139beb93cSSam Leffler /* 239beb93cSSam Leffler * TLSv1 server - read handshake message 3*f05cddf9SRui Paulo * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 439beb93cSSam Leffler * 5*f05cddf9SRui Paulo * This software may be distributed under the terms of the BSD license. 6*f05cddf9SRui Paulo * See README for more details. 739beb93cSSam Leffler */ 839beb93cSSam Leffler 939beb93cSSam Leffler #include "includes.h" 1039beb93cSSam Leffler 1139beb93cSSam Leffler #include "common.h" 12e28a4053SRui Paulo #include "crypto/md5.h" 13e28a4053SRui Paulo #include "crypto/sha1.h" 14*f05cddf9SRui Paulo #include "crypto/sha256.h" 15e28a4053SRui Paulo #include "crypto/tls.h" 1639beb93cSSam Leffler #include "x509v3.h" 1739beb93cSSam Leffler #include "tlsv1_common.h" 1839beb93cSSam Leffler #include "tlsv1_record.h" 1939beb93cSSam Leffler #include "tlsv1_server.h" 2039beb93cSSam Leffler #include "tlsv1_server_i.h" 2139beb93cSSam Leffler 2239beb93cSSam Leffler 2339beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 2439beb93cSSam Leffler const u8 *in_data, size_t *in_len); 2539beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 2639beb93cSSam Leffler u8 ct, const u8 *in_data, 2739beb93cSSam Leffler size_t *in_len); 2839beb93cSSam Leffler 2939beb93cSSam Leffler 3039beb93cSSam Leffler static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 3139beb93cSSam Leffler const u8 *in_data, size_t *in_len) 3239beb93cSSam Leffler { 3339beb93cSSam Leffler const u8 *pos, *end, *c; 3439beb93cSSam Leffler size_t left, len, i, j; 3539beb93cSSam Leffler u16 cipher_suite; 3639beb93cSSam Leffler u16 num_suites; 3739beb93cSSam Leffler int compr_null_found; 383157ba21SRui Paulo u16 ext_type, ext_len; 3939beb93cSSam Leffler 4039beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 4139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 4239beb93cSSam Leffler "received content type 0x%x", ct); 4339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 4439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 4539beb93cSSam Leffler return -1; 4639beb93cSSam Leffler } 4739beb93cSSam Leffler 4839beb93cSSam Leffler pos = in_data; 4939beb93cSSam Leffler left = *in_len; 5039beb93cSSam Leffler 5139beb93cSSam Leffler if (left < 4) 5239beb93cSSam Leffler goto decode_error; 5339beb93cSSam Leffler 5439beb93cSSam Leffler /* HandshakeType msg_type */ 5539beb93cSSam Leffler if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 5639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 5739beb93cSSam Leffler "message %d (expected ClientHello)", *pos); 5839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 5939beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 6039beb93cSSam Leffler return -1; 6139beb93cSSam Leffler } 6239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 6339beb93cSSam Leffler pos++; 6439beb93cSSam Leffler /* uint24 length */ 6539beb93cSSam Leffler len = WPA_GET_BE24(pos); 6639beb93cSSam Leffler pos += 3; 6739beb93cSSam Leffler left -= 4; 6839beb93cSSam Leffler 6939beb93cSSam Leffler if (len > left) 7039beb93cSSam Leffler goto decode_error; 7139beb93cSSam Leffler 7239beb93cSSam Leffler /* body - ClientHello */ 7339beb93cSSam Leffler 7439beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 7539beb93cSSam Leffler end = pos + len; 7639beb93cSSam Leffler 7739beb93cSSam Leffler /* ProtocolVersion client_version */ 7839beb93cSSam Leffler if (end - pos < 2) 7939beb93cSSam Leffler goto decode_error; 8039beb93cSSam Leffler conn->client_version = WPA_GET_BE16(pos); 8139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 8239beb93cSSam Leffler conn->client_version >> 8, conn->client_version & 0xff); 83*f05cddf9SRui Paulo if (conn->client_version < TLS_VERSION_1) { 8439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 85*f05cddf9SRui Paulo "ClientHello %u.%u", 86*f05cddf9SRui Paulo conn->client_version >> 8, 87*f05cddf9SRui Paulo conn->client_version & 0xff); 8839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 8939beb93cSSam Leffler TLS_ALERT_PROTOCOL_VERSION); 9039beb93cSSam Leffler return -1; 9139beb93cSSam Leffler } 9239beb93cSSam Leffler pos += 2; 9339beb93cSSam Leffler 94*f05cddf9SRui Paulo if (TLS_VERSION == TLS_VERSION_1) 95*f05cddf9SRui Paulo conn->rl.tls_version = TLS_VERSION_1; 96*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 97*f05cddf9SRui Paulo else if (conn->client_version >= TLS_VERSION_1_2) 98*f05cddf9SRui Paulo conn->rl.tls_version = TLS_VERSION_1_2; 99*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 100*f05cddf9SRui Paulo else if (conn->client_version > TLS_VERSION_1_1) 101*f05cddf9SRui Paulo conn->rl.tls_version = TLS_VERSION_1_1; 102*f05cddf9SRui Paulo else 103*f05cddf9SRui Paulo conn->rl.tls_version = conn->client_version; 104*f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 105*f05cddf9SRui Paulo tls_version_str(conn->rl.tls_version)); 106*f05cddf9SRui Paulo 10739beb93cSSam Leffler /* Random random */ 10839beb93cSSam Leffler if (end - pos < TLS_RANDOM_LEN) 10939beb93cSSam Leffler goto decode_error; 11039beb93cSSam Leffler 11139beb93cSSam Leffler os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 11239beb93cSSam Leffler pos += TLS_RANDOM_LEN; 11339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 11439beb93cSSam Leffler conn->client_random, TLS_RANDOM_LEN); 11539beb93cSSam Leffler 11639beb93cSSam Leffler /* SessionID session_id */ 11739beb93cSSam Leffler if (end - pos < 1) 11839beb93cSSam Leffler goto decode_error; 11939beb93cSSam Leffler if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 12039beb93cSSam Leffler goto decode_error; 12139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 12239beb93cSSam Leffler pos += 1 + *pos; 12339beb93cSSam Leffler /* TODO: add support for session resumption */ 12439beb93cSSam Leffler 12539beb93cSSam Leffler /* CipherSuite cipher_suites<2..2^16-1> */ 12639beb93cSSam Leffler if (end - pos < 2) 12739beb93cSSam Leffler goto decode_error; 12839beb93cSSam Leffler num_suites = WPA_GET_BE16(pos); 12939beb93cSSam Leffler pos += 2; 13039beb93cSSam Leffler if (end - pos < num_suites) 13139beb93cSSam Leffler goto decode_error; 13239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 13339beb93cSSam Leffler pos, num_suites); 13439beb93cSSam Leffler if (num_suites & 1) 13539beb93cSSam Leffler goto decode_error; 13639beb93cSSam Leffler num_suites /= 2; 13739beb93cSSam Leffler 13839beb93cSSam Leffler cipher_suite = 0; 13939beb93cSSam Leffler for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 14039beb93cSSam Leffler c = pos; 14139beb93cSSam Leffler for (j = 0; j < num_suites; j++) { 14239beb93cSSam Leffler u16 tmp = WPA_GET_BE16(c); 14339beb93cSSam Leffler c += 2; 14439beb93cSSam Leffler if (!cipher_suite && tmp == conn->cipher_suites[i]) { 14539beb93cSSam Leffler cipher_suite = tmp; 14639beb93cSSam Leffler break; 14739beb93cSSam Leffler } 14839beb93cSSam Leffler } 14939beb93cSSam Leffler } 15039beb93cSSam Leffler pos += num_suites * 2; 15139beb93cSSam Leffler if (!cipher_suite) { 15239beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 15339beb93cSSam Leffler "available"); 15439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 