1 /* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/md5.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "x509v3.h" 22 #include "tlsv1_common.h" 23 #include "tlsv1_record.h" 24 #include "tlsv1_client.h" 25 #include "tlsv1_client_i.h" 26 27 28 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 29 { 30 size_t len = 0; 31 struct x509_certificate *cert; 32 33 if (conn->cred == NULL) 34 return 0; 35 36 cert = conn->cred->cert; 37 while (cert) { 38 len += 3 + cert->cert_len; 39 if (x509_certificate_self_signed(cert)) 40 break; 41 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 42 &cert->issuer); 43 } 44 45 return len; 46 } 47 48 49 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 50 { 51 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 52 struct os_time now; 53 size_t len, i; 54 55 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello"); 56 *out_len = 0; 57 58 os_get_time(&now); 59 WPA_PUT_BE32(conn->client_random, now.sec); 60 if (os_get_random(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 61 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 62 "client_random"); 63 return NULL; 64 } 65 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 66 conn->client_random, TLS_RANDOM_LEN); 67 68 len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 69 hello = os_malloc(len); 70 if (hello == NULL) 71 return NULL; 72 end = hello + len; 73 74 rhdr = hello; 75 pos = rhdr + TLS_RECORD_HEADER_LEN; 76 77 /* opaque fragment[TLSPlaintext.length] */ 78 79 /* Handshake */ 80 hs_start = pos; 81 /* HandshakeType msg_type */ 82 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 83 /* uint24 length (to be filled) */ 84 hs_length = pos; 85 pos += 3; 86 /* body - ClientHello */ 87 /* ProtocolVersion client_version */ 88 WPA_PUT_BE16(pos, TLS_VERSION); 89 pos += 2; 90 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 91 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 92 pos += TLS_RANDOM_LEN; 93 /* SessionID session_id */ 94 *pos++ = conn->session_id_len; 95 os_memcpy(pos, conn->session_id, conn->session_id_len); 96 pos += conn->session_id_len; 97 /* CipherSuite cipher_suites<2..2^16-1> */ 98 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 99 pos += 2; 100 for (i = 0; i < conn->num_cipher_suites; i++) { 101 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 102 pos += 2; 103 } 104 /* CompressionMethod compression_methods<1..2^8-1> */ 105 *pos++ = 1; 106 *pos++ = TLS_COMPRESSION_NULL; 107 108 if (conn->client_hello_ext) { 109 os_memcpy(pos, conn->client_hello_ext, 110 conn->client_hello_ext_len); 111 pos += conn->client_hello_ext_len; 112 } 113 114 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 115 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 116 117 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 118 rhdr, end - rhdr, pos - hs_start, out_len) < 0) { 119 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 120 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 121 TLS_ALERT_INTERNAL_ERROR); 122 os_free(hello); 123 return NULL; 124 } 125 126 conn->state = SERVER_HELLO; 127 128 return hello; 129 } 130 131 132 static int tls_write_client_certificate(struct tlsv1_client *conn, 133 u8 **msgpos, u8 *end) 134 { 135 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 136 size_t rlen; 137 struct x509_certificate *cert; 138 139 pos = *msgpos; 140 141 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 142 rhdr = pos; 143 pos += TLS_RECORD_HEADER_LEN; 144 145 /* opaque fragment[TLSPlaintext.length] */ 146 147 /* Handshake */ 148 hs_start = pos; 149 /* HandshakeType msg_type */ 150 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 151 /* uint24 length (to be filled) */ 152 hs_length = pos; 153 pos += 3; 154 /* body - Certificate */ 155 /* uint24 length (to be filled) */ 156 cert_start = pos; 157 pos += 3; 158 cert = conn->cred ? conn->cred->cert : NULL; 159 while (cert) { 160 if (pos + 3 + cert->cert_len > end) { 161 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 162 "for Certificate (cert_len=%lu left=%lu)", 163 (unsigned long) cert->cert_len, 164 (unsigned long) (end - pos)); 165 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 166 TLS_ALERT_INTERNAL_ERROR); 167 return -1; 168 } 169 WPA_PUT_BE24(pos, cert->cert_len); 170 pos += 3; 171 os_memcpy(pos, cert->cert_start, cert->cert_len); 172 pos += cert->cert_len; 173 174 if (x509_certificate_self_signed(cert)) 175 break; 176 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 177 &cert->issuer); 178 } 179 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 180 /* 181 * Client was not configured with all the needed certificates 182 * to form a full certificate chain. The server may fail to 183 * validate the chain unless it is configured with all the 184 * missing CA certificates. 