← Back to branch summary

~ubuntu-branches/ubuntu/vivid/wpasupplicant/vivid

« back to all changes in this revision

Viewing changes to src/tls/tlsv1_server_read.c

  • Committer: Bazaar Package Importer
  • Author(s): Kel Modderman
  • Date: 2008-03-12 20:03:04 UTC
  • mfrom: (1.1.10 upstream)
  • mto: This revision was merged to the branch mainline in revision 4.
  • Revision ID: james.westby@ubuntu.com-20080312200304-4331y9wj46pdd34z
Tags: 0.6.3-1
http://bugs.debian.org/466910
* New upstream release.
* Drop patches applied upstream:
  - debian/patches/30_wpa_gui_qt4_eventhistoryui_rework.patch
  - debian/patches/31_wpa_gui_qt4_eventhistory_always_scrollbar.patch
  - debian/patches/32_wpa_gui_qt4_eventhistory_scroll_with_events.patch
  - debian/patches/40_dbus_ssid_data.patch
* Tidy up the clean target of debian/rules. Now that the madwifi headers are
  handled differently we no longer need to do any cleanup.
* Fix formatting error in debian/ifupdown/wpa_action.8 to make lintian
  quieter.
* Add patch to fix formatting errors in manpages build from sgml source. Use
  <emphasis> tags to hightlight keywords instead of surrounding them in
  strong quotes.
  - debian/patches/41_manpage_format_fixes.patch
* wpasupplicant binary package no longer suggests pcscd, guessnet, iproute
  or wireless-tools, nor does it recommend dhcp3-client. These are not
  needed.
* Add debian/patches/10_silence_siocsiwauth_icotl_failure.patch to disable
  ioctl failure messages that occur under normal conditions.
* Cherry pick two upstream git commits concerning the dbus interface:
  - debian/patches/11_avoid_dbus_version_namespace.patch
  - debian/patches/12_fix_potential_use_after_free.patch
* Add debian/patches/42_manpage_explain_available_drivers.patch to explain
  that not all of the driver backends are available in the provided
  wpa_supplicant binary, and that the canonical list of supported driver
  backends can be retrieved from the wpa_supplicant -h (help) output.
  (Closes: #466910)
* Add debian/patches/20_wpa_gui_qt4_disable_link_prl.patch to remove
  link_prl CONFIG compile flag added by qmake-qt4 >= 4.3.4-2 to avoid excess
  linking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/tls/tlsv1_server_read.c
 
1
/*
 
2
 * TLSv1 server - read handshake message
 
3
 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
 
4
 *
 
5
 * This program is free software; you can redistribute it and/or modify
 
6
 * it under the terms of the GNU General Public License version 2 as
 
7
 * published by the Free Software Foundation.
 
8
 *
 
9
 * Alternatively, this software may be distributed under the terms of BSD
 
10
 * license.
 
11
 *
 
12
 * See README and COPYING for more details.
 
13
 */
 
14
 
 
15
#include "includes.h"
 
16
 
 
17
#include "common.h"
 
18
#include "md5.h"
 
19
#include "sha1.h"
 
20
#include "x509v3.h"
 
21
#include "tls.h"
 
22
#include "tlsv1_common.h"
 
23
#include "tlsv1_record.h"
 
24
#include "tlsv1_server.h"
 
25
#include "tlsv1_server_i.h"
 
26
 
 
27
 
 
28
static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 
29
                                           const u8 *in_data, size_t *in_len);
 
30
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 
31
                                          u8 ct, const u8 *in_data,
 
32
                                          size_t *in_len);
 
33
 
 
34
 
 
35
static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
 
36
                                    const u8 *in_data, size_t *in_len)
 
37
{
 
38
        const u8 *pos, *end, *c;
 
39
        size_t left, len, i, j;
 
40
        u16 cipher_suite;
 
41
        u16 num_suites;
 
42
        int compr_null_found;
 
43
 
 
44
        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 
45
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 
46
                           "received content type 0x%x", ct);
 
47
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
48
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
49
                return -1;
 
50
        }
 
51
 
 
52
        pos = in_data;
 
53
        left = *in_len;
 
54
 
 
55
        if (left < 4)
 
56
                goto decode_error;
 
57
 
 
58
        /* HandshakeType msg_type */
 
59
        if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
 
60
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 
61
                           "message %d (expected ClientHello)", *pos);
 
62
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
63
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
64
                return -1;
 
65
        }
 
66
        wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
 
67
        pos++;
 
68
        /* uint24 length */
 
69
        len = WPA_GET_BE24(pos);
 
70
        pos += 3;
 
71
        left -= 4;
 
72
 
 
73
        if (len > left)
 
74
                goto decode_error;
 
75
 
 
76
        /* body - ClientHello */
 
77
 
 
78
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
 
79
        end = pos + len;
 
80
 
 
81
        /* ProtocolVersion client_version */
 
82
        if (end - pos < 2)
 
83
                goto decode_error;
 
84
        conn->client_version = WPA_GET_BE16(pos);
 
