xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_write.c (revision 6472ac3d8a86336899b6cfb789a4cd9897e3fab5)
1 /*
2  * TLSv1 client - write handshake message
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
21 #include "x509v3.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_client.h"
25 #include "tlsv1_client_i.h"
26 
27 
28 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
29 {
30 	size_t len = 0;
31 	struct x509_certificate *cert;
32 
33 	if (conn->cred == NULL)
34 		return 0;
35 
36 	cert = conn->cred->cert;
37 	while (cert) {
38 		len += 3 + cert->cert_len;
39 		if (x509_certificate_self_signed(cert))
40 			break;
41 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
42 						    &cert->issuer);
43 	}
44 
45 	return len;
46 }
47 
48 
49 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
50 {
51 	u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
52 	struct os_time now;
53 	size_t len, i;
54 
55 	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello");
56 	*out_len = 0;
57 
58 	os_get_time(&now);
59 	WPA_PUT_BE32(conn->client_random, now.sec);
60 	if (os_get_random(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
61 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
62 			   "client_random");
63 		return NULL;
64 	}
65 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
66 		    conn->client_random, TLS_RANDOM_LEN);
67 
68 	len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
69 	hello = os_malloc(len);
70 	if (hello == NULL)
71 		return NULL;
72 	end = hello + len;
73 
74 	rhdr = hello;
75 	pos = rhdr + TLS_RECORD_HEADER_LEN;
76 
77 	/* opaque fragment[TLSPlaintext.length] */
78 
79 	/* Handshake */
80 	hs_start = pos;
81 	/* HandshakeType msg_type */
82 	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
83 	/* uint24 length (to be filled) */
84 	hs_length = pos;
85 	pos += 3;
86 	/* body - ClientHello */
87 	/* ProtocolVersion client_version */
88 	WPA_PUT_BE16(pos, TLS_VERSION);
89 	pos += 2;
90 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
91 	os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
92 	pos += TLS_RANDOM_LEN;
93 	/* SessionID session_id */
94 	*pos++ = conn->session_id_len;
95 	os_memcpy(pos, conn->session_id, conn->session_id_len);
96 	pos += conn->session_id_len;
97 	/* CipherSuite cipher_suites<2..2^16-1> */
98 	WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
99 	pos += 2;
100 	for (i = 0; i < conn->num_cipher_suites; i++) {
101 		WPA_PUT_BE16(pos, conn->cipher_suites[i]);
102 		pos += 2;
103 	}
104 	/* CompressionMethod compression_methods<1..2^8-1> */
105 	*pos++ = 1;
106 	*pos++ = TLS_COMPRESSION_NULL;
107 
108 	if (conn->client_hello_ext) {
109 		os_memcpy(pos, conn->client_hello_ext,
110 			  conn->client_hello_ext_len);
111 		pos += conn->client_hello_ext_len;
112 	}
113 
114 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
115 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
116 
117 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
118 			      rhdr, end - rhdr, pos - hs_start, out_len) < 0) {
119 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
120 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
121 			  TLS_ALERT_INTERNAL_ERROR);
122 		os_free(hello);
123 		return NULL;
124 	}
125 
126 	conn->state = SERVER_HELLO;
127 
128 	return hello;
129 }
130 
131 
132 static int tls_write_client_certificate(struct tlsv1_client *conn,
133 					u8 **msgpos, u8 *end)
134 {
135 	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
136 	size_t rlen;
137 	struct x509_certificate *cert;
138 
139 	pos = *msgpos;
140 
141 	wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
142 	rhdr = pos;
143 	pos += TLS_RECORD_HEADER_LEN;
144 
145 	/* opaque fragment[TLSPlaintext.length] */
146 
147 	/* Handshake */
148 	hs_start = pos;
149 	/* HandshakeType msg_type */
150 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
151 	/* uint24 length (to be filled) */
152 	hs_length = pos;
153 	pos += 3;
154 	/* body - Certificate */
155 	/* uint24 length (to be filled) */
156 	cert_start = pos;
157 	pos += 3;
158 	cert = conn->cred ? conn->cred->cert : NULL;
159 	while (cert) {
160 		if (pos + 3 + cert->cert_len > end) {
161 			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
162 				   "for Certificate (cert_len=%lu left=%lu)",
163 				   (unsigned long) cert->cert_len,
164 				   (unsigned long) (end - pos));
165 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
166 				  TLS_ALERT_INTERNAL_ERROR);
167 			return -1;
168 		}
169 		WPA_PUT_BE24(pos, cert->cert_len);
170 		pos += 3;
171 		os_memcpy(pos, cert->cert_start, cert->cert_len);
172 		pos += cert->cert_len;
173 
174 		if (x509_certificate_self_signed(cert))
175 			break;
176 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
177 						    &cert->issuer);
178 	}
179 	if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
180 		/*
181 		 * Client was not configured with all the needed certificates
182 		 * to form a full certificate chain. The server may fail to
183 		 * validate the chain unless it is configured with all the
184 		 * missing CA certificates.
