1 /* 2 * TLSv1 client - write handshake message 3 * Copyright (c) 2006-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "crypto/random.h" 17 #include "x509v3.h" 18 #include "tlsv1_common.h" 19 #include "tlsv1_record.h" 20 #include "tlsv1_client.h" 21 #include "tlsv1_client_i.h" 22 23 24 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn) 25 { 26 size_t len = 0; 27 struct x509_certificate *cert; 28 29 if (conn->cred == NULL) 30 return 0; 31 32 cert = conn->cred->cert; 33 while (cert) { 34 len += 3 + cert->cert_len; 35 if (x509_certificate_self_signed(cert)) 36 break; 37 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 38 &cert->issuer); 39 } 40 41 return len; 42 } 43 44 45 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len) 46 { 47 u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr; 48 struct os_time now; 49 size_t len, i; 50 u8 *ext_start; 51 u16 tls_version = TLS_VERSION; 52 53 /* Pick the highest locally enabled TLS version */ 54 #ifdef CONFIG_TLSV12 55 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) && 56 tls_version == TLS_VERSION_1_2) 57 tls_version = TLS_VERSION_1_1; 58 #endif /* CONFIG_TLSV12 */ 59 #ifdef CONFIG_TLSV11 60 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) && 61 tls_version == TLS_VERSION_1_1) 62 tls_version = TLS_VERSION_1; 63 #endif /* CONFIG_TLSV11 */ 64 if ((conn->flags & TLS_CONN_DISABLE_TLSv1_0) && 65 tls_version == TLS_VERSION_1) { 66 wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed"); 67 return NULL; 68 } 69 70 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)", 71 tls_version_str(tls_version)); 72 *out_len = 0; 73 74 os_get_time(&now); 75 WPA_PUT_BE32(conn->client_random, now.sec); 76 if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) { 77 wpa_printf(MSG_ERROR, "TLSv1: Could not generate " 78 "client_random"); 79 return NULL; 80 } 81 wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random", 82 conn->client_random, TLS_RANDOM_LEN); 83 84 len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len; 85 hello = os_malloc(len); 86 if (hello == NULL) 87 return NULL; 88 end = hello + len; 89 90 rhdr = hello; 91 pos = rhdr + TLS_RECORD_HEADER_LEN; 92 93 /* opaque fragment[TLSPlaintext.length] */ 94 95 /* Handshake */ 96 hs_start = pos; 97 /* HandshakeType msg_type */ 98 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO; 99 /* uint24 length (to be filled) */ 100 hs_length = pos; 101 pos += 3; 102 /* body - ClientHello */ 103 /* ProtocolVersion client_version */ 104 WPA_PUT_BE16(pos, tls_version); 105 pos += 2; 106 /* Random random: uint32 gmt_unix_time, opaque random_bytes */ 107 os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN); 108 pos += TLS_RANDOM_LEN; 109 /* SessionID session_id */ 110 *pos++ = conn->session_id_len; 111 os_memcpy(pos, conn->session_id, conn->session_id_len); 112 pos += conn->session_id_len; 113 /* CipherSuite cipher_suites<2..2^16-1> */ 114 WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites); 115 pos += 2; 116 for (i = 0; i < conn->num_cipher_suites; i++) { 117 WPA_PUT_BE16(pos, conn->cipher_suites[i]); 118 pos += 2; 119 } 120 /* CompressionMethod compression_methods<1..2^8-1> */ 121 *pos++ = 1; 122 *pos++ = TLS_COMPRESSION_NULL; 123 124 /* Extension */ 125 ext_start = pos; 126 pos += 2; 127 128 #ifdef CONFIG_TLSV12 129 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 130 /* 131 * Add signature_algorithms extension since we support only 132 * SHA256 (and not the default SHA1) with TLSv1.2. 