src/tls/tlsv1_server_read.c

   1 /*
   2  * TLSv1 server - read handshake message
   3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "crypto/md5.h"
  19 #include "crypto/sha1.h"
  20 #include "crypto/tls.h"
  21 #include "x509v3.h"
  22 #include "tlsv1_common.h"
  23 #include "tlsv1_record.h"
  24 #include "tlsv1_server.h"
  25 #include "tlsv1_server_i.h"
  26
  27
  28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
  29                                            const u8 *in_data, size_t *in_len);
  30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
  31                                           u8 ct, const u8 *in_data,
  32                                           size_t *in_len);
  33
  34
  35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
  36                                     const u8 *in_data, size_t *in_len)
  37 {
  38         const u8 *pos, *end, *c;
  39         size_t left, len, i, j;
  40         u16 cipher_suite;
  41         u16 num_suites;
  42         int compr_null_found;
  43         u16 ext_type, ext_len;
  44
  45         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
  46                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
  47                            "received content type 0x%x", ct);
  48                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  49                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  50                 return -1;
  51         }
  52
  53         pos = in_data;
  54         left = *in_len;
  55
  56         if (left < 4)
  57                 goto decode_error;
  58
  59         /* HandshakeType msg_type */
  60         if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
  61                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
  62                            "message %d (expected ClientHello)", *pos);
  63                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  64                                    TLS_ALERT_UNEXPECTED_MESSAGE);
  65                 return -1;
  66         }
  67         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
  68         pos++;
  69         /* uint24 length */
  70         len = WPA_GET_BE24(pos);
  71         pos += 3;
  72         left -= 4;
  73
  74         if (len > left)
  75                 goto decode_error;
  76
  77         /* body - ClientHello */
  78
  79         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
  80         end = pos + len;
  81
  82         /* ProtocolVersion client_version */
  83         if (end - pos < 2)
  84                 goto decode_error;
  85         conn->client_version = WPA_GET_BE16(pos);
  86         wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
  87                    conn->client_version >> 8, conn->client_version & 0xff);
  88         if (conn->client_version < TLS_VERSION_1) {
  89                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
  90                            "ClientHello %u.%u",
  91                            conn->client_version >> 8,
  92                            conn->client_version & 0xff);
  93                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
  94                                    TLS_ALERT_PROTOCOL_VERSION);
  95                 return -1;
  96         }
  97         pos += 2;
  98
  99         if (TLS_VERSION == TLS_VERSION_1)
 100                 conn->rl.tls_version = TLS_VERSION_1;
 101         else if (conn->client_version > TLS_VERSION_1_1)
 102                 conn->rl.tls_version = TLS_VERSION_1_1;
 103         else
 104                 conn->rl.tls_version = conn->client_version;
 105         wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
 106                    conn->rl.tls_version == TLS_VERSION_1_1 ? "1.1" : "1.0");
 107
 108         /* Random random */
 109         if (end - pos < TLS_RANDOM_LEN)
 110                 goto decode_error;
 111
 112         os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 113         pos += TLS_RANDOM_LEN;
 114         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 115                     conn->client_random, TLS_RANDOM_LEN);
 116
 117         /* SessionID session_id */
 118         if (end - pos < 1)
 119                 goto decode_error;
 120         if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 121                 goto decode_error;
 122         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 123         pos += 1 + *pos;
 124         /* TODO: add support for session resumption */
 125
 126         /* CipherSuite cipher_suites<2..2^16-1> */
 127         if (end - pos < 2)
 128                 goto decode_error;
 129         num_suites = WPA_GET_BE16(pos);
 130         pos += 2;
 131         if (end - pos < num_suites)
 132                 goto decode_error;
 133         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 134                     pos, num_suites);
 135         if (num_suites & 1)
 136                 goto decode_error;
 137         num_suites /= 2;
 138
 139         cipher_suite = 0;
 140         for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 141                 c = pos;
 142                 for (j = 0; j < num_suites; j++) {
 143                         u16 tmp = WPA_GET_BE16(c);
 144                         c += 2;
 145                         if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 146                                 cipher_suite = tmp;
 147                                 break;
 148                         }
 149                 }
