1 /* 2 * TLS v1.0 (RFC 2246) and v1.1 (RFC 4346) server - write handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/md5.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "crypto/random.h" 22 #include "x509v3.h" 23 #include "tlsv1_common.h" 24 #include "tlsv1_record.h" 25 #include "tlsv1_server.h" 26 #include "tlsv1_server_i.h" 27 28 29 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn) 30 { 31 size_t len = 0; 32 struct x509_certificate *cert; 33 34 cert = conn->cred->cert; 35 while (cert) { 36 len += 3 + cert->cert_len; 37 if (x509_certificate_self_signed(cert)) 38 break; 39 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 40 &cert->issuer); 41 } 42 43 return len; 44 } 45 46 47 static int tls_write_server_hello(struct tlsv1_server *conn, 48 u8 **msgpos, u8 *end) 49 { 50 u8 *pos, *rhdr, *hs_start, *hs_length; 51 struct os_time now; 52 size_t rlen; 53 54 pos = *msgpos; 55 56 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello"); 57 rhdr = pos; 58 pos += TLS_RECORD_HEADER_LEN; 59 60 os_get_time(&now); 61 WPA_PUT_BE32(conn->server_random, now.sec); 62 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) { 63 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 64 "server_random"); 65 return -1; 66 } 67 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 68 conn->server_random, TLS_RANDOM_LEN); 69 70 conn->session_id_len = TLS_SESSION_ID_MAX_LEN; 71 if (random_get_bytes(conn->session_id, conn->session_id_len)) { 72 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 73 "session_id"); 74 return -1; 75 } 76 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 77 conn->session_id, conn->session_id_len); 78 79 /* opaque fragment[TLSPlaintext.length] */ 80 81 /* Handshake */ 82 hs_start = pos; 83 /* HandshakeType msg_type */ 84 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO; 85 /* uint24 length (to be filled) */ 86 hs_length = pos; 87 pos += 3; 88 /* body - ServerHello */ 89 /* ProtocolVersion server_version */ 90 WPA_PUT_BE16(pos, conn->rl.tls_version); 91 pos += 2; 92 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 93 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN); 94 pos += TLS_RANDOM_LEN; 95 /* SessionID session_id */ 96 *pos++ = conn->session_id_len; 97 os_memcpy(pos, conn->session_id, conn->session_id_len); 98 pos += conn->session_id_len; 99 /* CipherSuite cipher_suite */ 100 WPA_PUT_BE16(pos, conn->cipher_suite); 101 pos += 2; 102 /* CompressionMethod compression_method */ 103 *pos++ = TLS_COMPRESSION_NULL; 104 105 if (conn->session_ticket && conn->session_ticket_cb) { 106 int res = conn->session_ticket_cb( 107 conn->session_ticket_cb_ctx, 108 conn->session_ticket, conn->session_ticket_len, 109 conn->client_random, conn->server_random, 110 conn->master_secret); 111 if (res < 0) { 112 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 113 "indicated failure"); 114 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 115 TLS_ALERT_HANDSHAKE_FAILURE); 116 return -1; 117 } 118 conn->use_session_ticket = res; 119 120 if (conn->use_session_ticket) { 121 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) { 122 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 123 "derive keys"); 124 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 125 TLS_ALERT_INTERNAL_ERROR); 126 return -1; 127 } 128 } 129 130 /* 131 * RFC 4507 specifies that server would include an empty 132 * SessionTicket extension in ServerHello and a 133 * NewSessionTicket message after the ServerHello. However, 134 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket 135 * extension at the moment, does not use such extensions. 