1 /*
2  * TLS v1.0/v1.1/v1.2 server (RFC 2246, RFC 4346, RFC 5246)
3  * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "tlsv1_common.h"
15 #include "tlsv1_record.h"
16 #include "tlsv1_server.h"
17 #include "tlsv1_server_i.h"
18 
19 /* TODO:
20  * Support for a message fragmented across several records (RFC 2246, 6.2.1)
21  */
22 
23 
tlsv1_server_log(struct tlsv1_server * conn,const char * fmt,...)24 void tlsv1_server_log(struct tlsv1_server *conn, const char *fmt, ...)
25 {
26 	va_list ap;
27 	char *buf;
28 	int buflen;
29 
30 	va_start(ap, fmt);
31 	buflen = vsnprintf(NULL, 0, fmt, ap) + 1;
32 	va_end(ap);
33 
34 	buf = os_malloc(buflen);
35 	if (buf == NULL)
36 		return;
37 	va_start(ap, fmt);
38 	vsnprintf(buf, buflen, fmt, ap);
39 	va_end(ap);
40 
41 	wpa_printf(MSG_DEBUG, "TLSv1: %s", buf);
42 	if (conn->log_cb)
43 		conn->log_cb(conn->log_cb_ctx, buf);
44 
45 	os_free(buf);
46 }
47 
48 
tlsv1_server_alert(struct tlsv1_server * conn,u8 level,u8 description)49 void tlsv1_server_alert(struct tlsv1_server *conn, u8 level, u8 description)
50 {
51 	conn->alert_level = level;
52 	conn->alert_description = description;
53 }
54 
55 
tlsv1_server_derive_keys(struct tlsv1_server * conn,const u8 * pre_master_secret,size_t pre_master_secret_len)56 int tlsv1_server_derive_keys(struct tlsv1_server *conn,
57 			     const u8 *pre_master_secret,
58 			     size_t pre_master_secret_len)
59 {
60 	u8 seed[2 * TLS_RANDOM_LEN];
61 	u8 key_block[TLS_MAX_KEY_BLOCK_LEN];
62 	u8 *pos;
63 	size_t key_block_len;
64 
65 	if (pre_master_secret) {
66 		wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret",
67 				pre_master_secret, pre_master_secret_len);
68 		os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
69 		os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
70 			  TLS_RANDOM_LEN);
71 		if (tls_prf(conn->rl.tls_version,
72 			    pre_master_secret, pre_master_secret_len,
73 			    "master secret", seed, 2 * TLS_RANDOM_LEN,
74 			    conn->master_secret, TLS_MASTER_SECRET_LEN)) {
75 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
76 				   "master_secret");
77 			return -1;
78 		}
79 		wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret",
80 				conn->master_secret, TLS_MASTER_SECRET_LEN);
81 	}
82 
83 	os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
84 	os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
85 	key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
86 			     conn->rl.iv_size);
87 	if (tls_prf(conn->rl.tls_version,
88 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
89 		    "key expansion", seed, 2 * TLS_RANDOM_LEN,
90 		    key_block, key_block_len)) {
91 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
92 		return -1;
93 	}
94 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block",
95 			key_block, key_block_len);
96 
97 	pos = key_block;
98 
99 	/* client_write_MAC_secret */
100 	os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size);
101 	pos += conn->rl.hash_size;
102 	/* server_write_MAC_secret */
103 	os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size);
104 	pos += conn->rl.hash_size;
105 
106 	/* client_write_key */
107 	os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len);
108 	pos += conn->rl.key_material_len;
109 	/* server_write_key */
110 	os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len);
111 	pos += conn->rl.key_material_len;
112 
113 	/* client_write_IV */
114 	os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size);
115 	pos += conn->rl.iv_size;
116 	/* server_write_IV */
117 	os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size);
118 	pos += conn->rl.iv_size;
119 
120 	return 0;
121 }
122 
123 
124 /**
125  * tlsv1_server_handshake - Process TLS handshake
126  * @conn: TLSv1 server connection data from tlsv1_server_init()
127  * @in_data: Input data from TLS peer
128  * @in_len: Input data length
129  * @out_len: Length of the output buffer.
