls_process_status_request_item(conn, pos, len); 116*780fb4a2SCy Schubert pos += len; 117*780fb4a2SCy Schubert } 118*780fb4a2SCy Schubert } 119*780fb4a2SCy Schubert 120*780fb4a2SCy Schubert 12139beb93cSSam Leffler static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 12239beb93cSSam Leffler const u8 *in_data, size_t *in_len) 12339beb93cSSam Leffler { 12439beb93cSSam Leffler const u8 *pos, *end, *c; 12539beb93cSSam Leffler size_t left, len, i, j; 12639beb93cSSam Leffler u16 cipher_suite; 12739beb93cSSam Leffler u16 num_suites; 12839beb93cSSam Leffler int compr_null_found; 1293157ba21SRui Paulo u16 ext_type, ext_len; 13039beb93cSSam Leffler 13139beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1325b9c547cSRui Paulo tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 1335b9c547cSRui Paulo ct); 13439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 13539beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 13639beb93cSSam Leffler return -1; 13739beb93cSSam Leffler } 13839beb93cSSam Leffler 13939beb93cSSam Leffler pos = in_data; 14039beb93cSSam Leffler left = *in_len; 14139beb93cSSam Leffler 14239beb93cSSam Leffler if (left < 4) 14339beb93cSSam Leffler goto decode_error; 14439beb93cSSam Leffler 14539beb93cSSam Leffler /* HandshakeType msg_type */ 14639beb93cSSam Leffler if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 1475b9c547cSRui Paulo tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 1485b9c547cSRui Paulo *pos); 14939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 15039beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 15139beb93cSSam Leffler return -1; 15239beb93cSSam Leffler } 1535b9c547cSRui Paulo tlsv1_server_log(conn, "Received ClientHello"); 15439beb93cSSam Leffler pos++; 15539beb93cSSam Leffler /* uint24 length */ 15639beb93cSSam Leffler len = WPA_GET_BE24(pos); 15739beb93cSSam Leffler pos += 3; 15839beb93cSSam Leffler left -= 4; 15939beb93cSSam Leffler 16039beb93cSSam Leffler if (len > left) 16139beb93cSSam Leffler goto decode_error; 16239beb93cSSam Leffler 16339beb93cSSam Leffler /* body - ClientHello */ 16439beb93cSSam Leffler 16539beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 16639beb93cSSam Leffler end = pos + len; 16739beb93cSSam Leffler 16839beb93cSSam Leffler /* ProtocolVersion client_version */ 16939beb93cSSam Leffler if (end - pos < 2) 17039beb93cSSam Leffler goto decode_error; 17139beb93cSSam Leffler conn->client_version = WPA_GET_BE16(pos); 1725b9c547cSRui Paulo tlsv1_server_log(conn, "Client version %d.%d", 1735b9c547cSRui Paulo conn->client_version >> 8, 1745b9c547cSRui Paulo conn->client_version & 0xff); 175f05cddf9SRui Paulo if (conn->client_version < TLS_VERSION_1) { 1765b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 177f05cddf9SRui Paulo conn->client_version >> 8, 178f05cddf9SRui Paulo conn->client_version & 0xff); 17939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 18039beb93cSSam Leffler TLS_ALERT_PROTOCOL_VERSION); 18139beb93cSSam Leffler return -1; 18239beb93cSSam Leffler } 18339beb93cSSam Leffler pos += 2; 18439beb93cSSam Leffler 185f05cddf9SRui Paulo if (TLS_VERSION == TLS_VERSION_1) 186f05cddf9SRui Paulo conn->rl.tls_version = TLS_VERSION_1; 187f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 188f05cddf9SRui Paulo else if (conn->client_version >= TLS_VERSION_1_2) 189f05cddf9SRui Paulo conn->rl.tls_version = TLS_VERSION_1_2; 190f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 191f05cddf9SRui Paulo else if (conn->client_version > TLS_VERSION_1_1) 192f05cddf9SRui Paulo conn->rl.tls_version = TLS_VERSION_1_1; 193f05cddf9SRui Paulo else 194f05cddf9SRui Paulo conn->rl.tls_version = conn->client_version; 1955b9c547cSRui Paulo tlsv1_server_log(conn, "Using TLS v%s", 196f05cddf9SRui Paulo tls_version_str(conn->rl.tls_version)); 197f05cddf9SRui Paulo 19839beb93cSSam Leffler /* Random random */ 19939beb93cSSam Leffler if (end - pos < TLS_RANDOM_LEN) 20039beb93cSSam Leffler goto decode_error; 20139beb93cSSam Leffler 20239beb93cSSam Leffler os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 20339beb93cSSam Leffler pos += TLS_RANDOM_LEN; 20439beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 20539beb93cSSam Leffler conn->client_random, TLS_RANDOM_LEN); 20639beb93cSSam Leffler 20739beb93cSSam Leffler /* SessionID session_id */ 20839beb93cSSam Leffler if (end - pos < 1) 20939beb93cSSam Leffler goto decode_error; 21039beb93cSSam Leffler if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 21139beb93cSSam Leffler goto decode_error; 21239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 21339beb93cSSam Leffler pos += 1 + *pos; 21439beb93cSSam Leffler /* TODO: add support for session resumption */ 21539beb93cSSam Leffler 21639beb93cSSam Leffler /* CipherSuite cipher_suites<2..2^16-1> */ 21739beb93cSSam Leffler if (end - pos < 2) 21839beb93cSSam Leffler goto decode_error; 21939beb93cSSam Leffler num_suites = WPA_GET_BE16(pos); 22039beb93cSSam Leffler pos += 2; 22139beb93cSSam Leffler if (end - pos < num_suites) 22239beb93cSSam Leffler goto decode_error; 22339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 22439beb93cSSam Leffler pos, num_suites); 22539beb93cSSam Leffler if (num_suites & 1) 22639beb93cSSam Leffler goto decode_error; 22739beb93cSSam Leffler num_suites /= 2; 22839beb93cSSam Leffler 22939beb93cSSam Leffler cipher_suite = 0; 23039beb93cSSam Leffler for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 2315b9c547cSRui Paulo if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 2325b9c547cSRui Paulo continue; 23339beb93cSSam Leffler c = pos; 23439beb93cSSam Leffler for (j = 0; j < num_suites; j++) { 23539beb93cSSam Leffler u16 tmp = WPA_GET_BE16(c); 23639beb93cSSam Leffler c += 2; 23739beb93cSSam Leffler if (!cipher_suite && tmp == conn->cipher_suites[i]) { 23839beb93cSSam Leffler cipher_suite = tmp; 23939beb93cSSam Leffler break; 24039beb93cSSam Leffler } 24139beb93cSSam Leffler } 24239beb93cSSam Leffler } 24339beb93cSSam Leffler pos += num_suites * 2; 24439beb93cSSam Leffler if (!cipher_suite) { 2455b9c547cSRui Paulo tlsv1_server_log(conn, "No supported cipher suite available"); 24639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 24739beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 24839beb93cSSam Leffler return -1; 24939beb93cSSam Leffler } 25039beb93cSSam Leffler 25139beb93cSSam Leffler if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 25239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 25339beb93cSSam Leffler "record layer"); 25439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 25539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 25639beb93cSSam Leffler return -1; 25739beb93cSSam Leffler } 25839beb93cSSam Leffler 25939beb93cSSam Leffler conn->cipher_suite = cipher_suite; 