1/* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "includes.h" 16 17#include "common.h" 18#include "crypto/md5.h" 19#include "crypto/sha1.h" 20#include "crypto/tls.h" 21#include "crypto/random.h" 22#include "x509v3.h" 23#include "tlsv1_common.h" 24#include "tlsv1_record.h" 25#include "tlsv1_client.h" 26#include "tlsv1_client_i.h" 27 28 29static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 30{ 31 size_t len = 0; 32 struct x509_certificate *cert; 33 34 if (conn->cred == NULL) 35 return 0; 36 37 cert = conn->cred->cert; 38 while (cert) { 39 len += 3 + cert->cert_len; 40 if (x509_certificate_self_signed(cert)) 41 break; 42 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 43 &cert->issuer); 44 } 45 46 return len; 47} 48 49 50u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 51{ 52 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 53 struct os_time now; 54 size_t len, i; 55 56 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 57 *out_len = 0; 58 59 os_get_time(&now); 60 WPA_PUT_BE32(conn->client_random, now.sec); 61 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 62 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 63 "client_random"); 64 return NULL; 65 } 66 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 67 conn->client_random, TLS_RANDOM_LEN); 68 69 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 70 hello = os_malloc(len); 71 if (hello == NULL) 72 return NULL; 73 end = hello + len; 74 75 rhdr = hello; 76 pos = rhdr + TLS_RECORD_HEADER_LEN; 77 78 /* opaque fragment[TLSPlaintext.length] */ 79 80 /* Handshake */ 81 hs_start = pos; 82 /* HandshakeType msg_type */ 83 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 84 /* uint24 length (to be filled) */ 85 hs_length = pos; 86 pos += 3; 87 /* body - ClientHello */ 88 /* ProtocolVersion client_version */ 89 WPA_PUT_BE16(pos, TLS_VERSION); 90 pos += 2; 91 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 92 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 93 pos += TLS_RANDOM_LEN; 94 /* SessionID session_id */ 95 *pos++ = conn->session_id_len; 96 os_memcpy(pos, conn->session_id, conn->session_id_len); 97 pos += conn->session_id_len; 98 /* CipherSuite cipher_suites<2..2^16-1> */ 99 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 100 pos += 2; 101 for (i = 0; i < conn->num_cipher_suites; i++) { 102 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 103 pos += 2; 104 } 105 /* CompressionMethod compression_methods<1..2^8-1> */ 106 *pos++ = 1; 107 *pos++ = TLS_COMPRESSION_NULL; 108 109 if (conn->client_hello_ext) { 110 os_memcpy(pos, conn->client_hello_ext, 111 conn->client_hello_ext_len); 112 pos += conn->client_hello_ext_len; 113 } 114 115 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 116 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 117 118 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 119 rhdr, end - rhdr, pos - hs_start, out_len) < 0) { 120 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 121 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 122 TLS_ALERT_INTERNAL_ERROR); 123 os_free(hello); 124 return NULL; 125 } 126 127 conn->state = SERVER_HELLO; 128 129 return hello; 130} 131 132 133static int tls_write_client_certificate(struct tlsv1_client *conn, 134 u8 **msgpos, u8 *end) 135{ 136 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 137 size_t rlen; 138 struct x509_certificate *cert; 139 140 pos = *msgpos; 141 142 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 143 rhdr = pos; 144 pos += TLS_RECORD_HEADER_LEN; 145 146 /* opaque fragment[TLSPlaintext.length] */ 147 148 /* Handshake */ 149 hs_start = pos; 150 /* HandshakeType msg_type */ 151 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 152 /* uint24 length (to be filled) */ 153 hs_length = pos; 154 pos += 3; 155 /* body - Certificate */ 156 /* uint24 length (to be filled) */ 157 cert_start = pos; 158 pos += 3; 159 cert = conn->cred ? conn->cred->cert : NULL; 160 while (cert) { 161 if (pos + 3 + cert->cert_len > end) { 162 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 163 "for Certificate (cert_len=%lu left=%lu)", 164 (unsigned long) cert->cert_len, 165 (unsigned long) (end - pos)); 166 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 167 TLS_ALERT_INTERNAL_ERROR); 168 return -1; 169 } 170 WPA_PUT_BE24(pos, cert->cert_len); 171 pos += 3; 172 os_memcpy(pos, cert->cert_start, cert->cert_len); 173 pos += cert->cert_len; 174 175 if (x509_certificate_self_signed(cert)) 176 break; 177 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 178 &cert->issuer); 179 } 180 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 181 /* 182 * Client was not configured with all the needed certificates 183 * to form a full certificate chain. The server may fail to 184 * validate the chain unless it is configured with all the 185 * missing CA certificates. 