tlsv1_server_read.c revision 818ea489ef32dcdc7c098d8a336d6e1dd8996112
1/* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "x509v3.h" 17#include "tlsv1_common.h" 18#include "tlsv1_record.h" 19#include "tlsv1_server.h" 20#include "tlsv1_server_i.h" 21 22 23static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 30static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 31{ 32#ifdef CONFIG_TESTING_OPTIONS 33 if ((conn->test_flags & 34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 35 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 36 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 37 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 38 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 39 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 40 return 1; 41#endif /* CONFIG_TESTING_OPTIONS */ 42 43 return 0; 44} 45 46 47static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 48 const u8 *in_data, size_t *in_len) 49{ 50 const u8 *pos, *end, *c; 51 size_t left, len, i, j; 52 u16 cipher_suite; 53 u16 num_suites; 54 int compr_null_found; 55 u16 ext_type, ext_len; 56 57 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 58 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 59 ct); 60 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 61 TLS_ALERT_UNEXPECTED_MESSAGE); 62 return -1; 63 } 64 65 pos = in_data; 66 left = *in_len; 67 68 if (left < 4) 69 goto decode_error; 70 71 /* HandshakeType msg_type */ 72 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 73 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 74 *pos); 75 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 76 TLS_ALERT_UNEXPECTED_MESSAGE); 77 return -1; 78 } 79 tlsv1_server_log(conn, "Received ClientHello"); 80 pos++; 81 /* uint24 length */ 82 len = WPA_GET_BE24(pos); 83 pos += 3; 84 left -= 4; 85 86 if (len > left) 87 goto decode_error; 88 89 /* body - ClientHello */ 90 91 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 92 end = pos + len; 93 94 /* ProtocolVersion client_version */ 95 if (end - pos < 2) 96 goto decode_error; 97 conn->client_version = WPA_GET_BE16(pos); 98 tlsv1_server_log(conn, "Client version %d.%d", 99 conn->client_version >> 8, 100 conn->client_version & 0xff); 101 if (conn->client_version < TLS_VERSION_1) { 102 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 103 conn->client_version >> 8, 104 conn->client_version & 0xff); 105 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 106 TLS_ALERT_PROTOCOL_VERSION); 107 return -1; 108 } 109 pos += 2; 110 111 if (TLS_VERSION == TLS_VERSION_1) 112 conn->rl.tls_version = TLS_VERSION_1; 113#ifdef CONFIG_TLSV12 114 else if (conn->client_version >= TLS_VERSION_1_2) 115 conn->rl.tls_version = TLS_VERSION_1_2; 116#endif /* CONFIG_TLSV12 */ 117 else if (conn->client_version > TLS_VERSION_1_1) 118 conn->rl.tls_version = TLS_VERSION_1_1; 119 else 120 conn->rl.tls_version = conn->client_version; 121 tlsv1_server_log(conn, "Using TLS v%s", 122 tls_version_str(conn->rl.tls_version)); 123 124 /* Random random */ 125 if (end - pos < TLS_RANDOM_LEN) 126 goto decode_error; 127 128 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 129 pos += TLS_RANDOM_LEN; 130 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 131 conn->client_random, TLS_RANDOM_LEN); 132 133 /* SessionID session_id */ 134 if (end - pos < 1) 135 goto decode_error; 136 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 137 goto decode_error; 138 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 139 pos += 1 + *pos; 140 /* TODO: add support for session resumption */ 141 142 /* CipherSuite cipher_suites<2..2^16-1> */ 143 if (end - pos < 2) 144 goto decode_error; 145 num_suites = WPA_GET_BE16(pos); 146 pos += 2; 147 if (end - pos < num_suites) 148 goto decode_error; 149 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 150 pos, num_suites); 151 if (num_suites & 1) 152 goto decode_error; 153 num_suites /= 2; 154 155 cipher_suite = 0; 156 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 157 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 158 continue; 159 c = pos; 160 for (j = 0; j < num_suites; j++) { 161 u16 tmp = WPA_GET_BE16(c); 162 c += 2; 163 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 164 cipher_suite = tmp; 165 break; 166 } 167 } 168 } 169 pos += num_suites * 2; 170 if (!cipher_suite) { 171 tlsv1_server_log(conn, "No supported cipher suite available"); 172 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 173 TLS_ALERT_ILLEGAL_PARAMETER); 174 return -1; 175 } 176 177 