1 /* 2 * TLSv1 server - write handshake message 3 * Copyright (c) 2006-2011, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "crypto/random.h" 17 #include "x509v3.h" 18 #include "tlsv1_common.h" 19 #include "tlsv1_record.h" 20 #include "tlsv1_server.h" 21 #include "tlsv1_server_i.h" 22 23 24 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn) 25 { 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 cert = conn->cred->cert; 30 while (cert) { 31 len += 3 + cert->cert_len; 32 if (x509_certificate_self_signed(cert)) 33 break; 34 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 35 &cert->issuer); 36 } 37 38 return len; 39 } 40 41 42 static int tls_write_server_hello(struct tlsv1_server *conn, 43 u8 **msgpos, u8 *end) 44 { 45 u8 *pos, *rhdr, *hs_start, *hs_length; 46 struct os_time now; 47 size_t rlen; 48 49 pos = *msgpos; 50 51 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello"); 52 rhdr = pos; 53 pos += TLS_RECORD_HEADER_LEN; 54 55 os_get_time(&now); 56 WPA_PUT_BE32(conn->server_random, now.sec); 57 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) { 58 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 59 "server_random"); 60 return -1; 61 } 62 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 63 conn->server_random, TLS_RANDOM_LEN); 64 65 conn->session_id_len = TLS_SESSION_ID_MAX_LEN; 66 if (random_get_bytes(conn->session_id, conn->session_id_len)) { 67 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 68 "session_id"); 69 return -1; 70 } 71 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 72 conn->session_id, conn->session_id_len); 73 74 /* opaque fragment[TLSPlaintext.length] */ 75 76 /* Handshake */ 77 hs_start = pos; 78 /* HandshakeType msg_type */ 79 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO; 80 /* uint24 length (to be filled) */ 81 hs_length = pos; 82 pos += 3; 83 /* body - ServerHello */ 84 /* ProtocolVersion server_version */ 85 WPA_PUT_BE16(pos, conn->rl.tls_version); 86 pos += 2; 87 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 88 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN); 89 pos += TLS_RANDOM_LEN; 90 /* SessionID session_id */ 91 *pos++ = conn->session_id_len; 92 os_memcpy(pos, conn->session_id, conn->session_id_len); 93 pos += conn->session_id_len; 94 /* CipherSuite cipher_suite */ 95 WPA_PUT_BE16(pos, conn->cipher_suite); 96 pos += 2; 97 /* CompressionMethod compression_method */ 98 *pos++ = TLS_COMPRESSION_NULL; 99 100 if (conn->session_ticket && conn->session_ticket_cb) { 101 int res = conn->session_ticket_cb( 102 conn->session_ticket_cb_ctx, 103 conn->session_ticket, conn->session_ticket_len, 104 conn->client_random, conn->server_random, 105 conn->master_secret); 106 if (res < 0) { 107 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 108 "indicated failure"); 109 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 110 TLS_ALERT_HANDSHAKE_FAILURE); 111 return -1; 112 } 113 conn->use_session_ticket = res; 114 115 if (conn->use_session_ticket) { 116 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) { 117 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 118 "derive keys"); 119 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 120 TLS_ALERT_INTERNAL_ERROR); 121 return -1; 122 } 123 } 124 125 /* 126 * RFC 4507 specifies that server would include an empty 127 * SessionTicket extension in ServerHello and a 128 * NewSessionTicket message after the ServerHello. However, 129 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket 130 * extension at the moment, does not use such extensions. 131 * 132 * TODO: Add support for configuring RFC 4507 behavior and make 133 * EAP-FAST disable it. 134 */ 135 } 136 137 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 138 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 139 140 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 141 rhdr, end - rhdr, hs_start, pos - hs_start, 142 &rlen) < 0) { 143 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 144 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 145 TLS_ALERT_INTERNAL_ERROR); 146 return -1; 147 } 148 pos = rhdr + rlen; 149 150 *msgpos = pos; 151 152 return 0; 153 } 154 155 156 static int tls_write_server_certificate(struct tlsv1_server *conn, 157 u8 **msgpos, u8 *end) 158 { 159 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 160 size_t rlen; 