$search
00001 /* 00002 * TLSv1 server - read handshake message 00003 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 00004 * 00005 * This program is free software; you can redistribute it and/or modify 00006 * it under the terms of the GNU General Public License version 2 as 00007 * published by the Free Software Foundation. 00008 * 00009 * Alternatively, this software may be distributed under the terms of BSD 00010 * license. 00011 * 00012 * See README and COPYING for more details. 00013 */ 00014 00015 #include "includes.h" 00016 00017 #include "common.h" 00018 #include "crypto/md5.h" 00019 #include "crypto/sha1.h" 00020 #include "crypto/tls.h" 00021 #include "x509v3.h" 00022 #include "tlsv1_common.h" 00023 #include "tlsv1_record.h" 00024 #include "tlsv1_server.h" 00025 #include "tlsv1_server_i.h" 00026 00027 00028 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 00029 const u8 *in_data, size_t *in_len); 00030 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 00031 u8 ct, const u8 *in_data, 00032 size_t *in_len); 00033 00034 00035 static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, 00036 const u8 *in_data, size_t *in_len) 00037 { 00038 const u8 *pos, *end, *c; 00039 size_t left, len, i, j; 00040 u16 cipher_suite; 00041 u16 num_suites; 00042 int compr_null_found; 00043 u16 ext_type, ext_len; 00044 00045 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 00046 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 00047 "received content type 0x%x", ct); 00048 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00049 TLS_ALERT_UNEXPECTED_MESSAGE); 00050 return -1; 00051 } 00052 00053 pos = in_data; 00054 left = *in_len; 00055 00056 if (left < 4) 00057 goto decode_error; 00058 00059 /* HandshakeType msg_type */ 00060 if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { 00061 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 00062 "message %d (expected ClientHello)", *pos); 00063 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00064 TLS_ALERT_UNEXPECTED_MESSAGE); 00065 return -1; 00066 } 00067 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello"); 00068 pos++; 00069 /* uint24 length */ 00070 len = WPA_GET_BE24(pos); 00071 pos += 3; 00072 left -= 4; 00073 00074 if (len > left) 00075 goto decode_error; 00076 00077 /* body - ClientHello */ 00078 00079 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len); 00080 end = pos + len; 00081 00082 /* ProtocolVersion client_version */ 00083 if (end - pos < 2) 00084 goto decode_error; 00085 conn->client_version = WPA_GET_BE16(pos); 00086 wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d", 00087 conn->client_version >> 8, conn->client_version & 0xff); 00088 if (conn->client_version < TLS_VERSION) { 00089 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 00090 "ClientHello"); 00091 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00092 TLS_ALERT_PROTOCOL_VERSION); 00093 return -1; 00094 } 00095 pos += 2; 00096 00097 /* Random random */ 00098 if (end - pos < TLS_RANDOM_LEN) 00099 goto decode_error; 00100 00101 os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN); 00102 pos += TLS_RANDOM_LEN; 00103 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 00104 conn->client_random, TLS_RANDOM_LEN); 00105 00106 /* SessionID session_id */ 00107 if (end - pos < 1) 00108 goto decode_error; 00109 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 00110 goto decode_error; 00111 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos); 00112 pos += 1 + *pos; 00113 /* TODO: add support for session resumption */ 00114 00115 /* CipherSuite cipher_suites<2..2^16-1> */ 00116 if (end - pos < 2) 00117 goto decode_error; 00118 num_suites = WPA_GET_BE16(pos); 00119 pos += 2; 00120 if (end - pos < num_suites) 00121 goto decode_error; 00122 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites", 00123 pos, num_suites); 00124 if (num_suites & 1) 00125 goto decode_error; 00126 num_suites /= 2; 00127 00128 cipher_suite = 0; 00129 for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) { 00130 c = pos; 00131 for (j = 0; j < num_suites; j++) { 00132 u16 tmp = WPA_GET_BE16(c); 00133 c += 2; 00134 if (!cipher_suite && tmp == conn->cipher_suites[i]) { 00135 cipher_suite = tmp; 00136 break; 00137 } 00138 } 00139 } 00140 pos += num_suites * 2; 00141 if (!cipher_suite) { 00142 wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite " 00143 "available"); 00144 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00145 TLS_ALERT_ILLEGAL_PARAMETER); 00146 return -1; 00147 } 00148 00149 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 00150 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 00151 "record layer"); 00152 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00153 TLS_ALERT_INTERNAL_ERROR); 00154 return -1; 00155 } 00156 00157 conn->cipher_suite = cipher_suite; 00158 00159 /* CompressionMethod compression_methods<1..2^8-1> */ 00160 if (end - pos < 1) 00161 goto decode_error; 00162 num_suites = *pos++; 00163 if (end - pos < num_suites) 00164 goto decode_error; 00165 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods", 00166 pos, num_suites); 00167 compr_null_found = 0; 00168 for (i = 0; i < num_suites; i++) { 00169 if (*pos++ == TLS_COMPRESSION_NULL) 00170 compr_null_found = 1; 00171 } 00172 if (!compr_null_found) { 00173 wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL " 00174 "compression"); 00175 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00176 TLS_ALERT_ILLEGAL_PARAMETER); 00177 return -1; 00178 } 00179 00180 if (end - pos == 1) { 00181 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the " 00182 "end of ClientHello: 0x%02x", *pos); 00183 goto decode_error; 00184 } 00185 00186 if (end - pos >= 2) { 00187 /* Extension client_hello_extension_list<0..2^16-1> */ 00188 ext_len = WPA_GET_BE16(pos); 00189 pos += 2; 00190 00191 wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello " 00192 "extensions", ext_len); 00193 if (end - pos != ext_len) { 00194 wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " 00195 "extension list length %u (expected %u)", 00196 ext_len, (unsigned int) (end - pos)); 00197 goto decode_error; 00198 } 00199 00200 /* 00201 * struct { 00202 * ExtensionType extension_type (0..65535) 00203 * opaque extension_data<0..2^16-1> 00204 * } Extension; 00205 */ 00206 00207 while (pos < end) { 00208 if (end - pos < 2) { 00209 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 00210 "extension_type field"); 00211 goto decode_error; 00212 } 00213 00214 ext_type = WPA_GET_BE16(pos); 00215 pos += 2; 00216 00217 if (end - pos < 2) { 00218 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 00219 "extension_data length field"); 00220 goto decode_error; 00221 } 00222 00223 ext_len = WPA_GET_BE16(pos); 00224 pos += 2; 00225 00226 if (end - pos < ext_len) { 00227 wpa_printf(MSG_DEBUG, "TLSv1: Invalid " 00228 "extension_data field"); 00229 goto decode_error; 00230 } 00231 00232 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension " 00233 "type %u", ext_type); 00234 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello " 00235 "Extension data", pos, ext_len); 00236 00237 if (ext_type == TLS_EXT_SESSION_TICKET) { 00238 os_free(conn->session_ticket); 00239 conn->session_ticket = os_malloc(ext_len); 00240 if (conn->session_ticket) { 00241 os_memcpy(conn->session_ticket, pos, 00242 ext_len); 00243 conn->session_ticket_len = ext_len; 00244 } 00245 } 00246 00247 pos += ext_len; 00248 } 00249 } 00250 00251 *in_len = end - in_data; 00252 00253 wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to " 00254 "ServerHello"); 00255 conn->state = SERVER_HELLO; 00256 00257 return 0; 00258 00259 decode_error: 00260 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello"); 00261 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00262 TLS_ALERT_DECODE_ERROR); 00263 return -1; 00264 } 00265 00266 00267 static int tls_process_certificate(struct tlsv1_server *conn, u8 ct, 00268 const u8 *in_data, size_t *in_len) 00269 { 00270 const u8 *pos, *end; 00271 size_t left, len, list_len, cert_len, idx; 00272 u8 type; 00273 struct x509_certificate *chain = NULL, *last = NULL, *cert; 00274 int reason; 00275 00276 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 00277 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 00278 "received content type 0x%x", ct); 00279 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00280 TLS_ALERT_UNEXPECTED_MESSAGE); 00281 