139beb93cSSam Leffler /* 239beb93cSSam Leffler * TLSv1 client - write handshake message 3*f05cddf9SRui Paulo * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 439beb93cSSam Leffler * 5*f05cddf9SRui Paulo * This software may be distributed under the terms of the BSD license. 6*f05cddf9SRui Paulo * See README for more details. 739beb93cSSam Leffler */ 839beb93cSSam Leffler 939beb93cSSam Leffler #include "includes.h" 1039beb93cSSam Leffler 1139beb93cSSam Leffler #include "common.h" 12e28a4053SRui Paulo #include "crypto/md5.h" 13e28a4053SRui Paulo #include "crypto/sha1.h" 14*f05cddf9SRui Paulo #include "crypto/sha256.h" 15e28a4053SRui Paulo #include "crypto/tls.h" 16*f05cddf9SRui Paulo #include "crypto/random.h" 1739beb93cSSam Leffler #include "x509v3.h" 1839beb93cSSam Leffler #include "tlsv1_common.h" 1939beb93cSSam Leffler #include "tlsv1_record.h" 2039beb93cSSam Leffler #include "tlsv1_client.h" 2139beb93cSSam Leffler #include "tlsv1_client_i.h" 2239beb93cSSam Leffler 2339beb93cSSam Leffler 2439beb93cSSam Leffler static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 2539beb93cSSam Leffler { 2639beb93cSSam Leffler size_t len = 0; 2739beb93cSSam Leffler struct x509_certificate *cert; 2839beb93cSSam Leffler 2939beb93cSSam Leffler if (conn->cred == NULL) 3039beb93cSSam Leffler return 0; 3139beb93cSSam Leffler 3239beb93cSSam Leffler cert = conn->cred->cert; 3339beb93cSSam Leffler while (cert) { 3439beb93cSSam Leffler len += 3 + cert->cert_len; 3539beb93cSSam Leffler if (x509_certificate_self_signed(cert)) 3639beb93cSSam Leffler break; 3739beb93cSSam Leffler cert = x509_certificate_get_subject(conn->cred->trusted_certs, 3839beb93cSSam Leffler &cert->issuer); 3939beb93cSSam Leffler } 4039beb93cSSam Leffler 4139beb93cSSam Leffler return len; 4239beb93cSSam Leffler } 4339beb93cSSam Leffler 4439beb93cSSam Leffler 4539beb93cSSam Leffler u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 4639beb93cSSam Leffler { 4739beb93cSSam Leffler u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 4839beb93cSSam Leffler struct os_time now; 4939beb93cSSam Leffler size_t len, i; 5039beb93cSSam Leffler 5139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 5239beb93cSSam Leffler *out_len = 0; 5339beb93cSSam Leffler 5439beb93cSSam Leffler os_get_time(&now); 5539beb93cSSam Leffler WPA_PUT_BE32(conn->client_random, now.sec); 56*f05cddf9SRui Paulo if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 5739beb93cSSam Leffler wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 5839beb93cSSam Leffler "client_random"); 5939beb93cSSam Leffler return NULL; 6039beb93cSSam Leffler } 6139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 6239beb93cSSam Leffler conn->client_random, TLS_RANDOM_LEN); 6339beb93cSSam Leffler 6439beb93cSSam Leffler len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 6539beb93cSSam Leffler hello = os_malloc(len); 6639beb93cSSam Leffler if (hello == NULL) 6739beb93cSSam Leffler return NULL; 6839beb93cSSam Leffler end = hello + len; 6939beb93cSSam Leffler 7039beb93cSSam Leffler rhdr = hello; 7139beb93cSSam Leffler pos = rhdr + TLS_RECORD_HEADER_LEN; 7239beb93cSSam Leffler 7339beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */ 7439beb93cSSam Leffler 7539beb93cSSam Leffler /* Handshake */ 7639beb93cSSam Leffler hs_start = pos; 7739beb93cSSam Leffler /* HandshakeType msg_type */ 7839beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 7939beb93cSSam Leffler /* uint24 length (to be filled) */ 8039beb93cSSam Leffler hs_length = pos; 8139beb93cSSam Leffler pos += 3; 8239beb93cSSam Leffler /* body - ClientHello */ 8339beb93cSSam Leffler /* ProtocolVersion client_version */ 8439beb93cSSam Leffler WPA_PUT_BE16(pos, TLS_VERSION); 8539beb93cSSam Leffler pos += 2; 8639beb93cSSam Leffler /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 8739beb93cSSam Leffler os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 8839beb93cSSam Leffler pos += TLS_RANDOM_LEN; 8939beb93cSSam Leffler /* SessionID session_id */ 9039beb93cSSam Leffler *pos++ = conn->session_id_len; 9139beb93cSSam Leffler os_memcpy(pos, conn->session_id, conn->session_id_len); 9239beb93cSSam Leffler pos += conn->session_id_len; 9339beb93cSSam Leffler /* CipherSuite cipher_suites<2..2^16-1> */ 9439beb93cSSam Leffler WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 9539beb93cSSam Leffler pos += 2; 9639beb93cSSam Leffler for (i = 0; i < conn->num_cipher_suites; i++) { 9739beb93cSSam Leffler WPA_PUT_BE16(pos, conn->cipher_suites[i]); 9839beb93cSSam Leffler pos += 2; 9939beb93cSSam Leffler } 10039beb93cSSam Leffler /* CompressionMethod compression_methods<1..2^8-1> */ 10139beb93cSSam Leffler *pos++ = 1; 10239beb93cSSam Leffler *pos++ = TLS_COMPRESSION_NULL; 10339beb93cSSam Leffler 10439beb93cSSam Leffler if (conn->client_hello_ext) { 10539beb93cSSam Leffler os_memcpy(pos, conn->client_hello_ext, 10639beb93cSSam Leffler conn->client_hello_ext_len); 10739beb93cSSam Leffler pos += conn->client_hello_ext_len; 10839beb93cSSam