tlsv1_record.c revision 1f69aa52ea2e0a73ac502565df8c666ee49cab6a
1/* 2 * TLSv1 Record Protocol 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "includes.h" 16 17#include "common.h" 18#include "crypto/md5.h" 19#include "crypto/sha1.h" 20#include "crypto/sha256.h" 21#include "tlsv1_common.h" 22#include "tlsv1_record.h" 23 24 25/** 26 * tlsv1_record_set_cipher_suite - TLS record layer: Set cipher suite 27 * @rl: Pointer to TLS record layer data 28 * @cipher_suite: New cipher suite 29 * Returns: 0 on success, -1 on failure 30 * 31 * This function is used to prepare TLS record layer for cipher suite change. 32 * tlsv1_record_change_write_cipher() and 33 * tlsv1_record_change_read_cipher() functions can then be used to change the 34 * currently used ciphers. 35 */ 36int tlsv1_record_set_cipher_suite(struct tlsv1_record_layer *rl, 37 u16 cipher_suite) 38{ 39 const struct tls_cipher_suite *suite; 40 const struct tls_cipher_data *data; 41 42 wpa_printf(MSG_DEBUG, "TLSv1: Selected cipher suite: 0x%04x", 43 cipher_suite); 44 rl->cipher_suite = cipher_suite; 45 46 suite = tls_get_cipher_suite(cipher_suite); 47 if (suite == NULL) 48 return -1; 49 50 if (suite->hash == TLS_HASH_MD5) { 51 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_MD5; 52 rl->hash_size = MD5_MAC_LEN; 53 } else if (suite->hash == TLS_HASH_SHA) { 54 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA1; 55 rl->hash_size = SHA1_MAC_LEN; 56 } else if (suite->hash == TLS_HASH_SHA256) { 57 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA256; 58 rl->hash_size = SHA256_MAC_LEN; 59 } 60 61 data = tls_get_cipher_data(suite->cipher); 62 if (data == NULL) 63 return -1; 64 65 rl->key_material_len = data->key_material; 66 rl->iv_size = data->block_size; 67 rl->cipher_alg = data->alg; 68 69 return 0; 70} 71 72 73/** 74 * tlsv1_record_change_write_cipher - TLS record layer: Change write cipher 75 * @rl: Pointer to TLS record layer data 76 * Returns: 0 on success (cipher changed), -1 on failure 77 * 78 * This function changes TLS record layer to use the new cipher suite 79 * configured with tlsv1_record_set_cipher_suite() for writing. 80 */ 81int tlsv1_record_change_write_cipher(struct tlsv1_record_layer *rl) 82{ 83 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New write cipher suite " 84 "0x%04x", rl->cipher_suite); 85 rl->write_cipher_suite = rl->cipher_suite; 86 os_memset(rl->write_seq_num, 0, TLS_SEQ_NUM_LEN); 87 88 if (rl->write_cbc) { 89 crypto_cipher_deinit(rl->write_cbc); 90 rl->write_cbc = NULL; 91 } 92 if (rl->cipher_alg != CRYPTO_CIPHER_NULL) { 93 rl->write_cbc = crypto_cipher_init(rl->cipher_alg, 94 rl->write_iv, rl->write_key, 95 rl->key_material_len); 96 if (rl->write_cbc == NULL) { 97 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize " 98 "cipher"); 99 return -1; 100 } 101 } 102 103 return 0; 104} 105 106 107/** 108 * tlsv1_record_change_read_cipher - TLS record layer: Change read cipher 109 * @rl: Pointer to TLS record layer data 110 * Returns: 0 on success (cipher changed), -1 on failure 111 * 112 * This function changes TLS record layer to use the new cipher suite 113 * configured with tlsv1_record_set_cipher_suite() for reading. 