1/* 2 * TLS v1.0/v1.1/v1.2 server (RFC 2246, RFC 4346, RFC 5246) 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/sha1.h" 13#include "crypto/tls.h" 14#include "tlsv1_common.h" 15#include "tlsv1_record.h" 16#include "tlsv1_server.h" 17#include "tlsv1_server_i.h" 18 19/* TODO: 20 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 21 */ 22 23 24void tlsv1_server_alert(struct tlsv1_server *conn, u8 level, u8 description) 25{ 26 conn->alert_level = level; 27 conn->alert_description = description; 28} 29 30 31int tlsv1_server_derive_keys(struct tlsv1_server *conn, 32 const u8 *pre_master_secret, 33 size_t pre_master_secret_len) 34{ 35 u8 seed[2 * TLS_RANDOM_LEN]; 36 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 37 u8 *pos; 38 size_t key_block_len; 39 40 if (pre_master_secret) { 41 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 42 pre_master_secret, pre_master_secret_len); 43 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 44 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 45 TLS_RANDOM_LEN); 46 if (tls_prf(conn->rl.tls_version, 47 pre_master_secret, pre_master_secret_len, 48 "master secret", seed, 2 * TLS_RANDOM_LEN, 49 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 50 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 51 "master_secret"); 52 return -1; 53 } 54 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 55 conn->master_secret, TLS_MASTER_SECRET_LEN); 56 } 57 58 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 59 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 60 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len + 61 conn->rl.iv_size); 62 if (tls_prf(conn->rl.tls_version, 63 conn->master_secret, TLS_MASTER_SECRET_LEN, 64 "key expansion", seed, 2 * TLS_RANDOM_LEN, 65 key_block, key_block_len)) { 66 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 67 return -1; 68 } 69 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 70 key_block, key_block_len); 71 72 pos = key_block; 73 74 /* client_write_MAC_secret */ 75 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 76 pos += conn->rl.hash_size; 77 /* server_write_MAC_secret */ 78 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 79 pos += conn->rl.hash_size; 80 81 /* client_write_key */ 82 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 83 pos += conn->rl.key_material_len; 84 /* server_write_key */ 85 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 86 pos += conn->rl.key_material_len; 87 88 /* client_write_IV */ 89 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 90 pos += conn->rl.iv_size; 91 /* server_write_IV */ 92 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 93 pos += conn->rl.iv_size; 94 95 return 0; 96} 97 98 99/** 100 * tlsv1_server_handshake - Process TLS handshake 101 * @conn: TLSv1 server connection data from tlsv1_server_init() 102 * @in_data: Input data from TLS peer 103 * @in_len: Input data length 104 * @out_len: Length of the output buffer. 105 * Returns: Pointer to output data, %NULL on failure 106 */ 107u8 * tlsv1_server_handshake(struct tlsv1_server *conn, 108 const u8 *in_data, size_t in_len, 109 size_t *out_len) 110{ 111 const u8 *pos, *end; 112 u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct; 113 size_t in_msg_len; 114 int used; 115 116 if (in_data == NULL || in_len == 0) { 117 wpa_printf(MSG_DEBUG, "TLSv1: No input data to server"); 118 return NULL; 119 } 120 121 pos = in_data; 122 end = in_data + in_len; 123 in_msg = os_malloc(in_len); 124 if (in_msg == NULL) 125 return NULL; 126 127 /* Each received packet may include multiple records */ 128 while (pos < end) { 129 in_msg_len = in_len; 130 used = tlsv1_record_receive(&conn->rl, pos, end - pos, 131 in_msg, &in_msg_len, &alert); 132 if (used < 0) { 133 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 134 "record failed"); 135 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 136 goto failed; 137 } 138 if (used == 0) { 139 /* need more data */ 140 wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not " 141 "yet supported"); 142 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 143 goto failed; 144 } 145 ct = pos[0]; 146 147 in_pos = in_msg; 148 in_end = in_msg + in_msg_len; 149 150 /* Each received record may include multiple messages of the 151 * same ContentType. */ 152 while (in_pos < in_end) { 153 in_msg_len = in_end - in_pos; 154 if (tlsv1_server_process_handshake(conn, ct, in_pos, 155 &in_msg_len) < 0) 156 goto failed; 157 