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 178 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 179 "record layer"); 180 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 181 TLS_ALERT_INTERNAL_ERROR); 182 return -1; 183 } 184 185 conn->cipher_suite = cipher_suite; 186 187 /* CompressionMethod compression_methods<1..2^8-1> */ 188 if (end - pos < 1) 189 goto decode_error; 190 num_suites = *pos++; 191 if (end - pos < num_suites) 192 goto decode_error; 193 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 194 pos, num_suites); 195 compr_null_found = 0; 196 for (i = 0; i < num_suites; i++) { 197 if (*pos++ == TLS_COMPRESSION_NULL) 198 compr_null_found = 1; 199 } 200 if (!compr_null_found) { 201 tlsv1_server_log(conn, "Client does not accept NULL compression"); 202 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 203 TLS_ALERT_ILLEGAL_PARAMETER); 204 return -1; 205 } 206 207 if (end - pos == 1) { 208 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 209 *pos); 210 goto decode_error; 211 } 212 213 if (end - pos >= 2) { 214 /* Extension client_hello_extension_list<0..2^16-1> */ 215 ext_len = WPA_GET_BE16(pos); 216 pos += 2; 217 218 tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 219 ext_len); 220 if (end - pos != ext_len) { 221 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 222 ext_len, (unsigned int) (end - pos)); 223 goto decode_error; 224 } 225 226 /* 227 * struct { 228 * ExtensionType extension_type (0..65535) 229 * opaque extension_data<0..2^16-1> 230 * } Extension; 231 */ 232 233 while (pos < end) { 234 if (end - pos < 2) { 235 tlsv1_server_log(conn, "Invalid extension_type field"); 236 goto decode_error; 237 } 238 239 ext_type = WPA_GET_BE16(pos); 240 pos += 2; 241 242 if (end - pos < 2) { 243 tlsv1_server_log(conn, "Invalid extension_data length field"); 244 goto decode_error; 245 } 246 247 ext_len = WPA_GET_BE16(pos); 248 pos += 2; 249 250 if (end - pos < ext_len) { 251 tlsv1_server_log(conn, "Invalid extension_data field"); 252 goto decode_error; 253 } 254 255 tlsv1_server_log(conn, "ClientHello Extension type %u", 256 ext_type); 257 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 258 "Extension data", pos, ext_len); 259 260 if (ext_type == TLS_EXT_SESSION_TICKET) { 261 os_free(conn->session_ticket); 262 conn->session_ticket = os_malloc(ext_len); 263 if (conn->session_ticket) { 264 os_memcpy(conn->session_ticket, pos, 265 ext_len); 266 conn->session_ticket_len = ext_len; 267 } 268 } 269 270 pos += ext_len; 271 } 272 } 273 274 *in_len = end - in_data; 275 276 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 277 conn->state = SERVER_HELLO; 278 279 return 0; 280 281decode_error: 282 tlsv1_server_log(conn, "Failed to decode ClientHello"); 283 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 284 TLS_ALERT_DECODE_ERROR); 285 return -1; 286} 287 288 289static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 290 const u8 *in_data, size_t *in_len) 291{ 292 const u8 *pos, *end; 293 size_t left, len, list_len, cert_len, idx; 294 u8 type; 295 struct x509_certificate *chain = NULL, *last = NULL, *cert; 296 int reason; 297 298 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 299 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 300 ct); 301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 302 TLS_ALERT_UNEXPECTED_MESSAGE); 303 return -1; 304 } 305 306 pos = in_data; 307 left = *in_len; 308 309 if (left < 4) { 310 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 311 (unsigned long) left); 312 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 313 TLS_ALERT_DECODE_ERROR); 314 return -1; 315 } 316 317 type = *pos++; 318 len = WPA_GET_BE24(pos); 319 pos += 3; 320 left -= 4; 321 322 if (len > left) { 323 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 324 (unsigned long) len, (unsigned long) left); 325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_DECODE_ERROR); 327 return -1; 328 } 329 330 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 331 if (conn->verify_peer) { 332 tlsv1_server_log(conn, "Client did not include Certificate"); 333 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 334 TLS_ALERT_UNEXPECTED_MESSAGE); 335 return -1; 336 } 337 338 return tls_process_client_key_exchange(conn, ct, in_data, 339 in_len); 340 } 341 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 342 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 343 type); 344 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 345 TLS_ALERT_UNEXPECTED_MESSAGE); 346 return -1; 347 } 348 349 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 