 150         }
 151         pos += num_suites * 2;
 152         if (!cipher_suite) {
 153                 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
 154                            "available");
 155                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 156                                    TLS_ALERT_ILLEGAL_PARAMETER);
 157                 return -1;
 158         }
 159
 160         if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 161                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 162                            "record layer");
 163                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 164                                    TLS_ALERT_INTERNAL_ERROR);
 165                 return -1;
 166         }
 167
 168         conn->cipher_suite = cipher_suite;
 169
 170         /* CompressionMethod compression_methods<1..2^8-1> */
 171         if (end - pos < 1)
 172                 goto decode_error;
 173         num_suites = *pos++;
 174         if (end - pos < num_suites)
 175                 goto decode_error;
 176         wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 177                     pos, num_suites);
 178         compr_null_found = 0;
 179         for (i = 0; i < num_suites; i++) {
 180                 if (*pos++ == TLS_COMPRESSION_NULL)
 181                         compr_null_found = 1;
 182         }
 183         if (!compr_null_found) {
 184                 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
 185                            "compression");
 186                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 187                                    TLS_ALERT_ILLEGAL_PARAMETER);
 188                 return -1;
 189         }
 190
 191         if (end - pos == 1) {
 192                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
 193                             "end of ClientHello: 0x%02x", *pos);
 194                 goto decode_error;
 195         }
 196
 197         if (end - pos >= 2) {
 198                 /* Extension client_hello_extension_list<0..2^16-1> */
 199                 ext_len = WPA_GET_BE16(pos);
 200                 pos += 2;
 201
 202                 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
 203                            "extensions", ext_len);
 204                 if (end - pos != ext_len) {
 205                         wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
 206                                    "extension list length %u (expected %u)",
 207                                    ext_len, (unsigned int) (end - pos));
 208                         goto decode_error;
 209                 }
 210
 211                 /*
 212                  * struct {
 213                  *   ExtensionType extension_type (0..65535)
 214                  *   opaque extension_data<0..2^16-1>
 215                  * } Extension;
 216                  */
 217
 218                 while (pos < end) {
 219                         if (end - pos < 2) {
 220                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 221                                            "extension_type field");
 222                                 goto decode_error;
 223                         }
 224
 225                         ext_type = WPA_GET_BE16(pos);
 226                         pos += 2;
 227
 228                         if (end - pos < 2) {
 229                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 230                                            "extension_data length field");
 231                                 goto decode_error;
 232                         }
 233
 234                         ext_len = WPA_GET_BE16(pos);
 235                         pos += 2;
 236
 237                         if (end - pos < ext_len) {
 238                                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 239                                            "extension_data field");
 240                                 goto decode_error;
 241                         }
 242
 243                         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
 244                                    "type %u", ext_type);
 245                         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 246                                     "Extension data", pos, ext_len);
 247
 248                         if (ext_type == TLS_EXT_SESSION_TICKET) {
 249                                 os_free(conn->session_ticket);
 250                                 conn->session_ticket = os_malloc(ext_len);
 251                                 if (conn->session_ticket) {
 252                                         os_memcpy(conn->session_ticket, pos,
 253                                                   ext_len);
 254                                         conn->session_ticket_len = ext_len;
 255                                 }
 256                         }
 257
 258                         pos += ext_len;
 259                 }
 260         }
 261
 262         *in_len = end - in_data;
 263
 264         wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
 265                    "ServerHello");
 266         conn->state = SERVER_HELLO;
 267
 268         return 0;
 269
 270 decode_error:
 271         wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
 272         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 273                            TLS_ALERT_DECODE_ERROR);
 274         return -1;
 275 }
 276
 277
