xref: /dragonfly/contrib/wpa_supplicant/src/tls/tlsv1_server_read.c (revision 3a84a4273475ed07d0ab1c2dfeffdfedef35d9cd)
1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21 
22 
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24                                                      const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26                                                     u8 ct, const u8 *in_data,
27                                                     size_t *in_len);
28 
29 
testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33           if ((conn->test_flags &
34                (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35                 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36                 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37               suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38               suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39               suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40               suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41               suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42                     return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44 
45           return 0;
46 }
47 
48 
tls_process_status_request_item(struct tlsv1_server * conn,const u8 * req,size_t req_len)49 static void tls_process_status_request_item(struct tlsv1_server *conn,
50                                                       const u8 *req, size_t req_len)
51 {
52           const u8 *pos, *end;
53           u8 status_type;
54 
55           pos = req;
56           end = req + req_len;
57 
58           /*
59            * RFC 6961, 2.2:
60            * struct {
61            *   CertificateStatusType status_type;
62            *   uint16 request_length;
63            *   select (status_type) {
64            *     case ocsp: OCSPStatusRequest;
65            *     case ocsp_multi: OCSPStatusRequest;
66            *   } request;
67            * } CertificateStatusRequestItemV2;
68            *
69            * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
70            */
71 
72           if (end - pos < 1)
73                     return; /* Truncated data */
74 
75           status_type = *pos++;
76           wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77           if (status_type != 1 && status_type != 2)
78                     return; /* Unsupported status type */
79           /*
80            * For now, only OCSP stapling is supported, so ignore the specific
81            * request, if any.
82            */
83           wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
84 
85           if (status_type == 2)
86                     conn->status_request_multi = 1;
87 }
88 
89 
tls_process_status_request_v2(struct tlsv1_server * conn,const u8 * ext,size_t ext_len)90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
91                                                     const u8 *ext, size_t ext_len)
92 {
93           const u8 *pos, *end;
94 
95           conn->status_request_v2 = 1;
96 
97           pos = ext;
98           end = ext + ext_len;
99 
100           /*
101            * RFC 6961, 2.2:
102            * struct {
103            *   CertificateStatusRequestItemV2
104            *                    certificate_status_req_list<1..2^16-1>;
105            * } CertificateStatusRequestListV2;
106            */
107 
108           while (end - pos >= 2) {
109                     u16 len;
110 
111                     len = WPA_GET_BE16(pos);
112                     pos += 2;
113                     if (len > end - pos)
114                               break; /* Truncated data */
115                     tls_process_status_request_item(conn, pos, len);
116                     pos += len;
117           }
118 }
119 
120 
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
122                                             const u8 *in_data, size_t *in_len)
123 {
124           const u8 *pos, *end, *c;
125           size_t left, len, i, j;
126           u16 cipher_suite;
127           u16 num_suites;
128           int compr_null_found;
129           u16 ext_type, ext_len;
130 
131           if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
132                     tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
133                                          ct);
134                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
135                                            TLS_ALERT_UNEXPECTED_MESSAGE);
136                     return -1;
137           }
138 
139           pos = in_data;
140           left = *in_len;
141 
142           if (left < 4) {
143                     tlsv1_server_log(conn,
144                                          "Truncated handshake message (expected ClientHello)");
145                     goto decode_error;
146           }
147 
148           /* HandshakeType msg_type */
149           if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
150                     tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
151                                          *pos);
152                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153                                            TLS_ALERT_UNEXPECTED_MESSAGE);
154                     return -1;
155           }
156           tlsv1_server_log(conn, "Received ClientHello");
157           pos++;
158           /* uint24 length */
159           len = WPA_GET_BE24(pos);
160           pos += 3;
161           left -= 4;
162 
163           if (len > left) {
164                     tlsv1_server_log(conn,
165                                          "Truncated ClientHello (len=%d left=%d)",
166                                          (int) len, (int) left);
167                     goto decode_error;
168           }
169 
170           /* body - ClientHello */
171 
172           wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
173           end = pos + len;
174 
175           /* ProtocolVersion client_version */
176           if (end - pos < 2) {
177                     tlsv1_server_log(conn, "Truncated ClientHello/client_version");
178                     goto decode_error;
179           }
180           conn->client_version = WPA_GET_BE16(pos);
181           tlsv1_server_log(conn, "Client version %d.%d",
182                                conn->client_version >> 8,
183                                conn->client_version & 0xff);
184           if (conn->client_version < TLS_VERSION_1) {
185                     tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
186                                          conn->client_version >> 8,
187                                          conn->client_version & 0xff);
188                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
189                                            TLS_ALERT_PROTOCOL_VERSION);
190                     return -1;
191           }
192           pos += 2;
193 
194           if (TLS_VERSION == TLS_VERSION_1)
