139beb93cSSam Leffler /*
239beb93cSSam Leffler * TLSv1 client - write handshake message
3780fb4a2SCy Schubert * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
439beb93cSSam Leffler *
5f05cddf9SRui Paulo * This software may be distributed under the terms of the BSD license.
6f05cddf9SRui Paulo * See README for more details.
739beb93cSSam Leffler */
839beb93cSSam Leffler
939beb93cSSam Leffler #include "includes.h"
1039beb93cSSam Leffler
1139beb93cSSam Leffler #include "common.h"
12e28a4053SRui Paulo #include "crypto/md5.h"
13e28a4053SRui Paulo #include "crypto/sha1.h"
14f05cddf9SRui Paulo #include "crypto/sha256.h"
15e28a4053SRui Paulo #include "crypto/tls.h"
16f05cddf9SRui Paulo #include "crypto/random.h"
1739beb93cSSam Leffler #include "x509v3.h"
1839beb93cSSam Leffler #include "tlsv1_common.h"
1939beb93cSSam Leffler #include "tlsv1_record.h"
2039beb93cSSam Leffler #include "tlsv1_client.h"
2139beb93cSSam Leffler #include "tlsv1_client_i.h"
2239beb93cSSam Leffler
2339beb93cSSam Leffler
tls_client_cert_chain_der_len(struct tlsv1_client * conn)2439beb93cSSam Leffler static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
2539beb93cSSam Leffler {
2639beb93cSSam Leffler size_t len = 0;
2739beb93cSSam Leffler struct x509_certificate *cert;
2839beb93cSSam Leffler
2939beb93cSSam Leffler if (conn->cred == NULL)
3039beb93cSSam Leffler return 0;
3139beb93cSSam Leffler
3239beb93cSSam Leffler cert = conn->cred->cert;
3339beb93cSSam Leffler while (cert) {
3439beb93cSSam Leffler len += 3 + cert->cert_len;
3539beb93cSSam Leffler if (x509_certificate_self_signed(cert))
3639beb93cSSam Leffler break;
3739beb93cSSam Leffler cert = x509_certificate_get_subject(conn->cred->trusted_certs,
3839beb93cSSam Leffler &cert->issuer);
3939beb93cSSam Leffler }
4039beb93cSSam Leffler
4139beb93cSSam Leffler return len;
4239beb93cSSam Leffler }
4339beb93cSSam Leffler
4439beb93cSSam Leffler
tls_send_client_hello(struct tlsv1_client * conn,size_t * out_len)4539beb93cSSam Leffler u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
4639beb93cSSam Leffler {
4739beb93cSSam Leffler u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
4839beb93cSSam Leffler struct os_time now;
4939beb93cSSam Leffler size_t len, i;
50780fb4a2SCy Schubert u8 *ext_start;
51*c1d255d3SCy Schubert u16 tls_version = tls_client_highest_ver(conn);
5239beb93cSSam Leffler
53*c1d255d3SCy Schubert if (!tls_version) {
54780fb4a2SCy Schubert wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed");
55780fb4a2SCy Schubert return NULL;
56780fb4a2SCy Schubert }
57780fb4a2SCy Schubert
58780fb4a2SCy Schubert wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)",
59780fb4a2SCy Schubert tls_version_str(tls_version));
6039beb93cSSam Leffler *out_len = 0;
6139beb93cSSam Leffler
6239beb93cSSam Leffler os_get_time(&now);
634bc52338SCy Schubert #ifdef TEST_FUZZ
644bc52338SCy Schubert now.sec = 0xfffefdfc;
654bc52338SCy Schubert #endif /* TEST_FUZZ */
6639beb93cSSam Leffler WPA_PUT_BE32(conn->client_random, now.sec);
67f05cddf9SRui Paulo if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
6839beb93cSSam Leffler wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
6939beb93cSSam Leffler "client_random");
7039beb93cSSam Leffler return NULL;
7139beb93cSSam Leffler }
7239beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
7339beb93cSSam Leffler conn->client_random, TLS_RANDOM_LEN);
7439beb93cSSam Leffler
75780fb4a2SCy Schubert len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
7639beb93cSSam Leffler hello = os_malloc(len);
7739beb93cSSam Leffler if (hello == NULL)
7839beb93cSSam Leffler return NULL;
7939beb93cSSam Leffler end = hello + len;
8039beb93cSSam Leffler
8139beb93cSSam Leffler rhdr = hello;
8239beb93cSSam Leffler pos = rhdr + TLS_RECORD_HEADER_LEN;
8339beb93cSSam Leffler
8439beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */
8539beb93cSSam Leffler
8639beb93cSSam Leffler /* Handshake */
8739beb93cSSam Leffler hs_start = pos;
8839beb93cSSam Leffler /* HandshakeType msg_type */
8939beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
9039beb93cSSam Leffler /* uint24 length (to be filled) */
9139beb93cSSam Leffler hs_length = pos;
9239beb93cSSam Leffler pos += 3;
9339beb93cSSam Leffler /* body - ClientHello */
9439beb93cSSam Leffler /* ProtocolVersion client_version */
95780fb4a2SCy Schubert WPA_PUT_BE16(pos, tls_version);
9639beb93cSSam Leffler pos += 2;
9739beb93cSSam Leffler /* Random random: uint32 gmt_unix_time, opaque random_bytes */
9839beb93cSSam Leffler os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
9939beb93cSSam Leffler pos += TLS_RANDOM_LEN;
10039beb93cSSam Leffler /* SessionID session_id */
10139beb93cSSam Leffler *pos++ = conn->session_id_len;
10239beb93cSSam Leffler os_memcpy(pos, conn->session_id, conn->session_id_len);
10339beb93cSSam Leffler pos += conn->session_id_len;
10439beb93cSSam Leffler /* CipherSuite cipher_suites<2..2^16-1> */
10539beb93cSSam Leffler WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
10639beb93cSSam Leffler pos += 2;
10739beb93cSSam Leffler for (i = 0; i < conn->num_cipher_suites; i++) {
10839beb93cSSam Leffler WPA_PUT_BE16(pos, conn->cipher_suites[i]);
10939beb93cSSam Leffler pos += 2;
11039beb93cSSam Leffler }
11139beb93cSSam Leffler /* CompressionMethod compression_methods<1..2^8-1> */
11239beb93cSSam Leffler *pos++ = 1;
11339beb93cSSam Leffler *pos++ = TLS_COMPRESSION_NULL;
11439beb93cSSam Leffler
115780fb4a2SCy Schubert /* Extension */
116780fb4a2SCy Schubert ext_start = pos;
117780fb4a2SCy Schubert pos += 2;
118780fb4a2SCy Schubert
119780fb4a2SCy Schubert #ifdef CONFIG_TLSV12
120780fb4a2SCy Schubert if (conn->rl.tls_version >= TLS_VERSION_1_2) {
121780fb4a2SCy Schubert /*
122780fb4a2SCy Schubert * Add signature_algorithms extension since we support only
123780fb4a2SCy Schubert * SHA256 (and not the default SHA1) with TLSv1.2.
