tlsv1_server_write.c revision 1f69aa52ea2e0a73ac502565df8c666ee49cab6a
1/* 2 * TLSv1 server - write handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "includes.h" 16 17#include "common.h" 18#include "crypto/md5.h" 19#include "crypto/sha1.h" 20#include "crypto/sha256.h" 21#include "crypto/tls.h" 22#include "crypto/random.h" 23#include "x509v3.h" 24#include "tlsv1_common.h" 25#include "tlsv1_record.h" 26#include "tlsv1_server.h" 27#include "tlsv1_server_i.h" 28 29 30static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn) 31{ 32 size_t len = 0; 33 struct x509_certificate *cert; 34 35 cert = conn->cred->cert; 36 while (cert) { 37 len += 3 + cert->cert_len; 38 if (x509_certificate_self_signed(cert)) 39 break; 40 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 41 &cert->issuer); 42 } 43 44 return len; 45} 46 47 48static int tls_write_server_hello(struct tlsv1_server *conn, 49 u8 **msgpos, u8 *end) 50{ 51 u8 *pos, *rhdr, *hs_start, *hs_length; 52 struct os_time now; 53 size_t rlen; 54 55 pos = *msgpos; 56 57 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello"); 58 rhdr = pos; 59 pos += TLS_RECORD_HEADER_LEN; 60 61 os_get_time(&now); 62 WPA_PUT_BE32(conn->server_random, now.sec); 63 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) { 64 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 65 "server_random"); 66 return -1; 67 } 68 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 69 conn->server_random, TLS_RANDOM_LEN); 70 71 conn->session_id_len = TLS_SESSION_ID_MAX_LEN; 72 if (random_get_bytes(conn->session_id, conn->session_id_len)) { 73 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 74 "session_id"); 75 return -1; 76 } 77 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 78 conn->session_id, conn->session_id_len); 79 80 /* opaque fragment[TLSPlaintext.length] */ 81 82 /* Handshake */ 83 hs_start = pos; 84 /* HandshakeType msg_type */ 85 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO; 86 /* uint24 length (to be filled) */ 87 hs_length = pos; 88 pos += 3; 89 /* body - ServerHello */ 90 /* ProtocolVersion server_version */ 91 WPA_PUT_BE16(pos, conn->rl.tls_version); 92 pos += 2; 93 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 94 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN); 95 pos += TLS_RANDOM_LEN; 96 /* SessionID session_id */ 97 *pos++ = conn->session_id_len; 98 os_memcpy(pos, conn->session_id, conn->session_id_len); 99 pos += conn->session_id_len; 100 /* CipherSuite cipher_suite */ 101 WPA_PUT_BE16(pos, conn->cipher_suite); 102 pos += 2; 103 /* CompressionMethod compression_method */ 104 *pos++ = TLS_COMPRESSION_NULL; 105 106 if (conn->session_ticket && conn->session_ticket_cb) { 107 int res = conn->session_ticket_cb( 108 conn->session_ticket_cb_ctx, 109 conn->session_ticket, conn->session_ticket_len, 110 conn->client_random, conn->server_random, 111 conn->master_secret); 112 if (res < 0) { 113 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 114 "indicated failure"); 115 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 116 TLS_ALERT_HANDSHAKE_FAILURE); 117 return -1; 118 } 119 conn->use_session_ticket = res; 120 121 if (conn->use_session_ticket) { 122 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) { 123 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 124 "derive keys"); 125 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 126 TLS_ALERT_INTERNAL_ERROR); 127 return -1; 128 } 129 } 130 131 /* 132 * RFC 4507 specifies that server would include an empty 133 * SessionTicket extension in ServerHello and a 134 * NewSessionTicket message after the ServerHello. However, 135 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket 136 * extension at the moment, does not use such extensions. 