1 /* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "md5.h" 19 #include "sha1.h" 20 #include "x509v3.h" 21 #include "tls.h" 22 #include "tlsv1_common.h" 23 #include "tlsv1_record.h" 24 #include "tlsv1_server.h" 25 #include "tlsv1_server_i.h" 26 27 28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 29 const u8 *in_data, size_t *in_len); 30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 31 u8 ct, const u8 *in_data, 32 size_t *in_len); 33 34 35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 36 const u8 *in_data, size_t *in_len) 37 { 38 const u8 *pos, *end, *c; 39 size_t left, len, i, j; 40 u16 cipher_suite; 41 u16 num_suites; 42 int compr_null_found; 43 44 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 45 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 46 "received content type 0x%x", ct); 47 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 48 TLS_ALERT_UNEXPECTED_MESSAGE); 49 return -1; 50 } 51 52 pos = in_data; 53 left = *in_len; 54 55 if (left < 4) 56 goto decode_error; 57 58 /* HandshakeType msg_type */ 59 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 60 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 61 "message %d (expected ClientHello)", *pos); 62 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 63 TLS_ALERT_UNEXPECTED_MESSAGE); 64 return -1; 65 } 66 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 67 pos++; 68 /* uint24 length */ 69 len = WPA_GET_BE24(pos); 70 pos += 3; 71 left -= 4; 72 73 if (len > left) 74 goto decode_error; 75 76 /* body - ClientHello */ 77 78 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 79 end = pos + len; 80 81 /* ProtocolVersion client_version */ 82 if (end - pos < 2) 83 goto decode_error; 84 conn->client_version = WPA_GET_BE16(pos); 85 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 86 conn->client_version >> 8, conn->client_version & 0xff); 87 if (conn->client_version < TLS_VERSION) { 88 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 89 "ClientHello"); 90 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 91 TLS_ALERT_PROTOCOL_VERSION); 92 return -1; 93 } 94 pos += 2; 95 96 /* Random random */ 97 if (end - pos < TLS_RANDOM_LEN) 98 goto decode_error; 99 100 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 101 pos += TLS_RANDOM_LEN; 102 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 103 conn->client_random, TLS_RANDOM_LEN); 104 105 /* SessionID session_id */ 106 if (end - pos < 1) 107 goto decode_error; 108 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 109 goto decode_error; 110 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 111 pos += 1 + *pos; 112 /* TODO: add support for session resumption */ 113 114 /* CipherSuite cipher_suites<2..2^16-1> */ 115 if (end - pos < 2) 116 goto decode_error; 117 num_suites = WPA_GET_BE16(pos); 118 pos += 2; 119 if (end - pos < num_suites) 120 goto decode_error; 121 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 122 pos, num_suites); 123 if (num_suites & 1) 124 goto decode_error; 125 num_suites /= 2; 126 127 cipher_suite = 0; 128 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 129 c = pos; 130 for (j = 0; j < num_suites; j++) { 131 u16 tmp = WPA_GET_BE16(c); 132 c += 2; 133 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 134 cipher_suite = tmp; 135 break; 136 } 137 } 138 } 139 pos += num_suites * 2; 140 if (!cipher_suite) { 141 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 142 "available"); 143 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 144 TLS_ALERT_ILLEGAL_PARAMETER); 145 return -1; 146 } 147 148 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 149 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 150 "record layer"); 151 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 152 TLS_ALERT_INTERNAL_ERROR); 153 return -1; 154 } 155 156 conn->cipher_suite = cipher_suite; 157 158 /* CompressionMethod compression_methods<1..2^8-1> */ 159 if (end - pos < 1) 160 goto decode_error; 161 num_suites = *pos++; 162 if (end - pos < num_suites) 163 goto decode_error; 164 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 165 pos, num_suites); 166 compr_null_found = 0; 167 for (i = 0; i < num_suites; i++) { 168 if (*pos++ == TLS_COMPRESSION_NULL) 169 compr_null_found = 1; 170 } 171 if (!compr_null_found) { 172 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 173 "compression"); 174 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 