1 /* 2 * TLS v1.0 (RFC 2246) and v1.1 (RFC 4346) server 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/sha1.h" 19 #include "crypto/tls.h" 20 #include "tlsv1_common.h" 21 #include "tlsv1_record.h" 22 #include "tlsv1_server.h" 23 #include "tlsv1_server_i.h" 24 25 /* TODO: 26 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 27 */ 28 29 30 void tlsv1_server_alert(struct tlsv1_server *conn, u8 level, u8 description) 31 { 32 conn->alert_level = level; 33 conn->alert_description = description; 34 } 35 36 37 int tlsv1_server_derive_keys(struct tlsv1_server *conn, 38 const u8 *pre_master_secret, 39 size_t pre_master_secret_len) 40 { 41 u8 seed[2 * TLS_RANDOM_LEN]; 42 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 43 u8 *pos; 44 size_t key_block_len; 45 46 if (pre_master_secret) { 47 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 48 pre_master_secret, pre_master_secret_len); 49 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 50 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 51 TLS_RANDOM_LEN); 52 if (tls_prf(pre_master_secret, pre_master_secret_len, 53 "master secret", seed, 2 * TLS_RANDOM_LEN, 54 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 55 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 56 "master_secret"); 57 return -1; 58 } 59 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 60 conn->master_secret, TLS_MASTER_SECRET_LEN); 61 } 62 63 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 64 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 65 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len + 66 conn->rl.iv_size); 67 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 68 "key expansion", seed, 2 * TLS_RANDOM_LEN, 69 key_block, key_block_len)) { 70 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 71 return -1; 72 } 73 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 74 key_block, key_block_len); 75 76 pos = key_block; 77 78 /* client_write_MAC_secret */ 79 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 80 pos += conn->rl.hash_size; 81 /* server_write_MAC_secret */ 82 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 83 pos += conn->rl.hash_size; 84 85 /* client_write_key */ 86 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 87 pos += conn->rl.key_material_len; 88 /* server_write_key */ 89 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 90 pos += conn->rl.key_material_len; 91 92 /* client_write_IV */ 93 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 94 pos += conn->rl.iv_size; 95 /* server_write_IV */ 96 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 97 pos += conn->rl.iv_size; 98 99 return 0; 100 } 101 102 103 /** 104 * tlsv1_server_handshake - Process TLS handshake 105 * @conn: TLSv1 server connection data from tlsv1_server_init() 106 * @in_data: Input data from TLS peer 107 * @in_len: Input data length 108 * @out_len: Length of the output buffer. 109 * Returns: Pointer to output data, %NULL on failure 110 */ 111 u8 * tlsv1_server_handshake(struct tlsv1_server *conn, 112 const u8 *in_data, size_t in_len, 113 size_t *out_len) 114 { 115 const u8 *pos, *end; 116 u8 *msg = NULL, *in_msg, *in_pos, *in_end, alert, ct; 117 size_t in_msg_len; 118 119 if (in_data == NULL || in_len == 0) { 120 wpa_printf(MSG_DEBUG, "TLSv1: No input data to server"); 121 return NULL; 122 } 123 124 pos = in_data; 125 end = in_data + in_len; 126 in_msg = os_malloc(in_len); 127 if (in_msg == NULL) 128 return NULL; 129 130 /* Each received packet may include multiple records */ 131 while (pos < end) { 132 in_msg_len = in_len; 133 if (tlsv1_record_receive(&conn->rl, pos, end - pos, 134 in_msg, &in_msg_len, &alert)) { 135 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 136 "record failed"); 137 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 138 goto failed; 139 } 140 ct = pos[0]; 141 142 in_pos = in_msg; 143 in_end = in_msg + in_msg_len; 144 145 /* Each received record may include multiple messages of the 146 * same ContentType. */ 147 while (in_pos < in_end) { 148 in_msg_len = in_end - in_pos; 149 if (tlsv1_server_process_handshake(conn, ct, in_pos, 150 &in_msg_len) < 0) 151 goto failed; 152 in_pos += in_msg_len; 153 } 154 155 pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3); 