1 /* 2 * TLS v1.0 (RFC 2246) and v1.1 (RFC 4346) client - write handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/md5.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "crypto/random.h" 22 #include "x509v3.h" 23 #include "tlsv1_common.h" 24 #include "tlsv1_record.h" 25 #include "tlsv1_client.h" 26 #include "tlsv1_client_i.h" 27 28 29 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 30 { 31 size_t len = 0; 32 struct x509_certificate *cert; 33 34 if (conn->cred == NULL) 35 return 0; 36 37 cert = conn->cred->cert; 38 while (cert) { 39 len += 3 + cert->cert_len; 40 if (x509_certificate_self_signed(cert)) 41 break; 42 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 43 &cert->issuer); 44 } 45 46 return len; 47 } 48 49 50 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 51 { 52 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 53 struct os_time now; 54 size_t len, i; 55 56 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 57 *out_len = 0; 58 59 os_get_time(&now); 60 WPA_PUT_BE32(conn->client_random, now.sec); 61 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 62 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 63 "client_random"); 64 return NULL; 65 } 66 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 67 conn->client_random, TLS_RANDOM_LEN); 68 69 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 70 hello = os_malloc(len); 71 if (hello == NULL) 72 return NULL; 73 end = hello + len; 74 75 rhdr = hello; 76 pos = rhdr + TLS_RECORD_HEADER_LEN; 77 78 /* opaque fragment[TLSPlaintext.length] */ 79 80 /* Handshake */ 81 hs_start = pos; 82 /* HandshakeType msg_type */ 83 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 84 /* uint24 length (to be filled) */ 85 hs_length = pos; 86 pos += 3; 87 /* body - ClientHello */ 88 /* ProtocolVersion client_version */ 89 WPA_PUT_BE16(pos, TLS_VERSION); 90 pos += 2; 91 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 92 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 93 pos += TLS_RANDOM_LEN; 94 /* SessionID session_id */ 95 *pos++ = conn->session_id_len; 96 os_memcpy(pos, conn->session_id, conn->session_id_len); 97 pos += conn->session_id_len; 98 /* CipherSuite cipher_suites<2..2^16-1> */ 99 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 100 pos += 2; 101 for (i = 0; i < conn->num_cipher_suites; i++) { 102 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 103 pos += 2; 104 } 105 /* CompressionMethod compression_methods<1..2^8-1> */ 106 *pos++ = 1; 107 *pos++ = TLS_COMPRESSION_NULL; 108 109 if (conn->client_hello_ext) { 110 os_memcpy(pos, conn->client_hello_ext, 111 conn->client_hello_ext_len); 112 pos += conn->client_hello_ext_len; 113 } 114 115 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 116 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 117 118 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 119 rhdr, end - rhdr, hs_start, pos - hs_start, 120 out_len) < 0) { 121 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 122 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 123 TLS_ALERT_INTERNAL_ERROR); 124 os_free(hello); 125 return NULL; 126 } 127 128 conn->state = SERVER_HELLO; 129 130 return hello; 131 } 132 133 134 static int tls_write_client_certificate(struct tlsv1_client *conn, 135 u8 **msgpos, u8 *end) 136 { 137 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 138 size_t rlen; 139 struct x509_certificate *cert; 140 141 pos = *msgpos; 142 143 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 144 rhdr = pos; 145 pos += TLS_RECORD_HEADER_LEN; 146 147 /* opaque fragment[TLSPlaintext.length] */ 148 149 /* Handshake */ 150 hs_start = pos; 151 /* HandshakeType msg_type */ 152 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 153 /* uint24 length (to be filled) */ 154 hs_length = pos; 155 pos += 3; 156 /* body - Certificate */ 157 /* uint24 length (to be filled) */ 158 cert_start = pos; 159 pos += 3; 160 cert = conn->cred ? conn->cred->cert : NULL; 161 while (cert) { 162 if (pos + 3 + cert->cert_len > end) { 163 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 164 "for Certificate (cert_len=%lu left=%lu)", 165 (unsigned long) cert->cert_len, 166 (unsigned long) (end - pos)); 167 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 168 TLS_ALERT_INTERNAL_ERROR); 169 return -1; 170 } 171 WPA_PUT_BE24(pos, cert->cert_len); 172 pos += 3; 173 os_memcpy(pos, cert->cert_start, cert->cert_len); 174 pos += cert->cert_len; 175 176 if (x509_certificate_self_signed(cert)) 177 break; 178 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 179 &cert->issuer); 180 } 181 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 182 /* 183 * Client was not configured with all the needed certificates 184 * to form a full certificate chain. The server may fail to 185 * validate the chain unless it is configured with all the 186 * missing CA certificates. 