1  /*
2   * TLSv1 client - write handshake message
3   * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4   *
5   * This software may be distributed under the terms of the BSD license.
6   * See README for more details.
7   */
8  
9  #include "includes.h"
10  
11  #include "common.h"
12  #include "crypto/md5.h"
13  #include "crypto/sha1.h"
14  #include "crypto/sha256.h"
15  #include "crypto/tls.h"
16  #include "crypto/random.h"
17  #include "x509v3.h"
18  #include "tlsv1_common.h"
19  #include "tlsv1_record.h"
20  #include "tlsv1_client.h"
21  #include "tlsv1_client_i.h"
22  
23  
tls_client_cert_chain_der_len(struct tlsv1_client * conn)24  static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
25  {
26  	size_t len = 0;
27  	struct x509_certificate *cert;
28  
29  	if (conn->cred == NULL)
30  		return 0;
31  
32  	cert = conn->cred->cert;
33  	while (cert) {
34  		len += 3 + cert->cert_len;
35  		if (x509_certificate_self_signed(cert))
36  			break;
37  		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
38  						    &cert->issuer);
39  	}
40  
41  	return len;
42  }
43  
44  
tls_send_client_hello(struct tlsv1_client * conn,size_t * out_len)45  u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
46  {
47  	u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
48  	struct os_time now;
49  	size_t len, i;
50  	u8 *ext_start;
51  	u16 tls_version = tls_client_highest_ver(conn);
52  
53  	if (!tls_version) {
54  		wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed");
55  		return NULL;
56  	}
57  
58  	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)",
59  		   tls_version_str(tls_version));
60  	*out_len = 0;
61  
62  	os_get_time(&now);
63  #ifdef TEST_FUZZ
64  	now.sec = 0xfffefdfc;
65  #endif /* TEST_FUZZ */
66  	WPA_PUT_BE32(conn->client_random, now.sec);
67  	if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
68  		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
69  			   "client_random");
70  		return NULL;
71  	}
72  	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
73  		    conn->client_random, TLS_RANDOM_LEN);
74  
75  	len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
76  	hello = os_malloc(len);
77  	if (hello == NULL)
78  		return NULL;
79  	end = hello + len;
80  
81  	rhdr = hello;
82  	pos = rhdr + TLS_RECORD_HEADER_LEN;
83  
84  	/* opaque fragment[TLSPlaintext.length] */
85  
86  	/* Handshake */
87  	hs_start = pos;
88  	/* HandshakeType msg_type */
89  	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
90  	/* uint24 length (to be filled) */
91  	hs_length = pos;
92  	pos += 3;
93  	/* body - ClientHello */
94  	/* ProtocolVersion client_version */
95  	WPA_PUT_BE16(pos, tls_version);
96  	pos += 2;
97  	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
98  	os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
99  	pos += TLS_RANDOM_LEN;
100  	/* SessionID session_id */
101  	*pos++ = conn->session_id_len;
102  	os_memcpy(pos, conn->session_id, conn->session_id_len);
103  	pos += conn->session_id_len;
104  	/* CipherSuite cipher_suites<2..2^16-1> */
105  	WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
106  	pos += 2;
107  	for (i = 0; i < conn->num_cipher_suites; i++) {
108  		WPA_PUT_BE16(pos, conn->cipher_suites[i]);
109  		pos += 2;
110  	}
111  	/* CompressionMethod compression_methods<1..2^8-1> */
112  	*pos++ = 1;
113  	*pos++ = TLS_COMPRESSION_NULL;
114  
115  	/* Extension */
116  	ext_start = pos;
117  	pos += 2;
118  
119  #ifdef CONFIG_TLSV12
120  	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
121  		/*
122  		 * Add signature_algorithms extension since we support only
123  		 * SHA256 (and not the default SHA1) with TLSv1.2.
