18dbcf02cSchristos /*
28dbcf02cSchristos * TLSv1 server - read handshake message
336d97821Schristos * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
48dbcf02cSchristos *
562a52023Schristos * This software may be distributed under the terms of the BSD license.
662a52023Schristos * See README for more details.
78dbcf02cSchristos */
88dbcf02cSchristos
98dbcf02cSchristos #include "includes.h"
108dbcf02cSchristos
118dbcf02cSchristos #include "common.h"
128dbcf02cSchristos #include "crypto/md5.h"
138dbcf02cSchristos #include "crypto/sha1.h"
1462a52023Schristos #include "crypto/sha256.h"
158dbcf02cSchristos #include "crypto/tls.h"
168dbcf02cSchristos #include "x509v3.h"
178dbcf02cSchristos #include "tlsv1_common.h"
188dbcf02cSchristos #include "tlsv1_record.h"
198dbcf02cSchristos #include "tlsv1_server.h"
208dbcf02cSchristos #include "tlsv1_server_i.h"
218dbcf02cSchristos
228dbcf02cSchristos
238dbcf02cSchristos static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
248dbcf02cSchristos const u8 *in_data, size_t *in_len);
258dbcf02cSchristos static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
268dbcf02cSchristos u8 ct, const u8 *in_data,
278dbcf02cSchristos size_t *in_len);
288dbcf02cSchristos
298dbcf02cSchristos
testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)3036d97821Schristos static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
3136d97821Schristos {
3236d97821Schristos #ifdef CONFIG_TESTING_OPTIONS
3336d97821Schristos if ((conn->test_flags &
3436d97821Schristos (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
3536d97821Schristos TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
3636d97821Schristos TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
3736d97821Schristos suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
3836d97821Schristos suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
3936d97821Schristos suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
4036d97821Schristos suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
4136d97821Schristos suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
4236d97821Schristos return 1;
4336d97821Schristos #endif /* CONFIG_TESTING_OPTIONS */
4436d97821Schristos
4536d97821Schristos return 0;
4636d97821Schristos }
4736d97821Schristos
4836d97821Schristos
tls_process_status_request_item(struct tlsv1_server * conn,const u8 * req,size_t req_len)49928750b6Schristos static void tls_process_status_request_item(struct tlsv1_server *conn,
50928750b6Schristos const u8 *req, size_t req_len)
51928750b6Schristos {
52928750b6Schristos const u8 *pos, *end;
53928750b6Schristos u8 status_type;
54928750b6Schristos
55928750b6Schristos pos = req;
56928750b6Schristos end = req + req_len;
57928750b6Schristos
58928750b6Schristos /*
59928750b6Schristos * RFC 6961, 2.2:
60928750b6Schristos * struct {
61928750b6Schristos * CertificateStatusType status_type;
62928750b6Schristos * uint16 request_length;
63928750b6Schristos * select (status_type) {
64928750b6Schristos * case ocsp: OCSPStatusRequest;
65928750b6Schristos * case ocsp_multi: OCSPStatusRequest;
66928750b6Schristos * } request;
67928750b6Schristos * } CertificateStatusRequestItemV2;
68928750b6Schristos *
69928750b6Schristos * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
70928750b6Schristos */
71928750b6Schristos
72928750b6Schristos if (end - pos < 1)
73928750b6Schristos return; /* Truncated data */
74928750b6Schristos
75928750b6Schristos status_type = *pos++;
76928750b6Schristos wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77928750b6Schristos if (status_type != 1 && status_type != 2)
78928750b6Schristos return; /* Unsupported status type */
79928750b6Schristos /*
80928750b6Schristos * For now, only OCSP stapling is supported, so ignore the specific
81928750b6Schristos * request, if any.
82928750b6Schristos */
83928750b6Schristos wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
84928750b6Schristos
85928750b6Schristos if (status_type == 2)
86928750b6Schristos conn->status_request_multi = 1;
87928750b6Schristos }
88928750b6Schristos
89928750b6Schristos
tls_process_status_request_v2(struct tlsv1_server * conn,const u8 * ext,size_t ext_len)90928750b6Schristos static void tls_process_status_request_v2(struct tlsv1_server *conn,
91928750b6Schristos const u8 *ext, size_t ext_len)
92928750b6Schristos {
93928750b6Schristos const u8 *pos, *end;
94928750b6Schristos
95928750b6Schristos conn->status_request_v2 = 1;
96928750b6Schristos
97928750b6Schristos pos = ext;
98928750b6Schristos end = ext + ext_len;
99928750b6Schristos
100928750b6Schristos /*
101928750b6Schristos * RFC 6961, 2.2:
102928750b6Schristos * struct {
103928750b6Schristos * CertificateStatusRequestItemV2
104928750b6Schristos * certificate_status_req_list<1..2^16-1>;
105928750b6Schristos * } CertificateStatusRequestListV2;
106928750b6Schristos */
107928750b6Schristos
108928750b6Schristos while (end - pos >= 2) {
109928750b6Schristos u16 len;
110928750b6Schristos
111928750b6Schristos len = WPA_GET_BE16(pos);
112928750b6Schristos pos += 2;
113928750b6Schristos if (len > end - pos)
114928750b6Schristos break; /* Truncated data */
115928750b6Schristos tls_process_status_request_item(conn, pos, len);
116928750b6Schristos pos += len;
117928750b6Schristos }
118928750b6Schristos }
119928750b6Schristos
120928750b6Schristos
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1218dbcf02cSchristos static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
1228dbcf02cSchristos const u8 *in_data, size_t *in_len)
1238dbcf02cSchristos {
1248dbcf02cSchristos const u8 *pos, *end, *c;
1258dbcf02cSchristos size_t left, len, i, j;
1268dbcf02cSchristos u16 cipher_suite;
1278dbcf02cSchristos u16 num_suites;
1288dbcf02cSchristos int compr_null_found;
1298dbcf02cSchristos u16 ext_type, ext_len;
1308dbcf02cSchristos
1318dbcf02cSchristos if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
13236d97821Schristos tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
13336d97821Schristos ct);
1348dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1358dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
1368dbcf02cSchristos return -1;
1378dbcf02cSchristos }
1388dbcf02cSchristos
1398dbcf02cSchristos pos = in_data;
1408dbcf02cSchristos left = *in_len;
1418dbcf02cSchristos
142*0d69f216Schristos if (left < 4) {
143*0d69f216Schristos tlsv1_server_log(conn,
144*0d69f216Schristos "Truncated handshake message (expected ClientHello)");
1458dbcf02cSchristos goto decode_error;
146*0d69f216Schristos }
1478dbcf02cSchristos
1488dbcf02cSchristos /* HandshakeType msg_type */
1498dbcf02cSchristos if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
15036d97821Schristos tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
15136d97821Schristos *pos);
1528dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1538dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
1548dbcf02cSchristos return -1;
1558dbcf02cSchristos }
15636d97821Schristos tlsv1_server_log(conn, "Received ClientHello");
1578dbcf02cSchristos pos++;
1588dbcf02cSchristos /* uint24 length */
1598dbcf02cSchristos len = WPA_GET_BE24(pos);
1608dbcf02cSchristos pos += 3;
1618dbcf02cSchristos left -= 4;
1628dbcf02cSchristos
