134192Sjdp/* 255687Sjdp * TLSv1 server - read handshake message 334192Sjdp * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 434192Sjdp * 534192Sjdp * This program is free software; you can redistribute it and/or modify 634192Sjdp * it under the terms of the GNU General Public License version 2 as 734192Sjdp * published by the Free Software Foundation. 834192Sjdp * 934192Sjdp * Alternatively, this software may be distributed under the terms of BSD 1034192Sjdp * license. 1134192Sjdp * 1234192Sjdp * See README and COPYING for more details. 1334192Sjdp */ 1434192Sjdp 1534192Sjdp#include "includes.h" 1634192Sjdp 1734192Sjdp#include "common.h" 1834192Sjdp#include "crypto/md5.h" 1934192Sjdp#include "crypto/sha1.h" 2034192Sjdp#include "crypto/tls.h" 2134192Sjdp#include "x509v3.h" 2234192Sjdp#include "tlsv1_common.h" 2334192Sjdp#include "tlsv1_record.h" 2434192Sjdp#include "tlsv1_server.h" 2550476Speter#include "tlsv1_server_i.h" 2634192Sjdp 2734192Sjdp 2834192Sjdpstatic int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 2934192Sjdp const u8 *in_data, size_t *in_len); 3034192Sjdpstatic int tls_process_change_cipher_spec(struct tlsv1_server *conn, 3176224Sobrien u8 ct, const u8 *in_data, 3234192Sjdp size_t *in_len); 3350608Sjdp 3434192Sjdp 3576224Sobrienstatic int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 3635529Sdfr const u8 *in_data, size_t *in_len) 37225152Skib{ 38216695Skib const u8 *pos, *end, *c; 3934192Sjdp size_t left, len, i, j; 4034192Sjdp u16 cipher_suite; 41115396Skan u16 num_suites; 4245501Sjdp int compr_null_found; 4345501Sjdp u16 ext_type, ext_len; 44127250Speter 45127250Speter if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 46127250Speter wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 47127250Speter "received content type 0x%x", ct); 48127250Speter tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49127250Speter TLS_ALERT_UNEXPECTED_MESSAGE); 50127250Speter return -1; 51127250Speter } 52127250Speter 5334192Sjdp pos = in_data; 54119013Sgordon left = *in_len; 5534192Sjdp 56127250Speter if (left < 4) 57127250Speter goto decode_error; 58127250Speter 5934192Sjdp /* HandshakeType msg_type */ 6034192Sjdp if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 61233307Skib wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 6234192Sjdp "message %d (expected ClientHello)", *pos); 6334192Sjdp tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 6434192Sjdp TLS_ALERT_UNEXPECTED_MESSAGE); 6534192Sjdp return -1; 6634192Sjdp } 6734192Sjdp wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 68133063Sdfr pos++; 69133063Sdfr /* uint24 length */ 70133063Sdfr len = WPA_GET_BE24(pos); 71133063Sdfr pos += 3; 72133063Sdfr left -= 4; 73133063Sdfr 74232831Skib if (len > left) 75232831Skib goto decode_error; 76232831Skib 77232831Skib /* body - ClientHello */ 7850609Sjdp 7934192Sjdp wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 8034192Sjdp end = pos + len; 8155687Sjdp 8250608Sjdp /* ProtocolVersion client_version */ 8360938Sjake if (end - pos < 2) 8450608Sjdp goto decode_error; 8550608Sjdp conn->client_version = WPA_GET_BE16(pos); 8650608Sjdp wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 8760938Sjake conn->client_version >> 8, conn->client_version & 0xff); 8850608Sjdp if (conn->client_version < TLS_VERSION) { 8963870Sjdp wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 9055687Sjdp "ClientHello"); 91232831Skib tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 9255687Sjdp TLS_ALERT_PROTOCOL_VERSION); 9355687Sjdp return -1; 9434192Sjdp } 9534192Sjdp pos += 2; 9634192Sjdp 9734192Sjdp /* Random random */ 9834192Sjdp if (end - pos < TLS_RANDOM_LEN) 9934192Sjdp goto decode_error; 100153515Skan 101153515Skan os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 102153515Skan pos += TLS_RANDOM_LEN; 103153515Skan wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 104153515Skan conn->client_random, TLS_RANDOM_LEN); 10562801Sjdp 10662801Sjdp /* SessionID session_id */ 10762801Sjdp if (end - pos < 1) 10862801Sjdp goto decode_error; 10962801Sjdp if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 11062801Sjdp goto decode_error; 11162801Sjdp wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 11262801Sjdp pos += 1 + *pos; 11362801Sjdp /* TODO: add support for session resumption */ 11462801Sjdp 11562801Sjdp /* CipherSuite cipher_suites<2..2^16-1> */ 11662801Sjdp if (end - pos < 2) 11762801Sjdp goto decode_error; 11862801Sjdp num_suites = WPA_GET_BE16(pos); 11962801Sjdp pos += 2; 12062801Sjdp if (end - pos < num_suites) 12162801Sjdp goto decode_error; 122153515Skan wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 123153515Skan pos, num_suites); 124153515Skan if (num_suites & 1) 125153515Skan goto decode_error; 126153515Skan num_suites /= 2; 127153515Skan 128153515Skan cipher_suite = 0; 129234840Skib for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 130234840Skib c = pos; 131234840Skib for (j = 0; j < num_suites; j++) { 132234840Skib u16 tmp = WPA_GET_BE16(c); 133234840Skib c += 2; 134234840Skib if (!cipher_suite && tmp == conn->cipher_suites[i]) { 135153515Skan cipher_suite = tmp; 136153515Skan break; 13734192Sjdp } 13834192Sjdp } 13934192Sjdp } 14034192Sjdp pos += num_suites * 2; 14134192Sjdp if (!cipher_suite) { 14250977Sjdp wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 14350977Sjdp "available"); 14450977Sjdp tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 14550977Sjdp TLS_ALERT_ILLEGAL_PARAMETER); 14634192Sjdp return -1; 14734192Sjdp } 14834192Sjdp 14934192Sjdp if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 15034192Sjdp wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 15134192Sjdp "record layer"); 152153504Smarcel tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 153153504Smarcel TLS_ALERT_INTERNAL_ERROR); 15434192Sjdp return -1; 15534192Sjdp } 15634192Sjdp 157116511Smdodd conn->cipher_suite = cipher_suite; 15834192Sjdp 15934192Sjdp /* CompressionMethod compression_methods<1..2^8-1> */ 16034192Sjdp if (end - pos < 1) 16134192Sjdp goto decode_error; 16234192Sjdp num_suites = *pos++; 16334192Sjdp if (end - pos < num_suites) 16434192Sjdp goto decode_error; 16538467Sjb wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 16634192Sjdp pos, num_suites); 16738467Sjb compr_null_found = 0; 16834192Sjdp for (i = 0; i < num_suites; i++) { 16938467Sjb if (*pos++ == TLS_COMPRESSION_NULL) 17034192Sjdp compr_null_found = 1; 17150610Sjdp } 172217153Skib if (!compr_null_found) { 17334192Sjdp wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 174133063Sdfr "compression"); 175133063Sdfr tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 176133063Sdfr TLS_ALERT_ILLEGAL_PARAMETER); 177133063Sdfr return -1; 178133063Sdfr } 179133063Sdfr 180133063Sdfr if (end - pos == 1) { 181133063Sdfr wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 182230784Skib "end of ClientHello: 0x%02x", *pos); 183230784Skib goto decode_error; 184230784Skib } 18534192Sjdp 18645501Sjdp if (end - pos >= 2) { 18738467Sjb /* Extension client_hello_extension_list<0..2^16-1> */ 18834192Sjdp ext_len = WPA_GET_BE16(pos); 18938816Sdfr pos += 2; 19038816Sdfr 19138467Sjb wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 19234192Sjdp "extensions", ext_len); 19338816Sdfr if (end - pos != ext_len) { 19438816Sdfr wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 19538467Sjb "extension list length %u (expected %u)", 19634192Sjdp ext_len, (unsigned int) (end - pos)); 19734192Sjdp goto decode_error; 198177924Simp } 199177924Simp 200177924Simp /* 201177924Simp * struct { 202177924Simp * ExtensionType extension_type (0..65535) 20334192Sjdp * opaque extension_data<0..2^16-1> 204153515Skan * } Extension; 205153515Skan */ 206153515Skan 207153515Skan while (pos < end) { 208153515Skan if (end - pos < 2) { 209153515Skan wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 21085004Sdfr "extension_type field"); 21134192Sjdp goto decode_error; 21285004Sdfr } 213234841Skib 21434192Sjdp ext_type = WPA_GET_BE16(pos); 215234841Skib pos += 2; 216234841Skib 217234841Skib if (end - pos < 2) { 218234841Skib wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 219234841Skib "extension_data length field"); 220234841Skib goto decode_error; 221234841Skib } 222234841Skib 223234841Skib ext_len = WPA_GET_BE16(pos); 224189959Skib pos += 2; 225238471Skib 22634192Sjdp if (end - pos < ext_len) { 227216695Skib wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 228216695Skib "extension_data field"); 22934192Sjdp goto decode_error; 230153515Skan } 231153515Skan 232153515Skan wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 233153515Skan "type %u", ext_type); 234153515Skan wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 23585677Speter "Extension data", pos, ext_len); 23685677Speter 237232831Skib