tlsv1_client_write.c revision d80a401aed31d06f261efd19223cf55d1a2a8228
1/* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/tls.h" 16#include "crypto/random.h" 17#include "x509v3.h" 18#include "tlsv1_common.h" 19#include "tlsv1_record.h" 20#include "tlsv1_client.h" 21#include "tlsv1_client_i.h" 22 23 24static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 25{ 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 if (conn->cred == NULL) 30 return 0; 31 32 cert = conn->cred->cert; 33 while (cert) { 34 len += 3 + cert->cert_len; 35 if (x509_certificate_self_signed(cert)) 36 break; 37 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 38 &cert->issuer); 39 } 40 41 return len; 42} 43 44 45u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 46{ 47 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 48 struct os_time now; 49 size_t len, i; 50 51 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 52 *out_len = 0; 53 54 os_get_time(&now); 55 WPA_PUT_BE32(conn->client_random, now.sec); 56 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 57 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 58 "client_random"); 59 return NULL; 60 } 61 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 62 conn->client_random, TLS_RANDOM_LEN); 63 64 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 65 hello = os_malloc(len); 66 if (hello == NULL) 67 return NULL; 68 end = hello + len; 69 70 rhdr = hello; 71 pos = rhdr + TLS_RECORD_HEADER_LEN; 72 73 /* opaque fragment[TLSPlaintext.length] */ 74 75 /* Handshake */ 76 hs_start = pos; 77 /* HandshakeType msg_type */ 78 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 79 /* uint24 length (to be filled) */ 80 hs_length = pos; 81 pos += 3; 82 /* body - ClientHello */ 83 /* ProtocolVersion client_version */ 84 WPA_PUT_BE16(pos, TLS_VERSION); 85 pos += 2; 86 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 87 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 88 pos += TLS_RANDOM_LEN; 89 /* SessionID session_id */ 90 *pos++ = conn->session_id_len; 91 os_memcpy(pos, conn->session_id, conn->session_id_len); 92 pos += conn->session_id_len; 93 /* CipherSuite cipher_suites<2..2^16-1> */ 94 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 95 pos += 2; 96 for (i = 0; i < conn->num_cipher_suites; i++) { 97 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 98 pos += 2; 99 } 100 /* CompressionMethod compression_methods<1..2^8-1> */ 101 *pos++ = 1; 102 *pos++ = TLS_COMPRESSION_NULL; 103 104 if (conn->client_hello_ext) { 105 os_memcpy(pos, conn->client_hello_ext, 106 conn->client_hello_ext_len); 107 pos += conn->client_hello_ext_len; 108 } 109 110 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 111 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 112 113 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 114 rhdr, end - rhdr, hs_start, pos - hs_start, 115 out_len) < 0) { 116 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 117 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 118 TLS_ALERT_INTERNAL_ERROR); 119 os_free(hello); 120 return NULL; 121 } 122 123 conn->state = SERVER_HELLO; 124 125 return hello; 126} 127 128 129static int tls_write_client_certificate(struct tlsv1_client *conn, 130 u8 **msgpos, u8 *end) 131{ 132 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 133 size_t rlen; 134 struct x509_certificate *cert; 135 136 pos = *msgpos; 137 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) { 138 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 139 TLS_ALERT_INTERNAL_ERROR); 140 return -1; 141 } 142 143 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 144 rhdr = pos; 145 pos += TLS_RECORD_HEADER_LEN; 146 147 /* opaque fragment[TLSPlaintext.length] */ 148 149 /* Handshake */ 150 hs_start = pos; 151 /* HandshakeType msg_type */ 152 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 153 /* uint24 length (to be filled) */ 154 hs_length = pos; 155 pos += 3; 156 /* body - Certificate */ 157 /* uint24 length (to be filled) */ 158 cert_start = pos; 159 pos += 3; 160 cert = conn->cred ? conn->cred->cert : NULL; 161 while (cert) { 162 if (3 + cert->cert_len > (size_t) (end - pos)) { 163 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 164 "for Certificate (cert_len=%lu left=%lu)", 165 (unsigned long) cert->cert_len, 166 (unsigned long) (end - pos)); 167 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 168 TLS_ALERT_INTERNAL_ERROR); 169 return -1; 170 } 171 WPA_PUT_BE24(pos, cert->cert_len); 172 pos += 3; 173 os_memcpy(pos, cert->cert_start, cert->cert_len); 174 pos += cert->cert_len; 175 176 if (x509_certificate_self_signed(cert)) 177 break; 178 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 179 &cert->issuer); 180 } 181 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 182 /* 183 * Client was not configured with all the needed certificates 184 * to form a full certificate chain. The server may fail to 185 * validate the chain unless it is configured with all the 186 * missing CA certificates. 