85
        wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
 
86
                   conn->client_version >> 8, conn->client_version & 0xff);
 
87
        if (conn->client_version < TLS_VERSION) {
 
88
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
 
89
                           "ClientHello");
 
90
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
91
                                   TLS_ALERT_PROTOCOL_VERSION);
 
92
                return -1;
 
93
        }
 
94
        pos += 2;
 
95
 
 
96
        /* Random random */
 
97
        if (end - pos < TLS_RANDOM_LEN)
 
98
                goto decode_error;
 
99
 
 
100
        os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
 
101
        pos += TLS_RANDOM_LEN;
 
102
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
 
103
                    conn->client_random, TLS_RANDOM_LEN);
 
104
 
 
105
        /* SessionID session_id */
 
106
        if (end - pos < 1)
 
107
                goto decode_error;
 
108
        if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
 
109
                goto decode_error;
 
110
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
 
111
        pos += 1 + *pos;
 
112
        /* TODO: add support for session resumption */
 
113
 
 
114
        /* CipherSuite cipher_suites<2..2^16-1> */
 
115
        if (end - pos < 2)
 
116
                goto decode_error;
 
117
        num_suites = WPA_GET_BE16(pos);
 
118
        pos += 2;
 
119
        if (end - pos < num_suites)
 
120
                goto decode_error;
 
121
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
 
122
                    pos, num_suites);
 
123
        if (num_suites & 1)
 
124
                goto decode_error;
 
125
        num_suites /= 2;
 
126
 
 
127
        cipher_suite = 0;
 
128
        for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
 
129
                c = pos;
 
130
                for (j = 0; j < num_suites; j++) {
 
131
                        u16 tmp = WPA_GET_BE16(c);
 
132
                        c += 2;
 
133
                        if (!cipher_suite && tmp == conn->cipher_suites[i]) {
 
134
                                cipher_suite = tmp;
 
135
                                break;
 
136
                        }
 
137
                }
 
138
        }
 
139
        pos += num_suites * 2;
 
140
        if (!cipher_suite) {
 
141
                wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
 
142
                           "available");
 
143
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
144
                                   TLS_ALERT_ILLEGAL_PARAMETER);
 
145
                return -1;
 
146
        }
 
147
 
 
148
        if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
 
149
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
 
150
                           "record layer");
 
151
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
152
                                   TLS_ALERT_INTERNAL_ERROR);
 
153
                return -1;
 
154
        }
 
155
 
 
156
        conn->cipher_suite = cipher_suite;
 
157
 
 
158
        /* CompressionMethod compression_methods<1..2^8-1> */
 
159
        if (end - pos < 1)
 
160
                goto decode_error;
 
161
        num_suites = *pos++;
 
162
        if (end - pos < num_suites)
 
163
                goto decode_error;
 
164
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
 
165
                    pos, num_suites);
 
166
        compr_null_found = 0;
 
167
        for (i = 0; i < num_suites; i++) {
 
168
                if (*pos++ == TLS_COMPRESSION_NULL)
 
169
                        compr_null_found = 1;
 
170
        }
 
171
        if (!compr_null_found) {
 
172
                wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
 
173
                           "compression");
 
174
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
175
                                   TLS_ALERT_ILLEGAL_PARAMETER);
 
176
                return -1;
 
177
        }
 
178
 
 
179
        if (end - pos == 1) {
 
180
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
 
181
                            "end of ClientHello: 0x%02x", *pos);
 
182
                goto decode_error;
 
183
        }
 
184
 
 
185
        if (end - pos >= 2) {
 
186
                u16 ext_len;
 
187
 
 
188
                /* Extension client_hello_extension_list<0..2^16-1> */
 
189
 
 
190
                ext_len = WPA_GET_BE16(pos);
 
191
                pos += 2;
 
192
 
 
193
                wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
 
194
                           "extensions", ext_len);
 
195
                if (end - pos != ext_len) {
 
196
                        wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
 
197
                                   "extension list length %u (expected %u)",
 
198
                                   ext_len, end - pos);
 
199
                        goto decode_error;
 
200
                }
 
201
 
 
202
                /*
 
203
                 * struct {
 
204
                 *   ExtensionType extension_type (0..65535)
 
205
                 *   opaque extension_data<0..2^16-1>
 
206
                 * } Extension;
 
207
                 */
 
208
 
 
209
                while (pos < end) {
 
210
                        u16 ext_type, ext_len;
 
211
 
 
212
                        if (end - pos < 2) {
 
213
                                wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 
214
                                           "extension_type field");
 
215
                                goto decode_error;
 
216
                        }
 
217
 
 
218
                        ext_type = WPA_GET_BE16(pos);
 
219
                        pos += 2;
 
220
 
 
221
                        if (end - pos < 2) {
 
222
                                wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 
223
                                           "extension_data length field");
 
224
                                goto decode_error;
 
225
                        }
 
226
 
 
227
                        ext_len = WPA_GET_BE16(pos);
 
228
                        pos += 2;
 
