search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / wpa / src / tls / tlsv1_server_read.c
blob0e299d8aa4e5e9f5f3922287877a3be971a74f21
1 /*
2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "md5.h"
19 #include "sha1.h"
20 #include "x509v3.h"
21 #include "tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
26
27
28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
29 const u8 *in_data, size_t *in_len);
30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
31 u8 ct, const u8 *in_data,
32 size_t *in_len);
33
34
35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
36 const u8 *in_data, size_t *in_len)
37 {
38 const u8 *pos, *end, *c;
39 size_t left, len, i, j;
40 u16 cipher_suite;
41 u16 num_suites;
42 int compr_null_found;
43
44 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
45 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
46 "received content type 0x%x", ct);
47 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
48 TLS_ALERT_UNEXPECTED_MESSAGE);
49 return -1;
50 }
51
52 pos = in_data;
53 left = *in_len;
54
55 if (left < 4)
56 goto decode_error;
57
58 /* HandshakeType msg_type */
59 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
60 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
61 "message %d (expected ClientHello)", *pos);
62 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
63 TLS_ALERT_UNEXPECTED_MESSAGE);
64 return -1;
65 }
66 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
67 pos++;
68 /* uint24 length */
69 len = WPA_GET_BE24(pos);
70 pos += 3;
71 left -= 4;
72
73 if (len > left)
74 goto decode_error;
75
76 /* body - ClientHello */
77
78 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
79 end = pos + len;
80
81 /* ProtocolVersion client_version */
82 if (end - pos < 2)
83 goto decode_error;
84 conn->client_version = WPA_GET_BE16(pos);
85 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
86 conn->client_version >> 8, conn->client_version & 0xff);
87 if (conn->client_version < TLS_VERSION) {
88 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
89 "ClientHello");
90 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
91 TLS_ALERT_PROTOCOL_VERSION);
92 return -1;
93 }
94 pos += 2;
95
96 /* Random random */
97 if (end - pos < TLS_RANDOM_LEN)
98 goto decode_error;
99
100 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
101 pos += TLS_RANDOM_LEN;
102 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
103 conn->client_random, TLS_RANDOM_LEN);
104
105 /* SessionID session_id */
106 if (end - pos < 1)
107 goto decode_error;
108 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
109 goto decode_error;
110 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
111 pos += 1 + *pos;
112 /* TODO: add support for session resumption */
113
114 /* CipherSuite cipher_suites<2..2^16-1> */
115 if (end - pos < 2)
116 goto decode_error;
117 num_suites = WPA_GET_BE16(pos);
118 pos += 2;
119 if (end - pos < num_suites)
120 goto decode_error;
121 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
122 pos, num_suites);
123 if (num_suites & 1)
124 goto decode_error;
125 num_suites /= 2;
126
127 cipher_suite = 0;
128 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
129 c = pos;
130 for (j = 0; j < num_suites; j++) {
131 u16 tmp = WPA_GET_BE16(c);
132 c += 2;
133 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
134 cipher_suite = tmp;
135 break;
136 }
137 }
138 }
139 pos += num_suites * 2;
140 if (!cipher_suite) {
141 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
142 "available");
143 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
144 TLS_ALERT_ILLEGAL_PARAMETER);
145 return -1;
146 }
147
148 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
149 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
150 "record layer");
151 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
152 TLS_ALERT_INTERNAL_ERROR);
153 return -1;
154 }
155
156 conn->cipher_suite = cipher_suite;
157
158 /* CompressionMethod compression_methods<1..2^8-1> */
159 if (end - pos < 1)
160 goto decode_error;
161 num_suites = *pos++;
162 if (end - pos < num_suites)
163 goto decode_error;
164 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
165 pos, num_suites);
166 compr_null_found = 0;
167 for (i = 0; i < num_suites; i++) {
168 if (*pos++ == TLS_COMPRESSION_NULL)
169 compr_null_found = 1;
170 }
171 if (!compr_null_found) {
172 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
173 "compression");
174 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
