1/* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "includes.h" 16 17#include "common.h" 18#include "md5.h" 19#include "sha1.h" 20#include "x509v3.h" 21#include "tls.h" 22#include "tlsv1_common.h" 23#include "tlsv1_record.h" 24#include "tlsv1_client.h" 25#include "tlsv1_client_i.h" 26 27 28static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 29{ 30 size_t len = 0; 31 struct x509_certificate *cert; 32 33 if (conn->cred == NULL) 34 return 0; 35 36 cert = conn->cred->cert; 37 while (cert) { 38 len += 3 + cert->cert_len; 39 if (x509_certificate_self_signed(cert)) 40 break; 41 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 42 &cert->issuer); 43 } 44 45 return len; 46} 47 48 49u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 50{ 51 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 52 struct os_time now; 53 size_t len, i; 54 55 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 56 *out_len = 0; 57 58 os_get_time(&now); 59 WPA_PUT_BE32(conn->client_random, now.sec); 60 if (os_get_random(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 61 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 62 "client_random"); 63 return NULL; 64 } 65 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 66 conn->client_random, TLS_RANDOM_LEN); 67 68 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 69 hello = os_malloc(len); 70 if (hello == NULL) 71 return NULL; 72 end = hello + len; 73 74 rhdr = hello; 75 pos = rhdr + TLS_RECORD_HEADER_LEN; 76 77 /* opaque fragment[TLSPlaintext.length] */ 78 79 /* Handshake */ 80 hs_start = pos; 81 /* HandshakeType msg_type */ 82 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 83 /* uint24 length (to be filled) */ 84 hs_length = pos; 85 pos += 3; 86 /* body - ClientHello */ 87 /* ProtocolVersion client_version */ 88 WPA_PUT_BE16(pos, TLS_VERSION); 89 pos += 2; 90 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 91 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 92 pos += TLS_RANDOM_LEN; 93 /* SessionID session_id */ 94 *pos++ = conn->session_id_len; 95 os_memcpy(pos, conn->session_id, conn->session_id_len); 96 pos += conn->session_id_len; 97 /* CipherSuite cipher_suites<2..2^16-1> */ 98 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 99 pos += 2; 100 for (i = 0; i < conn->num_cipher_suites; i++) { 101 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 102 pos += 2; 103 } 104 /* CompressionMethod compression_methods<1..2^8-1> */ 105 *pos++ = 1; 106 *pos++ = TLS_COMPRESSION_NULL; 107 108 if (conn->client_hello_ext) { 109 os_memcpy(pos, conn->client_hello_ext, 110 conn->client_hello_ext_len); 111 pos += conn->client_hello_ext_len; 112 } 113 114 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 115 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 116 117 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 118 rhdr, end - rhdr, pos - hs_start, out_len) < 0) { 119 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 120 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 121 TLS_ALERT_INTERNAL_ERROR); 122 os_free(hello); 123 return NULL; 124 } 125 126 conn->state = SERVER_HELLO; 127 128 return hello; 129} 130 131 132static int tls_write_client_certificate(struct tlsv1_client *conn, 133 u8 **msgpos, u8 *end) 134{ 135 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 136 size_t rlen; 137 struct x509_certificate *cert; 138 139 pos = *msgpos; 140 141 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 142 rhdr = pos; 143 pos += TLS_RECORD_HEADER_LEN; 144 145 /* opaque fragment[TLSPlaintext.length] */ 146 147 /* Handshake */ 148 hs_start = pos; 149 /* HandshakeType msg_type */ 150 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 151 /* uint24 length (to be filled) */ 152 hs_length = pos; 153 pos += 3; 154 /* body - Certificate */ 155 /* uint24 length (to be filled) */ 156 cert_start = pos; 157 pos += 3; 158 cert = conn->cred ? conn->cred->cert : NULL; 159 while (cert) { 160 if (pos + 3 + cert->cert_len > end) { 161 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 162 "for Certificate (cert_len=%lu left=%lu)", 163 (unsigned long) cert->cert_len, 164 (unsigned long) (end - pos)); 165 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 166 TLS_ALERT_INTERNAL_ERROR); 167 return -1; 168 } 169 WPA_PUT_BE24(pos, cert->cert_len); 170 pos += 3; 171 os_memcpy(pos, cert->cert_start, cert->cert_len); 172 pos += cert->cert_len; 173 174 if (x509_certificate_self_signed(cert)) 175 break; 176 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 177 &cert->issuer); 178 } 179 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 180 /* 181 * Client was not configured with all the needed certificates 182 * to form a full certificate chain. The server may fail to 183 * validate the chain unless it is configured with all the 184 * missing CA certificates. 