1 /*
2 * TLSv1 server - read handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_server.h"
20 #include "tlsv1_server_i.h"
21
22
23 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
24 const u8 *in_data, size_t *in_len);
25 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
26 u8 ct, const u8 *in_data,
27 size_t *in_len);
28
29
testing_cipher_suite_filter(struct tlsv1_server * conn,u16 suite)30 static int testing_cipher_suite_filter(struct tlsv1_server *conn, u16 suite)
31 {
32 #ifdef CONFIG_TESTING_OPTIONS
33 if ((conn->test_flags &
34 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE |
35 TLS_DHE_PRIME_511B | TLS_DHE_PRIME_767B | TLS_DHE_PRIME_15 |
36 TLS_DHE_PRIME_58B | TLS_DHE_NON_PRIME)) &&
37 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
38 suite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
39 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
40 suite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
41 suite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 return 1;
43 #endif /* CONFIG_TESTING_OPTIONS */
44
45 return 0;
46 }
47
48
tls_process_client_hello(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)49 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
50 const u8 *in_data, size_t *in_len)
51 {
52 const u8 *pos, *end, *c;
53 size_t left, len, i, j;
54 u16 cipher_suite;
55 u16 num_suites;
56 int compr_null_found;
57 u16 ext_type, ext_len;
58
59 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
60 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
61 ct);
62 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
63 TLS_ALERT_UNEXPECTED_MESSAGE);
64 return -1;
65 }
66
67 pos = in_data;
68 left = *in_len;
69
70 if (left < 4)
71 goto decode_error;
72
73 /* HandshakeType msg_type */
74 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
75 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientHello)",
76 *pos);
77 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
78 TLS_ALERT_UNEXPECTED_MESSAGE);
79 return -1;
80 }
81 tlsv1_server_log(conn, "Received ClientHello");
82 pos++;
83 /* uint24 length */
84 len = WPA_GET_BE24(pos);
85 pos += 3;
86 left -= 4;
87
88 if (len > left)
89 goto decode_error;
90
91 /* body - ClientHello */
92
93 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
94 end = pos + len;
95
96 /* ProtocolVersion client_version */
97 if (end - pos < 2)
98 goto decode_error;
99 conn->client_version = WPA_GET_BE16(pos);
100 tlsv1_server_log(conn, "Client version %d.%d",
101 conn->client_version >> 8,
102 conn->client_version & 0xff);
103 if (conn->client_version < TLS_VERSION_1) {
104 tlsv1_server_log(conn, "Unexpected protocol version in ClientHello %u.%u",
105 conn->client_version >> 8,
106 conn->client_version & 0xff);
107 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
108 TLS_ALERT_PROTOCOL_VERSION);
109 return -1;
110 }
111 pos += 2;
112
113 if (TLS_VERSION == TLS_VERSION_1)
114 conn->rl.tls_version = TLS_VERSION_1;
115 #ifdef CONFIG_TLSV12
116 else if (conn->client_version >= TLS_VERSION_1_2)
117 conn->rl.tls_version = TLS_VERSION_1_2;
118 #endif /* CONFIG_TLSV12 */
119 else if (conn->client_version > TLS_VERSION_1_1)
120 conn->rl.tls_version = TLS_VERSION_1_1;
121 else
122 conn->rl.tls_version = conn->client_version;
123 tlsv1_server_log(conn, "Using TLS v%s",
124 tls_version_str(conn->rl.tls_version));
125
126 /* Random random */
127 if (end - pos < TLS_RANDOM_LEN)
128 goto decode_error;
129
130 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
131 pos += TLS_RANDOM_LEN;
132 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
133 conn->client_random, TLS_RANDOM_LEN);
134
135 /* SessionID session_id */
136 if (end - pos < 1)
137 goto decode_error;
138 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
139 goto decode_error;
140 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
141 pos += 1 + *pos;
142 /* TODO: add support for session resumption */
143
144 /* CipherSuite cipher_suites<2..2^16-1> */
145 if (end - pos < 2)
146 goto decode_error;
147 num_suites = WPA_GET_BE16(pos);
148 pos += 2;
149 if (end - pos < num_suites)
150 goto decode_error;
151 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
152 pos, num_suites);
153 if (num_suites & 1)
154 goto decode_error;
155 num_suites /= 2;
156
157 cipher_suite = 0;
158 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
