xref: /freebsd/contrib/wpa/src/tls/tlsv1_server_write.c (revision a0ee8cc636cd5c2374ec44ca71226564ea0bca95)
1 /*
2  * TLSv1 server - write handshake message
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "crypto/random.h"
17 #include "x509v3.h"
18 #include "tlsv1_common.h"
19 #include "tlsv1_record.h"
20 #include "tlsv1_server.h"
21 #include "tlsv1_server_i.h"
22 
23 
24 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
25 {
26 	size_t len = 0;
27 	struct x509_certificate *cert;
28 
29 	cert = conn->cred->cert;
30 	while (cert) {
31 		len += 3 + cert->cert_len;
32 		if (x509_certificate_self_signed(cert))
33 			break;
34 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
35 						    &cert->issuer);
36 	}
37 
38 	return len;
39 }
40 
41 
42 static int tls_write_server_hello(struct tlsv1_server *conn,
43 				  u8 **msgpos, u8 *end)
44 {
45 	u8 *pos, *rhdr, *hs_start, *hs_length;
46 	struct os_time now;
47 	size_t rlen;
48 
49 	pos = *msgpos;
50 
51 	tlsv1_server_log(conn, "Send ServerHello");
52 	rhdr = pos;
53 	pos += TLS_RECORD_HEADER_LEN;
54 
55 	os_get_time(&now);
56 	WPA_PUT_BE32(conn->server_random, now.sec);
57 	if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
58 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
59 			   "server_random");
60 		return -1;
61 	}
62 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
63 		    conn->server_random, TLS_RANDOM_LEN);
64 
65 	conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
66 	if (random_get_bytes(conn->session_id, conn->session_id_len)) {
67 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
68 			   "session_id");
69 		return -1;
70 	}
71 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
72 		    conn->session_id, conn->session_id_len);
73 
74 	/* opaque fragment[TLSPlaintext.length] */
75 
76 	/* Handshake */
77 	hs_start = pos;
78 	/* HandshakeType msg_type */
79 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
80 	/* uint24 length (to be filled) */
81 	hs_length = pos;
82 	pos += 3;
83 	/* body - ServerHello */
84 	/* ProtocolVersion server_version */
85 	WPA_PUT_BE16(pos, conn->rl.tls_version);
86 	pos += 2;
87 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
88 	os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
89 	pos += TLS_RANDOM_LEN;
90 	/* SessionID session_id */
91 	*pos++ = conn->session_id_len;
92 	os_memcpy(pos, conn->session_id, conn->session_id_len);
93 	pos += conn->session_id_len;
94 	/* CipherSuite cipher_suite */
95 	WPA_PUT_BE16(pos, conn->cipher_suite);
96 	pos += 2;
97 	/* CompressionMethod compression_method */
98 	*pos++ = TLS_COMPRESSION_NULL;
99 
100 	if (conn->session_ticket && conn->session_ticket_cb) {
101 		int res = conn->session_ticket_cb(
102 			conn->session_ticket_cb_ctx,
103 			conn->session_ticket, conn->session_ticket_len,
104 			conn->client_random, conn->server_random,
105 			conn->master_secret);
106 		if (res < 0) {
107 			tlsv1_server_log(conn, "SessionTicket callback indicated failure");
108 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
109 					   TLS_ALERT_HANDSHAKE_FAILURE);
110 			return -1;
111 		}
112 		conn->use_session_ticket = res;
113 
114 		if (conn->use_session_ticket) {
115 			if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
116 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
117 					   "derive keys");
118 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
119 						   TLS_ALERT_INTERNAL_ERROR);
120 				return -1;
121 			}
122 		}
123 
124 		/*
125 		 * RFC 4507 specifies that server would include an empty
126 		 * SessionTicket extension in ServerHello and a
127 		 * NewSessionTicket message after the ServerHello. However,
128 		 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
129 		 * extension at the moment, does not use such extensions.
130 		 *
131 		 * TODO: Add support for configuring RFC 4507 behavior and make
132 		 * EAP-FAST disable it.