return -1; 00282 } 00283 00284 pos = in_data; 00285 left = *in_len; 00286 00287 if (left < 4) { 00288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 00289 "(len=%lu)", (unsigned long) left); 00290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00291 TLS_ALERT_DECODE_ERROR); 00292 return -1; 00293 } 00294 00295 type = *pos++; 00296 len = WPA_GET_BE24(pos); 00297 pos += 3; 00298 left -= 4; 00299 00300 if (len > left) { 00301 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 00302 "length (len=%lu != left=%lu)", 00303 (unsigned long) len, (unsigned long) left); 00304 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00305 TLS_ALERT_DECODE_ERROR); 00306 return -1; 00307 } 00308 00309 if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 00310 if (conn->verify_peer) { 00311 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 00312 "Certificate"); 00313 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00314 TLS_ALERT_UNEXPECTED_MESSAGE); 00315 return -1; 00316 } 00317 00318 return tls_process_client_key_exchange(conn, ct, in_data, 00319 in_len); 00320 } 00321 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 00322 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 00323 "message %d (expected Certificate/" 00324 "ClientKeyExchange)", type); 00325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00326 TLS_ALERT_UNEXPECTED_MESSAGE); 00327 return -1; 00328 } 00329 00330 wpa_printf(MSG_DEBUG, 00331 "TLSv1: Received Certificate (certificate_list len %lu)", 00332 (unsigned long) len); 00333 00334 /* 00335 * opaque ASN.1Cert<2^24-1>; 00336 * 00337 * struct { 00338 * ASN.1Cert certificate_list<1..2^24-1>; 00339 * } Certificate; 00340 */ 00341 00342 end = pos + len; 00343 00344 if (end - pos < 3) { 00345 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 00346 "(left=%lu)", (unsigned long) left); 00347 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00348 TLS_ALERT_DECODE_ERROR); 00349 return -1; 00350 } 00351 00352 list_len = WPA_GET_BE24(pos); 00353 pos += 3; 00354 00355 if ((size_t) (end - pos) != list_len) { 00356 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 00357 "length (len=%lu left=%lu)", 00358 (unsigned long) list_len, 00359 (unsigned long) (end - pos)); 00360 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00361 TLS_ALERT_DECODE_ERROR); 00362 return -1; 00363 } 00364 00365 idx = 0; 00366 while (pos < end) { 00367 if (end - pos < 3) { 00368 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 00369 "certificate_list"); 00370 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00371 TLS_ALERT_DECODE_ERROR); 00372 x509_certificate_chain_free(chain); 00373 return -1; 00374 } 00375 00376 cert_len = WPA_GET_BE24(pos); 00377 pos += 3; 00378 00379 if ((size_t) (end - pos) < cert_len) { 00380 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 00381 "length (len=%lu left=%lu)", 00382 (unsigned long) cert_len, 00383 (unsigned long) (end - pos)); 00384 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00385 TLS_ALERT_DECODE_ERROR); 00386 x509_certificate_chain_free(chain); 00387 return -1; 00388 } 00389 00390 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 00391 (unsigned long) idx, (unsigned long) cert_len); 00392 00393 if (idx == 0) { 00394 crypto_public_key_free(conn->client_rsa_key); 00395 if (tls_parse_cert(pos, cert_len, 00396 &conn->client_rsa_key)) { 00397 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 00398 "the certificate"); 00399 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00400 TLS_ALERT_BAD_CERTIFICATE); 00401 x509_certificate_chain_free(chain); 00402 return -1; 00403 } 00404 } 00405 00406 cert = x509_certificate_parse(pos, cert_len); 00407 if (cert == NULL) { 00408 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 00409 "the certificate"); 00410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00411 TLS_ALERT_BAD_CERTIFICATE); 00412 x509_certificate_chain_free(chain); 00413 return -1; 00414 } 00415 00416 if (last == NULL) 00417 chain = cert; 00418 else 00419 last->next = cert; 00420 last = cert; 00421 00422 idx++; 00423 pos += cert_len; 00424 } 00425 00426 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 00427 &reason) < 0) { 00428 int tls_reason; 00429 