175 TLS_ALERT_ILLEGAL_PARAMETER);
176 return -1;
177 }
178
179 if (end - pos == 1) {
180 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
181 "end of ClientHello: 0x%02x", *pos);
182 goto decode_error;
183 }
184
185 if (end - pos >= 2) {
186 u16 ext_len;
187
188 /* Extension client_hello_extension_list<0..2^16-1> */
189
190 ext_len = WPA_GET_BE16(pos);
191 pos += 2;
192
193 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
194 "extensions", ext_len);
195 if (end - pos != ext_len) {
196 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
197 "extension list length %u (expected %u)",
198 ext_len, end - pos);
199 goto decode_error;
200 }
201
202 /*
203 * struct {
204 * ExtensionType extension_type (0..65535)
205 * opaque extension_data<0..2^16-1>
206 * } Extension;
207 */
208
209 while (pos < end) {
210 u16 ext_type, ext_len;
211
212 if (end - pos < 2) {
213 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
214 "extension_type field");
215 goto decode_error;
216 }
217
218 ext_type = WPA_GET_BE16(pos);
219 pos += 2;
220
221 if (end - pos < 2) {
222 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
223 "extension_data length field");
224 goto decode_error;
225 }
226
227 ext_len = WPA_GET_BE16(pos);
228 pos += 2;
229
230 if (end - pos < ext_len) {
231 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
232 "extension_data field");
233 goto decode_error;
234 }
235
236 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
237 "type %u", ext_type);
238 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
239 "Extension data", pos, ext_len);
240
241 if (ext_type == TLS_EXT_SESSION_TICKET) {
242 os_free(conn->session_ticket);
243 conn->session_ticket = os_malloc(ext_len);
244 if (conn->session_ticket) {
245 os_memcpy(conn->session_ticket, pos,
246 ext_len);
247 conn->session_ticket_len = ext_len;
248 }
249 }
250
251 pos += ext_len;
252 }
253 }
254
255 *in_len = end - in_data;
256
257 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
258 "ServerHello");
259 conn->state = SERVER_HELLO;
260
261 return 0;
262
263 decode_error:
264 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
265 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
266 TLS_ALERT_DECODE_ERROR);
267 return -1;
268 }
269
270
271 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
272 const u8 *in_data, size_t *in_len)
273 {
274 const u8 *pos, *end;
275 size_t left, len, list_len, cert_len, idx;
276 u8 type;
277 struct x509_certificate *chain = NULL, *last = NULL, *cert;
278 int reason;
279
280 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
281 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
282 "received content type 0x%x", ct);
283 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
284 TLS_ALERT_UNEXPECTED_MESSAGE);
285 return -1;
286 }
287
288 pos = in_data;
289 left = *in_len;
290
291 if (left < 4) {
292 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
293 "(len=%lu)", (unsigned long) left);
294 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
295 TLS_ALERT_DECODE_ERROR);
296 return -1;
297 }
298
299 type = *pos++;
300 len = WPA_GET_BE24(pos);
301 pos += 3;
302 left -= 4;
303
304 if (len > left) {
305 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
306 "length (len=%lu != left=%lu)",
307 (unsigned long) len, (unsigned long) left);
308 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
309 TLS_ALERT_DECODE_ERROR);
310 return -1;
311 }
312
313 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
314 if (conn->verify_peer) {
315 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
316 "Certificate");
317 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
318 TLS_ALERT_UNEXPECTED_MESSAGE);
319 return -1;
320 }
321
322 return tls_process_client_key_exchange(conn, ct, in_data,
323 in_len);
324 }
325 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
326 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
327 "message %d (expected Certificate/"
328 "ClientKeyExchange)", type);
329 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
330 TLS_ALERT_UNEXPECTED_MESSAGE);
331 return -1;
332 }
333
334 wpa_printf(MSG_DEBUG,
335 "TLSv1: Received Certificate (certificate_list len %lu)",
336 (unsigned long) len);
337
338 /*
339 * opaque ASN.1Cert<2^24-1>;
340 *
341 * struct {
342 * ASN.1Cert certificate_list<1..2^24-1>;
343 * } Certificate;
344 */
345
346 end = pos + len;
347
348 if (end - pos < 3) {
349 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
350 "(left=%lu)", (unsigned long) left);