if (ext_type == TLS_EXT_SESSION_TICKET) { 238232831Skib os_free(conn->session_ticket); 239232831Skib conn->session_ticket = os_malloc(ext_len); 240232831Skib if (conn->session_ticket) { 241232831Skib os_memcpy(conn->session_ticket, pos, 242232831Skib ext_len); 24334192Sjdp conn->session_ticket_len = ext_len; 244232831Skib } 245232831Skib } 246168312Skan 247168312Skan pos += ext_len; 248233231Skib } 249233546Skib } 250168312Skan 251168312Skan *in_len = end - in_data; 252168312Skan 253168312Skan wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 254168312Skan "ServerHello"); 255168312Skan conn->state = SERVER_HELLO; 256168312Skan 257168312Skan return 0; 258189959Skib 259190543Skibdecode_error: 260199829Skib wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 261216695Skib tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 262256101Skib TLS_ALERT_DECODE_ERROR); 263238471Skib return -1; 264194531Skan} 265194531Skan 266194531Skan 267214728Skibstatic int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 268216695Skib const u8 *in_data, size_t *in_len) 269228435Skib{ 270228435Skib const u8 *pos, *end; 271271469Skib size_t left, len, list_len, cert_len, idx; 272232831Skib u8 type; 273234841Skib struct x509_certificate *chain = NULL, *last = NULL, *cert; 274234841Skib int reason; 27535529Sdfr 276194531Skan if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 27750977Sjdp wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 27850977Sjdp "received content type 0x%x", ct); 27950977Sjdp tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 28050977Sjdp TLS_ALERT_UNEXPECTED_MESSAGE); 281229780Suqs return -1; 28234192Sjdp } 28334192Sjdp 28434192Sjdp pos = in_data; 28534192Sjdp left = *in_len; 28634192Sjdp 287192922Sdfr if (left < 4) { 288133063Sdfr wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 289153515Skan "(len=%lu)", (unsigned long) left); 290153515Skan tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 291228375Skib TLS_ALERT_DECODE_ERROR); 292153515Skan return -1; 293233231Skib } 294271469Skib 295271469Skib type = *pos++; 296153515Skan len = WPA_GET_BE24(pos); 297199829Skib pos += 3; 298199877Skib left -= 4; 299199877Skib 300199877Skib if (len > left) { 301216695Skib wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 302216695Skib "length (len=%lu != left=%lu)", 303233231Skib (unsigned long) len, (unsigned long) left); 304233231Skib tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 305199829Skib TLS_ALERT_DECODE_ERROR); 30676296Sjdp return -1; 30776296Sjdp } 30876296Sjdp 30976296Sjdp if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 31076296Sjdp if (conn->verify_peer) { 31176296Sjdp wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 31276296Sjdp "Certificate"); 31376296Sjdp tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 31476296Sjdp TLS_ALERT_UNEXPECTED_MESSAGE); 315216695Skib return -1; 316216695Skib } 317216695Skib 318216695Skib return tls_process_client_key_exchange(conn, ct, in_data, 319216695Skib in_len); 320216695Skib } 321216695Skib if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 322216695Skib wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 323216695Skib "message %d (expected Certificate/" 324216695Skib "ClientKeyExchange)", type); 325216695Skib tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 326216695Skib TLS_ALERT_UNEXPECTED_MESSAGE); 327218476Skib return -1; 328216695Skib } 329216695Skib 330238471Skib wpa_printf(MSG_DEBUG, 331238471Skib "TLSv1: Received Certificate (certificate_list len %lu)", 332238471Skib (unsigned long) len); 333238471Skib 334238471Skib /* 335238471Skib * opaque ASN.1Cert<2^24-1>; 336238471Skib * 337238471Skib * struct { 338216695Skib * ASN.1Cert certificate_list<1..2^24-1>; 339216695Skib * } Certificate; 340216695Skib */ 341216695Skib 342216695Skib end = pos + len; 343216695Skib 344234841Skib if (end - pos < 3) { 345216695Skib wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 346216695Skib "(left=%lu)", (unsigned long) left); 347216695Skib tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 348216695Skib TLS_ALERT_DECODE_ERROR); 349216695Skib return -1; 350216695Skib } 351216695Skib 352233361Skib list_len = WPA_GET_BE24(pos); 353233361Skib pos += 3; 354233361Skib 355233361Skib if ((size_t) (end - pos) != list_len) { 356233361Skib wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 357233361Skib "length (len=%lu