tlsv1_server_write.c revision 818ea489ef32dcdc7c098d8a336d6e1dd8996112
1/* 2 * TLSv1 server - write handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "crypto/random.h" 17#include "x509v3.h" 18#include "tlsv1_common.h" 19#include "tlsv1_record.h" 20#include "tlsv1_server.h" 21#include "tlsv1_server_i.h" 22 23 24static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn) 25{ 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 cert = conn->cred->cert; 30 while (cert) { 31 len += 3 + cert->cert_len; 32 if (x509_certificate_self_signed(cert)) 33 break; 34 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 35 &cert->issuer); 36 } 37 38 return len; 39} 40 41 42static int tls_write_server_hello(struct tlsv1_server *conn, 43 u8 **msgpos, u8 *end) 44{ 45 u8 *pos, *rhdr, *hs_start, *hs_length; 46 struct os_time now; 47 size_t rlen; 48 49 pos = *msgpos; 50 51 tlsv1_server_log(conn, "Send ServerHello"); 52 rhdr = pos; 53 pos += TLS_RECORD_HEADER_LEN; 54 55 os_get_time(&now); 56 WPA_PUT_BE32(conn->server_random, now.sec); 57 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) { 58 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 59 "server_random"); 60 return -1; 61 } 62 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 63 conn->server_random, TLS_RANDOM_LEN); 64 65 conn->session_id_len = TLS_SESSION_ID_MAX_LEN; 66 if (random_get_bytes(conn->session_id, conn->session_id_len)) { 67 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 68 "session_id"); 69 return -1; 70 } 71 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 72 conn->session_id, conn->session_id_len); 73 74 /* opaque fragment[TLSPlaintext.length] */ 75 76 /* Handshake */ 77 hs_start = pos; 78 /* HandshakeType msg_type */ 79 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO; 80 /* uint24 length (to be filled) */ 81 hs_length = pos; 82 pos += 3; 83 /* body - ServerHello */ 84 /* ProtocolVersion server_version */ 85 WPA_PUT_BE16(pos, conn->rl.tls_version); 86 pos += 2; 87 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 88 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN); 89 pos += TLS_RANDOM_LEN; 90 /* SessionID session_id */ 91 *pos++ = conn->session_id_len; 92 os_memcpy(pos, conn->session_id, conn->session_id_len); 93 pos += conn->session_id_len; 94 /* CipherSuite cipher_suite */ 95 WPA_PUT_BE16(pos, conn->cipher_suite); 96 pos += 2; 97 /* CompressionMethod compression_method */ 98 *pos++ = TLS_COMPRESSION_NULL; 99 100 if (conn->session_ticket && conn->session_ticket_cb) { 101 int res = conn->session_ticket_cb( 102 conn->session_ticket_cb_ctx, 103 conn->session_ticket, conn->session_ticket_len, 104 conn->client_random, conn->server_random, 105 conn->master_secret); 106 if (res < 0) { 107 tlsv1_server_log(conn, "SessionTicket callback indicated failure"); 108 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 109 TLS_ALERT_HANDSHAKE_FAILURE); 110 return -1; 111 } 112 conn->use_session_ticket = res; 113 114 if (conn->use_session_ticket) { 115 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) { 116 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 117 "derive keys"); 118 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 119 TLS_ALERT_INTERNAL_ERROR); 120 return -1; 121 } 122 } 123 124 /* 125 * RFC 4507 specifies that server would include an empty 126 * SessionTicket extension in ServerHello and a 127 * NewSessionTicket message after the ServerHello. However, 128 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket 129 * extension at the moment, does not use such extensions. 130 * 131 * TODO: Add support for configuring RFC 4507 behavior and make 132 * EAP-FAST disable it. 133 */ 134 } 135 136 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 137 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 138 139 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 140 rhdr, end - rhdr, hs_start, pos - hs_start, 141 &rlen) < 0) { 142 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 143 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 144 TLS_ALERT_INTERNAL_ERROR); 145 return -1; 146 } 147 pos = rhdr + rlen; 148 149 *msgpos = pos; 150 151 return 0; 152} 153 154 155static int tls_write_server_certificate(struct tlsv1_server *conn, 156 u8 **msgpos, u8 *end) 157{ 158 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 