Leffler } 10939beb93cSSam Leffler 11039beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3); 11139beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 11239beb93cSSam Leffler 11339beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 114*f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start, 115*f05cddf9SRui Paulo out_len) < 0) { 11639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 11739beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 11839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 11939beb93cSSam Leffler os_free(hello); 12039beb93cSSam Leffler return NULL; 12139beb93cSSam Leffler } 12239beb93cSSam Leffler 12339beb93cSSam Leffler conn->state = SERVER_HELLO; 12439beb93cSSam Leffler 12539beb93cSSam Leffler return hello; 12639beb93cSSam Leffler } 12739beb93cSSam Leffler 12839beb93cSSam Leffler 12939beb93cSSam Leffler static int tls_write_client_certificate(struct tlsv1_client *conn, 13039beb93cSSam Leffler u8 **msgpos, u8 *end) 13139beb93cSSam Leffler { 13239beb93cSSam Leffler u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 13339beb93cSSam Leffler size_t rlen; 13439beb93cSSam Leffler struct x509_certificate *cert; 13539beb93cSSam Leffler 13639beb93cSSam Leffler pos = *msgpos; 13739beb93cSSam Leffler 13839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 13939beb93cSSam Leffler rhdr = pos; 14039beb93cSSam Leffler pos += TLS_RECORD_HEADER_LEN; 14139beb93cSSam Leffler 14239beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */ 14339beb93cSSam Leffler 14439beb93cSSam Leffler /* Handshake */ 14539beb93cSSam Leffler hs_start = pos; 14639beb93cSSam Leffler /* HandshakeType msg_type */ 14739beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 14839beb93cSSam Leffler /* uint24 length (to be filled) */ 14939beb93cSSam Leffler hs_length = pos; 15039beb93cSSam Leffler pos += 3; 15139beb93cSSam Leffler /* body - Certificate */ 15239beb93cSSam Leffler /* uint24 length (to be filled) */ 15339beb93cSSam Leffler cert_start = pos; 15439beb93cSSam Leffler pos += 3; 15539beb93cSSam Leffler cert = conn->cred ? conn->cred->cert : NULL; 15639beb93cSSam Leffler while (cert) { 15739beb93cSSam Leffler if (pos + 3 + cert->cert_len > end) { 15839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 15939beb93cSSam Leffler "for Certificate (cert_len=%lu left=%lu)", 16039beb93cSSam Leffler (unsigned long) cert->cert_len, 16139beb93cSSam Leffler (unsigned long) (end - pos)); 16239beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 16339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 16439beb93cSSam Leffler return -1; 16539beb93cSSam Leffler } 16639beb93cSSam Leffler WPA_PUT_BE24(pos, cert->cert_len); 16739beb93cSSam Leffler pos += 3; 16839beb93cSSam Leffler os_memcpy(pos, cert->cert_start, cert->cert_len); 16939beb93cSSam Leffler pos += cert->cert_len; 17039beb93cSSam Leffler 17139beb93cSSam Leffler if (x509_certificate_self_signed(cert)) 17239beb93cSSam Leffler break; 17339beb93cSSam Leffler cert = x509_certificate_get_subject(conn->cred->trusted_certs, 17439beb93cSSam Leffler &cert->issuer); 17539beb93cSSam Leffler } 17639beb93cSSam Leffler if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 17739beb93cSSam Leffler /* 17839beb93cSSam Leffler * Client was not configured with all the needed certificates 17939beb93cSSam Leffler * to form a full certificate chain. The server may fail to 18039beb93cSSam Leffler * validate the chain unless it is configured with all the 18139beb93cSSam Leffler * missing CA certificates. 18239beb93cSSam Leffler */ 18339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 18439beb93cSSam Leffler "not configured - validation may fail"); 18539beb93cSSam Leffler } 18639beb93cSSam Leffler WPA_PUT_BE24(cert_start, pos - cert_start - 3); 18739beb93cSSam Leffler 18839beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3); 18939beb93cSSam Leffler 19039beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 191*f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start, 192*f05cddf9SRui Paulo &rlen) < 0) { 19339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 19439beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 19539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 19639beb93cSSam Leffler return -1; 19739beb93cSSam Leffler } 19839beb93cSSam Leffler pos = rhdr + rlen; 19939beb93cSSam Leffler 20039beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 20139beb93cSSam Leffler 20239beb93cSSam Leffler *msgpos = pos; 20339beb93cSSam Leffler 20439beb93cSSam Leffler return 0; 20539beb93cSSam Leffler } 20639beb93cSSam Leffler 20739beb93cSSam Leffler 20839beb93cSSam Leffler static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 20939beb93cSSam Leffler { 21039beb93cSSam Leffler /* ClientDiffieHellmanPublic */ 21139beb93cSSam Leffler u8 *csecret, *csecret_start, *dh_yc, *shared; 21239beb93cSSam Leffler size_t csecret_len, dh_yc_len, shared_len; 21339beb93cSSam Leffler 21439beb93cSSam Leffler csecret_len = conn->dh_p_len; 