1 /* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/md5.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "x509v3.h" 22 #include "tlsv1_common.h" 23 #include "tlsv1_record.h" 24 #include "tlsv1_server.h" 25 #include "tlsv1_server_i.h" 26 27 28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 29 const u8 *in_data, size_t *in_len); 30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 31 u8 ct, const u8 *in_data, 32 size_t *in_len); 33 34 35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 36 const u8 *in_data, size_t *in_len) 37 { 38 const u8 *pos, *end, *c; 39 size_t left, len, i, j; 40 u16 cipher_suite; 41 u16 num_suites; 42 int compr_null_found; 43 u16 ext_type, ext_len; 44 45 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 46 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 47 "received content type 0x%x", ct); 48 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49 TLS_ALERT_UNEXPECTED_MESSAGE); 50 return -1; 51 } 52 53 pos = in_data; 54 left = *in_len; 55 56 if (left < 4) 57 goto decode_error; 58 59 /* HandshakeType msg_type */ 60 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 61 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 62 "message %d (expected ClientHello)", *pos); 63 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 64 TLS_ALERT_UNEXPECTED_MESSAGE); 65 return -1; 66 } 67 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 68 pos++; 69 /* uint24 length */ 70 len = WPA_GET_BE24(pos); 71 pos += 3; 72 left -= 4; 73 74 if (len > left) 75 goto decode_error; 76 77 /* body - ClientHello */ 78 79 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 80 end = pos + len; 81 82 /* ProtocolVersion client_version */ 83 if (end - pos < 2) 84 goto decode_error; 85 conn->client_version = WPA_GET_BE16(pos); 86 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 87 conn->client_version >> 8, conn->client_version & 0xff); 88 if (conn->client_version < TLS_VERSION_1) { 89 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 90 "ClientHello %u.%u", 91 conn->client_version >> 8, 92 conn->client_version & 0xff); 93 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 94 TLS_ALERT_PROTOCOL_VERSION); 95 return -1; 96 } 97 pos += 2; 98 99 if (TLS_VERSION == TLS_VERSION_1) 100 conn->rl.tls_version = TLS_VERSION_1; 101 else if (conn->client_version > TLS_VERSION_1_1) 102 conn->rl.tls_version = TLS_VERSION_1_1; 103 else 104 conn->rl.tls_version = conn->client_version; 105 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 106 conn->rl.tls_version == TLS_VERSION_1_1 ? "1.1" : "1.0"); 107 108 /* Random random */ 109 if (end - pos < TLS_RANDOM_LEN) 110 goto decode_error; 111 112 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 113 pos += TLS_RANDOM_LEN; 114 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 115 conn->client_random, TLS_RANDOM_LEN); 116 117 /* SessionID session_id */ 118 if (end - pos < 1) 119 goto decode_error; 120 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 121 goto decode_error; 122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 123 pos += 1 + *pos; 124 /* TODO: add support for session resumption */ 125 126 /* CipherSuite cipher_suites<2..2^16-1> */ 127 if (end - pos < 2) 128 goto decode_error; 129 num_suites = WPA_GET_BE16(pos); 130 pos += 2; 131 if (end - pos < num_suites) 132 goto decode_error; 133 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 134 pos, num_suites); 135 if (num_suites & 1) 136 goto decode_error; 137 num_suites /= 2; 138 139 cipher_suite = 0; 140 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 141 c = pos; 142 for (j = 0; j < num_suites; j++) { 143 u16 tmp = WPA_GET_BE16(c); 144 c += 2; 145 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 146 cipher_suite = tmp; 147 break; 148 } 149 } 150 } 151 pos += num_suites * 2; 152 if (!cipher_suite) { 153 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 154 "available"); 155 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 156 TLS_ALERT_ILLEGAL_PARAMETER); 157 return -1; 158 } 159 160 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 161 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 162 "record layer"); 163 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 164 TLS_ALERT_INTERNAL_ERROR); 165 return -1; 166 } 167 168 conn->cipher_suite = cipher_suite; 169 170 /* CompressionMethod compression_methods<1..2^8-1> */ 171 if (end - pos < 1) 172 goto decode_error; 173 num_suites = *pos++; 174 if (end - pos < num_suites) 175 goto decode_error; 