xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_write.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a)
1 /*
2  * TLSv1 server - write handshake message
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
21 #include "x509v3.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_server.h"
25 #include "tlsv1_server_i.h"
26 
27 
28 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
29 {
30 	size_t len = 0;
31 	struct x509_certificate *cert;
32 
33 	cert = conn->cred->cert;
34 	while (cert) {
35 		len += 3 + cert->cert_len;
36 		if (x509_certificate_self_signed(cert))
37 			break;
38 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
39 						    &cert->issuer);
40 	}
41 
42 	return len;
43 }
44 
45 
46 static int tls_write_server_hello(struct tlsv1_server *conn,
47 				  u8 **msgpos, u8 *end)
48 {
49 	u8 *pos, *rhdr, *hs_start, *hs_length;
50 	struct os_time now;
51 	size_t rlen;
52 
53 	pos = *msgpos;
54 
55 	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello");
56 	rhdr = pos;
57 	pos += TLS_RECORD_HEADER_LEN;
58 
59 	os_get_time(&now);
60 	WPA_PUT_BE32(conn->server_random, now.sec);
61 	if (os_get_random(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
62 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
63 			   "server_random");
64 		return -1;
65 	}
66 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
67 		    conn->server_random, TLS_RANDOM_LEN);
68 
69 	conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
70 	if (os_get_random(conn->session_id, conn->session_id_len)) {
71 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
72 			   "session_id");
73 		return -1;
74 	}
75 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
76 		    conn->session_id, conn->session_id_len);
77 
78 	/* opaque fragment[TLSPlaintext.length] */
79 
80 	/* Handshake */
81 	hs_start = pos;
82 	/* HandshakeType msg_type */
83 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
84 	/* uint24 length (to be filled) */
85 	hs_length = pos;
86 	pos += 3;
87 	/* body - ServerHello */
88 	/* ProtocolVersion server_version */
89 	WPA_PUT_BE16(pos, TLS_VERSION);
90 	pos += 2;
91 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
92 	os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
93 	pos += TLS_RANDOM_LEN;
94 	/* SessionID session_id */
95 	*pos++ = conn->session_id_len;
96 	os_memcpy(pos, conn->session_id, conn->session_id_len);
97 	pos += conn->session_id_len;
98 	/* CipherSuite cipher_suite */
99 	WPA_PUT_BE16(pos, conn->cipher_suite);
100 	pos += 2;
101 	/* CompressionMethod compression_method */
102 	*pos++ = TLS_COMPRESSION_NULL;
103 
104 	if (conn->session_ticket && conn->session_ticket_cb) {
105 		int res = conn->session_ticket_cb(
106 			conn->session_ticket_cb_ctx,
107 			conn->session_ticket, conn->session_ticket_len,
108 			conn->client_random, conn->server_random,
109 			conn->master_secret);
110 		if (res < 0) {
111 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
112 				   "indicated failure");
113 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
114 					   TLS_ALERT_HANDSHAKE_FAILURE);
115 			return -1;
116 		}
117 		conn->use_session_ticket = res;
118 
119 		if (conn->use_session_ticket) {
120 			if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
121 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
122 					   "derive keys");
123 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
124 						   TLS_ALERT_INTERNAL_ERROR);
125 				return -1;
126 			}
127 		}
128 
129 		/*
130 		 * RFC 4507 specifies that server would include an empty
131 		 * SessionTicket extension in ServerHello and a
132 		 * NewSessionTicket message after the ServerHello. However,
133 		 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
134 		 * extension at the moment, does not use such extensions.
135 		 *
136 		 * TODO: Add support for configuring RFC 4507 behavior and make
137 		 * EAP-FAST disable it.
