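/**
 * dh_derive_shared - Derive shared Diffie-Hellman key
 * @peer_public: Diffie-Hellman public value from peer
 * @own_private: Diffie-Hellman private key from dh_init()
 * @dh: Selected Diffie-Hellman group
 * Returns: Diffie-Hellman shared key (released with wpabuf_free() by the
 * caller), or %NULL on failure
 *
 * The returned buffer holds exactly the number of octets that
 * crypto_mod_exp() reported through its length argument, which may be fewer
 * than dh->prime_len.
 *
 * NOTE(review): @peer_public is supplied by the peer and is only checked for
 * being non-empty here. Nothing in this function rejects degenerate values
 * (0, 1, p - 1, or anything >= p), which make the resulting key predictable.
 * Confirm that the caller validates the range before the key is used.
 */
struct wpabuf * dh_derive_shared(const struct wpabuf *peer_public,
				 const struct wpabuf *own_private,
				 const struct dh_group *dh)
{
	struct wpabuf *shared;
	size_t shared_len;

	if (dh == NULL || peer_public == NULL || own_private == NULL)
		return NULL;
	/* An empty operand cannot be a valid DH value */
	if (wpabuf_len(peer_public) < 1 || wpabuf_len(own_private) < 1)
		return NULL;

	shared_len = dh->prime_len;
	shared = wpabuf_alloc(shared_len);
	if (shared == NULL)
		return NULL;
	/*
	 * Write through wpabuf_mhead() and commit the length only afterwards.
	 * Reserving prime_len octets with wpabuf_put() before the call would
	 * fix the buffer length at prime_len even when the result is shorter,
	 * leaving uninitialized tail octets inside the returned key.
	 */
	if (crypto_mod_exp(wpabuf_head(peer_public), wpabuf_len(peer_public),
			   wpabuf_head(own_private), wpabuf_len(own_private),
			   dh->prime, dh->prime_len,
			   wpabuf_mhead(shared), &shared_len) < 0) {
		/* A partial result may already be in the buffer */
		os_memset(wpabuf_mhead(shared), 0, dh->prime_len);
		wpabuf_free(shared);
		wpa_printf(MSG_INFO, "DH: crypto_mod_exp failed");
		return NULL;
	}
	wpabuf_put(shared, shared_len);
	wpa_hexdump_buf_key(MSG_DEBUG, "DH: shared key", shared);

	return shared;
}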
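/**
 * dh_init - Initialize Diffie-Hellman handshake
 * @dh: Selected Diffie-Hellman group
 * @priv: Pointer for returning Diffie-Hellman private key
 * Returns: Diffie-Hellman public value, or %NULL on failure
 *
 * Any buffer already stored in *@priv is freed first. On failure *@priv is
 * wiped, freed and set to %NULL so that no private value outlives a failed
 * handshake.
 *
 * WARNING: when get_dh_small() returns non-zero the private value is the
 * constant 1. The public value is then the generator itself and the shared
 * key equals the peer's public value, so the exchange provides no secrecy
 * against anyone who can observe it. That mode must never be enabled where
 * the key exchange is relied on for confidentiality.
 */
struct wpabuf * dh_init(const struct dh_group *dh, struct wpabuf **priv)
{
	struct wpabuf *pv;
	size_t pv_len;

	if (dh == NULL || priv == NULL)
		return NULL;

	wpabuf_free(*priv);
	*priv = wpabuf_alloc(dh->prime_len);
	if (*priv == NULL)
		return NULL;

	if (get_dh_small()) {
		/*
		 * Use small DH secret (1) to reduce calculation time on AP.
		 * See the WARNING in the function header: this is not a
		 * secret at all.
		 */
		memset(wpabuf_put(*priv, 1), 1, 1);
	} else {
		if (os_get_random(wpabuf_put(*priv, dh->prime_len),
				  dh->prime_len)) {
			wpabuf_free(*priv);
			*priv = NULL;
			return NULL;
		}

		/*
		 * Only the full-length random value is compared against the
		 * prime; the one-octet value above is always smaller, and
		 * comparing prime_len octets of it would read uninitialized
		 * memory.
		 */
		if (os_memcmp(wpabuf_head(*priv), dh->prime,
			      dh->prime_len) > 0) {
			/* Make sure private value is smaller than prime */
			*(wpabuf_mhead_u8(*priv)) = 0;
		}
	}
	wpa_hexdump_buf_key(MSG_DEBUG, "DH: private value", *priv);

	pv_len = dh->prime_len;
	pv = wpabuf_alloc(pv_len);
	if (pv == NULL)
		goto fail;
	if (crypto_mod_exp(dh->generator, dh->generator_len,
			   wpabuf_head(*priv), wpabuf_len(*priv),
			   dh->prime, dh->prime_len, wpabuf_mhead(pv),
			   &pv_len) < 0) {
		wpabuf_free(pv);
		wpa_printf(MSG_INFO, "DH: crypto_mod_exp failed");
		goto fail;
	}
	/* Commit only the octets crypto_mod_exp() actually produced */
	wpabuf_put(pv, pv_len);
	wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);

	return pv;

fail:
	/* Do not hand back a private key without its public value */
	os_memset(wpabuf_mhead(*priv), 0, wpabuf_len(*priv));
	wpabuf_free(*priv);
	*priv = NULL;
	return NULL;
}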
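/**
 * dh_init - Initialize Diffie-Hellman handshake
 * @dh: Selected Diffie-Hellman group
 * @priv: Pointer for returning Diffie-Hellman private key
 * Returns: Diffie-Hellman public value, or %NULL on failure
 *
 * Any buffer already stored in *@priv is freed first. The private value is
 * dh->prime_len octets from random_get_bytes(). On failure *@priv is wiped,
 * freed and set to %NULL so that no private value outlives a failed
 * handshake.
 */
struct wpabuf * dh_init(const struct dh_group *dh, struct wpabuf **priv)
{
	struct wpabuf *pv;
	size_t pv_len;

	if (dh == NULL || priv == NULL)
		return NULL;

	wpabuf_free(*priv);
	*priv = wpabuf_alloc(dh->prime_len);
	if (*priv == NULL)
		return NULL;

	if (random_get_bytes(wpabuf_put(*priv, dh->prime_len),
			     dh->prime_len)) {
		wpabuf_free(*priv);
		*priv = NULL;
		return NULL;
	}

	if (os_memcmp(wpabuf_head(*priv), dh->prime, dh->prime_len) > 0) {
		/* Make sure private value is smaller than prime */
		*(wpabuf_mhead_u8(*priv)) = 0;
	}
	wpa_hexdump_buf_key(MSG_DEBUG, "DH: private value", *priv);

	pv_len = dh->prime_len;
	pv = wpabuf_alloc(pv_len);
	if (pv == NULL)
		goto fail;
	if (crypto_mod_exp(dh->generator, dh->generator_len,
			   wpabuf_head(*priv), wpabuf_len(*priv),
			   dh->prime, dh->prime_len, wpabuf_mhead(pv),
			   &pv_len) < 0) {
		wpabuf_free(pv);
		wpa_printf(MSG_INFO, "DH: crypto_mod_exp failed");
		goto fail;
	}
	/* Commit only the octets crypto_mod_exp() actually produced */
	wpabuf_put(pv, pv_len);
	wpa_hexdump_buf(MSG_DEBUG, "DH: public value", pv);

	return pv;

fail:
	/* Do not hand back a private key without its public value */
	os_memset(wpabuf_mhead(*priv), 0, wpabuf_len(*priv));
	wpabuf_free(*priv);
	*priv = NULL;
	return NULL;
}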
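/**
 * tls_write_server_key_exchange - Append a ServerKeyExchange handshake record
 * @conn: TLSv1 server connection
 * @msgpos: In/out write position in the message buffer; advanced past the
 *	generated record only on success
 * @end: End of the message buffer
 * Returns: 0 on success or when the cipher suite needs no ServerKeyExchange,
 * -1 on failure
 *
 * Only anonymous Diffie-Hellman (TLS_KEY_X_DH_anon) is implemented, and only
 * in EAP_FAST builds. A fresh server secret is generated into
 * conn->dh_secret and Ys = g^secret mod p is written together with dh_p and
 * dh_g. No signature is written, so the peer cannot authenticate these
 * parameters from this message alone.
 */
static int tls_write_server_key_exchange(struct tlsv1_server *conn,
					 u8 **msgpos, u8 *end)
{
	tls_key_exchange keyx;
	const struct tls_cipher_suite *suite;
#ifdef EAP_FAST
	u8 *pos, *rhdr, *hs_start, *hs_length;
	size_t rlen;
	u8 *dh_ys = NULL;
	size_t dh_ys_len;
#endif /* EAP_FAST */

	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
	if (suite == NULL)
		keyx = TLS_KEY_X_NULL;
	else
		keyx = suite->key_exchange;

	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
		wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
		return 0;
	}

	if (keyx != TLS_KEY_X_DH_anon) {
		/* TODO? */
		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
			   "supported with key exchange type %d", keyx);
		return -1;
	}

#ifdef EAP_FAST
	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
	    conn->cred->dh_g == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
			   "ServerKeyExhcange");
		return -1;
	}

	/* Wipe a secret left from an earlier handshake before releasing it */
	if (conn->dh_secret)
		os_memset(conn->dh_secret, 0, conn->dh_secret_len);
	os_free(conn->dh_secret);
	conn->dh_secret_len = conn->cred->dh_p_len;
	conn->dh_secret = os_malloc(conn->dh_secret_len);
	if (conn->dh_secret == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
			   "memory for secret (Diffie-Hellman)");
		goto fail;
	}
	if (os_get_random(conn->dh_secret, conn->dh_secret_len)) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
			   "data for Diffie-Hellman");
		os_free(conn->dh_secret);
		conn->dh_secret = NULL;
		goto fail;
	}

	if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) >
	    0)
		conn->dh_secret[0] = 0; /* make sure secret < p */

	/* Drop leading zero octets, always keeping at least one octet */
	pos = conn->dh_secret;
	while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
		pos++;
	if (pos != conn->dh_secret) {
		os_memmove(conn->dh_secret, pos,
			   conn->dh_secret_len - (pos - conn->dh_secret));
		conn->dh_secret_len -= pos - conn->dh_secret;
	}
	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
			conn->dh_secret, conn->dh_secret_len);

	/* Ys = g^secret mod p */
	dh_ys_len = conn->cred->dh_p_len;
	dh_ys = os_malloc(dh_ys_len);
	if (dh_ys == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
			   "Diffie-Hellman");
		goto fail;
	}
	if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
			   conn->dh_secret, conn->dh_secret_len,
			   conn->cred->dh_p, conn->cred->dh_p_len,
			   dh_ys, &dh_ys_len))
		goto fail;

	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
		    dh_ys, dh_ys_len);

	/*
	 * struct {
	 *    select (KeyExchangeAlgorithm) {
	 *       case diffie_hellman:
	 *          ServerDHParams params;
	 *          Signature signed_params;
	 *       case rsa:
	 *          ServerRSAParams params;
	 *          Signature signed_params;
	 *    };
	 * } ServerKeyExchange;
	 *
	 * struct {
	 *    opaque dh_p<1..2^16-1>;
	 *    opaque dh_g<1..2^16-1>;
	 *    opaque dh_Ys<1..2^16-1>;
	 * } ServerDHParams;
	 */

	pos = *msgpos;

	/*
	 * The record header, the handshake type octet and the uint24 length
	 * are written before any of the per-field checks below, so make sure
	 * they fit first.
	 */
	if (end - pos < TLS_RECORD_HEADER_LEN + 4) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
			   "ServerKeyExchange header");
		goto fail;
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange");
	rhdr = pos;
	pos += TLS_RECORD_HEADER_LEN;

	/* opaque fragment[TLSPlaintext.length] */

	/* Handshake */
	hs_start = pos;
	/* HandshakeType msg_type */
	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
	/* uint24 length (to be filled) */
	hs_length = pos;
	pos += 3;

	/*
	 * body - ServerDHParams
	 *
	 * Each check compares against the space that is left instead of
	 * forming pos + length, which could run past the buffer before the
	 * comparison is made.
	 */
	/* dh_p */
	if (end - pos < 2 ||
	    conn->cred->dh_p_len > (size_t) (end - pos) - 2) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
			   "dh_p");
		goto fail;
	}
	WPA_PUT_BE16(pos, conn->cred->dh_p_len);
	pos += 2;
	os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len);
	pos += conn->cred->dh_p_len;

	/* dh_g */
	if (end - pos < 2 ||
	    conn->cred->dh_g_len > (size_t) (end - pos) - 2) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
			   "dh_g");
		goto fail;
	}
	WPA_PUT_BE16(pos, conn->cred->dh_g_len);
	pos += 2;
	os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
	pos += conn->cred->dh_g_len;

	/* dh_Ys */
	if (end - pos < 2 || dh_ys_len > (size_t) (end - pos) - 2) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
			   "dh_Ys");
		goto fail;
	}
	WPA_PUT_BE16(pos, dh_ys_len);
	pos += 2;
	os_memcpy(pos, dh_ys, dh_ys_len);
	pos += dh_ys_len;
	os_free(dh_ys);
	dh_ys = NULL; /* the shared failure path frees dh_ys again */

	WPA_PUT_BE24(hs_length, pos - hs_length - 3);

	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
		goto fail;
	}
	pos = rhdr + rlen;

	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);

	*msgpos = pos;

	return 0;

fail:
	/* Every failure after the DH parameter check ends the handshake */
	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
			   TLS_ALERT_INTERNAL_ERROR);
	os_free(dh_ys);
	return -1;
#else /* EAP_FAST */
	return -1;
#endif /* EAP_FAST */
}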
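/**
 * tlsv1_key_x_anon_dh - Write ClientDiffieHellmanPublic and derive keys
 * @conn: TLSv1 client connection
 * @pos: In/out write position in the message buffer; advanced past Yc once
 *	it has been written
 * @end: End of the message buffer
 * Returns: 0 on success, -1 on failure (a fatal internal_error alert is
 * queued with tls_alert())
 *
 * Generates the client secret, writes Yc = g^csecret mod p with a two-octet
 * length prefix, computes shared = Ys^csecret mod p and passes it to
 * tls_derive_keys(). The client secret and the shared secret are wiped on
 * every exit path. Without EAP_FAST the function always fails.
 *
 * NOTE(review): conn->dh_p, conn->dh_g and conn->dh_ys come from the
 * server's ServerKeyExchange and are used here without any range check;
 * confirm that they are validated where they are parsed.
 */
static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
{
#ifdef EAP_FAST
	/* ClientDiffieHellmanPublic */
	u8 *csecret, *csecret_start, *dh_yc = NULL, *shared = NULL;
	size_t csecret_len, dh_yc_len, shared_len;
	/* Allocation sizes, kept so the wipes below cover the whole buffers */
	size_t csecret_alloc_len, shared_alloc_len = 0;
	int ret = -1;

	csecret_alloc_len = conn->dh_p_len;
	csecret_len = csecret_alloc_len;
	csecret = os_malloc(csecret_alloc_len);
	if (csecret == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
			   "memory for Yc (Diffie-Hellman)");
		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
			  TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}
	if (os_get_random(csecret, csecret_len)) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
			   "data for Diffie-Hellman");
		goto fail;
	}

	if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
		csecret[0] = 0; /* make sure csecret < p */

	/* Skip leading zero octets, always keeping at least one octet */
	csecret_start = csecret;
	while (csecret_len > 1 && *csecret_start == 0) {
		csecret_start++;
		csecret_len--;
	}
	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
			csecret_start, csecret_len);

	/* Yc = g^csecret mod p */
	dh_yc_len = conn->dh_p_len;
	dh_yc = os_malloc(dh_yc_len);
	if (dh_yc == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
			   "memory for Diffie-Hellman");
		goto fail;
	}
	if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
			   csecret_start, csecret_len,
			   conn->dh_p, conn->dh_p_len,
			   dh_yc, &dh_yc_len))
		goto fail;

	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
		    dh_yc, dh_yc_len);

	/*
	 * Check the room for the length prefix and the value together, and
	 * before either is written; the prefix used to be stored ahead of
	 * any bounds check.
	 */
	if (end - *pos < 2 || dh_yc_len > (size_t) (end - *pos) - 2) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
			   "message buffer for Yc");
		goto fail;
	}
	WPA_PUT_BE16(*pos, dh_yc_len);
	*pos += 2;
	os_memcpy(*pos, dh_yc, dh_yc_len);
	*pos += dh_yc_len;

	shared_alloc_len = conn->dh_p_len;
	shared_len = shared_alloc_len;
	shared = os_malloc(shared_alloc_len);
	if (shared == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
			   "DH");
		goto fail;
	}

	/* shared = Ys^csecret mod p */
	if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
			   csecret_start, csecret_len,
			   conn->dh_p, conn->dh_p_len,
			   shared, &shared_len))
		goto fail;
	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
			shared, shared_len);

	if (tls_derive_keys(conn, shared, shared_len)) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
		goto fail;
	}
	tlsv1_client_free_dh(conn);
	ret = 0;
	goto done;

fail:
	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR);
done:
	/* Secrets are wiped on success and on failure alike */
	os_memset(csecret, 0, csecret_alloc_len);
	os_free(csecret);
	if (shared) {
		os_memset(shared, 0, shared_alloc_len);
		os_free(shared);
	}
	os_free(dh_yc);
	return ret;
#else /* EAP_FAST */
	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR);
	return -1;
#endif /* EAP_FAST */
}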
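/**
 * tls_process_client_key_exchange_dh_anon - Process ClientDiffieHellmanPublic
 * @conn: TLSv1 server connection
 * @pos: Start of the ClientDiffieHellmanPublic payload
 * @end: End of the payload
 * Returns: 0 on success, -1 on failure (a fatal alert is queued with
 * tlsv1_server_alert())
 *
 * Parses the explicit client public value Yc, computes
 * shared = Yc^secret mod p with the server secret in conn->dh_secret, and
 * passes the result to tlsv1_server_derive_keys(). The server secret is
 * wiped and released once the shared value has been computed, and the shared
 * value is wiped before it is freed.
 *
 * Yc is peer-controlled. Values 0 and 1 and values >= p are rejected because
 * they make the shared secret predictable or are not reduced modulo p.
 * p - 1 is not rejected here.
 */
static int tls_process_client_key_exchange_dh_anon(
        struct tlsv1_server *conn, const u8 *pos, const u8 *end) {
    const u8 *dh_yc;
    u16 dh_yc_len;
    u8 *shared;
    size_t shared_len;
    int res;

    /*
     * struct {
     *   select (PublicValueEncoding) {
     *     case implicit: struct { };
     *     case explicit: opaque dh_Yc<1..2^16-1>;
     *   } dh_public;
     * } ClientDiffieHellmanPublic;
     */

    wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
            pos, end - pos);

    if (end == pos) {
        wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
                "not supported");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_INTERNAL_ERROR);
        return -1;
    }

    /* Two length octets plus at least one octet of Yc */
    if (end - pos < 3) {
        wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
                "length");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_DECODE_ERROR);
        return -1;
    }

    dh_yc_len = WPA_GET_BE16(pos);
    dh_yc = pos + 2;

    /*
     * Compare the claimed length with the octets that remain instead of
     * forming dh_yc + dh_yc_len, which may point past the buffer.
     */
    if (dh_yc_len > end - dh_yc) {
        wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
                "(length %d)", dh_yc_len);
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_DECODE_ERROR);
        return -1;
    }

    wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
            dh_yc, dh_yc_len);

    if (conn->cred == NULL || conn->cred->dh_p == NULL ||
            conn->dh_secret == NULL) {
        wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_INTERNAL_ERROR);
        return -1;
    }

    /*
     * Strip leading zero octets so that the length and memcmp comparisons
     * below are numeric comparisons of big-endian integers. The modular
     * exponentiation result does not depend on leading zeros.
     */
    while (dh_yc_len > 0 && *dh_yc == 0) {
        dh_yc++;
        dh_yc_len--;
    }
    if (dh_yc_len == 0 || (dh_yc_len == 1 && *dh_yc == 1) ||
            dh_yc_len > conn->cred->dh_p_len ||
            (dh_yc_len == conn->cred->dh_p_len &&
             os_memcmp(dh_yc, conn->cred->dh_p, dh_yc_len) >= 0)) {
        wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_DECODE_ERROR);
        return -1;
    }

    shared_len = conn->cred->dh_p_len;
    shared = os_malloc(shared_len);
    if (shared == NULL) {
        wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
                "DH");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_INTERNAL_ERROR);
        return -1;
    }

    /* shared = Yc^secret mod p */
    if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
            conn->dh_secret_len,
            conn->cred->dh_p, conn->cred->dh_p_len,
            shared, &shared_len)) {
        /* A partial result may already be in the buffer */
        os_memset(shared, 0, conn->cred->dh_p_len);
        os_free(shared);
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_INTERNAL_ERROR);
        return -1;
    }
    wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
            shared, shared_len);

    /* The server secret is single-use; wipe it once shared is computed */
    os_memset(conn->dh_secret, 0, conn->dh_secret_len);
    os_free(conn->dh_secret);
    conn->dh_secret = NULL;

    res = tlsv1_server_derive_keys(conn, shared, shared_len);

    /* Clear the pre-master secret since it is not needed anymore */
    os_memset(shared, 0, shared_len);
    os_free(shared);

    if (res) {
        wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                TLS_ALERT_INTERNAL_ERROR);
        return -1;
    }

    return 0;
}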