1 /* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_server.h" 20 #include "tlsv1_server_i.h" 21 22 23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 31 { 32 #ifdef CONFIG_TESTING_OPTIONS 33 if ((conn->test_flags & 34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE | 35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 | 36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) && 37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 42 return 1; 43 #endif /* CONFIG_TESTING_OPTIONS */ 44 45 return 0; 46 } 47 48 49 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 50 const u8 *in_data, size_t *in_len) 51 { 52 const u8 *pos, *end, *c; 53 size_t left, len, i, j; 54 u16 cipher_suite; 55 u16 num_suites; 56 int compr_null_found; 57 u16 ext_type, ext_len; 58 59 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 60 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 61 ct); 62 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 63 TLS_ALERT_UNEXPECTED_MESSAGE); 64 return -1; 65 } 66 67 pos = in_data; 68 left = *in_len; 69 70 if (left < 4) 71 goto decode_error; 72 73 /* HandshakeType msg_type */ 74 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 75 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 76 *pos); 77 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 78 TLS_ALERT_UNEXPECTED_MESSAGE); 79 return -1; 80 } 81 tlsv1_server_log(conn, "Received ClientHello"); 82 pos++; 83 /* uint24 length */ 84 len = WPA_GET_BE24(pos); 85 pos += 3; 86 left -= 4; 87 88 if (len > left) 89 goto decode_error; 90 91 /* body - ClientHello */ 92 93 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 94 end = pos + len; 95 96 /* ProtocolVersion client_version */ 97 if (end - pos < 2) 98 goto decode_error; 99 conn->client_version = WPA_GET_BE16(pos); 100 tlsv1_server_log(conn, "Client version %d.%d", 101 conn->client_version >> 8, 102 conn->client_version & 0xff); 103 if (conn->client_version < TLS_VERSION_1) { 104 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 105 conn->client_version >> 8, 106 conn->client_version & 0xff); 107 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 108 TLS_ALERT_PROTOCOL_VERSION); 109 return -1; 110 } 111 pos += 2; 112 113 if (TLS_VERSION == TLS_VERSION_1) 114 conn->rl.tls_version = TLS_VERSION_1; 115 #ifdef CONFIG_TLSV12 116 else if (conn->client_version >= TLS_VERSION_1_2) 117 conn->rl.tls_version = TLS_VERSION_1_2; 118 #endif /* CONFIG_TLSV12 */ 119 else if (conn->client_version > TLS_VERSION_1_1) 120 conn->rl.tls_version = TLS_VERSION_1_1; 121 else 122 conn->rl.tls_version = conn->client_version; 123 tlsv1_server_log(conn, "Using TLS v%s", 124 tls_version_str(conn->rl.tls_version)); 125 126 /* Random random */ 127 if (end - pos < TLS_RANDOM_LEN) 128 goto decode_error; 129 130 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 131 pos += TLS_RANDOM_LEN; 132 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 133 conn->client_random, TLS_RANDOM_LEN); 134 135 /* SessionID session_id */ 136 if (end - pos < 1) 137 goto decode_error; 138 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 139 goto decode_error; 140 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 141 pos += 1 + *pos; 142 /* TODO: add support for session resumption */ 143 144 /* CipherSuite cipher_suites<2..2^16-1> */ 145 if (end - pos < 2) 146 goto decode_error; 147 num_suites = WPA_GET_BE16(pos); 148 pos += 2; 149 if (end - pos < num_suites) 150 goto decode_error; 151 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 152 pos, num_suites); 153 if (num_suites & 1) 154 goto decode_error; 155 num_suites /= 2; 156 157 cipher_suite = 0; 158 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 159 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 160 continue; 161 c = pos; 162 for (j = 0; j < num_suites; j++) { 163 u16 tmp = WPA_GET_BE16(c); 164 c += 2; 165 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 166 cipher_suite = tmp; 167 break; 168 } 169 } 170 } 171 pos += num_suites * 2; 172 if (!cipher_suite) { 173 tlsv1_server_log(conn, "No supported cipher suite available"); 174 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 175 TLS_ALERT_ILLEGAL_PARAMETER); 176 return -1; 177 } 178 179 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 180 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 181 "record layer"); 182 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 183 TLS_ALERT_INTERNAL_ERROR); 184 return -1; 185 } 186 187 conn->cipher_suite = cipher_suite; 188 189 /* CompressionMethod compression_methods<1..2^8-1> */ 190 if (end - pos < 1) 191 goto decode_error; 192 num_suites = *pos++; 193 if (end - pos < num_suites) 194 goto decode_error; 195 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 196 pos, num_suites); 197 compr_null_found = 0; 198 for (i = 0; i < num_suites; i++) { 199 if (*pos++ == TLS_COMPRESSION_NULL) 200 compr_null_found = 1; 201 } 202 if (!compr_null_found) { 203 tlsv1_server_log(conn, "Client does not accept NULL compression"); 204 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 205 TLS_ALERT_ILLEGAL_PARAMETER); 206 return -1; 207 } 208 209 if (end - pos == 1) { 210 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 211 *pos); 212 goto decode_error; 213 } 214 215 if (end - pos >= 2) { 216 /* Extension client_hello_extension_list<0..2^16-1> */ 217 ext_len = WPA_GET_BE16(pos); 218 pos += 2; 219 220 tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 221 ext_len); 222 if (end - pos != ext_len) { 223 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 224 ext_len, (unsigned int) (end - pos)); 225 goto decode_error; 226 } 227 228 /* 229 * struct { 230 * ExtensionType extension_type (0..65535) 231 * opaque extension_data<0..2^16-1> 232 * } Extension; 233 */ 234 235 while (pos < end) { 236 if (end - pos < 2) { 237 tlsv1_server_log(conn, "Invalid extension_type field"); 238 goto decode_error; 239 } 240 241 ext_type = WPA_GET_BE16(pos); 242 pos += 2; 243 244 if (end - pos < 2) { 245 tlsv1_server_log(conn, "Invalid extension_data length field"); 246 goto decode_error; 247 } 248 249 ext_len = WPA_GET_BE16(pos); 250 pos += 2; 251 252 if (end - pos < ext_len) { 253 tlsv1_server_log(conn, "Invalid extension_data field"); 254 goto decode_error; 255 } 256 257 tlsv1_server_log(conn, "ClientHello Extension type %u", 258 ext_type); 259 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 260 "Extension data", pos, ext_len); 261 262 if (ext_type == TLS_EXT_SESSION_TICKET) { 263 os_free(conn->session_ticket); 264 conn->session_ticket = os_malloc(ext_len); 265 if (conn->session_ticket) { 266 os_memcpy(conn->session_ticket, pos, 267 ext_len); 268 conn->session_ticket_len = ext_len; 269 } 270 } 271 272 pos += ext_len; 273 } 274 } 275 276 *in_len = end - in_data; 277 278 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 279 conn->state = SERVER_HELLO; 280 281 return 0; 282 283 decode_error: 284 tlsv1_server_log(conn, "Failed to decode ClientHello"); 285 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_DECODE_ERROR); 287 return -1; 288 } 289 290 291 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 292 const u8 *in_data, size_t *in_len) 293 { 294 const u8 *pos, *end; 295 size_t left, len, list_len, cert_len, idx; 296 u8 type; 297 struct x509_certificate *chain = NULL, *last = NULL, *cert; 298 int reason; 299 300 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 301 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 302 ct); 303 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 304 TLS_ALERT_UNEXPECTED_MESSAGE); 305 return -1; 306 } 307 308 pos = in_data; 309 left = *in_len; 310 311 if (left < 4) { 312 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 313 (unsigned long) left); 314 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 315 TLS_ALERT_DECODE_ERROR); 316 return -1; 317 } 318 319 type = *pos++; 320 len = WPA_GET_BE24(pos); 321 pos += 3; 322 left -= 4; 323 324 if (len > left) { 325 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 326 (unsigned long) len, (unsigned long) left); 327 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 328 TLS_ALERT_DECODE_ERROR); 329 return -1; 330 } 331 332 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 333 if (conn->verify_peer) { 334 tlsv1_server_log(conn, "Client did not include Certificate"); 335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 336 TLS_ALERT_UNEXPECTED_MESSAGE); 337 return -1; 338 } 339 340 return tls_process_client_key_exchange(conn, ct, in_data, 341 in_len); 342 } 343 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 344 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 345 type); 346 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 347 TLS_ALERT_UNEXPECTED_MESSAGE); 348 return -1; 349 } 350 351 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 352 (unsigned long) len); 353 354 /* 355 * opaque ASN.1Cert<2^24-1>; 356 * 357 * struct { 358 * ASN.1Cert certificate_list<1..2^24-1>; 359 * } Certificate; 360 */ 361 362 end = pos + len; 363 364 if (end - pos < 3) { 365 tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 366 (unsigned long) left); 367 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 368 TLS_ALERT_DECODE_ERROR); 369 return -1; 370 } 371 372 list_len = WPA_GET_BE24(pos); 373 pos += 3; 374 