185 */ 186 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 187 "not configured - validation may fail"); 188 } 189 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 190 191 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 192 193 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 194 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 195 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 196 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 197 TLS_ALERT_INTERNAL_ERROR); 198 return -1; 199 } 200 pos = rhdr + rlen; 201 202 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 203 204 *msgpos = pos; 205 206 return 0; 207 } 208 209 210 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 211 { 212 /* ClientDiffieHellmanPublic */ 213 u8 *csecret, *csecret_start, *dh_yc, *shared; 214 size_t csecret_len, dh_yc_len, shared_len; 215 216 csecret_len = conn->dh_p_len; 217 csecret = os_malloc(csecret_len); 218 if (csecret == NULL) { 219 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 220 "memory for Yc (Diffie-Hellman)"); 221 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 222 TLS_ALERT_INTERNAL_ERROR); 223 return -1; 224 } 225 if (os_get_random(csecret, csecret_len)) { 226 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 227 "data for Diffie-Hellman"); 228 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 229 TLS_ALERT_INTERNAL_ERROR); 230 os_free(csecret); 231 return -1; 232 } 233 234 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 235 csecret[0] = 0; /* make sure Yc < p */ 236 237 csecret_start = csecret; 238 while (csecret_len > 1 && *csecret_start == 0) { 239 csecret_start++; 240 csecret_len--; 241 } 242 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 243 csecret_start, csecret_len); 244 245 /* Yc = g^csecret mod p */ 246 dh_yc_len = conn->dh_p_len; 247 dh_yc = os_malloc(dh_yc_len); 248 if (dh_yc == NULL) { 249 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 250 "memory for Diffie-Hellman"); 251 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 252 TLS_ALERT_INTERNAL_ERROR); 253 os_free(csecret); 254 return -1; 255 } 256 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 257 csecret_start, csecret_len, 258 conn->dh_p, conn->dh_p_len, 259 dh_yc, &dh_yc_len)) { 260 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 261 TLS_ALERT_INTERNAL_ERROR); 262 os_free(csecret); 263 os_free(dh_yc); 264 return -1; 265 } 266 267 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 268 dh_yc, dh_yc_len); 269 270 WPA_PUT_BE16(*pos, dh_yc_len); 271 *pos += 2; 272 if (*pos + dh_yc_len > end) { 273 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 274 "message buffer for Yc"); 275 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 276 TLS_ALERT_INTERNAL_ERROR); 277 os_free(csecret); 278 os_free(dh_yc); 279 return -1; 280 } 281 os_memcpy(*pos, dh_yc, dh_yc_len); 282 *pos += dh_yc_len; 283 os_free(dh_yc); 284 285 shared_len = conn->dh_p_len; 286 shared = os_malloc(shared_len); 287 if (shared == NULL) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 289 "DH"); 290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 291 TLS_ALERT_INTERNAL_ERROR); 292 os_free(csecret); 293 return -1; 294 } 295 296 /* shared = Ys^csecret mod p */ 297 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 298 csecret_start, csecret_len, 299 conn->dh_p, conn->dh_p_len, 300 shared, &shared_len)) { 301 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 302 TLS_ALERT_INTERNAL_ERROR); 303 os_free(csecret); 304 os_free(shared); 305 return -1; 306 } 307 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 308 shared, shared_len); 309 310 os_memset(csecret_start, 0, csecret_len); 311 os_free(csecret); 312 if (tls_derive_keys(conn, shared, shared_len)) { 313 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 314 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 315 TLS_ALERT_INTERNAL_ERROR); 