124780fb4a2SCy Schubert */
125780fb4a2SCy Schubert /* ExtensionsType extension_type = signature_algorithms(13) */
126780fb4a2SCy Schubert WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
127780fb4a2SCy Schubert pos += 2;
128780fb4a2SCy Schubert /* opaque extension_data<0..2^16-1> length */
129780fb4a2SCy Schubert WPA_PUT_BE16(pos, 8);
130780fb4a2SCy Schubert pos += 2;
131780fb4a2SCy Schubert /* supported_signature_algorithms<2..2^16-2> length */
132780fb4a2SCy Schubert WPA_PUT_BE16(pos, 6);
133780fb4a2SCy Schubert pos += 2;
134780fb4a2SCy Schubert /* supported_signature_algorithms */
135780fb4a2SCy Schubert *pos++ = TLS_HASH_ALG_SHA512;
136780fb4a2SCy Schubert *pos++ = TLS_SIGN_ALG_RSA;
137780fb4a2SCy Schubert *pos++ = TLS_HASH_ALG_SHA384;
138780fb4a2SCy Schubert *pos++ = TLS_SIGN_ALG_RSA;
139780fb4a2SCy Schubert *pos++ = TLS_HASH_ALG_SHA256;
140780fb4a2SCy Schubert *pos++ = TLS_SIGN_ALG_RSA;
141780fb4a2SCy Schubert }
142780fb4a2SCy Schubert #endif /* CONFIG_TLSV12 */
143780fb4a2SCy Schubert
14439beb93cSSam Leffler if (conn->client_hello_ext) {
14539beb93cSSam Leffler os_memcpy(pos, conn->client_hello_ext,
14639beb93cSSam Leffler conn->client_hello_ext_len);
14739beb93cSSam Leffler pos += conn->client_hello_ext_len;
14839beb93cSSam Leffler }
14939beb93cSSam Leffler
150780fb4a2SCy Schubert if (conn->flags & TLS_CONN_REQUEST_OCSP) {
151780fb4a2SCy Schubert wpa_printf(MSG_DEBUG,
152780fb4a2SCy Schubert "TLSv1: Add status_request extension for OCSP stapling");
153780fb4a2SCy Schubert /* ExtensionsType extension_type = status_request(5) */
154780fb4a2SCy Schubert WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
155780fb4a2SCy Schubert pos += 2;
156780fb4a2SCy Schubert /* opaque extension_data<0..2^16-1> length */
157780fb4a2SCy Schubert WPA_PUT_BE16(pos, 5);
158780fb4a2SCy Schubert pos += 2;
159780fb4a2SCy Schubert
160780fb4a2SCy Schubert /*
161780fb4a2SCy Schubert * RFC 6066, 8:
162780fb4a2SCy Schubert * struct {
163780fb4a2SCy Schubert * CertificateStatusType status_type;
164780fb4a2SCy Schubert * select (status_type) {
165780fb4a2SCy Schubert * case ocsp: OCSPStatusRequest;
166780fb4a2SCy Schubert * } request;
167780fb4a2SCy Schubert * } CertificateStatusRequest;
168780fb4a2SCy Schubert *
169780fb4a2SCy Schubert * enum { ocsp(1), (255) } CertificateStatusType;
170780fb4a2SCy Schubert */
171780fb4a2SCy Schubert *pos++ = 1; /* status_type = ocsp(1) */
172780fb4a2SCy Schubert
173780fb4a2SCy Schubert /*
174780fb4a2SCy Schubert * struct {
175780fb4a2SCy Schubert * ResponderID responder_id_list<0..2^16-1>;
176780fb4a2SCy Schubert * Extensions request_extensions;
177780fb4a2SCy Schubert * } OCSPStatusRequest;
178780fb4a2SCy Schubert *
179780fb4a2SCy Schubert * opaque ResponderID<1..2^16-1>;
180780fb4a2SCy Schubert * opaque Extensions<0..2^16-1>;
181780fb4a2SCy Schubert */
182780fb4a2SCy Schubert WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
183780fb4a2SCy Schubert pos += 2;
184780fb4a2SCy Schubert WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
185780fb4a2SCy Schubert pos += 2;
186780fb4a2SCy Schubert
187780fb4a2SCy Schubert wpa_printf(MSG_DEBUG,
188780fb4a2SCy Schubert "TLSv1: Add status_request_v2 extension for OCSP stapling");
189780fb4a2SCy Schubert /* ExtensionsType extension_type = status_request_v2(17) */
190780fb4a2SCy Schubert WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
191780fb4a2SCy Schubert pos += 2;
192780fb4a2SCy Schubert /* opaque extension_data<0..2^16-1> length */
193780fb4a2SCy Schubert WPA_PUT_BE16(pos, 7);
194780fb4a2SCy Schubert pos += 2;
195780fb4a2SCy Schubert
196780fb4a2SCy Schubert /*
197780fb4a2SCy Schubert * RFC 6961, 2.2:
198780fb4a2SCy Schubert * struct {
199780fb4a2SCy Schubert * CertificateStatusType status_type;
200780fb4a2SCy Schubert * uint16 request_length;
201780fb4a2SCy Schubert * select (status_type) {
202780fb4a2SCy Schubert * case ocsp: OCSPStatusRequest;
203780fb4a2SCy Schubert * case ocsp_multi: OCSPStatusRequest;
204780fb4a2SCy Schubert * } request;
205780fb4a2SCy Schubert * } CertificateStatusRequestItemV2;
206780fb4a2SCy Schubert *
207780fb4a2SCy Schubert * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
208780fb4a2SCy Schubert *
209780fb4a2SCy Schubert * struct {
210780fb4a2SCy Schubert * CertificateStatusRequestItemV2
211780fb4a2SCy Schubert * certificate_status_req_list<1..2^16-1>;
212780fb4a2SCy Schubert * } CertificateStatusRequestListV2;
213780fb4a2SCy Schubert */
214780fb4a2SCy Schubert
215780fb4a2SCy Schubert /* certificate_status_req_list<1..2^16-1> */
216780fb4a2SCy Schubert WPA_PUT_BE16(pos, 5);
217780fb4a2SCy Schubert pos += 2;