375 if ((size_t) (end - pos) != list_len) { 376 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 377 (unsigned long) list_len, 378 (unsigned long) (end - pos)); 379 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 380 TLS_ALERT_DECODE_ERROR); 381 return -1; 382 } 383 384 idx = 0; 385 while (pos < end) { 386 if (end - pos < 3) { 387 tlsv1_server_log(conn, "Failed to parse certificate_list"); 388 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 389 TLS_ALERT_DECODE_ERROR); 390 x509_certificate_chain_free(chain); 391 return -1; 392 } 393 394 cert_len = WPA_GET_BE24(pos); 395 pos += 3; 396 397 if ((size_t) (end - pos) < cert_len) { 398 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 399 (unsigned long) cert_len, 400 (unsigned long) (end - pos)); 401 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 402 TLS_ALERT_DECODE_ERROR); 403 x509_certificate_chain_free(chain); 404 return -1; 405 } 406 407 tlsv1_server_log(conn, "Certificate %lu (len %lu)", 408 (unsigned long) idx, (unsigned long) cert_len); 409 410 if (idx == 0) { 411 crypto_public_key_free(conn->client_rsa_key); 412 if (tls_parse_cert(pos, cert_len, 413 &conn->client_rsa_key)) { 414 tlsv1_server_log(conn, "Failed to parse the certificate"); 415 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 416 TLS_ALERT_BAD_CERTIFICATE); 417 x509_certificate_chain_free(chain); 418 return -1; 419 } 420 } 421 422 cert = x509_certificate_parse(pos, cert_len); 423 if (cert == NULL) { 424 tlsv1_server_log(conn, "Failed to parse the certificate"); 425 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 426 TLS_ALERT_BAD_CERTIFICATE); 427 x509_certificate_chain_free(chain); 428 return -1; 429 } 430 431 if (last == NULL) 432 chain = cert; 433 else 434 last->next = cert; 435 last = cert; 436 437 idx++; 438 pos += cert_len; 439 } 440 441 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 442 &reason, 0) < 0) { 443 int tls_reason; 444 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 445 reason); 446 switch (reason) { 447 case X509_VALIDATE_BAD_CERTIFICATE: 448 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 449 break; 450 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 451 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 452 break; 453 case X509_VALIDATE_CERTIFICATE_REVOKED: 454 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 455 break; 456 case X509_VALIDATE_CERTIFICATE_EXPIRED: 457 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 458 break; 459 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 460 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 461 break; 462 case X509_VALIDATE_UNKNOWN_CA: 463 tls_reason = TLS_ALERT_UNKNOWN_CA; 464 break; 465 default: 466 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 467 break; 468 } 469 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 470 x509_certificate_chain_free(chain); 471 return -1; 472 } 473 474 x509_certificate_chain_free(chain); 475 476 *in_len = end - in_data; 477 478 conn->state = CLIENT_KEY_EXCHANGE; 479 480 return 0; 481 } 482 483 484 static int tls_process_client_key_exchange_rsa( 485 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 486 { 487 u8 *out; 488 size_t outlen, outbuflen; 489 u16 encr_len; 490 int res; 491 int use_random = 0; 492 493 if (end - pos < 2) { 494 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 495 TLS_ALERT_DECODE_ERROR); 496 return -1; 497 } 498 499 encr_len = WPA_GET_BE16(pos); 500 pos += 2; 501 if (pos + encr_len > end) { 502 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 503 encr_len, (unsigned int) (end - pos)); 504 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 505 TLS_ALERT_DECODE_ERROR); 506 return -1; 507 } 508 509 outbuflen = outlen = end - pos; 510 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 511 outlen : TLS_PRE_MASTER_SECRET_LEN); 512 if (out == NULL) { 513 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 514 TLS_ALERT_INTERNAL_ERROR); 515 return -1; 516 } 517 518 /* 519 * struct { 520 * ProtocolVersion client_version; 521 * opaque random[46]; 522 * } PreMasterSecret; 523 * 524 * struct { 525 * public-key-encrypted PreMasterSecret pre_master_secret; 526 * } EncryptedPreMasterSecret; 527 */ 528 529 /* 530 * Note: To avoid Bleichenbacher attack, we do not report decryption or 531 * parsing errors from EncryptedPreMasterSecret processing to the 532 * client. Instead, a random pre-master secret is used to force the 533 * handshake to fail. 534 */ 535 536 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 537 pos, encr_len, 538 out, &outlen) < 0) { 539 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 540 "PreMasterSecret (encr_len=%u outlen=%lu)", 541 encr_len, (unsigned long) outlen); 542 use_random = 1; 543 } 544 545 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 546 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 547 (unsigned long) outlen); 548 use_random = 1; 549 } 550 551 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 552 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 553 use_random = 1; 554 } 555 556 if (use_random) { 557 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 558 "to avoid revealing information about private key"); 559 outlen = TLS_PRE_MASTER_SECRET_LEN; 560 if (os_get_random(out, outlen)) { 561 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 562 "data"); 563 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 564 TLS_ALERT_INTERNAL_ERROR); 565 os_free(out); 566 return -1; 567 } 568 } 569 570 res = tlsv1_server_derive_keys(conn, out, outlen); 571 572 /* Clear the pre-master secret since it is not needed anymore */ 573 os_memset(out, 0, outbuflen); 574 os_free(out); 575 576 if (res) { 577 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 578 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 579 TLS_ALERT_INTERNAL_ERROR); 580 return -1; 581 } 582 583 return 0; 584 } 585 586 587 static int tls_process_client_key_exchange_dh( 588 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 589 { 590 const u8 *dh_yc; 591 u16 dh_yc_len; 592 u8 *shared; 593 size_t shared_len; 594 int res; 595 const u8 *dh_p; 596 size_t dh_p_len; 597 598 /* 599 * struct { 600 * select (PublicValueEncoding) { 601 * case implicit: struct { }; 602 * case explicit: opaque dh_Yc<1..2^16-1>; 603 * } dh_public; 604 * } ClientDiffieHellmanPublic; 605 */ 606 607 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 608 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 609 pos, end - pos); 610 611 if (end == pos) { 612 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 613 "not supported"); 614 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 615 TLS_ALERT_INTERNAL_ERROR); 616 return -1; 617 } 618 619 if (end - pos < 3) { 620 tlsv1_server_log(conn, "Invalid client public value length"); 621 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 622 TLS_ALERT_DECODE_ERROR); 623 return -1; 624 } 625 626 dh_yc_len = WPA_GET_BE16(pos); 627 dh_yc = pos + 2; 628 629 if (dh_yc_len > end - dh_yc) { 630 tlsv1_server_log(conn, "Client public value overflow (length %d)", 631 dh_yc_len); 632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 633 TLS_ALERT_DECODE_ERROR); 634 return -1; 635 } 636 637 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 638 dh_yc, dh_yc_len); 639 640 if (conn->cred == NULL || conn->cred->dh_p == NULL || 641 conn->dh_secret == NULL) { 642 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 643 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 644 TLS_ALERT_INTERNAL_ERROR); 645 return -1; 646 } 647 648 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 649 650 shared_len = dh_p_len; 651 shared = os_malloc(shared_len); 652 if (shared == NULL) { 653 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 654 "DH"); 655 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 656 TLS_ALERT_INTERNAL_ERROR); 657 return -1; 658 } 659 660 /* shared = Yc^secret mod p */ 661 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 662 conn->dh_secret_len, dh_p, dh_p_len, 663 shared, &shared_len)) { 664 os_free(shared); 665 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 666 TLS_ALERT_INTERNAL_ERROR); 667 return -1; 668 } 669 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 670 shared, shared_len); 671 672 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 673 os_free(conn->dh_secret); 674 conn->dh_secret = NULL; 675 676 res = tlsv1_server_derive_keys(conn, shared, shared_len); 677 678 /* Clear the pre-master secret since it is not needed anymore */ 679 os_memset(shared, 0, shared_len); 680 os_free(shared); 681 682 if (res) { 683 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 684 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 685 TLS_ALERT_INTERNAL_ERROR); 686 return -1; 687 } 688 689 return 0; 690 } 691 692 693 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 694 const u8 *in_data, size_t *in_len) 695 { 696 const u8 *pos, *end; 697 size_t left, len; 698 u8 type; 699 tls_key_exchange keyx; 700 const struct tls_cipher_suite *suite; 701 702 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 703 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 704 ct); 705 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 706 TLS_ALERT_UNEXPECTED_MESSAGE); 707 return -1; 708 } 709 710 