161 struct x509_certificate *cert; 162 const struct tls_cipher_suite *suite; 163 164 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 165 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) { 166 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when " 167 "using anonymous DH"); 168 return 0; 169 } 170 171 pos = *msgpos; 172 173 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 174 rhdr = pos; 175 pos += TLS_RECORD_HEADER_LEN; 176 177 /* opaque fragment[TLSPlaintext.length] */ 178 179 /* Handshake */ 180 hs_start = pos; 181 /* HandshakeType msg_type */ 182 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 183 /* uint24 length (to be filled) */ 184 hs_length = pos; 185 pos += 3; 186 /* body - Certificate */ 187 /* uint24 length (to be filled) */ 188 cert_start = pos; 189 pos += 3; 190 cert = conn->cred->cert; 191 while (cert) { 192 if (pos + 3 + cert->cert_len > end) { 193 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 194 "for Certificate (cert_len=%lu left=%lu)", 195 (unsigned long) cert->cert_len, 196 (unsigned long) (end - pos)); 197 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 198 TLS_ALERT_INTERNAL_ERROR); 199 return -1; 200 } 201 WPA_PUT_BE24(pos, cert->cert_len); 202 pos += 3; 203 os_memcpy(pos, cert->cert_start, cert->cert_len); 204 pos += cert->cert_len; 205 206 if (x509_certificate_self_signed(cert)) 207 break; 208 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 209 &cert->issuer); 210 } 211 if (cert == conn->cred->cert || cert == NULL) { 212 /* 213 * Server was not configured with all the needed certificates 214 * to form a full certificate chain. The client may fail to 215 * validate the chain unless it is configured with all the 216 * missing CA certificates. 217 */ 218 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain " 219 "not configured - validation may fail"); 220 } 221 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 222 223 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 224 225 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 226 rhdr, end - rhdr, hs_start, pos - hs_start, 227 &rlen) < 0) { 228 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 229 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 230 TLS_ALERT_INTERNAL_ERROR); 231 return -1; 232 } 233 pos = rhdr + rlen; 234 235 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 236 237 *msgpos = pos; 238 239 return 0; 240 } 241 242 243 static int tls_write_server_key_exchange(struct tlsv1_server *conn, 244 u8 **msgpos, u8 *end) 245 { 246 tls_key_exchange keyx; 247 const struct tls_cipher_suite *suite; 248 u8 *pos, *rhdr, *hs_start, *hs_length; 249 size_t rlen; 250 u8 *dh_ys; 251 size_t dh_ys_len; 252 253 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 254 if (suite == NULL) 255 keyx = TLS_KEY_X_NULL; 256 else 257 keyx = suite->key_exchange; 258 259 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 260 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed"); 261 return 0; 262 } 263 264 if (keyx != TLS_KEY_X_DH_anon) { 265 /* TODO? */ 266 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet " 267 "supported with key exchange type %d", keyx); 268 return -1; 269 } 270 271 if (conn->cred == NULL || conn->cred->dh_p == NULL || 272 conn->cred->dh_g == NULL) { 273 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for " 274 "ServerKeyExhcange"); 275 return -1; 276 } 277 278 os_free(conn->dh_secret); 279 conn->dh_secret_len = conn->cred->dh_p_len; 280 conn->dh_secret = os_malloc(conn->dh_secret_len); 281 if (conn->dh_secret == NULL) { 282 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 283 "memory for secret (Diffie-Hellman)"); 284 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 285 TLS_ALERT_INTERNAL_ERROR); 286 return -1; 287 } 288 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) { 289 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 290 "data for Diffie-Hellman"); 291 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 292 TLS_ALERT_INTERNAL_ERROR); 293 os_free(conn->dh_secret); 294 conn->dh_secret = NULL; 295 return -1; 296 } 297 298 if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) > 299 0) 300 conn->dh_secret[0] = 0; /* make sure secret < p */ 301 302 pos = conn->dh_secret; 303 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0) 304 pos++; 305 if (pos != conn->dh_secret) { 