xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_write.c (revision 3a92d97ff0f22d21608e1c19b83104c4937523b6)
1 /*
2  * TLSv1 server - write handshake message
3  * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "crypto/random.h"
17 #include "x509v3.h"
18 #include "tlsv1_common.h"
19 #include "tlsv1_record.h"
20 #include "tlsv1_server.h"
21 #include "tlsv1_server_i.h"
22 
23 
24 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
25 {
26 	size_t len = 0;
27 	struct x509_certificate *cert;
28 
29 	cert = conn->cred->cert;
30 	while (cert) {
31 		len += 3 + cert->cert_len;
32 		if (x509_certificate_self_signed(cert))
33 			break;
34 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
35 						    &cert->issuer);
36 	}
37 
38 	return len;
39 }
40 
41 
42 static int tls_write_server_hello(struct tlsv1_server *conn,
43 				  u8 **msgpos, u8 *end)
44 {
45 	u8 *pos, *rhdr, *hs_start, *hs_length;
46 	struct os_time now;
47 	size_t rlen;
48 
49 	pos = *msgpos;
50 
51 	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello");
52 	rhdr = pos;
53 	pos += TLS_RECORD_HEADER_LEN;
54 
55 	os_get_time(&now);
56 	WPA_PUT_BE32(conn->server_random, now.sec);
57 	if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
58 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
59 			   "server_random");
60 		return -1;
61 	}
62 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
63 		    conn->server_random, TLS_RANDOM_LEN);
64 
65 	conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
66 	if (random_get_bytes(conn->session_id, conn->session_id_len)) {
67 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
68 			   "session_id");
69 		return -1;
70 	}
71 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
72 		    conn->session_id, conn->session_id_len);
73 
74 	/* opaque fragment[TLSPlaintext.length] */
75 
76 	/* Handshake */
77 	hs_start = pos;
78 	/* HandshakeType msg_type */
79 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
80 	/* uint24 length (to be filled) */
81 	hs_length = pos;
82 	pos += 3;
83 	/* body - ServerHello */
84 	/* ProtocolVersion server_version */
85 	WPA_PUT_BE16(pos, conn->rl.tls_version);
86 	pos += 2;
87 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
88 	os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
89 	pos += TLS_RANDOM_LEN;
90 	/* SessionID session_id */
91 	*pos++ = conn->session_id_len;
92 	os_memcpy(pos, conn->session_id, conn->session_id_len);
93 	pos += conn->session_id_len;
94 	/* CipherSuite cipher_suite */
95 	WPA_PUT_BE16(pos, conn->cipher_suite);
96 	pos += 2;
97 	/* CompressionMethod compression_method */
98 	*pos++ = TLS_COMPRESSION_NULL;
99 
100 	if (conn->session_ticket && conn->session_ticket_cb) {
101 		int res = conn->session_ticket_cb(
102 			conn->session_ticket_cb_ctx,
103 			conn->session_ticket, conn->session_ticket_len,
104 			conn->client_random, conn->server_random,
105 			conn->master_secret);
106 		if (res < 0) {
107 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
108 				   "indicated failure");
109 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
110 					   TLS_ALERT_HANDSHAKE_FAILURE);
111 			return -1;
112 		}
113 		conn->use_session_ticket = res;
114 
115 		if (conn->use_session_ticket) {
116 			if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
117 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
118 					   "derive keys");
119 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
120 						   TLS_ALERT_INTERNAL_ERROR);
121 				return -1;
122 			}
123 		}
124 
125 		/*
126 		 * RFC 4507 specifies that server would include an empty
127 		 * SessionTicket extension in ServerHello and a
128 		 * NewSessionTicket message after the ServerHello. However,
129 		 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
130 		 * extension at the moment, does not use such extensions.
131 		 *
132 		 * TODO: Add support for configuring RFC 4507 behavior and make
133 		 * EAP-FAST disable it.
