Home | History | Annotate | Download | only in tls
      1 /*
      2  * TLS v1.0/v1.1/v1.2 server (RFC 2246, RFC 4346, RFC 5246)
      3  * Copyright (c) 2006-2014, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "crypto/sha1.h"
     13 #include "crypto/tls.h"
     14 #include "tlsv1_common.h"
     15 #include "tlsv1_record.h"
     16 #include "tlsv1_server.h"
     17 #include "tlsv1_server_i.h"
     18 
     19 /* TODO:
     20  * Support for a message fragmented across several records (RFC 2246, 6.2.1)
     21  */
     22 
     23 
     24 void tlsv1_server_log(struct tlsv1_server *conn, const char *fmt, ...)
     25 {
     26 	va_list ap;
     27 	char *buf;
     28 	int buflen;
     29 
     30 	va_start(ap, fmt);
     31 	buflen = vsnprintf(NULL, 0, fmt, ap) + 1;
     32 	va_end(ap);
     33 
     34 	buf = os_malloc(buflen);
     35 	if (buf == NULL)
     36 		return;
     37 	va_start(ap, fmt);
     38 	vsnprintf(buf, buflen, fmt, ap);
     39 	va_end(ap);
     40 
     41 	wpa_printf(MSG_DEBUG, "TLSv1: %s", buf);
     42 	if (conn->log_cb)
     43 		conn->log_cb(conn->log_cb_ctx, buf);
     44 
     45 	os_free(buf);
     46 }
     47 
     48 
     49 void tlsv1_server_alert(struct tlsv1_server *conn, u8 level, u8 description)
     50 {
     51 	conn->alert_level = level;
     52 	conn->alert_description = description;
     53 }
     54 
     55 
     56 int tlsv1_server_derive_keys(struct tlsv1_server *conn,
     57 			     const u8 *pre_master_secret,
     58 			     size_t pre_master_secret_len)
     59 {
     60 	u8 seed[2 * TLS_RANDOM_LEN];
     61 	u8 key_block[TLS_MAX_KEY_BLOCK_LEN];
     62 	u8 *pos;
     63 	size_t key_block_len;
     64 
     65 	if (pre_master_secret) {
     66 		wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret",
     67 				pre_master_secret, pre_master_secret_len);
     68 		os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
     69 		os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
     70 			  TLS_RANDOM_LEN);
     71 		if (tls_prf(conn->rl.tls_version,
     72 			    pre_master_secret, pre_master_secret_len,
     73 			    "master secret", seed, 2 * TLS_RANDOM_LEN,
     74 			    conn->master_secret, TLS_MASTER_SECRET_LEN)) {
     75 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
     76 				   "master_secret");
     77 			return -1;
     78 		}
     79 		wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret",
     80 				conn->master_secret, TLS_MASTER_SECRET_LEN);
     81 	}
     82 
     83 	os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
     84 	os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
     85 	key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
     86 			     conn->rl.iv_size);
     87 	if (tls_prf(conn->rl.tls_version,
     88 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
     89 		    "key expansion", seed, 2 * TLS_RANDOM_LEN,
     90 		    key_block, key_block_len)) {
     91 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
     92 		return -1;
     93 	}
     94 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block",
     95 			key_block, key_block_len);
     96 
     97 	pos = key_block;
     98 
     99 	/* client_write_MAC_secret */
    100 	os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size);
    101 	pos += conn->rl.hash_size;
    102 	/* server_write_MAC_secret */
    103 	os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size);
    104 	pos += conn->rl.hash_size;
    105 
    106 	/* client_write_key */
    107 	os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len);
    108 	pos += conn->rl.key_material_len;
    109 	/* server_write_key */
    110 	os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len);
    111 	pos += conn->rl.key_material_len;
    112 
    113 	/* client_write_IV */
    114 	os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size);
    115 	pos += conn->rl.iv_size;
    116 	/* server_write_IV */
    117 	os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size);
    118 	pos += conn->rl.iv_size;
    119 
    120 	return 0;
    121 }
    122 
    123 
    124 /**
    125  * tlsv1_server_handshake - Process TLS handshake
    126  * @conn: TLSv1 server connection data from tlsv1_server_init()
    127  * @in_data: Input data from TLS peer
    128  * @in_len: Input data length
    129  * @out_len: Length of the output buffer.