15539beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 15639beb93cSSam Leffler return -1; 15739beb93cSSam Leffler } 15839beb93cSSam Leffler 15939beb93cSSam Leffler if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 16039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 16139beb93cSSam Leffler "record layer"); 16239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 16339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 16439beb93cSSam Leffler return -1; 16539beb93cSSam Leffler } 16639beb93cSSam Leffler 16739beb93cSSam Leffler conn->cipher_suite = cipher_suite; 16839beb93cSSam Leffler 16939beb93cSSam Leffler /* CompressionMethod compression_methods<1..2^8-1> */ 17039beb93cSSam Leffler if (end - pos < 1) 17139beb93cSSam Leffler goto decode_error; 17239beb93cSSam Leffler num_suites = *pos++; 17339beb93cSSam Leffler if (end - pos < num_suites) 17439beb93cSSam Leffler goto decode_error; 17539beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 17639beb93cSSam Leffler pos, num_suites); 17739beb93cSSam Leffler compr_null_found = 0; 17839beb93cSSam Leffler for (i = 0; i < num_suites; i++) { 17939beb93cSSam Leffler if (*pos++ == TLS_COMPRESSION_NULL) 18039beb93cSSam Leffler compr_null_found = 1; 18139beb93cSSam Leffler } 18239beb93cSSam Leffler if (!compr_null_found) { 18339beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 18439beb93cSSam Leffler "compression"); 18539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 18639beb93cSSam Leffler TLS_ALERT_ILLEGAL_PARAMETER); 18739beb93cSSam Leffler return -1; 18839beb93cSSam Leffler } 18939beb93cSSam Leffler 19039beb93cSSam Leffler if (end - pos == 1) { 19139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 19239beb93cSSam Leffler "end of ClientHello: 0x%02x", *pos); 19339beb93cSSam Leffler goto decode_error; 19439beb93cSSam Leffler } 19539beb93cSSam Leffler 19639beb93cSSam Leffler if (end - pos >= 2) { 19739beb93cSSam Leffler /* Extension client_hello_extension_list<0..2^16-1> */ 19839beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 19939beb93cSSam Leffler pos += 2; 20039beb93cSSam Leffler 20139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 20239beb93cSSam Leffler "extensions", ext_len); 20339beb93cSSam Leffler if (end - pos != ext_len) { 20439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 20539beb93cSSam Leffler "extension list length %u (expected %u)", 2063157ba21SRui Paulo ext_len, (unsigned int) (end - pos)); 20739beb93cSSam Leffler goto decode_error; 20839beb93cSSam Leffler } 20939beb93cSSam Leffler 21039beb93cSSam Leffler /* 21139beb93cSSam Leffler * struct { 21239beb93cSSam Leffler * ExtensionType extension_type (0..65535) 21339beb93cSSam Leffler * opaque extension_data<0..2^16-1> 21439beb93cSSam Leffler * } Extension; 21539beb93cSSam Leffler */ 21639beb93cSSam Leffler 21739beb93cSSam Leffler while (pos < end) { 21839beb93cSSam Leffler if (end - pos < 2) { 21939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 22039beb93cSSam Leffler "extension_type field"); 22139beb93cSSam Leffler goto decode_error; 22239beb93cSSam Leffler } 22339beb93cSSam Leffler 22439beb93cSSam Leffler ext_type = WPA_GET_BE16(pos); 22539beb93cSSam Leffler pos += 2; 22639beb93cSSam Leffler 22739beb93cSSam Leffler if (end - pos < 2) { 22839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 22939beb93cSSam Leffler "extension_data length field"); 23039beb93cSSam Leffler goto decode_error; 23139beb93cSSam Leffler } 23239beb93cSSam Leffler 23339beb93cSSam Leffler ext_len = WPA_GET_BE16(pos); 23439beb93cSSam Leffler pos += 2; 23539beb93cSSam Leffler 23639beb93cSSam Leffler if (end - pos < ext_len) { 23739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 23839beb93cSSam Leffler "extension_data field"); 23939beb93cSSam Leffler goto decode_error; 24039beb93cSSam Leffler } 24139beb93cSSam Leffler 24239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 24339beb93cSSam Leffler "type %u", ext_type); 24439beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 24539beb93cSSam Leffler "Extension data", pos, ext_len); 24639beb93cSSam Leffler 24739beb93cSSam Leffler if (ext_type == TLS_EXT_SESSION_TICKET) { 24839beb93cSSam Leffler os_free(conn->session_ticket); 24939beb93cSSam Leffler conn->session_ticket = os_malloc(ext_len); 25039beb93cSSam Leffler if (conn->session_ticket) { 25139beb93cSSam Leffler os_memcpy(conn->session_ticket, pos, 25239beb93cSSam Leffler ext_len); 25339beb93cSSam Leffler conn->session_ticket_len = ext_len; 25439beb93cSSam Leffler } 25539beb93cSSam Leffler } 25639beb93cSSam Leffler 25739beb93cSSam Leffler pos += ext_len; 25839beb93cSSam Leffler } 25939beb93cSSam Leffler } 26039beb93cSSam Leffler 26139beb93cSSam Leffler *in_len = end - in_data; 26239beb93cSSam Leffler 26339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 26439beb93cSSam Leffler "ServerHello"); 26539beb93cSSam Leffler conn->state = SERVER_HELLO; 26639beb93cSSam Leffler 26739beb93cSSam Leffler return 0; 26839beb93cSSam Leffler 26939beb93cSSam Leffler decode_error: 27039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 27139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 27239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 27339beb93cSSam Leffler return -1; 27439beb93cSSam Leffler } 27539beb93cSSam Leffler 27639beb93cSSam Leffler 27739beb93cSSam Leffler static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 27839beb93cSSam Leffler const u8 *in_data, size_t *in_len) 27939beb93cSSam Leffler { 28039beb93cSSam Leffler const u8 *pos, *end; 28139beb93cSSam Leffler size_t left, len, list_len, cert_len, idx; 28239beb93cSSam Leffler u8 type; 28339beb93cSSam Leffler struct x509_certificate *chain = NULL, *last = NULL, *cert; 28439beb93cSSam Leffler int reason; 28539beb93cSSam Leffler 28639beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 28739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 28839beb93cSSam Leffler "received content type 0x%x", ct); 28939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 29039beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 29139beb93cSSam Leffler return -1; 29239beb93cSSam Leffler } 29339beb93cSSam Leffler 29439beb93cSSam Leffler pos = in_data; 29539beb93cSSam Leffler left = *in_len; 29639beb93cSSam Leffler 29739beb93cSSam Leffler if (left < 4) { 29839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 29939beb93cSSam Leffler "(len=%lu)", (unsigned long) left); 30039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 30139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 30239beb93cSSam Leffler return -1; 30339beb93cSSam Leffler } 30439beb93cSSam Leffler 30539beb93cSSam Leffler type = *pos++; 30639beb93cSSam Leffler len = WPA_GET_BE24(pos); 30739beb93cSSam Leffler pos += 3; 30839beb93cSSam Leffler left -= 4; 30939beb93cSSam Leffler 31039beb93cSSam Leffler if (len > left) { 31139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 31239beb93cSSam Leffler "length (len=%lu != left=%lu)", 31339beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 31439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 31539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 