159 size_t rlen; 160 struct x509_certificate *cert; 161 const struct tls_cipher_suite *suite; 162 163 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 164 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 165 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when " 166 "using anonymous DH"); 167 return 0; 168 } 169 170 pos = *msgpos; 171 172 tlsv1_server_log(conn, "Send Certificate"); 173 rhdr = pos; 174 pos += TLS_RECORD_HEADER_LEN; 175 176 /* opaque fragment[TLSPlaintext.length] */ 177 178 /* Handshake */ 179 hs_start = pos; 180 /* HandshakeType msg_type */ 181 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 182 /* uint24 length (to be filled) */ 183 hs_length = pos; 184 pos += 3; 185 /* body - Certificate */ 186 /* uint24 length (to be filled) */ 187 cert_start = pos; 188 pos += 3; 189 cert = conn->cred->cert; 190 while (cert) { 191 if (pos + 3 + cert->cert_len > end) { 192 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 193 "for Certificate (cert_len=%lu left=%lu)", 194 (unsigned long) cert->cert_len, 195 (unsigned long) (end - pos)); 196 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 197 TLS_ALERT_INTERNAL_ERROR); 198 return -1; 199 } 200 WPA_PUT_BE24(pos, cert->cert_len); 201 pos += 3; 202 os_memcpy(pos, cert->cert_start, cert->cert_len); 203 pos += cert->cert_len; 204 205 if (x509_certificate_self_signed(cert)) 206 break; 207 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 208 &cert->issuer); 209 } 210 if (cert == conn->cred->cert || cert == NULL) { 211 /* 212 * Server was not configured with all the needed certificates 213 * to form a full certificate chain. The client may fail to 214 * validate the chain unless it is configured with all the 215 * missing CA certificates. 216 */ 217 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain " 218 "not configured - validation may fail"); 219 } 220 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 221 222 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 223 224 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 225 rhdr, end - rhdr, hs_start, pos - hs_start, 226 &rlen) < 0) { 227 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 228 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 229 TLS_ALERT_INTERNAL_ERROR); 230 return -1; 231 } 232 pos = rhdr + rlen; 233 234 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 235 236 *msgpos = pos; 237 238 return 0; 239} 240 241 242static int tls_write_server_key_exchange(struct tlsv1_server *conn, 243 u8 **msgpos, u8 *end) 244{ 245 tls_key_exchange keyx; 246 const struct tls_cipher_suite *suite; 247 u8 *pos, *rhdr, *hs_start, *hs_length, *server_params; 248 size_t rlen; 249 u8 *dh_ys; 250 size_t dh_ys_len; 251 252 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 253 if (suite == NULL) 254 keyx = TLS_KEY_X_NULL; 255 else 256 keyx = suite->key_exchange; 257 258 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 259 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed"); 260 return 0; 261 } 262 263 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA) { 264 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet " 265 "supported with key exchange type %d", keyx); 266 return -1; 267 } 268 269 if (conn->cred == NULL || conn->cred->dh_p == NULL || 270 conn->cred->dh_g == NULL) { 271 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for " 272 "ServerKeyExhcange"); 273 return -1; 274 } 275 276 os_free(conn->dh_secret); 277 conn->dh_secret_len = conn->cred->dh_p_len; 278 conn->dh_secret = os_malloc(conn->dh_secret_len); 279 if (conn->dh_secret == NULL) { 280 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 281 "memory for secret (Diffie-Hellman)"); 282 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 283 TLS_ALERT_INTERNAL_ERROR); 284 return -1; 285 } 286 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) { 287 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 288 "data for Diffie-Hellman"); 289 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 290 TLS_ALERT_INTERNAL_ERROR); 291 os_free(conn->dh_secret); 292 conn->dh_secret = NULL; 293 return -1; 294 } 295 296 if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) > 297 0) 298 conn->dh_secret[0] = 0; /* make sure secret < p */ 299 300 pos = conn->dh_secret; 301 