124  		 */
125  		/* ExtensionsType extension_type = signature_algorithms(13) */
126  		WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
127  		pos += 2;
128  		/* opaque extension_data<0..2^16-1> length */
129  		WPA_PUT_BE16(pos, 8);
130  		pos += 2;
131  		/* supported_signature_algorithms<2..2^16-2> length */
132  		WPA_PUT_BE16(pos, 6);
133  		pos += 2;
134  		/* supported_signature_algorithms */
135  		*pos++ = TLS_HASH_ALG_SHA512;
136  		*pos++ = TLS_SIGN_ALG_RSA;
137  		*pos++ = TLS_HASH_ALG_SHA384;
138  		*pos++ = TLS_SIGN_ALG_RSA;
139  		*pos++ = TLS_HASH_ALG_SHA256;
140  		*pos++ = TLS_SIGN_ALG_RSA;
141  	}
142  #endif /* CONFIG_TLSV12 */
143  
144  	if (conn->client_hello_ext) {
145  		os_memcpy(pos, conn->client_hello_ext,
146  			  conn->client_hello_ext_len);
147  		pos += conn->client_hello_ext_len;
148  	}
149  
150  	if (conn->flags & TLS_CONN_REQUEST_OCSP) {
151  		wpa_printf(MSG_DEBUG,
152  			   "TLSv1: Add status_request extension for OCSP stapling");
153  		/* ExtensionsType extension_type = status_request(5) */
154  		WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
155  		pos += 2;
156  		/* opaque extension_data<0..2^16-1> length */
157  		WPA_PUT_BE16(pos, 5);
158  		pos += 2;
159  
160  		/*
161  		 * RFC 6066, 8:
162  		 * struct {
163  		 *     CertificateStatusType status_type;
164  		 *     select (status_type) {
165  		 *         case ocsp: OCSPStatusRequest;
166  		 *     } request;
167  		 * } CertificateStatusRequest;
168  		 *
169  		 * enum { ocsp(1), (255) } CertificateStatusType;
170  		 */
171  		*pos++ = 1; /* status_type = ocsp(1) */
172  
173  		/*
174  		 * struct {
175  		 *     ResponderID responder_id_list<0..2^16-1>;
176  		 *     Extensions  request_extensions;
177  		 * } OCSPStatusRequest;
178  		 *
179  		 * opaque ResponderID<1..2^16-1>;
180  		 * opaque Extensions<0..2^16-1>;
181  		 */
182  		WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
183  		pos += 2;
184  		WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
185  		pos += 2;
186  
187  		wpa_printf(MSG_DEBUG,
188  			   "TLSv1: Add status_request_v2 extension for OCSP stapling");
189  		/* ExtensionsType extension_type = status_request_v2(17) */
190  		WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
191  		pos += 2;
192  		/* opaque extension_data<0..2^16-1> length */
193  		WPA_PUT_BE16(pos, 7);
194  		pos += 2;
195  
196  		/*
197  		 * RFC 6961, 2.2:
198  		 * struct {
199  		 *     CertificateStatusType status_type;
200  		 *     uint16 request_length;
201  		 *     select (status_type) {
202  		 *         case ocsp: OCSPStatusRequest;
203  		 *         case ocsp_multi: OCSPStatusRequest;
204  		 *     } request;
205  		 * } CertificateStatusRequestItemV2;
206  		 *
207  		 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
208  		 *
209  		 * struct {
210  		 * CertificateStatusRequestItemV2
211  		 *     certificate_status_req_list<1..2^16-1>;
212  		 * } CertificateStatusRequestListV2;
213  		 */
214  
215  		/* certificate_status_req_list<1..2^16-1> */
216  		WPA_PUT_BE16(pos, 5);
217  		pos += 2;
218  
219  		/* CertificateStatusRequestItemV2 */
220  		*pos++ = 2; /* status_type = ocsp_multi(2) */
221  		/* OCSPStatusRequest as shown above for v1 */
222  		WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
223  		pos += 2;
224  		WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
225  		pos += 2;
226  	}
227  
228  	if (pos == ext_start + 2)
229  		pos -= 2; /* no extensions */
230  	else
231  		WPA_PUT_BE16(ext_start, pos - ext_start - 2);
232  
233  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
234  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
235  
236  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
237  			      rhdr, end - rhdr, hs_start, pos - hs_start,
238  			      out_len) < 0) {
239  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
