tlsv1_server_read.c revision d7ff03d48f825360eec2a371e3361306f2fd721b
1/* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "x509v3.h" 17#include "tlsv1_common.h" 18#include "tlsv1_record.h" 19#include "tlsv1_server.h" 20#include "tlsv1_server_i.h" 21 22 23static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 24 const u8 *in_data, size_t *in_len); 25static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 26 u8 ct, const u8 *in_data, 27 size_t *in_len); 28 29 30static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite) 31{ 32#ifdef CONFIG_TESTING_OPTIONS 33 if ((conn->test_flags & 34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE | 35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 | 36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) && 37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 && 38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA && 39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 && 40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA && 41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 42 return 1; 43#endif /* CONFIG_TESTING_OPTIONS */ 44 45 return 0; 46} 47 48 49static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 50 const u8 *in_data, size_t *in_len) 51{ 52 const u8 *pos, *end, *c; 53 size_t left, len, i, j; 54 u16 cipher_suite; 55 u16 num_suites; 56 int compr_null_found; 57 u16 ext_type, ext_len; 58 59 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 60 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 61 ct); 62 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 63 TLS_ALERT_UNEXPECTED_MESSAGE); 64 return -1; 65 } 66 67 pos = in_data; 68 left = *in_len; 69 70 if (left < 4) 71 goto decode_error; 72 73 /* HandshakeType msg_type */ 74 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 75 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)", 76 *pos); 77 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 78 TLS_ALERT_UNEXPECTED_MESSAGE); 79 return -1; 80 } 81 tlsv1_server_log(conn, "Received ClientHello"); 82 pos++; 83 /* uint24 length */ 84 len = WPA_GET_BE24(pos); 85 pos += 3; 86 left -= 4; 87 88 if (len > left) 89 goto decode_error; 90 91 /* body - ClientHello */ 92 93 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 94 end = pos + len; 95 96 /* ProtocolVersion client_version */ 97 if (end - pos < 2) 98 goto decode_error; 99 conn->client_version = WPA_GET_BE16(pos); 100 tlsv1_server_log(conn, "Client version %d.%d", 101 conn->client_version >> 8, 102 conn->client_version & 0xff); 103 if (conn->client_version < TLS_VERSION_1) { 104 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u", 105 conn->client_version >> 8, 106 conn->client_version & 0xff); 107 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 108 TLS_ALERT_PROTOCOL_VERSION); 109 return -1; 110 } 111 pos += 2; 112 113 if (TLS_VERSION == TLS_VERSION_1) 114 conn->rl.tls_version = TLS_VERSION_1; 115#ifdef CONFIG_TLSV12 116 else if (conn->client_version >= TLS_VERSION_1_2) 117 conn->rl.tls_version = TLS_VERSION_1_2; 118#endif /* CONFIG_TLSV12 */ 119 else if (conn->client_version > TLS_VERSION_1_1) 120 conn->rl.tls_version = TLS_VERSION_1_1; 121 else 122 conn->rl.tls_version = conn->client_version; 123 tlsv1_server_log(conn, "Using TLS v%s", 124 tls_version_str(conn->rl.tls_version)); 125 126 /* Random random */ 127 if (end - pos < TLS_RANDOM_LEN) 128 goto decode_error; 129 130 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 131 pos += TLS_RANDOM_LEN; 132 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 133 conn->client_random, TLS_RANDOM_LEN); 134 135 /* SessionID session_id */ 136 if (end - pos < 1) 137 goto decode_error; 138 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 139 goto decode_error; 140 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 141 pos += 1 + *pos; 142 /* TODO: add support for session resumption */ 143 144 /* CipherSuite cipher_suites<2..2^16-1> */ 145 if (end - pos < 2) 146 goto decode_error; 147 num_suites = WPA_GET_BE16(pos); 148 pos += 2; 149 if (end - pos < num_suites) 150 goto decode_error; 151 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 152 pos, num_suites); 153 if (num_suites & 1) 154 goto