26039beb93cSSam Leffler 26139beb93cSSam Leffler /* CompressionMethod compression_methods<1..2^8-1> */ 26239beb93cSSam Leffler if (end - pos < 1) 26339beb93cSSam Leffler goto decode_error; 26439beb93cSSam Leffler num_suites = *pos++; 26539beb93cSSam Leffler if (end - pos < num_suites) 26639beb93cSSam Leffler goto decode_error; 26739beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 26839beb93cSSam Leffler pos, num_suites); 26939beb93cSSam Leffler compr_null_found = 0; 27039beb93cSSam Leffler for (i = 0; i < num_suites; i++) { 27139beb93cSSam Leffler if (*pos++ == TLS_COMPRESSION_NULL) 27239beb93cSSam Leffler compr_null_found = 1; 27339beb93cSSam Leffler } 27439beb93cSSam Leffler if (!compr_null_found) { 2755b9c547cSRui Paulo tlsv1_server_log(conn, "Client does not accept NULL compression"); 27639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 27739beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 27839beb93cSSam Leffler return -1; 27939beb93cSSam Leffler } 28039beb93cSSam Leffler 28139beb93cSSam Leffler if (end - pos == 1) { 2825b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 2835b9c547cSRui Paulo *pos); 28439beb93cSSam Leffler goto decode_error; 28539beb93cSSam Leffler } 28639beb93cSSam Leffler 28739beb93cSSam Leffler if (end - pos >= 2) { 28839beb93cSSam Leffler /* Extension client_hello_extension_list<0..2^16-1> */ 28939beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 29039beb93cSSam Leffler pos += 2; 29139beb93cSSam Leffler 2925b9c547cSRui Paulo tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 2935b9c547cSRui Paulo ext_len); 29439beb93cSSam Leffler if (end - pos != ext_len) { 2955b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 2963157ba21SRui Paulo ext_len, (unsigned int) (end - pos)); 29739beb93cSSam Leffler goto decode_error; 29839beb93cSSam Leffler } 29939beb93cSSam Leffler 30039beb93cSSam Leffler /* 30139beb93cSSam Leffler * struct { 30239beb93cSSam Leffler * ExtensionType extension_type (0..65535) 30339beb93cSSam Leffler * opaque extension_data<0..2^16-1> 30439beb93cSSam Leffler * } Extension; 30539beb93cSSam Leffler */ 30639beb93cSSam Leffler 30739beb93cSSam Leffler while (pos < end) { 30839beb93cSSam Leffler if (end - pos < 2) { 3095b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid extension_type field"); 31039beb93cSSam Leffler goto decode_error; 31139beb93cSSam Leffler } 31239beb93cSSam Leffler 31339beb93cSSam Leffler ext_type = WPA_GET_BE16(pos); 31439beb93cSSam Leffler pos += 2; 31539beb93cSSam Leffler 31639beb93cSSam Leffler if (end - pos < 2) { 3175b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid extension_data length field"); 31839beb93cSSam Leffler goto decode_error; 31939beb93cSSam Leffler } 32039beb93cSSam Leffler 32139beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 32239beb93cSSam Leffler pos += 2; 32339beb93cSSam Leffler 32439beb93cSSam Leffler if (end - pos < ext_len) { 3255b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid extension_data field"); 32639beb93cSSam Leffler goto decode_error; 32739beb93cSSam Leffler } 32839beb93cSSam Leffler 3295b9c547cSRui Paulo tlsv1_server_log(conn, "ClientHello Extension type %u", 3305b9c547cSRui Paulo ext_type); 33139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 33239beb93cSSam Leffler "Extension data", pos, ext_len); 33339beb93cSSam Leffler 33439beb93cSSam Leffler if (ext_type == TLS_EXT_SESSION_TICKET) { 33539beb93cSSam Leffler os_free(conn->session_ticket); 33639beb93cSSam Leffler conn->session_ticket = os_malloc(ext_len); 33739beb93cSSam Leffler if (conn->session_ticket) { 33839beb93cSSam Leffler os_memcpy(conn->session_ticket, pos, 33939beb93cSSam Leffler ext_len); 34039beb93cSSam Leffler conn->session_ticket_len = ext_len; 34139beb93cSSam Leffler } 342*780fb4a2SCy Schubert } else if (ext_type == TLS_EXT_STATUS_REQUEST) { 343*780fb4a2SCy Schubert conn->status_request = 1; 344*780fb4a2SCy Schubert } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) { 345*780fb4a2SCy Schubert tls_process_status_request_v2(conn, pos, 346*780fb4a2SCy Schubert ext_len); 34739beb93cSSam Leffler } 34839beb93cSSam Leffler 34939beb93cSSam Leffler pos += ext_len; 35039beb93cSSam Leffler } 35139beb93cSSam Leffler } 35239beb93cSSam Leffler 35339beb93cSSam Leffler *in_len = end - in_data; 35439beb93cSSam Leffler 3555b9c547cSRui Paulo tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 35639beb93cSSam Leffler conn->state = SERVER_HELLO; 35739beb93cSSam Leffler 35839beb93cSSam Leffler return 0; 35939beb93cSSam Leffler 36039beb93cSSam Leffler decode_error: 3615b9c547cSRui Paulo tlsv1_server_log(conn, "Failed to decode ClientHello"); 36239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 36339beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 36439beb93cSSam Leffler return -1; 36539beb93cSSam Leffler } 36639beb93cSSam Leffler 36739beb93cSSam Leffler 36839beb93cSSam Leffler static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 36939beb93cSSam Leffler const u8 *in_data, size_t *in_len) 37039beb93cSSam Leffler { 37139beb93cSSam Leffler const u8 *pos, *end; 37239beb93cSSam Leffler size_t left, len, list_len, cert_len, idx; 37339beb93cSSam Leffler u8 type; 37439beb93cSSam Leffler struct x509_certificate *chain = NULL, *last = NULL, *cert; 37539beb93cSSam Leffler int reason; 37639beb93cSSam Leffler 37739beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 3785b9c547cSRui Paulo tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 3795b9c547cSRui Paulo ct); 38039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 38139beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 38239beb93cSSam Leffler return -1; 38339beb93cSSam Leffler } 38439beb93cSSam Leffler 38539beb93cSSam Leffler pos = in_data; 38639beb93cSSam Leffler left = *in_len; 38739beb93cSSam Leffler 38839beb93cSSam Leffler if (left < 4) { 3895b9c547cSRui Paulo tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 3905b9c547cSRui Paulo (unsigned long) left); 39139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 39239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 39339beb93cSSam Leffler return -1; 39439beb93cSSam Leffler } 39539beb93cSSam Leffler 39639beb93cSSam Leffler type = *pos++; 39739beb93cSSam Leffler len = WPA_GET_BE24(pos); 39839beb93cSSam Leffler pos += 3; 39939beb93cSSam Leffler left -= 4; 40039beb93cSSam Leffler 40139beb93cSSam Leffler if (len > left) { 4025b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 40339beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 40439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 40539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 40639beb93cSSam Leffler return -1; 40739beb93cSSam Leffler } 40839beb93cSSam Leffler 40939beb93cSSam Leffler