163*0d69f216Schristos if (len > left) {
164*0d69f216Schristos tlsv1_server_log(conn,
165*0d69f216Schristos "Truncated ClientHello (len=%d left=%d)",
166*0d69f216Schristos (int) len, (int) left);
1678dbcf02cSchristos goto decode_error;
168*0d69f216Schristos }
1698dbcf02cSchristos
1708dbcf02cSchristos /* body - ClientHello */
1718dbcf02cSchristos
1728dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
1738dbcf02cSchristos end = pos + len;
1748dbcf02cSchristos
1758dbcf02cSchristos /* ProtocolVersion client_version */
176*0d69f216Schristos if (end - pos < 2) {
177*0d69f216Schristos tlsv1_server_log(conn, "Truncated ClientHello/client_version");
1788dbcf02cSchristos goto decode_error;
179*0d69f216Schristos }
1808dbcf02cSchristos conn->client_version = WPA_GET_BE16(pos);
18136d97821Schristos tlsv1_server_log(conn, "Client version %d.%d",
18236d97821Schristos conn->client_version >> 8,
18336d97821Schristos conn->client_version & 0xff);
18442669be3Schristos if (conn->client_version < TLS_VERSION_1) {
18536d97821Schristos tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
18642669be3Schristos conn->client_version >> 8,
18742669be3Schristos conn->client_version & 0xff);
1888dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1898dbcf02cSchristos TLS_ALERT_PROTOCOL_VERSION);
1908dbcf02cSchristos return -1;
1918dbcf02cSchristos }
1928dbcf02cSchristos pos += 2;
1938dbcf02cSchristos
19442669be3Schristos if (TLS_VERSION == TLS_VERSION_1)
19542669be3Schristos conn->rl.tls_version = TLS_VERSION_1;
19662a52023Schristos #ifdef CONFIG_TLSV12
19762a52023Schristos else if (conn->client_version >= TLS_VERSION_1_2)
19862a52023Schristos conn->rl.tls_version = TLS_VERSION_1_2;
19962a52023Schristos #endif /* CONFIG_TLSV12 */
20042669be3Schristos else if (conn->client_version > TLS_VERSION_1_1)
20142669be3Schristos conn->rl.tls_version = TLS_VERSION_1_1;
20242669be3Schristos else
20342669be3Schristos conn->rl.tls_version = conn->client_version;
20436d97821Schristos tlsv1_server_log(conn, "Using TLS v%s",
20562a52023Schristos tls_version_str(conn->rl.tls_version));
20642669be3Schristos
2078dbcf02cSchristos /* Random random */
208*0d69f216Schristos if (end - pos < TLS_RANDOM_LEN) {
209*0d69f216Schristos tlsv1_server_log(conn, "Truncated ClientHello/client_random");
2108dbcf02cSchristos goto decode_error;
211*0d69f216Schristos }
2128dbcf02cSchristos
2138dbcf02cSchristos os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
2148dbcf02cSchristos pos += TLS_RANDOM_LEN;
2158dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
2168dbcf02cSchristos conn->client_random, TLS_RANDOM_LEN);
2178dbcf02cSchristos
2188dbcf02cSchristos /* SessionID session_id */
219*0d69f216Schristos if (end - pos < 1) {
220*0d69f216Schristos tlsv1_server_log(conn, "Truncated ClientHello/session_id len");
2218dbcf02cSchristos goto decode_error;
222*0d69f216Schristos }
223*0d69f216Schristos if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) {
224*0d69f216Schristos tlsv1_server_log(conn, "Truncated ClientHello/session_id");
2258dbcf02cSchristos goto decode_error;
226*0d69f216Schristos }
2278dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
2288dbcf02cSchristos pos += 1 + *pos;
2298dbcf02cSchristos /* TODO: add support for session resumption */
2308dbcf02cSchristos
2318dbcf02cSchristos /* CipherSuite cipher_suites<2..2^16-1> */
232*0d69f216Schristos if (end - pos < 2) {
233*0d69f216Schristos tlsv1_server_log(conn,
234*0d69f216Schristos "Truncated ClientHello/cipher_suites len");
2358dbcf02cSchristos goto decode_error;
236*0d69f216Schristos }
2378dbcf02cSchristos num_suites = WPA_GET_BE16(pos);
2388dbcf02cSchristos pos += 2;
239*0d69f216Schristos if (end - pos < num_suites) {
240*0d69f216Schristos tlsv1_server_log(conn, "Truncated ClientHello/cipher_suites");
2418dbcf02cSchristos goto decode_error;
242*0d69f216Schristos }
2438dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
2448dbcf02cSchristos pos, num_suites);
245*0d69f216Schristos if (num_suites & 1) {
246*0d69f216Schristos tlsv1_server_log(conn, "Odd len ClientHello/cipher_suites");
2478dbcf02cSchristos goto decode_error;
248*0d69f216Schristos }
2498dbcf02cSchristos num_suites /= 2;
2508dbcf02cSchristos
2518dbcf02cSchristos cipher_suite = 0;
2528dbcf02cSchristos for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
25336d97821Schristos if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
25436d97821Schristos continue;
2558dbcf02cSchristos c = pos;
2568dbcf02cSchristos for (j = 0; j < num_suites; j++) {
2578dbcf02cSchristos u16 tmp = WPA_GET_BE16(c);
2588dbcf02cSchristos c += 2;
2598dbcf02cSchristos if (!cipher_suite && tmp == conn->cipher_suites[i]) {
2608dbcf02cSchristos cipher_suite = tmp;
2618dbcf02cSchristos break;
2628dbcf02cSchristos }
2638dbcf02cSchristos }
2648dbcf02cSchristos }
2658dbcf02cSchristos pos += num_suites * 2;
2668dbcf02cSchristos if (!cipher_suite) {
26736d97821Schristos tlsv1_server_log(conn, "No supported cipher suite available");
2688dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
2698dbcf02cSchristos TLS_ALERT_ILLEGAL_PARAMETER);
2708dbcf02cSchristos return -1;
2718dbcf02cSchristos }
2728dbcf02cSchristos
2738dbcf02cSchristos if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
2748dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
2758dbcf02cSchristos "record layer");
2768dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
2778dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
2788dbcf02cSchristos return -1;
2798dbcf02cSchristos }
2808dbcf02cSchristos
2818dbcf02cSchristos conn->cipher_suite = cipher_suite;
2828dbcf02cSchristos
2838dbcf02cSchristos /* CompressionMethod compression_methods<1..2^8-1> */
284*0d69f216Schristos if (end - pos < 1) {
285*0d69f216Schristos tlsv1_server_log(conn,
286*0d69f216Schristos "Truncated ClientHello/compression_methods len");
2878dbcf02cSchristos goto decode_error;
288*0d69f216Schristos }
2898dbcf02cSchristos num_suites = *pos++;
290*0d69f216Schristos if (end - pos < num_suites) {
291*0d69f216Schristos tlsv1_server_log(conn,
292*0d69f216Schristos "Truncated ClientHello/compression_methods");
2938dbcf02cSchristos goto decode_error;
294*0d69f216Schristos }
2958dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
2968dbcf02cSchristos pos, num_suites);
2978dbcf02cSchristos compr_null_found = 0;
2988dbcf02cSchristos for (i = 0; i < num_suites; i++) {
2998dbcf02cSchristos if (*pos++ == TLS_COMPRESSION_NULL)
3008dbcf02cSchristos compr_null_found = 1;
3018dbcf02cSchristos }
3028dbcf02cSchristos if (!compr_null_found) {
30336d97821Schristos tlsv1_server_log(conn, "Client does not accept NULL compression");
3048dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
3058dbcf02cSchristos TLS_ALERT_ILLEGAL_PARAMETER);
3068dbcf02cSchristos return -1;
3078dbcf02cSchristos }
3088dbcf02cSchristos
3098dbcf02cSchristos if (end - pos == 1) {
31036d97821Schristos tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
31136d97821Schristos *pos);
3128dbcf02cSchristos goto decode_error;
3138dbcf02cSchristos }
3148dbcf02cSchristos
3158dbcf02cSchristos if (end - pos >= 2) {
3168dbcf02cSchristos /* Extension client_hello_extension_list<0..2^16-1> */
3178dbcf02cSchristos ext_len = WPA_GET_BE16(pos);
3188dbcf02cSchristos pos += 2;
