1 /* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_server.h" 20 #include "tlsv1_server_i.h" 21 22 23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 31 { 32 #ifdef CONFIG_TESTING_OPTIONS 33 if ((conn->test_flags & 34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE | 35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 | 36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) && 37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 42 return 1; 43 #endif /* CONFIG_TESTING_OPTIONS */ 44 45 return 0; 46 } 47 48 49 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 50 const u8 *in_data, size_t *in_len) 51 { 52 const u8 *pos, *end, *c; 53 size_t left, len, i, j; 54 u16 cipher_suite; 55 u16 num_suites; 56 int compr_null_found; 57 u16 ext_type, ext_len; 58 59 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 60 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 61 ct); 62 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 63 TLS_ALERT_UNEXPECTED_MESSAGE); 64 return -1; 65 } 66 67 pos = in_data; 68 left = *in_len; 69 70 if (left < 4) 71 goto decode_error; 72 73 /* HandshakeType msg_type */ 74 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 75 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 76 *pos); 77 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 78 TLS_ALERT_UNEXPECTED_MESSAGE); 79 return -1; 80 } 81 tlsv1_server_log(conn, "Received ClientHello"); 82 pos++; 83 /* uint24 length */ 84 len = WPA_GET_BE24(pos); 85 pos += 3; 86 left -= 4; 87 88 if (len > left) 89 goto decode_error; 90 91 /* body - ClientHello */ 92 93 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 94 end = pos + len; 95 96 /* ProtocolVersion client_version */ 97 if (end - pos < 2) 98 goto decode_error; 99 conn->client_version = WPA_GET_BE16(pos); 100 tlsv1_server_log(conn, "Client version %d.%d", 101 conn->client_version >> 8, 102 conn->client_version & 0xff); 103 if (conn->client_version < TLS_VERSION_1) { 104 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 105 conn->client_version >> 8, 106 conn->client_version & 0xff); 107 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 108 TLS_ALERT_PROTOCOL_VERSION); 109 return -1; 110 } 111 pos += 2; 112 113 if (TLS_VERSION == TLS_VERSION_1) 114 conn->rl.tls_version = TLS_VERSION_1; 115 #ifdef CONFIG_TLSV12 116 else if (conn->client_version >= TLS_VERSION_1_2) 117 conn->rl.tls_version = TLS_VERSION_1_2; 118 #endif /* CONFIG_TLSV12 */ 119 else if (conn->client_version > TLS_VERSION_1_1) 120 conn->rl.tls_version = TLS_VERSION_1_1; 121 else 122 conn->rl.tls_version = conn->client_version; 123 tlsv1_server_log(conn, "Using TLS v%s", 124 tls_version_str(conn->rl.tls_version)); 125 126 /* Random random */ 127 if (end - pos < TLS_RANDOM_LEN) 128 goto decode_error; 129 130 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 131 pos += TLS_RANDOM_LEN; 132 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 133 conn->client_random, TLS_RANDOM_LEN); 134 135 /* SessionID session_id */ 136 if (end - pos < 1) 137 goto decode_error; 138 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 139 goto decode_error; 140 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 141 pos += 1 + *pos; 142 /* TODO: add support for session resumption */ 143 144 /* CipherSuite cipher_suites<2..2^16-1> */ 145 if (end - pos < 2) 146 goto decode_error; 147 num_suites = WPA_GET_BE16(pos); 148 pos += 2; 149 if (end - pos < num_suites) 150 goto decode_error; 151 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 152 pos, num_suites); 153 if (num_suites & 1) 154 goto decode_error; 155 num_suites /= 2; 156 157 cipher_suite = 0; 158 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 159 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 160 continue; 161 c = pos; 162 for (j = 0; j < num_suites; j++) { 163 u16 tmp = WPA_GET_BE16(c); 164 c += 2; 165 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 166 cipher_suite = tmp; 167 break; 168 } 169 } 170 } 171 pos += num_suites * 2; 172 if (!cipher_suite) { 173 tlsv1_server_log(conn, "No supported cipher suite