1 /*
2 * TLSv1 client - write handshake message
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "crypto/random.h"
17 #include "x509v3.h"
18 #include "tlsv1_common.h"
19 #include "tlsv1_record.h"
20 #include "tlsv1_client.h"
21 #include "tlsv1_client_i.h"
22
23
tls_client_cert_chain_der_len(struct tlsv1_client * conn)24 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
25 {
26 size_t len = 0;
27 struct x509_certificate *cert;
28
29 if (conn->cred == NULL)
30 return 0;
31
32 cert = conn->cred->cert;
33 while (cert) {
34 len += 3 + cert->cert_len;
35 if (x509_certificate_self_signed(cert))
36 break;
37 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
38 &cert->issuer);
39 }
40
41 return len;
42 }
43
44
tls_send_client_hello(struct tlsv1_client * conn,size_t * out_len)45 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
46 {
47 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
48 struct os_time now;
49 size_t len, i;
50 u8 *ext_start;
51 u16 tls_version = tls_client_highest_ver(conn);
52
53 if (!tls_version) {
54 wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed");
55 return NULL;
56 }
57
58 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)",
59 tls_version_str(tls_version));
60 *out_len = 0;
61
62 os_get_time(&now);
63 #ifdef TEST_FUZZ
64 now.sec = 0xfffefdfc;
65 #endif /* TEST_FUZZ */
66 WPA_PUT_BE32(conn->client_random, now.sec);
67 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
68 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
69 "client_random");
70 return NULL;
71 }
72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
73 conn->client_random, TLS_RANDOM_LEN);
74
75 len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
76 hello = os_malloc(len);
77 if (hello == NULL)
78 return NULL;
79 end = hello + len;
80
81 rhdr = hello;
82 pos = rhdr + TLS_RECORD_HEADER_LEN;
83
84 /* opaque fragment[TLSPlaintext.length] */
85
86 /* Handshake */
87 hs_start = pos;
88 /* HandshakeType msg_type */
89 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
90 /* uint24 length (to be filled) */
91 hs_length = pos;
92 pos += 3;
93 /* body - ClientHello */
94 /* ProtocolVersion client_version */
95 WPA_PUT_BE16(pos, tls_version);
96 pos += 2;
97 /* Random random: uint32 gmt_unix_time, opaque random_bytes */
98 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
99 pos += TLS_RANDOM_LEN;
100 /* SessionID session_id */
101 *pos++ = conn->session_id_len;
102 os_memcpy(pos, conn->session_id, conn->session_id_len);
103 pos += conn->session_id_len;
104 /* CipherSuite cipher_suites<2..2^16-1> */
105 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
106 pos += 2;
107 for (i = 0; i < conn->num_cipher_suites; i++) {
108 WPA_PUT_BE16(pos, conn->cipher_suites[i]);
109 pos += 2;
110 }
111 /* CompressionMethod compression_methods<1..2^8-1> */
112 *pos++ = 1;
113 *pos++ = TLS_COMPRESSION_NULL;
114
115 /* Extension */
116 ext_start = pos;
117 pos += 2;
118
119 #ifdef CONFIG_TLSV12
120 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
121 /*
122 * Add signature_algorithms extension since we support only
123 * SHA256 (and not the default SHA1) with TLSv1.2.