3198dbcf02cSchristos
32036d97821Schristos tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
32136d97821Schristos ext_len);
3228dbcf02cSchristos if (end - pos != ext_len) {
32336d97821Schristos tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
3248dbcf02cSchristos ext_len, (unsigned int) (end - pos));
3258dbcf02cSchristos goto decode_error;
3268dbcf02cSchristos }
3278dbcf02cSchristos
3288dbcf02cSchristos /*
3298dbcf02cSchristos * struct {
3308dbcf02cSchristos * ExtensionType extension_type (0..65535)
3318dbcf02cSchristos * opaque extension_data<0..2^16-1>
3328dbcf02cSchristos * } Extension;
3338dbcf02cSchristos */
3348dbcf02cSchristos
3358dbcf02cSchristos while (pos < end) {
3368dbcf02cSchristos if (end - pos < 2) {
33736d97821Schristos tlsv1_server_log(conn, "Invalid extension_type field");
3388dbcf02cSchristos goto decode_error;
3398dbcf02cSchristos }
3408dbcf02cSchristos
3418dbcf02cSchristos ext_type = WPA_GET_BE16(pos);
3428dbcf02cSchristos pos += 2;
3438dbcf02cSchristos
3448dbcf02cSchristos if (end - pos < 2) {
34536d97821Schristos tlsv1_server_log(conn, "Invalid extension_data length field");
3468dbcf02cSchristos goto decode_error;
3478dbcf02cSchristos }
3488dbcf02cSchristos
3498dbcf02cSchristos ext_len = WPA_GET_BE16(pos);
3508dbcf02cSchristos pos += 2;
3518dbcf02cSchristos
3528dbcf02cSchristos if (end - pos < ext_len) {
35336d97821Schristos tlsv1_server_log(conn, "Invalid extension_data field");
3548dbcf02cSchristos goto decode_error;
3558dbcf02cSchristos }
3568dbcf02cSchristos
35736d97821Schristos tlsv1_server_log(conn, "ClientHello Extension type %u",
35836d97821Schristos ext_type);
3598dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
3608dbcf02cSchristos "Extension data", pos, ext_len);
3618dbcf02cSchristos
3628dbcf02cSchristos if (ext_type == TLS_EXT_SESSION_TICKET) {
3638dbcf02cSchristos os_free(conn->session_ticket);
3648dbcf02cSchristos conn->session_ticket = os_malloc(ext_len);
3658dbcf02cSchristos if (conn->session_ticket) {
3668dbcf02cSchristos os_memcpy(conn->session_ticket, pos,
3678dbcf02cSchristos ext_len);
3688dbcf02cSchristos conn->session_ticket_len = ext_len;
3698dbcf02cSchristos }
370928750b6Schristos } else if (ext_type == TLS_EXT_STATUS_REQUEST) {
371928750b6Schristos conn->status_request = 1;
372928750b6Schristos } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
373928750b6Schristos tls_process_status_request_v2(conn, pos,
374928750b6Schristos ext_len);
3758dbcf02cSchristos }
3768dbcf02cSchristos
3778dbcf02cSchristos pos += ext_len;
3788dbcf02cSchristos }
3798dbcf02cSchristos }
3808dbcf02cSchristos
3818dbcf02cSchristos *in_len = end - in_data;
3828dbcf02cSchristos
38336d97821Schristos tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
3848dbcf02cSchristos conn->state = SERVER_HELLO;
3858dbcf02cSchristos
3868dbcf02cSchristos return 0;
3878dbcf02cSchristos
3888dbcf02cSchristos decode_error:
38936d97821Schristos tlsv1_server_log(conn, "Failed to decode ClientHello");
3908dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
3918dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
3928dbcf02cSchristos return -1;
3938dbcf02cSchristos }
3948dbcf02cSchristos
3958dbcf02cSchristos
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)3968dbcf02cSchristos static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
3978dbcf02cSchristos const u8 *in_data, size_t *in_len)
3988dbcf02cSchristos {
3998dbcf02cSchristos const u8 *pos, *end;
4008dbcf02cSchristos size_t left, len, list_len, cert_len, idx;
4018dbcf02cSchristos u8 type;
4028dbcf02cSchristos struct x509_certificate *chain = NULL, *last = NULL, *cert;
4038dbcf02cSchristos int reason;
4048dbcf02cSchristos
4058dbcf02cSchristos if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
40636d97821Schristos tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
40736d97821Schristos ct);
4088dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4098dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
4108dbcf02cSchristos return -1;
4118dbcf02cSchristos }
4128dbcf02cSchristos
4138dbcf02cSchristos pos = in_data;
4148dbcf02cSchristos left = *in_len;
4158dbcf02cSchristos
4168dbcf02cSchristos if (left < 4) {
41736d97821Schristos tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
41836d97821Schristos (unsigned long) left);
4198dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4208dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
4218dbcf02cSchristos return -1;
4228dbcf02cSchristos }
4238dbcf02cSchristos
4248dbcf02cSchristos type = *pos++;
4258dbcf02cSchristos len = WPA_GET_BE24(pos);
4268dbcf02cSchristos pos += 3;
4278dbcf02cSchristos left -= 4;
4288dbcf02cSchristos
4298dbcf02cSchristos if (len > left) {
43036d97821Schristos tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
4318dbcf02cSchristos (unsigned long) len, (unsigned long) left);
4328dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4338dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
4348dbcf02cSchristos return -1;
4358dbcf02cSchristos }
4368dbcf02cSchristos
4378dbcf02cSchristos if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
4388dbcf02cSchristos if (conn->verify_peer) {
43936d97821Schristos tlsv1_server_log(conn, "Client did not include Certificate");
4408dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4418dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
4428dbcf02cSchristos return -1;
4438dbcf02cSchristos }
4448dbcf02cSchristos
4458dbcf02cSchristos return tls_process_client_key_exchange(conn, ct, in_data,
4468dbcf02cSchristos in_len);
4478dbcf02cSchristos }
4488dbcf02cSchristos if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
44936d97821Schristos tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
45036d97821Schristos type);
4518dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4528dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
4538dbcf02cSchristos return -1;
4548dbcf02cSchristos }
4558dbcf02cSchristos
45636d97821Schristos tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
4578dbcf02cSchristos (unsigned long) len);
4588dbcf02cSchristos
4598dbcf02cSchristos /*
4608dbcf02cSchristos * opaque ASN.1Cert<2^24-1>;
4618dbcf02cSchristos *
4628dbcf02cSchristos * struct {
4638dbcf02cSchristos * ASN.1Cert certificate_list<1..2^24-1>;
4648dbcf02cSchristos * } Certificate;
4658dbcf02cSchristos */
4668dbcf02cSchristos
4678dbcf02cSchristos end = pos + len;
4688dbcf02cSchristos
4698dbcf02cSchristos if (end - pos < 3) {
47036d97821Schristos tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
47136d97821Schristos (unsigned long) left);
4728dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4738dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
4748dbcf02cSchristos return -1;
4758dbcf02cSchristos }
4768dbcf02cSchristos
4778dbcf02cSchristos list_len = WPA_GET_BE24(pos);
4788dbcf02cSchristos pos += 3;
4798dbcf02cSchristos
4808dbcf02cSchristos if ((size_t) (end - pos) != list_len) {
48136d97821Schristos tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
4828dbcf02cSchristos (unsigned long) list_len,
4838dbcf02cSchristos (unsigned long) (end - pos));
4848dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4858dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