306 os_memmove(conn->dh_secret, pos, 307 conn->dh_secret_len - (pos - conn->dh_secret)); 308 conn->dh_secret_len -= pos - conn->dh_secret; 309 } 310 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value", 311 conn->dh_secret, conn->dh_secret_len); 312 313 /* Ys = g^secret mod p */ 314 dh_ys_len = conn->cred->dh_p_len; 315 dh_ys = os_malloc(dh_ys_len); 316 if (dh_ys == NULL) { 317 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for " 318 "Diffie-Hellman"); 319 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 320 TLS_ALERT_INTERNAL_ERROR); 321 return -1; 322 } 323 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len, 324 conn->dh_secret, conn->dh_secret_len, 325 conn->cred->dh_p, conn->cred->dh_p_len, 326 dh_ys, &dh_ys_len)) { 327 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 328 TLS_ALERT_INTERNAL_ERROR); 329 os_free(dh_ys); 330 return -1; 331 } 332 333 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 334 dh_ys, dh_ys_len); 335 336 /* 337 * struct { 338 * select (KeyExchangeAlgorithm) { 339 * case diffie_hellman: 340 * ServerDHParams params; 341 * Signature signed_params; 342 * case rsa: 343 * ServerRSAParams params; 344 * Signature signed_params; 345 * }; 346 * } ServerKeyExchange; 347 * 348 * struct { 349 * opaque dh_p<1..2^16-1>; 350 * opaque dh_g<1..2^16-1>; 351 * opaque dh_Ys<1..2^16-1>; 352 * } ServerDHParams; 353 */ 354 355 pos = *msgpos; 356 357 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange"); 358 rhdr = pos; 359 pos += TLS_RECORD_HEADER_LEN; 360 361 /* opaque fragment[TLSPlaintext.length] */ 362 363 /* Handshake */ 364 hs_start = pos; 365 /* HandshakeType msg_type */ 366 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE; 367 /* uint24 length (to be filled) */ 368 hs_length = pos; 369 pos += 3; 370 371 /* body - ServerDHParams */ 372 /* dh_p */ 373 if (pos + 2 + conn->cred->dh_p_len > end) { 374 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 375 "dh_p"); 376 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 377 TLS_ALERT_INTERNAL_ERROR); 378 os_free(dh_ys); 379 return -1; 380 } 381 WPA_PUT_BE16(pos, conn->cred->dh_p_len); 382 pos += 2; 383 os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len); 384 pos += conn->cred->dh_p_len; 385 386 /* dh_g */ 387 if (pos + 2 + conn->cred->dh_g_len > end) { 388 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 389 "dh_g"); 390 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 391 TLS_ALERT_INTERNAL_ERROR); 392 os_free(dh_ys); 393 return -1; 394 } 395 WPA_PUT_BE16(pos, conn->cred->dh_g_len); 396 pos += 2; 397 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len); 398 pos += conn->cred->dh_g_len; 399 400 /* dh_Ys */ 401 if (pos + 2 + dh_ys_len > end) { 402 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for " 403 "dh_Ys"); 404 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 405 TLS_ALERT_INTERNAL_ERROR); 406 os_free(dh_ys); 407 return -1; 408 } 409 WPA_PUT_BE16(pos, dh_ys_len); 410 pos += 2; 411 os_memcpy(pos, dh_ys, dh_ys_len); 412 pos += dh_ys_len; 413 os_free(dh_ys); 414 415 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 416 417 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 418 rhdr, end - rhdr, hs_start, pos - hs_start, 419 &rlen) < 0) { 420 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 421 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 422 TLS_ALERT_INTERNAL_ERROR); 423 return -1; 424 } 425 pos = rhdr + rlen; 426 427 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 428 429 *msgpos = pos; 430 431 return 0; 432 } 433 434 435 static int tls_write_server_certificate_request(struct tlsv1_server *conn, 436 u8 **msgpos, u8 *end) 437 { 438 u8 *pos, *rhdr, *hs_start, *hs_length; 439 size_t rlen; 440 441 if (!conn->verify_peer) { 442 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed"); 443 return 0; 444 } 445 446 pos = *msgpos; 447 448 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest"); 449 rhdr = pos; 450 pos += TLS_RECORD_HEADER_LEN; 451 452 /* opaque fragment[TLSPlaintext.length] */ 453 454 /* Handshake */ 455 hs_start = pos; 456 /* HandshakeType msg_type */ 457 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST; 458 /* uint24 length (to be filled) */ 459 hs_length = pos; 460 pos += 3; 461 /* body - CertificateRequest */ 462 463 /* 464 * enum { 465 