156 } 157 158 os_free(in_msg); 159 in_msg = NULL; 160 161 msg = tlsv1_server_handshake_write(conn, out_len); 162 163 failed: 164 os_free(in_msg); 165 if (conn->alert_level) { 166 if (conn->state == FAILED) { 167 /* Avoid alert loops */ 168 wpa_printf(MSG_DEBUG, "TLSv1: Drop alert loop"); 169 os_free(msg); 170 return NULL; 171 } 172 conn->state = FAILED; 173 os_free(msg); 174 msg = tlsv1_server_send_alert(conn, conn->alert_level, 175 conn->alert_description, 176 out_len); 177 } 178 179 return msg; 180 } 181 182 183 /** 184 * tlsv1_server_encrypt - Encrypt data into TLS tunnel 185 * @conn: TLSv1 server connection data from tlsv1_server_init() 186 * @in_data: Pointer to plaintext data to be encrypted 187 * @in_len: Input buffer length 188 * @out_data: Pointer to output buffer (encrypted TLS data) 189 * @out_len: Maximum out_data length 190 * Returns: Number of bytes written to out_data, -1 on failure 191 * 192 * This function is used after TLS handshake has been completed successfully to 193 * send data in the encrypted tunnel. 194 */ 195 int tlsv1_server_encrypt(struct tlsv1_server *conn, 196 const u8 *in_data, size_t in_len, 197 u8 *out_data, size_t out_len) 198 { 199 size_t rlen; 200 201 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 202 in_data, in_len); 203 204 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 205 out_data, out_len, in_data, in_len, &rlen) < 0) { 206 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 207 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 208 TLS_ALERT_INTERNAL_ERROR); 209 return -1; 210 } 211 212 return rlen; 213 } 214 215 216 /** 217 * tlsv1_server_decrypt - Decrypt data from TLS tunnel 218 * @conn: TLSv1 server connection data from tlsv1_server_init() 219 * @in_data: Pointer to input buffer (encrypted TLS data) 220 * @in_len: Input buffer length 221 * @out_data: Pointer to output buffer (decrypted data from TLS tunnel) 222 * @out_len: Maximum out_data length 223 * Returns: Number of bytes written to out_data, -1 on failure 224 * 225 * This function is used after TLS handshake has been completed successfully to 226 * receive data from the encrypted tunnel. 227 */ 228 int tlsv1_server_decrypt(struct tlsv1_server *conn, 229 const u8 *in_data, size_t in_len, 230 u8 *out_data, size_t out_len) 231 { 232 const u8 *in_end, *pos; 233 int res; 234 u8 alert, *out_end, *out_pos; 235 size_t olen; 236 237 pos = in_data; 238 in_end = in_data + in_len; 239 out_pos = out_data; 240 out_end = out_data + out_len; 241 242 while (pos < in_end) { 243 if (pos[0] != TLS_CONTENT_TYPE_APPLICATION_DATA) { 244 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 245 "0x%x", pos[0]); 246 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 247 TLS_ALERT_UNEXPECTED_MESSAGE); 248 return -1; 249 } 250 251 olen = out_end - out_pos; 252 res = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 253 out_pos, &olen, &alert); 254 if (res < 0) { 255 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 256 "failed"); 257 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 258 return -1; 259 } 260 out_pos += olen; 261 if (out_pos > out_end) { 262 wpa_printf(MSG_DEBUG, "TLSv1: Buffer not large enough " 263 "for processing the received record"); 264 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 265 TLS_ALERT_INTERNAL_ERROR); 266 return -1; 267 } 268 269 pos += TLS_RECORD_HEADER_LEN + WPA_GET_BE16(pos + 3); 270 } 271 272 return out_pos - out_data; 273 } 274 275 276 /** 277 * tlsv1_server_global_init - Initialize TLSv1 server 278 * Returns: 0 on success, -1 on failure 279 * 280 * This function must be called before using any other TLSv1 server functions. 281 */ 282 int tlsv1_server_global_init(void) 283 { 284 return crypto_global_init(); 285 } 286 287 288 /** 289 * tlsv1_server_global_deinit - Deinitialize TLSv1 server 290 * 291 * This function can be used to deinitialize the TLSv1 server that was 292 * initialized by calling tlsv1_server_global_init(). No TLSv1 server functions 293 * can be called after this before calling tlsv1_server_global_init() again. 