187 */ 188 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 189 "not configured - validation may fail"); 190 } 191 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 192 193 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 194 195 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 196 rhdr, end - rhdr, hs_start, pos - hs_start, 197 &rlen) < 0) { 198 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 199 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 200 TLS_ALERT_INTERNAL_ERROR); 201 return -1; 202 } 203 pos = rhdr + rlen; 204 205 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 206 207 *msgpos = pos; 208 209 return 0; 210 } 211 212 213 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 214 { 215 /* ClientDiffieHellmanPublic */ 216 u8 *csecret, *csecret_start, *dh_yc, *shared; 217 size_t csecret_len, dh_yc_len, shared_len; 218 219 csecret_len = conn->dh_p_len; 220 csecret = os_malloc(csecret_len); 221 if (csecret == NULL) { 222 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 223 "memory for Yc (Diffie-Hellman)"); 224 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 225 TLS_ALERT_INTERNAL_ERROR); 226 return -1; 227 } 228 if (random_get_bytes(csecret, csecret_len)) { 229 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 230 "data for Diffie-Hellman"); 231 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 232 TLS_ALERT_INTERNAL_ERROR); 233 os_free(csecret); 234 return -1; 235 } 236 237 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 238 csecret[0] = 0; /* make sure Yc < p */ 239 240 csecret_start = csecret; 241 while (csecret_len > 1 && *csecret_start == 0) { 242 csecret_start++; 243 csecret_len--; 244 } 245 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 246 csecret_start, csecret_len); 247 248 /* Yc = g^csecret mod p */ 249 dh_yc_len = conn->dh_p_len; 250 dh_yc = os_malloc(dh_yc_len); 251 if (dh_yc == NULL) { 252 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 253 "memory for Diffie-Hellman"); 254 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 255 TLS_ALERT_INTERNAL_ERROR); 256 os_free(csecret); 257 return -1; 258 } 259 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 260 csecret_start, csecret_len, 261 conn->dh_p, conn->dh_p_len, 262 dh_yc, &dh_yc_len)) { 263 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 264 TLS_ALERT_INTERNAL_ERROR); 265 os_free(csecret); 266 os_free(dh_yc); 267 return -1; 268 } 269 270 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 271 dh_yc, dh_yc_len); 272 273 WPA_PUT_BE16(*pos, dh_yc_len); 274 *pos += 2; 275 if (*pos + dh_yc_len > end) { 276 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 277 "message buffer for Yc"); 278 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 279 TLS_ALERT_INTERNAL_ERROR); 280 os_free(csecret); 281 os_free(dh_yc); 282 return -1; 283 } 284 os_memcpy(*pos, dh_yc, dh_yc_len); 285 *pos += dh_yc_len; 286 os_free(dh_yc); 287 288 shared_len = conn->dh_p_len; 289 shared = os_malloc(shared_len); 290 if (shared == NULL) { 291 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 292 "DH"); 293 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 294 TLS_ALERT_INTERNAL_ERROR); 295 os_free(csecret); 296 return -1; 297 } 298 299 /* shared = Ys^csecret mod p */ 300 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 301 csecret_start, csecret_len, 302 conn->dh_p, conn->dh_p_len, 303 shared, &shared_len)) { 304 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 305 TLS_ALERT_INTERNAL_ERROR); 306 os_free(csecret); 307 os_free(shared); 308 return -1; 309 } 310 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 311 shared, shared_len); 312 313 os_memset(csecret_start, 0, csecret_len); 314 os_free(csecret); 315 if (tls_derive_keys(conn, shared, shared_len)) { 316 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 