1  /*
2   * TLSv1 server - write handshake message
3   * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4   *
5   * This software may be distributed under the terms of the BSD license.
6   * See README for more details.
7   */
8  
9  #include "includes.h"
10  
11  #include "common.h"
12  #include "crypto/md5.h"
13  #include "crypto/sha1.h"
14  #include "crypto/sha256.h"
15  #include "crypto/tls.h"
16  #include "crypto/random.h"
17  #include "x509v3.h"
18  #include "tlsv1_common.h"
19  #include "tlsv1_record.h"
20  #include "tlsv1_server.h"
21  #include "tlsv1_server_i.h"
22  
23  
tls_server_cert_chain_der_len(struct tlsv1_server * conn)24  static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
25  {
26  	size_t len = 0;
27  	struct x509_certificate *cert;
28  
29  	cert = conn->cred ? conn->cred->cert : NULL;
30  	while (cert) {
31  		len += 3 + cert->cert_len;
32  		if (x509_certificate_self_signed(cert))
33  			break;
34  		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
35  						    &cert->issuer);
36  	}
37  
38  	return len;
39  }
40  
41  
tls_write_server_hello(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)42  static int tls_write_server_hello(struct tlsv1_server *conn,
43  				  u8 **msgpos, u8 *end)
44  {
45  	u8 *pos, *rhdr, *hs_start, *hs_length, *ext_start;
46  	struct os_time now;
47  	size_t rlen;
48  
49  	pos = *msgpos;
50  
51  	tlsv1_server_log(conn, "Send ServerHello");
52  	rhdr = pos;
53  	pos += TLS_RECORD_HEADER_LEN;
54  
55  	os_get_time(&now);
56  #ifdef TEST_FUZZ
57  	now.sec = 0xfffefdfc;
58  #endif /* TEST_FUZZ */
59  	WPA_PUT_BE32(conn->server_random, now.sec);
60  	if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
61  		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
62  			   "server_random");
63  		return -1;
64  	}
65  	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
66  		    conn->server_random, TLS_RANDOM_LEN);
67  
68  	conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
69  	if (random_get_bytes(conn->session_id, conn->session_id_len)) {
70  		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
71  			   "session_id");
72  		return -1;
73  	}
74  	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
75  		    conn->session_id, conn->session_id_len);
76  
77  	/* opaque fragment[TLSPlaintext.length] */
78  
79  	/* Handshake */
80  	hs_start = pos;
81  	/* HandshakeType msg_type */
82  	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
83  	/* uint24 length (to be filled) */
84  	hs_length = pos;
85  	pos += 3;
86  	/* body - ServerHello */
87  	/* ProtocolVersion server_version */
88  	WPA_PUT_BE16(pos, conn->rl.tls_version);
89  	pos += 2;
90  	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
91  	os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
92  	pos += TLS_RANDOM_LEN;
93  	/* SessionID session_id */
94  	*pos++ = conn->session_id_len;
95  	os_memcpy(pos, conn->session_id, conn->session_id_len);
96  	pos += conn->session_id_len;
97  	/* CipherSuite cipher_suite */
98  	WPA_PUT_BE16(pos, conn->cipher_suite);
99  	pos += 2;
100  	/* CompressionMethod compression_method */
101  	*pos++ = TLS_COMPRESSION_NULL;
102  
103  	/* Extension */
104  	ext_start = pos;
105  	pos += 2;
106  
107  	if (conn->status_request) {
108  		/* Add a status_request extension with empty extension_data */
109  		/* ExtensionsType extension_type = status_request(5) */
110  		WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
111  		pos += 2;
112  		/* opaque extension_data<0..2^16-1> length */
113  		WPA_PUT_BE16(pos, 0);
114  		pos += 2;
115  	}
116  
117  	if (conn->status_request_v2) {
118  		/*
119  		  Add a status_request_v2 extension with empty extension_data
120  		*/
121  		/* ExtensionsType extension_type = status_request_v2(17) */
122  		WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
123  		pos += 2;
124  		/* opaque extension_data<0..2^16-1> length */
125  		WPA_PUT_BE16(pos, 0);
126  		pos += 2;
127  	}
128  
129  	if (conn->session_ticket && conn->session_ticket_cb) {
130  		int res = conn->session_ticket_cb(
131  			conn->session_ticket_cb_ctx,
132  			conn->session_ticket, conn->session_ticket_len,
133  			conn->client_random, conn->server_random,
134  			conn->master_secret);
135  		if (res < 0) {
136  			tlsv1_server_log(conn, "SessionTicket callback indicated failure");
137  			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
138  					   TLS_ALERT_HANDSHAKE_FAILURE);
139  			return -1;
140  		}
141  		conn->use_session_ticket = res;
142  
143  		if (conn->use_session_ticket) {
144  			if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
145  				wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
146  					   "derive keys");
147  				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
148  						   TLS_ALERT_INTERNAL_ERROR);
149  				return -1;
150  			}
151  		}
152  
153  		/*
154  		 * RFC 4507 specifies that server would include an empty
155  		 * SessionTicket extension in ServerHello and a
156  		 * NewSessionTicket message after the ServerHello. However,
157  		 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
158  		 * extension at the moment, does not use such extensions.
