xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_read.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a)
1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
21 #include "x509v3.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
26 
27 
28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29 					   const u8 *in_data, size_t *in_len);
30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31 					  u8 ct, const u8 *in_data,
32 					  size_t *in_len);
33 
34 
35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36 				    const u8 *in_data, size_t *in_len)
37 {
38 	const u8 *pos, *end, *c;
39 	size_t left, len, i, j;
40 	u16 cipher_suite;
41 	u16 num_suites;
42 	int compr_null_found;
43 	u16 ext_type, ext_len;
44 
45 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
46 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
47 			   "received content type 0x%x", ct);
48 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
49 				   TLS_ALERT_UNEXPECTED_MESSAGE);
50 		return -1;
51 	}
52 
53 	pos = in_data;
54 	left = *in_len;
55 
56 	if (left < 4)
57 		goto decode_error;
58 
59 	/* HandshakeType msg_type */
60 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
61 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
62 			   "message %d (expected ClientHello)", *pos);
63 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
64 				   TLS_ALERT_UNEXPECTED_MESSAGE);
65 		return -1;
66 	}
67 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
68 	pos++;
69 	/* uint24 length */
70 	len = WPA_GET_BE24(pos);
71 	pos += 3;
72 	left -= 4;
73 
74 	if (len > left)
75 		goto decode_error;
76 
77 	/* body - ClientHello */
78 
79 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
80 	end = pos + len;
81 
82 	/* ProtocolVersion client_version */
83 	if (end - pos < 2)
84 		goto decode_error;
85 	conn->client_version = WPA_GET_BE16(pos);
86 	wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
87 		   conn->client_version >> 8, conn->client_version & 0xff);
88 	if (conn->client_version < TLS_VERSION) {
89 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
90 			   "ClientHello");
91 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
92 				   TLS_ALERT_PROTOCOL_VERSION);
93 		return -1;
94 	}
95 	pos += 2;
96 
97 	/* Random random */
98 	if (end - pos < TLS_RANDOM_LEN)
99 		goto decode_error;
100 
101 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
102 	pos += TLS_RANDOM_LEN;
103 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
104 		    conn->client_random, TLS_RANDOM_LEN);
105 
106 	/* SessionID session_id */
107 	if (end - pos < 1)
108 		goto decode_error;
109 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
110 		goto decode_error;
111 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
112 	pos += 1 + *pos;
113 	/* TODO: add support for session resumption */
114 
115 	/* CipherSuite cipher_suites<2..2^16-1> */
116 	if (end - pos < 2)
117 		goto decode_error;
118 	num_suites = WPA_GET_BE16(pos);
119 	pos += 2;
120 	if (end - pos < num_suites)
121 		goto decode_error;
122 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
123 		    pos, num_suites);
124 	if (num_suites & 1)
125 		goto decode_error;
126 	num_suites /= 2;
127 
128 	cipher_suite = 0;
129 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
130 		c = pos;
131 		for (j = 0; j < num_suites; j++) {
132 			u16 tmp = WPA_GET_BE16(c);
133 			c += 2;
134 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
135 				cipher_suite = tmp;
136 				break;
137 			}
138 		}
139 	}
140 	pos += num_suites * 2;
141 	if (!cipher_suite) {
142 		wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
143 			   "available");
144 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
145 				   TLS_ALERT_ILLEGAL_PARAMETER);
146 		return -1;
147 	}
148 
149 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
150 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
151 			   "record layer");
152 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 				   TLS_ALERT_INTERNAL_ERROR);
154 		return -1;
155 	}
156 
157 	conn->cipher_suite = cipher_suite;
158 
159 	/* CompressionMethod compression_methods<1..2^8-1> */
160 	if (end - pos < 1)
161 		goto decode_error;
162 	num_suites = *pos++;
163 	if (end - pos < num_suites)
164 		goto decode_error;
165 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
166 		    pos, num_suites);
167 	compr_null_found = 0;
168 	for (i = 0; i < num_suites; i++) {
169 		if (*pos++ == TLS_COMPRESSION_NULL)
170 			compr_null_found = 1;
171 	}
172 	if (!compr_null_found) {
173 		wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
174 			   "compression");
175 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
176 				   TLS_ALERT_ILLEGAL_PARAMETER);
177 		return -1;
178 	}
179 
180 	if (end - pos == 1) {