21539beb93cSSam Leffler csecret = os_malloc(csecret_len); 21639beb93cSSam Leffler if (csecret == NULL) { 21739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 21839beb93cSSam Leffler "memory for Yc (Diffie-Hellman)"); 21939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 22039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 22139beb93cSSam Leffler return -1; 22239beb93cSSam Leffler } 223*f05cddf9SRui Paulo if (random_get_bytes(csecret, csecret_len)) { 22439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 22539beb93cSSam Leffler "data for Diffie-Hellman"); 22639beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 22739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 22839beb93cSSam Leffler os_free(csecret); 22939beb93cSSam Leffler return -1; 23039beb93cSSam Leffler } 23139beb93cSSam Leffler 23239beb93cSSam Leffler if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 23339beb93cSSam Leffler csecret[0] = 0; /* make sure Yc < p */ 23439beb93cSSam Leffler 23539beb93cSSam Leffler csecret_start = csecret; 23639beb93cSSam Leffler while (csecret_len > 1 && *csecret_start == 0) { 23739beb93cSSam Leffler csecret_start++; 23839beb93cSSam Leffler csecret_len--; 23939beb93cSSam Leffler } 24039beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 24139beb93cSSam Leffler csecret_start, csecret_len); 24239beb93cSSam Leffler 24339beb93cSSam Leffler /* Yc = g^csecret mod p */ 24439beb93cSSam Leffler dh_yc_len = conn->dh_p_len; 24539beb93cSSam Leffler dh_yc = os_malloc(dh_yc_len); 24639beb93cSSam Leffler if (dh_yc == NULL) { 24739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 24839beb93cSSam Leffler "memory for Diffie-Hellman"); 24939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 25039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 25139beb93cSSam Leffler os_free(csecret); 25239beb93cSSam Leffler return -1; 25339beb93cSSam Leffler } 25439beb93cSSam Leffler if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 25539beb93cSSam Leffler csecret_start, csecret_len, 25639beb93cSSam Leffler conn->dh_p, conn->dh_p_len, 25739beb93cSSam Leffler dh_yc, &dh_yc_len)) { 25839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 25939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 26039beb93cSSam Leffler os_free(csecret); 26139beb93cSSam Leffler os_free(dh_yc); 26239beb93cSSam Leffler return -1; 26339beb93cSSam Leffler } 26439beb93cSSam Leffler 26539beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 26639beb93cSSam Leffler dh_yc, dh_yc_len); 26739beb93cSSam Leffler 26839beb93cSSam Leffler WPA_PUT_BE16(*pos, dh_yc_len); 26939beb93cSSam Leffler *pos += 2; 27039beb93cSSam Leffler if (*pos + dh_yc_len > end) { 27139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 27239beb93cSSam Leffler "message buffer for Yc"); 27339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 27439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 27539beb93cSSam Leffler os_free(csecret); 27639beb93cSSam Leffler os_free(dh_yc); 27739beb93cSSam Leffler return -1; 27839beb93cSSam Leffler } 27939beb93cSSam Leffler os_memcpy(*pos, dh_yc, dh_yc_len); 28039beb93cSSam Leffler *pos += dh_yc_len; 28139beb93cSSam Leffler os_free(dh_yc); 28239beb93cSSam Leffler 28339beb93cSSam Leffler shared_len = conn->dh_p_len; 28439beb93cSSam Leffler shared = os_malloc(shared_len); 28539beb93cSSam Leffler if (shared == NULL) { 28639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 28739beb93cSSam Leffler "DH"); 28839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 28939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 29039beb93cSSam Leffler os_free(csecret); 29139beb93cSSam Leffler return -1; 29239beb93cSSam Leffler } 29339beb93cSSam Leffler 29439beb93cSSam Leffler /* shared = Ys^csecret mod p */ 29539beb93cSSam Leffler if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 29639beb93cSSam Leffler csecret_start, csecret_len, 29739beb93cSSam Leffler conn->dh_p, conn->dh_p_len, 29839beb93cSSam Leffler shared, &shared_len)) { 29939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 30039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 30139beb93cSSam Leffler os_free(csecret); 30239beb93cSSam Leffler os_free(shared); 30339beb93cSSam Leffler return -1; 30439beb93cSSam Leffler } 30539beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 30639beb93cSSam Leffler shared, shared_len); 30739beb93cSSam Leffler 30839beb93cSSam Leffler os_memset(csecret_start, 0, csecret_len); 30939beb93cSSam Leffler os_free(csecret); 31039beb93cSSam Leffler if (tls_derive_keys(conn, shared, shared_len)) { 31139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 31239beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 31339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 31439beb93cSSam Leffler os_free(shared); 31539beb93cSSam Leffler return -1; 31639beb93cSSam Leffler } 31739beb93cSSam Leffler os_memset(shared, 0, shared_len); 31839beb93cSSam Leffler os_free(shared); 31939beb93cSSam Leffler