 278 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 279                                    const u8 *in_data, size_t *in_len)
 280 {
 281         const u8 *pos, *end;
 282         size_t left, len, list_len, cert_len, idx;
 283         u8 type;
 284         struct x509_certificate *chain = NULL, *last = NULL, *cert;
 285         int reason;
 286
 287         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 288                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 289                            "received content type 0x%x", ct);
 290                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 291                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 292                 return -1;
 293         }
 294
 295         pos = in_data;
 296         left = *in_len;
 297
 298         if (left < 4) {
 299                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 300                            "(len=%lu)", (unsigned long) left);
 301                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 302                                    TLS_ALERT_DECODE_ERROR);
 303                 return -1;
 304         }
 305
 306         type = *pos++;
 307         len = WPA_GET_BE24(pos);
 308         pos += 3;
 309         left -= 4;
 310
 311         if (len > left) {
 312                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 313                            "length (len=%lu != left=%lu)",
 314                            (unsigned long) len, (unsigned long) left);
 315                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 316                                    TLS_ALERT_DECODE_ERROR);
 317                 return -1;
 318         }
 319
 320         if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 321                 if (conn->verify_peer) {
 322                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 323                                    "Certificate");
 324                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 325                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 326                         return -1;
 327                 }
 328
 329                 return tls_process_client_key_exchange(conn, ct, in_data,
 330                                                        in_len);
 331         }
 332         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 333                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 334                            "message %d (expected Certificate/"
 335                            "ClientKeyExchange)", type);
 336                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 337                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 338                 return -1;
 339         }
 340
 341         wpa_printf(MSG_DEBUG,
 342                    "TLSv1: Received Certificate (certificate_list len %lu)",
 343                    (unsigned long) len);
 344
 345         /*
 346          * opaque ASN.1Cert<2^24-1>;
 347          *
 348          * struct {
 349          *     ASN.1Cert certificate_list<1..2^24-1>;
 350          * } Certificate;
 351          */
 352
 353         end = pos + len;
 354
 355         if (end - pos < 3) {
 356                 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 357                            "(left=%lu)", (unsigned long) left);
 358                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 359                                    TLS_ALERT_DECODE_ERROR);
 360                 return -1;
 361         }
 362
 363         list_len = WPA_GET_BE24(pos);
 364         pos += 3;
 365
 366         if ((size_t) (end - pos) != list_len) {
 367                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 368                            "length (len=%lu left=%lu)",
 369                            (unsigned long) list_len,
 370                            (unsigned long) (end - pos));
 371                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 372                                    TLS_ALERT_DECODE_ERROR);
 373                 return -1;
 374         }
 375
 376         idx = 0;
 377         while (pos < end) {
 378                 if (end - pos < 3) {
 379                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 380                                    "certificate_list");
 381                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 382                                            TLS_ALERT_DECODE_ERROR);
 383                         x509_certificate_chain_free(chain);
 384                         return -1;
 385                 }
 386
 387                 cert_len = WPA_GET_BE24(pos);
 388                 pos += 3;
 389
 390                 if ((size_t) (end - pos) < cert_len) {
 391                         wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 392                                    "length (len=%lu left=%lu)",
 393                                    (unsigned long) cert_len,
 394                                    (unsigned long) (end - pos));
 395                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 396                                            TLS_ALERT_DECODE_ERROR);
 397                         x509_certificate_chain_free(chain);
 398                         return -1;
 399                 }
 400
 401                 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 402                            (unsigned long) idx, (unsigned long) cert_len);
 403
 404                 if (idx == 0) {