240  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
241  			  TLS_ALERT_INTERNAL_ERROR);
242  		os_free(hello);
243  		return NULL;
244  	}
245  
246  	conn->state = SERVER_HELLO;
247  
248  	return hello;
249  }
250  
251  
tls_write_client_certificate(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)252  static int tls_write_client_certificate(struct tlsv1_client *conn,
253  					u8 **msgpos, u8 *end)
254  {
255  	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
256  	size_t rlen;
257  	struct x509_certificate *cert;
258  
259  	pos = *msgpos;
260  	if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
261  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
262  			  TLS_ALERT_INTERNAL_ERROR);
263  		return -1;
264  	}
265  
266  	wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
267  	rhdr = pos;
268  	pos += TLS_RECORD_HEADER_LEN;
269  
270  	/* opaque fragment[TLSPlaintext.length] */
271  
272  	/* Handshake */
273  	hs_start = pos;
274  	/* HandshakeType msg_type */
275  	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
276  	/* uint24 length (to be filled) */
277  	hs_length = pos;
278  	pos += 3;
279  	/* body - Certificate */
280  	/* uint24 length (to be filled) */
281  	cert_start = pos;
282  	pos += 3;
283  	cert = conn->cred ? conn->cred->cert : NULL;
284  	while (cert) {
285  		if (3 + cert->cert_len > (size_t) (end - pos)) {
286  			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
287  				   "for Certificate (cert_len=%lu left=%lu)",
288  				   (unsigned long) cert->cert_len,
289  				   (unsigned long) (end - pos));
290  			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
291  				  TLS_ALERT_INTERNAL_ERROR);
292  			return -1;
293  		}
294  		WPA_PUT_BE24(pos, cert->cert_len);
295  		pos += 3;
296  		os_memcpy(pos, cert->cert_start, cert->cert_len);
297  		pos += cert->cert_len;
298  
299  		if (x509_certificate_self_signed(cert))
300  			break;
301  		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
302  						    &cert->issuer);
303  	}
304  	if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
305  		/*
306  		 * Client was not configured with all the needed certificates
307  		 * to form a full certificate chain. The server may fail to
308  		 * validate the chain unless it is configured with all the
309  		 * missing CA certificates.
310  		 */
311  		wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
312  			   "not configured - validation may fail");
313  	}
314  	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
315  
316  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
317  
318  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
319  			      rhdr, end - rhdr, hs_start, pos - hs_start,
320  			      &rlen) < 0) {
321  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
322  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
323  			  TLS_ALERT_INTERNAL_ERROR);
324  		return -1;
325  	}
326  	pos = rhdr + rlen;
327  
328  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
329  
330  	*msgpos = pos;
331  
332  	return 0;
333  }
334  
335  
tlsv1_key_x_dh(struct tlsv1_client * conn,u8 ** pos,u8 * end)336  static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
337  {
338  	/* ClientDiffieHellmanPublic */
339  	u8 *csecret, *csecret_start, *dh_yc, *shared;
340  	size_t csecret_len, dh_yc_len, shared_len;
341  
342  	csecret_len = conn->dh_p_len;
343  	csecret = os_malloc(csecret_len);
344  	if (csecret == NULL) {
345  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
346  			   "memory for Yc (Diffie-Hellman)");
347  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
348  			  TLS_ALERT_INTERNAL_ERROR);
349  		return -1;
350  	}
351  	if (random_get_bytes(csecret, csecret_len)) {
352  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
353  			   "data for Diffie-Hellman");
354  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
355  			  TLS_ALERT_INTERNAL_ERROR);