133 		 */
134 	}
135 
136 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
137 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
138 
139 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
140 			      rhdr, end - rhdr, hs_start, pos - hs_start,
141 			      &rlen) < 0) {
142 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
143 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
144 				   TLS_ALERT_INTERNAL_ERROR);
145 		return -1;
146 	}
147 	pos = rhdr + rlen;
148 
149 	*msgpos = pos;
150 
151 	return 0;
152 }
153 
154 
155 static int tls_write_server_certificate(struct tlsv1_server *conn,
156 					u8 **msgpos, u8 *end)
157 {
158 	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
159 	size_t rlen;
160 	struct x509_certificate *cert;
161 	const struct tls_cipher_suite *suite;
162 
163 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
164 	if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
165 		wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
166 			   "using anonymous DH");
167 		return 0;
168 	}
169 
170 	pos = *msgpos;
171 
172 	tlsv1_server_log(conn, "Send Certificate");
173 	rhdr = pos;
174 	pos += TLS_RECORD_HEADER_LEN;
175 
176 	/* opaque fragment[TLSPlaintext.length] */
177 
178 	/* Handshake */
179 	hs_start = pos;
180 	/* HandshakeType msg_type */
181 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
182 	/* uint24 length (to be filled) */
183 	hs_length = pos;
184 	pos += 3;
185 	/* body - Certificate */
186 	/* uint24 length (to be filled) */
187 	cert_start = pos;
188 	pos += 3;
189 	cert = conn->cred->cert;
190 	while (cert) {
191 		if (pos + 3 + cert->cert_len > end) {
192 			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
193 				   "for Certificate (cert_len=%lu left=%lu)",
194 				   (unsigned long) cert->cert_len,
195 				   (unsigned long) (end - pos));
196 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
197 					   TLS_ALERT_INTERNAL_ERROR);
198 			return -1;
199 		}
200 		WPA_PUT_BE24(pos, cert->cert_len);
201 		pos += 3;
202 		os_memcpy(pos, cert->cert_start, cert->cert_len);
203 		pos += cert->cert_len;
204 
205 		if (x509_certificate_self_signed(cert))
206 			break;
207 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
208 						    &cert->issuer);
209 	}
210 	if (cert == conn->cred->cert || cert == NULL) {
211 		/*
212 		 * Server was not configured with all the needed certificates
213 		 * to form a full certificate chain. The client may fail to
214 		 * validate the chain unless it is configured with all the
215 		 * missing CA certificates.
216 		 */
217 		wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
218 			   "not configured - validation may fail");
219 	}
220 	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
221 
222 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
223 
224 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
225 			      rhdr, end - rhdr, hs_start, pos - hs_start,
226 			      &rlen) < 0) {
227 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
228 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
229 				   TLS_ALERT_INTERNAL_ERROR);
230 		return -1;
231 	}
232 	pos = rhdr + rlen;
233 
234 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
235 
236 	*msgpos = pos;
237 
238 	return 0;
239 }
240 
241 
242 static int tls_write_server_key_exchange(struct tlsv1_server *conn,
243 					 u8 **msgpos, u8 *end)
244 {
245 	tls_key_exchange keyx;
246 	const struct tls_cipher_suite *suite;
247 	u8 *pos, *rhdr, *hs_start, *hs_length, *server_params;
248 	size_t rlen;
249 	u8 *dh_ys;
250 	size_t dh_ys_len;
251 	const u8 *dh_p;
252 	size_t dh_p_len;
253 
254 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
255 	if (suite == NULL)
256 		keyx = TLS_KEY_X_NULL;
257 	else
258 		keyx = suite->key_exchange;
259 
260 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
261 		wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
262 		return 0;
263 	}
264 
265 	if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA) {