185 */ 186 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 187 "not configured - validation may fail"); 188 } 189 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 190 191 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 192 193 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 194 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 195 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 196 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 197 TLS_ALERT_INTERNAL_ERROR); 198 return -1; 199 } 200 pos = rhdr + rlen; 201 202 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 203 204 *msgpos = pos; 205 206 return 0; 207} 208 209 210static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 211{ 212#ifdef EAP_FAST 213 /* ClientDiffieHellmanPublic */ 214 u8 *csecret, *csecret_start, *dh_yc, *shared; 215 size_t csecret_len, dh_yc_len, shared_len; 216 217 csecret_len = conn->dh_p_len; 218 csecret = os_malloc(csecret_len); 219 if (csecret == NULL) { 220 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 221 "memory for Yc (Diffie-Hellman)"); 222 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 223 TLS_ALERT_INTERNAL_ERROR); 224 return -1; 225 } 226 if (os_get_random(csecret, csecret_len)) { 227 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 228 "data for Diffie-Hellman"); 229 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 230 TLS_ALERT_INTERNAL_ERROR); 231 os_free(csecret); 232 return -1; 233 } 234 235 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 236 csecret[0] = 0; /* make sure Yc < p */ 237 238 csecret_start = csecret; 239 while (csecret_len > 1 && *csecret_start == 0) { 240 csecret_start++; 241 csecret_len--; 242 } 243 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 244 csecret_start, csecret_len); 245 246 /* Yc = g^csecret mod p */ 247 dh_yc_len = conn->dh_p_len; 248 dh_yc = os_malloc(dh_yc_len); 249 if (dh_yc == NULL) { 250 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 251 "memory for Diffie-Hellman"); 252 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 253 TLS_ALERT_INTERNAL_ERROR); 254 os_free(csecret); 255 return -1; 256 } 257 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 258 csecret_start, csecret_len, 259 conn->dh_p, conn->dh_p_len, 260 dh_yc, &dh_yc_len)) { 261 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 262 TLS_ALERT_INTERNAL_ERROR); 263 os_free(csecret); 264 os_free(dh_yc); 265 return -1; 266 } 267 268 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 269 dh_yc, dh_yc_len); 270 271 WPA_PUT_BE16(*pos, dh_yc_len); 272 *pos += 2; 273 if (*pos + dh_yc_len > end) { 274 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 275 "message buffer for Yc"); 276 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 277 TLS_ALERT_INTERNAL_ERROR); 278 os_free(csecret); 279 os_free(dh_yc); 280 return -1; 281 } 282 os_memcpy(*pos, dh_yc, dh_yc_len); 283 *pos += dh_yc_len; 284 os_free(dh_yc); 285 286 shared_len = conn->dh_p_len; 287 shared = os_malloc(shared_len); 288 if (shared == NULL) { 289 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 290 "DH"); 291 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 292 TLS_ALERT_INTERNAL_ERROR); 293 os_free(csecret); 294 return -1; 295 } 296 297 /* shared = Ys^csecret mod p */ 298 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 299 csecret_start, csecret_len, 300 conn->dh_p, conn->dh_p_len, 301 shared, &shared_len)) { 302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 303 TLS_ALERT_INTERNAL_ERROR); 304 os_free(csecret); 305 os_free(shared); 306 return -1; 307 } 308 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 309 shared, shared_len); 310 311 os_memset(csecret_start, 0, csecret_len); 312 os_free(csecret); 313 if (tls_derive_keys(conn, shared, shared_len)) { 314 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 315 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 316 