138 		 */
139 	}
140 
141 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
142 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
143 
144 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
145 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
146 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
147 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
148 				   TLS_ALERT_INTERNAL_ERROR);
149 		return -1;
150 	}
151 	pos = rhdr + rlen;
152 
153 	*msgpos = pos;
154 
155 	return 0;
156 }
157 
158 
159 static int tls_write_server_certificate(struct tlsv1_server *conn,
160 					u8 **msgpos, u8 *end)
161 {
162 	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
163 	size_t rlen;
164 	struct x509_certificate *cert;
165 	const struct tls_cipher_suite *suite;
166 
167 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
168 	if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
169 		wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
170 			   "using anonymous DH");
171 		return 0;
172 	}
173 
174 	pos = *msgpos;
175 
176 	wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
177 	rhdr = pos;
178 	pos += TLS_RECORD_HEADER_LEN;
179 
180 	/* opaque fragment[TLSPlaintext.length] */
181 
182 	/* Handshake */
183 	hs_start = pos;
184 	/* HandshakeType msg_type */
185 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
186 	/* uint24 length (to be filled) */
187 	hs_length = pos;
188 	pos += 3;
189 	/* body - Certificate */
190 	/* uint24 length (to be filled) */
191 	cert_start = pos;
192 	pos += 3;
193 	cert = conn->cred->cert;
194 	while (cert) {
195 		if (pos + 3 + cert->cert_len > end) {
196 			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
197 				   "for Certificate (cert_len=%lu left=%lu)",
198 				   (unsigned long) cert->cert_len,
199 				   (unsigned long) (end - pos));
200 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
201 					   TLS_ALERT_INTERNAL_ERROR);
202 			return -1;
203 		}
204 		WPA_PUT_BE24(pos, cert->cert_len);
205 		pos += 3;
206 		os_memcpy(pos, cert->cert_start, cert->cert_len);
207 		pos += cert->cert_len;
208 
209 		if (x509_certificate_self_signed(cert))
210 			break;
211 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
212 						    &cert->issuer);
213 	}
214 	if (cert == conn->cred->cert || cert == NULL) {
215 		/*
216 		 * Server was not configured with all the needed certificates
217 		 * to form a full certificate chain. The client may fail to
218 		 * validate the chain unless it is configured with all the
219 		 * missing CA certificates.
220 		 */
221 		wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
222 			   "not configured - validation may fail");
223 	}
224 	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
225 
226 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
227 
228 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
229 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
230 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
231 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
232 				   TLS_ALERT_INTERNAL_ERROR);
233 		return -1;
234 	}
235 	pos = rhdr + rlen;
236 
237 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
238 
239 	*msgpos = pos;
240 
241 	return 0;
242 }
243 
244 
245 static int tls_write_server_key_exchange(struct tlsv1_server *conn,
246 					 u8 **msgpos, u8 *end)
247 {
248 	tls_key_exchange keyx;
249 	const struct tls_cipher_suite *suite;
250 	u8 *pos, *rhdr, *hs_start, *hs_length;
251 	size_t rlen;
252 	u8 *dh_ys;
253 	size_t dh_ys_len;
254 
255 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
256 	if (suite == NULL)
257 		keyx = TLS_KEY_X_NULL;
258 	else
259 		keyx = suite->key_exchange;
260 
261 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
262 		wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
263 		return 0;
264 	}
265 
266 	if (keyx != TLS_KEY_X_DH_anon) {
267 		/* TODO? */
268 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
269 			   "supported with key exchange type %d", keyx);
270 		return -1;
271 	}
272 
273 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
274 	    conn->cred->dh_g == NULL) {
275 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
276 			   "ServerKeyExhcange");
277 		return -1;
278 	}
279 
280 	os_free(conn->dh_secret);
281 	conn->dh_secret_len = conn->cred->dh_p_len;
282 	conn->dh_secret = os_malloc(conn->dh_secret_len);
283 	if (conn->dh_secret == NULL) {
284 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
285 			   "memory for secret (Diffie-Hellman)");
286 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
287 				   TLS_ALERT_INTERNAL_ERROR);
288 		return -1;
289 	}