317 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 318 TLS_ALERT_INTERNAL_ERROR); 319 os_free(shared); 320 return -1; 321 } 322 os_memset(shared, 0, shared_len); 323 os_free(shared); 324 tlsv1_client_free_dh(conn); 325 return 0; 326 } 327 328 329 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 330 { 331 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 332 size_t clen; 333 int res; 334 335 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 336 tls_derive_keys(conn, pre_master_secret, 337 TLS_PRE_MASTER_SECRET_LEN)) { 338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 339 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 340 TLS_ALERT_INTERNAL_ERROR); 341 return -1; 342 } 343 344 /* EncryptedPreMasterSecret */ 345 if (conn->server_rsa_key == NULL) { 346 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 347 "use for encrypting pre-master secret"); 348 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 349 TLS_ALERT_INTERNAL_ERROR); 350 return -1; 351 } 352 353 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 354 *pos += 2; 355 clen = end - *pos; 356 res = crypto_public_key_encrypt_pkcs1_v15( 357 conn->server_rsa_key, 358 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 359 *pos, &clen); 360 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 361 if (res < 0) { 362 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 363 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 364 TLS_ALERT_INTERNAL_ERROR); 365 return -1; 366 } 367 WPA_PUT_BE16(*pos - 2, clen); 368 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 369 *pos, clen); 370 *pos += clen; 371 372 return 0; 373 } 374 375 376 static int tls_write_client_key_exchange(struct tlsv1_client *conn, 377 u8 **msgpos, u8 *end) 378 { 379 u8 *pos, *rhdr, *hs_start, *hs_length; 380 size_t rlen; 381 tls_key_exchange keyx; 382 const struct tls_cipher_suite *suite; 383 384 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 385 if (suite == NULL) 386 keyx = TLS_KEY_X_NULL; 387 else 388 keyx = suite->key_exchange; 389 390 pos = *msgpos; 391 392 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 393 394 rhdr = pos; 395 pos += TLS_RECORD_HEADER_LEN; 396 397 /* opaque fragment[TLSPlaintext.length] */ 398 399 /* Handshake */ 400 hs_start = pos; 401 /* HandshakeType msg_type */ 402 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 403 /* uint24 length (to be filled) */ 404 hs_length = pos; 405 pos += 3; 406 /* body - ClientKeyExchange */ 407 if (keyx == TLS_KEY_X_DH_anon) { 408 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0) 409 return -1; 410 } else { 411 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 412 return -1; 413 } 414 415 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 416 417 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 418 rhdr, end - rhdr, hs_start, pos - hs_start, 419 &rlen) < 0) { 420 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 421 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 422 TLS_ALERT_INTERNAL_ERROR); 423 return -1; 424 } 425 pos = rhdr + rlen; 426 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 427 428 *msgpos = pos; 429 430 return 0; 431 } 432 433 434 static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 435 u8 **msgpos, u8 *end) 436 { 437 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 438 size_t rlen, hlen, clen; 439 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 440 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 441 442 pos = *msgpos; 443 444 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 445 rhdr = pos; 446 pos += TLS_RECORD_HEADER_LEN; 447 448 /* Handshake */ 449 hs_start = pos; 450 /* HandshakeType msg_type */ 451 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 452 /* uint24 length (to be filled) */ 453 hs_length = pos; 454 pos += 3; 455 456 /* 457 * RFC 2246: 7.4.3 and 7.4.8: 458 * Signature signature 459 * 460 * RSA: 461 * digitally-signed struct { 462 * opaque md5_hash[16]; 463 * opaque sha_hash[20]; 464 * }; 465 * 466 * DSA: 467 * digitally-signed struct { 468 * opaque sha_hash[20]; 469 * }; 470 * 471 * The hash values are calculated over all handshake messages sent or 472 * received starting at ClientHello up to, but not including, this 473 * CertificateVerify message, including the type and length fields of 474 * the handshake messages. 