31639beb93cSSam Leffler return -1; 31739beb93cSSam Leffler } 31839beb93cSSam Leffler 31939beb93cSSam Leffler if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 32039beb93cSSam Leffler if (conn->verify_peer) { 32139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 32239beb93cSSam Leffler "Certificate"); 32339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 32439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 32539beb93cSSam Leffler return -1; 32639beb93cSSam Leffler } 32739beb93cSSam Leffler 32839beb93cSSam Leffler return tls_process_client_key_exchange(conn, ct, in_data, 32939beb93cSSam Leffler in_len); 33039beb93cSSam Leffler } 33139beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 33239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 33339beb93cSSam Leffler "message %d (expected Certificate/" 33439beb93cSSam Leffler "ClientKeyExchange)", type); 33539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 33639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 33739beb93cSSam Leffler return -1; 33839beb93cSSam Leffler } 33939beb93cSSam Leffler 34039beb93cSSam Leffler wpa_printf(MSG_DEBUG, 34139beb93cSSam Leffler "TLSv1: Received Certificate (certificate_list len %lu)", 34239beb93cSSam Leffler (unsigned long) len); 34339beb93cSSam Leffler 34439beb93cSSam Leffler /* 34539beb93cSSam Leffler * opaque ASN.1Cert<2^24-1>; 34639beb93cSSam Leffler * 34739beb93cSSam Leffler * struct { 34839beb93cSSam Leffler * ASN.1Cert certificate_list<1..2^24-1>; 34939beb93cSSam Leffler * } Certificate; 35039beb93cSSam Leffler */ 35139beb93cSSam Leffler 35239beb93cSSam Leffler end = pos + len; 35339beb93cSSam Leffler 35439beb93cSSam Leffler if (end - pos < 3) { 35539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 35639beb93cSSam Leffler "(left=%lu)", (unsigned long) left); 35739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 35839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 35939beb93cSSam Leffler return -1; 36039beb93cSSam Leffler } 36139beb93cSSam Leffler 36239beb93cSSam Leffler list_len = WPA_GET_BE24(pos); 36339beb93cSSam Leffler pos += 3; 36439beb93cSSam Leffler 36539beb93cSSam Leffler if ((size_t) (end - pos) != list_len) { 36639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 36739beb93cSSam Leffler "length (len=%lu left=%lu)", 36839beb93cSSam Leffler (unsigned long) list_len, 36939beb93cSSam Leffler (unsigned long) (end - pos)); 37039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 37139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 37239beb93cSSam Leffler return -1; 37339beb93cSSam Leffler } 37439beb93cSSam Leffler 37539beb93cSSam Leffler idx = 0; 37639beb93cSSam Leffler while (pos < end) { 37739beb93cSSam Leffler if (end - pos < 3) { 37839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 37939beb93cSSam Leffler "certificate_list"); 38039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 38139beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 38239beb93cSSam Leffler x509_certificate_chain_free(chain); 38339beb93cSSam Leffler return -1; 38439beb93cSSam Leffler } 38539beb93cSSam Leffler 38639beb93cSSam Leffler cert_len = WPA_GET_BE24(pos); 38739beb93cSSam Leffler pos += 3; 38839beb93cSSam Leffler 38939beb93cSSam Leffler if ((size_t) (end - pos) < cert_len) { 39039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 39139beb93cSSam Leffler "length (len=%lu left=%lu)", 39239beb93cSSam Leffler (unsigned long) cert_len, 39339beb93cSSam Leffler (unsigned long) (end - pos)); 39439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 39539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 39639beb93cSSam Leffler x509_certificate_chain_free(chain); 39739beb93cSSam Leffler return -1; 39839beb93cSSam Leffler } 39939beb93cSSam Leffler 40039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 40139beb93cSSam Leffler (unsigned long) idx, (unsigned long) cert_len); 40239beb93cSSam Leffler 40339beb93cSSam Leffler if (idx == 0) { 40439beb93cSSam Leffler crypto_public_key_free(conn->client_rsa_key); 40539beb93cSSam Leffler if (tls_parse_cert(pos, cert_len, 40639beb93cSSam Leffler &conn->client_rsa_key)) { 40739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 40839beb93cSSam Leffler "the certificate"); 40939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 41039beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 41139beb93cSSam Leffler x509_certificate_chain_free(chain); 41239beb93cSSam Leffler return -1; 41339beb93cSSam Leffler } 41439beb93cSSam Leffler } 41539beb93cSSam Leffler 41639beb93cSSam Leffler cert = x509_certificate_parse(pos, cert_len); 41739beb93cSSam Leffler if (cert == NULL) { 41839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 41939beb93cSSam Leffler "the certificate"); 42039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 42139beb93cSSam Leffler TLS_ALERT_BAD_CERTIFICATE); 42239beb93cSSam Leffler x509_certificate_chain_free(chain); 42339beb93cSSam Leffler return -1; 42439beb93cSSam Leffler } 42539beb93cSSam Leffler 42639beb93cSSam Leffler if (last == NULL) 42739beb93cSSam Leffler chain = cert; 42839beb93cSSam Leffler else 42939beb93cSSam Leffler last->next = cert; 43039beb93cSSam Leffler last = cert; 43139beb93cSSam Leffler 43239beb93cSSam Leffler idx++; 43339beb93cSSam Leffler pos += cert_len; 43439beb93cSSam Leffler } 43539beb93cSSam Leffler 43639beb93cSSam Leffler if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 437*f05cddf9SRui Paulo &reason, 0) < 0) { 43839beb93cSSam Leffler int tls_reason; 43939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 44039beb93cSSam Leffler "validation failed (reason=%d)", reason); 44139beb93cSSam Leffler switch (reason) { 44239beb93cSSam Leffler case X509_VALIDATE_BAD_CERTIFICATE: 44339beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 44439beb93cSSam Leffler break; 44539beb93cSSam Leffler case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 44639beb93cSSam Leffler tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 44739beb93cSSam Leffler break; 44839beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_REVOKED: 44939beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 45039beb93cSSam Leffler break; 45139beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_EXPIRED: 45239beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 45339beb93cSSam Leffler break; 45439beb93cSSam Leffler case X509_VALIDATE_CERTIFICATE_UNKNOWN: 45539beb93cSSam Leffler tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 45639beb93cSSam Leffler break; 45739beb93cSSam Leffler case X509_VALIDATE_UNKNOWN_CA: 45839beb93cSSam Leffler tls_reason = TLS_ALERT_UNKNOWN_CA; 45939beb93cSSam Leffler break; 46039beb93cSSam Leffler default: 46139beb93cSSam Leffler tls_reason = TLS_ALERT_BAD_CERTIFICATE; 46239beb93cSSam Leffler break; 46339beb93cSSam Leffler } 46439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 46539beb93cSSam Leffler x509_certificate_chain_free(chain); 46639beb93cSSam Leffler return -1; 46739beb93cSSam Leffler } 46839beb93cSSam Leffler 46939beb93cSSam Leffler x509_certificate_chain_free(chain); 47039beb93cSSam Leffler 47139beb93cSSam Leffler *in_len = end - in_data; 47239beb93cSSam Leffler 47339beb93cSSam Leffler conn->state = CLIENT_KEY_EXCHANGE; 47439beb93cSSam Leffler 47539beb93cSSam Leffler return 0; 47639beb93cSSam Leffler } 47739beb93cSSam Leffler 47839beb93cSSam Leffler 47939beb93cSSam Leffler static int tls_process_client_key_exchange_rsa( 48039beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 48139beb93cSSam Leffler { 48239beb93cSSam Leffler u8 *out; 48339beb93cSSam Leffler size_t outlen, outbuflen; 48439beb93cSSam Leffler u16 encr_len; 48539beb93cSSam Leffler int res; 48639beb93cSSam Leffler int use_random = 0; 48739beb93cSSam Leffler 48839beb93cSSam Leffler if (end - pos < 2) { 48939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49039beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 49139beb93cSSam Leffler return -1; 49239beb93cSSam Leffler } 49339beb93cSSam Leffler 49439beb93cSSam Leffler encr_len = WPA_GET_BE16(pos); 49539beb93cSSam Leffler pos += 2; 496*f05cddf9SRui Paulo if (pos + encr_len > end) { 497*f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange " 498*f05cddf9SRui Paulo "format: encr_len=%u left=%u", 499*f05cddf9SRui Paulo encr_len, (unsigned int) (end - pos)); 500*f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 501*f05cddf9SRui Paulo TLS_ALERT_DECODE_ERROR); 502*f05cddf9SRui Paulo return -1; 503*f05cddf9SRui Paulo } 50439beb93cSSam Leffler 50539beb93cSSam Leffler outbuflen = outlen = end - pos; 50639beb93cSSam Leffler out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 50739beb93cSSam Leffler outlen : TLS_PRE_MASTER_SECRET_LEN); 50839beb93cSSam Leffler if (out == NULL) { 50939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 51039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 51139beb93cSSam Leffler return -1; 51239beb93cSSam Leffler } 51339beb93cSSam Leffler 51439beb93cSSam Leffler /* 51539beb93cSSam Leffler * struct { 51639beb93cSSam Leffler * ProtocolVersion client_version; 51739beb93cSSam Leffler * opaque random[46]; 51839beb93cSSam Leffler * } PreMasterSecret; 51939beb93cSSam Leffler * 52039beb93cSSam Leffler * struct { 52139beb93cSSam Leffler * public-key-encrypted PreMasterSecret pre_master_secret; 52239beb93cSSam Leffler * } EncryptedPreMasterSecret; 52339beb93cSSam Leffler */ 52439beb93cSSam Leffler 52539beb93cSSam Leffler /* 52639beb93cSSam Leffler * Note: To avoid Bleichenbacher attack, we do not report decryption or 52739beb93cSSam Leffler * parsing errors from EncryptedPreMasterSecret processing to the 52839beb93cSSam Leffler * client. Instead, a random pre-master secret is used to force the 52939beb93cSSam Leffler * handshake to fail. 53039beb93cSSam Leffler */ 53139beb93cSSam Leffler 53239beb93cSSam Leffler if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 533*f05cddf9SRui Paulo pos, encr_len, 53439beb93cSSam Leffler out, &outlen) < 0) { 53539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 536*f05cddf9SRui Paulo "PreMasterSecret (encr_len=%u outlen=%lu)", 537*f05cddf9SRui Paulo encr_len, (unsigned long) outlen); 53839beb93cSSam Leffler use_random = 1; 53939beb93cSSam Leffler } 54039beb93cSSam Leffler 541*f05cddf9SRui Paulo if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 54239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 54339beb93cSSam Leffler "length %lu", (unsigned long) outlen); 54439beb93cSSam Leffler use_random = 1; 54539beb93cSSam Leffler } 54639beb93cSSam Leffler 547*f05cddf9SRui Paulo if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 54839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 54939beb93cSSam Leffler "ClientKeyExchange does not match with version in " 55039beb93cSSam Leffler "ClientHello"); 55139beb93cSSam Leffler use_random = 1; 55239beb93cSSam Leffler } 55339beb93cSSam Leffler 55439beb93cSSam Leffler if (use_random) { 55539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 55639beb93cSSam Leffler "to avoid revealing information about private key"); 55739beb93cSSam Leffler outlen = TLS_PRE_MASTER_SECRET_LEN; 55839beb93cSSam Leffler if (os_get_random(out, outlen)) { 55939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 56039beb93cSSam Leffler "data"); 56139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 56239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 56339beb93cSSam Leffler os_free(out); 56439beb93cSSam Leffler return -1; 56539beb93cSSam Leffler } 56639beb93cSSam Leffler } 56739beb93cSSam Leffler 56839beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, out, outlen); 56939beb93cSSam Leffler 57039beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 57139beb93cSSam Leffler os_memset(out, 0, outbuflen); 57239beb93cSSam Leffler os_free(out); 57339beb93cSSam Leffler 57439beb93cSSam Leffler if (res) { 57539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 57639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 57739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 57839beb93cSSam Leffler return -1; 57939beb93cSSam Leffler } 58039beb93cSSam Leffler 58139beb93cSSam Leffler return 0; 58239beb93cSSam Leffler } 58339beb93cSSam Leffler 58439beb93cSSam Leffler 58539beb93cSSam Leffler static int tls_process_client_key_exchange_dh_anon( 58639beb93cSSam Leffler struct tlsv1_server *conn, const u8 *pos, const u8 *end) 58739beb93cSSam Leffler { 58839beb93cSSam Leffler const u8 *dh_yc; 58939beb93cSSam Leffler u16 dh_yc_len; 59039beb93cSSam Leffler u8 *shared; 59139beb93cSSam Leffler size_t shared_len; 59239beb93cSSam Leffler int res; 59339beb93cSSam Leffler 59439beb93cSSam Leffler /* 59539beb93cSSam Leffler * struct { 59639beb93cSSam Leffler * select (PublicValueEncoding) { 59739beb93cSSam Leffler * case implicit: struct { }; 59839beb93cSSam Leffler * case explicit: opaque dh_Yc<1..2^16-1>; 59939beb93cSSam Leffler * } dh_public; 60039beb93cSSam Leffler * } ClientDiffieHellmanPublic; 60139beb93cSSam Leffler */ 60239beb93cSSam Leffler 60339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 60439beb93cSSam Leffler pos, end - pos); 60539beb93cSSam Leffler 60639beb93cSSam Leffler if (end == pos) { 60739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 60839beb93cSSam Leffler "not supported"); 60939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 61039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 61139beb93cSSam Leffler return -1; 61239beb93cSSam Leffler } 61339beb93cSSam Leffler 61439beb93cSSam Leffler if (end - pos < 3) { 61539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 61639beb93cSSam Leffler "length"); 61739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 61839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 61939beb93cSSam Leffler return -1; 62039beb93cSSam Leffler } 62139beb93cSSam Leffler 62239beb93cSSam Leffler dh_yc_len = WPA_GET_BE16(pos); 62339beb93cSSam Leffler dh_yc = pos + 2; 62439beb93cSSam Leffler 62539beb93cSSam Leffler if (dh_yc + dh_yc_len > end) { 62639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 62739beb93cSSam Leffler "(length %d)", dh_yc_len); 62839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 62939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 63039beb93cSSam Leffler return -1; 63139beb93cSSam Leffler } 