4868dbcf02cSchristos return -1;
4878dbcf02cSchristos }
4888dbcf02cSchristos
4898dbcf02cSchristos idx = 0;
4908dbcf02cSchristos while (pos < end) {
4918dbcf02cSchristos if (end - pos < 3) {
49236d97821Schristos tlsv1_server_log(conn, "Failed to parse certificate_list");
4938dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
4948dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
4958dbcf02cSchristos x509_certificate_chain_free(chain);
4968dbcf02cSchristos return -1;
4978dbcf02cSchristos }
4988dbcf02cSchristos
4998dbcf02cSchristos cert_len = WPA_GET_BE24(pos);
5008dbcf02cSchristos pos += 3;
5018dbcf02cSchristos
5028dbcf02cSchristos if ((size_t) (end - pos) < cert_len) {
50336d97821Schristos tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
5048dbcf02cSchristos (unsigned long) cert_len,
5058dbcf02cSchristos (unsigned long) (end - pos));
5068dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
5078dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
5088dbcf02cSchristos x509_certificate_chain_free(chain);
5098dbcf02cSchristos return -1;
5108dbcf02cSchristos }
5118dbcf02cSchristos
51236d97821Schristos tlsv1_server_log(conn, "Certificate %lu (len %lu)",
5138dbcf02cSchristos (unsigned long) idx, (unsigned long) cert_len);
5148dbcf02cSchristos
5158dbcf02cSchristos if (idx == 0) {
5168dbcf02cSchristos crypto_public_key_free(conn->client_rsa_key);
5178dbcf02cSchristos if (tls_parse_cert(pos, cert_len,
5188dbcf02cSchristos &conn->client_rsa_key)) {
51936d97821Schristos tlsv1_server_log(conn, "Failed to parse the certificate");
5208dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
5218dbcf02cSchristos TLS_ALERT_BAD_CERTIFICATE);
5228dbcf02cSchristos x509_certificate_chain_free(chain);
5238dbcf02cSchristos return -1;
5248dbcf02cSchristos }
5258dbcf02cSchristos }
5268dbcf02cSchristos
5278dbcf02cSchristos cert = x509_certificate_parse(pos, cert_len);
5288dbcf02cSchristos if (cert == NULL) {
52936d97821Schristos tlsv1_server_log(conn, "Failed to parse the certificate");
5308dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
5318dbcf02cSchristos TLS_ALERT_BAD_CERTIFICATE);
5328dbcf02cSchristos x509_certificate_chain_free(chain);
5338dbcf02cSchristos return -1;
5348dbcf02cSchristos }
5358dbcf02cSchristos
5368dbcf02cSchristos if (last == NULL)
5378dbcf02cSchristos chain = cert;
5388dbcf02cSchristos else
5398dbcf02cSchristos last->next = cert;
5408dbcf02cSchristos last = cert;
5418dbcf02cSchristos
5428dbcf02cSchristos idx++;
5438dbcf02cSchristos pos += cert_len;
5448dbcf02cSchristos }
5458dbcf02cSchristos
5468dbcf02cSchristos if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
54742669be3Schristos &reason, 0) < 0) {
5488dbcf02cSchristos int tls_reason;
54936d97821Schristos tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
55036d97821Schristos reason);
5518dbcf02cSchristos switch (reason) {
5528dbcf02cSchristos case X509_VALIDATE_BAD_CERTIFICATE:
5538dbcf02cSchristos tls_reason = TLS_ALERT_BAD_CERTIFICATE;
5548dbcf02cSchristos break;
5558dbcf02cSchristos case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
5568dbcf02cSchristos tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
5578dbcf02cSchristos break;
5588dbcf02cSchristos case X509_VALIDATE_CERTIFICATE_REVOKED:
5598dbcf02cSchristos tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
5608dbcf02cSchristos break;
5618dbcf02cSchristos case X509_VALIDATE_CERTIFICATE_EXPIRED:
5628dbcf02cSchristos tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
5638dbcf02cSchristos break;
5648dbcf02cSchristos case X509_VALIDATE_CERTIFICATE_UNKNOWN:
5658dbcf02cSchristos tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
5668dbcf02cSchristos break;
5678dbcf02cSchristos case X509_VALIDATE_UNKNOWN_CA:
5688dbcf02cSchristos tls_reason = TLS_ALERT_UNKNOWN_CA;
5698dbcf02cSchristos break;
5708dbcf02cSchristos default:
5718dbcf02cSchristos tls_reason = TLS_ALERT_BAD_CERTIFICATE;
5728dbcf02cSchristos break;
5738dbcf02cSchristos }
5748dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
5758dbcf02cSchristos x509_certificate_chain_free(chain);
5768dbcf02cSchristos return -1;
5778dbcf02cSchristos }
5788dbcf02cSchristos
579928750b6Schristos if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
580928750b6Schristos !(chain->ext_key_usage &
581928750b6Schristos (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
582928750b6Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
583928750b6Schristos TLS_ALERT_BAD_CERTIFICATE);
584928750b6Schristos x509_certificate_chain_free(chain);
585928750b6Schristos return -1;
586928750b6Schristos }
587928750b6Schristos
5888dbcf02cSchristos x509_certificate_chain_free(chain);
5898dbcf02cSchristos
5908dbcf02cSchristos *in_len = end - in_data;
5918dbcf02cSchristos
5928dbcf02cSchristos conn->state = CLIENT_KEY_EXCHANGE;
5938dbcf02cSchristos
5948dbcf02cSchristos return 0;
5958dbcf02cSchristos }
5968dbcf02cSchristos
5978dbcf02cSchristos
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)5988dbcf02cSchristos static int tls_process_client_key_exchange_rsa(
5998dbcf02cSchristos struct tlsv1_server *conn, const u8 *pos, const u8 *end)
6008dbcf02cSchristos {
6018dbcf02cSchristos u8 *out;
6028dbcf02cSchristos size_t outlen, outbuflen;
6038dbcf02cSchristos u16 encr_len;
6048dbcf02cSchristos int res;
6058dbcf02cSchristos int use_random = 0;
6068dbcf02cSchristos
6078dbcf02cSchristos if (end - pos < 2) {
6088dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
6098dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
6108dbcf02cSchristos return -1;
6118dbcf02cSchristos }
6128dbcf02cSchristos
6138dbcf02cSchristos encr_len = WPA_GET_BE16(pos);
6148dbcf02cSchristos pos += 2;
61542669be3Schristos if (pos + encr_len > end) {
61636d97821Schristos tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
61742669be3Schristos encr_len, (unsigned int) (end - pos));
61842669be3Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
61942669be3Schristos TLS_ALERT_DECODE_ERROR);
62042669be3Schristos return -1;
62142669be3Schristos }
6228dbcf02cSchristos
6238dbcf02cSchristos outbuflen = outlen = end - pos;
6248dbcf02cSchristos out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
6258dbcf02cSchristos outlen : TLS_PRE_MASTER_SECRET_LEN);
6268dbcf02cSchristos if (out == NULL) {
6278dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
6288dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
6298dbcf02cSchristos return -1;
6308dbcf02cSchristos }
6318dbcf02cSchristos
6328dbcf02cSchristos /*
6338dbcf02cSchristos * struct {
6348dbcf02cSchristos * ProtocolVersion client_version;
6358dbcf02cSchristos * opaque random[46];
6368dbcf02cSchristos * } PreMasterSecret;
6378dbcf02cSchristos *
6388dbcf02cSchristos * struct {
6398dbcf02cSchristos * public-key-encrypted PreMasterSecret pre_master_secret;
6408dbcf02cSchristos * } EncryptedPreMasterSecret;
6418dbcf02cSchristos */
6428dbcf02cSchristos
6438dbcf02cSchristos /*
6448dbcf02cSchristos * Note: To avoid Bleichenbacher attack, we do not report decryption or
6458dbcf02cSchristos * parsing errors from EncryptedPreMasterSecret processing to the
6468dbcf02cSchristos * client. Instead, a random pre-master secret is used to force the
6478dbcf02cSchristos * handshake to fail.