tlsv1_client_free_dh(conn); 32039beb93cSSam Leffler return 0; 32139beb93cSSam Leffler } 32239beb93cSSam Leffler 32339beb93cSSam Leffler 32439beb93cSSam Leffler static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 32539beb93cSSam Leffler { 32639beb93cSSam Leffler u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 32739beb93cSSam Leffler size_t clen; 32839beb93cSSam Leffler int res; 32939beb93cSSam Leffler 33039beb93cSSam Leffler if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 33139beb93cSSam Leffler tls_derive_keys(conn, pre_master_secret, 33239beb93cSSam Leffler TLS_PRE_MASTER_SECRET_LEN)) { 33339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 33439beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 33539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 33639beb93cSSam Leffler return -1; 33739beb93cSSam Leffler } 33839beb93cSSam Leffler 33939beb93cSSam Leffler /* EncryptedPreMasterSecret */ 34039beb93cSSam Leffler if (conn->server_rsa_key == NULL) { 34139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 34239beb93cSSam Leffler "use for encrypting pre-master secret"); 34339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 34439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 34539beb93cSSam Leffler return -1; 34639beb93cSSam Leffler } 34739beb93cSSam Leffler 34839beb93cSSam Leffler /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 34939beb93cSSam Leffler *pos += 2; 35039beb93cSSam Leffler clen = end - *pos; 35139beb93cSSam Leffler res = crypto_public_key_encrypt_pkcs1_v15( 35239beb93cSSam Leffler conn->server_rsa_key, 35339beb93cSSam Leffler pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 35439beb93cSSam Leffler *pos, &clen); 35539beb93cSSam Leffler os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 35639beb93cSSam Leffler if (res < 0) { 35739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 35839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 35939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 36039beb93cSSam Leffler return -1; 36139beb93cSSam Leffler } 36239beb93cSSam Leffler WPA_PUT_BE16(*pos - 2, clen); 36339beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 36439beb93cSSam Leffler *pos, clen); 36539beb93cSSam Leffler *pos += clen; 36639beb93cSSam Leffler 36739beb93cSSam Leffler return 0; 36839beb93cSSam Leffler } 36939beb93cSSam Leffler 37039beb93cSSam Leffler 37139beb93cSSam Leffler static int tls_write_client_key_exchange(struct tlsv1_client *conn, 37239beb93cSSam Leffler u8 **msgpos, u8 *end) 37339beb93cSSam Leffler { 37439beb93cSSam Leffler u8 *pos, *rhdr, *hs_start, *hs_length; 37539beb93cSSam Leffler size_t rlen; 37639beb93cSSam Leffler tls_key_exchange keyx; 37739beb93cSSam Leffler const struct tls_cipher_suite *suite; 37839beb93cSSam Leffler 37939beb93cSSam Leffler suite = tls_get_cipher_suite(conn->rl.cipher_suite); 38039beb93cSSam Leffler if (suite == NULL) 38139beb93cSSam Leffler keyx = TLS_KEY_X_NULL; 38239beb93cSSam Leffler else 38339beb93cSSam Leffler keyx = suite->key_exchange; 38439beb93cSSam Leffler 38539beb93cSSam Leffler pos = *msgpos; 38639beb93cSSam Leffler 38739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 38839beb93cSSam Leffler 38939beb93cSSam Leffler rhdr = pos; 39039beb93cSSam Leffler pos += TLS_RECORD_HEADER_LEN; 39139beb93cSSam Leffler 39239beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */ 39339beb93cSSam Leffler 39439beb93cSSam Leffler /* Handshake */ 39539beb93cSSam Leffler hs_start = pos; 39639beb93cSSam Leffler /* HandshakeType msg_type */ 39739beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 39839beb93cSSam Leffler /* uint24 length (to be filled) */ 39939beb93cSSam Leffler hs_length = pos; 40039beb93cSSam Leffler pos += 3; 40139beb93cSSam Leffler /* body - ClientKeyExchange */ 40239beb93cSSam Leffler if (keyx == TLS_KEY_X_DH_anon) { 40339beb93cSSam Leffler if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0) 40439beb93cSSam Leffler return -1; 40539beb93cSSam Leffler } else { 40639beb93cSSam Leffler if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 40739beb93cSSam Leffler return -1; 40839beb93cSSam Leffler } 40939beb93cSSam Leffler 41039beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3); 41139beb93cSSam Leffler 41239beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 413*f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start, 414*f05cddf9SRui Paulo &rlen) < 0) { 41539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 41639beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 41739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 41839beb93cSSam Leffler return -1; 41939beb93cSSam Leffler } 42039beb93cSSam Leffler pos = rhdr + rlen; 42139beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 42239beb93cSSam Leffler 42339beb93cSSam Leffler *msgpos = pos; 42439beb93cSSam Leffler 42539beb93cSSam Leffler return 0; 42639beb93cSSam Leffler } 42739beb93cSSam Leffler 42839beb93cSSam Leffler 42939beb93cSSam Leffler