124 */
125 /* ExtensionsType extension_type = signature_algorithms(13) */
126 WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
127 pos += 2;
128 /* opaque extension_data<0..2^16-1> length */
129 #ifdef CONFIG_CRYPTO_MBEDTLS
130 WPA_PUT_BE16(pos, 8);
131 #else
132 WPA_PUT_BE16(pos, 4);
133 #endif
134 pos += 2;
135 /* supported_signature_algorithms<2..2^16-2> length */
136 #ifdef CONFIG_CRYPTO_MBEDTLS
137 WPA_PUT_BE16(pos, 6);
138 #else
139 WPA_PUT_BE16(pos, 2);
140 #endif
141 pos += 2;
142 /* supported_signature_algorithms */
143 #ifdef CONFIG_CRYPTO_MBEDTLS
144 *pos++ = TLS_HASH_ALG_SHA512;
145 *pos++ = TLS_SIGN_ALG_RSA;
146 *pos++ = TLS_HASH_ALG_SHA384;
147 *pos++ = TLS_SIGN_ALG_RSA;
148 #endif
149 *pos++ = TLS_HASH_ALG_SHA256;
150 *pos++ = TLS_SIGN_ALG_RSA;
151 }
152 #endif /* CONFIG_TLSV12 */
153
154 if (conn->client_hello_ext) {
155 os_memcpy(pos, conn->client_hello_ext,
156 conn->client_hello_ext_len);
157 pos += conn->client_hello_ext_len;
158 }
159
160 if (conn->flags & TLS_CONN_REQUEST_OCSP) {
161 wpa_printf(MSG_DEBUG,
162 "TLSv1: Add status_request extension for OCSP stapling");
163 /* ExtensionsType extension_type = status_request(5) */
164 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
165 pos += 2;
166 /* opaque extension_data<0..2^16-1> length */
167 WPA_PUT_BE16(pos, 5);
168 pos += 2;
169
170 /*
171 * RFC 6066, 8:
172 * struct {
173 * CertificateStatusType status_type;
174 * select (status_type) {
175 * case ocsp: OCSPStatusRequest;
176 * } request;
177 * } CertificateStatusRequest;
178 *
179 * enum { ocsp(1), (255) } CertificateStatusType;
180 */
181 *pos++ = 1; /* status_type = ocsp(1) */
182
183 /*
184 * struct {
185 * ResponderID responder_id_list<0..2^16-1>;
186 * Extensions request_extensions;
187 * } OCSPStatusRequest;
188 *
189 * opaque ResponderID<1..2^16-1>;
190 * opaque Extensions<0..2^16-1>;
191 */
192 WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
193 pos += 2;
194 WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
195 pos += 2;
196
197 wpa_printf(MSG_DEBUG,
198 "TLSv1: Add status_request_v2 extension for OCSP stapling");
199 /* ExtensionsType extension_type = status_request_v2(17) */
200 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
201 pos += 2;
202 /* opaque extension_data<0..2^16-1> length */
203 WPA_PUT_BE16(pos, 7);
204 pos += 2;
205
206 /*
207 * RFC 6961, 2.2:
208 * struct {
209 * CertificateStatusType status_type;
210 * uint16 request_length;
211 * select (status_type) {
212 * case ocsp: OCSPStatusRequest;
213 * case ocsp_multi: OCSPStatusRequest;
214 * } request;
215 * } CertificateStatusRequestItemV2;
216 *
217 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
218 *
219 * struct {
220 * CertificateStatusRequestItemV2
221 * certificate_status_req_list<1..2^16-1>;
222 * } CertificateStatusRequestListV2;
223 */
224
225 /* certificate_status_req_list<1..2^16-1> */
226 WPA_PUT_BE16(pos, 5);
227 pos += 2;
228
229 /* CertificateStatusRequestItemV2 */
230 *pos++ = 2; /* status_type = ocsp_multi(2) */
231 /* OCSPStatusRequest as shown above for v1 */
232 WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
233 pos += 2;
234 WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
235 pos += 2;
236 }
237
238 if (pos == ext_start + 2)
239 pos -= 2; /* no extensions */
240 else
241 WPA_PUT_BE16(ext_start, pos - ext_start - 2);
242
243 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
244 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
245
246 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
247 rhdr, end - rhdr, hs_start, pos - hs_start,
248 out_len) < 0) {
249 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
251 TLS_ALERT_INTERNAL_ERROR);
252 os_free(hello);
253 return NULL;
254 }
255
256 conn->state = SERVER_HELLO;
257
258 return hello;
259 }
260
261
tls_write_client_certificate(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)262 static int tls_write_client_certificate(struct tlsv1_client *conn,
263 u8 **msgpos, u8 *end)
264 {
265 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
266 size_t rlen;
267 struct x509_certificate *cert;
268
269 pos = *msgpos;
270 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
271 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