130  * Returns: Pointer to output data, %NULL on failure
131  */
tlsv1_server_handshake(struct tlsv1_server * conn,const u8 * in_data,size_t in_len,size_t * out_len)132 u8 * tlsv1_server_handshake(struct tlsv1_server *conn,
133 			    const u8 *in_data, size_t in_len,
134 			    size_t *out_len)
135 {
136 	const u8 *pos, *end;
137 	u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct;
138 	size_t in_msg_len;
139 	int used;
140 
141 	if (in_data == NULL || in_len == 0) {
142 		wpa_printf(MSG_DEBUG, "TLSv1: No input data to server");
143 		return NULL;
144 	}
145 
146 	pos = in_data;
147 	end = in_data + in_len;
148 	in_msg = os_malloc(in_len);
149 	if (in_msg == NULL)
150 		return NULL;
151 
152 	/* Each received packet may include multiple records */
153 	while (pos < end) {
154 		in_msg_len = in_len;
155 		used = tlsv1_record_receive(&conn->rl, pos, end - pos,
156 					    in_msg, &in_msg_len, &alert);
157 		if (used < 0) {
158 			wpa_printf(MSG_DEBUG, "TLSv1: Processing received "
159 				   "record failed");
160 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
161 			goto failed;
162 		}
163 		if (used == 0) {
164 			/* need more data */
165 			wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
166 				   "yet supported");
167 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
168 					   TLS_ALERT_INTERNAL_ERROR);
169 			goto failed;
170 		}
171 		ct = pos[0];
172 
173 		in_pos = in_msg;
174 		in_end = in_msg + in_msg_len;
175 
176 		/* Each received record may include multiple messages of the
177 		 * same ContentType. */
178 		while (in_pos < in_end) {
179 			in_msg_len = in_end - in_pos;
180 			if (tlsv1_server_process_handshake(conn, ct, in_pos,
181 							   &in_msg_len) < 0)
182 				goto failed;
183 			in_pos += in_msg_len;
184 		}
185 
186 		pos += used;
187 	}
188 
189 	os_free(in_msg);
190 	in_msg = NULL;
191 
192 	msg = tlsv1_server_handshake_write(conn, out_len);
193 
194 failed:
195 	os_free(in_msg);
196 	if (conn->alert_level) {
197 		if (conn->state == FAILED) {
198 			/* Avoid alert loops */
199 			wpa_printf(MSG_DEBUG, "TLSv1: Drop alert loop");
200 			os_free(msg);
201 			return NULL;
202 		}
203 		conn->state = FAILED;
204 		os_free(msg);
205 		msg = tlsv1_server_send_alert(conn, conn->alert_level,
206 					      conn->alert_description,
207 					      out_len);
208 		conn->write_alerts++;
209 	}
210 
211 	return msg;
212 }
213 
214 
215 /**
216  * tlsv1_server_encrypt - Encrypt data into TLS tunnel
217  * @conn: TLSv1 server connection data from tlsv1_server_init()
218  * @in_data: Pointer to plaintext data to be encrypted
219  * @in_len: Input buffer length
220  * @out_data: Pointer to output buffer (encrypted TLS data)
221  * @out_len: Maximum out_data length
222  * Returns: Number of bytes written to out_data, -1 on failure
223  *
224  * This function is used after TLS handshake has been completed successfully to
225  * send data in the encrypted tunnel.
226  */
tlsv1_server_encrypt(struct tlsv1_server * conn,const u8 * in_data,size_t in_len,u8 * out_data,size_t out_len)227 int tlsv1_server_encrypt(struct tlsv1_server *conn,
228 			 const u8 *in_data, size_t in_len,
229 			 u8 *out_data, size_t out_len)
230 {
231 	size_t rlen;
232 
233 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData",
234 			in_data, in_len);
235 
236 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA,
237 			      out_data, out_len, in_data, in_len, &rlen) < 0) {
238 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
239 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
240 				   TLS_ALERT_INTERNAL_ERROR);
241 		return -1;
242 	}
243 
244 	return rlen;
245 }
246 
247 
248 /**
249  * tlsv1_server_decrypt - Decrypt data from TLS tunnel
250  * @conn: TLSv1 server connection data from tlsv1_server_init()
251  * @in_data: Pointer to input buffer (encrypted TLS data)
252  * @in_len: Input buffer length
253  * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
254  * @out_len: Maximum out_data length
255  * Returns: Number of bytes written to out_data, -1 on failure
256  *
257  * This function is used after TLS handshake has been completed successfully to
258  * receive data from the encrypted tunnel.