in_pos += in_msg_len; 158 } 159 160 pos += used; 161 } 162 163 os_free(in_msg); 164 in_msg = NULL; 165 166 msg = tlsv1_server_handshake_write(conn, out_len); 167 168failed: 169 os_free(in_msg); 170 if (conn->alert_level) { 171 if (conn->state == FAILED) { 172 /* Avoid alert loops */ 173 wpa_printf(MSG_DEBUG, "TLSv1: Drop alert loop"); 174 os_free(msg); 175 return NULL; 176 } 177 conn->state = FAILED; 178 os_free(msg); 179 msg = tlsv1_server_send_alert(conn, conn->alert_level, 180 conn->alert_description, 181 out_len); 182 } 183 184 return msg; 185} 186 187 188/** 189 * tlsv1_server_encrypt - Encrypt data into TLS tunnel 190 * @conn: TLSv1 server connection data from tlsv1_server_init() 191 * @in_data: Pointer to plaintext data to be encrypted 192 * @in_len: Input buffer length 193 * @out_data: Pointer to output buffer (encrypted TLS data) 194 * @out_len: Maximum out_data length 195 * Returns: Number of bytes written to out_data, -1 on failure 196 * 197 * This function is used after TLS handshake has been completed successfully to 198 * send data in the encrypted tunnel. 199 */ 200int tlsv1_server_encrypt(struct tlsv1_server *conn, 201 const u8 *in_data, size_t in_len, 202 u8 *out_data, size_t out_len) 203{ 204 size_t rlen; 205 206 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 207 in_data, in_len); 208 209 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 210 out_data, out_len, in_data, in_len, &rlen) < 0) { 211 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 212 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 213 TLS_ALERT_INTERNAL_ERROR); 214 return -1; 215 } 216 217 return rlen; 218} 219 220 221/** 222 * tlsv1_server_decrypt - Decrypt data from TLS tunnel 223 * @conn: TLSv1 server connection data from tlsv1_server_init() 224 * @in_data: Pointer to input buffer (encrypted TLS data) 225 * @in_len: Input buffer length 226 * @out_data: Pointer to output buffer (decrypted data from TLS tunnel) 227 * @out_len: Maximum out_data length 228 * Returns: Number of bytes written to out_data, -1 on failure 229 * 230 * This function is used after TLS handshake has been completed successfully to 231 * receive data from the encrypted tunnel. 232 */ 233int tlsv1_server_decrypt(struct tlsv1_server *conn, 234 const u8 *in_data, size_t in_len, 235 u8 *out_data, size_t out_len) 236{ 237 const u8 *in_end, *pos; 238 int used; 239 u8 alert, *out_end, *out_pos, ct; 240 size_t olen; 241 242 pos = in_data; 243 in_end = in_data + in_len; 244 out_pos = out_data; 245 out_end = out_data + out_len; 246 247 while (pos < in_end) { 248 ct = pos[0]; 249 olen = out_end - out_pos; 250 used = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 251 out_pos, &olen, &alert); 252 if (used < 0) { 253 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 254 "failed"); 255 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 256 return -1; 257 } 258 if (used == 0) { 259 /* need more data */ 260 wpa_printf(MSG_DEBUG, "TLSv1: Partial processing not " 261 "yet supported"); 262 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 263 return -1; 264 } 265 266 if (ct == TLS_CONTENT_TYPE_ALERT) { 267 if (olen < 2) { 268 wpa_printf(MSG_DEBUG, "TLSv1: Alert " 269 "underflow"); 270 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 271 TLS_ALERT_DECODE_ERROR); 272 return -1; 273 } 274 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 275 out_pos[0], out_pos[1]); 276 if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) { 277 /* Continue processing */ 278 pos += used; 279 continue; 280 } 281 282 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 283 out_pos[1]); 284 return -1; 285 } 286 287 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 289 "0x%x", pos[0]); 290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 291 TLS_ALERT_UNEXPECTED_MESSAGE); 292 return -1; 293 } 294 295 out_pos += olen; 296 if (out_pos > out_end) { 297 wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough " 298 "for processing the received record"); 299 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 300 TLS_ALERT_INTERNAL_ERROR); 301 return -1; 302 } 303 304 pos += used; 305 } 306 307 return out_pos - out_data; 308} 309 310 311/** 312 * tlsv1_server_global_init - Initialize TLSv1 server 313 * Returns: 0 on success, -1 on failure 314 * 315 * This function must be called before using any other TLSv1 server functions. 