186 */ 187 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 188 "not configured - validation may fail"); 189 } 190 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 191 192 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 193 194 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 195 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 196 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 197 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 198 TLS_ALERT_INTERNAL_ERROR); 199 return -1; 200 } 201 pos = rhdr + rlen; 202 203 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 204 205 *msgpos = pos; 206 207 return 0; 208} 209 210 211static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 212{ 213 /* ClientDiffieHellmanPublic */ 214 u8 *csecret, *csecret_start, *dh_yc, *shared; 215 size_t csecret_len, dh_yc_len, shared_len; 216 217 csecret_len = conn->dh_p_len; 218 csecret = os_malloc(csecret_len); 219 if (csecret == NULL) { 220 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 221 "memory for Yc (Diffie-Hellman)"); 222 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 223 TLS_ALERT_INTERNAL_ERROR); 224 return -1; 225 } 226 if (random_get_bytes(csecret, csecret_len)) { 227 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 228 "data for Diffie-Hellman"); 229 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 230 TLS_ALERT_INTERNAL_ERROR); 231 os_free(csecret); 232 return -1; 233 } 234 235 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 236 csecret[0] = 0; /* make sure Yc < p */ 237 238 csecret_start = csecret; 239 while (csecret_len > 1 && *csecret_start == 0) { 240 csecret_start++; 241 csecret_len--; 242 } 243 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 244 csecret_start, csecret_len); 245 246 /* Yc = g^csecret mod p */ 247 dh_yc_len = conn->dh_p_len; 248 dh_yc = os_malloc(dh_yc_len); 249 if (dh_yc == NULL) { 250 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 251 "memory for Diffie-Hellman"); 252 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 253 TLS_ALERT_INTERNAL_ERROR); 254 os_free(csecret); 255 return -1; 256 } 257 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 258 csecret_start, csecret_len, 259 conn->dh_p, conn->dh_p_len, 260 dh_yc, &dh_yc_len)) { 261 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 262 TLS_ALERT_INTERNAL_ERROR); 263 os_free(csecret); 264 os_free(dh_yc); 265 return -1; 266 } 267 268 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 269 dh_yc, dh_yc_len); 270 271 WPA_PUT_BE16(*pos, dh_yc_len); 272 *pos += 2; 273 if (*pos + dh_yc_len > end) { 274 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 275 "message buffer for Yc"); 276 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 277 TLS_ALERT_INTERNAL_ERROR); 278 os_free(csecret); 279 os_free(dh_yc); 280 return -1; 281 } 282 os_memcpy(*pos, dh_yc, dh_yc_len); 283 *pos += dh_yc_len; 284 os_free(dh_yc); 285 286 shared_len = conn->dh_p_len; 287 shared = os_malloc(shared_len); 288 if (shared == NULL) { 289 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 290 "DH"); 291 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 292 TLS_ALERT_INTERNAL_ERROR); 293 os_free(csecret); 294 return -1; 295 } 296 297 /* shared = Ys^csecret mod p */ 298 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 299 csecret_start, csecret_len, 300 conn->dh_p, conn->dh_p_len, 301 shared, &shared_len)) { 302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 303 TLS_ALERT_INTERNAL_ERROR); 304 os_free(csecret); 305 os_free(shared); 306 return -1; 307 } 308 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 309 shared, shared_len); 310 311 os_memset(csecret_start, 0, csecret_len); 312 os_free(csecret); 313 if (tls_derive_keys(conn, shared, shared_len)) { 314 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 315 