175 TLS_ALERT_ILLEGAL_PARAMETER); 176 return -1; 177 } 178 179 if (end - pos == 1) { 180 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 181 "end of ClientHello: 0x%02x", *pos); 182 goto decode_error; 183 } 184 185 if (end - pos >= 2) { 186 u16 ext_len; 187 188 /* Extension client_hello_extension_list<0..2^16-1> */ 189 190 ext_len = WPA_GET_BE16(pos); 191 pos += 2; 192 193 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 194 "extensions", ext_len); 195 if (end - pos != ext_len) { 196 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 197 "extension list length %u (expected %u)", 198 ext_len, end - pos); 199 goto decode_error; 200 } 201 202 /* 203 * struct { 204 * ExtensionType extension_type (0..65535) 205 * opaque extension_data<0..2^16-1> 206 * } Extension; 207 */ 208 209 while (pos < end) { 210 u16 ext_type, ext_len; 211 212 if (end - pos < 2) { 213 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 214 "extension_type field"); 215 goto decode_error; 216 } 217 218 ext_type = WPA_GET_BE16(pos); 219 pos += 2; 220 221 if (end - pos < 2) { 222 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 223 "extension_data length field"); 224 goto decode_error; 225 } 226 227 ext_len = WPA_GET_BE16(pos); 228 pos += 2; 229 230 if (end - pos < ext_len) { 231 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 232 "extension_data field"); 233 goto decode_error; 234 } 235 236 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 237 "type %u", ext_type); 238 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 239 "Extension data", pos, ext_len); 240 241 if (ext_type == TLS_EXT_SESSION_TICKET) { 242 os_free(conn->session_ticket); 243 conn->session_ticket = os_malloc(ext_len); 244 if (conn->session_ticket) { 245 os_memcpy(conn->session_ticket, pos, 246 ext_len); 247 conn->session_ticket_len = ext_len; 248 } 249 } 250 251 pos += ext_len; 252 } 253 } 254 255 *in_len = end - in_data; 256 257 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 258 "ServerHello"); 259 conn->state = SERVER_HELLO; 260 261 return 0; 262 263 decode_error: 264 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 265 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 266 TLS_ALERT_DECODE_ERROR); 267 return -1; 268 } 269 270 271 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 272 const u8 *in_data, size_t *in_len) 273 { 274 const u8 *pos, *end; 275 size_t left, len, list_len, cert_len, idx; 276 u8 type; 277 struct x509_certificate *chain = NULL, *last = NULL, *cert; 278 int reason; 279 280 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 281 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 282 "received content type 0x%x", ct); 283 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 284 TLS_ALERT_UNEXPECTED_MESSAGE); 285 return -1; 286 } 287 288 pos = in_data; 289 left = *in_len; 290 291 if (left < 4) { 292 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 293 "(len=%lu)", (unsigned long) left); 294 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 295 TLS_ALERT_DECODE_ERROR); 296 return -1; 297 } 298 299 type = *pos++; 300 len = WPA_GET_BE24(pos); 301 pos += 3; 302 left -= 4; 303 304 if (len > left) { 305 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 306 "length (len=%lu != left=%lu)", 307 (unsigned long) len, (unsigned long) left); 308 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 309 TLS_ALERT_DECODE_ERROR); 310 return -1; 311 } 312 313 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 314 if (conn->verify_peer) { 315 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 316 "Certificate"); 317 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 318 TLS_ALERT_UNEXPECTED_MESSAGE); 319 return -1; 320 } 321 322 return tls_process_client_key_exchange(conn, ct, in_data, 323 in_len); 324 } 325 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 326 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 327 "message %d (expected Certificate/" 328 "ClientKeyExchange)", type); 329 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 330 TLS_ALERT_UNEXPECTED_MESSAGE); 331 return -1; 332 } 333 334 wpa_printf(MSG_DEBUG, 335 "TLSv1: Received Certificate (certificate_list len %lu)", 336 (unsigned long) len); 337 338 /* 339 * opaque ASN.1Cert<2^24-1>; 340 * 341 * struct { 342 * ASN.1Cert certificate_list<1..2^24-1>; 343 * } Certificate; 344 */ 345 346 end = pos + len; 347 348 if (end - pos < 3) { 