266 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
267 			   "supported with key exchange type %d", keyx);
268 		return -1;
269 	}
270 
271 	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
272 	    conn->cred->dh_g == NULL) {
273 		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
274 			   "ServerKeyExhcange");
275 		return -1;
276 	}
277 
278 	tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
279 
280 	os_free(conn->dh_secret);
281 	conn->dh_secret_len = dh_p_len;
282 	conn->dh_secret = os_malloc(conn->dh_secret_len);
283 	if (conn->dh_secret == NULL) {
284 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
285 			   "memory for secret (Diffie-Hellman)");
286 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
287 				   TLS_ALERT_INTERNAL_ERROR);
288 		return -1;
289 	}
290 	if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
291 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
292 			   "data for Diffie-Hellman");
293 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
294 				   TLS_ALERT_INTERNAL_ERROR);
295 		os_free(conn->dh_secret);
296 		conn->dh_secret = NULL;
297 		return -1;
298 	}
299 
300 	if (os_memcmp(conn->dh_secret, dh_p, conn->dh_secret_len) > 0)
301 		conn->dh_secret[0] = 0; /* make sure secret < p */
302 
303 	pos = conn->dh_secret;
304 	while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
305 		pos++;
306 	if (pos != conn->dh_secret) {
307 		os_memmove(conn->dh_secret, pos,
308 			   conn->dh_secret_len - (pos - conn->dh_secret));
309 		conn->dh_secret_len -= pos - conn->dh_secret;
310 	}
311 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
312 			conn->dh_secret, conn->dh_secret_len);
313 
314 	/* Ys = g^secret mod p */
315 	dh_ys_len = dh_p_len;
316 	dh_ys = os_malloc(dh_ys_len);
317 	if (dh_ys == NULL) {
318 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
319 			   "Diffie-Hellman");
320 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
321 				   TLS_ALERT_INTERNAL_ERROR);
322 		return -1;
323 	}
324 	if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
325 			   conn->dh_secret, conn->dh_secret_len,
326 			   dh_p, dh_p_len, dh_ys, &dh_ys_len)) {
327 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
328 				   TLS_ALERT_INTERNAL_ERROR);
329 		os_free(dh_ys);
330 		return -1;
331 	}
332 
333 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
334 		    dh_ys, dh_ys_len);
335 
336 	/*
337 	 * struct {
338 	 *    select (KeyExchangeAlgorithm) {
339 	 *       case diffie_hellman:
340 	 *          ServerDHParams params;
341 	 *          Signature signed_params;
342 	 *       case rsa:
343 	 *          ServerRSAParams params;
344 	 *          Signature signed_params;
345 	 *    };
346 	 * } ServerKeyExchange;
347 	 *
348 	 * struct {
349 	 *    opaque dh_p<1..2^16-1>;
350 	 *    opaque dh_g<1..2^16-1>;
351 	 *    opaque dh_Ys<1..2^16-1>;
352 	 * } ServerDHParams;
353 	 */
354 
355 	pos = *msgpos;
356 
357 	tlsv1_server_log(conn, "Send ServerKeyExchange");
358 	rhdr = pos;
359 	pos += TLS_RECORD_HEADER_LEN;
360 
361 	/* opaque fragment[TLSPlaintext.length] */
362 
363 	/* Handshake */
364 	hs_start = pos;
365 	/* HandshakeType msg_type */
366 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
367 	/* uint24 length (to be filled) */
368 	hs_length = pos;
369 	pos += 3;
370 
371 	/* body - ServerDHParams */
372 	server_params = pos;
373 	/* dh_p */
374 	if (pos + 2 + dh_p_len > end) {
375 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
376 			   "dh_p");
377 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
378 				   TLS_ALERT_INTERNAL_ERROR);
379 		os_free(dh_ys);
380 		return -1;
381 	}
382 	WPA_PUT_BE16(pos, dh_p_len);
383 	pos += 2;
384 	os_memcpy(pos, dh_p, dh_p_len);
385 	pos += dh_p_len;
386 
387 	/* dh_g */
388 	if (pos + 2 + conn->cred->dh_g_len > end) {
389 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
390 			   "dh_g");
391 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