195                     conn->rl.tls_version = TLS_VERSION_1;
196 #ifdef CONFIG_TLSV12
197           else if (conn->client_version >= TLS_VERSION_1_2)
198                     conn->rl.tls_version = TLS_VERSION_1_2;
199 #endif /* CONFIG_TLSV12 */
200           else if (conn->client_version > TLS_VERSION_1_1)
201                     conn->rl.tls_version = TLS_VERSION_1_1;
202           else
203                     conn->rl.tls_version = conn->client_version;
204           tlsv1_server_log(conn, "Using TLS v%s",
205                                tls_version_str(conn->rl.tls_version));
206 
207           /* Random random */
208           if (end - pos < TLS_RANDOM_LEN) {
209                     tlsv1_server_log(conn, "Truncated ClientHello/client_random");
210                     goto decode_error;
211           }
212 
213           os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
214           pos += TLS_RANDOM_LEN;
215           wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
216                         conn->client_random, TLS_RANDOM_LEN);
217 
218           /* SessionID session_id */
219           if (end - pos < 1) {
220                     tlsv1_server_log(conn, "Truncated ClientHello/session_id len");
221                     goto decode_error;
222           }
223           if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) {
224                     tlsv1_server_log(conn, "Truncated ClientHello/session_id");
225                     goto decode_error;
226           }
227           wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
228           pos += 1 + *pos;
229           /* TODO: add support for session resumption */
230 
231           /* CipherSuite cipher_suites<2..2^16-1> */
232           if (end - pos < 2) {
233                     tlsv1_server_log(conn,
234                                          "Truncated ClientHello/cipher_suites len");
235                     goto decode_error;
236           }
237           num_suites = WPA_GET_BE16(pos);
238           pos += 2;
239           if (end - pos < num_suites) {
240                     tlsv1_server_log(conn, "Truncated ClientHello/cipher_suites");
241                     goto decode_error;
242           }
243           wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
244                         pos, num_suites);
245           if (num_suites & 1) {
246                     tlsv1_server_log(conn, "Odd len ClientHello/cipher_suites");
247                     goto decode_error;
248           }
249           num_suites /= 2;
250 
251           cipher_suite = 0;
252           for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
253                     if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
254                               continue;
255                     c = pos;
256                     for (j = 0; j < num_suites; j++) {
257                               u16 tmp = WPA_GET_BE16(c);
258                               c += 2;
259                               if (!cipher_suite && tmp == conn->cipher_suites[i]) {
260                                         cipher_suite = tmp;
261                                         break;
262                               }
263                     }
264           }
265           pos += num_suites * 2;
266           if (!cipher_suite) {
267                     tlsv1_server_log(conn, "No supported cipher suite available");
268                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
269                                            TLS_ALERT_ILLEGAL_PARAMETER);
270                     return -1;
271           }
272 
273           if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
274                     wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
275                                  "record layer");
276                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
277                                            TLS_ALERT_INTERNAL_ERROR);
278                     return -1;
279           }
280 
281           conn->cipher_suite = cipher_suite;
282 
283           /* CompressionMethod compression_methods<1..2^8-1> */
284           if (end - pos < 1) {
285                     tlsv1_server_log(conn,
286                                          "Truncated ClientHello/compression_methods len");
287                     goto decode_error;
288           }
289           num_suites = *pos++;
290           if (end - pos < num_suites) {
291                     tlsv1_server_log(conn,
292                                          "Truncated ClientHello/compression_methods");
293                     goto decode_error;
294           }
295           wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
296                         pos, num_suites);
297           compr_null_found = 0;
298           for (i = 0; i < num_suites; i++) {
299                     if (*pos++ == TLS_COMPRESSION_NULL)
300                               compr_null_found = 1;
301           }
302           if (!compr_null_found) {
303                     tlsv1_server_log(conn, "Client does not accept NULL compression");
304                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305                                            TLS_ALERT_ILLEGAL_PARAMETER);
306                     return -1;
307           }
308 
309           if (end - pos == 1) {
310                     tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
311                                          *pos);
312                     goto decode_error;
313           }
314 
315           if (end - pos >= 2) {
316                     /* Extension client_hello_extension_list<0..2^16-1> */
317                     ext_len = WPA_GET_BE16(pos);
318                     pos += 2;
319 
320                     tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
321                                          ext_len);
322                     if (end - pos != ext_len) {
323                               tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
324                                                    ext_len, (unsigned int) (end - pos));
325                               goto decode_error;
326                     }
327 
328                     /*
329                      * struct {
330                      *   ExtensionType extension_type (0..65535)
331                      *   opaque extension_data<0..2^16-1>
332                      * } Extension;
333                      */
334 
335                     while (pos < end) {
336                               if (end - pos < 2) {
337                                         tlsv1_server_log(conn, "Invalid extension_type field");
338                                         goto decode_error;
339                               }
340 
341                               ext_type = WPA_GET_BE16(pos);
342                               pos += 2;
343 
344                               if (end - pos < 2) {
345                                         tlsv1_server_log(conn, "Invalid extension_data length field");