133 */ 134 /* ExtensionsType extension_type = signature_algorithms(13) */ 135 WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS); 136 pos += 2; 137 /* opaque extension_data<0..2^16-1> length */ 138 WPA_PUT_BE16(pos, 8); 139 pos += 2; 140 /* supported_signature_algorithms<2..2^16-2> length */ 141 WPA_PUT_BE16(pos, 6); 142 pos += 2; 143 /* supported_signature_algorithms */ 144 *pos++ = TLS_HASH_ALG_SHA512; 145 *pos++ = TLS_SIGN_ALG_RSA; 146 *pos++ = TLS_HASH_ALG_SHA384; 147 *pos++ = TLS_SIGN_ALG_RSA; 148 *pos++ = TLS_HASH_ALG_SHA256; 149 *pos++ = TLS_SIGN_ALG_RSA; 150 } 151 #endif /* CONFIG_TLSV12 */ 152 153 if (conn->client_hello_ext) { 154 os_memcpy(pos, conn->client_hello_ext, 155 conn->client_hello_ext_len); 156 pos += conn->client_hello_ext_len; 157 } 158 159 if (conn->flags & TLS_CONN_REQUEST_OCSP) { 160 wpa_printf(MSG_DEBUG, 161 "TLSv1: Add status_request extension for OCSP stapling"); 162 /* ExtensionsType extension_type = status_request(5) */ 163 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST); 164 pos += 2; 165 /* opaque extension_data<0..2^16-1> length */ 166 WPA_PUT_BE16(pos, 5); 167 pos += 2; 168 169 /* 170 * RFC 6066, 8: 171 * struct { 172 * CertificateStatusType status_type; 173 * select (status_type) { 174 * case ocsp: OCSPStatusRequest; 175 * } request; 176 * } CertificateStatusRequest; 177 * 178 * enum { ocsp(1), (255) } CertificateStatusType; 179 */ 180 *pos++ = 1; /* status_type = ocsp(1) */ 181 182 /* 183 * struct { 184 * ResponderID responder_id_list<0..2^16-1>; 185 * Extensions request_extensions; 186 * } OCSPStatusRequest; 187 * 188 * opaque ResponderID<1..2^16-1>; 189 * opaque Extensions<0..2^16-1>; 190 */ 191 WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */ 192 pos += 2; 193 WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */ 194 pos += 2; 195 196 wpa_printf(MSG_DEBUG, 197 "TLSv1: Add status_request_v2 extension for OCSP stapling"); 198 /* ExtensionsType extension_type = status_request_v2(17) */ 199 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2); 200 pos += 2; 201 /* opaque extension_data<0..2^16-1> length */ 202 WPA_PUT_BE16(pos, 7); 203 pos += 2; 204 205 /* 206 * RFC 6961, 2.2: 207 * struct { 208 * CertificateStatusType status_type; 209 * uint16 request_length; 210 * select (status_type) { 211 * case ocsp: OCSPStatusRequest; 212 * case ocsp_multi: OCSPStatusRequest; 213 * } request; 214 * } CertificateStatusRequestItemV2; 215 * 216 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType; 217 * 218 * struct { 219 * CertificateStatusRequestItemV2 220 * certificate_status_req_list<1..2^16-1>; 221 * } CertificateStatusRequestListV2; 222 */ 223 224 /* certificate_status_req_list<1..2^16-1> */ 225 WPA_PUT_BE16(pos, 5); 226 pos += 2; 227 228 /* CertificateStatusRequestItemV2 */ 229 *pos++ = 2; /* status_type = ocsp_multi(2) */ 230 /* OCSPStatusRequest as shown above for v1 */ 231 WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */ 232 pos += 2; 233 WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */ 234 pos += 2; 235 } 236 237 if (pos == ext_start + 2) 238 pos -= 2; /* no extensions */ 239 else 240 WPA_PUT_BE16(ext_start, pos - ext_start - 2); 241 242 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 243 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 244 245 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 246 rhdr, end - rhdr, hs_start, pos - hs_start, 247 out_len) < 0) { 248 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record"); 249 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 250 TLS_ALERT_INTERNAL_ERROR); 251 os_free(hello); 252 return NULL; 253 } 254 255 conn->state = SERVER_HELLO; 256 257 return hello; 258 } 259 260 261 static int tls_write_client_certificate(struct tlsv1_client *conn, 262 u8 **msgpos, u8 *end) 263 { 264 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start; 265 size_t rlen; 266 struct x509_certificate *cert; 267 268 pos = *msgpos; 269 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) { 270 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 271 TLS_ALERT_INTERNAL_ERROR); 272 return -1; 273 } 274 275 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate"); 276 rhdr = pos; 277 pos += TLS_RECORD_HEADER_LEN; 278 279 /* opaque fragment[TLSPlaintext.length] */ 280 281 /* Handshake */ 282 hs_start = pos; 283 /* HandshakeType msg_type */ 284 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE; 285 /* uint24 length (to be filled) */ 286 hs_length = pos; 287 pos += 3; 288 /* body - Certificate */ 289 /* uint24 length (to be filled) */ 290 cert_start = pos; 291 pos += 3; 292 cert = conn->cred ? conn->cred->cert : NULL; 293 while (cert) { 294 if (3 + cert->cert_len > (size_t) (end - pos)) { 295 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 296 "for Certificate (cert_len=%lu left=%lu)", 297 (unsigned long) cert->cert_len, 298 (unsigned long) (end - pos)); 299 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 300 TLS_ALERT_INTERNAL_ERROR); 301 return -1; 302 } 303 WPA_PUT_BE24(pos, cert->cert_len); 304 pos += 3; 305 os_memcpy(pos, cert->cert_start, cert->cert_len); 306 pos += cert->cert_len; 307 308 if (x509_certificate_self_signed(cert)) 309 break; 310 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 311 &cert->issuer); 312 } 313 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 314 /* 315 * Client was not configured with all the needed certificates 316 * to form a full certificate chain. The server may fail to 317 * validate the chain unless it is configured with all the 318 * missing CA certificates. 319 */ 320 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 321 "not configured - validation may fail"); 322 } 323 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 324 325 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 326 327 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 328 rhdr, end - rhdr, hs_start, pos - hs_start, 329 &rlen) < 0) { 330 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 332 TLS_ALERT_INTERNAL_ERROR); 333 return -1; 334 } 335 pos = rhdr + rlen; 336 337 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 338 339 *msgpos = pos; 340 341 return 0; 342 } 343 344 345 static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 346 { 347 /* ClientDiffieHellmanPublic */ 348 u8 *csecret, *csecret_start, *dh_yc, *shared; 349 size_t csecret_len, dh_yc_len, shared_len; 350 351 csecret_len = conn->dh_p_len; 352 csecret = os_malloc(csecret_len); 353 if (csecret == NULL) { 354 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 355 "memory for Yc (Diffie-Hellman)"); 356 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 357 TLS_ALERT_INTERNAL_ERROR); 358 return -1; 359 } 360 if (random_get_bytes(csecret, csecret_len)) { 361 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 362 "data for Diffie-Hellman"); 363 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 364 TLS_ALERT_INTERNAL_ERROR); 365 os_free(csecret); 366 return -1; 367 } 368 369 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 370 csecret[0] = 0; /* make sure Yc < p */ 371 372 csecret_start = csecret; 373 while (csecret_len > 1 && *csecret_start == 0) { 374 csecret_start++; 375 csecret_len--; 376 } 377 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 378 csecret_start, csecret_len); 379 380 /* Yc = g^csecret mod p */ 381 dh_yc_len = conn->dh_p_len; 382 dh_yc = os_malloc(dh_yc_len); 383 if (dh_yc == NULL) { 384 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 385 "memory for Diffie-Hellman"); 386 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 387 TLS_ALERT_INTERNAL_ERROR); 388 os_free(csecret); 389 return -1; 390 } 391 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 392 csecret_start, csecret_len, 393 conn->dh_p, conn->dh_p_len, 394 dh_yc, &dh_yc_len)) { 395 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 396 TLS_ALERT_INTERNAL_ERROR); 397 os_free(csecret); 398 os_free(dh_yc); 399 return -1; 400 } 401 402 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 403 dh_yc, dh_yc_len); 404 405 if (end - *pos < 2) { 406 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 407 TLS_ALERT_INTERNAL_ERROR); 408 os_free(csecret); 409 os_free(dh_yc); 410 return -1; 411 } 412 WPA_PUT_BE16(*pos, dh_yc_len); 413 *pos += 2; 414 if (dh_yc_len > (size_t) (end - *pos)) { 415 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 416 "message buffer for Yc"); 417 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 418 TLS_ALERT_INTERNAL_ERROR); 419 