 405                         crypto_public_key_free(conn->client_rsa_key);
 406                         if (tls_parse_cert(pos, cert_len,
 407                                            &conn->client_rsa_key)) {
 408                                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 409                                            "the certificate");
 410                                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 411                                                    TLS_ALERT_BAD_CERTIFICATE);
 412                                 x509_certificate_chain_free(chain);
 413                                 return -1;
 414                         }
 415                 }
 416
 417                 cert = x509_certificate_parse(pos, cert_len);
 418                 if (cert == NULL) {
 419                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 420                                    "the certificate");
 421                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 422                                            TLS_ALERT_BAD_CERTIFICATE);
 423                         x509_certificate_chain_free(chain);
 424                         return -1;
 425                 }
 426
 427                 if (last == NULL)
 428                         chain = cert;
 429                 else
 430                         last->next = cert;
 431                 last = cert;
 432
 433                 idx++;
 434                 pos += cert_len;
 435         }
 436
 437         if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 438                                             &reason, 0) < 0) {
 439                 int tls_reason;
 440                 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 441                            "validation failed (reason=%d)", reason);
 442                 switch (reason) {
 443                 case X509_VALIDATE_BAD_CERTIFICATE:
 444                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 445                         break;
 446                 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 447                         tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 448                         break;
 449                 case X509_VALIDATE_CERTIFICATE_REVOKED:
 450                         tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 451                         break;
 452                 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 453                         tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 454                         break;
 455                 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 456                         tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 457                         break;
 458                 case X509_VALIDATE_UNKNOWN_CA:
 459                         tls_reason = TLS_ALERT_UNKNOWN_CA;
 460                         break;
 461                 default:
 462                         tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 463                         break;
 464                 }
 465                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 466                 x509_certificate_chain_free(chain);
 467                 return -1;
 468         }
 469
 470         x509_certificate_chain_free(chain);
 471
 472         *in_len = end - in_data;
 473
 474         conn->state = CLIENT_KEY_EXCHANGE;
 475
 476         return 0;
 477 }
 478
 479
 480 static int tls_process_client_key_exchange_rsa(
 481         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 482 {
 483         u8 *out;
 484         size_t outlen, outbuflen;
 485         u16 encr_len;
 486         int res;
 487         int use_random = 0;
 488
 489         if (end - pos < 2) {
 490                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 491                                    TLS_ALERT_DECODE_ERROR);
 492                 return -1;
 493         }
 494
 495         encr_len = WPA_GET_BE16(pos);
 496         pos += 2;
 497         if (pos + encr_len > end) {
 498                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange "
 499                            "format: encr_len=%u left=%u",
 500                            encr_len, (unsigned int) (end - pos));
 501                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 502                                    TLS_ALERT_DECODE_ERROR);
 503                 return -1;
 504         }
 505
 506         outbuflen = outlen = end - pos;
 507         out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 508                         outlen : TLS_PRE_MASTER_SECRET_LEN);
 509         if (out == NULL) {
 510                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 511                                    TLS_ALERT_INTERNAL_ERROR);
 512                 return -1;
 513         }
 514
 515         /*
 516          * struct {
 517          *   ProtocolVersion client_version;
 518          *   opaque random[46];
 519          * } PreMasterSecret;
 520          *
 521          * struct {
 522          *   public-key-encrypted PreMasterSecret pre_master_secret;
 523          * } EncryptedPreMasterSecret;
 524          */
 525
 526         /*
 527          * Note: To avoid Bleichenbacher attack, we do not report decryption or
 528          * parsing errors from EncryptedPreMasterSecret processing to the
 529          * client. Instead, a random pre-master secret is used to force the
 530          * handshake to fail.