350 (unsigned long) len); 351 352 /* 353 * opaque ASN.1Cert<2^24-1>; 354 * 355 * struct { 356 * ASN.1Cert certificate_list<1..2^24-1>; 357 * } Certificate; 358 */ 359 360 end = pos + len; 361 362 if (end - pos < 3) { 363 tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 364 (unsigned long) left); 365 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 366 TLS_ALERT_DECODE_ERROR); 367 return -1; 368 } 369 370 list_len = WPA_GET_BE24(pos); 371 pos += 3; 372 373 if ((size_t) (end - pos) != list_len) { 374 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 375 (unsigned long) list_len, 376 (unsigned long) (end - pos)); 377 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 378 TLS_ALERT_DECODE_ERROR); 379 return -1; 380 } 381 382 idx = 0; 383 while (pos < end) { 384 if (end - pos < 3) { 385 tlsv1_server_log(conn, "Failed to parse certificate_list"); 386 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 387 TLS_ALERT_DECODE_ERROR); 388 x509_certificate_chain_free(chain); 389 return -1; 390 } 391 392 cert_len = WPA_GET_BE24(pos); 393 pos += 3; 394 395 if ((size_t) (end - pos) < cert_len) { 396 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 397 (unsigned long) cert_len, 398 (unsigned long) (end - pos)); 399 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 400 TLS_ALERT_DECODE_ERROR); 401 x509_certificate_chain_free(chain); 402 return -1; 403 } 404 405 tlsv1_server_log(conn, "Certificate %lu (len %lu)", 406 (unsigned long) idx, (unsigned long) cert_len); 407 408 if (idx == 0) { 409 crypto_public_key_free(conn->client_rsa_key); 410 if (tls_parse_cert(pos, cert_len, 411 &conn->client_rsa_key)) { 412 tlsv1_server_log(conn, "Failed to parse the certificate"); 413 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 414 TLS_ALERT_BAD_CERTIFICATE); 415 x509_certificate_chain_free(chain); 416 return -1; 417 } 418 } 419 420 cert = x509_certificate_parse(pos, cert_len); 421 if (cert == NULL) { 422 tlsv1_server_log(conn, "Failed to parse the certificate"); 423 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 424 TLS_ALERT_BAD_CERTIFICATE); 425 x509_certificate_chain_free(chain); 426 return -1; 427 } 428 429 if (last == NULL) 430 chain = cert; 431 else 432 last->next = cert; 433 last = cert; 434 435 idx++; 436 pos += cert_len; 437 } 438 439 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 440 &reason, 0) < 0) { 441 int tls_reason; 442 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 443 reason); 444 switch (reason) { 445 case X509_VALIDATE_BAD_CERTIFICATE: 446 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 447 break; 448 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 449 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 450 break; 451 case X509_VALIDATE_CERTIFICATE_REVOKED: 452 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 453 break; 454 case X509_VALIDATE_CERTIFICATE_EXPIRED: 455 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 456 break; 457 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 458 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 459 break; 460 case X509_VALIDATE_UNKNOWN_CA: 461 tls_reason = TLS_ALERT_UNKNOWN_CA; 462 break; 463 default: 464 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 465 break; 466 } 467 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 468 x509_certificate_chain_free(chain); 469 return -1; 470 } 471 472 x509_certificate_chain_free(chain); 473 474 *in_len = end - in_data; 475 476 conn->state = CLIENT_KEY_EXCHANGE; 477 478 return 0; 479} 480 481 482static int tls_process_client_key_exchange_rsa( 483 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 484{ 485 u8 *out; 486 size_t outlen, outbuflen; 487 u16 encr_len; 488 int res; 489 int use_random = 0; 490 491 if (end - pos < 2) { 492 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 493 TLS_ALERT_DECODE_ERROR); 494 return -1; 495 } 496 497 encr_len = WPA_GET_BE16(pos); 498 pos += 2; 499 if (pos + encr_len > end) { 500 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 501 encr_len, (unsigned int) (end - pos)); 502 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 503 TLS_ALERT_DECODE_ERROR); 504 return -1; 505 } 506 507 outbuflen = outlen = end - pos; 508 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 509 outlen : TLS_PRE_MASTER_SECRET_LEN); 510 if (out == NULL) { 511 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 512 TLS_ALERT_INTERNAL_ERROR); 513 return -1; 514 } 515 516 /* 517 * struct { 518 * ProtocolVersion client_version; 519 * opaque random[46]; 520 * } PreMasterSecret; 521 * 522 * struct { 523 * public-key-encrypted PreMasterSecret pre_master_secret; 524 * } EncryptedPreMasterSecret; 525 */ 526 527 /* 528 * Note: To avoid Bleichenbacher attack, we do not report decryption or 529 * parsing errors from EncryptedPreMasterSecret processing to the 530 * client. Instead, a random pre-master secret is used to force the 531 * handshake to fail. 532 */ 533 534 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 535 pos, encr_len, 536 out, &outlen) < 0) { 537 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 538 "PreMasterSecret (encr_len=%u outlen=%lu)", 539 encr_len, (unsigned long) outlen); 540 use_random = 1; 541 } 542 543 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 544 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 545 (unsigned long) outlen); 546 use_random = 1; 547 } 548 549 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 550 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 551 use_random = 1; 552 } 553 554 if (use_random) { 555 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 556 "to avoid revealing information about private key"); 557 outlen = TLS_PRE_MASTER_SECRET_LEN; 558 if (os_get_random(out, outlen)) { 559 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 560 "data"); 561 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 562 TLS_ALERT_INTERNAL_ERROR); 563 os_free(out); 564 return -1; 565 } 566 } 567 568 res = tlsv1_server_derive_keys(conn, out, outlen); 569 570 /* Clear the pre-master secret since it is not needed anymore */ 571 os_memset(out, 0, outbuflen); 572 os_free(out); 573 574 if (res) { 575 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 576 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 577 TLS_ALERT_INTERNAL_ERROR); 578 return -1; 579 } 580 581 return 0; 582} 583 584 585static int tls_process_client_key_exchange_dh( 586 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 587{ 588 const u8 *dh_yc; 589 u16 dh_yc_len; 590 u8 *shared; 591 size_t shared_len; 592 int res; 593 594 /* 595 * struct { 596 * select (PublicValueEncoding) { 597 * case implicit: struct { }; 598 * case explicit: opaque dh_Yc<1..2^16-1>; 599 * } dh_public; 600 * } ClientDiffieHellmanPublic; 601 */ 602 603 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 604 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 605 pos, end - pos); 606 607 if (end == pos) { 608 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 609 "not supported"); 610 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 611 TLS_ALERT_INTERNAL_ERROR); 612 return -1; 613 } 614 615 if (end - pos < 3) { 616 tlsv1_server_log(conn, "Invalid client public value length"); 617 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 618 TLS_ALERT_DECODE_ERROR); 619 return -1; 620 } 621 622 dh_yc_len = WPA_GET_BE16(pos); 623 dh_yc = pos + 2; 624 625 if (dh_yc + dh_yc_len > end) { 626 tlsv1_server_log(conn, "Client public value overflow (length %d)", 627 dh_yc_len); 628 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 629 TLS_ALERT_DECODE_ERROR); 630 return -1; 631 } 632 633 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 634 dh_yc, dh_yc_len); 635 636 if (conn->cred == NULL || conn->cred->dh_p == NULL || 637 conn->dh_secret == NULL) { 638 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 639 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 640 TLS_ALERT_INTERNAL_ERROR); 641 return -1; 642 } 643 644 shared_len = conn->cred->dh_p_len; 645 shared = os_malloc(shared_len); 646 if (shared == NULL) { 647 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 648 "DH"); 649 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 650 TLS_ALERT_INTERNAL_ERROR); 651 return -1; 652 } 653 654 /* shared = Yc^secret mod p */ 655 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 656 conn->dh_secret_len, 657 conn->cred->dh_p, conn->cred->dh_p_len, 658 shared, &shared_len)) { 659 os_free(shared); 660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 661 TLS_ALERT_INTERNAL_ERROR); 662 return -1; 663 } 664 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 665 shared, shared_len); 666 667 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 668 os_free(conn->dh_secret); 669 conn->dh_secret = NULL; 670 671 res = tlsv1_server_derive_keys(conn, shared, shared_len); 672 673 /* Clear the pre-master secret since it is not needed anymore */ 674 os_memset(shared, 0, shared_len); 675 os_free(shared); 676 677 if (res) { 678 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 679 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 