pos = in_data; 711 left = *in_len; 712 713 if (left < 4) { 714 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 715 (unsigned long) left); 716 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 717 TLS_ALERT_DECODE_ERROR); 718 return -1; 719 } 720 721 type = *pos++; 722 len = WPA_GET_BE24(pos); 723 pos += 3; 724 left -= 4; 725 726 if (len > left) { 727 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 728 (unsigned long) len, (unsigned long) left); 729 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 730 TLS_ALERT_DECODE_ERROR); 731 return -1; 732 } 733 734 end = pos + len; 735 736 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 737 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 738 type); 739 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 740 TLS_ALERT_UNEXPECTED_MESSAGE); 741 return -1; 742 } 743 744 tlsv1_server_log(conn, "Received ClientKeyExchange"); 745 746 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 747 748 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 749 if (suite == NULL) 750 keyx = TLS_KEY_X_NULL; 751 else 752 keyx = suite->key_exchange; 753 754 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 755 tls_process_client_key_exchange_dh(conn, pos, end) < 0) 756 return -1; 757 758 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 759 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 760 return -1; 761 762 *in_len = end - in_data; 763 764 conn->state = CERTIFICATE_VERIFY; 765 766 return 0; 767 } 768 769 770 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 771 const u8 *in_data, size_t *in_len) 772 { 773 const u8 *pos, *end; 774 size_t left, len; 775 u8 type; 776 size_t hlen; 777 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 778 u8 alert; 779 780 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 781 if (conn->verify_peer) { 782 tlsv1_server_log(conn, "Client did not include CertificateVerify"); 783 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 784 TLS_ALERT_UNEXPECTED_MESSAGE); 785 return -1; 786 } 787 788 return tls_process_change_cipher_spec(conn, ct, in_data, 789 in_len); 790 } 791 792 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 793 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 794 ct); 795 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 796 TLS_ALERT_UNEXPECTED_MESSAGE); 797 return -1; 798 } 799 800 pos = in_data; 801 left = *in_len; 802 803 if (left < 4) { 804 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 805 (unsigned long) left); 806 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 807 TLS_ALERT_DECODE_ERROR); 808 return -1; 809 } 810 811 type = *pos++; 812 len = WPA_GET_BE24(pos); 813 pos += 3; 814 left -= 4; 815 816 if (len > left) { 817 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 818 (unsigned long) len, (unsigned long) left); 819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 820 TLS_ALERT_DECODE_ERROR); 821 return -1; 822 } 823 824 end = pos + len; 825 826 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 827 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 828 type); 829 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 830 TLS_ALERT_UNEXPECTED_MESSAGE); 831 return -1; 832 } 833 834 tlsv1_server_log(conn, "Received CertificateVerify"); 835 836 /* 837 * struct { 838 * Signature signature; 839 * } CertificateVerify; 840 */ 841 842 hpos = hash; 843 844 #ifdef CONFIG_TLSV12 845 if (conn->rl.tls_version == TLS_VERSION_1_2) { 846 /* 847 * RFC 5246, 4.7: 848 * TLS v1.2 adds explicit indication of the used signature and 849 * hash algorithms. 850 * 851 * struct { 852 * HashAlgorithm hash; 853 * SignatureAlgorithm signature; 854 * } SignatureAndHashAlgorithm; 855 */ 856 if (end - pos < 2) { 857 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 858 TLS_ALERT_DECODE_ERROR); 859 return -1; 860 } 861 if (pos[0] != TLS_HASH_ALG_SHA256 || 862 pos[1] != TLS_SIGN_ALG_RSA) { 863 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 864 "signature(%u) algorithm", 865 pos[0], pos[1]); 866 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 867 TLS_ALERT_INTERNAL_ERROR); 868 return -1; 869 } 870 pos += 2; 871 872 hlen = SHA256_MAC_LEN; 873 if (conn->verify.sha256_cert == NULL || 874 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 875 0) { 876 conn->verify.sha256_cert = NULL; 877 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 878 TLS_ALERT_INTERNAL_ERROR); 879 return -1; 880 } 881 conn->verify.sha256_cert = NULL; 882 } else { 883 #endif /* CONFIG_TLSV12 */ 884 885 hlen = MD5_MAC_LEN; 886 if (conn->verify.md5_cert == NULL || 887 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 