1 /*
2  * TLSv1 server - read handshake message
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21 
22 
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 					   const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 					  u8 ct, const u8 *in_data,
27 					  size_t *in_len);
28 
29 
testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33 	if ((conn->test_flags &
34 	     (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 	      TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 	      TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 	    suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 	    suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 	    suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 	    suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 	    suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 		return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44 
45 	return 0;
46 }
47 
48 
tls_process_status_request_item(struct tlsv1_server * conn,const u8 * req,size_t req_len)49 static void tls_process_status_request_item(struct tlsv1_server *conn,
50 					    const u8 *req, size_t req_len)
51 {
52 	const u8 *pos, *end;
53 	u8 status_type;
54 
55 	pos = req;
56 	end = req + req_len;
57 
58 	/*
59 	 * RFC 6961, 2.2:
60 	 * struct {
61 	 *   CertificateStatusType status_type;
62 	 *   uint16 request_length;
63 	 *   select (status_type) {
64 	 *     case ocsp: OCSPStatusRequest;
65 	 *     case ocsp_multi: OCSPStatusRequest;
66 	 *   } request;
67 	 * } CertificateStatusRequestItemV2;
68 	 *
69 	 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
70 	 */
71 
72 	if (end - pos < 1)
73 		return; /* Truncated data */
74 
75 	status_type = *pos++;
76 	wpa_printf(MSG_DEBUG, "TLSv1: CertificateStatusType %u", status_type);
77 	if (status_type != 1 && status_type != 2)
78 		return; /* Unsupported status type */
79 	/*
80 	 * For now, only OCSP stapling is supported, so ignore the specific
81 	 * request, if any.
82 	 */
83 	wpa_hexdump(MSG_DEBUG, "TLSv1: OCSPStatusRequest", pos, end - pos);
84 
85 	if (status_type == 2)
86 		conn->status_request_multi = 1;
87 }
88 
89 
tls_process_status_request_v2(struct tlsv1_server * conn,const u8 * ext,size_t ext_len)90 static void tls_process_status_request_v2(struct tlsv1_server *conn,
91 					  const u8 *ext, size_t ext_len)
92 {
93 	const u8 *pos, *end;
94 
95 	conn->status_request_v2 = 1;
96 
97 	pos = ext;
98 	end = ext + ext_len;
99 
100 	/*
101 	 * RFC 6961, 2.2:
102 	 * struct {
103 	 *   CertificateStatusRequestItemV2
104 	 *                    certificate_status_req_list<1..2^16-1>;
105 	 * } CertificateStatusRequestListV2;
106 	 */
107 
108 	while (end - pos >= 2) {
109 		u16 len;
110 
111 		len = WPA_GET_BE16(pos);
112 		pos += 2;
113 		if (len > end - pos)
114 			break; /* Truncated data */
115 		tls_process_status_request_item(conn, pos, len);
116 		pos += len;
117 	}
118 }
119 
120 
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)121 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
122 				    const u8 *in_data, size_t *in_len)
123 {
124 	const u8 *pos, *end, *c;
125 	size_t left, len, i, j;
126 	u16 cipher_suite;
127 	u16 num_suites;
128 	int compr_null_found;
129 	u16 ext_type, ext_len;
130 
131 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
132 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
133 				 ct);
134 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
135 				   TLS_ALERT_UNEXPECTED_MESSAGE);
136 		return -1;
137 	}
138 
139 	pos = in_data;
140 	left = *in_len;
141 
142 	if (left < 4) {
143 		tlsv1_server_log(conn,
144 				 "Truncated handshake message (expected ClientHello)");
145 		goto decode_error;
146 	}
147 
148 	/* HandshakeType msg_type */
149 	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
150 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
151 				 *pos);
152 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
153 				   TLS_ALERT_UNEXPECTED_MESSAGE);
154 		return -1;
155 	}
156 	tlsv1_server_log(conn, "Received ClientHello");
157 	pos++;
158 	/* uint24 length */
159 	len = WPA_GET_BE24(pos);
160 	pos += 3;
161 	left -= 4;
162 
163 	if (len > left) {
164 		tlsv1_server_log(conn,
165 				 "Truncated ClientHello (len=%d left=%d)",
166 				 (int) len, (int) left);
167 		goto decode_error;
168 	}
169 
170 	/* body - ClientHello */
171 
172 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
173 	end = pos + len;
174 
175 	/* ProtocolVersion client_version */
176 	if (end - pos < 2) {
177 		tlsv1_server_log(conn, "Truncated ClientHello/client_version");
178 		goto decode_error;
179 	}
180 	conn->client_version = WPA_GET_BE16(pos);
181 	tlsv1_server_log(conn, "Client version %d.%d",
