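/*
 * TLSv1 server - read handshake message
 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#include "includes.h"

#include "common.h"
#include "crypto/md5.h"
#include "crypto/sha1.h"
#include "crypto/tls.h"
#include "x509v3.h"
#include "tlsv1_common.h"
#include "tlsv1_record.h"
#include "tlsv1_server.h"
#include "tlsv1_server_i.h"


static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
					   const u8 *in_data, size_t *in_len);
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
					  u8 ct, const u8 *in_data,
					  size_t *in_len);


/**
 * tls_process_client_hello - Parse a ClientHello handshake message
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received message
 * @in_data: Handshake message, starting at the HandshakeType octet
 * @in_len: On input, number of bytes available in in_data; on success,
 *	set to the number of bytes consumed
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * Validates client_version, copies client_random, selects the first suite in
 * the server's configured list that the client also offers (server
 * preference order), requires the NULL compression method and stores a
 * SessionTicket extension (RFC 4507) if one is present. On success
 * conn->state is moved to SERVER_HELLO.
 */
static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
				    const u8 *in_data, size_t *in_len)
{
	const u8 *pos, *end, *c;
	size_t left, len, i, j;
	u16 cipher_suite;
	u16 num_suites;
	int compr_null_found;
	u16 ext_type, ext_len, ext_list_len;

	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
			   "received content type 0x%x", ct);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	pos = in_data;
	left = *in_len;

	/* HandshakeType (1) + uint24 length (3) */
	if (left < 4)
		goto decode_error;

	/* HandshakeType msg_type */
	if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
			   "message %d (expected ClientHello)", *pos);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}
	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
	pos++;
	/* uint24 length */
	len = WPA_GET_BE24(pos);
	pos += 3;
	left -= 4;

	if (len > left)
		goto decode_error;

	/* body - ClientHello */

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
	end = pos + len;

	/* ProtocolVersion client_version */
	if (end - pos < 2)
		goto decode_error;
	conn->client_version = WPA_GET_BE16(pos);
	wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
		   conn->client_version >> 8, conn->client_version & 0xff);
	if (conn->client_version < TLS_VERSION) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
			   "ClientHello");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_PROTOCOL_VERSION);
		return -1;
	}
	pos += 2;

	/* Random random */
	if (end - pos < TLS_RANDOM_LEN)
		goto decode_error;

	os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
	pos += TLS_RANDOM_LEN;
	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
		    conn->client_random, TLS_RANDOM_LEN);

	/* SessionID session_id */
	if (end - pos < 1)
		goto decode_error;
	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
		goto decode_error;
	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
	pos += 1 + *pos;
	/* TODO: add support for session resumption */

	/* CipherSuite cipher_suites<2..2^16-1> */
	if (end - pos < 2)
		goto decode_error;
	num_suites = WPA_GET_BE16(pos);
	pos += 2;
	if (end - pos < num_suites)
		goto decode_error;
	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
		    pos, num_suites);
	/* each CipherSuite is exactly two octets */
	if (num_suites & 1)
		goto decode_error;
	num_suites /= 2;

	/*
	 * Iterate the server's list in the outer loop so that the server's
	 * preference order, not the client's, decides the selected suite.
	 */
	cipher_suite = 0;
	for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
		c = pos;
		for (j = 0; j < num_suites; j++) {
			u16 tmp = WPA_GET_BE16(c);
			c += 2;
			if (tmp == conn->cipher_suites[i]) {
				cipher_suite = tmp;
				break;
			}
		}
	}
	pos += num_suites * 2;
	if (!cipher_suite) {
		wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
			   "available");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_ILLEGAL_PARAMETER);
		return -1;
	}

	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
			   "record layer");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	conn->cipher_suite = cipher_suite;

	/* CompressionMethod compression_methods<1..2^8-1> */
	if (end - pos < 1)
		goto decode_error;
	num_suites = *pos++;
	if (end - pos < num_suites)
		goto decode_error;
	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
		    pos, num_suites);
	compr_null_found = 0;
	for (i = 0; i < num_suites; i++) {
		if (*pos++ == TLS_COMPRESSION_NULL)
			compr_null_found = 1;
	}
	if (!compr_null_found) {
		wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
			   "compression");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_ILLEGAL_PARAMETER);
		return -1;
	}

	/* A single trailing octet cannot be a valid extension list length */
	if (end - pos == 1) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
			   "end of ClientHello: 0x%02x", *pos);
		goto decode_error;
	}

	if (end - pos >= 2) {
		/* Extension client_hello_extension_list<0..2^16-1> */
		ext_list_len = WPA_GET_BE16(pos);
		pos += 2;

		wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
			   "extensions", ext_list_len);
		if (end - pos != ext_list_len) {
			wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
				   "extension list length %u (expected %u)",
				   ext_list_len, (unsigned int) (end - pos));
			goto decode_error;
		}

		/*
		 * struct {
		 *   ExtensionType extension_type (0..65535)
		 *   opaque extension_data<0..2^16-1>
		 * } Extension;
		 */

		while (pos < end) {
			if (end - pos < 2) {
				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
					   "extension_type field");
				goto decode_error;
			}

			ext_type = WPA_GET_BE16(pos);
			pos += 2;

			if (end - pos < 2) {
				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
					   "extension_data length field");
				goto decode_error;
			}

			ext_len = WPA_GET_BE16(pos);
			pos += 2;

			if (end - pos < ext_len) {
				wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
					   "extension_data field");
				goto decode_error;
			}

			wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
				   "type %u", ext_type);
			wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
				    "Extension data", pos, ext_len);

			if (ext_type == TLS_EXT_SESSION_TICKET) {
				/*
				 * Replace any earlier ticket; keep the
				 * stored length consistent with the pointer
				 * when the allocation fails.
				 */
				os_free(conn->session_ticket);
				conn->session_ticket = os_malloc(ext_len);
				if (conn->session_ticket) {
					os_memcpy(conn->session_ticket, pos,
						  ext_len);
					conn->session_ticket_len = ext_len;
				} else {
					conn->session_ticket_len = 0;
				}
			}

			pos += ext_len;
		}
	}

	*in_len = end - in_data;

	wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
		   "ServerHello");
	conn->state = SERVER_HELLO;

	return 0;

decode_error:
	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
	tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
			   TLS_ALERT_DECODE_ERROR);
	return -1;
}


/**
 * tls_x509_reason_to_alert - Map a chain validation reason to a TLS alert
 * @reason: X509_VALIDATE_* value reported by x509_certificate_chain_validate()
 * Returns: TLS_ALERT_* description to send to the peer
 */
static int tls_x509_reason_to_alert(int reason)
{
	switch (reason) {
	case X509_VALIDATE_BAD_CERTIFICATE:
		return TLS_ALERT_BAD_CERTIFICATE;
	case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
		return TLS_ALERT_UNSUPPORTED_CERTIFICATE;
	case X509_VALIDATE_CERTIFICATE_REVOKED:
		return TLS_ALERT_CERTIFICATE_REVOKED;
	case X509_VALIDATE_CERTIFICATE_EXPIRED:
		return TLS_ALERT_CERTIFICATE_EXPIRED;
	case X509_VALIDATE_CERTIFICATE_UNKNOWN:
		return TLS_ALERT_CERTIFICATE_UNKNOWN;
	case X509_VALIDATE_UNKNOWN_CA:
		return TLS_ALERT_UNKNOWN_CA;
	default:
		return TLS_ALERT_BAD_CERTIFICATE;
	}
}


/**
 * tls_process_certificate - Parse the client Certificate message
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received message
 * @in_data: Handshake message, starting at the HandshakeType octet
 * @in_len: On input, number of bytes available in in_data; on success,
 *	set to the number of bytes consumed
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * If the client skipped the Certificate message and sent ClientKeyExchange
 * directly, the message is forwarded to tls_process_client_key_exchange()
 * unless conn->verify_peer requires client authentication. Otherwise the
 * certificate_list is parsed, the first certificate's public key is stored
 * in conn->client_rsa_key and the whole chain is validated against
 * conn->cred->trusted_certs. On success conn->state is moved to
 * CLIENT_KEY_EXCHANGE.
 */
static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
				   const u8 *in_data, size_t *in_len)
{
	const u8 *pos, *end;
	size_t left, len, list_len, cert_len, idx;
	u8 type;
	struct x509_certificate *chain = NULL, *last = NULL, *cert;
	int reason;

	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
			   "received content type 0x%x", ct);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	pos = in_data;
	left = *in_len;

	if (left < 4) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
			   "(len=%lu)", (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	type = *pos++;
	len = WPA_GET_BE24(pos);
	pos += 3;
	left -= 4;

	if (len > left) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
			   "length (len=%lu != left=%lu)",
			   (unsigned long) len, (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
		/* Certificate is optional unless the peer must be verified */
		if (conn->verify_peer) {
			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
				   "Certificate");
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_UNEXPECTED_MESSAGE);
			return -1;
		}

		return tls_process_client_key_exchange(conn, ct, in_data,
						       in_len);
	}
	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
			   "message %d (expected Certificate/"
			   "ClientKeyExchange)", type);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	wpa_printf(MSG_DEBUG,
		   "TLSv1: Received Certificate (certificate_list len %lu)",
		   (unsigned long) len);

	/*
	 * opaque ASN.1Cert<2^24-1>;
	 *
	 * struct {
	 *     ASN.1Cert certificate_list<1..2^24-1>;
	 * } Certificate;
	 */

	end = pos + len;

	if (end - pos < 3) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
			   "(left=%lu)", (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	list_len = WPA_GET_BE24(pos);
	pos += 3;

	if ((size_t) (end - pos) != list_len) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
			   "length (len=%lu left=%lu)",
			   (unsigned long) list_len,
			   (unsigned long) (end - pos));
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	idx = 0;
	while (pos < end) {
		if (end - pos < 3) {
			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
				   "certificate_list");
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_DECODE_ERROR);
			x509_certificate_chain_free(chain);
			return -1;
		}

		cert_len = WPA_GET_BE24(pos);
		pos += 3;

		if ((size_t) (end - pos) < cert_len) {
			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
				   "length (len=%lu left=%lu)",
				   (unsigned long) cert_len,
				   (unsigned long) (end - pos));
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_DECODE_ERROR);
			x509_certificate_chain_free(chain);
			return -1;
		}

		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
			   (unsigned long) idx, (unsigned long) cert_len);

		if (idx == 0) {
			/*
			 * The first certificate is the client's own; its
			 * public key is needed for CertificateVerify. Clear
			 * the pointer after freeing so a parse failure cannot
			 * leave a dangling key behind.
			 */
			crypto_public_key_free(conn->client_rsa_key);
			conn->client_rsa_key = NULL;
			if (tls_parse_cert(pos, cert_len,
					   &conn->client_rsa_key)) {
				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
					   "the certificate");
				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
						   TLS_ALERT_BAD_CERTIFICATE);
				x509_certificate_chain_free(chain);
				return -1;
			}
		}

		cert = x509_certificate_parse(pos, cert_len);
		if (cert == NULL) {
			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
				   "the certificate");
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_BAD_CERTIFICATE);
			x509_certificate_chain_free(chain);
			return -1;
		}

		if (last == NULL)
			chain = cert;
		else
			last->next = cert;
		last = cert;

		idx++;
		pos += cert_len;
	}

	/*
	 * RFC 2246 7.4.6: a client without a suitable certificate sends an
	 * empty certificate_list; when client authentication is required
	 * this must not be accepted.
	 */
	if (conn->verify_peer && chain == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Client sent an empty "
			   "certificate_list");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_HANDSHAKE_FAILURE);
		return -1;
	}

	if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
					    &reason) < 0) {
		wpa_printf(MSG_DEBUG, "TLSv1: Client certificate chain "
			   "validation failed (reason=%d)", reason);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   tls_x509_reason_to_alert(reason));
		x509_certificate_chain_free(chain);
		return -1;
	}

	x509_certificate_chain_free(chain);

	*in_len = end - in_data;

	conn->state = CLIENT_KEY_EXCHANGE;

	return 0;
}


/**
 * tls_process_client_key_exchange_rsa - Process RSA EncryptedPreMasterSecret
 * @conn: TLSv1 server connection data
 * @pos: Start of the ClientKeyExchange body
 * @end: End of the ClientKeyExchange body
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * Decrypts the pre-master secret with conn->cred->key and derives the
 * session keys. Decryption or format errors are deliberately not reported to
 * the client (see the note below); a random pre-master secret is used
 * instead so that the handshake fails at the Finished message.
 */
static int tls_process_client_key_exchange_rsa(
	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
{
	u8 *out;
	size_t outlen, alloc_len;
	u16 encr_len;
	int res;
	int use_random = 0;

	if (end - pos < 2) {
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	encr_len = WPA_GET_BE16(pos);
	pos += 2;

	/*
	 * The length prefix is cleartext framing and must cover exactly the
	 * rest of the message. It is checked before any private key
	 * operation, so rejecting it here reveals nothing about the padding.
	 */
	if ((size_t) (end - pos) != encr_len) {
		wpa_printf(MSG_DEBUG, "TLSv1: EncryptedPreMasterSecret length "
			   "%u does not match remaining %lu bytes",
			   encr_len, (unsigned long) (end - pos));
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	/* Buffer must hold either the ciphertext or the random fallback */
	outlen = encr_len;
	alloc_len = outlen >= TLS_PRE_MASTER_SECRET_LEN ?
		outlen : TLS_PRE_MASTER_SECRET_LEN;
	out = os_malloc(alloc_len);
	if (out == NULL) {
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}
	/* Defined contents for the checks below even if decryption fails */
	os_memset(out, 0, alloc_len);

	/*
	 * struct {
	 *   ProtocolVersion client_version;
	 *   opaque random[46];
	 * } PreMasterSecret;
	 *
	 * struct {
	 *   public-key-encrypted PreMasterSecret pre_master_secret;
	 * } EncryptedPreMasterSecret;
	 */

	/*
	 * Note: To avoid Bleichenbacher attack, we do not report decryption or
	 * parsing errors from EncryptedPreMasterSecret processing to the
	 * client. Instead, a random pre-master secret is used to force the
	 * handshake to fail. All three checks below run unconditionally so
	 * that the control flow does not depend on which one failed.
	 */

	if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
						 pos, encr_len,
						 out, &outlen) < 0) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
			   "PreMasterSecret (encr_len=%d outlen=%lu)",
			   (int) encr_len, (unsigned long) outlen);
		use_random = 1;
	}

	if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
			   "length %lu", (unsigned long) outlen);
		use_random = 1;
	}

	if (WPA_GET_BE16(out) != conn->client_version) {
		wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
			   "ClientKeyExchange does not match with version in "
			   "ClientHello");
		use_random = 1;
	}

	if (use_random) {
		wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
			   "to avoid revealing information about private key");
		outlen = TLS_PRE_MASTER_SECRET_LEN;
		if (os_get_random(out, outlen)) {
			wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
				   "data");
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_INTERNAL_ERROR);
			os_memset(out, 0, alloc_len);
			os_free(out);
			return -1;
		}
	}

	res = tlsv1_server_derive_keys(conn, out, outlen);

	/*
	 * Clear the pre-master secret since it is not needed anymore. The
	 * whole allocation is cleared: the random fallback may be longer
	 * than the ciphertext.
	 */
	os_memset(out, 0, alloc_len);
	os_free(out);

	if (res) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	return 0;
}


/**
 * tls_dh_yc_is_degenerate - Check for a trivial DH public value
 * @yc: Big-endian client public value
 * @len: Length of yc in octets
 * Returns: 1 if yc is empty, 0 or 1; 0 otherwise
 *
 * Yc = 0 or Yc = 1 makes Yc^secret mod p equal to 0 or 1 regardless of the
 * server secret, so such values are rejected before the exponentiation.
 */
static int tls_dh_yc_is_degenerate(const u8 *yc, size_t len)
{
	size_t i;

	if (len == 0)
		return 1;
	for (i = 0; i + 1 < len; i++) {
		if (yc[i] != 0)
			return 0;
	}
	return yc[len - 1] <= 1;
}


/**
 * tls_process_client_key_exchange_dh_anon - Process anonymous DH key exchange
 * @conn: TLSv1 server connection data
 * @pos: Start of the ClientKeyExchange body
 * @end: End of the ClientKeyExchange body
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * Reads the explicitly encoded client public value dh_Yc, computes
 * shared = Yc^secret mod p with the server secret stored in conn->dh_secret,
 * derives the session keys from the shared secret and then clears both the
 * server secret and the shared secret from memory.
 */
static int tls_process_client_key_exchange_dh_anon(
	struct tlsv1_server *conn, const u8 *pos, const u8 *end)
{
	const u8 *dh_yc;
	u16 dh_yc_len;
	u8 *shared;
	size_t shared_len;
	int res;

	/*
	 * struct {
	 *   select (PublicValueEncoding) {
	 *     case implicit: struct { };
	 *     case explicit: opaque dh_Yc<1..2^16-1>;
	 *   } dh_public;
	 * } ClientDiffieHellmanPublic;
	 */

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
		    pos, end - pos);

	if (end == pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
			   "not supported");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	if (end - pos < 3) {
		wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
			   "length");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	dh_yc_len = WPA_GET_BE16(pos);
	dh_yc = pos + 2;

	/* Compare lengths rather than forming a pointer past end */
	if (dh_yc_len > end - dh_yc) {
		wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
			   "(length %d)", dh_yc_len);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	if (tls_dh_yc_is_degenerate(dh_yc, dh_yc_len)) {
		wpa_printf(MSG_DEBUG, "TLSv1: Rejecting degenerate client "
			   "public value");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_ILLEGAL_PARAMETER);
		return -1;
	}

	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
		    dh_yc, dh_yc_len);

	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
	    conn->dh_secret == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	shared_len = conn->cred->dh_p_len;
	shared = os_malloc(shared_len);
	if (shared == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
			   "DH");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	/* shared = Yc^secret mod p */
	if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
			   conn->dh_secret_len,
			   conn->cred->dh_p, conn->cred->dh_p_len,
			   shared, &shared_len)) {
		os_free(shared);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}
	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
			shared, shared_len);

	/* The server's ephemeral secret is single-use; wipe it now */
	os_memset(conn->dh_secret, 0, conn->dh_secret_len);
	os_free(conn->dh_secret);
	conn->dh_secret = NULL;

	res = tlsv1_server_derive_keys(conn, shared, shared_len);

	/* Clear the pre-master secret since it is not needed anymore */
	os_memset(shared, 0, shared_len);
	os_free(shared);

	if (res) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	return 0;
}


/**
 * tls_process_client_key_exchange - Parse the ClientKeyExchange message
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received message
 * @in_data: Handshake message, starting at the HandshakeType octet
 * @in_len: On input, number of bytes available in in_data; on success,
 *	set to the number of bytes consumed
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * Validates the handshake header and dispatches the body to the DH_anon or
 * RSA key exchange handler based on the negotiated cipher suite. On success
 * conn->state is moved to CERTIFICATE_VERIFY.
 */
static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
					   const u8 *in_data, size_t *in_len)
{
	const u8 *pos, *end;
	size_t left, len;
	u8 type;
	tls_key_exchange keyx;
	const struct tls_cipher_suite *suite;

	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
			   "received content type 0x%x", ct);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	pos = in_data;
	left = *in_len;

	if (left < 4) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
			   "(Left=%lu)", (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	type = *pos++;
	len = WPA_GET_BE24(pos);
	pos += 3;
	left -= 4;

	if (len > left) {
		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
			   "length (len=%lu != left=%lu)",
			   (unsigned long) len, (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	end = pos + len;

	if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
			   "message %d (expected ClientKeyExchange)", type);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");

	wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);

	/* Unknown suite falls back to the RSA handler via TLS_KEY_X_NULL */
	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
	if (suite == NULL)
		keyx = TLS_KEY_X_NULL;
	else
		keyx = suite->key_exchange;

	if (keyx == TLS_KEY_X_DH_anon) {
		if (tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
			return -1;
	} else {
		if (tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
			return -1;
	}

	*in_len = end - in_data;

	conn->state = CERTIFICATE_VERIFY;

	return 0;
}


/**
 * tls_process_certificate_verify - Parse the CertificateVerify message
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received message
 * @in_data: Handshake message, starting at the HandshakeType octet
 * @in_len: On input, number of bytes available in in_data; on success,
 *	set to the number of bytes consumed
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * If the client skipped CertificateVerify and sent ChangeCipherSpec, the
 * message is forwarded to tls_process_change_cipher_spec() unless
 * conn->verify_peer requires client authentication. Otherwise the running
 * MD5 and SHA-1 handshake hashes (conn->verify.md5_cert/sha1_cert) are
 * finalized and compared with the signature decrypted using
 * conn->client_rsa_key. On success conn->state is moved to
 * CHANGE_CIPHER_SPEC.
 */
static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
					  const u8 *in_data, size_t *in_len)
{
	const u8 *pos, *end;
	size_t left, len;
	u8 type;
	size_t hlen, buflen;
	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
	u16 slen;

	if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
		if (conn->verify_peer) {
			wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
				   "CertificateVerify");
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_UNEXPECTED_MESSAGE);
			return -1;
		}

		return tls_process_change_cipher_spec(conn, ct, in_data,
						      in_len);
	}

	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
			   "received content type 0x%x", ct);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	pos = in_data;
	left = *in_len;

	if (left < 4) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
			   "message (len=%lu)", (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	type = *pos++;
	len = WPA_GET_BE24(pos);
	pos += 3;
	left -= 4;

	if (len > left) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
			   "message length (len=%lu != left=%lu)",
			   (unsigned long) len, (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	end = pos + len;

	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
			   "message %d (expected CertificateVerify)", type);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");

	/*
	 * struct {
	 *   Signature signature;
	 * } CertificateVerify;
	 */

	hpos = hash;

	/*
	 * The hash contexts are consumed (finished or discarded) on every
	 * path below so that they are never finished twice later on.
	 */
	if (alg == SIGN_ALG_RSA) {
		hlen = MD5_MAC_LEN;
		if (conn->verify.md5_cert == NULL ||
		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
		{
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_INTERNAL_ERROR);
			conn->verify.md5_cert = NULL;
			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
			conn->verify.sha1_cert = NULL;
			return -1;
		}
		hpos += MD5_MAC_LEN;
	} else
		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);

	conn->verify.md5_cert = NULL;
	hlen = SHA1_MAC_LEN;
	if (conn->verify.sha1_cert == NULL ||
	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
		conn->verify.sha1_cert = NULL;
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}
	conn->verify.sha1_cert = NULL;

	if (alg == SIGN_ALG_RSA)
		hlen += MD5_MAC_LEN;

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);

	if (end - pos < 2) {
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}
	slen = WPA_GET_BE16(pos);
	pos += 2;
	if (end - pos < slen) {
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
	if (conn->client_rsa_key == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
			   "signature");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	buflen = end - pos;
	buf = os_malloc(end - pos);
	if (buf == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
			   "signature verification");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}
	if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
					    pos, end - pos, buf, &buflen) < 0)
	{
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
		os_free(buf);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECRYPT_ERROR);
		return -1;
	}

	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
			buf, buflen);

	if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
			   "CertificateVerify - did not match with calculated "
			   "hash");
		os_free(buf);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECRYPT_ERROR);
		return -1;
	}

	os_free(buf);

	*in_len = end - in_data;

	conn->state = CHANGE_CIPHER_SPEC;

	return 0;
}


/**
 * tls_process_change_cipher_spec - Parse the ChangeCipherSpec message
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received message
 * @in_data: Message data (single octet expected)
 * @in_len: On input, number of bytes available in in_data; on success,
 *	set to the number of bytes consumed (1)
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * Switches the record layer read cipher to the newly negotiated keys. On
 * success conn->state is moved to CLIENT_FINISHED.
 */
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
					  u8 ct, const u8 *in_data,
					  size_t *in_len)
{
	const u8 *pos;
	size_t left;

	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
			   "received content type 0x%x", ct);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	pos = in_data;
	left = *in_len;

	if (left < 1) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
			   "received data 0x%x", *pos);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
			   "for record layer");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}

	*in_len = pos + 1 - in_data;

	conn->state = CLIENT_FINISHED;

	return 0;
}


/**
 * tls_process_client_finished - Parse and verify the client Finished message
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received message
 * @in_data: Handshake message, starting at the HandshakeType octet
 * @in_len: On input, number of bytes available in in_data; on success,
 *	set to the number of bytes consumed
 * Returns: 0 on success, -1 on failure (a fatal alert has already been sent)
 *
 * Finalizes the client-side handshake hashes (conn->verify.md5_client and
 * sha1_client), derives the expected verify_data with the TLS PRF and
 * compares it with the received value. On success conn->state is moved to
 * ESTABLISHED for an abbreviated (session ticket) handshake, or to
 * SERVER_CHANGE_CIPHER_SPEC for a full handshake.
 */
static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
				       const u8 *in_data, size_t *in_len)
{
	const u8 *pos, *end;
	size_t left, len, hlen;
	u8 verify_data[TLS_VERIFY_DATA_LEN];
	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];

	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
			   "received content type 0x%x", ct);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	pos = in_data;
	left = *in_len;

	if (left < 4) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
			   "Finished",
			   (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}

	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
			   "type 0x%x", pos[0]);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_UNEXPECTED_MESSAGE);
		return -1;
	}

	len = WPA_GET_BE24(pos + 1);

	pos += 4;
	left -= 4;

	if (len > left) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
			   "(len=%lu > left=%lu)",
			   (unsigned long) len, (unsigned long) left);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}
	end = pos + len;
	if (len != TLS_VERIFY_DATA_LEN) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
			   "in Finished: %lu (expected %d)",
			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECODE_ERROR);
		return -1;
	}
	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
		    pos, TLS_VERIFY_DATA_LEN);

	/* Both hash contexts are consumed on every path below */
	hlen = MD5_MAC_LEN;
	if (conn->verify.md5_client == NULL ||
	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		conn->verify.md5_client = NULL;
		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
		conn->verify.sha1_client = NULL;
		return -1;
	}
	conn->verify.md5_client = NULL;
	hlen = SHA1_MAC_LEN;
	if (conn->verify.sha1_client == NULL ||
	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
			       &hlen) < 0) {
		conn->verify.sha1_client = NULL;
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_INTERNAL_ERROR);
		return -1;
	}
	conn->verify.sha1_client = NULL;

	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
		    verify_data, TLS_VERIFY_DATA_LEN)) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECRYPT_ERROR);
		return -1;
	}
	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
			verify_data, TLS_VERIFY_DATA_LEN);

	/*
	 * A mismatch is a fatal handshake error like every other failure
	 * here, so the peer is told with an alert instead of being left to
	 * time out.
	 */
	if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
				   TLS_ALERT_DECRYPT_ERROR);
		return -1;
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");

	*in_len = end - in_data;

	if (conn->use_session_ticket) {
		/* Abbreviated handshake using session ticket; RFC 4507 */
		wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
			   "successfully");
		conn->state = ESTABLISHED;
	} else {
		/* Full handshake */
		conn->state = SERVER_CHANGE_CIPHER_SPEC;
	}

	return 0;
}

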
/**
 * tlsv1_server_process_handshake - Process a received handshake-phase record
 * @conn: TLSv1 server connection data
 * @ct: Record layer content type of the received record
 * @buf: Record payload
 * @len: On input, payload length; on return, number of bytes consumed
 * Returns: 0 on success, -1 on failure
 *
 * An Alert record marks the connection FAILED and is reported as a failure.
 * Any other record is dispatched to the parser for the current conn->state;
 * Handshake records that were accepted are then added to the running
 * handshake hashes used for CertificateVerify and Finished.
 */
int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
				   const u8 *buf, size_t *len)
{
	int (*handler)(struct tlsv1_server *, u8, const u8 *, size_t *);

	if (ct == TLS_CONTENT_TYPE_ALERT) {
		if (*len < 2) {
			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
					   TLS_ALERT_DECODE_ERROR);
			return -1;
		}
		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
			   buf[0], buf[1]);
		*len = 2;
		conn->state = FAILED;
		return -1;
	}

	/* Pick the parser for the current state; anything else is an error */
	switch (conn->state) {
	case CLIENT_HELLO:
		handler = tls_process_client_hello;
		break;
	case CLIENT_CERTIFICATE:
		handler = tls_process_certificate;
		break;
	case CLIENT_KEY_EXCHANGE:
		handler = tls_process_client_key_exchange;
		break;
	case CERTIFICATE_VERIFY:
		handler = tls_process_certificate_verify;
		break;
	case CHANGE_CIPHER_SPEC:
		handler = tls_process_change_cipher_spec;
		break;
	case CLIENT_FINISHED:
		handler = tls_process_client_finished;
		break;
	default:
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
			   "while processing received message",
			   conn->state);
		return -1;
	}

	if (handler(conn, ct, buf, len) != 0)
		return -1;

	/* *len now holds the consumed length reported by the handler */
	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
		tls_verify_hash_add(&conn->verify, buf, *len);

	return 0;
}