134 		 */
135 	}
136 
137 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
138 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
139 
140 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
141 			      rhdr, end - rhdr, hs_start, pos - hs_start,
142 			      &rlen) < 0) {
143 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
144 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
145 				   TLS_ALERT_INTERNAL_ERROR);
146 		return -1;
147 	}
148 	pos = rhdr + rlen;
149 
150 	*msgpos = pos;
151 
152 	return 0;
153 }
154 
155 
156 static int tls_write_server_certificate(struct tlsv1_server *conn,
157 					u8 **msgpos, u8 *end)
158 {
159 	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
160 	size_t rlen;
161 	struct x509_certificate *cert;
162 	const struct tls_cipher_suite *suite;
163 
164 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
165 	if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
166 		wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
167 			   "using anonymous DH");
168 		return 0;
169 	}
170 
171 	pos = *msgpos;
172 
173 	wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
174 	rhdr = pos;
175 	pos += TLS_RECORD_HEADER_LEN;
176 
177 	/* opaque fragment[TLSPlaintext.length] */
178 
179 	/* Handshake */
180 	hs_start = pos;
181 	/* HandshakeType msg_type */
182 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
183 	/* uint24 length (to be filled) */
184 	hs_length = pos;
185 	pos += 3;
186 	/* body - Certificate */
187 	/* uint24 length (to be filled) */
188 	cert_start = pos;
189 	pos += 3;
190 	cert = conn->cred->cert;
191 	while (cert) {
192 		if (pos + 3 + cert->cert_len > end) {
193 			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
194 				   "for Certificate (cert_len=%lu left=%lu)",
195 				   (unsigned long) cert->cert_len,
196 				   (unsigned long) (end - pos));
197 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
198 					   TLS_ALERT_INTERNAL_ERROR);
199 			return -1;
200 		}
201 		WPA_PUT_BE24(pos, cert->cert_len);
202 		pos += 3;
203 		os_memcpy(pos, cert->cert_start, cert->cert_len);
204 		pos += cert->cert_len;
205 
206 		if (x509_certificate_self_signed(cert))
207 			break;
208 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
209 						    &cert->issuer);
210 	}
211 	if (cert == conn->cred->cert || cert == NULL) {
212 		/*
213 		 * Server was not configured with all the needed certificates
214 		 * to form a full certificate chain. The client may fail to
215 		 * validate the chain unless it is configured with all the
216 		 * missing CA certificates.
217 		 */
218 		wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
219 			   "not configured - validation may fail");
220 	}
221 	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
222 
223 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
224 
225 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
226 			      rhdr, end - rhdr, hs_start, pos - hs_start,
227 			      &rlen) < 0) {
228 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
229 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
230 				   TLS_ALERT_INTERNAL_ERROR);
231 		return -1;
232 	}
233 	pos = rhdr + rlen;
234 
235 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
236 
237 	*msgpos = pos;
238 
239 	return 0;
240 }
241 
242 
243 static int tls_write_server_key_exchange(struct tlsv1_server *conn,
244 					 u8 **msgpos, u8 *end)
245 {
246 	tls_key_exchange keyx;
247 	const struct tls_cipher_suite *suite;
248 	u8 *pos, *rhdr, *hs_start, *hs_length;
249 	size_t rlen;
250 	u8 *dh_ys;
251 	size_t dh_ys_len;
252 
253 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
254 	if (suite == NULL)
255 		keyx = TLS_KEY_X_NULL;
256 	else
257 		keyx = suite->key_exchange;
258 
259 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
260 		wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
261 		return 0;
262 	}
263 
264 	if (keyx != TLS_KEY_X_DH_anon) {
265 		/* TODO? */
266 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
267 			   "supported with key exchange type %d", keyx);
268 		return -1;
269 	}
270 
271 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
272 	    conn->cred->dh_g == NULL) {
273 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
274 			   "ServerKeyExhcange");
275 		return -1;
276 	}
277 
278 	os_free(conn->dh_secret);
279 	conn->dh_secret_len = conn->cred->dh_p_len;
280 	conn->dh_secret = os_malloc(conn->dh_secret_len);
281 	if (conn->dh_secret == NULL) {
282 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
283 			   "memory for secret (Diffie-Hellman)");
284 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
285 				   TLS_ALERT_INTERNAL_ERROR);
286 		return -1;
287 	}
288 	if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
289 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