218780fb4a2SCy Schubert
219780fb4a2SCy Schubert /* CertificateStatusRequestItemV2 */
220780fb4a2SCy Schubert *pos++ = 2; /* status_type = ocsp_multi(2) */
221780fb4a2SCy Schubert /* OCSPStatusRequest as shown above for v1 */
222780fb4a2SCy Schubert WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
223780fb4a2SCy Schubert pos += 2;
224780fb4a2SCy Schubert WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
225780fb4a2SCy Schubert pos += 2;
226780fb4a2SCy Schubert }
227780fb4a2SCy Schubert
228780fb4a2SCy Schubert if (pos == ext_start + 2)
229780fb4a2SCy Schubert pos -= 2; /* no extensions */
230780fb4a2SCy Schubert else
231780fb4a2SCy Schubert WPA_PUT_BE16(ext_start, pos - ext_start - 2);
232780fb4a2SCy Schubert
23339beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3);
23439beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
23539beb93cSSam Leffler
23639beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
237f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start,
238f05cddf9SRui Paulo out_len) < 0) {
23939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
24039beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
24139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
24239beb93cSSam Leffler os_free(hello);
24339beb93cSSam Leffler return NULL;
24439beb93cSSam Leffler }
24539beb93cSSam Leffler
24639beb93cSSam Leffler conn->state = SERVER_HELLO;
24739beb93cSSam Leffler
24839beb93cSSam Leffler return hello;
24939beb93cSSam Leffler }
25039beb93cSSam Leffler
25139beb93cSSam Leffler
tls_write_client_certificate(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)25239beb93cSSam Leffler static int tls_write_client_certificate(struct tlsv1_client *conn,
25339beb93cSSam Leffler u8 **msgpos, u8 *end)
25439beb93cSSam Leffler {
25539beb93cSSam Leffler u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
25639beb93cSSam Leffler size_t rlen;
25739beb93cSSam Leffler struct x509_certificate *cert;
25839beb93cSSam Leffler
25939beb93cSSam Leffler pos = *msgpos;
260780fb4a2SCy Schubert if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
261780fb4a2SCy Schubert tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
262780fb4a2SCy Schubert TLS_ALERT_INTERNAL_ERROR);
263780fb4a2SCy Schubert return -1;
264780fb4a2SCy Schubert }
26539beb93cSSam Leffler
26639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
26739beb93cSSam Leffler rhdr = pos;
26839beb93cSSam Leffler pos += TLS_RECORD_HEADER_LEN;
26939beb93cSSam Leffler
27039beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */
27139beb93cSSam Leffler
27239beb93cSSam Leffler /* Handshake */
27339beb93cSSam Leffler hs_start = pos;
27439beb93cSSam Leffler /* HandshakeType msg_type */
27539beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
27639beb93cSSam Leffler /* uint24 length (to be filled) */
27739beb93cSSam Leffler hs_length = pos;
27839beb93cSSam Leffler pos += 3;
27939beb93cSSam Leffler /* body - Certificate */
28039beb93cSSam Leffler /* uint24 length (to be filled) */
28139beb93cSSam Leffler cert_start = pos;
28239beb93cSSam Leffler pos += 3;
28339beb93cSSam Leffler cert = conn->cred ? conn->cred->cert : NULL;
28439beb93cSSam Leffler while (cert) {
285780fb4a2SCy Schubert if (3 + cert->cert_len > (size_t) (end - pos)) {
28639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
28739beb93cSSam Leffler "for Certificate (cert_len=%lu left=%lu)",
28839beb93cSSam Leffler (unsigned long) cert->cert_len,
28939beb93cSSam Leffler (unsigned long) (end - pos));
29039beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
29139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
29239beb93cSSam Leffler return -1;
29339beb93cSSam Leffler }
29439beb93cSSam Leffler WPA_PUT_BE24(pos, cert->cert_len);
29539beb93cSSam Leffler pos += 3;
29639beb93cSSam Leffler os_memcpy(pos, cert->cert_start, cert->cert_len);
29739beb93cSSam Leffler pos += cert->cert_len;
29839beb93cSSam Leffler
29939beb93cSSam Leffler if (x509_certificate_self_signed(cert))
30039beb93cSSam Leffler break;
30139beb93cSSam Leffler cert = x509_certificate_get_subject(conn->cred->trusted_certs,
30239beb93cSSam Leffler &cert->issuer);
30339beb93cSSam Leffler }
30439beb93cSSam Leffler if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
30539beb93cSSam Leffler /*
30639beb93cSSam Leffler * Client was not configured with all the needed certificates
30739beb93cSSam Leffler * to form a full certificate chain. The server may fail to
30839beb93cSSam Leffler * validate the chain unless it is configured with all the
30939beb93cSSam Leffler * missing CA certificates.