182 			 conn->client_version >> 8,
183 			 conn->client_version & 0xff);
184 	if (conn->client_version < TLS_VERSION_1) {
185 		tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
186 				 conn->client_version >> 8,
187 				 conn->client_version & 0xff);
188 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
189 				   TLS_ALERT_PROTOCOL_VERSION);
190 		return -1;
191 	}
192 	pos += 2;
193 
194 	if (TLS_VERSION == TLS_VERSION_1)
195 		conn->rl.tls_version = TLS_VERSION_1;
196 #ifdef CONFIG_TLSV12
197 	else if (conn->client_version >= TLS_VERSION_1_2)
198 		conn->rl.tls_version = TLS_VERSION_1_2;
199 #endif /* CONFIG_TLSV12 */
200 	else if (conn->client_version > TLS_VERSION_1_1)
201 		conn->rl.tls_version = TLS_VERSION_1_1;
202 	else
203 		conn->rl.tls_version = conn->client_version;
204 	tlsv1_server_log(conn, "Using TLS v%s",
205 			 tls_version_str(conn->rl.tls_version));
206 
207 	/* Random random */
208 	if (end - pos < TLS_RANDOM_LEN) {
209 		tlsv1_server_log(conn, "Truncated ClientHello/client_random");
210 		goto decode_error;
211 	}
212 
213 	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
214 	pos += TLS_RANDOM_LEN;
215 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
216 		    conn->client_random, TLS_RANDOM_LEN);
217 
218 	/* SessionID session_id */
219 	if (end - pos < 1) {
220 		tlsv1_server_log(conn, "Truncated ClientHello/session_id len");
221 		goto decode_error;
222 	}
223 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) {
224 		tlsv1_server_log(conn, "Truncated ClientHello/session_id");
225 		goto decode_error;
226 	}
227 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
228 	pos += 1 + *pos;
229 	/* TODO: add support for session resumption */
230 
231 	/* CipherSuite cipher_suites<2..2^16-1> */
232 	if (end - pos < 2) {
233 		tlsv1_server_log(conn,
234 				 "Truncated ClientHello/cipher_suites len");
235 		goto decode_error;
236 	}
237 	num_suites = WPA_GET_BE16(pos);
238 	pos += 2;
239 	if (end - pos < num_suites) {
240 		tlsv1_server_log(conn, "Truncated ClientHello/cipher_suites");
241 		goto decode_error;
242 	}
243 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
244 		    pos, num_suites);
245 	if (num_suites & 1) {
246 		tlsv1_server_log(conn, "Odd len ClientHello/cipher_suites");
247 		goto decode_error;
248 	}
249 	num_suites /= 2;
250 
251 	cipher_suite = 0;
252 	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
253 		if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
254 			continue;
255 		c = pos;
256 		for (j = 0; j < num_suites; j++) {
257 			u16 tmp = WPA_GET_BE16(c);
258 			c += 2;
259 			if (!cipher_suite && tmp == conn->cipher_suites[i]) {
260 				cipher_suite = tmp;
261 				break;
262 			}
263 		}
264 	}
265 	pos += num_suites * 2;
266 	if (!cipher_suite) {
267 		tlsv1_server_log(conn, "No supported cipher suite available");
268 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 				   TLS_ALERT_ILLEGAL_PARAMETER);
270 		return -1;
271 	}
272 
273 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
274 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
275 			   "record layer");
276 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
277 				   TLS_ALERT_INTERNAL_ERROR);
278 		return -1;
279 	}
280 
281 	conn->cipher_suite = cipher_suite;
282 
283 	/* CompressionMethod compression_methods<1..2^8-1> */
284 	if (end - pos < 1) {
285 		tlsv1_server_log(conn,
286 				 "Truncated ClientHello/compression_methods len");
287 		goto decode_error;
288 	}
289 	num_suites = *pos++;
290 	if (end - pos < num_suites) {
291 		tlsv1_server_log(conn,
292 				 "Truncated ClientHello/compression_methods");
293 		goto decode_error;
294 	}
295 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
296 		    pos, num_suites);
297 	compr_null_found = 0;
298 	for (i = 0; i < num_suites; i++) {
299 		if (*pos++ == TLS_COMPRESSION_NULL)
300 			compr_null_found = 1;
301 	}
302 	if (!compr_null_found) {
303 		tlsv1_server_log(conn, "Client does not accept NULL compression");
304 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
305 				   TLS_ALERT_ILLEGAL_PARAMETER);
306 		return -1;
307 	}
308 
309 	if (end - pos == 1) {
310 		tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
311 				 *pos);
312 		goto decode_error;
313 	}
314 
315 	if (end - pos >= 2) {
316 		/* Extension client_hello_extension_list<0..2^16-1> */
317 		ext_len = WPA_GET_BE16(pos);
318 		pos += 2;
319 
320 		tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
321 				 ext_len);
322 		if (end - pos != ext_len) {
323 			tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
324 					 ext_len, (unsigned int) (end - pos));
325 			goto decode_error;
326 		}
327 
328 		/*
329 		 * struct {