392 				   TLS_ALERT_INTERNAL_ERROR);
393 		os_free(dh_ys);
394 		return -1;
395 	}
396 	WPA_PUT_BE16(pos, conn->cred->dh_g_len);
397 	pos += 2;
398 	os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
399 	pos += conn->cred->dh_g_len;
400 
401 	/* dh_Ys */
402 	if (pos + 2 + dh_ys_len > end) {
403 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
404 			   "dh_Ys");
405 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
406 				   TLS_ALERT_INTERNAL_ERROR);
407 		os_free(dh_ys);
408 		return -1;
409 	}
410 	WPA_PUT_BE16(pos, dh_ys_len);
411 	pos += 2;
412 	os_memcpy(pos, dh_ys, dh_ys_len);
413 	pos += dh_ys_len;
414 	os_free(dh_ys);
415 
416 	/*
417 	 * select (SignatureAlgorithm)
418 	 * {   case anonymous: struct { };
419 	 *     case rsa:
420 	 *         digitally-signed struct {
421 	 *             opaque md5_hash[16];
422 	 *             opaque sha_hash[20];
423 	 *         };
424 	 *     case dsa:
425 	 *         digitally-signed struct {
426 	 *             opaque sha_hash[20];
427 	 *         };
428 	 * } Signature;
429 	 *
430 	 * md5_hash
431 	 *     MD5(ClientHello.random + ServerHello.random + ServerParams);
432 	 *
433 	 * sha_hash
434 	 *     SHA(ClientHello.random + ServerHello.random + ServerParams);
435 	 */
436 
437 	if (keyx == TLS_KEY_X_DHE_RSA) {
438 		u8 hash[100];
439 		u8 *signed_start;
440 		size_t clen;
441 		int hlen;
442 
443 		if (conn->rl.tls_version >= TLS_VERSION_1_2) {
444 #ifdef CONFIG_TLSV12
445 			hlen = tlsv12_key_x_server_params_hash(
446 				conn->rl.tls_version, conn->client_random,
447 				conn->server_random, server_params,
448 				pos - server_params, hash + 19);
449 
450 			/*
451 			 * RFC 5246, 4.7:
452 			 * TLS v1.2 adds explicit indication of the used
453 			 * signature and hash algorithms.
454 			 *
455 			 * struct {
456 			 *   HashAlgorithm hash;
457 			 *   SignatureAlgorithm signature;
458 			 * } SignatureAndHashAlgorithm;
459 			 */
460 			if (hlen < 0 || pos + 2 > end) {
461 				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
462 						   TLS_ALERT_INTERNAL_ERROR);
463 				return -1;
464 			}
465 			*pos++ = TLS_HASH_ALG_SHA256;
466 			*pos++ = TLS_SIGN_ALG_RSA;
467 
468 			/*
469 			 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
470 			 *
471 			 * DigestInfo ::= SEQUENCE {
472 			 *   digestAlgorithm DigestAlgorithm,
473 			 *   digest OCTET STRING
474 			 * }
475 			 *
476 			 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
477 			 *
478 			 * DER encoded DigestInfo for SHA256 per RFC 3447:
479 			 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00
480 			 * 04 20 || H
481 			 */
482 			hlen += 19;
483 			os_memcpy(hash,
484 				  "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
485 				  "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
486 
487 #else /* CONFIG_TLSV12 */
488 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
489 					   TLS_ALERT_INTERNAL_ERROR);
490 			return -1;
491 #endif /* CONFIG_TLSV12 */
492 		} else {
493 			hlen = tls_key_x_server_params_hash(
494 				conn->rl.tls_version, conn->client_random,
495 				conn->server_random, server_params,
496 				pos - server_params, hash);
497 		}
498 
499 		if (hlen < 0) {
500 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
501 					   TLS_ALERT_INTERNAL_ERROR);
502 			return -1;
503 		}
504 
505 		wpa_hexdump(MSG_MSGDUMP, "TLS: ServerKeyExchange signed_params hash",
506 			    hash, hlen);
507 #ifdef CONFIG_TESTING_OPTIONS
508 		if (conn->test_flags & TLS_BREAK_SRV_KEY_X_HASH) {
509 			tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params hash");
510 			hash[hlen - 1] ^= 0x80;
511 		}
512 #endif /* CONFIG_TESTING_OPTIONS */
513 
514 		/*
515 		 * RFC 2246, 4.7:
516 		 * In digital signing, one-way hash functions are used as input
517 		 * for a signing algorithm. A digitally-signed element is
518 		 * encoded as an opaque vector <0..2^16-1>, where the length is
519 		 * specified by the signing algorithm and key.