316 */ 317int tlsv1_server_global_init(void) 318{ 319 return crypto_global_init(); 320} 321 322 323/** 324 * tlsv1_server_global_deinit - Deinitialize TLSv1 server 325 * 326 * This function can be used to deinitialize the TLSv1 server that was 327 * initialized by calling tlsv1_server_global_init(). No TLSv1 server functions 328 * can be called after this before calling tlsv1_server_global_init() again. 329 */ 330void tlsv1_server_global_deinit(void) 331{ 332 crypto_global_deinit(); 333} 334 335 336/** 337 * tlsv1_server_init - Initialize TLSv1 server connection 338 * @cred: Pointer to server credentials from tlsv1_server_cred_alloc() 339 * Returns: Pointer to TLSv1 server connection data or %NULL on failure 340 */ 341struct tlsv1_server * tlsv1_server_init(struct tlsv1_credentials *cred) 342{ 343 struct tlsv1_server *conn; 344 size_t count; 345 u16 *suites; 346 347 conn = os_zalloc(sizeof(*conn)); 348 if (conn == NULL) 349 return NULL; 350 351 conn->cred = cred; 352 353 conn->state = CLIENT_HELLO; 354 355 if (tls_verify_hash_init(&conn->verify) < 0) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 357 "hash"); 358 os_free(conn); 359 return NULL; 360 } 361 362 count = 0; 363 suites = conn->cipher_suites; 364#ifndef CONFIG_CRYPTO_INTERNAL 365 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 366#endif /* CONFIG_CRYPTO_INTERNAL */ 367 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 368 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 369 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 370 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 371 conn->num_cipher_suites = count; 372 373 return conn; 374} 375 376 377static void tlsv1_server_clear_data(struct tlsv1_server *conn) 378{ 379 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 380 tlsv1_record_change_write_cipher(&conn->rl); 381 tlsv1_record_change_read_cipher(&conn->rl); 382 tls_verify_hash_free(&conn->verify); 383 384 crypto_public_key_free(conn->client_rsa_key); 385 conn->client_rsa_key = NULL; 386 387 os_free(conn->session_ticket); 388 conn->session_ticket = NULL; 389 conn->session_ticket_len = 0; 390 conn->use_session_ticket = 0; 391 392 os_free(conn->dh_secret); 393 conn->dh_secret = NULL; 394 conn->dh_secret_len = 0; 395} 396 397 398/** 399 * tlsv1_server_deinit - Deinitialize TLSv1 server connection 400 * @conn: TLSv1 server connection data from tlsv1_server_init() 401 */ 402void tlsv1_server_deinit(struct tlsv1_server *conn) 403{ 404 tlsv1_server_clear_data(conn); 405 os_free(conn); 406} 407 408 409/** 410 * tlsv1_server_established - Check whether connection has been established 411 * @conn: TLSv1 server connection data from tlsv1_server_init() 412 * Returns: 1 if connection is established, 0 if not 413 */ 414int tlsv1_server_established(struct tlsv1_server *conn) 415{ 416 return conn->state == ESTABLISHED; 417} 418 419 420/** 421 * tlsv1_server_prf - Use TLS-PRF to derive keying material 422 * @conn: TLSv1 server connection data from tlsv1_server_init() 423 * @label: Label (e.g., description of the key) for PRF 424 * @server_random_first: seed is 0 = client_random|server_random, 425 * 1 = server_random|client_random 426 * @out: Buffer for output data from TLS-PRF 427 * @out_len: Length of the output buffer 428 * Returns: 0 on success, -1 on failure 429 */ 430int tlsv1_server_prf(struct tlsv1_server *conn, const char *label, 431 int server_random_first, u8 *out, size_t out_len) 432{ 433 u8 seed[2 * TLS_RANDOM_LEN]; 434 435 if (conn->state != ESTABLISHED) 436 return -1; 437 438 if (server_random_first) { 439 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 440 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 441 TLS_RANDOM_LEN); 442 } else { 443 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 444 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 445 TLS_RANDOM_LEN); 446 } 447 448 return tls_prf(conn->rl.tls_version, 449 conn->master_secret, TLS_MASTER_SECRET_LEN, 450 label, seed, 2 * TLS_RANDOM_LEN, out, out_len); 451} 452 453 454/** 455 * tlsv1_server_get_cipher - Get current cipher name 456 * @conn: TLSv1 server connection data from tlsv1_server_init() 457 * @buf: Buffer for the cipher name 458 * @buflen: buf size 459 * Returns: 0 on success, -1 on failure 460 * 461 * Get the name of the currently used cipher. 