114 */ 115int tlsv1_record_change_read_cipher(struct tlsv1_record_layer *rl) 116{ 117 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New read cipher suite " 118 "0x%04x", rl->cipher_suite); 119 rl->read_cipher_suite = rl->cipher_suite; 120 os_memset(rl->read_seq_num, 0, TLS_SEQ_NUM_LEN); 121 122 if (rl->read_cbc) { 123 crypto_cipher_deinit(rl->read_cbc); 124 rl->read_cbc = NULL; 125 } 126 if (rl->cipher_alg != CRYPTO_CIPHER_NULL) { 127 rl->read_cbc = crypto_cipher_init(rl->cipher_alg, 128 rl->read_iv, rl->read_key, 129 rl->key_material_len); 130 if (rl->read_cbc == NULL) { 131 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize " 132 "cipher"); 133 return -1; 134 } 135 } 136 137 return 0; 138} 139 140 141/** 142 * tlsv1_record_send - TLS record layer: Send a message 143 * @rl: Pointer to TLS record layer data 144 * @content_type: Content type (TLS_CONTENT_TYPE_*) 145 * @buf: Buffer for the generated TLS message (needs to have extra space for 146 * header, IV (TLS v1.1), and HMAC) 147 * @buf_size: Maximum buf size 148 * @payload: Payload to be sent 149 * @payload_len: Length of the payload 150 * @out_len: Buffer for returning the used buf length 151 * Returns: 0 on success, -1 on failure 152 * 153 * This function fills in the TLS record layer header, adds HMAC, and encrypts 154 * the data using the current write cipher. 155 */ 156int tlsv1_record_send(struct tlsv1_record_layer *rl, u8 content_type, u8 *buf, 157 size_t buf_size, const u8 *payload, size_t payload_len, 158 size_t *out_len) 159{ 160 u8 *pos, *ct_start, *length, *cpayload; 161 struct crypto_hash *hmac; 162 size_t clen; 163 int explicit_iv; 164 165 pos = buf; 166 if (pos + TLS_RECORD_HEADER_LEN > buf + buf_size) 167 return -1; 168 169 /* ContentType type */ 170 ct_start = pos; 171 *pos++ = content_type; 172 /* ProtocolVersion version */ 173 WPA_PUT_BE16(pos, rl->tls_version); 174 pos += 2; 175 /* uint16 length */ 176 length = pos; 177 WPA_PUT_BE16(length, payload_len); 178 pos += 2; 179 180 cpayload = pos; 181 explicit_iv = rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL && 182 rl->iv_size && rl->tls_version >= TLS_VERSION_1_1; 183 if (explicit_iv) { 184 /* opaque IV[Cipherspec.block_length] */ 185 if (pos + rl->iv_size > buf + buf_size) 186 return -1; 187 188 /* 189 * Use random number R per the RFC 4346, 6.2.3.2 CBC Block 190 * Cipher option 2a. 191 */ 192 193 if (os_get_random(pos, rl->iv_size)) 194 return -1; 195 pos += rl->iv_size; 196 } 197 198 /* 199 * opaque fragment[TLSPlaintext.length] 200 * (opaque content[TLSCompressed.length] in GenericBlockCipher) 201 */ 202 if (pos + payload_len > buf + buf_size) 203 return -1; 204 os_memmove(pos, payload, payload_len); 205 pos += payload_len; 206 207 if (rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL) { 208 /* 209 * MAC calculated over seq_num + TLSCompressed.type + 210 * TLSCompressed.version + TLSCompressed.length + 211 * TLSCompressed.fragment 212 */ 213 hmac = crypto_hash_init(rl->hash_alg, rl->write_mac_secret, 214 rl->hash_size); 215 if (hmac == NULL) { 216 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 217 "to initialize HMAC"); 218 return -1; 219 } 220 crypto_hash_update(hmac, rl->write_seq_num, TLS_SEQ_NUM_LEN); 221 /* type + version + length + fragment */ 222 crypto_hash_update(hmac, ct_start, TLS_RECORD_HEADER_LEN); 223 crypto_hash_update(hmac, payload, payload_len); 224 clen = buf + buf_size - pos; 225 if (clen < rl->hash_size) { 226 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Not " 227 "enough room for MAC"); 228 crypto_hash_finish(hmac, NULL, NULL); 229 return -1; 230 } 231 232 if (crypto_hash_finish(hmac, pos, &clen) < 0) { 233 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 234 "to calculate HMAC"); 235 return -1; 236 } 237 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Write HMAC", 238 pos, clen); 239 pos += clen; 240 if (rl->iv_size) { 241 size_t len = pos - cpayload; 242 size_t pad; 243 pad = (len + 1) % rl->iv_size; 244 if (pad) 245 pad = rl->iv_size - pad; 246 if (pos + pad + 1 > buf + buf_size) { 247 wpa_printf(MSG_DEBUG, "TLSv1: No room