os_free(csecret); 420 os_free(dh_yc); 421 return -1; 422 } 423 os_memcpy(*pos, dh_yc, dh_yc_len); 424 *pos += dh_yc_len; 425 os_free(dh_yc); 426 427 shared_len = conn->dh_p_len; 428 shared = os_malloc(shared_len); 429 if (shared == NULL) { 430 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 431 "DH"); 432 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 433 TLS_ALERT_INTERNAL_ERROR); 434 os_free(csecret); 435 return -1; 436 } 437 438 /* shared = Ys^csecret mod p */ 439 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 440 csecret_start, csecret_len, 441 conn->dh_p, conn->dh_p_len, 442 shared, &shared_len)) { 443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 444 TLS_ALERT_INTERNAL_ERROR); 445 os_free(csecret); 446 os_free(shared); 447 return -1; 448 } 449 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 450 shared, shared_len); 451 452 os_memset(csecret_start, 0, csecret_len); 453 os_free(csecret); 454 if (tls_derive_keys(conn, shared, shared_len)) { 455 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 456 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 457 TLS_ALERT_INTERNAL_ERROR); 458 os_free(shared); 459 return -1; 460 } 461 os_memset(shared, 0, shared_len); 462 os_free(shared); 463 tlsv1_client_free_dh(conn); 464 return 0; 465 } 466 467 468 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 469 { 470 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 471 size_t clen; 472 int res; 473 474 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 475 tls_derive_keys(conn, pre_master_secret, 476 TLS_PRE_MASTER_SECRET_LEN)) { 477 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 478 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 479 TLS_ALERT_INTERNAL_ERROR); 480 return -1; 481 } 482 483 /* EncryptedPreMasterSecret */ 484 if (conn->server_rsa_key == NULL) { 485 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 486 "use for encrypting pre-master secret"); 487 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 488 TLS_ALERT_INTERNAL_ERROR); 489 return -1; 490 } 491 492 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 493 *pos += 2; 494 clen = end - *pos; 495 res = crypto_public_key_encrypt_pkcs1_v15( 496 conn->server_rsa_key, 497 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 498 *pos, &clen); 499 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 500 if (res < 0) { 501 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 502 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 503 TLS_ALERT_INTERNAL_ERROR); 504 return -1; 505 } 506 WPA_PUT_BE16(*pos - 2, clen); 507 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 508 *pos, clen); 509 *pos += clen; 510 511 return 0; 512 } 513 514 515 static int tls_write_client_key_exchange(struct tlsv1_client *conn, 516 u8 **msgpos, u8 *end) 517 { 518 u8 *pos, *rhdr, *hs_start, *hs_length; 519 size_t rlen; 520 tls_key_exchange keyx; 521 const struct tls_cipher_suite *suite; 522 523 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 524 if (suite == NULL) 525 keyx = TLS_KEY_X_NULL; 526 else 527 keyx = suite->key_exchange; 528 529 pos = *msgpos; 530 531 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 532 533 rhdr = pos; 534 pos += TLS_RECORD_HEADER_LEN; 535 536 /* opaque fragment[TLSPlaintext.length] */ 537 538 /* Handshake */ 539 hs_start = pos; 540 /* HandshakeType msg_type */ 541 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 542 /* uint24 length (to be filled) */ 543 hs_length = pos; 544 pos += 3; 545 /* body - ClientKeyExchange */ 546 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) { 547 if (tlsv1_key_x_dh(conn, &pos, end) < 0) 548 return -1; 549 } else { 550 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 551 return -1; 552 } 553 554 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 555 556 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 557 rhdr, end - rhdr, hs_start, pos - hs_start, 558 &rlen) < 0) { 559 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 