159 if (testing_cipher_suite_filter(conn, conn->cipher_suites[i]))
160 continue;
161 c = pos;
162 for (j = 0; j < num_suites; j++) {
163 u16 tmp = WPA_GET_BE16(c);
164 c += 2;
165 if (!cipher_suite && tmp == conn->cipher_suites[i]) {
166 cipher_suite = tmp;
167 break;
168 }
169 }
170 }
171 pos += num_suites * 2;
172 if (!cipher_suite) {
173 tlsv1_server_log(conn, "No supported cipher suite available");
174 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
175 TLS_ALERT_ILLEGAL_PARAMETER);
176 return -1;
177 }
178
179 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
180 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
181 "record layer");
182 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
183 TLS_ALERT_INTERNAL_ERROR);
184 return -1;
185 }
186
187 conn->cipher_suite = cipher_suite;
188
189 /* CompressionMethod compression_methods<1..2^8-1> */
190 if (end - pos < 1)
191 goto decode_error;
192 num_suites = *pos++;
193 if (end - pos < num_suites)
194 goto decode_error;
195 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
196 pos, num_suites);
197 compr_null_found = 0;
198 for (i = 0; i < num_suites; i++) {
199 if (*pos++ == TLS_COMPRESSION_NULL)
200 compr_null_found = 1;
201 }
202 if (!compr_null_found) {
203 tlsv1_server_log(conn, "Client does not accept NULL compression");
204 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
205 TLS_ALERT_ILLEGAL_PARAMETER);
206 return -1;
207 }
208
209 if (end - pos == 1) {
210 tlsv1_server_log(conn, "Unexpected extra octet in the end of ClientHello: 0x%02x",
211 *pos);
212 goto decode_error;
213 }
214
215 if (end - pos >= 2) {
216 /* Extension client_hello_extension_list<0..2^16-1> */
217 ext_len = WPA_GET_BE16(pos);
218 pos += 2;
219
220 tlsv1_server_log(conn, "%u bytes of ClientHello extensions",
221 ext_len);
222 if (end - pos != ext_len) {
223 tlsv1_server_log(conn, "Invalid ClientHello extension list length %u (expected %u)",
224 ext_len, (unsigned int) (end - pos));
225 goto decode_error;
226 }
227
228 /*
229 * struct {
230 * ExtensionType extension_type (0..65535)
231 * opaque extension_data<0..2^16-1>
232 * } Extension;
233 */
234
235 while (pos < end) {
236 if (end - pos < 2) {
237 tlsv1_server_log(conn, "Invalid extension_type field");
238 goto decode_error;
239 }
240
241 ext_type = WPA_GET_BE16(pos);
242 pos += 2;
243
244 if (end - pos < 2) {
245 tlsv1_server_log(conn, "Invalid extension_data length field");
246 goto decode_error;
247 }
248
249 ext_len = WPA_GET_BE16(pos);
250 pos += 2;
251
252 if (end - pos < ext_len) {
253 tlsv1_server_log(conn, "Invalid extension_data field");
254 goto decode_error;
255 }
256
257 tlsv1_server_log(conn, "ClientHello Extension type %u",
258 ext_type);
259 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
260 "Extension data", pos, ext_len);
261
262 if (ext_type == TLS_EXT_SESSION_TICKET) {
263 os_free(conn->session_ticket);
264 conn->session_ticket = os_malloc(ext_len);
265 if (conn->session_ticket) {
266 os_memcpy(conn->session_ticket, pos,
267 ext_len);
268 conn->session_ticket_len = ext_len;
269 }
270 }
271
272 pos += ext_len;
273 }
274 }
275
276 *in_len = end - in_data;
277
278 tlsv1_server_log(conn, "ClientHello OK - proceed to ServerHello");
279 conn->state = SERVER_HELLO;
280
281 return 0;
282
283 decode_error:
284 tlsv1_server_log(conn, "Failed to decode ClientHello");
285 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
286 TLS_ALERT_DECODE_ERROR);
287 return -1;
288 }
289
290
tls_process_certificate(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)291 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
292 const u8 *in_data, size_t *in_len)
293 {
294 const u8 *pos, *end;
295 size_t left, len, list_len, cert_len, idx;
296 u8 type;
297 struct x509_certificate *chain = NULL, *last = NULL, *cert;
298 int reason;
299
300 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
301 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
302 ct);
303 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
304 TLS_ALERT_UNEXPECTED_MESSAGE);
305 return -1;
306 }
307
308 pos = in_data;
309 left = *in_len;
310
311 if (left < 4) {
312 tlsv1_server_log(conn, "Too short Certificate message (len=%lu)",
313 (unsigned long) left);
314 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
315 TLS_ALERT_DECODE_ERROR);
316 return -1;
317 }
318
319 type = *pos++;
320 len = WPA_GET_BE24(pos);
321 pos += 3;
322 left -= 4;
