Implemented input record decryption and verification
authorMartin Willi <martin@revosec.ch>
Fri, 5 Feb 2010 10:50:29 +0000 (10:50 +0000)
committerMartin Willi <martin@revosec.ch>
Tue, 3 Aug 2010 13:39:25 +0000 (15:39 +0200)
src/charon/plugins/eap_tls/eap_tls.c
src/charon/plugins/eap_tls/tls/tls_crypto.c
src/charon/plugins/eap_tls/tls/tls_fragmentation.c
src/charon/plugins/eap_tls/tls/tls_handshake.h
src/charon/plugins/eap_tls/tls/tls_peer.c
src/charon/plugins/eap_tls/tls/tls_protection.c
src/charon/plugins/eap_tls/tls/tls_server.c

index 589096d..3518dfc 100644 (file)
@@ -318,6 +318,7 @@ METHOD(eap_method_t, process, status_t,
        status_t status;
 
        data = in->get_data(in);
+
        pkt = (eap_tls_packet_t*)data.ptr;
        if (data.len < sizeof(eap_tls_packet_t) ||
                untoh16(&pkt->length) != data.len)
index 829d29a..e097721 100644 (file)
@@ -363,7 +363,7 @@ METHOD(tls_crypto_t, derive_master_secret, void,
        if (this->crypter_out)
        {
                eks = this->crypter_out->get_key_size(this->crypter_out);
-               if (this->tls->get_version(this->tls) < TLS_1_2)
+               if (this->tls->get_version(this->tls) < TLS_1_1)
                {
                        ivs = this->crypter_out->get_block_size(this->crypter_out);
                }
index 83295e2..7a99c92 100644 (file)
@@ -141,8 +141,12 @@ METHOD(tls_fragmentation_t, process, status_t,
        switch (type)
        {
                case TLS_CHANGE_CIPHER_SPEC:
-                       this->handshake->change_cipherspec(this->handshake);
-                       status = NEED_MORE;
+                       if (this->handshake->change_cipherspec(this->handshake))
+                       {
+                               status = NEED_MORE;
+                               break;
+                       }
+                       status = FAILED;
                        break;
                case TLS_ALERT:
                        /* TODO: handle Alert */
index e32f3e5..1139740 100644 (file)
@@ -68,8 +68,10 @@ struct tls_handshake_t {
 
        /**
         * Change the cipher spec for incoming messages.
+        *
+        * @return                      TRUE if cipher spec changed
         */
-       void (*change_cipherspec)(tls_handshake_t *this);
+       bool (*change_cipherspec)(tls_handshake_t *this);
 
        /**
         * Destroy a tls_handshake_t.
index f742caf..97052b5 100644 (file)
@@ -28,8 +28,9 @@ typedef enum {
        STATE_CERT_SENT,
        STATE_KEY_EXCHANGE_SENT,
        STATE_VERIFY_SENT,
-       STATE_CIPHERSPEC_CHANGED,
+       STATE_CIPHERSPEC_CHANGED_OUT,
        STATE_FINISHED_SENT,
+       STATE_CIPHERSPEC_CHANGED_IN,
 } peer_state_t;
 
 /**
@@ -270,6 +271,14 @@ static status_t process_hello_done(private_tls_peer_t *this,
        return NEED_MORE;
 }
 
+/**
+ * Process finished message
+ */
+static status_t process_finished(private_tls_peer_t *this, tls_reader_t *reader)
+{
+       return FAILED;
+}
+
 METHOD(tls_handshake_t, process, status_t,
        private_tls_peer_t *this, tls_handshake_type_t type, tls_reader_t *reader)
 {
@@ -290,6 +299,15 @@ METHOD(tls_handshake_t, process, status_t,
                                        break;
                        }
                        break;
+               case STATE_CIPHERSPEC_CHANGED_IN:
+                       switch (type)
+                       {
+                               case TLS_FINISHED:
+                                       return process_finished(this, reader);
+                               default:
+                                       break;
+                       }
+                       break;
                default:
                        break;
        }
@@ -568,6 +586,7 @@ static status_t send_finished(private_tls_peer_t *this,
 
        *type = TLS_FINISHED;
        this->state = STATE_FINISHED_SENT;
+       append_handshake(this, *type, writer->get_buf(writer));
        return NEED_MORE;
 }
 
@@ -584,7 +603,7 @@ METHOD(tls_handshake_t, build, status_t,
                        return send_key_exchange(this, type, writer);
                case STATE_KEY_EXCHANGE_SENT:
                        return send_certificate_verify(this, type, writer);
-               case STATE_CIPHERSPEC_CHANGED:
+               case STATE_CIPHERSPEC_CHANGED_OUT:
                        return send_finished(this, type, writer);
                default:
                        return INVALID_STATE;
@@ -597,16 +616,22 @@ METHOD(tls_handshake_t, cipherspec_changed, bool,
        if (this->state == STATE_VERIFY_SENT)
        {
                this->crypto->change_cipher(this->crypto, FALSE);
-               this->state = STATE_CIPHERSPEC_CHANGED;
+               this->state = STATE_CIPHERSPEC_CHANGED_OUT;
                return TRUE;
        }
        return FALSE;
 }
 
