1 /* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "crypto/random.h" 17 #include "x509v3.h" 18 #include "tlsv1_common.h" 19 #include "tlsv1_record.h" 20 #include "tlsv1_client.h" 21 #include "tlsv1_client_i.h" 22 23 24 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 25 { 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 if (conn->cred == NULL) 30 return 0; 31 32 cert = conn->cred->cert; 33 while (cert) { 34 len += 3 + cert->cert_len; 35 if (x509_certificate_self_signed(cert)) 36 break; 37 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 38 &cert->issuer); 39 } 40 41 return len; 42 } 43 44 45 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 46 { 47 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 48 struct os_time now; 49 size_t len, i; 50 u8 *ext_start; 51 u16 tls_version = tls_client_highest_ver(conn); 52 53 if (!tls_version) { 54 wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed"); 55 return NULL; 56 } 57 58 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)", 59 tls_version_str(tls_version)); 60 *out_len = 0; 61 62 os_get_time(&now); 63 #ifdef TEST_FUZZ 64 now.sec = 0xfffefdfc; 65 #endif /* TEST_FUZZ */ 66 WPA_PUT_BE32(conn->client_random, now.sec); 67 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 68 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 69 "client_random"); 70 return NULL; 71 } 72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 73 conn->client_random, TLS_RANDOM_LEN); 74 75 len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 76 hello = os_malloc(len); 77 if (hello == NULL) 78 return NULL; 79 end = hello + len; 80 81 rhdr = hello; 82 pos = rhdr + TLS_RECORD_HEADER_LEN; 83 84 /* opaque fragment[TLSPlaintext.length] */ 85 86 /* Handshake */ 87 hs_start = pos; 88 /* HandshakeType msg_type */ 89 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 90 /* uint24 length (to be filled) */ 91 hs_length = pos; 92 pos += 3; 93 /* body - ClientHello */ 94 /* ProtocolVersion client_version */ 95 WPA_PUT_BE16(pos, tls_version); 96 pos += 2; 97 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 98 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 99 pos += TLS_RANDOM_LEN; 100 /* SessionID session_id */ 101 *pos++ = conn->session_id_len; 102 os_memcpy(pos, conn->session_id, conn->session_id_len); 103 pos += conn->session_id_len; 104 /* CipherSuite cipher_suites<2..2^16-1> */ 105 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 106 pos += 2; 107 for (i = 0; i < conn->num_cipher_suites; i++) { 108 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 109 pos += 2; 110 } 111 /* CompressionMethod compression_methods<1..2^8-1> */ 112 *pos++ = 1; 113 *pos++ = TLS_COMPRESSION_NULL; 114 115 /* Extension */ 116 ext_start = pos; 117 pos += 2; 118 119 #ifdef CONFIG_TLSV12 120 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 121 /* 122 * Add signature_algorithms extension since we support only 123 * SHA256 (and not the default SHA1) with TLSv1.2. 124 */ 125 /* ExtensionsType extension_type = signature_algorithms(13) */ 126 WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS); 127 pos += 2; 128 /* opaque extension_data<0..2^16-1> length */ 129 WPA_PUT_BE16(pos, 8); 130 pos += 2; 131 /* supported_signature_algorithms<2..2^16-2> length */ 132 WPA_PUT_BE16(pos, 6); 133 pos += 2; 134 /* supported_signature_algorithms */ 135 *pos++ = TLS_HASH_ALG_SHA512; 136 *pos++ = TLS_SIGN_ALG_RSA; 137 *pos++ = TLS_HASH_ALG_SHA384; 138 *pos++ = TLS_SIGN_ALG_RSA; 139 *pos++ = TLS_HASH_ALG_SHA256; 140 *pos++ = TLS_SIGN_ALG_RSA; 141 } 142 #endif /* CONFIG_TLSV12 */ 143 144 if (conn->client_hello_ext) { 145 os_memcpy(pos, conn->client_hello_ext, 146 conn->client_hello_ext_len); 147 pos += conn->client_hello_ext_len; 148 } 149 150 if (conn->flags & TLS_CONN_REQUEST_OCSP) { 151 wpa_printf(MSG_DEBUG, 152 "TLSv1: Add status_request extension for OCSP stapling"); 153 /* ExtensionsType extension_type = status_request(5) */ 154 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST); 155 pos += 2; 156 /* opaque extension_data<0..2^16-1> length */ 157 WPA_PUT_BE16(pos, 5); 158 pos += 2; 159 160 /* 161 * RFC 6066, 8: 162 * struct { 163 * CertificateStatusType status_type; 164 * select (status_type) { 165 * case ocsp: OCSPStatusRequest; 166 * } request; 167 * } CertificateStatusRequest; 168 * 169 * enum { ocsp(1), (255) } CertificateStatusType; 170 */ 171 *pos++ = 1; /* status_type = ocsp(1) */ 172 173 /* 174 * struct { 175 * ResponderID responder_id_list<0..2^16-1>; 176 * Extensions request_extensions; 177 * } OCSPStatusRequest; 178 * 179 * opaque