1 /* 2 * TLSv1 server - write handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "crypto/random.h" 17 #include "x509v3.h" 18 #include "tlsv1_common.h" 19 #include "tlsv1_record.h" 20 #include "tlsv1_server.h" 21 #include "tlsv1_server_i.h" 22 23 24 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn) 25 { 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 cert = conn->cred ? conn->cred->cert : NULL; 30 while (cert) { 31 len += 3 + cert->cert_len; 32 if (x509_certificate_self_signed(cert)) 33 break; 34 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 35 &cert->issuer); 36 } 37 38 return len; 39 } 40 41 42 static int tls_write_server_hello(struct tlsv1_server *conn, 43 u8 **msgpos, u8 *end) 44 { 45 u8 *pos, *rhdr, *hs_start, *hs_length, *ext_start; 46 struct os_time now; 47 size_t rlen; 48 49 pos = *msgpos; 50 51 tlsv1_server_log(conn, "Send ServerHello"); 52 rhdr = pos; 53 pos += TLS_RECORD_HEADER_LEN; 54 55 os_get_time(&now); 56 #ifdef TEST_FUZZ 57 now.sec = 0xfffefdfc; 58 #endif /* TEST_FUZZ */ 59 WPA_PUT_BE32(conn->server_random, now.sec); 60 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) { 61 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 62 "server_random"); 63 return -1; 64 } 65 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 66 conn->server_random, TLS_RANDOM_LEN); 67 68 conn->session_id_len = TLS_SESSION_ID_MAX_LEN; 69 if (random_get_bytes(conn->session_id, conn->session_id_len)) { 70 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 71 "session_id"); 72 return -1; 73 } 74 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 75 conn->session_id, conn->session_id_len); 76 77 /* opaque fragment[TLSPlaintext.length] */ 78 79 /* Handshake */ 80 hs_start = pos; 81 /* HandshakeType msg_type */ 82 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO; 83 /* uint24 length (to be filled) */ 84 hs_length = pos; 85 pos += 3; 86 /* body - ServerHello */ 87 /* ProtocolVersion server_version */ 88 WPA_PUT_BE16(pos, conn->rl.tls_version); 89 pos += 2; 90 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 91 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN); 92 pos += TLS_RANDOM_LEN; 93 /* SessionID session_id */ 94 *pos++ = conn->session_id_len; 95 os_memcpy(pos, conn->session_id, conn->session_id_len); 96 pos += conn->session_id_len; 97 /* CipherSuite cipher_suite */ 98 WPA_PUT_BE16(pos, conn->cipher_suite); 99 pos += 2; 100 /* CompressionMethod compression_method */ 101 *pos++ = TLS_COMPRESSION_NULL; 102 103 /* Extension */ 104 ext_start = pos; 105 pos += 2; 106 107 if (conn->status_request) { 108 /* Add a status_request extension with empty extension_data */ 109 /* ExtensionsType extension_type = status_request(5) */ 110 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST); 111 pos += 2; 112 /* opaque extension_data<0..2^16-1> length */ 113 WPA_PUT_BE16(pos, 0); 114 pos += 2; 115 } 116 117 if (conn->status_request_v2) { 118 /* 119 Add a status_request_v2 extension with empty extension_data 120 */ 121 /* ExtensionsType extension_type = status_request_v2(17) */ 122 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2); 123 pos += 2; 124 /* opaque extension_data<0..2^16-1> length */ 125 WPA_PUT_BE16(pos, 0); 126 pos += 2; 127 } 128 129 if (conn->session_ticket && conn->session_ticket_cb) { 130 int res = conn->session_ticket_cb( 131 conn->session_ticket_cb_ctx, 132 conn->session_ticket, conn->session_ticket_len, 133 conn->client_random, conn->server_random, 134 conn->master_secret); 135 if (res < 0) { 136 tlsv1_server_log(conn, "SessionTicket callback indicated failure"); 137 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 138 TLS_ALERT_HANDSHAKE_FAILURE); 139 return -1; 140 } 141 conn->use_session_ticket = res; 142 143 if (conn->use_session_ticket) { 144 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) { 145 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 146 "derive keys"); 147 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 148 TLS_ALERT_INTERNAL_ERROR); 149 return -1; 150 } 151 } 152 153 /* 154 * RFC 4507 specifies that server would include an empty 155 * SessionTicket extension in ServerHello and a 156 * NewSessionTicket message after the ServerHello. However, 157 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket 158 * extension at the moment, does not use such extensions. 159 * 160 * TODO: Add support for configuring RFC 4507 behavior and make 161 * EAP-FAST disable it. 162 */ 163 } 164 165 if (pos == ext_start + 2) 166 pos -= 2; /* no extensions */ 167 else 168 WPA_PUT_BE16(ext_start, pos - ext_start - 2); 169 170 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 171 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 172 173 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 174 rhdr, end - rhdr, hs_start, pos - hs_start, 175 &rlen) < 0) { 176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 177 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 178 TLS_ALERT_INTERNAL_ERROR); 179 return -1; 180 } 181 pos = rhdr + rlen; 182 183 *msgpos = pos; 184 185 return 0; 186 } 187 188 189 static int tls_write_server_certificate(struct tlsv1_server *conn, 190 u8 **msgpos, u8 *end) 191 { 192 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 193 size_t rlen; 194 struct x509_certificate *cert; 195 const struct tls_cipher_suite *suite; 196 197 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 198 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 199 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when " 200 "using anonymous DH"); 201 return 0; 202 } 203 204 pos = *msgpos; 205 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) { 206 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 207 TLS_ALERT_INTERNAL_ERROR); 208 return -1; 209 } 210 211 tlsv1_server_log(conn, "Send Certificate"); 212 rhdr = pos; 213 pos += TLS_RECORD_HEADER_LEN; 214 215 /* opaque fragment[TLSPlaintext.length] */ 216 217 /* Handshake */ 218 hs_start = pos; 219 /* HandshakeType msg_type */ 220 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 221 /* uint24 length (to be filled) */ 222 hs_length = pos; 223 pos += 3; 224 /* body - Certificate */ 225 /* uint24 length (to be filled) */ 226 cert_start = pos; 227 pos += 3; 228 cert = conn->cred->cert; 229 while (cert) { 230 if (3 + cert->cert_len > (size_t) (end - pos)) { 231 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 232 "for Certificate (cert_len=%lu left=%lu)", 233 (unsigned long) cert->cert_len, 234 (unsigned long) (end - pos)); 235 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 236 TLS_ALERT_INTERNAL_ERROR); 237 return -1; 238 } 239 WPA_PUT_BE24(pos, cert->cert_len); 240 pos += 3; 241 os_memcpy(pos, cert->cert_start, cert->cert_len); 242 pos += cert->cert_len; 243 244 if (x509_certificate_self_signed(cert)) 245 break; 246 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 247 &cert->issuer); 248 } 249 if (cert == conn->cred->cert || cert == NULL) { 250 /* 251 * Server was not configured with all the needed certificates 252 * to form a full certificate chain. The client may fail to 253 * validate the chain unless it is configured with all the 254 * missing CA certificates. 