if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 41039beb93cSSam Leffler if (conn->verify_peer) { 4115b9c547cSRui Paulo tlsv1_server_log(conn, "Client did not include Certificate"); 41239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 41339beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 41439beb93cSSam Leffler return -1; 41539beb93cSSam Leffler } 41639beb93cSSam Leffler 41739beb93cSSam Leffler return tls_process_client_key_exchange(conn, ct, in_data, 41839beb93cSSam Leffler in_len); 41939beb93cSSam Leffler } 42039beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 4215b9c547cSRui Paulo tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 4225b9c547cSRui Paulo type); 42339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 42439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 42539beb93cSSam Leffler return -1; 42639beb93cSSam Leffler } 42739beb93cSSam Leffler 4285b9c547cSRui Paulo tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 42939beb93cSSam Leffler (unsigned long) len); 43039beb93cSSam Leffler 43139beb93cSSam Leffler /* 43239beb93cSSam Leffler * opaque ASN.1Cert<2^24-1>; 43339beb93cSSam Leffler * 43439beb93cSSam Leffler * struct { 43539beb93cSSam Leffler * ASN.1Cert certificate_list<1..2^24-1>; 43639beb93cSSam Leffler * } Certificate; 43739beb93cSSam Leffler */ 43839beb93cSSam Leffler 43939beb93cSSam Leffler end = pos + len; 44039beb93cSSam Leffler 44139beb93cSSam Leffler if (end - pos < 3) { 4425b9c547cSRui Paulo tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 4435b9c547cSRui Paulo (unsigned long) left); 44439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 44539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 44639beb93cSSam Leffler return -1; 44739beb93cSSam Leffler } 44839beb93cSSam Leffler 44939beb93cSSam Leffler list_len = WPA_GET_BE24(pos); 45039beb93cSSam Leffler pos += 3; 45139beb93cSSam Leffler 45239beb93cSSam Leffler if ((size_t) (end - pos) != list_len) { 4535b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 45439beb93cSSam Leffler (unsigned long) list_len, 45539beb93cSSam Leffler (unsigned long) (end - pos)); 45639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 45739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 45839beb93cSSam Leffler return -1; 45939beb93cSSam Leffler } 46039beb93cSSam Leffler 46139beb93cSSam Leffler idx = 0; 46239beb93cSSam Leffler while (pos < end) { 46339beb93cSSam Leffler if (end - pos < 3) { 4645b9c547cSRui Paulo tlsv1_server_log(conn, "Failed to parse certificate_list"); 46539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 46639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 46739beb93cSSam Leffler x509_certificate_chain_free(chain); 46839beb93cSSam Leffler return -1; 46939beb93cSSam Leffler } 47039beb93cSSam Leffler 47139beb93cSSam Leffler cert_len = WPA_GET_BE24(pos); 47239beb93cSSam Leffler pos += 3; 47339beb93cSSam Leffler 47439beb93cSSam Leffler if ((size_t) (end - pos) < cert_len) { 4755b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 47639beb93cSSam Leffler (unsigned long) cert_len, 47739beb93cSSam Leffler (unsigned long) (end - pos)); 47839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 47939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 48039beb93cSSam Leffler x509_certificate_chain_free(chain); 48139beb93cSSam Leffler return -1; 48239beb93cSSam Leffler } 48339beb93cSSam Leffler 4845b9c547cSRui Paulo tlsv1_server_log(conn, "Certificate %lu (len %lu)", 48539beb93cSSam Leffler (unsigned long) idx, (unsigned long) cert_len); 48639beb93cSSam Leffler 48739beb93cSSam Leffler if (idx == 0) { 48839beb93cSSam Leffler crypto_public_key_free(conn->client_rsa_key); 48939beb93cSSam Leffler if (tls_parse_cert(pos, cert_len, 49039beb93cSSam Leffler &conn->client_rsa_key)) { 4915b9c547cSRui Paulo tlsv1_server_log(conn, "Failed to parse the certificate"); 49239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49339beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 49439beb93cSSam Leffler x509_certificate_chain_free(chain); 49539beb93cSSam Leffler return -1; 49639beb93cSSam Leffler } 49739beb93cSSam Leffler } 49839beb93cSSam Leffler 49939beb93cSSam Leffler cert = x509_certificate_parse(pos, cert_len); 50039beb93cSSam Leffler if (cert == NULL) { 5015b9c547cSRui Paulo tlsv1_server_log(conn, "Failed to parse the certificate"); 50239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 50339beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 50439beb93cSSam Leffler x509_certificate_chain_free(chain); 50539beb93cSSam Leffler return -1; 50639beb93cSSam Leffler } 50739beb93cSSam Leffler 50839beb93cSSam Leffler if (last == NULL) 50939beb93cSSam Leffler chain = cert; 51039beb93cSSam Leffler else 51139beb93cSSam Leffler last->next = cert; 51239beb93cSSam Leffler last = cert; 51339beb93cSSam Leffler 51439beb93cSSam Leffler idx++; 51539beb93cSSam Leffler pos += cert_len; 51639beb93cSSam Leffler } 51739beb93cSSam Leffler 51839beb93cSSam Leffler if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 519f05cddf9SRui Paulo &reason, 0) < 0) { 52039beb93cSSam Leffler int tls_reason; 5215b9c547cSRui Paulo tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 5225b9c547cSRui Paulo reason); 52339beb93cSSam Leffler switch (reason) { 52439beb93cSSam Leffler case X509_VALIDATE_BAD_CERTIFICATE: 52539beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 52639beb93cSSam Leffler break; 52739beb93cSSam Leffler case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 52839beb93cSSam Leffler tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 52939beb93cSSam Leffler break; 53039beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_REVOKED: 53139beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 53239beb93cSSam Leffler break; 53339beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_EXPIRED: 53439beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 53539beb93cSSam Leffler break; 53639beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_UNKNOWN: 53739beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 53839beb93cSSam Leffler break; 53939beb93cSSam Leffler case X509_VALIDATE_UNKNOWN_CA: 54039beb93cSSam Leffler tls_reason = TLS_ALERT_UNKNOWN_CA; 54139beb93cSSam Leffler break; 54239beb93cSSam Leffler default: 54339beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 54439beb93cSSam Leffler break; 54539beb93cSSam Leffler } 54639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 54739beb93cSSam Leffler x509_certificate_chain_free(chain); 54839beb93cSSam Leffler return -1; 54939beb93cSSam Leffler } 55039beb93cSSam Leffler 551*780fb4a2SCy Schubert if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 552*780fb4a2SCy Schubert !