    130  * Returns: Pointer to output data, %NULL on failure
    131  */
    132 u8 * tlsv1_server_handshake(struct tlsv1_server *conn,
    133 			    const u8 *in_data, size_t in_len,
    134 			    size_t *out_len)
    135 {
    136 	const u8 *pos, *end;
    137 	u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct;
    138 	size_t in_msg_len;
    139 	int used;
    140 
    141 	if (in_data == NULL || in_len == 0) {
    142 		wpa_printf(MSG_DEBUG, "TLSv1: No input data to server");
    143 		return NULL;
    144 	}
    145 
    146 	pos = in_data;
    147 	end = in_data + in_len;
    148 	in_msg = os_malloc(in_len);
    149 	if (in_msg == NULL)
    150 		return NULL;
    151 
    152 	/* Each received packet may include multiple records */
    153 	while (pos < end) {
    154 		in_msg_len = in_len;
    155 		used = tlsv1_record_receive(&conn->rl, pos, end - pos,
    156 					    in_msg, &in_msg_len, &alert);
    157 		if (used < 0) {
    158 			wpa_printf(MSG_DEBUG, "TLSv1: Processing received "
    159 				   "record failed");
    160 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
    161 			goto failed;
    162 		}
    163 		if (used == 0) {
    164 			/* need more data */
    165 			wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
    166 				   "yet supported");
    167 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
    168 			goto failed;
    169 		}
    170 		ct = pos[0];
    171 
    172 		in_pos = in_msg;
    173 		in_end = in_msg + in_msg_len;
    174 
    175 		/* Each received record may include multiple messages of the
    176 		 * same ContentType. */
    177 		while (in_pos < in_end) {
    178 			in_msg_len = in_end - in_pos;
    179 			if (tlsv1_server_process_handshake(conn, ct, in_pos,
    180 							   &in_msg_len) < 0)
    181 				goto failed;
    182 			in_pos += in_msg_len;
    183 		}
    184 
    185 		pos += used;
    186 	}
    187 
    188 	os_free(in_msg);
    189 	in_msg = NULL;
    190 
    191 	msg = tlsv1_server_handshake_write(conn, out_len);
    192 
    193 failed:
    194 	os_free(in_msg);
    195 	if (conn->alert_level) {
    196 		if (conn->state == FAILED) {
    197 			/* Avoid alert loops */
    198 			wpa_printf(MSG_DEBUG, "TLSv1: Drop alert loop");
    199 			os_free(msg);
    200 			return NULL;
    201 		}
    202 		conn->state = FAILED;
    203 		os_free(msg);
    204 		msg = tlsv1_server_send_alert(conn, conn->alert_level,
    205 					      conn->alert_description,
    206 					      out_len);
    207 	}
    208 
    209 	return msg;
    210 }
    211 
    212 
    213 /**
    214  * tlsv1_server_encrypt - Encrypt data into TLS tunnel
    215  * @conn: TLSv1 server connection data from tlsv1_server_init()
    216  * @in_data: Pointer to plaintext data to be encrypted
    217  * @in_len: Input buffer length
    218  * @out_data: Pointer to output buffer (encrypted TLS data)
    219  * @out_len: Maximum out_data length
    220  * Returns: Number of bytes written to out_data, -1 on failure
    221  *
    222  * This function is used after TLS handshake has been completed successfully to
    223  * send data in the encrypted tunnel.