 531          */
 532
 533         if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 534                                                  pos, encr_len,
 535                                                  out, &outlen) < 0) {
 536                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 537                            "PreMasterSecret (encr_len=%u outlen=%lu)",
 538                            encr_len, (unsigned long) outlen);
 539                 use_random = 1;
 540         }
 541
 542         if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
 543                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
 544                            "length %lu", (unsigned long) outlen);
 545                 use_random = 1;
 546         }
 547
 548         if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
 549                 wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
 550                            "ClientKeyExchange does not match with version in "
 551                            "ClientHello");
 552                 use_random = 1;
 553         }
 554
 555         if (use_random) {
 556                 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 557                            "to avoid revealing information about private key");
 558                 outlen = TLS_PRE_MASTER_SECRET_LEN;
 559                 if (os_get_random(out, outlen)) {
 560                         wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 561                                    "data");
 562                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 563                                            TLS_ALERT_INTERNAL_ERROR);
 564                         os_free(out);
 565                         return -1;
 566                 }
 567         }
 568
 569         res = tlsv1_server_derive_keys(conn, out, outlen);
 570
 571         /* Clear the pre-master secret since it is not needed anymore */
 572         os_memset(out, 0, outbuflen);
 573         os_free(out);
 574
 575         if (res) {
 576                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 577                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 578                                    TLS_ALERT_INTERNAL_ERROR);
 579                 return -1;
 580         }
 581
 582         return 0;
 583 }
 584
 585
 586 static int tls_process_client_key_exchange_dh_anon(
 587         struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 588 {
 589         const u8 *dh_yc;
 590         u16 dh_yc_len;
 591         u8 *shared;
 592         size_t shared_len;
 593         int res;
 594
 595         /*
 596          * struct {
 597          *   select (PublicValueEncoding) {
 598          *     case implicit: struct { };
 599          *     case explicit: opaque dh_Yc<1..2^16-1>;
 600          *   } dh_public;
 601          * } ClientDiffieHellmanPublic;
 602          */
 603
 604         wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 605                     pos, end - pos);
 606
 607         if (end == pos) {
 608                 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 609                            "not supported");
 610                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 611                                    TLS_ALERT_INTERNAL_ERROR);
 612                 return -1;
 613         }
 614
 615         if (end - pos < 3) {
 616                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
 617                            "length");
 618                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 619                                    TLS_ALERT_DECODE_ERROR);
 620                 return -1;
 621         }
 622
 623         dh_yc_len = WPA_GET_BE16(pos);
 624         dh_yc = pos + 2;
 625
 626         if (dh_yc + dh_yc_len > end) {
 627                 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
 628                            "(length %d)", dh_yc_len);
 629                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 630                                    TLS_ALERT_DECODE_ERROR);
 631                 return -1;
 632         }
 633
 634         wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 635                     dh_yc, dh_yc_len);
 636
 637         if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 638             conn->dh_secret == NULL) {
 639                 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 640                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 641                                    TLS_ALERT_INTERNAL_ERROR);
 642                 return -1;
 643         }
 644
 645         shared_len = conn->cred->dh_p_len;
 646         shared = os_malloc(shared_len);
 647         if (shared == NULL) {
 648                 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 649                            "DH");
 650                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 651                                    TLS_ALERT_INTERNAL_ERROR);
 652                 return -1;
 653         }
 654
 655         /* shared = Yc^secret mod p */
 656         if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 657                            conn->dh_secret_len,
 658                            conn->cred->dh_p, conn->cred->dh_p_len,
 659                            shared, &shared_len)) {
 660                 os_free(shared);
 661                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 662                                    TLS_ALERT_INTERNAL_ERROR);
 663                 return -1;
 664         }
 665         wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 666                         shared, shared_len);
 667
 668         os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 669         os_free(conn->dh_secret);
 670         conn->dh_secret = NULL;
 671
 672         res = tlsv1_server_derive_keys(conn, shared, shared_len);
 673
 674         /* Clear the pre-master secret since it is not needed anymore */
 675         os_memset(shared, 0, shared_len);
 676         os_free(shared);
 677
 678         if (res) {
 679                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 680                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 681                                    TLS_ALERT_INTERNAL_ERROR);
 682                 return -1;
 683         }
 684
 685         return 0;