272 TLS_ALERT_INTERNAL_ERROR);
273 return -1;
274 }
275
276 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
277 rhdr = pos;
278 pos += TLS_RECORD_HEADER_LEN;
279
280 /* opaque fragment[TLSPlaintext.length] */
281
282 /* Handshake */
283 hs_start = pos;
284 /* HandshakeType msg_type */
285 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
286 /* uint24 length (to be filled) */
287 hs_length = pos;
288 pos += 3;
289 /* body - Certificate */
290 /* uint24 length (to be filled) */
291 cert_start = pos;
292 pos += 3;
293 cert = conn->cred ? conn->cred->cert : NULL;
294 while (cert) {
295 if (3 + cert->cert_len > (size_t) (end - pos)) {
296 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
297 "for Certificate (cert_len=%lu left=%lu)",
298 (unsigned long) cert->cert_len,
299 (unsigned long) (end - pos));
300 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
301 TLS_ALERT_INTERNAL_ERROR);
302 return -1;
303 }
304 WPA_PUT_BE24(pos, cert->cert_len);
305 pos += 3;
306 os_memcpy(pos, cert->cert_start, cert->cert_len);
307 pos += cert->cert_len;
308
309 if (x509_certificate_self_signed(cert))
310 break;
311 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
312 &cert->issuer);
313 }
314 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
315 /*
316 * Client was not configured with all the needed certificates
317 * to form a full certificate chain. The server may fail to
318 * validate the chain unless it is configured with all the
319 * missing CA certificates.
320 */
321 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
322 "not configured - validation may fail");
323 }
324 WPA_PUT_BE24(cert_start, pos - cert_start - 3);
325
326 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
327
328 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
329 rhdr, end - rhdr, hs_start, pos - hs_start,
330 &rlen) < 0) {
331 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
332 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
333 TLS_ALERT_INTERNAL_ERROR);
334 return -1;
335 }
336 pos = rhdr + rlen;
337
338 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
339
340 *msgpos = pos;
341
342 return 0;
343 }
344
345
tlsv1_key_x_dh(struct tlsv1_client * conn,u8 ** pos,u8 * end)346 static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
347 {
348 /* ClientDiffieHellmanPublic */
349 u8 *csecret, *csecret_start, *dh_yc, *shared;
350 size_t csecret_len, dh_yc_len, shared_len;
351
352 csecret_len = conn->dh_p_len;
353 csecret = os_malloc(csecret_len);
354 if (csecret == NULL) {
355 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
356 "memory for Yc (Diffie-Hellman)");
357 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
358 TLS_ALERT_INTERNAL_ERROR);
359 return -1;
360 }
361 if (random_get_bytes(csecret, csecret_len)) {
362 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
363 "data for Diffie-Hellman");
364 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
365 TLS_ALERT_INTERNAL_ERROR);
366 os_free(csecret);
367 return -1;
368 }
369
370 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
371 csecret[0] = 0; /* make sure Yc < p */
372
373 csecret_start = csecret;
374 while (csecret_len > 1 && *csecret_start == 0) {
375 csecret_start++;
376 csecret_len--;
377 }
378 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
379 csecret_start, csecret_len);
380
381 /* Yc = g^csecret mod p */
382 dh_yc_len = conn->dh_p_len;
383 dh_yc = os_malloc(dh_yc_len);
384 if (dh_yc == NULL) {
385 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
386 "memory for Diffie-Hellman");
387 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
388 TLS_ALERT_INTERNAL_ERROR);
389 os_free(csecret);
390 return -1;
391 }
392 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
393 csecret_start, csecret_len,
394 conn->dh_p, conn->dh_p_len,
395 dh_yc, &dh_yc_len)) {
396 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
397 TLS_ALERT_INTERNAL_ERROR);
398 os_free(csecret);
399 os_free(dh_yc);
400 return -1;
401 }
402
403 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
404 dh_yc, dh_yc_len);
405
406 if (end - *pos < 2) {
407 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
408 TLS_ALERT_INTERNAL_ERROR);
409 os_free(csecret);