187 */ 188 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 189 "not configured - validation may fail"); 190 } 191 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 192 193 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 194 195 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 196 rhdr, end - rhdr, hs_start, pos - hs_start, 197 &rlen) < 0) { 198 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 199 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 200 TLS_ALERT_INTERNAL_ERROR); 201 return -1; 202 } 203 pos = rhdr + rlen; 204 205 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 206 207 *msgpos = pos; 208 209 return 0; 210} 211 212 213static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 214{ 215 /* ClientDiffieHellmanPublic */ 216 u8 *csecret, *csecret_start, *dh_yc, *shared; 217 size_t csecret_len, dh_yc_len, shared_len; 218 219 csecret_len = conn->dh_p_len; 220 csecret = os_malloc(csecret_len); 221 if (csecret == NULL) { 222 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 223 "memory for Yc (Diffie-Hellman)"); 224 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 225 TLS_ALERT_INTERNAL_ERROR); 226 return -1; 227 } 228 if (random_get_bytes(csecret, csecret_len)) { 229 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 230 "data for Diffie-Hellman"); 231 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 232 TLS_ALERT_INTERNAL_ERROR); 233 os_free(csecret); 234 return -1; 235 } 236 237 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 238 csecret[0] = 0; /* make sure Yc < p */ 239 240 csecret_start = csecret; 241 while (csecret_len > 1 && *csecret_start == 0) { 242 csecret_start++; 243 csecret_len--; 244 } 245 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 246 csecret_start, csecret_len); 247 248 /* Yc = g^csecret mod p */ 249 dh_yc_len = conn->dh_p_len; 250 dh_yc = os_malloc(dh_yc_len); 251 if (dh_yc == NULL) { 252 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 253 "memory for Diffie-Hellman"); 254 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 255 TLS_ALERT_INTERNAL_ERROR); 256 os_free(csecret); 257 return -1; 258 } 259 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 260 csecret_start, csecret_len, 261 conn->dh_p, conn->dh_p_len, 262 dh_yc, &dh_yc_len)) { 263 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 264 TLS_ALERT_INTERNAL_ERROR); 265 os_free(csecret); 266 os_free(dh_yc); 267 return -1; 268 } 269 270 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 271 dh_yc, dh_yc_len); 272 273 if (end - *pos < 2) { 274 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 275 TLS_ALERT_INTERNAL_ERROR); 276 os_free(csecret); 277 os_free(dh_yc); 278 return -1; 279 } 280 WPA_PUT_BE16(*pos, dh_yc_len); 281 *pos += 2; 282 if (dh_yc_len > (size_t) (end - *pos)) { 283 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 284 "message buffer for Yc"); 285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_INTERNAL_ERROR); 287 os_free(csecret); 288 os_free(dh_yc); 289 return -1; 290 } 291 os_memcpy(*pos, dh_yc, dh_yc_len); 292 *pos += dh_yc_len; 293 os_free(dh_yc); 294 295 shared_len = conn->dh_p_len; 296 shared = os_malloc(shared_len); 297 if (shared == NULL) { 298 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 299 "DH"); 300 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 301 TLS_ALERT_INTERNAL_ERROR); 302 os_free(csecret); 303 return -1; 304 } 305 306 /* shared = Ys^csecret mod p */ 307 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 308 csecret_start, csecret_len, 309 conn->dh_p, conn->dh_p_len, 310 shared, &shared_len)) { 311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 312 TLS_ALERT_INTERNAL_ERROR); 313 os_free(csecret); 314 os_free(shared); 315 return -1; 316 } 317 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 318 shared, shared_len); 319 320 os_memset(csecret_start, 0, csecret_len); 321 os_free(csecret); 322 if (tls_derive_keys(conn, shared, shared_len)) { 323 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 324 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 325 TLS_ALERT_INTERNAL_ERROR); 326 os_free(shared); 327 return -1; 328 } 329 os_memset(shared, 0, shared_len); 330 os_free(shared); 331 tlsv1_client_free_dh(conn); 332 return 0; 333} 334 335 336static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 337{ 338 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 339 size_t clen; 340 int res; 341 342 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 343 tls_derive_keys(conn, pre_master_secret, 344 