1 /*
2 * TLSv1 server - write handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "crypto/random.h"
17 #include "x509v3.h"
18 #include "tlsv1_common.h"
19 #include "tlsv1_record.h"
20 #include "tlsv1_server.h"
21 #include "tlsv1_server_i.h"
22
23
tls_server_cert_chain_der_len(struct tlsv1_server * conn)24 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
25 {
26 size_t len = 0;
27 struct x509_certificate *cert;
28
29 cert = conn->cred ? conn->cred->cert : NULL;
30 while (cert) {
31 len += 3 + cert->cert_len;
32 if (x509_certificate_self_signed(cert))
33 break;
34 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
35 &cert->issuer);
36 }
37
38 return len;
39 }
40
41
tls_write_server_hello(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)42 static int tls_write_server_hello(struct tlsv1_server *conn,
43 u8 **msgpos, u8 *end)
44 {
45 u8 *pos, *rhdr, *hs_start, *hs_length, *ext_start;
46 struct os_time now;
47 size_t rlen;
48
49 pos = *msgpos;
50
51 tlsv1_server_log(conn, "Send ServerHello");
52 rhdr = pos;
53 pos += TLS_RECORD_HEADER_LEN;
54
55 os_get_time(&now);
56 #ifdef TEST_FUZZ
57 now.sec = 0xfffefdfc;
58 #endif /* TEST_FUZZ */
59 WPA_PUT_BE32(conn->server_random, now.sec);
60 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
61 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
62 "server_random");
63 return -1;
64 }
65 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
66 conn->server_random, TLS_RANDOM_LEN);
67
68 conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
69 if (random_get_bytes(conn->session_id, conn->session_id_len)) {
70 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
71 "session_id");
72 return -1;
73 }
74 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
75 conn->session_id, conn->session_id_len);
76
77 /* opaque fragment[TLSPlaintext.length] */
78
79 /* Handshake */
80 hs_start = pos;
81 /* HandshakeType msg_type */
82 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
83 /* uint24 length (to be filled) */
84 hs_length = pos;
85 pos += 3;
86 /* body - ServerHello */
87 /* ProtocolVersion server_version */
88 WPA_PUT_BE16(pos, conn->rl.tls_version);
89 pos += 2;
90 /* Random random: uint32 gmt_unix_time, opaque random_bytes */
91 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
92 pos += TLS_RANDOM_LEN;
93 /* SessionID session_id */
94 *pos++ = conn->session_id_len;
95 os_memcpy(pos, conn->session_id, conn->session_id_len);
96 pos += conn->session_id_len;
97 /* CipherSuite cipher_suite */
98 WPA_PUT_BE16(pos, conn->cipher_suite);
99 pos += 2;
100 /* CompressionMethod compression_method */
101 *pos++ = TLS_COMPRESSION_NULL;
102
103 /* Extension */
104 ext_start = pos;
105 pos += 2;
106
107 if (conn->status_request) {
108 /* Add a status_request extension with empty extension_data */
109 /* ExtensionsType extension_type = status_request(5) */
110 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
111 pos += 2;
112 /* opaque extension_data<0..2^16-1> length */
113 WPA_PUT_BE16(pos, 0);
114 pos += 2;
115 }
116
117 if (conn->status_request_v2) {
118 /*
119 Add a status_request_v2 extension with empty extension_data
120 */
121 /* ExtensionsType extension_type = status_request_v2(17) */
122 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
123 pos += 2;
124 /* opaque extension_data<0..2^16-1> length */
125 WPA_PUT_BE16(pos, 0);
126 pos += 2;
127 }
128
129 if (conn->session_ticket && conn->session_ticket_cb) {
130 int res = conn->session_ticket_cb(
131 conn->session_ticket_cb_ctx,
132 conn->session_ticket, conn->session_ticket_len,
133 conn->client_random, conn->server_random,
134 conn->master_secret);
135 if (res < 0) {
136 tlsv1_server_log(conn, "SessionTicket callback indicated failure");
137 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
138 TLS_ALERT_HANDSHAKE_FAILURE);
139 return -1;
140 }
141 conn->use_session_ticket = res;
142
143 if (conn->use_session_ticket) {
144 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
145 wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
146 "derive keys");
147 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
148 TLS_ALERT_INTERNAL_ERROR);
149 return -1;
150 }
151 }
152
153 /*
154 * RFC 4507 specifies that server would include an empty
155 * SessionTicket extension in ServerHello and a
156 * NewSessionTicket message after the ServerHello. However,
157 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
158 * extension at the moment, does not use such extensions.