(chain->ext_key_usage & 553*780fb4a2SCy Schubert (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) { 554*780fb4a2SCy Schubert tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 555*780fb4a2SCy Schubert TLS_ALERT_BAD_CERTIFICATE); 556*780fb4a2SCy Schubert x509_certificate_chain_free(chain); 557*780fb4a2SCy Schubert return -1; 558*780fb4a2SCy Schubert } 559*780fb4a2SCy Schubert 56039beb93cSSam Leffler x509_certificate_chain_free(chain); 56139beb93cSSam Leffler 56239beb93cSSam Leffler *in_len = end - in_data; 56339beb93cSSam Leffler 56439beb93cSSam Leffler conn->state = CLIENT_KEY_EXCHANGE; 56539beb93cSSam Leffler 56639beb93cSSam Leffler return 0; 56739beb93cSSam Leffler } 56839beb93cSSam Leffler 56939beb93cSSam Leffler 57039beb93cSSam Leffler static int tls_process_client_key_exchange_rsa( 57139beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 57239beb93cSSam Leffler { 57339beb93cSSam Leffler u8 *out; 57439beb93cSSam Leffler size_t outlen, outbuflen; 57539beb93cSSam Leffler u16 encr_len; 57639beb93cSSam Leffler int res; 57739beb93cSSam Leffler int use_random = 0; 57839beb93cSSam Leffler 57939beb93cSSam Leffler if (end - pos < 2) { 58039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 58139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 58239beb93cSSam Leffler return -1; 58339beb93cSSam Leffler } 58439beb93cSSam Leffler 58539beb93cSSam Leffler encr_len = WPA_GET_BE16(pos); 58639beb93cSSam Leffler pos += 2; 587f05cddf9SRui Paulo if (pos + encr_len > end) { 5885b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 589f05cddf9SRui Paulo encr_len, (unsigned int) (end - pos)); 590f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 591f05cddf9SRui Paulo TLS_ALERT_DECODE_ERROR); 592f05cddf9SRui Paulo return -1; 593f05cddf9SRui Paulo } 59439beb93cSSam Leffler 59539beb93cSSam Leffler outbuflen = outlen = end - pos; 59639beb93cSSam Leffler out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 59739beb93cSSam Leffler outlen : TLS_PRE_MASTER_SECRET_LEN); 59839beb93cSSam Leffler if (out == NULL) { 59939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 60039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 60139beb93cSSam Leffler return -1; 60239beb93cSSam Leffler } 60339beb93cSSam Leffler 60439beb93cSSam Leffler /* 60539beb93cSSam Leffler * struct { 60639beb93cSSam Leffler * ProtocolVersion client_version; 60739beb93cSSam Leffler * opaque random[46]; 60839beb93cSSam Leffler * } PreMasterSecret; 60939beb93cSSam Leffler * 61039beb93cSSam Leffler * struct { 61139beb93cSSam Leffler * public-key-encrypted PreMasterSecret pre_master_secret; 61239beb93cSSam Leffler * } EncryptedPreMasterSecret; 61339beb93cSSam Leffler */ 61439beb93cSSam Leffler 61539beb93cSSam Leffler /* 61639beb93cSSam Leffler * Note: To avoid Bleichenbacher attack, we do not report decryption or 61739beb93cSSam Leffler * parsing errors from EncryptedPreMasterSecret processing to the 61839beb93cSSam Leffler * client. Instead, a random pre-master secret is used to force the 61939beb93cSSam Leffler * handshake to fail. 62039beb93cSSam Leffler */ 62139beb93cSSam Leffler 62239beb93cSSam Leffler if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 623f05cddf9SRui Paulo pos, encr_len, 62439beb93cSSam Leffler out, &outlen) < 0) { 62539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 626f05cddf9SRui Paulo "PreMasterSecret (encr_len=%u outlen=%lu)", 627f05cddf9SRui Paulo encr_len, (unsigned long) outlen); 62839beb93cSSam Leffler use_random = 1; 62939beb93cSSam Leffler } 63039beb93cSSam Leffler 631f05cddf9SRui Paulo if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 6325b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 6335b9c547cSRui Paulo (unsigned long) outlen); 63439beb93cSSam Leffler use_random = 1; 63539beb93cSSam Leffler } 63639beb93cSSam Leffler 637f05cddf9SRui Paulo if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 6385b9c547cSRui Paulo tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 63939beb93cSSam Leffler use_random = 1; 64039beb93cSSam Leffler } 64139beb93cSSam Leffler 64239beb93cSSam Leffler if (use_random) { 64339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 64439beb93cSSam Leffler "to avoid revealing information about private key"); 64539beb93cSSam Leffler outlen = TLS_PRE_MASTER_SECRET_LEN; 64639beb93cSSam Leffler if (os_get_random(out, outlen)) { 64739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 64839beb93cSSam Leffler "data"); 64939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 65039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 65139beb93cSSam Leffler os_free(out); 65239beb93cSSam Leffler return -1; 65339beb93cSSam Leffler } 65439beb93cSSam Leffler } 65539beb93cSSam Leffler 65639beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, out, outlen); 65739beb93cSSam Leffler 65839beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 65939beb93cSSam Leffler os_memset(out, 0, outbuflen); 66039beb93cSSam Leffler os_free(out); 66139beb93cSSam Leffler 66239beb93cSSam Leffler if (res) { 66339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 66439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 66539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 66639beb93cSSam Leffler return -1; 66739beb93cSSam Leffler } 66839beb93cSSam Leffler 66939beb93cSSam Leffler return 0; 67039beb93cSSam Leffler } 67139beb93cSSam Leffler 67239beb93cSSam Leffler 6735b9c547cSRui Paulo static int tls_process_client_key_exchange_dh( 67439beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 67539beb93cSSam Leffler { 67639beb93cSSam Leffler const u8 *dh_yc; 67739beb93cSSam Leffler u16 dh_yc_len; 67839beb93cSSam Leffler u8 *shared; 67939beb93cSSam Leffler size_t shared_len; 68039beb93cSSam Leffler int res; 6815b9c547cSRui Paulo const u8 *dh_p; 6825b9c547cSRui Paulo size_t dh_p_len; 68339beb93cSSam Leffler 68439beb93cSSam Leffler /* 68539beb93cSSam Leffler * struct { 68639beb93cSSam Leffler * select (PublicValueEncoding) { 68739beb93cSSam Leffler * case implicit: struct { }; 68839beb93cSSam Leffler * case explicit: opaque dh_Yc<1..2^16-1>; 68939beb93cSSam Leffler * } dh_public; 69039beb93cSSam Leffler * } ClientDiffieHellmanPublic; 69139beb93cSSam Leffler */ 69239beb93cSSam Leffler 6935b9c547cSRui Paulo tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 69439beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 69539beb93cSSam Leffler pos, end - pos); 69639beb93cSSam Leffler 69739beb93cSSam Leffler if (end == pos) { 69839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 69939beb93cSSam Leffler "not supported"); 70039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 70139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 70239beb93cSSam Leffler return -1; 70339beb93cSSam Leffler } 70439beb93cSSam Leffler 70539beb93cSSam Leffler if (end - pos < 3) { 7065b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid client public value length"); 70739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 70839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 70939beb93cSSam Leffler return -1; 71039beb93cSSam Leffler } 71139beb93cSSam Leffler 71239beb93cSSam Leffler dh_yc_len = WPA_GET_BE16(pos); 71339beb93cSSam Leffler dh_yc = pos + 2; 71439beb93cSSam Leffler 7155b9c547cSRui Paulo if (dh_yc_len > end - dh_yc) { 7165b9c547cSRui Paulo tlsv1_server_log(conn, "Client public value overflow (length %d)", 7175b9c547cSRui Paulo dh_yc_len); 71839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 71939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 72039beb93cSSam Leffler return -1; 72139beb93cSSam Leffler } 72239beb93cSSam Leffler 72339beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 72439beb93cSSam Leffler dh_yc, dh_yc_len); 72539beb93cSSam Leffler 72639beb93cSSam Leffler if (conn->cred == NULL || conn->cred->dh_p == NULL || 72739beb93cSSam Leffler conn->dh_secret == NULL) { 72839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 72939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 73039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 73139beb93cSSam Leffler return -1; 73239beb93cSSam Leffler } 73339beb93cSSam Leffler 7345b9c547cSRui Paulo tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 7355b9c547cSRui Paulo 7365b9c547cSRui Paulo shared_len = dh_p_len; 73739beb93cSSam Leffler shared = os_malloc(shared_len); 73839beb93cSSam Leffler if (shared == NULL) { 73939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 74039beb93cSSam Leffler "DH"); 74139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 74239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 74339beb93cSSam Leffler return -1; 74439beb93cSSam Leffler } 74539beb93cSSam Leffler 74639beb93cSSam Leffler /* shared = Yc^secret mod p */ 74739beb93cSSam Leffler if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 7485b9c547cSRui Paulo conn->dh_secret_len, dh_p, dh_p_len, 74939beb93cSSam Leffler shared, &shared_len)) { 75039beb93cSSam Leffler os_free(shared); 75139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 75239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 75339beb93cSSam Leffler return -1; 75439beb93cSSam Leffler } 75539beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 75639beb93cSSam Leffler shared, shared_len); 75739beb93cSSam Leffler 75839beb93cSSam Leffler os_memset(conn->dh_secret, 0, conn->dh_secret_len); 75939beb93cSSam Leffler os_free(conn->dh_secret); 76039beb93cSSam Leffler conn->dh_secret = NULL; 76139beb93cSSam Leffler 76239beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, shared, shared_len); 76339beb93cSSam Leffler 76439beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 76539beb93cSSam Leffler os_memset(shared, 0, shared_len); 76639beb93cSSam Leffler os_free(shared); 76739beb93cSSam Leffler 76839beb93cSSam Leffler if (res) { 76939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 77039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 77139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 77239beb93cSSam Leffler return -1; 77339beb93cSSam Leffler } 77439beb93cSSam Leffler 77539beb93cSSam Leffler return 0; 77639beb93cSSam Leffler } 77739beb93cSSam Leffler 77839beb93cSSam Leffler 77939beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 78039beb93cSSam Leffler const u8 *in_data, size_t *in_len) 78139beb93cSSam Leffler { 78239beb93cSSam Leffler const u8 *pos, *end; 78339beb93cSSam Leffler size_t left, len; 78439beb93cSSam Leffler u8 type; 78539beb93cSSam Leffler tls_key_exchange keyx; 78639beb93cSSam Leffler const struct tls_cipher_suite *suite; 78739beb93cSSam Leffler 78839beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 7895b9c547cSRui Paulo tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 7905b9c547cSRui Paulo ct); 79139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 79239beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 79339beb93cSSam Leffler return -1; 79439beb93cSSam Leffler } 79539beb93cSSam Leffler 79639beb93cSSam Leffler pos = in_data; 79739beb93cSSam Leffler left = *in_len; 79839beb93cSSam Leffler 79939beb93cSSam Leffler if (left < 4) { 8005b9c547cSRui Paulo tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 8015b9c547cSRui Paulo (unsigned long) left); 80239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 80339beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 80439beb93cSSam Leffler return -1; 80539beb93cSSam Leffler } 80639beb93cSSam Leffler 80739beb93cSSam Leffler type = *pos++; 80839beb93cSSam Leffler len = WPA_GET_BE24(pos); 80939beb93cSSam Leffler pos += 3; 81039beb93cSSam Leffler left -= 4; 81139beb93cSSam Leffler 81239beb93cSSam Leffler if (len > left) { 8135b9c547cSRui Paulo tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 81439beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 81539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 81639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 81739beb93cSSam Leffler return -1; 81839beb93cSSam Leffler } 81939beb93cSSam Leffler 82039beb93cSSam Leffler end = pos + len; 82139beb93cSSam Leffler 82239beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 8235b9c547cSRui Paulo tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 8245b9c547cSRui Paulo type); 82539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 82639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 82739beb93cSSam Leffler return -1; 82839beb93cSSam Leffler } 82939beb93cSSam Leffler 8305b9c547cSRui Paulo tlsv1_server_log(conn, "Received ClientKeyExchange"); 83139beb93cSSam Leffler 83239beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 83339beb93cSSam Leffler 83439beb93cSSam Leffler suite = tls_get_cipher_suite(conn->rl.cipher_suite); 83539beb93cSSam Leffler if (suite == NULL) 83639beb93cSSam Leffler keyx = TLS_KEY_X_NULL; 83739beb93cSSam Leffler else 83839beb93cSSam Leffler keyx = suite->key_exchange; 83939beb93cSSam Leffler 8405b9c547cSRui Paulo if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 8415b9c547cSRui Paulo tls_process_client_key_exchange_dh(conn, pos, end) < 0) 84239beb93cSSam Leffler return -1; 84339beb93cSSam Leffler 8445b9c547cSRui Paulo if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 84539beb93cSSam Leffler tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 84639beb93cSSam Leffler return -1; 84739beb93cSSam Leffler 84839beb93cSSam Leffler *in_len = end - in_data; 84939beb93cSSam Leffler 85039beb93cSSam Leffler conn->state = CERTIFICATE_VERIFY; 85139beb93cSSam Leffler 85239beb93cSSam Leffler return 0; 85339beb93cSSam Leffler } 85439beb93cSSam Leffler 85539beb93cSSam Leffler 85639beb93cSSam Leffler static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 