63239beb93cSSam Leffler 63339beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 63439beb93cSSam Leffler dh_yc, dh_yc_len); 63539beb93cSSam Leffler 63639beb93cSSam Leffler if (conn->cred == NULL || conn->cred->dh_p == NULL || 63739beb93cSSam Leffler conn->dh_secret == NULL) { 63839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 63939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 64039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 64139beb93cSSam Leffler return -1; 64239beb93cSSam Leffler } 64339beb93cSSam Leffler 64439beb93cSSam Leffler shared_len = conn->cred->dh_p_len; 64539beb93cSSam Leffler shared = os_malloc(shared_len); 64639beb93cSSam Leffler if (shared == NULL) { 64739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 64839beb93cSSam Leffler "DH"); 64939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 65039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 65139beb93cSSam Leffler return -1; 65239beb93cSSam Leffler } 65339beb93cSSam Leffler 65439beb93cSSam Leffler /* shared = Yc^secret mod p */ 65539beb93cSSam Leffler if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 65639beb93cSSam Leffler conn->dh_secret_len, 65739beb93cSSam Leffler conn->cred->dh_p, conn->cred->dh_p_len, 65839beb93cSSam Leffler shared, &shared_len)) { 65939beb93cSSam Leffler os_free(shared); 66039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 66139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 66239beb93cSSam Leffler return -1; 66339beb93cSSam Leffler } 66439beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 66539beb93cSSam Leffler shared, shared_len); 66639beb93cSSam Leffler 66739beb93cSSam Leffler os_memset(conn->dh_secret, 0, conn->dh_secret_len); 66839beb93cSSam Leffler os_free(conn->dh_secret); 66939beb93cSSam Leffler conn->dh_secret = NULL; 67039beb93cSSam Leffler 67139beb93cSSam Leffler res = tlsv1_server_derive_keys(conn, shared, shared_len); 67239beb93cSSam Leffler 67339beb93cSSam Leffler /* Clear the pre-master secret since it is not needed anymore */ 67439beb93cSSam Leffler os_memset(shared, 0, shared_len); 67539beb93cSSam Leffler os_free(shared); 67639beb93cSSam Leffler 67739beb93cSSam Leffler if (res) { 67839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 67939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 68039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 68139beb93cSSam Leffler return -1; 68239beb93cSSam Leffler } 68339beb93cSSam Leffler 68439beb93cSSam Leffler return 0; 68539beb93cSSam Leffler } 68639beb93cSSam Leffler 68739beb93cSSam Leffler 68839beb93cSSam Leffler static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 68939beb93cSSam Leffler const u8 *in_data, size_t *in_len) 69039beb93cSSam Leffler { 69139beb93cSSam Leffler const u8 *pos, *end; 69239beb93cSSam Leffler size_t left, len; 69339beb93cSSam Leffler u8 type; 69439beb93cSSam Leffler tls_key_exchange keyx; 69539beb93cSSam Leffler const struct tls_cipher_suite *suite; 69639beb93cSSam Leffler 69739beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 69839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 69939beb93cSSam Leffler "received content type 0x%x", ct); 70039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 70139beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 70239beb93cSSam Leffler return -1; 70339beb93cSSam Leffler } 70439beb93cSSam Leffler 70539beb93cSSam Leffler pos = in_data; 70639beb93cSSam Leffler left = *in_len; 70739beb93cSSam Leffler 70839beb93cSSam Leffler if (left < 4) { 70939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 71039beb93cSSam Leffler "(Left=%lu)", (unsigned long) left); 71139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 71239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 71339beb93cSSam Leffler return -1; 71439beb93cSSam Leffler } 71539beb93cSSam Leffler 71639beb93cSSam Leffler type = *pos++; 71739beb93cSSam Leffler len = WPA_GET_BE24(pos); 71839beb93cSSam Leffler pos += 3; 71939beb93cSSam Leffler left -= 4; 72039beb93cSSam Leffler 72139beb93cSSam Leffler if (len > left) { 72239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 72339beb93cSSam Leffler "length (len=%lu != left=%lu)", 72439beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 72539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 72639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 72739beb93cSSam Leffler return -1; 72839beb93cSSam Leffler } 72939beb93cSSam Leffler 73039beb93cSSam Leffler end = pos + len; 73139beb93cSSam Leffler 73239beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 73339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 73439beb93cSSam Leffler "message %d (expected ClientKeyExchange)", type); 73539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 73639beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 73739beb93cSSam Leffler return -1; 73839beb93cSSam Leffler } 73939beb93cSSam Leffler 74039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 74139beb93cSSam Leffler 74239beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 74339beb93cSSam Leffler 74439beb93cSSam Leffler suite = tls_get_cipher_suite(conn->rl.cipher_suite); 74539beb93cSSam Leffler if (suite == NULL) 74639beb93cSSam Leffler keyx = TLS_KEY_X_NULL; 74739beb93cSSam Leffler else 74839beb93cSSam Leffler keyx = suite->key_exchange; 74939beb93cSSam Leffler 75039beb93cSSam Leffler if (keyx == TLS_KEY_X_DH_anon && 75139beb93cSSam Leffler tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 75239beb93cSSam Leffler return -1; 75339beb93cSSam Leffler 75439beb93cSSam Leffler if (keyx != TLS_KEY_X_DH_anon && 75539beb93cSSam Leffler tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 75639beb93cSSam Leffler return -1; 75739beb93cSSam Leffler 75839beb93cSSam Leffler *in_len = end - in_data; 75939beb93cSSam Leffler 76039beb93cSSam Leffler conn->state = CERTIFICATE_VERIFY; 76139beb93cSSam Leffler 76239beb93cSSam Leffler return 0; 76339beb93cSSam Leffler } 76439beb93cSSam Leffler 76539beb93cSSam Leffler 76639beb93cSSam Leffler static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 76739beb93cSSam Leffler const u8 *in_data, size_t *in_len) 76839beb93cSSam Leffler { 76939beb93cSSam Leffler const u8 *pos, *end; 77039beb93cSSam Leffler size_t left, len; 77139beb93cSSam Leffler u8 type; 77239beb93cSSam Leffler size_t hlen, buflen; 77339beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 77439beb93cSSam Leffler enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 77539beb93cSSam Leffler u16 slen; 77639beb93cSSam Leffler 77739beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 77839beb93cSSam Leffler if (conn->verify_peer) { 77939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 78039beb93cSSam Leffler "CertificateVerify"); 78139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 78239beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 78339beb93cSSam Leffler return -1; 78439beb93cSSam Leffler } 78539beb93cSSam Leffler 78639beb93cSSam Leffler return tls_process_change_cipher_spec(conn, ct, in_data, 78739beb93cSSam Leffler in_len); 78839beb93cSSam Leffler } 78939beb93cSSam Leffler 79039beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 