185 		 */
186 		wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
187 			   "not configured - validation may fail");
188 	}
189 	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
190 
191 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
192 
193 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
194 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
195 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
196 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
197 			  TLS_ALERT_INTERNAL_ERROR);
198 		return -1;
199 	}
200 	pos = rhdr + rlen;
201 
202 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
203 
204 	*msgpos = pos;
205 
206 	return 0;
207 }
208 
209 
210 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
211 {
212 	/* ClientDiffieHellmanPublic */
213 	u8 *csecret, *csecret_start, *dh_yc, *shared;
214 	size_t csecret_len, dh_yc_len, shared_len;
215 
216 	csecret_len = conn->dh_p_len;
217 	csecret = os_malloc(csecret_len);
218 	if (csecret == NULL) {
219 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
220 			   "memory for Yc (Diffie-Hellman)");
221 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
222 			  TLS_ALERT_INTERNAL_ERROR);
223 		return -1;
224 	}
225 	if (os_get_random(csecret, csecret_len)) {
226 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
227 			   "data for Diffie-Hellman");
228 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
229 			  TLS_ALERT_INTERNAL_ERROR);
230 		os_free(csecret);
231 		return -1;
232 	}
233 
234 	if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
235 		csecret[0] = 0; /* make sure Yc < p */
236 
237 	csecret_start = csecret;
238 	while (csecret_len > 1 && *csecret_start == 0) {
239 		csecret_start++;
240 		csecret_len--;
241 	}
242 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
243 			csecret_start, csecret_len);
244 
245 	/* Yc = g^csecret mod p */
246 	dh_yc_len = conn->dh_p_len;
247 	dh_yc = os_malloc(dh_yc_len);
248 	if (dh_yc == NULL) {
249 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
250 			   "memory for Diffie-Hellman");
251 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
252 			  TLS_ALERT_INTERNAL_ERROR);
253 		os_free(csecret);
254 		return -1;
255 	}
256 	if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
257 			   csecret_start, csecret_len,
258 			   conn->dh_p, conn->dh_p_len,
259 			   dh_yc, &dh_yc_len)) {
260 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
261 			  TLS_ALERT_INTERNAL_ERROR);
262 		os_free(csecret);
263 		os_free(dh_yc);
264 		return -1;
265 	}
266 
267 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
268 		    dh_yc, dh_yc_len);
269 
270 	WPA_PUT_BE16(*pos, dh_yc_len);
271 	*pos += 2;
272 	if (*pos + dh_yc_len > end) {
273 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
274 			   "message buffer for Yc");
275 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
276 			  TLS_ALERT_INTERNAL_ERROR);
277 		os_free(csecret);
278 		os_free(dh_yc);
279 		return -1;
280 	}
281 	os_memcpy(*pos, dh_yc, dh_yc_len);
282 	*pos += dh_yc_len;
283 	os_free(dh_yc);
284 
285 	shared_len = conn->dh_p_len;
286 	shared = os_malloc(shared_len);
287 	if (shared == NULL) {
288 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
289 			   "DH");
290 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 			  TLS_ALERT_INTERNAL_ERROR);
292 		os_free(csecret);
293 		return -1;
294 	}
295 
296 	/* shared = Ys^csecret mod p */
297 	if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
298 			   csecret_start, csecret_len,
299 			   conn->dh_p, conn->dh_p_len,
300 			   shared, &shared_len)) {
301 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
302 			  TLS_ALERT_INTERNAL_ERROR);
303 		os_free(csecret);
304 		os_free(shared);
305 		return -1;
306 	}
307 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
308 			shared, shared_len);
309 
310 	os_memset(csecret_start, 0, csecret_len);
311 	os_free(csecret);
312 	if (tls_derive_keys(conn, shared, shared_len)) {
313 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
314 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
315 			  TLS_ALERT_INTERNAL_ERROR);
316 		os_free(shared);
317 		return -1;
318 	}
319 	os_memset(shared, 0, shared_len);
320 	os_free(shared);
321 	tlsv1_client_free_dh(conn);
322 	return 0;
323 }