561 TLS_ALERT_INTERNAL_ERROR); 562 return -1; 563 } 564 pos = rhdr + rlen; 565 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 566 567 *msgpos = pos; 568 569 return 0; 570 } 571 572 573 static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 574 u8 **msgpos, u8 *end) 575 { 576 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 577 size_t rlen, hlen, clen; 578 u8 hash[100], *hpos; 579 580 pos = *msgpos; 581 582 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 583 rhdr = pos; 584 pos += TLS_RECORD_HEADER_LEN; 585 586 /* Handshake */ 587 hs_start = pos; 588 /* HandshakeType msg_type */ 589 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 590 /* uint24 length (to be filled) */ 591 hs_length = pos; 592 pos += 3; 593 594 /* 595 * RFC 2246: 7.4.3 and 7.4.8: 596 * Signature signature 597 * 598 * RSA: 599 * digitally-signed struct { 600 * opaque md5_hash[16]; 601 * opaque sha_hash[20]; 602 * }; 603 * 604 * DSA: 605 * digitally-signed struct { 606 * opaque sha_hash[20]; 607 * }; 608 * 609 * The hash values are calculated over all handshake messages sent or 610 * received starting at ClientHello up to, but not including, this 611 * CertificateVerify message, including the type and length fields of 612 * the handshake messages. 613 */ 614 615 hpos = hash; 616 617 #ifdef CONFIG_TLSV12 618 if (conn->rl.tls_version == TLS_VERSION_1_2) { 619 hlen = SHA256_MAC_LEN; 620 if (conn->verify.sha256_cert == NULL || 621 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 622 0) { 623 conn->verify.sha256_cert = NULL; 624 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 625 TLS_ALERT_INTERNAL_ERROR); 626 return -1; 627 } 628 conn->verify.sha256_cert = NULL; 629 630 /* 631 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 632 * 633 * DigestInfo ::= SEQUENCE { 634 * digestAlgorithm DigestAlgorithm, 635 * digest OCTET STRING 636 * } 637 * 638 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 639 * 640 * DER encoded DigestInfo for SHA256 per RFC 3447: 641 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 642 * H 643 */ 644 os_memmove(hash + 19, hash, hlen); 645 hlen += 19; 646 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 647 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 648 } else { 649 #endif /* CONFIG_TLSV12 */ 650 651 hlen = MD5_MAC_LEN; 652 if (conn->verify.md5_cert == NULL || 653 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 654 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 655 TLS_ALERT_INTERNAL_ERROR); 656 conn->verify.md5_cert = NULL; 657 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 658 conn->verify.sha1_cert = NULL; 659 return -1; 660 } 661 hpos += MD5_MAC_LEN; 662 663 conn->verify.md5_cert = NULL; 664 hlen = SHA1_MAC_LEN; 665 if (conn->verify.sha1_cert == NULL || 666 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 667 conn->verify.sha1_cert = NULL; 668 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 669 TLS_ALERT_INTERNAL_ERROR); 670 return -1; 671 } 672 conn->verify.sha1_cert = NULL; 673 674 hlen += MD5_MAC_LEN; 675 676 #ifdef CONFIG_TLSV12 677 } 678 #endif /* CONFIG_TLSV12 */ 679 680 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 681 682 #ifdef CONFIG_TLSV12 683 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 684 /* 685 * RFC 5246, 4.7: 686 * TLS v1.2 adds explicit indication of the used signature and 687 * hash algorithms. 688 * 689 * struct { 690 * HashAlgorithm hash; 691 * SignatureAlgorithm signature; 692 * } SignatureAndHashAlgorithm; 693 */ 694 *pos++ = TLS_HASH_ALG_SHA256; 695 *pos++ = TLS_SIGN_ALG_RSA; 696 } 697 #endif /* CONFIG_TLSV12 */ 698 699 /* 700 * RFC 2246, 4.7: 701 * In digital signing, one-way hash functions are used as input for a 702 * signing algorithm. A digitally-signed element is encoded as an 703 * opaque vector <0..2^16-1>, where the length is specified by the 704 * signing algorithm and key. 705 * 706 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 707 * MD5) is signed (encrypted with the