159  		 *
160  		 * TODO: Add support for configuring RFC 4507 behavior and make
161  		 * EAP-FAST disable it.
162  		 */
163  	}
164  
165  	if (pos == ext_start + 2)
166  		pos -= 2; /* no extensions */
167  	else
168  		WPA_PUT_BE16(ext_start, pos - ext_start - 2);
169  
170  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
171  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
172  
173  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
174  			      rhdr, end - rhdr, hs_start, pos - hs_start,
175  			      &rlen) < 0) {
176  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
177  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
178  				   TLS_ALERT_INTERNAL_ERROR);
179  		return -1;
180  	}
181  	pos = rhdr + rlen;
182  
183  	*msgpos = pos;
184  
185  	return 0;
186  }
187  
188  
tls_write_server_certificate(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)189  static int tls_write_server_certificate(struct tlsv1_server *conn,
190  					u8 **msgpos, u8 *end)
191  {
192  	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
193  	size_t rlen;
194  	struct x509_certificate *cert;
195  	const struct tls_cipher_suite *suite;
196  
197  	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
198  	if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
199  		wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
200  			   "using anonymous DH");
201  		return 0;
202  	}
203  
204  	pos = *msgpos;
205  	if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
206  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
207  				   TLS_ALERT_INTERNAL_ERROR);
208  		return -1;
209  	}
210  
211  	tlsv1_server_log(conn, "Send Certificate");
212  	rhdr = pos;
213  	pos += TLS_RECORD_HEADER_LEN;
214  
215  	/* opaque fragment[TLSPlaintext.length] */
216  
217  	/* Handshake */
218  	hs_start = pos;
219  	/* HandshakeType msg_type */
220  	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
221  	/* uint24 length (to be filled) */
222  	hs_length = pos;
223  	pos += 3;
224  	/* body - Certificate */
225  	/* uint24 length (to be filled) */
226  	cert_start = pos;
227  	pos += 3;
228  	cert = conn->cred->cert;
229  	while (cert) {
230  		if (3 + cert->cert_len > (size_t) (end - pos)) {
231  			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
232  				   "for Certificate (cert_len=%lu left=%lu)",
233  				   (unsigned long) cert->cert_len,
234  				   (unsigned long) (end - pos));
235  			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
236  					   TLS_ALERT_INTERNAL_ERROR);
237  			return -1;
238  		}
239  		WPA_PUT_BE24(pos, cert->cert_len);
240  		pos += 3;
241  		os_memcpy(pos, cert->cert_start, cert->cert_len);
242  		pos += cert->cert_len;
243  
244  		if (x509_certificate_self_signed(cert))
245  			break;
246  		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
247  						    &cert->issuer);
248  	}
249  	if (cert == conn->cred->cert || cert == NULL) {
250  		/*
251  		 * Server was not configured with all the needed certificates
252  		 * to form a full certificate chain. The client may fail to
253  		 * validate the chain unless it is configured with all the
254  		 * missing CA certificates.
255  		 */
256  		wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
257  			   "not configured - validation may fail");
258  	}
259  	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
260  
261  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
262  
263  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
264  			      rhdr, end - rhdr, hs_start, pos - hs_start,
265  			      &rlen) < 0) {
266  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
267  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
268  				   TLS_ALERT_INTERNAL_ERROR);
269  		return -1;
270  	}
271  	pos = rhdr + rlen;
272  
273  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
274  
275  	*msgpos = pos;
276  
277  	return 0;
278  }
279  
280  
tls_write_server_certificate_status(struct tlsv1_server * conn,u8 ** msgpos,u8 * end,int ocsp_multi,char * ocsp_resp,size_t ocsp_resp_len)281  static int tls_write_server_certificate_status(struct tlsv1_server *conn,
282  					       u8 **msgpos, u8 *end,
283  					       int ocsp_multi,
284  					       char *ocsp_resp,
285  					       size_t ocsp_resp_len)
286  {
287  	u8 *pos, *rhdr, *hs_start, *hs_length;
288  	size_t rlen;
289  
290  	if (!ocsp_resp) {
291  		 /*
292  		  * Client did not request certificate status or there is no
293  		  * matching response cached.