31039beb93cSSam Leffler */
31139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
31239beb93cSSam Leffler "not configured - validation may fail");
31339beb93cSSam Leffler }
31439beb93cSSam Leffler WPA_PUT_BE24(cert_start, pos - cert_start - 3);
31539beb93cSSam Leffler
31639beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3);
31739beb93cSSam Leffler
31839beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
319f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start,
320f05cddf9SRui Paulo &rlen) < 0) {
32139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
32239beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
32339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
32439beb93cSSam Leffler return -1;
32539beb93cSSam Leffler }
32639beb93cSSam Leffler pos = rhdr + rlen;
32739beb93cSSam Leffler
32839beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
32939beb93cSSam Leffler
33039beb93cSSam Leffler *msgpos = pos;
33139beb93cSSam Leffler
33239beb93cSSam Leffler return 0;
33339beb93cSSam Leffler }
33439beb93cSSam Leffler
33539beb93cSSam Leffler
tlsv1_key_x_dh(struct tlsv1_client * conn,u8 ** pos,u8 * end)3365b9c547cSRui Paulo static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
33739beb93cSSam Leffler {
33839beb93cSSam Leffler /* ClientDiffieHellmanPublic */
33939beb93cSSam Leffler u8 *csecret, *csecret_start, *dh_yc, *shared;
34039beb93cSSam Leffler size_t csecret_len, dh_yc_len, shared_len;
34139beb93cSSam Leffler
34239beb93cSSam Leffler csecret_len = conn->dh_p_len;
34339beb93cSSam Leffler csecret = os_malloc(csecret_len);
34439beb93cSSam Leffler if (csecret == NULL) {
34539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
34639beb93cSSam Leffler "memory for Yc (Diffie-Hellman)");
34739beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
34839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
34939beb93cSSam Leffler return -1;
35039beb93cSSam Leffler }
351f05cddf9SRui Paulo if (random_get_bytes(csecret, csecret_len)) {
35239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
35339beb93cSSam Leffler "data for Diffie-Hellman");
35439beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
35539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
35639beb93cSSam Leffler os_free(csecret);
35739beb93cSSam Leffler return -1;
35839beb93cSSam Leffler }
35939beb93cSSam Leffler
36039beb93cSSam Leffler if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
36139beb93cSSam Leffler csecret[0] = 0; /* make sure Yc < p */
36239beb93cSSam Leffler
36339beb93cSSam Leffler csecret_start = csecret;
36439beb93cSSam Leffler while (csecret_len > 1 && *csecret_start == 0) {
36539beb93cSSam Leffler csecret_start++;
36639beb93cSSam Leffler csecret_len--;
36739beb93cSSam Leffler }
36839beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
36939beb93cSSam Leffler csecret_start, csecret_len);
37039beb93cSSam Leffler
37139beb93cSSam Leffler /* Yc = g^csecret mod p */
37239beb93cSSam Leffler dh_yc_len = conn->dh_p_len;
37339beb93cSSam Leffler dh_yc = os_malloc(dh_yc_len);
37439beb93cSSam Leffler if (dh_yc == NULL) {
37539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
37639beb93cSSam Leffler "memory for Diffie-Hellman");
37739beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
37839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
37939beb93cSSam Leffler os_free(csecret);
38039beb93cSSam Leffler return -1;
38139beb93cSSam Leffler }
38239beb93cSSam Leffler if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
38339beb93cSSam Leffler csecret_start, csecret_len,
38439beb93cSSam Leffler conn->dh_p, conn->dh_p_len,
38539beb93cSSam Leffler dh_yc, &dh_yc_len)) {
38639beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
38739beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
38839beb93cSSam Leffler os_free(csecret);
38939beb93cSSam Leffler os_free(dh_yc);
39039beb93cSSam Leffler return -1;
39139beb93cSSam Leffler }
39239beb93cSSam Leffler
39339beb93cSSam Leffler wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
39439beb93cSSam Leffler dh_yc, dh_yc_len);
39539beb93cSSam Leffler
396780fb4a2SCy Schubert if (end - *pos < 2) {
397780fb4a2SCy Schubert tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
398780fb4a2SCy Schubert TLS_ALERT_INTERNAL_ERROR);
399780fb4a2SCy Schubert os_free(csecret);
400780fb4a2SCy Schubert os_free(dh_yc);
401780fb4a2SCy Schubert return -1;
402780fb4a2SCy Schubert }
40339beb93cSSam Leffler WPA_PUT_BE16(*pos, dh_yc_len);
40439beb93cSSam Leffler *pos += 2;
405780fb4a2SCy Schubert if (dh_yc_len > (size_t) (end - *pos)) {
40639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
40739beb93cSSam Leffler "message buffer for Yc");
40839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
40939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
41039beb93cSSam Leffler os_free(csecret);
41139beb93cSSam Leffler os_free(dh_yc);
41239beb93cSSam Leffler return -1;
41339beb93cSSam Leffler }
41439beb93cSSam Leffler os_memcpy(*pos, dh_yc, dh_yc_len);
41539beb93cSSam Leffler *pos += dh_yc_len;
41639beb93cSSam Leffler os_free(dh_yc);
41739beb93cSSam Leffler
41839beb93cSSam Leffler shared_len = conn->dh_p_len;
41939beb93cSSam Leffler shared = os_malloc(shared_len);
42039beb93cSSam Leffler if (shared == NULL) {
42139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
42239beb93cSSam Leffler "DH");
42339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
42539beb93cSSam Leffler os_free(csecret);
42639beb93cSSam Leffler return -1;
42739beb93cSSam Leffler }
42839beb93cSSam Leffler
42939beb93cSSam Leffler /* shared = Ys^csecret mod p */
43039beb93cSSam Leffler if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
43139beb93cSSam Leffler csecret_start, csecret_len,
43239beb93cSSam Leffler conn->dh_p, conn->dh_p_len,
43339beb93cSSam Leffler shared, &shared_len)) {
43439beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
43539beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
43639beb93cSSam Leffler os_free(csecret);
43739beb93cSSam Leffler os_free(shared);
43839beb93cSSam Leffler return -1;
43939beb93cSSam Leffler }
44039beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
44139beb93cSSam Leffler shared, shared_len);
44239beb93cSSam Leffler
44339beb93cSSam Leffler os_memset(csecret_start, 0, csecret_len);
44439beb93cSSam Leffler os_free(csecret);
44539beb93cSSam Leffler if (tls_derive_keys(conn, shared, shared_len)) {
44639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
44739beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
44839beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
44939beb93cSSam Leffler os_free(shared);
45039beb93cSSam Leffler return -1;
45139beb93cSSam Leffler }
45239beb93cSSam Leffler os_memset(shared, 0, shared_len);
45339beb93cSSam Leffler os_free(shared);
45439beb93cSSam Leffler tlsv1_client_free_dh(conn);
45539beb93cSSam Leffler return 0;
45639beb93cSSam Leffler }
45739beb93cSSam Leffler