private key). It is encoded with 708 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 709 */ 710 signed_start = pos; /* length to be filled */ 711 pos += 2; 712 clen = end - pos; 713 if (conn->cred == NULL || 714 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 715 pos, &clen) < 0) { 716 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 717 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 718 TLS_ALERT_INTERNAL_ERROR); 719 return -1; 720 } 721 WPA_PUT_BE16(signed_start, clen); 722 723 pos += clen; 724 725 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 726 727 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 728 rhdr, end - rhdr, hs_start, pos - hs_start, 729 &rlen) < 0) { 730 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 731 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 732 TLS_ALERT_INTERNAL_ERROR); 733 return -1; 734 } 735 pos = rhdr + rlen; 736 737 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 738 739 *msgpos = pos; 740 741 return 0; 742 } 743 744 745 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 746 u8 **msgpos, u8 *end) 747 { 748 size_t rlen; 749 u8 payload[1]; 750 751 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 752 753 payload[0] = TLS_CHANGE_CIPHER_SPEC; 754 755 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 756 *msgpos, end - *msgpos, payload, sizeof(payload), 757 &rlen) < 0) { 758 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 759 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 760 TLS_ALERT_INTERNAL_ERROR); 761 return -1; 762 } 763 764 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 765 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 766 "record layer"); 767 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 768 TLS_ALERT_INTERNAL_ERROR); 769 return -1; 770 } 771 772 *msgpos += rlen; 773 774 return 0; 775 } 776 777 778 static int tls_write_client_finished(struct tlsv1_client *conn, 779 u8 **msgpos, u8 *end) 780 { 781 u8 *pos, *hs_start; 782 size_t rlen, hlen; 783 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 784 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 785 786 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 787 788 /* Encrypted Handshake Message: Finished */ 789 790 #ifdef CONFIG_TLSV12 791 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 792 hlen = SHA256_MAC_LEN; 793 if (conn->verify.sha256_client == NULL || 794 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 795 < 0) { 796 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 797 TLS_ALERT_INTERNAL_ERROR); 798 conn->verify.sha256_client = NULL; 799 return -1; 800 } 801 conn->verify.sha256_client = NULL; 802 } else { 803 #endif /* CONFIG_TLSV12 */ 804 805 hlen = MD5_MAC_LEN; 806 if (conn->verify.md5_client == NULL || 807 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 808 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 809 TLS_ALERT_INTERNAL_ERROR); 810 conn->verify.md5_client = NULL; 811 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 812 conn->verify.sha1_client = NULL; 813 return -1; 814 } 815 conn->verify.md5_client = NULL; 816 hlen = SHA1_MAC_LEN; 817 if (conn->verify.sha1_client == NULL || 818 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 819 &hlen) < 0) { 820 conn->verify.sha1_client = NULL; 821 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 822 TLS_ALERT_INTERNAL_ERROR); 823 return -1; 824 } 825 conn->verify.sha1_client = NULL; 826 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 827 828 #ifdef CONFIG_TLSV12 829 } 830 #endif /* CONFIG_TLSV12 */ 831 832 if (tls_prf(conn->rl.tls_version, 833 conn->master_secret, TLS_MASTER_SECRET_LEN, 834 "client finished", hash, hlen, 835 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 836 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 838 TLS_ALERT_INTERNAL_ERROR); 839 return -1; 840 } 841 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 842 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 843 844 /* Handshake */ 845 pos = hs_start = verify_data; 846 /* HandshakeType msg_type */ 847 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 848 /* uint24 length */ 849 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 850 pos += 3; 851 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 852 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 853 854 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 855 *msgpos, end - *msgpos, hs_start, pos - hs_start, 856 &rlen) < 0) { 857 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 858 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 859 TLS_ALERT_INTERNAL_ERROR); 860 return -1; 861 } 862 863 *msgpos += rlen; 864 865 return 0; 866 } 867 868 869 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 870 size_t *out_len) 871 { 872 u8 *msg, *end, *pos; 873 size_t msglen; 874 875 *out_len = 0; 876 877 msglen = 2000; 878 if (conn->certificate_requested) 879 msglen += tls_client_cert_chain_der_len(conn); 880 881 msg = os_malloc(msglen); 882 if (msg == NULL) 883 return NULL; 884 885 pos = msg; 886 end = msg + msglen; 887 888 if (conn->certificate_requested) { 889 if (tls_write_client_certificate(conn, &pos, end) < 0) { 890 os_free(msg); 891 return NULL; 892 } 893 } 894 895 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 896 (conn->certificate_requested && conn->cred && conn->cred->key && 897 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 898 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 899 tls_write_client_finished(conn, &pos, end) < 0) { 900 os_free(msg); 901 return NULL; 902 } 903 904 *out_len = pos - msg; 905 906 conn->state = SERVER_CHANGE_CIPHER_SPEC; 907 908 return msg; 909 } 910 911 912 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 913 size_t *out_len) 914 { 915 u8 *msg, *end, *pos; 916 917 *out_len = 0; 918 919 msg = os_malloc(1000); 920 if (msg == NULL) 921 return NULL; 922 923 pos = msg; 924 end = msg + 1000; 925 926 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 927 tls_write_client_finished(conn, &pos, end) < 0) { 928 os_free(msg); 929 return NULL; 930 } 931 932 *out_len = pos - msg; 933 934 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 935 "successfully"); 936 if (!conn->session_resumed && conn->use_session_ticket) 937 conn->session_resumed = 1; 938 conn->state = ESTABLISHED; 939 940 return msg; 941 } 942 943 944 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len, 945 int no_appl_data) 946 { 947 switch (conn->state) { 948 case CLIENT_KEY_EXCHANGE: 949 return tls_send_client_key_exchange(conn, out_len); 950 case CHANGE_CIPHER_SPEC: 951 return tls_send_change_cipher_spec(conn, out_len); 952 case ACK_FINISHED: 953 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed " 954 "successfully"); 955 conn->state = ESTABLISHED; 956 *out_len = 0; 957 if (no_appl_data) { 958 /* Need to return something to get final TLS ACK. */ 959 return os_malloc(1); 960 } 961 return NULL; 962 default: 963 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while " 964 "generating reply", conn->state); 965 return NULL; 966 } 967 } 968 969 970 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level, 971 u8 description, size_t *out_len) 972 { 973 u8 *alert, *pos, *length; 974 975 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description); 976 *out_len = 0; 977 978 alert = os_malloc(10); 979 if (alert == NULL) 980 return NULL; 981 982 pos = alert; 983 984 /* TLSPlaintext */ 985 /* ContentType type */ 986 *pos++ = TLS_CONTENT_TYPE_ALERT; 987 /* ProtocolVersion version */ 988 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version : 989 TLS_VERSION); 990 pos += 2; 991 /* uint16 length (to be filled) */ 992 length = pos; 993 pos += 2; 994 /* opaque fragment[TLSPlaintext.length] */ 995 996 /* Alert */ 997 /* AlertLevel level */ 998 *pos++ = level; 999 /* AlertDescription description */ 1000 *pos++ = description; 1001 1002 WPA_PUT_BE16(length, pos - length - 2); 1003 *out_len = pos - alert; 1004 1005 return alert; 1006 } 1007