294  		  */
295  		return 0;
296  	}
297  
298  	pos = *msgpos;
299  	if (TLS_RECORD_HEADER_LEN + 1 + 3 + 1 + 3 + ocsp_resp_len >
300  	    (unsigned int) (end - pos)) {
301  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
302  				   TLS_ALERT_INTERNAL_ERROR);
303  		return -1;
304  	}
305  
306  	tlsv1_server_log(conn, "Send CertificateStatus (multi=%d)", ocsp_multi);
307  	rhdr = pos;
308  	pos += TLS_RECORD_HEADER_LEN;
309  
310  	/* opaque fragment[TLSPlaintext.length] */
311  
312  	/* Handshake */
313  	hs_start = pos;
314  	/* HandshakeType msg_type */
315  	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS;
316  	/* uint24 length (to be filled) */
317  	hs_length = pos;
318  	pos += 3;
319  
320  	/* body - CertificateStatus
321  	 *
322  	 * struct {
323  	 *     CertificateStatusType status_type;
324  	 *     select (status_type) {
325  	 *         case ocsp: OCSPResponse;
326  	 *         case ocsp_multi: OCSPResponseList;
327  	 *     } response;
328  	 * } CertificateStatus;
329  	 *
330  	 * opaque OCSPResponse<1..2^24-1>;
331  	 *
332  	 * struct {
333  	 *   OCSPResponse ocsp_response_list<1..2^24-1>;
334  	 * } OCSPResponseList;
335  	 */
336  
337  	/* CertificateStatusType status_type */
338  	if (ocsp_multi)
339  		*pos++ = 2; /* ocsp_multi(2) */
340  	else
341  		*pos++ = 1; /* ocsp(1) */
342  	/* uint24 length of OCSPResponse */
343  	WPA_PUT_BE24(pos, ocsp_resp_len);
344  	pos += 3;
345  	os_memcpy(pos, ocsp_resp, ocsp_resp_len);
346  	pos += ocsp_resp_len;
347  
348  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
349  
350  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
351  			      rhdr, end - rhdr, hs_start, pos - hs_start,
352  			      &rlen) < 0) {
353  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
354  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
355  				   TLS_ALERT_INTERNAL_ERROR);
356  		return -1;
357  	}
358  	pos = rhdr + rlen;
359  
360  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
361  
362  	*msgpos = pos;
363  
364  	return 0;
365  }
366  
367  
tls_write_server_key_exchange(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)368  static int tls_write_server_key_exchange(struct tlsv1_server *conn,
369  					 u8 **msgpos, u8 *end)
370  {
371  	tls_key_exchange keyx;
372  	const struct tls_cipher_suite *suite;
373  	u8 *pos, *rhdr, *hs_start, *hs_length, *server_params;
374  	size_t rlen;
375  	u8 *dh_ys;
376  	size_t dh_ys_len;
377  	const u8 *dh_p;
378  	size_t dh_p_len;
379  
380  	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
381  	if (suite == NULL)
382  		keyx = TLS_KEY_X_NULL;
383  	else
384  		keyx = suite->key_exchange;
385  
386  	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
387  		wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
388  		return 0;
389  	}
390  
391  	if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA) {
392  		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
393  			   "supported with key exchange type %d", keyx);
394  		return -1;
395  	}
396  
397  	if (conn->cred == NULL || conn->cred->dh_p == NULL ||
398  	    conn->cred->dh_g == NULL) {
399  		wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
400  			   "ServerKeyExhcange");
401  		return -1;
402  	}
403  
404  	tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
405  
406  	os_free(conn->dh_secret);
407  	conn->dh_secret_len = dh_p_len;
408  	conn->dh_secret = os_malloc(conn->dh_secret_len);
409  	if (conn->dh_secret == NULL) {
410  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
411  			   "memory for secret (Diffie-Hellman)");
412  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
413  				   TLS_ALERT_INTERNAL_ERROR);
414  		return -1;
415  	}
416  	if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
417  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
418  			   "data for Diffie-Hellman");
419  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420  				   TLS_ALERT_INTERNAL_ERROR);
421  		os_free(conn->dh_secret);
422  		conn->dh_secret = NULL;
423  		return -1;
424  	}
425  
426  	if (os_memcmp(conn->dh_secret, dh_p, conn->dh_secret_len) > 0)
427  		conn->dh_secret[0] = 0; /* make sure secret < p */
428  
429  	pos = conn->dh_secret;
430  	while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
431  		pos++;
432  	if (pos != conn->dh_secret) {
433  		os_memmove(conn->dh_secret, pos,
434  			   conn->dh_secret_len - (pos - conn->dh_secret));