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 466 * (255) 467 * } ClientCertificateType; 468 * ClientCertificateType certificate_types<1..2^8-1> 469 */ 470 *pos++ = 1; 471 *pos++ = 1; /* rsa_sign */ 472 473 /* 474 * opaque DistinguishedName<1..2^16-1> 475 * DistinguishedName certificate_authorities<3..2^16-1> 476 */ 477 /* TODO: add support for listing DNs for trusted CAs */ 478 WPA_PUT_BE16(pos, 0); 479 pos += 2; 480 481 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 482 483 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 484 rhdr, end - rhdr, hs_start, pos - hs_start, 485 &rlen) < 0) { 486 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 487 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 488 TLS_ALERT_INTERNAL_ERROR); 489 return -1; 490 } 491 pos = rhdr + rlen; 492 493 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 494 495 *msgpos = pos; 496 497 return 0; 498 } 499 500 501 static int tls_write_server_hello_done(struct tlsv1_server *conn, 502 u8 **msgpos, u8 *end) 503 { 504 u8 *pos; 505 size_t rlen; 506 u8 payload[4]; 507 508 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone"); 509 510 /* opaque fragment[TLSPlaintext.length] */ 511 512 /* Handshake */ 513 pos = payload; 514 /* HandshakeType msg_type */ 515 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE; 516 /* uint24 length */ 517 WPA_PUT_BE24(pos, 0); 518 pos += 3; 519 /* body - ServerHelloDone (empty) */ 520 521 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 522 *msgpos, end - *msgpos, payload, pos - payload, 523 &rlen) < 0) { 524 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 525 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 526 TLS_ALERT_INTERNAL_ERROR); 527 return -1; 528 } 529 530 tls_verify_hash_add(&conn->verify, payload, pos - payload); 531 532 *msgpos += rlen; 533 534 return 0; 535 } 536 537 538 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn, 539 u8 **msgpos, u8 *end) 540 { 541 size_t rlen; 542 u8 payload[1]; 543 544 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 545 546 payload[0] = TLS_CHANGE_CIPHER_SPEC; 547 548 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 549 *msgpos, end - *msgpos, payload, sizeof(payload), 550 &rlen) < 0) { 551 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 552 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 553 TLS_ALERT_INTERNAL_ERROR); 554 return -1; 555 } 556 557 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 558 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 559 "record layer"); 560 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 561 TLS_ALERT_INTERNAL_ERROR); 562 return -1; 563 } 564 565 *msgpos += rlen; 566 567 return 0; 568 } 569 570 571 static int tls_write_server_finished(struct tlsv1_server *conn, 572 u8 **msgpos, u8 *end) 573 { 574 u8 *pos, *hs_start; 575 size_t rlen, hlen; 576 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 577 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 578 579 pos = *msgpos; 580 581 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 582 583 /* Encrypted Handshake Message: Finished */ 584 585 #ifdef CONFIG_TLSV12 586 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 587 hlen = SHA256_MAC_LEN; 588 if (conn->verify.sha256_server == NULL || 589 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 590 < 0) { 591 conn->verify.sha256_server = NULL; 592 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 593 TLS_ALERT_INTERNAL_ERROR); 594 return -1; 595 } 596 conn->verify.sha256_server = NULL; 597 } else { 598 #endif /* CONFIG_TLSV12 */ 599 600 hlen = MD5_MAC_LEN; 601 if (conn->verify.md5_server == NULL || 602 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 603 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 604 TLS_ALERT_INTERNAL_ERROR); 605 conn->verify.md5_server = NULL; 606 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 607 conn->verify.sha1_server = NULL; 608 return -1; 609 } 610 conn->verify.md5_server = NULL; 611 hlen = SHA1_MAC_LEN; 612 if (conn->verify.sha1_server == NULL || 613 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 614 &hlen) < 0) { 615 conn->verify.sha1_server = NULL; 616 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 617 TLS_ALERT_INTERNAL_ERROR); 618 return -1; 619 } 620 conn->verify.sha1_server = NULL; 621 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 622 