tlsv1_client_write.c revision d7ff03d48f825360eec2a371e3361306f2fd721b
1/* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "crypto/random.h" 17#include "x509v3.h" 18#include "tlsv1_common.h" 19#include "tlsv1_record.h" 20#include "tlsv1_client.h" 21#include "tlsv1_client_i.h" 22 23 24static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 25{ 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 if (conn->cred == NULL) 30 return 0; 31 32 cert = conn->cred->cert; 33 while (cert) { 34 len += 3 + cert->cert_len; 35 if (x509_certificate_self_signed(cert)) 36 break; 37 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 38 &cert->issuer); 39 } 40 41 return len; 42} 43 44 45u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 46{ 47 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 48 struct os_time now; 49 size_t len, i; 50 u8 *ext_start; 51 u16 tls_version = TLS_VERSION; 52 53 /* Pick the highest locally enabled TLS version */ 54#ifdef CONFIG_TLSV12 55 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 56 tls_version == TLS_VERSION_1_2) 57 tls_version = TLS_VERSION_1_1; 58#endif /* CONFIG_TLSV12 */ 59#ifdef CONFIG_TLSV11 60 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 61 tls_version == TLS_VERSION_1_1) 62 tls_version = TLS_VERSION_1; 63#endif /* CONFIG_TLSV11 */ 64 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 65 tls_version == TLS_VERSION_1) { 66 wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed"); 67 return NULL; 68 } 69 70 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)", 71 tls_version_str(tls_version)); 72 *out_len = 0; 73 74 os_get_time(&now); 75 WPA_PUT_BE32(conn->client_random, now.sec); 76 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 77 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 78 "client_random"); 79 return NULL; 80 } 81 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 82 conn->client_random, TLS_RANDOM_LEN); 83 84 len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 85 hello = os_malloc(len); 86 if (hello == NULL) 87 return NULL; 88 end = hello + len; 89 90 rhdr = hello; 91 pos = rhdr + TLS_RECORD_HEADER_LEN; 92 93 /* opaque fragment[TLSPlaintext.length] */ 94 95 /* Handshake */ 96 hs_start = pos; 97 /* HandshakeType msg_type */ 98 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 99 /* uint24 length (to be filled) */ 100 hs_length = pos; 101 pos += 3; 102 /* body - ClientHello */ 103 /* ProtocolVersion client_version */ 104 WPA_PUT_BE16(pos, tls_version); 105 pos += 2; 106 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 107 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 108 pos += TLS_RANDOM_LEN; 109 /* SessionID session_id */ 110 *pos++ = conn->session_id_len; 111 os_memcpy(pos, conn->session_id, conn->session_id_len); 112 pos += conn->session_id_len; 113 /* CipherSuite cipher_suites<2..2^16-1> */ 114 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 115 pos += 2; 116 for (i = 0; i < conn->num_cipher_suites; i++) { 117 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 118 pos += 2; 119 } 120 /* CompressionMethod compression_methods<1..2^8-1> */ 121 *pos++ = 1; 122 *pos++ = TLS_COMPRESSION_NULL; 123 124 /* Extension */ 125 ext_start = pos; 126 pos += 2; 127 128#ifdef CONFIG_TLSV12 129 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 130 /* 131 * Add signature_algorithms extension since we support only 132 * SHA256 (and not the default SHA1) with TLSv1.2. 133 */ 134 /* ExtensionsType extension_type = signature_algorithms(13) */ 135 WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS); 136 pos += 2; 137 /* opaque extension_data<0..2^16-1> length */ 138 WPA_PUT_BE16(pos, 8); 139 pos += 2; 140 /* supported_signature_algorithms<2..2^16-2> length */ 141 WPA_PUT_BE16(pos, 6); 142 pos += 2; 143 /* supported_signature_algorithms */ 144 *pos++ = TLS_HASH_ALG_SHA512; 145 *pos++ = TLS_SIGN_ALG_RSA; 146 *pos++ = TLS_HASH_ALG_SHA384; 147 *pos++ = TLS_SIGN_ALG_RSA; 148 *pos++ = TLS_HASH_ALG_SHA256; 149 *pos++ = TLS_SIGN_ALG_RSA; 150 } 151#endif /* CONFIG_TLSV12 */ 152 153 if (conn->client_hello_ext) { 154 os_memcpy(pos, conn->client_hello_ext, 155 conn->client_hello_ext_len); 156 pos += conn->client_hello_ext_len; 157 } 158 159 if (pos == ext_start + 2) 160 pos -= 2; /* no extensions */ 161 