229
 
 
230
                        if (end - pos < ext_len) {
 
231
                                wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
 
232
                                           "extension_data field");
 
233
                                goto decode_error;
 
234
                        }
 
235
 
 
236
                        wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
 
237
                                   "type %u", ext_type);
 
238
                        wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
 
239
                                    "Extension data", pos, ext_len);
 
240
 
 
241
                        if (ext_type == TLS_EXT_SESSION_TICKET) {
 
242
                                os_free(conn->session_ticket);
 
243
                                conn->session_ticket = os_malloc(ext_len);
 
244
                                if (conn->session_ticket) {
 
245
                                        os_memcpy(conn->session_ticket, pos,
 
246
                                                  ext_len);
 
247
                                        conn->session_ticket_len = ext_len;
 
248
                                }
 
249
                        }
 
250
 
 
251
                        pos += ext_len;
 
252
                }
 
253
        }
 
254
 
 
255
        *in_len = end - in_data;
 
256
 
 
257
        wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
 
258
                   "ServerHello");
 
259
        conn->state = SERVER_HELLO;
 
260
 
 
261
        return 0;
 
262
 
 
263
decode_error:
 
264
        wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
 
265
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
266
                           TLS_ALERT_DECODE_ERROR);
 
267
        return -1;
 
268
}
 
269
 
 
270
 
 
271
static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 
272
                                   const u8 *in_data, size_t *in_len)
 
273
{
 
274
        const u8 *pos, *end;
 
275
        size_t left, len, list_len, cert_len, idx;
 
276
        u8 type;
 
277
        struct x509_certificate *chain = NULL, *last = NULL, *cert;
 
278
        int reason;
 
279
 
 
280
        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 
281
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 
282
                           "received content type 0x%x", ct);
 
283
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
284
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
285
                return -1;
 
286
        }
 
287
 
 
288
        pos = in_data;
 
289
        left = *in_len;
 
290
 
 
291
        if (left < 4) {
 
292
                wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
 
293
                           "(len=%lu)", (unsigned long) left);
 
294
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
295
                                   TLS_ALERT_DECODE_ERROR);
 
296
                return -1;
 
297
        }
 
298
 
 
299
        type = *pos++;
 
300
        len = WPA_GET_BE24(pos);
 
301
        pos += 3;
 
302
        left -= 4;
 
303
 
 
304
        if (len > left) {
 
305
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
 
306
                           "length (len=%lu != left=%lu)",
 
307
                           (unsigned long) len, (unsigned long) left);
 
308
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
309
                                   TLS_ALERT_DECODE_ERROR);
 
310
                return -1;
 
311
        }
 
312
 
 
313
        if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 
314
                if (conn->verify_peer) {
 
315
                        wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 
316
                                   "Certificate");
 
317
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
318
                                           TLS_ALERT_UNEXPECTED_MESSAGE);
 
319
                        return -1;
 
320
                }
 
321
 
 
322
                return tls_process_client_key_exchange(conn, ct, in_data,
 
323
                                                       in_len);
 
324
        }
 
325
        if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
 
326
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 
327
                           "message %d (expected Certificate/"
 
328
                           "ClientKeyExchange)", type);
 
329
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
330
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
331
                return -1;
 
332
        }
 
333
 
 
334
        wpa_printf(MSG_DEBUG,
 
335
                   "TLSv1: Received Certificate (certificate_list len %lu)",
 
336
                   (unsigned long) len);
 
337
 
 
338
        /*
 
339
         * opaque ASN.1Cert<2^24-1>;
 
340
         *
 
341
         * struct {
 
342
         *     ASN.1Cert certificate_list<1..2^24-1>;
 
343
         * } Certificate;
 
344
         */
 
345
 
 
346
        end = pos + len;
 
347
 
 
348
        if (end - pos < 3) {
 
349
                wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
 
350
                           "(left=%lu)", (unsigned long) left);
 
351
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
352
                                   TLS_ALERT_DECODE_ERROR);
 
353
                return -1;
 
354
        }
 
355
 
 
356
        list_len = WPA_GET_BE24(pos);
 
357
        pos += 3;
 
358
 
 
359
        if ((size_t) (end - pos) != list_len) {
 
360
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
 
361
                           "length (len=%lu left=%lu)",
 
362
                           (unsigned long) list_len,
 
363
                           (unsigned long) (end - pos));
 
364
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
365
                                   TLS_ALERT_DECODE_ERROR);
 
366
                return -1;
 
367
        }
 
368
 
 
369
        idx = 0;
 
370
        while (pos < end) {
 
371
                if (end - pos < 3) {
 
372
                        wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 
373
                                   "certificate_list");
 
374
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
375
                                           TLS_ALERT_DECODE_ERROR);
 
376
                        x509_certificate_chain_free(chain);
 
377
                        return -1;
 
378
                }
 
379
 
 
380
                cert_len = WPA_GET_BE24(pos);
 
381
                pos += 3;
 