45839beb93cSSam Leffler
tlsv1_key_x_rsa(struct tlsv1_client * conn,u8 ** pos,u8 * end)45939beb93cSSam Leffler static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
46039beb93cSSam Leffler {
46139beb93cSSam Leffler u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
46239beb93cSSam Leffler size_t clen;
46339beb93cSSam Leffler int res;
46439beb93cSSam Leffler
465*c1d255d3SCy Schubert if (tls_derive_pre_master_secret(conn, pre_master_secret) < 0 ||
46639beb93cSSam Leffler tls_derive_keys(conn, pre_master_secret,
46739beb93cSSam Leffler TLS_PRE_MASTER_SECRET_LEN)) {
46839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
46939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
47039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
47139beb93cSSam Leffler return -1;
47239beb93cSSam Leffler }
47339beb93cSSam Leffler
47439beb93cSSam Leffler /* EncryptedPreMasterSecret */
47539beb93cSSam Leffler if (conn->server_rsa_key == NULL) {
47639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
47739beb93cSSam Leffler "use for encrypting pre-master secret");
47839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
47939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
48039beb93cSSam Leffler return -1;
48139beb93cSSam Leffler }
48239beb93cSSam Leffler
48339beb93cSSam Leffler /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
48439beb93cSSam Leffler *pos += 2;
48539beb93cSSam Leffler clen = end - *pos;
48639beb93cSSam Leffler res = crypto_public_key_encrypt_pkcs1_v15(
48739beb93cSSam Leffler conn->server_rsa_key,
48839beb93cSSam Leffler pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
48939beb93cSSam Leffler *pos, &clen);
49039beb93cSSam Leffler os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
49139beb93cSSam Leffler if (res < 0) {
49239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
49339beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
49439beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
49539beb93cSSam Leffler return -1;
49639beb93cSSam Leffler }
49739beb93cSSam Leffler WPA_PUT_BE16(*pos - 2, clen);
49839beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
49939beb93cSSam Leffler *pos, clen);
50039beb93cSSam Leffler *pos += clen;
50139beb93cSSam Leffler
50239beb93cSSam Leffler return 0;
50339beb93cSSam Leffler }
50439beb93cSSam Leffler
50539beb93cSSam Leffler
tls_write_client_key_exchange(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)50639beb93cSSam Leffler static int tls_write_client_key_exchange(struct tlsv1_client *conn,
50739beb93cSSam Leffler u8 **msgpos, u8 *end)
50839beb93cSSam Leffler {
50939beb93cSSam Leffler u8 *pos, *rhdr, *hs_start, *hs_length;
51039beb93cSSam Leffler size_t rlen;
51139beb93cSSam Leffler tls_key_exchange keyx;
51239beb93cSSam Leffler const struct tls_cipher_suite *suite;
51339beb93cSSam Leffler
51439beb93cSSam Leffler suite = tls_get_cipher_suite(conn->rl.cipher_suite);
51539beb93cSSam Leffler if (suite == NULL)
51639beb93cSSam Leffler keyx = TLS_KEY_X_NULL;
51739beb93cSSam Leffler else
51839beb93cSSam Leffler keyx = suite->key_exchange;
51939beb93cSSam Leffler
52039beb93cSSam Leffler pos = *msgpos;
52139beb93cSSam Leffler
52239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
52339beb93cSSam Leffler
52439beb93cSSam Leffler rhdr = pos;
52539beb93cSSam Leffler pos += TLS_RECORD_HEADER_LEN;
52639beb93cSSam Leffler
52739beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */
52839beb93cSSam Leffler
52939beb93cSSam Leffler /* Handshake */
53039beb93cSSam Leffler hs_start = pos;
53139beb93cSSam Leffler /* HandshakeType msg_type */
53239beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
53339beb93cSSam Leffler /* uint24 length (to be filled) */
53439beb93cSSam Leffler hs_length = pos;
53539beb93cSSam Leffler pos += 3;
53639beb93cSSam Leffler /* body - ClientKeyExchange */
5375b9c547cSRui Paulo if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) {
5385b9c547cSRui Paulo if (tlsv1_key_x_dh(conn, &pos, end) < 0)
53939beb93cSSam Leffler return -1;
54039beb93cSSam Leffler } else {
54139beb93cSSam Leffler if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
54239beb93cSSam Leffler return -1;
54339beb93cSSam Leffler }
54439beb93cSSam Leffler
54539beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3);
54639beb93cSSam Leffler
54739beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
548f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start,
549f05cddf9SRui Paulo &rlen) < 0) {
55039beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
55139beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
55239beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
55339beb93cSSam Leffler return -1;
55439beb93cSSam Leffler }
55539beb93cSSam Leffler pos = rhdr + rlen;
55639beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
55739beb93cSSam Leffler
55839beb93cSSam Leffler *msgpos = pos;
55939beb93cSSam Leffler
56039beb93cSSam Leffler return 0;
56139beb93cSSam Leffler }
56239beb93cSSam Leffler
56339beb93cSSam Leffler
tls_write_client_certificate_verify(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)56439beb93cSSam Leffler static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
56539beb93cSSam Leffler u8 **msgpos, u8 *end)
56639beb93cSSam Leffler {
56739beb93cSSam Leffler u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
56839beb93cSSam Leffler size_t rlen, hlen, clen;
569f05cddf9SRui Paulo u8 hash[100], *hpos;
57039beb93cSSam Leffler
57139beb93cSSam Leffler pos = *msgpos;
57239beb93cSSam Leffler
57339beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
57439beb93cSSam Leffler rhdr = pos;
57539beb93cSSam Leffler pos += TLS_RECORD_HEADER_LEN;
57639beb93cSSam Leffler
57739beb93cSSam Leffler /* Handshake */
57839beb93cSSam Leffler hs_start = pos;
57939beb93cSSam Leffler /* HandshakeType msg_type */
58039beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
58139beb93cSSam Leffler /* uint24 length (to be filled) */
58239beb93cSSam Leffler hs_length = pos;
58339beb93cSSam Leffler pos += 3;
58439beb93cSSam Leffler
58539beb93cSSam Leffler /*
58639beb93cSSam Leffler * RFC 2246: 7.4.3 and 7.4.8:
58739beb93cSSam Leffler * Signature signature
58839beb93cSSam Leffler *
58939beb93cSSam Leffler * RSA:
59039beb93cSSam Leffler * digitally-signed struct {
59139beb93cSSam Leffler * opaque md5_hash[16];
59239beb93cSSam Leffler * opaque sha_hash[20];
59339beb93cSSam Leffler * };
59439beb93cSSam Leffler *
59539beb93cSSam Leffler * DSA:
59639beb93cSSam Leffler * digitally-signed struct {
59739beb93cSSam Leffler * opaque sha_hash[20];
59839beb93cSSam Leffler * };
59939beb93cSSam Leffler *
60039beb93cSSam Leffler * The hash values are calculated over all handshake messages sent or
60139beb93cSSam Leffler * received starting at ClientHello up to, but not including, this
60239beb93cSSam Leffler * CertificateVerify message, including the type and length fields of
60339beb93cSSam Leffler * the handshake messages.