349 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 350 "(left=%lu)", (unsigned long) left); 351 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 352 TLS_ALERT_DECODE_ERROR); 353 return -1; 354 } 355 356 list_len = WPA_GET_BE24(pos); 357 pos += 3; 358 359 if ((size_t) (end - pos) != list_len) { 360 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 361 "length (len=%lu left=%lu)", 362 (unsigned long) list_len, 363 (unsigned long) (end - pos)); 364 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 365 TLS_ALERT_DECODE_ERROR); 366 return -1; 367 } 368 369 idx = 0; 370 while (pos < end) { 371 if (end - pos < 3) { 372 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 373 "certificate_list"); 374 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 375 TLS_ALERT_DECODE_ERROR); 376 x509_certificate_chain_free(chain); 377 return -1; 378 } 379 380 cert_len = WPA_GET_BE24(pos); 381 pos += 3; 382 383 if ((size_t) (end - pos) < cert_len) { 384 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 385 "length (len=%lu left=%lu)", 386 (unsigned long) cert_len, 387 (unsigned long) (end - pos)); 388 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 389 TLS_ALERT_DECODE_ERROR); 390 x509_certificate_chain_free(chain); 391 return -1; 392 } 393 394 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 395 (unsigned long) idx, (unsigned long) cert_len); 396 397 if (idx == 0) { 398 crypto_public_key_free(conn->client_rsa_key); 399 if (tls_parse_cert(pos, cert_len, 400 &conn->client_rsa_key)) { 401 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 402 "the certificate"); 403 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 404 TLS_ALERT_BAD_CERTIFICATE); 405 x509_certificate_chain_free(chain); 406 return -1; 407 } 408 } 409 410 cert = x509_certificate_parse(pos, cert_len); 411 if (cert == NULL) { 412 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 413 "the certificate"); 414 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 415 TLS_ALERT_BAD_CERTIFICATE); 416 x509_certificate_chain_free(chain); 417 return -1; 418 } 419 420 if (last == NULL) 421 chain = cert; 422 else 423 last->next = cert; 424 last = cert; 425 426 idx++; 427 pos += cert_len; 428 } 429 430 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 431 &reason) < 0) { 432 int tls_reason; 433 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 434 "validation failed (reason=%d)", reason); 435 switch (reason) { 436 case X509_VALIDATE_BAD_CERTIFICATE: 437 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 438 break; 439 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 440 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 441 break; 442 case X509_VALIDATE_CERTIFICATE_REVOKED: 443 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 444 break; 445 case X509_VALIDATE_CERTIFICATE_EXPIRED: 446 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 447 break; 448 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 449 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 450 break; 451 case X509_VALIDATE_UNKNOWN_CA: 452 tls_reason = TLS_ALERT_UNKNOWN_CA; 453 break; 454 default: 455 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 456 break; 457 } 458 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 459 x509_certificate_chain_free(chain); 460 return -1; 461 } 462 463 x509_certificate_chain_free(chain); 464 465 *in_len = end - in_data; 466 467 conn->state = CLIENT_KEY_EXCHANGE; 468 469 return 0; 470 } 471 472 473 static int tls_process_client_key_exchange_rsa( 474 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 475 { 476 u8 *out; 477 size_t outlen, outbuflen; 478 u16 encr_len; 479 int res; 480 int use_random = 0; 481 482 if (end - pos < 2) { 483 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 484 TLS_ALERT_DECODE_ERROR); 485 return -1; 486 } 487 488 encr_len = WPA_GET_BE16(pos); 489 pos += 2; 490 491 outbuflen = outlen = end - pos; 492 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 493 outlen : TLS_PRE_MASTER_SECRET_LEN); 494 if (out == NULL) { 495 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 496 TLS_ALERT_INTERNAL_ERROR); 497 return -1; 498 } 499 500 /* 501 * struct { 502 * ProtocolVersion client_version; 503 * opaque random[46]; 504 * } PreMasterSecret; 505 * 506 * struct { 507 * public-key-encrypted PreMasterSecret pre_master_secret; 508 * } EncryptedPreMasterSecret; 509 */ 510 511 /* 512 * Note: To avoid