85739beb93cSSam Leffler const u8 *in_data, size_t *in_len) 85839beb93cSSam Leffler { 85939beb93cSSam Leffler const u8 *pos, *end; 86039beb93cSSam Leffler size_t left, len; 86139beb93cSSam Leffler u8 type; 8625b9c547cSRui Paulo size_t hlen; 8635b9c547cSRui Paulo u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 8645b9c547cSRui Paulo u8 alert; 86539beb93cSSam Leffler 86639beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 86739beb93cSSam Leffler if (conn->verify_peer) { 8685b9c547cSRui Paulo tlsv1_server_log(conn, "Client did not include CertificateVerify"); 86939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 87039beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 87139beb93cSSam Leffler return -1; 87239beb93cSSam Leffler } 87339beb93cSSam Leffler 87439beb93cSSam Leffler return tls_process_change_cipher_spec(conn, ct, in_data, 87539beb93cSSam Leffler in_len); 87639beb93cSSam Leffler } 87739beb93cSSam Leffler 87839beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 8795b9c547cSRui Paulo tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 8805b9c547cSRui Paulo ct); 88139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 88239beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 88339beb93cSSam Leffler return -1; 88439beb93cSSam Leffler } 88539beb93cSSam Leffler 88639beb93cSSam Leffler pos = in_data; 88739beb93cSSam Leffler left = *in_len; 88839beb93cSSam Leffler 88939beb93cSSam Leffler if (left < 4) { 8905b9c547cSRui Paulo tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 8915b9c547cSRui Paulo (unsigned long) left); 89239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 89339beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 89439beb93cSSam Leffler return -1; 89539beb93cSSam Leffler } 89639beb93cSSam Leffler 89739beb93cSSam Leffler type = *pos++; 89839beb93cSSam Leffler len = WPA_GET_BE24(pos); 89939beb93cSSam Leffler pos += 3; 90039beb93cSSam Leffler left -= 4; 90139beb93cSSam Leffler 90239beb93cSSam Leffler if (len > left) { 9035b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 90439beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 90539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 90639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 90739beb93cSSam Leffler return -1; 90839beb93cSSam Leffler } 90939beb93cSSam Leffler 91039beb93cSSam Leffler end = pos + len; 91139beb93cSSam Leffler 91239beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 9135b9c547cSRui Paulo tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 9145b9c547cSRui Paulo type); 91539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 91639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 91739beb93cSSam Leffler return -1; 91839beb93cSSam Leffler } 91939beb93cSSam Leffler 9205b9c547cSRui Paulo tlsv1_server_log(conn, "Received CertificateVerify"); 92139beb93cSSam Leffler 92239beb93cSSam Leffler /* 92339beb93cSSam Leffler * struct { 92439beb93cSSam Leffler * Signature signature; 92539beb93cSSam Leffler * } CertificateVerify; 92639beb93cSSam Leffler */ 92739beb93cSSam Leffler 92839beb93cSSam Leffler hpos = hash; 92939beb93cSSam Leffler 930f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 931f05cddf9SRui Paulo if (conn->rl.tls_version == TLS_VERSION_1_2) { 932f05cddf9SRui Paulo /* 933f05cddf9SRui Paulo * RFC 5246, 4.7: 934f05cddf9SRui Paulo * TLS v1.2 adds explicit indication of the used signature and 935f05cddf9SRui Paulo * hash algorithms. 936f05cddf9SRui Paulo * 937f05cddf9SRui Paulo * struct { 938f05cddf9SRui Paulo * HashAlgorithm hash; 939f05cddf9SRui Paulo * SignatureAlgorithm signature; 940f05cddf9SRui Paulo * } SignatureAndHashAlgorithm; 941f05cddf9SRui Paulo */ 942f05cddf9SRui Paulo if (end - pos < 2) { 943f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 944f05cddf9SRui Paulo TLS_ALERT_DECODE_ERROR); 945f05cddf9SRui Paulo return -1; 946f05cddf9SRui Paulo } 947f05cddf9SRui Paulo if (pos[0] != TLS_HASH_ALG_SHA256 || 948f05cddf9SRui Paulo pos[1] != TLS_SIGN_ALG_RSA) { 949f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 950f05cddf9SRui Paulo "signature(%u) algorithm", 951f05cddf9SRui Paulo pos[0], pos[1]); 952f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 953f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 954f05cddf9SRui Paulo return -1; 955f05cddf9SRui Paulo } 956f05cddf9SRui Paulo pos += 2; 957f05cddf9SRui Paulo 958f05cddf9SRui Paulo hlen = SHA256_MAC_LEN; 959f05cddf9SRui Paulo if (conn->verify.sha256_cert == NULL || 960f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 961f05cddf9SRui Paulo 0) { 962f05cddf9SRui Paulo conn->verify.sha256_cert = NULL; 963f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 964f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 965f05cddf9SRui Paulo return -1; 966f05cddf9SRui Paulo } 967f05cddf9SRui Paulo conn->verify.sha256_cert = NULL; 968f05cddf9SRui Paulo } else { 969f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 970f05cddf9SRui Paulo 97139beb93cSSam Leffler hlen = MD5_MAC_LEN; 97239beb93cSSam Leffler if (conn->verify.md5_cert == NULL || 9735b9c547cSRui Paulo crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 97439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 97539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 97639beb93cSSam Leffler conn->verify.md5_cert = NULL; 97739beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 97839beb93cSSam Leffler conn->verify.sha1_cert = NULL; 97939beb93cSSam Leffler return -1; 98039beb93cSSam Leffler } 98139beb93cSSam Leffler hpos += MD5_MAC_LEN; 98239beb93cSSam Leffler 98339beb93cSSam Leffler conn->verify.md5_cert = NULL; 98439beb93cSSam Leffler hlen = SHA1_MAC_LEN; 98539beb93cSSam Leffler if (conn->verify.sha1_cert == NULL || 98639beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 98739beb93cSSam Leffler conn->verify.sha1_cert = NULL; 98839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 98939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 99039beb93cSSam Leffler return -1; 99139beb93cSSam Leffler } 99239beb93cSSam Leffler conn->verify.sha1_cert = NULL; 99339beb93cSSam Leffler 99439beb93cSSam Leffler hlen += MD5_MAC_LEN; 99539beb93cSSam Leffler 996f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 997f05cddf9SRui Paulo } 998f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 999f05cddf9SRui Paulo 100039beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 100139beb93cSSam Leffler 10025b9c547cSRui Paulo if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 10035b9c547cSRui Paulo hash, hlen, pos, end - pos, &alert) < 0) { 10045b9c547cSRui Paulo tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 10055b9c547cSRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 100639beb93cSSam Leffler return -1; 100739beb93cSSam