323
324 if (len > left) {
325 tlsv1_server_log(conn, "Unexpected Certificate message length (len=%lu != left=%lu)",
326 (unsigned long) len, (unsigned long) left);
327 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
328 TLS_ALERT_DECODE_ERROR);
329 return -1;
330 }
331
332 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
333 if (conn->verify_peer) {
334 tlsv1_server_log(conn, "Client did not include Certificate");
335 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
336 TLS_ALERT_UNEXPECTED_MESSAGE);
337 return -1;
338 }
339
340 return tls_process_client_key_exchange(conn, ct, in_data,
341 in_len);
342 }
343 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
344 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected Certificate/ClientKeyExchange)",
345 type);
346 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
347 TLS_ALERT_UNEXPECTED_MESSAGE);
348 return -1;
349 }
350
351 tlsv1_server_log(conn, "Received Certificate (certificate_list len %lu)",
352 (unsigned long) len);
353
354 /*
355 * opaque ASN.1Cert<2^24-1>;
356 *
357 * struct {
358 * ASN.1Cert certificate_list<1..2^24-1>;
359 * } Certificate;
360 */
361
362 end = pos + len;
363
364 if (end - pos < 3) {
365 tlsv1_server_log(conn, "Too short Certificate (left=%lu)",
366 (unsigned long) left);
367 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
368 TLS_ALERT_DECODE_ERROR);
369 return -1;
370 }
371
372 list_len = WPA_GET_BE24(pos);
373 pos += 3;
374
375 if ((size_t) (end - pos) != list_len) {
376 tlsv1_server_log(conn, "Unexpected certificate_list length (len=%lu left=%lu)",
377 (unsigned long) list_len,
378 (unsigned long) (end - pos));
379 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
380 TLS_ALERT_DECODE_ERROR);
381 return -1;
382 }
383
384 idx = 0;
385 while (pos < end) {
386 if (end - pos < 3) {
387 tlsv1_server_log(conn, "Failed to parse certificate_list");
388 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
389 TLS_ALERT_DECODE_ERROR);
390 x509_certificate_chain_free(chain);
391 return -1;
392 }
393
394 cert_len = WPA_GET_BE24(pos);
395 pos += 3;
396
397 if ((size_t) (end - pos) < cert_len) {
398 tlsv1_server_log(conn, "Unexpected certificate length (len=%lu left=%lu)",
399 (unsigned long) cert_len,
400 (unsigned long) (end - pos));
401 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
402 TLS_ALERT_DECODE_ERROR);
403 x509_certificate_chain_free(chain);
404 return -1;
405 }
406
407 tlsv1_server_log(conn, "Certificate %lu (len %lu)",
408 (unsigned long) idx, (unsigned long) cert_len);
409
410 if (idx == 0) {
411 crypto_public_key_free(conn->client_rsa_key);
412 if (tls_parse_cert(pos, cert_len,
413 &conn->client_rsa_key)) {
414 tlsv1_server_log(conn, "Failed to parse the certificate");
415 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
416 TLS_ALERT_BAD_CERTIFICATE);
417 x509_certificate_chain_free(chain);
418 return -1;
419 }
420 }
421
422 cert = x509_certificate_parse(pos, cert_len);
423 if (cert == NULL) {
424 tlsv1_server_log(conn, "Failed to parse the certificate");
425 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
426 TLS_ALERT_BAD_CERTIFICATE);
427 x509_certificate_chain_free(chain);
428 return -1;
429 }
430
431 if (last == NULL)
432 chain = cert;
433 else
434 last->next = cert;
435 last = cert;
436
437 idx++;
438 pos += cert_len;
439 }
440
441 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
442 &reason, 0) < 0) {
443 int tls_reason;
444 tlsv1_server_log(conn, "Server certificate chain validation failed (reason=%d)",
445 reason);
446 switch (reason) {
447 case X509_VALIDATE_BAD_CERTIFICATE:
448 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
449 break;
450 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
451 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
452 break;
453 case X509_VALIDATE_CERTIFICATE_REVOKED:
454 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
455 break;
456 case X509_VALIDATE_CERTIFICATE_EXPIRED:
457 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
458 break;
459 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
460 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
461 break;
462 case X509_VALIDATE_UNKNOWN_CA:
463 tls_reason = TLS_ALERT_UNKNOWN_CA;
464 break;
465 default:
466 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
467 break;
468 }
469 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
