1 /* 2 * TLSv1 server - read handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "md5.h" 19 #include "sha1.h" 20 #include "x509v3.h" 21 #include "tls.h" 22 #include "tlsv1_common.h" 23 #include "tlsv1_record.h" 24 #include "tlsv1_server.h" 25 #include "tlsv1_server_i.h" 26 27 28 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 29 const u8 *in_data, size_t *in_len); 30 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 31 u8 ct, const u8 *in_data, 32 size_t *in_len); 33 34 35 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 36 const u8 *in_data, size_t *in_len) 37 { 38 const u8 *pos, *end, *c; 39 size_t left, len, i, j; 40 u16 cipher_suite; 41 u16 num_suites; 42 int compr_null_found; 43 u16 ext_type, ext_len; 44 45 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 46 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 47 "received content type 0x%x", ct); 48 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 49 TLS_ALERT_UNEXPECTED_MESSAGE); 50 return -1; 51 } 52 53 pos = in_data; 54 left = *in_len; 55 56 if (left < 4) 57 goto decode_error; 58 59 /* HandshakeType msg_type */ 60 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 61 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 62 "message %d (expected ClientHello)", *pos); 63 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 64 TLS_ALERT_UNEXPECTED_MESSAGE); 65 return -1; 66 } 67 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 68 pos++; 69 /* uint24 length */ 70 len = WPA_GET_BE24(pos); 71 pos += 3; 72 left -= 4; 73 74 if (len > left) 75 goto decode_error; 76 77 /* body - ClientHello */ 78 79 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 80 end = pos + len; 81 82 /* ProtocolVersion client_version */ 83 if (end - pos < 2) 84 goto decode_error; 85 conn->client_version = WPA_GET_BE16(pos); 86 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 87 conn->client_version >> 8, conn->client_version & 0xff); 88 if (conn->client_version < TLS_VERSION) { 89 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 90 "ClientHello"); 91 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 92 TLS_ALERT_PROTOCOL_VERSION); 93 return -1; 94 } 95 pos += 2; 96 97 /* Random random */ 98 if (end - pos < TLS_RANDOM_LEN) 99 goto decode_error; 100 101 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 102 pos += TLS_RANDOM_LEN; 103 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 104 conn->client_random, TLS_RANDOM_LEN); 105 106 /* SessionID session_id */ 107 if (end - pos < 1) 108 goto decode_error; 109 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 110 goto decode_error; 111 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 112 pos += 1 + *pos; 113 /* TODO: add support for session resumption */ 114 115 /* CipherSuite cipher_suites<2..2^16-1> */ 116 if (end - pos < 2) 117 goto decode_error; 118 num_suites = WPA_GET_BE16(pos); 119 pos += 2; 120 if (end - pos < num_suites) 121 goto decode_error; 122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 123 pos, num_suites); 124 if (num_suites & 1) 125 goto decode_error; 126 num_suites /= 2; 127 128 cipher_suite = 0; 129 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 130 c = pos; 131 for (j = 0; j < num_suites; j++) { 132 u16 tmp = WPA_GET_BE16(c); 133 c += 2; 134 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 135 cipher_suite = tmp; 136 break; 137 } 138 } 139 } 140 pos += num_suites * 2; 141 if (!cipher_suite) { 142 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 143 "available"); 144 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 145 TLS_ALERT_ILLEGAL_PARAMETER); 146 return -1; 147 } 148 149 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 150 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 151 "record layer"); 152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 153 TLS_ALERT_INTERNAL_ERROR); 154 return -1; 155 } 156 157 conn->cipher_suite = cipher_suite; 158 159 /* CompressionMethod compression_methods<1..2^8-1> */ 160 if (end - pos < 1) 161 goto decode_error; 162 num_suites = *pos++; 163 if (end - pos < num_suites) 164 goto decode_error; 165 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 166 pos, num_suites); 167 compr_null_found = 0; 168 for (i = 0; i < num_suites; i++) { 169 if (*pos++ == TLS_COMPRESSION_NULL) 170 compr_null_found = 1; 171 } 172 if (!compr_null_found) { 173 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 