290 			   "data for Diffie-Hellman");
291 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
292 				   TLS_ALERT_INTERNAL_ERROR);
293 		os_free(conn->dh_secret);
294 		conn->dh_secret = NULL;
295 		return -1;
296 	}
297 
298 	if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) >
299 	    0)
300 		conn->dh_secret[0] = 0; /* make sure secret < p */
301 
302 	pos = conn->dh_secret;
303 	while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
304 		pos++;
305 	if (pos != conn->dh_secret) {
306 		os_memmove(conn->dh_secret, pos,
307 			   conn->dh_secret_len - (pos - conn->dh_secret));
308 		conn->dh_secret_len -= pos - conn->dh_secret;
309 	}
310 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
311 			conn->dh_secret, conn->dh_secret_len);
312 
313 	/* Ys = g^secret mod p */
314 	dh_ys_len = conn->cred->dh_p_len;
315 	dh_ys = os_malloc(dh_ys_len);
316 	if (dh_ys == NULL) {
317 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
318 			   "Diffie-Hellman");
319 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
320 				   TLS_ALERT_INTERNAL_ERROR);
321 		return -1;
322 	}
323 	if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
324 			   conn->dh_secret, conn->dh_secret_len,
325 			   conn->cred->dh_p, conn->cred->dh_p_len,
326 			   dh_ys, &dh_ys_len)) {
327 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
328 				   TLS_ALERT_INTERNAL_ERROR);
329 		os_free(dh_ys);
330 		return -1;
331 	}
332 
333 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
334 		    dh_ys, dh_ys_len);
335 
336 	/*
337 	 * struct {
338 	 *    select (KeyExchangeAlgorithm) {
339 	 *       case diffie_hellman:
340 	 *          ServerDHParams params;
341 	 *          Signature signed_params;
342 	 *       case rsa:
343 	 *          ServerRSAParams params;
344 	 *          Signature signed_params;
345 	 *    };
346 	 * } ServerKeyExchange;
347 	 *
348 	 * struct {
349 	 *    opaque dh_p<1..2^16-1>;
350 	 *    opaque dh_g<1..2^16-1>;
351 	 *    opaque dh_Ys<1..2^16-1>;
352 	 * } ServerDHParams;
353 	 */
354 
355 	pos = *msgpos;
356 
357 	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange");
358 	rhdr = pos;
359 	pos += TLS_RECORD_HEADER_LEN;
360 
361 	/* opaque fragment[TLSPlaintext.length] */
362 
363 	/* Handshake */
364 	hs_start = pos;
365 	/* HandshakeType msg_type */
366 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
367 	/* uint24 length (to be filled) */
368 	hs_length = pos;
369 	pos += 3;
370 
371 	/* body - ServerDHParams */
372 	/* dh_p */
373 	if (pos + 2 + conn->cred->dh_p_len > end) {
374 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
375 			   "dh_p");
376 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
377 				   TLS_ALERT_INTERNAL_ERROR);
378 		os_free(dh_ys);
379 		return -1;
380 	}
381 	WPA_PUT_BE16(pos, conn->cred->dh_p_len);
382 	pos += 2;
383 	os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len);
384 	pos += conn->cred->dh_p_len;
385 
386 	/* dh_g */
387 	if (pos + 2 + conn->cred->dh_g_len > end) {
388 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
389 			   "dh_g");
390 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
391 				   TLS_ALERT_INTERNAL_ERROR);
392 		os_free(dh_ys);
393 		return -1;
394 	}
395 	WPA_PUT_BE16(pos, conn->cred->dh_g_len);
396 	pos += 2;
397 	os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
398 	pos += conn->cred->dh_g_len;
399 
400 	/* dh_Ys */
401 	if (pos + 2 + dh_ys_len > end) {
402 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
403 			   "dh_Ys");
404 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
405 				   TLS_ALERT_INTERNAL_ERROR);
406 		os_free(dh_ys);
407 		return -1;
408 	}
409 	WPA_PUT_BE16(pos, dh_ys_len);
410 	pos += 2;
411 	os_memcpy(pos, dh_ys, dh_ys_len);
412 	pos += dh_ys_len;
413 	os_free(dh_ys);
414 
415 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
416 
417 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
418 			      rhdr, end - rhdr, hs_start, pos - hs_start,
419 			      &rlen) < 0) {
420 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
421 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
422 				   TLS_ALERT_INTERNAL_ERROR);
423 		return -1;
424 	}
425 	pos = rhdr + rlen;
426 
427 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
428 
429 	*msgpos = pos;
430 
431 	return 0;
432 }
433 
434 
435 static int tls_write_server_certificate_request(struct tlsv1_server *conn,
436 						u8 **msgpos, u8 *end)
437 {
438 	u8 *pos, *rhdr, *hs_start, *hs_length;
439 	size_t rlen;
440 
441 	if (!conn->verify_peer) {
442 		wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
443 		return 0;
444 	}
445 
446 	pos = *msgpos;
447 
448 	wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest");
449 	rhdr = pos;
450 	pos += TLS_RECORD_HEADER_LEN;
451 