255 */ 256 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain " 257 "not configured - validation may fail"); 258 } 259 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 260 261 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 262 263 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 264 rhdr, end - rhdr, hs_start, pos - hs_start, 265 &rlen) < 0) { 266 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 267 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 268 TLS_ALERT_INTERNAL_ERROR); 269 return -1; 270 } 271 pos = rhdr + rlen; 272 273 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 274 275 *msgpos = pos; 276 277 return 0; 278 } 279 280 281 static int tls_write_server_certificate_status(struct tlsv1_server *conn, 282 u8 **msgpos, u8 *end, 283 int ocsp_multi, 284 char *ocsp_resp, 285 size_t ocsp_resp_len) 286 { 287 u8 *pos, *rhdr, *hs_start, *hs_length; 288 size_t rlen; 289 290 if (!ocsp_resp) { 291 /* 292 * Client did not request certificate status or there is no 293 * matching response cached. 294 */ 295 return 0; 296 } 297 298 pos = *msgpos; 299 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 1 + 3 + ocsp_resp_len > 300 (unsigned int) (end - pos)) { 301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 302 TLS_ALERT_INTERNAL_ERROR); 303 return -1; 304 } 305 306 tlsv1_server_log(conn, "Send CertificateStatus (multi=%d)", ocsp_multi); 307 rhdr = pos; 308 pos += TLS_RECORD_HEADER_LEN; 309 310 /* opaque fragment[TLSPlaintext.length] */ 311 312 /* Handshake */ 313 hs_start = pos; 314 /* HandshakeType msg_type */ 315 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS; 316 /* uint24 length (to be filled) */ 317 hs_length = pos; 318 pos += 3; 319 320 /* body - CertificateStatus 321 * 322 * struct { 323 * CertificateStatusType status_type; 324 * select (status_type) { 325 * case ocsp: OCSPResponse; 326 * case ocsp_multi: OCSPResponseList; 327 * } response; 328 * } CertificateStatus; 329 * 330 * opaque OCSPResponse<1..2^24-1>; 331 * 332 * struct { 333 * OCSPResponse ocsp_response_list<1..2^24-1>; 334 * } OCSPResponseList; 335 */ 336 337 /* CertificateStatusType status_type */ 338 if (ocsp_multi) 339 *pos++ = 2; /* ocsp_multi(2) */ 340 else 341 *pos++ = 1; /* ocsp(1) */ 342 /* uint24 length of OCSPResponse */ 343 WPA_PUT_BE24(pos, ocsp_resp_len); 344 pos += 3; 345 os_memcpy(pos, ocsp_resp, ocsp_resp_len); 346 pos += ocsp_resp_len; 347 348 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 349 350 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 351 rhdr, end - rhdr, hs_start, pos - hs_start, 352 &rlen) < 0) { 353 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 354 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 355 TLS_ALERT_INTERNAL_ERROR); 356 return -1; 357 } 358 pos = rhdr + rlen; 359 360 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 361 362 *msgpos = pos; 363 364 return 0; 365 } 366 367 368 static int tls_write_server_key_exchange(struct tlsv1_server *conn, 369 u8 **msgpos, u8 *end) 370 { 371 tls_key_exchange keyx; 372 const struct tls_cipher_suite *suite; 373 u8 *pos, *rhdr, *hs_start, *hs_length, *server_params; 374 size_t rlen; 375 u8 *dh_ys; 376 size_t dh_ys_len; 377 const u8 *dh_p; 378 size_t dh_p_len; 379 380 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 381 if (suite == NULL) 382 keyx = TLS_KEY_X_NULL; 383 else 384 keyx = suite->key_exchange; 385 386 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 387 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed"); 388 return 0; 389 } 390 391 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA) { 392 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet " 393 "supported with key exchange type %d", keyx); 394 return -1; 395 } 396 397 if (conn->cred == NULL || conn->cred->dh_p == NULL || 398 conn->cred->dh_g == NULL) { 399 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for " 400 "ServerKeyExhcange"); 401 return -1; 402 } 403 404 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len); 405 406 os_free(conn->dh_secret); 407 conn->dh_secret_len = dh_p_len; 408 conn->dh_secret = os_malloc(conn->dh_secret_len); 409 if (conn->dh_secret == NULL) { 410 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 411 "memory for secret (Diffie-Hellman)"); 412 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 413 TLS_ALERT_INTERNAL_ERROR); 414 return -1; 415 } 416 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) { 417 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 418 "data for Diffie-Hellman"); 419 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 420 TLS_ALERT_INTERNAL_ERROR); 421 os_free(conn->dh_secret); 422 conn->dh_secret = NULL; 423 return -1; 424 } 425 426 if (os_memcmp(conn->dh_secret, dh_p, conn->dh_secret_len) > 0) 427 conn->dh_secret[0] = 0; /* make sure secret < p */ 428 429 pos = conn->dh_secret; 430 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0) 431 pos++; 432 if (pos != conn->dh_secret) { 433 os_memmove(conn->dh_secret, pos, 434 conn->dh_secret_len - (pos - conn->dh_secret)); 435 conn->dh_secret_len -= pos - conn->dh_secret; 436 } 437 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value", 438 conn->dh_secret, conn->dh_secret_len); 439 440 /* Ys = g^secret mod p */ 441 dh_ys_len = dh_p_len; 442 dh_ys = os_malloc(dh_ys_len); 443 if (dh_ys == NULL) { 444 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for " 445 "Diffie-Hellman"); 446 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 447 TLS_ALERT_INTERNAL_ERROR); 448 return -1; 449 } 450 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len, 451 conn->dh_secret, conn->dh_secret_len, 452 dh_p, dh_p_len, dh_ys, &dh_ys_len)) { 453 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 454 TLS_ALERT_INTERNAL_ERROR); 455 os_free(dh_ys); 456 return -1; 457 } 458 459 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 460 dh_ys, dh_ys_len); 461 462 /* 463 * struct { 464 * select (KeyExchangeAlgorithm) { 465 * case diffie_hellman: 466 * ServerDHParams params; 467 * Signature signed_params; 468 * case rsa: 469 * ServerRSAParams params; 470 * Signature signed_params; 471 * }; 472 * } ServerKeyExchange; 473 * 474 * struct { 475 * opaque dh_p<1..2^16-1>; 476 * opaque dh_g<1..2^16-1>; 477 * opaque dh_Ys<1..2^16-1>; 478 * } ServerDHParams; 479 */ 480 481 pos = *msgpos; 482 483 tlsv1_server_log(conn, "Send ServerKeyExchange"); 484 rhdr = pos; 485 pos += TLS_RECORD_HEADER_LEN; 486 487 /* opaque fragment[TLSPlaintext.length] */ 488 489 /* Handshake */ 490 hs_start = pos; 491 /* HandshakeType msg_type */ 492 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE; 493 /* uint24 length (to be filled) */ 494 hs_length = pos; 495 pos += 3; 496 497 /* body - ServerDHParams */ 498 server_params = pos; 499 /* dh_p */ 500 if (2 + dh_p_len > (size_t) (end - pos)) { 501 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 502 "dh_p"); 503 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 504 TLS_ALERT_INTERNAL_ERROR); 505 os_free(dh_ys); 506 return -1; 507 } 508 WPA_PUT_BE16(pos, dh_p_len); 509 pos += 2; 510 os_memcpy(pos, dh_p, dh_p_len); 511 pos += dh_p_len; 512 513 /* dh_g */ 514 if (2 + conn->cred->dh_g_len > (size_t) (end - pos)) { 515 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 516 "dh_g"); 517 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 518 TLS_ALERT_INTERNAL_ERROR); 519 os_free(dh_ys); 520 return -1; 521 } 522 WPA_PUT_BE16(pos, conn->cred->dh_g_len); 523 pos += 2; 524 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len); 525 pos += conn->cred->dh_g_len; 526 527 /* dh_Ys */ 528 if (2 + dh_ys_len > (size_t) (end - pos)) { 529 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 530 "dh_Ys"); 531 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 532 TLS_ALERT_INTERNAL_ERROR); 533 os_free(dh_ys); 534 return -1; 535 } 536 WPA_PUT_BE16(pos, dh_ys_len); 537 pos += 2; 538 os_memcpy(pos, dh_ys, dh_ys_len); 539 pos += dh_ys_len; 540 os_free(dh_ys); 541 542 /* 543 * select (SignatureAlgorithm) 544 * { case anonymous: struct { }; 545 * case rsa: 546 * digitally-signed struct { 547 * opaque md5_hash[16]; 548 * opaque sha_hash[20]; 549 * }; 550 * case dsa: 551 * digitally-signed struct { 552 * opaque sha_hash[20]; 553 * }; 554 * } Signature; 555 * 556 * md5_hash 557 * MD5(ClientHello.random + ServerHello.random + ServerParams); 558 * 559 * sha_hash 560 * SHA(ClientHello.random + ServerHello.random + ServerParams); 561 */ 562 563 if (keyx == TLS_KEY_X_DHE_RSA) { 564 u8 hash[100]; 565 u8 *signed_start; 566 size_t clen; 567 int hlen; 568 569 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 570 #ifdef CONFIG_TLSV12 571 hlen = tlsv12_key_x_server_params_hash( 572 conn->rl.tls_version, TLS_HASH_ALG_SHA256, 573 conn->client_random, 574 conn->server_random, server_params, 575 pos - server_params, hash + 19); 576 577 /* 578 * RFC 5246, 4.7: 579 * TLS v1.2 adds explicit indication of the used 580 * signature and hash algorithms. 581 * 582 * struct { 583 * HashAlgorithm hash; 584 * SignatureAlgorithm signature; 585 * } SignatureAndHashAlgorithm; 586 */ 587 if (hlen < 0 || end - pos < 2) { 588 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 589 TLS_ALERT_INTERNAL_ERROR); 590 return -1; 591 } 592 *pos++ = TLS_HASH_ALG_SHA256; 593 *pos++ = TLS_SIGN_ALG_RSA; 594 595 /* 596 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 597 * 598 * DigestInfo ::= SEQUENCE { 599 * digestAlgorithm DigestAlgorithm, 600 * digest OCTET STRING 601 * } 602 * 603 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 604 * 605 * DER encoded DigestInfo for SHA256 per RFC 3447: 606 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 607 * 04 20 || H 608 */ 609 hlen += 19; 610 os_memcpy(hash, 611 "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 612 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 613 614 #else /* CONFIG_TLSV12 */ 615 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 616 TLS_ALERT_INTERNAL_ERROR); 617 return -1; 618 #endif /* CONFIG_TLSV12 */ 619 } else { 620 hlen = tls_key_x_server_params_hash( 621 conn->rl.tls_version, conn->client_random, 622 conn->server_random, server_params, 623 pos - server_params, hash, sizeof(hash)); 624 } 625 626 if (hlen < 0) { 627 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 628 TLS_ALERT_INTERNAL_ERROR); 629 return -1; 630 } 631 632 wpa_hexdump(MSG_MSGDUMP, "TLS: ServerKeyExchange signed_params hash", 633 hash, hlen); 634 #ifdef CONFIG_TESTING_OPTIONS 635 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_HASH) { 636 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params hash"); 637 hash[hlen - 1] ^= 0x80; 638 } 639 #endif /* CONFIG_TESTING_OPTIONS */ 640 641 /* 642 * RFC 2246, 4.7: 643 * In digital signing, one-way hash functions are used as input 644 * for a signing algorithm. A digitally-signed element is 645 * encoded as an opaque vector <0..2^16-1>, where the length is 646 * specified by the signing algorithm and key. 647 * 648 * In RSA signing, a 36-byte structure of two hashes (one SHA 649 * and one MD5) is signed (encrypted with the private key). It 650 * is encoded with PKCS #1 block type 0 or type 1 as described 651 * in [PKCS1]. 