for " 248 "block cipher padding"); 249 return -1; 250 } 251 os_memset(pos, pad, pad + 1); 252 pos += pad + 1; 253 } 254 255 if (crypto_cipher_encrypt(rl->write_cbc, cpayload, 256 cpayload, pos - cpayload) < 0) 257 return -1; 258 } 259 260 WPA_PUT_BE16(length, pos - length - 2); 261 inc_byte_array(rl->write_seq_num, TLS_SEQ_NUM_LEN); 262 263 *out_len = pos - buf; 264 265 return 0; 266} 267 268 269/** 270 * tlsv1_record_receive - TLS record layer: Process a received message 271 * @rl: Pointer to TLS record layer data 272 * @in_data: Received data 273 * @in_len: Length of the received data 274 * @out_data: Buffer for output data (must be at least as long as in_data) 275 * @out_len: Set to maximum out_data length by caller; used to return the 276 * length of the used data 277 * @alert: Buffer for returning an alert value on failure 278 * Returns: Number of bytes used from in_data on success, 0 if record was not 279 * complete (more data needed), or -1 on failure 280 * 281 * This function decrypts the received message, verifies HMAC and TLS record 282 * layer header. 283 */ 284int tlsv1_record_receive(struct tlsv1_record_layer *rl, 285 const u8 *in_data, size_t in_len, 286 u8 *out_data, size_t *out_len, u8 *alert) 287{ 288 size_t i, rlen, hlen; 289 u8 padlen; 290 struct crypto_hash *hmac; 291 u8 len[2], hash[100]; 292 int force_mac_error = 0; 293 u8 ct; 294 295 if (in_len < TLS_RECORD_HEADER_LEN) { 296 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (in_len=%lu) - " 297 "need more data", 298 (unsigned long) in_len); 299 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received", 300 in_data, in_len); 301 return 0; 302 } 303 304 ct = in_data[0]; 305 rlen = WPA_GET_BE16(in_data + 3); 306 wpa_printf(MSG_DEBUG, "TLSv1: Received content type %d version %d.%d " 307 "length %d", ct, in_data[1], in_data[2], (int) rlen); 308 309 /* 310 * TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the 311 * protocol version in record layer. As such, accept any {03,xx} value 312 * to remain compatible with existing implementations. 313 */ 314 if (in_data[1] != 0x03) { 315 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version " 316 "%u.%u", in_data[1], in_data[2]); 317 *alert = TLS_ALERT_PROTOCOL_VERSION; 318 return -1; 319 } 320 321 /* TLSCiphertext must not be more than 2^14+2048 bytes */ 322 if (TLS_RECORD_HEADER_LEN + rlen > 18432) { 323 wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)", 324 (unsigned long) (TLS_RECORD_HEADER_LEN + rlen)); 325 *alert = TLS_ALERT_RECORD_OVERFLOW; 326 return -1; 327 } 328 329 in_data += TLS_RECORD_HEADER_LEN; 330 in_len -= TLS_RECORD_HEADER_LEN; 331 332 if (rlen > in_len) { 333 wpa_printf(MSG_DEBUG, "TLSv1: Not all record data included " 334 "(rlen=%lu > in_len=%lu)", 335 (unsigned long) rlen, (unsigned long) in_len); 336 return 0; 337 } 338 339 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received", 340 in_data, rlen); 341 342 if (ct != TLS_CONTENT_TYPE_HANDSHAKE && 343 ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC && 344 ct != TLS_CONTENT_TYPE_ALERT && 345 ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 346 wpa_printf(MSG_DEBUG, "TLSv1: Ignore record with unknown " 347 "content type 0x%x", ct); 348 *alert = TLS_ALERT_UNEXPECTED_MESSAGE; 349 return -1; 350 } 351 352 in_len = rlen; 353 354 if (*out_len < in_len) { 355 wpa_printf(MSG_DEBUG, "TLSv1: Not enough output buffer for " 356 "processing received record"); 357 *alert = TLS_ALERT_INTERNAL_ERROR; 358 return -1; 359 } 360 361 if (rl->read_cipher_suite != TLS_NULL_WITH_NULL_NULL) { 362 size_t plen; 363 if (crypto_cipher_decrypt(rl->read_cbc, in_data, 364 out_data, in_len) < 0) { 365 *alert = TLS_ALERT_DECRYPTION_FAILED; 366 return -1; 367 } 368 plen = in_len; 369 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Record Layer - Decrypted " 370 "data", out_data, plen); 371 372 if (rl->iv_size) { 373 /* 374 * TLS v1.0 defines different alert values for various 375 * failures. That may information to aid in attacks, so 376 * use the same bad_record_mac alert regardless of the 377 * issues. 