79139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 79239beb93cSSam Leffler "received content type 0x%x", ct); 79339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 79439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 79539beb93cSSam Leffler return -1; 79639beb93cSSam Leffler } 79739beb93cSSam Leffler 79839beb93cSSam Leffler pos = in_data; 79939beb93cSSam Leffler left = *in_len; 80039beb93cSSam Leffler 80139beb93cSSam Leffler if (left < 4) { 80239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 80339beb93cSSam Leffler "message (len=%lu)", (unsigned long) left); 80439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 80539beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 80639beb93cSSam Leffler return -1; 80739beb93cSSam Leffler } 80839beb93cSSam Leffler 80939beb93cSSam Leffler type = *pos++; 81039beb93cSSam Leffler len = WPA_GET_BE24(pos); 81139beb93cSSam Leffler pos += 3; 81239beb93cSSam Leffler left -= 4; 81339beb93cSSam Leffler 81439beb93cSSam Leffler if (len > left) { 81539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 81639beb93cSSam Leffler "message length (len=%lu != left=%lu)", 81739beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 81839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 81939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 82039beb93cSSam Leffler return -1; 82139beb93cSSam Leffler } 82239beb93cSSam Leffler 82339beb93cSSam Leffler end = pos + len; 82439beb93cSSam Leffler 82539beb93cSSam Leffler if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 82639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 82739beb93cSSam Leffler "message %d (expected CertificateVerify)", type); 82839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 82939beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 83039beb93cSSam Leffler return -1; 83139beb93cSSam Leffler } 83239beb93cSSam Leffler 83339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 83439beb93cSSam Leffler 83539beb93cSSam Leffler /* 83639beb93cSSam Leffler * struct { 83739beb93cSSam Leffler * Signature signature; 83839beb93cSSam Leffler * } CertificateVerify; 83939beb93cSSam Leffler */ 84039beb93cSSam Leffler 84139beb93cSSam Leffler hpos = hash; 84239beb93cSSam Leffler 843*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 844*f05cddf9SRui Paulo if (conn->rl.tls_version == TLS_VERSION_1_2) { 845*f05cddf9SRui Paulo /* 846*f05cddf9SRui Paulo * RFC 5246, 4.7: 847*f05cddf9SRui Paulo * TLS v1.2 adds explicit indication of the used signature and 848*f05cddf9SRui Paulo * hash algorithms. 849*f05cddf9SRui Paulo * 850*f05cddf9SRui Paulo * struct { 851*f05cddf9SRui Paulo * HashAlgorithm hash; 852*f05cddf9SRui Paulo * SignatureAlgorithm signature; 853*f05cddf9SRui Paulo * } SignatureAndHashAlgorithm; 854*f05cddf9SRui Paulo */ 855*f05cddf9SRui Paulo if (end - pos < 2) { 856*f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 857*f05cddf9SRui Paulo TLS_ALERT_DECODE_ERROR); 858*f05cddf9SRui Paulo return -1; 859*f05cddf9SRui Paulo } 860*f05cddf9SRui Paulo if (pos[0] != TLS_HASH_ALG_SHA256 || 861*f05cddf9SRui Paulo pos[1] != TLS_SIGN_ALG_RSA) { 862*f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 863*f05cddf9SRui Paulo "signature(%u) algorithm", 864*f05cddf9SRui Paulo pos[0], pos[1]); 865*f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 866*f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 867*f05cddf9SRui Paulo return -1; 868*f05cddf9SRui Paulo } 869*f05cddf9SRui Paulo pos += 2; 870*f05cddf9SRui Paulo 871*f05cddf9SRui Paulo hlen = SHA256_MAC_LEN; 872*f05cddf9SRui Paulo if (conn->verify.sha256_cert == NULL || 873*f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 874*f05cddf9SRui Paulo 0) { 875*f05cddf9SRui Paulo conn->verify.sha256_cert = NULL; 876*f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 877*f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 878*f05cddf9SRui Paulo return -1; 879*f05cddf9SRui Paulo } 880*f05cddf9SRui Paulo conn->verify.sha256_cert = NULL; 881*f05cddf9SRui Paulo } else { 882*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 883*f05cddf9SRui Paulo 88439beb93cSSam Leffler if (alg == SIGN_ALG_RSA) { 88539beb93cSSam Leffler hlen = MD5_MAC_LEN; 88639beb93cSSam Leffler if (conn->verify.md5_cert == NULL || 88739beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 88839beb93cSSam Leffler { 88939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 89039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 89139beb93cSSam Leffler conn->verify.md5_cert = NULL; 89239beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 89339beb93cSSam Leffler conn->verify.sha1_cert = NULL; 89439beb93cSSam Leffler return -1; 89539beb93cSSam Leffler } 89639beb93cSSam Leffler hpos += MD5_MAC_LEN; 89739beb93cSSam Leffler } else 89839beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 89939beb93cSSam Leffler 90039beb93cSSam Leffler conn->verify.md5_cert = NULL; 90139beb93cSSam Leffler hlen = SHA1_MAC_LEN; 90239beb93cSSam Leffler if (conn->verify.sha1_cert == NULL || 90339beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 90439beb93cSSam Leffler conn->verify.sha1_cert = NULL; 90539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 90639beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 90739beb93cSSam Leffler return -1; 90839beb93cSSam Leffler } 90939beb93cSSam Leffler conn->verify.sha1_cert = NULL; 91039beb93cSSam Leffler 91139beb93cSSam Leffler if (alg == SIGN_ALG_RSA) 91239beb93cSSam Leffler hlen += MD5_MAC_LEN; 91339beb93cSSam Leffler 914*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 915*f05cddf9SRui Paulo } 916*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 917*f05cddf9SRui Paulo 91839beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 91939beb93cSSam Leffler 92039beb93cSSam Leffler if (end - pos < 2) { 92139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 92239beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 92339beb93cSSam Leffler return -1; 92439beb93cSSam Leffler } 92539beb93cSSam Leffler slen = WPA_GET_BE16(pos); 92639beb93cSSam Leffler pos += 2; 92739beb93cSSam Leffler if (end - pos < slen) { 92839beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 92939beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 93039beb93cSSam Leffler return -1; 93139beb93cSSam Leffler } 93239beb93cSSam Leffler 93339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 93439beb93cSSam Leffler if (conn->client_rsa_key == NULL) { 93539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 93639beb93cSSam Leffler "signature"); 93739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 93839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 93939beb93cSSam Leffler return -1; 94039beb93cSSam Leffler } 94139beb93cSSam Leffler 94239beb93cSSam Leffler buflen = end - pos; 94339beb93cSSam Leffler buf = os_malloc(end - pos); 94439beb93cSSam Leffler if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 94539beb93cSSam Leffler pos, end - pos, buf, &buflen) < 0) 94639beb93cSSam Leffler { 94739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 94839beb93cSSam Leffler os_free(buf); 