452 	/* opaque fragment[TLSPlaintext.length] */
453 
454 	/* Handshake */
455 	hs_start = pos;
456 	/* HandshakeType msg_type */
457 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
458 	/* uint24 length (to be filled) */
459 	hs_length = pos;
460 	pos += 3;
461 	/* body - CertificateRequest */
462 
463 	/*
464 	 * enum {
465 	 *   rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
466 	 *   (255)
467 	 * } ClientCertificateType;
468 	 * ClientCertificateType certificate_types<1..2^8-1>
469 	 */
470 	*pos++ = 1;
471 	*pos++ = 1; /* rsa_sign */
472 
473 	/*
474 	 * opaque DistinguishedName<1..2^16-1>
475 	 * DistinguishedName certificate_authorities<3..2^16-1>
476 	 */
477 	/* TODO: add support for listing DNs for trusted CAs */
478 	WPA_PUT_BE16(pos, 0);
479 	pos += 2;
480 
481 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
482 
483 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
484 			      rhdr, end - rhdr, hs_start, pos - hs_start,
485 			      &rlen) < 0) {
486 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
487 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
488 				   TLS_ALERT_INTERNAL_ERROR);
489 		return -1;
490 	}
491 	pos = rhdr + rlen;
492 
493 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
494 
495 	*msgpos = pos;
496 
497 	return 0;
498 }
499 
500 
501 static int tls_write_server_hello_done(struct tlsv1_server *conn,
502 				       u8 **msgpos, u8 *end)
503 {
504 	u8 *pos;
505 	size_t rlen;
506 	u8 payload[4];
507 
508 	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone");
509 
510 	/* opaque fragment[TLSPlaintext.length] */
511 
512 	/* Handshake */
513 	pos = payload;
514 	/* HandshakeType msg_type */
515 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
516 	/* uint24 length */
517 	WPA_PUT_BE24(pos, 0);
518 	pos += 3;
519 	/* body - ServerHelloDone (empty) */
520 
521 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
522 			      *msgpos, end - *msgpos, payload, pos - payload,
523 			      &rlen) < 0) {
524 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
525 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
526 				   TLS_ALERT_INTERNAL_ERROR);
527 		return -1;
528 	}
529 
530 	tls_verify_hash_add(&conn->verify, payload, pos - payload);
531 
532 	*msgpos += rlen;
533 
534 	return 0;
535 }
536 
537 
538 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
539 					       u8 **msgpos, u8 *end)
540 {
541 	size_t rlen;
542 	u8 payload[1];
543 
544 	wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
545 
546 	payload[0] = TLS_CHANGE_CIPHER_SPEC;
547 
548 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
549 			      *msgpos, end - *msgpos, payload, sizeof(payload),
550 			      &rlen) < 0) {
551 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
552 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 				   TLS_ALERT_INTERNAL_ERROR);
554 		return -1;
555 	}
556 
557 	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
558 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
559 			   "record layer");
560 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
561 				   TLS_ALERT_INTERNAL_ERROR);
562 		return -1;
563 	}
564 
565 	*msgpos += rlen;
566 
567 	return 0;
568 }
569 
570 
571 static int tls_write_server_finished(struct tlsv1_server *conn,
572 				     u8 **msgpos, u8 *end)
573 {
574 	u8 *pos, *hs_start;
575 	size_t rlen, hlen;
576 	u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
577 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
578 
579 	pos = *msgpos;
580 
581 	wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
582 
583 	/* Encrypted Handshake Message: Finished */
584 
585 #ifdef CONFIG_TLSV12
586 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
587 		hlen = SHA256_MAC_LEN;
588 		if (conn->verify.sha256_server == NULL ||
589 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
590 		    < 0) {
591 			conn->verify.sha256_server = NULL;
592 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
593 					   TLS_ALERT_INTERNAL_ERROR);
594 			return -1;
595 		}
596 		conn->verify.sha256_server = NULL;
597 	} else {
598 #endif /* CONFIG_TLSV12 */
599 
600 	hlen = MD5_MAC_LEN;
601 	if (conn->verify.md5_server == NULL ||
602 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
603 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
604 				   TLS_ALERT_INTERNAL_ERROR);
605 		conn->verify.md5_server = NULL;
606 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
607 		conn->verify.sha1_server = NULL;
608 		return -1;
609 	}
610 	conn->verify.md5_server = NULL;
611 	hlen = SHA1_MAC_LEN;
612 	if (conn->verify.sha1_server == NULL ||
613 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
614 			       &hlen) < 0) {
615 		conn->verify.sha1_server = NULL;
616 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