159 *
160 * TODO: Add support for configuring RFC 4507 behavior and make
161 * EAP-FAST disable it.
162 */
163 }
164
165 if (pos == ext_start + 2)
166 pos -= 2; /* no extensions */
167 else
168 WPA_PUT_BE16(ext_start, pos - ext_start - 2);
169
170 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
171 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
172
173 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
174 rhdr, end - rhdr, hs_start, pos - hs_start,
175 &rlen) < 0) {
176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
177 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
178 TLS_ALERT_INTERNAL_ERROR);
179 return -1;
180 }
181 pos = rhdr + rlen;
182
183 *msgpos = pos;
184
185 return 0;
186 }
187
188
tls_write_server_certificate(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)189 static int tls_write_server_certificate(struct tlsv1_server *conn,
190 u8 **msgpos, u8 *end)
191 {
192 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
193 size_t rlen;
194 struct x509_certificate *cert;
195 const struct tls_cipher_suite *suite;
196
197 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
198 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
199 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
200 "using anonymous DH");
201 return 0;
202 }
203
204 pos = *msgpos;
205 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
206 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
207 TLS_ALERT_INTERNAL_ERROR);
208 return -1;
209 }
210
211 tlsv1_server_log(conn, "Send Certificate");
212 rhdr = pos;
213 pos += TLS_RECORD_HEADER_LEN;
214
215 /* opaque fragment[TLSPlaintext.length] */
216
217 /* Handshake */
218 hs_start = pos;
219 /* HandshakeType msg_type */
220 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
221 /* uint24 length (to be filled) */
222 hs_length = pos;
223 pos += 3;
224 /* body - Certificate */
225 /* uint24 length (to be filled) */
226 cert_start = pos;
227 pos += 3;
228 cert = conn->cred->cert;
229 while (cert) {
230 if (3 + cert->cert_len > (size_t) (end - pos)) {
231 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
232 "for Certificate (cert_len=%lu left=%lu)",
233 (unsigned long) cert->cert_len,
234 (unsigned long) (end - pos));
235 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
236 TLS_ALERT_INTERNAL_ERROR);
237 return -1;
238 }
239 WPA_PUT_BE24(pos, cert->cert_len);
240 pos += 3;
241 os_memcpy(pos, cert->cert_start, cert->cert_len);
242 pos += cert->cert_len;
243
244 if (x509_certificate_self_signed(cert))
245 break;
246 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
247 &cert->issuer);
248 }
249 if (cert == conn->cred->cert || cert == NULL) {
250 /*
251 * Server was not configured with all the needed certificates
252 * to form a full certificate chain. The client may fail to
253 * validate the chain unless it is configured with all the
254 * missing CA certificates.
255 */
256 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
257 "not configured - validation may fail");
258 }
259 WPA_PUT_BE24(cert_start, pos - cert_start - 3);
260
261 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
262
263 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
264 rhdr, end - rhdr, hs_start, pos - hs_start,
265 &rlen) < 0) {
266 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
267 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
268 TLS_ALERT_INTERNAL_ERROR);
269 return -1;
270 }
271 pos = rhdr + rlen;
272
273 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
274
275 *msgpos = pos;
276
277 return 0;
278 }
279
280
tls_write_server_certificate_status(struct tlsv1_server * conn,u8 ** msgpos,u8 * end,int ocsp_multi,char * ocsp_resp,size_t ocsp_resp_len)281 static int tls_write_server_certificate_status(struct tlsv1_server *conn,
282 u8 **msgpos, u8 *end,
283 int ocsp_multi,
284 char *ocsp_resp,
285 size_t ocsp_resp_len)
286 {
287 u8 *pos, *rhdr, *hs_start, *hs_length;
288 size_t rlen;
289
290 if (!ocsp_resp) {
291 /*
292 * Client did not request certificate status or there is no
293 * matching response cached.