356  		os_free(csecret);
357  		return -1;
358  	}
359  
360  	if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
361  		csecret[0] = 0; /* make sure Yc < p */
362  
363  	csecret_start = csecret;
364  	while (csecret_len > 1 && *csecret_start == 0) {
365  		csecret_start++;
366  		csecret_len--;
367  	}
368  	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
369  			csecret_start, csecret_len);
370  
371  	/* Yc = g^csecret mod p */
372  	dh_yc_len = conn->dh_p_len;
373  	dh_yc = os_malloc(dh_yc_len);
374  	if (dh_yc == NULL) {
375  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
376  			   "memory for Diffie-Hellman");
377  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
378  			  TLS_ALERT_INTERNAL_ERROR);
379  		os_free(csecret);
380  		return -1;
381  	}
382  	if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
383  			   csecret_start, csecret_len,
384  			   conn->dh_p, conn->dh_p_len,
385  			   dh_yc, &dh_yc_len)) {
386  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
387  			  TLS_ALERT_INTERNAL_ERROR);
388  		os_free(csecret);
389  		os_free(dh_yc);
390  		return -1;
391  	}
392  
393  	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
394  		    dh_yc, dh_yc_len);
395  
396  	if (end - *pos < 2) {
397  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
398  			  TLS_ALERT_INTERNAL_ERROR);
399  		os_free(csecret);
400  		os_free(dh_yc);
401  		return -1;
402  	}
403  	WPA_PUT_BE16(*pos, dh_yc_len);
404  	*pos += 2;
405  	if (dh_yc_len > (size_t) (end - *pos)) {
406  		wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
407  			   "message buffer for Yc");
408  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
409  			  TLS_ALERT_INTERNAL_ERROR);
410  		os_free(csecret);
411  		os_free(dh_yc);
412  		return -1;
413  	}
414  	os_memcpy(*pos, dh_yc, dh_yc_len);
415  	*pos += dh_yc_len;
416  	os_free(dh_yc);
417  
418  	shared_len = conn->dh_p_len;
419  	shared = os_malloc(shared_len);
420  	if (shared == NULL) {
421  		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
422  			   "DH");
423  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
424  			  TLS_ALERT_INTERNAL_ERROR);
425  		os_free(csecret);
426  		return -1;
427  	}
428  
429  	/* shared = Ys^csecret mod p */
430  	if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
431  			   csecret_start, csecret_len,
432  			   conn->dh_p, conn->dh_p_len,
433  			   shared, &shared_len)) {
434  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
435  			  TLS_ALERT_INTERNAL_ERROR);
436  		os_free(csecret);
437  		os_free(shared);
438  		return -1;
439  	}
440  	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
441  			shared, shared_len);
442  
443  	os_memset(csecret_start, 0, csecret_len);
444  	os_free(csecret);
445  	if (tls_derive_keys(conn, shared, shared_len)) {
446  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
447  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
448  			  TLS_ALERT_INTERNAL_ERROR);
449  		os_free(shared);
450  		return -1;
451  	}
452  	os_memset(shared, 0, shared_len);
453  	os_free(shared);
454  	tlsv1_client_free_dh(conn);
455  	return 0;
456  }
457  
458  
tlsv1_key_x_rsa(struct tlsv1_client * conn,u8 ** pos,u8 * end)459  static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
460  {
461  	u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
462  	size_t clen;
463  	int res;
464  
465  	if (tls_derive_pre_master_secret(conn, pre_master_secret) < 0 ||
466  	    tls_derive_keys(conn, pre_master_secret,
467  			    TLS_PRE_MASTER_SECRET_LEN)) {
468  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
469  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
470  			  TLS_ALERT_INTERNAL_ERROR);
471  		return -1;
472  	}
473  
474  	/* EncryptedPreMasterSecret */
475  	if (conn->server_rsa_key == NULL) {
476  		wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