316 os_free(shared); 317 return -1; 318 } 319 os_memset(shared, 0, shared_len); 320 os_free(shared); 321 tlsv1_client_free_dh(conn); 322 return 0; 323 } 324 325 326 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 327 { 328 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 329 size_t clen; 330 int res; 331 332 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 333 tls_derive_keys(conn, pre_master_secret, 334 TLS_PRE_MASTER_SECRET_LEN)) { 335 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 336 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 337 TLS_ALERT_INTERNAL_ERROR); 338 return -1; 339 } 340 341 /* EncryptedPreMasterSecret */ 342 if (conn->server_rsa_key == NULL) { 343 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 344 "use for encrypting pre-master secret"); 345 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 346 TLS_ALERT_INTERNAL_ERROR); 347 return -1; 348 } 349 350 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 351 *pos += 2; 352 clen = end - *pos; 353 res = crypto_public_key_encrypt_pkcs1_v15( 354 conn->server_rsa_key, 355 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 356 *pos, &clen); 357 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 358 if (res < 0) { 359 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 360 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 361 TLS_ALERT_INTERNAL_ERROR); 362 return -1; 363 } 364 WPA_PUT_BE16(*pos - 2, clen); 365 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 366 *pos, clen); 367 *pos += clen; 368 369 return 0; 370 } 371 372 373 static int tls_write_client_key_exchange(struct tlsv1_client *conn, 374 u8 **msgpos, u8 *end) 375 { 376 u8 *pos, *rhdr, *hs_start, *hs_length; 377 size_t rlen; 378 tls_key_exchange keyx; 379 const struct tls_cipher_suite *suite; 380 381 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 382 if (suite == NULL) 383 keyx = TLS_KEY_X_NULL; 384 else 385 keyx = suite->key_exchange; 386 387 pos = *msgpos; 388 389 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 390 391 rhdr = pos; 392 pos += TLS_RECORD_HEADER_LEN; 393 394 /* opaque fragment[TLSPlaintext.length] */ 395 396 /* Handshake */ 397 hs_start = pos; 398 /* HandshakeType msg_type */ 399 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 400 /* uint24 length (to be filled) */ 401 hs_length = pos; 402 pos += 3; 403 /* body - ClientKeyExchange */ 404 if (keyx == TLS_KEY_X_DH_anon) { 405 if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0) 406 return -1; 407 } else { 408 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 409 return -1; 410 } 411 412 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 413 414 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 415 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 416 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 417 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 418 TLS_ALERT_INTERNAL_ERROR); 419 return -1; 420 } 421 pos = rhdr + rlen; 422 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 423 424 *msgpos = pos; 425 426 return 0; 427 } 428 429 430 static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 431 u8 **msgpos, u8 *end) 432 { 433 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 434 size_t rlen, hlen, clen; 435 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos; 436 enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA; 437 438 pos = *msgpos; 439 440 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 441 rhdr = pos; 442 pos += TLS_RECORD_HEADER_LEN; 443 444 /* Handshake */ 445 hs_start = pos; 446 /* HandshakeType msg_type */ 447 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 448 /* uint24 length (to be filled) */ 449 hs_length = pos; 450 pos += 3; 451 452 /* 453 * RFC 2246: 7.4.3 and 7.4.8: 454 * Signature signature 455 * 456 * RSA: 457 * digitally-signed struct { 458 * opaque md5_hash[16]; 459 * opaque sha_hash[20]; 460 * }; 461 * 462 * DSA: 463 * digitally-signed struct { 464 * opaque sha_hash[20]; 465 * }; 466 * 467 * The hash values are calculated over all handshake messages sent or 468 * received starting at ClientHello up to, but not including, this 469 * CertificateVerify message, including the type and length fields of 470 * the handshake messages. 