181 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
182 			    "end of ClientHello: 0x%02x", *pos);
183 		goto decode_error;
184 	}
185 
186 	if (end - pos >= 2) {
187 		/* Extension client_hello_extension_list<0..2^16-1> */
188 		ext_len = WPA_GET_BE16(pos);
189 		pos += 2;
190 
191 		wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
192 			   "extensions", ext_len);
193 		if (end - pos != ext_len) {
194 			wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
195 				   "extension list length %u (expected %u)",
196 				   ext_len, (unsigned int) (end - pos));
197 			goto decode_error;
198 		}
199 
200 		/*
201 		 * struct {
202 		 *   ExtensionType extension_type (0..65535)
203 		 *   opaque extension_data<0..2^16-1>
204 		 * } Extension;
205 		 */
206 
207 		while (pos < end) {
208 			if (end - pos < 2) {
209 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
210 					   "extension_type field");
211 				goto decode_error;
212 			}
213 
214 			ext_type = WPA_GET_BE16(pos);
215 			pos += 2;
216 
217 			if (end - pos < 2) {
218 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
219 					   "extension_data length field");
220 				goto decode_error;
221 			}
222 
223 			ext_len = WPA_GET_BE16(pos);
224 			pos += 2;
225 
226 			if (end - pos < ext_len) {
227 				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
228 					   "extension_data field");
229 				goto decode_error;
230 			}
231 
232 			wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
233 				   "type %u", ext_type);
234 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
235 				    "Extension data", pos, ext_len);
236 
237 			if (ext_type == TLS_EXT_SESSION_TICKET) {
238 				os_free(conn->session_ticket);
239 				conn->session_ticket = os_malloc(ext_len);
240 				if (conn->session_ticket) {
241 					os_memcpy(conn->session_ticket, pos,
242 						  ext_len);
243 					conn->session_ticket_len = ext_len;
244 				}
245 			}
246 
247 			pos += ext_len;
248 		}
249 	}
250 
251 	*in_len = end - in_data;
252 
253 	wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
254 		   "ServerHello");
255 	conn->state = SERVER_HELLO;
256 
257 	return 0;
258 
259 decode_error:
260 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
261 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
262 			   TLS_ALERT_DECODE_ERROR);
263 	return -1;
264 }
265 
266 
267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
268 				   const u8 *in_data, size_t *in_len)
269 {
270 	const u8 *pos, *end;
271 	size_t left, len, list_len, cert_len, idx;
272 	u8 type;
273 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
274 	int reason;
275 
276 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
277 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
278 			   "received content type 0x%x", ct);
279 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
280 				   TLS_ALERT_UNEXPECTED_MESSAGE);
281 		return -1;
282 	}
283 
284 	pos = in_data;
285 	left = *in_len;
286 
287 	if (left < 4) {
288 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
289 			   "(len=%lu)", (unsigned long) left);
290 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 				   TLS_ALERT_DECODE_ERROR);
292 		return -1;
293 	}
294 
295 	type = *pos++;
296 	len = WPA_GET_BE24(pos);
297 	pos += 3;
298 	left -= 4;
299 
300 	if (len > left) {
301 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
302 			   "length (len=%lu != left=%lu)",
303 			   (unsigned long) len, (unsigned long) left);
304 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 				   TLS_ALERT_DECODE_ERROR);
306 		return -1;
307 	}
308 
309 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
310 		if (conn->verify_peer) {
311 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
312 				   "Certificate");
313 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
314 					   TLS_ALERT_UNEXPECTED_MESSAGE);
315 			return -1;
316 		}
317 
318 		return tls_process_client_key_exchange(conn, ct, in_data,
319 						       in_len);
320 	}
321 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
322 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
323 			   "message %d (expected Certificate/"
324 			   "ClientKeyExchange)", type);
325 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 				   TLS_ALERT_UNEXPECTED_MESSAGE);
327 		return -1;
328 	}
329 
330 	wpa_printf(MSG_DEBUG,
331 		   "TLSv1: Received Certificate (certificate_list len %lu)",
332 		   (unsigned long) len);
333 
334 	/*
335 	 * opaque ASN.1Cert<2^24-1>;
336 	 *
337 	 * struct {
338 	 *     ASN.1Cert certificate_list<1..2^24-1>;
339 	 * } Certificate;
340 	 */
341 
342 	end = pos + len;
343 
344 	if (end - pos < 3) {
345 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
346 			   "(left=%lu)", (unsigned long) left);
347 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