477  			   "use for encrypting pre-master secret");
478  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
479  			  TLS_ALERT_INTERNAL_ERROR);
480  		return -1;
481  	}
482  
483  	/* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
484  	*pos += 2;
485  	clen = end - *pos;
486  	res = crypto_public_key_encrypt_pkcs1_v15(
487  		conn->server_rsa_key,
488  		pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
489  		*pos, &clen);
490  	os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
491  	if (res < 0) {
492  		wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
493  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
494  			  TLS_ALERT_INTERNAL_ERROR);
495  		return -1;
496  	}
497  	WPA_PUT_BE16(*pos - 2, clen);
498  	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
499  		    *pos, clen);
500  	*pos += clen;
501  
502  	return 0;
503  }
504  
505  
tls_write_client_key_exchange(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)506  static int tls_write_client_key_exchange(struct tlsv1_client *conn,
507  					 u8 **msgpos, u8 *end)
508  {
509  	u8 *pos, *rhdr, *hs_start, *hs_length;
510  	size_t rlen;
511  	tls_key_exchange keyx;
512  	const struct tls_cipher_suite *suite;
513  
514  	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
515  	if (suite == NULL)
516  		keyx = TLS_KEY_X_NULL;
517  	else
518  		keyx = suite->key_exchange;
519  
520  	pos = *msgpos;
521  
522  	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
523  
524  	rhdr = pos;
525  	pos += TLS_RECORD_HEADER_LEN;
526  
527  	/* opaque fragment[TLSPlaintext.length] */
528  
529  	/* Handshake */
530  	hs_start = pos;
531  	/* HandshakeType msg_type */
532  	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
533  	/* uint24 length (to be filled) */
534  	hs_length = pos;
535  	pos += 3;
536  	/* body - ClientKeyExchange */
537  	if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) {
538  		if (tlsv1_key_x_dh(conn, &pos, end) < 0)
539  			return -1;
540  	} else {
541  		if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
542  			return -1;
543  	}
544  
545  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
546  
547  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
548  			      rhdr, end - rhdr, hs_start, pos - hs_start,
549  			      &rlen) < 0) {
550  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
551  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
552  			  TLS_ALERT_INTERNAL_ERROR);
553  		return -1;
554  	}
555  	pos = rhdr + rlen;
556  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
557  
558  	*msgpos = pos;
559  
560  	return 0;
561  }
562  
563  
tls_write_client_certificate_verify(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)564  static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
565  					       u8 **msgpos, u8 *end)
566  {
567  	u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
568  	size_t rlen, hlen, clen;
569  	u8 hash[100], *hpos;
570  
571  	pos = *msgpos;
572  
573  	wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
574  	rhdr = pos;
575  	pos += TLS_RECORD_HEADER_LEN;
576  
577  	/* Handshake */
578  	hs_start = pos;
579  	/* HandshakeType msg_type */
580  	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
581  	/* uint24 length (to be filled) */
582  	hs_length = pos;
583  	pos += 3;
584  
585  	/*
586  	 * RFC 2246: 7.4.3 and 7.4.8:
587  	 * Signature signature
588  	 *
589  	 * RSA:
590  	 * digitally-signed struct {
591  	 *     opaque md5_hash[16];
592  	 *     opaque sha_hash[20];
593  	 * };
594  	 *
595  	 * DSA:
596  	 * digitally-signed struct {
597  	 *     opaque sha_hash[20];
598  	 * };
599  	 *
600  	 * The hash values are calculated over all handshake messages sent or
601  	 * received starting at ClientHello up to, but not including, this
602  	 * CertificateVerify message, including the type and length fields of
603  	 * the handshake messages.