290 	if (os_get_random(conn->dh_secret, conn->dh_secret_len)) {
291 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
292 			   "data for Diffie-Hellman");
293 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
294 				   TLS_ALERT_INTERNAL_ERROR);
295 		os_free(conn->dh_secret);
296 		conn->dh_secret = NULL;
297 		return -1;
298 	}
299 
300 	if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) >
301 	    0)
302 		conn->dh_secret[0] = 0; /* make sure secret < p */
303 
304 	pos = conn->dh_secret;
305 	while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
306 		pos++;
307 	if (pos != conn->dh_secret) {
308 		os_memmove(conn->dh_secret, pos,
309 			   conn->dh_secret_len - (pos - conn->dh_secret));
310 		conn->dh_secret_len -= pos - conn->dh_secret;
311 	}
312 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
313 			conn->dh_secret, conn->dh_secret_len);
314 
315 	/* Ys = g^secret mod p */
316 	dh_ys_len = conn->cred->dh_p_len;
317 	dh_ys = os_malloc(dh_ys_len);
318 	if (dh_ys == NULL) {
319 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
320 			   "Diffie-Hellman");
321 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
322 				   TLS_ALERT_INTERNAL_ERROR);
323 		return -1;
324 	}
325 	if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
326 			   conn->dh_secret, conn->dh_secret_len,
327 			   conn->cred->dh_p, conn->cred->dh_p_len,
328 			   dh_ys, &dh_ys_len)) {
329 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
330 				   TLS_ALERT_INTERNAL_ERROR);
331 		os_free(dh_ys);
332 		return -1;
333 	}
334 
335 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
336 		    dh_ys, dh_ys_len);
337 
338 	/*
339 	 * struct {
340 	 *    select (KeyExchangeAlgorithm) {
341 	 *       case diffie_hellman:
342 	 *          ServerDHParams params;
343 	 *          Signature signed_params;
344 	 *       case rsa:
345 	 *          ServerRSAParams params;
346 	 *          Signature signed_params;
347 	 *    };
348 	 * } ServerKeyExchange;
349 	 *
350 	 * struct {
351 	 *    opaque dh_p<1..2^16-1>;
352 	 *    opaque dh_g<1..2^16-1>;
353 	 *    opaque dh_Ys<1..2^16-1>;
354 	 * } ServerDHParams;
355 	 */
356 
357 	pos = *msgpos;
358 
359 	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange");
360 	rhdr = pos;
361 	pos += TLS_RECORD_HEADER_LEN;
362 
363 	/* opaque fragment[TLSPlaintext.length] */
364 
365 	/* Handshake */
366 	hs_start = pos;
367 	/* HandshakeType msg_type */
368 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
369 	/* uint24 length (to be filled) */
370 	hs_length = pos;
371 	pos += 3;
372 
373 	/* body - ServerDHParams */
374 	/* dh_p */
375 	if (pos + 2 + conn->cred->dh_p_len > end) {
376 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
377 			   "dh_p");
378 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
379 				   TLS_ALERT_INTERNAL_ERROR);
380 		os_free(dh_ys);
381 		return -1;
382 	}
383 	WPA_PUT_BE16(pos, conn->cred->dh_p_len);
384 	pos += 2;
385 	os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len);
386 	pos += conn->cred->dh_p_len;
387 
388 	/* dh_g */
389 	if (pos + 2 + conn->cred->dh_g_len > end) {
390 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
391 			   "dh_g");
392 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
393 				   TLS_ALERT_INTERNAL_ERROR);
394 		os_free(dh_ys);
395 		return -1;
396 	}
397 	WPA_PUT_BE16(pos, conn->cred->dh_g_len);
398 	pos += 2;
399 	os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
400 	pos += conn->cred->dh_g_len;
401 
402 	/* dh_Ys */
403 	if (pos + 2 + dh_ys_len > end) {
404 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
405 			   "dh_Ys");
406 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
407 				   TLS_ALERT_INTERNAL_ERROR);
408 		os_free(dh_ys);
409 		return -1;
410 	}
411 	WPA_PUT_BE16(pos, dh_ys_len);
412 	pos += 2;
413 	os_memcpy(pos, dh_ys, dh_ys_len);
414 	pos += dh_ys_len;
415 	os_free(dh_ys);
416 
417 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
418 
419 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
420 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
421 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
422 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
423 				   TLS_ALERT_INTERNAL_ERROR);
424 		return -1;
425 	}
426 	pos = rhdr + rlen;
427 
428 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
429 
430 	*msgpos = pos;
431 
432 	return 0;
433 }
434 
435 
436 static int tls_write_server_certificate_request(struct tlsv1_server *conn,
437 						u8 **msgpos, u8 *end)
438 {
439 	u8 *pos, *rhdr, *hs_start, *hs_length;
440 	size_t rlen;
441 
442 	if (!conn->verify_peer) {
443 		wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
444 		return 0;