346                                         goto decode_error;
347                               }
348 
349                               ext_len = WPA_GET_BE16(pos);
350                               pos += 2;
351 
352                               if (end - pos < ext_len) {
353                                         tlsv1_server_log(conn, "Invalid extension_data field");
354                                         goto decode_error;
355                               }
356 
357                               tlsv1_server_log(conn, "ClientHello Extension type %u",
358                                                    ext_type);
359                               wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
360                                             "Extension data", pos, ext_len);
361 
362                               if (ext_type == TLS_EXT_SESSION_TICKET) {
363                                         os_free(conn->session_ticket);
364                                         conn->session_ticket = os_malloc(ext_len);
365                                         if (conn->session_ticket) {
366                                                   os_memcpy(conn->session_ticket, pos,
367                                                               ext_len);
368                                                   conn->session_ticket_len = ext_len;
369                                         }
370                               } else if (ext_type == TLS_EXT_STATUS_REQUEST) {
371                                         conn->status_request = 1;
372                               } else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
373                                         tls_process_status_request_v2(conn, pos,
374                                                                             ext_len);
375                               }
376 
377                               pos += ext_len;
378                     }
379           }
380 
381           *in_len = end - in_data;
382 
383           tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
384           conn->state = SERVER_HELLO;
385 
386           return 0;
387 
388 decode_error:
389           tlsv1_server_log(conn, "Failed to decode ClientHello");
390           tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
391                                  TLS_ALERT_DECODE_ERROR);
392           return -1;
393 }
394 
395 
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)396 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
397                                            const u8 *in_data, size_t *in_len)
398 {
399           const u8 *pos, *end;
400           size_t left, len, list_len, cert_len, idx;
401           u8 type;
402           struct x509_certificate *chain = NULL, *last = NULL, *cert;
403           int reason;
404 
405           if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
406                     tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
407                                          ct);
408                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
409                                            TLS_ALERT_UNEXPECTED_MESSAGE);
410                     return -1;
411           }
412 
413           pos = in_data;
414           left = *in_len;
415 
416           if (left < 4) {
417                     tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
418                                          (unsigned long) left);
419                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420                                            TLS_ALERT_DECODE_ERROR);
421                     return -1;
422           }
423 
424           type = *pos++;
425           len = WPA_GET_BE24(pos);
426           pos += 3;
427           left -= 4;
428 
429           if (len > left) {
430                     tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
431                                          (unsigned long) len, (unsigned long) left);
432                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
433                                            TLS_ALERT_DECODE_ERROR);
434                     return -1;
435           }
436 
437           if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
438                     if (conn->verify_peer) {
439                               tlsv1_server_log(conn, "Client did not include Certificate");
440                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
441                                                      TLS_ALERT_UNEXPECTED_MESSAGE);
442                               return -1;
443                     }
444 
445                     return tls_process_client_key_exchange(conn, ct, in_data,
446                                                                    in_len);
447           }
448           if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
449                     tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
450                                          type);
451                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
452                                            TLS_ALERT_UNEXPECTED_MESSAGE);
453                     return -1;
454           }
455 
456           tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
457                                (unsigned long) len);
458 
459           /*
460            * opaque ASN.1Cert<2^24-1>;
461            *
462            * struct {
463            *     ASN.1Cert certificate_list<1..2^24-1>;
464            * } Certificate;
465            */
466 
467           end = pos + len;
468 
469           if (end - pos < 3) {
470                     tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
471                                          (unsigned long) left);
472                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
473                                            TLS_ALERT_DECODE_ERROR);
474                     return -1;
475           }
476 
477           list_len = WPA_GET_BE24(pos);
478           pos += 3;
479 
480           if ((size_t) (end - pos) != list_len) {
481                     tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
482                                          (unsigned long) list_len,
483                                          (unsigned long) (end - pos));
484                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
485                                            TLS_ALERT_DECODE_ERROR);
486                     return -1;
487           }
488 
489           idx = 0;
490           while (pos < end) {
491                     if (end - pos < 3) {
492                               tlsv1_server_log(conn, "Failed to parse certificate_list");
493                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
494                                                      TLS_ALERT_DECODE_ERROR);
495                               x509_certificate_chain_free(chain);
496                               return -1;
497                     }
498 