60439beb93cSSam Leffler */
60539beb93cSSam Leffler
60639beb93cSSam Leffler hpos = hash;
60739beb93cSSam Leffler
608f05cddf9SRui Paulo #ifdef CONFIG_TLSV12
609f05cddf9SRui Paulo if (conn->rl.tls_version == TLS_VERSION_1_2) {
610f05cddf9SRui Paulo hlen = SHA256_MAC_LEN;
611f05cddf9SRui Paulo if (conn->verify.sha256_cert == NULL ||
612f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
613f05cddf9SRui Paulo 0) {
614f05cddf9SRui Paulo conn->verify.sha256_cert = NULL;
615f05cddf9SRui Paulo tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
616f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR);
617f05cddf9SRui Paulo return -1;
618f05cddf9SRui Paulo }
619f05cddf9SRui Paulo conn->verify.sha256_cert = NULL;
620f05cddf9SRui Paulo
621f05cddf9SRui Paulo /*
622f05cddf9SRui Paulo * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
623f05cddf9SRui Paulo *
624f05cddf9SRui Paulo * DigestInfo ::= SEQUENCE {
625f05cddf9SRui Paulo * digestAlgorithm DigestAlgorithm,
626f05cddf9SRui Paulo * digest OCTET STRING
627f05cddf9SRui Paulo * }
628f05cddf9SRui Paulo *
629f05cddf9SRui Paulo * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
630f05cddf9SRui Paulo *
631f05cddf9SRui Paulo * DER encoded DigestInfo for SHA256 per RFC 3447:
632f05cddf9SRui Paulo * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
633f05cddf9SRui Paulo * H
634f05cddf9SRui Paulo */
635f05cddf9SRui Paulo os_memmove(hash + 19, hash, hlen);
636f05cddf9SRui Paulo hlen += 19;
637f05cddf9SRui Paulo os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
638f05cddf9SRui Paulo "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
639f05cddf9SRui Paulo } else {
640f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */
641f05cddf9SRui Paulo
64239beb93cSSam Leffler hlen = MD5_MAC_LEN;
64339beb93cSSam Leffler if (conn->verify.md5_cert == NULL ||
6445b9c547cSRui Paulo crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
64539beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
64639beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
64739beb93cSSam Leffler conn->verify.md5_cert = NULL;
64839beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
64939beb93cSSam Leffler conn->verify.sha1_cert = NULL;
65039beb93cSSam Leffler return -1;
65139beb93cSSam Leffler }
65239beb93cSSam Leffler hpos += MD5_MAC_LEN;
65339beb93cSSam Leffler
65439beb93cSSam Leffler conn->verify.md5_cert = NULL;
65539beb93cSSam Leffler hlen = SHA1_MAC_LEN;
65639beb93cSSam Leffler if (conn->verify.sha1_cert == NULL ||
65739beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
65839beb93cSSam Leffler conn->verify.sha1_cert = NULL;
65939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
66039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
66139beb93cSSam Leffler return -1;
66239beb93cSSam Leffler }
66339beb93cSSam Leffler conn->verify.sha1_cert = NULL;
66439beb93cSSam Leffler
66539beb93cSSam Leffler hlen += MD5_MAC_LEN;
66639beb93cSSam Leffler
667f05cddf9SRui Paulo #ifdef CONFIG_TLSV12
668f05cddf9SRui Paulo }
669f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */
670f05cddf9SRui Paulo
67139beb93cSSam Leffler wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
67239beb93cSSam Leffler
673f05cddf9SRui Paulo #ifdef CONFIG_TLSV12
674f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) {
675f05cddf9SRui Paulo /*
676f05cddf9SRui Paulo * RFC 5246, 4.7:
677f05cddf9SRui Paulo * TLS v1.2 adds explicit indication of the used signature and
678f05cddf9SRui Paulo * hash algorithms.
679f05cddf9SRui Paulo *
680f05cddf9SRui Paulo * struct {
681f05cddf9SRui Paulo * HashAlgorithm hash;
682f05cddf9SRui Paulo * SignatureAlgorithm signature;
683f05cddf9SRui Paulo * } SignatureAndHashAlgorithm;
684f05cddf9SRui Paulo */
685f05cddf9SRui Paulo *pos++ = TLS_HASH_ALG_SHA256;
686f05cddf9SRui Paulo *pos++ = TLS_SIGN_ALG_RSA;
687f05cddf9SRui Paulo }
688f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */
689f05cddf9SRui Paulo
69039beb93cSSam Leffler /*
69139beb93cSSam Leffler * RFC 2246, 4.7:
69239beb93cSSam Leffler * In digital signing, one-way hash functions are used as input for a
69339beb93cSSam Leffler * signing algorithm. A digitally-signed element is encoded as an
69439beb93cSSam Leffler * opaque vector <0..2^16-1>, where the length is specified by the
69539beb93cSSam Leffler * signing algorithm and key.
69639beb93cSSam Leffler *
69739beb93cSSam Leffler * In RSA signing, a 36-byte structure of two hashes (one SHA and one
69839beb93cSSam Leffler * MD5) is signed (encrypted with the private key). It is encoded with
69939beb93cSSam Leffler * PKCS #1 block type 0 or type 1 as described in [PKCS1].
70039beb93cSSam Leffler */
70139beb93cSSam Leffler signed_start = pos; /* length to be filled */
70239beb93cSSam Leffler pos += 2;
70339beb93cSSam Leffler clen = end - pos;
70439beb93cSSam Leffler if (conn->cred == NULL ||
70539beb93cSSam Leffler crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
70639beb93cSSam Leffler pos, &clen) < 0) {
70739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
70839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
70939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
71039beb93cSSam Leffler return -1;
71139beb93cSSam Leffler }
71239beb93cSSam Leffler WPA_PUT_BE16(signed_start, clen);
71339beb93cSSam Leffler
71439beb93cSSam Leffler pos += clen;
71539beb93cSSam Leffler
71639beb93cSSam Leffler WPA_PUT_BE24(hs_length, pos - hs_length - 3);
71739beb93cSSam Leffler
71839beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
719f05cddf9SRui Paulo rhdr, end - rhdr, hs_start, pos - hs_start,
720f05cddf9SRui Paulo &rlen) < 0) {
72139beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
72239beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
72339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
72439beb93cSSam Leffler return -1;
72539beb93cSSam Leffler }
72639beb93cSSam Leffler pos = rhdr + rlen;
72739beb93cSSam Leffler
72839beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
72939beb93cSSam Leffler
73039beb93cSSam Leffler *msgpos = pos;
73139beb93cSSam Leffler
73239beb93cSSam Leffler return 0;
73339beb93cSSam Leffler }
73439beb93cSSam Leffler
73539beb93cSSam Leffler