decode_error; 155 num_suites /= 2; 156 157 cipher_suite = 0; 158 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 159 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i])) 160 continue; 161 c = pos; 162 for (j = 0; j < num_suites; j++) { 163 u16 tmp = WPA_GET_BE16(c); 164 c += 2; 165 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 166 cipher_suite = tmp; 167 break; 168 } 169 } 170 } 171 pos += num_suites * 2; 172 if (!cipher_suite) { 173 tlsv1_server_log(conn, "No supported cipher suite available"); 174 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 175 TLS_ALERT_ILLEGAL_PARAMETER); 176 return -1; 177 } 178 179 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 180 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 181 "record layer"); 182 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 183 TLS_ALERT_INTERNAL_ERROR); 184 return -1; 185 } 186 187 conn->cipher_suite = cipher_suite; 188 189 /* CompressionMethod compression_methods<1..2^8-1> */ 190 if (end - pos < 1) 191 goto decode_error; 192 num_suites = *pos++; 193 if (end - pos < num_suites) 194 goto decode_error; 195 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 196 pos, num_suites); 197 compr_null_found = 0; 198 for (i = 0; i < num_suites; i++) { 199 if (*pos++ == TLS_COMPRESSION_NULL) 200 compr_null_found = 1; 201 } 202 if (!compr_null_found) { 203 tlsv1_server_log(conn, "Client does not accept NULL compression"); 204 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 205 TLS_ALERT_ILLEGAL_PARAMETER); 206 return -1; 207 } 208 209 if (end - pos == 1) { 210 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x", 211 *pos); 212 goto decode_error; 213 } 214 215 if (end - pos >= 2) { 216 /* Extension client_hello_extension_list<0..2^16-1> */ 217 ext_len = WPA_GET_BE16(pos); 218 pos += 2; 219 220 tlsv1_server_log(conn, "%u bytes of ClientHello extensions", 221 ext_len); 222 if (end - pos != ext_len) { 223 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)", 224 ext_len, (unsigned int) (end - pos)); 225 goto decode_error; 226 } 227 228 /* 229 * struct { 230 * ExtensionType extension_type (0..65535) 231 * opaque extension_data<0..2^16-1> 232 * } Extension; 233 */ 234 235 while (pos < end) { 236 if (end - pos < 2) { 237 tlsv1_server_log(conn, "Invalid extension_type field"); 238 goto decode_error; 239 } 240 241 ext_type = WPA_GET_BE16(pos); 242 pos += 2; 243 244 if (end - pos < 2) { 245 tlsv1_server_log(conn, "Invalid extension_data length field"); 246 goto decode_error; 247 } 248 249 ext_len = WPA_GET_BE16(pos); 250 pos += 2; 251 252 if (end - pos < ext_len) { 253 tlsv1_server_log(conn, "Invalid extension_data field"); 254 goto decode_error; 255 } 256 257 tlsv1_server_log(conn, "ClientHello Extension type %u", 258 ext_type); 259 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 260 "Extension data", pos, ext_len); 261 262 if (ext_type == TLS_EXT_SESSION_TICKET) { 263 os_free(conn->session_ticket); 264 conn->session_ticket = os_malloc(ext_len); 265 if (conn->session_ticket) { 266 os_memcpy(conn->session_ticket, pos, 267 ext_len); 268 conn->session_ticket_len = ext_len; 269 } 270 } 271 272 pos += ext_len; 273 } 274 } 275 276 *in_len = end - in_data; 277 278 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello"); 279 conn->state = SERVER_HELLO; 280 281 return 0; 282 283decode_error: 284 tlsv1_server_log(conn, "Failed to decode ClientHello"); 285 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_DECODE_ERROR); 287 return -1; 288} 289 290 291static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 292 const u8 *in_data, size_t *in_len) 293{ 294 const u8 *pos, *end; 295 size_t left, len, list_len, cert_len, idx; 296 u8 type; 297 struct x509_certificate *chain = NULL, *last = NULL, *cert; 298 int reason; 299 300 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 301 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 302 ct); 303 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 304 TLS_ALERT_UNEXPECTED_MESSAGE); 305 return -1; 306 } 307 308 pos = in_data; 309 left = *in_len; 310 311 if (left < 4) { 312 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)", 313 (unsigned long) left); 314 