6488dbcf02cSchristos */
6498dbcf02cSchristos
6508dbcf02cSchristos if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
65142669be3Schristos pos, encr_len,
6528dbcf02cSchristos out, &outlen) < 0) {
6538dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
65442669be3Schristos "PreMasterSecret (encr_len=%u outlen=%lu)",
65542669be3Schristos encr_len, (unsigned long) outlen);
6568dbcf02cSchristos use_random = 1;
6578dbcf02cSchristos }
6588dbcf02cSchristos
65942669be3Schristos if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
66036d97821Schristos tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
66136d97821Schristos (unsigned long) outlen);
6628dbcf02cSchristos use_random = 1;
6638dbcf02cSchristos }
6648dbcf02cSchristos
66542669be3Schristos if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
66636d97821Schristos tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
6678dbcf02cSchristos use_random = 1;
6688dbcf02cSchristos }
6698dbcf02cSchristos
6708dbcf02cSchristos if (use_random) {
6718dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
6728dbcf02cSchristos "to avoid revealing information about private key");
6738dbcf02cSchristos outlen = TLS_PRE_MASTER_SECRET_LEN;
6748dbcf02cSchristos if (os_get_random(out, outlen)) {
6758dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
6768dbcf02cSchristos "data");
6778dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
6788dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
6798dbcf02cSchristos os_free(out);
6808dbcf02cSchristos return -1;
6818dbcf02cSchristos }
6828dbcf02cSchristos }
6838dbcf02cSchristos
6848dbcf02cSchristos res = tlsv1_server_derive_keys(conn, out, outlen);
6858dbcf02cSchristos
6868dbcf02cSchristos /* Clear the pre-master secret since it is not needed anymore */
6878dbcf02cSchristos os_memset(out, 0, outbuflen);
6888dbcf02cSchristos os_free(out);
6898dbcf02cSchristos
6908dbcf02cSchristos if (res) {
6918dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
6928dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
6938dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
6948dbcf02cSchristos return -1;
6958dbcf02cSchristos }
6968dbcf02cSchristos
6978dbcf02cSchristos return 0;
6988dbcf02cSchristos }
6998dbcf02cSchristos
7008dbcf02cSchristos
tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)70136d97821Schristos static int tls_process_client_key_exchange_dh(
7028dbcf02cSchristos struct tlsv1_server *conn, const u8 *pos, const u8 *end)
7038dbcf02cSchristos {
7048dbcf02cSchristos const u8 *dh_yc;
7058dbcf02cSchristos u16 dh_yc_len;
7068dbcf02cSchristos u8 *shared;
7078dbcf02cSchristos size_t shared_len;
7088dbcf02cSchristos int res;
70936d97821Schristos const u8 *dh_p;
71036d97821Schristos size_t dh_p_len;
7118dbcf02cSchristos
7128dbcf02cSchristos /*
7138dbcf02cSchristos * struct {
7148dbcf02cSchristos * select (PublicValueEncoding) {
7158dbcf02cSchristos * case implicit: struct { };
7168dbcf02cSchristos * case explicit: opaque dh_Yc<1..2^16-1>;
7178dbcf02cSchristos * } dh_public;
7188dbcf02cSchristos * } ClientDiffieHellmanPublic;
7198dbcf02cSchristos */
7208dbcf02cSchristos
72136d97821Schristos tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
7228dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
7238dbcf02cSchristos pos, end - pos);
7248dbcf02cSchristos
7258dbcf02cSchristos if (end == pos) {
7268dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
7278dbcf02cSchristos "not supported");
7288dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7298dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
7308dbcf02cSchristos return -1;
7318dbcf02cSchristos }
7328dbcf02cSchristos
7338dbcf02cSchristos if (end - pos < 3) {
73436d97821Schristos tlsv1_server_log(conn, "Invalid client public value length");
7358dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7368dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
7378dbcf02cSchristos return -1;
7388dbcf02cSchristos }
7398dbcf02cSchristos
7408dbcf02cSchristos dh_yc_len = WPA_GET_BE16(pos);
7418dbcf02cSchristos dh_yc = pos + 2;
7428dbcf02cSchristos
7439a53cbbeSchristos if (dh_yc_len > end - dh_yc) {
74436d97821Schristos tlsv1_server_log(conn, "Client public value overflow (length %d)",
74536d97821Schristos dh_yc_len);
7468dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7478dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
7488dbcf02cSchristos return -1;
7498dbcf02cSchristos }
7508dbcf02cSchristos
7518dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
7528dbcf02cSchristos dh_yc, dh_yc_len);
7538dbcf02cSchristos
7548dbcf02cSchristos if (conn->cred == NULL || conn->cred->dh_p == NULL ||
7558dbcf02cSchristos conn->dh_secret == NULL) {
7568dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
7578dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7588dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
7598dbcf02cSchristos return -1;
7608dbcf02cSchristos }
7618dbcf02cSchristos
76236d97821Schristos tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
76336d97821Schristos
76436d97821Schristos shared_len = dh_p_len;
7658dbcf02cSchristos shared = os_malloc(shared_len);
7668dbcf02cSchristos if (shared == NULL) {
7678dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
7688dbcf02cSchristos "DH");
7698dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7708dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
7718dbcf02cSchristos return -1;
7728dbcf02cSchristos }
7738dbcf02cSchristos
7748dbcf02cSchristos /* shared = Yc^secret mod p */
7758dbcf02cSchristos if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
77636d97821Schristos conn->dh_secret_len, dh_p, dh_p_len,
7778dbcf02cSchristos shared, &shared_len)) {
7788dbcf02cSchristos os_free(shared);
7798dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7808dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
7818dbcf02cSchristos return -1;
7828dbcf02cSchristos }
7838dbcf02cSchristos wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
7848dbcf02cSchristos shared, shared_len);
7858dbcf02cSchristos
7868dbcf02cSchristos os_memset(conn->dh_secret, 0, conn->dh_secret_len);
7878dbcf02cSchristos os_free(conn->dh_secret);
7888dbcf02cSchristos conn->dh_secret = NULL;
7898dbcf02cSchristos
7908dbcf02cSchristos res = tlsv1_server_derive_keys(conn, shared, shared_len);
7918dbcf02cSchristos
7928dbcf02cSchristos /* Clear the pre-master secret since it is not needed anymore */
7938dbcf02cSchristos os_memset(shared, 0, shared_len);
7948dbcf02cSchristos os_free(shared);
7958dbcf02cSchristos
7968dbcf02cSchristos if (res) {
7978dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
7988dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
7998dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
8008dbcf02cSchristos return -1;
8018dbcf02cSchristos }
8028dbcf02cSchristos
8038dbcf02cSchristos return 0;
8048dbcf02cSchristos }