94939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 95039beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 95139beb93cSSam Leffler return -1; 95239beb93cSSam Leffler } 95339beb93cSSam Leffler 95439beb93cSSam Leffler wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 95539beb93cSSam Leffler buf, buflen); 95639beb93cSSam Leffler 957*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 958*f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) { 959*f05cddf9SRui Paulo /* 960*f05cddf9SRui Paulo * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 961*f05cddf9SRui Paulo * 962*f05cddf9SRui Paulo * DigestInfo ::= SEQUENCE { 963*f05cddf9SRui Paulo * digestAlgorithm DigestAlgorithm, 964*f05cddf9SRui Paulo * digest OCTET STRING 965*f05cddf9SRui Paulo * } 966*f05cddf9SRui Paulo * 967*f05cddf9SRui Paulo * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 968*f05cddf9SRui Paulo * 969*f05cddf9SRui Paulo * DER encoded DigestInfo for SHA256 per RFC 3447: 970*f05cddf9SRui Paulo * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 971*f05cddf9SRui Paulo * H 972*f05cddf9SRui Paulo */ 973*f05cddf9SRui Paulo if (buflen >= 19 + 32 && 974*f05cddf9SRui Paulo os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01" 975*f05cddf9SRui Paulo "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0) 976*f05cddf9SRui Paulo { 977*f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = " 978*f05cddf9SRui Paulo "SHA-256"); 979*f05cddf9SRui Paulo os_memmove(buf, buf + 19, buflen - 19); 980*f05cddf9SRui Paulo buflen -= 19; 981*f05cddf9SRui Paulo } else { 982*f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized " 983*f05cddf9SRui Paulo "DigestInfo"); 984*f05cddf9SRui Paulo os_free(buf); 985*f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 986*f05cddf9SRui Paulo TLS_ALERT_DECRYPT_ERROR); 987*f05cddf9SRui Paulo return -1; 988*f05cddf9SRui Paulo } 989*f05cddf9SRui Paulo } 990*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 991*f05cddf9SRui Paulo 99239beb93cSSam Leffler if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 99339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 99439beb93cSSam Leffler "CertificateVerify - did not match with calculated " 99539beb93cSSam Leffler "hash"); 99639beb93cSSam Leffler os_free(buf); 99739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 99839beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 99939beb93cSSam Leffler return -1; 100039beb93cSSam Leffler } 100139beb93cSSam Leffler 100239beb93cSSam Leffler os_free(buf); 100339beb93cSSam Leffler 100439beb93cSSam Leffler *in_len = end - in_data; 100539beb93cSSam Leffler 100639beb93cSSam Leffler conn->state = CHANGE_CIPHER_SPEC; 100739beb93cSSam Leffler 100839beb93cSSam Leffler return 0; 100939beb93cSSam Leffler } 101039beb93cSSam Leffler 101139beb93cSSam Leffler 101239beb93cSSam Leffler static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 101339beb93cSSam Leffler u8 ct, const u8 *in_data, 101439beb93cSSam Leffler size_t *in_len) 101539beb93cSSam Leffler { 101639beb93cSSam Leffler const u8 *pos; 101739beb93cSSam Leffler size_t left; 101839beb93cSSam Leffler 101939beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 102039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 102139beb93cSSam Leffler "received content type 0x%x", ct); 102239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 102339beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 102439beb93cSSam Leffler return -1; 102539beb93cSSam Leffler } 102639beb93cSSam Leffler 102739beb93cSSam Leffler pos = in_data; 102839beb93cSSam Leffler left = *in_len; 102939beb93cSSam Leffler 103039beb93cSSam Leffler if (left < 1) { 103139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 103239beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 103339beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 103439beb93cSSam Leffler return -1; 103539beb93cSSam Leffler } 103639beb93cSSam Leffler 103739beb93cSSam Leffler if (*pos != TLS_CHANGE_CIPHER_SPEC) { 103839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 103939beb93cSSam Leffler "received data 0x%x", *pos); 104039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 104139beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 104239beb93cSSam Leffler return -1; 104339beb93cSSam Leffler } 104439beb93cSSam Leffler 104539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 104639beb93cSSam Leffler if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 104739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 104839beb93cSSam Leffler "for record layer"); 104939beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 105039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 105139beb93cSSam Leffler return -1; 105239beb93cSSam Leffler } 105339beb93cSSam Leffler 105439beb93cSSam Leffler *in_len = pos + 1 - in_data; 105539beb93cSSam Leffler 105639beb93cSSam Leffler conn->state = CLIENT_FINISHED; 105739beb93cSSam Leffler 105839beb93cSSam Leffler return 0; 105939beb93cSSam Leffler } 106039beb93cSSam Leffler 106139beb93cSSam Leffler 106239beb93cSSam Leffler static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 106339beb93cSSam Leffler const u8 *in_data, size_t *in_len) 106439beb93cSSam Leffler { 106539beb93cSSam Leffler const u8 *pos, *end; 106639beb93cSSam Leffler size_t left, len, hlen; 106739beb93cSSam Leffler u8 verify_data[TLS_VERIFY_DATA_LEN]; 106839beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 106939beb93cSSam Leffler 107039beb93cSSam Leffler if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 107139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 107239beb93cSSam Leffler "received content type 0x%x", ct); 107339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 107439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 107539beb93cSSam Leffler return -1; 107639beb93cSSam Leffler } 107739beb93cSSam Leffler 107839beb93cSSam Leffler pos = in_data; 107939beb93cSSam Leffler left = *in_len; 108039beb93cSSam Leffler 108139beb93cSSam Leffler if (left < 4) { 108239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 108339beb93cSSam Leffler "Finished", 108439beb93cSSam Leffler (unsigned long) left); 108539beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 108639beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 108739beb93cSSam Leffler return -1; 108839beb93cSSam Leffler } 108939beb93cSSam Leffler 109039beb93cSSam Leffler if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 109139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 109239beb93cSSam Leffler "type 0x%x", pos[0]); 109339beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 109439beb93cSSam Leffler TLS_ALERT_UNEXPECTED_MESSAGE); 109539beb93cSSam Leffler return -1; 109639beb93cSSam Leffler } 109739beb93cSSam Leffler 109839beb93cSSam Leffler len = WPA_GET_BE24(pos + 1); 109939beb93cSSam Leffler 110039beb93cSSam Leffler pos += 4; 110139beb93cSSam Leffler left -= 4; 110239beb93cSSam Leffler 110339beb93cSSam Leffler if (len > left) { 110439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 110539beb93cSSam Leffler "(len=%lu > left=%lu)", 110639beb93cSSam Leffler (unsigned long) len, (unsigned