1 /* 2 * TLSv1 Record Protocol 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "tlsv1_common.h" 16 #include "tlsv1_record.h" 17 18 19 /** 20 * tlsv1_record_set_cipher_suite - TLS record layer: Set cipher suite 21 * @rl: Pointer to TLS record layer data 22 * @cipher_suite: New cipher suite 23 * Returns: 0 on success, -1 on failure 24 * 25 * This function is used to prepare TLS record layer for cipher suite change. 26 * tlsv1_record_change_write_cipher() and 27 * tlsv1_record_change_read_cipher() functions can then be used to change the 28 * currently used ciphers. 29 */ 30 int tlsv1_record_set_cipher_suite(struct tlsv1_record_layer *rl, 31 u16 cipher_suite) 32 { 33 const struct tls_cipher_suite *suite; 34 const struct tls_cipher_data *data; 35 36 wpa_printf(MSG_DEBUG, "TLSv1: Selected cipher suite: 0x%04x", 37 cipher_suite); 38 rl->cipher_suite = cipher_suite; 39 40 suite = tls_get_cipher_suite(cipher_suite); 41 if (suite == NULL) 42 return -1; 43 44 if (suite->hash == TLS_HASH_MD5) { 45 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_MD5; 46 rl->hash_size = MD5_MAC_LEN; 47 } else if (suite->hash == TLS_HASH_SHA) { 48 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA1; 49 rl->hash_size = SHA1_MAC_LEN; 50 } else if (suite->hash == TLS_HASH_SHA256) { 51 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA256; 52 rl->hash_size = SHA256_MAC_LEN; 53 } 54 55 data = tls_get_cipher_data(suite->cipher); 56 if (data == NULL) 57 return -1; 58 59 rl->key_material_len = data->key_material; 60 rl->iv_size = data->block_size; 61 rl->cipher_alg = data->alg; 62 63 return 0; 64 } 65 66 67 /** 68 * tlsv1_record_change_write_cipher - TLS record layer: Change write cipher 69 * @rl: Pointer to TLS record layer data 70 * Returns: 0 on success (cipher changed), -1 on failure 71 * 72 * This function changes TLS record layer to use the new cipher suite 73 * configured with tlsv1_record_set_cipher_suite() for writing. 74 */ 75 int tlsv1_record_change_write_cipher(struct tlsv1_record_layer *rl) 76 { 77 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New write cipher suite " 78 "0x%04x", rl->cipher_suite); 79 rl->write_cipher_suite = rl->cipher_suite; 80 os_memset(rl->write_seq_num, 0, TLS_SEQ_NUM_LEN); 81 82 if (rl->write_cbc) { 83 crypto_cipher_deinit(rl->write_cbc); 84 rl->write_cbc = NULL; 85 } 86 if (rl->cipher_alg != CRYPTO_CIPHER_NULL) { 87 rl->write_cbc = crypto_cipher_init(rl->cipher_alg, 88 rl->write_iv, rl->write_key, 89 rl->key_material_len); 90 if (rl->write_cbc == NULL) { 91 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize " 92 "cipher"); 93 return -1; 94 } 95 } 96 97 return 0; 98 } 99 100 101 /** 102 * tlsv1_record_change_read_cipher - TLS record layer: Change read cipher 103 * @rl: Pointer to TLS record layer data 104 * Returns: 0 on success (cipher changed), -1 on failure 105 * 106 * This function changes TLS record layer to use the new cipher suite 107 * configured with tlsv1_record_set_cipher_suite() for reading. 108 */ 109 int tlsv1_record_change_read_cipher(struct tlsv1_record_layer *rl) 110 { 111 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New read cipher suite " 112 "0x%04x", rl->cipher_suite); 113 rl->read_cipher_suite = rl->cipher_suite; 114 os_memset(rl->read_seq_num, 0, TLS_SEQ_NUM_LEN); 115 116 if (rl->read_cbc) { 117 crypto_cipher_deinit(rl->read_cbc); 118 rl->read_cbc = NULL; 119 } 120 if (rl->cipher_alg != CRYPTO_CIPHER_NULL) { 121 rl->read_cbc = crypto_cipher_init(rl->cipher_alg, 122 rl->read_iv, rl->read_key, 123 rl->key_material_len); 124 if (rl->read_cbc == NULL) { 125 