652 */ 653 signed_start = pos; /* length to be filled */ 654 pos += 2; 655 clen = end - pos; 656 if (conn->cred == NULL || 657 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 658 pos, &clen) < 0) { 659 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 661 TLS_ALERT_INTERNAL_ERROR); 662 return -1; 663 } 664 WPA_PUT_BE16(signed_start, clen); 665 #ifdef CONFIG_TESTING_OPTIONS 666 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_SIGNATURE) { 667 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params signature"); 668 pos[clen - 1] ^= 0x80; 669 } 670 #endif /* CONFIG_TESTING_OPTIONS */ 671 672 pos += clen; 673 } 674 675 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 676 677 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 678 rhdr, end - rhdr, hs_start, pos - hs_start, 679 &rlen) < 0) { 680 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 681 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 682 TLS_ALERT_INTERNAL_ERROR); 683 return -1; 684 } 685 pos = rhdr + rlen; 686 687 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 688 689 *msgpos = pos; 690 691 return 0; 692 } 693 694 695 static int tls_write_server_certificate_request(struct tlsv1_server *conn, 696 u8 **msgpos, u8 *end) 697 { 698 u8 *pos, *rhdr, *hs_start, *hs_length; 699 size_t rlen; 700 701 if (!conn->verify_peer) { 702 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed"); 703 return 0; 704 } 705 706 pos = *msgpos; 707 708 tlsv1_server_log(conn, "Send CertificateRequest"); 709 rhdr = pos; 710 pos += TLS_RECORD_HEADER_LEN; 711 712 /* opaque fragment[TLSPlaintext.length] */ 713 714 /* Handshake */ 715 hs_start = pos; 716 /* HandshakeType msg_type */ 717 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST; 718 /* uint24 length (to be filled) */ 719 hs_length = pos; 720 pos += 3; 721 /* body - CertificateRequest */ 722 723 /* 724 * enum { 725 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 726 * (255) 727 * } ClientCertificateType; 728 * ClientCertificateType certificate_types<1..2^8-1> 729 */ 730 *pos++ = 1; 731 *pos++ = 1; /* rsa_sign */ 732 733 /* 734 * opaque DistinguishedName<1..2^16-1> 735 * DistinguishedName certificate_authorities<3..2^16-1> 736 */ 737 /* TODO: add support for listing DNs for trusted CAs */ 738 WPA_PUT_BE16(pos, 0); 739 pos += 2; 740 741 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 742 743 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 744 rhdr, end - rhdr, hs_start, pos - hs_start, 745 &rlen) < 0) { 746 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 747 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 748 TLS_ALERT_INTERNAL_ERROR); 749 return -1; 750 } 751 pos = rhdr + rlen; 752 753 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 754 755 *msgpos = pos; 756 757 return 0; 758 } 759 760 761 static int tls_write_server_hello_done(struct tlsv1_server *conn, 762 u8 **msgpos, u8 *end) 763 { 764 u8 *pos; 765 size_t rlen; 766 u8 payload[4]; 767 768 tlsv1_server_log(conn, "Send ServerHelloDone"); 769 770 /* opaque fragment[TLSPlaintext.length] */ 771 772 /* Handshake */ 773 pos = payload; 774 /* HandshakeType msg_type */ 775 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE; 776 /* uint24 length */ 777 WPA_PUT_BE24(pos, 0); 778 pos += 3; 779 /* body - ServerHelloDone (empty) */ 780 781 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 782 *msgpos, end - *msgpos, payload, pos - payload, 783 &rlen) < 0) { 784 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 785 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 786 TLS_ALERT_INTERNAL_ERROR); 787 return -1; 788 } 789 790 tls_verify_hash_add(&conn->verify, payload, pos - payload); 791 792 *msgpos += rlen; 793 794 return 0; 795 } 796 797 798 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn, 799 u8 **msgpos, u8 *end) 800 { 801 size_t rlen; 802 u8 payload[1]; 803 804 tlsv1_server_log(conn, "Send ChangeCipherSpec"); 805 806 payload[0] = TLS_CHANGE_CIPHER_SPEC; 807 808 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 809 *msgpos, end - *msgpos, payload, sizeof(payload), 810 &rlen) < 0) { 811 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 812 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 813 