1 /*
2 * TLSv1 client - write handshake message
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/random.h"
16 #include "tls/tls.h"
17 #include "tls/x509v3.h"
18 #include "tls/tlsv1_common.h"
19 #include "tls/tlsv1_record.h"
20 #include "tls/tlsv1_client.h"
21 #include "tls/tlsv1_client_i.h"
22
23 #include "eap_peer/eap_i.h"
24
tls_client_cert_chain_der_len(struct tlsv1_client * conn)25 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
26 {
27 size_t len = 0;
28 struct x509_certificate *cert;
29
30 if (conn->cred == NULL)
31 return 0;
32
33 cert = conn->cred->cert;
34 while (cert) {
35 len += 3 + cert->cert_len;
36 if (x509_certificate_self_signed(cert))
37 break;
38 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
39 &cert->issuer);
40 }
41
42 return len;
43 }
44
45
tls_send_client_hello(struct tlsv1_client * conn,size_t * out_len)46 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
47 {
48 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
49 struct os_time now;
50 size_t len, i;
51 u8 *ext_start;
52
53 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello");
54 *out_len = 0;
55
56 os_get_time(&now);
57 WPA_PUT_BE32(conn->client_random, now.sec);
58 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
59 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
60 "client_random");
61 return NULL;
62 }
63 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
64 conn->client_random, TLS_RANDOM_LEN);
65
66 len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
67 hello = os_malloc(len);
68 if (hello == NULL)
69 return NULL;
70 end = hello + len;
71
72 rhdr = hello;
73 pos = rhdr + TLS_RECORD_HEADER_LEN;
74
75 /* opaque fragment[TLSPlaintext.length] */
76
77 /* Handshake */
78 hs_start = pos;
79 /* HandshakeType msg_type */
80 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
81 /* uint24 length (to be filled) */
82 hs_length = pos;
83 pos += 3;
84 /* body - ClientHello */
85 /* ProtocolVersion client_version */
86 WPA_PUT_BE16(pos, TLS_VERSION);
87 pos += 2;
88 /* Random random: uint32 gmt_unix_time, opaque random_bytes */
89 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
90 pos += TLS_RANDOM_LEN;
91 /* SessionID session_id */
92 *pos++ = conn->session_id_len;
93 os_memcpy(pos, conn->session_id, conn->session_id_len);
94 pos += conn->session_id_len;
95 /* CipherSuite cipher_suites<2..2^16-1> */
96 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
97 pos += 2;
98 for (i = 0; i < conn->num_cipher_suites; i++) {
99 WPA_PUT_BE16(pos, conn->cipher_suites[i]);
100 pos += 2;
101 }
102 /* CompressionMethod compression_methods<1..2^8-1> */
103 *pos++ = 1;
104 *pos++ = TLS_COMPRESSION_NULL;
105
106 /* Extension */
107 ext_start = pos;
108 pos += 2;
109
110 #ifdef CONFIG_TLSV12
111 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
112 /*
113 * Add signature_algorithms extension since we support only
114 * SHA256 (and not the default SHA1) with TLSv1.2.