available"); 174 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 175 TLS_ALERT_ILLEGAL_PARAMETER); 176 return -1; 177 } 178 179 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 180 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 181 "record layer"); 182 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 183 TLS_ALERT_INTERNAL_ERROR); 184 return -1; 185 } 186 187 conn->cipher_suite = cipher_suite; 188 189 /* CompressionMethod compression_methods<1..2^8-1> */ 190 if (end - pos < 1) 191 goto decode_error; 192 num_suites = *pos++; 193 if (end - pos < num_suites) 194 goto decode_error; 195 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 196 pos, num_suites); 197 compr_null_found = 0; 198 for (i = 0; i < num_suites; i++) { 199 if (*pos++ == TLS_COMPRESSION_NULL) 200 compr_null_found = 1; 201 } 202 if (!compr_null_found) { 203 tlsv1_server_log(conn, "Client does not accept NULL compression"); 204 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 205 TLS_ALERT_ILLEGAL_PARAMETER); 206 return -1; 207 } 208 209 if (end - pos == 1) { 210 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 211 *pos); 212 goto decode_error; 213 } 214 215 if (end - pos >= 2) { 216 /* Extension client_hello_extension_list<0..2^16-1> */ 217 ext_len = WPA_GET_BE16(pos); 218 pos += 2; 219 220 tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 221 ext_len); 222 if (end - pos != ext_len) { 223 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 224 ext_len, (unsigned int) (end - pos)); 225 goto decode_error; 226 } 227 228 /* 229 * struct { 230 * ExtensionType extension_type (0..65535) 231 * opaque extension_data<0..2^16-1> 232 * } Extension; 233 */ 234 235 while (pos < end) { 236 if (end - pos < 2) { 237 tlsv1_server_log(conn, "Invalid extension_type field"); 238 goto decode_error; 239 } 240 241 ext_type = WPA_GET_BE16(pos); 242 pos += 2; 243 244 if (end - pos < 2) { 245 tlsv1_server_log(conn, "Invalid extension_data length field"); 246 goto decode_error; 247 } 248 249 ext_len = WPA_GET_BE16(pos); 250 pos += 2; 251 252 if (end - pos < ext_len) { 253 tlsv1_server_log(conn, "Invalid extension_data field"); 254 goto decode_error; 255 } 256 257 tlsv1_server_log(conn, "ClientHello Extension type %u", 258 ext_type); 259 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 260 "Extension data", pos, ext_len); 261 262 if (ext_type == TLS_EXT_SESSION_TICKET) { 263 os_free(conn->session_ticket); 264 conn->session_ticket = os_malloc(ext_len); 265 if (conn->session_ticket) { 266 os_memcpy(conn->session_ticket, pos, 267 ext_len); 268 conn->session_ticket_len = ext_len; 269 } 270 } 271 272 pos += ext_len; 273 } 274 } 275 276 *in_len = end - in_data; 277 278 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 279 conn->state = SERVER_HELLO; 280 281 return 0; 282 283 decode_error: 284 tlsv1_server_log(conn, "Failed to decode ClientHello"); 285 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_DECODE_ERROR); 287 return -1; 288 } 289 290 291 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 292 const u8 *in_data, size_t *in_len) 293 { 294 const u8 *pos, *end; 295 size_t left, len, list_len, cert_len, idx; 296 u8 type; 297 struct x509_certificate *chain = NULL, *last = NULL, *cert; 298 int reason; 299 300 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 301 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 302 ct); 303 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 304 TLS_ALERT_UNEXPECTED_MESSAGE); 305 return -1; 306 } 307 308 pos = in_data; 309 left = *in_len; 310 311 if (left < 4) { 312 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 313 (unsigned long) left); 314 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 315 TLS_ALERT_DECODE_ERROR); 316 return -1; 317 } 318 319 type = *pos++; 320 len = WPA_GET_BE24(pos); 321 pos += 3; 322 left -= 4; 323 324 if (len > left) { 325 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 326 (unsigned long) len, (unsigned long) left); 327 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 328 TLS_ALERT_DECODE_ERROR); 329 return -1; 330 } 331 332 