382
 
 
383
                if ((size_t) (end - pos) < cert_len) {
 
384
                        wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
 
385
                                   "length (len=%lu left=%lu)",
 
386
                                   (unsigned long) cert_len,
 
387
                                   (unsigned long) (end - pos));
 
388
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
389
                                           TLS_ALERT_DECODE_ERROR);
 
390
                        x509_certificate_chain_free(chain);
 
391
                        return -1;
 
392
                }
 
393
 
 
394
                wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
 
395
                           (unsigned long) idx, (unsigned long) cert_len);
 
396
 
 
397
                if (idx == 0) {
 
398
                        crypto_public_key_free(conn->client_rsa_key);
 
399
                        if (tls_parse_cert(pos, cert_len,
 
400
                                           &conn->client_rsa_key)) {
 
401
                                wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 
402
                                           "the certificate");
 
403
                                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
404
                                                   TLS_ALERT_BAD_CERTIFICATE);
 
405
                                x509_certificate_chain_free(chain);
 
406
                                return -1;
 
407
                        }
 
408
                }
 
409
 
 
410
                cert = x509_certificate_parse(pos, cert_len);
 
411
                if (cert == NULL) {
 
412
                        wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
 
413
                                   "the certificate");
 
414
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
415
                                           TLS_ALERT_BAD_CERTIFICATE);
 
416
                        x509_certificate_chain_free(chain);
 
417
                        return -1;
 
418
                }
 
419
 
 
420
                if (last == NULL)
 
421
                        chain = cert;
 
422
                else
 
423
                        last->next = cert;
 
424
                last = cert;
 
425
 
 
426
                idx++;
 
427
                pos += cert_len;
 
428
        }
 
429
 
 
430
        if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 
431
                                            &reason) < 0) {
 
432
                int tls_reason;
 
433
                wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 
434
                           "validation failed (reason=%d)", reason);
 
435
                switch (reason) {
 
436
                case X509_VALIDATE_BAD_CERTIFICATE:
 
437
                        tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 
438
                        break;
 
439
                case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 
440
                        tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 
441
                        break;
 
442
                case X509_VALIDATE_CERTIFICATE_REVOKED:
 
443
                        tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
 
444
                        break;
 
445
                case X509_VALIDATE_CERTIFICATE_EXPIRED:
 
446
                        tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
 
447
                        break;
 
448
                case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 
449
                        tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 
450
                        break;
 
451
                case X509_VALIDATE_UNKNOWN_CA:
 
452
                        tls_reason = TLS_ALERT_UNKNOWN_CA;
 
453
                        break;
 
454
                default:
 
455
                        tls_reason = TLS_ALERT_BAD_CERTIFICATE;
 
456
                        break;
 
457
                }
 
458
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
 
459
                x509_certificate_chain_free(chain);
 
460
                return -1;
 
461
        }
 
462
 
 
463
        x509_certificate_chain_free(chain);
 
464
 
 
465
        *in_len = end - in_data;
 
466
 
 
467
        conn->state = CLIENT_KEY_EXCHANGE;
 
468
 
 
469
        return 0;
 
470
}
 
471
 
 
472
 
 
473
static int tls_process_client_key_exchange_rsa(
 
474
        struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 
475
{
 
476
        u8 *out;
 
477
        size_t outlen, outbuflen;
 
478
        u16 encr_len;
 
479
        int res;
 
480
        int use_random = 0;
 
481
 
 
482
        if (end - pos < 2) {
 
483
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
484
                                   TLS_ALERT_DECODE_ERROR);
 
485
                return -1;
 
486
        }
 
487
 
 
488
        encr_len = WPA_GET_BE16(pos);
 
489
        pos += 2;
 
490
 
 
491
        outbuflen = outlen = end - pos;
 
492
        out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
 
493
                        outlen : TLS_PRE_MASTER_SECRET_LEN);
 
494
        if (out == NULL) {
 
495
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
496
                                   TLS_ALERT_INTERNAL_ERROR);
 
497
                return -1;
 
498
        }
 
499
 
 
500
        /*
 
501
         * struct {
 
502
         *   ProtocolVersion client_version;
 
503
         *   opaque random[46];
 
504
         * } PreMasterSecret;
 
505
         *
 
506
         * struct {
 
507
         *   public-key-encrypted PreMasterSecret pre_master_secret;
 
508
         * } EncryptedPreMasterSecret;
 
509
         */
 
510
 
 
511
        /*
 
512
         * Note: To avoid Bleichenbacher attack, we do not report decryption or
 
513
         * parsing errors from EncryptedPreMasterSecret processing to the
 
514
         * client. Instead, a random pre-master secret is used to force the
 
515
         * handshake to fail.
 