471 */ 472 473 hpos = hash; 474 475 if (alg == SIGN_ALG_RSA) { 476 hlen = MD5_MAC_LEN; 477 if (conn->verify.md5_cert == NULL || 478 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) 479 { 480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 481 TLS_ALERT_INTERNAL_ERROR); 482 conn->verify.md5_cert = NULL; 483 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 484 conn->verify.sha1_cert = NULL; 485 return -1; 486 } 487 hpos += MD5_MAC_LEN; 488 } else 489 crypto_hash_finish(conn->verify.md5_cert, NULL, NULL); 490 491 conn->verify.md5_cert = NULL; 492 hlen = SHA1_MAC_LEN; 493 if (conn->verify.sha1_cert == NULL || 494 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 495 conn->verify.sha1_cert = NULL; 496 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 497 TLS_ALERT_INTERNAL_ERROR); 498 return -1; 499 } 500 conn->verify.sha1_cert = NULL; 501 502 if (alg == SIGN_ALG_RSA) 503 hlen += MD5_MAC_LEN; 504 505 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 506 507 /* 508 * RFC 2246, 4.7: 509 * In digital signing, one-way hash functions are used as input for a 510 * signing algorithm. A digitally-signed element is encoded as an 511 * opaque vector <0..2^16-1>, where the length is specified by the 512 * signing algorithm and key. 513 * 514 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 515 * MD5) is signed (encrypted with the private key). It is encoded with 516 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 517 */ 518 signed_start = pos; /* length to be filled */ 519 pos += 2; 520 clen = end - pos; 521 if (conn->cred == NULL || 522 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 523 pos, &clen) < 0) { 524 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 525 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 526 TLS_ALERT_INTERNAL_ERROR); 527 return -1; 528 } 529 WPA_PUT_BE16(signed_start, clen); 530 531 pos += clen; 532 533 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 534 535 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 536 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 537 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 538 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 539 TLS_ALERT_INTERNAL_ERROR); 540 return -1; 541 } 542 pos = rhdr + rlen; 543 544 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 545 546 *msgpos = pos; 547 548 return 0; 549 } 550 551 552 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 553 u8 **msgpos, u8 *end) 554 { 555 u8 *pos, *rhdr; 556 size_t rlen; 557 558 pos = *msgpos; 559 560 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 561 rhdr = pos; 562 pos += TLS_RECORD_HEADER_LEN; 563 *pos = TLS_CHANGE_CIPHER_SPEC; 564 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 565 rhdr, end - rhdr, 1, &rlen) < 0) { 566 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 567 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 568 TLS_ALERT_INTERNAL_ERROR); 569 return -1; 570 } 571 572 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 573 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 574 "record layer"); 575 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 576 TLS_ALERT_INTERNAL_ERROR); 577 return -1; 578 } 579 580 *msgpos = rhdr + rlen; 581 582 return 0; 583 } 584 585 586 static int tls_write_client_finished(struct tlsv1_client *conn, 587 u8 **msgpos, u8 *end) 588 { 589 u8 *pos, *rhdr, *hs_start, *hs_length; 590 size_t rlen, hlen; 591 u8 verify_data[TLS_VERIFY_DATA_LEN]; 592 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 593 594 pos = *msgpos; 595 596 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 597 598 /* Encrypted Handshake Message: Finished */ 599 600 hlen = MD5_MAC_LEN; 601 if (conn->verify.md5_client == NULL || 602 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 603 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 604 TLS_ALERT_INTERNAL_ERROR); 605 conn->verify.md5_client = NULL; 606 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 607 conn->verify.sha1_client = NULL; 608 return -1; 609 } 610 conn->verify.md5_client = NULL; 611 hlen = SHA1_MAC_LEN; 612 if (conn->verify.sha1_client == NULL || 613 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 614 &hlen) < 0) { 615 conn->verify.sha1_client = NULL; 616 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 617 TLS_ALERT_INTERNAL_ERROR); 618 return -1; 619 } 620 conn->verify.sha1_client = NULL; 621 622 