    224  */
    225 int tlsv1_server_encrypt(struct tlsv1_server *conn,
    226 			 const u8 *in_data, size_t in_len,
    227 			 u8 *out_data, size_t out_len)
    228 {
    229 	size_t rlen;
    230 
    231 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData",
    232 			in_data, in_len);
    233 
    234 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA,
    235 			      out_data, out_len, in_data, in_len, &rlen) < 0) {
    236 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
    237 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    238 				   TLS_ALERT_INTERNAL_ERROR);
    239 		return -1;
    240 	}
    241 
    242 	return rlen;
    243 }
    244 
    245 
    246 /**
    247  * tlsv1_server_decrypt - Decrypt data from TLS tunnel
    248  * @conn: TLSv1 server connection data from tlsv1_server_init()
    249  * @in_data: Pointer to input buffer (encrypted TLS data)
    250  * @in_len: Input buffer length
    251  * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
    252  * @out_len: Maximum out_data length
    253  * Returns: Number of bytes written to out_data, -1 on failure
    254  *
    255  * This function is used after TLS handshake has been completed successfully to
    256  * receive data from the encrypted tunnel.
    257  */
    258 int tlsv1_server_decrypt(struct tlsv1_server *conn,
    259 			 const u8 *in_data, size_t in_len,
    260 			 u8 *out_data, size_t out_len)
    261 {
    262 	const u8 *in_end, *pos;
    263 	int used;
    264 	u8 alert, *out_end, *out_pos, ct;
    265 	size_t olen;
    266 
    267 	pos = in_data;
    268 	in_end = in_data + in_len;
    269 	out_pos = out_data;
    270 	out_end = out_data + out_len;
    271 
    272 	while (pos < in_end) {
    273 		ct = pos[0];
    274 		olen = out_end - out_pos;
    275 		used = tlsv1_record_receive(&conn->rl, pos, in_end - pos,
    276 					    out_pos, &olen, &alert);
    277 		if (used < 0) {
    278 			tlsv1_server_log(conn, "Record layer processing failed");
    279 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
    280 			return -1;
    281 		}
    282 		if (used == 0) {
    283 			/* need more data */
    284 			wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not "
    285 				   "yet supported");
    286 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
    287 			return -1;
    288 		}
    289 
    290 		if (ct == TLS_CONTENT_TYPE_ALERT) {
    291 			if (olen < 2) {
    292 				tlsv1_server_log(conn, "Alert underflow");
    293 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    294 						   TLS_ALERT_DECODE_ERROR);
    295 				return -1;
    296 			}
    297 			tlsv1_server_log(conn, "Received alert %d:%d",
    298 					 out_pos[0], out_pos[1]);
    299 			if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) {
    300 				/* Continue processing */
    301 				pos += used;
    302 				continue;
    303 			}
    304 
    305 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    306 					   out_pos[1]);
    307 			return -1;
    308 		}
    309 
    310 		if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
    311 			tlsv1_server_log(conn, "Unexpected content type 0x%x",
    312 					 pos[0]);
    313 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    314 					   TLS_ALERT_UNEXPECTED_MESSAGE);
    315 			return -1;
    316 		}
    317 
    318 #ifdef CONFIG_TESTING_OPTIONS
    319 		if ((conn->test_flags &
    320 		     (TLS_BREAK_VERIFY_DATA | TLS_BREAK_SRV_KEY_X_HASH |
    321 		      TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
    322 		    !conn->test_failure_reported) {
    323 			tlsv1_server_log(conn, "TEST-FAILURE: Client ApplData received after invalid handshake");
    324 			conn->test_failure_reported = 1;
    325 		}
    326 #endif /* CONFIG_TESTING_OPTIONS */
    327 
    328 		out_pos += olen;
    329 		if (out_pos > out_end) {
    330 			wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough "
    331 				   "for processing the received record");
    332 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
    333 					   TLS_ALERT_INTERNAL_ERROR);
    334 			return -1;
    335 		}
    336 
    337 		pos += used;
    338 	}
    339 
    340 	return out_pos - out_data;
    341 }
    342 
    343 
    344 /**
    345  * tlsv1_server_global_init - Initialize TLSv1 server
    346  * Returns: 0 on success, -1 on failure
    347  *
    348  * This function must be called before using any other TLSv1 server functions.