TLS_ALERT_INTERNAL_ERROR); 814 return -1; 815 } 816 817 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 818 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 819 "record layer"); 820 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 821 TLS_ALERT_INTERNAL_ERROR); 822 return -1; 823 } 824 825 *msgpos += rlen; 826 827 return 0; 828 } 829 830 831 static int tls_write_server_finished(struct tlsv1_server *conn, 832 u8 **msgpos, u8 *end) 833 { 834 u8 *pos, *hs_start; 835 size_t rlen, hlen; 836 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 837 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 838 839 pos = *msgpos; 840 841 tlsv1_server_log(conn, "Send Finished"); 842 843 /* Encrypted Handshake Message: Finished */ 844 845 #ifdef CONFIG_TLSV12 846 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 847 hlen = SHA256_MAC_LEN; 848 if (conn->verify.sha256_server == NULL || 849 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 850 < 0) { 851 conn->verify.sha256_server = NULL; 852 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 853 TLS_ALERT_INTERNAL_ERROR); 854 return -1; 855 } 856 conn->verify.sha256_server = NULL; 857 } else { 858 #endif /* CONFIG_TLSV12 */ 859 860 hlen = MD5_MAC_LEN; 861 if (conn->verify.md5_server == NULL || 862 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 863 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 864 TLS_ALERT_INTERNAL_ERROR); 865 conn->verify.md5_server = NULL; 866 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 867 conn->verify.sha1_server = NULL; 868 return -1; 869 } 870 conn->verify.md5_server = NULL; 871 hlen = SHA1_MAC_LEN; 872 if (conn->verify.sha1_server == NULL || 873 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 874 &hlen) < 0) { 875 conn->verify.sha1_server = NULL; 876 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 877 TLS_ALERT_INTERNAL_ERROR); 878 return -1; 879 } 880 conn->verify.sha1_server = NULL; 881 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 882 883 #ifdef CONFIG_TLSV12 884 } 885 #endif /* CONFIG_TLSV12 */ 886 887 if (tls_prf(conn->rl.tls_version, 888 conn->master_secret, TLS_MASTER_SECRET_LEN, 889 "server finished", hash, hlen, 890 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 891 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 892 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 893 TLS_ALERT_INTERNAL_ERROR); 894 return -1; 895 } 896 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 897 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 898 #ifdef CONFIG_TESTING_OPTIONS 899 if (conn->test_flags & TLS_BREAK_VERIFY_DATA) { 900 tlsv1_server_log(conn, "TESTING: Break verify_data (server)"); 901 verify_data[1 + 3 + 1] ^= 0x80; 902 } 903 #endif /* CONFIG_TESTING_OPTIONS */ 904 905 /* Handshake */ 906 pos = hs_start = verify_data; 907 /* HandshakeType msg_type */ 908 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 909 /* uint24 length */ 910 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 911 pos += 3; 912 pos += TLS_VERIFY_DATA_LEN; 913 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 914 915 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 916 *msgpos, end - *msgpos, hs_start, pos - hs_start, 917 &rlen) < 0) { 918 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 919 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 920 TLS_ALERT_INTERNAL_ERROR); 921 return -1; 922 } 923 924 *msgpos += rlen; 925 926 return 0; 927 } 928 929 930 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len) 931 { 932 u8 *msg, *end, *pos; 933 size_t msglen; 934 int ocsp_multi = 0; 935 char *ocsp_resp = NULL; 936 size_t ocsp_resp_len = 0; 937 938 *out_len = 0; 939 940 if (conn->status_request_multi && 941 conn->cred->ocsp_stapling_response_multi) { 