435  		conn->dh_secret_len -= pos - conn->dh_secret;
436  	}
437  	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
438  			conn->dh_secret, conn->dh_secret_len);
439  
440  	/* Ys = g^secret mod p */
441  	dh_ys_len = dh_p_len;
442  	dh_ys = os_malloc(dh_ys_len);
443  	if (dh_ys == NULL) {
444  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
445  			   "Diffie-Hellman");
446  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
447  				   TLS_ALERT_INTERNAL_ERROR);
448  		return -1;
449  	}
450  	if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
451  			   conn->dh_secret, conn->dh_secret_len,
452  			   dh_p, dh_p_len, dh_ys, &dh_ys_len)) {
453  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
454  				   TLS_ALERT_INTERNAL_ERROR);
455  		os_free(dh_ys);
456  		return -1;
457  	}
458  
459  	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
460  		    dh_ys, dh_ys_len);
461  
462  	/*
463  	 * struct {
464  	 *    select (KeyExchangeAlgorithm) {
465  	 *       case diffie_hellman:
466  	 *          ServerDHParams params;
467  	 *          Signature signed_params;
468  	 *       case rsa:
469  	 *          ServerRSAParams params;
470  	 *          Signature signed_params;
471  	 *    };
472  	 * } ServerKeyExchange;
473  	 *
474  	 * struct {
475  	 *    opaque dh_p<1..2^16-1>;
476  	 *    opaque dh_g<1..2^16-1>;
477  	 *    opaque dh_Ys<1..2^16-1>;
478  	 * } ServerDHParams;
479  	 */
480  
481  	pos = *msgpos;
482  
483  	tlsv1_server_log(conn, "Send ServerKeyExchange");
484  	rhdr = pos;
485  	pos += TLS_RECORD_HEADER_LEN;
486  
487  	/* opaque fragment[TLSPlaintext.length] */
488  
489  	/* Handshake */
490  	hs_start = pos;
491  	/* HandshakeType msg_type */
492  	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
493  	/* uint24 length (to be filled) */
494  	hs_length = pos;
495  	pos += 3;
496  
497  	/* body - ServerDHParams */
498  	server_params = pos;
499  	/* dh_p */
500  	if (2 + dh_p_len > (size_t) (end - pos)) {
501  		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
502  			   "dh_p");
503  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
504  				   TLS_ALERT_INTERNAL_ERROR);
505  		os_free(dh_ys);
506  		return -1;
507  	}
508  	WPA_PUT_BE16(pos, dh_p_len);
509  	pos += 2;
510  	os_memcpy(pos, dh_p, dh_p_len);
511  	pos += dh_p_len;
512  
513  	/* dh_g */
514  	if (2 + conn->cred->dh_g_len > (size_t) (end - pos)) {
515  		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
516  			   "dh_g");
517  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
518  				   TLS_ALERT_INTERNAL_ERROR);
519  		os_free(dh_ys);
520  		return -1;
521  	}
522  	WPA_PUT_BE16(pos, conn->cred->dh_g_len);
523  	pos += 2;
524  	os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
525  	pos += conn->cred->dh_g_len;
526  
527  	/* dh_Ys */
528  	if (2 + dh_ys_len > (size_t) (end - pos)) {
529  		wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
530  			   "dh_Ys");
531  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
532  				   TLS_ALERT_INTERNAL_ERROR);
533  		os_free(dh_ys);
534  		return -1;
535  	}
536  	WPA_PUT_BE16(pos, dh_ys_len);
537  	pos += 2;
538  	os_memcpy(pos, dh_ys, dh_ys_len);
539  	pos += dh_ys_len;
540  	os_free(dh_ys);
541  
542  	/*
543  	 * select (SignatureAlgorithm)
544  	 * {   case anonymous: struct { };
545  	 *     case rsa:
546  	 *         digitally-signed struct {
547  	 *             opaque md5_hash[16];
548  	 *             opaque sha_hash[20];
549  	 *         };
550  	 *     case dsa:
551  	 *         digitally-signed struct {
552  	 *             opaque sha_hash[20];
553  	 *         };
554  	 * } Signature;
555  	 *
556  	 * md5_hash
557  	 *     MD5(ClientHello.random + ServerHello.random + ServerParams);
558  	 *
559  	 * sha_hash
560  	 *     SHA(ClientHello.random + ServerHello.random + ServerParams);
561  	 */
562  
563  	if (keyx == TLS_KEY_X_DHE_RSA) {
564  		u8 hash[100];
565  		u8 *signed_start;
566  		size_t clen;
567  		int hlen;
568  
569  		if (conn->rl.tls_version >= TLS_VERSION_1_2) {
570  #ifdef CONFIG_TLSV12
571  			hlen = tlsv12_key_x_server_params_hash(
572  				conn->rl.tls_version, TLS_HASH_ALG_SHA256,
573  				conn->client_random,
574  				conn->server_random, server_params,
575  				pos - server_params, hash + 19);
576  
577  			/*
578  			 * RFC 5246, 4.7:
579  			 * TLS v1.2 adds explicit indication of the used
580  			 * signature and hash algorithms.