259  */
tlsv1_server_decrypt(struct tlsv1_server * conn,const u8 * in_data,size_t in_len,u8 * out_data,size_t out_len)260 int tlsv1_server_decrypt(struct tlsv1_server *conn,
261 			 const u8 *in_data, size_t in_len,
262 			 u8 *out_data, size_t out_len)
263 {
264 	const u8 *in_end, *pos;
265 	int used;
266 	u8 alert, *out_end, *out_pos, ct;
267 	size_t olen;
268 
269 	pos = in_data;
270 	in_end = in_data + in_len;
271 	out_pos = out_data;
272 	out_end = out_data + out_len;
273 
274 	while (pos < in_end) {
275 		ct = pos[0];
276 		olen = out_end - out_pos;
277 		used = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
278 					    out_pos, &olen, &alert);
279 		if (used < 0) {
280 			tlsv1_server_log(conn, "Record layer processing failed");
281 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
282 			return -1;
283 		}
284 		if (used == 0) {
285 			/* need more data */
286 			wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
287 				   "yet supported");
288 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
289 			return -1;
290 		}
291 
292 		if (ct == TLS_CONTENT_TYPE_ALERT) {
293 			if (olen < 2) {
294 				tlsv1_server_log(conn, "Alert underflow");
295 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
296 						   TLS_ALERT_DECODE_ERROR);
297 				return -1;
298 			}
299 			tlsv1_server_log(conn, "Received alert %d:%d",
300 					 out_pos[0], out_pos[1]);
301 			conn->read_alerts++;
302 			if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) {
303 				/* Continue processing */
304 				pos += used;
305 				continue;
306 			}
307 
308 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
309 					   out_pos[1]);
310 			return -1;
311 		}
312 
313 		if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
314 			tlsv1_server_log(conn, "Unexpected content type 0x%x",
315 					 pos[0]);
316 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
317 					   TLS_ALERT_UNEXPECTED_MESSAGE);
318 			return -1;
319 		}
320 
321 #ifdef CONFIG_TESTING_OPTIONS
322 		if ((conn->test_flags &
323 		     (TLS_BREAK_VERIFY_DATA | TLS_BREAK_SRV_KEY_X_HASH |
324 		      TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
325 		    !conn->test_failure_reported) {
326 			tlsv1_server_log(conn, "TEST-FAILURE: Client ApplData received after invalid handshake");
327 			conn->test_failure_reported = 1;
328 		}
329 #endif /* CONFIG_TESTING_OPTIONS */
330 
331 		out_pos += olen;
332 		if (out_pos > out_end) {
333 			wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
334 				   "for processing the received record");
335 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
336 					   TLS_ALERT_INTERNAL_ERROR);
337 			return -1;
338 		}
339 
340 		pos += used;
341 	}
342 
343 	return out_pos - out_data;
344 }
345 
346 
347 /**
348  * tlsv1_server_global_init - Initialize TLSv1 server
349  * Returns: 0 on success, -1 on failure
350  *
351  * This function must be called before using any other TLSv1 server functions.
352  */
tlsv1_server_global_init(void)353 int tlsv1_server_global_init(void)
354 {
355 	return crypto_global_init();
356 }
357 
358 
359 /**
360  * tlsv1_server_global_deinit - Deinitialize TLSv1 server
361  *
362  * This function can be used to deinitialize the TLSv1 server that was
363  * initialized by calling tlsv1_server_global_init(). No TLSv1 server functions
364  * can be called after this before calling tlsv1_server_global_init() again.