942 ocsp_resp = os_readfile( 943 conn->cred->ocsp_stapling_response_multi, 944 &ocsp_resp_len); 945 ocsp_multi = 1; 946 } else if ((conn->status_request || conn->status_request_v2) && 947 conn->cred->ocsp_stapling_response) { 948 ocsp_resp = os_readfile(conn->cred->ocsp_stapling_response, 949 &ocsp_resp_len); 950 } 951 if (!ocsp_resp) 952 ocsp_resp_len = 0; 953 954 msglen = 1000 + tls_server_cert_chain_der_len(conn) + ocsp_resp_len; 955 956 msg = os_malloc(msglen); 957 if (msg == NULL) { 958 os_free(ocsp_resp); 959 return NULL; 960 } 961 962 pos = msg; 963 end = msg + msglen; 964 965 if (tls_write_server_hello(conn, &pos, end) < 0) { 966 os_free(msg); 967 os_free(ocsp_resp); 968 return NULL; 969 } 970 971 if (conn->use_session_ticket) { 972 os_free(ocsp_resp); 973 974 /* Abbreviated handshake using session ticket; RFC 4507 */ 975 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 976 tls_write_server_finished(conn, &pos, end) < 0) { 977 os_free(msg); 978 return NULL; 979 } 980 981 *out_len = pos - msg; 982 983 conn->state = CHANGE_CIPHER_SPEC; 984 985 return msg; 986 } 987 988 /* Full handshake */ 989 if (tls_write_server_certificate(conn, &pos, end) < 0 || 990 tls_write_server_certificate_status(conn, &pos, end, ocsp_multi, 991 ocsp_resp, ocsp_resp_len) < 0 || 992 tls_write_server_key_exchange(conn, &pos, end) < 0 || 993 tls_write_server_certificate_request(conn, &pos, end) < 0 || 994 tls_write_server_hello_done(conn, &pos, end) < 0) { 995 os_free(msg); 996 os_free(ocsp_resp); 997 return NULL; 998 } 999 os_free(ocsp_resp); 1000 1001 *out_len = pos - msg; 1002 1003 conn->state = CLIENT_CERTIFICATE; 1004 1005 return msg; 1006 } 1007 1008 1009 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn, 1010 size_t *out_len) 1011 { 1012 u8 *msg, *end, *pos; 1013 1014 *out_len = 0; 1015 1016 msg = os_malloc(1000); 1017 if (msg == NULL) 1018 return NULL; 1019 1020 pos = msg; 1021 end = msg + 1000; 1022 1023 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 1024 tls_write_server_finished(conn, &pos, end) < 0) { 1025 os_free(msg); 1026 return NULL; 1027 } 1028 1029 *out_len = pos - msg; 1030 1031 tlsv1_server_log(conn, "Handshake completed successfully"); 1032 conn->state = ESTABLISHED; 1033 1034 return msg; 1035 } 1036 1037 1038 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len) 1039 { 1040 switch (conn->state) { 1041 case SERVER_HELLO: 1042 return tls_send_server_hello(conn, out_len); 1043 case SERVER_CHANGE_CIPHER_SPEC: 1044 return tls_send_change_cipher_spec(conn, out_len); 1045 default: 1046 if (conn->state == ESTABLISHED && conn->use_session_ticket) { 1047 /* Abbreviated handshake was already completed. */ 1048 return NULL; 1049 } 1050 tlsv1_server_log(conn, "Unexpected state %d while generating reply", 1051 conn->state); 1052 return NULL; 1053 } 1054 } 1055 1056 1057 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level, 1058 u8 description, size_t *out_len) 1059 { 1060 u8 *alert, *pos, *length; 1061 1062 tlsv1_server_log(conn, "Send Alert(%d:%d)", level, description); 1063 *out_len = 0; 1064 1065 alert = os_malloc(10); 1066 if (alert == NULL) 1067 return NULL; 1068 1069 pos = alert; 1070 1071 /* TLSPlaintext */ 1072 /* ContentType type */ 1073 *pos++ = TLS_CONTENT_TYPE_ALERT; 1074 /* ProtocolVersion version */ 1075 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 1076 TLS_VERSION); 1077 pos += 2; 1078 /* uint16 length (to be filled) */ 1079 length = pos; 1080 pos += 2; 1081 /* opaque fragment[TLSPlaintext.length] */ 1082 1083 /* Alert */ 1084 /* AlertLevel level */ 1085 *pos++ = level; 1086 /* AlertDescription description */ 1087 *pos++ = description; 1088 1089 WPA_PUT_BE16(length, pos - length - 2); 1090 *out_len = pos - alert; 1091 1092 return alert; 1093 } 1094