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 333 if (conn->verify_peer) { 334 tlsv1_server_log(conn, "Client did not include Certificate"); 335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 336 TLS_ALERT_UNEXPECTED_MESSAGE); 337 return -1; 338 } 339 340 return tls_process_client_key_exchange(conn, ct, in_data, 341 in_len); 342 } 343 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 344 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 345 type); 346 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 347 TLS_ALERT_UNEXPECTED_MESSAGE); 348 return -1; 349 } 350 351 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 352 (unsigned long) len); 353 354 /* 355 * opaque ASN.1Cert<2^24-1>; 356 * 357 * struct { 358 * ASN.1Cert certificate_list<1..2^24-1>; 359 * } Certificate; 360 */ 361 362 end = pos + len; 363 364 if (end - pos < 3) { 365 tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 366 (unsigned long) left); 367 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 368 TLS_ALERT_DECODE_ERROR); 369 return -1; 370 } 371 372 list_len = WPA_GET_BE24(pos); 373 pos += 3; 374 375 if ((size_t) (end - pos) != list_len) { 376 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 377 (unsigned long) list_len, 378 (unsigned long) (end - pos)); 379 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 380 TLS_ALERT_DECODE_ERROR); 381 return -1; 382 } 383 384 idx = 0; 385 while (pos < end) { 386 if (end - pos < 3) { 387 tlsv1_server_log(conn, "Failed to parse certificate_list"); 388 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 389 TLS_ALERT_DECODE_ERROR); 390 x509_certificate_chain_free(chain); 391 return -1; 392 } 393 394 cert_len = WPA_GET_BE24(pos); 395 pos += 3; 396 397 if ((size_t) (end - pos) < cert_len) { 398 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 399 (unsigned long) cert_len, 400 (unsigned long) (end - pos)); 401 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 402 TLS_ALERT_DECODE_ERROR); 403 x509_certificate_chain_free(chain); 404 return -1; 405 } 406 407 tlsv1_server_log(conn, "Certificate %lu (len %lu)", 408 (unsigned long) idx, (unsigned long) cert_len); 409 410 if (idx == 0) { 411 crypto_public_key_free(conn->client_rsa_key); 412 if (tls_parse_cert(pos, cert_len, 413 &conn->client_rsa_key)) { 414 tlsv1_server_log(conn, "Failed to parse the certificate"); 415 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 416 TLS_ALERT_BAD_CERTIFICATE); 417 x509_certificate_chain_free(chain); 418 return -1; 419 } 420 } 421 422 cert = x509_certificate_parse(pos, cert_len); 423 if (cert == NULL) { 424 tlsv1_server_log(conn, "Failed to parse the certificate"); 425 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 426 TLS_ALERT_BAD_CERTIFICATE); 427 x509_certificate_chain_free(chain); 428 return -1; 429 } 430 431 if (last == NULL) 432 chain = cert; 433 else 434 last->next = cert; 435 last = cert; 436 437 idx++; 438 pos += cert_len; 439 } 440 441 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 442 &reason, 0) < 0) { 443 int tls_reason; 444 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 445 reason); 446 switch (reason) { 447 case X509_VALIDATE_BAD_CERTIFICATE: 448 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 449 break; 450 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 451 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 452 break; 453 case X509_VALIDATE_CERTIFICATE_REVOKED: 454 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 455 break; 456 case X509_VALIDATE_CERTIFICATE_EXPIRED: 457 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 458 break; 459 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 460 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 461 break; 462 case X509_VALIDATE_UNKNOWN_CA: 463 tls_reason = TLS_ALERT_UNKNOWN_CA; 464 break; 465 default: 466 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 467 break; 468 } 469 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 470 x509_certificate_chain_free(chain); 471 return -1; 472 } 473 474 x509_certificate_chain_free(chain); 475 476 *in_len = end - in_data; 477 478 conn->state = CLIENT_KEY_EXCHANGE; 479 480 return 0; 481 } 482 483 484 static int tls_process_client_key_exchange_rsa( 485 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 486 { 487 u8 *out; 488 size_t outlen, outbuflen; 489 u16 encr_len; 490 int res; 491 int use_random = 0; 492 493 if (end - pos < 2) { 494 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 495 TLS_ALERT_DECODE_ERROR); 496 return -1; 497 } 498 499 encr_len = WPA_GET_BE16(pos); 500 pos += 2; 501 if (pos + encr_len > end) { 502 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 503 encr_len, (unsigned int) (end - pos)); 504 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 505 TLS_ALERT_DECODE_ERROR); 506 return -1; 507 } 508 509 outbuflen = outlen = end - pos; 510 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 511 outlen : TLS_PRE_MASTER_SECRET_LEN); 512 if (out == NULL) { 513 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 514 TLS_ALERT_INTERNAL_ERROR); 515 return -1; 516 } 517 518 /* 519 * struct { 520 * ProtocolVersion client_version; 521 * opaque random[46]; 522 * } PreMasterSecret; 523 * 524 * struct { 525 * public-key-encrypted PreMasterSecret pre_master_secret; 526 * } EncryptedPreMasterSecret; 527 */ 528 529 /* 530 * Note: To avoid Bleichenbacher attack, we do not report decryption or 531 * parsing errors from EncryptedPreMasterSecret processing to the 532 * client. Instead, a random pre-master secret is used to force the 533 * handshake to fail. 534 */ 535 536 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 537 pos, encr_len, 538 out, &outlen) < 0) { 539 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 540 "PreMasterSecret (encr_len=%u outlen=%lu)", 541 encr_len, (unsigned long) outlen); 542 use_random = 1; 543 } 544 545 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 546 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 547 (unsigned long) outlen); 548 use_random = 1; 549 } 550 551 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 552 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 553 use_random = 1; 554 } 555 556 if (use_random) { 557 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 558 "to avoid revealing information about private key"); 559 outlen = TLS_PRE_MASTER_SECRET_LEN; 560 if (os_get_random(out, outlen)) { 561 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 562 "data"); 563 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 564 TLS_ALERT_INTERNAL_ERROR); 565 os_free(out); 566 return -1; 567 } 568 } 569 570 res = tlsv1_server_derive_keys(conn, out, outlen); 571 572 /* Clear the pre-master secret since it is not needed anymore */ 573 os_memset(out, 0, outbuflen); 574 os_free(out); 575 576 if (res) { 577 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 578 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 579 TLS_ALERT_INTERNAL_ERROR); 580 return -1; 581 } 582 583 return 0; 584 } 585 586 587 static int tls_process_client_key_exchange_dh( 588 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 589 { 590 const u8 *dh_yc; 591 u16 dh_yc_len; 592 u8 *shared; 593 size_t shared_len; 594 int res; 595 const u8 *dh_p; 596 size_t dh_p_len; 597 598 /* 599 * struct { 600 * select (PublicValueEncoding) { 601 * case implicit: struct { }; 602 * case explicit: opaque dh_Yc<1..2^16-1>; 603 * } dh_public; 604 * } ClientDiffieHellmanPublic; 605 */ 606 607 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 608 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 609 pos, end - pos); 610 611 if (end == pos) { 612 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 613 "not supported"); 614 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 615 TLS_ALERT_INTERNAL_ERROR); 616 return -1; 617 } 618 619 if (end - pos < 3) { 620 tlsv1_server_log(conn, "Invalid client public value length"); 621 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 622 TLS_ALERT_DECODE_ERROR); 623 return -1; 624 } 625 626 dh_yc_len = WPA_GET_BE16(pos); 627 dh_yc = pos + 2; 628 629 if (dh_yc + dh_yc_len > end) { 630 tlsv1_server_log(conn, "Client public value overflow (length %d)", 631 dh_yc_len); 632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 633 TLS_ALERT_DECODE_ERROR); 634 return -1; 635 } 636 637 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 638 dh_yc, dh_yc_len); 639 640 if (conn->cred == NULL || conn->cred->dh_p == NULL || 641 conn->dh_secret == NULL) { 642 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 643 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 644 TLS_ALERT_INTERNAL_ERROR); 645 return -1; 646 } 647 648 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 649 650 shared_len = dh_p_len; 651 shared = os_malloc(shared_len); 652 if (shared == NULL) { 653 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 654 "DH"); 655 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 656 TLS_ALERT_INTERNAL_ERROR); 657 return -1; 658 } 659 660 /* shared = Yc^secret mod p */ 661 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 662 conn->dh_secret_len, dh_p, dh_p_len, 663 shared, &shared_len)) { 664 os_free(shared); 665 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 666 TLS_ALERT_INTERNAL_ERROR); 667 return -1; 668 } 669 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 670 shared, shared_len); 671 672 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 673 os_free(conn->dh_secret); 674 conn->dh_secret = NULL; 675 676 res = tlsv1_server_derive_keys(conn, shared, shared_len); 677 678 /* Clear the pre-master secret since it is not needed anymore */ 679 os_memset(shared, 0, shared_len); 680 os_free(shared); 681 682 if (res) { 683 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 684 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 685 TLS_ALERT_INTERNAL_ERROR); 686 return -1; 687 } 688 689 return 0; 690 } 691 692 693 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 694 const u8 *in_data, size_t *in_len) 695 { 696 const u8 *pos, *end; 697 size_t left, len; 698 u8 type; 699 tls_key_exchange keyx; 700 const struct tls_cipher_suite *suite; 701 702 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 703 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 704 ct); 705 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 706 TLS_ALERT_UNEXPECTED_MESSAGE); 707 return -1; 708 } 709 710 pos = in_data; 711 left = *in_len; 712 713 if (left < 4) { 714 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 715 (unsigned long) left); 716 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 717 TLS_ALERT_DECODE_ERROR); 718 return -1; 719 } 720 721 type = *pos++; 722 len = WPA_GET_BE24(pos); 723 pos += 3; 724 left -= 4; 725 726 if (len > left) { 727 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 728 (unsigned long) len, (unsigned long) left); 729 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 730 TLS_ALERT_DECODE_ERROR); 731 return -1; 732 } 733 734 end = pos + len; 735 736 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 737 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 738 type); 739 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 740 TLS_ALERT_UNEXPECTED_MESSAGE); 741 return -1; 742 } 743 744 tlsv1_server_log(conn, "Received ClientKeyExchange"); 745 746 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 747 748 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 749 if (suite == NULL) 750 keyx = TLS_KEY_X_NULL; 751 else 752 keyx = suite->key_exchange; 753 754 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 755 tls_process_client_key_exchange_dh(conn, pos, end) < 0) 756 return -1; 757 758 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 759 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 760 return -1; 761 762 *in_len = end - in_data; 763 764 conn->state = CERTIFICATE_VERIFY; 765 766 return 0; 767 } 768 769 770 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 771 const u8 *in_data, size_t *in_len) 772 { 773 const u8 *pos, *end; 774 size_t left, len; 775 u8 type; 776 size_t hlen; 777 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 778 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 779 u8 alert; 780 781 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 