• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * TLSv1 client - write handshake message
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "md5.h"
19 #include "sha1.h"
20 #include "x509v3.h"
21 #include "tls.h"
22 #include "tlsv1_common.h"
23 #include "tlsv1_record.h"
24 #include "tlsv1_client.h"
25 #include "tlsv1_client_i.h"
26 
27 
tls_client_cert_chain_der_len(struct tlsv1_client * conn)28 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
29 {
30 	size_t len = 0;
31 	struct x509_certificate *cert;
32 
33 	if (conn->cred == NULL)
34 		return 0;
35 
36 	cert = conn->cred->cert;
37 	while (cert) {
38 		len += 3 + cert->cert_len;
39 		if (x509_certificate_self_signed(cert))
40 			break;
41 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
42 						    &cert->issuer);
43 	}
44 
45 	return len;
46 }
47 
48 
tls_send_client_hello(struct tlsv1_client * conn,size_t * out_len)49 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
50 {
51 	u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
52 	struct os_time now;
53 	size_t len, i;
54 
55 	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello");
56 	*out_len = 0;
57 
58 	os_get_time(&now);
59 	WPA_PUT_BE32(conn->client_random, now.sec);
60 	if (os_get_random(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
61 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
62 			   "client_random");
63 		return NULL;
64 	}
65 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
66 		    conn->client_random, TLS_RANDOM_LEN);
67 
68 	len = 100 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
69 	hello = os_malloc(len);
70 	if (hello == NULL)
71 		return NULL;
72 	end = hello + len;
73 
74 	rhdr = hello;
75 	pos = rhdr + TLS_RECORD_HEADER_LEN;
76 
77 	/* opaque fragment[TLSPlaintext.length] */
78 
79 	/* Handshake */
80 	hs_start = pos;
81 	/* HandshakeType msg_type */
82 	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
83 	/* uint24 length (to be filled) */
84 	hs_length = pos;
85 	pos += 3;
86 	/* body - ClientHello */
87 	/* ProtocolVersion client_version */
88 	WPA_PUT_BE16(pos, TLS_VERSION);
89 	pos += 2;
90 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
91 	os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
92 	pos += TLS_RANDOM_LEN;
93 	/* SessionID session_id */
94 	*pos++ = conn->session_id_len;
95 	os_memcpy(pos, conn->session_id, conn->session_id_len);
96 	pos += conn->session_id_len;
97 	/* CipherSuite cipher_suites<2..2^16-1> */
98 	WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
99 	pos += 2;
100 	for (i = 0; i < conn->num_cipher_suites; i++) {
101 		WPA_PUT_BE16(pos, conn->cipher_suites[i]);
102 		pos += 2;
103 	}
104 	/* CompressionMethod compression_methods<1..2^8-1> */
105 	*pos++ = 1;
106 	*pos++ = TLS_COMPRESSION_NULL;
107 
108 	if (conn->client_hello_ext) {
109 		os_memcpy(pos, conn->client_hello_ext,
110 			  conn->client_hello_ext_len);
111 		pos += conn->client_hello_ext_len;
112 	}
113 
114 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
115 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
116 
117 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
118 			      rhdr, end - rhdr, pos - hs_start, out_len) < 0) {
119 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
120 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
121 			  TLS_ALERT_INTERNAL_ERROR);
122 		os_free(hello);
123 		return NULL;
124 	}
125 
126 	conn->state = SERVER_HELLO;
127 
128 	return hello;
129 }
130 
131 
tls_write_client_certificate(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)132 static int tls_write_client_certificate(struct tlsv1_client *conn,
133 					u8 **msgpos, u8 *end)
134 {
135 	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
136 	size_t rlen;
137 	struct x509_certificate *cert;
138 
139 	pos = *msgpos;
140 
141 	wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
142 	rhdr = pos;
143 	pos += TLS_RECORD_HEADER_LEN;
144 
145 	/* opaque fragment[TLSPlaintext.length] */
146 
147 	/* Handshake */