Leffler } 100839beb93cSSam Leffler 100939beb93cSSam Leffler *in_len = end - in_data; 101039beb93cSSam Leffler 101139beb93cSSam Leffler conn->state = CHANGE_CIPHER_SPEC; 101239beb93cSSam Leffler 101339beb93cSSam Leffler return 0; 101439beb93cSSam Leffler } 101539beb93cSSam Leffler 101639beb93cSSam Leffler 101739beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 101839beb93cSSam Leffler u8 ct, const u8 *in_data, 101939beb93cSSam Leffler size_t *in_len) 102039beb93cSSam Leffler { 102139beb93cSSam Leffler const u8 *pos; 102239beb93cSSam Leffler size_t left; 102339beb93cSSam Leffler 102439beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 10255b9c547cSRui Paulo tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 10265b9c547cSRui Paulo ct); 102739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 102839beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 102939beb93cSSam Leffler return -1; 103039beb93cSSam Leffler } 103139beb93cSSam Leffler 103239beb93cSSam Leffler pos = in_data; 103339beb93cSSam Leffler left = *in_len; 103439beb93cSSam Leffler 103539beb93cSSam Leffler if (left < 1) { 10365b9c547cSRui Paulo tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 103739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 103839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 103939beb93cSSam Leffler return -1; 104039beb93cSSam Leffler } 104139beb93cSSam Leffler 104239beb93cSSam Leffler if (*pos != TLS_CHANGE_CIPHER_SPEC) { 10435b9c547cSRui Paulo tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 10445b9c547cSRui Paulo *pos); 104539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 104639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 104739beb93cSSam Leffler return -1; 104839beb93cSSam Leffler } 104939beb93cSSam Leffler 10505b9c547cSRui Paulo tlsv1_server_log(conn, "Received ChangeCipherSpec"); 105139beb93cSSam Leffler if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 105239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 105339beb93cSSam Leffler "for record layer"); 105439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 105539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 105639beb93cSSam Leffler return -1; 105739beb93cSSam Leffler } 105839beb93cSSam Leffler 105939beb93cSSam Leffler *in_len = pos + 1 - in_data; 106039beb93cSSam Leffler 106139beb93cSSam Leffler conn->state = CLIENT_FINISHED; 106239beb93cSSam Leffler 106339beb93cSSam Leffler return 0; 106439beb93cSSam Leffler } 106539beb93cSSam Leffler 106639beb93cSSam Leffler 106739beb93cSSam Leffler static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 106839beb93cSSam Leffler const u8 *in_data, size_t *in_len) 106939beb93cSSam Leffler { 107039beb93cSSam Leffler const u8 *pos, *end; 107139beb93cSSam Leffler size_t left, len, hlen; 107239beb93cSSam Leffler u8 verify_data[TLS_VERIFY_DATA_LEN]; 107339beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 107439beb93cSSam Leffler 10755b9c547cSRui Paulo #ifdef CONFIG_TESTING_OPTIONS 10765b9c547cSRui Paulo if ((conn->test_flags & 10775b9c547cSRui Paulo (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 10785b9c547cSRui Paulo !conn->test_failure_reported) { 10795b9c547cSRui Paulo tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 10805b9c547cSRui Paulo conn->test_failure_reported = 1; 10815b9c547cSRui Paulo } 10825b9c547cSRui Paulo 10835b9c547cSRui Paulo if ((conn->test_flags & TLS_DHE_PRIME_15) && 10845b9c547cSRui Paulo !conn->test_failure_reported) { 10855b9c547cSRui Paulo tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15"); 10865b9c547cSRui Paulo conn->test_failure_reported = 1; 10875b9c547cSRui Paulo } 10885b9c547cSRui Paulo 10895b9c547cSRui Paulo if ((conn->test_flags & TLS_DHE_PRIME_58B) && 10905b9c547cSRui Paulo !conn->test_failure_reported) { 10915b9c547cSRui Paulo tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container"); 10925b9c547cSRui Paulo conn->test_failure_reported = 1; 10935b9c547cSRui Paulo } 10945b9c547cSRui Paulo 10955b9c547cSRui Paulo if ((conn->test_flags & TLS_DHE_PRIME_511B) && 10965b9c547cSRui Paulo !conn->test_failure_reported) { 10975b9c547cSRui Paulo tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)"); 10985b9c547cSRui Paulo conn->test_failure_reported = 1; 10995b9c547cSRui Paulo } 11005b9c547cSRui Paulo 11015b9c547cSRui Paulo if ((conn->test_flags & TLS_DHE_PRIME_767B) && 11025b9c547cSRui Paulo !conn->test_failure_reported) { 11035b9c547cSRui Paulo tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)"); 11045b9c547cSRui Paulo conn->test_failure_reported = 1; 11055b9c547cSRui Paulo } 11065b9c547cSRui Paulo 11075b9c547cSRui Paulo if ((conn->test_flags & TLS_DHE_NON_PRIME) && 11085b9c547cSRui Paulo !conn->test_failure_reported) { 11095b9c547cSRui Paulo tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime"); 11105b9c547cSRui Paulo conn->test_failure_reported = 1; 11115b9c547cSRui Paulo } 11125b9c547cSRui Paulo #endif /* CONFIG_TESTING_OPTIONS */ 11135b9c547cSRui Paulo 111439beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 11155b9c547cSRui Paulo tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 11165b9c547cSRui Paulo ct); 111739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 111839beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 111939beb93cSSam Leffler return -1; 112039beb93cSSam Leffler } 112139beb93cSSam Leffler 112239beb93cSSam Leffler pos = in_data; 112339beb93cSSam Leffler left = *in_len; 112439beb93cSSam Leffler 112539beb93cSSam Leffler if (left < 4) { 11265b9c547cSRui Paulo tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 112739beb93cSSam Leffler (unsigned long) left); 112839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 112939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 113039beb93cSSam Leffler return -1; 113139beb93cSSam Leffler } 113239beb93cSSam Leffler 113339beb93cSSam Leffler if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 113439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 113539beb93cSSam Leffler "type 0x%x", pos[0]); 113639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 113739beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 113839beb93cSSam Leffler return -1; 113939beb93cSSam Leffler } 114039beb93cSSam Leffler 114139beb93cSSam Leffler len = WPA_GET_BE24(pos + 1); 114239beb93cSSam Leffler 114339beb93cSSam Leffler pos += 4; 114439beb93cSSam Leffler left -= 4; 114539beb93cSSam Leffler 114639beb93cSSam Leffler if (len > left) { 11475b9c547cSRui Paulo tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 114839beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 114939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 115039beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 115139beb93cSSam Leffler return -1; 115239beb93cSSam