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize " 126 "cipher"); 127 return -1; 128 } 129 } 130 131 return 0; 132 } 133 134 135 /** 136 * tlsv1_record_send - TLS record layer: Send a message 137 * @rl: Pointer to TLS record layer data 138 * @content_type: Content type (TLS_CONTENT_TYPE_*) 139 * @buf: Buffer for the generated TLS message (needs to have extra space for 140 * header, IV (TLS v1.1), and HMAC) 141 * @buf_size: Maximum buf size 142 * @payload: Payload to be sent 143 * @payload_len: Length of the payload 144 * @out_len: Buffer for returning the used buf length 145 * Returns: 0 on success, -1 on failure 146 * 147 * This function fills in the TLS record layer header, adds HMAC, and encrypts 148 * the data using the current write cipher. 149 */ 150 int tlsv1_record_send(struct tlsv1_record_layer *rl, u8 content_type, u8 *buf, 151 size_t buf_size, const u8 *payload, size_t payload_len, 152 size_t *out_len) 153 { 154 u8 *pos, *ct_start, *length, *cpayload; 155 struct crypto_hash *hmac; 156 size_t clen; 157 int explicit_iv; 158 159 pos = buf; 160 if (pos + TLS_RECORD_HEADER_LEN > buf + buf_size) 161 return -1; 162 163 /* ContentType type */ 164 ct_start = pos; 165 *pos++ = content_type; 166 /* ProtocolVersion version */ 167 WPA_PUT_BE16(pos, rl->tls_version); 168 pos += 2; 169 /* uint16 length */ 170 length = pos; 171 WPA_PUT_BE16(length, payload_len); 172 pos += 2; 173 174 cpayload = pos; 175 explicit_iv = rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL && 176 rl->iv_size && rl->tls_version >= TLS_VERSION_1_1; 177 if (explicit_iv) { 178 /* opaque IV[Cipherspec.block_length] */ 179 if (pos + rl->iv_size > buf + buf_size) 180 return -1; 181 182 /* 183 * Use random number R per the RFC 4346, 6.2.3.2 CBC Block 184 * Cipher option 2a. 185 */ 186 187 if (os_get_random(pos, rl->iv_size)) 188 return -1; 189 pos += rl->iv_size; 190 } 191 192 /* 193 * opaque fragment[TLSPlaintext.length] 194 * (opaque content[TLSCompressed.length] in GenericBlockCipher) 195 */ 196 if (pos + payload_len > buf + buf_size) 197 return -1; 198 os_memmove(pos, payload, payload_len); 199 pos += payload_len; 200 201 if (rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL) { 202 /* 203 * MAC calculated over seq_num + TLSCompressed.type + 204 * TLSCompressed.version + TLSCompressed.length + 205 * TLSCompressed.fragment 206 */ 207 hmac = crypto_hash_init(rl->hash_alg, rl->write_mac_secret, 208 rl->hash_size); 209 if (hmac == NULL) { 210 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 211 "to initialize HMAC"); 212 return -1; 213 } 214 crypto_hash_update(hmac, rl->write_seq_num, TLS_SEQ_NUM_LEN); 215 /* type + version + length + fragment */ 216 crypto_hash_update(hmac, ct_start, TLS_RECORD_HEADER_LEN); 217 crypto_hash_update(hmac, payload, payload_len); 218 clen = buf + buf_size - pos; 219 if (clen < rl->hash_size) { 220 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Not " 221 "enough room for MAC"); 222 crypto_hash_finish(hmac, NULL, NULL); 223 return -1; 224 } 225 226 if (crypto_hash_finish(hmac, pos, &clen) < 0) { 227 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 228 "to calculate HMAC"); 229 return -1; 230 } 231 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Write HMAC", 232 pos, clen); 233 pos += clen; 234 if (rl->iv_size) { 235 size_t len = pos - cpayload; 236 size_t pad; 237 pad = (len + 1) % rl->iv_size; 238 if (pad) 239 pad = rl->iv_size - pad; 240 if (pos + pad + 1 > buf + buf_size) { 241 wpa_printf(MSG_DEBUG, "TLSv1: No room for " 242 "block cipher padding"); 243 return -1; 244 } 245 os_memset(pos, pad, pad + 1); 246 