516
         */
 
517
 
 
518
        if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
 
519
                                                 pos, end - pos,
 
520
                                                 out, &outlen) < 0) {
 
521
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
 
522
                           "PreMasterSecret (encr_len=%d outlen=%lu)",
 
523
                           end - pos, (unsigned long) outlen);
 
524
                use_random = 1;
 
525
        }
 
526
 
 
527
        if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
 
528
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
 
529
                           "length %lu", (unsigned long) outlen);
 
530
                use_random = 1;
 
531
        }
 
532
 
 
533
        if (WPA_GET_BE16(out) != conn->client_version) {
 
534
                wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
 
535
                           "ClientKeyExchange does not match with version in "
 
536
                           "ClientHello");
 
537
                use_random = 1;
 
538
        }
 
539
 
 
540
        if (use_random) {
 
541
                wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
 
542
                           "to avoid revealing information about private key");
 
543
                outlen = TLS_PRE_MASTER_SECRET_LEN;
 
544
                if (os_get_random(out, outlen)) {
 
545
                        wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
 
546
                                   "data");
 
547
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
548
                                           TLS_ALERT_INTERNAL_ERROR);
 
549
                        os_free(out);
 
550
                        return -1;
 
551
                }
 
552
        }
 
553
 
 
554
        res = tlsv1_server_derive_keys(conn, out, outlen);
 
555
 
 
556
        /* Clear the pre-master secret since it is not needed anymore */
 
557
        os_memset(out, 0, outbuflen);
 
558
        os_free(out);
 
559
 
 
560
        if (res) {
 
561
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 
562
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
563
                                   TLS_ALERT_INTERNAL_ERROR);
 
564
                return -1;
 
565
        }
 
566
 
 
567
        return 0;
 
568
}
 
569
 
 
570
 
 
571
static int tls_process_client_key_exchange_dh_anon(
 
572
        struct tlsv1_server *conn, const u8 *pos, const u8 *end)
 
573
{
 
574
#ifdef EAP_FAST
 
575
        const u8 *dh_yc;
 
576
        u16 dh_yc_len;
 
577
        u8 *shared;
 
578
        size_t shared_len;
 
579
        int res;
 
580
 
 
581
        /*
 
582
         * struct {
 
583
         *   select (PublicValueEncoding) {
 
584
         *     case implicit: struct { };
 
585
         *     case explicit: opaque dh_Yc<1..2^16-1>;
 
586
         *   } dh_public;
 
587
         * } ClientDiffieHellmanPublic;
 
588
         */
 
589
 
 
590
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
 
591
                    pos, end - pos);
 
592
 
 
593
        if (end == pos) {
 
594
                wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
 
595
                           "not supported");
 
596
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
597
                                   TLS_ALERT_INTERNAL_ERROR);
 
598
                return -1;
 
599
        }
 
600
 
 
601
        if (end - pos < 3) {
 
602
                wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
 
603
                           "length");
 
604
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
605
                                   TLS_ALERT_DECODE_ERROR);
 
606
                return -1;
 
607
        }
 
608
 
 
609
        dh_yc_len = WPA_GET_BE16(pos);
 
610
        dh_yc = pos + 2;
 
611
 
 
612
        if (dh_yc + dh_yc_len > end) {
 
613
                wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
 
614
                           "(length %d)", dh_yc_len);
 
615
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
616
                                   TLS_ALERT_DECODE_ERROR);
 
617
                return -1;
 
618
        }
 
619
 
 
620
        wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
 
621
                    dh_yc, dh_yc_len);
 
622
 
 
623
        if (conn->cred == NULL || conn->cred->dh_p == NULL ||
 
624
            conn->dh_secret == NULL) {
 
625
                wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
 
626
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
627
                                   TLS_ALERT_INTERNAL_ERROR);
 
628
                return -1;
 
629
        }
 
630
 
 
631
        shared_len = conn->cred->dh_p_len;
 
632
        shared = os_malloc(shared_len);
 
633
        if (shared == NULL) {
 
634
                wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
 
635
                           "DH");
 
636
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
637
                                   TLS_ALERT_INTERNAL_ERROR);
 
638
                return -1;
 
639
        }
 
640
 
 
641
        /* shared = Yc^secret mod p */
 
642
        if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
 
643
                           conn->dh_secret_len,
 
644
                           conn->cred->dh_p, conn->cred->dh_p_len,
 
645
                           shared, &shared_len)) {
 
646
                os_free(shared);
 
647
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
648
                                   TLS_ALERT_INTERNAL_ERROR);
 
649
                return -1;
 
650
        }
 
651
        wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
 
652
                        shared, shared_len);
 
653
 
 
654
        os_memset(conn->dh_secret, 0, conn->dh_secret_len);
 
655
        os_free(conn->dh_secret);
 
656
        conn->dh_secret = NULL;
 
657
 
 
658
        res = tlsv1_server_derive_keys(conn, shared, shared_len);
 
659
 
 
660
        /* Clear the pre-master secret since it is not needed anymore */
 
661
        os_memset(shared, 0, shared_len);
 
662
        os_free(shared);
 
663
 
 
664
        if (res) {
 
665
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
 
666
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
667
                                   TLS_ALERT_INTERNAL_ERROR);
 
668
                return -1;
 
669
        }
 
670
 
 
671
        return 0;
 
