2 * TLS v1.0 (RFC 2246) and v1.1 (RFC 4346) Record Protocol
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "tlsv1_common.h"
21 #include "tlsv1_record.h"
25 * tlsv1_record_set_cipher_suite - TLS record layer: Set cipher suite
26 * @rl: Pointer to TLS record layer data
27 * @cipher_suite: New cipher suite
28 * Returns: 0 on success, -1 on failure
30 * This function is used to prepare TLS record layer for cipher suite change.
31 * tlsv1_record_change_write_cipher() and
32 * tlsv1_record_change_read_cipher() functions can then be used to change the
33 * currently used ciphers.
35 int tlsv1_record_set_cipher_suite(struct tlsv1_record_layer *rl,
38 const struct tls_cipher_suite *suite;
39 const struct tls_cipher_data *data;
41 wpa_printf(MSG_DEBUG, "TLSv1: Selected cipher suite: 0x%04x",
43 rl->cipher_suite = cipher_suite;
45 suite = tls_get_cipher_suite(cipher_suite);
49 if (suite->hash == TLS_HASH_MD5) {
50 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_MD5;
51 rl->hash_size = MD5_MAC_LEN;
52 } else if (suite->hash == TLS_HASH_SHA) {
53 rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA1;
54 rl->hash_size = SHA1_MAC_LEN;
57 data = tls_get_cipher_data(suite->cipher);
61 rl->key_material_len = data->key_material;
62 rl->iv_size = data->block_size;
63 rl->cipher_alg = data->alg;
70 * tlsv1_record_change_write_cipher - TLS record layer: Change write cipher
71 * @rl: Pointer to TLS record layer data
72 * Returns: 0 on success (cipher changed), -1 on failure
74 * This function changes TLS record layer to use the new cipher suite
75 * configured with tlsv1_record_set_cipher_suite() for writing.
77 int tlsv1_record_change_write_cipher(struct tlsv1_record_layer *rl)
79 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New write cipher suite "
80 "0x%04x", rl->cipher_suite);
81 rl->write_cipher_suite = rl->cipher_suite;
82 os_memset(rl->write_seq_num, 0, TLS_SEQ_NUM_LEN);
85 crypto_cipher_deinit(rl->write_cbc);
88 if (rl->cipher_alg != CRYPTO_CIPHER_NULL) {
89 rl->write_cbc = crypto_cipher_init(rl->cipher_alg,
90 rl->write_iv, rl->write_key,
91 rl->key_material_len);
92 if (rl->write_cbc == NULL) {
93 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize "
104 * tlsv1_record_change_read_cipher - TLS record layer: Change read cipher
105 * @rl: Pointer to TLS record layer data
106 * Returns: 0 on success (cipher changed), -1 on failure
108 * This function changes TLS record layer to use the new cipher suite
109 * configured with tlsv1_record_set_cipher_suite() for reading.
111 int tlsv1_record_change_read_cipher(struct tlsv1_record_layer *rl)
113 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New read cipher suite "
114 "0x%04x", rl->cipher_suite);
115 rl->read_cipher_suite = rl->cipher_suite;
116 os_memset(rl->read_seq_num, 0, TLS_SEQ_NUM_LEN);
119 crypto_cipher_deinit(rl->read_cbc);
122 if (rl->cipher_alg != CRYPTO_CIPHER_NULL) {
123 rl->read_cbc = crypto_cipher_init(rl->cipher_alg,
124 rl->read_iv, rl->read_key,
125 rl->key_material_len);
126 if (rl->read_cbc == NULL) {
127 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize "
138 * tlsv1_record_send - TLS record layer: Send a message
139 * @rl: Pointer to TLS record layer data
140 * @content_type: Content type (TLS_CONTENT_TYPE_*)
141 * @buf: Buffer for the generated TLS message (needs to have extra space for
142 * header, IV (TLS v1.1), and HMAC)
143 * @buf_size: Maximum buf size
144 * @payload: Payload to be sent
145 * @payload_len: Length of the payload
146 * @out_len: Buffer for returning the used buf length
147 * Returns: 0 on success, -1 on failure
149 * This function fills in the TLS record layer header, adds HMAC, and encrypts
150 * the data using the current write cipher.