pos += pad + 1; 247 } 248 249 if (crypto_cipher_encrypt(rl->write_cbc, cpayload, 250 cpayload, pos - cpayload) < 0) 251 return -1; 252 } 253 254 WPA_PUT_BE16(length, pos - length - 2); 255 inc_byte_array(rl->write_seq_num, TLS_SEQ_NUM_LEN); 256 257 *out_len = pos - buf; 258 259 return 0; 260 } 261 262 263 /** 264 * tlsv1_record_receive - TLS record layer: Process a received message 265 * @rl: Pointer to TLS record layer data 266 * @in_data: Received data 267 * @in_len: Length of the received data 268 * @out_data: Buffer for output data (must be at least as long as in_data) 269 * @out_len: Set to maximum out_data length by caller; used to return the 270 * length of the used data 271 * @alert: Buffer for returning an alert value on failure 272 * Returns: Number of bytes used from in_data on success, 0 if record was not 273 * complete (more data needed), or -1 on failure 274 * 275 * This function decrypts the received message, verifies HMAC and TLS record 276 * layer header. 277 */ 278 int tlsv1_record_receive(struct tlsv1_record_layer *rl, 279 const u8 *in_data, size_t in_len, 280 u8 *out_data, size_t *out_len, u8 *alert) 281 { 282 size_t i, rlen, hlen; 283 u8 padlen; 284 struct crypto_hash *hmac; 285 u8 len[2], hash[100]; 286 int force_mac_error = 0; 287 u8 ct; 288 289 if (in_len < TLS_RECORD_HEADER_LEN) { 290 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (in_len=%lu) - " 291 "need more data", 292 (unsigned long) in_len); 293 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received", 294 in_data, in_len); 295 return 0; 296 } 297 298 ct = in_data[0]; 299 rlen = WPA_GET_BE16(in_data + 3); 300 wpa_printf(MSG_DEBUG, "TLSv1: Received content type %d version %d.%d " 301 "length %d", ct, in_data[1], in_data[2], (int) rlen); 302 303 /* 304 * TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the 305 * protocol version in record layer. As such, accept any {03,xx} value 306 * to remain compatible with existing implementations. 307 */ 308 if (in_data[1] != 0x03) { 309 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version " 310 "%u.%u", in_data[1], in_data[2]); 311 *alert = TLS_ALERT_PROTOCOL_VERSION; 312 return -1; 313 } 314 315 /* TLSCiphertext must not be more than 2^14+2048 bytes */ 316 if (TLS_RECORD_HEADER_LEN + rlen > 18432) { 317 wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)", 318 (unsigned long) (TLS_RECORD_HEADER_LEN + rlen)); 319 *alert = TLS_ALERT_RECORD_OVERFLOW; 320 return -1; 321 } 322 323 in_data += TLS_RECORD_HEADER_LEN; 324 in_len -= TLS_RECORD_HEADER_LEN; 325 326 if (rlen > in_len) { 327 wpa_printf(MSG_DEBUG, "TLSv1: Not all record data included " 328 "(rlen=%lu > in_len=%lu)", 329 (unsigned long) rlen, (unsigned long) in_len); 330 return 0; 331 } 332 333 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received", 334 in_data, rlen); 335 336 if (ct != TLS_CONTENT_TYPE_HANDSHAKE && 337 ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC && 338 ct != TLS_CONTENT_TYPE_ALERT && 339 ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 340 wpa_printf(MSG_DEBUG, "TLSv1: Ignore record with unknown " 341 "content type 0x%x", ct); 342 *alert = TLS_ALERT_UNEXPECTED_MESSAGE; 343 return -1; 344 } 345 346 in_len = rlen; 347 348 if (*out_len < in_len) { 349 wpa_printf(MSG_DEBUG, "TLSv1: Not enough output buffer for " 350 "processing received record"); 351 *alert = TLS_ALERT_INTERNAL_ERROR; 352 return -1; 353 } 354 355 if (rl->read_cipher_suite != TLS_NULL_WITH_NULL_NULL) { 356 size_t plen; 357 if (crypto_cipher_decrypt(rl->read_cbc, in_data, 358 out_data, in_len) < 0) { 359 *alert = TLS_ALERT_DECRYPTION_FAILED; 360 return -1; 361 } 362 plen = in_len; 363 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Record Layer - Decrypted " 364 "data", out_data, plen); 365 366 if (rl->iv_size) { 367 /* 368 * TLS v1.0 defines different alert values for various 369 * failures. That may information to aid in attacks, so 370 * use the same bad_record_mac alert regardless of the 371 * issues. 