672
#else /* EAP_FAST */
 
673
        return -1;
 
674
#endif /* EAP_FAST */
 
675
}
 
676
 
 
677
 
 
678
static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
 
679
                                           const u8 *in_data, size_t *in_len)
 
680
{
 
681
        const u8 *pos, *end;
 
682
        size_t left, len;
 
683
        u8 type;
 
684
        tls_key_exchange keyx;
 
685
        const struct tls_cipher_suite *suite;
 
686
 
 
687
        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 
688
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 
689
                           "received content type 0x%x", ct);
 
690
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
691
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
692
                return -1;
 
693
        }
 
694
 
 
695
        pos = in_data;
 
696
        left = *in_len;
 
697
 
 
698
        if (left < 4) {
 
699
                wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
 
700
                           "(Left=%lu)", (unsigned long) left);
 
701
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
702
                                   TLS_ALERT_DECODE_ERROR);
 
703
                return -1;
 
704
        }
 
705
 
 
706
        type = *pos++;
 
707
        len = WPA_GET_BE24(pos);
 
708
        pos += 3;
 
709
        left -= 4;
 
710
 
 
711
        if (len > left) {
 
712
                wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
 
713
                           "length (len=%lu != left=%lu)",
 
714
                           (unsigned long) len, (unsigned long) left);
 
715
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
716
                                   TLS_ALERT_DECODE_ERROR);
 
717
                return -1;
 
718
        }
 
719
 
 
720
        end = pos + len;
 
721
 
 
722
        if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
 
723
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 
724
                           "message %d (expected ClientKeyExchange)", type);
 
725
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
726
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
727
                return -1;
 
728
        }
 
729
 
 
730
        wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");
 
731
 
 
732
        wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
 
733
 
 
734
        suite = tls_get_cipher_suite(conn->rl.cipher_suite);
 
735
        if (suite == NULL)
 
736
                keyx = TLS_KEY_X_NULL;
 
737
        else
 
738
                keyx = suite->key_exchange;
 
739
 
 
740
        if (keyx == TLS_KEY_X_DH_anon &&
 
741
            tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
 
742
                return -1;
 
743
 
 
744
        if (keyx != TLS_KEY_X_DH_anon &&
 
745
            tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
 
746
                return -1;
 
747
 
 
748
        *in_len = end - in_data;
 
749
 
 
750
        conn->state = CERTIFICATE_VERIFY;
 
751
 
 
752
        return 0;
 
753
}
 
754
 
 
755
 
 
756
static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
 
757
                                          const u8 *in_data, size_t *in_len)
 
758
{
 
759
        const u8 *pos, *end;
 
760
        size_t left, len;
 
761
        u8 type;
 
762
        size_t hlen, buflen;
 
763
        u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
 
764
        enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
 
765
        u16 slen;
 
766
 
 
767
        if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 
768
                if (conn->verify_peer) {
 
769
                        wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
 
770
                                   "CertificateVerify");
 
771
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
772
                                           TLS_ALERT_UNEXPECTED_MESSAGE);
 
773
                        return -1;
 
774
                }
 
775
 
 
776
                return tls_process_change_cipher_spec(conn, ct, in_data,
 
777
                                                      in_len);
 
778
        }
 
779
 
 
780
        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 
781
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
 
782
                           "received content type 0x%x", ct);
 
783
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
784
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
785
                return -1;
 
786
        }
 
787
 
 
788
        pos = in_data;
 
789
        left = *in_len;
 
790
 
 
791
        if (left < 4) {
 
792
                wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
 
793
                           "message (len=%lu)", (unsigned long) left);
 
794
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
795
                                   TLS_ALERT_DECODE_ERROR);
 
796
                return -1;
 
797
        }
 
798
 
 
799
        type = *pos++;
 
800
        len = WPA_GET_BE24(pos);
 
801
        pos += 3;
 
802
        left -= 4;
 
803
 
 
804
        if (len > left) {
 
805
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
 
806
                           "message length (len=%lu != left=%lu)",
 
807
                           (unsigned long) len, (unsigned long) left);
 
808
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
809
                                   TLS_ALERT_DECODE_ERROR);
 
810
                return -1;
 
811
        }
 
812
 
 
813
        end = pos + len;
 
814
 
 
815
        if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
 
816
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
 
817
                           "message %d (expected CertificateVerify)", type);
 
818
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
819
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
820
                return -1;
 
821
        }
 
822
 
 
823
        wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");
 
824
 
 
825
        /*
 
826
         * struct {
 
827
         *   Signature signature;
 
828
         * } CertificateVerify;
 
829
         */
 
830
 
 
831
        hpos = hash;
 
832
 
 
833
        if (alg == SIGN_ALG_RSA) {
 
834
                hlen = MD5_MAC_LEN;
 
835
                if (conn->verify.md5_cert == NULL ||
 
836
                    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
 
837
                {
 
838
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
839
                                           TLS_ALERT_INTERNAL_ERROR);
 
840
                        conn->verify.md5_cert = NULL;
 
