1 /*
2  * TLSv1 client - write handshake message
3  * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "crypto/random.h"
17 #include "x509v3.h"
18 #include "tlsv1_common.h"
19 #include "tlsv1_record.h"
20 #include "tlsv1_client.h"
21 #include "tlsv1_client_i.h"
22 
23 
24 static size_t tls_client_cert_chain_der_len(struct tlsv1_client *conn)
25 {
26 	size_t len = 0;
27 	struct x509_certificate *cert;
28 
29 	if (conn->cred == NULL)
30 		return 0;
31 
32 	cert = conn->cred->cert;
33 	while (cert) {
34 		len += 3 + cert->cert_len;
35 		if (x509_certificate_self_signed(cert))
36 			break;
37 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
38 						    &cert->issuer);
39 	}
40 
41 	return len;
42 }
43 
44 
45 u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
46 {
47 	u8 *hello, *end, *pos, *hs_length, *hs_start, *rhdr;
48 	struct os_time now;
49 	size_t len, i;
50 	u8 *ext_start;
51 	u16 tls_version = TLS_VERSION;
52 
53 	/* Pick the highest locally enabled TLS version */
54 #ifdef CONFIG_TLSV12
55 	if ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
56 	    tls_version == TLS_VERSION_1_2)
57 		tls_version = TLS_VERSION_1_1;
58 #endif /* CONFIG_TLSV12 */
59 #ifdef CONFIG_TLSV11
60 	if ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
61 	    tls_version == TLS_VERSION_1_1)
62 		tls_version = TLS_VERSION_1;
63 #endif /* CONFIG_TLSV11 */
64 	if ((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
65 	    tls_version == TLS_VERSION_1) {
66 		wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed");
67 		return NULL;
68 	}
69 
70 	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)",
71 		   tls_version_str(tls_version));
72 	*out_len = 0;
73 
74 	os_get_time(&now);
75 #ifdef TEST_FUZZ
76 	now.sec = 0xfffefdfc;
77 #endif /* TEST_FUZZ */
78 	WPA_PUT_BE32(conn->client_random, now.sec);
79 	if (random_get_bytes(conn->client_random + 4, TLS_RANDOM_LEN - 4)) {
80 		wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
81 			   "client_random");
82 		return NULL;
83 	}
84 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
85 		    conn->client_random, TLS_RANDOM_LEN);
86 
87 	len = 150 + conn->num_cipher_suites * 2 + conn->client_hello_ext_len;
88 	hello = os_malloc(len);
89 	if (hello == NULL)
90 		return NULL;
91 	end = hello + len;
92 
93 	rhdr = hello;
94 	pos = rhdr + TLS_RECORD_HEADER_LEN;
95 
96 	/* opaque fragment[TLSPlaintext.length] */
97 
98 	/* Handshake */
99 	hs_start = pos;
100 	/* HandshakeType msg_type */
101 	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_HELLO;
102 	/* uint24 length (to be filled) */
103 	hs_length = pos;
104 	pos += 3;
105 	/* body - ClientHello */
106 	/* ProtocolVersion client_version */
107 	WPA_PUT_BE16(pos, tls_version);
108 	pos += 2;
109 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
110 	os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
111 	pos += TLS_RANDOM_LEN;
112 	/* SessionID session_id */
113 	*pos++ = conn->session_id_len;
114 	os_memcpy(pos, conn->session_id, conn->session_id_len);
115 	pos += conn->session_id_len;
116 	/* CipherSuite cipher_suites<2..2^16-1> */
117 	WPA_PUT_BE16(pos, 2 * conn->num_cipher_suites);
118 	pos += 2;
119 	for (i = 0; i < conn->num_cipher_suites; i++) {
120 		WPA_PUT_BE16(pos, conn->cipher_suites[i]);
121 		pos += 2;
122 	}
123 	/* CompressionMethod compression_methods<1..2^8-1> */
124 	*pos++ = 1;
125 	*pos++ = TLS_COMPRESSION_NULL;
126 
127 	/* Extension */
128 	ext_start = pos;
129 	pos += 2;
130 
131 #ifdef CONFIG_TLSV12
132 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
133 		/*
134 		 * Add signature_algorithms extension since we support only
135 		 * SHA256 (and not the default SHA1) with TLSv1.2.