330 		 *   ExtensionType extension_type (0..65535)
331 		 *   opaque extension_data<0..2^16-1>
332 		 * } Extension;
333 		 */
334 
335 		while (pos < end) {
336 			if (end - pos < 2) {
337 				tlsv1_server_log(conn, "Invalid extension_type field");
338 				goto decode_error;
339 			}
340 
341 			ext_type = WPA_GET_BE16(pos);
342 			pos += 2;
343 
344 			if (end - pos < 2) {
345 				tlsv1_server_log(conn, "Invalid extension_data length field");
346 				goto decode_error;
347 			}
348 
349 			ext_len = WPA_GET_BE16(pos);
350 			pos += 2;
351 
352 			if (end - pos < ext_len) {
353 				tlsv1_server_log(conn, "Invalid extension_data field");
354 				goto decode_error;
355 			}
356 
357 			tlsv1_server_log(conn, "ClientHello Extension type %u",
358 					 ext_type);
359 			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
360 				    "Extension data", pos, ext_len);
361 
362 			if (ext_type == TLS_EXT_SESSION_TICKET) {
363 				os_free(conn->session_ticket);
364 				conn->session_ticket = os_malloc(ext_len);
365 				if (conn->session_ticket) {
366 					os_memcpy(conn->session_ticket, pos,
367 						  ext_len);
368 					conn->session_ticket_len = ext_len;
369 				}
370 			} else if (ext_type == TLS_EXT_STATUS_REQUEST) {
371 				conn->status_request = 1;
372 			} else if (ext_type == TLS_EXT_STATUS_REQUEST_V2) {
373 				tls_process_status_request_v2(conn, pos,
374 							      ext_len);
375 			}
376 
377 			pos += ext_len;
378 		}
379 	}
380 
381 	*in_len = end - in_data;
382 
383 	tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
384 	conn->state = SERVER_HELLO;
385 
386 	return 0;
387 
388 decode_error:
389 	tlsv1_server_log(conn, "Failed to decode ClientHello");
390 	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
391 			   TLS_ALERT_DECODE_ERROR);
392 	return -1;
393 }
394 
395 
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)396 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
397 				   const u8 *in_data, size_t *in_len)
398 {
399 	const u8 *pos, *end;
400 	size_t left, len, list_len, cert_len, idx;
401 	u8 type;
402 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
403 	int reason;
404 
405 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
406 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
407 				 ct);
408 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
409 				   TLS_ALERT_UNEXPECTED_MESSAGE);
410 		return -1;
411 	}
412 
413 	pos = in_data;
414 	left = *in_len;
415 
416 	if (left < 4) {
417 		tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
418 				 (unsigned long) left);
419 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420 				   TLS_ALERT_DECODE_ERROR);
421 		return -1;
422 	}
423 
424 	type = *pos++;
425 	len = WPA_GET_BE24(pos);
426 	pos += 3;
427 	left -= 4;
428 
429 	if (len > left) {
430 		tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
431 				 (unsigned long) len, (unsigned long) left);
432 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
433 				   TLS_ALERT_DECODE_ERROR);
434 		return -1;
435 	}
436 
437 	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
438 		if (conn->verify_peer) {
439 			tlsv1_server_log(conn, "Client did not include Certificate");
440 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
441 					   TLS_ALERT_UNEXPECTED_MESSAGE);
442 			return -1;
443 		}
444 
445 		return tls_process_client_key_exchange(conn, ct, in_data,
446 						       in_len);
447 	}
448 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
449 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
450 				 type);
451 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
452 				   TLS_ALERT_UNEXPECTED_MESSAGE);
453 		return -1;
454 	}
455 
456 	tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
457 			 (unsigned long) len);
458 
459 	/*
460 	 * opaque ASN.1Cert<2^24-1>;
461 	 *
462 	 * struct {
463 	 *     ASN.1Cert certificate_list<1..2^24-1>;
464 	 * } Certificate;
465 	 */
466 
467 	end = pos + len;
468 
469 	if (end - pos < 3) {
470 		tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
471 				 (unsigned long) left);
472 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
473 				   TLS_ALERT_DECODE_ERROR);
474 		return -1;
475 	}
476 
477 	list_len = WPA_GET_BE24(pos);
478 	pos += 3;
479 
480 	if ((size_t) (end - pos) != list_len) {
481 		tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
482 				 (unsigned long) list_len,
483 				 (unsigned long) (end - pos));
484 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
485 				   TLS_ALERT_DECODE_ERROR);
486 		return -1;
487 	}
488 
489 	idx = 0;
490 	while (pos < end) {
491 		if (end - pos < 3) {
492 			tlsv1_server_log(conn, "Failed to parse certificate_list");
493 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