470 x509_certificate_chain_free(chain);
471 return -1;
472 }
473
474 x509_certificate_chain_free(chain);
475
476 *in_len = end - in_data;
477
478 conn->state = CLIENT_KEY_EXCHANGE;
479
480 return 0;
481 }
482
483
tls_process_client_key_exchange_rsa(struct tlsv1_server * conn,const u8 * pos,const u8 * end)484 static int tls_process_client_key_exchange_rsa(
485 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
486 {
487 u8 *out;
488 size_t outlen, outbuflen;
489 u16 encr_len;
490 int res;
491 int use_random = 0;
492
493 if (end - pos < 2) {
494 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
495 TLS_ALERT_DECODE_ERROR);
496 return -1;
497 }
498
499 encr_len = WPA_GET_BE16(pos);
500 pos += 2;
501 if (pos + encr_len > end) {
502 tlsv1_server_log(conn, "Invalid ClientKeyExchange format: encr_len=%u left=%u",
503 encr_len, (unsigned int) (end - pos));
504 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
505 TLS_ALERT_DECODE_ERROR);
506 return -1;
507 }
508
509 outbuflen = outlen = end - pos;
510 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
511 outlen : TLS_PRE_MASTER_SECRET_LEN);
512 if (out == NULL) {
513 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
514 TLS_ALERT_INTERNAL_ERROR);
515 return -1;
516 }
517
518 /*
519 * struct {
520 * ProtocolVersion client_version;
521 * opaque random[46];
522 * } PreMasterSecret;
523 *
524 * struct {
525 * public-key-encrypted PreMasterSecret pre_master_secret;
526 * } EncryptedPreMasterSecret;
527 */
528
529 /*
530 * Note: To avoid Bleichenbacher attack, we do not report decryption or
531 * parsing errors from EncryptedPreMasterSecret processing to the
532 * client. Instead, a random pre-master secret is used to force the
533 * handshake to fail.
534 */
535
536 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
537 pos, encr_len,
538 out, &outlen) < 0) {
539 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
540 "PreMasterSecret (encr_len=%u outlen=%lu)",
541 encr_len, (unsigned long) outlen);
542 use_random = 1;
543 }
544
545 if (!use_random && outlen != TLS_PRE_MASTER_SECRET_LEN) {
546 tlsv1_server_log(conn, "Unexpected PreMasterSecret length %lu",
547 (unsigned long) outlen);
548 use_random = 1;
549 }
550
551 if (!use_random && WPA_GET_BE16(out) != conn->client_version) {
552 tlsv1_server_log(conn, "Client version in ClientKeyExchange does not match with version in ClientHello");
553 use_random = 1;
554 }
555
556 if (use_random) {
557 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
558 "to avoid revealing information about private key");
559 outlen = TLS_PRE_MASTER_SECRET_LEN;
560 if (os_get_random(out, outlen)) {
561 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
562 "data");
563 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
564 TLS_ALERT_INTERNAL_ERROR);
565 os_free(out);
566 return -1;
567 }
568 }
569
570 res = tlsv1_server_derive_keys(conn, out, outlen);
571
572 /* Clear the pre-master secret since it is not needed anymore */
573 os_memset(out, 0, outbuflen);
574 os_free(out);
575
576 if (res) {
577 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
578 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
579 TLS_ALERT_INTERNAL_ERROR);
580 return -1;
581 }
582
583 return 0;
584 }
585
586
tls_process_client_key_exchange_dh(struct tlsv1_server * conn,const u8 * pos,const u8 * end)587 static int tls_process_client_key_exchange_dh(
588 struct tlsv1_server *conn, const u8 *pos, const u8 *end)
589 {
590 const u8 *dh_yc;
591 u16 dh_yc_len;
592 u8 *shared;
593 size_t shared_len;
594 int res;
595 const u8 *dh_p;
596 size_t dh_p_len;
597
598 /*
599 * struct {
600 * select (PublicValueEncoding) {
601 * case implicit: struct { };
602 * case explicit: opaque dh_Yc<1..2^16-1>;
603 * } dh_public;
604 * } ClientDiffieHellmanPublic;
605 */
606
607 tlsv1_server_log(conn, "ClientDiffieHellmanPublic received");
608 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
609 pos, end - pos);
610
611 if (end == pos) {
612 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
613 "not supported");
614 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
615 TLS_ALERT_INTERNAL_ERROR);
616 return -1;
617 }
618
619 if (end - pos < 3) {
620 tlsv1_server_log(conn, "Invalid client public value length");
621 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 TLS_ALERT_DECODE_ERROR);
623 return -1;
624 }
625
626 dh_yc_len = WPA_GET_BE16(pos);