    349  */
    350 int tlsv1_server_global_init(void)
    351 {
    352 	return crypto_global_init();
    353 }
    354 
    355 
    356 /**
    357  * tlsv1_server_global_deinit - Deinitialize TLSv1 server
    358  *
    359  * This function can be used to deinitialize the TLSv1 server that was
    360  * initialized by calling tlsv1_server_global_init(). No TLSv1 server functions
    361  * can be called after this before calling tlsv1_server_global_init() again.
    362  */
    363 void tlsv1_server_global_deinit(void)
    364 {
    365 	crypto_global_deinit();
    366 }
    367 
    368 
    369 /**
    370  * tlsv1_server_init - Initialize TLSv1 server connection
    371  * @cred: Pointer to server credentials from tlsv1_server_cred_alloc()
    372  * Returns: Pointer to TLSv1 server connection data or %NULL on failure
    373  */
    374 struct tlsv1_server * tlsv1_server_init(struct tlsv1_credentials *cred)
    375 {
    376 	struct tlsv1_server *conn;
    377 	size_t count;
    378 	u16 *suites;
    379 
    380 	conn = os_zalloc(sizeof(*conn));
    381 	if (conn == NULL)
    382 		return NULL;
    383 
    384 	conn->cred = cred;
    385 
    386 	conn->state = CLIENT_HELLO;
    387 
    388 	if (tls_verify_hash_init(&conn->verify) < 0) {
    389 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify "
    390 			   "hash");
    391 		os_free(conn);
    392 		return NULL;
    393 	}
    394 
    395 	count = 0;
    396 	suites = conn->cipher_suites;
    397 	suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
    398 	suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
    399 	suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
    400 	suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
    401 	suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
    402 	suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
    403 	suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
    404 	suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
    405 	suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
    406 	suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
    407 	suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
    408 	suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
    409 	conn->num_cipher_suites = count;
    410 
    411 	return conn;
    412 }
    413 
    414 
    415 static void tlsv1_server_clear_data(struct tlsv1_server *conn)
    416 {
    417 	tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL);
    418 	tlsv1_record_change_write_cipher(&conn->rl);
    419 	tlsv1_record_change_read_cipher(&conn->rl);
    420 	tls_verify_hash_free(&conn->verify);
    421 
    422 	crypto_public_key_free(conn->client_rsa_key);
    423 	conn->client_rsa_key = NULL;
    424 
    425 	os_free(conn->session_ticket);
    426 	conn->session_ticket = NULL;
    427 	conn->session_ticket_len = 0;
    428 	conn->use_session_ticket = 0;
    429 
    430 	os_free(conn->dh_secret);
    431 	conn->dh_secret = NULL;
    432 	conn->dh_secret_len = 0;
    433 }
    434 
    435 
    436 /**
    437  * tlsv1_server_deinit - Deinitialize TLSv1 server connection
    438  * @conn: TLSv1 server connection data from tlsv1_server_init()
    439  */
    440 void tlsv1_server_deinit(struct tlsv1_server *conn)
    441 {
    442 	tlsv1_server_clear_data(conn);
    443 	os_free(conn);
    444 }
    445 
    446 
    447 /**
    448  * tlsv1_server_established - Check whether connection has been established
    449  * @conn: TLSv1 server connection data from tlsv1_server_init()
    450  * Returns: 1 if connection is established, 0 if not
    451  */
    452 int tlsv1_server_established(struct tlsv1_server *conn)
    453 {
    454 	return conn->state == ESTABLISHED;
    455 }
    456 
    457 
    458 /**
    459  * tlsv1_server_prf - Use TLS-PRF to derive keying material
    460  * @conn: TLSv1 server connection data from tlsv1_server_init()
    461  * @label: Label (e.g., description of the key) for PRF
    462  * @server_random_first: seed is 0 = client_random|server_random,
    463  * 1 = server_random|client_random
    464  * @out: Buffer for output data from TLS-PRF
    465  * @out_len: Length of the output buffer
    466  * Returns: 0 on success, -1 on failure
    467  */
    468 int tlsv1_server_prf(struct tlsv1_server *conn, const char *label,
    469 		     int server_random_first, u8 *out, size_t out_len)
    470 {
    471 	u8 seed[2 * TLS_RANDOM_LEN];
    472 
    473 	if (conn->state != ESTABLISHED)
    474 		return -1;
    475 
    476 	if (server_random_first) {
    477 		os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN);
    478 		os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random,
    479 			  TLS_RANDOM_LEN);
    480 	} else {
    481 		os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
    482 		os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
    483 			  TLS_RANDOM_LEN);
    484 	}
    485 
    486 	return tls_prf(conn->rl.tls_version,
    487 		       conn->master_secret, TLS_MASTER_SECRET_LEN,
    488 		       label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
    489 }
    490 
    491 
    492 /**
    493  * tlsv1_server_get_cipher - Get current cipher name
    494  * @conn: TLSv1 server connection data from tlsv1_server_init()
    495  * @buf: Buffer for the cipher name
    496  * @buflen: buf size
    497  * Returns: 0 on success, -1 on failure
    498  *
    499  * Get the name of the currently used cipher.