494 					   TLS_ALERT_DECODE_ERROR);
495 			x509_certificate_chain_free(chain);
496 			return -1;
497 		}
498 
499 		cert_len = WPA_GET_BE24(pos);
500 		pos += 3;
501 
502 		if ((size_t) (end - pos) < cert_len) {
503 			tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
504 					 (unsigned long) cert_len,
505 					 (unsigned long) (end - pos));
506 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
507 					   TLS_ALERT_DECODE_ERROR);
508 			x509_certificate_chain_free(chain);
509 			return -1;
510 		}
511 
512 		tlsv1_server_log(conn, "Certificate %lu (len %lu)",
513 				 (unsigned long) idx, (unsigned long) cert_len);
514 
515 		if (idx == 0) {
516 			crypto_public_key_free(conn->client_rsa_key);
517 			if (tls_parse_cert(pos, cert_len,
518 					   &conn->client_rsa_key)) {
519 				tlsv1_server_log(conn, "Failed to parse the certificate");
520 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
521 						   TLS_ALERT_BAD_CERTIFICATE);
522 				x509_certificate_chain_free(chain);
523 				return -1;
524 			}
525 		}
526 
527 		cert = x509_certificate_parse(pos, cert_len);
528 		if (cert == NULL) {
529 			tlsv1_server_log(conn, "Failed to parse the certificate");
530 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
531 					   TLS_ALERT_BAD_CERTIFICATE);
532 			x509_certificate_chain_free(chain);
533 			return -1;
534 		}
535 
536 		if (last == NULL)
537 			chain = cert;
538 		else
539 			last->next = cert;
540 		last = cert;
541 
542 		idx++;
543 		pos += cert_len;
544 	}
545 
546 	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
547 					    &reason, 0) < 0) {
548 		int tls_reason;
549 		tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
550 				 reason);
551 		switch (reason) {
552 		case X509_VALIDATE_BAD_CERTIFICATE:
553 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
554 			break;
555 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
556 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
557 			break;
558 		case X509_VALIDATE_CERTIFICATE_REVOKED:
559 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
560 			break;
561 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
562 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
563 			break;
564 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
565 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
566 			break;
567 		case X509_VALIDATE_UNKNOWN_CA:
568 			tls_reason = TLS_ALERT_UNKNOWN_CA;
569 			break;
570 		default:
571 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
572 			break;
573 		}
574 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
575 		x509_certificate_chain_free(chain);
576 		return -1;
577 	}
578 
579 	if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) &&
580 	    !(chain->ext_key_usage &
581 	      (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) {
582 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
583 				   TLS_ALERT_BAD_CERTIFICATE);
584 		x509_certificate_chain_free(chain);
585 		return -1;
586 	}
587 
588 	x509_certificate_chain_free(chain);
589 
590 	*in_len = end - in_data;
591 
592 	conn->state = CLIENT_KEY_EXCHANGE;
593 
594 	return 0;
595 }
596 
597 
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)598 static int tls_process_client_key_exchange_rsa(
599 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
600 {
601 	u8 *out;
602 	size_t outlen, outbuflen;
603 	u16 encr_len;
604 	int res;
605 	int use_random = 0;
606 
607 	if (end - pos < 2) {
608 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
609 				   TLS_ALERT_DECODE_ERROR);
610 		return -1;
611 	}
612 
613 	encr_len = WPA_GET_BE16(pos);
614 	pos += 2;
615 	if (pos + encr_len > end) {
616 		tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
617 				 encr_len, (unsigned int) (end - pos));
618 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
619 				   TLS_ALERT_DECODE_ERROR);
620 		return -1;
621 	}
622 
623 	outbuflen = outlen = end - pos;
624 	out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
625 			outlen : TLS_PRE_MASTER_SECRET_LEN);
626 	if (out == NULL) {
627 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628 				   TLS_ALERT_INTERNAL_ERROR);
629 		return -1;
630 	}
631 
632 	/*
633 	 * struct {
634 	 *   ProtocolVersion client_version;
635 	 *   opaque random[46];
636 	 * } PreMasterSecret;
637 	 *
638 	 * struct {
639 	 *   public-key-encrypted PreMasterSecret pre_master_secret;
640 	 * } EncryptedPreMasterSecret;
641 	 */
642 
643 	/*
644 	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
645 	 * parsing errors from EncryptedPreMasterSecret processing to the
646 	 * client. Instead, a random pre-master secret is used to force the
647 	 * handshake to fail.