462 */ 463int tlsv1_server_get_cipher(struct tlsv1_server *conn, char *buf, 464 size_t buflen) 465{ 466 char *cipher; 467 468 switch (conn->rl.cipher_suite) { 469 case TLS_RSA_WITH_RC4_128_MD5: 470 cipher = "RC4-MD5"; 471 break; 472 case TLS_RSA_WITH_RC4_128_SHA: 473 cipher = "RC4-SHA"; 474 break; 475 case TLS_RSA_WITH_DES_CBC_SHA: 476 cipher = "DES-CBC-SHA"; 477 break; 478 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 479 cipher = "DES-CBC3-SHA"; 480 break; 481 case TLS_DH_anon_WITH_AES_128_CBC_SHA: 482 cipher = "ADH-AES-128-SHA"; 483 break; 484 case TLS_RSA_WITH_AES_256_CBC_SHA: 485 cipher = "AES-256-SHA"; 486 break; 487 case TLS_RSA_WITH_AES_128_CBC_SHA: 488 cipher = "AES-128-SHA"; 489 break; 490 default: 491 return -1; 492 } 493 494 if (os_strlcpy(buf, cipher, buflen) >= buflen) 495 return -1; 496 return 0; 497} 498 499 500/** 501 * tlsv1_server_shutdown - Shutdown TLS connection 502 * @conn: TLSv1 server connection data from tlsv1_server_init() 503 * Returns: 0 on success, -1 on failure 504 */ 505int tlsv1_server_shutdown(struct tlsv1_server *conn) 506{ 507 conn->state = CLIENT_HELLO; 508 509 if (tls_verify_hash_init(&conn->verify) < 0) { 510 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 511 "hash"); 512 return -1; 513 } 514 515 tlsv1_server_clear_data(conn); 516 517 return 0; 518} 519 520 521/** 522 * tlsv1_server_resumed - Was session resumption used 523 * @conn: TLSv1 server connection data from tlsv1_server_init() 524 * Returns: 1 if current session used session resumption, 0 if not 525 */ 526int tlsv1_server_resumed(struct tlsv1_server *conn) 527{ 528 return 0; 529} 530 531 532/** 533 * tlsv1_server_get_keys - Get master key and random data from TLS connection 534 * @conn: TLSv1 server connection data from tlsv1_server_init() 535 * @keys: Structure of key/random data (filled on success) 536 * Returns: 0 on success, -1 on failure 537 */ 538int tlsv1_server_get_keys(struct tlsv1_server *conn, struct tls_keys *keys) 539{ 540 os_memset(keys, 0, sizeof(*keys)); 541 if (conn->state == CLIENT_HELLO) 542 return -1; 543 544 keys->client_random = conn->client_random; 545 keys->client_random_len = TLS_RANDOM_LEN; 546 547 if (conn->state != SERVER_HELLO) { 548 keys->server_random = conn->server_random; 549 keys->server_random_len = TLS_RANDOM_LEN; 550 keys->master_key = conn->master_secret; 551 keys->master_key_len = TLS_MASTER_SECRET_LEN; 552 } 553 554 return 0; 555} 556 557 558/** 559 * tlsv1_server_get_keyblock_size - Get TLS key_block size 560 * @conn: TLSv1 server connection data from tlsv1_server_init() 561 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 562 * failure 563 */ 564int tlsv1_server_get_keyblock_size(struct tlsv1_server *conn) 565{ 566 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 567 return -1; 568 569 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 570 conn->rl.iv_size); 571} 572 573 574/** 575 * tlsv1_server_set_cipher_list - Configure acceptable cipher suites 576 * @conn: TLSv1 server connection data from tlsv1_server_init() 577 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 578 * (TLS_CIPHER_*). 579 * Returns: 0 on success, -1 on failure 580 */ 581int tlsv1_server_set_cipher_list(struct tlsv1_server *conn, u8 *ciphers) 582{ 583 size_t count; 584 u16 *suites; 585 586 /* TODO: implement proper configuration of cipher suites */ 587 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 588 count = 0; 589 suites = conn->cipher_suites; 590#ifndef CONFIG_CRYPTO_INTERNAL 591 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 592#endif /* CONFIG_CRYPTO_INTERNAL */ 593 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 594 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 595 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 596 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 597#ifndef CONFIG_CRYPTO_INTERNAL 598 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 599#endif /* CONFIG_CRYPTO_INTERNAL */ 600 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 601 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 602 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 603 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 604 conn->num_cipher_suites = count; 605 } 606 607 return 0; 608} 609 610 611int tlsv1_server_set_verify(struct tlsv1_server *conn, int verify_peer) 612{ 613 conn->verify_peer = verify_peer; 614 return 0; 615} 616 617 618void tlsv1_server_set_session_ticket_cb(struct tlsv1_server *conn, 619 tlsv1_server_session_ticket_cb cb, 620 void *ctx) 621{ 622 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", 623 cb, ctx); 624 conn->session_ticket_cb = cb; 625 conn->session_ticket_cb_ctx = ctx; 626} 627