782 if (conn->verify_peer) { 783 tlsv1_server_log(conn, "Client did not include CertificateVerify"); 784 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 785 TLS_ALERT_UNEXPECTED_MESSAGE); 786 return -1; 787 } 788 789 return tls_process_change_cipher_spec(conn, ct, in_data, 790 in_len); 791 } 792 793 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 794 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 795 ct); 796 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 797 TLS_ALERT_UNEXPECTED_MESSAGE); 798 return -1; 799 } 800 801 pos = in_data; 802 left = *in_len; 803 804 if (left < 4) { 805 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 806 (unsigned long) left); 807 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 808 TLS_ALERT_DECODE_ERROR); 809 return -1; 810 } 811 812 type = *pos++; 813 len = WPA_GET_BE24(pos); 814 pos += 3; 815 left -= 4; 816 817 if (len > left) { 818 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 819 (unsigned long) len, (unsigned long) left); 820 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 821 TLS_ALERT_DECODE_ERROR); 822 return -1; 823 } 824 825 end = pos + len; 826 827 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 828 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 829 type); 830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 831 TLS_ALERT_UNEXPECTED_MESSAGE); 832 return -1; 833 } 834 835 tlsv1_server_log(conn, "Received CertificateVerify"); 836 837 /* 838 * struct { 839 * Signature signature; 840 * } CertificateVerify; 841 */ 842 843 hpos = hash; 844 845 #ifdef CONFIG_TLSV12 846 if (conn->rl.tls_version == TLS_VERSION_1_2) { 847 /* 848 * RFC 5246, 4.7: 849 * TLS v1.2 adds explicit indication of the used signature and 850 * hash algorithms. 851 * 852 * struct { 853 * HashAlgorithm hash; 854 * SignatureAlgorithm signature; 855 * } SignatureAndHashAlgorithm; 856 */ 857 if (end - pos < 2) { 858 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 859 TLS_ALERT_DECODE_ERROR); 860 return -1; 861 } 862 if (pos[0] != TLS_HASH_ALG_SHA256 || 863 pos[1] != TLS_SIGN_ALG_RSA) { 864 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 865 "signature(%u) algorithm", 866 pos[0], pos[1]); 867 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 868 TLS_ALERT_INTERNAL_ERROR); 869 return -1; 870 } 871 pos += 2; 872 873 hlen = SHA256_MAC_LEN; 874 if (conn->verify.sha256_cert == NULL || 875 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 876 0) { 877 conn->verify.sha256_cert = NULL; 878 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 879 TLS_ALERT_INTERNAL_ERROR); 880 return -1; 881 } 882 conn->verify.sha256_cert = NULL; 883 } else { 884 #endif /* CONFIG_TLSV12 */ 885 886 if (alg == SIGN_ALG_RSA) { 887 hlen = MD5_MAC_LEN; 888 if (conn->verify.md5_cert == NULL || 889 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 890 { 891 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 892 TLS_ALERT_INTERNAL_ERROR); 893 conn->verify.md5_cert = NULL; 894 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 895 conn->verify.sha1_cert = NULL; 896 return -1; 897 } 898 hpos += MD5_MAC_LEN; 899 } else 900 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 901 902 conn->verify.md5_cert = NULL; 903 hlen = SHA1_MAC_LEN; 904 if (conn->verify.sha1_cert == NULL || 905 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 906 conn->verify.sha1_cert = NULL; 907 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 908 TLS_ALERT_INTERNAL_ERROR); 909 return -1; 910 } 911 conn->verify.sha1_cert = NULL; 912 913 if (alg == SIGN_ALG_RSA) 914 hlen += MD5_MAC_LEN; 915 916 #ifdef CONFIG_TLSV12 917 } 918 #endif /* CONFIG_TLSV12 */ 919 920 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 921 922 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 923 hash, hlen, pos, end - pos, &alert) < 0) { 924 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 925 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 926 return -1; 927 } 928 929 *in_len = end - in_data; 930 931 conn->state = CHANGE_CIPHER_SPEC; 932 933 return 0; 934 } 935 936 