520 		 *
521 		 * In RSA signing, a 36-byte structure of two hashes (one SHA
522 		 * and one MD5) is signed (encrypted with the private key). It
523 		 * is encoded with PKCS #1 block type 0 or type 1 as described
524 		 * in [PKCS1].
525 		 */
526 		signed_start = pos; /* length to be filled */
527 		pos += 2;
528 		clen = end - pos;
529 		if (conn->cred == NULL ||
530 		    crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
531 						  pos, &clen) < 0) {
532 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
533 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
534 					   TLS_ALERT_INTERNAL_ERROR);
535 			return -1;
536 		}
537 		WPA_PUT_BE16(signed_start, clen);
538 #ifdef CONFIG_TESTING_OPTIONS
539 		if (conn->test_flags & TLS_BREAK_SRV_KEY_X_SIGNATURE) {
540 			tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params signature");
541 			pos[clen - 1] ^= 0x80;
542 		}
543 #endif /* CONFIG_TESTING_OPTIONS */
544 
545 		pos += clen;
546 	}
547 
548 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
549 
550 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
551 			      rhdr, end - rhdr, hs_start, pos - hs_start,
552 			      &rlen) < 0) {
553 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
554 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
555 				   TLS_ALERT_INTERNAL_ERROR);
556 		return -1;
557 	}
558 	pos = rhdr + rlen;
559 
560 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
561 
562 	*msgpos = pos;
563 
564 	return 0;
565 }
566 
567 
568 static int tls_write_server_certificate_request(struct tlsv1_server *conn,
569 						u8 **msgpos, u8 *end)
570 {
571 	u8 *pos, *rhdr, *hs_start, *hs_length;
572 	size_t rlen;
573 
574 	if (!conn->verify_peer) {
575 		wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
576 		return 0;
577 	}
578 
579 	pos = *msgpos;
580 
581 	tlsv1_server_log(conn, "Send CertificateRequest");
582 	rhdr = pos;
583 	pos += TLS_RECORD_HEADER_LEN;
584 
585 	/* opaque fragment[TLSPlaintext.length] */
586 
587 	/* Handshake */
588 	hs_start = pos;
589 	/* HandshakeType msg_type */
590 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
591 	/* uint24 length (to be filled) */
592 	hs_length = pos;
593 	pos += 3;
594 	/* body - CertificateRequest */
595 
596 	/*
597 	 * enum {
598 	 *   rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
599 	 *   (255)
600 	 * } ClientCertificateType;
601 	 * ClientCertificateType certificate_types<1..2^8-1>
602 	 */
603 	*pos++ = 1;
604 	*pos++ = 1; /* rsa_sign */
605 
606 	/*
607 	 * opaque DistinguishedName<1..2^16-1>
608 	 * DistinguishedName certificate_authorities<3..2^16-1>
609 	 */
610 	/* TODO: add support for listing DNs for trusted CAs */
611 	WPA_PUT_BE16(pos, 0);
612 	pos += 2;
613 
614 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
615 
616 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
617 			      rhdr, end - rhdr, hs_start, pos - hs_start,
618 			      &rlen) < 0) {
619 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
620 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
621 				   TLS_ALERT_INTERNAL_ERROR);
622 		return -1;
623 	}
624 	pos = rhdr + rlen;
625 
626 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
627 
628 	*msgpos = pos;
629 
630 	return 0;
631 }
632 
633 
634 static int tls_write_server_hello_done(struct tlsv1_server *conn,
635 				       u8 **msgpos, u8 *end)
636 {
637 	u8 *pos;
638 	size_t rlen;
639 	u8 payload[4];
640 
641 	tlsv1_server_log(conn, "Send ServerHelloDone");
642 
643 	/* opaque fragment[TLSPlaintext.length] */
644 
645 	/* Handshake */
646 	pos = payload;
647 	/* HandshakeType msg_type */
648 	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
649 	/* uint24 length */
650 	WPA_PUT_BE24(pos, 0);
651 	pos += 3;
652 	/* body - ServerHelloDone (empty) */
653 
654 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
655 			      *msgpos, end - *msgpos, payload, pos - payload,
656 			      &rlen) < 0) {