137 * 138 * TODO: Add support for configuring RFC 4507 behavior and make 139 * EAP-FAST disable it. 140 */ 141 } 142 143 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 144 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 145 146 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 147 rhdr, end - rhdr, hs_start, pos - hs_start, 148 &rlen) < 0) { 149 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 150 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 151 TLS_ALERT_INTERNAL_ERROR); 152 return -1; 153 } 154 pos = rhdr + rlen; 155 156 *msgpos = pos; 157 158 return 0; 159} 160 161 162static int tls_write_server_certificate(struct tlsv1_server *conn, 163 u8 **msgpos, u8 *end) 164{ 165 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 166 size_t rlen; 167 struct x509_certificate *cert; 168 const struct tls_cipher_suite *suite; 169 170 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 171 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 172 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when " 173 "using anonymous DH"); 174 return 0; 175 } 176 177 pos = *msgpos; 178 179 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 180 rhdr = pos; 181 pos += TLS_RECORD_HEADER_LEN; 182 183 /* opaque fragment[TLSPlaintext.length] */ 184 185 /* Handshake */ 186 hs_start = pos; 187 /* HandshakeType msg_type */ 188 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 189 /* uint24 length (to be filled) */ 190 hs_length = pos; 191 pos += 3; 192 /* body - Certificate */ 193 /* uint24 length (to be filled) */ 194 cert_start = pos; 195 pos += 3; 196 cert = conn->cred->cert; 197 while (cert) { 198 if (pos + 3 + cert->cert_len > end) { 199 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 200 "for Certificate (cert_len=%lu left=%lu)", 201 (unsigned long) cert->cert_len, 202 (unsigned long) (end - pos)); 203 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 204 TLS_ALERT_INTERNAL_ERROR); 205 return -1; 206 } 207 WPA_PUT_BE24(pos, cert->cert_len); 208 pos += 3; 209 os_memcpy(pos, cert->cert_start, cert->cert_len); 210 pos += cert->cert_len; 211 212 if (x509_certificate_self_signed(cert)) 213 break; 214 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 215 &cert->issuer); 216 } 217 if (cert == conn->cred->cert || cert == NULL) { 218 /* 219 * Server was not configured with all the needed certificates 220 * to form a full certificate chain. The client may fail to 221 * validate the chain unless it is configured with all the 222 * missing CA certificates. 223 */ 224 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain " 225 "not configured - validation may fail"); 226 } 227 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 228 229 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 230 231 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 232 rhdr, end - rhdr, hs_start, pos - hs_start, 233 &rlen) < 0) { 234 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 235 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 236 TLS_ALERT_INTERNAL_ERROR); 237 return -1; 238 } 239 pos = rhdr + rlen; 240 241 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 242 243 *msgpos = pos; 244 245 return 0; 246} 247 248 249static int tls_write_server_key_exchange(struct tlsv1_server *conn, 250 u8 **msgpos, u8 *end) 251{ 252 tls_key_exchange keyx; 253 const struct tls_cipher_suite *suite; 254 u8 *pos, *rhdr, *hs_start, *hs_length; 255 size_t rlen; 256 u8 *dh_ys; 257 size_t dh_ys_len; 258 259 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 260 if (suite == NULL) 261 keyx = TLS_KEY_X_NULL; 262 else 263 keyx = suite->key_exchange; 264 265 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 266 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed"); 267 return 0; 268 } 269 270 if (keyx != TLS_KEY_X_DH_anon) { 271 /* TODO? */ 272 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet " 273 "supported with key exchange type %d", keyx); 274 return -1; 275 } 276 277 if (conn->cred == NULL || conn->cred->dh_p == NULL || 278 conn->cred->dh_g == NULL) { 279 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for " 280 "ServerKeyExhcange"); 281 return -1; 282 } 283 284 os_free(conn->dh_secret); 285 conn->dh_secret_len = conn->cred->dh_p_len; 286 conn->dh_secret = os_malloc(conn->dh_secret_len); 287 if (conn->dh_secret == NULL) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 289 "memory for secret (Diffie-Hellman)"); 290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 291 TLS_ALERT_INTERNAL_ERROR); 292 return -1; 293 } 294 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) { 295 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 296 "data for Diffie-Hellman"); 297 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 298 TLS_ALERT_INTERNAL_ERROR); 299 os_free(conn->dh_secret); 300 conn->dh_secret = NULL; 301 return -1; 302 } 303 304 if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) > 305 0) 306 conn->dh_secret[0] = 0; /* make sure secret < p */ 307 308 