TLS_ALERT_INTERNAL_ERROR); 317 os_free(shared); 318 return -1; 319 } 320 os_memset(shared, 0, shared_len); 321 os_free(shared); 322 tlsv1_client_free_dh(conn); 323 return 0; 324#else /* EAP_FAST */ 325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR); 326 return -1; 327#endif /* EAP_FAST */ 328} 329 330 331static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 332{ 333 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 334 size_t clen; 335 int res; 336 337 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 338 tls_derive_keys(conn, pre_master_secret, 339 TLS_PRE_MASTER_SECRET_LEN)) { 340 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 341 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 342 TLS_ALERT_INTERNAL_ERROR); 343 return -1; 344 } 345 346 /* EncryptedPreMasterSecret */ 347 if (conn->server_rsa_key == NULL) { 348 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 349 "use for encrypting pre-master secret"); 350 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 351 TLS_ALERT_INTERNAL_ERROR); 352 return -1; 353 } 354 355 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 356 *pos += 2; 357 clen = end - *pos; 358 res = crypto_public_key_encrypt_pkcs1_v15( 359 conn->server_rsa_key, 360 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 361 *pos, &clen); 362 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 363 if (res < 0) { 364 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 366 TLS_ALERT_INTERNAL_ERROR); 367 return -1; 368 } 369 WPA_PUT_BE16(*pos - 2, clen); 370 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 371 *pos, clen); 372 *pos += clen; 373 374 return 0; 375} 376 377 378static int tls_write_client_key_exchange(struct tlsv1_client *conn, 379 u8 **msgpos, u8 *end) 380{ 381 u8 *pos, *rhdr, *hs_start, *hs_length; 382 size_t rlen; 383 tls_key_exchange keyx; 384 const struct tls_cipher_suite *suite; 385 386 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 387 if (suite == NULL) 388 keyx = TLS_KEY_X_NULL; 389 else 390 keyx = suite->key_exchange; 391 392 pos = *msgpos; 393 394 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 395 396 rhdr = pos; 397 pos += TLS_RECORD_HEADER_LEN; 398 399 /* opaque fragment[TLSPlaintext.length] */ 400 401 /* Handshake */ 402 hs_start = pos; 403 /* HandshakeType msg_type */ 404 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 405 /* uint24 length (to be filled) */ 406 hs_length = pos; 407 pos += 3; 408 /* body - ClientKeyExchange */ 409 if (keyx == TLS_KEY_X_DH_anon) { 410 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0) 411 return -1; 412 } else { 413 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 414 return -1; 415 } 416 417 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 418 419 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 420 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 421 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 422 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 423 TLS_ALERT_INTERNAL_ERROR); 424 return -1; 425 } 426 pos = rhdr + rlen; 427 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 428 429 *msgpos = pos; 430 431 return 0; 432} 433 434 435static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 436 u8 **msgpos, u8 *end) 437{ 438 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 439 size_t rlen, hlen, clen; 440 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 441 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 442 443 pos = *msgpos; 444 445 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 446 rhdr = pos; 447 pos += TLS_RECORD_HEADER_LEN; 448 449 /* Handshake */ 450 hs_start = pos; 451 /* HandshakeType msg_type */ 452 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 453 /* uint24 length (to be filled) */ 454 hs_length = pos; 455 pos += 3; 456 457 /* 458 * RFC 2246: 7.4.3 and 7.4.8: 459 * Signature signature 460 * 461 * RSA: 462 * digitally-signed struct { 463 * opaque md5_hash[16]; 464 * opaque sha_hash[20]; 465 * }; 466 * 467 * DSA: 468 * digitally-signed struct { 469 * opaque sha_hash[20]; 470 * }; 471 * 472 * The hash values are calculated over all handshake messages sent or 473 * received starting at ClientHello up to, but not including, this 474 * CertificateVerify message, including the type and length fields of 475 * the handshake messages. 