351 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 TLS_ALERT_DECODE_ERROR);
353 return -1;
354 }
355
356 list_len = WPA_GET_BE24(pos);
357 pos += 3;
358
359 if ((size_t) (end - pos) != list_len) {
360 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
361 "length (len=%lu left=%lu)",
362 (unsigned long) list_len,
363 (unsigned long) (end - pos));
364 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
365 TLS_ALERT_DECODE_ERROR);
366 return -1;
367 }
368
369 idx = 0;
370 while (pos < end) {
371 if (end - pos < 3) {
372 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
373 "certificate_list");
374 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
375 TLS_ALERT_DECODE_ERROR);
376 x509_certificate_chain_free(chain);
377 return -1;
378 }
379
380 cert_len = WPA_GET_BE24(pos);
381 pos += 3;
382
383 if ((size_t) (end - pos) < cert_len) {
384 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
385 "length (len=%lu left=%lu)",
386 (unsigned long) cert_len,
387 (unsigned long) (end - pos));
388 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
389 TLS_ALERT_DECODE_ERROR);
390 x509_certificate_chain_free(chain);
391 return -1;
392 }
393
394 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
395 (unsigned long) idx, (unsigned long) cert_len);
396
397 if (idx == 0) {
398 crypto_public_key_free(conn->client_rsa_key);
399 if (tls_parse_cert(pos, cert_len,
400 &conn->client_rsa_key)) {
401 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
402 "the certificate");
403 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
404 TLS_ALERT_BAD_CERTIFICATE);
405 x509_certificate_chain_free(chain);
406 return -1;
407 }
408 }
409
410 cert = x509_certificate_parse(pos, cert_len);
411 if (cert == NULL) {
412 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
413 "the certificate");
414 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
415 TLS_ALERT_BAD_CERTIFICATE);
416 x509_certificate_chain_free(chain);
417 return -1;
418 }
419
420 if (last == NULL)
421 chain = cert;
422 else
423 last->next = cert;
424 last = cert;
425
426 idx++;
427 pos += cert_len;
428 }
429
430 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
431 &reason) < 0) {
432 int tls_reason;
433 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
434 "validation failed (reason=%d)", reason);
435 switch (reason) {
436 case X509_VALIDATE_BAD_CERTIFICATE:
437 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
438 break;
439 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
440 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
441 break;
442 case X509_VALIDATE_CERTIFICATE_REVOKED:
443 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
444 break;
445 case X509_VALIDATE_CERTIFICATE_EXPIRED:
446 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
447 break;
448 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
449 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
450 break;
451 case X509_VALIDATE_UNKNOWN_CA:
452 tls_reason = TLS_ALERT_UNKNOWN_CA;
453 break;
454 default:
455 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
456 break;
457 }
458 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
459 x509_certificate_chain_free(chain);
460 return -1;
461 }
462
463 x509_certificate_chain_free(chain);
464
465 *in_len = end - in_data;
466
467 conn->state = CLIENT_KEY_EXCHANGE;
468
469 return 0;
470 }
471
472
473 static int tls_process_client_key_exchange_rsa(
474 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
475 {
476 u8 *out;
477 size_t outlen, outbuflen;
478 u16 encr_len;
479 int res;
480 int use_random = 0;
481
482 if (end - pos < 2) {
483 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
484 TLS_ALERT_DECODE_ERROR);
485 return -1;
486 }
487
488 encr_len = WPA_GET_BE16(pos);
489 pos += 2;
490
491 outbuflen = outlen = end - pos;
492 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
493 outlen : TLS_PRE_MASTER_SECRET_LEN);
494 if (out == NULL) {
495 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
496 TLS_ALERT_INTERNAL_ERROR);
497 return -1;
498 }
499
500 /*
501 * struct {
502 * ProtocolVersion client_version;
503 * opaque random[46];
504 * } PreMasterSecret;
505 *
506 * struct {
507 * public-key-encrypted PreMasterSecret pre_master_secret;
508 * } EncryptedPreMasterSecret;
509 */
510
511 /*
512 * Note: To avoid Bleichenbacher attack, we do not report decryption or
513 * parsing errors from EncryptedPreMasterSecret processing to the
514 * client. Instead, a random pre-master secret is used to force the
515 * handshake to fail.