static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 43039beb93cSSam Leffler u8 **msgpos, u8 *end) 43139beb93cSSam Leffler { 43239beb93cSSam Leffler u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 43339beb93cSSam Leffler size_t rlen, hlen, clen; 434*f05cddf9SRui Paulo u8 hash[100], *hpos; 43539beb93cSSam Leffler enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 43639beb93cSSam Leffler 43739beb93cSSam Leffler pos = *msgpos; 43839beb93cSSam Leffler 43939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 44039beb93cSSam Leffler rhdr = pos; 44139beb93cSSam Leffler pos += TLS_RECORD_HEADER_LEN; 44239beb93cSSam Leffler 44339beb93cSSam Leffler /* Handshake */ 44439beb93cSSam Leffler hs_start = pos; 44539beb93cSSam Leffler /* HandshakeType msg_type */ 44639beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 44739beb93cSSam Leffler /* uint24 length (to be filled) */ 44839beb93cSSam Leffler hs_length = pos; 44939beb93cSSam Leffler pos += 3; 45039beb93cSSam Leffler 45139beb93cSSam Leffler /* 45239beb93cSSam Leffler * RFC 2246: 7.4.3 and 7.4.8: 45339beb93cSSam Leffler * Signature signature 45439beb93cSSam Leffler * 45539beb93cSSam Leffler * RSA: 45639beb93cSSam Leffler * digitally-signed struct { 45739beb93cSSam Leffler * opaque md5_hash[16]; 45839beb93cSSam Leffler * opaque sha_hash[20]; 45939beb93cSSam Leffler * }; 46039beb93cSSam Leffler * 46139beb93cSSam Leffler * DSA: 46239beb93cSSam Leffler * digitally-signed struct { 46339beb93cSSam Leffler * opaque sha_hash[20]; 46439beb93cSSam Leffler * }; 46539beb93cSSam Leffler * 46639beb93cSSam Leffler * The hash values are calculated over all handshake messages sent or 46739beb93cSSam Leffler * received starting at ClientHello up to, but not including, this 46839beb93cSSam Leffler * CertificateVerify message, including the type and length fields of 46939beb93cSSam Leffler * the handshake messages. 47039beb93cSSam Leffler */ 47139beb93cSSam Leffler 47239beb93cSSam Leffler hpos = hash; 47339beb93cSSam Leffler 474*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 475*f05cddf9SRui Paulo if (conn->rl.tls_version == TLS_VERSION_1_2) { 476*f05cddf9SRui Paulo hlen = SHA256_MAC_LEN; 477*f05cddf9SRui Paulo if (conn->verify.sha256_cert == NULL || 478*f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 479*f05cddf9SRui Paulo 0) { 480*f05cddf9SRui Paulo conn->verify.sha256_cert = NULL; 481*f05cddf9SRui Paulo tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 482*f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 483*f05cddf9SRui Paulo return -1; 484*f05cddf9SRui Paulo } 485*f05cddf9SRui Paulo conn->verify.sha256_cert = NULL; 486*f05cddf9SRui Paulo 487*f05cddf9SRui Paulo /* 488*f05cddf9SRui Paulo * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 489*f05cddf9SRui Paulo * 490*f05cddf9SRui Paulo * DigestInfo ::= SEQUENCE { 491*f05cddf9SRui Paulo * digestAlgorithm DigestAlgorithm, 492*f05cddf9SRui Paulo * digest OCTET STRING 493*f05cddf9SRui Paulo * } 494*f05cddf9SRui Paulo * 495*f05cddf9SRui Paulo * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 496*f05cddf9SRui Paulo * 497*f05cddf9SRui Paulo * DER encoded DigestInfo for SHA256 per RFC 3447: 498*f05cddf9SRui Paulo * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 499*f05cddf9SRui Paulo * H 500*f05cddf9SRui Paulo */ 501*f05cddf9SRui Paulo os_memmove(hash + 19, hash, hlen); 502*f05cddf9SRui Paulo hlen += 19; 503*f05cddf9SRui Paulo os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 504*f05cddf9SRui Paulo "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 505*f05cddf9SRui Paulo } else { 506*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 507*f05cddf9SRui Paulo 50839beb93cSSam Leffler if (alg == SIGN_ALG_RSA) { 50939beb93cSSam Leffler hlen = MD5_MAC_LEN; 51039beb93cSSam Leffler if (conn->verify.md5_cert == NULL || 51139beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 51239beb93cSSam Leffler { 51339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 51439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 51539beb93cSSam Leffler conn->verify.md5_cert = NULL; 51639beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 51739beb93cSSam Leffler conn->verify.sha1_cert = NULL; 51839beb93cSSam Leffler return -1; 51939beb93cSSam Leffler } 52039beb93cSSam Leffler hpos += MD5_MAC_LEN; 52139beb93cSSam Leffler } else 52239beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 52339beb93cSSam Leffler 52439beb93cSSam Leffler conn->verify.md5_cert = NULL; 52539beb93cSSam Leffler hlen = SHA1_MAC_LEN; 52639beb93cSSam Leffler if (conn->verify.sha1_cert == NULL || 52739beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 52839beb93cSSam Leffler conn->verify.sha1_cert = NULL; 52939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 53039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 53139beb93cSSam Leffler return -1; 53239beb93cSSam Leffler } 53339beb93cSSam Leffler conn->verify.sha1_cert = NULL; 53439beb93cSSam Leffler 53539beb93cSSam Leffler if (alg == SIGN_ALG_RSA) 53639beb93cSSam Leffler hlen += MD5_MAC_LEN; 53739beb93cSSam Leffler 538*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 539*f05cddf9SRui Paulo } 540*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 541*f05cddf9SRui Paulo 54239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 54339beb93cSSam Leffler 544*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 545*f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) { 546*f05cddf9SRui Paulo /* 547*f05cddf9SRui Paulo * RFC 5246, 4.7: 548*f05cddf9SRui Paulo * TLS v1.2 adds explicit indication of the used signature and 549*f05cddf9SRui Paulo * hash algorithms. 