else 162 WPA_PUT_BE16(ext_start, pos - ext_start - 2); 163 164 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 165 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 166 167 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 168 rhdr, end - rhdr, hs_start, pos - hs_start, 169 out_len) < 0) { 170 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 171 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 172 TLS_ALERT_INTERNAL_ERROR); 173 os_free(hello); 174 return NULL; 175 } 176 177 conn->state = SERVER_HELLO; 178 179 return hello; 180} 181 182 183static int tls_write_client_certificate(struct tlsv1_client *conn, 184 u8 **msgpos, u8 *end) 185{ 186 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 187 size_t rlen; 188 struct x509_certificate *cert; 189 190 pos = *msgpos; 191 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) { 192 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 193 TLS_ALERT_INTERNAL_ERROR); 194 return -1; 195 } 196 197 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 198 rhdr = pos; 199 pos += TLS_RECORD_HEADER_LEN; 200 201 /* opaque fragment[TLSPlaintext.length] */ 202 203 /* Handshake */ 204 hs_start = pos; 205 /* HandshakeType msg_type */ 206 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 207 /* uint24 length (to be filled) */ 208 hs_length = pos; 209 pos += 3; 210 /* body - Certificate */ 211 /* uint24 length (to be filled) */ 212 cert_start = pos; 213 pos += 3; 214 cert = conn->cred ? conn->cred->cert : NULL; 215 while (cert) { 216 if (3 + cert->cert_len > (size_t) (end - pos)) { 217 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 218 "for Certificate (cert_len=%lu left=%lu)", 219 (unsigned long) cert->cert_len, 220 (unsigned long) (end - pos)); 221 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 222 TLS_ALERT_INTERNAL_ERROR); 223 return -1; 224 } 225 WPA_PUT_BE24(pos, cert->cert_len); 226 pos += 3; 227 os_memcpy(pos, cert->cert_start, cert->cert_len); 228 pos += cert->cert_len; 229 230 if (x509_certificate_self_signed(cert)) 231 break; 232 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 233 &cert->issuer); 234 } 235 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 236 /* 237 * Client was not configured with all the needed certificates 238 * to form a full certificate chain. The server may fail to 239 * validate the chain unless it is configured with all the 240 * missing CA certificates. 241 */ 242 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 243 "not configured - validation may fail"); 244 } 245 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 246 247 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 248 249 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 250 rhdr, end - rhdr, hs_start, pos - hs_start, 251 &rlen) < 0) { 252 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 253 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 254 TLS_ALERT_INTERNAL_ERROR); 255 return -1; 256 } 257 pos = rhdr + rlen; 258 259 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 260 261 *msgpos = pos; 262 263 return 0; 264} 265 266 267static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 268{ 269 /* ClientDiffieHellmanPublic */ 270 u8 *csecret, *csecret_start, *dh_yc, *shared; 271 size_t csecret_len, dh_yc_len, shared_len; 272 273 csecret_len = conn->dh_p_len; 274 csecret = os_malloc(csecret_len); 275 if (csecret == NULL) { 276 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 277 "memory for Yc (Diffie-Hellman)"); 278 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 279 TLS_ALERT_INTERNAL_ERROR); 280 return -1; 281 } 282 if (random_get_bytes(csecret, csecret_len)) { 283 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 284 "data for Diffie-Hellman"); 285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_INTERNAL_ERROR); 287 os_free(csecret); 288 return -1; 289 } 290 291 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 292 csecret[0] = 0; /* make sure Yc < p */ 293 294 csecret_start = csecret; 295 while (csecret_len > 1 && *csecret_start == 0) { 296 csecret_start++; 297 csecret_len--; 298 } 299 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 300 csecret_start, csecret_len); 301 302 /* Yc = g^csecret mod p */ 303 dh_yc_len = conn->dh_p_len; 304 dh_yc = os_malloc(dh_yc_len); 