581  			 *
582  			 * struct {
583  			 *   HashAlgorithm hash;
584  			 *   SignatureAlgorithm signature;
585  			 * } SignatureAndHashAlgorithm;
586  			 */
587  			if (hlen < 0 || end - pos < 2) {
588  				tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
589  						   TLS_ALERT_INTERNAL_ERROR);
590  				return -1;
591  			}
592  			*pos++ = TLS_HASH_ALG_SHA256;
593  			*pos++ = TLS_SIGN_ALG_RSA;
594  
595  			/*
596  			 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
597  			 *
598  			 * DigestInfo ::= SEQUENCE {
599  			 *   digestAlgorithm DigestAlgorithm,
600  			 *   digest OCTET STRING
601  			 * }
602  			 *
603  			 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
604  			 *
605  			 * DER encoded DigestInfo for SHA256 per RFC 3447:
606  			 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00
607  			 * 04 20 || H
608  			 */
609  			hlen += 19;
610  			os_memcpy(hash,
611  				  "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
612  				  "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
613  
614  #else /* CONFIG_TLSV12 */
615  			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
616  					   TLS_ALERT_INTERNAL_ERROR);
617  			return -1;
618  #endif /* CONFIG_TLSV12 */
619  		} else {
620  			hlen = tls_key_x_server_params_hash(
621  				conn->rl.tls_version, conn->client_random,
622  				conn->server_random, server_params,
623  				pos - server_params, hash, sizeof(hash));
624  		}
625  
626  		if (hlen < 0) {
627  			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628  					   TLS_ALERT_INTERNAL_ERROR);
629  			return -1;
630  		}
631  
632  		wpa_hexdump(MSG_MSGDUMP, "TLS: ServerKeyExchange signed_params hash",
633  			    hash, hlen);
634  #ifdef CONFIG_TESTING_OPTIONS
635  		if (conn->test_flags & TLS_BREAK_SRV_KEY_X_HASH) {
636  			tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params hash");
637  			hash[hlen - 1] ^= 0x80;
638  		}
639  #endif /* CONFIG_TESTING_OPTIONS */
640  
641  		/*
642  		 * RFC 2246, 4.7:
643  		 * In digital signing, one-way hash functions are used as input
644  		 * for a signing algorithm. A digitally-signed element is
645  		 * encoded as an opaque vector <0..2^16-1>, where the length is
646  		 * specified by the signing algorithm and key.
647  		 *
648  		 * In RSA signing, a 36-byte structure of two hashes (one SHA
649  		 * and one MD5) is signed (encrypted with the private key). It
650  		 * is encoded with PKCS #1 block type 0 or type 1 as described
651  		 * in [PKCS1].