Bleichenbacher attack, we do not report decryption or 513 * parsing errors from EncryptedPreMasterSecret processing to the 514 * client. Instead, a random pre-master secret is used to force the 515 * handshake to fail. 516 */ 517 518 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 519 pos, end - pos, 520 out, &outlen) < 0) { 521 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 522 "PreMasterSecret (encr_len=%d outlen=%lu)", 523 end - pos, (unsigned long) outlen); 524 use_random = 1; 525 } 526 527 if (outlen != TLS_PRE_MASTER_SECRET_LEN) { 528 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 529 "length %lu", (unsigned long) outlen); 530 use_random = 1; 531 } 532 533 if (WPA_GET_BE16(out) != conn->client_version) { 534 wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 535 "ClientKeyExchange does not match with version in " 536 "ClientHello"); 537 use_random = 1; 538 } 539 540 if (use_random) { 541 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 542 "to avoid revealing information about private key"); 543 outlen = TLS_PRE_MASTER_SECRET_LEN; 544 if (os_get_random(out, outlen)) { 545 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 546 "data"); 547 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 548 TLS_ALERT_INTERNAL_ERROR); 549 os_free(out); 550 return -1; 551 } 552 } 553 554 res = tlsv1_server_derive_keys(conn, out, outlen); 555 556 /* Clear the pre-master secret since it is not needed anymore */ 557 os_memset(out, 0, outbuflen); 558 os_free(out); 559 560 if (res) { 561 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 562 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 563 TLS_ALERT_INTERNAL_ERROR); 564 return -1; 565 } 566 567 return 0; 568 } 569 570 571 static int tls_process_client_key_exchange_dh_anon( 572 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 573 { 574 #ifdef EAP_FAST 575 const u8 *dh_yc; 576 u16 dh_yc_len; 577 u8 *shared; 578 size_t shared_len; 579 int res; 580 581 /* 582 * struct { 583 * select (PublicValueEncoding) { 584 * case implicit: struct { }; 585 * case explicit: opaque dh_Yc<1..2^16-1>; 586 * } dh_public; 587 * } ClientDiffieHellmanPublic; 588 */ 589 590 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 591 pos, end - pos); 592 593 if (end == pos) { 594 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 595 "not supported"); 596 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 597 TLS_ALERT_INTERNAL_ERROR); 598 return -1; 599 } 600 601 if (end - pos < 3) { 602 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 603 "length"); 604 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 605 TLS_ALERT_DECODE_ERROR); 606 return -1; 607 } 608 609 dh_yc_len = WPA_GET_BE16(pos); 610 dh_yc = pos + 2; 611 612 if (dh_yc + dh_yc_len > end) { 613 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 614 "(length %d)", dh_yc_len); 615 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 616 TLS_ALERT_DECODE_ERROR); 617 return -1; 618 } 619 620 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 621 dh_yc, dh_yc_len); 622 623 if (conn->cred == NULL || conn->cred->dh_p == NULL || 624 conn->dh_secret == NULL) { 625 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 626 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 627 TLS_ALERT_INTERNAL_ERROR); 628 return -1; 629 } 630 631 shared_len = conn->cred->dh_p_len; 632 shared = os_malloc(shared_len); 633 if (shared == NULL) { 634 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 635 "DH"); 636 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 637 TLS_ALERT_INTERNAL_ERROR); 638 return -1; 639 } 640 641 /* shared = Yc^secret mod p */ 642 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 643 conn->dh_secret_len, 644 conn->cred->dh_p, conn->cred->dh_p_len, 645 shared, &shared_len)) { 646 os_free(shared); 647 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 648 TLS_ALERT_INTERNAL_ERROR); 649 return -1; 650 } 651 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 652 shared, shared_len); 653 654 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 655 os_free(conn->dh_secret); 656 conn->dh_secret = NULL; 657 658 res = tlsv1_server_derive_keys(conn, shared, shared_len); 659 660 /* Clear the pre-master secret since it is not needed anymore */ 661 os_memset(shared, 0, shared_len); 662 os_free(shared); 663 664 if (res) { 665 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 666 