604  	 */
605  
606  	hpos = hash;
607  
608  #ifdef CONFIG_TLSV12
609  	if (conn->rl.tls_version == TLS_VERSION_1_2) {
610  		hlen = SHA256_MAC_LEN;
611  		if (conn->verify.sha256_cert == NULL ||
612  		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
613  		    0) {
614  			conn->verify.sha256_cert = NULL;
615  			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
616  				  TLS_ALERT_INTERNAL_ERROR);
617  			return -1;
618  		}
619  		conn->verify.sha256_cert = NULL;
620  
621  		/*
622  		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
623  		 *
624  		 * DigestInfo ::= SEQUENCE {
625  		 *   digestAlgorithm DigestAlgorithm,
626  		 *   digest OCTET STRING
627  		 * }
628  		 *
629  		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
630  		 *
631  		 * DER encoded DigestInfo for SHA256 per RFC 3447:
632  		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
633  		 * H
634  		 */
635  		os_memmove(hash + 19, hash, hlen);
636  		hlen += 19;
637  		os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
638  			  "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
639  	} else {
640  #endif /* CONFIG_TLSV12 */
641  
642  	hlen = MD5_MAC_LEN;
643  	if (conn->verify.md5_cert == NULL ||
644  	    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
645  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
646  			  TLS_ALERT_INTERNAL_ERROR);
647  		conn->verify.md5_cert = NULL;
648  		crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
649  		conn->verify.sha1_cert = NULL;
650  		return -1;
651  	}
652  	hpos += MD5_MAC_LEN;
653  
654  	conn->verify.md5_cert = NULL;
655  	hlen = SHA1_MAC_LEN;
656  	if (conn->verify.sha1_cert == NULL ||
657  	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
658  		conn->verify.sha1_cert = NULL;
659  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
660  			  TLS_ALERT_INTERNAL_ERROR);
661  		return -1;
662  	}
663  	conn->verify.sha1_cert = NULL;
664  
665  	hlen += MD5_MAC_LEN;
666  
667  #ifdef CONFIG_TLSV12
668  	}
669  #endif /* CONFIG_TLSV12 */
670  
671  	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
672  
673  #ifdef CONFIG_TLSV12
674  	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
675  		/*
676  		 * RFC 5246, 4.7:
677  		 * TLS v1.2 adds explicit indication of the used signature and
678  		 * hash algorithms.
679  		 *
680  		 * struct {
681  		 *   HashAlgorithm hash;
682  		 *   SignatureAlgorithm signature;
683  		 * } SignatureAndHashAlgorithm;
684  		 */
685  		*pos++ = TLS_HASH_ALG_SHA256;
686  		*pos++ = TLS_SIGN_ALG_RSA;
687  	}
688  #endif /* CONFIG_TLSV12 */
689  
690  	/*
691  	 * RFC 2246, 4.7:
692  	 * In digital signing, one-way hash functions are used as input for a
693  	 * signing algorithm. A digitally-signed element is encoded as an
694  	 * opaque vector <0..2^16-1>, where the length is specified by the
695  	 * signing algorithm and key.
696  	 *
697  	 * In RSA signing, a 36-byte structure of two hashes (one SHA and one
698  	 * MD5) is signed (encrypted with the private key). It is encoded with
699  	 * PKCS #1 block type 0 or type 1 as described in [PKCS1].