115 */
116 /* ExtensionsType extension_type = signature_algorithms(13) */
117 WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
118 pos += 2;
119 /* opaque extension_data<0..2^16-1> length */
120 WPA_PUT_BE16(pos, 4);
121 pos += 2;
122 /* supported_signature_algorithms<2..2^16-2> length */
123 WPA_PUT_BE16(pos, 2);
124 pos += 2;
125 /* supported_signature_algorithms */
126 *pos++ = TLS_HASH_ALG_SHA256;
127 *pos++ = TLS_SIGN_ALG_RSA;
128 }
129 #endif /* CONFIG_TLSV12 */
130
131 if (conn->client_hello_ext) {
132 os_memcpy(pos, conn->client_hello_ext,
133 conn->client_hello_ext_len);
134 pos += conn->client_hello_ext_len;
135 }
136
137 if (pos == ext_start + 2)
138 pos -= 2; /* no extensions */
139 else
140 WPA_PUT_BE16(ext_start, pos - ext_start - 2);
141
142 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
143 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
144
145 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
146 rhdr, end - rhdr, hs_start, pos - hs_start,
147 out_len) < 0) {
148 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 TLS_ALERT_INTERNAL_ERROR);
151 os_free(hello);
152 return NULL;
153 }
154
155 conn->state = SERVER_HELLO;
156
157 return hello;
158 }
159
160
tls_write_client_certificate(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)161 static int tls_write_client_certificate(struct tlsv1_client *conn,
162 u8 **msgpos, u8 *end)
163 {
164 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
165 size_t rlen;
166 struct x509_certificate *cert;
167
168 pos = *msgpos;
169
170 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
171 rhdr = pos;
172 pos += TLS_RECORD_HEADER_LEN;
173
174 /* opaque fragment[TLSPlaintext.length] */
175
176 /* Handshake */
177 hs_start = pos;
178 /* HandshakeType msg_type */
179 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
180 /* uint24 length (to be filled) */
181 hs_length = pos;
182 pos += 3;
183 /* body - Certificate */
184 /* uint24 length (to be filled) */
185 cert_start = pos;
186 pos += 3;
187 cert = conn->cred ? conn->cred->cert : NULL;
188 while (cert) {
189 if (pos + 3 + cert->cert_len > end) {
190 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
191 "for Certificate (cert_len=%lu left=%lu)",
192 (unsigned long) cert->cert_len,
193 (unsigned long) (end - pos));
194 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
195 TLS_ALERT_INTERNAL_ERROR);
196 return -1;
197 }
198 WPA_PUT_BE24(pos, cert->cert_len);
199 pos += 3;
200 os_memcpy(pos, cert->cert_start, cert->cert_len);
201 pos += cert->cert_len;
202
203 if (x509_certificate_self_signed(cert))
204 break;
205 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
206 &cert->issuer);
207 }
208 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
209 /*
210 * Client was not configured with all the needed certificates
211 * to form a full certificate chain. The server may fail to
212 * validate the chain unless it is configured with all the
213 * missing CA certificates.
214 */
215 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
216 "not configured - validation may fail");
217 }
218 WPA_PUT_BE24(cert_start, pos - cert_start - 3);
219
220 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
221
222 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
223 rhdr, end - rhdr, hs_start, pos - hs_start,
224 &rlen) < 0) {
225 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 TLS_ALERT_INTERNAL_ERROR);
228 return -1;
229 }
230 pos = rhdr + rlen;
231
232 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
233
234 *msgpos = pos;
235
236 return 0;
237 }
238
239
tlsv1_key_x_anon_dh(struct tlsv1_client * conn,u8 ** pos,u8 * end)240 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
241 {
242 /* ClientDiffieHellmanPublic */
243 u8 *csecret, *csecret_start, *dh_yc, *shared;
244 size_t csecret_len, dh_yc_len, shared_len;
245
246 csecret_len = conn->dh_p_len;
247 csecret = os_malloc(csecret_len);
248 if (csecret == NULL) {
249 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
250 "memory for Yc (Diffie-Hellman)");
251 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
252 TLS_ALERT_INTERNAL_ERROR);
253 return -1;
254 }
255 if (random_get_bytes(csecret, csecret_len)) {
256 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
257 "data for Diffie-Hellman");
258 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
259 TLS_ALERT_INTERNAL_ERROR);
260 os_free(csecret);
261 return -1;
262 }
263
264 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
265 csecret[0] = 0; /* make sure Yc < p */