617 				   TLS_ALERT_INTERNAL_ERROR);
618 		return -1;
619 	}
620 	conn->verify.sha1_server = NULL;
621 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
622 
623 #ifdef CONFIG_TLSV12
624 	}
625 #endif /* CONFIG_TLSV12 */
626 
627 	if (tls_prf(conn->rl.tls_version,
628 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
629 		    "server finished", hash, hlen,
630 		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
631 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
632 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
633 				   TLS_ALERT_INTERNAL_ERROR);
634 		return -1;
635 	}
636 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
637 			verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
638 
639 	/* Handshake */
640 	pos = hs_start = verify_data;
641 	/* HandshakeType msg_type */
642 	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
643 	/* uint24 length */
644 	WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
645 	pos += 3;
646 	pos += TLS_VERIFY_DATA_LEN;
647 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
648 
649 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
650 			      *msgpos, end - *msgpos, hs_start, pos - hs_start,
651 			      &rlen) < 0) {
652 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
653 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
654 				   TLS_ALERT_INTERNAL_ERROR);
655 		return -1;
656 	}
657 
658 	*msgpos += rlen;
659 
660 	return 0;
661 }
662 
663 
664 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
665 {
666 	u8 *msg, *end, *pos;
667 	size_t msglen;
668 
669 	*out_len = 0;
670 
671 	msglen = 1000 + tls_server_cert_chain_der_len(conn);
672 
673 	msg = os_malloc(msglen);
674 	if (msg == NULL)
675 		return NULL;
676 
677 	pos = msg;
678 	end = msg + msglen;
679 
680 	if (tls_write_server_hello(conn, &pos, end) < 0) {
681 		os_free(msg);
682 		return NULL;
683 	}
684 
685 	if (conn->use_session_ticket) {
686 		/* Abbreviated handshake using session ticket; RFC 4507 */
687 		if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
688 		    tls_write_server_finished(conn, &pos, end) < 0) {
689 			os_free(msg);
690 			return NULL;
691 		}
692 
693 		*out_len = pos - msg;
694 
695 		conn->state = CHANGE_CIPHER_SPEC;
696 
697 		return msg;
698 	}
699 
700 	/* Full handshake */
701 	if (tls_write_server_certificate(conn, &pos, end) < 0 ||
702 	    tls_write_server_key_exchange(conn, &pos, end) < 0 ||
703 	    tls_write_server_certificate_request(conn, &pos, end) < 0 ||
704 	    tls_write_server_hello_done(conn, &pos, end) < 0) {
705 		os_free(msg);
706 		return NULL;
707 	}
708 
709 	*out_len = pos - msg;
710 
711 	conn->state = CLIENT_CERTIFICATE;
712 
713 	return msg;
714 }
715 
716 
717 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
718 					size_t *out_len)
719 {
720 	u8 *msg, *end, *pos;
721 
722 	*out_len = 0;
723 
724 	msg = os_malloc(1000);
725 	if (msg == NULL)
726 		return NULL;
727 
728 	pos = msg;
729 	end = msg + 1000;
730 
731 	if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
732 	    tls_write_server_finished(conn, &pos, end) < 0) {
733 		os_free(msg);
734 		return NULL;
735 	}
736 
737 	*out_len = pos - msg;
738 
739 	wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully");
740 	conn->state = ESTABLISHED;
741 
742 	return msg;
743 }
744 
745 
746 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
747 {
748 	switch (conn->state) {
749 	case SERVER_HELLO:
750 		return tls_send_server_hello(conn, out_len);
751 	case SERVER_CHANGE_CIPHER_SPEC:
752 		return tls_send_change_cipher_spec(conn, out_len);
753 	default:
754 		if (conn->state == ESTABLISHED && conn->use_session_ticket) {
755 			/* Abbreviated handshake was already completed. */
756 			return NULL;
757 		}
758 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
759 			   "generating reply", conn->state);
760 		return NULL;
761 	}
762 }
763 
764 
765 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
766 			     u8 description, size_t *out_len)
767 {
768 	u8 *alert, *pos, *length;
769 
770 	wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
771 	*out_len = 0;
772 
773 	alert = os_malloc(10);
774 	if (alert == NULL)
775 		return NULL;
776 
777 	pos = alert;
778 
779 	/* TLSPlaintext */
780 	/* ContentType type */
781 	*pos++ = TLS_CONTENT_TYPE_ALERT;
782 	/* ProtocolVersion version */
783 	WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
784 		     TLS_VERSION);
785 	pos += 2;
786 	/* uint16 length (to be filled) */
787 	length = pos;
788 	pos += 2;
789 	/* opaque fragment[TLSPlaintext.length] */
790 
791 	/* Alert */
792 	/* AlertLevel level */
793 	*pos++ = level;
794 	/* AlertDescription description */
795 	*pos++ = description;
796 
797 	WPA_PUT_BE16(length, pos - length - 2);
798 	*out_len = pos - alert;
799 
800 	return alert;
801 }
802