152 int tlsv1_record_send(struct tlsv1_record_layer *rl, u8 content_type, u8 *buf,
153 size_t buf_size, const u8 *payload, size_t payload_len,
156 u8 *pos, *ct_start, *length, *cpayload;
157 struct crypto_hash *hmac;
162 if (pos + TLS_RECORD_HEADER_LEN > buf + buf_size)
165 /* ContentType type */
167 *pos++ = content_type;
168 /* ProtocolVersion version */
169 WPA_PUT_BE16(pos, rl->tls_version);
173 WPA_PUT_BE16(length, payload_len);
177 explicit_iv = rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL &&
178 rl->iv_size && rl->tls_version >= TLS_VERSION_1_1;
180 /* opaque IV[Cipherspec.block_length] */
181 if (pos + rl->iv_size > buf + buf_size)
185 * Use random number R per the RFC 4346, 6.2.3.2 CBC Block
189 if (os_get_random(pos, rl->iv_size))
195 * opaque fragment[TLSPlaintext.length]
196 * (opaque content[TLSCompressed.length] in GenericBlockCipher)
198 if (pos + payload_len > buf + buf_size)
200 os_memmove(pos, payload, payload_len);
203 if (rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL) {
205 * MAC calculated over seq_num + TLSCompressed.type +
206 * TLSCompressed.version + TLSCompressed.length +
207 * TLSCompressed.fragment
209 hmac = crypto_hash_init(rl->hash_alg, rl->write_mac_secret,
212 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
213 "to initialize HMAC");
216 crypto_hash_update(hmac, rl->write_seq_num, TLS_SEQ_NUM_LEN);
217 /* type + version + length + fragment */
218 crypto_hash_update(hmac, ct_start, TLS_RECORD_HEADER_LEN);
219 crypto_hash_update(hmac, payload, payload_len);
220 clen = buf + buf_size - pos;
221 if (clen < rl->hash_size) {
222 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Not "
223 "enough room for MAC");
224 crypto_hash_finish(hmac, NULL, NULL);
228 if (crypto_hash_finish(hmac, pos, &clen) < 0) {
229 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
230 "to calculate HMAC");
233 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Write HMAC",
237 size_t len = pos - cpayload;
239 pad = (len + 1) % rl->iv_size;
241 pad = rl->iv_size - pad;
242 if (pos + pad + 1 > buf + buf_size) {
243 wpa_printf(MSG_DEBUG, "TLSv1: No room for "
244 "block cipher padding");
247 os_memset(pos, pad, pad + 1);
251 if (crypto_cipher_encrypt(rl->write_cbc, cpayload,
252 cpayload, pos - cpayload) < 0)
256 WPA_PUT_BE16(length, pos - length - 2);
257 inc_byte_array(rl->write_seq_num, TLS_SEQ_NUM_LEN);
259 *out_len = pos - buf;
266 * tlsv1_record_receive - TLS record layer: Process a received message
267 * @rl: Pointer to TLS record layer data
268 * @in_data: Received data
269 * @in_len: Length of the received data
270 * @out_data: Buffer for output data (must be at least as long as in_data)
271 * @out_len: Set to maximum out_data length by caller; used to return the
272 * length of the used data
273 * @alert: Buffer for returning an alert value on failure
274 * Returns: Number of bytes used from in_data on success, 0 if record was not
275 * complete (more data needed), or -1 on failure
277 * This function decrypts the received message, verifies HMAC and TLS record
280 int tlsv1_record_receive(struct tlsv1_record_layer *rl,
281 const u8 *in_data, size_t in_len,
282 u8 *out_data, size_t *out_len, u8 *alert)
284 size_t i, rlen, hlen;
286 struct crypto_hash *hmac;
287 u8 len[2], hash[100];
288 int force_mac_error = 0;
291 if (in_len < TLS_RECORD_HEADER_LEN) {
292 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (in_len=%lu) - "
294 (unsigned long) in_len);
295 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received",
301 rlen = WPA_GET_BE16(in_data + 3);
302 wpa_printf(MSG_DEBUG, "TLSv1: Received content type %d version %d.%d "
303 "length %d", ct, in_data[1], in_data[2], (int) rlen);
306 * TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the
307 * protocol version in record layer. As such, accept any {03,xx} value
308 * to remain compatible with existing implementations.