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 00430 "validation failed (reason=%d)", reason); 00431 switch (reason) { 00432 case X509_VALIDATE_BAD_CERTIFICATE: 00433 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 00434 break; 00435 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 00436 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 00437 break; 00438 case X509_VALIDATE_CERTIFICATE_REVOKED: 00439 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 00440 break; 00441 case X509_VALIDATE_CERTIFICATE_EXPIRED: 00442 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 00443 break; 00444 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 00445 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 00446 break; 00447 case X509_VALIDATE_UNKNOWN_CA: 00448 tls_reason = TLS_ALERT_UNKNOWN_CA; 00449 break; 00450 default: 00451 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 00452 break; 00453 } 00454 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 00455 x509_certificate_chain_free(chain); 00456 return -1; 00457 } 00458 00459 x509_certificate_chain_free(chain); 00460 00461 *in_len = end - in_data; 00462 00463 conn->state = CLIENT_KEY_EXCHANGE; 00464 00465 return 0; 00466 } 00467 00468 00469 static int tls_process_client_key_exchange_rsa( 00470 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 00471 { 00472 u8 *out; 00473 size_t outlen, outbuflen; 00474 u16 encr_len; 00475 int res; 00476 int use_random = 0; 00477 00478 if (end - pos < 2) { 00479 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00480 TLS_ALERT_DECODE_ERROR); 00481 return -1; 00482 } 00483 00484 encr_len = WPA_GET_BE16(pos); 00485 pos += 2; 00486 00487 outbuflen = outlen = end - pos; 00488 out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ? 00489 outlen : TLS_PRE_MASTER_SECRET_LEN); 00490 if (out == NULL) { 00491 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00492 TLS_ALERT_INTERNAL_ERROR); 00493 return -1; 00494 } 00495 00496 /* 00497 * struct { 00498 * ProtocolVersion client_version; 00499 * opaque random[46]; 00500 * } PreMasterSecret; 00501 * 00502 * struct { 00503 * public-key-encrypted PreMasterSecret pre_master_secret; 00504 * } EncryptedPreMasterSecret; 00505 */ 00506 00507 /* 00508 * Note: To avoid Bleichenbacher attack, we do not report decryption or 00509 * parsing errors from EncryptedPreMasterSecret processing to the 00510 * client. Instead, a random pre-master secret is used to force the 00511 * handshake to fail. 00512 */ 00513 00514 if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key, 00515 pos, end - pos, 00516 out, &outlen) < 0) { 00517 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " 00518 "PreMasterSecret (encr_len=%d outlen=%lu)", 00519 (int) (end - pos), (unsigned long) outlen); 00520 use_random = 1; 00521 } 00522 00523 if (outlen != TLS_PRE_MASTER_SECRET_LEN) { 00524 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret " 00525 "length %lu", (unsigned long) outlen); 00526 use_random = 1; 00527 } 00528 00529 if (WPA_GET_BE16(out) != conn->client_version) { 00530 wpa_printf(MSG_DEBUG, "TLSv1: Client version in " 00531 "ClientKeyExchange does not match with version in " 00532 "ClientHello"); 00533 use_random = 1; 00534 } 00535 00536 if (use_random) { 00537 wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret " 00538 "to avoid revealing information about private key"); 00539 outlen = TLS_PRE_MASTER_SECRET_LEN; 00540 if (os_get_random(out, outlen)) { 00541 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 00542 "data"); 00543 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00544 TLS_ALERT_INTERNAL_ERROR); 00545 os_free(out); 00546 return -1; 00547 } 00548 } 00549 00550 res = tlsv1_server_derive_keys(conn, out, outlen); 00551 00552 /* Clear the pre-master secret since it is not needed anymore */ 00553 os_memset(out, 0, outbuflen); 00554 os_free(out); 00555 00556 if (res) { 00557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 00558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00559 TLS_ALERT_INTERNAL_ERROR); 00560 return -1; 00561 } 00562 00563 return 0; 00564 } 00565 00566 00567 static int tls_process_client_key_exchange_dh_anon( 00568 struct tlsv1_server *conn, const u8 *pos, const u8 *end) 00569 { 00570 const u8 *dh_yc; 00571 u16 dh_yc_len; 00572 u8 *shared; 00573 size_t shared_len; 00574 int res; 00575 00576 /* 00577 * struct { 00578 * select (PublicValueEncoding) { 00579 * case implicit: struct { }; 00580 * case explicit: opaque dh_Yc<1..2^16-1>; 00581 * } dh_public; 00582 * } ClientDiffieHellmanPublic; 00583 */ 00584 00585 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic", 00586 pos, end - pos); 00587 00588 if (end == pos) { 00589 wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding " 00590 "not supported"); 00591 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00592 TLS_ALERT_INTERNAL_ERROR); 00593 return -1; 00594 } 00595 00596 if (end - pos < 3) { 00597 wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value " 00598 "length"); 00599 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00600 TLS_ALERT_DECODE_ERROR); 00601 return -1; 00602 } 00603 00604 dh_yc_len = WPA_GET_BE16(pos); 00605 dh_yc = pos + 2; 00606 00607 if (dh_yc + dh_yc_len > end) { 00608 wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow " 00609 "(length %d)", dh_yc_len); 00610 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00611 TLS_ALERT_DECODE_ERROR); 00612 return -1; 00613 } 00614 00615 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 00616 dh_yc, dh_yc_len); 00617 00618 if (conn->cred == NULL || conn->cred->dh_p == NULL || 00619 conn->dh_secret == NULL) { 00620 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available"); 00621 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00622 TLS_ALERT_INTERNAL_ERROR); 00623 return -1; 00624 } 00625 00626 shared_len = conn->cred->dh_p_len; 00627 shared = os_malloc(shared_len); 00628 if (shared == NULL) { 00629 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 00630 "DH"); 00631 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00632 TLS_ALERT_INTERNAL_ERROR); 00633 return -1; 00634 } 00635 00636 /* shared = Yc^secret mod p */ 00637 if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret, 00638 conn->dh_secret_len, 00639 conn->cred->dh_p, conn->cred->dh_p_len, 00640 shared, &shared_len)) { 00641 os_free(shared); 00642 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00643 TLS_ALERT_INTERNAL_ERROR); 00644 return -1; 00645 } 00646 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 00647 shared, shared_len); 00648 00649 os_memset(conn->dh_secret, 0, conn->dh_secret_len); 00650 os_free(conn->dh_secret); 00651 conn->dh_secret = NULL; 00652 00653 res = tlsv1_server_derive_keys(conn, shared, shared_len); 00654 00655 /* Clear the pre-master secret since it is not needed anymore */ 00656 os_memset(shared, 0, shared_len); 00657 os_free(shared); 00658 00659 if (res) { 00660 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 00661 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00662 TLS_ALERT_INTERNAL_ERROR); 00663 return -1; 00664 } 00665 00666 return 0; 00667 } 00668 00669 00670 static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct, 00671 const u8 *in_data, size_t *in_len) 00672 { 00673 const u8 *pos, *end; 00674 size_t left, len; 00675 u8 type; 00676 tls_key_exchange keyx; 00677 const struct tls_cipher_suite *suite; 00678 00679 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 00680 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 00681 "received content type 0x%x", ct); 00682 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00683 TLS_ALERT_UNEXPECTED_MESSAGE); 00684 return -1; 00685 } 00686 00687 pos = in_data; 00688 left = *in_len; 00689 00690 if (left < 4) { 00691 wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange " 00692 "(Left=%lu)", (unsigned long) left); 00693 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00694 TLS_ALERT_DECODE_ERROR); 00695 return -1; 00696 } 00697 00698 type = *pos++; 00699 len = WPA_GET_BE24(pos); 00700 pos += 3; 00701 left -= 4; 00702 00703 if (len > left) { 00704 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange " 00705 "length (len=%lu != left=%lu)", 00706 (unsigned long) len, (unsigned long) left); 00707 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00708 TLS_ALERT_DECODE_ERROR); 00709 return -1; 00710 } 00711 00712 end = pos + len; 00713 00714 