ResponderID<1..2^16-1>; 180 * opaque Extensions<0..2^16-1>; 181 */ 182 WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */ 183 pos += 2; 184 WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */ 185 pos += 2; 186 187 wpa_printf(MSG_DEBUG, 188 "TLSv1: Add status_request_v2 extension for OCSP stapling"); 189 /* ExtensionsType extension_type = status_request_v2(17) */ 190 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2); 191 pos += 2; 192 /* opaque extension_data<0..2^16-1> length */ 193 WPA_PUT_BE16(pos, 7); 194 pos += 2; 195 196 /* 197 * RFC 6961, 2.2: 198 * struct { 199 * CertificateStatusType status_type; 200 * uint16 request_length; 201 * select (status_type) { 202 * case ocsp: OCSPStatusRequest; 203 * case ocsp_multi: OCSPStatusRequest; 204 * } request; 205 * } CertificateStatusRequestItemV2; 206 * 207 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType; 208 * 209 * struct { 210 * CertificateStatusRequestItemV2 211 * certificate_status_req_list<1..2^16-1>; 212 * } CertificateStatusRequestListV2; 213 */ 214 215 /* certificate_status_req_list<1..2^16-1> */ 216 WPA_PUT_BE16(pos, 5); 217 pos += 2; 218 219 /* CertificateStatusRequestItemV2 */ 220 *pos++ = 2; /* status_type = ocsp_multi(2) */ 221 /* OCSPStatusRequest as shown above for v1 */ 222 WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */ 223 pos += 2; 224 WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */ 225 pos += 2; 226 } 227 228 if (pos == ext_start + 2) 229 pos -= 2; /* no extensions */ 230 else 231 WPA_PUT_BE16(ext_start, pos - ext_start - 2); 232 233 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 234 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 235 236 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 237 rhdr, end - rhdr, hs_start, pos - hs_start, 238 out_len) < 0) { 239 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 240 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 241 TLS_ALERT_INTERNAL_ERROR); 242 os_free(hello); 243 return NULL; 244 } 245 246 conn->state = SERVER_HELLO; 247 248 return hello; 249 } 250 251 252 static int tls_write_client_certificate(struct tlsv1_client *conn, 253 u8 **msgpos, u8 *end) 254 { 255 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 256 size_t rlen; 257 struct x509_certificate *cert; 258 259 pos = *msgpos; 260 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) { 261 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 262 TLS_ALERT_INTERNAL_ERROR); 263 return -1; 264 } 265 266 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 267 rhdr = pos; 268 pos += TLS_RECORD_HEADER_LEN; 269 270 /* opaque fragment[TLSPlaintext.length] */ 271 272 /* Handshake */ 273 hs_start = pos; 274 /* HandshakeType msg_type */ 275 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 276 /* uint24 length (to be filled) */ 277 hs_length = pos; 278 pos += 3; 279 /* body - Certificate */ 280 /* uint24 length (to be filled) */ 281 cert_start = pos; 282 pos += 3; 283 cert = conn->cred ? conn->cred->cert : NULL; 284 while (cert) { 285 if (3 + cert->cert_len > (size_t) (end - pos)) { 286 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 287 "for Certificate (cert_len=%lu left=%lu)", 288 (unsigned long) cert->cert_len, 289 (unsigned long) (end - pos)); 290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 291 TLS_ALERT_INTERNAL_ERROR); 292 return -1; 293 } 294 WPA_PUT_BE24(pos, cert->cert_len); 295 pos += 3; 296 os_memcpy(pos, cert->cert_start, cert->cert_len); 297 pos += cert->cert_len; 298 299 if (x509_certificate_self_signed(cert)) 300 break; 301 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 302 &cert->issuer); 303 } 304 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 305 /* 306 * Client was not configured with all the needed certificates 307 * to form a full certificate chain. The server may fail to 308 * validate the chain unless it is configured with all the 309 * missing CA certificates. 