365  */
tlsv1_server_global_deinit(void)366 void tlsv1_server_global_deinit(void)
367 {
368 	crypto_global_deinit();
369 }
370 
371 
372 /**
373  * tlsv1_server_init - Initialize TLSv1 server connection
374  * @cred: Pointer to server credentials from tlsv1_server_cred_alloc()
375  * Returns: Pointer to TLSv1 server connection data or %NULL on failure
376  */
tlsv1_server_init(struct tlsv1_credentials * cred)377 struct tlsv1_server * tlsv1_server_init(struct tlsv1_credentials *cred)
378 {
379 	struct tlsv1_server *conn;
380 	size_t count;
381 	u16 *suites;
382 
383 	conn = os_zalloc(sizeof(*conn));
384 	if (conn == NULL)
385 		return NULL;
386 
387 	conn->cred = cred;
388 
389 	conn->state = CLIENT_HELLO;
390 
391 	if (tls_verify_hash_init(&conn->verify) < 0) {
392 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify "
393 			   "hash");
394 		os_free(conn);
395 		return NULL;
396 	}
397 
398 	count = 0;
399 	suites = conn->cipher_suites;
400 	suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
401 	suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
402 	suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
403 	suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
404 	suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
405 	suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
406 	suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
407 	suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
408 	suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
409 	suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
410 	suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
411 	suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
412 	conn->num_cipher_suites = count;
413 
414 	return conn;
415 }
416 
417 
tlsv1_server_clear_data(struct tlsv1_server * conn)418 static void tlsv1_server_clear_data(struct tlsv1_server *conn)
419 {
420 	tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL);
421 	tlsv1_record_change_write_cipher(&conn->rl);
422 	tlsv1_record_change_read_cipher(&conn->rl);
423 	tls_verify_hash_free(&conn->verify);
424 
425 	crypto_public_key_free(conn->client_rsa_key);
426 	conn->client_rsa_key = NULL;
427 
428 	os_free(conn->session_ticket);
429 	conn->session_ticket = NULL;
430 	conn->session_ticket_len = 0;
431 	conn->use_session_ticket = 0;
432 
433 	os_free(conn->dh_secret);
434 	conn->dh_secret = NULL;
435 	conn->dh_secret_len = 0;
436 }
437 
438 
439 /**
440  * tlsv1_server_deinit - Deinitialize TLSv1 server connection
441  * @conn: TLSv1 server connection data from tlsv1_server_init()
442  */
tlsv1_server_deinit(struct tlsv1_server * conn)443 void tlsv1_server_deinit(struct tlsv1_server *conn)
444 {
445 	tlsv1_server_clear_data(conn);
446 	os_free(conn);
447 }
448 
449 
450 /**
451  * tlsv1_server_established - Check whether connection has been established
452  * @conn: TLSv1 server connection data from tlsv1_server_init()
453  * Returns: 1 if connection is established, 0 if not
454  */
tlsv1_server_established(struct tlsv1_server * conn)455 int tlsv1_server_established(struct tlsv1_server *conn)
456 {
457 	return conn->state == ESTABLISHED;
458 }
459 
460 
461 /**
462  * tlsv1_server_prf - Use TLS-PRF to derive keying material
463  * @conn: TLSv1 server connection data from tlsv1_server_init()
464  * @label: Label (e.g., description of the key) for PRF
465  * @context: Optional extra upper-layer context (max len 2^16)
466  * @context_len: The length of the context value
467  * @server_random_first: seed is 0 = client_random|server_random,
468  * 1 = server_random|client_random
469  * @out: Buffer for output data from TLS-PRF
470  * @out_len: Length of the output buffer
471  * Returns: 0 on success, -1 on failure
472  */
tlsv1_server_prf(struct tlsv1_server * conn,const char * label,const u8 * context,size_t context_len,int server_random_first,u8 * out,size_t out_len)473 int tlsv1_server_prf(struct tlsv1_server *conn, const char *label,
474 		     const u8 *context, size_t context_len,
475 		     int server_random_first, u8 *out, size_t out_len)
476 {
477 	u8 *seed, *pos;
478 	size_t seed_len = 2 * TLS_RANDOM_LEN;
479 	int res;
480 
481 	if (conn->state != ESTABLISHED)
482 		return -1;
483 
484 	if (context_len > 65535)
485 		return -1;
486 
487 	if (context)
488 		seed_len += 2 + context_len;
489 
490 	seed = os_malloc(seed_len);
491 	if (!seed)
492 		return -1;
493 
494 	if (server_random_first) {
495 		os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
496 		os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random,
497 			  TLS_RANDOM_LEN);
498 	} else {
499 		os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
500 		os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
501 			  TLS_RANDOM_LEN);
502 	}
503 
504 	if (context) {
505 		pos = seed + 2 * TLS_RANDOM_LEN;
506 		WPA_PUT_BE16(pos, context_len);
507 		pos += 2;
508 		os_memcpy(pos, context, context_len);
509 	}
510 
511 	res = tls_prf(conn->rl.tls_version,
512 		      conn->master_secret, TLS_MASTER_SECRET_LEN,
513 		      label, seed, seed_len, out, out_len);
514 	os_free(seed);
515 	return res;
516 }
517 
518 
519 /**
520  * tlsv1_server_get_cipher - Get current cipher name
521  * @conn: TLSv1 server connection data from tlsv1_server_init()
522  * @buf: Buffer for the cipher name
523  * @buflen: buf size
524  * Returns: 0 on success, -1 on failure
525  *
526  * Get the name of the currently used cipher.