174 "compression"); 175 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 176 TLS_ALERT_ILLEGAL_PARAMETER); 177 return -1; 178 } 179 180 if (end - pos == 1) { 181 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 182 "end of ClientHello: 0x%02x", *pos); 183 goto decode_error; 184 } 185 186 if (end - pos >= 2) { 187 /* Extension client_hello_extension_list<0..2^16-1> */ 188 ext_len = WPA_GET_BE16(pos); 189 pos += 2; 190 191 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 192 "extensions", ext_len); 193 if (end - pos != ext_len) { 194 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 195 "extension list length %u (expected %u)", 196 ext_len, (unsigned int) (end - pos)); 197 goto decode_error; 198 } 199 200 /* 201 * struct { 202 * ExtensionType extension_type (0..65535) 203 * opaque extension_data<0..2^16-1> 204 * } Extension; 205 */ 206 207 while (pos < end) { 208 if (end - pos < 2) { 209 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 210 "extension_type field"); 211 goto decode_error; 212 } 213 214 ext_type = WPA_GET_BE16(pos); 215 pos += 2; 216 217 if (end - pos < 2) { 218 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 219 "extension_data length field"); 220 goto decode_error; 221 } 222 223 ext_len = WPA_GET_BE16(pos); 224 pos += 2; 225 226 if (end - pos < ext_len) { 227 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 228 "extension_data field"); 229 goto decode_error; 230 } 231 232 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 233 "type %u", ext_type); 234 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 235 "Extension data", pos, ext_len); 236 237 if (ext_type == TLS_EXT_SESSION_TICKET) { 238 os_free(conn->session_ticket); 239 conn->session_ticket = os_malloc(ext_len); 240 if (conn->session_ticket) { 241 os_memcpy(conn->session_ticket, pos, 242 ext_len); 243 conn->session_ticket_len = ext_len; 244 } 245 } 246 247 pos += ext_len; 248 } 249 } 250 251 *in_len = end - in_data; 252 253 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 254 "ServerHello"); 255 conn->state = SERVER_HELLO; 256 257 return 0; 258 259 decode_error: 260 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 261 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 262 TLS_ALERT_DECODE_ERROR); 263 return -1; 264 } 265 266 267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 268 const u8 *in_data, size_t *in_len) 269 { 270 const u8 *pos, *end; 271 size_t left, len, list_len, cert_len, idx; 272 u8 type; 273 struct x509_certificate *chain = NULL, *last = NULL, *cert; 274 int reason; 275 276 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 277 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 278 "received content type 0x%x", ct); 279 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 280 TLS_ALERT_UNEXPECTED_MESSAGE); 281 return -1; 282 } 283 284 pos = in_data; 285 left = *in_len; 286 287 if (left < 4) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 289 "(len=%lu)", (unsigned long) left); 290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 291 TLS_ALERT_DECODE_ERROR); 292 return -1; 293 } 294 295 type = *pos++; 296 len = WPA_GET_BE24(pos); 297 pos += 3; 298 left -= 4; 299 300 if (len > left) { 301 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 302 "length (len=%lu != left=%lu)", 303 (unsigned long) len, (unsigned long) left); 304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 305 TLS_ALERT_DECODE_ERROR); 306 return -1; 307 } 308 309 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 310 if (conn->verify_peer) { 311 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 312 "Certificate"); 313 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 314 TLS_ALERT_UNEXPECTED_MESSAGE); 315 return -1; 316 } 317 318 return tls_process_client_key_exchange(conn, ct, in_data, 319 in_len); 320 } 321 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 322 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 323 "message %d (expected Certificate/" 324 "ClientKeyExchange)", type); 325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_UNEXPECTED_MESSAGE); 327 return -1; 328 } 329 330 wpa_printf(MSG_DEBUG, 331 "TLSv1: Received Certificate (certificate_list len %lu)", 332 (unsigned long) len); 333 334 /* 335 * opaque ASN.1Cert<2^24-1>; 336 * 337 * struct { 338 * ASN.1Cert certificate_list<1..2^24-1>; 339 * } Certificate; 340 */ 341 342 end = pos + len; 343 344 if (end - pos < 3) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 346 "(left=%lu)", (unsigned long) left); 347 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 348 TLS_ALERT_DECODE_ERROR); 349 return -1; 350 } 351 352 list_len = WPA_GET_BE24(pos); 353 pos += 3; 354 355 if ((size_t) (end - pos) != list_len) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 357 "length (len=%lu left=%lu)", 358 (unsigned long) list_len, 359 (unsigned long) (end - pos)); 360 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 361 TLS_ALERT_DECODE_ERROR); 362 return -1; 363 } 364 365 idx = 0; 366 while (pos < end) { 367 if (end - pos < 3) { 368 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 369 "certificate_list"); 370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 371 TLS_ALERT_DECODE_ERROR); 372 x509_certificate_chain_free(chain); 373 return -1; 374 } 375 376 cert_len = WPA_GET_BE24(pos); 377 pos += 3; 378 379 if ((size_t) (end - pos) < cert_len) { 380 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 381 "length (len=%lu left=%lu)", 382 (unsigned long) cert_len, 383 (unsigned long) (end - pos)); 384 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 385 TLS_ALERT_DECODE_ERROR); 386 x509_certificate_chain_free(chain); 387 return -1; 388 } 389 390 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 391 (unsigned long) idx, (unsigned long) cert_len); 392 393 if (idx == 0) { 394 crypto_public_key_free(conn->client_rsa_key); 395 if (tls_parse_cert(pos, cert_len, 396 &conn->client_rsa_key)) { 397 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 398 "the certificate"); 399 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 400 TLS_ALERT_BAD_CERTIFICATE); 401 x509_certificate_chain_free(chain); 402 return -1; 403 } 404 } 405 406 cert = x509_certificate_parse(pos, cert_len); 407 if (cert == NULL) { 408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 409 "the certificate"); 410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 411 TLS_ALERT_BAD_CERTIFICATE); 412 x509_certificate_chain_free(chain); 413 return -1; 414 } 415 416 if (last == NULL) 417 chain = cert; 418 else 419 last->next = cert; 420 last = cert; 421 422 idx++; 423 pos += cert_len; 424 } 425 426 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 427 &reason) < 0) { 428 int tls_reason; 429 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 430 "validation failed (reason=%d)", reason); 431 switch (reason) { 432 case X509_VALIDATE_BAD_CERTIFICATE: 433 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 434 break; 435 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 436 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 437 break; 438 case X509_VALIDATE_CERTIFICATE_REVOKED: 439 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 440 break; 441 case X509_VALIDATE_CERTIFICATE_EXPIRED: 442 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 443 break; 444 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 445 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 446 break; 447 case X509_VALIDATE_UNKNOWN_CA: 448 tls_reason = TLS_ALERT_UNKNOWN_CA; 449 break; 450 default: 451 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 452 break; 453 } 454 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 455 x509_certificate_chain_free(chain); 456 return -1; 457 } 458 459 x509_certificate_chain_free(chain); 460 461 *in_len = end - in_data; 462 463 conn->state = CLIENT_KEY_EXCHANGE; 464 465 return 0; 466 } 467 468 469 static int tls_process_client_key_exchange_rsa( 470 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 471 { 472 u8 *out; 473 size_t outlen, outbuflen; 474 u16 encr_len; 475 int res; 476 int use_random = 0; 477 478 if (end - pos < 2) { 479 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 480 TLS_ALERT_DECODE_ERROR); 481 return -1; 482 } 483 484 encr_len = WPA_GET_BE16(pos); 485 pos += 2; 486 487 outbuflen = outlen = end - pos; 488 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 489 outlen : TLS_PRE_MASTER_SECRET_LEN); 490 if (out == NULL) { 491 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 492 TLS_ALERT_INTERNAL_ERROR); 493 return -1; 494 } 495 496 /* 497 * struct { 498 * ProtocolVersion client_version; 499 * opaque random[46]; 500 * } PreMasterSecret; 501 * 502 * struct { 503 * public-key-encrypted PreMasterSecret pre_master_secret; 504 * } EncryptedPreMasterSecret; 505 */ 506 507 /* 508 * Note: To avoid Bleichenbacher attack, we do not report decryption or 509 * parsing errors from EncryptedPreMasterSecret processing to the 510 * client. Instead, a random pre-master secret is used to force the 511 * handshake to fail. 512 */ 513 514 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 515 pos, end - pos, 516 out, &outlen) < 0) { 517 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 518 "PreMasterSecret (encr_len=%d outlen=%lu)", 519 (int) (end - pos), (unsigned long) outlen); 520 use_random = 1; 521 } 522 523 if (outlen != TLS_PRE_MASTER_SECRET_LEN) { 524 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 525 "length %lu", (unsigned long) outlen); 526 use_random = 1; 527 } 528 529 if (WPA_GET_BE16(out) != conn->client_version) { 530 wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 531 "ClientKeyExchange does not match with version in " 532 "ClientHello"); 533 use_random = 1; 534 } 535 536 if (use_random) { 537 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 538 "to avoid revealing information about private key"); 539 outlen = TLS_PRE_MASTER_SECRET_LEN; 540 if (os_get_random(out, outlen)) { 541 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 542 "data"); 543 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 544 TLS_ALERT_INTERNAL_ERROR); 545 os_free(out); 546 return -1; 547 } 548 } 549 550 res = tlsv1_server_derive_keys(conn, out, outlen); 551 552 /* Clear the pre-master secret since it is not needed anymore */ 553 os_memset(out, 0, outbuflen); 554 os_free(out); 555 556 if (res) { 557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 559 TLS_ALERT_INTERNAL_ERROR); 560 return -1; 561 } 562 563 return 0; 564 } 565 566 567 static int tls_process_client_key_exchange_dh_anon( 568 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 569 { 570 #ifdef EAP_FAST 571 const u8 *dh_yc; 572 u16 dh_yc_len; 573 u8 *shared; 574 size_t shared_len; 575 int res; 576 577 /* 578 * struct { 579 * select (PublicValueEncoding) { 580 * case implicit: struct { }; 581 * case explicit: opaque dh_Yc<1..2^16-1>; 582 * } dh_public; 583 * } ClientDiffieHellmanPublic; 584 */ 585 586 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 587 pos, end - pos); 588 589 if (end == pos) { 590 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 591 "not supported"); 592 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 593 TLS_ALERT_INTERNAL_ERROR); 594 return -1; 595 } 596 597 if (end - pos < 3) { 598 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 599 "length"); 600 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 601 TLS_ALERT_DECODE_ERROR); 602 return -1; 603 } 604 605 dh_yc_len = WPA_GET_BE16(pos); 606 dh_yc = pos + 2; 607 608 if (dh_yc + dh_yc_len > end) { 609 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 610 "(length %d)", dh_yc_len); 611 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 612 TLS_ALERT_DECODE_ERROR); 613 return -1; 614 } 615 616 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 617 dh_yc, dh_yc_len); 618 619 if (conn->cred == NULL || conn->cred->dh_p == NULL || 620 conn->dh_secret == NULL) { 621 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 622 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 623 TLS_ALERT_INTERNAL_ERROR); 624 return -1; 625 } 626 627 shared_len = conn->cred->dh_p_len; 628 shared = os_malloc(shared_len); 629 if (shared == NULL) { 630 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 631 "DH"); 632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 633 TLS_ALERT_INTERNAL_ERROR); 634 return -1; 635 } 636 637 /* shared = Yc^secret mod p */ 638 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 639 conn->dh_secret_len, 640 conn->cred->dh_p, conn->cred->dh_p_len, 641 shared, &shared_len)) { 642 os_free(shared); 643 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 644 TLS_ALERT_INTERNAL_ERROR); 645 return -1; 646 } 647 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 648 shared, shared_len); 649 650 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 651 os_free(conn->dh_secret); 652 conn->dh_secret = NULL; 653 654 res = tlsv1_server_derive_keys(conn, shared, shared_len); 655 656 /* Clear the pre-master secret since it is not needed anymore */ 657 os_memset(shared, 0, shared_len); 658 os_free(shared); 659 660 if (res) { 661 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 662 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 