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 316 TLS_ALERT_INTERNAL_ERROR); 317 os_free(shared); 318 return -1; 319 } 320 os_memset(shared, 0, shared_len); 321 os_free(shared); 322 tlsv1_client_free_dh(conn); 323 return 0; 324} 325 326 327static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 328{ 329 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 330 size_t clen; 331 int res; 332 333 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 334 tls_derive_keys(conn, pre_master_secret, 335 TLS_PRE_MASTER_SECRET_LEN)) { 336 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 337 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 338 TLS_ALERT_INTERNAL_ERROR); 339 return -1; 340 } 341 342 /* EncryptedPreMasterSecret */ 343 if (conn->server_rsa_key == NULL) { 344 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 345 "use for encrypting pre-master secret"); 346 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 347 TLS_ALERT_INTERNAL_ERROR); 348 return -1; 349 } 350 351 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 352 *pos += 2; 353 clen = end - *pos; 354 res = crypto_public_key_encrypt_pkcs1_v15( 355 conn->server_rsa_key, 356 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 357 *pos, &clen); 358 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 359 if (res < 0) { 360 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 361 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 362 TLS_ALERT_INTERNAL_ERROR); 363 return -1; 364 } 365 WPA_PUT_BE16(*pos - 2, clen); 366 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 367 *pos, clen); 368 *pos += clen; 369 370 return 0; 371} 372 373 374static int tls_write_client_key_exchange(struct tlsv1_client *conn, 375 u8 **msgpos, u8 *end) 376{ 377 u8 *pos, *rhdr, *hs_start, *hs_length; 378 size_t rlen; 379 tls_key_exchange keyx; 380 const struct tls_cipher_suite *suite; 381 382 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 383 if (suite == NULL) 384 keyx = TLS_KEY_X_NULL; 385 else 386 keyx = suite->key_exchange; 387 388 pos = *msgpos; 389 390 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 391 392 rhdr = pos; 393 pos += TLS_RECORD_HEADER_LEN; 394 395 /* opaque fragment[TLSPlaintext.length] */ 396 397 /* Handshake */ 398 hs_start = pos; 399 /* HandshakeType msg_type */ 400 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 401 /* uint24 length (to be filled) */ 402 hs_length = pos; 403 pos += 3; 404 /* body - ClientKeyExchange */ 405 if (keyx == TLS_KEY_X_DH_anon) { 406 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0) 407 return -1; 408 } else { 409 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 410 return -1; 411 } 412 413 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 414 415 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 416 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 417 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 418 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 419 TLS_ALERT_INTERNAL_ERROR); 420 return -1; 421 } 422 pos = rhdr + rlen; 423 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 424 425 *msgpos = pos; 426 427 return 0; 428} 429 430 431static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 432 u8 **msgpos, u8 *end) 433{ 434 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 435 size_t rlen, hlen, clen; 436 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 437 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 438 439 pos = *msgpos; 440 441 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 442 rhdr = pos; 443 pos += TLS_RECORD_HEADER_LEN; 444 445 /* Handshake */ 446 hs_start = pos; 447 /* HandshakeType msg_type */ 448 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 449 /* uint24 length (to be filled) */ 450 hs_length = pos; 451 pos += 3; 452 453 /* 454 * RFC 2246: 7.4.3 and 7.4.8: 455 * Signature signature 456 * 457 * RSA: 458 * digitally-signed struct { 459 * opaque md5_hash[16]; 460 * opaque sha_hash[20]; 461 * }; 462 * 463 * DSA: 464 * digitally-signed struct { 465 * opaque sha_hash[20]; 466 * }; 467 * 468 * The hash values are calculated over all handshake messages sent or 469 * received starting at ClientHello up to, but not including, this 470 * CertificateVerify message, including the type and length fields of 471 * the handshake messages. 