294 */
295 return 0;
296 }
297
298 pos = *msgpos;
299 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 1 + 3 + ocsp_resp_len >
300 (unsigned int) (end - pos)) {
301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
302 TLS_ALERT_INTERNAL_ERROR);
303 return -1;
304 }
305
306 tlsv1_server_log(conn, "Send CertificateStatus (multi=%d)", ocsp_multi);
307 rhdr = pos;
308 pos += TLS_RECORD_HEADER_LEN;
309
310 /* opaque fragment[TLSPlaintext.length] */
311
312 /* Handshake */
313 hs_start = pos;
314 /* HandshakeType msg_type */
315 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS;
316 /* uint24 length (to be filled) */
317 hs_length = pos;
318 pos += 3;
319
320 /* body - CertificateStatus
321 *
322 * struct {
323 * CertificateStatusType status_type;
324 * select (status_type) {
325 * case ocsp: OCSPResponse;
326 * case ocsp_multi: OCSPResponseList;
327 * } response;
328 * } CertificateStatus;
329 *
330 * opaque OCSPResponse<1..2^24-1>;
331 *
332 * struct {
333 * OCSPResponse ocsp_response_list<1..2^24-1>;
334 * } OCSPResponseList;
335 */
336
337 /* CertificateStatusType status_type */
338 if (ocsp_multi)
339 *pos++ = 2; /* ocsp_multi(2) */
340 else
341 *pos++ = 1; /* ocsp(1) */
342 /* uint24 length of OCSPResponse */
343 WPA_PUT_BE24(pos, ocsp_resp_len);
344 pos += 3;
345 os_memcpy(pos, ocsp_resp, ocsp_resp_len);
346 pos += ocsp_resp_len;
347
348 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
349
350 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
351 rhdr, end - rhdr, hs_start, pos - hs_start,
352 &rlen) < 0) {
353 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
354 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
355 TLS_ALERT_INTERNAL_ERROR);
356 return -1;
357 }
358 pos = rhdr + rlen;
359
360 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
361
362 *msgpos = pos;
363
364 return 0;
365 }
366
367
tls_write_server_key_exchange(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)368 static int tls_write_server_key_exchange(struct tlsv1_server *conn,
369 u8 **msgpos, u8 *end)
370 {
371 tls_key_exchange keyx;
372 const struct tls_cipher_suite *suite;
373 u8 *pos, *rhdr, *hs_start, *hs_length, *server_params;
374 size_t rlen;
375 u8 *dh_ys;
376 size_t dh_ys_len;
377 const u8 *dh_p;
378 size_t dh_p_len;
379
380 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
381 if (suite == NULL)
382 keyx = TLS_KEY_X_NULL;
383 else
384 keyx = suite->key_exchange;
385
386 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
387 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
388 return 0;
389 }
390
391 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA) {
392 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
393 "supported with key exchange type %d", keyx);
394 return -1;
395 }
396
397 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
398 conn->cred->dh_g == NULL) {
399 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
400 "ServerKeyExhcange");
401 return -1;
402 }
403
404 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
405
406 os_free(conn->dh_secret);
407 conn->dh_secret_len = dh_p_len;
408 conn->dh_secret = os_malloc(conn->dh_secret_len);
409 if (conn->dh_secret == NULL) {
410 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
411 "memory for secret (Diffie-Hellman)");
412 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
413 TLS_ALERT_INTERNAL_ERROR);
414 return -1;
415 }
416 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
417 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
418 "data for Diffie-Hellman");
419 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420 TLS_ALERT_INTERNAL_ERROR);
421 os_free(conn->dh_secret);
422 conn->dh_secret = NULL;
423 return -1;
424 }
425
426 if (os_memcmp(conn->dh_secret, dh_p, conn->dh_secret_len) > 0)
427 conn->dh_secret[0] = 0; /* make sure secret < p */
428
429 pos = conn->dh_secret;
430 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
431 pos++;
432 if (pos != conn->dh_secret) {