    500  */
    501 int tlsv1_server_get_cipher(struct tlsv1_server *conn, char *buf,
    502 			    size_t buflen)
    503 {
    504 	char *cipher;
    505 
    506 	switch (conn->rl.cipher_suite) {
    507 	case TLS_RSA_WITH_RC4_128_MD5:
    508 		cipher = "RC4-MD5";
    509 		break;
    510 	case TLS_RSA_WITH_RC4_128_SHA:
    511 		cipher = "RC4-SHA";
    512 		break;
    513 	case TLS_RSA_WITH_DES_CBC_SHA:
    514 		cipher = "DES-CBC-SHA";
    515 		break;
    516 	case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
    517 		cipher = "DES-CBC3-SHA";
    518 		break;
    519 	case TLS_DHE_RSA_WITH_DES_CBC_SHA:
    520 		cipher = "DHE-RSA-DES-CBC-SHA";
    521 		break;
    522 	case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    523 		cipher = "DHE-RSA-DES-CBC3-SHA";
    524 		break;
    525 	case TLS_DH_anon_WITH_RC4_128_MD5:
    526 		cipher = "ADH-RC4-MD5";
    527 		break;
    528 	case TLS_DH_anon_WITH_DES_CBC_SHA:
    529 		cipher = "ADH-DES-SHA";
    530 		break;
    531 	case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
    532 		cipher = "ADH-DES-CBC3-SHA";
    533 		break;
    534 	case TLS_RSA_WITH_AES_128_CBC_SHA:
    535 		cipher = "AES-128-SHA";
    536 		break;
    537 	case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    538 		cipher = "DHE-RSA-AES-128-SHA";
    539 		break;
    540 	case TLS_DH_anon_WITH_AES_128_CBC_SHA:
    541 		cipher = "ADH-AES-128-SHA";
    542 		break;
    543 	case TLS_RSA_WITH_AES_256_CBC_SHA:
    544 		cipher = "AES-256-SHA";
    545 		break;
    546 	case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
    547 		cipher = "DHE-RSA-AES-256-SHA";
    548 		break;
    549 	case TLS_DH_anon_WITH_AES_256_CBC_SHA:
    550 		cipher = "ADH-AES-256-SHA";
    551 		break;
    552 	case TLS_RSA_WITH_AES_128_CBC_SHA256:
    553 		cipher = "AES-128-SHA256";
    554 		break;
    555 	case TLS_RSA_WITH_AES_256_CBC_SHA256:
    556 		cipher = "AES-256-SHA256";
    557 		break;
    558 	case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    559 		cipher = "DHE-RSA-AES-128-SHA256";
    560 		break;
    561 	case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
    562 		cipher = "DHE-RSA-AES-256-SHA256";
    563 		break;
    564 	case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
    565 		cipher = "ADH-AES-128-SHA256";
    566 		break;
    567 	case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
    568 		cipher = "ADH-AES-256-SHA256";
    569 		break;
    570 	default:
    571 		return -1;
    572 	}
    573 
    574 	if (os_strlcpy(buf, cipher, buflen) >= buflen)
    575 		return -1;
    576 	return 0;