378 * 379 * In addition, instead of returning immediately on 380 * error, run through the MAC check to make timing 381 * attacks more difficult. 382 */ 383 384 if (rl->tls_version >= TLS_VERSION_1_1) { 385 /* Remove opaque IV[Cipherspec.block_length] */ 386 if (plen < rl->iv_size) { 387 wpa_printf(MSG_DEBUG, "TLSv1.1: Not " 388 "enough room for IV"); 389 force_mac_error = 1; 390 goto check_mac; 391 } 392 os_memmove(out_data, out_data + rl->iv_size, 393 plen - rl->iv_size); 394 plen -= rl->iv_size; 395 } 396 397 /* Verify and remove padding */ 398 if (plen == 0) { 399 wpa_printf(MSG_DEBUG, "TLSv1: Too short record" 400 " (no pad)"); 401 force_mac_error = 1; 402 goto check_mac; 403 } 404 padlen = out_data[plen - 1]; 405 if (padlen >= plen) { 406 wpa_printf(MSG_DEBUG, "TLSv1: Incorrect pad " 407 "length (%u, plen=%lu) in " 408 "received record", 409 padlen, (unsigned long) plen); 410 force_mac_error = 1; 411 goto check_mac; 412 } 413 for (i = plen - padlen - 1; i < plen - 1; i++) { 414 if (out_data[i] != padlen) { 415 wpa_hexdump(MSG_DEBUG, 416 "TLSv1: Invalid pad in " 417 "received record", 418 out_data + plen - padlen - 419 1, padlen + 1); 420 force_mac_error = 1; 421 goto check_mac; 422 } 423 } 424 425 plen -= padlen + 1; 426 427 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Record Layer - " 428 "Decrypted data with IV and padding " 429 "removed", out_data, plen); 430 } 431 432 check_mac: 433 if (plen < rl->hash_size) { 434 wpa_printf(MSG_DEBUG, "TLSv1: Too short record; no " 435 "hash value"); 436 *alert = TLS_ALERT_BAD_RECORD_MAC; 437 return -1; 438 } 439 440 plen -= rl->hash_size; 441 442 hmac = crypto_hash_init(rl->hash_alg, rl->read_mac_secret, 443 rl->hash_size); 444 if (hmac == NULL) { 445 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 446 "to initialize HMAC"); 447 *alert = TLS_ALERT_INTERNAL_ERROR; 448 return -1; 449 } 450 451 crypto_hash_update(hmac, rl->read_seq_num, TLS_SEQ_NUM_LEN); 452 /* type + version + length + fragment */ 453 crypto_hash_update(hmac, in_data - TLS_RECORD_HEADER_LEN, 3); 454 WPA_PUT_BE16(len, plen); 455 crypto_hash_update(hmac, len, 2); 456 crypto_hash_update(hmac, out_data, plen); 457 hlen = sizeof(hash); 458 if (crypto_hash_finish(hmac, hash, &hlen) < 0) { 459 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 460 "to calculate HMAC"); 461 *alert = TLS_ALERT_INTERNAL_ERROR; 462 return -1; 463 } 464 if (hlen != rl->hash_size || 465 os_memcmp(hash, out_data + plen, hlen) != 0 || 466 force_mac_error) { 467 wpa_printf(MSG_DEBUG, "TLSv1: Invalid HMAC value in " 468 "received message (force_mac_error=%d)", 469 force_mac_error); 470 *alert = TLS_ALERT_BAD_RECORD_MAC; 471 return -1; 472 } 473 474 *out_len = plen; 475 } else { 476 os_memcpy(out_data, in_data, in_len); 477 *out_len = in_len; 478 } 479 480 /* TLSCompressed must not be more than 2^14+1024 bytes */ 481 if (TLS_RECORD_HEADER_LEN + *out_len > 17408) { 482 wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)", 483 (unsigned long) (TLS_RECORD_HEADER_LEN + *out_len)); 484 *alert = TLS_ALERT_RECORD_OVERFLOW; 485 return -1; 486 } 487 488 inc_byte_array(rl->read_seq_num, TLS_SEQ_NUM_LEN); 489 490 return TLS_RECORD_HEADER_LEN + rlen; 491} 492