136 		 */
137 		/* ExtensionsType extension_type = signature_algorithms(13) */
138 		WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
139 		pos += 2;
140 		/* opaque extension_data<0..2^16-1> length */
141 		WPA_PUT_BE16(pos, 8);
142 		pos += 2;
143 		/* supported_signature_algorithms<2..2^16-2> length */
144 		WPA_PUT_BE16(pos, 6);
145 		pos += 2;
146 		/* supported_signature_algorithms */
147 		*pos++ = TLS_HASH_ALG_SHA512;
148 		*pos++ = TLS_SIGN_ALG_RSA;
149 		*pos++ = TLS_HASH_ALG_SHA384;
150 		*pos++ = TLS_SIGN_ALG_RSA;
151 		*pos++ = TLS_HASH_ALG_SHA256;
152 		*pos++ = TLS_SIGN_ALG_RSA;
153 	}
154 #endif /* CONFIG_TLSV12 */
155 
156 	if (conn->client_hello_ext) {
157 		os_memcpy(pos, conn->client_hello_ext,
158 			  conn->client_hello_ext_len);
159 		pos += conn->client_hello_ext_len;
160 	}
161 
162 	if (conn->flags & TLS_CONN_REQUEST_OCSP) {
163 		wpa_printf(MSG_DEBUG,
164 			   "TLSv1: Add status_request extension for OCSP stapling");
165 		/* ExtensionsType extension_type = status_request(5) */
166 		WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
167 		pos += 2;
168 		/* opaque extension_data<0..2^16-1> length */
169 		WPA_PUT_BE16(pos, 5);
170 		pos += 2;
171 
172 		/*
173 		 * RFC 6066, 8:
174 		 * struct {
175 		 *     CertificateStatusType status_type;
176 		 *     select (status_type) {
177 		 *         case ocsp: OCSPStatusRequest;
178 		 *     } request;
179 		 * } CertificateStatusRequest;
180 		 *
181 		 * enum { ocsp(1), (255) } CertificateStatusType;
182 		 */
183 		*pos++ = 1; /* status_type = ocsp(1) */
184 
185 		/*
186 		 * struct {
187 		 *     ResponderID responder_id_list<0..2^16-1>;
188 		 *     Extensions  request_extensions;
189 		 * } OCSPStatusRequest;
190 		 *
191 		 * opaque ResponderID<1..2^16-1>;
192 		 * opaque Extensions<0..2^16-1>;
193 		 */
194 		WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
195 		pos += 2;
196 		WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
197 		pos += 2;
198 
199 		wpa_printf(MSG_DEBUG,
200 			   "TLSv1: Add status_request_v2 extension for OCSP stapling");
201 		/* ExtensionsType extension_type = status_request_v2(17) */
202 		WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
203 		pos += 2;
204 		/* opaque extension_data<0..2^16-1> length */
205 		WPA_PUT_BE16(pos, 7);
206 		pos += 2;
207 
208 		/*
209 		 * RFC 6961, 2.2:
210 		 * struct {
211 		 *     CertificateStatusType status_type;
212 		 *     uint16 request_length;
213 		 *     select (status_type) {
214 		 *         case ocsp: OCSPStatusRequest;
215 		 *         case ocsp_multi: OCSPStatusRequest;
216 		 *     } request;
217 		 * } CertificateStatusRequestItemV2;
218 		 *
219 		 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
220 		 *
221 		 * struct {
222 		 * CertificateStatusRequestItemV2
223 		 *     certificate_status_req_list<1..2^16-1>;
224 		 * } CertificateStatusRequestListV2;
225 		 */
226 
227 		/* certificate_status_req_list<1..2^16-1> */
228 		WPA_PUT_BE16(pos, 5);
229 		pos += 2;
230 
231 		/* CertificateStatusRequestItemV2 */
232 		*pos++ = 2; /* status_type = ocsp_multi(2) */
233 		/* OCSPStatusRequest as shown above for v1 */
234 		WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
235 		pos += 2;
236 		WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
237 		pos += 2;
238 	}
239 
240 	if (pos == ext_start + 2)
241 		pos -= 2; /* no extensions */
242 	else
243 		WPA_PUT_BE16(ext_start, pos - ext_start - 2);
244 
245 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
246 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
247 
248 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
249 			      rhdr, end - rhdr, hs_start, pos - hs_start,
250 			      out_len) < 0) {
251 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
252 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
253 			  TLS_ALERT_INTERNAL_ERROR);
254 		os_free(hello);
255 		return NULL;
256 	}
257 
258 	conn->state = SERVER_HELLO;
259 
260 	return hello;
261 }
262 
263 
264 static int tls_write_client_certificate(struct tlsv1_client *conn,
265 					u8 **msgpos, u8 *end)
266 {
267 	u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
268 	size_t rlen;
269 	struct x509_certificate *cert;
270 
271 	pos = *msgpos;
272 	if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
273 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
274 			  TLS_ALERT_INTERNAL_ERROR);
275 		return -1;
276 	}
277 
278 	wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
279 	rhdr = pos;