652  		 */
653  		signed_start = pos; /* length to be filled */
654  		pos += 2;
655  		clen = end - pos;
656  		if (conn->cred == NULL ||
657  		    crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
658  						  pos, &clen) < 0) {
659  			wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
660  			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
661  					   TLS_ALERT_INTERNAL_ERROR);
662  			return -1;
663  		}
664  		WPA_PUT_BE16(signed_start, clen);
665  #ifdef CONFIG_TESTING_OPTIONS
666  		if (conn->test_flags & TLS_BREAK_SRV_KEY_X_SIGNATURE) {
667  			tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params signature");
668  			pos[clen - 1] ^= 0x80;
669  		}
670  #endif /* CONFIG_TESTING_OPTIONS */
671  
672  		pos += clen;
673  	}
674  
675  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
676  
677  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
678  			      rhdr, end - rhdr, hs_start, pos - hs_start,
679  			      &rlen) < 0) {
680  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
681  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
682  				   TLS_ALERT_INTERNAL_ERROR);
683  		return -1;
684  	}
685  	pos = rhdr + rlen;
686  
687  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
688  
689  	*msgpos = pos;
690  
691  	return 0;
692  }
693  
694  
tls_write_server_certificate_request(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)695  static int tls_write_server_certificate_request(struct tlsv1_server *conn,
696  						u8 **msgpos, u8 *end)
697  {
698  	u8 *pos, *rhdr, *hs_start, *hs_length;
699  	size_t rlen;
700  
701  	if (!conn->verify_peer) {
702  		wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
703  		return 0;
704  	}
705  
706  	pos = *msgpos;
707  
708  	tlsv1_server_log(conn, "Send CertificateRequest");
709  	rhdr = pos;
710  	pos += TLS_RECORD_HEADER_LEN;
711  
712  	/* opaque fragment[TLSPlaintext.length] */
713  
714  	/* Handshake */
715  	hs_start = pos;
716  	/* HandshakeType msg_type */
717  	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
718  	/* uint24 length (to be filled) */
719  	hs_length = pos;
720  	pos += 3;
721  	/* body - CertificateRequest */
722  
723  	/*
724  	 * enum {
725  	 *   rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
726  	 *   (255)
727  	 * } ClientCertificateType;
728  	 * ClientCertificateType certificate_types<1..2^8-1>
729  	 */
730  	*pos++ = 1;
731  	*pos++ = 1; /* rsa_sign */
732  
733  	/*
734  	 * opaque DistinguishedName<1..2^16-1>
735  	 * DistinguishedName certificate_authorities<3..2^16-1>
736  	 */
737  	/* TODO: add support for listing DNs for trusted CAs */
738  	WPA_PUT_BE16(pos, 0);
739  	pos += 2;
740  
741  	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
742  
743  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
744  			      rhdr, end - rhdr, hs_start, pos - hs_start,
745  			      &rlen) < 0) {
746  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
747  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
748  				   TLS_ALERT_INTERNAL_ERROR);
749  		return -1;
750  	}
751  	pos = rhdr + rlen;
752  
753  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
754  
755  	*msgpos = pos;
756  
757  	return 0;
758  }
759  
760  
tls_write_server_hello_done(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)761  static int tls_write_server_hello_done(struct tlsv1_server *conn,
762  				       u8 **msgpos, u8 *end)
763  {
764  	u8 *pos;
765  	size_t rlen;
766  	u8 payload[4];
767  
768  	tlsv1_server_log(conn, "Send ServerHelloDone");
769  
770  	/* opaque fragment[TLSPlaintext.length] */
771  
772  	/* Handshake */
773  	pos = payload;
774  	/* HandshakeType msg_type */
775  	*pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
776  	/* uint24 length */
777  	WPA_PUT_BE24(pos, 0);
778  	pos += 3;
779  	/* body - ServerHelloDone (empty) */
780  
781  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
782  			      *msgpos, end - *msgpos, payload, pos - payload,
783  			      &rlen) < 0) {
784  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
785  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
786  				   TLS_ALERT_INTERNAL_ERROR);
787  		return -1;
788  	}
789  
790  	tls_verify_hash_add(&conn->verify, payload, pos - payload);
791  
792  	*msgpos += rlen;
793  
794  	return 0;
795  }
796  
797  
tls_write_server_change_cipher_spec(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)798  static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
799  					       u8 **msgpos, u8 *end)