if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) { 00715 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 00716 "message %d (expected ClientKeyExchange)", type); 00717 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00718 TLS_ALERT_UNEXPECTED_MESSAGE); 00719 return -1; 00720 } 00721 00722 wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange"); 00723 00724 wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len); 00725 00726 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 00727 if (suite == NULL) 00728 keyx = TLS_KEY_X_NULL; 00729 else 00730 keyx = suite->key_exchange; 00731 00732 if (keyx == TLS_KEY_X_DH_anon && 00733 tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0) 00734 return -1; 00735 00736 if (keyx != TLS_KEY_X_DH_anon && 00737 tls_process_client_key_exchange_rsa(conn, pos, end) < 0) 00738 return -1; 00739 00740 *in_len = end - in_data; 00741 00742 conn->state = CERTIFICATE_VERIFY; 00743 00744 return 0; 00745 } 00746 00747 00748 static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct, 00749 const u8 *in_data, size_t *in_len) 00750 { 00751 const u8 *pos, *end; 00752 size_t left, len; 00753 u8 type; 00754 size_t hlen, buflen; 00755 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf; 00756 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 00757 u16 slen; 00758 00759 if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 00760 if (conn->verify_peer) { 00761 wpa_printf(MSG_DEBUG, "TLSv1: Client did not include " 00762 "CertificateVerify"); 00763 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00764 TLS_ALERT_UNEXPECTED_MESSAGE); 00765 return -1; 00766 } 00767 00768 return tls_process_change_cipher_spec(conn, ct, in_data, 00769 in_len); 00770 } 00771 00772 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 00773 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 00774 "received content type 0x%x", ct); 00775 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00776 TLS_ALERT_UNEXPECTED_MESSAGE); 00777 return -1; 00778 } 00779 00780 pos = in_data; 00781 left = *in_len; 00782 00783 if (left < 4) { 00784 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify " 00785 "message (len=%lu)", (unsigned long) left); 00786 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00787 TLS_ALERT_DECODE_ERROR); 00788 return -1; 00789 } 00790 00791 type = *pos++; 00792 len = WPA_GET_BE24(pos); 00793 pos += 3; 00794 left -= 4; 00795 00796 if (len > left) { 00797 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify " 00798 "message length (len=%lu != left=%lu)", 00799 (unsigned long) len, (unsigned long) left); 00800 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00801 TLS_ALERT_DECODE_ERROR); 00802 return -1; 00803 } 00804 00805 end = pos + len; 00806 00807 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { 00808 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 00809 "message %d (expected CertificateVerify)", type); 00810 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00811 TLS_ALERT_UNEXPECTED_MESSAGE); 00812 return -1; 00813 } 00814 00815 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify"); 00816 00817 /* 00818 * struct { 00819 * Signature signature; 00820 * } CertificateVerify; 00821 */ 00822 00823 hpos = hash; 00824 00825 if (alg == SIGN_ALG_RSA) { 00826 hlen = MD5_MAC_LEN; 00827 if (conn->verify.md5_cert == NULL || 00828 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 00829 { 00830 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00831 TLS_ALERT_INTERNAL_ERROR); 00832 conn->verify.md5_cert = NULL; 00833 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 00834 conn->verify.sha1_cert = NULL; 00835 return -1; 00836 } 00837 hpos += MD5_MAC_LEN; 00838 } else 00839 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 00840 00841 conn->verify.md5_cert = NULL; 00842 hlen = SHA1_MAC_LEN; 00843 if (conn->verify.sha1_cert == NULL || 00844 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 00845 conn->verify.sha1_cert = NULL; 00846 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00847 TLS_ALERT_INTERNAL_ERROR); 00848 return -1; 00849 } 00850 conn->verify.sha1_cert = NULL; 00851 00852 if (alg == SIGN_ALG_RSA) 00853 hlen += MD5_MAC_LEN; 00854 00855 