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0) 302 pos++; 303 if (pos != conn->dh_secret) { 304 os_memmove(conn->dh_secret, pos, 305 conn->dh_secret_len - (pos - conn->dh_secret)); 306 conn->dh_secret_len -= pos - conn->dh_secret; 307 } 308 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value", 309 conn->dh_secret, conn->dh_secret_len); 310 311 /* Ys = g^secret mod p */ 312 dh_ys_len = conn->cred->dh_p_len; 313 dh_ys = os_malloc(dh_ys_len); 314 if (dh_ys == NULL) { 315 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for " 316 "Diffie-Hellman"); 317 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 318 TLS_ALERT_INTERNAL_ERROR); 319 return -1; 320 } 321 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len, 322 conn->dh_secret, conn->dh_secret_len, 323 conn->cred->dh_p, conn->cred->dh_p_len, 324 dh_ys, &dh_ys_len)) { 325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_INTERNAL_ERROR); 327 os_free(dh_ys); 328 return -1; 329 } 330 331 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 332 dh_ys, dh_ys_len); 333 334 /* 335 * struct { 336 * select (KeyExchangeAlgorithm) { 337 * case diffie_hellman: 338 * ServerDHParams params; 339 * Signature signed_params; 340 * case rsa: 341 * ServerRSAParams params; 342 * Signature signed_params; 343 * }; 344 * } ServerKeyExchange; 345 * 346 * struct { 347 * opaque dh_p<1..2^16-1>; 348 * opaque dh_g<1..2^16-1>; 349 * opaque dh_Ys<1..2^16-1>; 350 * } ServerDHParams; 351 */ 352 353 pos = *msgpos; 354 355 tlsv1_server_log(conn, "Send ServerKeyExchange"); 356 rhdr = pos; 357 pos += TLS_RECORD_HEADER_LEN; 358 359 /* opaque fragment[TLSPlaintext.length] */ 360 361 /* Handshake */ 362 hs_start = pos; 363 /* HandshakeType msg_type */ 364 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE; 365 /* uint24 length (to be filled) */ 366 hs_length = pos; 367 pos += 3; 368 369 /* body - ServerDHParams */ 370 server_params = pos; 371 /* dh_p */ 372 if (pos + 2 + conn->cred->dh_p_len > end) { 373 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 374 "dh_p"); 375 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 376 TLS_ALERT_INTERNAL_ERROR); 377 os_free(dh_ys); 378 return -1; 379 } 380 WPA_PUT_BE16(pos, conn->cred->dh_p_len); 381 pos += 2; 382 os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len); 383 pos += conn->cred->dh_p_len; 384 385 /* dh_g */ 386 if (pos + 2 + conn->cred->dh_g_len > end) { 387 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 388 "dh_g"); 389 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 390 TLS_ALERT_INTERNAL_ERROR); 391 os_free(dh_ys); 392 return -1; 393 } 394 WPA_PUT_BE16(pos, conn->cred->dh_g_len); 395 pos += 2; 396 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len); 397 pos += conn->cred->dh_g_len; 398 399 /* dh_Ys */ 400 if (pos + 2 + dh_ys_len > end) { 401 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 402 "dh_Ys"); 403 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 404 TLS_ALERT_INTERNAL_ERROR); 405 os_free(dh_ys); 406 return -1; 407 } 408 WPA_PUT_BE16(pos, dh_ys_len); 409 pos += 2; 410 os_memcpy(pos, dh_ys, dh_ys_len); 411 pos += dh_ys_len; 412 os_free(dh_ys); 413 414 /* 415 * select (SignatureAlgorithm) 416 * { case anonymous: struct { }; 417 * case rsa: 418 * digitally-signed struct { 419 * opaque md5_hash[16]; 420 * opaque sha_hash[20]; 421 * }; 422 * case dsa: 423 * digitally-signed struct { 424 * opaque sha_hash[20]; 425 * }; 426 * } Signature; 427 * 428 * md5_hash 429 * MD5(ClientHello.random + ServerHello.random + ServerParams); 430 * 431 * sha_hash 432 * SHA(ClientHello.random + ServerHello.random + ServerParams); 433 */ 434 435 if (keyx == TLS_KEY_X_DHE_RSA) { 436 u8 hash[100]; 437 u8 *signed_start; 438 size_t clen; 439 int hlen; 440 441 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 442#ifdef CONFIG_TLSV12 443 hlen = tlsv12_key_x_server_params_hash( 444 conn->rl.tls_version, conn->client_random, 445 conn->server_random, server_params, 446 pos - server_params, hash + 19); 447 448 /* 449 * RFC 5246, 4.7: 450 * TLS v1.2 adds explicit indication of the used 451 * signature and hash algorithms. 