-METHOD(tls_handshake_t, change_cipherspec, void,
+METHOD(tls_handshake_t, change_cipherspec, bool,
        private_tls_peer_t *this)
 {
-
+       if (this->state == STATE_FINISHED_SENT)
+       {
+               this->crypto->change_cipher(this->crypto, TRUE);
+               this->state = STATE_CIPHERSPEC_CHANGED_IN;
+               return TRUE;
+       }
+       return FALSE;
 }
 
 METHOD(tls_handshake_t, destroy, void,
index d0bb1e0..75fae0a 100644 (file)
@@ -106,7 +106,82 @@ static chunk_t sigheader(u_int32_t seq, u_int8_t type,
 METHOD(tls_protection_t, process, status_t,
        private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
-       this->seq_in++;
+       if (this->crypter_in)
+       {
+               chunk_t iv, next_iv = chunk_empty;
+               u_int8_t bs, padding_length;
+
+               bs = this->crypter_in->get_block_size(this->crypter_in);
+               if (data.len < bs || data.len % bs)
+               {
+                       DBG1(DBG_IKE, "encrypted TLS record not multiple of block size");
+                       return FAILED;
+               }
+               if (this->iv_in.len)
+               {       /* < TLSv1.1 uses IV from key derivation/last block */
+                       iv = this->iv_in;
+                       next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
+               }
+               else
+               {       /* TLSv1.1 uses random IVs, prepended to record */
+                       iv = chunk_create(data.ptr, bs);
+                       data = chunk_skip(data, bs);
+                       if (data.len < bs)
+                       {
+                               DBG1(DBG_IKE, "TLS record too short to decrypt");
+                               return FAILED;
+                       }
+               }
+               this->crypter_in->decrypt(this->crypter_in, data, iv, NULL);
+
+               if (next_iv.len)
+               {       /* next record IV is last ciphertext block of this record */
+                       memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
+                       free(next_iv.ptr);
+               }
+
+               padding_length = data.ptr[data.len - 1];
+               if (padding_length >= data.len)
+               {
+                       DBG1(DBG_IKE, "invalid TLS record padding");
+                       return FAILED;
+               }
+               data.len -= padding_length + 1;
+       }
+       if (this->signer_in)
+       {
+               chunk_t mac, macdata, header;
+               u_int8_t bs;
+
+               bs = this->signer_in->get_block_size(this->signer_in);
+               if (data.len <= bs)
+               {
+                       DBG1(DBG_IKE, "TLS record too short to verify MAC");
+                       return FAILED;
+               }
+               mac = chunk_skip(data, data.len - bs);
+               data.len -= bs;
+
+               header = sigheader(this->seq_in, type,
+                                                  this->tls->get_version(this->tls), data.len);
+               macdata = chunk_cat("mc", header, data);
+               if (!this->signer_in->verify_signature(this->signer_in, macdata, mac))
+               {
+                       DBG1(DBG_IKE, "TLS record MAC verification failed");
+                       free(macdata.ptr);
+                       return FAILED;
+               }
+               free(macdata.ptr);
+       }
+
+       if (type == TLS_CHANGE_CIPHER_SPEC)
+       {
+               this->seq_in = 0;
+       }
+       else
+       {
+               this->seq_in++;
+       }
        return this->compression->process(this->compression, type, data);
 }
 
@@ -145,11 +220,11 @@ METHOD(tls_protection_t, build, status_t,
                                memset(padding.ptr, padding_length, padding.len);
 
                                if (this->iv_out.len)
-                               {       /* < TLSv1.2 uses IV from key derivation/last block */
+                               {       /* < TLSv1.1 uses IV from key derivation/last block */
                                        iv = this->iv_out;
                                }
                                else
-                               {       /* TLSv1.2 uses random IVs, prepended to record */
+                               {       /* TLSv1.1 uses random IVs, prepended to record */
                                        if (!this->rng)
                                        {
                                                DBG1(DBG_IKE, "no RNG supported to generate TLS IV");
@@ -162,8 +237,7 @@ METHOD(tls_protection_t, build, status_t,
                                *data = chunk_cat("mmcc", *data, mac, padding,
                                                                  chunk_from_thing(padding_length));
                                /* encrypt inline */
-                               this->crypter_out->encrypt(this->crypter_out, *data,
-                                                                                  this->iv_out, NULL);
+                               this->crypter_out->encrypt(this->crypter_out, *data, iv, NULL);
 
                                if (this->iv_out.len)
                                {       /* next record IV is last ciphertext block of this record */
index a5dcdd0..8d5e016 100644 (file)
@@ -69,10 +69,10 @@ METHOD(tls_handshake_t, cipherspec_changed, bool,
        return FALSE;
 }
 
-METHOD(tls_handshake_t, change_cipherspec, void,
+METHOD(tls_handshake_t, change_cipherspec, bool,
        private_tls_server_t *this)
 {
-
+       return FALSE;
 }
 
 METHOD(tls_handshake_t, destroy, void,