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 00856 00857 if (end - pos < 2) { 00858 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00859 TLS_ALERT_DECODE_ERROR); 00860 return -1; 00861 } 00862 slen = WPA_GET_BE16(pos); 00863 pos += 2; 00864 if (end - pos < slen) { 00865 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00866 TLS_ALERT_DECODE_ERROR); 00867 return -1; 00868 } 00869 00870 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 00871 if (conn->client_rsa_key == NULL) { 00872 wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify " 00873 "signature"); 00874 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00875 TLS_ALERT_INTERNAL_ERROR); 00876 return -1; 00877 } 00878 00879 buflen = end - pos; 00880 buf = os_malloc(end - pos); 00881 if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key, 00882 pos, end - pos, buf, &buflen) < 0) 00883 { 00884 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 00885 os_free(buf); 00886 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00887 TLS_ALERT_DECRYPT_ERROR); 00888 return -1; 00889 } 00890 00891 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 00892 buf, buflen); 00893 00894 if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) { 00895 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in " 00896 "CertificateVerify - did not match with calculated " 00897 "hash"); 00898 os_free(buf); 00899 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00900 TLS_ALERT_DECRYPT_ERROR); 00901 return -1; 00902 } 00903 00904 os_free(buf); 00905 00906 *in_len = end - in_data; 00907 00908 conn->state = CHANGE_CIPHER_SPEC; 00909 00910 return 0; 00911 } 00912 00913 00914 static int tls_process_change_cipher_spec(struct tlsv1_server *conn, 00915 u8 ct, const u8 *in_data, 00916 size_t *in_len) 00917 { 00918 const u8 *pos; 00919 size_t left; 00920 00921 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 00922 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 00923 "received content type 0x%x", ct); 00924 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00925 TLS_ALERT_UNEXPECTED_MESSAGE); 00926 return -1; 00927 } 00928 00929 pos = in_data; 00930 left = *in_len; 00931 00932 if (left < 1) { 00933 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 00934 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00935 TLS_ALERT_DECODE_ERROR); 00936 return -1; 00937 } 00938 00939 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 00940 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 00941 "received data 0x%x", *pos); 00942 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00943 TLS_ALERT_UNEXPECTED_MESSAGE); 00944 return -1; 00945 } 00946 00947 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 00948 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 00949 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 00950 "for record layer"); 00951 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00952 TLS_ALERT_INTERNAL_ERROR); 00953 return -1; 00954 } 00955 00956 *in_len = pos + 1 - in_data; 00957 00958 conn->state = CLIENT_FINISHED; 00959 00960 return 0; 00961 } 00962 00963 00964 static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct, 00965 const u8 *in_data, size_t *in_len) 00966 { 00967 const u8 *pos, *end; 00968 size_t left, len, hlen; 00969 u8 verify_data[TLS_VERIFY_DATA_LEN]; 00970 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 00971 00972 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 00973 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 00974 "received content type 0x%x", ct); 00975 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00976 TLS_ALERT_UNEXPECTED_MESSAGE); 00977 return -1; 00978 } 00979 00980 pos = in_data; 00981 left = *in_len; 00982 00983 if (left < 4) { 00984 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 00985 "Finished", 00986 (unsigned long) left); 00987 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00988 TLS_ALERT_DECODE_ERROR); 00989 return -1; 00990 } 00991 00992 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 00993 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 00994 "type 0x%x", pos[0]); 00995 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 00996 TLS_ALERT_UNEXPECTED_MESSAGE); 