527  */
tlsv1_server_get_cipher(struct tlsv1_server * conn,char * buf,size_t buflen)528 int tlsv1_server_get_cipher(struct tlsv1_server *conn, char *buf,
529 			    size_t buflen)
530 {
531 	char *cipher;
532 
533 	switch (conn->rl.cipher_suite) {
534 	case TLS_RSA_WITH_RC4_128_MD5:
535 		cipher = "RC4-MD5";
536 		break;
537 	case TLS_RSA_WITH_RC4_128_SHA:
538 		cipher = "RC4-SHA";
539 		break;
540 	case TLS_RSA_WITH_DES_CBC_SHA:
541 		cipher = "DES-CBC-SHA";
542 		break;
543 	case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
544 		cipher = "DES-CBC3-SHA";
545 		break;
546 	case TLS_DHE_RSA_WITH_DES_CBC_SHA:
547 		cipher = "DHE-RSA-DES-CBC-SHA";
548 		break;
549 	case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
550 		cipher = "DHE-RSA-DES-CBC3-SHA";
551 		break;
552 	case TLS_DH_anon_WITH_RC4_128_MD5:
553 		cipher = "ADH-RC4-MD5";
554 		break;
555 	case TLS_DH_anon_WITH_DES_CBC_SHA:
556 		cipher = "ADH-DES-SHA";
557 		break;
558 	case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
559 		cipher = "ADH-DES-CBC3-SHA";
560 		break;
561 	case TLS_RSA_WITH_AES_128_CBC_SHA:
562 		cipher = "AES-128-SHA";
563 		break;
564 	case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
565 		cipher = "DHE-RSA-AES-128-SHA";
566 		break;
567 	case TLS_DH_anon_WITH_AES_128_CBC_SHA:
568 		cipher = "ADH-AES-128-SHA";
569 		break;
570 	case TLS_RSA_WITH_AES_256_CBC_SHA:
571 		cipher = "AES-256-SHA";
572 		break;
573 	case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
574 		cipher = "DHE-RSA-AES-256-SHA";
575 		break;
576 	case TLS_DH_anon_WITH_AES_256_CBC_SHA:
577 		cipher = "ADH-AES-256-SHA";
578 		break;
579 	case TLS_RSA_WITH_AES_128_CBC_SHA256:
580 		cipher = "AES-128-SHA256";
581 		break;
582 	case TLS_RSA_WITH_AES_256_CBC_SHA256:
583 		cipher = "AES-256-SHA256";
584 		break;
585 	case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
586 		cipher = "DHE-RSA-AES-128-SHA256";
587 		break;
588 	case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
589 		cipher = "DHE-RSA-AES-256-SHA256";
590 		break;
591 	case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
592 		cipher = "ADH-AES-128-SHA256";
593 		break;
594 	case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
595 		cipher = "ADH-AES-256-SHA256";
596 		break;
597 	default:
598 		return -1;
599 	}
600 
601 	if (os_strlcpy(buf, cipher, buflen) >= buflen)
602 		return -1;
603 	return 0;
604 }
605 
606 
607 /**
608  * tlsv1_server_shutdown - Shutdown TLS connection
609  * @conn: TLSv1 server connection data from tlsv1_server_init()
610  * Returns: 0 on success, -1 on failure
611  */
tlsv1_server_shutdown(struct tlsv1_server * conn)612 int tlsv1_server_shutdown(struct tlsv1_server *conn)
613 {
614 	conn->state = CLIENT_HELLO;
615 
616 	if (tls_verify_hash_init(&conn->verify) < 0) {
617 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify "
618 			   "hash");
619 		return -1;
620 	}
621 
622 	tlsv1_server_clear_data(conn);
623 
624 	return 0;
625 }
626 
627 
628 /**
629  * tlsv1_server_resumed - Was session resumption used
630  * @conn: TLSv1 server connection data from tlsv1_server_init()