TLS_PRE_MASTER_SECRET_LEN)) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 346 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 347 TLS_ALERT_INTERNAL_ERROR); 348 return -1; 349 } 350 351 /* EncryptedPreMasterSecret */ 352 if (conn->server_rsa_key == NULL) { 353 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 354 "use for encrypting pre-master secret"); 355 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 356 TLS_ALERT_INTERNAL_ERROR); 357 return -1; 358 } 359 360 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 361 *pos += 2; 362 clen = end - *pos; 363 res = crypto_public_key_encrypt_pkcs1_v15( 364 conn->server_rsa_key, 365 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 366 *pos, &clen); 367 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 368 if (res < 0) { 369 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 370 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 371 TLS_ALERT_INTERNAL_ERROR); 372 return -1; 373 } 374 WPA_PUT_BE16(*pos - 2, clen); 375 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 376 *pos, clen); 377 *pos += clen; 378 379 return 0; 380} 381 382 383static int tls_write_client_key_exchange(struct tlsv1_client *conn, 384 u8 **msgpos, u8 *end) 385{ 386 u8 *pos, *rhdr, *hs_start, *hs_length; 387 size_t rlen; 388 tls_key_exchange keyx; 389 const struct tls_cipher_suite *suite; 390 391 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 392 if (suite == NULL) 393 keyx = TLS_KEY_X_NULL; 394 else 395 keyx = suite->key_exchange; 396 397 pos = *msgpos; 398 399 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 400 401 rhdr = pos; 402 pos += TLS_RECORD_HEADER_LEN; 403 404 /* opaque fragment[TLSPlaintext.length] */ 405 406 /* Handshake */ 407 hs_start = pos; 408 /* HandshakeType msg_type */ 409 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 410 /* uint24 length (to be filled) */ 411 hs_length = pos; 412 pos += 3; 413 /* body - ClientKeyExchange */ 414 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) { 415 if (tlsv1_key_x_dh(conn, &pos, end) < 0) 416 return -1; 417 } else { 418 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 419 return -1; 420 } 421 422 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 423 424 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 425 rhdr, end - rhdr, hs_start, pos - hs_start, 426 &rlen) < 0) { 427 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 428 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 429 TLS_ALERT_INTERNAL_ERROR); 430 return -1; 431 } 432 pos = rhdr + rlen; 433 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 434 435 *msgpos = pos; 436 437 return 0; 438} 439 440 441static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 442 u8 **msgpos, u8 *end) 443{ 444 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 445 size_t rlen, hlen, clen; 446 u8 hash[100], *hpos; 447 448 pos = *msgpos; 449 450 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 451 rhdr = pos; 452 pos += TLS_RECORD_HEADER_LEN; 453 454 /* Handshake */ 455 hs_start = pos; 456 /* HandshakeType msg_type */ 457 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 458 /* uint24 length (to be filled) */ 459 hs_length = pos; 460 pos += 3; 461 462 /* 463 * RFC 2246: 7.4.3 and 7.4.8: 464 * Signature signature 465 * 466 * RSA: 467 * digitally-signed struct { 468 * opaque md5_hash[16]; 469 * opaque sha_hash[20]; 470 * }; 471 * 472 * DSA: 473 * digitally-signed struct { 474 * opaque sha_hash[20]; 475 * }; 476 * 477 * The hash values are calculated over all handshake messages sent or 478 * received starting at ClientHello up to, but not including, this 479 * CertificateVerify message, including the type and length fields of 480 * the handshake messages. 481 */ 482 483 hpos = hash; 484 485#ifdef CONFIG_TLSV12 486 if (conn->rl.tls_version == TLS_VERSION_1_2) { 487 hlen = SHA256_MAC_LEN; 488 if (conn->verify.sha256_cert == NULL || 489 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 490 0) { 491 conn->verify.sha256_cert = NULL; 492 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 493 TLS_ALERT_INTERNAL_ERROR); 494 return -1; 495 } 496 conn->verify.sha256_cert = NULL; 497 498 /* 499 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 500 * 501 * DigestInfo ::= SEQUENCE { 502 * digestAlgorithm DigestAlgorithm, 503 * digest OCTET STRING 504 * } 505 * 506 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 507 * 508 * DER encoded DigestInfo for SHA256 per RFC 3447: 509 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 510 * H 511 */ 512 os_memmove(hash + 19, hash, hlen); 513 hlen += 19; 514 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 515 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 516 } else { 517#endif /* CONFIG_TLSV12 */ 518 519 hlen = MD5_MAC_LEN; 520 if (conn->verify.md5_cert == NULL || 521 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 522 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 523 TLS_ALERT_INTERNAL_ERROR); 524 conn->verify.md5_cert = NULL; 525 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 526 conn->verify.sha1_cert = NULL; 527 return -1; 528 } 529 hpos += MD5_MAC_LEN; 530 531 conn->verify.md5_cert = NULL; 532 hlen = SHA1_MAC_LEN; 533 if (conn->verify.sha1_cert == NULL || 534 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 535 conn->verify.sha1_cert = NULL; 536 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 537 TLS_ALERT_INTERNAL_ERROR); 538 return -1; 539 } 540 conn->verify.sha1_cert = NULL; 541 542 hlen += MD5_MAC_LEN; 543 544#ifdef CONFIG_TLSV12 545 } 546#endif /* CONFIG_TLSV12 */ 547 548 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 549 550#ifdef CONFIG_TLSV12 551 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 552 /* 553 * RFC 5246, 4.7: 554 * TLS v1.2 adds explicit indication of the used signature and 555 * hash algorithms. 556 * 557 * struct { 558 * HashAlgorithm hash; 559 * SignatureAlgorithm signature; 560 * } SignatureAndHashAlgorithm; 561 */ 562 *pos++ = TLS_HASH_ALG_SHA256; 563 *pos++ = TLS_SIGN_ALG_RSA; 564 } 565#endif /* CONFIG_TLSV12 */ 566 567 /* 568 * RFC 2246, 4.7: 569 * In digital signing, one-way hash functions are used as input for a 570 * signing algorithm. A digitally-signed element is encoded as an 571 * opaque vector <0..2^16-1>, where the length is specified by the 572 * signing algorithm and key. 573 * 574 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 575 * MD5) is signed (encrypted with the private key). It is encoded with 576 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 577 */ 578 signed_start = pos; /* length to be filled */ 579 pos += 2; 580 clen = end - pos; 581 if (conn->cred == NULL || 582 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 583 pos, &clen) < 0) { 584 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 585 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 586 TLS_ALERT_INTERNAL_ERROR); 587 return -1; 588 } 589 WPA_PUT_BE16(signed_start, clen); 590 591 pos += clen; 592 593 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 594 595 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 596 rhdr, end - rhdr, hs_start, pos - hs_start, 597 &rlen) < 0) { 598 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 599 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 600 TLS_ALERT_INTERNAL_ERROR); 601 return -1; 602 } 603 pos = rhdr + rlen; 604 605 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 606 607 *msgpos = pos; 608 609 return 0; 610} 611 612 613static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 614 u8 **msgpos, u8 *end) 615{ 616 size_t rlen; 617 u8 payload[1]; 618 619 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 620 621 payload[0] = TLS_CHANGE_CIPHER_SPEC; 622 623 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 624 *msgpos, end - *msgpos, payload, sizeof(payload), 625 &rlen) < 0) { 626 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 627 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 628 TLS_ALERT_INTERNAL_ERROR); 629 return -1; 630 } 631 632 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 633 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 634 "record layer"); 635 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 636 TLS_ALERT_INTERNAL_ERROR); 637 return -1; 638 } 639 640 *msgpos += rlen; 641 642 return 0; 643} 644 645 646static int tls_write_client_finished(struct tlsv1_client *conn, 647 u8 **msgpos, u8 *end) 648{ 649 u8 *pos, *hs_start; 650 size_t rlen, hlen; 651 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 652 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 653 654 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 655 656 /* Encrypted Handshake Message: Finished */ 657 658#ifdef CONFIG_TLSV12 659 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 660 hlen = SHA256_MAC_LEN; 661 if (conn->verify.sha256_client == NULL || 662 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 663 < 0) { 664 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 665 TLS_ALERT_INTERNAL_ERROR); 666 conn->verify.sha256_client = NULL; 667 return -1; 668 } 669 conn->verify.sha256_client = NULL; 670 } else { 671#endif /* CONFIG_TLSV12 */ 672 673 hlen = MD5_MAC_LEN; 674 if (conn->verify.md5_client == NULL || 675 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 676 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 677 TLS_ALERT_INTERNAL_ERROR); 678 conn->verify.md5_client = NULL; 679 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 680 conn->verify.sha1_client = NULL; 681 return -1; 682 } 683 conn->verify.md5_client = NULL; 684 hlen = SHA1_MAC_LEN; 685 if (conn->verify.sha1_client == NULL || 686 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 687 &hlen) < 0) { 688 conn->verify.sha1_client = NULL; 689 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 690 TLS_ALERT_INTERNAL_ERROR); 691 return -1; 692 } 693 conn->verify.sha1_client = NULL; 694 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 695 696#ifdef CONFIG_TLSV12 697 } 698#endif /* CONFIG_TLSV12 */ 699 700 if (tls_prf(conn->rl.tls_version, 701 conn->master_secret, TLS_MASTER_SECRET_LEN, 702 "client finished", hash, hlen, 703 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 704 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 705 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 706 TLS_ALERT_INTERNAL_ERROR); 707 return -1; 708 } 709 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 710 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 711 712 /* Handshake */ 713 pos = hs_start = verify_data; 714 /* HandshakeType msg_type */ 715 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 716 /* uint24 length */ 717 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 718 pos += 3; 719 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 720 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 721 722 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 723 *msgpos, end - *msgpos, hs_start, pos - hs_start, 724 &rlen) < 0) { 725 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 726 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 727 TLS_ALERT_INTERNAL_ERROR); 728 return -1; 729 } 730 731 *msgpos += rlen; 732 733 return 0; 734} 735 736 737static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 738 size_t *out_len) 739{ 740 u8 *msg, *end, *pos; 741 size_t msglen; 742 743 *out_len = 0; 744 745 msglen = 2000; 746 if (conn->certificate_requested) 747 msglen += tls_client_cert_chain_der_len(conn); 748 749 msg = os_malloc(msglen); 750 if (msg == NULL) 751 return NULL; 752 753 pos = msg; 754 end = msg + msglen; 755 756 if (conn->certificate_requested) { 757 if (tls_write_client_certificate(conn, &pos, end) < 0) { 758 os_free(msg); 759 return NULL; 760 } 761 } 762 763 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 764 (conn->certificate_requested && conn->cred && conn->cred->key && 765 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 766 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 767 tls_write_client_finished(conn, &pos, end) < 0) { 768 os_free(msg); 769 return NULL; 770 } 771 772 *out_len = pos - msg; 773 774 conn->state = SERVER_CHANGE_CIPHER_SPEC; 775 776 return msg; 777} 778 779 780static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 781 size_t *out_len) 782{ 783 u8 *msg, *end, *pos; 784 785 *out_len = 0; 786 787 msg = os_malloc(1000); 788 if (msg == NULL) 789 return NULL; 790 791 pos = msg; 792 end = msg + 1000; 793 794 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 795 tls_write_client_finished(conn, &pos, end) < 0) { 796 os_free(msg); 797 return NULL; 798 } 799 800 *out_len = pos - msg; 801 802 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 803 "successfully"); 804 conn->state = ESTABLISHED; 805 806 return msg; 807} 808 809 810u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 811 int no_appl_data) 812{ 813 switch (conn->state) { 814 case CLIENT_KEY_EXCHANGE: 815 return tls_send_client_key_exchange(conn, out_len); 816 case CHANGE_CIPHER_SPEC: 817 return tls_send_change_cipher_spec(conn, out_len); 818 case ACK_FINISHED: 819 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 820 "successfully"); 821 conn->state = ESTABLISHED; 822 *out_len = 0; 823 if (no_appl_data) { 824 /* Need to return something to get final TLS ACK. */ 825 return os_malloc(1); 826 } 827 return NULL; 828 default: 829 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 830 "generating reply", conn->state); 831 return NULL; 832 } 833} 834 835 836u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 837 u8 description, size_t *out_len) 838{ 839 u8 *alert, *pos, *length; 840 841 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 842 *out_len = 0; 843 844 alert = os_malloc(10); 845 if (alert == NULL) 846 return NULL; 847 848 pos = alert; 849 850 /* TLSPlaintext */ 851 /* ContentType type */ 852 *pos++ = TLS_CONTENT_TYPE_ALERT; 853 /* ProtocolVersion version */ 854 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 855 TLS_VERSION); 856 pos += 2; 857 /* uint16 length (to be filled) */ 858 length = pos; 859 pos += 2; 860 /* opaque fragment[TLSPlaintext.length] */ 861 862 /* Alert */ 863 /* AlertLevel level */ 864 *pos++ = level; 865 /* AlertDescription description */ 866 *pos++ = description; 867 868 WPA_PUT_BE16(length, pos - length - 2); 869 *out_len = pos - alert; 870 871 return alert; 872} 873