 686 }
 687
 688
 689 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 690                                            const u8 *in_data, size_t *in_len)
 691 {
 692         const u8 *pos, *end;
 693         size_t left, len;
 694         u8 type;
 695         tls_key_exchange keyx;
 696         const struct tls_cipher_suite *suite;
 697
 698         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 699                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 700                            "received content type 0x%x", ct);
 701                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 702                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 703                 return -1;
 704         }
 705
 706         pos = in_data;
 707         left = *in_len;
 708
 709         if (left < 4) {
 710                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
 711                            "(Left=%lu)", (unsigned long) left);
 712                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 713                                    TLS_ALERT_DECODE_ERROR);
 714                 return -1;
 715         }
 716
 717         type = *pos++;
 718         len = WPA_GET_BE24(pos);
 719         pos += 3;
 720         left -= 4;
 721
 722         if (len > left) {
 723                 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
 724                            "length (len=%lu != left=%lu)",
 725                            (unsigned long) len, (unsigned long) left);
 726                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 727                                    TLS_ALERT_DECODE_ERROR);
 728                 return -1;
 729         }
 730
 731         end = pos + len;
 732
 733         if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 734                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 735                            "message %d (expected ClientKeyExchange)", type);
 736                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 737                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 738                 return -1;
 739         }
 740
 741         wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
 742
 743         wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 744
 745         suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 746         if (suite == NULL)
 747                 keyx = TLS_KEY_X_NULL;
 748         else
 749                 keyx = suite->key_exchange;
 750
 751         if (keyx == TLS_KEY_X_DH_anon &&
 752             tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
 753                 return -1;
 754
 755         if (keyx != TLS_KEY_X_DH_anon &&
 756             tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 757                 return -1;
 758
 759         *in_len = end - in_data;
 760
 761         conn->state = CERTIFICATE_VERIFY;
 762
 763         return 0;
 764 }
 765
 766
 767 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 768                                           const u8 *in_data, size_t *in_len)
 769 {
 770         const u8 *pos, *end;
 771         size_t left, len;
 772         u8 type;
 773         size_t hlen, buflen;
 774         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
 775         enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 776         u16 slen;
 777
 778         if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 779                 if (conn->verify_peer) {
 780                         wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 781                                    "CertificateVerify");
 782                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 783                                            TLS_ALERT_UNEXPECTED_MESSAGE);
 784                         return -1;
 785                 }
 786
 787                 return tls_process_change_cipher_spec(conn, ct, in_data,
 788                                                       in_len);
 789         }
 790
 791         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 792                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 793                            "received content type 0x%x", ct);
 794                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 795                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 796                 return -1;
 797         }
 798
 799         pos = in_data;
 800         left = *in_len;
 801
 802         if (left < 4) {
 803                 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
 804                            "message (len=%lu)", (unsigned long) left);
 805                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 806                                    TLS_ALERT_DECODE_ERROR);
 807                 return -1;
 808         }
 809
 810         type = *pos++;
 811         len = WPA_GET_BE24(pos);
 812         pos += 3;
 813         left -= 4;
 814
 815         if (len > left) {
 816                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
 817                            "message length (len=%lu != left=%lu)",
 818                            (unsigned long) len, (unsigned long) left);
 819                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 820                                    TLS_ALERT_DECODE_ERROR);
 821                 return -1;
 822         }
 823
 824         end = pos + len;
 825
 826         if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 827                 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 828                            "message %d (expected CertificateVerify)", type);
 829                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 830                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 831                 return -1;
 832         }
 833
 834         wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
 835
 836         /*
 837          * struct {
 838          *   Signature signature;
 839          * } CertificateVerify;
 840          */
 841
 842         hpos = hash;
 843
 844         if (alg == SIGN_ALG_RSA) {
 845                 hlen = MD5_MAC_LEN;
 846                 if (conn->verify.md5_cert == NULL ||
 847                     crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
 848                 {