348 				   TLS_ALERT_DECODE_ERROR);
349 		return -1;
350 	}
351 
352 	list_len = WPA_GET_BE24(pos);
353 	pos += 3;
354 
355 	if ((size_t) (end - pos) != list_len) {
356 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
357 			   "length (len=%lu left=%lu)",
358 			   (unsigned long) list_len,
359 			   (unsigned long) (end - pos));
360 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
361 				   TLS_ALERT_DECODE_ERROR);
362 		return -1;
363 	}
364 
365 	idx = 0;
366 	while (pos < end) {
367 		if (end - pos < 3) {
368 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
369 				   "certificate_list");
370 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
371 					   TLS_ALERT_DECODE_ERROR);
372 			x509_certificate_chain_free(chain);
373 			return -1;
374 		}
375 
376 		cert_len = WPA_GET_BE24(pos);
377 		pos += 3;
378 
379 		if ((size_t) (end - pos) < cert_len) {
380 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
381 				   "length (len=%lu left=%lu)",
382 				   (unsigned long) cert_len,
383 				   (unsigned long) (end - pos));
384 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
385 					   TLS_ALERT_DECODE_ERROR);
386 			x509_certificate_chain_free(chain);
387 			return -1;
388 		}
389 
390 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
391 			   (unsigned long) idx, (unsigned long) cert_len);
392 
393 		if (idx == 0) {
394 			crypto_public_key_free(conn->client_rsa_key);
395 			if (tls_parse_cert(pos, cert_len,
396 					   &conn->client_rsa_key)) {
397 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
398 					   "the certificate");
399 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
400 						   TLS_ALERT_BAD_CERTIFICATE);
401 				x509_certificate_chain_free(chain);
402 				return -1;
403 			}
404 		}
405 
406 		cert = x509_certificate_parse(pos, cert_len);
407 		if (cert == NULL) {
408 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
409 				   "the certificate");
410 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411 					   TLS_ALERT_BAD_CERTIFICATE);
412 			x509_certificate_chain_free(chain);
413 			return -1;
414 		}
415 
416 		if (last == NULL)
417 			chain = cert;
418 		else
419 			last->next = cert;
420 		last = cert;
421 
422 		idx++;
423 		pos += cert_len;
424 	}
425 
426 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
427 					    &reason) < 0) {
428 		int tls_reason;
429 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
430 			   "validation failed (reason=%d)", reason);
431 		switch (reason) {
432 		case X509_VALIDATE_BAD_CERTIFICATE:
433 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
434 			break;
435 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
436 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
437 			break;
438 		case X509_VALIDATE_CERTIFICATE_REVOKED:
439 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
440 			break;
441 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
442 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
443 			break;
444 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
445 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
446 			break;
447 		case X509_VALIDATE_UNKNOWN_CA:
448 			tls_reason = TLS_ALERT_UNKNOWN_CA;
449 			break;
450 		default:
451 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
452 			break;
453 		}
454 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
455 		x509_certificate_chain_free(chain);
456 		return -1;
457 	}
458 
459 	x509_certificate_chain_free(chain);
460 
461 	*in_len = end - in_data;
462 
463 	conn->state = CLIENT_KEY_EXCHANGE;
464 
465 	return 0;
466 }
467 
468 
469 static int tls_process_client_key_exchange_rsa(
470 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
471 {
472 	u8 *out;
473 	size_t outlen, outbuflen;
474 	u16 encr_len;
475 	int res;
476 	int use_random = 0;
477 
478 	if (end - pos < 2) {
479 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
480 				   TLS_ALERT_DECODE_ERROR);
481 		return -1;
482 	}
483 
484 	encr_len = WPA_GET_BE16(pos);
485 	pos += 2;
486 
487 	outbuflen = outlen = end - pos;
488 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
489 			outlen : TLS_PRE_MASTER_SECRET_LEN);
490 	if (out == NULL) {
491 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
492 				   TLS_ALERT_INTERNAL_ERROR);
493 		return -1;
494 	}
495 
496 	/*
497 	 * struct {
498 	 *   ProtocolVersion client_version;
499 	 *   opaque random[46];
500 	 * } PreMasterSecret;
501 	 *
502 	 * struct {
503 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
504 	 * } EncryptedPreMasterSecret;
505 	 */
506 
507 	/*
508 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
509 	 * parsing errors from EncryptedPreMasterSecret processing to the
510 	 * client. Instead, a random pre-master secret is used to force the
511 	 * handshake to fail.