148 	hs_start = pos;
149 	/* HandshakeType msg_type */
150 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
151 	/* uint24 length (to be filled) */
152 	hs_length = pos;
153 	pos += 3;
154 	/* body - Certificate */
155 	/* uint24 length (to be filled) */
156 	cert_start = pos;
157 	pos += 3;
158 	cert = conn->cred ? conn->cred->cert : NULL;
159 	while (cert) {
160 		if (pos + 3 + cert->cert_len > end) {
161 			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
162 				   "for Certificate (cert_len=%lu left=%lu)",
163 				   (unsigned long) cert->cert_len,
164 				   (unsigned long) (end - pos));
165 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
166 				  TLS_ALERT_INTERNAL_ERROR);
167 			return -1;
168 		}
169 		WPA_PUT_BE24(pos, cert->cert_len);
170 		pos += 3;
171 		os_memcpy(pos, cert->cert_start, cert->cert_len);
172 		pos += cert->cert_len;
173 
174 		if (x509_certificate_self_signed(cert))
175 			break;
176 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
177 						    &cert->issuer);
178 	}
179 	if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
180 		/*
181 		 * Client was not configured with all the needed certificates
182 		 * to form a full certificate chain. The server may fail to
183 		 * validate the chain unless it is configured with all the
184 		 * missing CA certificates.
185 		 */
186 		wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
187 			   "not configured - validation may fail");
188 	}
189 	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
190 
191 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
192 
193 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
194 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
195 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
196 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
197 			  TLS_ALERT_INTERNAL_ERROR);
198 		return -1;
199 	}
200 	pos = rhdr + rlen;
201 
202 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
203 
204 	*msgpos = pos;
205 
206 	return 0;
207 }
208 
209 
tlsv1_key_x_anon_dh(struct tlsv1_client * conn,u8 ** pos,u8 * end)210 static int tlsv1_key_x_anon_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
211 {
212 #ifdef EAP_FAST
213 	/* ClientDiffieHellmanPublic */
214 	u8 *csecret, *csecret_start, *dh_yc, *shared;
215 	size_t csecret_len, dh_yc_len, shared_len;
216 
217 	csecret_len = conn->dh_p_len;
218 	csecret = os_malloc(csecret_len);
219 	if (csecret == NULL) {
220 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
221 			   "memory for Yc (Diffie-Hellman)");
222 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
223 			  TLS_ALERT_INTERNAL_ERROR);
224 		return -1;
225 	}
226 	if (os_get_random(csecret, csecret_len)) {
227 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
228 			   "data for Diffie-Hellman");
229 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
230 			  TLS_ALERT_INTERNAL_ERROR);
231 		os_free(csecret);
232 		return -1;
233 	}
234 
235 	if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
236 		csecret[0] = 0; /* make sure Yc < p */
237 
238 	csecret_start = csecret;
239 	while (csecret_len > 1 && *csecret_start == 0) {
240 		csecret_start++;
241 		csecret_len--;
242 	}
243 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
244 			csecret_start, csecret_len);
245 
246 	/* Yc = g^csecret mod p */
247 	dh_yc_len = conn->dh_p_len;
248 	dh_yc = os_malloc(dh_yc_len);
249 	if (dh_yc == NULL) {
250 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
251 			   "memory for Diffie-Hellman");
252 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
253 			  TLS_ALERT_INTERNAL_ERROR);
254 		os_free(csecret);
255 		return -1;
256 	}
257 	if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
258 			   csecret_start, csecret_len,
259 			   conn->dh_p, conn->dh_p_len,
260 			   dh_yc, &dh_yc_len)) {
261 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
262 			  TLS_ALERT_INTERNAL_ERROR);
263 		os_free(csecret);
264 		os_free(dh_yc);
265 		return -1;