 849                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 850                                            TLS_ALERT_INTERNAL_ERROR);
 851                         conn->verify.md5_cert = NULL;
 852                         crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 853                         conn->verify.sha1_cert = NULL;
 854                         return -1;
 855                 }
 856                 hpos += MD5_MAC_LEN;
 857         } else
 858                 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
 859
 860         conn->verify.md5_cert = NULL;
 861         hlen = SHA1_MAC_LEN;
 862         if (conn->verify.sha1_cert == NULL ||
 863             crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 864                 conn->verify.sha1_cert = NULL;
 865                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 866                                    TLS_ALERT_INTERNAL_ERROR);
 867                 return -1;
 868         }
 869         conn->verify.sha1_cert = NULL;
 870
 871         if (alg == SIGN_ALG_RSA)
 872                 hlen += MD5_MAC_LEN;
 873
 874         wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 875
 876         if (end - pos < 2) {
 877                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 878                                    TLS_ALERT_DECODE_ERROR);
 879                 return -1;
 880         }
 881         slen = WPA_GET_BE16(pos);
 882         pos += 2;
 883         if (end - pos < slen) {
 884                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 885                                    TLS_ALERT_DECODE_ERROR);
 886                 return -1;
 887         }
 888
 889         wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 890         if (conn->client_rsa_key == NULL) {
 891                 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
 892                            "signature");
 893                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 894                                    TLS_ALERT_INTERNAL_ERROR);
 895                 return -1;
 896         }
 897
 898         buflen = end - pos;
 899         buf = os_malloc(end - pos);
 900         if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
 901                                             pos, end - pos, buf, &buflen) < 0)
 902         {
 903                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 904                 os_free(buf);
 905                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 906                                    TLS_ALERT_DECRYPT_ERROR);
 907                 return -1;
 908         }
 909
 910         wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 911                         buf, buflen);
 912
 913         if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
 914                 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
 915                            "CertificateVerify - did not match with calculated "
 916                            "hash");
 917                 os_free(buf);
 918                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 919                                    TLS_ALERT_DECRYPT_ERROR);
 920                 return -1;
 921         }
 922
 923         os_free(buf);
 924
 925         *in_len = end - in_data;
 926
 927         conn->state = CHANGE_CIPHER_SPEC;
 928
 929         return 0;
 930 }
 931
 932
 933 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 934                                           u8 ct, const u8 *in_data,
 935                                           size_t *in_len)
 936 {
 937         const u8 *pos;
 938         size_t left;
 939
 940         if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 941                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 942                            "received content type 0x%x", ct);
 943                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 944                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 945                 return -1;
 946         }
 947
 948         pos = in_data;
 949         left = *in_len;
 950
 951         if (left < 1) {
 952                 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 953                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 954                                    TLS_ALERT_DECODE_ERROR);
 955                 return -1;
 956         }
 957
 958         if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 959                 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 960                            "received data 0x%x", *pos);
 961                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 962                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 963                 return -1;
 964         }
 965
 966         wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 967         if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 968                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 969                            "for record layer");
 970                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 971                                    TLS_ALERT_INTERNAL_ERROR);
 972                 return -1;
 973         }
 974
 975         *in_len = pos + 1 - in_data;
 976
 977         conn->state = CLIENT_FINISHED;
 978
 979         return 0;
 980 }
 981
 982
 983 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 984                                        const u8 *in_data, size_t *in_len)
 985 {
 986         const u8 *pos, *end;
 987         size_t left, len, hlen;
 988         u8 verify_data[TLS_VERIFY_DATA_LEN];
 989         u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 990
 991         if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 992                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 993                            "received content type 0x%x", ct);
 994                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 995                                    TLS_ALERT_UNEXPECTED_MESSAGE);
 996                 return -1;
 997         }
 998
 999         pos = in_data;
1000         left = *in_len;
1001
1002         if (left < 4) {
1003                 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
1004                            "Finished",
1005                            (unsigned long) left);