310 if (in_data[1] != 0x03) {
311 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version "
312 "%u.%u", in_data[1], in_data[2]);
313 *alert = TLS_ALERT_PROTOCOL_VERSION;
317 /* TLSCiphertext must not be more than 2^14+2048 bytes */
318 if (TLS_RECORD_HEADER_LEN + rlen > 18432) {
319 wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)",
320 (unsigned long) (TLS_RECORD_HEADER_LEN + rlen));
321 *alert = TLS_ALERT_RECORD_OVERFLOW;
325 in_data += TLS_RECORD_HEADER_LEN;
326 in_len -= TLS_RECORD_HEADER_LEN;
329 wpa_printf(MSG_DEBUG, "TLSv1: Not all record data included "
330 "(rlen=%lu > in_len=%lu)",
331 (unsigned long) rlen, (unsigned long) in_len);
335 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received",
338 if (ct != TLS_CONTENT_TYPE_HANDSHAKE &&
339 ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC &&
340 ct != TLS_CONTENT_TYPE_ALERT &&
341 ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
342 wpa_printf(MSG_DEBUG, "TLSv1: Ignore record with unknown "
343 "content type 0x%x", ct);
344 *alert = TLS_ALERT_UNEXPECTED_MESSAGE;
350 if (*out_len < in_len) {
351 wpa_printf(MSG_DEBUG, "TLSv1: Not enough output buffer for "
352 "processing received record");
353 *alert = TLS_ALERT_INTERNAL_ERROR;
357 if (rl->read_cipher_suite != TLS_NULL_WITH_NULL_NULL) {
359 if (crypto_cipher_decrypt(rl->read_cbc, in_data,
360 out_data, in_len) < 0) {
361 *alert = TLS_ALERT_DECRYPTION_FAILED;
365 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Record Layer - Decrypted "
366 "data", out_data, plen);
370 * TLS v1.0 defines different alert values for various
371 * failures. That may information to aid in attacks, so
372 * use the same bad_record_mac alert regardless of the
375 * In addition, instead of returning immediately on
376 * error, run through the MAC check to make timing
377 * attacks more difficult.
380 if (rl->tls_version >= TLS_VERSION_1_1) {
381 /* Remove opaque IV[Cipherspec.block_length] */
382 if (plen < rl->iv_size) {
383 wpa_printf(MSG_DEBUG, "TLSv1.1: Not "
384 "enough room for IV");
388 os_memmove(out_data, out_data + rl->iv_size,
393 /* Verify and remove padding */
395 wpa_printf(MSG_DEBUG, "TLSv1: Too short record"
400 padlen = out_data[plen - 1];
401 if (padlen >= plen) {
402 wpa_printf(MSG_DEBUG, "TLSv1: Incorrect pad "
403 "length (%u, plen=%lu) in "
405 padlen, (unsigned long) plen);
409 for (i = plen - padlen - 1; i < plen - 1; i++) {
410 if (out_data[i] != padlen) {
411 wpa_hexdump(MSG_DEBUG,
412 "TLSv1: Invalid pad in "
414 out_data + plen - padlen -
423 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Record Layer - "
424 "Decrypted data with IV and padding "
425 "removed", out_data, plen);
429 if (plen < rl->hash_size) {
430 wpa_printf(MSG_DEBUG, "TLSv1: Too short record; no "
432 *alert = TLS_ALERT_BAD_RECORD_MAC;
436 plen -= rl->hash_size;
438 hmac = crypto_hash_init(rl->hash_alg, rl->read_mac_secret,
441 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
442 "to initialize HMAC");
443 *alert = TLS_ALERT_INTERNAL_ERROR;
447 crypto_hash_update(hmac, rl->read_seq_num, TLS_SEQ_NUM_LEN);
448 /* type + version + length + fragment */
449 crypto_hash_update(hmac, in_data - TLS_RECORD_HEADER_LEN, 3);
450 WPA_PUT_BE16(len, plen);
451 crypto_hash_update(hmac, len, 2);
452 crypto_hash_update(hmac, out_data, plen);
454 if (crypto_hash_finish(hmac, hash, &hlen) < 0) {
455 wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
456 "to calculate HMAC");
457 *alert = TLS_ALERT_INTERNAL_ERROR;
460 if (hlen != rl->hash_size ||
461 os_memcmp(hash, out_data + plen, hlen) != 0 ||
463 wpa_printf(MSG_DEBUG, "TLSv1: Invalid HMAC value in "
464 "received message (force_mac_error=%d)",
466 *alert = TLS_ALERT_BAD_RECORD_MAC;
472 os_memcpy(out_data, in_data, in_len);
476 /* TLSCompressed must not be more than 2^14+1024 bytes */
477 if (TLS_RECORD_HEADER_LEN + *out_len > 17408) {
478 wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)",
479 (unsigned long) (TLS_RECORD_HEADER_LEN + *out_len));
480 *alert = TLS_ALERT_RECORD_OVERFLOW;
484 inc_byte_array(rl->read_seq_num, TLS_SEQ_NUM_LEN);
486 return TLS_RECORD_HEADER_LEN + rlen;