266 	}
267 
268 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
269 		    dh_yc, dh_yc_len);
270 
271 	WPA_PUT_BE16(*pos, dh_yc_len);
272 	*pos += 2;
273 	if (*pos + dh_yc_len > end) {
274 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
275 			   "message buffer for Yc");
276 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
277 			  TLS_ALERT_INTERNAL_ERROR);
278 		os_free(csecret);
279 		os_free(dh_yc);
280 		return -1;
281 	}
282 	os_memcpy(*pos, dh_yc, dh_yc_len);
283 	*pos += dh_yc_len;
284 	os_free(dh_yc);
285 
286 	shared_len = conn->dh_p_len;
287 	shared = os_malloc(shared_len);
288 	if (shared == NULL) {
289 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
290 			   "DH");
291 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
292 			  TLS_ALERT_INTERNAL_ERROR);
293 		os_free(csecret);
294 		return -1;
295 	}
296 
297 	/* shared = Ys^csecret mod p */
298 	if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
299 			   csecret_start, csecret_len,
300 			   conn->dh_p, conn->dh_p_len,
301 			   shared, &shared_len)) {
302 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
303 			  TLS_ALERT_INTERNAL_ERROR);
304 		os_free(csecret);
305 		os_free(shared);
306 		return -1;
307 	}
308 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
309 			shared, shared_len);
310 
311 	os_memset(csecret_start, 0, csecret_len);
312 	os_free(csecret);
313 	if (tls_derive_keys(conn, shared, shared_len)) {
314 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
315 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
316 			  TLS_ALERT_INTERNAL_ERROR);
317 		os_free(shared);
318 		return -1;
319 	}
320 	os_memset(shared, 0, shared_len);
321 	os_free(shared);
322 	tlsv1_client_free_dh(conn);
323 	return 0;
324 #else /* EAP_FAST */
325 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_INTERNAL_ERROR);
326 	return -1;
327 #endif /* EAP_FAST */
328 }
329 
330 
tlsv1_key_x_rsa(struct tlsv1_client * conn,u8 ** pos,u8 * end)331 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
332 {
333 	u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
334 	size_t clen;
335 	int res;
336 
337 	if (tls_derive_pre_master_secret(pre_master_secret) < 0 ||
338 	    tls_derive_keys(conn, pre_master_secret,
339 			    TLS_PRE_MASTER_SECRET_LEN)) {
340 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
341 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
342 			  TLS_ALERT_INTERNAL_ERROR);
343 		return -1;
344 	}
345 
346 	/* EncryptedPreMasterSecret */
347 	if (conn->server_rsa_key == NULL) {
348 		wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
349 			   "use for encrypting pre-master secret");
350 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
351 			  TLS_ALERT_INTERNAL_ERROR);
352 		return -1;
353 	}
354 
355 	/* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
356 	*pos += 2;
357 	clen = end - *pos;
358 	res = crypto_public_key_encrypt_pkcs1_v15(
359 		conn->server_rsa_key,
360 		pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
361 		*pos, &clen);
362 	os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
363 	if (res < 0) {
364 		wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
365 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
366 			  TLS_ALERT_INTERNAL_ERROR);
367 		return -1;
368 	}
369 	WPA_PUT_BE16(*pos - 2, clen);
370 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
371 		    *pos, clen);
372 	*pos += clen;
373 
374 	return 0;
375 }
376 
377 
tls_write_client_key_exchange(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)378 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
379 					 u8 **msgpos, u8 *end)
380 {
381 	u8 *pos, *rhdr, *hs_start, *hs_length;
382 	size_t rlen;
383 	tls_key_exchange keyx;
384 	const struct tls_cipher_suite *suite;
385 
386 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
387 	if (suite == NULL)
388 		keyx = TLS_KEY_X_NULL;
389 	else
390 		keyx = suite->key_exchange;
391 
392 	pos = *msgpos;
393 