305 if (dh_yc == NULL) { 306 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 307 "memory for Diffie-Hellman"); 308 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 309 TLS_ALERT_INTERNAL_ERROR); 310 os_free(csecret); 311 return -1; 312 } 313 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 314 csecret_start, csecret_len, 315 conn->dh_p, conn->dh_p_len, 316 dh_yc, &dh_yc_len)) { 317 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 318 TLS_ALERT_INTERNAL_ERROR); 319 os_free(csecret); 320 os_free(dh_yc); 321 return -1; 322 } 323 324 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 325 dh_yc, dh_yc_len); 326 327 if (end - *pos < 2) { 328 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 329 TLS_ALERT_INTERNAL_ERROR); 330 os_free(csecret); 331 os_free(dh_yc); 332 return -1; 333 } 334 WPA_PUT_BE16(*pos, dh_yc_len); 335 *pos += 2; 336 if (dh_yc_len > (size_t) (end - *pos)) { 337 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 338 "message buffer for Yc"); 339 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 340 TLS_ALERT_INTERNAL_ERROR); 341 os_free(csecret); 342 os_free(dh_yc); 343 return -1; 344 } 345 os_memcpy(*pos, dh_yc, dh_yc_len); 346 *pos += dh_yc_len; 347 os_free(dh_yc); 348 349 shared_len = conn->dh_p_len; 350 shared = os_malloc(shared_len); 351 if (shared == NULL) { 352 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 353 "DH"); 354 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 355 TLS_ALERT_INTERNAL_ERROR); 356 os_free(csecret); 357 return -1; 358 } 359 360 /* shared = Ys^csecret mod p */ 361 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 362 csecret_start, csecret_len, 363 conn->dh_p, conn->dh_p_len, 364 shared, &shared_len)) { 365 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 366 TLS_ALERT_INTERNAL_ERROR); 367 os_free(csecret); 368 os_free(shared); 369 return -1; 370 } 371 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 372 shared, shared_len); 373 374 os_memset(csecret_start, 0, csecret_len); 375 os_free(csecret); 376 if (tls_derive_keys(conn, shared, shared_len)) { 377 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 378 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 379 TLS_ALERT_INTERNAL_ERROR); 380 os_free(shared); 381 return -1; 382 } 383 os_memset(shared, 0, shared_len); 384 os_free(shared); 385 tlsv1_client_free_dh(conn); 386 return 0; 387} 388 389 390static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 391{ 392 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 393 size_t clen; 394 int res; 395 396 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 397 tls_derive_keys(conn, pre_master_secret, 398 TLS_PRE_MASTER_SECRET_LEN)) { 399 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 400 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 401 TLS_ALERT_INTERNAL_ERROR); 402 return -1; 403 } 404 405 /* EncryptedPreMasterSecret */ 406 if (conn->server_rsa_key == NULL) { 407 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 408 "use for encrypting pre-master secret"); 409 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 410 TLS_ALERT_INTERNAL_ERROR); 411 return -1; 412 } 413 414 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 415 *pos += 2; 416 clen = end - *pos; 417 res = crypto_public_key_encrypt_pkcs1_v15( 418 conn->server_rsa_key, 419 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 420 *pos, &clen); 421 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 422 if (res < 0) { 423 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 424 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 425 TLS_ALERT_INTERNAL_ERROR); 426 return -1; 427 } 428 WPA_PUT_BE16(*pos - 2, clen); 429 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 430 *pos, clen); 431 *pos += clen; 432 433 return 0; 434} 435 436 437static int tls_write_client_key_exchange(struct tlsv1_client *conn, 438 u8 **msgpos, u8 *end) 439{ 440 u8 *pos, *rhdr, *hs_start, *hs_length; 441 size_t rlen; 442 tls_key_exchange keyx; 443 const struct tls_cipher_suite *suite; 444 445 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 446 if (suite == NULL) 447 keyx = TLS_KEY_X_NULL; 448 else 449 keyx = suite->key_exchange; 450 451 pos = *msgpos; 452 453 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 