512 	 */
513 
514 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
515 						 pos, end - pos,
516 						 out, &outlen) < 0) {
517 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
518 			   "PreMasterSecret (encr_len=%d outlen=%lu)",
519 			   (int) (end - pos), (unsigned long) outlen);
520 		use_random = 1;
521 	}
522 
523 	if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
524 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
525 			   "length %lu", (unsigned long) outlen);
526 		use_random = 1;
527 	}
528 
529 	if (WPA_GET_BE16(out) != conn->client_version) {
530 		wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
531 			   "ClientKeyExchange does not match with version in "
532 			   "ClientHello");
533 		use_random = 1;
534 	}
535 
536 	if (use_random) {
537 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
538 			   "to avoid revealing information about private key");
539 		outlen = TLS_PRE_MASTER_SECRET_LEN;
540 		if (os_get_random(out, outlen)) {
541 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
542 				   "data");
543 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
544 					   TLS_ALERT_INTERNAL_ERROR);
545 			os_free(out);
546 			return -1;
547 		}
548 	}
549 
550 	res = tlsv1_server_derive_keys(conn, out, outlen);
551 
552 	/* Clear the pre-master secret since it is not needed anymore */
553 	os_memset(out, 0, outbuflen);
554 	os_free(out);
555 
556 	if (res) {
557 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
558 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559 				   TLS_ALERT_INTERNAL_ERROR);
560 		return -1;
561 	}
562 
563 	return 0;
564 }
565 
566 
567 static int tls_process_client_key_exchange_dh_anon(
568 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
569 {
570 	const u8 *dh_yc;
571 	u16 dh_yc_len;
572 	u8 *shared;
573 	size_t shared_len;
574 	int res;
575 
576 	/*
577 	 * struct {
578 	 *   select (PublicValueEncoding) {
579 	 *     case implicit: struct { };
580 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
581 	 *   } dh_public;
582 	 * } ClientDiffieHellmanPublic;
583 	 */
584 
585 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
586 		    pos, end - pos);
587 
588 	if (end == pos) {
589 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
590 			   "not supported");
591 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
592 				   TLS_ALERT_INTERNAL_ERROR);
593 		return -1;
594 	}
595 
596 	if (end - pos < 3) {
597 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
598 			   "length");
599 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
600 				   TLS_ALERT_DECODE_ERROR);
601 		return -1;
602 	}
603 
604 	dh_yc_len = WPA_GET_BE16(pos);
605 	dh_yc = pos + 2;
606 
607 	if (dh_yc + dh_yc_len > end) {
608 		wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
609 			   "(length %d)", dh_yc_len);
610 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
611 				   TLS_ALERT_DECODE_ERROR);
612 		return -1;
613 	}
614 
615 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
616 		    dh_yc, dh_yc_len);
617 
618 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
619 	    conn->dh_secret == NULL) {
620 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
621 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 				   TLS_ALERT_INTERNAL_ERROR);
623 		return -1;
624 	}
625 
626 	shared_len = conn->cred->dh_p_len;
627 	shared = os_malloc(shared_len);
628 	if (shared == NULL) {
629 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
630 			   "DH");
631 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
632 				   TLS_ALERT_INTERNAL_ERROR);
633 		return -1;
634 	}
635 
636 	/* shared = Yc^secret mod p */
637 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
638 			   conn->dh_secret_len,
639 			   conn->cred->dh_p, conn->cred->dh_p_len,
640 			   shared, &shared_len)) {
641 		os_free(shared);
642 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
643 				   TLS_ALERT_INTERNAL_ERROR);
644 		return -1;
645 	}
646 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
647 			shared, shared_len);
648 
649 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
650 	os_free(conn->dh_secret);
651 	conn->dh_secret = NULL;
652 
653 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
654 
655 	/* Clear the pre-master secret since it is not needed anymore */
656 	os_memset(shared, 0, shared_len);
657 	os_free(shared);
658 
659 	if (res) {
660 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
661 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
662 				   TLS_ALERT_INTERNAL_ERROR);
663 		return -1;
664 	}
665 
666 	return 0;
667 }
668 
669 