433 os_memmove(conn->dh_secret, pos,
434 conn->dh_secret_len - (pos - conn->dh_secret));
435 conn->dh_secret_len -= pos - conn->dh_secret;
436 }
437 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
438 conn->dh_secret, conn->dh_secret_len);
439
440 /* Ys = g^secret mod p */
441 dh_ys_len = dh_p_len;
442 dh_ys = os_malloc(dh_ys_len);
443 if (dh_ys == NULL) {
444 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
445 "Diffie-Hellman");
446 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
447 TLS_ALERT_INTERNAL_ERROR);
448 return -1;
449 }
450 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
451 conn->dh_secret, conn->dh_secret_len,
452 dh_p, dh_p_len, dh_ys, &dh_ys_len)) {
453 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
454 TLS_ALERT_INTERNAL_ERROR);
455 os_free(dh_ys);
456 return -1;
457 }
458
459 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
460 dh_ys, dh_ys_len);
461
462 /*
463 * struct {
464 * select (KeyExchangeAlgorithm) {
465 * case diffie_hellman:
466 * ServerDHParams params;
467 * Signature signed_params;
468 * case rsa:
469 * ServerRSAParams params;
470 * Signature signed_params;
471 * };
472 * } ServerKeyExchange;
473 *
474 * struct {
475 * opaque dh_p<1..2^16-1>;
476 * opaque dh_g<1..2^16-1>;
477 * opaque dh_Ys<1..2^16-1>;
478 * } ServerDHParams;
479 */
480
481 pos = *msgpos;
482
483 tlsv1_server_log(conn, "Send ServerKeyExchange");
484 rhdr = pos;
485 pos += TLS_RECORD_HEADER_LEN;
486
487 /* opaque fragment[TLSPlaintext.length] */
488
489 /* Handshake */
490 hs_start = pos;
491 /* HandshakeType msg_type */
492 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
493 /* uint24 length (to be filled) */
494 hs_length = pos;
495 pos += 3;
496
497 /* body - ServerDHParams */
498 server_params = pos;
499 /* dh_p */
500 if (2 + dh_p_len > (size_t) (end - pos)) {
501 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
502 "dh_p");
503 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
504 TLS_ALERT_INTERNAL_ERROR);
505 os_free(dh_ys);
506 return -1;
507 }
508 WPA_PUT_BE16(pos, dh_p_len);
509 pos += 2;
510 os_memcpy(pos, dh_p, dh_p_len);
511 pos += dh_p_len;
512
513 /* dh_g */
514 if (2 + conn->cred->dh_g_len > (size_t) (end - pos)) {
515 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
516 "dh_g");
517 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
518 TLS_ALERT_INTERNAL_ERROR);
519 os_free(dh_ys);
520 return -1;
521 }
522 WPA_PUT_BE16(pos, conn->cred->dh_g_len);
523 pos += 2;
524 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
525 pos += conn->cred->dh_g_len;
526
527 /* dh_Ys */
528 if (2 + dh_ys_len > (size_t) (end - pos)) {
529 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
530 "dh_Ys");
531 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
532 TLS_ALERT_INTERNAL_ERROR);
533 os_free(dh_ys);
534 return -1;
535 }
536 WPA_PUT_BE16(pos, dh_ys_len);
537 pos += 2;
538 os_memcpy(pos, dh_ys, dh_ys_len);
539 pos += dh_ys_len;
540 os_free(dh_ys);
541
542 /*
543 * select (SignatureAlgorithm)
544 * { case anonymous: struct { };
545 * case rsa:
546 * digitally-signed struct {
547 * opaque md5_hash[16];
548 * opaque sha_hash[20];
549 * };
550 * case dsa:
551 * digitally-signed struct {
552 * opaque sha_hash[20];
553 * };
554 * } Signature;
555 *
556 * md5_hash
557 * MD5(ClientHello.random + ServerHello.random + ServerParams);
558 *
559 * sha_hash
560 * SHA(ClientHello.random + ServerHello.random + ServerParams);
561 */
562
563 if (keyx == TLS_KEY_X_DHE_RSA) {
564 u8 hash[100];
565 u8 *signed_start;
566 size_t clen;
567 int hlen;
568
569 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
570 #ifdef CONFIG_TLSV12
571 hlen = tlsv12_key_x_server_params_hash(
572 conn->rl.tls_version, TLS_HASH_ALG_SHA256,
573 conn->client_random,
574 conn->server_random, server_params,
575 pos - server_params, hash + 19);
576
577 /*
578 * RFC 5246, 4.7:
579 * TLS v1.2 adds explicit indication of the used
580 * signature and hash algorithms.