680 TLS_ALERT_INTERNAL_ERROR); 681 return -1; 682 } 683 684 return 0; 685} 686 687 688static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 689 const u8 *in_data, size_t *in_len) 690{ 691 const u8 *pos, *end; 692 size_t left, len; 693 u8 type; 694 tls_key_exchange keyx; 695 const struct tls_cipher_suite *suite; 696 697 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 698 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 699 ct); 700 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 701 TLS_ALERT_UNEXPECTED_MESSAGE); 702 return -1; 703 } 704 705 pos = in_data; 706 left = *in_len; 707 708 if (left < 4) { 709 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 710 (unsigned long) left); 711 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 712 TLS_ALERT_DECODE_ERROR); 713 return -1; 714 } 715 716 type = *pos++; 717 len = WPA_GET_BE24(pos); 718 pos += 3; 719 left -= 4; 720 721 if (len > left) { 722 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 723 (unsigned long) len, (unsigned long) left); 724 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 725 TLS_ALERT_DECODE_ERROR); 726 return -1; 727 } 728 729 end = pos + len; 730 731 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 732 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 733 type); 734 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 735 TLS_ALERT_UNEXPECTED_MESSAGE); 736 return -1; 737 } 738 739 tlsv1_server_log(conn, "Received ClientKeyExchange"); 740 741 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 742 743 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 744 if (suite == NULL) 745 keyx = TLS_KEY_X_NULL; 746 else 747 keyx = suite->key_exchange; 748 749 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 750 tls_process_client_key_exchange_dh(conn, pos, end) < 0) 751 return -1; 752 753 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 754 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 755 return -1; 756 757 *in_len = end - in_data; 758 759 conn->state = CERTIFICATE_VERIFY; 760 761 return 0; 762} 763 764 765static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 766 const u8 *in_data, size_t *in_len) 767{ 768 const u8 *pos, *end; 769 size_t left, len; 770 u8 type; 771 size_t hlen; 772 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 773 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 774 u8 alert; 775 776 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 777 if (conn->verify_peer) { 778 tlsv1_server_log(conn, "Client did not include CertificateVerify"); 779 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 780 TLS_ALERT_UNEXPECTED_MESSAGE); 781 return -1; 782 } 783 784 return tls_process_change_cipher_spec(conn, ct, in_data, 785 in_len); 786 } 787 788 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 789 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 790 ct); 791 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 792 TLS_ALERT_UNEXPECTED_MESSAGE); 793 return -1; 794 } 795 796 pos = in_data; 797 left = *in_len; 798 799 if (left < 4) { 800 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 801 (unsigned long) left); 802 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 803 TLS_ALERT_DECODE_ERROR); 804 return -1; 805 } 806 807 type = *pos++; 808 len = WPA_GET_BE24(pos); 809 pos += 3; 810 left -= 4; 811 812 if (len > left) { 813 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 814 (unsigned long) len, (unsigned long) left); 815 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 816 TLS_ALERT_DECODE_ERROR); 817 return -1; 818 } 819 820 end = pos + len; 821 822 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 823 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 824 type); 825 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 826 TLS_ALERT_UNEXPECTED_MESSAGE); 827 return -1; 828 } 829 830 tlsv1_server_log(conn, "Received CertificateVerify"); 831 832 /* 833 * struct { 834 * Signature signature; 835 * } CertificateVerify; 836 */ 837 838 hpos = hash; 839 840#ifdef CONFIG_TLSV12 841 if (conn->rl.tls_version == TLS_VERSION_1_2) { 842 /* 843 * RFC 5246, 4.7: 844 * TLS v1.2 adds explicit indication of the used signature and 845 * hash algorithms. 