left=%lu)", 358259290Skib (unsigned long) list_len, 359259290Skib (unsigned long) (end - pos)); 36038816Sdfr tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 361212497Snwhitehorn TLS_ALERT_DECODE_ERROR); 36234192Sjdp return -1; 363233361Skib } 364233361Skib 365233361Skib idx = 0; 366233361Skib while (pos < end) { 367116563Smdodd if (end - pos < 3) { 36838816Sdfr wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 36938816Sdfr "certificate_list"); 37038816Sdfr tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 37138816Sdfr TLS_ALERT_DECODE_ERROR); 37266056Sjdp x509_certificate_chain_free(chain); 373216695Skib return -1; 37445501Sjdp } 375116557Smdodd 376232831Skib cert_len = WPA_GET_BE24(pos); 37750608Sjdp pos += 3; 37850608Sjdp 37945501Sjdp if ((size_t) (end - pos) < cert_len) { 380228435Skib wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 381216695Skib "length (len=%lu left=%lu)", 382216695Skib (unsigned long) cert_len, 383133063Sdfr (unsigned long) (end - pos)); 384133063Sdfr tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 385133063Sdfr TLS_ALERT_DECODE_ERROR); 386133063Sdfr x509_certificate_chain_free(chain); 387133063Sdfr return -1; 388142645Sdfr } 389153515Skan 39038816Sdfr wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 391116558Smdodd (unsigned long) idx, (unsigned long) cert_len); 392116558Smdodd 393116558Smdodd if (idx == 0) { 394116558Smdodd crypto_public_key_free(conn->client_rsa_key); 395233231Skib if (tls_parse_cert(pos, cert_len, 396233231Skib &conn->client_rsa_key)) { 397116558Smdodd wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 398233231Skib "the certificate"); 399228435Skib tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 400233231Skib TLS_ALERT_BAD_CERTIFICATE); 401133063Sdfr x509_certificate_chain_free(chain); 402116558Smdodd return -1; 40334192Sjdp } 404 } 405 406 cert = x509_certificate_parse(pos, cert_len); 407 if (cert == NULL) { 408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 409 "the certificate"); 410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 411 TLS_ALERT_BAD_CERTIFICATE); 412 x509_certificate_chain_free(chain); 413 return -1; 414 } 415 416 if (last == NULL) 417 chain = cert; 418 else 419 last->next = cert; 420 last = cert; 421 422 idx++; 423 pos += cert_len; 424 } 425 426 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 427 &reason) < 0) { 428 int tls_reason; 429 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 430 "validation failed (reason=%d)", reason); 431 switch (reason) { 432 case X509_VALIDATE_BAD_CERTIFICATE: 433 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 434 break; 435 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 436 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 437 break; 438 case X509_VALIDATE_CERTIFICATE_REVOKED: 439 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 440 break; 441 case X509_VALIDATE_CERTIFICATE_EXPIRED: 442 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 443 break; 444 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 445 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 446 break; 447 case X509_VALIDATE_UNKNOWN_CA: 448 tls_reason = TLS_ALERT_UNKNOWN_CA; 449 break; 450 default: 451 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 452 break; 453 } 454 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 455 x509_certificate_chain_free(chain); 456 return -1; 457 } 458 459 x509_certificate_chain_free(chain); 460 461 *in_len = end - in_data; 462 463 conn->state = CLIENT_KEY_EXCHANGE; 464 465 return 0; 466} 467 468 469static int tls_process_client_key_exchange_rsa( 470 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 471{ 472 u8 *out; 473 size_t outlen, outbuflen; 474 u16 encr_len; 475 int res; 476 int use_random = 0; 477 478 if (end - pos < 2) { 479 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 480 TLS_ALERT_DECODE_ERROR); 481 return -1; 482 } 483 484 encr_len = WPA_GET_BE16(pos); 485 pos += 2; 486 487 outbuflen = outlen = end - pos; 488 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 489 outlen : TLS_PRE_MASTER_SECRET_LEN); 490 if (out == NULL) { 491 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 492 TLS_ALERT_INTERNAL_ERROR); 493 return -1; 494 } 495 496 /* 497 * struct { 498 * ProtocolVersion client_version; 499 * opaque random[46]; 500 * } PreMasterSecret; 501 * 502 * struct { 503 * public-key-encrypted