499                     cert_len = WPA_GET_BE24(pos);
500                     pos += 3;
501 
502                     if ((size_t) (end - pos) < cert_len) {
503                               tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
504                                                    (unsigned long) cert_len,
505                                                    (unsigned long) (end - pos));
506                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
507                                                      TLS_ALERT_DECODE_ERROR);
508                               x509_certificate_chain_free(chain);
509                               return -1;
510                     }
511 
512                     tlsv1_server_log(conn, "Certificate %lu (len %lu)",
513                                          (unsigned long) idx, (unsigned long) cert_len);
514 
515                     if (idx == 0) {
516                               crypto_public_key_free(conn->client_rsa_key);
517                               if (tls_parse_cert(pos, cert_len,
518                                                      &conn->client_rsa_key)) {
519                                         tlsv1_server_log(conn, "Failed to parse the certificate");
520                                         tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
521                                                                TLS_ALERT_BAD_CERTIFICATE);
522                                         x509_certificate_chain_free(chain);
523                                         return -1;
524                               }
525                     }
526 
527                     cert = x509_certificate_parse(pos, cert_len);
528                     if (cert == NULL) {
529                               tlsv1_server_log(conn, "Failed to parse the certificate");
530                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
531                                                      TLS_ALERT_BAD_CERTIFICATE);
532                               x509_certificate_chain_free(chain);
533                               return -1;
534                     }
535 
536                     if (last == NULL)
537                               chain = cert;
538                     else
539                               last->next = cert;
540                     last = cert;
541 
542                     idx++;
543                     pos += cert_len;
544           }
545 
546           if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
547                                                       &reason, 0) < 0) {
548                     int tls_reason;
549                     tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
550                                          reason);
551                     switch (reason) {
552                     case X509_VALIDATE_BAD_CERTIFICATE:
553                               tls_reason = TLS_ALERT_BAD_CERTIFICATE;
554                               break;
555                     case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
556                               tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
557                               break;
558                     case X509_VALIDATE_CERTIFICATE_REVOKED:
559                               tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
560                               break;
561                     case X509_VALIDATE_CERTIFICATE_EXPIRED:
562                               tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
563                               break;
564                     case X509_VALIDATE_CERTIFICATE_UNKNOWN:
565                               tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
566                               break;
567                     case X509_VALIDATE_UNKNOWN_CA:
568                               tls_reason = TLS_ALERT_UNKNOWN_CA;
569                               break;
570                     default:
571                               tls_reason = TLS_ALERT_BAD_CERTIFICATE;
572                               break;
573                     }
574                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
575                     x509_certificate_chain_free(chain);
576                     return -1;
577           }
578 
579           if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
580               !(chain->ext_key_usage &
581                 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
582                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
583                                            TLS_ALERT_BAD_CERTIFICATE);
584                     x509_certificate_chain_free(chain);
585                     return -1;
586           }
587 
588           x509_certificate_chain_free(chain);
589 
590           *in_len = end - in_data;
591 
592           conn->state = CLIENT_KEY_EXCHANGE;
593 
594           return 0;
595 }
596 
597 
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)598 static int tls_process_client_key_exchange_rsa(
599           struct tlsv1_server *conn, const u8 *pos, const u8 *end)
600 {
601           u8 *out;
602           size_t outlen, outbuflen;
603           u16 encr_len;
604           int res;
605           int use_random = 0;
606 
607           if (end - pos < 2) {
608                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
609                                            TLS_ALERT_DECODE_ERROR);
610                     return -1;
611           }
612 
613           encr_len = WPA_GET_BE16(pos);
614           pos += 2;
615           if (pos + encr_len > end) {
616                     tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
617                                          encr_len, (unsigned int) (end - pos));
618                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
619                                            TLS_ALERT_DECODE_ERROR);
620                     return -1;
621           }
622 
623           outbuflen = outlen = end - pos;
624           out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
625                               outlen : TLS_PRE_MASTER_SECRET_LEN);
626           if (out == NULL) {
627                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628                                            TLS_ALERT_INTERNAL_ERROR);
629                     return -1;
630           }
631 
632           /*
633            * struct {
634            *   ProtocolVersion client_version;
635            *   opaque random[46];
636            * } PreMasterSecret;
637            *
638            * struct {
639            *   public-key-encrypted PreMasterSecret pre_master_secret;
640            * } EncryptedPreMasterSecret;
641            */
642 
643           /*
644            * Note: To avoid Bleichenbacher attack, we do not report decryption or
645            * parsing errors from EncryptedPreMasterSecret processing to the
646            * client. Instead, a random pre-master secret is used to force the
647            * handshake to fail.