516 */
517
518 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
519 pos, end - pos,
520 out, &outlen) < 0) {
521 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
522 "PreMasterSecret (encr_len=%d outlen=%lu)",
523 end - pos, (unsigned long) outlen);
524 use_random = 1;
525 }
526
527 if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
528 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
529 "length %lu", (unsigned long) outlen);
530 use_random = 1;
531 }
532
533 if (WPA_GET_BE16(out) != conn->client_version) {
534 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
535 "ClientKeyExchange does not match with version in "
536 "ClientHello");
537 use_random = 1;
538 }
539
540 if (use_random) {
541 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
542 "to avoid revealing information about private key");
543 outlen = TLS_PRE_MASTER_SECRET_LEN;
544 if (os_get_random(out, outlen)) {
545 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
546 "data");
547 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
548 TLS_ALERT_INTERNAL_ERROR);
549 os_free(out);
550 return -1;
551 }
552 }
553
554 res = tlsv1_server_derive_keys(conn, out, outlen);
555
556 /* Clear the pre-master secret since it is not needed anymore */
557 os_memset(out, 0, outbuflen);
558 os_free(out);
559
560 if (res) {
561 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
562 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
563 TLS_ALERT_INTERNAL_ERROR);
564 return -1;
565 }
566
567 return 0;
568 }
569
570
571 static int tls_process_client_key_exchange_dh_anon(
572 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
573 {
574 #ifdef EAP_FAST
575 const u8 *dh_yc;
576 u16 dh_yc_len;
577 u8 *shared;
578 size_t shared_len;
579 int res;
580
581 /*
582 * struct {
583 * select (PublicValueEncoding) {
584 * case implicit: struct { };
585 * case explicit: opaque dh_Yc<1..2^16-1>;
586 * } dh_public;
587 * } ClientDiffieHellmanPublic;
588 */
589
590 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
591 pos, end - pos);
592
593 if (end == pos) {
594 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
595 "not supported");
596 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
597 TLS_ALERT_INTERNAL_ERROR);
598 return -1;
599 }
600
601 if (end - pos < 3) {
602 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
603 "length");
604 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
605 TLS_ALERT_DECODE_ERROR);
606 return -1;
607 }
608
609 dh_yc_len = WPA_GET_BE16(pos);
610 dh_yc = pos + 2;
611
612 if (dh_yc + dh_yc_len > end) {
613 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
614 "(length %d)", dh_yc_len);
615 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
616 TLS_ALERT_DECODE_ERROR);
617 return -1;
618 }
619
620 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
621 dh_yc, dh_yc_len);
622
623 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
624 conn->dh_secret == NULL) {
625 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
626 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
627 TLS_ALERT_INTERNAL_ERROR);
628 return -1;
629 }
630
631 shared_len = conn->cred->dh_p_len;
632 shared = os_malloc(shared_len);
633 if (shared == NULL) {
634 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
635 "DH");
636 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
637 TLS_ALERT_INTERNAL_ERROR);
638 return -1;
639 }
640
641 /* shared = Yc^secret mod p */
642 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
643 conn->dh_secret_len,
644 conn->cred->dh_p, conn->cred->dh_p_len,
645 shared, &shared_len)) {
646 os_free(shared);
647 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
648 TLS_ALERT_INTERNAL_ERROR);
649 return -1;
650 }
651 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
652 shared, shared_len);
653
654 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
655 os_free(conn->dh_secret);
656 conn->dh_secret = NULL;
657
658 res = tlsv1_server_derive_keys(conn, shared, shared_len);
659
660 /* Clear the pre-master secret since it is not needed anymore */
661 os_memset(shared, 0, shared_len);
662 os_free(shared);
663
664 if (res) {
665 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
666 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
667 TLS_ALERT_INTERNAL_ERROR);
668 return -1;
669 }
670
671 return 0;
672 #else /* EAP_FAST */
673 return -1;