1006                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1007                                    TLS_ALERT_DECODE_ERROR);
1008                 return -1;
1009         }
1010
1011         if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1012                 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1013                            "type 0x%x", pos[0]);
1014                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1015                                    TLS_ALERT_UNEXPECTED_MESSAGE);
1016                 return -1;
1017         }
1018
1019         len = WPA_GET_BE24(pos + 1);
1020
1021         pos += 4;
1022         left -= 4;
1023
1024         if (len > left) {
1025                 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
1026                            "(len=%lu > left=%lu)",
1027                            (unsigned long) len, (unsigned long) left);
1028                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1029                                    TLS_ALERT_DECODE_ERROR);
1030                 return -1;
1031         }
1032         end = pos + len;
1033         if (len != TLS_VERIFY_DATA_LEN) {
1034                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
1035                            "in Finished: %lu (expected %d)",
1036                            (unsigned long) len, TLS_VERIFY_DATA_LEN);
1037                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038                                    TLS_ALERT_DECODE_ERROR);
1039                 return -1;
1040         }
1041         wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1042                     pos, TLS_VERIFY_DATA_LEN);
1043
1044         hlen = MD5_MAC_LEN;
1045         if (conn->verify.md5_client == NULL ||
1046             crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1047                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1048                                    TLS_ALERT_INTERNAL_ERROR);
1049                 conn->verify.md5_client = NULL;
1050                 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1051                 conn->verify.sha1_client = NULL;
1052                 return -1;
1053         }
1054         conn->verify.md5_client = NULL;
1055         hlen = SHA1_MAC_LEN;
1056         if (conn->verify.sha1_client == NULL ||
1057             crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1058                                &hlen) < 0) {
1059                 conn->verify.sha1_client = NULL;
1060                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1061                                    TLS_ALERT_INTERNAL_ERROR);
1062                 return -1;
1063         }
1064         conn->verify.sha1_client = NULL;
1065
1066         if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
1067                     "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
1068                     verify_data, TLS_VERIFY_DATA_LEN)) {
1069                 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1070                 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1071                                    TLS_ALERT_DECRYPT_ERROR);
1072                 return -1;
1073         }
1074         wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1075                         verify_data, TLS_VERIFY_DATA_LEN);
1076
1077         if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1078                 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
1079                 return -1;
1080         }
1081
1082         wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
1083
1084         *in_len = end - in_data;
1085
1086         if (conn->use_session_ticket) {
1087                 /* Abbreviated handshake using session ticket; RFC 4507 */
1088                 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
1089                            "successfully");
1090                 conn->state = ESTABLISHED;
1091         } else {
1092                 /* Full handshake */
1093                 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1094         }
1095
1096         return 0;
1097 }
1098
1099
1100 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1101                                    const u8 *buf, size_t *len)
1102 {
1103         if (ct == TLS_CONTENT_TYPE_ALERT) {
1104                 if (*len < 2) {
1105                         wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1106                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1107                                            TLS_ALERT_DECODE_ERROR);
1108                         return -1;
1109                 }
1110                 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1111                            buf[0], buf[1]);
1112                 *len = 2;
1113                 conn->state = FAILED;
1114                 return -1;
1115         }
1116
1117         switch (conn->state) {
1118         case CLIENT_HELLO:
1119                 if (tls_process_client_hello(conn, ct, buf, len))
1120                         return -1;
1121                 break;
1122         case CLIENT_CERTIFICATE:
1123                 if (tls_process_certificate(conn, ct, buf, len))
1124                         return -1;
1125                 break;
1126         case CLIENT_KEY_EXCHANGE:
1127                 if (tls_process_client_key_exchange(conn, ct, buf, len))
1128                         return -1;
1129                 break;
1130         case CERTIFICATE_VERIFY:
1131                 if (tls_process_certificate_verify(conn, ct, buf, len))
1132                         return -1;
1133                 break;
1134         case CHANGE_CIPHER_SPEC:
1135                 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1136                         return -1;
1137                 break;
1138         case CLIENT_FINISHED:
1139                 if (tls_process_client_finished(conn, ct, buf, len))
1140                         return -1;
1141                 break;
1142         default:
1143                 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1144                            "while processing received message",
1145                            conn->state);
1146                 return -1;
1147         }
1148
1149         if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1150                 tls_verify_hash_add(&conn->verify, buf, *len);
1151
1152         return 0;
1153 }