627 dh_yc = pos + 2;
628
629 if (dh_yc + dh_yc_len > end) {
630 tlsv1_server_log(conn, "Client public value overflow (length %d)",
631 dh_yc_len);
632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
633 TLS_ALERT_DECODE_ERROR);
634 return -1;
635 }
636
637 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
638 dh_yc, dh_yc_len);
639
640 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
641 conn->dh_secret == NULL) {
642 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
643 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
644 TLS_ALERT_INTERNAL_ERROR);
645 return -1;
646 }
647
648 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
649
650 shared_len = dh_p_len;
651 shared = os_malloc(shared_len);
652 if (shared == NULL) {
653 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
654 "DH");
655 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
656 TLS_ALERT_INTERNAL_ERROR);
657 return -1;
658 }
659
660 /* shared = Yc^secret mod p */
661 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
662 conn->dh_secret_len, dh_p, dh_p_len,
663 shared, &shared_len)) {
664 os_free(shared);
665 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
666 TLS_ALERT_INTERNAL_ERROR);
667 return -1;
668 }
669 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
670 shared, shared_len);
671
672 os_memset(conn->dh_secret, 0, conn->dh_secret_len);
673 os_free(conn->dh_secret);
674 conn->dh_secret = NULL;
675
676 res = tlsv1_server_derive_keys(conn, shared, shared_len);
677
678 /* Clear the pre-master secret since it is not needed anymore */
679 os_memset(shared, 0, shared_len);
680 os_free(shared);
681
682 if (res) {
683 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
684 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
685 TLS_ALERT_INTERNAL_ERROR);
686 return -1;
687 }
688
689 return 0;
690 }
691
692
tls_process_client_key_exchange(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)693 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
694 const u8 *in_data, size_t *in_len)
695 {
696 const u8 *pos, *end;
697 size_t left, len;
698 u8 type;
699 tls_key_exchange keyx;
700 const struct tls_cipher_suite *suite;
701
702 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
703 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
704 ct);
705 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
706 TLS_ALERT_UNEXPECTED_MESSAGE);
707 return -1;
708 }
709
710 pos = in_data;
711 left = *in_len;
712
713 if (left < 4) {
714 tlsv1_server_log(conn, "Too short ClientKeyExchange (Left=%lu)",
715 (unsigned long) left);
716 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
717 TLS_ALERT_DECODE_ERROR);
718 return -1;
719 }
720
721 type = *pos++;
722 len = WPA_GET_BE24(pos);
723 pos += 3;
724 left -= 4;
725
726 if (len > left) {
727 tlsv1_server_log(conn, "Mismatch in ClientKeyExchange length (len=%lu != left=%lu)",
728 (unsigned long) len, (unsigned long) left);
729 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
730 TLS_ALERT_DECODE_ERROR);
731 return -1;
732 }
733
734 end = pos + len;
735
736 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
737 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected ClientKeyExchange)",
738 type);
739 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
740 TLS_ALERT_UNEXPECTED_MESSAGE);
741 return -1;
742 }
743
744 tlsv1_server_log(conn, "Received ClientKeyExchange");
745
746 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);
747
748 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
749 if (suite == NULL)
750 keyx = TLS_KEY_X_NULL;
751 else
752 keyx = suite->key_exchange;
753
754 if ((keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) &&
755 tls_process_client_key_exchange_dh(conn, pos, end) < 0)
756 return -1;
757
758 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA &&
759 tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
760 return -1;
761
762 *in_len = end - in_data;
763
764 conn->state = CERTIFICATE_VERIFY;
765
766 return 0;
767 }
768
769
tls_process_certificate_verify(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)770 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
771 const u8 *in_data, size_t *in_len)
772 {
773 const u8 *pos, *end;
774 size_t left, len;
775 u8 type;
776 size_t hlen;
777 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
778 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