tls_write_client_change_cipher_spec(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)73639beb93cSSam Leffler static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
73739beb93cSSam Leffler u8 **msgpos, u8 *end)
73839beb93cSSam Leffler {
73939beb93cSSam Leffler size_t rlen;
740f05cddf9SRui Paulo u8 payload[1];
74139beb93cSSam Leffler
74239beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
743f05cddf9SRui Paulo
744f05cddf9SRui Paulo payload[0] = TLS_CHANGE_CIPHER_SPEC;
745f05cddf9SRui Paulo
74639beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
747f05cddf9SRui Paulo *msgpos, end - *msgpos, payload, sizeof(payload),
748f05cddf9SRui Paulo &rlen) < 0) {
74939beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
75039beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
75139beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
75239beb93cSSam Leffler return -1;
75339beb93cSSam Leffler }
75439beb93cSSam Leffler
75539beb93cSSam Leffler if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
75639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
75739beb93cSSam Leffler "record layer");
75839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
75939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
76039beb93cSSam Leffler return -1;
76139beb93cSSam Leffler }
76239beb93cSSam Leffler
763f05cddf9SRui Paulo *msgpos += rlen;
76439beb93cSSam Leffler
76539beb93cSSam Leffler return 0;
76639beb93cSSam Leffler }
76739beb93cSSam Leffler
76839beb93cSSam Leffler
tls_write_client_finished(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)76939beb93cSSam Leffler static int tls_write_client_finished(struct tlsv1_client *conn,
77039beb93cSSam Leffler u8 **msgpos, u8 *end)
77139beb93cSSam Leffler {
772f05cddf9SRui Paulo u8 *pos, *hs_start;
77339beb93cSSam Leffler size_t rlen, hlen;
774f05cddf9SRui Paulo u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
77539beb93cSSam Leffler u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
77639beb93cSSam Leffler
77739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
77839beb93cSSam Leffler
77939beb93cSSam Leffler /* Encrypted Handshake Message: Finished */
78039beb93cSSam Leffler
781f05cddf9SRui Paulo #ifdef CONFIG_TLSV12
782f05cddf9SRui Paulo if (conn->rl.tls_version >= TLS_VERSION_1_2) {
783f05cddf9SRui Paulo hlen = SHA256_MAC_LEN;
784f05cddf9SRui Paulo if (conn->verify.sha256_client == NULL ||
785f05cddf9SRui Paulo crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
786f05cddf9SRui Paulo < 0) {
787f05cddf9SRui Paulo tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
788f05cddf9SRui Paulo TLS_ALERT_INTERNAL_ERROR);
789f05cddf9SRui Paulo conn->verify.sha256_client = NULL;
790f05cddf9SRui Paulo return -1;
791f05cddf9SRui Paulo }
792f05cddf9SRui Paulo conn->verify.sha256_client = NULL;
793f05cddf9SRui Paulo } else {
794f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */
795f05cddf9SRui Paulo
79639beb93cSSam Leffler hlen = MD5_MAC_LEN;
79739beb93cSSam Leffler if (conn->verify.md5_client == NULL ||
79839beb93cSSam Leffler crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
79939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
80039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
80139beb93cSSam Leffler conn->verify.md5_client = NULL;
80239beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
80339beb93cSSam Leffler conn->verify.sha1_client = NULL;
80439beb93cSSam Leffler return -1;
80539beb93cSSam Leffler }
80639beb93cSSam Leffler conn->verify.md5_client = NULL;
80739beb93cSSam Leffler hlen = SHA1_MAC_LEN;
80839beb93cSSam Leffler if (conn->verify.sha1_client == NULL ||
80939beb93cSSam Leffler crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
81039beb93cSSam Leffler &hlen) < 0) {
81139beb93cSSam Leffler conn->verify.sha1_client = NULL;
81239beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
81339beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
81439beb93cSSam Leffler return -1;
81539beb93cSSam Leffler }
81639beb93cSSam Leffler conn->verify.sha1_client = NULL;
817f05cddf9SRui Paulo hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
81839beb93cSSam Leffler
819f05cddf9SRui Paulo #ifdef CONFIG_TLSV12
820f05cddf9SRui Paulo }
821f05cddf9SRui Paulo #endif /* CONFIG_TLSV12 */
822f05cddf9SRui Paulo
823f05cddf9SRui Paulo if (tls_prf(conn->rl.tls_version,
824f05cddf9SRui Paulo conn->master_secret, TLS_MASTER_SECRET_LEN,
825f05cddf9SRui Paulo "client finished", hash, hlen,
826f05cddf9SRui Paulo verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
82739beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
82839beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
82939beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
83039beb93cSSam Leffler return -1;
83139beb93cSSam Leffler }
83239beb93cSSam Leffler wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
833f05cddf9SRui Paulo verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
83439beb93cSSam Leffler
83539beb93cSSam Leffler /* Handshake */
836f05cddf9SRui Paulo pos = hs_start = verify_data;
83739beb93cSSam Leffler /* HandshakeType msg_type */
83839beb93cSSam Leffler *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
839f05cddf9SRui Paulo /* uint24 length */
840f05cddf9SRui Paulo WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
84139beb93cSSam Leffler pos += 3;
842f05cddf9SRui Paulo pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */
84339beb93cSSam Leffler tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
84439beb93cSSam Leffler
84539beb93cSSam Leffler if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
846f05cddf9SRui Paulo *msgpos, end - *msgpos, hs_start, pos - hs_start,
847f05cddf9SRui Paulo &rlen) < 0) {
84839beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
84939beb93cSSam Leffler tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
85039beb93cSSam Leffler TLS_ALERT_INTERNAL_ERROR);
85139beb93cSSam Leffler return -1;
85239beb93cSSam Leffler }
85339beb93cSSam Leffler
854f05cddf9SRui Paulo *msgpos += rlen;
85539beb93cSSam Leffler
85639beb93cSSam Leffler return 0;
85739beb93cSSam Leffler }
85839beb93cSSam Leffler
85939beb93cSSam Leffler
tls_send_client_key_exchange(struct tlsv1_client * conn,size_t * out_len)86039beb93cSSam Leffler static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