136 * 137 * TODO: Add support for configuring RFC 4507 behavior and make 138 * EAP-FAST disable it. 139 */ 140 } 141 142 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 143 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 144 145 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 146 rhdr, end - rhdr, hs_start, pos - hs_start, 147 &rlen) < 0) { 148 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 149 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 150 TLS_ALERT_INTERNAL_ERROR); 151 return -1; 152 } 153 pos = rhdr + rlen; 154 155 *msgpos = pos; 156 157 return 0; 158 } 159 160 161 static int tls_write_server_certificate(struct tlsv1_server *conn, 162 u8 **msgpos, u8 *end) 163 { 164 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 165 size_t rlen; 166 struct x509_certificate *cert; 167 const struct tls_cipher_suite *suite; 168 169 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 170 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 171 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when " 172 "using anonymous DH"); 173 return 0; 174 } 175 176 pos = *msgpos; 177 178 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 179 rhdr = pos; 180 pos += TLS_RECORD_HEADER_LEN; 181 182 /* opaque fragment[TLSPlaintext.length] */ 183 184 /* Handshake */ 185 hs_start = pos; 186 /* HandshakeType msg_type */ 187 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 188 /* uint24 length (to be filled) */ 189 hs_length = pos; 190 pos += 3; 191 /* body - Certificate */ 192 /* uint24 length (to be filled) */ 193 cert_start = pos; 194 pos += 3; 195 cert = conn->cred->cert; 196 while (cert) { 197 if (pos + 3 + cert->cert_len > end) { 198 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 199 "for Certificate (cert_len=%lu left=%lu)", 200 (unsigned long) cert->cert_len, 201 (unsigned long) (end - pos)); 202 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 203 TLS_ALERT_INTERNAL_ERROR); 204 return -1; 205 } 206 WPA_PUT_BE24(pos, cert->cert_len); 207 pos += 3; 208 os_memcpy(pos, cert->cert_start, cert->cert_len); 209 pos += cert->cert_len; 210 211 if (x509_certificate_self_signed(cert)) 212 break; 213 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 214 &cert->issuer); 215 } 216 if (cert == conn->cred->cert || cert == NULL) { 217 /* 218 * Server was not configured with all the needed certificates 219 * to form a full certificate chain. The client may fail to 220 * validate the chain unless it is configured with all the 221 * missing CA certificates. 222 */ 223 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain " 224 "not configured - validation may fail"); 225 } 226 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 227 228 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 229 230 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 231 rhdr, end - rhdr, hs_start, pos - hs_start, 232 &rlen) < 0) { 233 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 234 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 235 TLS_ALERT_INTERNAL_ERROR); 236 return -1; 237 } 238 pos = rhdr + rlen; 239 240 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 241 242 *msgpos = pos; 243 244 return 0; 245 } 246 247 248 static int tls_write_server_key_exchange(struct tlsv1_server *conn, 249 u8 **msgpos, u8 *end) 250 { 251 tls_key_exchange keyx; 252 const struct tls_cipher_suite *suite; 253 u8 *pos, *rhdr, *hs_start, *hs_length; 254 size_t rlen; 255 u8 *dh_ys; 256 size_t dh_ys_len; 257 258 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 259 if (suite == NULL) 260 keyx = TLS_KEY_X_NULL; 261 else 262 keyx = suite->key_exchange; 263 264 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 265 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed"); 266 return 0; 267 } 268 269 if (keyx != TLS_KEY_X_DH_anon) { 270 /* TODO? */ 271 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet " 272 "supported with key exchange type %d", keyx); 273 return -1; 274 } 275 276 if (conn->cred == NULL || conn->cred->dh_p == NULL || 277 conn->cred->dh_g == NULL) { 278 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for " 279 "ServerKeyExhcange"); 280 return -1; 281 } 282 283 os_free(conn->dh_secret); 284 conn->dh_secret_len = conn->cred->dh_p_len; 285 conn->dh_secret = os_malloc(conn->dh_secret_len); 286 if (conn->dh_secret == NULL) { 287 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 288 "memory for secret (Diffie-Hellman)"); 289 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 290 TLS_ALERT_INTERNAL_ERROR); 291 return -1; 292 } 293 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) { 294 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 295 "data for Diffie-Hellman"); 296 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 297 TLS_ALERT_INTERNAL_ERROR); 298 os_free(conn->dh_secret); 299 conn->dh_secret = NULL; 300 return -1; 301 } 302 