581 *
582 * struct {
583 * HashAlgorithm hash;
584 * SignatureAlgorithm signature;
585 * } SignatureAndHashAlgorithm;
586 */
587 if (hlen < 0 || end - pos < 2) {
588 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
589 TLS_ALERT_INTERNAL_ERROR);
590 return -1;
591 }
592 *pos++ = TLS_HASH_ALG_SHA256;
593 *pos++ = TLS_SIGN_ALG_RSA;
594
595 /*
596 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
597 *
598 * DigestInfo ::= SEQUENCE {
599 * digestAlgorithm DigestAlgorithm,
600 * digest OCTET STRING
601 * }
602 *
603 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
604 *
605 * DER encoded DigestInfo for SHA256 per RFC 3447:
606 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00
607 * 04 20 || H
608 */
609 hlen += 19;
610 os_memcpy(hash,
611 "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
612 "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
613
614 #else /* CONFIG_TLSV12 */
615 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
616 TLS_ALERT_INTERNAL_ERROR);
617 return -1;
618 #endif /* CONFIG_TLSV12 */
619 } else {
620 hlen = tls_key_x_server_params_hash(
621 conn->rl.tls_version, conn->client_random,
622 conn->server_random, server_params,
623 pos - server_params, hash);
624 }
625
626 if (hlen < 0) {
627 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628 TLS_ALERT_INTERNAL_ERROR);
629 return -1;
630 }
631
632 wpa_hexdump(MSG_MSGDUMP, "TLS: ServerKeyExchange signed_params hash",
633 hash, hlen);
634 #ifdef CONFIG_TESTING_OPTIONS
635 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_HASH) {
636 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params hash");
637 hash[hlen - 1] ^= 0x80;
638 }
639 #endif /* CONFIG_TESTING_OPTIONS */
640
641 /*
642 * RFC 2246, 4.7:
643 * In digital signing, one-way hash functions are used as input
644 * for a signing algorithm. A digitally-signed element is
645 * encoded as an opaque vector <0..2^16-1>, where the length is
646 * specified by the signing algorithm and key.
647 *
648 * In RSA signing, a 36-byte structure of two hashes (one SHA
649 * and one MD5) is signed (encrypted with the private key). It
650 * is encoded with PKCS #1 block type 0 or type 1 as described
651 * in [PKCS1].