86139beb93cSSam Leffler size_t *out_len)
86239beb93cSSam Leffler {
86339beb93cSSam Leffler u8 *msg, *end, *pos;
86439beb93cSSam Leffler size_t msglen;
86539beb93cSSam Leffler
86639beb93cSSam Leffler *out_len = 0;
86739beb93cSSam Leffler
868f05cddf9SRui Paulo msglen = 2000;
86939beb93cSSam Leffler if (conn->certificate_requested)
87039beb93cSSam Leffler msglen += tls_client_cert_chain_der_len(conn);
87139beb93cSSam Leffler
87239beb93cSSam Leffler msg = os_malloc(msglen);
87339beb93cSSam Leffler if (msg == NULL)
87439beb93cSSam Leffler return NULL;
87539beb93cSSam Leffler
87639beb93cSSam Leffler pos = msg;
87739beb93cSSam Leffler end = msg + msglen;
87839beb93cSSam Leffler
87939beb93cSSam Leffler if (conn->certificate_requested) {
88039beb93cSSam Leffler if (tls_write_client_certificate(conn, &pos, end) < 0) {
88139beb93cSSam Leffler os_free(msg);
88239beb93cSSam Leffler return NULL;
88339beb93cSSam Leffler }
88439beb93cSSam Leffler }
88539beb93cSSam Leffler
88639beb93cSSam Leffler if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
88739beb93cSSam Leffler (conn->certificate_requested && conn->cred && conn->cred->key &&
88839beb93cSSam Leffler tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
88939beb93cSSam Leffler tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
89039beb93cSSam Leffler tls_write_client_finished(conn, &pos, end) < 0) {
89139beb93cSSam Leffler os_free(msg);
89239beb93cSSam Leffler return NULL;
89339beb93cSSam Leffler }
89439beb93cSSam Leffler
89539beb93cSSam Leffler *out_len = pos - msg;
89639beb93cSSam Leffler
89739beb93cSSam Leffler conn->state = SERVER_CHANGE_CIPHER_SPEC;
89839beb93cSSam Leffler
89939beb93cSSam Leffler return msg;
90039beb93cSSam Leffler }
90139beb93cSSam Leffler
90239beb93cSSam Leffler
tls_send_change_cipher_spec(struct tlsv1_client * conn,size_t * out_len)90339beb93cSSam Leffler static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
90439beb93cSSam Leffler size_t *out_len)
90539beb93cSSam Leffler {
90639beb93cSSam Leffler u8 *msg, *end, *pos;
90739beb93cSSam Leffler
90839beb93cSSam Leffler *out_len = 0;
90939beb93cSSam Leffler
91039beb93cSSam Leffler msg = os_malloc(1000);
91139beb93cSSam Leffler if (msg == NULL)
91239beb93cSSam Leffler return NULL;
91339beb93cSSam Leffler
91439beb93cSSam Leffler pos = msg;
91539beb93cSSam Leffler end = msg + 1000;
91639beb93cSSam Leffler
91739beb93cSSam Leffler if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
91839beb93cSSam Leffler tls_write_client_finished(conn, &pos, end) < 0) {
91939beb93cSSam Leffler os_free(msg);
92039beb93cSSam Leffler return NULL;
92139beb93cSSam Leffler }
92239beb93cSSam Leffler
92339beb93cSSam Leffler *out_len = pos - msg;
92439beb93cSSam Leffler
92539beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
92639beb93cSSam Leffler "successfully");
927780fb4a2SCy Schubert if (!conn->session_resumed && conn->use_session_ticket)
928780fb4a2SCy Schubert conn->session_resumed = 1;
92939beb93cSSam Leffler conn->state = ESTABLISHED;
93039beb93cSSam Leffler
93139beb93cSSam Leffler return msg;
93239beb93cSSam Leffler }
93339beb93cSSam Leffler
93439beb93cSSam Leffler
tlsv1_client_handshake_write(struct tlsv1_client * conn,size_t * out_len,int no_appl_data)93539beb93cSSam Leffler u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
93639beb93cSSam Leffler int no_appl_data)
93739beb93cSSam Leffler {
93839beb93cSSam Leffler switch (conn->state) {
93939beb93cSSam Leffler case CLIENT_KEY_EXCHANGE:
94039beb93cSSam Leffler return tls_send_client_key_exchange(conn, out_len);
94139beb93cSSam Leffler case CHANGE_CIPHER_SPEC:
94239beb93cSSam Leffler return tls_send_change_cipher_spec(conn, out_len);
94339beb93cSSam Leffler case ACK_FINISHED:
94439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
94539beb93cSSam Leffler "successfully");
94639beb93cSSam Leffler conn->state = ESTABLISHED;
94739beb93cSSam Leffler *out_len = 0;
94839beb93cSSam Leffler if (no_appl_data) {
94939beb93cSSam Leffler /* Need to return something to get final TLS ACK. */
95039beb93cSSam Leffler return os_malloc(1);
95139beb93cSSam Leffler }
95239beb93cSSam Leffler return NULL;
95339beb93cSSam Leffler default:
95439beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
95539beb93cSSam Leffler "generating reply", conn->state);
95639beb93cSSam Leffler return NULL;
95739beb93cSSam Leffler }
95839beb93cSSam Leffler }
95939beb93cSSam Leffler
96039beb93cSSam Leffler
tlsv1_client_send_alert(struct tlsv1_client * conn,u8 level,u8 description,size_t * out_len)96139beb93cSSam Leffler u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
96239beb93cSSam Leffler u8 description, size_t *out_len)
96339beb93cSSam Leffler {
96439beb93cSSam Leffler u8 *alert, *pos, *length;
96539beb93cSSam Leffler
96639beb93cSSam Leffler wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
96739beb93cSSam Leffler *out_len = 0;
96839beb93cSSam Leffler
96939beb93cSSam Leffler alert = os_malloc(10);
97039beb93cSSam Leffler if (alert == NULL)
97139beb93cSSam Leffler return NULL;
97239beb93cSSam Leffler
97339beb93cSSam Leffler pos = alert;
97439beb93cSSam Leffler
97539beb93cSSam Leffler /* TLSPlaintext */
97639beb93cSSam Leffler /* ContentType type */
97739beb93cSSam Leffler *pos++ = TLS_CONTENT_TYPE_ALERT;
97839beb93cSSam Leffler /* ProtocolVersion version */
979f05cddf9SRui Paulo WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
980f05cddf9SRui Paulo TLS_VERSION);
98139beb93cSSam Leffler pos += 2;
98239beb93cSSam Leffler /* uint16 length (to be filled) */
98339beb93cSSam Leffler length = pos;
98439beb93cSSam Leffler pos += 2;
98539beb93cSSam Leffler /* opaque fragment[TLSPlaintext.length] */
98639beb93cSSam Leffler
98739beb93cSSam Leffler /* Alert */
98839beb93cSSam Leffler /* AlertLevel level */
98939beb93cSSam Leffler *pos++ = level;
99039beb93cSSam Leffler /* AlertDescription description */
99139beb93cSSam Leffler *pos++ = description;
99239beb93cSSam Leffler
99339beb93cSSam Leffler WPA_PUT_BE16(length, pos - length - 2);
99439beb93cSSam Leffler *out_len = pos - alert;
99539beb93cSSam Leffler
99639beb93cSSam Leffler return alert;
99739beb93cSSam Leffler }
998