550*f05cddf9SRui Paulo * 551*f05cddf9SRui Paulo * struct { 552*f05cddf9SRui Paulo * HashAlgorithm hash; 553*f05cddf9SRui Paulo * SignatureAlgorithm signature; 554*f05cddf9SRui Paulo * } SignatureAndHashAlgorithm; 555*f05cddf9SRui Paulo */ 556*f05cddf9SRui Paulo *pos++ = TLS_HASH_ALG_SHA256; 557*f05cddf9SRui Paulo *pos++ = TLS_SIGN_ALG_RSA; 558*f05cddf9SRui Paulo } 559*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 560*f05cddf9SRui Paulo 56139beb93cSSam Leffler /* 56239beb93cSSam Leffler * RFC 2246, 4.7: 56339beb93cSSam Leffler * In digital signing, one-way hash functions are used as input for a 56439beb93cSSam Leffler * signing algorithm. A digitally-signed element is encoded as an 56539beb93cSSam Leffler * opaque vector <0..2^16-1>, where the length is specified by the 56639beb93cSSam Leffler * signing algorithm and key. 56739beb93cSSam Leffler * 56839beb93cSSam Leffler * In RSA signing, a 36-byte structure of two hashes (one SHA and one 56939beb93cSSam Leffler * MD5) is signed (encrypted with the private key). It is encoded with 57039beb93cSSam Leffler * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 57139beb93cSSam Leffler */ 57239beb93cSSam Leffler signed_start = pos; /* length to be filled */ 57339beb93cSSam Leffler pos += 2; 57439beb93cSSam Leffler clen = end - pos; 57539beb93cSSam Leffler if (conn->cred == NULL || 57639beb93cSSam Leffler crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 57739beb93cSSam Leffler pos, &clen) < 0) { 57839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 57939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 58039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 58139beb93cSSam Leffler return -1; 58239beb93cSSam Leffler } 58339beb93cSSam Leffler WPA_PUT_BE16(signed_start, clen); 58439beb93cSSam Leffler 58539beb93cSSam Leffler pos += clen; 58639beb93cSSam Leffler 58739beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3); 58839beb93cSSam Leffler 58939beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 590*f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start, 591*f05cddf9SRui Paulo &rlen) < 0) { 59239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 59339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 59439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 59539beb93cSSam Leffler return -1; 59639beb93cSSam Leffler } 59739beb93cSSam Leffler pos = rhdr + rlen; 59839beb93cSSam Leffler 59939beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 60039beb93cSSam Leffler 60139beb93cSSam Leffler *msgpos = pos; 60239beb93cSSam Leffler 60339beb93cSSam Leffler return 0; 60439beb93cSSam Leffler } 60539beb93cSSam Leffler 60639beb93cSSam Leffler 60739beb93cSSam Leffler static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 60839beb93cSSam Leffler u8 **msgpos, u8 *end) 60939beb93cSSam Leffler { 61039beb93cSSam Leffler size_t rlen; 611*f05cddf9SRui Paulo u8 payload[1]; 61239beb93cSSam Leffler 61339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 614*f05cddf9SRui Paulo 615*f05cddf9SRui Paulo payload[0] = TLS_CHANGE_CIPHER_SPEC; 616*f05cddf9SRui Paulo 61739beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 618*f05cddf9SRui Paulo *msgpos, end - *msgpos, payload, sizeof(payload), 619*f05cddf9SRui Paulo &rlen) < 0) { 62039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 62139beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 62239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 62339beb93cSSam Leffler return -1; 62439beb93cSSam Leffler } 62539beb93cSSam Leffler 62639beb93cSSam Leffler if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 62739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 62839beb93cSSam Leffler "record layer"); 62939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 63039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 63139beb93cSSam Leffler return -1; 63239beb93cSSam Leffler } 63339beb93cSSam Leffler 634*f05cddf9SRui Paulo *msgpos += rlen; 63539beb93cSSam Leffler 63639beb93cSSam Leffler return 0; 63739beb93cSSam Leffler } 63839beb93cSSam Leffler 63939beb93cSSam Leffler 64039beb93cSSam Leffler static int tls_write_client_finished(struct tlsv1_client *conn, 64139beb93cSSam Leffler u8 **msgpos, u8 *end) 64239beb93cSSam Leffler { 643*f05cddf9SRui Paulo u8 *pos, *hs_start; 64439beb93cSSam Leffler size_t rlen, hlen; 645*f05cddf9SRui Paulo