779 u8 alert;
780
781 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
782 if (conn->verify_peer) {
783 tlsv1_server_log(conn, "Client did not include CertificateVerify");
784 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
785 TLS_ALERT_UNEXPECTED_MESSAGE);
786 return -1;
787 }
788
789 return tls_process_change_cipher_spec(conn, ct, in_data,
790 in_len);
791 }
792
793 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
794 tlsv1_server_log(conn, "Expected Handshake; received content type 0x%x",
795 ct);
796 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
797 TLS_ALERT_UNEXPECTED_MESSAGE);
798 return -1;
799 }
800
801 pos = in_data;
802 left = *in_len;
803
804 if (left < 4) {
805 tlsv1_server_log(conn, "Too short CertificateVerify message (len=%lu)",
806 (unsigned long) left);
807 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
808 TLS_ALERT_DECODE_ERROR);
809 return -1;
810 }
811
812 type = *pos++;
813 len = WPA_GET_BE24(pos);
814 pos += 3;
815 left -= 4;
816
817 if (len > left) {
818 tlsv1_server_log(conn, "Unexpected CertificateVerify message length (len=%lu != left=%lu)",
819 (unsigned long) len, (unsigned long) left);
820 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
821 TLS_ALERT_DECODE_ERROR);
822 return -1;
823 }
824
825 end = pos + len;
826
827 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
828 tlsv1_server_log(conn, "Received unexpected handshake message %d (expected CertificateVerify)",
829 type);
830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
831 TLS_ALERT_UNEXPECTED_MESSAGE);
832 return -1;
833 }
834
835 tlsv1_server_log(conn, "Received CertificateVerify");
836
837 /*
838 * struct {
839 * Signature signature;
840 * } CertificateVerify;
841 */
842
843 hpos = hash;
844
845 #ifdef CONFIG_TLSV12
846 if (conn->rl.tls_version == TLS_VERSION_1_2) {
847 /*
848 * RFC 5246, 4.7:
849 * TLS v1.2 adds explicit indication of the used signature and
850 * hash algorithms.
851 *
852 * struct {
853 * HashAlgorithm hash;
854 * SignatureAlgorithm signature;
855 * } SignatureAndHashAlgorithm;
856 */
857 if (end - pos < 2) {
858 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
859 TLS_ALERT_DECODE_ERROR);
860 return -1;
861 }
862 if (pos[0] != TLS_HASH_ALG_SHA256 ||
863 pos[1] != TLS_SIGN_ALG_RSA) {
864 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/"
865 "signature(%u) algorithm",
866 pos[0], pos[1]);
867 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
868 TLS_ALERT_INTERNAL_ERROR);
869 return -1;
870 }
871 pos += 2;
872
873 hlen = SHA256_MAC_LEN;
874 if (conn->verify.sha256_cert == NULL ||
875 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
876 0) {
877 conn->verify.sha256_cert = NULL;
878 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
879 TLS_ALERT_INTERNAL_ERROR);
880 return -1;
881 }
882 conn->verify.sha256_cert = NULL;
883 } else {
884 #endif /* CONFIG_TLSV12 */
885
886 if (alg == SIGN_ALG_RSA) {
887 hlen = MD5_MAC_LEN;
888 if (conn->verify.md5_cert == NULL ||
889 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
890 {
891 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
892 TLS_ALERT_INTERNAL_ERROR);
893 conn->verify.md5_cert = NULL;
894 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
895 conn->verify.sha1_cert = NULL;
896 return -1;
897 }
898 hpos += MD5_MAC_LEN;
899 } else
900 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
901
902 conn->verify.md5_cert = NULL;
903 hlen = SHA1_MAC_LEN;
904 if (conn->verify.sha1_cert == NULL ||
905 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
906 conn->verify.sha1_cert = NULL;
907 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
908 TLS_ALERT_INTERNAL_ERROR);
909 return -1;
910 }
911 conn->verify.sha1_cert = NULL;
912
913 if (alg == SIGN_ALG_RSA)
914 hlen += MD5_MAC_LEN;
915
916 #ifdef CONFIG_TLSV12
917 }
918 #endif /* CONFIG_TLSV12 */
919
920 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
921
922 if (tls_verify_signature(conn->rl.tls_version, conn->client_rsa_key,
923 hash, hlen, pos, end - pos, &alert) < 0) {
924 tlsv1_server_log(conn, "Invalid Signature in CertificateVerify");
925 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, alert);
926 return -1;
927 }
928
929 *in_len = end - in_data;
930
931 conn->state = CHANGE_CIPHER_SPEC;
932
933 return 0;
934 }
935
936