    577 }
    578 
    579 
    580 /**
    581  * tlsv1_server_shutdown - Shutdown TLS connection
    582  * @conn: TLSv1 server connection data from tlsv1_server_init()
    583  * Returns: 0 on success, -1 on failure
    584  */
    585 int tlsv1_server_shutdown(struct tlsv1_server *conn)
    586 {
    587 	conn->state = CLIENT_HELLO;
    588 
    589 	if (tls_verify_hash_init(&conn->verify) < 0) {
    590 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify "
    591 			   "hash");
    592 		return -1;
    593 	}
    594 
    595 	tlsv1_server_clear_data(conn);
    596 
    597 	return 0;
    598 }
    599 
    600 
    601 /**
    602  * tlsv1_server_resumed - Was session resumption used
    603  * @conn: TLSv1 server connection data from tlsv1_server_init()
    604  * Returns: 1 if current session used session resumption, 0 if not
    605  */
    606 int tlsv1_server_resumed(struct tlsv1_server *conn)
    607 {
    608 	return 0;
    609 }
    610 
    611 
    612 /**
    613  * tlsv1_server_get_keys - Get master key and random data from TLS connection
    614  * @conn: TLSv1 server connection data from tlsv1_server_init()
    615  * @keys: Structure of key/random data (filled on success)
    616  * Returns: 0 on success, -1 on failure
    617  */
    618 int tlsv1_server_get_keys(struct tlsv1_server *conn, struct tls_keys *keys)
    619 {
    620 	os_memset(keys, 0, sizeof(*keys));
    621 	if (conn->state == CLIENT_HELLO)
    622 		return -1;
    623 
    624 	keys->client_random = conn->client_random;
    625 	keys->client_random_len = TLS_RANDOM_LEN;
    626 
    627 	if (conn->state != SERVER_HELLO) {
    628 		keys->server_random = conn->server_random;
    629 		keys->server_random_len = TLS_RANDOM_LEN;
    630 	}
    631 
    632 	return 0;
    633 }
    634 
    635 
    636 /**
    637  * tlsv1_server_get_keyblock_size - Get TLS key_block size
    638  * @conn: TLSv1 server connection data from tlsv1_server_init()
    639  * Returns: Size of the key_block for the negotiated cipher suite or -1 on
    640  * failure
    641  */
    642 int tlsv1_server_get_keyblock_size(struct tlsv1_server *conn)
    643 {
    644 	if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO)
    645 		return -1;
    646 
    647 	return 2 * (conn->rl.hash_size + conn->rl.key_material_len +
    648 		    conn->rl.iv_size);
    649 }
    650 
    651 
    652 /**
    653  * tlsv1_server_set_cipher_list - Configure acceptable cipher suites
    654  * @conn: TLSv1 server connection data from tlsv1_server_init()
    655  * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
    656  * (TLS_CIPHER_*).