476 */ 477 478 hpos = hash; 479 480 if (alg == SIGN_ALG_RSA) { 481 hlen = MD5_MAC_LEN; 482 if (conn->verify.md5_cert == NULL || 483 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 484 { 485 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 486 TLS_ALERT_INTERNAL_ERROR); 487 conn->verify.md5_cert = NULL; 488 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 489 conn->verify.sha1_cert = NULL; 490 return -1; 491 } 492 hpos += MD5_MAC_LEN; 493 } else 494 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 495 496 conn->verify.md5_cert = NULL; 497 hlen = SHA1_MAC_LEN; 498 if (conn->verify.sha1_cert == NULL || 499 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 500 conn->verify.sha1_cert = NULL; 501 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 502 TLS_ALERT_INTERNAL_ERROR); 503 return -1; 504 } 505 conn->verify.sha1_cert = NULL; 506 507 if (alg == SIGN_ALG_RSA) 508 hlen += MD5_MAC_LEN; 509 510 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 511 512 /* 513 * RFC 2246, 4.7: 514 * In digital signing, one-way hash functions are used as input for a 515 * signing algorithm. A digitally-signed element is encoded as an 516 * opaque vector <0..2^16-1>, where the length is specified by the 517 * signing algorithm and key. 518 * 519 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 520 * MD5) is signed (encrypted with the private key). It is encoded with 521 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 522 */ 523 signed_start = pos; /* length to be filled */ 524 pos += 2; 525 clen = end - pos; 526 if (conn->cred == NULL || 527 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 528 pos, &clen) < 0) { 529 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 530 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 531 TLS_ALERT_INTERNAL_ERROR); 532 return -1; 533 } 534 WPA_PUT_BE16(signed_start, clen); 535 536 pos += clen; 537 538 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 539 540 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 541 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 542 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 543 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 544 TLS_ALERT_INTERNAL_ERROR); 545 return -1; 546 } 547 pos = rhdr + rlen; 548 549 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 550 551 *msgpos = pos; 552 553 return 0; 554} 555 556 557static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 558 u8 **msgpos, u8 *end) 559{ 560 u8 *pos, *rhdr; 561 size_t rlen; 562 563 pos = *msgpos; 564 565 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 566 rhdr = pos; 567 pos += TLS_RECORD_HEADER_LEN; 568 *pos = TLS_CHANGE_CIPHER_SPEC; 569 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 570 rhdr, end - rhdr, 1, &rlen) < 0) { 571 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 572 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 573 TLS_ALERT_INTERNAL_ERROR); 574 return -1; 575 } 576 577 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 578 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 579 "record layer"); 580 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 581 TLS_ALERT_INTERNAL_ERROR); 582 return -1; 583 } 584 585 *msgpos = rhdr + rlen; 586 587 return 0; 588} 589 590 591static int tls_write_client_finished(struct tlsv1_client *conn, 592 u8 **msgpos, u8 *end) 593{ 594 u8 *pos, *rhdr, *hs_start, *hs_length; 595 size_t rlen, hlen; 596 u8 verify_data[TLS_VERIFY_DATA_LEN]; 597 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 598 599 pos = *msgpos; 600 601 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 602 603 /* Encrypted Handshake Message: Finished */ 604 605 hlen = MD5_MAC_LEN; 606 if (conn->verify.md5_client == NULL || 607 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 608 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 609 TLS_ALERT_INTERNAL_ERROR); 610 conn->verify.md5_client = NULL; 611 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 612 conn->verify.sha1_client = NULL; 613 return -1; 614 } 615 conn->verify.md5_client = NULL; 616 hlen = SHA1_MAC_LEN; 617 if (conn->verify.sha1_client == NULL || 618 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 619 &hlen) < 0) { 620 conn->verify.sha1_client = NULL; 621 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 622 TLS_ALERT_INTERNAL_ERROR); 623 return -1; 624 } 625 conn->verify.sha1_client = NULL; 626 