657 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
658 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
659 				   TLS_ALERT_INTERNAL_ERROR);
660 		return -1;
661 	}
662 
663 	tls_verify_hash_add(&conn->verify, payload, pos - payload);
664 
665 	*msgpos += rlen;
666 
667 	return 0;
668 }
669 
670 
671 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
672 					       u8 **msgpos, u8 *end)
673 {
674 	size_t rlen;
675 	u8 payload[1];
676 
677 	tlsv1_server_log(conn, "Send ChangeCipherSpec");
678 
679 	payload[0] = TLS_CHANGE_CIPHER_SPEC;
680 
681 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
682 			      *msgpos, end - *msgpos, payload, sizeof(payload),
683 			      &rlen) < 0) {
684 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
685 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
686 				   TLS_ALERT_INTERNAL_ERROR);
687 		return -1;
688 	}
689 
690 	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
691 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
692 			   "record layer");
693 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
694 				   TLS_ALERT_INTERNAL_ERROR);
695 		return -1;
696 	}
697 
698 	*msgpos += rlen;
699 
700 	return 0;
701 }
702 
703 
704 static int tls_write_server_finished(struct tlsv1_server *conn,
705 				     u8 **msgpos, u8 *end)
706 {
707 	u8 *pos, *hs_start;
708 	size_t rlen, hlen;
709 	u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
710 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
711 
712 	pos = *msgpos;
713 
714 	tlsv1_server_log(conn, "Send Finished");
715 
716 	/* Encrypted Handshake Message: Finished */
717 
718 #ifdef CONFIG_TLSV12
719 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
720 		hlen = SHA256_MAC_LEN;
721 		if (conn->verify.sha256_server == NULL ||
722 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
723 		    < 0) {
724 			conn->verify.sha256_server = NULL;
725 			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
726 					   TLS_ALERT_INTERNAL_ERROR);
727 			return -1;
728 		}
729 		conn->verify.sha256_server = NULL;
730 	} else {
731 #endif /* CONFIG_TLSV12 */
732 
733 	hlen = MD5_MAC_LEN;
734 	if (conn->verify.md5_server == NULL ||
735 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
736 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
737 				   TLS_ALERT_INTERNAL_ERROR);
738 		conn->verify.md5_server = NULL;
739 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
740 		conn->verify.sha1_server = NULL;
741 		return -1;
742 	}
743 	conn->verify.md5_server = NULL;
744 	hlen = SHA1_MAC_LEN;
745 	if (conn->verify.sha1_server == NULL ||
746 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
747 			       &hlen) < 0) {
748 		conn->verify.sha1_server = NULL;
749 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
750 				   TLS_ALERT_INTERNAL_ERROR);
751 		return -1;
752 	}
753 	conn->verify.sha1_server = NULL;
754 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
755 
756 #ifdef CONFIG_TLSV12
757 	}
758 #endif /* CONFIG_TLSV12 */
759 
760 	if (tls_prf(conn->rl.tls_version,
761 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
762 		    "server finished", hash, hlen,
763 		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
764 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
765 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
766 				   TLS_ALERT_INTERNAL_ERROR);
767 		return -1;
768 	}
769 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
770 			verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
771 #ifdef CONFIG_TESTING_OPTIONS
772 	if (conn->test_flags & TLS_BREAK_VERIFY_DATA) {
773 		tlsv1_server_log(conn, "TESTING: Break verify_data (server)");
774 		verify_data[1 + 3 + 1] ^= 0x80;
775 	}
776 #endif /* CONFIG_TESTING_OPTIONS */
777 
778 	/* Handshake */
779 	pos = hs_start = verify_data;
780 	/* HandshakeType msg_type */
781 	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