648            */
649 
650           if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
651                                                              pos, encr_len,
652                                                              out, &outlen) < 0) {
653                     wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
654                                  "PreMasterSecret (encr_len=%u outlen=%lu)",
655                                  encr_len, (unsigned long) outlen);
656                     use_random = 1;
657           }
658 
659           if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
660                     tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
661                                          (unsigned long) outlen);
662                     use_random = 1;
663           }
664 
665           if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
666                     tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
667                     use_random = 1;
668           }
669 
670           if (use_random) {
671                     wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
672                                  "to avoid revealing information about private key");
673                     outlen = TLS_PRE_MASTER_SECRET_LEN;
674                     if (os_get_random(out, outlen)) {
675                               wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
676                                            "data");
677                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
678                                                      TLS_ALERT_INTERNAL_ERROR);
679                               os_free(out);
680                               return -1;
681                     }
682           }
683 
684           res = tlsv1_server_derive_keys(conn, out, outlen);
685 
686           /* Clear the pre-master secret since it is not needed anymore */
687           os_memset(out, 0, outbuflen);
688           os_free(out);
689 
690           if (res) {
691                     wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
692                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
693                                            TLS_ALERT_INTERNAL_ERROR);
694                     return -1;
695           }
696 
697           return 0;
698 }
699 
700 
tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)701 static int tls_process_client_key_exchange_dh(
702           struct tlsv1_server *conn, const u8 *pos, const u8 *end)
703 {
704           const u8 *dh_yc;
705           u16 dh_yc_len;
706           u8 *shared;
707           size_t shared_len;
708           int res;
709           const u8 *dh_p;
710           size_t dh_p_len;
711 
712           /*
713            * struct {
714            *   select (PublicValueEncoding) {
715            *     case implicit: struct { };
716            *     case explicit: opaque dh_Yc<1..2^16-1>;
717            *   } dh_public;
718            * } ClientDiffieHellmanPublic;
719            */
720 
721           tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
722           wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
723                         pos, end - pos);
724 
725           if (end == pos) {
726                     wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
727                                  "not supported");
728                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
729                                            TLS_ALERT_INTERNAL_ERROR);
730                     return -1;
731           }
732 
733           if (end - pos < 3) {
734                     tlsv1_server_log(conn, "Invalid client public value length");
735                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
736                                            TLS_ALERT_DECODE_ERROR);
737                     return -1;
738           }
739 
740           dh_yc_len = WPA_GET_BE16(pos);
741           dh_yc = pos + 2;
742 
743           if (dh_yc_len > end - dh_yc) {
744                     tlsv1_server_log(conn, "Client public value overflow (length %d)",
745                                          dh_yc_len);
746                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
747                                            TLS_ALERT_DECODE_ERROR);
748                     return -1;
749           }
750 
751           wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
752                         dh_yc, dh_yc_len);
753 
754           if (conn->cred == NULL || conn->cred->dh_p == NULL ||
755               conn->dh_secret == NULL) {
756                     wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
757                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
758                                            TLS_ALERT_INTERNAL_ERROR);
759                     return -1;
760           }
761 
762           tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
763 
764           shared_len = dh_p_len;
765           shared = os_malloc(shared_len);
766           if (shared == NULL) {
767                     wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
768                                  "DH");
769                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
770                                            TLS_ALERT_INTERNAL_ERROR);
771                     return -1;
772           }
773 
774           /* shared = Yc^secret mod p */
775           if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
776                                  conn->dh_secret_len, dh_p, dh_p_len,
777                                  shared, &shared_len)) {
778                     os_free(shared);
779                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
780                                            TLS_ALERT_INTERNAL_ERROR);
781                     return -1;
782           }
783           wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
784                               shared, shared_len);
785 
786           os_memset(conn->dh_secret, 0, conn->dh_secret_len);
787           os_free(conn->dh_secret);
788           conn->dh_secret = NULL;
789 
790           res = tlsv1_server_derive_keys(conn, shared, shared_len);
791 
792           /* Clear the pre-master secret since it is not needed anymore */
793           os_memset(shared, 0, shared_len);
794           os_free(shared);
795 
796           if (res) {
797                     wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
798                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