PreMasterSecret pre_master_secret; 504 * } EncryptedPreMasterSecret; 505 */ 506 507 /* 508 * Note: To avoid Bleichenbacher attack, we do not report decryption or 509 * parsing errors from EncryptedPreMasterSecret processing to the 510 * client. Instead, a random pre-master secret is used to force the 511 * handshake to fail. 512 */ 513 514 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 515 pos, end - pos, 516 out, &outlen) < 0) { 517 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 518 "PreMasterSecret (encr_len=%d outlen=%lu)", 519 (int) (end - pos), (unsigned long) outlen); 520 use_random = 1; 521 } 522 523 if (outlen != TLS_PRE_MASTER_SECRET_LEN) { 524 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 525 "length %lu", (unsigned long) outlen); 526 use_random = 1; 527 } 528 529 if (WPA_GET_BE16(out) != conn->client_version) { 530 wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 531 "ClientKeyExchange does not match with version in " 532 "ClientHello"); 533 use_random = 1; 534 } 535 536 if (use_random) { 537 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 538 "to avoid revealing information about private key"); 539 outlen = TLS_PRE_MASTER_SECRET_LEN; 540 if (os_get_random(out, outlen)) { 541 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 542 "data"); 543 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 544 TLS_ALERT_INTERNAL_ERROR); 545 os_free(out); 546 return -1; 547 } 548 } 549 550 res = tlsv1_server_derive_keys(conn, out, outlen); 551 552 /* Clear the pre-master secret since it is not needed anymore */ 553 os_memset(out, 0, outbuflen); 554 os_free(out); 555 556 if (res) { 557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 559 TLS_ALERT_INTERNAL_ERROR); 560 return -1; 561 } 562 563 return 0; 564} 565 566 567static int tls_process_client_key_exchange_dh_anon( 568 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 569{ 570 const u8 *dh_yc; 571 u16 dh_yc_len; 572 u8 *shared; 573 size_t shared_len; 574 int res; 575 576 /* 577 * struct { 578 * select (PublicValueEncoding) { 579 * case implicit: struct { }; 580 * case explicit: opaque dh_Yc<1..2^16-1>; 581 * } dh_public; 582 * } ClientDiffieHellmanPublic; 583 */ 584 585 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 586 pos, end - pos); 587 588 if (end == pos) { 589 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 590 "not supported"); 591 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 592 TLS_ALERT_INTERNAL_ERROR); 593 return -1; 594 } 595 596 if (end - pos < 3) { 597 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 598 "length"); 599 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 600 TLS_ALERT_DECODE_ERROR); 601 return -1; 602 } 603 604 dh_yc_len = WPA_GET_BE16(pos); 605 dh_yc = pos + 2; 606 607 if (dh_yc + dh_yc_len > end) { 608 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 609 "(length %d)", dh_yc_len); 610 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 611 TLS_ALERT_DECODE_ERROR); 612 return -1; 613 } 614 615 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 616 dh_yc, dh_yc_len); 617 618 if (conn->cred == NULL || conn->cred->dh_p == NULL || 619 conn->dh_secret == NULL) { 620 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 621 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 622 TLS_ALERT_INTERNAL_ERROR); 623 return -1; 624 } 625 626 shared_len = conn->cred->dh_p_len; 627 shared = os_malloc(shared_len); 628 if (shared == NULL) { 629 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 630 "DH"); 631 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 632 TLS_ALERT_INTERNAL_ERROR); 633 return -1; 634 } 635 636 /* shared = Yc^secret mod p */ 637 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 638 conn->dh_secret_len, 639 conn->cred->dh_p, conn->cred->dh_p_len, 640 shared, &shared_len)) { 641 os_free(shared); 642 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 643 TLS_ALERT_INTERNAL_ERROR); 644 return -1; 645 } 646 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 647 shared, shared_len); 648 649 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 650 os_free(conn->dh_secret); 651 conn->dh_secret = NULL; 652 653 res = tlsv1_server_derive_keys(conn, shared, shared_len); 654 655 /* Clear the pre-master secret since it is not needed anymore */ 656 os_memset(shared, 0, shared_len); 657 os_free(shared); 658 659 if (res) { 660 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 