800  {
801  	size_t rlen;
802  	u8 payload[1];
803  
804  	tlsv1_server_log(conn, "Send ChangeCipherSpec");
805  
806  	payload[0] = TLS_CHANGE_CIPHER_SPEC;
807  
808  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
809  			      *msgpos, end - *msgpos, payload, sizeof(payload),
810  			      &rlen) < 0) {
811  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
812  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
813  				   TLS_ALERT_INTERNAL_ERROR);
814  		return -1;
815  	}
816  
817  	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
818  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
819  			   "record layer");
820  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
821  				   TLS_ALERT_INTERNAL_ERROR);
822  		return -1;
823  	}
824  
825  	*msgpos += rlen;
826  
827  	return 0;
828  }
829  
830  
tls_write_server_finished(struct tlsv1_server * conn,u8 ** msgpos,u8 * end)831  static int tls_write_server_finished(struct tlsv1_server *conn,
832  				     u8 **msgpos, u8 *end)
833  {
834  	u8 *pos, *hs_start;
835  	size_t rlen, hlen;
836  	u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
837  	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
838  
839  	pos = *msgpos;
840  
841  	tlsv1_server_log(conn, "Send Finished");
842  
843  	/* Encrypted Handshake Message: Finished */
844  
845  #ifdef CONFIG_TLSV12
846  	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
847  		hlen = SHA256_MAC_LEN;
848  		if (conn->verify.sha256_server == NULL ||
849  		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
850  		    < 0) {
851  			conn->verify.sha256_server = NULL;
852  			tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
853  					   TLS_ALERT_INTERNAL_ERROR);
854  			return -1;
855  		}
856  		conn->verify.sha256_server = NULL;
857  	} else {
858  #endif /* CONFIG_TLSV12 */
859  
860  	hlen = MD5_MAC_LEN;
861  	if (conn->verify.md5_server == NULL ||
862  	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
863  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
864  				   TLS_ALERT_INTERNAL_ERROR);
865  		conn->verify.md5_server = NULL;
866  		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
867  		conn->verify.sha1_server = NULL;
868  		return -1;
869  	}
870  	conn->verify.md5_server = NULL;
871  	hlen = SHA1_MAC_LEN;
872  	if (conn->verify.sha1_server == NULL ||
873  	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
874  			       &hlen) < 0) {
875  		conn->verify.sha1_server = NULL;
876  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
877  				   TLS_ALERT_INTERNAL_ERROR);
878  		return -1;
879  	}
880  	conn->verify.sha1_server = NULL;
881  	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
882  
883  #ifdef CONFIG_TLSV12
884  	}
885  #endif /* CONFIG_TLSV12 */
886  
887  	if (tls_prf(conn->rl.tls_version,
888  		    conn->master_secret, TLS_MASTER_SECRET_LEN,
889  		    "server finished", hash, hlen,
890  		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
891  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
892  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
893  				   TLS_ALERT_INTERNAL_ERROR);
894  		return -1;
895  	}
896  	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
897  			verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
898  #ifdef CONFIG_TESTING_OPTIONS
899  	if (conn->test_flags & TLS_BREAK_VERIFY_DATA) {
900  		tlsv1_server_log(conn, "TESTING: Break verify_data (server)");
901  		verify_data[1 + 3 + 1] ^= 0x80;
902  	}
903  #endif /* CONFIG_TESTING_OPTIONS */
904  
905  	/* Handshake */
906  	pos = hs_start = verify_data;
907  	/* HandshakeType msg_type */
908  	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
909  	/* uint24 length */
910  	WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
911  	pos += 3;
912  	pos += TLS_VERIFY_DATA_LEN;
913  	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
914  
915  	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
916  			      *msgpos, end - *msgpos, hs_start, pos - hs_start,
917  			      &rlen) < 0) {
918  		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
919  		tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
920  				   TLS_ALERT_INTERNAL_ERROR);
921  		return -1;
922  	}
923  
924  	*msgpos += rlen;
925  
926  	return 0;
927  }
928  
929  
tls_send_server_hello(struct tlsv1_server * conn,size_t * out_len)930  static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
931  {
932  	u8 *msg, *end, *pos;
933  	size_t msglen;
934  	int ocsp_multi = 0;
935  	char *ocsp_resp = NULL;