846 * 847 * struct { 848 * HashAlgorithm hash; 849 * SignatureAlgorithm signature; 850 * } SignatureAndHashAlgorithm; 851 */ 852 if (end - pos < 2) { 853 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 854 TLS_ALERT_DECODE_ERROR); 855 return -1; 856 } 857 if (pos[0] != TLS_HASH_ALG_SHA256 || 858 pos[1] != TLS_SIGN_ALG_RSA) { 859 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 860 "signature(%u) algorithm", 861 pos[0], pos[1]); 862 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 863 TLS_ALERT_INTERNAL_ERROR); 864 return -1; 865 } 866 pos += 2; 867 868 hlen = SHA256_MAC_LEN; 869 if (conn->verify.sha256_cert == NULL || 870 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 871 0) { 872 conn->verify.sha256_cert = NULL; 873 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 874 TLS_ALERT_INTERNAL_ERROR); 875 return -1; 876 } 877 conn->verify.sha256_cert = NULL; 878 } else { 879#endif /* CONFIG_TLSV12 */ 880 881 if (alg == SIGN_ALG_RSA) { 882 hlen = MD5_MAC_LEN; 883 if (conn->verify.md5_cert == NULL || 884 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 885 { 886 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 887 TLS_ALERT_INTERNAL_ERROR); 888 conn->verify.md5_cert = NULL; 889 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 890 conn->verify.sha1_cert = NULL; 891 return -1; 892 } 893 hpos += MD5_MAC_LEN; 894 } else 895 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 896 897 conn->verify.md5_cert = NULL; 898 hlen = SHA1_MAC_LEN; 899 if (conn->verify.sha1_cert == NULL || 900 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 901 conn->verify.sha1_cert = NULL; 902 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 903 TLS_ALERT_INTERNAL_ERROR); 904 return -1; 905 } 906 conn->verify.sha1_cert = NULL; 907 908 if (alg == SIGN_ALG_RSA) 909 hlen += MD5_MAC_LEN; 910 911#ifdef CONFIG_TLSV12 912 } 913#endif /* CONFIG_TLSV12 */ 914 915 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 916 917 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 918 hash, hlen, pos, end - pos, &alert) < 0) { 919 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 920 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 921 return -1; 922 } 923 924 *in_len = end - in_data; 925 926 conn->state = CHANGE_CIPHER_SPEC; 927 928 return 0; 929} 930 931 932static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 933 u8 ct, const u8 *in_data, 934 size_t *in_len) 935{ 936 const u8 *pos; 937 size_t left; 938 939 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 940 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 941 ct); 942 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 943 TLS_ALERT_UNEXPECTED_MESSAGE); 944 return -1; 945 } 946 947 pos = in_data; 948 left = *in_len; 949 950 if (left < 1) { 951 tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 952 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 953 TLS_ALERT_DECODE_ERROR); 954 return -1; 955 } 956 957 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 958 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 959 *pos); 960 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 961 TLS_ALERT_UNEXPECTED_MESSAGE); 962 return -1; 963 } 964 965 tlsv1_server_log(conn, "Received ChangeCipherSpec"); 966 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 967 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 968 "for record layer"); 969 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 970 TLS_ALERT_INTERNAL_ERROR); 971 return -1; 972 } 973 974 *in_len = pos + 1 - in_data; 975 976 conn->state = CLIENT_FINISHED; 977 978 return 0; 979} 980 981 982static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 983 const u8 *in_data, size_t *in_len) 984{ 985 const u8 *pos, *end; 986 size_t left, len, hlen; 987 u8 verify_data[TLS_VERIFY_DATA_LEN]; 988 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 989 990#ifdef CONFIG_TESTING_OPTIONS 991 if ((conn->test_flags & 992 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 993 !conn->test_failure_reported) { 994 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 995 conn->test_failure_reported = 1; 996 } 997#endif /* CONFIG_TESTING_OPTIONS */ 998 999 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1000 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 1001 ct); 1002 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1003 TLS_ALERT_UNEXPECTED_MESSAGE); 1004 return -1; 1005 } 1006 1007 pos = in_data; 1008 left = *in_len; 1009 1010 if (left < 4) { 1011 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 1012 (unsigned long) left); 1013 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1014 TLS_ALERT_DECODE_ERROR); 1015 return -1; 1016 } 1017 1018 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1019 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1020 "type 0x%x", pos[0]); 1021 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1022 