280 	pos += TLS_RECORD_HEADER_LEN;
281 
282 	/* opaque fragment[TLSPlaintext.length] */
283 
284 	/* Handshake */
285 	hs_start = pos;
286 	/* HandshakeType msg_type */
287 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
288 	/* uint24 length (to be filled) */
289 	hs_length = pos;
290 	pos += 3;
291 	/* body - Certificate */
292 	/* uint24 length (to be filled) */
293 	cert_start = pos;
294 	pos += 3;
295 	cert = conn->cred ? conn->cred->cert : NULL;
296 	while (cert) {
297 		if (3 + cert->cert_len > (size_t) (end - pos)) {
298 			wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
299 				   "for Certificate (cert_len=%lu left=%lu)",
300 				   (unsigned long) cert->cert_len,
301 				   (unsigned long) (end - pos));
302 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
303 				  TLS_ALERT_INTERNAL_ERROR);
304 			return -1;
305 		}
306 		WPA_PUT_BE24(pos, cert->cert_len);
307 		pos += 3;
308 		os_memcpy(pos, cert->cert_start, cert->cert_len);
309 		pos += cert->cert_len;
310 
311 		if (x509_certificate_self_signed(cert))
312 			break;
313 		cert = x509_certificate_get_subject(conn->cred->trusted_certs,
314 						    &cert->issuer);
315 	}
316 	if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) {
317 		/*
318 		 * Client was not configured with all the needed certificates
319 		 * to form a full certificate chain. The server may fail to
320 		 * validate the chain unless it is configured with all the
321 		 * missing CA certificates.
322 		 */
323 		wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain "
324 			   "not configured - validation may fail");
325 	}
326 	WPA_PUT_BE24(cert_start, pos - cert_start - 3);
327 
328 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
329 
330 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
331 			      rhdr, end - rhdr, hs_start, pos - hs_start,
332 			      &rlen) < 0) {
333 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
334 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
335 			  TLS_ALERT_INTERNAL_ERROR);
336 		return -1;
337 	}
338 	pos = rhdr + rlen;
339 
340 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
341 
342 	*msgpos = pos;
343 
344 	return 0;
345 }
346 
347 
348 static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end)
349 {
350 	/* ClientDiffieHellmanPublic */
351 	u8 *csecret, *csecret_start, *dh_yc, *shared;
352 	size_t csecret_len, dh_yc_len, shared_len;
353 
354 	csecret_len = conn->dh_p_len;
355 	csecret = os_malloc(csecret_len);
356 	if (csecret == NULL) {
357 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
358 			   "memory for Yc (Diffie-Hellman)");
359 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
360 			  TLS_ALERT_INTERNAL_ERROR);
361 		return -1;
362 	}
363 	if (random_get_bytes(csecret, csecret_len)) {
364 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
365 			   "data for Diffie-Hellman");
366 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
367 			  TLS_ALERT_INTERNAL_ERROR);
368 		os_free(csecret);
369 		return -1;
370 	}
371 
372 	if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0)
373 		csecret[0] = 0; /* make sure Yc < p */
374 
375 	csecret_start = csecret;
376 	while (csecret_len > 1 && *csecret_start == 0) {
377 		csecret_start++;
378 		csecret_len--;
379 	}
380 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value",
381 			csecret_start, csecret_len);
382 
383 	/* Yc = g^csecret mod p */
384 	dh_yc_len = conn->dh_p_len;
385 	dh_yc = os_malloc(dh_yc_len);
386 	if (dh_yc == NULL) {
387 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
388 			   "memory for Diffie-Hellman");
389 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
390 			  TLS_ALERT_INTERNAL_ERROR);
391 		os_free(csecret);
392 		return -1;
393 	}
394 	if (crypto_mod_exp(conn->dh_g, conn->dh_g_len,
395 			   csecret_start, csecret_len,
396 			   conn->dh_p, conn->dh_p_len,
397 			   dh_yc, &dh_yc_len)) {
398 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
399 			  TLS_ALERT_INTERNAL_ERROR);
400 		os_free(csecret);
401 		os_free(dh_yc);
402 		return -1;
403 	}
404 
405 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
406 		    dh_yc, dh_yc_len);
407 
408 	if (end - *pos < 2) {
409 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
410 			  TLS_ALERT_INTERNAL_ERROR);
411 		os_free(csecret);
412 		os_free(dh_yc);
413 		return -1;
414 	}
415 	WPA_PUT_BE16(*pos, dh_yc_len);
416 	*pos += 2;
417 	if (dh_yc_len > (size_t) (end - *pos)) {
418 		wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the "