8058dbcf02cSchristos
8068dbcf02cSchristos
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)8078dbcf02cSchristos static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
8088dbcf02cSchristos const u8 *in_data, size_t *in_len)
8098dbcf02cSchristos {
8108dbcf02cSchristos const u8 *pos, *end;
8118dbcf02cSchristos size_t left, len;
8128dbcf02cSchristos u8 type;
8138dbcf02cSchristos tls_key_exchange keyx;
8148dbcf02cSchristos const struct tls_cipher_suite *suite;
8158dbcf02cSchristos
8168dbcf02cSchristos if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
81736d97821Schristos tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
81836d97821Schristos ct);
8198dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
8208dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
8218dbcf02cSchristos return -1;
8228dbcf02cSchristos }
8238dbcf02cSchristos
8248dbcf02cSchristos pos = in_data;
8258dbcf02cSchristos left = *in_len;
8268dbcf02cSchristos
8278dbcf02cSchristos if (left < 4) {
82836d97821Schristos tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
82936d97821Schristos (unsigned long) left);
8308dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
8318dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
8328dbcf02cSchristos return -1;
8338dbcf02cSchristos }
8348dbcf02cSchristos
8358dbcf02cSchristos type = *pos++;
8368dbcf02cSchristos len = WPA_GET_BE24(pos);
8378dbcf02cSchristos pos += 3;
8388dbcf02cSchristos left -= 4;
8398dbcf02cSchristos
8408dbcf02cSchristos if (len > left) {
84136d97821Schristos tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
8428dbcf02cSchristos (unsigned long) len, (unsigned long) left);
8438dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
8448dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
8458dbcf02cSchristos return -1;
8468dbcf02cSchristos }
8478dbcf02cSchristos
8488dbcf02cSchristos end = pos + len;
8498dbcf02cSchristos
8508dbcf02cSchristos if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
85136d97821Schristos tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
85236d97821Schristos type);
8538dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
8548dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
8558dbcf02cSchristos return -1;
8568dbcf02cSchristos }
8578dbcf02cSchristos
85836d97821Schristos tlsv1_server_log(conn, "Received ClientKeyExchange");
8598dbcf02cSchristos
8608dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
8618dbcf02cSchristos
8628dbcf02cSchristos suite = tls_get_cipher_suite(conn->rl.cipher_suite);
8638dbcf02cSchristos if (suite == NULL)
8648dbcf02cSchristos keyx = TLS_KEY_X_NULL;
8658dbcf02cSchristos else
8668dbcf02cSchristos keyx = suite->key_exchange;
8678dbcf02cSchristos
86836d97821Schristos if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
86936d97821Schristos tls_process_client_key_exchange_dh(conn, pos, end) < 0)
8708dbcf02cSchristos return -1;
8718dbcf02cSchristos
87236d97821Schristos if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
8738dbcf02cSchristos tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
8748dbcf02cSchristos return -1;
8758dbcf02cSchristos
8768dbcf02cSchristos *in_len = end - in_data;
8778dbcf02cSchristos
8788dbcf02cSchristos conn->state = CERTIFICATE_VERIFY;
8798dbcf02cSchristos
8808dbcf02cSchristos return 0;
8818dbcf02cSchristos }
8828dbcf02cSchristos
8838dbcf02cSchristos
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)8848dbcf02cSchristos static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
8858dbcf02cSchristos const u8 *in_data, size_t *in_len)
8868dbcf02cSchristos {
8878dbcf02cSchristos const u8 *pos, *end;
8888dbcf02cSchristos size_t left, len;
8898dbcf02cSchristos u8 type;
89036d97821Schristos size_t hlen;
89136d97821Schristos u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
89236d97821Schristos u8 alert;
8938dbcf02cSchristos
8948dbcf02cSchristos if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
8958dbcf02cSchristos if (conn->verify_peer) {
89636d97821Schristos tlsv1_server_log(conn, "Client did not include CertificateVerify");
8978dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
8988dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
8998dbcf02cSchristos return -1;
9008dbcf02cSchristos }
9018dbcf02cSchristos
9028dbcf02cSchristos return tls_process_change_cipher_spec(conn, ct, in_data,
9038dbcf02cSchristos in_len);
9048dbcf02cSchristos }
9058dbcf02cSchristos
9068dbcf02cSchristos if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
90736d97821Schristos tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
90836d97821Schristos ct);
9098dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
9108dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
9118dbcf02cSchristos return -1;
9128dbcf02cSchristos }
9138dbcf02cSchristos
9148dbcf02cSchristos pos = in_data;
9158dbcf02cSchristos left = *in_len;
9168dbcf02cSchristos
9178dbcf02cSchristos if (left < 4) {
91836d97821Schristos tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
91936d97821Schristos (unsigned long) left);
9208dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
9218dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
9228dbcf02cSchristos return -1;
9238dbcf02cSchristos }
9248dbcf02cSchristos
9258dbcf02cSchristos type = *pos++;
9268dbcf02cSchristos len = WPA_GET_BE24(pos);
9278dbcf02cSchristos pos += 3;
9288dbcf02cSchristos left -= 4;
9298dbcf02cSchristos
9308dbcf02cSchristos if (len > left) {
93136d97821Schristos tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
9328dbcf02cSchristos (unsigned long) len, (unsigned long) left);
9338dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
9348dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
9358dbcf02cSchristos return -1;
9368dbcf02cSchristos }
9378dbcf02cSchristos
9388dbcf02cSchristos end = pos + len;
9398dbcf02cSchristos
9408dbcf02cSchristos if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
94136d97821Schristos tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
94236d97821Schristos type);
9438dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
9448dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
9458dbcf02cSchristos return -1;
9468dbcf02cSchristos }
9478dbcf02cSchristos
94836d97821Schristos tlsv1_server_log(conn, "Received CertificateVerify");
9498dbcf02cSchristos
9508dbcf02cSchristos /*
9518dbcf02cSchristos * struct {
9528dbcf02cSchristos * Signature signature;
9538dbcf02cSchristos * } CertificateVerify;
9548dbcf02cSchristos */
9558dbcf02cSchristos
9568dbcf02cSchristos hpos = hash;
9578dbcf02cSchristos
95862a52023Schristos #ifdef CONFIG_TLSV12
95962a52023Schristos if (conn->rl.tls_version == TLS_VERSION_1_2) {
96062a52023Schristos /*
96162a52023Schristos * RFC 5246, 4.7:
96262a52023Schristos * TLS v1.2 adds explicit indication of the used signature and
96362a52023Schristos * hash algorithms.