648 	 */
649 
650 	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
651 						 pos, encr_len,
652 						 out, &outlen) < 0) {
653 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
654 			   "PreMasterSecret (encr_len=%u outlen=%lu)",
655 			   encr_len, (unsigned long) outlen);
656 		use_random = 1;
657 	}
658 
659 	if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
660 		tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
661 				 (unsigned long) outlen);
662 		use_random = 1;
663 	}
664 
665 	if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
666 		tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
667 		use_random = 1;
668 	}
669 
670 	if (use_random) {
671 		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
672 			   "to avoid revealing information about private key");
673 		outlen = TLS_PRE_MASTER_SECRET_LEN;
674 		if (os_get_random(out, outlen)) {
675 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
676 				   "data");
677 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
678 					   TLS_ALERT_INTERNAL_ERROR);
679 			os_free(out);
680 			return -1;
681 		}
682 	}
683 
684 	res = tlsv1_server_derive_keys(conn, out, outlen);
685 
686 	/* Clear the pre-master secret since it is not needed anymore */
687 	os_memset(out, 0, outbuflen);
688 	os_free(out);
689 
690 	if (res) {
691 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
692 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
693 				   TLS_ALERT_INTERNAL_ERROR);
694 		return -1;
695 	}
696 
697 	return 0;
698 }
699 
700 
tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)701 static int tls_process_client_key_exchange_dh(
702 	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
703 {
704 	const u8 *dh_yc;
705 	u16 dh_yc_len;
706 	u8 *shared;
707 	size_t shared_len;
708 	int res;
709 	const u8 *dh_p;
710 	size_t dh_p_len;
711 
712 	/*
713 	 * struct {
714 	 *   select (PublicValueEncoding) {
715 	 *     case implicit: struct { };
716 	 *     case explicit: opaque dh_Yc<1..2^16-1>;
717 	 *   } dh_public;
718 	 * } ClientDiffieHellmanPublic;
719 	 */
720 
721 	tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
722 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
723 		    pos, end - pos);
724 
725 	if (end == pos) {
726 		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
727 			   "not supported");
728 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
729 				   TLS_ALERT_INTERNAL_ERROR);
730 		return -1;
731 	}
732 
733 	if (end - pos < 3) {
734 		tlsv1_server_log(conn, "Invalid client public value length");
735 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 				   TLS_ALERT_DECODE_ERROR);
737 		return -1;
738 	}
739 
740 	dh_yc_len = WPA_GET_BE16(pos);
741 	dh_yc = pos + 2;
742 
743 	if (dh_yc_len > end - dh_yc) {
744 		tlsv1_server_log(conn, "Client public value overflow (length %d)",
745 				 dh_yc_len);
746 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
747 				   TLS_ALERT_DECODE_ERROR);
748 		return -1;
749 	}
750 
751 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
752 		    dh_yc, dh_yc_len);
753 
754 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
755 	    conn->dh_secret == NULL) {
756 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
757 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
758 				   TLS_ALERT_INTERNAL_ERROR);
759 		return -1;
760 	}
761 
762 	tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
763 
764 	shared_len = dh_p_len;
765 	shared = os_malloc(shared_len);
766 	if (shared == NULL) {
767 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
768 			   "DH");
769 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
770 				   TLS_ALERT_INTERNAL_ERROR);
771 		return -1;
772 	}
773 
774 	/* shared = Yc^secret mod p */
775 	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
776 			   conn->dh_secret_len, dh_p, dh_p_len,
777 			   shared, &shared_len)) {
778 		os_free(shared);
779 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
780 				   TLS_ALERT_INTERNAL_ERROR);
781 		return -1;
782 	}
783 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
784 			shared, shared_len);
785 
786 	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
787 	os_free(conn->dh_secret);
788 	conn->dh_secret = NULL;
789 
790 	res = tlsv1_server_derive_keys(conn, shared, shared_len);
791 
792 	/* Clear the pre-master secret since it is not needed anymore */
793 	os_memset(shared, 0, shared_len);
794 	os_free(shared);
795 
796 	if (res) {
797 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
798 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