445 	}
446 
447 	pos = *msgpos;
448 
449 	wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest");
450 	rhdr = pos;
451 	pos += TLS_RECORD_HEADER_LEN;
452 
453 	/* opaque fragment[TLSPlaintext.length] */
454 
455 	/* Handshake */
456 	hs_start = pos;
457 	/* HandshakeType msg_type */
458 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
459 	/* uint24 length (to be filled) */
460 	hs_length = pos;
461 	pos += 3;
462 	/* body - CertificateRequest */
463 
464 	/*
465 	 * enum {
466 	 *   rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
467 	 *   (255)
468 	 * } ClientCertificateType;
469 	 * ClientCertificateType certificate_types<1..2^8-1>
470 	 */
471 	*pos++ = 1;
472 	*pos++ = 1; /* rsa_sign */
473 
474 	/*
475 	 * opaque DistinguishedName<1..2^16-1>
476 	 * DistinguishedName certificate_authorities<3..2^16-1>
477 	 */
478 	/* TODO: add support for listing DNs for trusted CAs */
479 	WPA_PUT_BE16(pos, 0);
480 	pos += 2;
481 
482 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
483 
484 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
485 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
486 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
487 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
488 				   TLS_ALERT_INTERNAL_ERROR);
489 		return -1;
490 	}
491 	pos = rhdr + rlen;
492 
493 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
494 
495 	*msgpos = pos;
496 
497 	return 0;
498 }
499 
500 
501 static int tls_write_server_hello_done(struct tlsv1_server *conn,
502 				       u8 **msgpos, u8 *end)
503 {
504 	u8 *pos, *rhdr, *hs_start, *hs_length;
505 	size_t rlen;
506 
507 	pos = *msgpos;
508 
509 	wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone");
510 	rhdr = pos;
511 	pos += TLS_RECORD_HEADER_LEN;
512 
513 	/* opaque fragment[TLSPlaintext.length] */
514 
515 	/* Handshake */
516 	hs_start = pos;
517 	/* HandshakeType msg_type */
518 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
519 	/* uint24 length (to be filled) */
520 	hs_length = pos;
521 	pos += 3;
522 	/* body - ServerHelloDone (empty) */
523 
524 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
525 
526 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
527 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
528 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
529 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
530 				   TLS_ALERT_INTERNAL_ERROR);
531 		return -1;
532 	}
533 	pos = rhdr + rlen;
534 
535 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
536 
537 	*msgpos = pos;
538 
539 	return 0;
540 }
541 
542 
543 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
544 					       u8 **msgpos, u8 *end)
545 {
546 	u8 *pos, *rhdr;
547 	size_t rlen;
548 
549 	pos = *msgpos;
550 
551 	wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
552 	rhdr = pos;
553 	pos += TLS_RECORD_HEADER_LEN;
554 	*pos = TLS_CHANGE_CIPHER_SPEC;
555 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
556 			      rhdr, end - rhdr, 1, &rlen) < 0) {
557 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
558 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559 				   TLS_ALERT_INTERNAL_ERROR);
560 		return -1;
561 	}
562 
563 	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
564 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
565 			   "record layer");
566 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
567 				   TLS_ALERT_INTERNAL_ERROR);
568 		return -1;
569 	}
570 
571 	*msgpos = rhdr + rlen;
572 
573 	return 0;
574 }
575 
576 
577 static int tls_write_server_finished(struct tlsv1_server *conn,
578 				     u8 **msgpos, u8 *end)
579 {
580 	u8 *pos, *rhdr, *hs_start, *hs_length;
581 	size_t rlen, hlen;
582 	u8 verify_data[TLS_VERIFY_DATA_LEN];
583 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
584 
585 	pos = *msgpos;
586 
587 	wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
588 
589 	/* Encrypted Handshake Message: Finished */
590 
591 	hlen = MD5_MAC_LEN;
592 	if (conn->verify.md5_server == NULL ||
593 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
594 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
595 				   TLS_ALERT_INTERNAL_ERROR);
596 		conn->verify.md5_server = NULL;
597 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
598 		conn->verify.sha1_server = NULL;
599 		return -1;
600 	}
601 	conn->verify.md5_server = NULL;
602 	hlen = SHA1_MAC_LEN;
603 	if (conn->verify.sha1_server == NULL ||
604 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
605 			       &hlen) < 0) {
606 		conn->verify.sha1_server = NULL;
607 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
608 				   TLS_ALERT_INTERNAL_ERROR);
609 		return -1;