454 455 rhdr = pos; 456 pos += TLS_RECORD_HEADER_LEN; 457 458 /* opaque fragment[TLSPlaintext.length] */ 459 460 /* Handshake */ 461 hs_start = pos; 462 /* HandshakeType msg_type */ 463 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 464 /* uint24 length (to be filled) */ 465 hs_length = pos; 466 pos += 3; 467 /* body - ClientKeyExchange */ 468 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) { 469 if (tlsv1_key_x_dh(conn, &pos, end) < 0) 470 return -1; 471 } else { 472 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 473 return -1; 474 } 475 476 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 477 478 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 479 rhdr, end - rhdr, hs_start, pos - hs_start, 480 &rlen) < 0) { 481 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 482 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 483 TLS_ALERT_INTERNAL_ERROR); 484 return -1; 485 } 486 pos = rhdr + rlen; 487 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 488 489 *msgpos = pos; 490 491 return 0; 492} 493 494 495static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 496 u8 **msgpos, u8 *end) 497{ 498 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 499 size_t rlen, hlen, clen; 500 u8 hash[100], *hpos; 501 502 pos = *msgpos; 503 504 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 505 rhdr = pos; 506 pos += TLS_RECORD_HEADER_LEN; 507 508 /* Handshake */ 509 hs_start = pos; 510 /* HandshakeType msg_type */ 511 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 512 /* uint24 length (to be filled) */ 513 hs_length = pos; 514 pos += 3; 515 516 /* 517 * RFC 2246: 7.4.3 and 7.4.8: 518 * Signature signature 519 * 520 * RSA: 521 * digitally-signed struct { 522 * opaque md5_hash[16]; 523 * opaque sha_hash[20]; 524 * }; 525 * 526 * DSA: 527 * digitally-signed struct { 528 * opaque sha_hash[20]; 529 * }; 530 * 531 * The hash values are calculated over all handshake messages sent or 532 * received starting at ClientHello up to, but not including, this 533 * CertificateVerify message, including the type and length fields of 534 * the handshake messages. 535 */ 536 537 hpos = hash; 538 539#ifdef CONFIG_TLSV12 540 if (conn->rl.tls_version == TLS_VERSION_1_2) { 541 hlen = SHA256_MAC_LEN; 542 if (conn->verify.sha256_cert == NULL || 543 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 544 0) { 545 conn->verify.sha256_cert = NULL; 546 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 547 TLS_ALERT_INTERNAL_ERROR); 548 return -1; 549 } 550 conn->verify.sha256_cert = NULL; 551 552 /* 553 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 554 * 555 * DigestInfo ::= SEQUENCE { 556 * digestAlgorithm DigestAlgorithm, 557 * digest OCTET STRING 558 * } 559 * 560 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 561 * 562 * DER encoded DigestInfo for SHA256 per RFC 3447: 563 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 564 * H 565 */ 566 os_memmove(hash + 19, hash, hlen); 567 hlen += 19; 568 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 569 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 570 } else { 571#endif /* CONFIG_TLSV12 */ 572 573 hlen = MD5_MAC_LEN; 574 if (conn->verify.md5_cert == NULL || 575 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 576 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 577 TLS_ALERT_INTERNAL_ERROR); 578 conn->verify.md5_cert = NULL; 579 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 580 conn->verify.sha1_cert = NULL; 581 return -1; 582 } 583 hpos += MD5_MAC_LEN; 584 585 conn->verify.md5_cert = NULL; 586 hlen = SHA1_MAC_LEN; 587 if (conn->verify.sha1_cert == NULL || 588 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 589 conn->verify.sha1_cert = NULL; 590 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 591 TLS_ALERT_INTERNAL_ERROR); 592 return -1; 593 } 594 conn->verify.sha1_cert = NULL; 595 596 hlen += MD5_MAC_LEN; 597 598#ifdef CONFIG_TLSV12 599 } 600#endif /* CONFIG_TLSV12 */ 601 602 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 603 604#ifdef CONFIG_TLSV12 605 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 606 /* 607 * RFC 5246, 4.7: 608 * TLS v1.2 adds explicit indication of the used signature and 609 * hash algorithms. 