799                                            TLS_ALERT_INTERNAL_ERROR);
800                     return -1;
801           }
802 
803           return 0;
804 }
805 
806 
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)807 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
808                                                      const u8 *in_data, size_t *in_len)
809 {
810           const u8 *pos, *end;
811           size_t left, len;
812           u8 type;
813           tls_key_exchange keyx;
814           const struct tls_cipher_suite *suite;
815 
816           if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
817                     tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
818                                          ct);
819                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820                                            TLS_ALERT_UNEXPECTED_MESSAGE);
821                     return -1;
822           }
823 
824           pos = in_data;
825           left = *in_len;
826 
827           if (left < 4) {
828                     tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
829                                          (unsigned long) left);
830                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831                                            TLS_ALERT_DECODE_ERROR);
832                     return -1;
833           }
834 
835           type = *pos++;
836           len = WPA_GET_BE24(pos);
837           pos += 3;
838           left -= 4;
839 
840           if (len > left) {
841                     tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
842                                          (unsigned long) len, (unsigned long) left);
843                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
844                                            TLS_ALERT_DECODE_ERROR);
845                     return -1;
846           }
847 
848           end = pos + len;
849 
850           if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
851                     tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
852                                          type);
853                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
854                                            TLS_ALERT_UNEXPECTED_MESSAGE);
855                     return -1;
856           }
857 
858           tlsv1_server_log(conn, "Received ClientKeyExchange");
859 
860           wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
861 
862           suite = tls_get_cipher_suite(conn->rl.cipher_suite);
863           if (suite == NULL)
864                     keyx = TLS_KEY_X_NULL;
865           else
866                     keyx = suite->key_exchange;
867 
868           if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
869               tls_process_client_key_exchange_dh(conn, pos, end) < 0)
870                     return -1;
871 
872           if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
873               tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
874                     return -1;
875 
876           *in_len = end - in_data;
877 
878           conn->state = CERTIFICATE_VERIFY;
879 
880           return 0;
881 }
882 
883 
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)884 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
885                                                     const u8 *in_data, size_t *in_len)
886 {
887           const u8 *pos, *end;
888           size_t left, len;
889           u8 type;
890           size_t hlen;
891           u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
892           u8 alert;
893 
894           if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
895                     if (conn->verify_peer) {
896                               tlsv1_server_log(conn, "Client did not include CertificateVerify");
897                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
898                                                      TLS_ALERT_UNEXPECTED_MESSAGE);
899                               return -1;
900                     }
901 
902                     return tls_process_change_cipher_spec(conn, ct, in_data,
903                                                                   in_len);
904           }
905 
906           if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
907                     tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
908                                          ct);
909                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
910                                            TLS_ALERT_UNEXPECTED_MESSAGE);
911                     return -1;
912           }
913 
914           pos = in_data;
915           left = *in_len;
916 
917           if (left < 4) {
918                     tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
919                                          (unsigned long) left);
920                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
921                                            TLS_ALERT_DECODE_ERROR);
922                     return -1;
923           }
924 
925           type = *pos++;
926           len = WPA_GET_BE24(pos);
927           pos += 3;
928           left -= 4;
929 
930           if (len > left) {
931                     tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
932                                          (unsigned long) len, (unsigned long) left);
933                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
934                                            TLS_ALERT_DECODE_ERROR);
935                     return -1;
936           }
937 
938           end = pos + len;
939 
940           if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
941                     tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
942                                          type);
943                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944                                            TLS_ALERT_UNEXPECTED_MESSAGE);
945                     return -1;
946           }
947 
948           tlsv1_server_log(conn, "Received CertificateVerify");
949 
950           /*
951            * struct {
952            *   Signature signature;
953            * } CertificateVerify;
954            */
955 
956           hpos = hash;
957 
958 #ifdef CONFIG_TLSV12
959           if (conn->rl.tls_version == TLS_VERSION_1_2) {
960                     /*
961                      * RFC 5246, 4.7:
962                      * TLS v1.2 adds explicit indication of the used signature and
963                      * hash algorithms.