310 */ 311 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 312 "not configured - validation may fail"); 313 } 314 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 315 316 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 317 318 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 319 rhdr, end - rhdr, hs_start, pos - hs_start, 320 &rlen) < 0) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 322 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 323 TLS_ALERT_INTERNAL_ERROR); 324 return -1; 325 } 326 pos = rhdr + rlen; 327 328 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 329 330 *msgpos = pos; 331 332 return 0; 333 } 334 335 336 static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 337 { 338 /* ClientDiffieHellmanPublic */ 339 u8 *csecret, *csecret_start, *dh_yc, *shared; 340 size_t csecret_len, dh_yc_len, shared_len; 341 342 csecret_len = conn->dh_p_len; 343 csecret = os_malloc(csecret_len); 344 if (csecret == NULL) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 346 "memory for Yc (Diffie-Hellman)"); 347 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 348 TLS_ALERT_INTERNAL_ERROR); 349 return -1; 350 } 351 if (random_get_bytes(csecret, csecret_len)) { 352 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 353 "data for Diffie-Hellman"); 354 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 355 TLS_ALERT_INTERNAL_ERROR); 356 os_free(csecret); 357 return -1; 358 } 359 360 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 361 csecret[0] = 0; /* make sure Yc < p */ 362 363 csecret_start = csecret; 364 while (csecret_len > 1 && *csecret_start == 0) { 365 csecret_start++; 366 csecret_len--; 367 } 368 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 369 csecret_start, csecret_len); 370 371 /* Yc = g^csecret mod p */ 372 dh_yc_len = conn->dh_p_len; 373 dh_yc = os_malloc(dh_yc_len); 374 if (dh_yc == NULL) { 375 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 376 "memory for Diffie-Hellman"); 377 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 378 TLS_ALERT_INTERNAL_ERROR); 379 os_free(csecret); 380 return -1; 381 } 382 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 383 csecret_start, csecret_len, 384 conn->dh_p, conn->dh_p_len, 385 dh_yc, &dh_yc_len)) { 386 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 387 TLS_ALERT_INTERNAL_ERROR); 388 os_free(csecret); 389 os_free(dh_yc); 390 return -1; 391 } 392 393 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 394 dh_yc, dh_yc_len); 395 396 if (end - *pos < 2) { 397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 398 TLS_ALERT_INTERNAL_ERROR); 399 os_free(csecret); 400 os_free(dh_yc); 401 return -1; 402 } 403 WPA_PUT_BE16(*pos, dh_yc_len); 404 *pos += 2; 405 if (dh_yc_len > (size_t) (end - *pos)) { 406 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 407 "message buffer for Yc"); 408 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 409 TLS_ALERT_INTERNAL_ERROR); 410 os_free(csecret); 411 os_free(dh_yc); 412 return -1; 413 } 414 os_memcpy(*pos, dh_yc, dh_yc_len); 415 *pos += dh_yc_len; 416 os_free(dh_yc); 417 418 shared_len = conn->dh_p_len; 419 shared = os_malloc(shared_len); 420 if (shared == NULL) { 421 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 422 "DH"); 423 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 424 TLS_ALERT_INTERNAL_ERROR); 425 os_free(csecret); 426 return -1; 427 } 428 429 /* shared = Ys^csecret mod p */ 430 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 431 csecret_start, csecret_len, 432 conn->dh_p, conn->dh_p_len, 433 shared, &shared_len)) { 434 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 435 TLS_ALERT_INTERNAL_ERROR); 436 os_free(csecret); 437 os_free(shared); 438 return -1; 439 } 440 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 441 shared, shared_len); 442 443 os_memset(csecret_start, 0, csecret_len); 444 os_free(csecret); 445 if (tls_derive_keys(conn, shared, shared_len)) { 446 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 447 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 448 TLS_ALERT_INTERNAL_ERROR); 449 os_free(shared); 450 return -1; 451 } 452 os_memset(shared, 0, shared_len); 453 os_free(shared); 454 tlsv1_client_free_dh(conn); 455 return 0; 456 } 457 458 459 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 460 { 461 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 462 size_t clen; 463 int res; 464 465 if (tls_derive_pre_master_secret(conn, pre_master_secret) < 0 || 466 tls_derive_keys(conn, pre_master_secret, 467 TLS_PRE_MASTER_SECRET_LEN)) { 468 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 469 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 470 TLS_ALERT_INTERNAL_ERROR); 471 return -1; 472 } 473 474 /* EncryptedPreMasterSecret */ 475 if (conn->server_rsa_key == NULL) { 476 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 477 "use for encrypting pre-master secret"); 478 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 479 TLS_ALERT_INTERNAL_ERROR); 480 return -1; 481 } 482 483 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 484 *pos += 2; 485 clen = end - *pos; 486 res = crypto_public_key_encrypt_pkcs1_v15( 487 conn->server_rsa_key, 488 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 