670 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
671 					   const u8 *in_data, size_t *in_len)
672 {
673 	const u8 *pos, *end;
674 	size_t left, len;
675 	u8 type;
676 	tls_key_exchange keyx;
677 	const struct tls_cipher_suite *suite;
678 
679 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
680 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
681 			   "received content type 0x%x", ct);
682 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
683 				   TLS_ALERT_UNEXPECTED_MESSAGE);
684 		return -1;
685 	}
686 
687 	pos = in_data;
688 	left = *in_len;
689 
690 	if (left < 4) {
691 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
692 			   "(Left=%lu)", (unsigned long) left);
693 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
694 				   TLS_ALERT_DECODE_ERROR);
695 		return -1;
696 	}
697 
698 	type = *pos++;
699 	len = WPA_GET_BE24(pos);
700 	pos += 3;
701 	left -= 4;
702 
703 	if (len > left) {
704 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
705 			   "length (len=%lu != left=%lu)",
706 			   (unsigned long) len, (unsigned long) left);
707 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
708 				   TLS_ALERT_DECODE_ERROR);
709 		return -1;
710 	}
711 
712 	end = pos + len;
713 
714 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
715 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
716 			   "message %d (expected ClientKeyExchange)", type);
717 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
718 				   TLS_ALERT_UNEXPECTED_MESSAGE);
719 		return -1;
720 	}
721 
722 	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
723 
724 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
725 
726 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
727 	if (suite == NULL)
728 		keyx = TLS_KEY_X_NULL;
729 	else
730 		keyx = suite->key_exchange;
731 
732 	if (keyx == TLS_KEY_X_DH_anon &&
733 	    tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
734 		return -1;
735 
736 	if (keyx != TLS_KEY_X_DH_anon &&
737 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
738 		return -1;
739 
740 	*in_len = end - in_data;
741 
742 	conn->state = CERTIFICATE_VERIFY;
743 
744 	return 0;
745 }
746 
747 
748 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
749 					  const u8 *in_data, size_t *in_len)
750 {
751 	const u8 *pos, *end;
752 	size_t left, len;
753 	u8 type;
754 	size_t hlen, buflen;
755 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
756 	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
757 	u16 slen;
758 
759 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
760 		if (conn->verify_peer) {
761 			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
762 				   "CertificateVerify");
763 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
764 					   TLS_ALERT_UNEXPECTED_MESSAGE);
765 			return -1;
766 		}
767 
768 		return tls_process_change_cipher_spec(conn, ct, in_data,
769 						      in_len);
770 	}
771 
772 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
773 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
774 			   "received content type 0x%x", ct);
775 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
776 				   TLS_ALERT_UNEXPECTED_MESSAGE);
777 		return -1;
778 	}
779 
780 	pos = in_data;
781 	left = *in_len;
782 
783 	if (left < 4) {
784 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
785 			   "message (len=%lu)", (unsigned long) left);
786 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
787 				   TLS_ALERT_DECODE_ERROR);
788 		return -1;
789 	}
790 
791 	type = *pos++;
792 	len = WPA_GET_BE24(pos);
793 	pos += 3;
794 	left -= 4;
795 
796 	if (len > left) {
797 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
798 			   "message length (len=%lu != left=%lu)",
799 			   (unsigned long) len, (unsigned long) left);
800 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
801 				   TLS_ALERT_DECODE_ERROR);
802 		return -1;
803 	}
804 
805 	end = pos + len;
806 
807 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
808 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
809 			   "message %d (expected CertificateVerify)", type);
810 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
811 				   TLS_ALERT_UNEXPECTED_MESSAGE);
812 		return -1;
813 	}
814 
815 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
816 
817 	/*
818 	 * struct {
819 	 *   Signature signature;
820 	 * } CertificateVerify;
821 	 */
822 
823 	hpos = hash;
824 
825 	if (alg == SIGN_ALG_RSA) {
826 		hlen = MD5_MAC_LEN;
827 		if (conn->verify.md5_cert == NULL ||
828 		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
829 		{