627 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 628 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 629 verify_data, TLS_VERIFY_DATA_LEN)) { 630 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 631 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 632 TLS_ALERT_INTERNAL_ERROR); 633 return -1; 634 } 635 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 636 verify_data, TLS_VERIFY_DATA_LEN); 637 638 rhdr = pos; 639 pos += TLS_RECORD_HEADER_LEN; 640 /* Handshake */ 641 hs_start = pos; 642 /* HandshakeType msg_type */ 643 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 644 /* uint24 length (to be filled) */ 645 hs_length = pos; 646 pos += 3; 647 os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN); 648 pos += TLS_VERIFY_DATA_LEN; 649 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 650 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 651 652 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 653 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 654 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 655 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 656 TLS_ALERT_INTERNAL_ERROR); 657 return -1; 658 } 659 660 pos = rhdr + rlen; 661 662 *msgpos = pos; 663 664 return 0; 665} 666 667 668static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 669 size_t *out_len) 670{ 671 u8 *msg, *end, *pos; 672 size_t msglen; 673 674 *out_len = 0; 675 676 msglen = 1000; 677 if (conn->certificate_requested) 678 msglen += tls_client_cert_chain_der_len(conn); 679 680 msg = os_malloc(msglen); 681 if (msg == NULL) 682 return NULL; 683 684 pos = msg; 685 end = msg + msglen; 686 687 if (conn->certificate_requested) { 688 if (tls_write_client_certificate(conn, &pos, end) < 0) { 689 os_free(msg); 690 return NULL; 691 } 692 } 693 694 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 695 (conn->certificate_requested && conn->cred && conn->cred->key && 696 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 697 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 698 tls_write_client_finished(conn, &pos, end) < 0) { 699 os_free(msg); 700 return NULL; 701 } 702 703 *out_len = pos - msg; 704 705 conn->state = SERVER_CHANGE_CIPHER_SPEC; 706 707 return msg; 708} 709 710 711static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 712 size_t *out_len) 713{ 714 u8 *msg, *end, *pos; 715 716 *out_len = 0; 717 718 msg = os_malloc(1000); 719 if (msg == NULL) 720 return NULL; 721 722 pos = msg; 723 end = msg + 1000; 724 725 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 726 tls_write_client_finished(conn, &pos, end) < 0) { 727 os_free(msg); 728 return NULL; 729 } 730 731 *out_len = pos - msg; 732 733 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 734 "successfully"); 735 conn->state = ESTABLISHED; 736 737 return msg; 738} 739 740 741u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 742 int no_appl_data) 743{ 744 switch (conn->state) { 745 case CLIENT_KEY_EXCHANGE: 746 return tls_send_client_key_exchange(conn, out_len); 747 case CHANGE_CIPHER_SPEC: 748 return tls_send_change_cipher_spec(conn, out_len); 749 case ACK_FINISHED: 750 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 751 "successfully"); 752 conn->state = ESTABLISHED; 753 *out_len = 0; 754 if (no_appl_data) { 755 /* Need to return something to get final TLS ACK. */ 756 return os_malloc(1); 757 } 758 return NULL; 759 default: 760 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 761 "generating reply", conn->state); 762 return NULL; 763 } 764} 765 766 767u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 768 u8 description, size_t *out_len) 769{ 770 u8 *alert, *pos, *length; 771 772 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 773 *out_len = 0; 774 775 alert = os_malloc(10); 776 if (alert == NULL) 777 return NULL; 778 779 pos = alert; 780 781 /* TLSPlaintext */ 782 /* ContentType type */ 783 *pos++ = TLS_CONTENT_TYPE_ALERT; 784 /* ProtocolVersion version */ 785 WPA_PUT_BE16(pos, TLS_VERSION); 786 pos += 2; 787 /* uint16 length (to be filled) */ 788 length = pos; 789 pos += 2; 790 /* opaque fragment[TLSPlaintext.length] */ 791 792 /* Alert */ 793 /* AlertLevel level */ 794 *pos++ = level; 795 /* AlertDescription description */ 796 *pos++ = description; 797 798 WPA_PUT_BE16(length, pos - length - 2); 799 *out_len = pos - alert; 800 801 return alert; 802} 803