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 315 TLS_ALERT_DECODE_ERROR); 316 return -1; 317 } 318 319 type = *pos++; 320 len = WPA_GET_BE24(pos); 321 pos += 3; 322 left -= 4; 323 324 if (len > left) { 325 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)", 326 (unsigned long) len, (unsigned long) left); 327 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 328 TLS_ALERT_DECODE_ERROR); 329 return -1; 330 } 331 332 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 333 if (conn->verify_peer) { 334 tlsv1_server_log(conn, "Client did not include Certificate"); 335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 336 TLS_ALERT_UNEXPECTED_MESSAGE); 337 return -1; 338 } 339 340 return tls_process_client_key_exchange(conn, ct, in_data, 341 in_len); 342 } 343 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 344 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)", 345 type); 346 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 347 TLS_ALERT_UNEXPECTED_MESSAGE); 348 return -1; 349 } 350 351 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)", 352 (unsigned long) len); 353 354 /* 355 * opaque ASN.1Cert<2^24-1>; 356 * 357 * struct { 358 * ASN.1Cert certificate_list<1..2^24-1>; 359 * } Certificate; 360 */ 361 362 end = pos + len; 363 364 if (end - pos < 3) { 365 tlsv1_server_log(conn, "Too short Certificate (left=%lu)", 366 (unsigned long) left); 367 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 368 TLS_ALERT_DECODE_ERROR); 369 return -1; 370 } 371 372 list_len = WPA_GET_BE24(pos); 373 pos += 3; 374 375 if ((size_t) (end - pos) != list_len) { 376 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)", 377 (unsigned long) list_len, 378 (unsigned long) (end - pos)); 379 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 380 TLS_ALERT_DECODE_ERROR); 381 return -1; 382 } 383 384 idx = 0; 385 while (pos < end) { 386 if (end - pos < 3) { 387 tlsv1_server_log(conn, "Failed to parse certificate_list"); 388 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 389 TLS_ALERT_DECODE_ERROR); 390 x509_certificate_chain_free(chain); 391 return -1; 392 } 393 394 cert_len = WPA_GET_BE24(pos); 395 pos += 3; 396 397 if ((size_t) (end - pos) < cert_len) { 398 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)", 399 (unsigned long) cert_len, 400 (unsigned long) (end - pos)); 401 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 402 TLS_ALERT_DECODE_ERROR); 403 x509_certificate_chain_free(chain); 404 return -1; 405 } 406 407 tlsv1_server_log(conn, "Certificate %lu (len %lu)", 408 (unsigned long) idx, (unsigned long) cert_len); 409 410 if (idx == 0) { 411 crypto_public_key_free(conn->client_rsa_key); 412 if (tls_parse_cert(pos, cert_len, 413 &conn->client_rsa_key)) { 414 tlsv1_server_log(conn, "Failed to parse the certificate"); 415 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 416 TLS_ALERT_BAD_CERTIFICATE); 417 x509_certificate_chain_free(chain); 418 return -1; 419 } 420 } 421 422 cert = x509_certificate_parse(pos, cert_len); 423 if (cert == NULL) { 424 tlsv1_server_log(conn, "Failed to parse the certificate"); 425 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 426 TLS_ALERT_BAD_CERTIFICATE); 427 x509_certificate_chain_free(chain); 428 return -1; 429 } 430 431 if (last == NULL) 432 chain = cert; 433 else 434 last->next = cert; 435 last = cert; 436 437 idx++; 438 pos += cert_len; 439 } 440 441 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 442 &reason, 0) < 0) { 443 int tls_reason; 444 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)", 445 reason); 446 switch (reason) { 447 case X509_VALIDATE_BAD_CERTIFICATE: 448 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 449 break; 450 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 451 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 452 break; 453 case X509_VALIDATE_CERTIFICATE_REVOKED: 454 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 455 break; 456 case X509_VALIDATE_CERTIFICATE_EXPIRED: 457 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 458 break; 459 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 460 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 461 break; 462 case X509_VALIDATE_UNKNOWN_CA: 463 tls_reason = TLS_ALERT_UNKNOWN_CA; 464 break; 465 default: 466 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 467 break; 468 } 469 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 470 x509_certificate_chain_free(chain); 471 return -1; 472 } 473 474 if (chain && (chain->extensions_present & X509_EXT_EXT_KEY_USAGE) && 475 !