830 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831 					   TLS_ALERT_INTERNAL_ERROR);
832 			conn->verify.md5_cert = NULL;
833 			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
834 			conn->verify.sha1_cert = NULL;
835 			return -1;
836 		}
837 		hpos += MD5_MAC_LEN;
838 	} else
839 		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
840 
841 	conn->verify.md5_cert = NULL;
842 	hlen = SHA1_MAC_LEN;
843 	if (conn->verify.sha1_cert == NULL ||
844 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
845 		conn->verify.sha1_cert = NULL;
846 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
847 				   TLS_ALERT_INTERNAL_ERROR);
848 		return -1;
849 	}
850 	conn->verify.sha1_cert = NULL;
851 
852 	if (alg == SIGN_ALG_RSA)
853 		hlen += MD5_MAC_LEN;
854 
855 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
856 
857 	if (end - pos < 2) {
858 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
859 				   TLS_ALERT_DECODE_ERROR);
860 		return -1;
861 	}
862 	slen = WPA_GET_BE16(pos);
863 	pos += 2;
864 	if (end - pos < slen) {
865 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
866 				   TLS_ALERT_DECODE_ERROR);
867 		return -1;
868 	}
869 
870 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
871 	if (conn->client_rsa_key == NULL) {
872 		wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
873 			   "signature");
874 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
875 				   TLS_ALERT_INTERNAL_ERROR);
876 		return -1;
877 	}
878 
879 	buflen = end - pos;
880 	buf = os_malloc(end - pos);
881 	if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
882 					    pos, end - pos, buf, &buflen) < 0)
883 	{
884 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
885 		os_free(buf);
886 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
887 				   TLS_ALERT_DECRYPT_ERROR);
888 		return -1;
889 	}
890 
891 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
892 			buf, buflen);
893 
894 	if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
895 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
896 			   "CertificateVerify - did not match with calculated "
897 			   "hash");
898 		os_free(buf);
899 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
900 				   TLS_ALERT_DECRYPT_ERROR);
901 		return -1;
902 	}
903 
904 	os_free(buf);
905 
906 	*in_len = end - in_data;
907 
908 	conn->state = CHANGE_CIPHER_SPEC;
909 
910 	return 0;
911 }
912 
913 
914 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
915 					  u8 ct, const u8 *in_data,
916 					  size_t *in_len)
917 {
918 	const u8 *pos;
919 	size_t left;
920 
921 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
922 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
923 			   "received content type 0x%x", ct);
924 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
925 				   TLS_ALERT_UNEXPECTED_MESSAGE);
926 		return -1;
927 	}
928 
929 	pos = in_data;
930 	left = *in_len;
931 
932 	if (left < 1) {
933 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
934 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
935 				   TLS_ALERT_DECODE_ERROR);
936 		return -1;
937 	}
938 
939 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
940 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
941 			   "received data 0x%x", *pos);
942 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
943 				   TLS_ALERT_UNEXPECTED_MESSAGE);
944 		return -1;
945 	}
946 
947 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
948 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
949 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
950 			   "for record layer");
951 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
952 				   TLS_ALERT_INTERNAL_ERROR);
953 		return -1;
954 	}
955 
956 	*in_len = pos + 1 - in_data;
957 
958 	conn->state = CLIENT_FINISHED;
959 
960 	return 0;
961 }
962 
963 
964 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
965 				       const u8 *in_data, size_t *in_len)
966 {
967 	const u8 *pos, *end;
968 	size_t left, len, hlen;
969 	u8 verify_data[TLS_VERIFY_DATA_LEN];
970 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
971 
972 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
973 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
974 			   "received content type 0x%x", ct);
975 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
976 				   TLS_ALERT_UNEXPECTED_MESSAGE);
977 		return -1;
978 	}
979 
980 	pos = in_data;
981 	left = *in_len;
982 
983 	if (left < 4) {
984 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
985 			   "Finished",
986 			   (unsigned long) left);
987 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