452 * 453 * struct { 454 * HashAlgorithm hash; 455 * SignatureAlgorithm signature; 456 * } SignatureAndHashAlgorithm; 457 */ 458 if (hlen < 0 || pos + 2 > end) { 459 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 460 TLS_ALERT_INTERNAL_ERROR); 461 return -1; 462 } 463 *pos++ = TLS_HASH_ALG_SHA256; 464 *pos++ = TLS_SIGN_ALG_RSA; 465 466 /* 467 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 468 * 469 * DigestInfo ::= SEQUENCE { 470 * digestAlgorithm DigestAlgorithm, 471 * digest OCTET STRING 472 * } 473 * 474 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 475 * 476 * DER encoded DigestInfo for SHA256 per RFC 3447: 477 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 478 * 04 20 || H 479 */ 480 hlen += 19; 481 os_memcpy(hash, 482 "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 483 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 484 485#else /* CONFIG_TLSV12 */ 486 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 487 TLS_ALERT_INTERNAL_ERROR); 488 return -1; 489#endif /* CONFIG_TLSV12 */ 490 } else { 491 hlen = tls_key_x_server_params_hash( 492 conn->rl.tls_version, conn->client_random, 493 conn->server_random, server_params, 494 pos - server_params, hash); 495 } 496 497 if (hlen < 0) { 498 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 499 TLS_ALERT_INTERNAL_ERROR); 500 return -1; 501 } 502 503 wpa_hexdump(MSG_MSGDUMP, "TLS: ServerKeyExchange signed_params hash", 504 hash, hlen); 505#ifdef CONFIG_TESTING_OPTIONS 506 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_HASH) { 507 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params hash"); 508 hash[hlen - 1] ^= 0x80; 509 } 510#endif /* CONFIG_TESTING_OPTIONS */ 511 512 /* 513 * RFC 2246, 4.7: 514 * In digital signing, one-way hash functions are used as input 515 * for a signing algorithm. A digitally-signed element is 516 * encoded as an opaque vector <0..2^16-1>, where the length is 517 * specified by the signing algorithm and key. 518 * 519 * In RSA signing, a 36-byte structure of two hashes (one SHA 520 * and one MD5) is signed (encrypted with the private key). It 521 * is encoded with PKCS #1 block type 0 or type 1 as described 522 * in [PKCS1]. 523 */ 524 signed_start = pos; /* length to be filled */ 525 pos += 2; 526 clen = end - pos; 527 if (conn->cred == NULL || 528 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 529 pos, &clen) < 0) { 530 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 531 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 532 TLS_ALERT_INTERNAL_ERROR); 533 return -1; 534 } 535 WPA_PUT_BE16(signed_start, clen); 536#ifdef CONFIG_TESTING_OPTIONS 537 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_SIGNATURE) { 538 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params signature"); 539 pos[clen - 1] ^= 0x80; 540 } 541#endif /* CONFIG_TESTING_OPTIONS */ 542 543 pos += clen; 544 } 545 546 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 547 548 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 549 rhdr, end - rhdr, hs_start, pos - hs_start, 550 &rlen) < 0) { 551 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 552 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 553 TLS_ALERT_INTERNAL_ERROR); 554 return -1; 555 } 556 pos = rhdr + rlen; 557 558 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 559 560 *msgpos = pos; 561 562 return 0; 563} 564 565 566static int tls_write_server_certificate_request(struct tlsv1_server *conn, 567 u8 **msgpos, u8 *end) 568{ 569 u8 *pos, *rhdr, *hs_start, *hs_length; 570 size_t rlen; 571 572 if (!conn->verify_peer) { 573 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed"); 574 return 0; 575 } 576 577 pos = *msgpos; 578 579 tlsv1_server_log(conn, "Send CertificateRequest"); 580 rhdr = pos; 581 pos += TLS_RECORD_HEADER_LEN; 582 583 /* opaque fragment[TLSPlaintext.length] */ 584 585 /* Handshake */ 586 hs_start = pos; 587 /* HandshakeType msg_type */ 588 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST; 589 /* uint24 length (to be filled) */ 590 hs_length = pos; 591 pos += 3; 592 /* body - CertificateRequest */ 593 594 /* 595 * enum { 596 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 597 * (255) 598 * } ClientCertificateType; 599 * ClientCertificateType certificate_types<1..2^8-1> 600 */ 601 *pos++ = 1; 602 *pos++ = 1; /* rsa_sign */ 603 604 /* 605 * opaque DistinguishedName<1..2^16-1> 606 * DistinguishedName certificate_authorities<3..2^16-1> 607 */ 608 /* TODO: add support for listing DNs