    657  * Returns: 0 on success, -1 on failure
    658  */
    659 int tlsv1_server_set_cipher_list(struct tlsv1_server *conn, u8 *ciphers)
    660 {
    661 	size_t count;
    662 	u16 *suites;
    663 
    664 	/* TODO: implement proper configuration of cipher suites */
    665 	if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) {
    666 		count = 0;
    667 		suites = conn->cipher_suites;
    668 		suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
    669 		suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
    670 		suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
    671 		suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
    672 		suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
    673 		suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
    674 		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
    675 		suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
    676 		suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
    677 		suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
    678 		conn->num_cipher_suites = count;
    679 	}
    680 
    681 	return 0;
    682 }
    683 
    684 
    685 int tlsv1_server_set_verify(struct tlsv1_server *conn, int verify_peer)
    686 {
    687 	conn->verify_peer = verify_peer;
    688 	return 0;
    689 }
    690 
    691 
    692 void tlsv1_server_set_session_ticket_cb(struct tlsv1_server *conn,
    693 					tlsv1_server_session_ticket_cb cb,
    694 					void *ctx)
    695 {
    696 	wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)",
    697 		   cb, ctx);
    698 	conn->session_ticket_cb = cb;
    699 	conn->session_ticket_cb_ctx = ctx;
    700 }
    701 
    702 
    703 void tlsv1_server_set_log_cb(struct tlsv1_server *conn,
    704 			     void (*cb)(void *ctx, const char *msg), void *ctx)
    705 {
    706 	conn->log_cb = cb;
    707 	conn->log_cb_ctx = ctx;
    708 }
    709 
    710 
    711 #ifdef CONFIG_TESTING_OPTIONS
    712 void tlsv1_server_set_test_flags(struct tlsv1_server *conn, u32 flags)
    713 {
    714 	conn->test_flags = flags;
    715 }
    716 
    717 
    718 static const u8 test_tls_prime15[1] = {
    719 	15
    720 };
    721 
    722 static const u8 test_tls_prime511b[64] = {
    723 	0x50, 0xfb, 0xf1, 0xae, 0x01, 0xf1, 0xfe, 0xe6,
    724 	0xe1, 0xae, 0xdc, 0x1e, 0xbe, 0xfb, 0x9e, 0x58,
    725 	0x9a, 0xd7, 0x54, 0x9d, 0x6b, 0xb3, 0x78, 0xe2,
    726 	0x39, 0x7f, 0x30, 0x01, 0x25, 0xa1, 0xf9, 0x7c,
    727 	0x55, 0x0e, 0xa1, 0x15, 0xcc, 0x36, 0x34, 0xbb,
    728 	0x6c, 0x8b, 0x64, 0x45, 0x15, 0x7f, 0xd3, 0xe7,
    729 	0x31, 0xc8, 0x8e, 0x56, 0x8e, 0x95, 0xdc, 0xea,
    730 	0x9e, 0xdf, 0xf7, 0x56, 0xdd, 0xb0, 0x34, 0xdb
    731 };
    732 
    733 static const u8 test_tls_prime767b[96] = {
    734 	0x4c, 0xdc, 0xb8, 0x21, 0x20, 0x9d, 0xe8, 0xa3,
    735 	0x53, 0xd9, 0x1c, 0x18, 0xc1, 0x3a, 0x58, 0x67,
    736 	0xa7, 0x85, 0xf9, 0x28, 0x9b, 0xce, 0xc0, 0xd1,
    737 	0x05, 0x84, 0x61, 0x97, 0xb2, 0x86, 0x1c, 0xd0,
    738 	0xd1, 0x96, 0x23, 0x29, 0x8c, 0xc5, 0x30, 0x68,
    739 	0x3e, 0xf9, 0x05, 0xba, 0x60, 0xeb, 0xdb, 0xee,
    740 	0x2d, 0xdf, 0x84, 0x65, 0x49, 0x87, 0x90, 0x2a,
    741 	0xc9, 0x8e, 0x34, 0x63, 0x6d, 0x9a, 0x2d, 0x32,
    742 	0x1c, 0x46, 0xd5, 0x4e, 0x20, 0x20, 0x90, 0xac,
    743 	0xd5, 0x48, 0x79, 0x99, 0x0c, 0xe6, 0xed, 0xbf,
    744 	0x79, 0xc2, 0x47, 0x50, 0x95, 0x38, 0x38, 0xbc,
    745 	0xde, 0xb0, 0xd2, 0xe8, 0x97, 0xcb, 0x22, 0xbb
    746 };
    747 
    748 static const u8 test_tls_prime58[128] = {
