static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
u8 *pos, *rhdr;
size_t rlen;
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
*pos = TLS_CHANGE_CIPHER_SPEC;
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
rhdr, end - rhdr, 1, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
"record layer");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
*msgpos = rhdr + rlen;
return 0;
}
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
u8 ct, const u8 *in_data,
size_t *in_len)
{
const u8 *pos;
size_t left;
if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
"received content type 0x%x", ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 1) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
if (*pos != TLS_CHANGE_CIPHER_SPEC) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
"received data 0x%x", *pos);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
"for record layer");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
*in_len = pos + 1 - in_data;
conn->state = CLIENT_FINISHED;
return 0;
}
/**
* tlsv1_server_decrypt - Decrypt data from TLS tunnel
* @conn: TLSv1 server connection data from tlsv1_server_init()
* @in_data: Pointer to input buffer (encrypted TLS data)
* @in_len: Input buffer length
* @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
* @out_len: Maximum out_data length
* Returns: Number of bytes written to out_data, -1 on failure
*
* This function is used after TLS handshake has been completed successfully to
* receive data from the encrypted tunnel.
*/
int tlsv1_server_decrypt(struct tlsv1_server *conn,
const u8 *in_data, size_t in_len,
u8 *out_data, size_t out_len)
{
const u8 *in_end, *pos;
int res;
u8 alert, *out_end, *out_pos;
size_t olen;
pos = in_data;
in_end = in_data + in_len;
out_pos = out_data;
out_end = out_data + out_len;
while (pos < in_end) {
if (pos[0] != TLS_CONTENT_TYPE_APPLICATION_DATA) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type "
"0x%x", pos[0]);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
olen = out_end - out_pos;
res = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
out_pos, &olen, &alert);
if (res < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing "
"failed");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
return -1;
}
out_pos += olen;
if (out_pos > out_end) {
wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
"for processing the received record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3);
}
return out_pos - out_data;
}
int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
const u8 *buf, size_t *len)
{
if (ct == TLS_CONTENT_TYPE_ALERT) {
if (*len < 2) {
wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
buf[0], buf[1]);
*len = 2;
conn->state = FAILED;
return -1;
}
switch (conn->state) {
case CLIENT_HELLO:
if (tls_process_client_hello(conn, ct, buf, len))
return -1;
break;
case CLIENT_CERTIFICATE:
if (tls_process_certificate(conn, ct, buf, len))
return -1;
break;
case CLIENT_KEY_EXCHANGE:
if (tls_process_client_key_exchange(conn, ct, buf, len))
return -1;
break;
case CERTIFICATE_VERIFY:
if (tls_process_certificate_verify(conn, ct, buf, len))
return -1;
break;
case CHANGE_CIPHER_SPEC:
if (tls_process_change_cipher_spec(conn, ct, buf, len))
return -1;
break;
case CLIENT_FINISHED:
if (tls_process_client_finished(conn, ct, buf, len))
return -1;
break;
default:
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
"while processing received message",
conn->state);
return -1;
}
if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
tls_verify_hash_add(&conn->verify, buf, *len);
return 0;
}
/**
* tlsv1_server_encrypt - Encrypt data into TLS tunnel
* @conn: TLSv1 server connection data from tlsv1_server_init()
* @in_data: Pointer to plaintext data to be encrypted
* @in_len: Input buffer length
* @out_data: Pointer to output buffer (encrypted TLS data)
* @out_len: Maximum out_data length
* Returns: Number of bytes written to out_data, -1 on failure
*
* This function is used after TLS handshake has been completed successfully to
* send data in the encrypted tunnel.