394 	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
395 
396 	rhdr = pos;
397 	pos += TLS_RECORD_HEADER_LEN;
398 
399 	/* opaque fragment[TLSPlaintext.length] */
400 
401 	/* Handshake */
402 	hs_start = pos;
403 	/* HandshakeType msg_type */
404 	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
405 	/* uint24 length (to be filled) */
406 	hs_length = pos;
407 	pos += 3;
408 	/* body - ClientKeyExchange */
409 	if (keyx == TLS_KEY_X_DH_anon) {
410 		if (tlsv1_key_x_anon_dh(conn, &pos, end) < 0)
411 			return -1;
412 	} else {
413 		if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
414 			return -1;
415 	}
416 
417 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
418 
419 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
420 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
421 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
422 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
423 			  TLS_ALERT_INTERNAL_ERROR);
424 		return -1;
425 	}
426 	pos = rhdr + rlen;
427 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
428 
429 	*msgpos = pos;
430 
431 	return 0;
432 }
433 
434 
tls_write_client_certificate_verify(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)435 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
436 					       u8 **msgpos, u8 *end)
437 {
438 	u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
439 	size_t rlen, hlen, clen;
440 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos;
441 	enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
442 
443 	pos = *msgpos;
444 
445 	wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
446 	rhdr = pos;
447 	pos += TLS_RECORD_HEADER_LEN;
448 
449 	/* Handshake */
450 	hs_start = pos;
451 	/* HandshakeType msg_type */
452 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
453 	/* uint24 length (to be filled) */
454 	hs_length = pos;
455 	pos += 3;
456 
457 	/*
458 	 * RFC 2246: 7.4.3 and 7.4.8:
459 	 * Signature signature
460 	 *
461 	 * RSA:
462 	 * digitally-signed struct {
463 	 *     opaque md5_hash[16];
464 	 *     opaque sha_hash[20];
465 	 * };
466 	 *
467 	 * DSA:
468 	 * digitally-signed struct {
469 	 *     opaque sha_hash[20];
470 	 * };
471 	 *
472 	 * The hash values are calculated over all handshake messages sent or
473 	 * received starting at ClientHello up to, but not including, this
474 	 * CertificateVerify message, including the type and length fields of
475 	 * the handshake messages.
476 	 */
477 
478 	hpos = hash;
479 
480 	if (alg == SIGN_ALG_RSA) {
481 		hlen = MD5_MAC_LEN;
482 		if (conn->verify.md5_cert == NULL ||
483 		    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
484 		{
485 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
486 				  TLS_ALERT_INTERNAL_ERROR);
487 			conn->verify.md5_cert = NULL;
488 			crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
489 			conn->verify.sha1_cert = NULL;
490 			return -1;
491 		}
492 		hpos += MD5_MAC_LEN;
493 	} else
494 		crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);
495 
496 	conn->verify.md5_cert = NULL;
497 	hlen = SHA1_MAC_LEN;
498 	if (conn->verify.sha1_cert == NULL ||
499 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
500 		conn->verify.sha1_cert = NULL;
501 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
502 			  TLS_ALERT_INTERNAL_ERROR);
503 		return -1;
504 	}
505 	conn->verify.sha1_cert = NULL;
506 
507 	if (alg == SIGN_ALG_RSA)
508 		hlen += MD5_MAC_LEN;
509 
510 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
511 
512 	/*
513 	 * RFC 2246, 4.7:
514 	 * In digital signing, one-way hash functions are used as input for a
515 	 * signing algorithm. A digitally-signed element is encoded as an
516 	 * opaque vector <0..2^16-1>, where the length is specified by the
517 	 * signing algorithm and key.
518 	 *
519 	 * In RSA signing, a 36-byte structure of two hashes (one SHA and one
520 	 * MD5) is signed (encrypted with the private key). It is encoded with
521 	 * PKCS #1 block type 0 or type 1 as described in [PKCS1].