700  	 */
701  	signed_start = pos; /* length to be filled */
702  	pos += 2;
703  	clen = end - pos;
704  	if (conn->cred == NULL ||
705  	    crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
706  					  pos, &clen) < 0) {
707  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
708  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
709  			  TLS_ALERT_INTERNAL_ERROR);
710  		return -1;
711  	}
712  	WPA_PUT_BE16(signed_start, clen);
713  
714  	pos += clen;
715  
716  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
717  
718  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
719  			      rhdr, end - rhdr, hs_start, pos - hs_start,
720  			      &rlen) < 0) {
721  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
722  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
723  			  TLS_ALERT_INTERNAL_ERROR);
724  		return -1;
725  	}
726  	pos = rhdr + rlen;
727  
728  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
729  
730  	*msgpos = pos;
731  
732  	return 0;
733  }
734  
735  
tls_write_client_change_cipher_spec(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)736  static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
737  					       u8 **msgpos, u8 *end)
738  {
739  	size_t rlen;
740  	u8 payload[1];
741  
742  	wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
743  
744  	payload[0] = TLS_CHANGE_CIPHER_SPEC;
745  
746  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
747  			      *msgpos, end - *msgpos, payload, sizeof(payload),
748  			      &rlen) < 0) {
749  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
750  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
751  			  TLS_ALERT_INTERNAL_ERROR);
752  		return -1;
753  	}
754  
755  	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
756  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
757  			   "record layer");
758  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
759  			  TLS_ALERT_INTERNAL_ERROR);
760  		return -1;
761  	}
762  
763  	*msgpos += rlen;
764  
765  	return 0;
766  }
767  
768  
tls_write_client_finished(struct tlsv1_client * conn,u8 ** msgpos,u8 * end)769  static int tls_write_client_finished(struct tlsv1_client *conn,
770  				     u8 **msgpos, u8 *end)
771  {
772  	u8 *pos, *hs_start;
773  	size_t rlen, hlen;
774  	u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
775  	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
776  
777  	wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
778  
779  	/* Encrypted Handshake Message: Finished */
780  
781  #ifdef CONFIG_TLSV12
782  	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
783  		hlen = SHA256_MAC_LEN;
784  		if (conn->verify.sha256_client == NULL ||
785  		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
786  		    < 0) {
787  			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
788  				  TLS_ALERT_INTERNAL_ERROR);
789  			conn->verify.sha256_client = NULL;
790  			return -1;
791  		}
792  		conn->verify.sha256_client = NULL;
793  	} else {
794  #endif /* CONFIG_TLSV12 */
795  
796  	hlen = MD5_MAC_LEN;
797  	if (conn->verify.md5_client == NULL ||
798  	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
799  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
800  			  TLS_ALERT_INTERNAL_ERROR);
801  		conn->verify.md5_client = NULL;
802  		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
803  		conn->verify.sha1_client = NULL;
804  		return -1;
805  	}
806  	conn->verify.md5_client = NULL;
807  	hlen = SHA1_MAC_LEN;
808  	if (conn->verify.sha1_client == NULL ||
809  	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
810  			       &hlen) < 0) {
811  		conn->verify.sha1_client = NULL;
812  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
813  			  TLS_ALERT_INTERNAL_ERROR);
814  		return -1;
815  	}
816  	conn->verify.sha1_client = NULL;
817  	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
818  
819  #ifdef CONFIG_TLSV12
820  	}
821  #endif /* CONFIG_TLSV12 */
822  
823  	if (tls_prf(conn->rl.tls_version,
824  		    conn->master_secret, TLS_MASTER_SECRET_LEN,
825  		    "client finished", hash, hlen,
826  		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
827  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
828  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
829  			  TLS_ALERT_INTERNAL_ERROR);
830  		return -1;
831  	}
832  	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
833  			verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
834  
835  	/* Handshake */
836  	pos = hs_start = verify_data;
837  	/* HandshakeType msg_type */