*/
int tlsv1_server_encrypt(struct tlsv1_server *conn,
const u8 *in_data, size_t in_len,
u8 *out_data, size_t out_len)
{
size_t rlen;
wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData",
in_data, in_len);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA,
out_data, out_len, in_data, in_len, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
return rlen;
}
static int tls_write_server_hello_done(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
u8 *pos, *rhdr, *hs_start, *hs_length;
size_t rlen;
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone");
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
/* opaque fragment[TLSPlaintext.length] */
/* Handshake */
hs_start = pos;
/* HandshakeType msg_type */
*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
/* uint24 length (to be filled) */
hs_length = pos;
pos += 3;
/* body - ServerHelloDone (empty) */
WPA_PUT_BE24(hs_length, pos - hs_length - 3);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos = rhdr + rlen;
tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
*msgpos = pos;
return 0;
}
static int tls_write_server_certificate(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
size_t rlen;
struct x509_certificate *cert;
const struct tls_cipher_suite *suite;
suite = tls_get_cipher_suite(conn->rl.cipher_suite);
if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
"using anonymous DH");
return 0;
}
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
/* opaque fragment[TLSPlaintext.length] */
/* Handshake */
hs_start = pos;
/* HandshakeType msg_type */
*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
/* uint24 length (to be filled) */
hs_length = pos;
pos += 3;
/* body - Certificate */
/* uint24 length (to be filled) */
cert_start = pos;
pos += 3;
cert = conn->cred->cert;
while (cert) {
if (pos + 3 + cert->cert_len > end) {
wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
"for Certificate (cert_len=%lu left=%lu)",
(unsigned long) cert->cert_len,
(unsigned long) (end - pos));
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
WPA_PUT_BE24(pos, cert->cert_len);
pos += 3;
os_memcpy(pos, cert->cert_start, cert->cert_len);
pos += cert->cert_len;
if (x509_certificate_self_signed(cert))
break;
cert = x509_certificate_get_subject(conn->cred->trusted_certs,
&cert->issuer);
}
if (cert == conn->cred->cert || cert == NULL) {
/*
* Server was not configured with all the needed certificates
* to form a full certificate chain. The client may fail to
* validate the chain unless it is configured with all the
* missing CA certificates.
*/
wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
"not configured - validation may fail");
}
WPA_PUT_BE24(cert_start, pos - cert_start - 3);
WPA_PUT_BE24(hs_length, pos - hs_length - 3);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos = rhdr + rlen;
tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
*msgpos = pos;
return 0;
}
static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
const u8 *in_data, size_t *in_len) {
const u8 *pos, *end;
size_t left, len, hlen;
u8 verify_data[TLS_VERIFY_DATA_LEN];
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
"received content type 0x%x", ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
"Finished",
(unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
"type 0x%x", pos[0]);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
len = WPA_GET_BE24(pos + 1);
pos += 4;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
"(len=%lu > left=%lu)",
(unsigned long) len, (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (len != TLS_VERIFY_DATA_LEN) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
"in Finished: %lu (expected %d)",
(unsigned long) len, TLS_VERIFY_DATA_LEN);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
pos, TLS_VERIFY_DATA_LEN);
hlen = MD5_MAC_LEN;
if (conn->verify.md5_client == NULL ||
crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.md5_client = NULL;
crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
conn->verify.sha1_client = NULL;
return -1;
}
conn->verify.md5_client = NULL;
hlen = SHA1_MAC_LEN;
if (conn->verify.sha1_client == NULL ||
crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
&hlen) < 0) {
conn->verify.sha1_client = NULL;
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->verify.sha1_client = NULL;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
"client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
verify_data, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
verify_data, TLS_VERIFY_DATA_LEN);
if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
*in_len = end - in_data;
if (conn->use_session_ticket) {
/* Abbreviated handshake using session ticket; RFC 4507 */
wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
"successfully");
conn->state = ESTABLISHED;
} else {
/* Full handshake */
conn->state = SERVER_CHANGE_CIPHER_SPEC;
}
return 0;
}
static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
const u8 *in_data, size_t *in_len) {
const u8 *pos, *end;
size_t left, len;
u8 type;
size_t hlen, buflen;
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
enum {
SIGN_ALG_RSA, SIGN_ALG_DSA
} alg = SIGN_ALG_RSA;
u16 slen;
if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
if (conn->verify_peer) {
wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
"CertificateVerify");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
return tls_process_change_cipher_spec(conn, ct, in_data,
in_len);
}
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
"message (len=%lu)", (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