631  * Returns: 1 if current session used session resumption, 0 if not
632  */
tlsv1_server_resumed(struct tlsv1_server * conn)633 int tlsv1_server_resumed(struct tlsv1_server *conn)
634 {
635 	return 0;
636 }
637 
638 
639 /**
640  * tlsv1_server_get_random - Get random data from TLS connection
641  * @conn: TLSv1 server connection data from tlsv1_server_init()
642  * @keys: Structure of random data (filled on success)
643  * Returns: 0 on success, -1 on failure
644  */
tlsv1_server_get_random(struct tlsv1_server * conn,struct tls_random * keys)645 int tlsv1_server_get_random(struct tlsv1_server *conn, struct tls_random *keys)
646 {
647 	os_memset(keys, 0, sizeof(*keys));
648 	if (conn->state == CLIENT_HELLO)
649 		return -1;
650 
651 	keys->client_random = conn->client_random;
652 	keys->client_random_len = TLS_RANDOM_LEN;
653 
654 	if (conn->state != SERVER_HELLO) {
655 		keys->server_random = conn->server_random;
656 		keys->server_random_len = TLS_RANDOM_LEN;
657 	}
658 
659 	return 0;
660 }
661 
662 
663 /**
664  * tlsv1_server_get_keyblock_size - Get TLS key_block size
665  * @conn: TLSv1 server connection data from tlsv1_server_init()
666  * Returns: Size of the key_block for the negotiated cipher suite or -1 on
667  * failure
668  */
tlsv1_server_get_keyblock_size(struct tlsv1_server * conn)669 int tlsv1_server_get_keyblock_size(struct tlsv1_server *conn)
670 {
671 	if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO)
672 		return -1;
673 
674 	return 2 * (conn->rl.hash_size + conn->rl.key_material_len +
675 		    conn->rl.iv_size);
676 }
677 
678 
679 /**
680  * tlsv1_server_set_cipher_list - Configure acceptable cipher suites
681  * @conn: TLSv1 server connection data from tlsv1_server_init()
682  * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
683  * (TLS_CIPHER_*).
684  * Returns: 0 on success, -1 on failure
685  */
tlsv1_server_set_cipher_list(struct tlsv1_server * conn,u8 * ciphers)686 int tlsv1_server_set_cipher_list(struct tlsv1_server *conn, u8 *ciphers)
687 {
688 	size_t count;
689 	u16 *suites;
690 
691 	/* TODO: implement proper configuration of cipher suites */
692 	if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) {
693 		count = 0;
694 		suites = conn->cipher_suites;
695 		suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
696 		suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
697 		suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
698 		suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
699 		suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
700 		suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
701 		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
702 		suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
703 		suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
704 		suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
705 		conn->num_cipher_suites = count;
706 	}
707 
708 	return 0;
709 }
710 
711 
tlsv1_server_set_verify(struct tlsv1_server * conn,int verify_peer)712 int tlsv1_server_set_verify(struct tlsv1_server *conn, int verify_peer)
713 {
714 	conn->verify_peer = verify_peer;
715 	return 0;