782 	/* uint24 length */
783 	WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
784 	pos += 3;
785 	pos += TLS_VERIFY_DATA_LEN;
786 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
787 
788 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
789 			      *msgpos, end - *msgpos, hs_start, pos - hs_start,
790 			      &rlen) < 0) {
791 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
792 		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
793 				   TLS_ALERT_INTERNAL_ERROR);
794 		return -1;
795 	}
796 
797 	*msgpos += rlen;
798 
799 	return 0;
800 }
801 
802 
803 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
804 {
805 	u8 *msg, *end, *pos;
806 	size_t msglen;
807 
808 	*out_len = 0;
809 
810 	msglen = 1000 + tls_server_cert_chain_der_len(conn);
811 
812 	msg = os_malloc(msglen);
813 	if (msg == NULL)
814 		return NULL;
815 
816 	pos = msg;
817 	end = msg + msglen;
818 
819 	if (tls_write_server_hello(conn, &pos, end) < 0) {
820 		os_free(msg);
821 		return NULL;
822 	}
823 
824 	if (conn->use_session_ticket) {
825 		/* Abbreviated handshake using session ticket; RFC 4507 */
826 		if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
827 		    tls_write_server_finished(conn, &pos, end) < 0) {
828 			os_free(msg);
829 			return NULL;
830 		}
831 
832 		*out_len = pos - msg;
833 
834 		conn->state = CHANGE_CIPHER_SPEC;
835 
836 		return msg;
837 	}
838 
839 	/* Full handshake */
840 	if (tls_write_server_certificate(conn, &pos, end) < 0 ||
841 	    tls_write_server_key_exchange(conn, &pos, end) < 0 ||
842 	    tls_write_server_certificate_request(conn, &pos, end) < 0 ||
843 	    tls_write_server_hello_done(conn, &pos, end) < 0) {
844 		os_free(msg);
845 		return NULL;
846 	}
847 
848 	*out_len = pos - msg;
849 
850 	conn->state = CLIENT_CERTIFICATE;
851 
852 	return msg;
853 }
854 
855 
856 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
857 					size_t *out_len)
858 {
859 	u8 *msg, *end, *pos;
860 
861 	*out_len = 0;
862 
863 	msg = os_malloc(1000);
864 	if (msg == NULL)
865 		return NULL;
866 
867 	pos = msg;
868 	end = msg + 1000;
869 
870 	if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
871 	    tls_write_server_finished(conn, &pos, end) < 0) {
872 		os_free(msg);
873 		return NULL;
874 	}
875 
876 	*out_len = pos - msg;
877 
878 	tlsv1_server_log(conn, "Handshake completed successfully");
879 	conn->state = ESTABLISHED;
880 
881 	return msg;
882 }
883 
884 
885 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
886 {
887 	switch (conn->state) {
888 	case SERVER_HELLO:
889 		return tls_send_server_hello(conn, out_len);
890 	case SERVER_CHANGE_CIPHER_SPEC:
891 		return tls_send_change_cipher_spec(conn, out_len);
892 	default:
893 		if (conn->state == ESTABLISHED && conn->use_session_ticket) {
894 			/* Abbreviated handshake was already completed. */
895 			return NULL;
896 		}
897 		tlsv1_server_log(conn, "Unexpected state %d while generating reply",
898 				 conn->state);
899 		return NULL;
900 	}
901 }
902 
903 
904 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
905 			     u8 description, size_t *out_len)
906 {
907 	u8 *alert, *pos, *length;
908 
909 	tlsv1_server_log(conn, "Send Alert(%d:%d)", level, description);
910 	*out_len = 0;
911 
912 	alert = os_malloc(10);
913 	if (alert == NULL)
914 		return NULL;
915 
916 	pos = alert;
917 
918 	/* TLSPlaintext */
919 	/* ContentType type */
920 	*pos++ = TLS_CONTENT_TYPE_ALERT;
921 	/* ProtocolVersion version */
922 	WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
923 		     TLS_VERSION);
924 	pos += 2;
925 	/* uint16 length (to be filled) */
926 	length = pos;
927 	pos += 2;
928 	/* opaque fragment[TLSPlaintext.length] */
929 
930 	/* Alert */
931 	/* AlertLevel level */
932 	*pos++ = level;
933 	/* AlertDescription description */
934 	*pos++ = description;
935 
936 	WPA_PUT_BE16(length, pos - length - 2);
937 	*out_len = pos - alert;
938 
939 	return alert;
940 }
941