"message length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected CertificateVerify)", type);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
/*
* struct {
* Signature signature;
* } CertificateVerify;
*/
hpos = hash;
if (alg == SIGN_ALG_RSA) {
hlen = MD5_MAC_LEN;
if (conn->verify.md5_cert == NULL ||
crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.md5_cert = NULL;
crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
conn->verify.sha1_cert = NULL;
return -1;
}
hpos += MD5_MAC_LEN;
} else
crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
conn->verify.md5_cert = NULL;
hlen = SHA1_MAC_LEN;
if (conn->verify.sha1_cert == NULL ||
crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
conn->verify.sha1_cert = NULL;
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->verify.sha1_cert = NULL;
if (alg == SIGN_ALG_RSA)
hlen += MD5_MAC_LEN;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
if (end - pos < 2) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
slen = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < slen) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
if (conn->client_rsa_key == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
"signature");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
buflen = end - pos;
buf = os_malloc(end - pos);
if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
pos, end - pos, buf, &buflen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
os_free(buf);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
buf, buflen);
if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
"CertificateVerify - did not match with calculated "
"hash");
os_free(buf);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECRYPT_ERROR);
return -1;
}
os_free(buf);
*in_len = end - in_data;
conn->state = CHANGE_CIPHER_SPEC;
return 0;
}
static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
const u8 *in_data, size_t *in_len) {
const u8 *pos, *end;
size_t left, len;
u8 type;
tls_key_exchange keyx;
const struct tls_cipher_suite *suite;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
"(Left=%lu)", (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
end = pos + len;
if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ClientKeyExchange)", type);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
suite = tls_get_cipher_suite(conn->rl.cipher_suite);
if (suite == NULL)
keyx = TLS_KEY_X_NULL;
else
keyx = suite->key_exchange;
if (keyx == TLS_KEY_X_DH_anon &&
tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
return -1;
if (keyx != TLS_KEY_X_DH_anon &&
tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
return -1;
*in_len = end - in_data;
conn->state = CERTIFICATE_VERIFY;
return 0;
}
static int tls_write_server_certificate_request(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
u8 *pos, *rhdr, *hs_start, *hs_length;
size_t rlen;
if (!conn->verify_peer) {
wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
return 0;
}
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest");
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
/* opaque fragment[TLSPlaintext.length] */
/* Handshake */
hs_start = pos;
/* HandshakeType msg_type */
*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
/* uint24 length (to be filled) */
hs_length = pos;
pos += 3;
/* body - CertificateRequest */
/*
* enum {
* rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
* (255)
* } ClientCertificateType;
* ClientCertificateType certificate_types<1..2^8-1>
*/
*pos++ = 1;
*pos++ = 1; /* rsa_sign */
/*
* opaque DistinguishedName<1..2^16-1>
* DistinguishedName certificate_authorities<3..2^16-1>
*/
/* TODO: add support for listing DNs for trusted CAs */
WPA_PUT_BE16(pos, 0);
pos += 2;
WPA_PUT_BE24(hs_length, pos - hs_length - 3);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos = rhdr + rlen;
tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
*msgpos = pos;
return 0;
}
static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
const u8 *in_data, size_t *in_len) {
const u8 *pos, *end;
size_t left, len, list_len, cert_len, idx;
u8 type;
struct x509_certificate *chain = NULL, *last = NULL, *cert;
int reason;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
"(len=%lu)", (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
type = *pos++;
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
"length (len=%lu != left=%lu)",
(unsigned long) len, (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
if (conn->verify_peer) {
wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
"Certificate");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
return tls_process_client_key_exchange(conn, ct, in_data,
in_len);
}
if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected Certificate/"
"ClientKeyExchange)", type);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG,
"TLSv1: Received Certificate (certificate_list len %lu)",
(unsigned long) len);
/*
* opaque ASN.1Cert<2^24-1>;
*
* struct {
* ASN.1Cert certificate_list<1..2^24-1>;
* } Certificate;
*/
end = pos + len;
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
"(left=%lu)", (unsigned long) left);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
list_len = WPA_GET_BE24(pos);
pos += 3;
if ((size_t) (end - pos) != list_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
"length (len=%lu left=%lu)",
(unsigned long) list_len,
(unsigned long) (end - pos));
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
idx = 0;
while (pos < end) {
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"certificate_list");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
x509_certificate_chain_free(chain);
return -1;
}
cert_len = WPA_GET_BE24(pos);
pos += 3;