for trusted CAs */ 609 WPA_PUT_BE16(pos, 0); 610 pos += 2; 611 612 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 613 614 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 615 rhdr, end - rhdr, hs_start, pos - hs_start, 616 &rlen) < 0) { 617 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 618 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 619 TLS_ALERT_INTERNAL_ERROR); 620 return -1; 621 } 622 pos = rhdr + rlen; 623 624 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 625 626 *msgpos = pos; 627 628 return 0; 629} 630 631 632static int tls_write_server_hello_done(struct tlsv1_server *conn, 633 u8 **msgpos, u8 *end) 634{ 635 u8 *pos; 636 size_t rlen; 637 u8 payload[4]; 638 639 tlsv1_server_log(conn, "Send ServerHelloDone"); 640 641 /* opaque fragment[TLSPlaintext.length] */ 642 643 /* Handshake */ 644 pos = payload; 645 /* HandshakeType msg_type */ 646 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE; 647 /* uint24 length */ 648 WPA_PUT_BE24(pos, 0); 649 pos += 3; 650 /* body - ServerHelloDone (empty) */ 651 652 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 653 *msgpos, end - *msgpos, payload, pos - payload, 654 &rlen) < 0) { 655 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 656 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 657 TLS_ALERT_INTERNAL_ERROR); 658 return -1; 659 } 660 661 tls_verify_hash_add(&conn->verify, payload, pos - payload); 662 663 *msgpos += rlen; 664 665 return 0; 666} 667 668 669static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn, 670 u8 **msgpos, u8 *end) 671{ 672 size_t rlen; 673 u8 payload[1]; 674 675 tlsv1_server_log(conn, "Send ChangeCipherSpec"); 676 677 payload[0] = TLS_CHANGE_CIPHER_SPEC; 678 679 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 680 *msgpos, end - *msgpos, payload, sizeof(payload), 681 &rlen) < 0) { 682 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 683 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 684 TLS_ALERT_INTERNAL_ERROR); 685 return -1; 686 } 687 688 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 689 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 690 "record layer"); 691 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 692 TLS_ALERT_INTERNAL_ERROR); 693 return -1; 694 } 695 696 *msgpos += rlen; 697 698 return 0; 699} 700 701 702static int tls_write_server_finished(struct tlsv1_server *conn, 703 u8 **msgpos, u8 *end) 704{ 705 u8 *pos, *hs_start; 706 size_t rlen, hlen; 707 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 708 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 709 710 pos = *msgpos; 711 712 tlsv1_server_log(conn, "Send Finished"); 713 714 /* Encrypted Handshake Message: Finished */ 715 716#ifdef CONFIG_TLSV12 717 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 718 hlen = SHA256_MAC_LEN; 719 if (conn->verify.sha256_server == NULL || 720 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 721 < 0) { 722 conn->verify.sha256_server = NULL; 723 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 724 TLS_ALERT_INTERNAL_ERROR); 725 return -1; 726 } 727 conn->verify.sha256_server = NULL; 728 } else { 729#endif /* CONFIG_TLSV12 */ 730 731 hlen = MD5_MAC_LEN; 732 if (conn->verify.md5_server == NULL || 733 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 734 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 735 TLS_ALERT_INTERNAL_ERROR); 736 conn->verify.md5_server = NULL; 737 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 738 conn->verify.sha1_server = NULL; 739 return -1; 740 } 741 conn->verify.md5_server = NULL; 742 hlen = SHA1_MAC_LEN; 743 if (conn->verify.sha1_server == NULL || 744 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 745 &hlen) < 0) { 746 conn->verify.sha1_server = NULL; 747 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 748 TLS_ALERT_INTERNAL_ERROR); 749 return -1; 750 } 751 conn->verify.sha1_server = NULL; 752 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 753 754#ifdef CONFIG_TLSV12 755 } 756#endif /* CONFIG_TLSV12 */ 757 758 if (tls_prf(conn->rl.tls_version, 759 conn->master_secret, TLS_MASTER_SECRET_LEN, 760 "server finished", hash, hlen, 761 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 762 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 763 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 