96462a52023Schristos *
96562a52023Schristos * struct {
96662a52023Schristos * HashAlgorithm hash;
96762a52023Schristos * SignatureAlgorithm signature;
96862a52023Schristos * } SignatureAndHashAlgorithm;
96962a52023Schristos */
97062a52023Schristos if (end - pos < 2) {
97162a52023Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
97262a52023Schristos TLS_ALERT_DECODE_ERROR);
97362a52023Schristos return -1;
97462a52023Schristos }
97562a52023Schristos if (pos[0] != TLS_HASH_ALG_SHA256 ||
97662a52023Schristos pos[1] != TLS_SIGN_ALG_RSA) {
97762a52023Schristos wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
97862a52023Schristos "signature(%u) algorithm",
97962a52023Schristos pos[0], pos[1]);
98062a52023Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
98162a52023Schristos TLS_ALERT_INTERNAL_ERROR);
98262a52023Schristos return -1;
98362a52023Schristos }
98462a52023Schristos pos += 2;
98562a52023Schristos
98662a52023Schristos hlen = SHA256_MAC_LEN;
98762a52023Schristos if (conn->verify.sha256_cert == NULL ||
98862a52023Schristos crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
98962a52023Schristos 0) {
99062a52023Schristos conn->verify.sha256_cert = NULL;
99162a52023Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
99262a52023Schristos TLS_ALERT_INTERNAL_ERROR);
99362a52023Schristos return -1;
99462a52023Schristos }
99562a52023Schristos conn->verify.sha256_cert = NULL;
99662a52023Schristos } else {
99762a52023Schristos #endif /* CONFIG_TLSV12 */
99862a52023Schristos
9998dbcf02cSchristos hlen = MD5_MAC_LEN;
10008dbcf02cSchristos if (conn->verify.md5_cert == NULL ||
10019a53cbbeSchristos crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
10028dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
10038dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
10048dbcf02cSchristos conn->verify.md5_cert = NULL;
10058dbcf02cSchristos crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
10068dbcf02cSchristos conn->verify.sha1_cert = NULL;
10078dbcf02cSchristos return -1;
10088dbcf02cSchristos }
10098dbcf02cSchristos hpos += MD5_MAC_LEN;
10108dbcf02cSchristos
10118dbcf02cSchristos conn->verify.md5_cert = NULL;
10128dbcf02cSchristos hlen = SHA1_MAC_LEN;
10138dbcf02cSchristos if (conn->verify.sha1_cert == NULL ||
10148dbcf02cSchristos crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
10158dbcf02cSchristos conn->verify.sha1_cert = NULL;
10168dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
10178dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
10188dbcf02cSchristos return -1;
10198dbcf02cSchristos }
10208dbcf02cSchristos conn->verify.sha1_cert = NULL;
10218dbcf02cSchristos
10228dbcf02cSchristos hlen += MD5_MAC_LEN;
10238dbcf02cSchristos
102462a52023Schristos #ifdef CONFIG_TLSV12
102562a52023Schristos }
102662a52023Schristos #endif /* CONFIG_TLSV12 */
102762a52023Schristos
10288dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
10298dbcf02cSchristos
103036d97821Schristos if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
103136d97821Schristos hash, hlen, pos, end - pos, &alert) < 0) {
103236d97821Schristos tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
103336d97821Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
10348dbcf02cSchristos return -1;
10358dbcf02cSchristos }
10368dbcf02cSchristos
10378dbcf02cSchristos *in_len = end - in_data;
10388dbcf02cSchristos
10398dbcf02cSchristos conn->state = CHANGE_CIPHER_SPEC;
10408dbcf02cSchristos
10418dbcf02cSchristos return 0;
10428dbcf02cSchristos }
10438dbcf02cSchristos
10448dbcf02cSchristos
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)10458dbcf02cSchristos static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
10468dbcf02cSchristos u8 ct, const u8 *in_data,
10478dbcf02cSchristos size_t *in_len)
10488dbcf02cSchristos {
10498dbcf02cSchristos const u8 *pos;
10508dbcf02cSchristos size_t left;
10518dbcf02cSchristos
10528dbcf02cSchristos if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
105336d97821Schristos tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
105436d97821Schristos ct);
10558dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
10568dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
10578dbcf02cSchristos return -1;
10588dbcf02cSchristos }
10598dbcf02cSchristos
10608dbcf02cSchristos pos = in_data;
10618dbcf02cSchristos left = *in_len;
10628dbcf02cSchristos
10638dbcf02cSchristos if (left < 1) {
106436d97821Schristos tlsv1_server_log(conn, "Too short ChangeCipherSpec");
10658dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
10668dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
10678dbcf02cSchristos return -1;
10688dbcf02cSchristos }
10698dbcf02cSchristos
10708dbcf02cSchristos if (*pos != TLS_CHANGE_CIPHER_SPEC) {
107136d97821Schristos tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
107236d97821Schristos *pos);
10738dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
10748dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
10758dbcf02cSchristos return -1;
10768dbcf02cSchristos }
10778dbcf02cSchristos
107836d97821Schristos tlsv1_server_log(conn, "Received ChangeCipherSpec");
10798dbcf02cSchristos if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
10808dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
10818dbcf02cSchristos "for record layer");
10828dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
10838dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
10848dbcf02cSchristos return -1;
10858dbcf02cSchristos }
10868dbcf02cSchristos
10878dbcf02cSchristos *in_len = pos + 1 - in_data;
10888dbcf02cSchristos
10898dbcf02cSchristos conn->state = CLIENT_FINISHED;
10908dbcf02cSchristos
10918dbcf02cSchristos return 0;
10928dbcf02cSchristos }
10938dbcf02cSchristos
10948dbcf02cSchristos
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)10958dbcf02cSchristos static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
10968dbcf02cSchristos const u8 *in_data, size_t *in_len)
10978dbcf02cSchristos {
10988dbcf02cSchristos const u8 *pos, *end;
10998dbcf02cSchristos size_t left, len, hlen;
11008dbcf02cSchristos u8 verify_data[TLS_VERIFY_DATA_LEN];
11018dbcf02cSchristos u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
11028dbcf02cSchristos
110336d97821Schristos #ifdef CONFIG_TESTING_OPTIONS
110436d97821Schristos if ((conn->test_flags &
110536d97821Schristos (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
110636d97821Schristos !conn->test_failure_reported) {
110736d97821Schristos tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
110836d97821Schristos conn->test_failure_reported = 1;
110936d97821Schristos }
111036d97821Schristos
111136d97821Schristos if ((conn->test_flags & TLS_DHE_PRIME_15) &&
111236d97821Schristos !conn->test_failure_reported) {
111336d97821Schristos tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
111436d97821Schristos conn->test_failure_reported = 1;
111536d97821Schristos }
111636d97821Schristos
111736d97821Schristos if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
111836d97821Schristos !conn->test_failure_reported) {
111936d97821Schristos tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
112036d97821Schristos conn->test_failure_reported = 1;
112136d97821Schristos }
112236d97821Schristos
112336d97821Schristos if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
112436d97821Schristos !conn->test_failure_reported) {
112536d97821Schristos tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
112636d97821Schristos conn->test_failure_reported = 1;
112736d97821Schristos }
112836d97821Schristos
112936d97821Schristos if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
113036d97821Schristos !conn->test_failure_reported) {
113136d97821Schristos tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
113236d97821Schristos conn->test_failure_reported = 1;
113336d97821Schristos }
113436d97821Schristos
113536d97821Schristos if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
113636d97821Schristos !conn->test_failure_reported) {
113736d97821Schristos tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
113836d97821Schristos conn->test_failure_reported = 1;
113936d97821Schristos }
114036d97821Schristos #endif /* CONFIG_TESTING_OPTIONS */
114136d97821Schristos
11428dbcf02cSchristos if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