long) left); 110739beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 110839beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 110939beb93cSSam Leffler return -1; 111039beb93cSSam Leffler } 111139beb93cSSam Leffler end = pos + len; 111239beb93cSSam Leffler if (len != TLS_VERIFY_DATA_LEN) { 111339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 111439beb93cSSam Leffler "in Finished: %lu (expected %d)", 111539beb93cSSam Leffler (unsigned long) len, TLS_VERIFY_DATA_LEN); 111639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 111739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 111839beb93cSSam Leffler return -1; 111939beb93cSSam Leffler } 112039beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 112139beb93cSSam Leffler pos, TLS_VERIFY_DATA_LEN); 112239beb93cSSam Leffler 1123*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 1124*f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1125*f05cddf9SRui Paulo hlen = SHA256_MAC_LEN; 1126*f05cddf9SRui Paulo if (conn->verify.sha256_client == NULL || 1127*f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1128*f05cddf9SRui Paulo < 0) { 1129*f05cddf9SRui Paulo tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1130*f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 1131*f05cddf9SRui Paulo conn->verify.sha256_client = NULL; 1132*f05cddf9SRui Paulo return -1; 1133*f05cddf9SRui Paulo } 1134*f05cddf9SRui Paulo conn->verify.sha256_client = NULL; 1135*f05cddf9SRui Paulo } else { 1136*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 1137*f05cddf9SRui Paulo 113839beb93cSSam Leffler hlen = MD5_MAC_LEN; 113939beb93cSSam Leffler if (conn->verify.md5_client == NULL || 114039beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 114139beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 114239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 114339beb93cSSam Leffler conn->verify.md5_client = NULL; 114439beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 114539beb93cSSam Leffler conn->verify.sha1_client = NULL; 114639beb93cSSam Leffler return -1; 114739beb93cSSam Leffler } 114839beb93cSSam Leffler conn->verify.md5_client = NULL; 114939beb93cSSam Leffler hlen = SHA1_MAC_LEN; 115039beb93cSSam Leffler if (conn->verify.sha1_client == NULL || 115139beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 115239beb93cSSam Leffler &hlen) < 0) { 115339beb93cSSam Leffler conn->verify.sha1_client = NULL; 115439beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 115539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 115639beb93cSSam Leffler return -1; 115739beb93cSSam Leffler } 115839beb93cSSam Leffler conn->verify.sha1_client = NULL; 1159*f05cddf9SRui Paulo hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 116039beb93cSSam Leffler 1161*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 1162*f05cddf9SRui Paulo } 1163*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 1164*f05cddf9SRui Paulo 1165*f05cddf9SRui Paulo if (tls_prf(conn->rl.tls_version, 1166*f05cddf9SRui Paulo conn->master_secret, TLS_MASTER_SECRET_LEN, 1167*f05cddf9SRui Paulo "client finished", hash, hlen, 116839beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN)) { 116939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 117039beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 117139beb93cSSam Leffler TLS_ALERT_DECRYPT_ERROR); 117239beb93cSSam Leffler return -1; 117339beb93cSSam Leffler } 117439beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 117539beb93cSSam Leffler verify_data, TLS_VERIFY_DATA_LEN); 117639beb93cSSam Leffler 117739beb93cSSam Leffler if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 117839beb93cSSam Leffler wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 117939beb93cSSam Leffler return -1; 118039beb93cSSam Leffler } 118139beb93cSSam Leffler 118239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 118339beb93cSSam Leffler 118439beb93cSSam Leffler *in_len = end - in_data; 118539beb93cSSam Leffler 118639beb93cSSam Leffler if (conn->use_session_ticket) { 118739beb93cSSam Leffler /* Abbreviated handshake using session ticket; RFC 4507 */ 118839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 118939beb93cSSam Leffler "successfully"); 119039beb93cSSam Leffler conn->state = ESTABLISHED; 119139beb93cSSam Leffler } else { 119239beb93cSSam Leffler /* Full handshake */ 119339beb93cSSam Leffler conn->state = SERVER_CHANGE_CIPHER_SPEC; 119439beb93cSSam Leffler } 119539beb93cSSam Leffler 119639beb93cSSam Leffler return 0; 119739beb93cSSam Leffler } 119839beb93cSSam Leffler 119939beb93cSSam Leffler 120039beb93cSSam Leffler int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 120139beb93cSSam Leffler const u8 *buf, size_t *len) 120239beb93cSSam Leffler { 120339beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_ALERT) { 120439beb93cSSam Leffler if (*len < 2) { 120539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 120639beb93cSSam Leffler tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 120739beb93cSSam Leffler TLS_ALERT_DECODE_ERROR); 120839beb93cSSam Leffler return -1; 120939beb93cSSam Leffler } 121039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 121139beb93cSSam Leffler buf[0], buf[1]); 121239beb93cSSam Leffler *len = 2; 121339beb93cSSam Leffler conn->state = FAILED; 121439beb93cSSam Leffler return -1; 121539beb93cSSam Leffler } 121639beb93cSSam Leffler 121739beb93cSSam Leffler switch (conn->state) { 121839beb93cSSam Leffler case CLIENT_HELLO: 121939beb93cSSam Leffler if (tls_process_client_hello(conn, ct, buf, len)) 122039beb93cSSam Leffler return -1; 122139beb93cSSam Leffler break; 122239beb93cSSam Leffler case CLIENT_CERTIFICATE: 122339beb93cSSam Leffler if (tls_process_certificate(conn, ct, buf, len)) 122439beb93cSSam Leffler return -1; 122539beb93cSSam Leffler break; 122639beb93cSSam Leffler case CLIENT_KEY_EXCHANGE: 122739beb93cSSam Leffler if (tls_process_client_key_exchange(conn, ct, buf, len)) 122839beb93cSSam Leffler return -1; 122939beb93cSSam Leffler break; 123039beb93cSSam Leffler case CERTIFICATE_VERIFY: 123139beb93cSSam Leffler if (tls_process_certificate_verify(conn, ct, buf, len)) 123239beb93cSSam Leffler return -1; 123339beb93cSSam Leffler break; 123439beb93cSSam Leffler case CHANGE_CIPHER_SPEC: 123539beb93cSSam Leffler if (tls_process_change_cipher_spec(conn, ct, buf, len)) 123639beb93cSSam Leffler return -1; 123739beb93cSSam Leffler break; 123839beb93cSSam Leffler case CLIENT_FINISHED: 123939beb93cSSam Leffler if (tls_process_client_finished(conn, ct, buf, len)) 124039beb93cSSam Leffler return -1; 124139beb93cSSam Leffler break; 124239beb93cSSam Leffler default: 124339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 124439beb93cSSam Leffler "while processing received message", 124539beb93cSSam Leffler conn->state); 124639beb93cSSam Leffler return -1; 124739beb93cSSam Leffler } 124839beb93cSSam Leffler 124939beb93cSSam Leffler if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 125039beb93cSSam Leffler tls_verify_hash_add(&conn->verify, buf, *len); 125139beb93cSSam Leffler 125239beb93cSSam Leffler return 0; 125339beb93cSSam Leffler } 1254