764 TLS_ALERT_INTERNAL_ERROR); 765 return -1; 766 } 767 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 768 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 769#ifdef CONFIG_TESTING_OPTIONS 770 if (conn->test_flags & TLS_BREAK_VERIFY_DATA) { 771 tlsv1_server_log(conn, "TESTING: Break verify_data (server)"); 772 verify_data[1 + 3 + 1] ^= 0x80; 773 } 774#endif /* CONFIG_TESTING_OPTIONS */ 775 776 /* Handshake */ 777 pos = hs_start = verify_data; 778 /* HandshakeType msg_type */ 779 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 780 /* uint24 length */ 781 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 782 pos += 3; 783 pos += TLS_VERIFY_DATA_LEN; 784 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 785 786 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 787 *msgpos, end - *msgpos, hs_start, pos - hs_start, 788 &rlen) < 0) { 789 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 790 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 791 TLS_ALERT_INTERNAL_ERROR); 792 return -1; 793 } 794 795 *msgpos += rlen; 796 797 return 0; 798} 799 800 801static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len) 802{ 803 u8 *msg, *end, *pos; 804 size_t msglen; 805 806 *out_len = 0; 807 808 msglen = 1000 + tls_server_cert_chain_der_len(conn); 809 810 msg = os_malloc(msglen); 811 if (msg == NULL) 812 return NULL; 813 814 pos = msg; 815 end = msg + msglen; 816 817 if (tls_write_server_hello(conn, &pos, end) < 0) { 818 os_free(msg); 819 return NULL; 820 } 821 822 if (conn->use_session_ticket) { 823 /* Abbreviated handshake using session ticket; RFC 4507 */ 824 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 825 tls_write_server_finished(conn, &pos, end) < 0) { 826 os_free(msg); 827 return NULL; 828 } 829 830 *out_len = pos - msg; 831 832 conn->state = CHANGE_CIPHER_SPEC; 833 834 return msg; 835 } 836 837 /* Full handshake */ 838 if (tls_write_server_certificate(conn, &pos, end) < 0 || 839 tls_write_server_key_exchange(conn, &pos, end) < 0 || 840 tls_write_server_certificate_request(conn, &pos, end) < 0 || 841 tls_write_server_hello_done(conn, &pos, end) < 0) { 842 os_free(msg); 843 return NULL; 844 } 845 846 *out_len = pos - msg; 847 848 conn->state = CLIENT_CERTIFICATE; 849 850 return msg; 851} 852 853 854static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn, 855 size_t *out_len) 856{ 857 u8 *msg, *end, *pos; 858 859 *out_len = 0; 860 861 msg = os_malloc(1000); 862 if (msg == NULL) 863 return NULL; 864 865 pos = msg; 866 end = msg + 1000; 867 868 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 869 tls_write_server_finished(conn, &pos, end) < 0) { 870 os_free(msg); 871 return NULL; 872 } 873 874 *out_len = pos - msg; 875 876 tlsv1_server_log(conn, "Handshake completed successfully"); 877 conn->state = ESTABLISHED; 878 879 return msg; 880} 881 882 883u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len) 884{ 885 switch (conn->state) { 886 case SERVER_HELLO: 887 return tls_send_server_hello(conn, out_len); 888 case SERVER_CHANGE_CIPHER_SPEC: 889 return tls_send_change_cipher_spec(conn, out_len); 890 default: 891 if (conn->state == ESTABLISHED && conn->use_session_ticket) { 892 /* Abbreviated handshake was already completed. */ 893 return NULL; 894 } 895 tlsv1_server_log(conn, "Unexpected state %d while generating reply", 896 conn->state); 897 return NULL; 898 } 899} 900 901 902u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level, 903 u8 description, size_t *out_len) 904{ 905 u8 *alert, *pos, *length; 906 907 tlsv1_server_log(conn, "Send Alert(%d:%d)", level, description); 908 *out_len = 0; 909 910 alert = os_malloc(10); 911 if (alert == NULL) 912 return NULL; 913 914 pos = alert; 915 916 /* TLSPlaintext */ 917 /* ContentType type */ 918 *pos++ = TLS_CONTENT_TYPE_ALERT; 919 /* ProtocolVersion version */ 920 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 921 TLS_VERSION); 922 pos += 2; 923 /* uint16 length (to be filled) */ 924 length = pos; 925 pos += 2; 926 /* opaque fragment[TLSPlaintext.length] */ 927 928 /* Alert */ 929 /* AlertLevel level */ 930 *pos++ = level; 931 /* AlertDescription description */ 932 *pos++ = description; 933 934 WPA_PUT_BE16(length, pos - length - 2); 935 *out_len = pos - alert; 936 937 return alert; 938} 939