888 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 889 TLS_ALERT_INTERNAL_ERROR); 890 conn->verify.md5_cert = NULL; 891 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 892 conn->verify.sha1_cert = NULL; 893 return -1; 894 } 895 hpos += MD5_MAC_LEN; 896 897 conn->verify.md5_cert = NULL; 898 hlen = SHA1_MAC_LEN; 899 if (conn->verify.sha1_cert == NULL || 900 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 901 conn->verify.sha1_cert = NULL; 902 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 903 TLS_ALERT_INTERNAL_ERROR); 904 return -1; 905 } 906 conn->verify.sha1_cert = NULL; 907 908 hlen += MD5_MAC_LEN; 909 910 #ifdef CONFIG_TLSV12 911 } 912 #endif /* CONFIG_TLSV12 */ 913 914 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 915 916 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 917 hash, hlen, pos, end - pos, &alert) < 0) { 918 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 919 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 920 return -1; 921 } 922 923 *in_len = end - in_data; 924 925 conn->state = CHANGE_CIPHER_SPEC; 926 927 return 0; 928 } 929 930 931 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 932 u8 ct, const u8 *in_data, 933 size_t *in_len) 934 { 935 const u8 *pos; 936 size_t left; 937 938 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 939 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 940 ct); 941 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 942 TLS_ALERT_UNEXPECTED_MESSAGE); 943 return -1; 944 } 945 946 pos = in_data; 947 left = *in_len; 948 949 if (left < 1) { 950 tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 951 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 952 TLS_ALERT_DECODE_ERROR); 953 return -1; 954 } 955 956 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 957 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 958 *pos); 959 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 960 TLS_ALERT_UNEXPECTED_MESSAGE); 961 return -1; 962 } 963 964 tlsv1_server_log(conn, "Received ChangeCipherSpec"); 965 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 966 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 967 "for record layer"); 968 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 969 TLS_ALERT_INTERNAL_ERROR); 970 return -1; 971 } 972 973 *in_len = pos + 1 - in_data; 974 975 conn->state = CLIENT_FINISHED; 976 977 return 0; 978 } 979 980 981 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 982 const u8 *in_data, size_t *in_len) 983 { 984 const u8 *pos, *end; 985 size_t left, len, hlen; 986 u8 verify_data[TLS_VERIFY_DATA_LEN]; 987 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 988 989 #ifdef CONFIG_TESTING_OPTIONS 990 if ((conn->test_flags & 991 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 992 !conn->test_failure_reported) { 993 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 994 conn->test_failure_reported = 1; 995 } 996 997 if ((conn->test_flags & TLS_DHE_PRIME_15) && 998 !conn->test_failure_reported) { 999 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15"); 1000 conn->test_failure_reported = 1; 1001 } 1002 1003 if ((conn->test_flags & TLS_DHE_PRIME_58B) && 1004 !conn->test_failure_reported) { 1005 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container"); 1006 conn->test_failure_reported = 1; 1007 } 1008 1009 if ((conn->test_flags & TLS_DHE_PRIME_511B) && 1010 !conn->test_failure_reported) { 1011 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)"); 1012 conn->test_failure_reported = 1; 1013 } 1014 1015 if ((conn->test_flags & TLS_DHE_PRIME_767B) && 1016 !conn->test_failure_reported) { 1017 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)"); 1018 conn->test_failure_reported = 1; 1019 } 1020 1021 if ((conn->test_flags & TLS_DHE_NON_PRIME) && 1022 !conn->test_failure_reported) { 1023 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime"); 1024 conn->test_failure_reported = 1; 1025 } 1026 #endif /* CONFIG_TESTING_OPTIONS */ 1027 1028 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1029 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 1030 ct); 1031 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1032 TLS_ALERT_UNEXPECTED_MESSAGE); 1033 return -1; 1034 } 1035 1036 pos = in_data; 1037 left = *in_len; 1038 1039 if (left < 4) { 1040 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 1041 (unsigned long) left); 1042 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1043 TLS_ALERT_DECODE_ERROR); 1044 return -1; 1045 } 1046 1047 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1048 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1049 "type 0x%x", pos[0]); 