652 */
653 signed_start = pos; /* length to be filled */
654 pos += 2;
655 clen = end - pos;
656 if (conn->cred == NULL ||
657 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
658 pos, &clen) < 0) {
659 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
661 TLS_ALERT_INTERNAL_ERROR);
662 return -1;
663 }
664 WPA_PUT_BE16(signed_start, clen);
665 #ifdef CONFIG_TESTING_OPTIONS
666 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_SIGNATURE) {
667 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params signature");
668 pos[clen - 1] ^= 0x80;
669 }
670 #endif /* CONFIG_TESTING_OPTIONS */
671
672 pos += clen;
673 }
674
675 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
676
677 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
678 rhdr, end - rhdr, hs_start, pos - hs_start,
679 &rlen) < 0) {
680 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
681 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
682 TLS_ALERT_INTERNAL_ERROR);
683 return -1;
684 }
685 pos = rhdr + rlen;
686
687 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
688
689 *msgpos = pos;
690
691 return 0;
692 }
693
694
tls_write_server_certificate_request(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)695 static int tls_write_server_certificate_request(struct tlsv1_server *conn,
696 u8 **msgpos, u8 *end)
697 {
698 u8 *pos, *rhdr, *hs_start, *hs_length;
699 size_t rlen;
700
701 if (!conn->verify_peer) {
702 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
703 return 0;
704 }
705
706 pos = *msgpos;
707
708 tlsv1_server_log(conn, "Send CertificateRequest");
709 rhdr = pos;
710 pos += TLS_RECORD_HEADER_LEN;
711
712 /* opaque fragment[TLSPlaintext.length] */
713
714 /* Handshake */
715 hs_start = pos;
716 /* HandshakeType msg_type */
717 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
718 /* uint24 length (to be filled) */
719 hs_length = pos;
720 pos += 3;
721 /* body - CertificateRequest */
722
723 /*
724 * enum {
725 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
726 * (255)
727 * } ClientCertificateType;
728 * ClientCertificateType certificate_types<1..2^8-1>
729 */
730 *pos++ = 1;
731 *pos++ = 1; /* rsa_sign */
732
733 /*
734 * opaque DistinguishedName<1..2^16-1>
735 * DistinguishedName certificate_authorities<3..2^16-1>
736 */
737 /* TODO: add support for listing DNs for trusted CAs */
738 WPA_PUT_BE16(pos, 0);
739 pos += 2;
740
741 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
742
743 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
744 rhdr, end - rhdr, hs_start, pos - hs_start,
745 &rlen) < 0) {
746 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
747 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
748 TLS_ALERT_INTERNAL_ERROR);
749 return -1;
750 }
751 pos = rhdr + rlen;
752
753 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
754
755 *msgpos = pos;
756
757 return 0;
758 }
759
760
tls_write_server_hello_done(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)761 static int tls_write_server_hello_done(struct tlsv1_server *conn,
762 u8 **msgpos, u8 *end)
763 {
764 u8 *pos;
765 size_t rlen;
766 u8 payload[4];
767
768 tlsv1_server_log(conn, "Send ServerHelloDone");
769
770 /* opaque fragment[TLSPlaintext.length] */
771
772 /* Handshake */
773 pos = payload;
774 /* HandshakeType msg_type */
775 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
776 /* uint24 length */
777 WPA_PUT_BE24(pos, 0);
778 pos += 3;
779 /* body - ServerHelloDone (empty) */
780
781 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
782 *msgpos, end - *msgpos, payload, pos - payload,
783 &rlen) < 0) {
784 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
785 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
786 TLS_ALERT_INTERNAL_ERROR);
787 return -1;
788 }
789
790 tls_verify_hash_add(&conn->verify, payload, pos - payload);
791
792 *msgpos += rlen;
793
794 return 0;
795 }
796
797
tls_write_server_change_cipher_spec(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)798 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
799 u8 **msgpos, u8 *end)
800 {
801 size_t rlen;
802 u8 payload[1];
803