661 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 662 TLS_ALERT_INTERNAL_ERROR); 663 return -1; 664 } 665 666 return 0; 667} 668 669 670static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 671 const u8 *in_data, size_t *in_len) 672{ 673 const u8 *pos, *end; 674 size_t left, len; 675 u8 type; 676 tls_key_exchange keyx; 677 const struct tls_cipher_suite *suite; 678 679 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 680 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 681 "received content type 0x%x", ct); 682 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 683 TLS_ALERT_UNEXPECTED_MESSAGE); 684 return -1; 685 } 686 687 pos = in_data; 688 left = *in_len; 689 690 if (left < 4) { 691 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 692 "(Left=%lu)", (unsigned long) left); 693 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 694 TLS_ALERT_DECODE_ERROR); 695 return -1; 696 } 697 698 type = *pos++; 699 len = WPA_GET_BE24(pos); 700 pos += 3; 701 left -= 4; 702 703 if (len > left) { 704 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 705 "length (len=%lu != left=%lu)", 706 (unsigned long) len, (unsigned long) left); 707 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 708 TLS_ALERT_DECODE_ERROR); 709 return -1; 710 } 711 712 end = pos + len; 713 714 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 715 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 716 "message %d (expected ClientKeyExchange)", type); 717 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 718 TLS_ALERT_UNEXPECTED_MESSAGE); 719 return -1; 720 } 721 722 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 723 724 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 725 726 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 727 if (suite == NULL) 728 keyx = TLS_KEY_X_NULL; 729 else 730 keyx = suite->key_exchange; 731 732 if (keyx == TLS_KEY_X_DH_anon && 733 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 734 return -1; 735 736 if (keyx != TLS_KEY_X_DH_anon && 737 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 738 return -1; 739 740 *in_len = end - in_data; 741 742 conn->state = CERTIFICATE_VERIFY; 743 744 return 0; 745} 746 747 748static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 749 const u8 *in_data, size_t *in_len) 750{ 751 const u8 *pos, *end; 752 size_t left, len; 753 u8 type; 754 size_t hlen, buflen; 755 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 756 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 757 u16 slen; 758 759 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 760 if (conn->verify_peer) { 761 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 762 "CertificateVerify"); 763 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 764 TLS_ALERT_UNEXPECTED_MESSAGE); 765 return -1; 766 } 767 768 return tls_process_change_cipher_spec(conn, ct, in_data, 769 in_len); 770 } 771 772 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 773 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 774 "received content type 0x%x", ct); 775 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 776 TLS_ALERT_UNEXPECTED_MESSAGE); 777 return -1; 778 } 779 780 pos = in_data; 781 left = *in_len; 782 783 if (left < 4) { 784 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 785 "message (len=%lu)", (unsigned long) left); 786 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 787 TLS_ALERT_DECODE_ERROR); 788 return -1; 789 } 790 791 type = *pos++; 792 len = WPA_GET_BE24(pos); 793 pos += 3; 794 left -= 4; 795 796 if (len > left) { 797 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 798 "message length (len=%lu != left=%lu)", 799 (unsigned long) len, (unsigned long) left); 800 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 801 TLS_ALERT_DECODE_ERROR); 802 return -1; 803 } 804 805 end = pos + len; 806 807 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 808 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 809 "message %d (expected CertificateVerify)", type); 810 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 811 TLS_ALERT_UNEXPECTED_MESSAGE); 812 return -1; 813 } 814 815 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 816 817 /* 818 * struct { 819 * Signature signature; 820 * } CertificateVerify; 821 */ 822 823 hpos = hash; 824 825 if (alg == SIGN_ALG_RSA) { 826 hlen = MD5_MAC_LEN; 827 if (conn->verify.md5_cert == NULL || 828 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 829 { 830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 831 TLS_ALERT_INTERNAL_ERROR); 832 conn->verify.md5_cert = NULL; 833 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 834 conn->verify.sha1_cert = NULL; 835 return -1; 836 } 837 hpos += MD5_MAC_LEN; 838 } else 839 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 840 841 conn->verify.md5_cert = NULL; 842 hlen = SHA1_MAC_LEN; 843 if (conn->verify.sha1_cert == NULL || 844 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 845 conn->verify.sha1_cert = NULL; 846 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 847 TLS_ALERT_INTERNAL_ERROR); 848 return -1; 849 } 850 conn->verify.sha1_cert = NULL; 851 852 if (alg == SIGN_ALG_RSA) 853 hlen += MD5_MAC_LEN; 854 855 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 856 857 if (end - pos < 2) { 858 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 859 TLS_ALERT_DECODE_ERROR); 860 return -1; 861 } 862 slen = WPA_GET_BE16(pos); 863 pos += 2; 864 if (end - pos < slen) { 865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 866 TLS_ALERT_DECODE_ERROR); 867 return -1; 868 } 869 870 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 871 if (conn->client_rsa_key == NULL) { 872 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 873 "signature"); 874 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 875 TLS_ALERT_INTERNAL_ERROR); 876 return -1; 877 } 878 879 buflen = end - pos; 880 buf = os_malloc(end - pos); 881 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 882 pos, end - pos, buf, &buflen) < 0) 883 { 884 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 885 os_free(buf); 886 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 887 TLS_ALERT_DECRYPT_ERROR); 888 return -1; 889 } 890 891 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 892 buf, buflen); 893 894 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 895 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 896 "CertificateVerify - did not match with calculated " 897 "hash"); 898 os_free(buf); 899 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 900 TLS_ALERT_DECRYPT_ERROR); 901 return -1; 902 } 903 904 os_free(buf); 905 906 *in_len = end - in_data; 907 908 conn->state = CHANGE_CIPHER_SPEC; 909 910 return 0; 911} 912 913 914static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 915 u8 ct, const u8 *in_data, 916 size_t *in_len) 917{ 918 const u8 *pos; 919 size_t left; 920 921 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 922 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 923 "received content type 0x%x", ct); 924 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 925 TLS_ALERT_UNEXPECTED_MESSAGE); 926 return -1; 927 } 928 929 pos = in_data; 930 left = *in_len; 931 932 if (left < 1) { 933 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 934 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 935 TLS_ALERT_DECODE_ERROR); 936 return -1; 937 } 938 939 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 940 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 941 "received data 0x%x", *pos); 942 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 943 TLS_ALERT_UNEXPECTED_MESSAGE); 944 return -1; 945 } 946 947 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 948 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 949 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 950 "for record layer"); 951 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 952 TLS_ALERT_INTERNAL_ERROR); 953 return -1; 954 } 955 956 *in_len = pos + 1 - in_data; 957 958 conn->state = CLIENT_FINISHED; 959 960 return 0; 961} 962 963 964static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 965 const u8 *in_data, size_t *in_len) 966{ 967 const u8 *pos, *end; 968 size_t left, len, hlen; 969 u8 verify_data[TLS_VERIFY_DATA_LEN]; 970 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 971 972 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 973 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 974 "received content type 0x%x", ct); 975 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 976 TLS_ALERT_UNEXPECTED_MESSAGE); 977 return -1; 978 } 979 980 pos = in_data; 981 left = *in_len; 982 983 if (left < 4) { 984 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 985 "Finished", 986 (unsigned long) left); 987 