489 *pos, &clen); 490 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 491 if (res < 0) { 492 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 493 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 494 TLS_ALERT_INTERNAL_ERROR); 495 return -1; 496 } 497 WPA_PUT_BE16(*pos - 2, clen); 498 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 499 *pos, clen); 500 *pos += clen; 501 502 return 0; 503 } 504 505 506 static int tls_write_client_key_exchange(struct tlsv1_client *conn, 507 u8 **msgpos, u8 *end) 508 { 509 u8 *pos, *rhdr, *hs_start, *hs_length; 510 size_t rlen; 511 tls_key_exchange keyx; 512 const struct tls_cipher_suite *suite; 513 514 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 515 if (suite == NULL) 516 keyx = TLS_KEY_X_NULL; 517 else 518 keyx = suite->key_exchange; 519 520 pos = *msgpos; 521 522 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 523 524 rhdr = pos; 525 pos += TLS_RECORD_HEADER_LEN; 526 527 /* opaque fragment[TLSPlaintext.length] */ 528 529 /* Handshake */ 530 hs_start = pos; 531 /* HandshakeType msg_type */ 532 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 533 /* uint24 length (to be filled) */ 534 hs_length = pos; 535 pos += 3; 536 /* body - ClientKeyExchange */ 537 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) { 538 if (tlsv1_key_x_dh(conn, &pos, end) < 0) 539 return -1; 540 } else { 541 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 542 return -1; 543 } 544 545 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 546 547 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 548 rhdr, end - rhdr, hs_start, pos - hs_start, 549 &rlen) < 0) { 550 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 551 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 552 TLS_ALERT_INTERNAL_ERROR); 553 return -1; 554 } 555 pos = rhdr + rlen; 556 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 557 558 *msgpos = pos; 559 560 return 0; 561 } 562 563 564 static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 565 u8 **msgpos, u8 *end) 566 { 567 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 568 size_t rlen, hlen, clen; 569 u8 hash[100], *hpos; 570 571 pos = *msgpos; 572 573 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 574 rhdr = pos; 575 pos += TLS_RECORD_HEADER_LEN; 576 577 /* Handshake */ 578 hs_start = pos; 579 /* HandshakeType msg_type */ 580 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 581 /* uint24 length (to be filled) */ 582 hs_length = pos; 583 pos += 3; 584 585 /* 586 * RFC 2246: 7.4.3 and 7.4.8: 587 * Signature signature 588 * 589 * RSA: 590 * digitally-signed struct { 591 * opaque md5_hash[16]; 592 * opaque sha_hash[20]; 593 * }; 594 * 595 * DSA: 596 * digitally-signed struct { 597 * opaque sha_hash[20]; 598 * }; 599 * 600 * The hash values are calculated over all handshake messages sent or 601 * received starting at ClientHello up to, but not including, this 602 * CertificateVerify message, including the type and length fields of 603 * the handshake messages. 604 */ 605 606 hpos = hash; 607 608 #ifdef CONFIG_TLSV12 609 if (conn->rl.tls_version == TLS_VERSION_1_2) { 610 hlen = SHA256_MAC_LEN; 611 if (conn->verify.sha256_cert == NULL || 612 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 613 0) { 614 conn->verify.sha256_cert = NULL; 615 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 616 TLS_ALERT_INTERNAL_ERROR); 617 return -1; 618 } 619 conn->verify.sha256_cert = NULL; 620 621 /* 622 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 623 * 624 * DigestInfo ::= SEQUENCE { 625 * digestAlgorithm DigestAlgorithm, 626 * digest OCTET STRING 627 * } 628 * 629 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 630 * 631 * DER encoded DigestInfo for SHA256 per RFC 3447: 632 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 633 * H 634 */ 635 os_memmove(hash + 19, hash, hlen); 636 hlen += 19; 637 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 638 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 639 } else { 640 #endif /* CONFIG_TLSV12 */ 641 642 hlen = MD5_MAC_LEN; 643 if (conn->verify.md5_cert == NULL || 644 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 645 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 646 TLS_ALERT_INTERNAL_ERROR); 647 conn->verify.md5_cert = NULL; 648 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 649 conn->verify.sha1_cert = NULL; 650 return -1; 651 } 652 hpos += MD5_MAC_LEN; 653 654 conn->verify.md5_cert = NULL; 655 hlen = SHA1_MAC_LEN; 656 if (conn->verify.sha1_cert == NULL || 657 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 658 conn->verify.sha1_cert = NULL; 659 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 660 TLS_ALERT_INTERNAL_ERROR); 661 return -1; 662 } 663 conn->verify.sha1_cert = NULL; 664 665 hlen += MD5_MAC_LEN; 666 667 #ifdef CONFIG_TLSV12 668 } 669 #endif /* CONFIG_TLSV12 */ 670 671 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 672 673 #ifdef CONFIG_TLSV12 674 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 675 /* 676 * RFC 5246, 4.7: 677 * TLS v1.2 adds explicit indication of the used signature and 678 * hash algorithms. 