TLS_ALERT_UNEXPECTED_MESSAGE); 1023 return -1; 1024 } 1025 1026 len = WPA_GET_BE24(pos + 1); 1027 1028 pos += 4; 1029 left -= 4; 1030 1031 if (len > left) { 1032 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 1033 (unsigned long) len, (unsigned long) left); 1034 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1035 TLS_ALERT_DECODE_ERROR); 1036 return -1; 1037 } 1038 end = pos + len; 1039 if (len != TLS_VERIFY_DATA_LEN) { 1040 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 1041 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1042 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1043 TLS_ALERT_DECODE_ERROR); 1044 return -1; 1045 } 1046 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1047 pos, TLS_VERIFY_DATA_LEN); 1048 1049#ifdef CONFIG_TLSV12 1050 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1051 hlen = SHA256_MAC_LEN; 1052 if (conn->verify.sha256_client == NULL || 1053 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1054 < 0) { 1055 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1056 TLS_ALERT_INTERNAL_ERROR); 1057 conn->verify.sha256_client = NULL; 1058 return -1; 1059 } 1060 conn->verify.sha256_client = NULL; 1061 } else { 1062#endif /* CONFIG_TLSV12 */ 1063 1064 hlen = MD5_MAC_LEN; 1065 if (conn->verify.md5_client == NULL || 1066 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1067 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1068 TLS_ALERT_INTERNAL_ERROR); 1069 conn->verify.md5_client = NULL; 1070 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1071 conn->verify.sha1_client = NULL; 1072 return -1; 1073 } 1074 conn->verify.md5_client = NULL; 1075 hlen = SHA1_MAC_LEN; 1076 if (conn->verify.sha1_client == NULL || 1077 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1078 &hlen) < 0) { 1079 conn->verify.sha1_client = NULL; 1080 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1081 TLS_ALERT_INTERNAL_ERROR); 1082 return -1; 1083 } 1084 conn->verify.sha1_client = NULL; 1085 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1086 1087#ifdef CONFIG_TLSV12 1088 } 1089#endif /* CONFIG_TLSV12 */ 1090 1091 if (tls_prf(conn->rl.tls_version, 1092 conn->master_secret, TLS_MASTER_SECRET_LEN, 1093 "client finished", hash, hlen, 1094 verify_data, TLS_VERIFY_DATA_LEN)) { 1095 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1096 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1097 TLS_ALERT_DECRYPT_ERROR); 1098 return -1; 1099 } 1100 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1101 verify_data, TLS_VERIFY_DATA_LEN); 1102 1103 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1104 tlsv1_server_log(conn, "Mismatch in verify_data"); 1105 return -1; 1106 } 1107 1108 tlsv1_server_log(conn, "Received Finished"); 1109 1110 *in_len = end - in_data; 1111 1112 if (conn->use_session_ticket) { 1113 /* Abbreviated handshake using session ticket; RFC 4507 */ 1114 tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 1115 conn->state = ESTABLISHED; 1116 } else { 1117 /* Full handshake */ 1118 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1119 } 1120 1121 return 0; 1122} 1123 1124 1125int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1126 const u8 *buf, size_t *len) 1127{ 1128 if (ct == TLS_CONTENT_TYPE_ALERT) { 1129 if (*len < 2) { 1130 tlsv1_server_log(conn, "Alert underflow"); 1131 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1132 TLS_ALERT_DECODE_ERROR); 1133 return -1; 1134 } 1135 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 1136 *len = 2; 1137 conn->state = FAILED; 1138 return -1; 1139 } 1140 1141 switch (conn->state) { 1142 case CLIENT_HELLO: 1143 if (tls_process_client_hello(conn, ct, buf, len)) 1144 return -1; 1145 break; 1146 case CLIENT_CERTIFICATE: 1147 if (tls_process_certificate(conn, ct, buf, len)) 1148 return -1; 1149 break; 1150 case CLIENT_KEY_EXCHANGE: 1151 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1152 return -1; 1153 break; 1154 case CERTIFICATE_VERIFY: 1155 if (tls_process_certificate_verify(conn, ct, buf, len)) 1156 return -1; 1157 break; 1158 case CHANGE_CIPHER_SPEC: 1159 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1160 return -1; 1161 break; 1162 case CLIENT_FINISHED: 1163 if (tls_process_client_finished(conn, ct, buf, len)) 1164 return -1; 1165 break; 1166 default: 1167 tlsv1_server_log(conn, "Unexpected state %d while processing received message", 1168 conn->state); 1169 return -1; 1170 } 1171 1172 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1173 tls_verify_hash_add(&conn->verify, buf, *len); 1174 1175 return 0; 1176} 1177