176 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 177 pos, num_suites); 178 compr_null_found = 0; 179 for (i = 0; i < num_suites; i++) { 180 if (*pos++ == TLS_COMPRESSION_NULL) 181 compr_null_found = 1; 182 } 183 if (!compr_null_found) { 184 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 185 "compression"); 186 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 187 TLS_ALERT_ILLEGAL_PARAMETER); 188 return -1; 189 } 190 191 if (end - pos == 1) { 192 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 193 "end of ClientHello: 0x%02x", *pos); 194 goto decode_error; 195 } 196 197 if (end - pos >= 2) { 198 /* Extension client_hello_extension_list<0..2^16-1> */ 199 ext_len = WPA_GET_BE16(pos); 200 pos += 2; 201 202 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 203 "extensions", ext_len); 204 if (end - pos != ext_len) { 205 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 206 "extension list length %u (expected %u)", 207 ext_len, (unsigned int) (end - pos)); 208 goto decode_error; 209 } 210 211 /* 212 * struct { 213 * ExtensionType extension_type (0..65535) 214 * opaque extension_data<0..2^16-1> 215 * } Extension; 216 */ 217 218 while (pos < end) { 219 if (end - pos < 2) { 220 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 221 "extension_type field"); 222 goto decode_error; 223 } 224 225 ext_type = WPA_GET_BE16(pos); 226 pos += 2; 227 228 if (end - pos < 2) { 229 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 230 "extension_data length field"); 231 goto decode_error; 232 } 233 234 ext_len = WPA_GET_BE16(pos); 235 pos += 2; 236 237 if (end - pos < ext_len) { 238 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 239 "extension_data field"); 240 goto decode_error; 241 } 242 243 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 244 "type %u", ext_type); 245 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 246 "Extension data", pos, ext_len); 247 248 if (ext_type == TLS_EXT_SESSION_TICKET) { 249 os_free(conn->session_ticket); 250 conn->session_ticket = os_malloc(ext_len); 251 if (conn->session_ticket) { 252 os_memcpy(conn->session_ticket, pos, 253 ext_len); 254 conn->session_ticket_len = ext_len; 255 } 256 } 257 258 pos += ext_len; 259 } 260 } 261 262 *in_len = end - in_data; 263 264 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 265 "ServerHello"); 266 conn->state = SERVER_HELLO; 267 268 return 0; 269 270 decode_error: 271 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 272 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 273 TLS_ALERT_DECODE_ERROR); 274 return -1; 275 } 276 277 278 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 279 const u8 *in_data, size_t *in_len) 280 { 281 const u8 *pos, *end; 282 size_t left, len, list_len, cert_len, idx; 283 u8 type; 284 struct x509_certificate *chain = NULL, *last = NULL, *cert; 285 int reason; 286 287 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 289 "received content type 0x%x", ct); 290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 291 TLS_ALERT_UNEXPECTED_MESSAGE); 292 return -1; 293 } 294 295 pos = in_data; 296 left = *in_len; 297 298 if (left < 4) { 299 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 300 "(len=%lu)", (unsigned long) left); 301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 302 TLS_ALERT_DECODE_ERROR); 303 return -1; 304 } 305 306 type = *pos++; 307 len = WPA_GET_BE24(pos); 308 pos += 3; 309 left -= 4; 310 311 if (len > left) { 312 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 313 "length (len=%lu != left=%lu)", 314 (unsigned long) len, (unsigned long) left); 315 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 316 TLS_ALERT_DECODE_ERROR); 317 return -1; 318 } 319 320 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 321 if (conn->verify_peer) { 322 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 323 "Certificate"); 324 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 325 TLS_ALERT_UNEXPECTED_MESSAGE); 326 return -1; 327 } 328 329 return tls_process_client_key_exchange(conn, ct, in_data, 330 in_len); 331 } 332 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 333 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 334 "message %d (expected Certificate/" 335 "ClientKeyExchange)", type); 336 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 337 TLS_ALERT_UNEXPECTED_MESSAGE); 338 return -1; 339 } 340 341 wpa_printf(MSG_DEBUG, 342 "TLSv1: Received Certificate (certificate_list len %lu)", 343 (unsigned long) len); 344 345 /* 346 * opaque ASN.1Cert<2^24-1>; 347 * 348 * struct { 349 * ASN.1Cert certificate_list<1..2^24-1>; 350 * } Certificate; 351 */ 352 353 end = pos + len; 354 355 if (end - pos < 3) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 357 "(left=%lu)", (unsigned long) left); 358 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 359 TLS_ALERT_DECODE_ERROR); 360 return -1; 361 } 362 363 list_len = WPA_GET_BE24(pos); 364 pos += 3; 365 366 if ((size_t) (end - pos) != list_len) { 367 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 368 "length (len=%lu left=%lu)", 369 (unsigned long) list_len, 370 (unsigned long) (end - pos)); 371 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 372 TLS_ALERT_DECODE_ERROR); 373 return -1; 374 } 375 376 idx = 0; 377 while (pos < end) { 378 if (end - pos < 3) { 379 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 380 "certificate_list"); 381 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 382 TLS_ALERT_DECODE_ERROR); 383 x509_certificate_chain_free(chain); 384 return -1; 385 } 386 387 cert_len = WPA_GET_BE24(pos); 388 pos += 3; 389 390 if ((size_t) (end - pos) < cert_len) { 391 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 392 "length (len=%lu left=%lu)", 393 (unsigned long) cert_len, 394 (unsigned long) (end - pos)); 395 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 396 TLS_ALERT_DECODE_ERROR); 397 x509_certificate_chain_free(chain); 398 return -1; 399 } 400 401 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 402 (unsigned long) idx, (unsigned long) cert_len); 403 404 if (idx == 0) { 405 crypto_public_key_free(conn->client_rsa_key); 406 if (tls_parse_cert(pos, cert_len, 407 &conn->client_rsa_key)) { 408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 409 "the certificate"); 410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 411 TLS_ALERT_BAD_CERTIFICATE); 412 x509_certificate_chain_free(chain); 413 return -1; 414 } 415 } 416 417 cert = x509_certificate_parse(pos, cert_len); 418 if (cert == NULL) { 419 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 420 "the certificate"); 421 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 422 TLS_ALERT_BAD_CERTIFICATE); 423 x509_certificate_chain_free(chain); 424 return -1; 425 } 426 427 if (last == NULL) 428 chain = cert; 429 else 430 last->next = cert; 431 last = cert; 432 433 idx++; 434 pos += cert_len; 435 } 436 437 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 438 &reason, 0) < 0) { 439 int tls_reason; 440 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 441 "validation failed (reason=%d)", reason); 442 switch (reason) { 443 case X509_VALIDATE_BAD_CERTIFICATE: 444 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 445 break; 446 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 447 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 448 break; 449 case X509_VALIDATE_CERTIFICATE_REVOKED: 450 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 451 break; 452 case X509_VALIDATE_CERTIFICATE_EXPIRED: 453 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 454 break; 455 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 456 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 457 break; 458 case X509_VALIDATE_UNKNOWN_CA: 459 tls_reason = TLS_ALERT_UNKNOWN_CA; 460 break; 461 default: 462 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 463 break; 464 } 465 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 466 x509_certificate_chain_free(chain); 467 return -1; 468 } 469 470 x509_certificate_chain_free(chain); 471 472 *in_len = end - in_data; 473 474 conn->state = CLIENT_KEY_EXCHANGE; 475 476 return 0; 477 } 478 479 480 static int tls_process_client_key_exchange_rsa( 481 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 482 { 483 u8 *out; 484 size_t outlen, outbuflen; 485 u16 encr_len; 486 int res; 487 int use_random = 0; 488 489 if (end - pos < 2) { 490 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 491 TLS_ALERT_DECODE_ERROR); 492 return -1; 493 } 494 495 encr_len = WPA_GET_BE16(pos); 496 pos += 2; 497 if (pos + encr_len > end) { 498 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientKeyExchange " 499 "format: encr_len=%u left=%u", 500 encr_len, (unsigned int) (end - pos)); 501 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 502 TLS_ALERT_DECODE_ERROR); 503 return -1; 504 } 505 506 outbuflen = outlen = end - pos; 507 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 508 outlen : TLS_PRE_MASTER_SECRET_LEN); 509 if (out == NULL) { 510 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 511 TLS_ALERT_INTERNAL_ERROR); 512 return -1; 513 } 514 515 /* 516 * struct { 517 * ProtocolVersion client_version; 518 * opaque random[46]; 519 * } PreMasterSecret; 520 * 521 * struct { 522 * public-key-encrypted PreMasterSecret pre_master_secret; 523 * } EncryptedPreMasterSecret; 524 */ 525 526 /* 527 * Note: To avoid Bleichenbacher attack, we do not report decryption or 528 * parsing errors from EncryptedPreMasterSecret processing to the 529 * client. Instead, a random pre-master secret is used to force the 530 * handshake to fail. 531 */ 532 533 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 534 pos, encr_len, 535 out, &outlen) < 0) { 536 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 537 "PreMasterSecret (encr_len=%u outlen=%lu)", 538 encr_len, (unsigned long) outlen); 539 use_random = 1; 540 } 541 542 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) { 543 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 544 "length %lu", (unsigned long) outlen); 545 use_random = 1; 546 } 547 548 if (!use_random && WPA_GET_BE16(out) != conn->client_version) { 549 wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 550 "ClientKeyExchange does not match with version in " 551 "ClientHello"); 552 use_random = 1; 553 } 554 555 if (use_random) { 556 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 557 "to avoid revealing information about private key"); 558 outlen = TLS_PRE_MASTER_SECRET_LEN; 559 if (os_get_random(out, outlen)) { 560 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 561 "data"); 562 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 563 TLS_ALERT_INTERNAL_ERROR); 564 os_free(out); 565 return -1; 566 } 567 } 568 569 res = tlsv1_server_derive_keys(conn, out, outlen); 570 571 /* Clear the pre-master secret since it is not needed anymore */ 572 os_memset(out, 0, outbuflen); 573 os_free(out); 574 575 if (res) { 576 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 577 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 578 TLS_ALERT_INTERNAL_ERROR); 579 return -1; 580 } 581 582 return 0; 583 } 584 585 586 static int tls_process_client_key_exchange_dh_anon( 587 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 588 { 589 const u8 *dh_yc; 590 u16 dh_yc_len; 591 u8 *shared; 592 size_t shared_len; 593 int res; 594 595 /* 596 * struct { 597 * select (PublicValueEncoding) { 598 * case implicit: struct { }; 599 * case explicit: opaque dh_Yc<1..2^16-1>; 600 * } dh_public; 601 * } ClientDiffieHellmanPublic; 602 */ 603 604 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 605 pos, end - pos); 606 607 if (end == pos) { 608 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 609 "not supported"); 610 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 611 TLS_ALERT_INTERNAL_ERROR); 612 return -1; 613 } 614 615 if (end - pos < 3) { 616 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 617 "length"); 618 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 619 TLS_ALERT_DECODE_ERROR); 620 return -1; 621 } 622 623 dh_yc_len = WPA_GET_BE16(pos); 624 dh_yc = pos + 2; 625 626 if (dh_yc + dh_yc_len > end) { 627 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 628 "(length %d)", dh_yc_len); 629 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 630 TLS_ALERT_DECODE_ERROR); 631 return -1; 632 } 633 634 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 635 dh_yc, dh_yc_len); 636 637 if (conn->cred == NULL || conn->cred->dh_p == NULL || 638 conn->dh_secret == NULL) { 639 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 640 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 641 TLS_ALERT_INTERNAL_ERROR); 642 return -1; 643 } 644 645 shared_len = conn->cred->dh_p_len; 646 shared = os_malloc(shared_len); 647 if (shared == NULL) { 648 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 649 "DH"); 650 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 651 TLS_ALERT_INTERNAL_ERROR); 652 return -1; 653 } 654 655 /* shared = Yc^secret mod p */ 656 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 657 conn->dh_secret_len, 658 conn->cred->dh_p, conn->cred->dh_p_len, 659 shared, &shared_len)) { 660 os_free(shared); 661 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 662 TLS_ALERT_INTERNAL_ERROR); 663 return -1; 664 } 665 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 666 shared, shared_len); 667 668 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 669 os_free(conn->dh_secret); 670 