tls_process_change_cipher_spec(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)937 static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
938 u8 ct, const u8 *in_data,
939 size_t *in_len)
940 {
941 const u8 *pos;
942 size_t left;
943
944 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
945 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received content type 0x%x",
946 ct);
947 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
948 TLS_ALERT_UNEXPECTED_MESSAGE);
949 return -1;
950 }
951
952 pos = in_data;
953 left = *in_len;
954
955 if (left < 1) {
956 tlsv1_server_log(conn, "Too short ChangeCipherSpec");
957 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
958 TLS_ALERT_DECODE_ERROR);
959 return -1;
960 }
961
962 if (*pos != TLS_CHANGE_CIPHER_SPEC) {
963 tlsv1_server_log(conn, "Expected ChangeCipherSpec; received data 0x%x",
964 *pos);
965 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
966 TLS_ALERT_UNEXPECTED_MESSAGE);
967 return -1;
968 }
969
970 tlsv1_server_log(conn, "Received ChangeCipherSpec");
971 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
972 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
973 "for record layer");
974 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
975 TLS_ALERT_INTERNAL_ERROR);
976 return -1;
977 }
978
979 *in_len = pos + 1 - in_data;
980
981 conn->state = CLIENT_FINISHED;
982
983 return 0;
984 }
985
986
tls_process_client_finished(struct tlsv1_server * conn,u8 ct,const u8 * in_data,size_t * in_len)987 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
988 const u8 *in_data, size_t *in_len)
989 {
990 const u8 *pos, *end;
991 size_t left, len, hlen;
992 u8 verify_data[TLS_VERIFY_DATA_LEN];
993 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
994
995 #ifdef CONFIG_TESTING_OPTIONS
996 if ((conn->test_flags &
997 (TLS_BREAK_SRV_KEY_X_HASH | TLS_BREAK_SRV_KEY_X_SIGNATURE)) &&
998 !conn->test_failure_reported) {
999 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after invalid ServerKeyExchange");
1000 conn->test_failure_reported = 1;
1001 }
1002
1003 if ((conn->test_flags & TLS_DHE_PRIME_15) &&
1004 !conn->test_failure_reported) {
1005 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after bogus DHE \"prime\" 15");
1006 conn->test_failure_reported = 1;
1007 }
1008
1009 if ((conn->test_flags & TLS_DHE_PRIME_58B) &&
1010 !conn->test_failure_reported) {
1011 tlsv1_server_log(conn, "TEST-FAILURE: Client Finished received after short 58-bit DHE prime in long container");
1012 conn->test_failure_reported = 1;
1013 }
1014
1015 if ((conn->test_flags & TLS_DHE_PRIME_511B) &&
1016 !conn->test_failure_reported) {
1017 tlsv1_server_log(conn, "TEST-WARNING: Client Finished received after short 511-bit DHE prime (insecure)");
1018 conn->test_failure_reported = 1;
1019 }
1020
1021 if ((conn->test_flags & TLS_DHE_PRIME_767B) &&
1022 !conn->test_failure_reported) {
1023 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after 767-bit DHE prime (relatively insecure)");
1024 conn->test_failure_reported = 1;
1025 }
1026
1027 if ((conn->test_flags & TLS_DHE_NON_PRIME) &&
1028 !conn->test_failure_reported) {
1029 tlsv1_server_log(conn, "TEST-NOTE: Client Finished received after non-prime claimed as DHE prime");
1030 conn->test_failure_reported = 1;
1031 }
1032 #endif /* CONFIG_TESTING_OPTIONS */
1033
1034 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
1035 tlsv1_server_log(conn, "Expected Finished; received content type 0x%x",
1036 ct);
1037 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1038 TLS_ALERT_UNEXPECTED_MESSAGE);
1039 return -1;
1040 }
1041
1042 pos = in_data;
1043 left = *in_len;
1044
1045 if (left < 4) {
1046 tlsv1_server_log(conn, "Too short record (left=%lu) forFinished",
1047 (unsigned long) left);
1048 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1049 TLS_ALERT_DECODE_ERROR);
1050 return -1;
1051 }
1052
1053 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
1054 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
1055 "type 0x%x", pos[0]);
1056 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1057 TLS_ALERT_UNEXPECTED_MESSAGE);
1058 return -1;
1059 }
1060
1061 len = WPA_GET_BE24(pos + 1);
1062
1063 pos += 4;
1064 left -= 4;
1065
1066 if (len > left) {
1067 tlsv1_server_log(conn, "Too short buffer for Finished (len=%lu > left=%lu)",
1068 (unsigned long) len, (unsigned long) left);
1069 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1070 TLS_ALERT_DECODE_ERROR);