964                      *
965                      * struct {
966                      *   HashAlgorithm hash;
967                      *   SignatureAlgorithm signature;
968                      * } SignatureAndHashAlgorithm;
969                      */
970                     if (end - pos < 2) {
971                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
972                                                      TLS_ALERT_DECODE_ERROR);
973                               return -1;
974                     }
975                     if (pos[0] != TLS_HASH_ALG_SHA256 ||
976                         pos[1] != TLS_SIGN_ALG_RSA) {
977                               wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
978                                            "signature(%u) algorithm",
979                                            pos[0], pos[1]);
980                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
981                                                      TLS_ALERT_INTERNAL_ERROR);
982                               return -1;
983                     }
984                     pos += 2;
985 
986                     hlen = SHA256_MAC_LEN;
987                     if (conn->verify.sha256_cert == NULL ||
988                         crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
989                         0) {
990                               conn->verify.sha256_cert = NULL;
991                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
992                                                      TLS_ALERT_INTERNAL_ERROR);
993                               return -1;
994                     }
995                     conn->verify.sha256_cert = NULL;
996           } else {
997 #endif /* CONFIG_TLSV12 */
998 
999           hlen = MD5_MAC_LEN;
1000           if (conn->verify.md5_cert == NULL ||
1001               crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
1002                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1003                                            TLS_ALERT_INTERNAL_ERROR);
1004                     conn->verify.md5_cert = NULL;
1005                     crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
1006                     conn->verify.sha1_cert = NULL;
1007                     return -1;
1008           }
1009           hpos += MD5_MAC_LEN;
1010 
1011           conn->verify.md5_cert = NULL;
1012           hlen = SHA1_MAC_LEN;
1013           if (conn->verify.sha1_cert == NULL ||
1014               crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
1015                     conn->verify.sha1_cert = NULL;
1016                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1017                                            TLS_ALERT_INTERNAL_ERROR);
1018                     return -1;
1019           }
1020           conn->verify.sha1_cert = NULL;
1021 
1022           hlen += MD5_MAC_LEN;
1023 
1024 #ifdef CONFIG_TLSV12
1025           }
1026 #endif /* CONFIG_TLSV12 */
1027 
1028           wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1029 
1030           if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1031                                          hash, hlen, pos, end - pos, &alert) < 0) {
1032                     tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1033                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1034                     return -1;
1035           }
1036 
1037           *in_len = end - in_data;
1038 
1039           conn->state = CHANGE_CIPHER_SPEC;
1040 
1041           return 0;
1042 }
1043 
1044 
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1045 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1046                                                     u8 ct, const u8 *in_data,
1047                                                     size_t *in_len)
1048 {
1049           const u8 *pos;
1050           size_t left;
1051 
1052           if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1053                     tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1054                                          ct);
1055                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056                                            TLS_ALERT_UNEXPECTED_MESSAGE);
1057                     return -1;
1058           }
1059 
1060           pos = in_data;
1061           left = *in_len;
1062 
1063           if (left < 1) {
1064                     tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1065                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1066                                            TLS_ALERT_DECODE_ERROR);
1067                     return -1;
1068           }
1069 
1070           if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1071                     tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1072                                          *pos);
1073                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074                                            TLS_ALERT_UNEXPECTED_MESSAGE);
1075                     return -1;
1076           }
1077 
1078           tlsv1_server_log(conn, "Received ChangeCipherSpec");
1079           if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1080                     wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1081                                  "for record layer");
1082                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1083                                            TLS_ALERT_INTERNAL_ERROR);
1084                     return -1;
1085           }
1086 
1087           *in_len = pos + 1 - in_data;
1088 
1089           conn->state = CLIENT_FINISHED;
1090 
1091           return 0;
1092 }
1093 
1094 
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1095 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1096                                                const u8 *in_data, size_t *in_len)
1097 {
1098           const u8 *pos, *end;
1099           size_t left, len, hlen;
1100           u8 verify_data[TLS_VERIFY_DATA_LEN];
1101           u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1102 
1103 #ifdef CONFIG_TESTING_OPTIONS
1104           if ((conn->test_flags &
1105                (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1106               !conn->test_failure_reported) {
1107                     tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1108                     conn->test_failure_reported = 1;
1109           }
1110 
1111           if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1112               !conn->test_failure_reported) {
1113                     tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1114                     conn->test_failure_reported = 1;
1115           }
1116 
1117           if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1118               !conn->test_failure_reported) {
1119                     tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1120                     conn->test_failure_reported = 1;
1121           }
1122 
1123           if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1124               !conn->test_failure_reported) {
1125                     tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1126                     conn->test_failure_reported = 1;
1127           }
1128 
1129           if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1130               !conn->test_failure_reported) {
1131                     tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1132                     conn->test_failure_reported = 1;
1133           }
1134 
1135           if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1136               !conn->test_failure_reported) {
1137                     tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1138                     conn->test_failure_reported = 1;
1139           }
1140 #endif /* CONFIG_TESTING_OPTIONS */
1141 
1142           if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1143                     tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1144                                          ct);