410 os_free(dh_yc);
411 return -1;
412 }
413 WPA_PUT_BE16(*pos, dh_yc_len);
414 *pos += 2;
415 if (dh_yc_len > (size_t) (end - *pos)) {
416 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
417 "message buffer for Yc");
418 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
419 TLS_ALERT_INTERNAL_ERROR);
420 os_free(csecret);
421 os_free(dh_yc);
422 return -1;
423 }
424 os_memcpy(*pos, dh_yc, dh_yc_len);
425 *pos += dh_yc_len;
426 os_free(dh_yc);
427
428 shared_len = conn->dh_p_len;
429 shared = os_malloc(shared_len);
430 if (shared == NULL) {
431 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
432 "DH");
433 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
434 TLS_ALERT_INTERNAL_ERROR);
435 os_free(csecret);
436 return -1;
437 }
438
439 /* shared = Ys^csecret mod p */
440 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
441 csecret_start, csecret_len,
442 conn->dh_p, conn->dh_p_len,
443 shared, &shared_len)) {
444 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
445 TLS_ALERT_INTERNAL_ERROR);
446 os_free(csecret);
447 os_free(shared);
448 return -1;
449 }
450 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
451 shared, shared_len);
452
453 os_memset(csecret_start, 0, csecret_len);
454 os_free(csecret);
455 if (tls_derive_keys(conn, shared, shared_len)) {
456 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
457 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
458 TLS_ALERT_INTERNAL_ERROR);
459 os_free(shared);
460 return -1;
461 }
462 os_memset(shared, 0, shared_len);
463 os_free(shared);
464 tlsv1_client_free_dh(conn);
465 return 0;
466 }
467
468
tlsv1_key_x_rsa(struct tlsv1_client * conn,u8 ** pos,u8 * end)469 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
470 {
471 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
472 size_t clen;
473 int res;
474
475 if (tls_derive_pre_master_secret(conn, pre_master_secret) < 0 ||
476 tls_derive_keys(conn, pre_master_secret,
477 TLS_PRE_MASTER_SECRET_LEN)) {
478 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
479 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
480 TLS_ALERT_INTERNAL_ERROR);
481 return -1;
482 }
483
484 /* EncryptedPreMasterSecret */
485 if (conn->server_rsa_key == NULL) {
486 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
487 "use for encrypting pre-master secret");
488 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
489 TLS_ALERT_INTERNAL_ERROR);
490 return -1;
491 }
492
493 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
494 *pos += 2;
495 clen = end - *pos;
496 res = crypto_public_key_encrypt_pkcs1_v15(
497 conn->server_rsa_key,
498 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
499 *pos, &clen);
500 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
501 if (res < 0) {
502 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
503 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
504 TLS_ALERT_INTERNAL_ERROR);
505 return -1;
506 }
507 WPA_PUT_BE16(*pos - 2, clen);
508 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
509 *pos, clen);
510 *pos += clen;
511
512 return 0;
513 }
514
515
tls_write_client_key_exchange(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)516 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
517 u8 **msgpos, u8 *end)
518 {
519 u8 *pos, *rhdr, *hs_start, *hs_length;
520 size_t rlen;
521 tls_key_exchange keyx;
522 const struct tls_cipher_suite *suite;
523
524 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
525 if (suite == NULL)
526 keyx = TLS_KEY_X_NULL;
527 else
528 keyx = suite->key_exchange;
529
530 pos = *msgpos;
531
532 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
533
534 rhdr = pos;
535 pos += TLS_RECORD_HEADER_LEN;
536
537 /* opaque fragment[TLSPlaintext.length] */
538
539 /* Handshake */
540 hs_start = pos;
541 /* HandshakeType msg_type */
542 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
543 /* uint24 length (to be filled) */
544 hs_length = pos;
545 pos += 3;
546 /* body - ClientKeyExchange */
547 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) {
548 if (tlsv1_key_x_dh(conn, &pos, end) < 0)
549 return -1;
550 } else {
551 if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
552 return -1;
553 }
554
555 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