(chain->ext_key_usage & 476 (X509_EXT_KEY_USAGE_ANY | X509_EXT_KEY_USAGE_CLIENT_AUTH))) { 477 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 478 TLS_ALERT_BAD_CERTIFICATE); 479 x509_certificate_chain_free(chain); 480 return -1; 481 } 482 483 x509_certificate_chain_free(chain); 484 485 *in_len = end - in_data; 486 487 conn->state = CLIENT_KEY_EXCHANGE; 488 489 return 0; 490} 491 492 493static int tls_process_client_key_exchange_rsa( 494 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 495{ 496 u8 *out; 497 size_t outlen, outbuflen; 498 u16 encr_len; 499 int res; 500 int use_random = 0; 501 502 if (end - pos < 2) { 503 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 504 TLS_ALERT_DECODE_ERROR); 505 return -1; 506 } 507 508 encr_len = WPA_GET_BE16(pos); 509 pos += 2; 510 if (pos + encr_len > end) { 511 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u", 512 encr_len, (unsigned int) (end - pos)); 513 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 514 TLS_ALERT_DECODE_ERROR); 515 return -1; 516 } 517 518 outbuflen = outlen = end - pos; 519 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 520 outlen : TLS_PRE_MASTER_SECRET_LEN); 521 if (out == NULL) { 522 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 523 TLS_ALERT_INTERNAL_ERROR); 524 return -1; 525 } 526 527 /* 528 * struct { 529 * ProtocolVersion client_version; 530 * opaque random[46]; 531 * } PreMasterSecret; 532 * 533 * struct { 534 * public-key-encrypted PreMasterSecret pre_master_secret; 535 * } EncryptedPreMasterSecret; 536 */ 537 538 /* 539 * Note: To avoid Bleichenbacher attack, we do not report decryption or 540 * parsing errors from EncryptedPreMasterSecret processing to the 541 * client. Instead, a random pre-master secret is used to force the 542 * handshake to fail. 543 */ 544 545 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 546 pos, encr_len, 547 out, &outlen) < 0) { 548 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 549 "PreMasterSecret (encr_len=%u outlen=%lu)", 550 encr_len, (unsigned long) outlen); 551 use_random = 1; 552 } 553 554 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 555 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu", 556 (unsigned long) outlen); 557 use_random = 1; 558 } 559 560 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 561 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello"); 562 use_random = 1; 563 } 564 565 if (use_random) { 566 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 567 "to avoid revealing information about private key"); 568 outlen = TLS_PRE_MASTER_SECRET_LEN; 569 if (os_get_random(out, outlen)) { 570 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 571 "data"); 572 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 573 TLS_ALERT_INTERNAL_ERROR); 574 os_free(out); 575 return -1; 576 } 577 } 578 579 res = tlsv1_server_derive_keys(conn, out, outlen); 580 581 /* Clear the pre-master secret since it is not needed anymore */ 582 os_memset(out, 0, outbuflen); 583 os_free(out); 584 585 if (res) { 586 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 587 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 588 TLS_ALERT_INTERNAL_ERROR); 589 return -1; 590 } 591 592 return 0; 593} 594 595 596static int tls_process_client_key_exchange_dh( 597 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 598{ 599 const u8 *dh_yc; 600 u16 dh_yc_len; 601 u8 *shared; 602 size_t shared_len; 603 int res; 604 const u8 *dh_p; 605 size_t dh_p_len; 606 607 /* 608 * struct { 609 * select (PublicValueEncoding) { 610 * case implicit: struct { }; 611 * case explicit: opaque dh_Yc<1..2^16-1>; 612 * } dh_public; 613 * } ClientDiffieHellmanPublic; 614 */ 615 616 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received"); 617 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 618 pos, end - pos); 619 620 if (end == pos) { 621 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 622 "not supported"); 623 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 624 TLS_ALERT_INTERNAL_ERROR); 625 return -1; 626 } 627 628 if (end - pos < 3) { 629 tlsv1_server_log(conn, "Invalid client public value length"); 630 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 631 TLS_ALERT_DECODE_ERROR); 632 return -1; 633 } 634 635 dh_yc_len = WPA_GET_BE16(pos); 636 dh_yc = pos + 2; 637 638 if (dh_yc_len > end - dh_yc) { 639 tlsv1_server_log(conn, "Client public value overflow (length %d)", 640 dh_yc_len); 641 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 642 TLS_ALERT_DECODE_ERROR); 643 return -1; 644 } 645 646 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 647 dh_yc, dh_yc_len); 648 649 if (conn->cred == NULL || conn->cred->dh_p == NULL || 650 conn->dh_secret == NULL) { 651 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 652 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 653 TLS_ALERT_INTERNAL_ERROR); 654 return -1; 655 } 656 657 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 658 659 shared_len = dh_p_len; 660 shared = os_malloc(shared_len); 661 if (shared == NULL) { 662 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 663 "DH"); 664 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 665 TLS_ALERT_INTERNAL_ERROR); 666 return -1; 667 } 668 669 /* shared = Yc^secret mod p */ 670 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 671 conn->dh_secret_len, dh_p, dh_p_len, 672 shared, &shared_len)) { 673 os_free(shared); 674 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 675 TLS_ALERT_INTERNAL_ERROR); 676 return -1; 677 } 678 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 679 shared, shared_len); 680 681 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 682 os_free(conn->dh_secret); 683 conn->dh_secret = NULL; 684 685 res = tlsv1_server_derive_keys(conn, shared, shared_len); 686 687 /* Clear the pre-master secret since it is not needed anymore */ 688 os_memset(shared, 0, shared_len); 689 os_free(shared); 690 691 if (res) { 692 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 693 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 694 TLS_ALERT_INTERNAL_ERROR); 695 return -1; 696 } 697 698 return 0; 699} 700 701 702static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 703 const u8 *in_data, size_t *in_len) 704{ 705 const u8 *pos, *end; 706 size_t left, len; 707 u8 type; 708 tls_key_exchange keyx; 709 const struct tls_cipher_suite *suite; 710 711 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 712 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 713 ct); 714 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 715 TLS_ALERT_UNEXPECTED_MESSAGE); 716 return -1; 717 } 718 719 pos = in_data; 720 left = *in_len; 721 722 if (left < 4) { 723 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)", 724 (unsigned long) left); 725 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 726 TLS_ALERT_DECODE_ERROR); 727 return -1; 728 } 729 730 type = *pos++; 731 len = WPA_GET_BE24(pos); 732 pos += 3; 733 left -= 4; 734 735 if (len > left) { 736 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)", 737 (unsigned long) len, (unsigned long) left); 738 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 739 TLS_ALERT_DECODE_ERROR); 740 return -1; 741 } 742 743 end = pos + len; 744 745 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 746 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)", 747 type); 748 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 749 TLS_ALERT_UNEXPECTED_MESSAGE); 750 return -1; 751 } 752 753 tlsv1_server_log(conn, "Received ClientKeyExchange"); 754 755 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 756 757 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 758 if (suite == NULL) 759 keyx = TLS_KEY_X_NULL; 760 else 761 keyx = suite->key_exchange; 762 763 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) && 764 tls_process_client_key_exchange_dh(conn, pos, end) < 0) 765 return -1; 766 767 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA && 768 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 769 return -1; 770 771 *in_len = end - in_data; 772 773 conn->state = CERTIFICATE_VERIFY; 774 775 return 0; 776} 777 778 779static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 780 const u8 *in_data, size_t *in_len) 781{ 782 const u8 *pos, *end; 783 size_t left, len; 784 u8 type; 785 size_t hlen; 786 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 787 u8 alert; 788 789 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 790 if (conn->verify_peer) { 791 tlsv1_server_log(conn, "Client did not include CertificateVerify"); 792 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 793 TLS_ALERT_UNEXPECTED_MESSAGE); 794 return -1; 795 } 796 797 return tls_process_change_cipher_spec(conn, ct, in_data, 798 in_len); 799 } 800 801 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 802 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x", 803 ct); 804 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 805 TLS_ALERT_UNEXPECTED_MESSAGE); 806 return -1; 807 } 808 809 pos = in_data; 810 left = *in_len; 811 812 if (left < 4) { 813 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)", 814 (unsigned long) left); 815 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 816 TLS_ALERT_DECODE_ERROR); 817 return -1; 818 } 819 820 type = *pos++; 821 len = WPA_GET_BE24(pos); 822 pos += 3; 823 left -= 4; 824 825 if (len > left) { 826 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)", 827 (unsigned long) len, (unsigned long) left); 828 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 829 TLS_ALERT_DECODE_ERROR); 830 return -1; 831 } 832 833 end = pos + len; 834 835 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 836 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)", 837 type); 838 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 839 TLS_ALERT_UNEXPECTED_MESSAGE); 840 return -1; 841 } 842 843 tlsv1_server_log(conn, "Received CertificateVerify"); 844 845 /* 846 * struct { 847 * Signature signature; 848 * } CertificateVerify; 849 */ 850 851 hpos = hash; 852 853#ifdef CONFIG_TLSV12 854 if (conn->rl.tls_version == TLS_VERSION_1_2) { 855 /* 856 * RFC 5246, 4.7: 857 * TLS v1.2 adds explicit indication of the used signature and 858 * hash algorithms. 859 * 860 * struct { 861 * HashAlgorithm hash; 862 * SignatureAlgorithm signature; 863 * } SignatureAndHashAlgorithm; 864 */ 865 if (end - pos < 2) { 866 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 867 TLS_ALERT_DECODE_ERROR); 868 return -1; 869 } 870 if (pos[0] != TLS_HASH_ALG_SHA256 || 871 pos[1] != TLS_SIGN_ALG_RSA) { 872 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/" 873 "signature(%u) algorithm", 874 pos[0], pos[1]); 875 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 876 TLS_ALERT_INTERNAL_ERROR); 877 return -1; 878 } 879 pos += 2; 880 881 hlen = SHA256_MAC_LEN; 882 if (conn->verify.sha256_cert == NULL || 883 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 884 0) { 885 conn->verify.sha256_cert = NULL; 886 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 887 TLS_ALERT_INTERNAL_ERROR); 888 return -1; 889 } 890 conn->verify.sha256_cert = NULL; 891 } else { 892#endif /* CONFIG_TLSV12 */ 893 894 hlen = MD5_MAC_LEN; 895 if (conn->verify.md5_cert == NULL || 896 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 897 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 898 TLS_ALERT_INTERNAL_ERROR); 899 conn->verify.md5_cert = NULL; 900 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 901 conn->verify.sha1_cert = NULL; 902 return -1; 903 } 904 hpos += MD5_MAC_LEN; 905 906 conn->verify.md5_cert = NULL; 907 hlen = SHA1_MAC_LEN; 908 if (conn->verify.sha1_cert == NULL || 909 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 910 conn->verify.sha1_cert = NULL; 911 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 912 TLS_ALERT_INTERNAL_ERROR); 913 return -1; 914 } 915 conn->verify.sha1_cert = NULL; 916 917 hlen += MD5_MAC_LEN; 918 919#ifdef CONFIG_TLSV12 920 } 921#endif /* CONFIG_TLSV12 */ 922 923 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 924 925 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key, 926 hash, hlen, pos, end - pos, &alert) < 0) { 927 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify"); 928 