799 				   TLS_ALERT_INTERNAL_ERROR);
800 		return -1;
801 	}
802 
803 	return 0;
804 }
805 
806 
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)807 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
808 					   const u8 *in_data, size_t *in_len)
809 {
810 	const u8 *pos, *end;
811 	size_t left, len;
812 	u8 type;
813 	tls_key_exchange keyx;
814 	const struct tls_cipher_suite *suite;
815 
816 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
817 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
818 				 ct);
819 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
820 				   TLS_ALERT_UNEXPECTED_MESSAGE);
821 		return -1;
822 	}
823 
824 	pos = in_data;
825 	left = *in_len;
826 
827 	if (left < 4) {
828 		tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
829 				 (unsigned long) left);
830 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831 				   TLS_ALERT_DECODE_ERROR);
832 		return -1;
833 	}
834 
835 	type = *pos++;
836 	len = WPA_GET_BE24(pos);
837 	pos += 3;
838 	left -= 4;
839 
840 	if (len > left) {
841 		tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
842 				 (unsigned long) len, (unsigned long) left);
843 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
844 				   TLS_ALERT_DECODE_ERROR);
845 		return -1;
846 	}
847 
848 	end = pos + len;
849 
850 	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
851 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
852 				 type);
853 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
854 				   TLS_ALERT_UNEXPECTED_MESSAGE);
855 		return -1;
856 	}
857 
858 	tlsv1_server_log(conn, "Received ClientKeyExchange");
859 
860 	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
861 
862 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
863 	if (suite == NULL)
864 		keyx = TLS_KEY_X_NULL;
865 	else
866 		keyx = suite->key_exchange;
867 
868 	if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
869 	    tls_process_client_key_exchange_dh(conn, pos, end) < 0)
870 		return -1;
871 
872 	if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
873 	    tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
874 		return -1;
875 
876 	*in_len = end - in_data;
877 
878 	conn->state = CERTIFICATE_VERIFY;
879 
880 	return 0;
881 }
882 
883 
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)884 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
885 					  const u8 *in_data, size_t *in_len)
886 {
887 	const u8 *pos, *end;
888 	size_t left, len;
889 	u8 type;
890 	size_t hlen;
891 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
892 	u8 alert;
893 
894 	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
895 		if (conn->verify_peer) {
896 			tlsv1_server_log(conn, "Client did not include CertificateVerify");
897 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
898 					   TLS_ALERT_UNEXPECTED_MESSAGE);
899 			return -1;
900 		}
901 
902 		return tls_process_change_cipher_spec(conn, ct, in_data,
903 						      in_len);
904 	}
905 
906 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
907 		tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
908 				 ct);
909 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
910 				   TLS_ALERT_UNEXPECTED_MESSAGE);
911 		return -1;
912 	}
913 
914 	pos = in_data;
915 	left = *in_len;
916 
917 	if (left < 4) {
918 		tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
919 				 (unsigned long) left);
920 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
921 				   TLS_ALERT_DECODE_ERROR);
922 		return -1;
923 	}
924 
925 	type = *pos++;
926 	len = WPA_GET_BE24(pos);
927 	pos += 3;
928 	left -= 4;
929 
930 	if (len > left) {
931 		tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
932 				 (unsigned long) len, (unsigned long) left);
933 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
934 				   TLS_ALERT_DECODE_ERROR);
935 		return -1;
936 	}
937 
938 	end = pos + len;
939 
940 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
941 		tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
942 				 type);
943 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
944 				   TLS_ALERT_UNEXPECTED_MESSAGE);
945 		return -1;
946 	}
947 
948 	tlsv1_server_log(conn, "Received CertificateVerify");
949 
950 	/*
951 	 * struct {
952 	 *   Signature signature;
953 	 * } CertificateVerify;
954 	 */
955 
956 	hpos = hash;
957 
958 #ifdef CONFIG_TLSV12
959 	if (conn->rl.tls_version == TLS_VERSION_1_2) {
960 		/*
961 		 * RFC 5246, 4.7:
962 		 * TLS v1.2 adds explicit indication of the used signature and
963 		 * hash algorithms.