556
557 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
558 rhdr, end - rhdr, hs_start, pos - hs_start,
559 &rlen) < 0) {
560 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
561 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
562 TLS_ALERT_INTERNAL_ERROR);
563 return -1;
564 }
565 pos = rhdr + rlen;
566 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
567
568 *msgpos = pos;
569
570 return 0;
571 }
572
573
tls_write_client_certificate_verify(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)574 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
575 u8 **msgpos, u8 *end)
576 {
577 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
578 size_t rlen, hlen, clen;
579 u8 hash[100], *hpos;
580
581 pos = *msgpos;
582
583 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
584 rhdr = pos;
585 pos += TLS_RECORD_HEADER_LEN;
586
587 /* Handshake */
588 hs_start = pos;
589 /* HandshakeType msg_type */
590 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
591 /* uint24 length (to be filled) */
592 hs_length = pos;
593 pos += 3;
594
595 /*
596 * RFC 2246: 7.4.3 and 7.4.8:
597 * Signature signature
598 *
599 * RSA:
600 * digitally-signed struct {
601 * opaque md5_hash[16];
602 * opaque sha_hash[20];
603 * };
604 *
605 * DSA:
606 * digitally-signed struct {
607 * opaque sha_hash[20];
608 * };
609 *
610 * The hash values are calculated over all handshake messages sent or
611 * received starting at ClientHello up to, but not including, this
612 * CertificateVerify message, including the type and length fields of
613 * the handshake messages.
614 */
615
616 hpos = hash;
617
618 #ifdef CONFIG_TLSV12
619 if (conn->rl.tls_version == TLS_VERSION_1_2) {
620 hlen = SHA256_MAC_LEN;
621 if (conn->verify.sha256_cert == NULL ||
622 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
623 0) {
624 conn->verify.sha256_cert = NULL;
625 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
626 TLS_ALERT_INTERNAL_ERROR);
627 return -1;
628 }
629 conn->verify.sha256_cert = NULL;
630
631 /*
632 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
633 *
634 * DigestInfo ::= SEQUENCE {
635 * digestAlgorithm DigestAlgorithm,
636 * digest OCTET STRING
637 * }
638 *
639 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
640 *
641 * DER encoded DigestInfo for SHA256 per RFC 3447:
642 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
643 * H
644 */
645 os_memmove(hash + 19, hash, hlen);
646 hlen += 19;
647 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
648 "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
649 } else {
650 #endif /* CONFIG_TLSV12 */
651
652 hlen = MD5_MAC_LEN;
653 if (conn->verify.md5_cert == NULL ||
654 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
655 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
656 TLS_ALERT_INTERNAL_ERROR);
657 conn->verify.md5_cert = NULL;
658 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
659 conn->verify.sha1_cert = NULL;
660 return -1;
661 }
662 hpos += MD5_MAC_LEN;
663
664 conn->verify.md5_cert = NULL;
665 hlen = SHA1_MAC_LEN;
666 if (conn->verify.sha1_cert == NULL ||
667 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
668 conn->verify.sha1_cert = NULL;
669 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
670 TLS_ALERT_INTERNAL_ERROR);
671 return -1;
672 }
673 conn->verify.sha1_cert = NULL;
674
675 hlen += MD5_MAC_LEN;
676
677 #ifdef CONFIG_TLSV12
678 }
679 #endif /* CONFIG_TLSV12 */
680
681 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
682
683 #ifdef CONFIG_TLSV12
684 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
685 /*
686 * RFC 5246, 4.7:
687 * TLS v1.2 adds explicit indication of the used signature and
688 * hash algorithms.
689 *
690 * struct {
691 * HashAlgorithm hash;
692 * SignatureAlgorithm signature;
693 * } SignatureAndHashAlgorithm;
694 */
695 *pos++ = TLS_HASH_ALG_SHA256;
696 *pos++ = TLS_SIGN_ALG_RSA;
697 }
698 #endif /* CONFIG_TLSV12 */
699
700 /*
701 * RFC 2246, 4.7:
702 * In digital signing, one-way hash functions are used as input for a
703 * signing algorithm. A digitally-signed element is encoded as an
704 * opaque vector <0..2^16-1>, where the length is specified by the
705 * signing algorithm and key.