324 
325 
326 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
327 {
328 	u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
329 	size_t clen;
330 	int res;
331 
332 	if (tls_derive_pre_master_secret(pre_master_secret) < 0 ||
333 	    tls_derive_keys(conn, pre_master_secret,
334 			    TLS_PRE_MASTER_SECRET_LEN)) {
335 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
336 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
337 			  TLS_ALERT_INTERNAL_ERROR);
338 		return -1;
339 	}
340 
341 	/* EncryptedPreMasterSecret */
342 	if (conn->server_rsa_key == NULL) {
343 		wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
344 			   "use for encrypting pre-master secret");
345 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
346 			  TLS_ALERT_INTERNAL_ERROR);
347 		return -1;
348 	}
349 
350 	/* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
351 	*pos += 2;
352 	clen = end - *pos;
353 	res = crypto_public_key_encrypt_pkcs1_v15(
354 		conn->server_rsa_key,
355 		pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
356 		*pos, &clen);
357 	os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
358 	if (res < 0) {
359 		wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
360 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
361 			  TLS_ALERT_INTERNAL_ERROR);
362 		return -1;
363 	}
364 	WPA_PUT_BE16(*pos - 2, clen);
365 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
366 		    *pos, clen);
367 	*pos += clen;
368 
369 	return 0;
370 }
371 
372 
373 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
374 					 u8 **msgpos, u8 *end)
375 {
376 	u8 *pos, *rhdr, *hs_start, *hs_length;
377 	size_t rlen;
378 	tls_key_exchange keyx;
379 	const struct tls_cipher_suite *suite;
380 
381 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
382 	if (suite == NULL)
383 		keyx = TLS_KEY_X_NULL;
384 	else
385 		keyx = suite->key_exchange;
386 
387 	pos = *msgpos;
388 
389 	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
390 
391 	rhdr = pos;
392 	pos += TLS_RECORD_HEADER_LEN;
393 
394 	/* opaque fragment[TLSPlaintext.length] */
395 
396 	/* Handshake */
397 	hs_start = pos;
398 	/* HandshakeType msg_type */
399 	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
400 	/* uint24 length (to be filled) */
401 	hs_length = pos;
402 	pos += 3;
403 	/* body - ClientKeyExchange */
404 	if (keyx == TLS_KEY_X_DH_anon) {
405 		if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0)
406 			return -1;
407 	} else {
408 		if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
409 			return -1;
410 	}
411 
412 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
413 
414 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
415 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
416 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
417 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
418 			  TLS_ALERT_INTERNAL_ERROR);
419 		return -1;
420 	}
421 	pos = rhdr + rlen;
422 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
423 
424 	*msgpos = pos;
425 
426 	return 0;
427 }
428 
429 
430 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
431 					       u8 **msgpos, u8 *end)
432 {
433 	u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
434 	size_t rlen, hlen, clen;
435 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
436 	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
437 
438 	pos = *msgpos;
439 
440 	wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
441 	rhdr = pos;
442 	pos += TLS_RECORD_HEADER_LEN;
443 
444 	/* Handshake */
445 	hs_start = pos;
446 	/* HandshakeType msg_type */
447 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
448 	/* uint24 length (to be filled) */
449 	hs_length = pos;
450 	pos += 3;
451 
452 	/*
453 	 * RFC 2246: 7.4.3 and 7.4.8:
454 	 * Signature signature
455 	 *
456 	 * RSA:
457 	 * digitally-signed struct {
458 	 *     opaque md5_hash[16];
459 	 *     opaque sha_hash[20];
460 	 * };
461 	 *
462 	 * DSA:
463 	 * digitally-signed struct {
464 	 *     opaque sha_hash[20];
465 	 * };
466 	 *
467 	 * The hash values are calculated over all handshake messages sent or
468 	 * received starting at ClientHello up to, but not including, this
469 	 * CertificateVerify message, including the type and length fields of
470 	 * the handshake messages.