841
                        crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
 
842
                        conn->verify.sha1_cert = NULL;
 
843
                        return -1;
 
844
                }
 
845
                hpos += MD5_MAC_LEN;
 
846
        } else
 
847
                crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
 
848
 
 
849
        conn->verify.md5_cert = NULL;
 
850
        hlen = SHA1_MAC_LEN;
 
851
        if (conn->verify.sha1_cert == NULL ||
 
852
            crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
 
853
                conn->verify.sha1_cert = NULL;
 
854
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
855
                                   TLS_ALERT_INTERNAL_ERROR);
 
856
                return -1;
 
857
        }
 
858
        conn->verify.sha1_cert = NULL;
 
859
 
 
860
        if (alg == SIGN_ALG_RSA)
 
861
                hlen += MD5_MAC_LEN;
 
862
 
 
863
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
 
864
 
 
865
        if (end - pos < 2) {
 
866
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
867
                                   TLS_ALERT_DECODE_ERROR);
 
868
                return -1;
 
869
        }
 
870
        slen = WPA_GET_BE16(pos);
 
871
        pos += 2;
 
872
        if (end - pos < slen) {
 
873
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
874
                                   TLS_ALERT_DECODE_ERROR);
 
875
                return -1;
 
876
        }
 
877
 
 
878
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
 
879
        if (conn->client_rsa_key == NULL) {
 
880
                wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
 
881
                           "signature");
 
882
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
883
                                   TLS_ALERT_INTERNAL_ERROR);
 
884
                return -1;
 
885
        }
 
886
 
 
887
        buflen = end - pos;
 
888
        buf = os_malloc(end - pos);
 
889
        if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
 
890
                                            pos, end - pos, buf, &buflen) < 0)
 
891
        {
 
892
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
 
893
                os_free(buf);
 
894
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
895
                                   TLS_ALERT_DECRYPT_ERROR);
 
896
                return -1;
 
897
        }
 
898
 
 
899
        wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
 
900
                        buf, buflen);
 
901
 
 
902
        if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
 
903
                wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
 
904
                           "CertificateVerify - did not match with calculated "
 
905
                           "hash");
 
906
                os_free(buf);
 
907
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
908
                                   TLS_ALERT_DECRYPT_ERROR);
 
909
                return -1;
 
910
        }
 
911
 
 
912
        os_free(buf);
 
913
 
 
914
        *in_len = end - in_data;
 
915
 
 
916
        conn->state = CHANGE_CIPHER_SPEC;
 
917
 
 
918
        return 0;
 
919
}
 
920
 
 
921
 
 
922
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
 
923
                                          u8 ct, const u8 *in_data,
 
924
                                          size_t *in_len)
 
925
{
 
926
        const u8 *pos;
 
927
        size_t left;
 
928
 
 
929
        if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
 
930
                wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 
931
                           "received content type 0x%x", ct);
 
932
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
933
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
934
                return -1;
 
935
        }
 
936
 
 
937
        pos = in_data;
 
938
        left = *in_len;
 
939
 
 
940
        if (left < 1) {
 
941
                wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
 
942
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
943
                                   TLS_ALERT_DECODE_ERROR);
 
944
                return -1;
 
945
        }
 
946
 
 
947
        if (*pos != TLS_CHANGE_CIPHER_SPEC) {
 
948
                wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
 
949
                           "received data 0x%x", *pos);
 
950
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
951
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
952
                return -1;
 
953
        }
 
954
 
 
955
        wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
 
956
        if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
 
957
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
 
958
                           "for record layer");
 
959
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
960
                                   TLS_ALERT_INTERNAL_ERROR);
 
961
                return -1;
 
962
        }
 
963
 
 
964
        *in_len = pos + 1 - in_data;
 
965
 
 
966
        conn->state = CLIENT_FINISHED;
 
967
 
 
968
        return 0;
 
969
}
 
970
 
 
971
 
 
972
static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 
973
                                       const u8 *in_data, size_t *in_len)
 
974
{
 
975
        const u8 *pos, *end;
 
976
        size_t left, len, hlen;
 
977
        u8 verify_data[TLS_VERIFY_DATA_LEN];
 
978
        u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
 
979
 
 
980
        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
 
981
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
 
982
                           "received content type 0x%x", ct);
 
983
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
984
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
985
                return -1;
 
986
        }
 
987
 
 
988
        pos = in_data;
 
989
        left = *in_len;
 
990
 
 
991
        if (left < 4) {
 
992
                wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
 
993
                           "Finished",
 
994
                           (unsigned long) left);
 
995
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
996
                                   TLS_ALERT_DECODE_ERROR);
 
997
                return -1;
 
998
        }
 
999
 
 
1000
        if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
 
1001
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
 
1002
                           "type 0x%x", pos[0]);
 
1003
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1004
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
 
1005
                return -1;
 
1006
        }
 
1007
 
 
1008
        len = WPA_GET_BE24(pos + 1);
 
1009
 
 
1010
        pos += 4;
 
1011
        left -= 4;
 