706 *
707 * In RSA signing, a 36-byte structure of two hashes (one SHA and one
708 * MD5) is signed (encrypted with the private key). It is encoded with
709 * PKCS #1 block type 0 or type 1 as described in [PKCS1].
710 */
711 signed_start = pos; /* length to be filled */
712 pos += 2;
713 clen = end - pos;
714 if (conn->cred == NULL ||
715 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
716 pos, &clen) < 0) {
717 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
718 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
719 TLS_ALERT_INTERNAL_ERROR);
720 return -1;
721 }
722 WPA_PUT_BE16(signed_start, clen);
723
724 pos += clen;
725
726 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
727
728 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
729 rhdr, end - rhdr, hs_start, pos - hs_start,
730 &rlen) < 0) {
731 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
732 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
733 TLS_ALERT_INTERNAL_ERROR);
734 return -1;
735 }
736 pos = rhdr + rlen;
737
738 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
739
740 *msgpos = pos;
741
742 return 0;
743 }
744
745
tls_write_client_change_cipher_spec(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)746 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
747 u8 **msgpos, u8 *end)
748 {
749 size_t rlen;
750 u8 payload[1];
751
752 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
753
754 payload[0] = TLS_CHANGE_CIPHER_SPEC;
755
756 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
757 *msgpos, end - *msgpos, payload, sizeof(payload),
758 &rlen) < 0) {
759 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
760 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
761 TLS_ALERT_INTERNAL_ERROR);
762 return -1;
763 }
764
765 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
766 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
767 "record layer");
768 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
769 TLS_ALERT_INTERNAL_ERROR);
770 return -1;
771 }
772
773 *msgpos += rlen;
774
775 return 0;
776 }
777
778
tls_write_client_finished(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)779 static int tls_write_client_finished(struct tlsv1_client *conn,
780 u8 **msgpos, u8 *end)
781 {
782 u8 *pos, *hs_start;
783 size_t rlen, hlen;
784 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
785 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
786
787 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
788
789 /* Encrypted Handshake Message: Finished */
790
791 #ifdef CONFIG_TLSV12
792 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
793 hlen = SHA256_MAC_LEN;
794 if (conn->verify.sha256_client == NULL ||
795 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
796 < 0) {
797 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
798 TLS_ALERT_INTERNAL_ERROR);
799 conn->verify.sha256_client = NULL;
800 return -1;
801 }
802 conn->verify.sha256_client = NULL;
803 } else {
804 #endif /* CONFIG_TLSV12 */
805
806 hlen = MD5_MAC_LEN;
807 if (conn->verify.md5_client == NULL ||
808 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
809 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
810 TLS_ALERT_INTERNAL_ERROR);
811 conn->verify.md5_client = NULL;
812 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
813 conn->verify.sha1_client = NULL;
814 return -1;
815 }
816 conn->verify.md5_client = NULL;
817 hlen = SHA1_MAC_LEN;
818 if (conn->verify.sha1_client == NULL ||
819 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
820 &hlen) < 0) {
821 conn->verify.sha1_client = NULL;
822 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
823 TLS_ALERT_INTERNAL_ERROR);
824 return -1;
825 }
826 conn->verify.sha1_client = NULL;
827 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
828
829 #ifdef CONFIG_TLSV12
830 }
831 #endif /* CONFIG_TLSV12 */
832
833 if (tls_prf(conn->rl.tls_version,
834 conn->master_secret, TLS_MASTER_SECRET_LEN,
835 "client finished", hash, hlen,
836 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
837 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
838 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
839 TLS_ALERT_INTERNAL_ERROR);
840 return -1;
841 }
842 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
843 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