303 if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) > 304 0) 305 conn->dh_secret[0] = 0; /* make sure secret < p */ 306 307 pos = conn->dh_secret; 308 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0) 309 pos++; 310 if (pos != conn->dh_secret) { 311 os_memmove(conn->dh_secret, pos, 312 conn->dh_secret_len - (pos - conn->dh_secret)); 313 conn->dh_secret_len -= pos - conn->dh_secret; 314 } 315 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value", 316 conn->dh_secret, conn->dh_secret_len); 317 318 /* Ys = g^secret mod p */ 319 dh_ys_len = conn->cred->dh_p_len; 320 dh_ys = os_malloc(dh_ys_len); 321 if (dh_ys == NULL) { 322 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for " 323 "Diffie-Hellman"); 324 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 325 TLS_ALERT_INTERNAL_ERROR); 326 return -1; 327 } 328 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len, 329 conn->dh_secret, conn->dh_secret_len, 330 conn->cred->dh_p, conn->cred->dh_p_len, 331 dh_ys, &dh_ys_len)) { 332 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 333 TLS_ALERT_INTERNAL_ERROR); 334 os_free(dh_ys); 335 return -1; 336 } 337 338 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 339 dh_ys, dh_ys_len); 340 341 /* 342 * struct { 343 * select (KeyExchangeAlgorithm) { 344 * case diffie_hellman: 345 * ServerDHParams params; 346 * Signature signed_params; 347 * case rsa: 348 * ServerRSAParams params; 349 * Signature signed_params; 350 * }; 351 * } ServerKeyExchange; 352 * 353 * struct { 354 * opaque dh_p<1..2^16-1>; 355 * opaque dh_g<1..2^16-1>; 356 * opaque dh_Ys<1..2^16-1>; 357 * } ServerDHParams; 358 */ 359 360 pos = *msgpos; 361 362 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange"); 363 rhdr = pos; 364 pos += TLS_RECORD_HEADER_LEN; 365 366 /* opaque fragment[TLSPlaintext.length] */ 367 368 /* Handshake */ 369 hs_start = pos; 370 /* HandshakeType msg_type */ 371 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE; 372 /* uint24 length (to be filled) */ 373 hs_length = pos; 374 pos += 3; 375 376 /* body - ServerDHParams */ 377 /* dh_p */ 378 if (pos + 2 + conn->cred->dh_p_len > end) { 379 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 380 "dh_p"); 381 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 382 TLS_ALERT_INTERNAL_ERROR); 383 os_free(dh_ys); 384 return -1; 385 } 386 WPA_PUT_BE16(pos, conn->cred->dh_p_len); 387 pos += 2; 388 os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len); 389 pos += conn->cred->dh_p_len; 390 391 /* dh_g */ 392 if (pos + 2 + conn->cred->dh_g_len > end) { 393 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 394 "dh_g"); 395 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 396 TLS_ALERT_INTERNAL_ERROR); 397 os_free(dh_ys); 398 return -1; 399 } 400 WPA_PUT_BE16(pos, conn->cred->dh_g_len); 401 pos += 2; 402 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len); 403 pos += conn->cred->dh_g_len; 404 405 /* dh_Ys */ 406 if (pos + 2 + dh_ys_len > end) { 407 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 408 "dh_Ys"); 409 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 410 TLS_ALERT_INTERNAL_ERROR); 411 os_free(dh_ys); 412 return -1; 413 } 414 WPA_PUT_BE16(pos, dh_ys_len); 415 pos += 2; 416 os_memcpy(pos, dh_ys, dh_ys_len); 417 pos += dh_ys_len; 418 os_free(dh_ys); 419 420 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 421 422 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 423 rhdr, end - rhdr, hs_start, pos - hs_start, 424 &rlen) < 0) { 425 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 426 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 427 TLS_ALERT_INTERNAL_ERROR); 428 return -1; 429 } 430 pos = rhdr + rlen; 431 432 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 433 434 *msgpos = pos; 435 436 return 0; 437 } 438 439 440 static int tls_write_server_certificate_request(struct tlsv1_server *conn, 441 u8 **msgpos, u8 *end) 442 { 443 u8 *pos, *rhdr, *hs_start, *hs_length; 444 size_t rlen; 445 446 if (!conn->verify_peer) { 447 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed"); 448 return 0; 449 } 450 451 pos = *msgpos; 452 453 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest"); 454 rhdr = pos; 455 pos += TLS_RECORD_HEADER_LEN; 456 457 /* opaque fragment[TLSPlaintext.length] */ 458 459 /* Handshake */ 460 hs_start = pos; 461 /* HandshakeType msg_type */ 462 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST; 463 /* uint24 length (to be filled) */ 464 hs_length = pos; 465 pos += 3; 466 /* body - CertificateRequest */ 467 468 /* 469 * enum { 470 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 471 * (255) 472 * } ClientCertificateType; 473 * ClientCertificateType certificate_types<1..2^8-1> 474 */ 475 *pos++ = 1; 476 *pos++ = 1; /* rsa_sign */ 477 478 /* 479 * opaque DistinguishedName<1..2^16-1> 480 * DistinguishedName certificate_authorities<3..2^16-1> 481 */ 482 /* TODO: add support for listing DNs for trusted CAs */ 483 WPA_PUT_BE16(pos, 0); 484 pos += 2; 485 486 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 487 488 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 489 rhdr, end - rhdr, hs_start, pos - hs_start, 490 &rlen) < 0) { 491 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 492 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 493 TLS_ALERT_INTERNAL_ERROR); 494 return -1; 495 } 496 pos = rhdr + rlen; 497 498 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 499 500 *msgpos = pos; 501 502 return 0; 503 } 504 505 506 static int tls_write_server_hello_done(struct tlsv1_server *conn, 507 u8 **msgpos, u8 *end) 508 { 509 u8 *pos; 510 size_t rlen; 511 u8 payload[4]; 512 513 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone"); 514 515 /* opaque fragment[TLSPlaintext.length] */ 516 517 /* Handshake */ 518 pos = payload; 519 /* HandshakeType msg_type */ 520 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE; 521 /* uint24 length */ 522 WPA_PUT_BE24(pos, 0); 523 pos += 3; 524 /* body - ServerHelloDone (empty) */ 525 526 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 527 *msgpos, end - *msgpos, payload, pos - payload, 528 &rlen) < 0) { 529 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 530 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 531 TLS_ALERT_INTERNAL_ERROR); 532 return -1; 533 } 534 535 tls_verify_hash_add(&conn->verify, payload, pos - payload); 536 537 *msgpos += rlen; 538 539 return 0; 540 } 541 542 543 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn, 544 u8 **msgpos, u8 *end) 545 { 546 size_t rlen; 547 u8 payload[1]; 548 549 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 550 551 payload[0] = TLS_CHANGE_CIPHER_SPEC; 552 553 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 554 *msgpos, end - *msgpos, payload, sizeof(payload), 555 &rlen) < 0) { 556 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 557 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 558 TLS_ALERT_INTERNAL_ERROR); 559 return -1; 560 } 561 562 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 563 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 564 "record layer"); 565 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 566 TLS_ALERT_INTERNAL_ERROR); 567 return -1; 568 } 569 570 *msgpos += rlen; 571 572 return 0; 573 } 574 575 576 static int tls_write_server_finished(struct tlsv1_server *conn, 577 u8 **msgpos, u8 *end) 578 { 579 u8 *pos, *hs_start; 580 size_t rlen, hlen; 581 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 582 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 583 584 pos = *msgpos; 585 586 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 587 588 /* Encrypted Handshake Message: Finished */ 589 590 hlen = MD5_MAC_LEN; 591 if (conn->verify.md5_server == NULL || 592 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 593 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 594 TLS_ALERT_INTERNAL_ERROR); 595 conn->verify.md5_server = NULL; 596 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 597 conn->verify.sha1_server = NULL; 598 return -1; 599 } 600 conn->verify.md5_server = NULL; 601 hlen = SHA1_MAC_LEN; 602 if (conn->verify.sha1_server == NULL || 603 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 604 &hlen) < 0) { 605 conn->verify.sha1_server = NULL; 606 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 607 TLS_ALERT_INTERNAL_ERROR); 608 return -1; 609 } 610 conn->verify.sha1_server = NULL; 611 612 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 613 "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 614 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 615 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 616 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 617 TLS_ALERT_INTERNAL_ERROR); 618 return -1; 619 } 620 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 621 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 622 623 /* Handshake */ 624 pos = hs_start = verify_data; 625 /* HandshakeType msg_type */ 626 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 627 /* uint24 length */ 628 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 629 pos += 3; 630 pos += TLS_VERIFY_DATA_LEN; 631 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 632 633 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 634 *msgpos, end - *msgpos, hs_start, pos - hs_start, 635 &rlen) < 0) { 636 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 637 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 638 TLS_ALERT_INTERNAL_ERROR); 639 return -1; 640 } 641 642 *msgpos += rlen; 643 644 return 0; 645 } 646 647 648 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len) 649 { 650 u8 *msg, *end, *pos; 651 size_t msglen; 652 653 *out_len = 0; 654 655 msglen = 1000 + tls_server_cert_chain_der_len(conn); 656 657 msg = os_malloc(msglen); 658 if (msg == NULL) 659 return NULL; 660 661 pos = msg; 662 end = msg + msglen; 663 664 if (tls_write_server_hello(conn, &pos, end) < 0) { 665 os_free(msg); 666 return NULL; 667 } 668 669 if (conn->use_session_ticket) { 670 /* Abbreviated handshake using session ticket; RFC 4507 */ 671 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 672 tls_write_server_finished(conn, &pos, end) < 0) { 673 os_free(msg); 674 return NULL; 675 } 676 677 *out_len = pos - msg; 678 679 conn->state = CHANGE_CIPHER_SPEC; 680 681 return msg; 682 } 683 684 /* Full handshake */ 685 if (tls_write_server_certificate(conn, &pos, end) < 0 || 686 tls_write_server_key_exchange(conn, &pos, end) < 0 || 687 tls_write_server_certificate_request(conn, &pos, end) < 0 || 688 tls_write_server_hello_done(conn, &pos, end) < 0) { 689 os_free(msg); 690 return NULL; 691 } 692 693 *out_len = pos - msg; 694 695 conn->state = CLIENT_CERTIFICATE; 696 697 return msg; 698 } 699 700 701 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn, 702 size_t *out_len) 703 { 704 u8 *msg, *end, *pos; 705 706 *out_len = 0; 707 708 msg = os_malloc(1000); 709 if (msg == NULL) 710 return NULL; 711 712 pos = msg; 713 end = msg + 1000; 714 715 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 716 tls_write_server_finished(conn, &pos, end) < 0) { 717 os_free(msg); 718 return NULL; 719 } 720 721 *out_len = pos - msg; 722 723 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully"); 724 conn->state = ESTABLISHED; 725 726 return msg; 727 } 728 729 730 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len) 731 { 732 switch (conn->state) { 733 case SERVER_HELLO: 734 return tls_send_server_hello(conn, out_len); 735 case SERVER_CHANGE_CIPHER_SPEC: 736 return tls_send_change_cipher_spec(conn, out_len); 737 default: 738 if (conn->state == ESTABLISHED && conn->use_session_ticket) { 739 /* Abbreviated handshake was already completed. */ 740 return NULL; 741 } 742 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 743 "generating reply", conn->state); 744 return NULL; 745 } 746 } 747 748 749 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level, 750 u8 description, size_t *out_len) 751 { 752 u8 *alert, *pos, *length; 753 754 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 755 *out_len = 0; 756 757 alert = os_malloc(10); 758 if (alert == NULL) 759 return NULL; 760 761 pos = alert; 762 763 /* TLSPlaintext */ 764 /* ContentType type */ 765 *pos++ = TLS_CONTENT_TYPE_ALERT; 766 /* ProtocolVersion version */ 767 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 768 TLS_VERSION); 769 pos += 2; 770 /* uint16 length (to be filled) */ 771 length = pos; 772 pos += 2; 773 /* opaque fragment[TLSPlaintext.length] */ 774 775 /* Alert */ 776 /* AlertLevel level */ 777 *pos++ = level; 778 /* AlertDescription description */ 779 *pos++ = description; 780 781 WPA_PUT_BE16(length, pos - length - 2); 782 *out_len = pos - alert; 783 784 return alert; 785 } 786