472 */ 473 474 hpos = hash; 475 476 if (alg == SIGN_ALG_RSA) { 477 hlen = MD5_MAC_LEN; 478 if (conn->verify.md5_cert == NULL || 479 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 480 { 481 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 482 TLS_ALERT_INTERNAL_ERROR); 483 conn->verify.md5_cert = NULL; 484 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 485 conn->verify.sha1_cert = NULL; 486 return -1; 487 } 488 hpos += MD5_MAC_LEN; 489 } else 490 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 491 492 conn->verify.md5_cert = NULL; 493 hlen = SHA1_MAC_LEN; 494 if (conn->verify.sha1_cert == NULL || 495 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 496 conn->verify.sha1_cert = NULL; 497 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 498 TLS_ALERT_INTERNAL_ERROR); 499 return -1; 500 } 501 conn->verify.sha1_cert = NULL; 502 503 if (alg == SIGN_ALG_RSA) 504 hlen += MD5_MAC_LEN; 505 506 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 507 508 /* 509 * RFC 2246, 4.7: 510 * In digital signing, one-way hash functions are used as input for a 511 * signing algorithm. A digitally-signed element is encoded as an 512 * opaque vector <0..2^16-1>, where the length is specified by the 513 * signing algorithm and key. 514 * 515 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 516 * MD5) is signed (encrypted with the private key). It is encoded with 517 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 518 */ 519 signed_start = pos; /* length to be filled */ 520 pos += 2; 521 clen = end - pos; 522 if (conn->cred == NULL || 523 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 524 pos, &clen) < 0) { 525 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 526 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 527 TLS_ALERT_INTERNAL_ERROR); 528 return -1; 529 } 530 WPA_PUT_BE16(signed_start, clen); 531 532 pos += clen; 533 534 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 535 536 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 537 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 538 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 539 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 540 TLS_ALERT_INTERNAL_ERROR); 541 return -1; 542 } 543 pos = rhdr + rlen; 544 545 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 546 547 *msgpos = pos; 548 549 return 0; 550} 551 552 553static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 554 u8 **msgpos, u8 *end) 555{ 556 u8 *pos, *rhdr; 557 size_t rlen; 558 559 pos = *msgpos; 560 561 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 562 rhdr = pos; 563 pos += TLS_RECORD_HEADER_LEN; 564 *pos = TLS_CHANGE_CIPHER_SPEC; 565 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 566 rhdr, end - rhdr, 1, &rlen) < 0) { 567 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 568 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 569 TLS_ALERT_INTERNAL_ERROR); 570 return -1; 571 } 572 573 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 574 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 575 "record layer"); 576 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 577 TLS_ALERT_INTERNAL_ERROR); 578 return -1; 579 } 580 581 *msgpos = rhdr + rlen; 582 583 return 0; 584} 585 586 587static int tls_write_client_finished(struct tlsv1_client *conn, 588 u8 **msgpos, u8 *end) 589{ 590 u8 *pos, *rhdr, *hs_start, *hs_length; 591 size_t rlen, hlen; 592 u8 verify_data[TLS_VERIFY_DATA_LEN]; 593 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 594 595 pos = *msgpos; 596 597 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 598 599 /* Encrypted Handshake Message: Finished */ 600 601 hlen = MD5_MAC_LEN; 602 if (conn->verify.md5_client == NULL || 603 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 604 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 605 TLS_ALERT_INTERNAL_ERROR); 606 conn->verify.md5_client = NULL; 607 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 608 conn->verify.sha1_client = NULL; 609 return -1; 610 } 611 conn->verify.md5_client = NULL; 612 hlen = SHA1_MAC_LEN; 613 if (conn->verify.sha1_client == NULL || 614 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 615 &hlen) < 0) { 616 conn->verify.sha1_client = NULL; 617 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 618 TLS_ALERT_INTERNAL_ERROR); 619 return -1; 620 } 621 conn->verify.sha1_client = NULL; 622 623 