844
845 /* Handshake */
846 pos = hs_start = verify_data;
847 /* HandshakeType msg_type */
848 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
849 /* uint24 length */
850 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
851 pos += 3;
852 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */
853 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
854
855 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
856 *msgpos, end - *msgpos, hs_start, pos - hs_start,
857 &rlen) < 0) {
858 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
859 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
860 TLS_ALERT_INTERNAL_ERROR);
861 return -1;
862 }
863
864 *msgpos += rlen;
865
866 return 0;
867 }
868
869
tls_send_client_key_exchange(struct tlsv1_client * conn,size_t * out_len)870 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
871 size_t *out_len)
872 {
873 u8 *msg, *end, *pos;
874 size_t msglen;
875
876 *out_len = 0;
877
878 msglen = 2000;
879 if (conn->certificate_requested)
880 msglen += tls_client_cert_chain_der_len(conn);
881
882 msg = os_malloc(msglen);
883 if (msg == NULL)
884 return NULL;
885
886 pos = msg;
887 end = msg + msglen;
888
889 if (conn->certificate_requested) {
890 if (tls_write_client_certificate(conn, &pos, end) < 0) {
891 os_free(msg);
892 return NULL;
893 }
894 }
895
896 if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
897 (conn->certificate_requested && conn->cred && conn->cred->key &&
898 tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
899 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
900 tls_write_client_finished(conn, &pos, end) < 0) {
901 os_free(msg);
902 return NULL;
903 }
904
905 *out_len = pos - msg;
906
907 conn->state = SERVER_CHANGE_CIPHER_SPEC;
908
909 return msg;
910 }
911
912
tls_send_change_cipher_spec(struct tlsv1_client * conn,size_t * out_len)913 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
914 size_t *out_len)
915 {
916 u8 *msg, *end, *pos;
917
918 *out_len = 0;
919
920 msg = os_malloc(1000);
921 if (msg == NULL)
922 return NULL;
923
924 pos = msg;
925 end = msg + 1000;
926
927 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
928 tls_write_client_finished(conn, &pos, end) < 0) {
929 os_free(msg);
930 return NULL;
931 }
932
933 *out_len = pos - msg;
934
935 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
936 "successfully");
937 if (!conn->session_resumed && conn->use_session_ticket)
938 conn->session_resumed = 1;
939 conn->state = ESTABLISHED;
940
941 return msg;
942 }
943
944
tlsv1_client_handshake_write(struct tlsv1_client * conn,size_t * out_len,int no_appl_data)945 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
946 int no_appl_data)
947 {
948 switch (conn->state) {
949 case CLIENT_KEY_EXCHANGE:
950 return tls_send_client_key_exchange(conn, out_len);
951 case CHANGE_CIPHER_SPEC:
952 return tls_send_change_cipher_spec(conn, out_len);
953 case ACK_FINISHED:
954 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
955 "successfully");
956 conn->state = ESTABLISHED;
957 *out_len = 0;
958 if (no_appl_data) {
959 /* Need to return something to get final TLS ACK. */
960 return os_malloc(1);
961 }
962 return NULL;
963 default:
964 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
965 "generating reply", conn->state);
966 return NULL;
967 }
968 }
969
970
tlsv1_client_send_alert(struct tlsv1_client * conn,u8 level,u8 description,size_t * out_len)971 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
972 u8 description, size_t *out_len)
973 {
974 u8 *alert, *pos, *length;
975
976 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
977 *out_len = 0;
978
979 alert = os_malloc(10);
980 if (alert == NULL)
981 return NULL;
982
983 pos = alert;
984
985 /* TLSPlaintext */
986 /* ContentType type */
987 *pos++ = TLS_CONTENT_TYPE_ALERT;
988 /* ProtocolVersion version */
989 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
990 TLS_VERSION);
991 pos += 2;
992 /* uint16 length (to be filled) */
993 length = pos;
994 pos += 2;
995 /* opaque fragment[TLSPlaintext.length] */
996
997 /* Alert */
998 /* AlertLevel level */
999 *pos++ = level;
1000 /* AlertDescription description */
1001 *pos++ = description;
1002
1003 WPA_PUT_BE16(length, pos - length - 2);
1004 *out_len = pos - alert;
1005
1006 return alert;
1007 }
1008