if ((size_t) (end - pos) < cert_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
"length (len=%lu left=%lu)",
(unsigned long) cert_len,
(unsigned long) (end - pos));
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
x509_certificate_chain_free(chain);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
(unsigned long) idx, (unsigned long) cert_len);
if (idx == 0) {
crypto_public_key_free(conn->client_rsa_key);
if (tls_parse_cert(pos, cert_len,
&conn->client_rsa_key)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"the certificate");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
}
cert = x509_certificate_parse(pos, cert_len);
if (cert == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
"the certificate");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE);
x509_certificate_chain_free(chain);
return -1;
}
if (last == NULL)
chain = cert;
else
last->next = cert;
last = cert;
idx++;
pos += cert_len;
}
if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
&reason) < 0) {
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
switch (reason) {
case X509_VALIDATE_BAD_CERTIFICATE:
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
break;
case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
break;
case X509_VALIDATE_CERTIFICATE_REVOKED:
tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
break;
case X509_VALIDATE_CERTIFICATE_EXPIRED:
tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
break;
case X509_VALIDATE_CERTIFICATE_UNKNOWN:
tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
break;
case X509_VALIDATE_UNKNOWN_CA:
tls_reason = TLS_ALERT_UNKNOWN_CA;
break;
default:
tls_reason = TLS_ALERT_BAD_CERTIFICATE;
break;
}
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
x509_certificate_chain_free(chain);
return -1;
}
x509_certificate_chain_free(chain);
*in_len = end - in_data;
conn->state = CLIENT_KEY_EXCHANGE;
return 0;
}
static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
const u8 *in_data, size_t *in_len)
{
const u8 *pos, *end, *c;
size_t left, len, i, j;
u16 cipher_suite;
u16 num_suites;
int compr_null_found;
u16 ext_type, ext_len;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4)
goto decode_error;
/* HandshakeType msg_type */
if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
*pos);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
tlsv1_server_log(conn, "Received ClientHello");
pos++;
/* uint24 length */
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left)
goto decode_error;
/* body - ClientHello */
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
end = pos + len;
/* ProtocolVersion client_version */
if (end - pos < 2)
goto decode_error;
conn->client_version = WPA_GET_BE16(pos);
tlsv1_server_log(conn, "Client version %d.%d",
conn->client_version >> 8,
conn->client_version & 0xff);
if (conn->client_version < TLS_VERSION_1) {
tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
conn->client_version >> 8,
conn->client_version & 0xff);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_PROTOCOL_VERSION);
return -1;
}
/**
* tlsv1_server_decrypt - Decrypt data from TLS tunnel
* @conn: TLSv1 server connection data from tlsv1_server_init()
* @in_data: Pointer to input buffer (encrypted TLS data)
* @in_len: Input buffer length
* @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
* @out_len: Maximum out_data length
* Returns: Number of bytes written to out_data, -1 on failure
*
* This function is used after TLS handshake has been completed successfully to
* receive data from the encrypted tunnel.
*/
int tlsv1_server_decrypt(struct tlsv1_server *conn,
const u8 *in_data, size_t in_len,
u8 *out_data, size_t out_len)
{
const u8 *in_end, *pos;
int used;
u8 alert, *out_end, *out_pos, ct;
size_t olen;
pos = in_data;
in_end = in_data + in_len;
out_pos = out_data;
out_end = out_data + out_len;
while (pos < in_end) {
ct = pos[0];
olen = out_end - out_pos;
used = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
out_pos, &olen, &alert);
if (used < 0) {
tlsv1_server_log(conn, "Record layer processing failed");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
return -1;
}
if (used == 0) {
/* need more data */
wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
"yet supported");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
return -1;
}
if (ct == TLS_CONTENT_TYPE_ALERT) {
if (olen < 2) {
tlsv1_server_log(conn, "Alert underflow");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
tlsv1_server_log(conn, "Received alert %d:%d",
out_pos[0], out_pos[1]);
if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) {
/* Continue processing */
pos += used;
continue;
}
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
out_pos[1]);
return -1;
}
if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
tlsv1_server_log(conn, "Unexpected content type 0x%x",
pos[0]);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
#ifdef CONFIG_TESTING_OPTIONS
if ((conn->test_flags &&
(TLS_BREAK_VERIFY_DATA | TLS_BREAK_SRV_KEY_X_HASH |
TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
!conn->test_failure_reported) {
tlsv1_server_log(conn, "TEST-FAILURE: Client ApplData received after invalid handshake");
conn->test_failure_reported = 1;
}
#endif /* CONFIG_TESTING_OPTIONS */
out_pos += olen;
if (out_pos > out_end) {
wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
"for processing the received record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos += used;
}
return out_pos - out_data;
}
/**
* tlsv1_server_handshake - Process TLS handshake
* @conn: TLSv1 server connection data from tlsv1_server_init()
* @in_data: Input data from TLS peer
* @in_len: Input data length
* @out_len: Length of the output buffer.