937 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 938 u8 ct, const u8 *in_data, 939 size_t *in_len) 940 { 941 const u8 *pos; 942 size_t left; 943 944 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 945 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 946 ct); 947 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 948 TLS_ALERT_UNEXPECTED_MESSAGE); 949 return -1; 950 } 951 952 pos = in_data; 953 left = *in_len; 954 955 if (left < 1) { 956 tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 957 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 958 TLS_ALERT_DECODE_ERROR); 959 return -1; 960 } 961 962 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 963 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 964 *pos); 965 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 966 TLS_ALERT_UNEXPECTED_MESSAGE); 967 return -1; 968 } 969 970 tlsv1_server_log(conn, "Received ChangeCipherSpec"); 971 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 972 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 973 "for record layer"); 974 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 975 TLS_ALERT_INTERNAL_ERROR); 976 return -1; 977 } 978 979 *in_len = pos + 1 - in_data; 980 981 conn->state = CLIENT_FINISHED; 982 983 return 0; 984 } 985 986 987 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 988 const u8 *in_data, size_t *in_len) 989 { 990 const u8 *pos, *end; 991 size_t left, len, hlen; 992 u8 verify_data[TLS_VERIFY_DATA_LEN]; 993 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 994 995 #ifdef CONFIG_TESTING_OPTIONS 996 if ((conn->test_flags & 997 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 998 !conn->test_failure_reported) { 999 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 1000 conn->test_failure_reported = 1; 1001 } 1002 1003 if ((conn->test_flags & TLS_DHE_PRIME_15) && 1004 !conn->test_failure_reported) { 1005 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15"); 1006 conn->test_failure_reported = 1; 1007 } 1008 1009 if ((conn->test_flags & TLS_DHE_PRIME_58B) && 1010 !conn->test_failure_reported) { 1011 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container"); 1012 conn->test_failure_reported = 1; 1013 } 1014 1015 if ((conn->test_flags & TLS_DHE_PRIME_511B) && 1016 !conn->test_failure_reported) { 1017 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)"); 1018 conn->test_failure_reported = 1; 1019 } 1020 1021 if ((conn->test_flags & TLS_DHE_PRIME_767B) && 1022 !conn->test_failure_reported) { 1023 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)"); 1024 conn->test_failure_reported = 1; 1025 } 1026 1027 if ((conn->test_flags & TLS_DHE_NON_PRIME) && 1028 !conn->test_failure_reported) { 1029 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime"); 1030 conn->test_failure_reported = 1; 1031 } 1032 #endif /* CONFIG_TESTING_OPTIONS */ 1033 1034 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1035 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 1036 ct); 1037 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1038 TLS_ALERT_UNEXPECTED_MESSAGE); 1039 return -1; 1040 } 1041 1042 pos = in_data; 1043 left = *in_len; 1044 1045 if (left < 4) { 1046 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 1047 (unsigned long) left); 1048 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1049 TLS_ALERT_DECODE_ERROR); 1050 return -1; 1051 } 1052 1053 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1054 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1055 "type 0x%x", pos[0]); 1056 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1057 TLS_ALERT_UNEXPECTED_MESSAGE); 1058 return -1; 1059 } 1060 1061 len = WPA_GET_BE24(pos + 1); 1062 1063 pos += 4; 1064 left -= 4; 1065 1066 if (len > left) { 1067 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 1068 (unsigned long) len, (unsigned long) left); 1069 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1070 TLS_ALERT_DECODE_ERROR); 1071 return -1; 1072 } 1073 end = pos + len; 1074 if (len != TLS_VERIFY_DATA_LEN) { 1075 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 