266
267 csecret_start = csecret;
268 while (csecret_len > 1 && *csecret_start == 0) {
269 csecret_start++;
270 csecret_len--;
271 }
272 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
273 csecret_start, csecret_len);
274
275 /* Yc = g^csecret mod p */
276 dh_yc_len = conn->dh_p_len;
277 dh_yc = os_malloc(dh_yc_len);
278 if (dh_yc == NULL) {
279 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
280 "memory for Diffie-Hellman");
281 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
282 TLS_ALERT_INTERNAL_ERROR);
283 os_free(csecret);
284 return -1;
285 }
286 if(crypto_mod_exp(conn->dh_g, conn->dh_g_len,
287 csecret_start, csecret_len,
288 conn->dh_p, conn->dh_p_len,
289 dh_yc, &dh_yc_len)) {
290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 TLS_ALERT_INTERNAL_ERROR);
292 os_free(csecret);
293 os_free(dh_yc);
294 return -1;
295 }
296
297 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
298 dh_yc, dh_yc_len);
299
300 WPA_PUT_BE16(*pos, dh_yc_len);
301 *pos += 2;
302 if (*pos + dh_yc_len > end) {
303 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
304 "message buffer for Yc");
305 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
306 TLS_ALERT_INTERNAL_ERROR);
307 os_free(csecret);
308 os_free(dh_yc);
309 return -1;
310 }
311 os_memcpy(*pos, dh_yc, dh_yc_len);
312 *pos += dh_yc_len;
313 os_free(dh_yc);
314
315 shared_len = conn->dh_p_len;
316 shared = os_malloc(shared_len);
317 if (shared == NULL) {
318 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
319 "DH");
320 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
321 TLS_ALERT_INTERNAL_ERROR);
322 os_free(csecret);
323 return -1;
324 }
325
326 /* shared = Ys^csecret mod p */
327 if(crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
328 csecret_start, csecret_len,
329 conn->dh_p, conn->dh_p_len,
330 shared, &shared_len)) {
331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
332 TLS_ALERT_INTERNAL_ERROR);
333 os_free(csecret);
334 os_free(shared);
335 return -1;
336 }
337 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
338 shared, shared_len);
339
340 os_memset(csecret_start, 0, csecret_len);
341 os_free(csecret);
342 if (tls_derive_keys(conn, shared, shared_len)) {
343 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
344 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
345 TLS_ALERT_INTERNAL_ERROR);
346 os_free(shared);
347 return -1;
348 }
349 os_memset(shared, 0, shared_len);
350 os_free(shared);
351 tlsv1_client_free_dh(conn);
352 return 0;
353 }
354
355
tlsv1_key_x_rsa(struct tlsv1_client * conn,u8 ** pos,u8 * end)356 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
357 {
358 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
359 size_t clen;
360 int res;
361
362 if (tls_derive_pre_master_secret(pre_master_secret) < 0 ||
363 tls_derive_keys(conn, pre_master_secret,
364 TLS_PRE_MASTER_SECRET_LEN)) {
365 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
366 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 TLS_ALERT_INTERNAL_ERROR);
368 return -1;
369 }
370
371 /* EncryptedPreMasterSecret */
372 if (conn->server_rsa_key == NULL) {
373 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
374 "use for encrypting pre-master secret");
375 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
376 TLS_ALERT_INTERNAL_ERROR);
377 return -1;
378 }
379
380 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
381 *pos += 2;
382 clen = end - *pos;
383 res = crypto_public_key_encrypt_pkcs1_v15(
384 conn->server_rsa_key,
385 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
386 *pos, &clen);
387 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
388 if (res < 0) {
389 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
390 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
391 TLS_ALERT_INTERNAL_ERROR);
392 return -1;
393 }
394 WPA_PUT_BE16(*pos - 2, clen);
395 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
396 *pos, clen);
397 *pos += clen;
398
399 return 0;
400 }
401
402
tls_write_client_key_exchange(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)403 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
404 u8 **msgpos, u8 *end)
405 {
406 u8 *pos, *rhdr, *hs_start, *hs_length;
407 size_t rlen;
408 tls_key_exchange keyx;
409 const struct tls_cipher_suite *suite;
410
411 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
412 if (suite == NULL)
413 keyx = TLS_KEY_X_NULL;
414 else
415 keyx = suite->key_exchange;
416
417 pos = *msgpos;
418
419 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