114336d97821Schristos tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
114436d97821Schristos ct);
11458dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
11468dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
11478dbcf02cSchristos return -1;
11488dbcf02cSchristos }
11498dbcf02cSchristos
11508dbcf02cSchristos pos = in_data;
11518dbcf02cSchristos left = *in_len;
11528dbcf02cSchristos
11538dbcf02cSchristos if (left < 4) {
115436d97821Schristos tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
11558dbcf02cSchristos (unsigned long) left);
11568dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
11578dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
11588dbcf02cSchristos return -1;
11598dbcf02cSchristos }
11608dbcf02cSchristos
11618dbcf02cSchristos if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
11628dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
11638dbcf02cSchristos "type 0x%x", pos[0]);
11648dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
11658dbcf02cSchristos TLS_ALERT_UNEXPECTED_MESSAGE);
11668dbcf02cSchristos return -1;
11678dbcf02cSchristos }
11688dbcf02cSchristos
11698dbcf02cSchristos len = WPA_GET_BE24(pos + 1);
11708dbcf02cSchristos
11718dbcf02cSchristos pos += 4;
11728dbcf02cSchristos left -= 4;
11738dbcf02cSchristos
11748dbcf02cSchristos if (len > left) {
117536d97821Schristos tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
11768dbcf02cSchristos (unsigned long) len, (unsigned long) left);
11778dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
11788dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
11798dbcf02cSchristos return -1;
11808dbcf02cSchristos }
11818dbcf02cSchristos end = pos + len;
11828dbcf02cSchristos if (len != TLS_VERIFY_DATA_LEN) {
118336d97821Schristos tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
11848dbcf02cSchristos (unsigned long) len, TLS_VERIFY_DATA_LEN);
11858dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
11868dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
11878dbcf02cSchristos return -1;
11888dbcf02cSchristos }
11898dbcf02cSchristos wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
11908dbcf02cSchristos pos, TLS_VERIFY_DATA_LEN);
11918dbcf02cSchristos
119262a52023Schristos #ifdef CONFIG_TLSV12
119362a52023Schristos if (conn->rl.tls_version >= TLS_VERSION_1_2) {
119462a52023Schristos hlen = SHA256_MAC_LEN;
119562a52023Schristos if (conn->verify.sha256_client == NULL ||
119662a52023Schristos crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
119762a52023Schristos < 0) {
119862a52023Schristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
119962a52023Schristos TLS_ALERT_INTERNAL_ERROR);
120062a52023Schristos conn->verify.sha256_client = NULL;
120162a52023Schristos return -1;
120262a52023Schristos }
120362a52023Schristos conn->verify.sha256_client = NULL;
120462a52023Schristos } else {
120562a52023Schristos #endif /* CONFIG_TLSV12 */
120662a52023Schristos
12078dbcf02cSchristos hlen = MD5_MAC_LEN;
12088dbcf02cSchristos if (conn->verify.md5_client == NULL ||
12098dbcf02cSchristos crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
12108dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
12118dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
12128dbcf02cSchristos conn->verify.md5_client = NULL;
12138dbcf02cSchristos crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
12148dbcf02cSchristos conn->verify.sha1_client = NULL;
12158dbcf02cSchristos return -1;
12168dbcf02cSchristos }
12178dbcf02cSchristos conn->verify.md5_client = NULL;
12188dbcf02cSchristos hlen = SHA1_MAC_LEN;
12198dbcf02cSchristos if (conn->verify.sha1_client == NULL ||
12208dbcf02cSchristos crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
12218dbcf02cSchristos &hlen) < 0) {
12228dbcf02cSchristos conn->verify.sha1_client = NULL;
12238dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
12248dbcf02cSchristos TLS_ALERT_INTERNAL_ERROR);
12258dbcf02cSchristos return -1;
12268dbcf02cSchristos }
12278dbcf02cSchristos conn->verify.sha1_client = NULL;
122862a52023Schristos hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
12298dbcf02cSchristos
123062a52023Schristos #ifdef CONFIG_TLSV12
123162a52023Schristos }
123262a52023Schristos #endif /* CONFIG_TLSV12 */
123362a52023Schristos
123462a52023Schristos if (tls_prf(conn->rl.tls_version,
123562a52023Schristos conn->master_secret, TLS_MASTER_SECRET_LEN,
123662a52023Schristos "client finished", hash, hlen,
12378dbcf02cSchristos verify_data, TLS_VERIFY_DATA_LEN)) {
12388dbcf02cSchristos wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
12398dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
12408dbcf02cSchristos TLS_ALERT_DECRYPT_ERROR);
12418dbcf02cSchristos return -1;
12428dbcf02cSchristos }
12438dbcf02cSchristos wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
12448dbcf02cSchristos verify_data, TLS_VERIFY_DATA_LEN);
12458dbcf02cSchristos
124636d97821Schristos if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
124736d97821Schristos tlsv1_server_log(conn, "Mismatch in verify_data");
1248*0d69f216Schristos conn->state = FAILED;
12498dbcf02cSchristos return -1;
12508dbcf02cSchristos }
12518dbcf02cSchristos
125236d97821Schristos tlsv1_server_log(conn, "Received Finished");
12538dbcf02cSchristos
12548dbcf02cSchristos *in_len = end - in_data;
12558dbcf02cSchristos
12568dbcf02cSchristos if (conn->use_session_ticket) {
12578dbcf02cSchristos /* Abbreviated handshake using session ticket; RFC 4507 */
125836d97821Schristos tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
12598dbcf02cSchristos conn->state = ESTABLISHED;
12608dbcf02cSchristos } else {
12618dbcf02cSchristos /* Full handshake */
12628dbcf02cSchristos conn->state = SERVER_CHANGE_CIPHER_SPEC;
12638dbcf02cSchristos }
12648dbcf02cSchristos
12658dbcf02cSchristos return 0;
12668dbcf02cSchristos }
12678dbcf02cSchristos
12688dbcf02cSchristos
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)12698dbcf02cSchristos int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
12708dbcf02cSchristos const u8 *buf, size_t *len)
12718dbcf02cSchristos {
12728dbcf02cSchristos if (ct == TLS_CONTENT_TYPE_ALERT) {
12738dbcf02cSchristos if (*len < 2) {
127436d97821Schristos tlsv1_server_log(conn, "Alert underflow");
12758dbcf02cSchristos tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
12768dbcf02cSchristos TLS_ALERT_DECODE_ERROR);
12778dbcf02cSchristos return -1;
12788dbcf02cSchristos }
127936d97821Schristos tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
12808dbcf02cSchristos *len = 2;
12818dbcf02cSchristos conn->state = FAILED;
12828dbcf02cSchristos return -1;
12838dbcf02cSchristos }
12848dbcf02cSchristos
12858dbcf02cSchristos switch (conn->state) {
12868dbcf02cSchristos case CLIENT_HELLO:
12878dbcf02cSchristos if (tls_process_client_hello(conn, ct, buf, len))
12888dbcf02cSchristos return -1;
12898dbcf02cSchristos break;
12908dbcf02cSchristos case CLIENT_CERTIFICATE:
12918dbcf02cSchristos if (tls_process_certificate(conn, ct, buf, len))
12928dbcf02cSchristos return -1;
12938dbcf02cSchristos break;
12948dbcf02cSchristos case CLIENT_KEY_EXCHANGE:
12958dbcf02cSchristos if (tls_process_client_key_exchange(conn, ct, buf, len))
12968dbcf02cSchristos return -1;
12978dbcf02cSchristos break;
12988dbcf02cSchristos case CERTIFICATE_VERIFY:
12998dbcf02cSchristos if (tls_process_certificate_verify(conn, ct, buf, len))
13008dbcf02cSchristos return -1;
13018dbcf02cSchristos break;
13028dbcf02cSchristos case CHANGE_CIPHER_SPEC:
13038dbcf02cSchristos if (tls_process_change_cipher_spec(conn, ct, buf, len))
13048dbcf02cSchristos return -1;
13058dbcf02cSchristos break;
13068dbcf02cSchristos case CLIENT_FINISHED:
13078dbcf02cSchristos if (tls_process_client_finished(conn, ct, buf, len))
13088dbcf02cSchristos return -1;
13098dbcf02cSchristos break;
13108dbcf02cSchristos default:
131136d97821Schristos tlsv1_server_log(conn, "Unexpected state %d while processing received message",
13128dbcf02cSchristos conn->state);
13138dbcf02cSchristos return -1;
13148dbcf02cSchristos }
13158dbcf02cSchristos
13168dbcf02cSchristos if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
13178dbcf02cSchristos tls_verify_hash_add(&conn->verify, buf, *len);
13188dbcf02cSchristos
13198dbcf02cSchristos return 0;
13208dbcf02cSchristos }
1321