1050 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1051 TLS_ALERT_UNEXPECTED_MESSAGE); 1052 return -1; 1053 } 1054 1055 len = WPA_GET_BE24(pos + 1); 1056 1057 pos += 4; 1058 left -= 4; 1059 1060 if (len > left) { 1061 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 1062 (unsigned long) len, (unsigned long) left); 1063 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1064 TLS_ALERT_DECODE_ERROR); 1065 return -1; 1066 } 1067 end = pos + len; 1068 if (len != TLS_VERIFY_DATA_LEN) { 1069 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 1070 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1071 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1072 TLS_ALERT_DECODE_ERROR); 1073 return -1; 1074 } 1075 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1076 pos, TLS_VERIFY_DATA_LEN); 1077 1078 #ifdef CONFIG_TLSV12 1079 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1080 hlen = SHA256_MAC_LEN; 1081 if (conn->verify.sha256_client == NULL || 1082 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1083 < 0) { 1084 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1085 TLS_ALERT_INTERNAL_ERROR); 1086 conn->verify.sha256_client = NULL; 1087 return -1; 1088 } 1089 conn->verify.sha256_client = NULL; 1090 } else { 1091 #endif /* CONFIG_TLSV12 */ 1092 1093 hlen = MD5_MAC_LEN; 1094 if (conn->verify.md5_client == NULL || 1095 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1096 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1097 TLS_ALERT_INTERNAL_ERROR); 1098 conn->verify.md5_client = NULL; 1099 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1100 conn->verify.sha1_client = NULL; 1101 return -1; 1102 } 1103 conn->verify.md5_client = NULL; 1104 hlen = SHA1_MAC_LEN; 1105 if (conn->verify.sha1_client == NULL || 1106 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1107 &hlen) < 0) { 1108 conn->verify.sha1_client = NULL; 1109 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1110 TLS_ALERT_INTERNAL_ERROR); 1111 return -1; 1112 } 1113 conn->verify.sha1_client = NULL; 1114 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1115 1116 #ifdef CONFIG_TLSV12 1117 } 1118 #endif /* CONFIG_TLSV12 */ 1119 1120 if (tls_prf(conn->rl.tls_version, 1121 conn->master_secret, TLS_MASTER_SECRET_LEN, 1122 "client finished", hash, hlen, 1123 verify_data, TLS_VERIFY_DATA_LEN)) { 1124 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1125 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1126 TLS_ALERT_DECRYPT_ERROR); 1127 return -1; 1128 } 1129 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1130 verify_data, TLS_VERIFY_DATA_LEN); 1131 1132 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1133 tlsv1_server_log(conn, "Mismatch in verify_data"); 1134 return -1; 1135 } 1136 1137 tlsv1_server_log(conn, "Received Finished"); 1138 1139 *in_len = end - in_data; 1140 1141 if (conn->use_session_ticket) { 1142 /* Abbreviated handshake using session ticket; RFC 4507 */ 1143 tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 1144 conn->state = ESTABLISHED; 1145 } else { 1146 /* Full handshake */ 1147 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1148 } 1149 1150 return 0; 1151 } 1152 1153 1154 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1155 const u8 *buf, size_t *len) 1156 { 1157 if (ct == TLS_CONTENT_TYPE_ALERT) { 1158 if (*len < 2) { 1159 tlsv1_server_log(conn, "Alert underflow"); 1160 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1161 TLS_ALERT_DECODE_ERROR); 1162 return -1; 1163 } 1164 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 1165 *len = 2; 1166 conn->state = FAILED; 1167 return -1; 1168 } 1169 1170 switch (conn->state) { 1171 case CLIENT_HELLO: 1172 if (tls_process_client_hello(conn, ct, buf, len)) 1173 return -1; 1174 break; 1175 case CLIENT_CERTIFICATE: 1176 if (tls_process_certificate(conn, ct, buf, len)) 1177 return -1; 1178 break; 1179 case CLIENT_KEY_EXCHANGE: 1180 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1181 return -1; 1182 break; 1183 case CERTIFICATE_VERIFY: 1184 if (tls_process_certificate_verify(conn, ct, buf, len)) 1185 return -1; 1186 break; 1187 case CHANGE_CIPHER_SPEC: 1188 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1189 return -1; 1190 break; 1191 case CLIENT_FINISHED: 1192 if (tls_process_client_finished(conn, ct, buf, len)) 1193 return -1; 1194 break; 1195 default: 1196 tlsv1_server_log(conn, "Unexpected state %d while processing received message", 1197 conn->state); 1198 return -1; 1199 } 1200 1201 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1202 tls_verify_hash_add(&conn->verify, buf, *len); 1203 1204 return 0; 1205 } 1206