988 				   TLS_ALERT_DECODE_ERROR);
989 		return -1;
990 	}
991 
992 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
993 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
994 			   "type 0x%x", pos[0]);
995 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
996 				   TLS_ALERT_UNEXPECTED_MESSAGE);
997 		return -1;
998 	}
999 
1000 	len = WPA_GET_BE24(pos + 1);
1001 
1002 	pos += 4;
1003 	left -= 4;
1004 
1005 	if (len > left) {
1006 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1007 			   "(len=%lu > left=%lu)",
1008 			   (unsigned long) len, (unsigned long) left);
1009 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1010 				   TLS_ALERT_DECODE_ERROR);
1011 		return -1;
1012 	}
1013 	end = pos + len;
1014 	if (len != TLS_VERIFY_DATA_LEN) {
1015 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1016 			   "in Finished: %lu (expected %d)",
1017 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
1018 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1019 				   TLS_ALERT_DECODE_ERROR);
1020 		return -1;
1021 	}
1022 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1023 		    pos, TLS_VERIFY_DATA_LEN);
1024 
1025 	hlen = MD5_MAC_LEN;
1026 	if (conn->verify.md5_client == NULL ||
1027 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1028 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1029 				   TLS_ALERT_INTERNAL_ERROR);
1030 		conn->verify.md5_client = NULL;
1031 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1032 		conn->verify.sha1_client = NULL;
1033 		return -1;
1034 	}
1035 	conn->verify.md5_client = NULL;
1036 	hlen = SHA1_MAC_LEN;
1037 	if (conn->verify.sha1_client == NULL ||
1038 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1039 			       &hlen) < 0) {
1040 		conn->verify.sha1_client = NULL;
1041 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1042 				   TLS_ALERT_INTERNAL_ERROR);
1043 		return -1;
1044 	}
1045 	conn->verify.sha1_client = NULL;
1046 
1047 	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1048 		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1049 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1050 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1051 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1052 				   TLS_ALERT_DECRYPT_ERROR);
1053 		return -1;
1054 	}
1055 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1056 			verify_data, TLS_VERIFY_DATA_LEN);
1057 
1058 	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1059 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1060 		return -1;
1061 	}
1062 
1063 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1064 
1065 	*in_len = end - in_data;
1066 
1067 	if (conn->use_session_ticket) {
1068 		/* Abbreviated handshake using session ticket; RFC 4507 */
1069 		wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1070 			   "successfully");
1071 		conn->state = ESTABLISHED;
1072 	} else {
1073 		/* Full handshake */
1074 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1075 	}
1076 
1077 	return 0;
1078 }
1079 
1080 
1081 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1082 				   const u8 *buf, size_t *len)
1083 {
1084 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1085 		if (*len < 2) {
1086 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1087 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1088 					   TLS_ALERT_DECODE_ERROR);
1089 			return -1;
1090 		}
1091 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1092 			   buf[0], buf[1]);
1093 		*len = 2;
1094 		conn->state = FAILED;
1095 		return -1;
1096 	}
1097 
1098 	switch (conn->state) {
1099 	case CLIENT_HELLO:
1100 		if (tls_process_client_hello(conn, ct, buf, len))
1101 			return -1;
1102 		break;
1103 	case CLIENT_CERTIFICATE:
1104 		if (tls_process_certificate(conn, ct, buf, len))
1105 			return -1;
1106 		break;
1107 	case CLIENT_KEY_EXCHANGE:
1108 		if (tls_process_client_key_exchange(conn, ct, buf, len))
1109 			return -1;
1110 		break;
1111 	case CERTIFICATE_VERIFY:
1112 		if (tls_process_certificate_verify(conn, ct, buf, len))
1113 			return -1;
1114 		break;
1115 	case CHANGE_CIPHER_SPEC:
1116 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1117 			return -1;
1118 		break;
1119 	case CLIENT_FINISHED:
1120 		if (tls_process_client_finished(conn, ct, buf, len))
1121 			return -1;
1122 		break;
1123 	default:
1124 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1125 			   "while processing received message",
1126 			   conn->state);
1127 		return -1;
1128 	}
1129 
1130 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1131 		tls_verify_hash_add(&conn->verify, buf, *len);
1132 
1133 	return 0;
1134 }
1135