679 * 680 * struct { 681 * HashAlgorithm hash; 682 * SignatureAlgorithm signature; 683 * } SignatureAndHashAlgorithm; 684 */ 685 *pos++ = TLS_HASH_ALG_SHA256; 686 *pos++ = TLS_SIGN_ALG_RSA; 687 } 688 #endif /* CONFIG_TLSV12 */ 689 690 /* 691 * RFC 2246, 4.7: 692 * In digital signing, one-way hash functions are used as input for a 693 * signing algorithm. A digitally-signed element is encoded as an 694 * opaque vector <0..2^16-1>, where the length is specified by the 695 * signing algorithm and key. 696 * 697 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 698 * MD5) is signed (encrypted with the private key). It is encoded with 699 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 700 */ 701 signed_start = pos; /* length to be filled */ 702 pos += 2; 703 clen = end - pos; 704 if (conn->cred == NULL || 705 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 706 pos, &clen) < 0) { 707 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 708 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 709 TLS_ALERT_INTERNAL_ERROR); 710 return -1; 711 } 712 WPA_PUT_BE16(signed_start, clen); 713 714 pos += clen; 715 716 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 717 718 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 719 rhdr, end - rhdr, hs_start, pos - hs_start, 720 &rlen) < 0) { 721 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 722 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 723 TLS_ALERT_INTERNAL_ERROR); 724 return -1; 725 } 726 pos = rhdr + rlen; 727 728 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 729 730 *msgpos = pos; 731 732 return 0; 733 } 734 735 736 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 737 u8 **msgpos, u8 *end) 738 { 739 size_t rlen; 740 u8 payload[1]; 741 742 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 743 744 payload[0] = TLS_CHANGE_CIPHER_SPEC; 745 746 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 747 *msgpos, end - *msgpos, payload, sizeof(payload), 748 &rlen) < 0) { 749 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 750 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 751 TLS_ALERT_INTERNAL_ERROR); 752 return -1; 753 } 754 755 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 756 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 757 "record layer"); 758 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 759 TLS_ALERT_INTERNAL_ERROR); 760 return -1; 761 } 762 763 *msgpos += rlen; 764 765 return 0; 766 } 767 768 769 static int tls_write_client_finished(struct tlsv1_client *conn, 770 u8 **msgpos, u8 *end) 771 { 772 u8 *pos, *hs_start; 773 size_t rlen, hlen; 774 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 775 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 776 777 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 778 779 /* Encrypted Handshake Message: Finished */ 780 781 #ifdef CONFIG_TLSV12 782 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 783 hlen = SHA256_MAC_LEN; 784 if (conn->verify.sha256_client == NULL || 785 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 786 < 0) { 787 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 788 TLS_ALERT_INTERNAL_ERROR); 789 conn->verify.sha256_client = NULL; 790 return -1; 791 } 792 conn->verify.sha256_client = NULL; 793 } else { 794 #endif /* CONFIG_TLSV12 */ 795 796 hlen = MD5_MAC_LEN; 797 if (conn->verify.md5_client == NULL || 798 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 799 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 800 TLS_ALERT_INTERNAL_ERROR); 801 conn->verify.md5_client = NULL; 802 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 803 conn->verify.sha1_client = NULL; 804 return -1; 805 } 806 conn->verify.md5_client = NULL; 807 hlen = SHA1_MAC_LEN; 808 if (conn->verify.sha1_client == NULL || 809 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 810 &hlen) < 0) { 811 conn->verify.sha1_client = NULL; 812 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 813 TLS_ALERT_INTERNAL_ERROR); 814 return -1; 815 } 