838  	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
839  	/* uint24 length */
840  	WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
841  	pos += 3;
842  	pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */
843  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
844  
845  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
846  			      *msgpos, end - *msgpos, hs_start, pos - hs_start,
847  			      &rlen) < 0) {
848  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
849  		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
850  			  TLS_ALERT_INTERNAL_ERROR);
851  		return -1;
852  	}
853  
854  	*msgpos += rlen;
855  
856  	return 0;
857  }
858  
859  
tls_send_client_key_exchange(struct tlsv1_client * conn,size_t * out_len)860  static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
861  					 size_t *out_len)
862  {
863  	u8 *msg, *end, *pos;
864  	size_t msglen;
865  
866  	*out_len = 0;
867  
868  	msglen = 2000;
869  	if (conn->certificate_requested)
870  		msglen += tls_client_cert_chain_der_len(conn);
871  
872  	msg = os_malloc(msglen);
873  	if (msg == NULL)
874  		return NULL;
875  
876  	pos = msg;
877  	end = msg + msglen;
878  
879  	if (conn->certificate_requested) {
880  		if (tls_write_client_certificate(conn, &pos, end) < 0) {
881  			os_free(msg);
882  			return NULL;
883  		}
884  	}
885  
886  	if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
887  	    (conn->certificate_requested && conn->cred && conn->cred->key &&
888  	     tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
889  	    tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
890  	    tls_write_client_finished(conn, &pos, end) < 0) {
891  		os_free(msg);
892  		return NULL;
893  	}
894  
895  	*out_len = pos - msg;
896  
897  	conn->state = SERVER_CHANGE_CIPHER_SPEC;
898  
899  	return msg;
900  }
901  
902  
tls_send_change_cipher_spec(struct tlsv1_client * conn,size_t * out_len)903  static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
904  					size_t *out_len)
905  {
906  	u8 *msg, *end, *pos;
907  
908  	*out_len = 0;
909  
910  	msg = os_malloc(1000);
911  	if (msg == NULL)
912  		return NULL;
913  
914  	pos = msg;
915  	end = msg + 1000;
916  
917  	if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
918  	    tls_write_client_finished(conn, &pos, end) < 0) {
919  		os_free(msg);
920  		return NULL;
921  	}
922  
923  	*out_len = pos - msg;
924  
925  	wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
926  		   "successfully");
927  	if (!conn->session_resumed && conn->use_session_ticket)
928  		conn->session_resumed = 1;
929  	conn->state = ESTABLISHED;
930  
931  	return msg;
932  }
933  
934  
tlsv1_client_handshake_write(struct tlsv1_client * conn,size_t * out_len,int no_appl_data)935  u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
936  				  int no_appl_data)
937  {
938  	switch (conn->state) {
939  	case CLIENT_KEY_EXCHANGE:
940  		return tls_send_client_key_exchange(conn, out_len);
941  	case CHANGE_CIPHER_SPEC:
942  		return tls_send_change_cipher_spec(conn, out_len);
943  	case ACK_FINISHED:
944  		wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
945  			   "successfully");
946  		conn->state = ESTABLISHED;
947  		*out_len = 0;
948  		if (no_appl_data) {
949  			/* Need to return something to get final TLS ACK. */
950  			return os_malloc(1);
951  		}
952  		return NULL;
953  	default:
954  		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
955  			   "generating reply", conn->state);
956  		return NULL;
957  	}
958  }
959  
960  
tlsv1_client_send_alert(struct tlsv1_client * conn,u8 level,u8 description,size_t * out_len)961  u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
962  			     u8 description, size_t *out_len)
963  {
964  	u8 *alert, *pos, *length;
965  
966  	wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
967  	*out_len = 0;
968  
969  	alert = os_malloc(10);
970  	if (alert == NULL)
971  		return NULL;
972  
973  	pos = alert;
974  
975  	/* TLSPlaintext */
976  	/* ContentType type */
977  	*pos++ = TLS_CONTENT_TYPE_ALERT;
978  	/* ProtocolVersion version */
979  	WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
980  		     TLS_VERSION);
981  	pos += 2;
982  	/* uint16 length (to be filled) */
983  	length = pos;
984  	pos += 2;
985  	/* opaque fragment[TLSPlaintext.length] */
986  
987  	/* Alert */
988  	/* AlertLevel level */
989  	*pos++ = level;
990  	/* AlertDescription description */
991  	*pos++ = description;
992  
993  	WPA_PUT_BE16(length, pos - length - 2);
994  	*out_len = pos - alert;
995  
996  	return alert;
997  }
998