294 */ 295 void tlsv1_server_global_deinit(void) 296 { 297 crypto_global_deinit(); 298 } 299 300 301 /** 302 * tlsv1_server_init - Initialize TLSv1 server connection 303 * @cred: Pointer to server credentials from tlsv1_server_cred_alloc() 304 * Returns: Pointer to TLSv1 server connection data or %NULL on failure 305 */ 306 struct tlsv1_server * tlsv1_server_init(struct tlsv1_credentials *cred) 307 { 308 struct tlsv1_server *conn; 309 size_t count; 310 u16 *suites; 311 312 conn = os_zalloc(sizeof(*conn)); 313 if (conn == NULL) 314 return NULL; 315 316 conn->cred = cred; 317 318 conn->state = CLIENT_HELLO; 319 320 if (tls_verify_hash_init(&conn->verify) < 0) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 322 "hash"); 323 os_free(conn); 324 return NULL; 325 } 326 327 count = 0; 328 suites = conn->cipher_suites; 329 #ifndef CONFIG_CRYPTO_INTERNAL 330 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 331 #endif /* CONFIG_CRYPTO_INTERNAL */ 332 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 333 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 334 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 335 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 336 conn->num_cipher_suites = count; 337 338 return conn; 339 } 340 341 342 static void tlsv1_server_clear_data(struct tlsv1_server *conn) 343 { 344 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 345 tlsv1_record_change_write_cipher(&conn->rl); 346 tlsv1_record_change_read_cipher(&conn->rl); 347 tls_verify_hash_free(&conn->verify); 348 349 crypto_public_key_free(conn->client_rsa_key); 350 conn->client_rsa_key = NULL; 351 352 os_free(conn->session_ticket); 353 conn->session_ticket = NULL; 354 conn->session_ticket_len = 0; 355 conn->use_session_ticket = 0; 356 357 os_free(conn->dh_secret); 358 conn->dh_secret = NULL; 359 conn->dh_secret_len = 0; 360 } 361 362 363 /** 364 * tlsv1_server_deinit - Deinitialize TLSv1 server connection 365 * @conn: TLSv1 server connection data from tlsv1_server_init() 366 */ 367 void tlsv1_server_deinit(struct tlsv1_server *conn) 368 { 369 tlsv1_server_clear_data(conn); 370 os_free(conn); 371 } 372 373 374 /** 375 * tlsv1_server_established - Check whether connection has been established 376 * @conn: TLSv1 server connection data from tlsv1_server_init() 377 * Returns: 1 if connection is established, 0 if not 378 */ 379 int tlsv1_server_established(struct tlsv1_server *conn) 380 { 381 return conn->state == ESTABLISHED; 382 } 383 384 385 /** 386 * tlsv1_server_prf - Use TLS-PRF to derive keying material 387 * @conn: TLSv1 server connection data from tlsv1_server_init() 388 * @label: Label (e.g., description of the key) for PRF 389 * @server_random_first: seed is 0 = client_random|server_random, 390 * 1 = server_random|client_random 391 * @out: Buffer for output data from TLS-PRF 392 * @out_len: Length of the output buffer 393 * Returns: 0 on success, -1 on failure 394 */ 395 int tlsv1_server_prf(struct tlsv1_server *conn, const char *label, 396 int server_random_first, u8 *out, size_t out_len) 397 { 398 u8 seed[2 * TLS_RANDOM_LEN]; 399 400 if (conn->state != ESTABLISHED) 401 return -1; 402 403 if (server_random_first) { 404 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 405 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 406 TLS_RANDOM_LEN); 407 } else { 408 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 409 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 410 TLS_RANDOM_LEN); 411 } 412 413 return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 414 label, seed, 2 * TLS_RANDOM_LEN, out, out_len); 415 } 416 417 418 /** 419 * tlsv1_server_get_cipher - Get current cipher name 420 * @conn: TLSv1 server connection data from tlsv1_server_init() 421 * @buf: Buffer for the cipher name 422 * @buflen: buf size 423 * Returns: 0 on success, -1 on failure 424 * 425 * Get the name of the currently used cipher. 