610 * 611 * struct { 612 * HashAlgorithm hash; 613 * SignatureAlgorithm signature; 614 * } SignatureAndHashAlgorithm; 615 */ 616 *pos++ = TLS_HASH_ALG_SHA256; 617 *pos++ = TLS_SIGN_ALG_RSA; 618 } 619#endif /* CONFIG_TLSV12 */ 620 621 /* 622 * RFC 2246, 4.7: 623 * In digital signing, one-way hash functions are used as input for a 624 * signing algorithm. A digitally-signed element is encoded as an 625 * opaque vector <0..2^16-1>, where the length is specified by the 626 * signing algorithm and key. 627 * 628 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 629 * MD5) is signed (encrypted with the private key). It is encoded with 630 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 631 */ 632 signed_start = pos; /* length to be filled */ 633 pos += 2; 634 clen = end - pos; 635 if (conn->cred == NULL || 636 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 637 pos, &clen) < 0) { 638 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 639 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 640 TLS_ALERT_INTERNAL_ERROR); 641 return -1; 642 } 643 WPA_PUT_BE16(signed_start, clen); 644 645 pos += clen; 646 647 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 648 649 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 650 rhdr, end - rhdr, hs_start, pos - hs_start, 651 &rlen) < 0) { 652 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 653 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 654 TLS_ALERT_INTERNAL_ERROR); 655 return -1; 656 } 657 pos = rhdr + rlen; 658 659 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 660 661 *msgpos = pos; 662 663 return 0; 664} 665 666 667static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 668 u8 **msgpos, u8 *end) 669{ 670 size_t rlen; 671 u8 payload[1]; 672 673 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 674 675 payload[0] = TLS_CHANGE_CIPHER_SPEC; 676 677 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 678 *msgpos, end - *msgpos, payload, sizeof(payload), 679 &rlen) < 0) { 680 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 681 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 682 TLS_ALERT_INTERNAL_ERROR); 683 return -1; 684 } 685 686 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 687 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 688 "record layer"); 689 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 690 TLS_ALERT_INTERNAL_ERROR); 691 return -1; 692 } 693 694 *msgpos += rlen; 695 696 return 0; 697} 698 699 700static int tls_write_client_finished(struct tlsv1_client *conn, 701 u8 **msgpos, u8 *end) 702{ 703 u8 *pos, *hs_start; 704 size_t rlen, hlen; 705 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 706 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 707 708 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 709 710 /* Encrypted Handshake Message: Finished */ 711 712#ifdef CONFIG_TLSV12 713 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 714 hlen = SHA256_MAC_LEN; 715 if (conn->verify.sha256_client == NULL || 716 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 717 < 0) { 718 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 719 TLS_ALERT_INTERNAL_ERROR); 720 conn->verify.sha256_client = NULL; 721 return -1; 722 } 723 conn->verify.sha256_client = NULL; 724 } else { 725#endif /* CONFIG_TLSV12 */ 726 727 hlen = MD5_MAC_LEN; 728 if (conn->verify.md5_client == NULL || 729 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 730 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 731 TLS_ALERT_INTERNAL_ERROR); 732 conn->verify.md5_client = NULL; 733 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 734 conn->verify.sha1_client = NULL; 735 return -1; 736 } 737 conn->verify.md5_client = NULL; 738 hlen = SHA1_MAC_LEN; 739 if (conn->verify.sha1_client == NULL || 740 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 741 &hlen) < 0) { 742 conn->verify.sha1_client = NULL; 743 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 744 TLS_ALERT_INTERNAL_ERROR); 745 return -1; 746 } 747 conn->verify.sha1_client = NULL; 748 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 749 750#ifdef CONFIG_TLSV12 751 } 752#endif /* CONFIG_TLSV12 */ 753 754 if (tls_prf(conn->rl.tls_version, 755 conn->master_secret, TLS_MASTER_SECRET_LEN, 756 "client finished", hash, hlen, 757 