pos = conn->dh_secret; 309 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0) 310 pos++; 311 if (pos != conn->dh_secret) { 312 os_memmove(conn->dh_secret, pos, 313 conn->dh_secret_len - (pos - conn->dh_secret)); 314 conn->dh_secret_len -= pos - conn->dh_secret; 315 } 316 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value", 317 conn->dh_secret, conn->dh_secret_len); 318 319 /* Ys = g^secret mod p */ 320 dh_ys_len = conn->cred->dh_p_len; 321 dh_ys = os_malloc(dh_ys_len); 322 if (dh_ys == NULL) { 323 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for " 324 "Diffie-Hellman"); 325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_INTERNAL_ERROR); 327 return -1; 328 } 329 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len, 330 conn->dh_secret, conn->dh_secret_len, 331 conn->cred->dh_p, conn->cred->dh_p_len, 332 dh_ys, &dh_ys_len)) { 333 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 334 TLS_ALERT_INTERNAL_ERROR); 335 os_free(dh_ys); 336 return -1; 337 } 338 339 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 340 dh_ys, dh_ys_len); 341 342 /* 343 * struct { 344 * select (KeyExchangeAlgorithm) { 345 * case diffie_hellman: 346 * ServerDHParams params; 347 * Signature signed_params; 348 * case rsa: 349 * ServerRSAParams params; 350 * Signature signed_params; 351 * }; 352 * } ServerKeyExchange; 353 * 354 * struct { 355 * opaque dh_p<1..2^16-1>; 356 * opaque dh_g<1..2^16-1>; 357 * opaque dh_Ys<1..2^16-1>; 358 * } ServerDHParams; 359 */ 360 361 pos = *msgpos; 362 363 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange"); 364 rhdr = pos; 365 pos += TLS_RECORD_HEADER_LEN; 366 367 /* opaque fragment[TLSPlaintext.length] */ 368 369 /* Handshake */ 370 hs_start = pos; 371 /* HandshakeType msg_type */ 372 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE; 373 /* uint24 length (to be filled) */ 374 hs_length = pos; 375 pos += 3; 376 377 /* body - ServerDHParams */ 378 /* dh_p */ 379 if (pos + 2 + conn->cred->dh_p_len > end) { 380 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 381 "dh_p"); 382 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 383 TLS_ALERT_INTERNAL_ERROR); 384 os_free(dh_ys); 385 return -1; 386 } 387 WPA_PUT_BE16(pos, conn->cred->dh_p_len); 388 pos += 2; 389 os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len); 390 pos += conn->cred->dh_p_len; 391 392 /* dh_g */ 393 if (pos + 2 + conn->cred->dh_g_len > end) { 394 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 395 "dh_g"); 396 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 397 TLS_ALERT_INTERNAL_ERROR); 398 os_free(dh_ys); 399 return -1; 400 } 401 WPA_PUT_BE16(pos, conn->cred->dh_g_len); 402 pos += 2; 403 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len); 404 pos += conn->cred->dh_g_len; 405 406 /* dh_Ys */ 407 if (pos + 2 + dh_ys_len > end) { 408 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 409 "dh_Ys"); 410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 411 TLS_ALERT_INTERNAL_ERROR); 412 os_free(dh_ys); 413 return -1; 414 } 415 WPA_PUT_BE16(pos, dh_ys_len); 416 pos += 2; 417 os_memcpy(pos, dh_ys, dh_ys_len); 418 pos += dh_ys_len; 419 os_free(dh_ys); 420 421 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 422 423 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 424 rhdr, end - rhdr, hs_start, pos - hs_start, 425 &rlen) < 0) { 426 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 427 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 428 TLS_ALERT_INTERNAL_ERROR); 429 return -1; 430 } 431 pos = rhdr + rlen; 432 433 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 434 435 *msgpos = pos; 436 437 return 0; 438} 439 440 441static int tls_write_server_certificate_request(struct tlsv1_server *conn, 442 u8 **msgpos, u8 *end) 443{ 444 u8 *pos, *rhdr, *hs_start, *hs_length; 445 size_t rlen; 446 447 if (!conn->verify_peer) { 448 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed"); 449 return 0; 450 } 451 452 pos = *msgpos; 453 454 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest"); 455 rhdr = pos; 456 pos += TLS_RECORD_HEADER_LEN; 457 458 /* opaque fragment[TLSPlaintext.length] */ 459 460 /* Handshake */ 461 hs_start = pos; 462 /* HandshakeType msg_type */ 463 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST; 464 /* uint24 length (to be filled) */ 465 hs_length = pos; 466 pos += 3; 467 /* body - CertificateRequest */ 468 469 /* 470 * enum { 471 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 472 * (255) 473 * } ClientCertificateType; 474 * ClientCertificateType certificate_types<1..2^8-1> 475 */ 476 *pos++ = 1; 477 *pos++ = 1; /* rsa_sign */ 478 479 /* 480 * opaque DistinguishedName<1..2^16-1> 481 * DistinguishedName certificate_authorities<3..2^16-1> 482 */ 483 /* TODO: add support for listing DNs for trusted CAs */ 484 WPA_PUT_BE16(pos, 0); 485 pos += 2; 486 487 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 488 489 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 490 rhdr, end - rhdr, hs_start, pos - hs_start, 491 &rlen) < 0) { 492 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 493 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 494 TLS_ALERT_INTERNAL_ERROR); 495 return -1; 496 } 497 pos = rhdr + rlen; 498 499 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 500 501 *msgpos = pos; 502 503 return 0; 504} 505 506 507static int tls_write_server_hello_done(struct tlsv1_server *conn, 508 u8 **msgpos, u8 *end) 509{ 510 u8 *pos; 511 size_t rlen; 512 u8 payload[4]; 513 514 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone"); 515 516 /* opaque fragment[TLSPlaintext.length] */ 517 518 /* Handshake */ 519 pos = payload; 520 /* HandshakeType msg_type */ 521 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE; 522 /* uint24 length */ 523 WPA_PUT_BE24(pos, 0); 524 pos += 3; 525 /* body - ServerHelloDone (empty) */ 526 527 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 528 *msgpos, end - *msgpos, payload, pos - payload, 529 &rlen) < 0) { 530 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 531 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 532 TLS_ALERT_INTERNAL_ERROR); 533 return -1; 534 } 535 536 tls_verify_hash_add(&conn->verify, payload, pos - payload); 537 538 *msgpos += rlen; 539 540 return 0; 541} 542 543 544static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn, 545 u8 **msgpos, u8 *end) 546{ 547 size_t rlen; 548 u8 payload[1]; 549 550 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 551 552 payload[0] = TLS_CHANGE_CIPHER_SPEC; 553 554 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 555 *msgpos, end - *msgpos, payload, sizeof(payload), 556 &rlen) < 0) { 557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 559 TLS_ALERT_INTERNAL_ERROR); 560 return -1; 561 } 562 563 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 564 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 565 "record layer"); 566 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 567 TLS_ALERT_INTERNAL_ERROR); 568 return -1; 569 } 570 571 *msgpos += rlen; 572 573 return 0; 574} 575 576 577static int tls_write_server_finished(struct tlsv1_server *conn, 578 u8 **msgpos, u8 *end) 579{ 580 u8 *pos, *hs_start; 581 size_t rlen, hlen; 582 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 583 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 584 585 pos = *msgpos; 586 587 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 588 589 /* Encrypted Handshake Message: Finished */ 590 591#ifdef CONFIG_TLSV12 592 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 593 hlen = SHA256_MAC_LEN; 594 if (conn->verify.sha256_server == NULL || 595 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 596 < 0) { 597 conn->verify.sha256_server = NULL; 598 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 599 TLS_ALERT_INTERNAL_ERROR); 600 return -1; 601 } 602 conn->verify.sha256_server = NULL; 603 } else { 604#endif /* CONFIG_TLSV12 */ 605 606 hlen = MD5_MAC_LEN; 607 if (conn->verify.md5_server == NULL || 608 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 609 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 610 TLS_ALERT_INTERNAL_ERROR); 611 conn->verify.md5_server = NULL; 612 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 613 conn->verify.sha1_server = NULL; 614 return -1; 615 } 616 conn->verify.md5_server = NULL; 617 hlen = SHA1_MAC_LEN; 618 if (conn->verify.sha1_server == NULL || 619 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 620 &hlen) < 0) { 621 conn->verify.sha1_server = NULL; 622 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 623 TLS_ALERT_INTERNAL_ERROR); 624 return -1; 625 } 626 conn->verify.sha1_server = NULL; 627 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 628 629#ifdef CONFIG_TLSV12 630 } 631#endif /* CONFIG_TLSV12 */ 632 633 if (tls_prf(conn->rl.tls_version, 634 conn->master_secret, TLS_MASTER_SECRET_LEN, 635 "server finished", hash, hlen, 636 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 637 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 638 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 639 TLS_ALERT_INTERNAL_ERROR); 640 return -1; 641 } 642 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 643 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 644 645 /* Handshake */ 646 pos = hs_start = verify_data; 647 /* HandshakeType msg_type */ 648 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 649 /* uint24 length */ 650 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 651 pos += 3; 652 pos += TLS_VERIFY_DATA_LEN; 653 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 654 655 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 656 *msgpos, end - *msgpos, hs_start, pos - hs_start, 657 &rlen) < 0) { 658 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 659 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 660 TLS_ALERT_INTERNAL_ERROR); 661 return -1; 662 } 663 664 *msgpos += rlen; 665 666 return 0; 667} 668 669 670static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len) 671{ 672 u8 *msg, *end, *pos; 673 size_t msglen; 674 675 *out_len = 0; 676 677 msglen = 1000 + tls_server_cert_chain_der_len(conn); 678 679 msg = os_malloc(msglen); 680 if (msg == NULL) 681 return NULL; 682 683 pos = msg; 684 end = msg + msglen; 685 686 if (tls_write_server_hello(conn, &pos, end) < 0) { 687 os_free(msg); 688 return NULL; 689 } 690 691 if (conn->use_session_ticket) { 692 /* Abbreviated handshake using session ticket; RFC 4507 */ 693 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 694 tls_write_server_finished(conn, &pos, end) < 0) { 695 os_free(msg); 696 return NULL; 697 } 698 699 *out_len = pos - msg; 700 701 conn->state = CHANGE_CIPHER_SPEC; 702 703 return msg; 704 } 705 706 /* Full handshake */ 707 if (tls_write_server_certificate(conn, &pos, end) < 0 || 708 tls_write_server_key_exchange(conn, &pos, end) < 0 || 709 tls_write_server_certificate_request(conn, &pos, end) < 0 || 710 tls_write_server_hello_done(conn, &pos, end) < 0) { 711 os_free(msg); 712 return NULL; 713 } 714 715 *out_len = pos - msg; 716 717 conn->state = CLIENT_CERTIFICATE; 718 719 return msg; 720} 721 722 723static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn, 724 size_t *out_len) 725{ 726 u8 *msg, *end, *pos; 727 728 *out_len = 0; 729 730 msg = os_malloc(1000); 731 if (msg == NULL) 732 return NULL; 733 734 pos = msg; 735 end = msg + 1000; 736 737 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 738 tls_write_server_finished(conn, &pos, end) < 0) { 739 os_free(msg); 740 return NULL; 741 } 742 743 *out_len = pos - msg; 744 745 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully"); 746 conn->state = ESTABLISHED; 747 748 return msg; 749} 750 751 752u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len) 753{ 754 switch (conn->state) { 755 case SERVER_HELLO: 756 return tls_send_server_hello(conn, out_len); 757 case SERVER_CHANGE_CIPHER_SPEC: 758 return tls_send_change_cipher_spec(conn, out_len); 759 default: 760 if (conn->state == ESTABLISHED && conn->use_session_ticket) { 761 /* Abbreviated handshake was already completed. */ 762 return NULL; 763 } 764 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 765 "generating reply", conn->state); 766 return NULL; 767 } 768} 769 770 771u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level, 772 u8 description, size_t *out_len) 773{ 774 u8 *alert, *pos, *length; 775 776 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 777 *out_len = 0; 778 779 alert = os_malloc(10); 780 if (alert == NULL) 781 return NULL; 782 783 pos = alert; 784 785 /* TLSPlaintext */ 786 /* ContentType type */ 787 *pos++ = TLS_CONTENT_TYPE_ALERT; 788 /* ProtocolVersion version */ 789 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 790 TLS_VERSION); 791 pos += 2; 792 /* uint16 length (to be filled) */ 793 length = pos; 794 pos += 2; 795 /* opaque fragment[TLSPlaintext.length] */ 796 797 /* Alert */ 798 /* AlertLevel level */ 799 *pos++ = level; 800 /* AlertDescription description */ 801 *pos++ = description; 802 803 WPA_PUT_BE16(length, pos - length - 2); 804 *out_len = pos - alert; 805 806 return alert; 807} 808