1076 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1077 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1078 TLS_ALERT_DECODE_ERROR); 1079 return -1; 1080 } 1081 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1082 pos, TLS_VERIFY_DATA_LEN); 1083 1084 #ifdef CONFIG_TLSV12 1085 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1086 hlen = SHA256_MAC_LEN; 1087 if (conn->verify.sha256_client == NULL || 1088 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1089 < 0) { 1090 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1091 TLS_ALERT_INTERNAL_ERROR); 1092 conn->verify.sha256_client = NULL; 1093 return -1; 1094 } 1095 conn->verify.sha256_client = NULL; 1096 } else { 1097 #endif /* CONFIG_TLSV12 */ 1098 1099 hlen = MD5_MAC_LEN; 1100 if (conn->verify.md5_client == NULL || 1101 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1102 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1103 TLS_ALERT_INTERNAL_ERROR); 1104 conn->verify.md5_client = NULL; 1105 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1106 conn->verify.sha1_client = NULL; 1107 return -1; 1108 } 1109 conn->verify.md5_client = NULL; 1110 hlen = SHA1_MAC_LEN; 1111 if (conn->verify.sha1_client == NULL || 1112 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1113 &hlen) < 0) { 1114 conn->verify.sha1_client = NULL; 1115 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1116 TLS_ALERT_INTERNAL_ERROR); 1117 return -1; 1118 } 1119 conn->verify.sha1_client = NULL; 1120 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1121 1122 #ifdef CONFIG_TLSV12 1123 } 1124 #endif /* CONFIG_TLSV12 */ 1125 1126 if (tls_prf(conn->rl.tls_version, 1127 conn->master_secret, TLS_MASTER_SECRET_LEN, 1128 "client finished", hash, hlen, 1129 verify_data, TLS_VERIFY_DATA_LEN)) { 1130 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1131 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1132 TLS_ALERT_DECRYPT_ERROR); 1133 return -1; 1134 } 1135 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1136 verify_data, TLS_VERIFY_DATA_LEN); 1137 1138 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1139 tlsv1_server_log(conn, "Mismatch in verify_data"); 1140 return -1; 1141 } 1142 1143 tlsv1_server_log(conn, "Received Finished"); 1144 1145 *in_len = end - in_data; 1146 1147 if (conn->use_session_ticket) { 1148 /* Abbreviated handshake using session ticket; RFC 4507 */ 1149 tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 1150 conn->state = ESTABLISHED; 1151 } else { 1152 /* Full handshake */ 1153 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1154 } 1155 1156 return 0; 1157 } 1158 1159 1160 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1161 const u8 *buf, size_t *len) 1162 { 1163 if (ct == TLS_CONTENT_TYPE_ALERT) { 1164 if (*len < 2) { 1165 tlsv1_server_log(conn, "Alert underflow"); 1166 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1167 TLS_ALERT_DECODE_ERROR); 1168 return -1; 1169 } 1170 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 1171 *len = 2; 1172 conn->state = FAILED; 1173 return -1; 1174 } 1175 1176 switch (conn->state) { 1177 case CLIENT_HELLO: 1178 if (tls_process_client_hello(conn, ct, buf, len)) 1179 return -1; 1180 break; 1181 case CLIENT_CERTIFICATE: 1182 if (tls_process_certificate(conn, ct, buf, len)) 1183 return -1; 1184 break; 1185 case CLIENT_KEY_EXCHANGE: 1186 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1187 return -1; 1188 break; 1189 case CERTIFICATE_VERIFY: 1190 if (tls_process_certificate_verify(conn, ct, buf, len)) 1191 return -1; 1192 break; 1193 case CHANGE_CIPHER_SPEC: 1194 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1195 return -1; 1196 break; 1197 case CLIENT_FINISHED: 1198 if (tls_process_client_finished(conn, ct, buf, len)) 1199 return -1; 1200 break; 1201 default: 1202 tlsv1_server_log(conn, "Unexpected state %d while processing received message", 1203 conn->state); 1204 return -1; 1205 } 1206 1207 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1208 tls_verify_hash_add(&conn->verify, buf, *len); 1209 1210 return 0; 1211 } 1212