1012
 
 
1013
        if (len > left) {
 
1014
                wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
 
1015
                           "(len=%lu > left=%lu)",
 
1016
                           (unsigned long) len, (unsigned long) left);
 
1017
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1018
                                   TLS_ALERT_DECODE_ERROR);
 
1019
                return -1;
 
1020
        }
 
1021
        end = pos + len;
 
1022
        if (len != TLS_VERIFY_DATA_LEN) {
 
1023
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
 
1024
                           "in Finished: %lu (expected %d)",
 
1025
                           (unsigned long) len, TLS_VERIFY_DATA_LEN);
 
1026
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1027
                                   TLS_ALERT_DECODE_ERROR);
 
1028
                return -1;
 
1029
        }
 
1030
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
 
1031
                    pos, TLS_VERIFY_DATA_LEN);
 
1032
 
 
1033
        hlen = MD5_MAC_LEN;
 
1034
        if (conn->verify.md5_client == NULL ||
 
1035
            crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
 
1036
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1037
                                   TLS_ALERT_INTERNAL_ERROR);
 
1038
                conn->verify.md5_client = NULL;
 
1039
                crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
 
1040
                conn->verify.sha1_client = NULL;
 
1041
                return -1;
 
1042
        }
 
1043
        conn->verify.md5_client = NULL;
 
1044
        hlen = SHA1_MAC_LEN;
 
1045
        if (conn->verify.sha1_client == NULL ||
 
1046
            crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
 
1047
                               &hlen) < 0) {
 
1048
                conn->verify.sha1_client = NULL;
 
1049
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1050
                                   TLS_ALERT_INTERNAL_ERROR);
 
1051
                return -1;
 
1052
        }
 
1053
        conn->verify.sha1_client = NULL;
 
1054
 
 
1055
        if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
 
1056
                    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
 
1057
                    verify_data, TLS_VERIFY_DATA_LEN)) {
 
1058
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
 
1059
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1060
                                   TLS_ALERT_DECRYPT_ERROR);
 
1061
                return -1;
 
1062
        }
 
1063
        wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
 
1064
                        verify_data, TLS_VERIFY_DATA_LEN);
 
1065
 
 
1066
        if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
 
1067
                wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
 
1068
                return -1;
 
1069
        }
 
1070
 
 
1071
        wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
 
1072
 
 
1073
        *in_len = end - in_data;
 
1074
 
 
1075
        if (conn->use_session_ticket) {
 
1076
                /* Abbreviated handshake using session ticket; RFC 4507 */
 
1077
                wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
 
1078
                           "successfully");
 
1079
                conn->state = ESTABLISHED;
 
1080
        } else {
 
1081
                /* Full handshake */
 
1082
                conn->state = SERVER_CHANGE_CIPHER_SPEC;
 
1083
        }
 
1084
 
 
1085
        return 0;
 
1086
}
 
1087
 
 
1088
 
 
1089
int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
 
1090
                                   const u8 *buf, size_t *len)
 
1091
{
 
1092
        if (ct == TLS_CONTENT_TYPE_ALERT) {
 
1093
                if (*len < 2) {
 
1094
                        wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
 
1095
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
1096
                                           TLS_ALERT_DECODE_ERROR);
 
1097
                        return -1;
 
1098
                }
 
1099
                wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
 
1100
                           buf[0], buf[1]);
 
1101
                *len = 2;
 
1102
                conn->state = FAILED;
 
1103
                return -1;
 
1104
        }
 
1105
 
 
1106
        switch (conn->state) {
 
1107
        case CLIENT_HELLO:
 
1108
                if (tls_process_client_hello(conn, ct, buf, len))
 
1109
                        return -1;
 
1110
                break;
 
1111
        case CLIENT_CERTIFICATE:
 
1112
                if (tls_process_certificate(conn, ct, buf, len))
 
1113
                        return -1;
 
1114
                break;
 
1115
        case CLIENT_KEY_EXCHANGE:
 
1116
                if (tls_process_client_key_exchange(conn, ct, buf, len))
 
1117
                        return -1;
 
1118
                break;
 
1119
        case CERTIFICATE_VERIFY:
 
1120
                if (tls_process_certificate_verify(conn, ct, buf, len))
 
1121
                        return -1;
 
1122
                break;
 
1123
        case CHANGE_CIPHER_SPEC:
 
1124
                if (tls_process_change_cipher_spec(conn, ct, buf, len))
 
1125
                        return -1;
 
1126
                break;
 
1127
        case CLIENT_FINISHED:
 
1128
                if (tls_process_client_finished(conn, ct, buf, len))
 
1129
                        return -1;
 
1130
                break;
 
1131
        default:
 
1132
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
 
1133
                           "while processing received message",
 
1134
                           conn->state);
 
1135
                return -1;
 
1136
        }
 
1137
 
 
1138
        if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
 
1139
                tls_verify_hash_add(&conn->verify, buf, *len);
 
1140
 
 
1141
        return 0;
 
1142
}