* Returns: Pointer to output data, %NULL on failure
*/
u8 * tlsv1_server_handshake(struct tlsv1_server *conn,
const u8 *in_data, size_t in_len,
size_t *out_len)
{
const u8 *pos, *end;
u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct;
size_t in_msg_len;
int used;
if (in_data == NULL || in_len == 0) {
wpa_printf(MSG_DEBUG, "TLSv1: No input data to server");
return NULL;
}
pos = in_data;
end = in_data + in_len;
in_msg = os_malloc(in_len);
if (in_msg == NULL)
return NULL;
/* Each received packet may include multiple records */
while (pos < end) {
in_msg_len = in_len;
used = tlsv1_record_receive(&conn->rl, pos, end - pos,
in_msg, &in_msg_len, &alert);
if (used < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Processing received "
"record failed");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
goto failed;
}
if (used == 0) {
/* need more data */
wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
"yet supported");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
goto failed;
}
ct = pos[0];
in_pos = in_msg;
in_end = in_msg + in_msg_len;
/* Each received record may include multiple messages of the
* same ContentType. */
while (in_pos < in_end) {
in_msg_len = in_end - in_pos;
if (tlsv1_server_process_handshake(conn, ct, in_pos,
&in_msg_len) < 0)
goto failed;
in_pos += in_msg_len;
}
pos += used;
}
os_free(in_msg);
in_msg = NULL;
msg = tlsv1_server_handshake_write(conn, out_len);
failed:
os_free(in_msg);
if (conn->alert_level) {
if (conn->state == FAILED) {
/* Avoid alert loops */
wpa_printf(MSG_DEBUG, "TLSv1: Drop alert loop");
os_free(msg);
return NULL;
}
conn->state = FAILED;
os_free(msg);
msg = tlsv1_server_send_alert(conn, conn->alert_level,
conn->alert_description,
out_len);
}
return msg;
}
static int tls_write_server_key_exchange(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
tls_key_exchange keyx;
const struct tls_cipher_suite *suite;
#ifdef EAP_FAST
u8 *pos, *rhdr, *hs_start, *hs_length;
size_t rlen;
u8 *dh_ys;
size_t dh_ys_len;
#endif /* EAP_FAST */
suite = tls_get_cipher_suite(conn->rl.cipher_suite);
if (suite == NULL)
keyx = TLS_KEY_X_NULL;
else
keyx = suite->key_exchange;
if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
return 0;
}
if (keyx != TLS_KEY_X_DH_anon) {
/* TODO? */
wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
"supported with key exchange type %d", keyx);
return -1;
}
#ifdef EAP_FAST
if (conn->cred == NULL || conn->cred->dh_p == NULL ||
conn->cred->dh_g == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
"ServerKeyExhcange");
return -1;
}
os_free(conn->dh_secret);
conn->dh_secret_len = conn->cred->dh_p_len;
conn->dh_secret = os_malloc(conn->dh_secret_len);
if (conn->dh_secret == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
"memory for secret (Diffie-Hellman)");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
if (os_get_random(conn->dh_secret, conn->dh_secret_len)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
"data for Diffie-Hellman");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
os_free(conn->dh_secret);
conn->dh_secret = NULL;
return -1;
}
if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) >
0)
conn->dh_secret[0] = 0; /* make sure secret < p */
pos = conn->dh_secret;
while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
pos++;
if (pos != conn->dh_secret) {
os_memmove(conn->dh_secret, pos,
conn->dh_secret_len - (pos - conn->dh_secret));
conn->dh_secret_len -= pos - conn->dh_secret;
}
wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
conn->dh_secret, conn->dh_secret_len);
/* Ys = g^secret mod p */
dh_ys_len = conn->cred->dh_p_len;
dh_ys = os_malloc(dh_ys_len);
if (dh_ys == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
"Diffie-Hellman");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
conn->dh_secret, conn->dh_secret_len,
conn->cred->dh_p, conn->cred->dh_p_len,
dh_ys, &dh_ys_len)) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
os_free(dh_ys);
return -1;
}
wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
dh_ys, dh_ys_len);
/*
* struct {
* select (KeyExchangeAlgorithm) {
* case diffie_hellman:
* ServerDHParams params;
* Signature signed_params;
* case rsa:
* ServerRSAParams params;
* Signature signed_params;
* };
* } ServerKeyExchange;
*
* struct {
* opaque dh_p<1..2^16-1>;
* opaque dh_g<1..2^16-1>;
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange");
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
/* opaque fragment[TLSPlaintext.length] */
/* Handshake */
hs_start = pos;
/* HandshakeType msg_type */
*pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
/* uint24 length (to be filled) */
hs_length = pos;
pos += 3;
/* body - ServerDHParams */
/* dh_p */
if (pos + 2 + conn->cred->dh_p_len > end) {
wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
"dh_p");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
os_free(dh_ys);
return -1;
}
WPA_PUT_BE16(pos, conn->cred->dh_p_len);
pos += 2;
os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len);
pos += conn->cred->dh_p_len;
/* dh_g */
if (pos + 2 + conn->cred->dh_g_len > end) {
wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
"dh_g");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
os_free(dh_ys);
return -1;
}
WPA_PUT_BE16(pos, conn->cred->dh_g_len);
pos += 2;
os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
pos += conn->cred->dh_g_len;
/* dh_Ys */
if (pos + 2 + dh_ys_len > end) {
wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
"dh_Ys");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
os_free(dh_ys);
return -1;
}
WPA_PUT_BE16(pos, dh_ys_len);
pos += 2;
os_memcpy(pos, dh_ys, dh_ys_len);
pos += dh_ys_len;
os_free(dh_ys);
WPA_PUT_BE24(hs_length, pos - hs_length - 3);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos = rhdr + rlen;
tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
*msgpos = pos;
return 0;
#else /* EAP_FAST */
return -1;
#endif /* EAP_FAST */
}
static int tls_write_server_hello(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
u8 *pos, *rhdr, *hs_start, *hs_length;
struct os_time now;
size_t rlen;
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello");
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
os_get_time(&now);
WPA_PUT_BE32(conn->server_random, now.sec);
if (os_get_random(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
"server_random");
return -1;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
conn->server_random, TLS_RANDOM_LEN);
conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
if (os_get_random(conn->session_id, conn->session_id_len)) {
wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
"session_id");
return -1;
}
wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
conn->session_id, conn->session_id_len);
/* opaque fragment[TLSPlaintext.length] */
/* Handshake */
hs_start = pos;
/* HandshakeType msg_type */
*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
/* uint24 length (to be filled) */
hs_length = pos;
pos += 3;
/* body - ServerHello */
/* ProtocolVersion server_version */
WPA_PUT_BE16(pos, TLS_VERSION);
pos += 2;
/* Random random: uint32 gmt_unix_time, opaque random_bytes */
os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
pos += TLS_RANDOM_LEN;
/* SessionID session_id */
*pos++ = conn->session_id_len;
os_memcpy(pos, conn->session_id, conn->session_id_len);
pos += conn->session_id_len;
/* CipherSuite cipher_suite */
WPA_PUT_BE16(pos, conn->cipher_suite);
pos += 2;
/* CompressionMethod compression_method */
*pos++ = TLS_COMPRESSION_NULL;
if (conn->session_ticket && conn->session_ticket_cb) {
int res = conn->session_ticket_cb(
conn->session_ticket_cb_ctx,
conn->session_ticket, conn->session_ticket_len,
conn->client_random, conn->server_random,
conn->master_secret);
if (res < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
"indicated failure");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_HANDSHAKE_FAILURE);
return -1;
}
conn->use_session_ticket = res;
if (conn->use_session_ticket) {
if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
"derive keys");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
}
/*
* RFC 4507 specifies that server would include an empty
* SessionTicket extension in ServerHello and a
* NewSessionTicket message after the ServerHello. However,
* EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
* extension at the moment, does not use such extensions.
*
* TODO: Add support for configuring RFC 4507 behavior and make
* EAP-FAST disable it.
*/
}
WPA_PUT_BE24(hs_length, pos - hs_length - 3);
tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos = rhdr + rlen;
*msgpos = pos;
return 0;
}
static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
const u8 *in_data, size_t *in_len) {
const u8 *pos, *end, *c;
size_t left, len, i, j;
u16 cipher_suite;
u16 num_suites;
int compr_null_found;
u16 ext_type, ext_len;
if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
"received content type 0x%x", ct);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
pos = in_data;
left = *in_len;
if (left < 4)
goto decode_error;
/* HandshakeType msg_type */
if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
"message %d (expected ClientHello)", *pos);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
pos++;
/* uint24 length */
len = WPA_GET_BE24(pos);
pos += 3;
left -= 4;
if (len > left)
goto decode_error;
/* body - ClientHello */
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
end = pos + len;
/* ProtocolVersion client_version */
if (end - pos < 2)
goto decode_error;