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 667 TLS_ALERT_INTERNAL_ERROR); 668 return -1; 669 } 670 671 return 0; 672 #else /* EAP_FAST */ 673 return -1; 674 #endif /* EAP_FAST */ 675 } 676 677 678 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 679 const u8 *in_data, size_t *in_len) 680 { 681 const u8 *pos, *end; 682 size_t left, len; 683 u8 type; 684 tls_key_exchange keyx; 685 const struct tls_cipher_suite *suite; 686 687 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 688 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 689 "received content type 0x%x", ct); 690 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 691 TLS_ALERT_UNEXPECTED_MESSAGE); 692 return -1; 693 } 694 695 pos = in_data; 696 left = *in_len; 697 698 if (left < 4) { 699 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 700 "(Left=%lu)", (unsigned long) left); 701 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 702 TLS_ALERT_DECODE_ERROR); 703 return -1; 704 } 705 706 type = *pos++; 707 len = WPA_GET_BE24(pos); 708 pos += 3; 709 left -= 4; 710 711 if (len > left) { 712 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 713 "length (len=%lu != left=%lu)", 714 (unsigned long) len, (unsigned long) left); 715 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 716 TLS_ALERT_DECODE_ERROR); 717 return -1; 718 } 719 720 end = pos + len; 721 722 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 723 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 724 "message %d (expected ClientKeyExchange)", type); 725 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 726 TLS_ALERT_UNEXPECTED_MESSAGE); 727 return -1; 728 } 729 730 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 731 732 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 733 734 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 735 if (suite == NULL) 736 keyx = TLS_KEY_X_NULL; 737 else 738 keyx = suite->key_exchange; 739 740 if (keyx == TLS_KEY_X_DH_anon && 741 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 742 return -1; 743 744 if (keyx != TLS_KEY_X_DH_anon && 745 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 746 return -1; 747 748 *in_len = end - in_data; 749 750 conn->state = CERTIFICATE_VERIFY; 751 752 return 0; 753 } 754 755 756 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 757 const u8 *in_data, size_t *in_len) 758 { 759 const u8 *pos, *end; 760 size_t left, len; 761 u8 type; 762 size_t hlen, buflen; 763 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 764 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 765 u16 slen; 766 767 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 768 if (conn->verify_peer) { 769 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 770 "CertificateVerify"); 771 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 772 TLS_ALERT_UNEXPECTED_MESSAGE); 773 return -1; 774 } 775 776 return tls_process_change_cipher_spec(conn, ct, in_data, 777 in_len); 778 } 779 780 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 781 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 782 "received content type 0x%x", ct); 783 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 784 TLS_ALERT_UNEXPECTED_MESSAGE); 785 return -1; 786 } 787 788 pos = in_data; 789 left = *in_len; 790 791 if (left < 4) { 792 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 793 "message (len=%lu)", (unsigned long) left); 794 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 795 TLS_ALERT_DECODE_ERROR); 796 return -1; 797 } 798 799 type = *pos++; 800 len = WPA_GET_BE24(pos); 801 pos += 3; 802 left -= 4; 803 804 if (len > left) { 805 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 806 "message length (len=%lu != left=%lu)", 807 (unsigned long) len, (unsigned long) left); 808 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 809 TLS_ALERT_DECODE_ERROR); 810 return -1; 811 } 812 813 end = pos + len; 814 815 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 816 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 817 "message %d (expected CertificateVerify)", type); 818 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 819 TLS_ALERT_UNEXPECTED_MESSAGE); 820 return -1; 821 } 822 823 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 824 825 /* 826 * struct { 827 * Signature signature; 828 * } CertificateVerify; 829 */ 830 831 hpos = hash; 832 833 if (alg == SIGN_ALG_RSA) { 834 hlen = MD5_MAC_LEN; 835 if (conn->verify.md5_cert == NULL || 836 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 837 { 838 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 839 TLS_ALERT_INTERNAL_ERROR); 840 conn->verify.md5_cert = NULL; 841 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 842 conn->verify.sha1_cert = NULL; 843 return -1; 844 } 845 hpos += MD5_MAC_LEN; 846 } else 847 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 848 849 conn->verify.md5_cert = NULL; 850 hlen = SHA1_MAC_LEN; 851 if (conn->verify.sha1_cert == NULL || 852 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 853 conn->verify.sha1_cert = NULL; 854 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 855 TLS_ALERT_INTERNAL_ERROR); 856 return -1; 857 } 858 conn->verify.sha1_cert = NULL; 859 860 if (alg == SIGN_ALG_RSA) 861 hlen += MD5_MAC_LEN; 862 863 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 864 865 if (end - pos < 2) { 866 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 867 TLS_ALERT_DECODE_ERROR); 868 return -1; 869 } 870 slen = WPA_GET_BE16(pos); 871 pos += 2; 872 if (end - pos < slen) { 873 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 874 TLS_ALERT_DECODE_ERROR); 875 return -1; 876 } 877 878 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 879 if (conn->client_rsa_key == NULL) { 880 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 881 "signature"); 882 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 883 TLS_ALERT_INTERNAL_ERROR); 884 return -1; 885 } 886 887 buflen = end - pos; 888 buf = os_malloc(end - pos); 889 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 890 pos, end - pos, buf, &buflen) < 0) 891 { 892 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 893 os_free(buf); 894 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 895 TLS_ALERT_DECRYPT_ERROR); 896 return -1; 897 } 898 899 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 900 buf, buflen); 901 902 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 903 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 904 "CertificateVerify - did not match with calculated " 905 "hash"); 906 os_free(buf); 907 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 908 TLS_ALERT_DECRYPT_ERROR); 909 return -1; 910 } 911 912 os_free(buf); 913 914 *in_len = end - in_data; 915 916 conn->state = CHANGE_CIPHER_SPEC; 917 918 return 0; 919 } 920 921 922 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 923 u8 ct, const u8 *in_data, 924 size_t *in_len) 925 { 926 const u8 *pos; 927 size_t left; 928 929 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 930 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 931 "received content type 0x%x", ct); 932 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 933 TLS_ALERT_UNEXPECTED_MESSAGE); 934 return -1; 935 } 936 937 pos = in_data; 938 left = *in_len; 939 940 if (left < 1) { 941 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 942 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 943 TLS_ALERT_DECODE_ERROR); 944 return -1; 945 } 946 947 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 948 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 949 "received data 0x%x", *pos); 950 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 951 TLS_ALERT_UNEXPECTED_MESSAGE); 952 return -1; 953 } 954 955 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 956 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 957 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 958 "for record layer"); 959 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 960 TLS_ALERT_INTERNAL_ERROR); 961 return -1; 962 } 963 964 *in_len = pos + 1 - in_data; 965 966 conn->state = CLIENT_FINISHED; 967 968 return 0; 969 } 970 971 972 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 973 const u8 *in_data, size_t *in_len) 974 { 975 const u8 *pos, *end; 976 size_t left, len, hlen; 977 u8 verify_data[TLS_VERIFY_DATA_LEN]; 978 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 979 980 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 981 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 982 "received content type 0x%x", ct); 983 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 984 TLS_ALERT_UNEXPECTED_MESSAGE); 985 return -1; 986 } 987 988 pos = in_data; 989 left = *in_len; 990 991 if (left < 4) { 992 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 993 "Finished", 994 (unsigned long) left); 995 