522 	 */
523 	signed_start = pos; /* length to be filled */
524 	pos += 2;
525 	clen = end - pos;
526 	if (conn->cred == NULL ||
527 	    crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
528 					  pos, &clen) < 0) {
529 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
530 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
531 			  TLS_ALERT_INTERNAL_ERROR);
532 		return -1;
533 	}
534 	WPA_PUT_BE16(signed_start, clen);
535 
536 	pos += clen;
537 
538 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
539 
540 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
541 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
542 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
543 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
544 			  TLS_ALERT_INTERNAL_ERROR);
545 		return -1;
546 	}
547 	pos = rhdr + rlen;
548 
549 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
550 
551 	*msgpos = pos;
552 
553 	return 0;
554 }
555 
556 
tls_write_client_change_cipher_spec(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)557 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
558 					       u8 **msgpos, u8 *end)
559 {
560 	u8 *pos, *rhdr;
561 	size_t rlen;
562 
563 	pos = *msgpos;
564 
565 	wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
566 	rhdr = pos;
567 	pos += TLS_RECORD_HEADER_LEN;
568 	*pos = TLS_CHANGE_CIPHER_SPEC;
569 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
570 			      rhdr, end - rhdr, 1, &rlen) < 0) {
571 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
572 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
573 			  TLS_ALERT_INTERNAL_ERROR);
574 		return -1;
575 	}
576 
577 	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
578 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
579 			   "record layer");
580 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
581 			  TLS_ALERT_INTERNAL_ERROR);
582 		return -1;
583 	}
584 
585 	*msgpos = rhdr + rlen;
586 
587 	return 0;
588 }
589 
590 
tls_write_client_finished(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)591 static int tls_write_client_finished(struct tlsv1_client *conn,
592 				     u8 **msgpos, u8 *end)
593 {
594 	u8 *pos, *rhdr, *hs_start, *hs_length;
595 	size_t rlen, hlen;
596 	u8 verify_data[TLS_VERIFY_DATA_LEN];
597 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
598 
599 	pos = *msgpos;
600 
601 	wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
602 
603 	/* Encrypted Handshake Message: Finished */
604 
605 	hlen = MD5_MAC_LEN;
606 	if (conn->verify.md5_client == NULL ||
607 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
608 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
609 			  TLS_ALERT_INTERNAL_ERROR);
610 		conn->verify.md5_client = NULL;
611 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
612 		conn->verify.sha1_client = NULL;
613 		return -1;
614 	}
615 	conn->verify.md5_client = NULL;
616 	hlen = SHA1_MAC_LEN;
617 	if (conn->verify.sha1_client == NULL ||
618 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
619 			       &hlen) < 0) {
620 		conn->verify.sha1_client = NULL;
621 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 			  TLS_ALERT_INTERNAL_ERROR);
623 		return -1;
624 	}
625 	conn->verify.sha1_client = NULL;
626 
627 	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
628 		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
629 		    verify_data, TLS_VERIFY_DATA_LEN)) {
630 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
631 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
632 			  TLS_ALERT_INTERNAL_ERROR);
633 		return -1;
634 	}
635 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
636 			verify_data, TLS_VERIFY_DATA_LEN);
637 
638 	rhdr = pos;
639 	pos += TLS_RECORD_HEADER_LEN;
640 	/* Handshake */
641 	hs_start = pos;
642 	/* HandshakeType msg_type */
643 	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
644 	/* uint24 length (to be filled) */
645 	hs_length = pos;
646 	pos += 3;
647 	os_memcpy(pos, verify_data, TLS_VERIFY_DATA_LEN);
648 	pos += TLS_VERIFY_DATA_LEN;
649 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