conn->dh_secret = NULL; 671 672 res = tlsv1_server_derive_keys(conn, shared, shared_len); 673 674 /* Clear the pre-master secret since it is not needed anymore */ 675 os_memset(shared, 0, shared_len); 676 os_free(shared); 677 678 if (res) { 679 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 680 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 681 TLS_ALERT_INTERNAL_ERROR); 682 return -1; 683 } 684 685 return 0; 686 } 687 688 689 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 690 const u8 *in_data, size_t *in_len) 691 { 692 const u8 *pos, *end; 693 size_t left, len; 694 u8 type; 695 tls_key_exchange keyx; 696 const struct tls_cipher_suite *suite; 697 698 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 699 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 700 "received content type 0x%x", ct); 701 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 702 TLS_ALERT_UNEXPECTED_MESSAGE); 703 return -1; 704 } 705 706 pos = in_data; 707 left = *in_len; 708 709 if (left < 4) { 710 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 711 "(Left=%lu)", (unsigned long) left); 712 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 713 TLS_ALERT_DECODE_ERROR); 714 return -1; 715 } 716 717 type = *pos++; 718 len = WPA_GET_BE24(pos); 719 pos += 3; 720 left -= 4; 721 722 if (len > left) { 723 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 724 "length (len=%lu != left=%lu)", 725 (unsigned long) len, (unsigned long) left); 726 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 727 TLS_ALERT_DECODE_ERROR); 728 return -1; 729 } 730 731 end = pos + len; 732 733 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 734 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 735 "message %d (expected ClientKeyExchange)", type); 736 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 737 TLS_ALERT_UNEXPECTED_MESSAGE); 738 return -1; 739 } 740 741 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 742 743 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 744 745 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 746 if (suite == NULL) 747 keyx = TLS_KEY_X_NULL; 748 else 749 keyx = suite->key_exchange; 750 751 if (keyx == TLS_KEY_X_DH_anon && 752 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 753 return -1; 754 755 if (keyx != TLS_KEY_X_DH_anon && 756 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 757 return -1; 758 759 *in_len = end - in_data; 760 761 conn->state = CERTIFICATE_VERIFY; 762 763 return 0; 764 } 765 766 767 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 768 const u8 *in_data, size_t *in_len) 769 { 770 const u8 *pos, *end; 771 size_t left, len; 772 u8 type; 773 size_t hlen, buflen; 774 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 775 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 776 u16 slen; 777 778 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 779 if (conn->verify_peer) { 780 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 781 "CertificateVerify"); 782 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 783 TLS_ALERT_UNEXPECTED_MESSAGE); 784 return -1; 785 } 786 787 return tls_process_change_cipher_spec(conn, ct, in_data, 788 in_len); 789 } 790 791 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 792 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 793 "received content type 0x%x", ct); 794 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 795 TLS_ALERT_UNEXPECTED_MESSAGE); 796 return -1; 797 } 798 799 pos = in_data; 800 left = *in_len; 801 802 if (left < 4) { 803 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 804 "message (len=%lu)", (unsigned long) left); 805 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 806 TLS_ALERT_DECODE_ERROR); 807 return -1; 808 } 809 810 type = *pos++; 811 len = WPA_GET_BE24(pos); 812 pos += 3; 813 left -= 4; 814 815 if (len > left) { 816 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 817 "message length (len=%lu != left=%lu)", 818 (unsigned long) len, (unsigned long) left); 819 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 820 TLS_ALERT_DECODE_ERROR); 821 return -1; 822 } 823 824 end = pos + len; 825 826 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 827 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 828 "message %d (expected CertificateVerify)", type); 829 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 830 TLS_ALERT_UNEXPECTED_MESSAGE); 831 return -1; 832 } 833 834 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 835 836 /* 837 * struct { 838 * Signature signature; 839 * } CertificateVerify; 840 */ 841 842 hpos = hash; 843 844 if (alg == SIGN_ALG_RSA) { 845 hlen = MD5_MAC_LEN; 846 if (conn->verify.md5_cert == NULL || 847 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 848 { 849 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 850 TLS_ALERT_INTERNAL_ERROR); 851 conn->verify.md5_cert = NULL; 852 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 853 conn->verify.sha1_cert = NULL; 854 return -1; 855 } 856 hpos += MD5_MAC_LEN; 857 } else 858 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 859 860 conn->verify.md5_cert = NULL; 861 hlen = SHA1_MAC_LEN; 862 if (conn->verify.sha1_cert == NULL || 863 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 864 conn->verify.sha1_cert = NULL; 865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 866 TLS_ALERT_INTERNAL_ERROR); 867 return -1; 868 } 869 conn->verify.sha1_cert = NULL; 870 871 if (alg == SIGN_ALG_RSA) 872 hlen += MD5_MAC_LEN; 873 874 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 875 876 if (end - pos < 2) { 877 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 878 TLS_ALERT_DECODE_ERROR); 879 return -1; 880 } 881 slen = WPA_GET_BE16(pos); 882 pos += 2; 883 if (end - pos < slen) { 884 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 885 TLS_ALERT_DECODE_ERROR); 886 return -1; 887 } 888 889 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 890 if (conn->client_rsa_key == NULL) { 891 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 892 "signature"); 893 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 894 TLS_ALERT_INTERNAL_ERROR); 895 return -1; 896 } 897 898 buflen = end - pos; 899 buf = os_malloc(end - pos); 900 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 901 pos, end - pos, buf, &buflen) < 0) 902 { 903 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 904 os_free(buf); 905 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 906 TLS_ALERT_DECRYPT_ERROR); 907 return -1; 908 } 909 910 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 911 buf, buflen); 912 913 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 914 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 915 "CertificateVerify - did not match with calculated " 916 "hash"); 917 os_free(buf); 918 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 919 TLS_ALERT_DECRYPT_ERROR); 920 return -1; 921 } 922 923 os_free(buf); 924 925 *in_len = end - in_data; 926 927 conn->state = CHANGE_CIPHER_SPEC; 928 929 return 0; 930 } 931 932 933 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 934 u8 ct, const u8 *in_data, 935 size_t *in_len) 936 { 937 const u8 *pos; 938 size_t left; 939 940 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 941 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 942 "received content type 0x%x", ct); 943 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 944 TLS_ALERT_UNEXPECTED_MESSAGE); 945 return -1; 946 } 947 948 pos = in_data; 949 left = *in_len; 950 951 if (left < 1) { 952 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 953 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 954 TLS_ALERT_DECODE_ERROR); 955 return -1; 956 } 957 958 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 959 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 960 "received data 0x%x", *pos); 961 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 962 TLS_ALERT_UNEXPECTED_MESSAGE); 963 return -1; 964 } 965 966 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 967 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 968 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 969 "for record layer"); 970 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 971 TLS_ALERT_INTERNAL_ERROR); 972 return -1; 973 } 974 975 *in_len = pos + 1 - in_data; 976 977 conn->state = CLIENT_FINISHED; 978 979 return 0; 980 } 981 982 983 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 984 const u8 *in_data, size_t *in_len) 985 { 986 const u8 *pos, *end; 987 size_t left, len, hlen; 988 u8 verify_data[TLS_VERIFY_DATA_LEN]; 989 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 990 991 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 992 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 993 "received content type 0x%x", ct); 994 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 995 TLS_ALERT_UNEXPECTED_MESSAGE); 996 return -1; 997 } 998 999 pos = in_data; 1000 left = *in_len; 1001 1002 if (left < 4) { 1003 