conn->client_version = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
conn->client_version >> 8, conn->client_version & 0xff);
if (conn->client_version < TLS_VERSION) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
"ClientHello");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_PROTOCOL_VERSION);
return -1;
}
pos += 2;
/* Random random */
if (end - pos < TLS_RANDOM_LEN)
goto decode_error;
os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
pos += TLS_RANDOM_LEN;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
conn->client_random, TLS_RANDOM_LEN);
/* SessionID session_id */
if (end - pos < 1)
goto decode_error;
if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
goto decode_error;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
pos += 1 + *pos;
/* TODO: add support for session resumption */
/* CipherSuite cipher_suites<2..2^16-1> */
if (end - pos < 2)
goto decode_error;
num_suites = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < num_suites)
goto decode_error;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
pos, num_suites);
if (num_suites & 1)
goto decode_error;
num_suites /= 2;
cipher_suite = 0;
for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
c = pos;
for (j = 0; j < num_suites; j++) {
u16 tmp = WPA_GET_BE16(c);
c += 2;
if (!cipher_suite && tmp == conn->cipher_suites[i]) {
cipher_suite = tmp;
break;
}
}
}
pos += num_suites * 2;
if (!cipher_suite) {
wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
"available");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
"record layer");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->cipher_suite = cipher_suite;
/* CompressionMethod compression_methods<1..2^8-1> */
if (end - pos < 1)
goto decode_error;
num_suites = *pos++;
if (end - pos < num_suites)
goto decode_error;
wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
pos, num_suites);
compr_null_found = 0;
for (i = 0; i < num_suites; i++) {
if (*pos++ == TLS_COMPRESSION_NULL)
compr_null_found = 1;
}
if (!compr_null_found) {
wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
"compression");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_ILLEGAL_PARAMETER);
return -1;
}
if (end - pos == 1) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
"end of ClientHello: 0x%02x", *pos);
goto decode_error;
}
if (end - pos >= 2) {
/* Extension client_hello_extension_list<0..2^16-1> */
ext_len = WPA_GET_BE16(pos);
pos += 2;
wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
"extensions", ext_len);
if (end - pos != ext_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
"extension list length %u (expected %u)",
ext_len, (unsigned int) (end - pos));
goto decode_error;
}
/*
* struct {
* ExtensionType extension_type (0..65535)
* opaque extension_data<0..2^16-1>
* } Extension;
*/
while (pos < end) {
if (end - pos < 2) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
"extension_type field");
goto decode_error;
}
ext_type = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < 2) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
"extension_data length field");
goto decode_error;
}
ext_len = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < ext_len) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
"extension_data field");
goto decode_error;
}
wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
"type %u", ext_type);
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
"Extension data", pos, ext_len);
if (ext_type == TLS_EXT_SESSION_TICKET) {
os_free(conn->session_ticket);
conn->session_ticket = os_malloc(ext_len);
if (conn->session_ticket) {
os_memcpy(conn->session_ticket, pos,
ext_len);
conn->session_ticket_len = ext_len;
}
}
pos += ext_len;
}
}
*in_len = end - in_data;
wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
"ServerHello");
conn->state = SERVER_HELLO;
return 0;
decode_error:
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
static int tls_process_client_key_exchange_rsa(
struct tlsv1_server *conn, const u8 *pos, const u8 *end) {
u8 *out;
size_t outlen, outbuflen;
int res;
int use_random = 0;
if (end - pos < 2) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
pos += 2;
outbuflen = outlen = end - pos;
out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
outlen : TLS_PRE_MASTER_SECRET_LEN);
if (out == NULL) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
/*
* struct {
* ProtocolVersion client_version;
* opaque random[46];
* } PreMasterSecret;
*
* struct {
* public-key-encrypted PreMasterSecret pre_master_secret;
* } EncryptedPreMasterSecret;
*/
/*
* Note: To avoid Bleichenbacher attack, we do not report decryption or
* parsing errors from EncryptedPreMasterSecret processing to the
* client. Instead, a random pre-master secret is used to force the
* handshake to fail.