420
421 rhdr = pos;
422 pos += TLS_RECORD_HEADER_LEN;
423
424 /* opaque fragment[TLSPlaintext.length] */
425
426 /* Handshake */
427 hs_start = pos;
428 /* HandshakeType msg_type */
429 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
430 /* uint24 length (to be filled) */
431 hs_length = pos;
432 pos += 3;
433 /* body - ClientKeyExchange */
434 if (keyx == TLS_KEY_X_DH_anon) {
435 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0)
436 return -1;
437 } else {
438 if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
439 return -1;
440 }
441
442 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
443
444 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
445 rhdr, end - rhdr, hs_start, pos - hs_start,
446 &rlen) < 0) {
447 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
448 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
449 TLS_ALERT_INTERNAL_ERROR);
450 return -1;
451 }
452 pos = rhdr + rlen;
453 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
454
455 *msgpos = pos;
456
457 return 0;
458 }
459
460
tls_write_client_certificate_verify(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)461 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
462 u8 **msgpos, u8 *end)
463 {
464 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
465 size_t rlen, hlen, clen;
466 u8 hash[100], *hpos;
467 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
468
469 pos = *msgpos;
470
471 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
472 rhdr = pos;
473 pos += TLS_RECORD_HEADER_LEN;
474
475 /* Handshake */
476 hs_start = pos;
477 /* HandshakeType msg_type */
478 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
479 /* uint24 length (to be filled) */
480 hs_length = pos;
481 pos += 3;
482
483 /*
484 * RFC 2246: 7.4.3 and 7.4.8:
485 * Signature signature
486 *
487 * RSA:
488 * digitally-signed struct {
489 * opaque md5_hash[16];
490 * opaque sha_hash[20];
491 * };
492 *
493 * DSA:
494 * digitally-signed struct {
495 * opaque sha_hash[20];
496 * };
497 *
498 * The hash values are calculated over all handshake messages sent or
499 * received starting at ClientHello up to, but not including, this
500 * CertificateVerify message, including the type and length fields of
501 * the handshake messages.
502 */
503
504 hpos = hash;
505
506 #ifdef CONFIG_TLSV12
507 if (conn->rl.tls_version == TLS_VERSION_1_2) {
508 hlen = SHA256_MAC_LEN;
509 if (conn->verify.sha256_cert == NULL ||
510 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
511 0) {
512 conn->verify.sha256_cert = NULL;
513 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
514 TLS_ALERT_INTERNAL_ERROR);
515 return -1;
516 }
517 conn->verify.sha256_cert = NULL;
518
519 /*
520 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
521 *
522 * DigestInfo ::= SEQUENCE {
523 * digestAlgorithm DigestAlgorithm,
524 * digest OCTET STRING
525 * }
526 *
527 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
528 *
529 * DER encoded DigestInfo for SHA256 per RFC 3447:
530 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
531 * H
532 */
533 os_memmove(hash + 19, hash, hlen);
534 hlen += 19;
535 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
536 "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
537 } else {
538 #endif /* CONFIG_TLSV12 */
539
540 if (alg == SIGN_ALG_RSA) {
541 hlen = MD5_MAC_LEN;
542 if (conn->verify.md5_cert == NULL ||
543 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
544 {
545 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
546 TLS_ALERT_INTERNAL_ERROR);
547 conn->verify.md5_cert = NULL;
548 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
549 conn->verify.sha1_cert = NULL;
550 return -1;
551 }
552 hpos += MD5_MAC_LEN;
553 } else
554 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
555
556 conn->verify.md5_cert = NULL;
557 hlen = SHA1_MAC_LEN;
558 if (conn->verify.sha1_cert == NULL ||
559 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
560 conn->verify.sha1_cert = NULL;
561 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
562 TLS_ALERT_INTERNAL_ERROR);
563 return -1;
564 }
565 conn->verify.sha1_cert = NULL;
566
567 if (alg == SIGN_ALG_RSA)
568 hlen += MD5_MAC_LEN;
569
570 #ifdef CONFIG_TLSV12
571 }
572 #endif /* CONFIG_TLSV12 */
573
574 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
575
576 #ifdef CONFIG_TLSV12
577 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
578 /*
579 * RFC 5246, 4.7:
580 * TLS v1.2 adds explicit indication of the used signature and
581 * hash algorithms.