716 }
717 
718 
tlsv1_server_set_session_ticket_cb(struct tlsv1_server * conn,tlsv1_server_session_ticket_cb cb,void * ctx)719 void tlsv1_server_set_session_ticket_cb(struct tlsv1_server *conn,
720 					tlsv1_server_session_ticket_cb cb,
721 					void *ctx)
722 {
723 	wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)",
724 		   cb, ctx);
725 	conn->session_ticket_cb = cb;
726 	conn->session_ticket_cb_ctx = ctx;
727 }
728 
729 
tlsv1_server_set_log_cb(struct tlsv1_server * conn,void (* cb)(void * ctx,const char * msg),void * ctx)730 void tlsv1_server_set_log_cb(struct tlsv1_server *conn,
731 			     void (*cb)(void *ctx, const char *msg), void *ctx)
732 {
733 	conn->log_cb = cb;
734 	conn->log_cb_ctx = ctx;
735 }
736 
737 
tlsv1_server_get_failed(struct tlsv1_server * conn)738 int tlsv1_server_get_failed(struct tlsv1_server *conn)
739 {
740 	return conn->state == FAILED;
741 }
742 
743 
tlsv1_server_get_read_alerts(struct tlsv1_server * conn)744 int tlsv1_server_get_read_alerts(struct tlsv1_server *conn)
745 {
746 	return conn->read_alerts;
747 }
748 
749 
tlsv1_server_get_write_alerts(struct tlsv1_server * conn)750 int tlsv1_server_get_write_alerts(struct tlsv1_server *conn)
751 {
752 	return conn->write_alerts;
753 }
754 
755 
756 #ifdef CONFIG_TESTING_OPTIONS
tlsv1_server_set_test_flags(struct tlsv1_server * conn,u32 flags)757 void tlsv1_server_set_test_flags(struct tlsv1_server *conn, u32 flags)
758 {
759 	conn->test_flags = flags;
760 }
761 
762 
763 static const u8 test_tls_prime15[1] = {
764 	15
765 };
766 
767 static const u8 test_tls_prime511b[64] = {
768 	0x50, 0xfb, 0xf1, 0xae, 0x01, 0xf1, 0xfe, 0xe6,
769 	0xe1, 0xae, 0xdc, 0x1e, 0xbe, 0xfb, 0x9e, 0x58,
770 	0x9a, 0xd7, 0x54, 0x9d, 0x6b, 0xb3, 0x78, 0xe2,
771 	0x39, 0x7f, 0x30, 0x01, 0x25, 0xa1, 0xf9, 0x7c,
772 	0x55, 0x0e, 0xa1, 0x15, 0xcc, 0x36, 0x34, 0xbb,
773 	0x6c, 0x8b, 0x64, 0x45, 0x15, 0x7f, 0xd3, 0xe7,
774 	0x31, 0xc8, 0x8e, 0x56, 0x8e, 0x95, 0xdc, 0xea,
775 	0x9e, 0xdf, 0xf7, 0x56, 0xdd, 0xb0, 0x34, 0xdb
776 };
777 
778 static const u8 test_tls_prime767b[96] = {
779 	0x4c, 0xdc, 0xb8, 0x21, 0x20, 0x9d, 0xe8, 0xa3,
780 	0x53, 0xd9, 0x1c, 0x18, 0xc1, 0x3a, 0x58, 0x67,
781 	0xa7, 0x85, 0xf9, 0x28, 0x9b, 0xce, 0xc0, 0xd1,
782 	0x05, 0x84, 0x61, 0x97, 0xb2, 0x86, 0x1c, 0xd0,
783 	0xd1, 0x96, 0x23, 0x29, 0x8c, 0xc5, 0x30, 0x68,
784 	0x3e, 0xf9, 0x05, 0xba, 0x60, 0xeb, 0xdb, 0xee,
785 	0x2d, 0xdf, 0x84, 0x65, 0x49, 0x87, 0x90, 0x2a,
786 	0xc9, 0x8e, 0x34, 0x63, 0x6d, 0x9a, 0x2d, 0x32,
787 	0x1c, 0x46, 0xd5, 0x4e, 0x20, 0x20, 0x90, 0xac,
788 	0xd5, 0x48, 0x79, 0x99, 0x0c, 0xe6, 0xed, 0xbf,
789 	0x79, 0xc2, 0x47, 0x50, 0x95, 0x38, 0x38, 0xbc,
790 	0xde, 0xb0, 0xd2, 0xe8, 0x97, 0xcb, 0x22, 0xbb
791 };
792 
793 static const u8 test_tls_prime58[128] = {
794 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
795 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
796 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
797 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
798 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
799 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