936  	size_t ocsp_resp_len = 0;
937  
938  	*out_len = 0;
939  
940  	if (conn->status_request_multi &&
941  	    conn->cred->ocsp_stapling_response_multi) {
942  		ocsp_resp = os_readfile(
943  			conn->cred->ocsp_stapling_response_multi,
944  			&ocsp_resp_len);
945  		ocsp_multi = 1;
946  	} else if ((conn->status_request || conn->status_request_v2) &&
947  		   conn->cred->ocsp_stapling_response) {
948  		ocsp_resp = os_readfile(conn->cred->ocsp_stapling_response,
949  					&ocsp_resp_len);
950  	}
951  	if (!ocsp_resp)
952  		ocsp_resp_len = 0;
953  
954  	msglen = 1000 + tls_server_cert_chain_der_len(conn) + ocsp_resp_len;
955  
956  	msg = os_malloc(msglen);
957  	if (msg == NULL) {
958  		os_free(ocsp_resp);
959  		return NULL;
960  	}
961  
962  	pos = msg;
963  	end = msg + msglen;
964  
965  	if (tls_write_server_hello(conn, &pos, end) < 0) {
966  		os_free(msg);
967  		os_free(ocsp_resp);
968  		return NULL;
969  	}
970  
971  	if (conn->use_session_ticket) {
972  		os_free(ocsp_resp);
973  
974  		/* Abbreviated handshake using session ticket; RFC 4507 */
975  		if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
976  		    tls_write_server_finished(conn, &pos, end) < 0) {
977  			os_free(msg);
978  			return NULL;
979  		}
980  
981  		*out_len = pos - msg;
982  
983  		conn->state = CHANGE_CIPHER_SPEC;
984  
985  		return msg;
986  	}
987  
988  	/* Full handshake */
989  	if (tls_write_server_certificate(conn, &pos, end) < 0 ||
990  	    tls_write_server_certificate_status(conn, &pos, end, ocsp_multi,
991  						ocsp_resp, ocsp_resp_len) < 0 ||
992  	    tls_write_server_key_exchange(conn, &pos, end) < 0 ||
993  	    tls_write_server_certificate_request(conn, &pos, end) < 0 ||
994  	    tls_write_server_hello_done(conn, &pos, end) < 0) {
995  		os_free(msg);
996  		os_free(ocsp_resp);
997  		return NULL;
998  	}
999  	os_free(ocsp_resp);
1000  
1001  	*out_len = pos - msg;
1002  
1003  	conn->state = CLIENT_CERTIFICATE;
1004  
1005  	return msg;
1006  }
1007  
1008  
tls_send_change_cipher_spec(struct tlsv1_server * conn,size_t * out_len)1009  static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
1010  					size_t *out_len)
1011  {
1012  	u8 *msg, *end, *pos;
1013  
1014  	*out_len = 0;
1015  
1016  	msg = os_malloc(1000);
1017  	if (msg == NULL)
1018  		return NULL;
1019  
1020  	pos = msg;
1021  	end = msg + 1000;
1022  
1023  	if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
1024  	    tls_write_server_finished(conn, &pos, end) < 0) {
1025  		os_free(msg);
1026  		return NULL;
1027  	}
1028  
1029  	*out_len = pos - msg;
1030  
1031  	tlsv1_server_log(conn, "Handshake completed successfully");
1032  	conn->state = ESTABLISHED;
1033  
1034  	return msg;
1035  }
1036  
1037  
tlsv1_server_handshake_write(struct tlsv1_server * conn,size_t * out_len)1038  u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
1039  {
1040  	switch (conn->state) {
1041  	case SERVER_HELLO:
1042  		return tls_send_server_hello(conn, out_len);
1043  	case SERVER_CHANGE_CIPHER_SPEC:
1044  		return tls_send_change_cipher_spec(conn, out_len);
1045  	default:
1046  		if (conn->state == ESTABLISHED && conn->use_session_ticket) {
1047  			/* Abbreviated handshake was already completed. */
1048  			return NULL;
1049  		}
1050  		tlsv1_server_log(conn, "Unexpected state %d while generating reply",
1051  				 conn->state);
1052  		return NULL;
1053  	}
1054  }
1055  
1056  
tlsv1_server_send_alert(struct tlsv1_server * conn,u8 level,u8 description,size_t * out_len)1057  u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
1058  			     u8 description, size_t *out_len)
1059  {
1060  	u8 *alert, *pos, *length;
1061  
1062  	tlsv1_server_log(conn, "Send Alert(%d:%d)", level, description);
1063  	*out_len = 0;
1064  
1065  	alert = os_malloc(10);
1066  	if (alert == NULL)
1067  		return NULL;
1068  
1069  	pos = alert;
1070  
1071  	/* TLSPlaintext */
1072  	/* ContentType type */
1073  	*pos++ = TLS_CONTENT_TYPE_ALERT;
1074  	/* ProtocolVersion version */
1075  	WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
1076  		     TLS_VERSION);
1077  	pos += 2;
1078  	/* uint16 length (to be filled) */
1079  	length = pos;
1080  	pos += 2;
1081  	/* opaque fragment[TLSPlaintext.length] */
1082  
1083  	/* Alert */
1084  	/* AlertLevel level */
1085  	*pos++ = level;
1086  	/* AlertDescription description */
1087  	*pos++ = description;
1088  
1089  	WPA_PUT_BE16(length, pos - length - 2);
1090  	*out_len = pos - alert;
1091  
1092  	return alert;
1093  }
1094