816 conn->verify.sha1_client = NULL; 817 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 818 819 #ifdef CONFIG_TLSV12 820 } 821 #endif /* CONFIG_TLSV12 */ 822 823 if (tls_prf(conn->rl.tls_version, 824 conn->master_secret, TLS_MASTER_SECRET_LEN, 825 "client finished", hash, hlen, 826 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 827 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 828 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 829 TLS_ALERT_INTERNAL_ERROR); 830 return -1; 831 } 832 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 833 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 834 835 /* Handshake */ 836 pos = hs_start = verify_data; 837 /* HandshakeType msg_type */ 838 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 839 /* uint24 length */ 840 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 841 pos += 3; 842 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 843 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 844 845 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 846 *msgpos, end - *msgpos, hs_start, pos - hs_start, 847 &rlen) < 0) { 848 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 849 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 850 TLS_ALERT_INTERNAL_ERROR); 851 return -1; 852 } 853 854 *msgpos += rlen; 855 856 return 0; 857 } 858 859 860 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 861 size_t *out_len) 862 { 863 u8 *msg, *end, *pos; 864 size_t msglen; 865 866 *out_len = 0; 867 868 msglen = 2000; 869 if (conn->certificate_requested) 870 msglen += tls_client_cert_chain_der_len(conn); 871 872 msg = os_malloc(msglen); 873 if (msg == NULL) 874 return NULL; 875 876 pos = msg; 877 end = msg + msglen; 878 879 if (conn->certificate_requested) { 880 if (tls_write_client_certificate(conn, &pos, end) < 0) { 881 os_free(msg); 882 return NULL; 883 } 884 } 885 886 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 887 (conn->certificate_requested && conn->cred && conn->cred->key && 888 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 889 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 890 tls_write_client_finished(conn, &pos, end) < 0) { 891 os_free(msg); 892 return NULL; 893 } 894 895 *out_len = pos - msg; 896 897 conn->state = SERVER_CHANGE_CIPHER_SPEC; 898 899 return msg; 900 } 901 902 903 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 904 size_t *out_len) 905 { 906 u8 *msg, *end, *pos; 907 908 *out_len = 0; 909 910 msg = os_malloc(1000); 911 if (msg == NULL) 912 return NULL; 913 914 pos = msg; 915 end = msg + 1000; 916 917 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 918 tls_write_client_finished(conn, &pos, end) < 0) { 919 os_free(msg); 920 return NULL; 921 } 922 923 *out_len = pos - msg; 924 925 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 926 "successfully"); 927 if (!conn->session_resumed && conn->use_session_ticket) 928 conn->session_resumed = 1; 929 conn->state = ESTABLISHED; 930 931 return msg; 932 } 933 934 935 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 936 int no_appl_data) 937 { 938 switch (conn->state) { 939 case CLIENT_KEY_EXCHANGE: 940 return tls_send_client_key_exchange(conn, out_len); 941 case CHANGE_CIPHER_SPEC: 942 return tls_send_change_cipher_spec(conn, out_len); 943 case ACK_FINISHED: 944 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 945 "successfully"); 946 conn->state = ESTABLISHED; 947 *out_len = 0; 948 if (no_appl_data) { 949 /* Need to return something to get final TLS ACK. */ 950 return os_malloc(1); 951 } 952 return NULL; 953 default: 954 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 955 "generating reply", conn->state); 956 return NULL; 957 } 958 } 959 960 961 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 962 u8 description, size_t *out_len) 963 { 964 u8 *alert, *pos, *length; 965 966 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 967 *out_len = 0; 968 969 alert = os_malloc(10); 970 if (alert == NULL) 971 return NULL; 972 973 pos = alert; 974 975 /* TLSPlaintext */ 976 /* ContentType type */ 977 *pos++ = TLS_CONTENT_TYPE_ALERT; 978 /* ProtocolVersion version */ 979 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 980 TLS_VERSION); 981 pos += 2; 982 /* uint16 length (to be filled) */ 983 length = pos; 984 pos += 2; 985 /* opaque fragment[TLSPlaintext.length] */ 986 987 /* Alert */ 988 /* AlertLevel level */ 989 *pos++ = level; 990 /* AlertDescription description */ 991 *pos++ = description; 992 993 WPA_PUT_BE16(length, pos - length - 2); 994 *out_len = pos - alert; 995 996 return alert; 997 } 998