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 996 TLS_ALERT_DECODE_ERROR); 997 return -1; 998 } 999 1000 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1001 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1002 "type 0x%x", pos[0]); 1003 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1004 TLS_ALERT_UNEXPECTED_MESSAGE); 1005 return -1; 1006 } 1007 1008 len = WPA_GET_BE24(pos + 1); 1009 1010 pos += 4; 1011 left -= 4; 1012 1013 if (len > left) { 1014 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1015 "(len=%lu > left=%lu)", 1016 (unsigned long) len, (unsigned long) left); 1017 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1018 TLS_ALERT_DECODE_ERROR); 1019 return -1; 1020 } 1021 end = pos + len; 1022 if (len != TLS_VERIFY_DATA_LEN) { 1023 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1024 "in Finished: %lu (expected %d)", 1025 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1026 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1027 TLS_ALERT_DECODE_ERROR); 1028 return -1; 1029 } 1030 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1031 pos, TLS_VERIFY_DATA_LEN); 1032 1033 hlen = MD5_MAC_LEN; 1034 if (conn->verify.md5_client == NULL || 1035 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1036 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1037 TLS_ALERT_INTERNAL_ERROR); 1038 conn->verify.md5_client = NULL; 1039 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1040 conn->verify.sha1_client = NULL; 1041 return -1; 1042 } 1043 conn->verify.md5_client = NULL; 1044 hlen = SHA1_MAC_LEN; 1045 if (conn->verify.sha1_client == NULL || 1046 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1047 &hlen) < 0) { 1048 conn->verify.sha1_client = NULL; 1049 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1050 TLS_ALERT_INTERNAL_ERROR); 1051 return -1; 1052 } 1053 conn->verify.sha1_client = NULL; 1054 1055 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1056 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 1057 verify_data, TLS_VERIFY_DATA_LEN)) { 1058 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1059 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1060 TLS_ALERT_DECRYPT_ERROR); 1061 return -1; 1062 } 1063 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1064 verify_data, TLS_VERIFY_DATA_LEN); 1065 1066 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1067 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1068 return -1; 1069 } 1070 1071 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1072 1073 *in_len = end - in_data; 1074 1075 if (conn->use_session_ticket) { 1076 /* Abbreviated handshake using session ticket; RFC 4507 */ 1077 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 1078 "successfully"); 1079 conn->state = ESTABLISHED; 1080 } else { 1081 /* Full handshake */ 1082 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1083 } 1084 1085 return 0; 1086 } 1087 1088 1089 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1090 const u8 *buf, size_t *len) 1091 { 1092 if (ct == TLS_CONTENT_TYPE_ALERT) { 1093 if (*len < 2) { 1094 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1095 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1096 TLS_ALERT_DECODE_ERROR); 1097 return -1; 1098 } 1099 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1100 buf[0], buf[1]); 1101 *len = 2; 1102 conn->state = FAILED; 1103 return -1; 1104 } 1105 1106 switch (conn->state) { 1107 case CLIENT_HELLO: 1108 if (tls_process_client_hello(conn, ct, buf, len)) 1109 return -1; 1110 break; 1111 case CLIENT_CERTIFICATE: 1112 if (tls_process_certificate(conn, ct, buf, len)) 1113 return -1; 1114 break; 1115 case CLIENT_KEY_EXCHANGE: 1116 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1117 return -1; 1118 break; 1119 case CERTIFICATE_VERIFY: 1120 if (tls_process_certificate_verify(conn, ct, buf, len)) 1121 return -1; 1122 break; 1123 case CHANGE_CIPHER_SPEC: 1124 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1125 return -1; 1126 break; 1127 case CLIENT_FINISHED: 1128 if (tls_process_client_finished(conn, ct, buf, len)) 1129 return -1; 1130 break; 1131 default: 1132 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1133 "while processing received message", 1134 conn->state); 1135 return -1; 1136 } 1137 1138 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1139 tls_verify_hash_add(&conn->verify, buf, *len); 1140 1141 return 0; 1142 } 1143