00997 return -1; 00998 } 00999 01000 len = WPA_GET_BE24(pos + 1); 01001 01002 pos += 4; 01003 left -= 4; 01004 01005 if (len > left) { 01006 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 01007 "(len=%lu > left=%lu)", 01008 (unsigned long) len, (unsigned long) left); 01009 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 01010 TLS_ALERT_DECODE_ERROR); 01011 return -1; 01012 } 01013 end = pos + len; 01014 if (len != TLS_VERIFY_DATA_LEN) { 01015 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 01016 "in Finished: %lu (expected %d)", 01017 (unsigned long) len, TLS_VERIFY_DATA_LEN); 01018 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 01019 TLS_ALERT_DECODE_ERROR); 01020 return -1; 01021 } 01022 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 01023 pos, TLS_VERIFY_DATA_LEN); 01024 01025 hlen = MD5_MAC_LEN; 01026 if (conn->verify.md5_client == NULL || 01027 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 01028 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 01029 TLS_ALERT_INTERNAL_ERROR); 01030 conn->verify.md5_client = NULL; 01031 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 01032 conn->verify.sha1_client = NULL; 01033 return -1; 01034 } 01035 conn->verify.md5_client = NULL; 01036 hlen = SHA1_MAC_LEN; 01037 if (conn->verify.sha1_client == NULL || 01038 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 01039 &hlen) < 0) { 01040 conn->verify.sha1_client = NULL; 01041 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 01042 TLS_ALERT_INTERNAL_ERROR); 01043 return -1; 01044 } 01045 conn->verify.sha1_client = NULL; 01046 01047 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 01048 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 01049 verify_data, TLS_VERIFY_DATA_LEN)) { 01050 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 01051 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 01052 TLS_ALERT_DECRYPT_ERROR); 01053 return -1; 01054 } 01055 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 01056 verify_data, TLS_VERIFY_DATA_LEN); 01057 01058 if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 01059 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 01060 return -1; 01061 } 01062 01063 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 01064 01065 *in_len = end - in_data; 01066 01067 if (conn->use_session_ticket) { 01068 /* Abbreviated handshake using session ticket; RFC 4507 */ 01069 wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed " 01070 "successfully"); 01071 conn->state = ESTABLISHED; 01072 } else { 01073 /* Full handshake */ 01074 conn->state = SERVER_CHANGE_CIPHER_SPEC; 01075 } 01076 01077 return 0; 01078 } 01079 01080 01081 int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct, 01082 const u8 *buf, size_t *len) 01083 { 01084 if (ct == TLS_CONTENT_TYPE_ALERT) { 01085 if (*len < 2) { 01086 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 01087 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 01088 TLS_ALERT_DECODE_ERROR); 01089 return -1; 01090 } 01091 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 01092 buf[0], buf[1]); 01093 *len = 2; 01094 conn->state = FAILED; 01095 return -1; 01096 } 01097 01098 switch (conn->state) { 01099 case CLIENT_HELLO: 01100 if (tls_process_client_hello(conn, ct, buf, len)) 01101 return -1; 01102 break; 01103 case CLIENT_CERTIFICATE: 01104 if (tls_process_certificate(conn, ct, buf, len)) 01105 return -1; 01106 break; 01107 case CLIENT_KEY_EXCHANGE: 01108 if (tls_process_client_key_exchange(conn, ct, buf, len)) 01109 return -1; 01110 break; 01111 case CERTIFICATE_VERIFY: 01112 if (tls_process_certificate_verify(conn, ct, buf, len)) 01113 return -1; 01114 break; 01115 case CHANGE_CIPHER_SPEC: 01116 if (tls_process_change_cipher_spec(conn, ct, buf, len)) 01117 return -1; 01118 break; 01119 case CLIENT_FINISHED: 01120 if (tls_process_client_finished(conn, ct, buf, len)) 01121 return -1; 01122 break; 01123 default: 01124 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 01125 "while processing received message", 01126 conn->state); 01127 return -1; 01128 } 01129 01130 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 01131 tls_verify_hash_add(&conn->verify, buf, *len); 01132 01133 return 0; 01134 }