663 TLS_ALERT_INTERNAL_ERROR); 664 return -1; 665 } 666 667 return 0; 668 #else /* EAP_FAST */ 669 return -1; 670 #endif /* EAP_FAST */ 671 } 672 673 674 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 675 const u8 *in_data, size_t *in_len) 676 { 677 const u8 *pos, *end; 678 size_t left, len; 679 u8 type; 680 tls_key_exchange keyx; 681 const struct tls_cipher_suite *suite; 682 683 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 684 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 685 "received content type 0x%x", ct); 686 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 687 TLS_ALERT_UNEXPECTED_MESSAGE); 688 return -1; 689 } 690 691 pos = in_data; 692 left = *in_len; 693 694 if (left < 4) { 695 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 696 "(Left=%lu)", (unsigned long) left); 697 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 698 TLS_ALERT_DECODE_ERROR); 699 return -1; 700 } 701 702 type = *pos++; 703 len = WPA_GET_BE24(pos); 704 pos += 3; 705 left -= 4; 706 707 if (len > left) { 708 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 709 "length (len=%lu != left=%lu)", 710 (unsigned long) len, (unsigned long) left); 711 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 712 TLS_ALERT_DECODE_ERROR); 713 return -1; 714 } 715 716 end = pos + len; 717 718 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 719 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 720 "message %d (expected ClientKeyExchange)", type); 721 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 722 TLS_ALERT_UNEXPECTED_MESSAGE); 723 return -1; 724 } 725 726 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 727 728 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 729 730 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 731 if (suite == NULL) 732 keyx = TLS_KEY_X_NULL; 733 else 734 keyx = suite->key_exchange; 735 736 if (keyx == TLS_KEY_X_DH_anon && 737 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 738 return -1; 739 740 if (keyx != TLS_KEY_X_DH_anon && 741 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 742 return -1; 743 744 *in_len = end - in_data; 745 746 conn->state = CERTIFICATE_VERIFY; 747 748 return 0; 749 } 750 751 752 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 753 const u8 *in_data, size_t *in_len) 754 { 755 const u8 *pos, *end; 756 size_t left, len; 757 u8 type; 758 size_t hlen, buflen; 759 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 760 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 761 u16 slen; 762 763 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 764 if (conn->verify_peer) { 765 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 766 "CertificateVerify"); 767 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 768 TLS_ALERT_UNEXPECTED_MESSAGE); 769 return -1; 770 } 771 772 return tls_process_change_cipher_spec(conn, ct, in_data, 773 in_len); 774 } 775 776 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 777 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 778 "received content type 0x%x", ct); 779 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 780 TLS_ALERT_UNEXPECTED_MESSAGE); 781 return -1; 782 } 783 784 pos = in_data; 785 left = *in_len; 786 787 if (left < 4) { 788 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 789 "message (len=%lu)", (unsigned long) left); 790 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 791 TLS_ALERT_DECODE_ERROR); 792 return -1; 793 } 794 795 type = *pos++; 796 len = WPA_GET_BE24(pos); 797 pos += 3; 798 left -= 4; 799 800 if (len > left) { 801 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 802 "message length (len=%lu != left=%lu)", 803 (unsigned long) len, (unsigned long) left); 804 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 805 TLS_ALERT_DECODE_ERROR); 806 return -1; 807 } 808 809 end = pos + len; 810 811 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 812 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 813 "message %d (expected CertificateVerify)", type); 814 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 815 TLS_ALERT_UNEXPECTED_MESSAGE); 816 return -1; 817 } 818 819 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 820 821 /* 822 * struct { 823 * Signature signature; 824 * } CertificateVerify; 825 */ 826 827 hpos = hash; 828 829 if (alg == SIGN_ALG_RSA) { 830 hlen = MD5_MAC_LEN; 831 if (conn->verify.md5_cert == NULL || 832 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 833 { 834 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 835 TLS_ALERT_INTERNAL_ERROR); 836 conn->verify.md5_cert = NULL; 837 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 838 conn->verify.sha1_cert = NULL; 839 return -1; 840 } 841 hpos += MD5_MAC_LEN; 842 } else 843 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 844 845 conn->verify.md5_cert = NULL; 846 hlen = SHA1_MAC_LEN; 847 if (conn->verify.sha1_cert == NULL || 848 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 849 conn->verify.sha1_cert = NULL; 850 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 851 TLS_ALERT_INTERNAL_ERROR); 852 return -1; 853 } 854 conn->verify.sha1_cert = NULL; 855 856 if (alg == SIGN_ALG_RSA) 857 hlen += MD5_MAC_LEN; 858 859 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 860 861 if (end - pos < 2) { 862 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 863 TLS_ALERT_DECODE_ERROR); 864 return -1; 865 } 866 slen = WPA_GET_BE16(pos); 867 pos += 2; 868 if (end - pos < slen) { 869 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 870 TLS_ALERT_DECODE_ERROR); 871 return -1; 872 } 873 874 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 875 if (conn->client_rsa_key == NULL) { 876 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 877 "signature"); 878 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 879 TLS_ALERT_INTERNAL_ERROR); 880 return -1; 881 } 882 883 buflen = end - pos; 884 buf = os_malloc(end - pos); 885 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 886 pos, end - pos, buf, &buflen) < 0) 887 { 888 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 889 os_free(buf); 890 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 891 TLS_ALERT_DECRYPT_ERROR); 892 return -1; 893 } 894 895 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 896 buf, buflen); 897 898 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 899 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 900 "CertificateVerify - did not match with calculated " 901 "hash"); 902 os_free(buf); 903 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 904 TLS_ALERT_DECRYPT_ERROR); 905 return -1; 906 } 907 908 os_free(buf); 909 910 *in_len = end - in_data; 911 912 conn->state = CHANGE_CIPHER_SPEC; 913 914 return 0; 915 } 916 917 918 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 919 u8 ct, const u8 *in_data, 920 size_t *in_len) 921 { 922 const u8 *pos; 923 size_t left; 924 925 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 926 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 927 "received content type 0x%x", ct); 928 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 929 TLS_ALERT_UNEXPECTED_MESSAGE); 930 return -1; 931 } 932 933 pos = in_data; 934 left = *in_len; 935 936 if (left < 1) { 937 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 938 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 939 TLS_ALERT_DECODE_ERROR); 940 return -1; 941 } 942 943 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 944 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 945 "received data 0x%x", *pos); 946 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 947 TLS_ALERT_UNEXPECTED_MESSAGE); 948 return -1; 949 } 950 951 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 952 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 953 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 954 "for record layer"); 955 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 956 TLS_ALERT_INTERNAL_ERROR); 957 return -1; 958 } 959 960 *in_len = pos + 1 - in_data; 961 962 conn->state = CLIENT_FINISHED; 963 964 return 0; 965 } 966 967 968 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 969 const u8 *in_data, size_t *in_len) 970 { 971 const u8 *pos, *end; 972 size_t left, len, hlen; 973 u8 verify_data[TLS_VERIFY_DATA_LEN]; 974 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 975 976 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 977 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 978 "received content type 0x%x", ct); 979 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 980 TLS_ALERT_UNEXPECTED_MESSAGE); 981 return -1; 982 } 983 984 pos = in_data; 985 left = *in_len; 986 987 if (left < 4) { 988 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 989 "Finished", 990 (unsigned long) left); 991 