610 	}
611 	conn->verify.sha1_server = NULL;
612 
613 	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
614 		    "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
615 		    verify_data, TLS_VERIFY_DATA_LEN)) {
616 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
617 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
618 				   TLS_ALERT_INTERNAL_ERROR);
619 		return -1;
620 	}
621 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
622 			verify_data, TLS_VERIFY_DATA_LEN);
623 
624 	rhdr = pos;
625 	pos += TLS_RECORD_HEADER_LEN;
626 	/* Handshake */
627 	hs_start = pos;
628 	/* HandshakeType msg_type */
629 	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
630 	/* uint24 length (to be filled) */
631 	hs_length = pos;
632 	pos += 3;
633 	os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN);
634 	pos += TLS_VERIFY_DATA_LEN;
635 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
636 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
637 
638 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
639 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
640 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
641 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
642 				   TLS_ALERT_INTERNAL_ERROR);
643 		return -1;
644 	}
645 
646 	pos = rhdr + rlen;
647 
648 	*msgpos = pos;
649 
650 	return 0;
651 }
652 
653 
654 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
655 {
656 	u8 *msg, *end, *pos;
657 	size_t msglen;
658 
659 	*out_len = 0;
660 
661 	msglen = 1000 + tls_server_cert_chain_der_len(conn);
662 
663 	msg = os_malloc(msglen);
664 	if (msg == NULL)
665 		return NULL;
666 
667 	pos = msg;
668 	end = msg + msglen;
669 
670 	if (tls_write_server_hello(conn, &pos, end) < 0) {
671 		os_free(msg);
672 		return NULL;
673 	}
674 
675 	if (conn->use_session_ticket) {
676 		/* Abbreviated handshake using session ticket; RFC 4507 */
677 		if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
678 		    tls_write_server_finished(conn, &pos, end) < 0) {
679 			os_free(msg);
680 			return NULL;
681 		}
682 
683 		*out_len = pos - msg;
684 
685 		conn->state = CHANGE_CIPHER_SPEC;
686 
687 		return msg;
688 	}
689 
690 	/* Full handshake */
691 	if (tls_write_server_certificate(conn, &pos, end) < 0 ||
692 	    tls_write_server_key_exchange(conn, &pos, end) < 0 ||
693 	    tls_write_server_certificate_request(conn, &pos, end) < 0 ||
694 	    tls_write_server_hello_done(conn, &pos, end) < 0) {
695 		os_free(msg);
696 		return NULL;
697 	}
698 
699 	*out_len = pos - msg;
700 
701 	conn->state = CLIENT_CERTIFICATE;
702 
703 	return msg;
704 }
705 
706 
707 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
708 					size_t *out_len)
709 {
710 	u8 *msg, *end, *pos;
711 
712 	*out_len = 0;
713 
714 	msg = os_malloc(1000);
715 	if (msg == NULL)
716 		return NULL;
717 
718 	pos = msg;
719 	end = msg + 1000;
720 
721 	if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
722 	    tls_write_server_finished(conn, &pos, end) < 0) {
723 		os_free(msg);
724 		return NULL;
725 	}
726 
727 	*out_len = pos - msg;
728 
729 	wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully");
730 	conn->state = ESTABLISHED;
731 
732 	return msg;
733 }
734 
735 
736 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
737 {
738 	switch (conn->state) {
739 	case SERVER_HELLO:
740 		return tls_send_server_hello(conn, out_len);
741 	case SERVER_CHANGE_CIPHER_SPEC:
742 		return tls_send_change_cipher_spec(conn, out_len);
743 	default:
744 		if (conn->state == ESTABLISHED && conn->use_session_ticket) {
745 			/* Abbreviated handshake was already completed. */
746 			return NULL;
747 		}
748 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
749 			   "generating reply", conn->state);
750 		return NULL;
751 	}
752 }
753 
754 
755 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
756 			     u8 description, size_t *out_len)
757 {
758 	u8 *alert, *pos, *length;
759 
760 	wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
761 	*out_len = 0;
762 
763 	alert = os_malloc(10);
764 	if (alert == NULL)
765 		return NULL;
766 
767 	pos = alert;
768 
769 	/* TLSPlaintext */
770 	/* ContentType type */
771 	*pos++ = TLS_CONTENT_TYPE_ALERT;
772 	/* ProtocolVersion version */
773 	WPA_PUT_BE16(pos, TLS_VERSION);
774 	pos += 2;
775 	/* uint16 length (to be filled) */
776 	length = pos;
777 	pos += 2;
778 	/* opaque fragment[TLSPlaintext.length] */
779 
780 	/* Alert */
781 	/* AlertLevel level */
782 	*pos++ = level;
783 	/* AlertDescription description */
784 	*pos++ = description;
785 
786 	WPA_PUT_BE16(length, pos - length - 2);
787 	*out_len = pos - alert;
788 
789 	return alert;
790 }
791