582 *
583 * struct {
584 * HashAlgorithm hash;
585 * SignatureAlgorithm signature;
586 * } SignatureAndHashAlgorithm;
587 */
588 *pos++ = TLS_HASH_ALG_SHA256;
589 *pos++ = TLS_SIGN_ALG_RSA;
590 }
591 #endif /* CONFIG_TLSV12 */
592
593 /*
594 * RFC 2246, 4.7:
595 * In digital signing, one-way hash functions are used as input for a
596 * signing algorithm. A digitally-signed element is encoded as an
597 * opaque vector <0..2^16-1>, where the length is specified by the
598 * signing algorithm and key.
599 *
600 * In RSA signing, a 36-byte structure of two hashes (one SHA and one
601 * MD5) is signed (encrypted with the private key). It is encoded with
602 * PKCS #1 block type 0 or type 1 as described in [PKCS1].
603 */
604 signed_start = pos; /* length to be filled */
605 pos += 2;
606 clen = end - pos;
607 if (conn->cred == NULL ||
608 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
609 pos, &clen) < 0) {
610 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
611 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
612 TLS_ALERT_INTERNAL_ERROR);
613 return -1;
614 }
615 WPA_PUT_BE16(signed_start, clen);
616
617 pos += clen;
618
619 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
620
621 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
622 rhdr, end - rhdr, hs_start, pos - hs_start,
623 &rlen) < 0) {
624 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
625 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
626 TLS_ALERT_INTERNAL_ERROR);
627 return -1;
628 }
629 pos = rhdr + rlen;
630
631 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
632
633 *msgpos = pos;
634
635 return 0;
636 }
637
638
tls_write_client_change_cipher_spec(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)639 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
640 u8 **msgpos, u8 *end)
641 {
642 size_t rlen;
643 u8 payload[1];
644
645 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
646
647 payload[0] = TLS_CHANGE_CIPHER_SPEC;
648
649 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
650 *msgpos, end - *msgpos, payload, sizeof(payload),
651 &rlen) < 0) {
652 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
653 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
654 TLS_ALERT_INTERNAL_ERROR);
655 return -1;
656 }
657
658 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
659 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
660 "record layer");
661 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
662 TLS_ALERT_INTERNAL_ERROR);
663 return -1;
664 }
665
666 *msgpos += rlen;
667
668 return 0;
669 }
670
671
tls_write_client_finished(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)672 static int tls_write_client_finished(struct tlsv1_client *conn,
673 u8 **msgpos, u8 *end)
674 {
675 u8 *pos, *hs_start;
676 size_t rlen, hlen;
677 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
678 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
679
680 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
681
682 /* Encrypted Handshake Message: Finished */
683
684 #ifdef CONFIG_TLSV12
685 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
686 hlen = SHA256_MAC_LEN;
687 if (conn->verify.sha256_client == NULL ||
688 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
689 < 0) {
690 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
691 TLS_ALERT_INTERNAL_ERROR);
692 conn->verify.sha256_client = NULL;
693 return -1;
694 }
695 conn->verify.sha256_client = NULL;
696 } else {
697 #endif /* CONFIG_TLSV12 */
698
699 hlen = MD5_MAC_LEN;
700 if (conn->verify.md5_client == NULL ||
701 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
702 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
703 TLS_ALERT_INTERNAL_ERROR);
704 conn->verify.md5_client = NULL;
705 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
706 conn->verify.sha1_client = NULL;
707 return -1;
708 }
709 conn->verify.md5_client = NULL;
710 hlen = SHA1_MAC_LEN;
711 if (conn->verify.sha1_client == NULL ||
712 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
713 &hlen) < 0) {
714 conn->verify.sha1_client = NULL;
715 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
716 TLS_ALERT_INTERNAL_ERROR);
717 return -1;
718 }
719 conn->verify.sha1_client = NULL;
720 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
721
722 #ifdef CONFIG_TLSV12
723 }
724 #endif /* CONFIG_TLSV12 */
725
726 if (tls_prf(conn->rl.tls_version,
727 conn->master_secret, TLS_MASTER_SECRET_LEN,
728 "client finished", hash, hlen,