u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 64639beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 64739beb93cSSam Leffler 64839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 64939beb93cSSam Leffler 65039beb93cSSam Leffler /* Encrypted Handshake Message: Finished */ 65139beb93cSSam Leffler 652*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 653*f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) { 654*f05cddf9SRui Paulo hlen = SHA256_MAC_LEN; 655*f05cddf9SRui Paulo if (conn->verify.sha256_client == NULL || 656*f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 657*f05cddf9SRui Paulo < 0) { 658*f05cddf9SRui Paulo tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 659*f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR); 660*f05cddf9SRui Paulo conn->verify.sha256_client = NULL; 661*f05cddf9SRui Paulo return -1; 662*f05cddf9SRui Paulo } 663*f05cddf9SRui Paulo conn->verify.sha256_client = NULL; 664*f05cddf9SRui Paulo } else { 665*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 666*f05cddf9SRui Paulo 66739beb93cSSam Leffler hlen = MD5_MAC_LEN; 66839beb93cSSam Leffler if (conn->verify.md5_client == NULL || 66939beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 67039beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 67139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 67239beb93cSSam Leffler conn->verify.md5_client = NULL; 67339beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 67439beb93cSSam Leffler conn->verify.sha1_client = NULL; 67539beb93cSSam Leffler return -1; 67639beb93cSSam Leffler } 67739beb93cSSam Leffler conn->verify.md5_client = NULL; 67839beb93cSSam Leffler hlen = SHA1_MAC_LEN; 67939beb93cSSam Leffler if (conn->verify.sha1_client == NULL || 68039beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 68139beb93cSSam Leffler &hlen) < 0) { 68239beb93cSSam Leffler conn->verify.sha1_client = NULL; 68339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 68439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 68539beb93cSSam Leffler return -1; 68639beb93cSSam Leffler } 68739beb93cSSam Leffler conn->verify.sha1_client = NULL; 688*f05cddf9SRui Paulo hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 68939beb93cSSam Leffler 690*f05cddf9SRui Paulo #ifdef CONFIG_TLSV12 691*f05cddf9SRui Paulo } 692*f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */ 693*f05cddf9SRui Paulo 694*f05cddf9SRui Paulo if (tls_prf(conn->rl.tls_version, 695*f05cddf9SRui Paulo conn->master_secret, TLS_MASTER_SECRET_LEN, 696*f05cddf9SRui Paulo "client finished", hash, hlen, 697*f05cddf9SRui Paulo verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 69839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 69939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 70039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 70139beb93cSSam Leffler return -1; 70239beb93cSSam Leffler } 70339beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 704*f05cddf9SRui Paulo verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 70539beb93cSSam Leffler 70639beb93cSSam Leffler /* Handshake */ 707*f05cddf9SRui Paulo pos = hs_start = verify_data; 70839beb93cSSam Leffler /* HandshakeType msg_type */ 70939beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 710*f05cddf9SRui Paulo /* uint24 length */ 711*f05cddf9SRui Paulo WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 71239beb93cSSam Leffler pos += 3; 713*f05cddf9SRui Paulo pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 71439beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 71539beb93cSSam Leffler 71639beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 717*f05cddf9SRui Paulo *msgpos, end - *msgpos, hs_start, pos - hs_start, 718*f05cddf9SRui Paulo &rlen) < 0) { 71939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 72039beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 72139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR); 72239beb93cSSam Leffler return -1; 72339beb93cSSam Leffler } 72439beb93cSSam Leffler 725*f05cddf9SRui Paulo *msgpos += rlen; 72639beb93cSSam Leffler 72739beb93cSSam Leffler return 0; 72839beb93cSSam Leffler } 72939beb93cSSam Leffler 73039beb93cSSam Leffler 73139beb93cSSam Leffler static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 73239beb93cSSam Leffler size_t *out_len) 73339beb93cSSam Leffler { 73439beb93cSSam Leffler u8 *msg, *end, *pos; 73539beb93cSSam Leffler size_t msglen; 73639beb93cSSam Leffler 73739beb93cSSam Leffler *out_len = 0; 73839beb93cSSam Leffler 739*f05cddf9SRui Paulo msglen = 2000; 74039beb93cSSam Leffler if (conn->certificate_requested) 74139beb93cSSam Leffler msglen += tls_client_cert_chain_der_len(conn); 74239beb93cSSam Leffler 74339beb93cSSam Leffler msg = os_malloc(msglen); 74439beb93cSSam Leffler if (msg == NULL) 74539beb93cSSam Leffler return NULL; 74639beb93cSSam Leffler 74739beb93cSSam Leffler pos = msg; 74839beb93cSSam Leffler end = msg + msglen; 74939beb93cSSam Leffler 75039beb93cSSam Leffler if (conn->certificate_requested) { 