Leffler } 115339beb93cSSam Leffler end = pos + len; 115439beb93cSSam Leffler if (len != TLS_VERIFY_DATA_LEN) { 11555b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 115639beb93cSSam Leffler (unsigned long) len, TLS_VERIFY_DATA_LEN); 115739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 115839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 115939beb93cSSam Leffler return -1; 116039beb93cSSam Leffler } 116139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 116239beb93cSSam Leffler pos, TLS_VERIFY_DATA_LEN); 116339beb93cSSam Leffler 1164f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 1165f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1166f05cddf9SRui Paulo hlen = SHA256_MAC_LEN; 1167f05cddf9SRui Paulo if (conn->verify.sha256_client == NULL || 1168f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1169f05cddf9SRui Paulo < 0) { 1170f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1171f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 1172f05cddf9SRui Paulo conn->verify.sha256_client = NULL; 1173f05cddf9SRui Paulo return -1; 1174f05cddf9SRui Paulo } 1175f05cddf9SRui Paulo conn->verify.sha256_client = NULL; 1176f05cddf9SRui Paulo } else { 1177f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 1178f05cddf9SRui Paulo 117939beb93cSSam Leffler hlen = MD5_MAC_LEN; 118039beb93cSSam Leffler if (conn->verify.md5_client == NULL || 118139beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 118239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 118339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 118439beb93cSSam Leffler conn->verify.md5_client = NULL; 118539beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 118639beb93cSSam Leffler conn->verify.sha1_client = NULL; 118739beb93cSSam Leffler return -1; 118839beb93cSSam Leffler } 118939beb93cSSam Leffler conn->verify.md5_client = NULL; 119039beb93cSSam Leffler hlen = SHA1_MAC_LEN; 119139beb93cSSam Leffler if (conn->verify.sha1_client == NULL || 119239beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 119339beb93cSSam Leffler &hlen) < 0) { 119439beb93cSSam Leffler conn->verify.sha1_client = NULL; 119539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 119639beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 119739beb93cSSam Leffler return -1; 119839beb93cSSam Leffler } 119939beb93cSSam Leffler conn->verify.sha1_client = NULL; 1200f05cddf9SRui Paulo hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 120139beb93cSSam Leffler 1202f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 1203f05cddf9SRui Paulo } 1204f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 1205f05cddf9SRui Paulo 1206f05cddf9SRui Paulo if (tls_prf(conn->rl.tls_version, 1207f05cddf9SRui Paulo conn->master_secret, TLS_MASTER_SECRET_LEN, 1208f05cddf9SRui Paulo "client finished", hash, hlen, 120939beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN)) { 121039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 121139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 121239beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 121339beb93cSSam Leffler return -1; 121439beb93cSSam Leffler } 121539beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 121639beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN); 121739beb93cSSam Leffler 12185b9c547cSRui Paulo if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 12195b9c547cSRui Paulo tlsv1_server_log(conn, "Mismatch in verify_data"); 122039beb93cSSam Leffler return -1; 122139beb93cSSam Leffler } 122239beb93cSSam Leffler 12235b9c547cSRui Paulo tlsv1_server_log(conn, "Received Finished"); 122439beb93cSSam Leffler 122539beb93cSSam Leffler *in_len = end - in_data; 122639beb93cSSam Leffler 122739beb93cSSam Leffler if (conn->use_session_ticket) { 122839beb93cSSam Leffler /* Abbreviated handshake using session ticket; RFC 4507 */ 12295b9c547cSRui Paulo tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 123039beb93cSSam Leffler conn->state = ESTABLISHED; 123139beb93cSSam Leffler } else { 123239beb93cSSam Leffler /* Full handshake */ 123339beb93cSSam Leffler conn->state = SERVER_CHANGE_CIPHER_SPEC; 123439beb93cSSam Leffler } 123539beb93cSSam Leffler 123639beb93cSSam Leffler return 0; 123739beb93cSSam Leffler } 123839beb93cSSam Leffler 123939beb93cSSam Leffler 124039beb93cSSam Leffler int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 124139beb93cSSam Leffler const u8 *buf, size_t *len) 124239beb93cSSam Leffler { 124339beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_ALERT) { 124439beb93cSSam Leffler if (*len < 2) { 12455b9c547cSRui Paulo tlsv1_server_log(conn, "Alert underflow"); 124639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 124739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 124839beb93cSSam Leffler return -1; 124939beb93cSSam Leffler } 12505b9c547cSRui Paulo tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 125139beb93cSSam Leffler *len = 2; 125239beb93cSSam Leffler conn->state = FAILED; 125339beb93cSSam Leffler return -1; 125439beb93cSSam Leffler } 125539beb93cSSam Leffler 125639beb93cSSam Leffler switch (conn->state) { 125739beb93cSSam Leffler case CLIENT_HELLO: 125839beb93cSSam Leffler if (tls_process_client_hello(conn, ct, buf, len)) 125939beb93cSSam Leffler return -1; 126039beb93cSSam Leffler break; 126139beb93cSSam Leffler case CLIENT_CERTIFICATE: 126239beb93cSSam Leffler if (tls_process_certificate(conn, ct, buf, len)) 126339beb93cSSam Leffler return -1; 126439beb93cSSam Leffler break; 126539beb93cSSam Leffler case CLIENT_KEY_EXCHANGE: 126639beb93cSSam Leffler if (tls_process_client_key_exchange(conn, ct, buf, len)) 126739beb93cSSam Leffler return -1; 126839beb93cSSam Leffler break; 126939beb93cSSam Leffler case CERTIFICATE_VERIFY: 127039beb93cSSam Leffler if (tls_process_certificate_verify(conn, ct, buf, len)) 127139beb93cSSam Leffler return -1; 127239beb93cSSam Leffler break; 127339beb93cSSam Leffler case CHANGE_CIPHER_SPEC: 127439beb93cSSam Leffler if (tls_process_change_cipher_spec(conn, ct, buf, len)) 127539beb93cSSam Leffler return -1; 127639beb93cSSam Leffler break; 127739beb93cSSam Leffler case CLIENT_FINISHED: 127839beb93cSSam Leffler if (tls_process_client_finished(conn, ct, buf, len)) 127939beb93cSSam Leffler return -1; 128039beb93cSSam Leffler break; 128139beb93cSSam Leffler default: 12825b9c547cSRui Paulo tlsv1_server_log(conn, "Unexpected state %d while processing received message", 128339beb93cSSam Leffler conn->state); 128439beb93cSSam Leffler return -1; 128539beb93cSSam Leffler } 128639beb93cSSam Leffler 128739beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 128839beb93cSSam Leffler tls_verify_hash_add(&conn->verify, buf, *len); 128939beb93cSSam Leffler 129039beb93cSSam Leffler return 0; 129139beb93cSSam Leffler } 1292