1071 return -1;
1072 }
1073 end = pos + len;
1074 if (len != TLS_VERIFY_DATA_LEN) {
1075 tlsv1_server_log(conn, "Unexpected verify_data length in Finished: %lu (expected %d)",
1076 (unsigned long) len, TLS_VERIFY_DATA_LEN);
1077 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1078 TLS_ALERT_DECODE_ERROR);
1079 return -1;
1080 }
1081 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
1082 pos, TLS_VERIFY_DATA_LEN);
1083
1084 #ifdef CONFIG_TLSV12
1085 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
1086 hlen = SHA256_MAC_LEN;
1087 if (conn->verify.sha256_client == NULL ||
1088 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
1089 < 0) {
1090 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1091 TLS_ALERT_INTERNAL_ERROR);
1092 conn->verify.sha256_client = NULL;
1093 return -1;
1094 }
1095 conn->verify.sha256_client = NULL;
1096 } else {
1097 #endif /* CONFIG_TLSV12 */
1098
1099 hlen = MD5_MAC_LEN;
1100 if (conn->verify.md5_client == NULL ||
1101 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
1102 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1103 TLS_ALERT_INTERNAL_ERROR);
1104 conn->verify.md5_client = NULL;
1105 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
1106 conn->verify.sha1_client = NULL;
1107 return -1;
1108 }
1109 conn->verify.md5_client = NULL;
1110 hlen = SHA1_MAC_LEN;
1111 if (conn->verify.sha1_client == NULL ||
1112 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
1113 &hlen) < 0) {
1114 conn->verify.sha1_client = NULL;
1115 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1116 TLS_ALERT_INTERNAL_ERROR);
1117 return -1;
1118 }
1119 conn->verify.sha1_client = NULL;
1120 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
1121
1122 #ifdef CONFIG_TLSV12
1123 }
1124 #endif /* CONFIG_TLSV12 */
1125
1126 if (tls_prf(conn->rl.tls_version,
1127 conn->master_secret, TLS_MASTER_SECRET_LEN,
1128 "client finished", hash, hlen,
1129 verify_data, TLS_VERIFY_DATA_LEN)) {
1130 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
1131 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1132 TLS_ALERT_DECRYPT_ERROR);
1133 return -1;
1134 }
1135 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
1136 verify_data, TLS_VERIFY_DATA_LEN);
1137
1138 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
1139 tlsv1_server_log(conn, "Mismatch in verify_data");
1140 return -1;
1141 }
1142
1143 tlsv1_server_log(conn, "Received Finished");
1144
1145 *in_len = end - in_data;
1146
1147 if (conn->use_session_ticket) {
1148 /* Abbreviated handshake using session ticket; RFC 4507 */
1149 tlsv1_server_log(conn, "Abbreviated handshake completed successfully");
1150 conn->state = ESTABLISHED;
1151 } else {
1152 /* Full handshake */
1153 conn->state = SERVER_CHANGE_CIPHER_SPEC;
1154 }
1155
1156 return 0;
1157 }
1158
1159
tlsv1_server_process_handshake(struct tlsv1_server * conn,u8 ct,const u8 * buf,size_t * len)1160 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
1161 const u8 *buf, size_t *len)
1162 {
1163 if (ct == TLS_CONTENT_TYPE_ALERT) {
1164 if (*len < 2) {
1165 tlsv1_server_log(conn, "Alert underflow");
1166 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
1167 TLS_ALERT_DECODE_ERROR);
1168 return -1;
1169 }
1170 tlsv1_server_log(conn, "Received alert %d:%d", buf[0], buf[1]);
1171 *len = 2;
1172 conn->state = FAILED;
1173 return -1;
1174 }
1175
1176 switch (conn->state) {
1177 case CLIENT_HELLO:
1178 if (tls_process_client_hello(conn, ct, buf, len))
1179 return -1;
1180 break;
1181 case CLIENT_CERTIFICATE:
1182 if (tls_process_certificate(conn, ct, buf, len))
1183 return -1;
1184 break;
1185 case CLIENT_KEY_EXCHANGE:
1186 if (tls_process_client_key_exchange(conn, ct, buf, len))
1187 return -1;
1188 break;
1189 case CERTIFICATE_VERIFY:
1190 if (tls_process_certificate_verify(conn, ct, buf, len))
1191 return -1;
1192 break;
1193 case CHANGE_CIPHER_SPEC:
1194 if (tls_process_change_cipher_spec(conn, ct, buf, len))
1195 return -1;
1196 break;
1197 case CLIENT_FINISHED:
1198 if (tls_process_client_finished(conn, ct, buf, len))
1199 return -1;
1200 break;
1201 default:
1202 tlsv1_server_log(conn, "Unexpected state %d while processing received message",
1203 conn->state);
1204 return -1;
1205 }
1206
1207 if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1208 tls_verify_hash_add(&conn->verify, buf, *len);
1209
1210 return 0;
1211 }
1212