75139beb93cSSam Leffler if (tls_write_client_certificate(conn, &pos, end) < 0) { 75239beb93cSSam Leffler os_free(msg); 75339beb93cSSam Leffler return NULL; 75439beb93cSSam Leffler } 75539beb93cSSam Leffler } 75639beb93cSSam Leffler 75739beb93cSSam Leffler if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 75839beb93cSSam Leffler (conn->certificate_requested && conn->cred && conn->cred->key && 75939beb93cSSam Leffler tls_write_client_certificate_verify(conn, &pos, end) < 0) || 76039beb93cSSam Leffler tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 76139beb93cSSam Leffler tls_write_client_finished(conn, &pos, end) < 0) { 76239beb93cSSam Leffler os_free(msg); 76339beb93cSSam Leffler return NULL; 76439beb93cSSam Leffler } 76539beb93cSSam Leffler 76639beb93cSSam Leffler *out_len = pos - msg; 76739beb93cSSam Leffler 76839beb93cSSam Leffler conn->state = SERVER_CHANGE_CIPHER_SPEC; 76939beb93cSSam Leffler 77039beb93cSSam Leffler return msg; 77139beb93cSSam Leffler } 77239beb93cSSam Leffler 77339beb93cSSam Leffler 77439beb93cSSam Leffler static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 77539beb93cSSam Leffler size_t *out_len) 77639beb93cSSam Leffler { 77739beb93cSSam Leffler u8 *msg, *end, *pos; 77839beb93cSSam Leffler 77939beb93cSSam Leffler *out_len = 0; 78039beb93cSSam Leffler 78139beb93cSSam Leffler msg = os_malloc(1000); 78239beb93cSSam Leffler if (msg == NULL) 78339beb93cSSam Leffler return NULL; 78439beb93cSSam Leffler 78539beb93cSSam Leffler pos = msg; 78639beb93cSSam Leffler end = msg + 1000; 78739beb93cSSam Leffler 78839beb93cSSam Leffler if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 78939beb93cSSam Leffler tls_write_client_finished(conn, &pos, end) < 0) { 79039beb93cSSam Leffler os_free(msg); 79139beb93cSSam Leffler return NULL; 79239beb93cSSam Leffler } 79339beb93cSSam Leffler 79439beb93cSSam Leffler *out_len = pos - msg; 79539beb93cSSam Leffler 79639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 79739beb93cSSam Leffler "successfully"); 79839beb93cSSam Leffler conn->state = ESTABLISHED; 79939beb93cSSam Leffler 80039beb93cSSam Leffler return msg; 80139beb93cSSam Leffler } 80239beb93cSSam Leffler 80339beb93cSSam Leffler 80439beb93cSSam Leffler u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 80539beb93cSSam Leffler int no_appl_data) 80639beb93cSSam Leffler { 80739beb93cSSam Leffler switch (conn->state) { 80839beb93cSSam Leffler case CLIENT_KEY_EXCHANGE: 80939beb93cSSam Leffler return tls_send_client_key_exchange(conn, out_len); 81039beb93cSSam Leffler case CHANGE_CIPHER_SPEC: 81139beb93cSSam Leffler return tls_send_change_cipher_spec(conn, out_len); 81239beb93cSSam Leffler case ACK_FINISHED: 81339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 81439beb93cSSam Leffler "successfully"); 81539beb93cSSam Leffler conn->state = ESTABLISHED; 81639beb93cSSam Leffler *out_len = 0; 81739beb93cSSam Leffler if (no_appl_data) { 81839beb93cSSam Leffler /* Need to return something to get final TLS ACK. */ 81939beb93cSSam Leffler return os_malloc(1); 82039beb93cSSam Leffler } 82139beb93cSSam Leffler return NULL; 82239beb93cSSam Leffler default: 82339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 82439beb93cSSam Leffler "generating reply", conn->state); 82539beb93cSSam Leffler return NULL; 82639beb93cSSam Leffler } 82739beb93cSSam Leffler } 82839beb93cSSam Leffler 82939beb93cSSam Leffler 83039beb93cSSam Leffler u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 83139beb93cSSam Leffler u8 description, size_t *out_len) 83239beb93cSSam Leffler { 83339beb93cSSam Leffler u8 *alert, *pos, *length; 83439beb93cSSam Leffler 83539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 83639beb93cSSam Leffler *out_len = 0; 83739beb93cSSam Leffler 83839beb93cSSam Leffler alert = os_malloc(10); 83939beb93cSSam Leffler if (alert == NULL) 84039beb93cSSam Leffler return NULL; 84139beb93cSSam Leffler 84239beb93cSSam Leffler pos = alert; 84339beb93cSSam Leffler 84439beb93cSSam Leffler /* TLSPlaintext */ 84539beb93cSSam Leffler /* ContentType type */ 84639beb93cSSam Leffler *pos++ = TLS_CONTENT_TYPE_ALERT; 84739beb93cSSam Leffler /* ProtocolVersion version */ 848*f05cddf9SRui Paulo WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 849*f05cddf9SRui Paulo TLS_VERSION); 85039beb93cSSam Leffler pos += 2; 85139beb93cSSam Leffler /* uint16 length (to be filled) */ 85239beb93cSSam Leffler length = pos; 85339beb93cSSam Leffler pos += 2; 85439beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */ 85539beb93cSSam Leffler 85639beb93cSSam Leffler /* Alert */ 85739beb93cSSam Leffler /* AlertLevel level */ 85839beb93cSSam Leffler *pos++ = level; 85939beb93cSSam Leffler /* AlertDescription description */ 86039beb93cSSam Leffler *pos++ = description; 86139beb93cSSam Leffler 86239beb93cSSam Leffler WPA_PUT_BE16(length, pos - length - 2); 86339beb93cSSam Leffler *out_len = pos - alert; 86439beb93cSSam Leffler 86539beb93cSSam Leffler return alert; 86639beb93cSSam Leffler } 867