426 */ 427 int tlsv1_server_get_cipher(struct tlsv1_server *conn, char *buf, 428 size_t buflen) 429 { 430 char *cipher; 431 432 switch (conn->rl.cipher_suite) { 433 case TLS_RSA_WITH_RC4_128_MD5: 434 cipher = "RC4-MD5"; 435 break; 436 case TLS_RSA_WITH_RC4_128_SHA: 437 cipher = "RC4-SHA"; 438 break; 439 case TLS_RSA_WITH_DES_CBC_SHA: 440 cipher = "DES-CBC-SHA"; 441 break; 442 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 443 cipher = "DES-CBC3-SHA"; 444 break; 445 case TLS_DH_anon_WITH_AES_128_CBC_SHA: 446 cipher = "ADH-AES-128-SHA"; 447 break; 448 case TLS_RSA_WITH_AES_256_CBC_SHA: 449 cipher = "AES-256-SHA"; 450 break; 451 case TLS_RSA_WITH_AES_128_CBC_SHA: 452 cipher = "AES-128-SHA"; 453 break; 454 default: 455 return -1; 456 } 457 458 if (os_strlcpy(buf, cipher, buflen) >= buflen) 459 return -1; 460 return 0; 461 } 462 463 464 /** 465 * tlsv1_server_shutdown - Shutdown TLS connection 466 * @conn: TLSv1 server connection data from tlsv1_server_init() 467 * Returns: 0 on success, -1 on failure 468 */ 469 int tlsv1_server_shutdown(struct tlsv1_server *conn) 470 { 471 conn->state = CLIENT_HELLO; 472 473 if (tls_verify_hash_init(&conn->verify) < 0) { 474 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 475 "hash"); 476 return -1; 477 } 478 479 tlsv1_server_clear_data(conn); 480 481 return 0; 482 } 483 484 485 /** 486 * tlsv1_server_resumed - Was session resumption used 487 * @conn: TLSv1 server connection data from tlsv1_server_init() 488 * Returns: 1 if current session used session resumption, 0 if not 489 */ 490 int tlsv1_server_resumed(struct tlsv1_server *conn) 491 { 492 return 0; 493 } 494 495 496 /** 497 * tlsv1_server_get_keys - Get master key and random data from TLS connection 498 * @conn: TLSv1 server connection data from tlsv1_server_init() 499 * @keys: Structure of key/random data (filled on success) 500 * Returns: 0 on success, -1 on failure 501 */ 502 int tlsv1_server_get_keys(struct tlsv1_server *conn, struct tls_keys *keys) 503 { 504 os_memset(keys, 0, sizeof(*keys)); 505 if (conn->state == CLIENT_HELLO) 506 return -1; 507 508 keys->client_random = conn->client_random; 509 keys->client_random_len = TLS_RANDOM_LEN; 510 511 if (conn->state != SERVER_HELLO) { 512 keys->server_random = conn->server_random; 513 keys->server_random_len = TLS_RANDOM_LEN; 514 keys->master_key = conn->master_secret; 515 keys->master_key_len = TLS_MASTER_SECRET_LEN; 516 } 517 518 return 0; 519 } 520 521 522 /** 523 * tlsv1_server_get_keyblock_size - Get TLS key_block size 524 * @conn: TLSv1 server connection data from tlsv1_server_init() 525 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 526 * failure 527 */ 528 int tlsv1_server_get_keyblock_size(struct tlsv1_server *conn) 529 { 530 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 531 return -1; 532 533 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 534 conn->rl.iv_size); 535 } 536 537 538 /** 539 * tlsv1_server_set_cipher_list - Configure acceptable cipher suites 540 * @conn: TLSv1 server connection data from tlsv1_server_init() 541 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 542 * (TLS_CIPHER_*). 543 * Returns: 0 on success, -1 on failure 544 */ 545 int tlsv1_server_set_cipher_list(struct tlsv1_server *conn, u8 *ciphers) 546 { 547 size_t count; 548 u16 *suites; 549 550 /* TODO: implement proper configuration of cipher suites */ 551 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 552 count = 0; 553 suites = conn->cipher_suites; 554 #ifndef CONFIG_CRYPTO_INTERNAL 555 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 556 #endif /* CONFIG_CRYPTO_INTERNAL */ 557 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 558 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 559 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 560 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 561 #ifndef CONFIG_CRYPTO_INTERNAL 562 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 563 #endif /* CONFIG_CRYPTO_INTERNAL */ 564 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 565 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 566 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 567 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 568 conn->num_cipher_suites = count; 569 } 570 571 return 0; 572 } 573 574 575 int tlsv1_server_set_verify(struct tlsv1_server *conn, int verify_peer) 576 { 577 conn->verify_peer = verify_peer; 578 return 0; 579 } 580 581 582 void tlsv1_server_set_session_ticket_cb(struct tlsv1_server *conn, 583 tlsv1_server_session_ticket_cb cb, 584 void *ctx) 585 { 586 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", 587 cb, ctx); 588 conn->session_ticket_cb = cb; 589 conn->session_ticket_cb_ctx = ctx; 590 } 591