372 * 373 * In addition, instead of returning immediately on 374 * error, run through the MAC check to make timing 375 * attacks more difficult. 376 */ 377 378 if (rl->tls_version >= TLS_VERSION_1_1) { 379 /* Remove opaque IV[Cipherspec.block_length] */ 380 if (plen < rl->iv_size) { 381 wpa_printf(MSG_DEBUG, "TLSv1.1: Not " 382 "enough room for IV"); 383 force_mac_error = 1; 384 goto check_mac; 385 } 386 os_memmove(out_data, out_data + rl->iv_size, 387 plen - rl->iv_size); 388 plen -= rl->iv_size; 389 } 390 391 /* Verify and remove padding */ 392 if (plen == 0) { 393 wpa_printf(MSG_DEBUG, "TLSv1: Too short record" 394 " (no pad)"); 395 force_mac_error = 1; 396 goto check_mac; 397 } 398 padlen = out_data[plen - 1]; 399 if (padlen >= plen) { 400 wpa_printf(MSG_DEBUG, "TLSv1: Incorrect pad " 401 "length (%u, plen=%lu) in " 402 "received record", 403 padlen, (unsigned long) plen); 404 force_mac_error = 1; 405 goto check_mac; 406 } 407 for (i = plen - padlen - 1; i < plen - 1; i++) { 408 if (out_data[i] != padlen) { 409 wpa_hexdump(MSG_DEBUG, 410 "TLSv1: Invalid pad in " 411 "received record", 412 out_data + plen - padlen - 413 1, padlen + 1); 414 force_mac_error = 1; 415 goto check_mac; 416 } 417 } 418 419 plen -= padlen + 1; 420 421 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Record Layer - " 422 "Decrypted data with IV and padding " 423 "removed", out_data, plen); 424 } 425 426 check_mac: 427 if (plen < rl->hash_size) { 428 wpa_printf(MSG_DEBUG, "TLSv1: Too short record; no " 429 "hash value"); 430 *alert = TLS_ALERT_BAD_RECORD_MAC; 431 return -1; 432 } 433 434 plen -= rl->hash_size; 435 436 hmac = crypto_hash_init(rl->hash_alg, rl->read_mac_secret, 437 rl->hash_size); 438 if (hmac == NULL) { 439 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 440 "to initialize HMAC"); 441 *alert = TLS_ALERT_INTERNAL_ERROR; 442 return -1; 443 } 444 445 crypto_hash_update(hmac, rl->read_seq_num, TLS_SEQ_NUM_LEN); 446 /* type + version + length + fragment */ 447 crypto_hash_update(hmac, in_data - TLS_RECORD_HEADER_LEN, 3); 448 WPA_PUT_BE16(len, plen); 449 crypto_hash_update(hmac, len, 2); 450 crypto_hash_update(hmac, out_data, plen); 451 hlen = sizeof(hash); 452 if (crypto_hash_finish(hmac, hash, &hlen) < 0) { 453 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed " 454 "to calculate HMAC"); 455 *alert = TLS_ALERT_INTERNAL_ERROR; 456 return -1; 457 } 458 if (hlen != rl->hash_size || 459 os_memcmp(hash, out_data + plen, hlen) != 0 || 460 force_mac_error) { 461 wpa_printf(MSG_DEBUG, "TLSv1: Invalid HMAC value in " 462 "received message (force_mac_error=%d)", 463 force_mac_error); 464 *alert = TLS_ALERT_BAD_RECORD_MAC; 465 return -1; 466 } 467 468 *out_len = plen; 469 } else { 470 os_memcpy(out_data, in_data, in_len); 471 *out_len = in_len; 472 } 473 474 /* TLSCompressed must not be more than 2^14+1024 bytes */ 475 if (TLS_RECORD_HEADER_LEN + *out_len > 17408) { 476 wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)", 477 (unsigned long) (TLS_RECORD_HEADER_LEN + *out_len)); 478 *alert = TLS_ALERT_RECORD_OVERFLOW; 479 return -1; 480 } 481 482 inc_byte_array(rl->read_seq_num, TLS_SEQ_NUM_LEN); 483 484 return TLS_RECORD_HEADER_LEN + rlen; 485 } 486