1145                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1146                                            TLS_ALERT_UNEXPECTED_MESSAGE);
1147                     return -1;
1148           }
1149 
1150           pos = in_data;
1151           left = *in_len;
1152 
1153           if (left < 4) {
1154                     tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1155                                          (unsigned long) left);
1156                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1157                                            TLS_ALERT_DECODE_ERROR);
1158                     return -1;
1159           }
1160 
1161           if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1162                     wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1163                                  "type 0x%x", pos[0]);
1164                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1165                                            TLS_ALERT_UNEXPECTED_MESSAGE);
1166                     return -1;
1167           }
1168 
1169           len = WPA_GET_BE24(pos + 1);
1170 
1171           pos += 4;
1172           left -= 4;
1173 
1174           if (len > left) {
1175                     tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1176                                          (unsigned long) len, (unsigned long) left);
1177                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1178                                            TLS_ALERT_DECODE_ERROR);
1179                     return -1;
1180           }
1181           end = pos + len;
1182           if (len != TLS_VERIFY_DATA_LEN) {
1183                     tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1184                                          (unsigned long) len, TLS_VERIFY_DATA_LEN);
1185                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1186                                            TLS_ALERT_DECODE_ERROR);
1187                     return -1;
1188           }
1189           wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1190                         pos, TLS_VERIFY_DATA_LEN);
1191 
1192 #ifdef CONFIG_TLSV12
1193           if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1194                     hlen = SHA256_MAC_LEN;
1195                     if (conn->verify.sha256_client == NULL ||
1196                         crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1197                         < 0) {
1198                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1199                                                      TLS_ALERT_INTERNAL_ERROR);
1200                               conn->verify.sha256_client = NULL;
1201                               return -1;
1202                     }
1203                     conn->verify.sha256_client = NULL;
1204           } else {
1205 #endif /* CONFIG_TLSV12 */
1206 
1207           hlen = MD5_MAC_LEN;
1208           if (conn->verify.md5_client == NULL ||
1209               crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1210                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1211                                            TLS_ALERT_INTERNAL_ERROR);
1212                     conn->verify.md5_client = NULL;
1213                     crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1214                     conn->verify.sha1_client = NULL;
1215                     return -1;
1216           }
1217           conn->verify.md5_client = NULL;
1218           hlen = SHA1_MAC_LEN;
1219           if (conn->verify.sha1_client == NULL ||
1220               crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1221                                      &hlen) < 0) {
1222                     conn->verify.sha1_client = NULL;
1223                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1224                                            TLS_ALERT_INTERNAL_ERROR);
1225                     return -1;
1226           }
1227           conn->verify.sha1_client = NULL;
1228           hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1229 
1230 #ifdef CONFIG_TLSV12
1231           }
1232 #endif /* CONFIG_TLSV12 */
1233 
1234           if (tls_prf(conn->rl.tls_version,
1235                         conn->master_secret, TLS_MASTER_SECRET_LEN,
1236                         "client finished", hash, hlen,
1237                         verify_data, TLS_VERIFY_DATA_LEN)) {
1238                     wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1239                     tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1240                                            TLS_ALERT_DECRYPT_ERROR);
1241                     return -1;
1242           }
1243           wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1244                               verify_data, TLS_VERIFY_DATA_LEN);
1245 
1246           if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1247                     tlsv1_server_log(conn, "Mismatch in verify_data");
1248                     conn->state = FAILED;
1249                     return -1;
1250           }
1251 
1252           tlsv1_server_log(conn, "Received Finished");
1253 
1254           *in_len = end - in_data;
1255 
1256           if (conn->use_session_ticket) {
1257                     /* Abbreviated handshake using session ticket; RFC 4507 */
1258                     tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1259                     conn->state = ESTABLISHED;
1260           } else {
1261                     /* Full handshake */
1262                     conn->state = SERVER_CHANGE_CIPHER_SPEC;
1263           }
1264 
1265           return 0;
1266 }
1267 
1268 
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1269 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1270                                            const u8 *buf, size_t *len)
1271 {
1272           if (ct == TLS_CONTENT_TYPE_ALERT) {
1273                     if (*len < 2) {
1274                               tlsv1_server_log(conn, "Alert underflow");
1275                               tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276                                                      TLS_ALERT_DECODE_ERROR);
1277                               return -1;
1278                     }
1279                     tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1280                     *len = 2;
1281                     conn->state = FAILED;
1282                     return -1;
1283           }
1284 
1285           switch (conn->state) {
1286           case CLIENT_HELLO:
1287                     if (tls_process_client_hello(conn, ct, buf, len))
1288                               return -1;
1289                     break;
1290           case CLIENT_CERTIFICATE:
1291                     if (tls_process_certificate(conn, ct, buf, len))
1292                               return -1;
1293                     break;
1294           case CLIENT_KEY_EXCHANGE:
1295                     if (tls_process_client_key_exchange(conn, ct, buf, len))
1296                               return -1;
1297                     break;
1298           case CERTIFICATE_VERIFY:
1299                     if (tls_process_certificate_verify(conn, ct, buf, len))
1300                               return -1;
1301                     break;
1302           case CHANGE_CIPHER_SPEC:
1303                     if (tls_process_change_cipher_spec(conn, ct, buf, len))
1304                               return -1;
1305                     break;
1306           case CLIENT_FINISHED:
1307                     if (tls_process_client_finished(conn, ct, buf, len))
1308                               return -1;
1309                     break;
1310           default:
1311                     tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1312                                          conn->state);
1313                     return -1;
1314           }
1315 
1316           if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1317                     tls_verify_hash_add(&conn->verify, buf, *len);
1318 
1319           return 0;
1320 }
1321