804 tlsv1_server_log(conn, "Send ChangeCipherSpec");
805
806 payload[0] = TLS_CHANGE_CIPHER_SPEC;
807
808 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
809 *msgpos, end - *msgpos, payload, sizeof(payload),
810 &rlen) < 0) {
811 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
812 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
813 TLS_ALERT_INTERNAL_ERROR);
814 return -1;
815 }
816
817 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
818 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
819 "record layer");
820 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
821 TLS_ALERT_INTERNAL_ERROR);
822 return -1;
823 }
824
825 *msgpos += rlen;
826
827 return 0;
828 }
829
830
tls_write_server_finished(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)831 static int tls_write_server_finished(struct tlsv1_server *conn,
832 u8 **msgpos, u8 *end)
833 {
834 u8 *pos, *hs_start;
835 size_t rlen, hlen;
836 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
837 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
838
839 pos = *msgpos;
840
841 tlsv1_server_log(conn, "Send Finished");
842
843 /* Encrypted Handshake Message: Finished */
844
845 #ifdef CONFIG_TLSV12
846 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
847 hlen = SHA256_MAC_LEN;
848 if (conn->verify.sha256_server == NULL ||
849 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
850 < 0) {
851 conn->verify.sha256_server = NULL;
852 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
853 TLS_ALERT_INTERNAL_ERROR);
854 return -1;
855 }
856 conn->verify.sha256_server = NULL;
857 } else {
858 #endif /* CONFIG_TLSV12 */
859
860 hlen = MD5_MAC_LEN;
861 if (conn->verify.md5_server == NULL ||
862 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
863 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
864 TLS_ALERT_INTERNAL_ERROR);
865 conn->verify.md5_server = NULL;
866 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
867 conn->verify.sha1_server = NULL;
868 return -1;
869 }
870 conn->verify.md5_server = NULL;
871 hlen = SHA1_MAC_LEN;
872 if (conn->verify.sha1_server == NULL ||
873 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
874 &hlen) < 0) {
875 conn->verify.sha1_server = NULL;
876 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
877 TLS_ALERT_INTERNAL_ERROR);
878 return -1;
879 }
880 conn->verify.sha1_server = NULL;
881 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
882
883 #ifdef CONFIG_TLSV12
884 }
885 #endif /* CONFIG_TLSV12 */
886
887 if (tls_prf(conn->rl.tls_version,
888 conn->master_secret, TLS_MASTER_SECRET_LEN,
889 "server finished", hash, hlen,
890 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
891 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
892 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
893 TLS_ALERT_INTERNAL_ERROR);
894 return -1;
895 }
896 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
897 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
898 #ifdef CONFIG_TESTING_OPTIONS
899 if (conn->test_flags & TLS_BREAK_VERIFY_DATA) {
900 tlsv1_server_log(conn, "TESTING: Break verify_data (server)");
901 verify_data[1 + 3 + 1] ^= 0x80;
902 }
903 #endif /* CONFIG_TESTING_OPTIONS */
904
905 /* Handshake */
906 pos = hs_start = verify_data;
907 /* HandshakeType msg_type */
908 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
909 /* uint24 length */
910 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
911 pos += 3;
912 pos += TLS_VERIFY_DATA_LEN;
913 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
914
915 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
916 *msgpos, end - *msgpos, hs_start, pos - hs_start,
917 &rlen) < 0) {
918 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
919 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
920 TLS_ALERT_INTERNAL_ERROR);
921 return -1;
922 }
923
924 *msgpos += rlen;
925
926 return 0;
927 }
928
929
tls_send_server_hello(struct tlsv1_server * conn,size_t * out_len)930 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
931 {
932 u8 *msg, *end, *pos;
933 size_t msglen;
934 int ocsp_multi = 0;
935 char *ocsp_resp = NULL;