674 #endif /* EAP_FAST */
675 }
676
677
678 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
679 const u8 *in_data, size_t *in_len)
680 {
681 const u8 *pos, *end;
682 size_t left, len;
683 u8 type;
684 tls_key_exchange keyx;
685 const struct tls_cipher_suite *suite;
686
687 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
688 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
689 "received content type 0x%x", ct);
690 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
691 TLS_ALERT_UNEXPECTED_MESSAGE);
692 return -1;
693 }
694
695 pos = in_data;
696 left = *in_len;
697
698 if (left < 4) {
699 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
700 "(Left=%lu)", (unsigned long) left);
701 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
702 TLS_ALERT_DECODE_ERROR);
703 return -1;
704 }
705
706 type = *pos++;
707 len = WPA_GET_BE24(pos);
708 pos += 3;
709 left -= 4;
710
711 if (len > left) {
712 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
713 "length (len=%lu != left=%lu)",
714 (unsigned long) len, (unsigned long) left);
715 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
716 TLS_ALERT_DECODE_ERROR);
717 return -1;
718 }
719
720 end = pos + len;
721
722 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
723 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
724 "message %d (expected ClientKeyExchange)", type);
725 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
726 TLS_ALERT_UNEXPECTED_MESSAGE);
727 return -1;
728 }
729
730 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
731
732 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
733
734 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
735 if (suite == NULL)
736 keyx = TLS_KEY_X_NULL;
737 else
738 keyx = suite->key_exchange;
739
740 if (keyx == TLS_KEY_X_DH_anon &&
741 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
742 return -1;
743
744 if (keyx != TLS_KEY_X_DH_anon &&
745 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
746 return -1;
747
748 *in_len = end - in_data;
749
750 conn->state = CERTIFICATE_VERIFY;
751
752 return 0;
753 }
754
755
756 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
757 const u8 *in_data, size_t *in_len)
758 {
759 const u8 *pos, *end;
760 size_t left, len;
761 u8 type;
762 size_t hlen, buflen;
763 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
764 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
765 u16 slen;
766
767 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
768 if (conn->verify_peer) {
769 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
770 "CertificateVerify");
771 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
772 TLS_ALERT_UNEXPECTED_MESSAGE);
773 return -1;
774 }
775
776 return tls_process_change_cipher_spec(conn, ct, in_data,
777 in_len);
778 }
779
780 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
781 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
782 "received content type 0x%x", ct);
783 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
784 TLS_ALERT_UNEXPECTED_MESSAGE);
785 return -1;
786 }
787
788 pos = in_data;
789 left = *in_len;
790
791 if (left < 4) {
792 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
793 "message (len=%lu)", (unsigned long) left);
794 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
795 TLS_ALERT_DECODE_ERROR);
796 return -1;
797 }
798
799 type = *pos++;
800 len = WPA_GET_BE24(pos);
801 pos += 3;
802 left -= 4;
803
804 if (len > left) {
805 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
806 "message length (len=%lu != left=%lu)",
807 (unsigned long) len, (unsigned long) left);
808 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
809 TLS_ALERT_DECODE_ERROR);
810 return -1;
811 }
812
813 end = pos + len;
814
815 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
816 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
817 "message %d (expected CertificateVerify)", type);
818 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
819 TLS_ALERT_UNEXPECTED_MESSAGE);
820 return -1;
821 }
822
823 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
824
825 /*
826 * struct {
827 * Signature signature;
828 * } CertificateVerify;
829 */
830
831 hpos = hash;
832
833 if (alg == SIGN_ALG_RSA) {
834 hlen = MD5_MAC_LEN;
835 if (conn->verify.md5_cert == NULL ||
836 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
837 {