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 929 return -1; 930 } 931 932 *in_len = end - in_data; 933 934 conn->state = CHANGE_CIPHER_SPEC; 935 936 return 0; 937} 938 939 940static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 941 u8 ct, const u8 *in_data, 942 size_t *in_len) 943{ 944 const u8 *pos; 945 size_t left; 946 947 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 948 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x", 949 ct); 950 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 951 TLS_ALERT_UNEXPECTED_MESSAGE); 952 return -1; 953 } 954 955 pos = in_data; 956 left = *in_len; 957 958 if (left < 1) { 959 tlsv1_server_log(conn, "Too short ChangeCipherSpec"); 960 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 961 TLS_ALERT_DECODE_ERROR); 962 return -1; 963 } 964 965 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 966 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x", 967 *pos); 968 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 969 TLS_ALERT_UNEXPECTED_MESSAGE); 970 return -1; 971 } 972 973 tlsv1_server_log(conn, "Received ChangeCipherSpec"); 974 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 975 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 976 "for record layer"); 977 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 978 TLS_ALERT_INTERNAL_ERROR); 979 return -1; 980 } 981 982 *in_len = pos + 1 - in_data; 983 984 conn->state = CLIENT_FINISHED; 985 986 return 0; 987} 988 989 990static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 991 const u8 *in_data, size_t *in_len) 992{ 993 const u8 *pos, *end; 994 size_t left, len, hlen; 995 u8 verify_data[TLS_VERIFY_DATA_LEN]; 996 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 997 998#ifdef CONFIG_TESTING_OPTIONS 999 if ((conn->test_flags & 1000 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) && 1001 !conn->test_failure_reported) { 1002 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange"); 1003 conn->test_failure_reported = 1; 1004 } 1005 1006 if ((conn->test_flags & TLS_DHE_PRIME_15) && 1007 !conn->test_failure_reported) { 1008 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15"); 1009 conn->test_failure_reported = 1; 1010 } 1011 1012 if ((conn->test_flags & TLS_DHE_PRIME_58B) && 1013 !conn->test_failure_reported) { 1014 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container"); 1015 conn->test_failure_reported = 1; 1016 } 1017 1018 if ((conn->test_flags & TLS_DHE_PRIME_511B) && 1019 !conn->test_failure_reported) { 1020 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)"); 1021 conn->test_failure_reported = 1; 1022 } 1023 1024 if ((conn->test_flags & TLS_DHE_PRIME_767B) && 1025 !conn->test_failure_reported) { 1026 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)"); 1027 conn->test_failure_reported = 1; 1028 } 1029 1030 if ((conn->test_flags & TLS_DHE_NON_PRIME) && 1031 !conn->test_failure_reported) { 1032 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime"); 1033 conn->test_failure_reported = 1; 1034 } 1035#endif /* CONFIG_TESTING_OPTIONS */ 1036 1037 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 1038 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x", 1039 ct); 1040 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1041 TLS_ALERT_UNEXPECTED_MESSAGE); 1042 return -1; 1043 } 1044 1045 pos = in_data; 1046 left = *in_len; 1047 1048 if (left < 4) { 1049 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished", 1050 (unsigned long) left); 1051 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1052 TLS_ALERT_DECODE_ERROR); 1053 return -1; 1054 } 1055 1056 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1057 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1058 "type 0x%x", pos[0]); 1059 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1060 TLS_ALERT_UNEXPECTED_MESSAGE); 1061 return -1; 1062 } 1063 1064 len = WPA_GET_BE24(pos + 1); 1065 1066 pos += 4; 1067 left -= 4; 1068 1069 if (len > left) { 1070 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)", 1071 (unsigned long) len, (unsigned long) left); 1072 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1073 TLS_ALERT_DECODE_ERROR); 1074 return -1; 1075 } 1076 end = pos + len; 1077 if (len != TLS_VERIFY_DATA_LEN) { 1078 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)", 1079 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1080 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1081 TLS_ALERT_DECODE_ERROR); 1082 return -1; 1083 } 1084 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1085 pos, TLS_VERIFY_DATA_LEN); 1086 1087#ifdef CONFIG_TLSV12 1088 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 1089 hlen = SHA256_MAC_LEN; 1090 if (conn->verify.sha256_client == NULL || 1091 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 1092 < 0) { 1093 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1094 TLS_ALERT_INTERNAL_ERROR); 1095 conn->verify.sha256_client = NULL; 1096 return -1; 1097 } 1098 conn->verify.sha256_client = NULL; 1099 } else { 1100#endif /* CONFIG_TLSV12 */ 1101 1102 hlen = MD5_MAC_LEN; 1103 if (conn->verify.md5_client == NULL || 1104 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1105 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1106 TLS_ALERT_INTERNAL_ERROR); 1107 conn->verify.md5_client = NULL; 1108 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1109 conn->verify.sha1_client = NULL; 1110 return -1; 1111 } 1112 conn->verify.md5_client = NULL; 1113 hlen = SHA1_MAC_LEN; 1114 if (conn->verify.sha1_client == NULL || 1115 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1116 &hlen) < 0) { 1117 conn->verify.sha1_client = NULL; 1118 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1119 TLS_ALERT_INTERNAL_ERROR); 1120 return -1; 1121 } 1122 conn->verify.sha1_client = NULL; 1123 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 1124 1125#ifdef CONFIG_TLSV12 1126 } 1127#endif /* CONFIG_TLSV12 */ 1128 1129 if (tls_prf(conn->rl.tls_version, 1130 conn->master_secret, TLS_MASTER_SECRET_LEN, 1131 "client finished", hash, hlen, 1132 verify_data, TLS_VERIFY_DATA_LEN)) { 1133 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1134 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1135 TLS_ALERT_DECRYPT_ERROR); 1136 return -1; 1137 } 1138 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1139 verify_data, TLS_VERIFY_DATA_LEN); 1140 1141 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1142 tlsv1_server_log(conn, "Mismatch in verify_data"); 1143 return -1; 1144 } 1145 1146 tlsv1_server_log(conn, "Received Finished"); 1147 1148 *in_len = end - in_data; 1149 1150 if (conn->use_session_ticket) { 1151 /* Abbreviated handshake using session ticket; RFC 4507 */ 1152 tlsv1_server_log(conn, "Abbreviated handshake completed successfully"); 1153 conn->state = ESTABLISHED; 1154 } else { 1155 /* Full handshake */ 1156 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1157 } 1158 1159 return 0; 1160} 1161 1162 1163int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1164 const u8 *buf, size_t *len) 1165{ 1166 if (ct == TLS_CONTENT_TYPE_ALERT) { 1167 if (*len < 2) { 1168 tlsv1_server_log(conn, "Alert underflow"); 1169 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1170 TLS_ALERT_DECODE_ERROR); 1171 return -1; 1172 } 1173 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]); 1174 *len = 2; 1175 conn->state = FAILED; 1176 return -1; 1177 } 1178 1179 switch (conn->state) { 1180 case CLIENT_HELLO: 1181 if (tls_process_client_hello(conn, ct, buf, len)) 1182 return -1; 1183 break; 1184 case CLIENT_CERTIFICATE: 1185 if (tls_process_certificate(conn, ct, buf, len)) 1186 return -1; 1187 break; 1188 case CLIENT_KEY_EXCHANGE: 1189 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1190 return -1; 1191 break; 1192 case CERTIFICATE_VERIFY: 1193 if (tls_process_certificate_verify(conn, ct, buf, len)) 1194 return -1; 1195 break; 1196 case CHANGE_CIPHER_SPEC: 1197 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1198 return -1; 1199 break; 1200 case CLIENT_FINISHED: 1201 if (tls_process_client_finished(conn, ct, buf, len)) 1202 return -1; 1203 break; 1204 default: 1205 tlsv1_server_log(conn, "Unexpected state %d while processing received message", 1206 conn->state); 1207 return -1; 1208 } 1209 1210 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1211 tls_verify_hash_add(&conn->verify, buf, *len); 1212 1213 return 0; 1214} 1215