936 size_t ocsp_resp_len = 0;
937
938 *out_len = 0;
939
940 if (conn->status_request_multi &&
941 conn->cred->ocsp_stapling_response_multi) {
942 ocsp_resp = os_readfile(
943 conn->cred->ocsp_stapling_response_multi,
944 &ocsp_resp_len);
945 ocsp_multi = 1;
946 } else if ((conn->status_request || conn->status_request_v2) &&
947 conn->cred->ocsp_stapling_response) {
948 ocsp_resp = os_readfile(conn->cred->ocsp_stapling_response,
949 &ocsp_resp_len);
950 }
951 if (!ocsp_resp)
952 ocsp_resp_len = 0;
953
954 msglen = 1000 + tls_server_cert_chain_der_len(conn) + ocsp_resp_len;
955
956 msg = os_malloc(msglen);
957 if (msg == NULL) {
958 os_free(ocsp_resp);
959 return NULL;
960 }
961
962 pos = msg;
963 end = msg + msglen;
964
965 if (tls_write_server_hello(conn, &pos, end) < 0) {
966 os_free(msg);
967 os_free(ocsp_resp);
968 return NULL;
969 }
970
971 if (conn->use_session_ticket) {
972 os_free(ocsp_resp);
973
974 /* Abbreviated handshake using session ticket; RFC 4507 */
975 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
976 tls_write_server_finished(conn, &pos, end) < 0) {
977 os_free(msg);
978 return NULL;
979 }
980
981 *out_len = pos - msg;
982
983 conn->state = CHANGE_CIPHER_SPEC;
984
985 return msg;
986 }
987
988 /* Full handshake */
989 if (tls_write_server_certificate(conn, &pos, end) < 0 ||
990 tls_write_server_certificate_status(conn, &pos, end, ocsp_multi,
991 ocsp_resp, ocsp_resp_len) < 0 ||
992 tls_write_server_key_exchange(conn, &pos, end) < 0 ||
993 tls_write_server_certificate_request(conn, &pos, end) < 0 ||
994 tls_write_server_hello_done(conn, &pos, end) < 0) {
995 os_free(msg);
996 os_free(ocsp_resp);
997 return NULL;
998 }
999 os_free(ocsp_resp);
1000
1001 *out_len = pos - msg;
1002
1003 conn->state = CLIENT_CERTIFICATE;
1004
1005 return msg;
1006 }
1007
1008
tls_send_change_cipher_spec(struct tlsv1_server * conn,size_t * out_len)1009 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
1010 size_t *out_len)
1011 {
1012 u8 *msg, *end, *pos;
1013
1014 *out_len = 0;
1015
1016 msg = os_malloc(1000);
1017 if (msg == NULL)
1018 return NULL;
1019
1020 pos = msg;
1021 end = msg + 1000;
1022
1023 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
1024 tls_write_server_finished(conn, &pos, end) < 0) {
1025 os_free(msg);
1026 return NULL;
1027 }
1028
1029 *out_len = pos - msg;
1030
1031 tlsv1_server_log(conn, "Handshake completed successfully");
1032 conn->state = ESTABLISHED;
1033
1034 return msg;
1035 }
1036
1037
tlsv1_server_handshake_write(struct tlsv1_server * conn,size_t * out_len)1038 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
1039 {
1040 switch (conn->state) {
1041 case SERVER_HELLO:
1042 return tls_send_server_hello(conn, out_len);
1043 case SERVER_CHANGE_CIPHER_SPEC:
1044 return tls_send_change_cipher_spec(conn, out_len);
1045 default:
1046 if (conn->state == ESTABLISHED && conn->use_session_ticket) {
1047 /* Abbreviated handshake was already completed. */
1048 return NULL;
1049 }
1050 tlsv1_server_log(conn, "Unexpected state %d while generating reply",
1051 conn->state);
1052 return NULL;
1053 }
1054 }
1055
1056
tlsv1_server_send_alert(struct tlsv1_server * conn,u8 level,u8 description,size_t * out_len)1057 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
1058 u8 description, size_t *out_len)
1059 {
1060 u8 *alert, *pos, *length;
1061
1062 tlsv1_server_log(conn, "Send Alert(%d:%d)", level, description);
1063 *out_len = 0;
1064
1065 alert = os_malloc(10);
1066 if (alert == NULL)
1067 return NULL;
1068
1069 pos = alert;
1070
1071 /* TLSPlaintext */
1072 /* ContentType type */
1073 *pos++ = TLS_CONTENT_TYPE_ALERT;
1074 /* ProtocolVersion version */
1075 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
1076 TLS_VERSION);
1077 pos += 2;
1078 /* uint16 length (to be filled) */
1079 length = pos;
1080 pos += 2;
1081 /* opaque fragment[TLSPlaintext.length] */
1082
1083 /* Alert */
1084 /* AlertLevel level */
1085 *pos++ = level;
1086 /* AlertDescription description */
1087 *pos++ = description;
1088
1089 WPA_PUT_BE16(length, pos - length - 2);
1090 *out_len = pos - alert;
1091
1092 return alert;
1093 }
1094