471 	 */
472 
473 	hpos = hash;
474 
475 	if (alg == SIGN_ALG_RSA) {
476 		hlen = MD5_MAC_LEN;
477 		if (conn->verify.md5_cert == NULL ||
478 		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
479 		{
480 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
481 				  TLS_ALERT_INTERNAL_ERROR);
482 			conn->verify.md5_cert = NULL;
483 			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
484 			conn->verify.sha1_cert = NULL;
485 			return -1;
486 		}
487 		hpos += MD5_MAC_LEN;
488 	} else
489 		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
490 
491 	conn->verify.md5_cert = NULL;
492 	hlen = SHA1_MAC_LEN;
493 	if (conn->verify.sha1_cert == NULL ||
494 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
495 		conn->verify.sha1_cert = NULL;
496 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
497 			  TLS_ALERT_INTERNAL_ERROR);
498 		return -1;
499 	}
500 	conn->verify.sha1_cert = NULL;
501 
502 	if (alg == SIGN_ALG_RSA)
503 		hlen += MD5_MAC_LEN;
504 
505 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
506 
507 	/*
508 	 * RFC 2246, 4.7:
509 	 * In digital signing, one-way hash functions are used as input for a
510 	 * signing algorithm. A digitally-signed element is encoded as an
511 	 * opaque vector <0..2^16-1>, where the length is specified by the
512 	 * signing algorithm and key.
513 	 *
514 	 * In RSA signing, a 36-byte structure of two hashes (one SHA and one
515 	 * MD5) is signed (encrypted with the private key). It is encoded with
516 	 * PKCS #1 block type 0 or type 1 as described in [PKCS1].
517 	 */
518 	signed_start = pos; /* length to be filled */
519 	pos += 2;
520 	clen = end - pos;
521 	if (conn->cred == NULL ||
522 	    crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
523 					  pos, &clen) < 0) {
524 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
525 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
526 			  TLS_ALERT_INTERNAL_ERROR);
527 		return -1;
528 	}
529 	WPA_PUT_BE16(signed_start, clen);
530 
531 	pos += clen;
532 
533 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
534 
535 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
536 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
537 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
538 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
539 			  TLS_ALERT_INTERNAL_ERROR);
540 		return -1;
541 	}
542 	pos = rhdr + rlen;
543 
544 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
545 
546 	*msgpos = pos;
547 
548 	return 0;
549 }
550 
551 
552 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
553 					       u8 **msgpos, u8 *end)
554 {
555 	u8 *pos, *rhdr;
556 	size_t rlen;
557 
558 	pos = *msgpos;
559 
560 	wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
561 	rhdr = pos;
562 	pos += TLS_RECORD_HEADER_LEN;
563 	*pos = TLS_CHANGE_CIPHER_SPEC;
564 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
565 			      rhdr, end - rhdr, 1, &rlen) < 0) {
566 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
567 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
568 			  TLS_ALERT_INTERNAL_ERROR);
569 		return -1;
570 	}
571 
572 	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
573 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
574 			   "record layer");
575 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
576 			  TLS_ALERT_INTERNAL_ERROR);
577 		return -1;
578 	}
579 
580 	*msgpos = rhdr + rlen;
581 
582 	return 0;
583 }
584 
585 
586 static int tls_write_client_finished(struct tlsv1_client *conn,
587 				     u8 **msgpos, u8 *end)
588 {
589 	u8 *pos, *rhdr, *hs_start, *hs_length;
590 	size_t rlen, hlen;
591 	u8 verify_data[TLS_VERIFY_DATA_LEN];
592 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
593 
594 	pos = *msgpos;
595 
596 	wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
597 
598 	/* Encrypted Handshake Message: Finished */
599 
600 	hlen = MD5_MAC_LEN;
601 	if (conn->verify.md5_client == NULL ||
602 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
603 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
604 			  TLS_ALERT_INTERNAL_ERROR);
605 		conn->verify.md5_client = NULL;
606 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
607 		conn->verify.sha1_client = NULL;
608 		return -1;
609 	}
610 	conn->verify.md5_client = NULL;
611 	hlen = SHA1_MAC_LEN;
612 	if (conn->verify.sha1_client == NULL ||
613 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
614 			       &hlen) < 0) {
615 		conn->verify.sha1_client = NULL;
616 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
617 			  TLS_ALERT_INTERNAL_ERROR);
618 		return -1;
619 	}
620 	conn->verify.sha1_client = NULL;