if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN, 623 "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN, 624 verify_data, TLS_VERIFY_DATA_LEN)) { 625 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 626 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 627 TLS_ALERT_INTERNAL_ERROR); 628 return -1; 629 } 630 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 631 verify_data, TLS_VERIFY_DATA_LEN); 632 633 rhdr = pos; 634 pos += TLS_RECORD_HEADER_LEN; 635 /* Handshake */ 636 hs_start = pos; 637 /* HandshakeType msg_type */ 638 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 639 /* uint24 length (to be filled) */ 640 hs_length = pos; 641 pos += 3; 642 os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN); 643 pos += TLS_VERIFY_DATA_LEN; 644 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 645 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 646 647 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 648 rhdr, end - rhdr, pos - hs_start, &rlen) < 0) { 649 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 650 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 651 TLS_ALERT_INTERNAL_ERROR); 652 return -1; 653 } 654 655 pos = rhdr + rlen; 656 657 *msgpos = pos; 658 659 return 0; 660 } 661 662 663 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 664 size_t *out_len) 665 { 666 u8 *msg, *end, *pos; 667 size_t msglen; 668 669 *out_len = 0; 670 671 msglen = 1000; 672 if (conn->certificate_requested) 673 msglen += tls_client_cert_chain_der_len(conn); 674 675 msg = os_malloc(msglen); 676 if (msg == NULL) 677 return NULL; 678 679 pos = msg; 680 end = msg + msglen; 681 682 if (conn->certificate_requested) { 683 if (tls_write_client_certificate(conn, &pos, end) < 0) { 684 os_free(msg); 685 return NULL; 686 } 687 } 688 689 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 690 (conn->certificate_requested && conn->cred && conn->cred->key && 691 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 692 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 693 tls_write_client_finished(conn, &pos, end) < 0) { 694 os_free(msg); 695 return NULL; 696 } 697 698 *out_len = pos - msg; 699 700 conn->state = SERVER_CHANGE_CIPHER_SPEC; 701 702 return msg; 703 } 704 705 706 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 707 size_t *out_len) 708 { 709 u8 *msg, *end, *pos; 710 711 *out_len = 0; 712 713 msg = os_malloc(1000); 714 if (msg == NULL) 715 return NULL; 716 717 pos = msg; 718 end = msg + 1000; 719 720 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 721 tls_write_client_finished(conn, &pos, end) < 0) { 722 os_free(msg); 723 return NULL; 724 } 725 726 *out_len = pos - msg; 727 728 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 729 "successfully"); 730 conn->state = ESTABLISHED; 731 732 return msg; 733 } 734 735 736 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 737 int no_appl_data) 738 { 739 switch (conn->state) { 740 case CLIENT_KEY_EXCHANGE: 741 return tls_send_client_key_exchange(conn, out_len); 742 case CHANGE_CIPHER_SPEC: 743 return tls_send_change_cipher_spec(conn, out_len); 744 case ACK_FINISHED: 745 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 746 "successfully"); 747 conn->state = ESTABLISHED; 748 *out_len = 0; 749 if (no_appl_data) { 750 /* Need to return something to get final TLS ACK. */ 751 return os_malloc(1); 752 } 753 return NULL; 754 default: 755 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 756 "generating reply", conn->state); 757 return NULL; 758 } 759 } 760 761 762 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 763 u8 description, size_t *out_len) 764 { 765 u8 *alert, *pos, *length; 766 767 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 768 *out_len = 0; 769 770 alert = os_malloc(10); 771 if (alert == NULL) 772 return NULL; 773 774 pos = alert; 775 776 /* TLSPlaintext */ 777 /* ContentType type */ 778 *pos++ = TLS_CONTENT_TYPE_ALERT; 779 /* ProtocolVersion version */ 780 WPA_PUT_BE16(pos, TLS_VERSION); 781 pos += 2; 782 /* uint16 length (to be filled) */ 783 length = pos; 784 pos += 2; 785 /* opaque fragment[TLSPlaintext.length] */ 786 787 /* Alert */ 788 /* AlertLevel level */ 789 *pos++ = level; 790 /* AlertDescription description */ 791 *pos++ = description; 792 793 WPA_PUT_BE16(length, pos - length - 2); 794 *out_len = pos - alert; 795 796 return alert; 797 } 798