964 		 *
965 		 * struct {
966 		 *   HashAlgorithm hash;
967 		 *   SignatureAlgorithm signature;
968 		 * } SignatureAndHashAlgorithm;
969 		 */
970 		if (end - pos < 2) {
971 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
972 					   TLS_ALERT_DECODE_ERROR);
973 			return -1;
974 		}
975 		if (pos[0] != TLS_HASH_ALG_SHA256 ||
976 		    pos[1] != TLS_SIGN_ALG_RSA) {
977 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
978 				   "signature(%u) algorithm",
979 				   pos[0], pos[1]);
980 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
981 					   TLS_ALERT_INTERNAL_ERROR);
982 			return -1;
983 		}
984 		pos += 2;
985 
986 		hlen = SHA256_MAC_LEN;
987 		if (conn->verify.sha256_cert == NULL ||
988 		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
989 		    0) {
990 			conn->verify.sha256_cert = NULL;
991 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
992 					   TLS_ALERT_INTERNAL_ERROR);
993 			return -1;
994 		}
995 		conn->verify.sha256_cert = NULL;
996 	} else {
997 #endif /* CONFIG_TLSV12 */
998 
999 	hlen = MD5_MAC_LEN;
1000 	if (conn->verify.md5_cert == NULL ||
1001 	    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
1002 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1003 				   TLS_ALERT_INTERNAL_ERROR);
1004 		conn->verify.md5_cert = NULL;
1005 		crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
1006 		conn->verify.sha1_cert = NULL;
1007 		return -1;
1008 	}
1009 	hpos += MD5_MAC_LEN;
1010 
1011 	conn->verify.md5_cert = NULL;
1012 	hlen = SHA1_MAC_LEN;
1013 	if (conn->verify.sha1_cert == NULL ||
1014 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
1015 		conn->verify.sha1_cert = NULL;
1016 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1017 				   TLS_ALERT_INTERNAL_ERROR);
1018 		return -1;
1019 	}
1020 	conn->verify.sha1_cert = NULL;
1021 
1022 	hlen += MD5_MAC_LEN;
1023 
1024 #ifdef CONFIG_TLSV12
1025 	}
1026 #endif /* CONFIG_TLSV12 */
1027 
1028 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
1029 
1030 	if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
1031 				 hash, hlen, pos, end - pos, &alert) < 0) {
1032 		tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
1033 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
1034 		return -1;
1035 	}
1036 
1037 	*in_len = end - in_data;
1038 
1039 	conn->state = CHANGE_CIPHER_SPEC;
1040 
1041 	return 0;
1042 }
1043 
1044 
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1045 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
1046 					  u8 ct, const u8 *in_data,
1047 					  size_t *in_len)
1048 {
1049 	const u8 *pos;
1050 	size_t left;
1051 
1052 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
1053 		tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
1054 				 ct);
1055 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1056 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1057 		return -1;
1058 	}
1059 
1060 	pos = in_data;
1061 	left = *in_len;
1062 
1063 	if (left < 1) {
1064 		tlsv1_server_log(conn, "Too short ChangeCipherSpec");
1065 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1066 				   TLS_ALERT_DECODE_ERROR);
1067 		return -1;
1068 	}
1069 
1070 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
1071 		tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
1072 				 *pos);
1073 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1074 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1075 		return -1;
1076 	}
1077 
1078 	tlsv1_server_log(conn, "Received ChangeCipherSpec");
1079 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
1080 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
1081 			   "for record layer");
1082 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1083 				   TLS_ALERT_INTERNAL_ERROR);
1084 		return -1;
1085 	}
1086 
1087 	*in_len = pos + 1 - in_data;
1088 
1089 	conn->state = CLIENT_FINISHED;
1090 
1091 	return 0;
1092 }
1093 
1094 
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)1095 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
1096 				       const u8 *in_data, size_t *in_len)
1097 {
1098 	const u8 *pos, *end;
1099 	size_t left, len, hlen;
1100 	u8 verify_data[TLS_VERIFY_DATA_LEN];
1101 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
1102 
1103 #ifdef CONFIG_TESTING_OPTIONS
1104 	if ((conn->test_flags &
1105 	     (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
1106 	    !conn->test_failure_reported) {
1107 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1108 		conn->test_failure_reported = 1;
1109 	}
1110 
1111 	if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1112 	    !conn->test_failure_reported) {
1113 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1114 		conn->test_failure_reported = 1;
1115 	}
1116 
1117 	if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1118 	    !conn->test_failure_reported) {
1119 		tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1120 		conn->test_failure_reported = 1;
1121 	}
1122 
1123 	if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1124 	    !conn->test_failure_reported) {
1125 		tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1126 		conn->test_failure_reported = 1;
1127 	}
1128 
1129 	if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1130 	    !conn->test_failure_reported) {
1131 		tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1132 		conn->test_failure_reported = 1;
1133 	}
1134 
1135 	if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1136 	    !conn->test_failure_reported) {
1137 		tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1138 		conn->test_failure_reported = 1;
1139 	}
1140 #endif /* CONFIG_TESTING_OPTIONS */
1141 