621 
622 	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
623 		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
624 		    verify_data, TLS_VERIFY_DATA_LEN)) {
625 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
626 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
627 			  TLS_ALERT_INTERNAL_ERROR);
628 		return -1;
629 	}
630 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
631 			verify_data, TLS_VERIFY_DATA_LEN);
632 
633 	rhdr = pos;
634 	pos += TLS_RECORD_HEADER_LEN;
635 	/* Handshake */
636 	hs_start = pos;
637 	/* HandshakeType msg_type */
638 	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
639 	/* uint24 length (to be filled) */
640 	hs_length = pos;
641 	pos += 3;
642 	os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN);
643 	pos += TLS_VERIFY_DATA_LEN;
644 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
645 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
646 
647 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
648 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
649 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
650 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
651 			  TLS_ALERT_INTERNAL_ERROR);
652 		return -1;
653 	}
654 
655 	pos = rhdr + rlen;
656 
657 	*msgpos = pos;
658 
659 	return 0;
660 }
661 
662 
663 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
664 					 size_t *out_len)
665 {
666 	u8 *msg, *end, *pos;
667 	size_t msglen;
668 
669 	*out_len = 0;
670 
671 	msglen = 1000;
672 	if (conn->certificate_requested)
673 		msglen += tls_client_cert_chain_der_len(conn);
674 
675 	msg = os_malloc(msglen);
676 	if (msg == NULL)
677 		return NULL;
678 
679 	pos = msg;
680 	end = msg + msglen;
681 
682 	if (conn->certificate_requested) {
683 		if (tls_write_client_certificate(conn, &pos, end) < 0) {
684 			os_free(msg);
685 			return NULL;
686 		}
687 	}
688 
689 	if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
690 	    (conn->certificate_requested && conn->cred && conn->cred->key &&
691 	     tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
692 	    tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
693 	    tls_write_client_finished(conn, &pos, end) < 0) {
694 		os_free(msg);
695 		return NULL;
696 	}
697 
698 	*out_len = pos - msg;
699 
700 	conn->state = SERVER_CHANGE_CIPHER_SPEC;
701 
702 	return msg;
703 }
704 
705 
706 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
707 					size_t *out_len)
708 {
709 	u8 *msg, *end, *pos;
710 
711 	*out_len = 0;
712 
713 	msg = os_malloc(1000);
714 	if (msg == NULL)
715 		return NULL;
716 
717 	pos = msg;
718 	end = msg + 1000;
719 
720 	if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
721 	    tls_write_client_finished(conn, &pos, end) < 0) {
722 		os_free(msg);
723 		return NULL;
724 	}
725 
726 	*out_len = pos - msg;
727 
728 	wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
729 		   "successfully");
730 	conn->state = ESTABLISHED;
731 
732 	return msg;
733 }
734 
735 
736 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
737 				  int no_appl_data)
738 {
739 	switch (conn->state) {
740 	case CLIENT_KEY_EXCHANGE:
741 		return tls_send_client_key_exchange(conn, out_len);
742 	case CHANGE_CIPHER_SPEC:
743 		return tls_send_change_cipher_spec(conn, out_len);
744 	case ACK_FINISHED:
745 		wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
746 			   "successfully");
747 		conn->state = ESTABLISHED;
748 		*out_len = 0;
749 		if (no_appl_data) {
750 			/* Need to return something to get final TLS ACK. */
751 			return os_malloc(1);
752 		}
753 		return NULL;
754 	default:
755 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
756 			   "generating reply", conn->state);
757 		return NULL;
758 	}
759 }
760 
761 
762 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
763 			     u8 description, size_t *out_len)
764 {
765 	u8 *alert, *pos, *length;
766 
767 	wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
768 	*out_len = 0;
769 
770 	alert = os_malloc(10);
771 	if (alert == NULL)
772 		return NULL;
773 
774 	pos = alert;
775 
776 	/* TLSPlaintext */
777 	/* ContentType type */
778 	*pos++ = TLS_CONTENT_TYPE_ALERT;
779 	/* ProtocolVersion version */
780 	WPA_PUT_BE16(pos, TLS_VERSION);
781 	pos += 2;
782 	/* uint16 length (to be filled) */
783 	length = pos;
784 	pos += 2;
785 	/* opaque fragment[TLSPlaintext.length] */
786 
787 	/* Alert */
788 	/* AlertLevel level */
789 	*pos++ = level;
790 	/* AlertDescription description */
791 	*pos++ = description;
792 
793 	WPA_PUT_BE16(length, pos - length - 2);
794 	*out_len = pos - alert;
795 
796 	return alert;
797 }
798