838 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
839 TLS_ALERT_INTERNAL_ERROR);
840 conn->verify.md5_cert = NULL;
841 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
842 conn->verify.sha1_cert = NULL;
843 return -1;
844 }
845 hpos += MD5_MAC_LEN;
846 } else
847 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
848
849 conn->verify.md5_cert = NULL;
850 hlen = SHA1_MAC_LEN;
851 if (conn->verify.sha1_cert == NULL ||
852 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
853 conn->verify.sha1_cert = NULL;
854 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
855 TLS_ALERT_INTERNAL_ERROR);
856 return -1;
857 }
858 conn->verify.sha1_cert = NULL;
859
860 if (alg == SIGN_ALG_RSA)
861 hlen += MD5_MAC_LEN;
862
863 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
864
865 if (end - pos < 2) {
866 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
867 TLS_ALERT_DECODE_ERROR);
868 return -1;
869 }
870 slen = WPA_GET_BE16(pos);
871 pos += 2;
872 if (end - pos < slen) {
873 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
874 TLS_ALERT_DECODE_ERROR);
875 return -1;
876 }
877
878 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
879 if (conn->client_rsa_key == NULL) {
880 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
881 "signature");
882 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
883 TLS_ALERT_INTERNAL_ERROR);
884 return -1;
885 }
886
887 buflen = end - pos;
888 buf = os_malloc(end - pos);
889 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
890 pos, end - pos, buf, &buflen) < 0)
891 {
892 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
893 os_free(buf);
894 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
895 TLS_ALERT_DECRYPT_ERROR);
896 return -1;
897 }
898
899 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
900 buf, buflen);
901
902 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
903 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
904 "CertificateVerify - did not match with calculated "
905 "hash");
906 os_free(buf);
907 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
908 TLS_ALERT_DECRYPT_ERROR);
909 return -1;
910 }
911
912 os_free(buf);
913
914 *in_len = end - in_data;
915
916 conn->state = CHANGE_CIPHER_SPEC;
917
918 return 0;
919 }
920
921
922 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
923 u8 ct, const u8 *in_data,
924 size_t *in_len)
925 {
926 const u8 *pos;
927 size_t left;
928
929 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
930 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
931 "received content type 0x%x", ct);
932 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
933 TLS_ALERT_UNEXPECTED_MESSAGE);
934 return -1;
935 }
936
937 pos = in_data;
938 left = *in_len;
939
940 if (left < 1) {
941 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
942 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
943 TLS_ALERT_DECODE_ERROR);
944 return -1;
945 }
946
947 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
948 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
949 "received data 0x%x", *pos);
950 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
951 TLS_ALERT_UNEXPECTED_MESSAGE);
952 return -1;
953 }
954
955 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
956 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
957 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
958 "for record layer");
959 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
960 TLS_ALERT_INTERNAL_ERROR);
961 return -1;
962 }
963
964 *in_len = pos + 1 - in_data;
965
966 conn->state = CLIENT_FINISHED;
967
968 return 0;
969 }
970
971
972 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
973 const u8 *in_data, size_t *in_len)
974 {
975 const u8 *pos, *end;
976 size_t left, len, hlen;
977 u8 verify_data[TLS_VERIFY_DATA_LEN];
978 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
979
980 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
981 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
982 "received content type 0x%x", ct);
983 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
984 TLS_ALERT_UNEXPECTED_MESSAGE);
985 return -1;
986 }
987
988 pos = in_data;
989 left = *in_len;
990
991 if (left < 4) {
992 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
993 "Finished",
994 (unsigned long) left);
995 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
996 TLS_ALERT_DECODE_ERROR);