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 1004 "Finished", 1005 (unsigned long) left); 1006 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1007 TLS_ALERT_DECODE_ERROR); 1008 return -1; 1009 } 1010 1011 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 1012 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 1013 "type 0x%x", pos[0]); 1014 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1015 TLS_ALERT_UNEXPECTED_MESSAGE); 1016 return -1; 1017 } 1018 1019 len = WPA_GET_BE24(pos + 1); 1020 1021 pos += 4; 1022 left -= 4; 1023 1024 if (len > left) { 1025 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1026 "(len=%lu > left=%lu)", 1027 (unsigned long) len, (unsigned long) left); 1028 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1029 TLS_ALERT_DECODE_ERROR); 1030 return -1; 1031 } 1032 end = pos + len; 1033 if (len != TLS_VERIFY_DATA_LEN) { 1034 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1035 "in Finished: %lu (expected %d)", 1036 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1037 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1038 TLS_ALERT_DECODE_ERROR); 1039 return -1; 1040 } 1041 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1042 pos, TLS_VERIFY_DATA_LEN); 1043 1044 hlen = MD5_MAC_LEN; 1045 if (conn->verify.md5_client == NULL || 1046 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1047 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1048 TLS_ALERT_INTERNAL_ERROR); 1049 conn->verify.md5_client = NULL; 1050 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1051 conn->verify.sha1_client = NULL; 1052 return -1; 1053 } 1054 conn->verify.md5_client = NULL; 1055 hlen = SHA1_MAC_LEN; 1056 if (conn->verify.sha1_client == NULL || 1057 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1058 &hlen) < 0) { 1059 conn->verify.sha1_client = NULL; 1060 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1061 TLS_ALERT_INTERNAL_ERROR); 1062 return -1; 1063 } 1064 conn->verify.sha1_client = NULL; 1065 1066 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1067 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 1068 verify_data, TLS_VERIFY_DATA_LEN)) { 1069 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1070 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1071 TLS_ALERT_DECRYPT_ERROR); 1072 return -1; 1073 } 1074 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1075 verify_data, TLS_VERIFY_DATA_LEN); 1076 1077 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1078 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1079 return -1; 1080 } 1081 1082 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1083 1084 *in_len = end - in_data; 1085 1086 if (conn->use_session_ticket) { 1087 /* Abbreviated handshake using session ticket; RFC 4507 */ 1088 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 1089 "successfully"); 1090 conn->state = ESTABLISHED; 1091 } else { 1092 /* Full handshake */ 1093 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1094 } 1095 1096 return 0; 1097 } 1098 1099 1100 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1101 const u8 *buf, size_t *len) 1102 { 1103 if (ct == TLS_CONTENT_TYPE_ALERT) { 1104 if (*len < 2) { 1105 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1106 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1107 TLS_ALERT_DECODE_ERROR); 1108 return -1; 1109 } 1110 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1111 buf[0], buf[1]); 1112 *len = 2; 1113 conn->state = FAILED; 1114 return -1; 1115 } 1116 1117 switch (conn->state) { 1118 case CLIENT_HELLO: 1119 if (tls_process_client_hello(conn, ct, buf, len)) 1120 return -1; 1121 break; 1122 case CLIENT_CERTIFICATE: 1123 if (tls_process_certificate(conn, ct, buf, len)) 1124 return -1; 1125 break; 1126 case CLIENT_KEY_EXCHANGE: 1127 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1128 return -1; 1129 break; 1130 case CERTIFICATE_VERIFY: 1131 if (tls_process_certificate_verify(conn, ct, buf, len)) 1132 return -1; 1133 break; 1134 case CHANGE_CIPHER_SPEC: 1135 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1136 return -1; 1137 break; 1138 case CLIENT_FINISHED: 1139 if (tls_process_client_finished(conn, ct, buf, len)) 1140 return -1; 1141 break; 1142 default: 1143 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1144 "while processing received message", 1145 conn->state); 1146 return -1; 1147 } 1148 1149 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1150 tls_verify_hash_add(&conn->verify, buf, *len); 1151 1152 return 0; 1153 } 1154