    749 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    750 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    751 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    752 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    753 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    754 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    755 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    756 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    757 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    758 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    759 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    760 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    761 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    762 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    763 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    764 	0x03, 0xc1, 0xba, 0xc8, 0x25, 0xbe, 0x2d, 0xf3
    765 };
    766 
    767 static const u8 test_tls_non_prime[] = {
    768 	/*
    769 	 * This is not a prime and the value has the following factors:
    770 	 * 13736783488716579923 * 16254860191773456563 * 18229434976173670763 *
    771 	 * 11112313018289079419 * 10260802278580253339 * 12394009491575311499 *
    772 	 * 12419059668711064739 * 14317973192687985827 * 10498605410533203179 *
    773 	 * 16338688760390249003 * 11128963991123878883 * 12990532258280301419 *
    774 	 * 3
    775 	 */
    776 	0x0C, 0x8C, 0x36, 0x9C, 0x6F, 0x71, 0x2E, 0xA7,
    777 	0xAB, 0x32, 0xD3, 0x0F, 0x68, 0x3D, 0xB2, 0x6D,
    778 	0x81, 0xDD, 0xC4, 0x84, 0x0D, 0x9C, 0x6E, 0x36,
    779 	0x29, 0x70, 0xF3, 0x1E, 0x9A, 0x42, 0x0B, 0x67,
    780 	0x82, 0x6B, 0xB1, 0xF2, 0xAF, 0x55, 0x28, 0xE7,
    781 	0xDB, 0x67, 0x6C, 0xF7, 0x6B, 0xAC, 0xAC, 0xE5,
    782 	0xF7, 0x9F, 0xD4, 0x63, 0x55, 0x70, 0x32, 0x7C,
    783 	0x70, 0xFB, 0xAF, 0xB8, 0xEB, 0x37, 0xCF, 0x3F,
    784 	0xFE, 0x94, 0x73, 0xF9, 0x7A, 0xC7, 0x12, 0x2E,
    785 	0x9B, 0xB4, 0x7D, 0x08, 0x60, 0x83, 0x43, 0x52,
    786 	0x83, 0x1E, 0xA5, 0xFC, 0xFA, 0x87, 0x12, 0xF4,
    787 	0x64, 0xE2, 0xCE, 0x71, 0x17, 0x72, 0xB6, 0xAB
    788 };
    789 
    790 #endif /* CONFIG_TESTING_OPTIONS */
    791 
    792 
    793 void tlsv1_server_get_dh_p(struct tlsv1_server *conn, const u8 **dh_p,
    794 			   size_t *dh_p_len)
    795 {
    796 	*dh_p = conn->cred->dh_p;
    797 	*dh_p_len = conn->cred->dh_p_len;
    798 
    799 #ifdef CONFIG_TESTING_OPTIONS
    800 	if (conn->test_flags & TLS_DHE_PRIME_511B) {
    801 		tlsv1_server_log(conn, "TESTING: Use short 511-bit prime with DHE");
    802 		*dh_p = test_tls_prime511b;
    803 		*dh_p_len = sizeof(test_tls_prime511b);
    804 	} else if (conn->test_flags & TLS_DHE_PRIME_767B) {
    805 		tlsv1_server_log(conn, "TESTING: Use short 767-bit prime with DHE");
    806 		*dh_p = test_tls_prime767b;
    807 		*dh_p_len = sizeof(test_tls_prime767b);
    808 	} else if (conn->test_flags & TLS_DHE_PRIME_15) {
    809 		tlsv1_server_log(conn, "TESTING: Use bogus 15 \"prime\" with DHE");
    810 		*dh_p = test_tls_prime15;
    811 		*dh_p_len = sizeof(test_tls_prime15);
    812 	} else if (conn->test_flags & TLS_DHE_PRIME_58B) {
    813 		tlsv1_server_log(conn, "TESTING: Use short 58-bit prime in long container with DHE");
    814 		*dh_p = test_tls_prime58;
    815 		*dh_p_len = sizeof(test_tls_prime58);
    816 	} else if (conn->test_flags & TLS_DHE_NON_PRIME) {
    817 		tlsv1_server_log(conn, "TESTING: Use claim non-prime as the DHE prime");
    818 		*dh_p = test_tls_non_prime;
    819 		*dh_p_len = sizeof(test_tls_non_prime);
    820 	}
    821 #endif /* CONFIG_TESTING_OPTIONS */
    822 }
    823