800 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
801 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
802 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
803 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
804 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
805 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
806 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
807 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
808 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
809 	0x03, 0xc1, 0xba, 0xc8, 0x25, 0xbe, 0x2d, 0xf3
810 };
811 
812 static const u8 test_tls_non_prime[] = {
813 	/*
814 	 * This is not a prime and the value has the following factors:
815 	 * 13736783488716579923 * 16254860191773456563 * 18229434976173670763 *
816 	 * 11112313018289079419 * 10260802278580253339 * 12394009491575311499 *
817 	 * 12419059668711064739 * 14317973192687985827 * 10498605410533203179 *
818 	 * 16338688760390249003 * 11128963991123878883 * 12990532258280301419 *
819 	 * 3
820 	 */
821 	0x0C, 0x8C, 0x36, 0x9C, 0x6F, 0x71, 0x2E, 0xA7,
822 	0xAB, 0x32, 0xD3, 0x0F, 0x68, 0x3D, 0xB2, 0x6D,
823 	0x81, 0xDD, 0xC4, 0x84, 0x0D, 0x9C, 0x6E, 0x36,
824 	0x29, 0x70, 0xF3, 0x1E, 0x9A, 0x42, 0x0B, 0x67,
825 	0x82, 0x6B, 0xB1, 0xF2, 0xAF, 0x55, 0x28, 0xE7,
826 	0xDB, 0x67, 0x6C, 0xF7, 0x6B, 0xAC, 0xAC, 0xE5,
827 	0xF7, 0x9F, 0xD4, 0x63, 0x55, 0x70, 0x32, 0x7C,
828 	0x70, 0xFB, 0xAF, 0xB8, 0xEB, 0x37, 0xCF, 0x3F,
829 	0xFE, 0x94, 0x73, 0xF9, 0x7A, 0xC7, 0x12, 0x2E,
830 	0x9B, 0xB4, 0x7D, 0x08, 0x60, 0x83, 0x43, 0x52,
831 	0x83, 0x1E, 0xA5, 0xFC, 0xFA, 0x87, 0x12, 0xF4,
832 	0x64, 0xE2, 0xCE, 0x71, 0x17, 0x72, 0xB6, 0xAB
833 };
834 
835 #endif /* CONFIG_TESTING_OPTIONS */
836 
837 
tlsv1_server_get_dh_p(struct tlsv1_server * conn,const u8 ** dh_p,size_t * dh_p_len)838 void tlsv1_server_get_dh_p(struct tlsv1_server *conn, const u8 **dh_p,
839 			   size_t *dh_p_len)
840 {
841 	*dh_p = conn->cred->dh_p;
842 	*dh_p_len = conn->cred->dh_p_len;
843 
844 #ifdef CONFIG_TESTING_OPTIONS
845 	if (conn->test_flags & TLS_DHE_PRIME_511B) {
846 		tlsv1_server_log(conn, "TESTING: Use short 511-bit prime with DHE");
847 		*dh_p = test_tls_prime511b;
848 		*dh_p_len = sizeof(test_tls_prime511b);
849 	} else if (conn->test_flags & TLS_DHE_PRIME_767B) {
850 		tlsv1_server_log(conn, "TESTING: Use short 767-bit prime with DHE");
851 		*dh_p = test_tls_prime767b;
852 		*dh_p_len = sizeof(test_tls_prime767b);
853 	} else if (conn->test_flags & TLS_DHE_PRIME_15) {
854 		tlsv1_server_log(conn, "TESTING: Use bogus 15 \"prime\" with DHE");
855 		*dh_p = test_tls_prime15;
856 		*dh_p_len = sizeof(test_tls_prime15);
857 	} else if (conn->test_flags & TLS_DHE_PRIME_58B) {
858 		tlsv1_server_log(conn, "TESTING: Use short 58-bit prime in long container with DHE");
859 		*dh_p = test_tls_prime58;
860 		*dh_p_len = sizeof(test_tls_prime58);
861 	} else if (conn->test_flags & TLS_DHE_NON_PRIME) {
862 		tlsv1_server_log(conn, "TESTING: Use claim non-prime as the DHE prime");
863 		*dh_p = test_tls_non_prime;
864 		*dh_p_len = sizeof(test_tls_non_prime);
865 	}
866 #endif /* CONFIG_TESTING_OPTIONS */
867 }
868