*/
if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
pos, end - pos,
out, &outlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
"PreMasterSecret (encr_len=%d outlen=%lu)",
(int) (end - pos), (unsigned long) outlen);
use_random = 1;
}
if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
"length %lu", (unsigned long) outlen);
use_random = 1;
}
if (WPA_GET_BE16(out) != conn->client_version) {
wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
"ClientKeyExchange does not match with version in "
"ClientHello");
use_random = 1;
}
if (use_random) {
wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
"to avoid revealing information about private key");
outlen = TLS_PRE_MASTER_SECRET_LEN;
if (os_get_random(out, outlen)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
"data");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
os_free(out);
return -1;
}
}
res = tlsv1_server_derive_keys(conn, out, outlen);
/* Clear the pre-master secret since it is not needed anymore */
os_memset(out, 0, outbuflen);
os_free(out);
if (res) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
return 0;
}
static int tls_process_client_key_exchange_dh_anon(
struct tlsv1_server *conn, const u8 *pos, const u8 *end) {
const u8 *dh_yc;
u16 dh_yc_len;
u8 *shared;
size_t shared_len;
int res;
/*
* struct {
* select (PublicValueEncoding) {
* case implicit: struct { };
* case explicit: opaque dh_Yc<1..2^16-1>;
* } dh_public;
* } ClientDiffieHellmanPublic;
*/
wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
pos, end - pos);
if (end == pos) {
wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
"not supported");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
if (end - pos < 3) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
"length");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
dh_yc_len = WPA_GET_BE16(pos);
dh_yc = pos + 2;
if (dh_yc + dh_yc_len > end) {
wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
"(length %d)", dh_yc_len);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
dh_yc, dh_yc_len);
if (conn->cred == NULL || conn->cred->dh_p == NULL ||
conn->dh_secret == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
shared_len = conn->cred->dh_p_len;
shared = os_malloc(shared_len);
if (shared == NULL) {
wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
"DH");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
/* shared = Yc^secret mod p */
if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
conn->dh_secret_len,
conn->cred->dh_p, conn->cred->dh_p_len,
shared, &shared_len)) {
os_free(shared);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
shared, shared_len);
os_memset(conn->dh_secret, 0, conn->dh_secret_len);
os_free(conn->dh_secret);
conn->dh_secret = NULL;
res = tlsv1_server_derive_keys(conn, shared, shared_len);
/* Clear the pre-master secret since it is not needed anymore */
os_memset(shared, 0, shared_len);
os_free(shared);
if (res) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
return 0;
}
static int tls_write_server_finished(struct tlsv1_server *conn,
u8 **msgpos, u8 *end)
{
u8 *pos, *rhdr, *hs_start, *hs_length;
size_t rlen, hlen;
u8 verify_data[TLS_VERIFY_DATA_LEN];
u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
pos = *msgpos;
wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
/* Encrypted Handshake Message: Finished */
hlen = MD5_MAC_LEN;
if (conn->verify.md5_server == NULL ||
crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
conn->verify.md5_server = NULL;
crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
conn->verify.sha1_server = NULL;
return -1;
}
conn->verify.md5_server = NULL;
hlen = SHA1_MAC_LEN;
if (conn->verify.sha1_server == NULL ||
crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
&hlen) < 0) {
conn->verify.sha1_server = NULL;
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
conn->verify.sha1_server = NULL;
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
"server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
verify_data, TLS_VERIFY_DATA_LEN)) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
verify_data, TLS_VERIFY_DATA_LEN);
rhdr = pos;
pos += TLS_RECORD_HEADER_LEN;
/* Handshake */
hs_start = pos;
/* HandshakeType msg_type */
*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
/* uint24 length (to be filled) */
hs_length = pos;
pos += 3;
os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN);
pos += TLS_VERIFY_DATA_LEN;
WPA_PUT_BE24(hs_length, pos - hs_length - 3);
tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos = rhdr + rlen;
*msgpos = pos;
return 0;
}
/**
* tlsv1_server_decrypt - Decrypt data from TLS tunnel
* @conn: TLSv1 server connection data from tlsv1_server_init()
* @in_data: Pointer to input buffer (encrypted TLS data)
* @in_len: Input buffer length
* @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
* @out_len: Maximum out_data length
* Returns: Number of bytes written to out_data, -1 on failure
*
* This function is used after TLS handshake has been completed successfully to
* receive data from the encrypted tunnel.
*/
int tlsv1_server_decrypt(struct tlsv1_server *conn,
const u8 *in_data, size_t in_len,
u8 *out_data, size_t out_len)
{
const u8 *in_end, *pos;
int used;
u8 alert, *out_end, *out_pos, ct;
size_t olen;
pos = in_data;
in_end = in_data + in_len;
out_pos = out_data;
out_end = out_data + out_len;
while (pos < in_end) {
ct = pos[0];
olen = out_end - out_pos;
used = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
out_pos, &olen, &alert);
if (used < 0) {
wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing "
"failed");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
return -1;
}
if (used == 0) {
/* need more data */
wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
"yet supported");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
return -1;
}
if (ct == TLS_CONTENT_TYPE_ALERT) {
if (olen < 2) {
wpa_printf(MSG_DEBUG, "TLSv1: Alert "
"underflow");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_DECODE_ERROR);
return -1;
}
wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
out_pos[0], out_pos[1]);
if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) {
/* Continue processing */
pos += used;
continue;
}
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
out_pos[1]);
return -1;
}
if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type "
"0x%x", pos[0]);
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_UNEXPECTED_MESSAGE);
return -1;
}
out_pos += olen;
if (out_pos > out_end) {
wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
"for processing the received record");
tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_INTERNAL_ERROR);
return -1;
}
pos += used;
}
return out_pos - out_data;
}