997 return -1;
998 }
999
1000 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1001 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1002 "type 0x%x", pos[0]);
1003 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1004 TLS_ALERT_UNEXPECTED_MESSAGE);
1005 return -1;
1006 }
1007
1008 len = WPA_GET_BE24(pos + 1);
1009
1010 pos += 4;
1011 left -= 4;
1012
1013 if (len > left) {
1014 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1015 "(len=%lu > left=%lu)",
1016 (unsigned long) len, (unsigned long) left);
1017 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1018 TLS_ALERT_DECODE_ERROR);
1019 return -1;
1020 }
1021 end = pos + len;
1022 if (len != TLS_VERIFY_DATA_LEN) {
1023 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1024 "in Finished: %lu (expected %d)",
1025 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1026 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1027 TLS_ALERT_DECODE_ERROR);
1028 return -1;
1029 }
1030 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1031 pos, TLS_VERIFY_DATA_LEN);
1032
1033 hlen = MD5_MAC_LEN;
1034 if (conn->verify.md5_client == NULL ||
1035 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1036 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1037 TLS_ALERT_INTERNAL_ERROR);
1038 conn->verify.md5_client = NULL;
1039 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1040 conn->verify.sha1_client = NULL;
1041 return -1;
1042 }
1043 conn->verify.md5_client = NULL;
1044 hlen = SHA1_MAC_LEN;
1045 if (conn->verify.sha1_client == NULL ||
1046 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1047 &hlen) < 0) {
1048 conn->verify.sha1_client = NULL;
1049 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1050 TLS_ALERT_INTERNAL_ERROR);
1051 return -1;
1052 }
1053 conn->verify.sha1_client = NULL;
1054
1055 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1056 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1057 verify_data, TLS_VERIFY_DATA_LEN)) {
1058 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1059 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1060 TLS_ALERT_DECRYPT_ERROR);
1061 return -1;
1062 }
1063 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1064 verify_data, TLS_VERIFY_DATA_LEN);
1065
1066 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1067 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1068 return -1;
1069 }
1070
1071 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1072
1073 *in_len = end - in_data;
1074
1075 if (conn->use_session_ticket) {
1076 /* Abbreviated handshake using session ticket; RFC 4507 */
1077 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1078 "successfully");
1079 conn->state = ESTABLISHED;
1080 } else {
1081 /* Full handshake */
1082 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1083 }
1084
1085 return 0;
1086 }
1087
1088
1089 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1090 const u8 *buf, size_t *len)
1091 {
1092 if (ct == TLS_CONTENT_TYPE_ALERT) {
1093 if (*len < 2) {
1094 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1095 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1096 TLS_ALERT_DECODE_ERROR);
1097 return -1;
1098 }
1099 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1100 buf[0], buf[1]);
1101 *len = 2;
1102 conn->state = FAILED;
1103 return -1;
1104 }
1105
1106 switch (conn->state) {
1107 case CLIENT_HELLO:
1108 if (tls_process_client_hello(conn, ct, buf, len))
1109 return -1;
1110 break;
1111 case CLIENT_CERTIFICATE:
1112 if (tls_process_certificate(conn, ct, buf, len))
1113 return -1;
1114 break;
1115 case CLIENT_KEY_EXCHANGE:
1116 if (tls_process_client_key_exchange(conn, ct, buf, len))
1117 return -1;
1118 break;
1119 case CERTIFICATE_VERIFY:
1120 if (tls_process_certificate_verify(conn, ct, buf, len))
1121 return -1;
1122 break;
1123 case CHANGE_CIPHER_SPEC:
1124 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1125 return -1;
1126 break;
1127 case CLIENT_FINISHED:
1128 if (tls_process_client_finished(conn, ct, buf, len))
1129 return -1;
1130 break;
1131 default:
1132 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1133 "while processing received message",
1134 conn->state);
1135 return -1;
1136 }
1137
1138 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1139 tls_verify_hash_add(&conn->verify, buf, *len);
1140
1141 return 0;
1142 }
NetBSD on the FriendlyARM MINI2440