1142 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1143 		tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1144 				 ct);
1145 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1146 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1147 		return -1;
1148 	}
1149 
1150 	pos = in_data;
1151 	left = *in_len;
1152 
1153 	if (left < 4) {
1154 		tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1155 				 (unsigned long) left);
1156 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1157 				   TLS_ALERT_DECODE_ERROR);
1158 		return -1;
1159 	}
1160 
1161 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1162 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1163 			   "type 0x%x", pos[0]);
1164 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1165 				   TLS_ALERT_UNEXPECTED_MESSAGE);
1166 		return -1;
1167 	}
1168 
1169 	len = WPA_GET_BE24(pos + 1);
1170 
1171 	pos += 4;
1172 	left -= 4;
1173 
1174 	if (len > left) {
1175 		tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1176 				 (unsigned long) len, (unsigned long) left);
1177 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1178 				   TLS_ALERT_DECODE_ERROR);
1179 		return -1;
1180 	}
1181 	end = pos + len;
1182 	if (len != TLS_VERIFY_DATA_LEN) {
1183 		tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1184 				 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1185 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1186 				   TLS_ALERT_DECODE_ERROR);
1187 		return -1;
1188 	}
1189 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1190 		    pos, TLS_VERIFY_DATA_LEN);
1191 
1192 #ifdef CONFIG_TLSV12
1193 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1194 		hlen = SHA256_MAC_LEN;
1195 		if (conn->verify.sha256_client == NULL ||
1196 		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1197 		    < 0) {
1198 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1199 					   TLS_ALERT_INTERNAL_ERROR);
1200 			conn->verify.sha256_client = NULL;
1201 			return -1;
1202 		}
1203 		conn->verify.sha256_client = NULL;
1204 	} else {
1205 #endif /* CONFIG_TLSV12 */
1206 
1207 	hlen = MD5_MAC_LEN;
1208 	if (conn->verify.md5_client == NULL ||
1209 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1210 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1211 				   TLS_ALERT_INTERNAL_ERROR);
1212 		conn->verify.md5_client = NULL;
1213 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1214 		conn->verify.sha1_client = NULL;
1215 		return -1;
1216 	}
1217 	conn->verify.md5_client = NULL;
1218 	hlen = SHA1_MAC_LEN;
1219 	if (conn->verify.sha1_client == NULL ||
1220 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1221 			       &hlen) < 0) {
1222 		conn->verify.sha1_client = NULL;
1223 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1224 				   TLS_ALERT_INTERNAL_ERROR);
1225 		return -1;
1226 	}
1227 	conn->verify.sha1_client = NULL;
1228 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1229 
1230 #ifdef CONFIG_TLSV12
1231 	}
1232 #endif /* CONFIG_TLSV12 */
1233 
1234 	if (tls_prf(conn->rl.tls_version,
1235 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
1236 		    "client finished", hash, hlen,
1237 		    verify_data, TLS_VERIFY_DATA_LEN)) {
1238 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1239 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1240 				   TLS_ALERT_DECRYPT_ERROR);
1241 		return -1;
1242 	}
1243 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1244 			verify_data, TLS_VERIFY_DATA_LEN);
1245 
1246 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1247 		tlsv1_server_log(conn, "Mismatch in verify_data");
1248 		conn->state = FAILED;
1249 		return -1;
1250 	}
1251 
1252 	tlsv1_server_log(conn, "Received Finished");
1253 
1254 	*in_len = end - in_data;
1255 
1256 	if (conn->use_session_ticket) {
1257 		/* Abbreviated handshake using session ticket; RFC 4507 */
1258 		tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1259 		conn->state = ESTABLISHED;
1260 	} else {
1261 		/* Full handshake */
1262 		conn->state = SERVER_CHANGE_CIPHER_SPEC;
1263 	}
1264 
1265 	return 0;
1266 }
1267 
1268 
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1269 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1270 				   const u8 *buf, size_t *len)
1271 {
1272 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1273 		if (*len < 2) {
1274 			tlsv1_server_log(conn, "Alert underflow");
1275 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1276 					   TLS_ALERT_DECODE_ERROR);
1277 			return -1;
1278 		}
1279 		tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1280 		*len = 2;
1281 		conn->state = FAILED;
1282 		return -1;
1283 	}
1284 
1285 	switch (conn->state) {
1286 	case CLIENT_HELLO:
1287 		if (tls_process_client_hello(conn, ct, buf, len))
1288 			return -1;
1289 		break;
1290 	case CLIENT_CERTIFICATE:
1291 		if (tls_process_certificate(conn, ct, buf, len))
1292 			return -1;
1293 		break;
1294 	case CLIENT_KEY_EXCHANGE:
1295 		if (tls_process_client_key_exchange(conn, ct, buf, len))
1296 			return -1;
1297 		break;
1298 	case CERTIFICATE_VERIFY:
1299 		if (tls_process_certificate_verify(conn, ct, buf, len))
1300 			return -1;
1301 		break;
1302 	case CHANGE_CIPHER_SPEC:
1303 		if (tls_process_change_cipher_spec(conn, ct, buf, len))
1304 			return -1;
1305 		break;
1306 	case CLIENT_FINISHED:
1307 		if (tls_process_client_finished(conn, ct, buf, len))
1308 			return -1;
1309 		break;
1310 	default:
1311 		tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1312 				 conn->state);
1313 		return -1;
1314 	}
1315 
1316 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1317 		tls_verify_hash_add(&conn->verify, buf, *len);
1318 
1319 	return 0;
1320 }
1321