623 #ifdef CONFIG_TLSV12 624 } 625 #endif /* CONFIG_TLSV12 */ 626 627 if (tls_prf(conn->rl.tls_version, 628 conn->master_secret, TLS_MASTER_SECRET_LEN, 629 "server finished", hash, hlen, 630 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 631 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 633 TLS_ALERT_INTERNAL_ERROR); 634 return -1; 635 } 636 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 637 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 638 639 /* Handshake */ 640 pos = hs_start = verify_data; 641 /* HandshakeType msg_type */ 642 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 643 /* uint24 length */ 644 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 645 pos += 3; 646 pos += TLS_VERIFY_DATA_LEN; 647 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 648 649 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 650 *msgpos, end - *msgpos, hs_start, pos - hs_start, 651 &rlen) < 0) { 652 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 653 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, 654 TLS_ALERT_INTERNAL_ERROR); 655 return -1; 656 } 657 658 *msgpos += rlen; 659 660 return 0; 661 } 662 663 664 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len) 665 { 666 u8 *msg, *end, *pos; 667 size_t msglen; 668 669 *out_len = 0; 670 671 msglen = 1000 + tls_server_cert_chain_der_len(conn); 672 673 msg = os_malloc(msglen); 674 if (msg == NULL) 675 return NULL; 676 677 pos = msg; 678 end = msg + msglen; 679 680 if (tls_write_server_hello(conn, &pos, end) < 0) { 681 os_free(msg); 682 return NULL; 683 } 684 685 if (conn->use_session_ticket) { 686 /* Abbreviated handshake using session ticket; RFC 4507 */ 687 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 688 tls_write_server_finished(conn, &pos, end) < 0) { 689 os_free(msg); 690 return NULL; 691 } 692 693 *out_len = pos - msg; 694 695 conn->state = CHANGE_CIPHER_SPEC; 696 697 return msg; 698 } 699 700 /* Full handshake */ 701 if (tls_write_server_certificate(conn, &pos, end) < 0 || 702 tls_write_server_key_exchange(conn, &pos, end) < 0 || 703 tls_write_server_certificate_request(conn, &pos, end) < 0 || 704 tls_write_server_hello_done(conn, &pos, end) < 0) { 705 os_free(msg); 706 return NULL; 707 } 708 709 *out_len = pos - msg; 710 711 conn->state = CLIENT_CERTIFICATE; 712 713 return msg; 714 } 715 716 717 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn, 718 size_t *out_len) 719 { 720 u8 *msg, *end, *pos; 721 722 *out_len = 0; 723 724 msg = os_malloc(1000); 725 if (msg == NULL) 726 return NULL; 727 728 pos = msg; 729 end = msg + 1000; 730 731 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 || 732 tls_write_server_finished(conn, &pos, end) < 0) { 733 os_free(msg); 734 return NULL; 735 } 736 737 *out_len = pos - msg; 738 739 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully"); 740 conn->state = ESTABLISHED; 741 742 return msg; 743 } 744 745 746 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len) 747 { 748 switch (conn->state) { 749 case SERVER_HELLO: 750 return tls_send_server_hello(conn, out_len); 751 case SERVER_CHANGE_CIPHER_SPEC: 752 return tls_send_change_cipher_spec(conn, out_len); 753 default: 754 if (conn->state == ESTABLISHED && conn->use_session_ticket) { 755 /* Abbreviated handshake was already completed. */ 756 return NULL; 757 } 758 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 759 "generating reply", conn->state); 760 return NULL; 761 } 762 } 763 764 765 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level, 766 u8 description, size_t *out_len) 767 { 768 u8 *alert, *pos, *length; 769 770 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 771 *out_len = 0; 772 773 alert = os_malloc(10); 774 if (alert == NULL) 775 return NULL; 776 777 pos = alert; 778 779 /* TLSPlaintext */ 780 /* ContentType type */ 781 *pos++ = TLS_CONTENT_TYPE_ALERT; 782 /* ProtocolVersion version */ 783 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 784 TLS_VERSION); 785 pos += 2; 786 /* uint16 length (to be filled) */ 787 length = pos; 788 pos += 2; 789 /* opaque fragment[TLSPlaintext.length] */ 790 791 /* Alert */ 792 /* AlertLevel level */ 793 *pos++ = level; 794 /* AlertDescription description */ 795 *pos++ = description; 796 797 WPA_PUT_BE16(length, pos - length - 2); 798 *out_len = pos - alert; 799 800 return alert; 801 } 802