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 624 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 625 verify_data, TLS_VERIFY_DATA_LEN)) { 626 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 627 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 628 TLS_ALERT_INTERNAL_ERROR); 629 return -1; 630 } 631 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 632 verify_data, TLS_VERIFY_DATA_LEN); 633 634 rhdr = pos; 635 pos += TLS_RECORD_HEADER_LEN; 636 /* Handshake */ 637 hs_start = pos; 638 /* HandshakeType msg_type */ 639 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 640 /* uint24 length (to be filled) */ 641 hs_length = pos; 642 pos += 3; 643 os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN); 644 pos += TLS_VERIFY_DATA_LEN; 645 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 646 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 647 648 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 649 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 650 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 651 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 652 TLS_ALERT_INTERNAL_ERROR); 653 return -1; 654 } 655 656 pos = rhdr + rlen; 657 658 *msgpos = pos; 659 660 return 0; 661} 662 663 664static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 665 size_t *out_len) 666{ 667 u8 *msg, *end, *pos; 668 size_t msglen; 669 670 *out_len = 0; 671 672 msglen = 2000; 673 if (conn->certificate_requested) 674 msglen += tls_client_cert_chain_der_len(conn); 675 676 msg = os_malloc(msglen); 677 if (msg == NULL) 678 return NULL; 679 680 pos = msg; 681 end = msg + msglen; 682 683 if (conn->certificate_requested) { 684 if (tls_write_client_certificate(conn, &pos, end) < 0) { 685 os_free(msg); 686 return NULL; 687 } 688 } 689 690 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 691 (conn->certificate_requested && conn->cred && conn->cred->key && 692 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 693 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 694 tls_write_client_finished(conn, &pos, end) < 0) { 695 os_free(msg); 696 return NULL; 697 } 698 699 *out_len = pos - msg; 700 701 conn->state = SERVER_CHANGE_CIPHER_SPEC; 702 703 return msg; 704} 705 706 707static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 708 size_t *out_len) 709{ 710 u8 *msg, *end, *pos; 711 712 *out_len = 0; 713 714 msg = os_malloc(1000); 715 if (msg == NULL) 716 return NULL; 717 718 pos = msg; 719 end = msg + 1000; 720 721 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 722 tls_write_client_finished(conn, &pos, end) < 0) { 723 os_free(msg); 724 return NULL; 725 } 726 727 *out_len = pos - msg; 728 729 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 730 "successfully"); 731 conn->state = ESTABLISHED; 732 733 return msg; 734} 735 736 737u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 738 int no_appl_data) 739{ 740 switch (conn->state) { 741 case CLIENT_KEY_EXCHANGE: 742 return tls_send_client_key_exchange(conn, out_len); 743 case CHANGE_CIPHER_SPEC: 744 return tls_send_change_cipher_spec(conn, out_len); 745 case ACK_FINISHED: 746 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 747 "successfully"); 748 conn->state = ESTABLISHED; 749 *out_len = 0; 750 if (no_appl_data) { 751 /* Need to return something to get final TLS ACK. */ 752 return os_malloc(1); 753 } 754 return NULL; 755 default: 756 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 757 "generating reply", conn->state); 758 return NULL; 759 } 760} 761 762 763u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 764 u8 description, size_t *out_len) 765{ 766 u8 *alert, *pos, *length; 767 768 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 769 *out_len = 0; 770 771 alert = os_malloc(10); 772 if (alert == NULL) 773 return NULL; 774 775 pos = alert; 776 777 /* TLSPlaintext */ 778 /* ContentType type */ 779 *pos++ = TLS_CONTENT_TYPE_ALERT; 780 /* ProtocolVersion version */ 781 WPA_PUT_BE16(pos, TLS_VERSION); 782 pos += 2; 783 /* uint16 length (to be filled) */ 784 length = pos; 785 pos += 2; 786 /* opaque fragment[TLSPlaintext.length] */ 787 788 /* Alert */ 789 /* AlertLevel level */ 790 *pos++ = level; 791 /* AlertDescription description */ 792 *pos++ = description; 793 794 WPA_PUT_BE16(length, pos - length - 2); 795 *out_len = pos - alert; 796 797 return alert; 798} 799