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 988 TLS_ALERT_DECODE_ERROR); 989 return -1; 990 } 991 992 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 993 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 994 "type 0x%x", pos[0]); 995 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 996 TLS_ALERT_UNEXPECTED_MESSAGE); 997 return -1; 998 } 999 1000 len = WPA_GET_BE24(pos + 1); 1001 1002 pos += 4; 1003 left -= 4; 1004 1005 if (len > left) { 1006 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1007 "(len=%lu > left=%lu)", 1008 (unsigned long) len, (unsigned long) left); 1009 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1010 TLS_ALERT_DECODE_ERROR); 1011 return -1; 1012 } 1013 end = pos + len; 1014 if (len != TLS_VERIFY_DATA_LEN) { 1015 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1016 "in Finished: %lu (expected %d)", 1017 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1018 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1019 TLS_ALERT_DECODE_ERROR); 1020 return -1; 1021 } 1022 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1023 pos, TLS_VERIFY_DATA_LEN); 1024 1025 hlen = MD5_MAC_LEN; 1026 if (conn->verify.md5_client == NULL || 1027 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1028 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1029 TLS_ALERT_INTERNAL_ERROR); 1030 conn->verify.md5_client = NULL; 1031 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1032 conn->verify.sha1_client = NULL; 1033 return -1; 1034 } 1035 conn->verify.md5_client = NULL; 1036 hlen = SHA1_MAC_LEN; 1037 if (conn->verify.sha1_client == NULL || 1038 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1039 &hlen) < 0) { 1040 conn->verify.sha1_client = NULL; 1041 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1042 TLS_ALERT_INTERNAL_ERROR); 1043 return -1; 1044 } 1045 conn->verify.sha1_client = NULL; 1046 1047 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1048 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 1049 verify_data, TLS_VERIFY_DATA_LEN)) { 1050 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1051 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1052 TLS_ALERT_DECRYPT_ERROR); 1053 return -1; 1054 } 1055 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1056 verify_data, TLS_VERIFY_DATA_LEN); 1057 1058 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1059 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1060 return -1; 1061 } 1062 1063 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1064 1065 *in_len = end - in_data; 1066 1067 if (conn->use_session_ticket) { 1068 /* Abbreviated handshake using session ticket; RFC 4507 */ 1069 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 1070 "successfully"); 1071 conn->state = ESTABLISHED; 1072 } else { 1073 /* Full handshake */ 1074 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1075 } 1076 1077 return 0; 1078} 1079 1080 1081int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1082 const u8 *buf, size_t *len) 1083{ 1084 if (ct == TLS_CONTENT_TYPE_ALERT) { 1085 if (*len < 2) { 1086 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1087 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1088 TLS_ALERT_DECODE_ERROR); 1089 return -1; 1090 } 1091 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1092 buf[0], buf[1]); 1093 *len = 2; 1094 conn->state = FAILED; 1095 return -1; 1096 } 1097 1098 switch (conn->state) { 1099 case CLIENT_HELLO: 1100 if (tls_process_client_hello(conn, ct, buf, len)) 1101 return -1; 1102 break; 1103 case CLIENT_CERTIFICATE: 1104 if (tls_process_certificate(conn, ct, buf, len)) 1105 return -1; 1106 break; 1107 case CLIENT_KEY_EXCHANGE: 1108 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1109 return -1; 1110 break; 1111 case CERTIFICATE_VERIFY: 1112 if (tls_process_certificate_verify(conn, ct, buf, len)) 1113 return -1; 1114 break; 1115 case CHANGE_CIPHER_SPEC: 1116 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1117 return -1; 1118 break; 1119 case CLIENT_FINISHED: 1120 if (tls_process_client_finished(conn, ct, buf, len)) 1121 return -1; 1122 break; 1123 default: 1124 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1125 "while processing received message", 1126 conn->state); 1127 return -1; 1128 } 1129 1130 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1131 tls_verify_hash_add(&conn->verify, buf, *len); 1132 1133 return 0; 1134} 1135