729 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
730 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
731 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
732 TLS_ALERT_INTERNAL_ERROR);
733 return -1;
734 }
735 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
736 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
737
738 /* Handshake */
739 pos = hs_start = verify_data;
740 /* HandshakeType msg_type */
741 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
742 /* uint24 length */
743 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
744 pos += 3;
745 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */
746 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
747
748 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
749 *msgpos, end - *msgpos, hs_start, pos - hs_start,
750 &rlen) < 0) {
751 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
752 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
753 TLS_ALERT_INTERNAL_ERROR);
754 return -1;
755 }
756
757 *msgpos += rlen;
758
759 return 0;
760 }
761
762
tls_send_client_key_exchange(struct tlsv1_client * conn,size_t * out_len)763 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
764 size_t *out_len)
765 {
766 u8 *msg, *end, *pos;
767 size_t msglen;
768
769 *out_len = 0;
770
771 msglen = 2000;
772 if (conn->certificate_requested)
773 msglen += tls_client_cert_chain_der_len(conn);
774
775 msg = os_malloc(msglen);
776 if (msg == NULL)
777 return NULL;
778
779 pos = msg;
780 end = msg + msglen;
781
782 if (conn->certificate_requested) {
783 if (tls_write_client_certificate(conn, &pos, end) < 0) {
784 os_free(msg);
785 return NULL;
786 }
787 }
788
789 if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
790 (conn->certificate_requested && conn->cred && conn->cred->key &&
791 tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
792 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
793 tls_write_client_finished(conn, &pos, end) < 0) {
794 os_free(msg);
795 return NULL;
796 }
797
798 *out_len = pos - msg;
799 conn->state = SERVER_CHANGE_CIPHER_SPEC;
800
801 return msg;
802 }
803
804
tls_send_change_cipher_spec(struct tlsv1_client * conn,size_t * out_len)805 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
806 size_t *out_len)
807 {
808 u8 *msg, *end, *pos;
809
810 *out_len = 0;
811
812 msg = os_malloc(1000);
813 if (msg == NULL)
814 return NULL;
815
816 pos = msg;
817 end = msg + 1000;
818
819 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
820 tls_write_client_finished(conn, &pos, end) < 0) {
821 os_free(msg);
822 return NULL;
823 }
824
825 *out_len = pos - msg;
826
827 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
828 "successfully");
829
830 conn->state = ESTABLISHED;
831
832 return msg;
833 }
834
835
tlsv1_client_handshake_write(struct tlsv1_client * conn,size_t * out_len,int no_appl_data)836 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
837 int no_appl_data)
838 {
839 switch (conn->state) {
840 case CLIENT_KEY_EXCHANGE:
841 return tls_send_client_key_exchange(conn, out_len);
842 case CHANGE_CIPHER_SPEC:
843 return tls_send_change_cipher_spec(conn, out_len);
844 case ACK_FINISHED:
845 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
846 "successfully");
847 conn->state = ESTABLISHED;
848 *out_len = 0;
849 if (no_appl_data) {
850 /* Need to return something to get final TLS ACK. */
851 return os_malloc(1);
852 }
853 return NULL;
854 default:
855 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
856 "generating reply", conn->state);
857 return NULL;
858 }
859 }
860
861
tlsv1_client_send_alert(struct tlsv1_client * conn,u8 level,u8 description,size_t * out_len)862 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
863 u8 description, size_t *out_len)
864 {
865 u8 *alert, *pos, *length;
866
867 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
868 *out_len = 0;
869
870 alert = os_malloc(10);
871 if (alert == NULL)
872 return NULL;
873
874 pos = alert;
875
876 /* TLSPlaintext */
877 /* ContentType type */
878 *pos++ = TLS_CONTENT_TYPE_ALERT;
879 /* ProtocolVersion version */
880 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
881 TLS_VERSION);
882 pos += 2;
883 /* uint16 length (to be filled) */
884 length = pos;
885 pos += 2;
886 /* opaque fragment[TLSPlaintext.length] */
887
888 /* Alert */
889 /* AlertLevel level */
890 *pos++ = level;
891 /* AlertDescription description */
892 *pos++ = description;
893
894 WPA_PUT_BE16(length, pos - length - 2);
895 *out_len = pos - alert;
896
897 return alert;
898 }
899