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 992 TLS_ALERT_DECODE_ERROR); 993 return -1; 994 } 995 996 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 997 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 998 "type 0x%x", pos[0]); 999 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1000 TLS_ALERT_UNEXPECTED_MESSAGE); 1001 return -1; 1002 } 1003 1004 len = WPA_GET_BE24(pos + 1); 1005 1006 pos += 4; 1007 left -= 4; 1008 1009 if (len > left) { 1010 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 1011 "(len=%lu > left=%lu)", 1012 (unsigned long) len, (unsigned long) left); 1013 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1014 TLS_ALERT_DECODE_ERROR); 1015 return -1; 1016 } 1017 end = pos + len; 1018 if (len != TLS_VERIFY_DATA_LEN) { 1019 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 1020 "in Finished: %lu (expected %d)", 1021 (unsigned long) len, TLS_VERIFY_DATA_LEN); 1022 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1023 TLS_ALERT_DECODE_ERROR); 1024 return -1; 1025 } 1026 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 1027 pos, TLS_VERIFY_DATA_LEN); 1028 1029 hlen = MD5_MAC_LEN; 1030 if (conn->verify.md5_client == NULL || 1031 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 1032 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1033 TLS_ALERT_INTERNAL_ERROR); 1034 conn->verify.md5_client = NULL; 1035 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 1036 conn->verify.sha1_client = NULL; 1037 return -1; 1038 } 1039 conn->verify.md5_client = NULL; 1040 hlen = SHA1_MAC_LEN; 1041 if (conn->verify.sha1_client == NULL || 1042 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 1043 &hlen) < 0) { 1044 conn->verify.sha1_client = NULL; 1045 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1046 TLS_ALERT_INTERNAL_ERROR); 1047 return -1; 1048 } 1049 conn->verify.sha1_client = NULL; 1050 1051 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 1052 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 1053 verify_data, TLS_VERIFY_DATA_LEN)) { 1054 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 1055 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1056 TLS_ALERT_DECRYPT_ERROR); 1057 return -1; 1058 } 1059 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 1060 verify_data, TLS_VERIFY_DATA_LEN); 1061 1062 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 1063 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 1064 return -1; 1065 } 1066 1067 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 1068 1069 *in_len = end - in_data; 1070 1071 if (conn->use_session_ticket) { 1072 /* Abbreviated handshake using session ticket; RFC 4507 */ 1073 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 1074 "successfully"); 1075 conn->state = ESTABLISHED; 1076 } else { 1077 /* Full handshake */ 1078 conn->state = SERVER_CHANGE_CIPHER_SPEC; 1079 } 1080 1081 return 0; 1082 } 1083 1084 1085 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 1086 const u8 *buf, size_t *len) 1087 { 1088 if (ct == TLS_CONTENT_TYPE_ALERT) { 1089 if (*len < 2) { 1090 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1091 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 1092 TLS_ALERT_DECODE_ERROR); 1093 return -1; 1094 } 1095 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1096 buf[0], buf[1]); 1097 *len = 2; 1098 conn->state = FAILED; 1099 return -1; 1100 } 1101 1102 switch (conn->state) { 1103 case CLIENT_HELLO: 1104 if (tls_process_client_hello(conn, ct, buf, len)) 1105 return -1; 1106 break; 1107 case CLIENT_CERTIFICATE: 1108 if (tls_process_certificate(conn, ct, buf, len)) 1109 return -1; 1110 break; 1111 case CLIENT_KEY_EXCHANGE: 1112 if (tls_process_client_key_exchange(conn, ct, buf, len)) 1113 return -1; 1114 break; 1115 case CERTIFICATE_VERIFY: 1116 if (tls_process_certificate_verify(conn, ct, buf, len)) 1117 return -1; 1118 break; 1119 case CHANGE_CIPHER_SPEC: 1120 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 1121 return -1; 1122 break; 1123 case CLIENT_FINISHED: 1124 if (tls_process_client_finished(conn, ct, buf, len)) 1125 return -1; 1126 break; 1127 default: 1128 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1129 "while processing received message", 1130 conn->state); 1131 return -1; 1132 } 1133 1134 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1135 tls_verify_hash_add(&conn->verify, buf, *len); 1136 1137 return 0; 1138 } 1139