475 */ 476 477 hpos = hash; 478 479 if (alg == SIGN_ALG_RSA) { 480 hlen = MD5_MAC_LEN; 481 if (conn->verify.md5_cert == NULL || 482 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 483 { 484 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 485 TLS_ALERT_INTERNAL_ERROR); 486 conn->verify.md5_cert = NULL; 487 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 488 conn->verify.sha1_cert = NULL; 489 return -1; 490 } 491 hpos += MD5_MAC_LEN; 492 } else 493 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 494 495 conn->verify.md5_cert = NULL; 496 hlen = SHA1_MAC_LEN; 497 if (conn->verify.sha1_cert == NULL || 498 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 499 conn->verify.sha1_cert = NULL; 500 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 501 TLS_ALERT_INTERNAL_ERROR); 502 return -1; 503 } 504 conn->verify.sha1_cert = NULL; 505 506 if (alg == SIGN_ALG_RSA) 507 hlen += MD5_MAC_LEN; 508 509 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 510 511 /* 512 * RFC 2246, 4.7: 513 * In digital signing, one-way hash functions are used as input for a 514 * signing algorithm. A digitally-signed element is encoded as an 515 * opaque vector <0..2^16-1>, where the length is specified by the 516 * signing algorithm and key. 517 * 518 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 519 * MD5) is signed (encrypted with the private key). It is encoded with 520 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 521 */ 522 signed_start = pos; /* length to be filled */ 523 pos += 2; 524 clen = end - pos; 525 if (conn->cred == NULL || 526 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 527 pos, &clen) < 0) { 528 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 529 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 530 TLS_ALERT_INTERNAL_ERROR); 531 return -1; 532 } 533 WPA_PUT_BE16(signed_start, clen); 534 535 pos += clen; 536 537 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 538 539 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 540 rhdr, end - rhdr, hs_start, pos - hs_start, 541 &rlen) < 0) { 542 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 543 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 544 TLS_ALERT_INTERNAL_ERROR); 545 return -1; 546 } 547 pos = rhdr + rlen; 548 549 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 550 551 *msgpos = pos; 552 553 return 0; 554 } 555 556 557 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 558 u8 **msgpos, u8 *end) 559 { 560 size_t rlen; 561 u8 payload[1]; 562 563 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 564 565 payload[0] = TLS_CHANGE_CIPHER_SPEC; 566 567 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 568 *msgpos, end - *msgpos, payload, sizeof(payload), 569 &rlen) < 0) { 570 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 571 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 572 TLS_ALERT_INTERNAL_ERROR); 573 return -1; 574 } 575 576 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 577 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 578 "record layer"); 579 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 580 TLS_ALERT_INTERNAL_ERROR); 581 return -1; 582 } 583 584 *msgpos += rlen; 585 586 return 0; 587 } 588 589 590 static int tls_write_client_finished(struct tlsv1_client *conn, 591 u8 **msgpos, u8 *end) 592 { 593 u8 *pos, *hs_start; 594 size_t rlen, hlen; 595 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 596 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 597 598 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 599 600 /* Encrypted Handshake Message: Finished */ 601 602 hlen = MD5_MAC_LEN; 603 if (conn->verify.md5_client == NULL || 604 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 605 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 606 TLS_ALERT_INTERNAL_ERROR); 607 conn->verify.md5_client = NULL; 608 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 609 conn->verify.sha1_client = NULL; 610 return -1; 611 } 612 conn->verify.md5_client = NULL; 613 hlen = SHA1_MAC_LEN; 614 if (conn->verify.sha1_client == NULL || 615 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 616 &hlen) < 0) { 617 conn->verify.sha1_client = NULL; 618 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 619 TLS_ALERT_INTERNAL_ERROR); 620 return -1; 621 } 622 conn->verify.sha1_client = NULL; 623 624 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 625 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 626 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 627 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 628 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 629 TLS_ALERT_INTERNAL_ERROR); 630 return -1; 631 } 632 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 633 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 634 635 /* Handshake */ 636 pos = hs_start = verify_data; 637 /* HandshakeType msg_type */ 638 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 639 /* uint24 length */ 640 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 641 pos += 3; 642 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 643 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 644 645 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 646 *msgpos, end - *msgpos, hs_start, pos - hs_start, 647 &rlen) < 0) { 648 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 649 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 650 TLS_ALERT_INTERNAL_ERROR); 651 return -1; 652 } 653 654 *msgpos += rlen; 655 656 return 0; 657 } 658 659 660 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 661 size_t *out_len) 662 { 663 u8 *msg, *end, *pos; 664 size_t msglen; 665 666 *out_len = 0; 667 668 msglen = 2000; 669 if (conn->certificate_requested) 670 msglen += tls_client_cert_chain_der_len(conn); 671 672 msg = os_malloc(msglen); 673 if (msg == NULL) 674 return NULL; 675 676 pos = msg; 677 end = msg + msglen; 678 679 if (conn->certificate_requested) { 680 if (tls_write_client_certificate(conn, &pos, end) < 0) { 681 os_free(msg); 682 return NULL; 683 } 684 } 685 686 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 687 (conn->certificate_requested && conn->cred && conn->cred->key && 688 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 689 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 690 tls_write_client_finished(conn, &pos, end) < 0) { 691 os_free(msg); 692 return NULL; 693 } 694 695 *out_len = pos - msg; 696 697 conn->state = SERVER_CHANGE_CIPHER_SPEC; 698 699 return msg; 700 } 701 702 703 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 704 size_t *out_len) 705 { 706 u8 *msg, *end, *pos; 707 708 *out_len = 0; 709 710 msg = os_malloc(1000); 711 if (msg == NULL) 712 return NULL; 713 714 pos = msg; 715 end = msg + 1000; 716 717 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 718 tls_write_client_finished(conn, &pos, end) < 0) { 719 os_free(msg); 720 return NULL; 721 } 722 723 *out_len = pos - msg; 724 725 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 726 "successfully"); 727 conn->state = ESTABLISHED; 728 729 return msg; 730 } 731 732 733 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 734 int no_appl_data) 735 { 736 switch (conn->state) { 737 case CLIENT_KEY_EXCHANGE: 738 return tls_send_client_key_exchange(conn, out_len); 739 case CHANGE_CIPHER_SPEC: 740 return tls_send_change_cipher_spec(conn, out_len); 741 case ACK_FINISHED: 742 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 743 "successfully"); 744 conn->state = ESTABLISHED; 745 *out_len = 0; 746 if (no_appl_data) { 747 /* Need to return something to get final TLS ACK. */ 748 return os_malloc(1); 749 } 750 return NULL; 751 default: 752 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 753 "generating reply", conn->state); 754 return NULL; 755 } 756 } 757 758 759 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 760 u8 description, size_t *out_len) 761 { 762 u8 *alert, *pos, *length; 763 764 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 765 *out_len = 0; 766 767 alert = os_malloc(10); 768 if (alert == NULL) 769 return NULL; 770 771 pos = alert; 772 773 /* TLSPlaintext */ 774 /* ContentType type */ 775 *pos++ = TLS_CONTENT_TYPE_ALERT; 776 /* ProtocolVersion version */ 777 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 778 TLS_VERSION); 779 pos += 2; 780 /* uint16 length (to be filled) */ 781 length = pos; 782 pos += 2; 783 /* opaque fragment[TLSPlaintext.length] */ 784 785 /* Alert */ 786 /* AlertLevel level */ 787 *pos++ = level; 788 /* AlertDescription description */ 789 *pos++ = description; 790 791 WPA_PUT_BE16(length, pos - length - 2); 792 *out_len = pos - alert; 793 794 return alert; 795 } 796