650 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
651 
652 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
653 			      rhdr, end - rhdr, pos - hs_start, &rlen) < 0) {
654 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
655 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
656 			  TLS_ALERT_INTERNAL_ERROR);
657 		return -1;
658 	}
659 
660 	pos = rhdr + rlen;
661 
662 	*msgpos = pos;
663 
664 	return 0;
665 }
666 
667 
tls_send_client_key_exchange(struct tlsv1_client * conn,size_t * out_len)668 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
669 					 size_t *out_len)
670 {
671 	u8 *msg, *end, *pos;
672 	size_t msglen;
673 
674 	*out_len = 0;
675 
676 	msglen = 1000;
677 	if (conn->certificate_requested)
678 		msglen += tls_client_cert_chain_der_len(conn);
679 
680 	msg = os_malloc(msglen);
681 	if (msg == NULL)
682 		return NULL;
683 
684 	pos = msg;
685 	end = msg + msglen;
686 
687 	if (conn->certificate_requested) {
688 		if (tls_write_client_certificate(conn, &pos, end) < 0) {
689 			os_free(msg);
690 			return NULL;
691 		}
692 	}
693 
694 	if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
695 	    (conn->certificate_requested && conn->cred && conn->cred->key &&
696 	     tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
697 	    tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
698 	    tls_write_client_finished(conn, &pos, end) < 0) {
699 		os_free(msg);
700 		return NULL;
701 	}
702 
703 	*out_len = pos - msg;
704 
705 	conn->state = SERVER_CHANGE_CIPHER_SPEC;
706 
707 	return msg;
708 }
709 
710 
tls_send_change_cipher_spec(struct tlsv1_client * conn,size_t * out_len)711 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
712 					size_t *out_len)
713 {
714 	u8 *msg, *end, *pos;
715 
716 	*out_len = 0;
717 
718 	msg = os_malloc(1000);
719 	if (msg == NULL)
720 		return NULL;
721 
722 	pos = msg;
723 	end = msg + 1000;
724 
725 	if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
726 	    tls_write_client_finished(conn, &pos, end) < 0) {
727 		os_free(msg);
728 		return NULL;
729 	}
730 
731 	*out_len = pos - msg;
732 
733 	wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
734 		   "successfully");
735 	conn->state = ESTABLISHED;
736 
737 	return msg;
738 }
739 
740 
tlsv1_client_handshake_write(struct tlsv1_client * conn,size_t * out_len,int no_appl_data)741 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
742 				  int no_appl_data)
743 {
744 	switch (conn->state) {
745 	case CLIENT_KEY_EXCHANGE:
746 		return tls_send_client_key_exchange(conn, out_len);
747 	case CHANGE_CIPHER_SPEC:
748 		return tls_send_change_cipher_spec(conn, out_len);
749 	case ACK_FINISHED:
750 		wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
751 			   "successfully");
752 		conn->state = ESTABLISHED;
753 		*out_len = 0;
754 		if (no_appl_data) {
755 			/* Need to return something to get final TLS ACK. */
756 			return os_malloc(1);
757 		}
758 		return NULL;
759 	default:
760 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
761 			   "generating reply", conn->state);
762 		return NULL;
763 	}
764 }
765 
766 
tlsv1_client_send_alert(struct tlsv1_client * conn,u8 level,u8 description,size_t * out_len)767 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
768 			     u8 description, size_t *out_len)
769 {
770 	u8 *alert, *pos, *length;
771 
772 	wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
773 	*out_len = 0;
774 
775 	alert = os_malloc(10);
776 	if (alert == NULL)
777 		return NULL;
778 
779 	pos = alert;
780 
781 	/* TLSPlaintext */
782 	/* ContentType type */
783 	*pos++ = TLS_CONTENT_TYPE_ALERT;
784 	/* ProtocolVersion version */
785 	WPA_PUT_BE16(pos, TLS_VERSION);
786 	pos += 2;
787 	/* uint16 length (to be filled) */
788 	length = pos;
789 	pos += 2;
790 	/* opaque fragment[TLSPlaintext.length] */
791 
792 	/* Alert */
793 	/* AlertLevel level */
794 	*pos++ = level;
795 	/* AlertDescription description */
796 	*pos++ = description;
797 
798 	WPA_PUT_BE16(length, pos - length - 2);
799 	*out_len = pos - alert;
800 
801 	return alert;
802 }
803