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 758 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 759 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 760 TLS_ALERT_INTERNAL_ERROR); 761 return -1; 762 } 763 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 764 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 765 766 /* Handshake */ 767 pos = hs_start = verify_data; 768 /* HandshakeType msg_type */ 769 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 770 /* uint24 length */ 771 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 772 pos += 3; 773 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 774 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 775 776 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 777 *msgpos, end - *msgpos, hs_start, pos - hs_start, 778 &rlen) < 0) { 779 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 780 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 781 TLS_ALERT_INTERNAL_ERROR); 782 return -1; 783 } 784 785 *msgpos += rlen; 786 787 return 0; 788} 789 790 791static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 792 size_t *out_len) 793{ 794 u8 *msg, *end, *pos; 795 size_t msglen; 796 797 *out_len = 0; 798 799 msglen = 2000; 800 if (conn->certificate_requested) 801 msglen += tls_client_cert_chain_der_len(conn); 802 803 msg = os_malloc(msglen); 804 if (msg == NULL) 805 return NULL; 806 807 pos = msg; 808 end = msg + msglen; 809 810 if (conn->certificate_requested) { 811 if (tls_write_client_certificate(conn, &pos, end) < 0) { 812 os_free(msg); 813 return NULL; 814 } 815 } 816 817 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 818 (conn->certificate_requested && conn->cred && conn->cred->key && 819 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 820 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 821 tls_write_client_finished(conn, &pos, end) < 0) { 822 os_free(msg); 823 return NULL; 824 } 825 826 *out_len = pos - msg; 827 828 conn->state = SERVER_CHANGE_CIPHER_SPEC; 829 830 return msg; 831} 832 833 834static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 835 size_t *out_len) 836{ 837 u8 *msg, *end, *pos; 838 839 *out_len = 0; 840 841 msg = os_malloc(1000); 842 if (msg == NULL) 843 return NULL; 844 845 pos = msg; 846 end = msg + 1000; 847 848 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 849 tls_write_client_finished(conn, &pos, end) < 0) { 850 os_free(msg); 851 return NULL; 852 } 853 854 *out_len = pos - msg; 855 856 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 857 "successfully"); 858 if (!conn->session_resumed && conn->use_session_ticket) 859 conn->session_resumed = 1; 860 conn->state = ESTABLISHED; 861 862 return msg; 863} 864 865 866u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 867 int no_appl_data) 868{ 869 switch (conn->state) { 870 case CLIENT_KEY_EXCHANGE: 871 return tls_send_client_key_exchange(conn, out_len); 872 case CHANGE_CIPHER_SPEC: 873 return tls_send_change_cipher_spec(conn, out_len); 874 case ACK_FINISHED: 875 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 876 "successfully"); 877 conn->state = ESTABLISHED; 878 *out_len = 0; 879 if (no_appl_data) { 880 /* Need to return something to get final TLS ACK. */ 881 return os_malloc(1); 882 } 883 return NULL; 884 default: 885 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 886 "generating reply", conn->state); 887 return NULL; 888 } 889} 890 891 892u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 893 u8 description, size_t *out_len) 894{ 895 u8 *alert, *pos, *length; 896 897 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 898 *out_len = 0; 899 900 alert = os_malloc(10); 901 if (alert == NULL) 902 return NULL; 903 904 pos = alert; 905 906 /* TLSPlaintext */ 907 /* ContentType type */ 908 *pos++ = TLS_CONTENT_TYPE_ALERT; 909 /* ProtocolVersion version */ 910 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 911 TLS_VERSION); 912 pos += 2; 913 /* uint16 length (to be filled) */ 914 length = pos; 915 pos += 2; 916 /* opaque fragment[TLSPlaintext.length] */ 917 918 /* Alert */ 919 /* AlertLevel level */ 920 *pos++ = level; 921 /* AlertDescription description */ 922 *pos++ = description; 923 924 WPA_PUT_BE16(length, pos - length - 2); 925 *out_len = pos - alert; 926 927 return alert; 928} 929