419 			   "message buffer for Yc");
420 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
421 			  TLS_ALERT_INTERNAL_ERROR);
422 		os_free(csecret);
423 		os_free(dh_yc);
424 		return -1;
425 	}
426 	os_memcpy(*pos, dh_yc, dh_yc_len);
427 	*pos += dh_yc_len;
428 	os_free(dh_yc);
429 
430 	shared_len = conn->dh_p_len;
431 	shared = os_malloc(shared_len);
432 	if (shared == NULL) {
433 		wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
434 			   "DH");
435 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
436 			  TLS_ALERT_INTERNAL_ERROR);
437 		os_free(csecret);
438 		return -1;
439 	}
440 
441 	/* shared = Ys^csecret mod p */
442 	if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len,
443 			   csecret_start, csecret_len,
444 			   conn->dh_p, conn->dh_p_len,
445 			   shared, &shared_len)) {
446 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
447 			  TLS_ALERT_INTERNAL_ERROR);
448 		os_free(csecret);
449 		os_free(shared);
450 		return -1;
451 	}
452 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
453 			shared, shared_len);
454 
455 	os_memset(csecret_start, 0, csecret_len);
456 	os_free(csecret);
457 	if (tls_derive_keys(conn, shared, shared_len)) {
458 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
459 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
460 			  TLS_ALERT_INTERNAL_ERROR);
461 		os_free(shared);
462 		return -1;
463 	}
464 	os_memset(shared, 0, shared_len);
465 	os_free(shared);
466 	tlsv1_client_free_dh(conn);
467 	return 0;
468 }
469 
470 
471 static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end)
472 {
473 	u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN];
474 	size_t clen;
475 	int res;
476 
477 	if (tls_derive_pre_master_secret(pre_master_secret) < 0 ||
478 	    tls_derive_keys(conn, pre_master_secret,
479 			    TLS_PRE_MASTER_SECRET_LEN)) {
480 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
481 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
482 			  TLS_ALERT_INTERNAL_ERROR);
483 		return -1;
484 	}
485 
486 	/* EncryptedPreMasterSecret */
487 	if (conn->server_rsa_key == NULL) {
488 		wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to "
489 			   "use for encrypting pre-master secret");
490 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
491 			  TLS_ALERT_INTERNAL_ERROR);
492 		return -1;
493 	}
494 
495 	/* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */
496 	*pos += 2;
497 	clen = end - *pos;
498 	res = crypto_public_key_encrypt_pkcs1_v15(
499 		conn->server_rsa_key,
500 		pre_master_secret, TLS_PRE_MASTER_SECRET_LEN,
501 		*pos, &clen);
502 	os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN);
503 	if (res < 0) {
504 		wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed");
505 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
506 			  TLS_ALERT_INTERNAL_ERROR);
507 		return -1;
508 	}
509 	WPA_PUT_BE16(*pos - 2, clen);
510 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret",
511 		    *pos, clen);
512 	*pos += clen;
513 
514 	return 0;
515 }
516 
517 
518 static int tls_write_client_key_exchange(struct tlsv1_client *conn,
519 					 u8 **msgpos, u8 *end)
520 {
521 	u8 *pos, *rhdr, *hs_start, *hs_length;
522 	size_t rlen;
523 	tls_key_exchange keyx;
524 	const struct tls_cipher_suite *suite;
525 
526 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
527 	if (suite == NULL)
528 		keyx = TLS_KEY_X_NULL;
529 	else
530 		keyx = suite->key_exchange;
531 
532 	pos = *msgpos;
533 
534 	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange");
535 
536 	rhdr = pos;
537 	pos += TLS_RECORD_HEADER_LEN;
538 
539 	/* opaque fragment[TLSPlaintext.length] */
540 
541 	/* Handshake */
542 	hs_start = pos;
543 	/* HandshakeType msg_type */
544 	*pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE;
545 	/* uint24 length (to be filled) */
546 	hs_length = pos;
547 	pos += 3;
548 	/* body - ClientKeyExchange */
549 	if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) {
550 		if (tlsv1_key_x_dh(conn, &pos, end) < 0)
551 			return -1;
552 	} else {
553 		if (tlsv1_key_x_rsa(conn, &pos, end) < 0)
554 			return -1;
555 	}
556 
557 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
558 
559 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
560 			      rhdr, end - rhdr, hs_start, pos - hs_start,
561 			      &rlen) < 0) {
562 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
563 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
564 			  TLS_ALERT_INTERNAL_ERROR);
565 		return -1;
566 	}
567 	pos = rhdr + rlen;
568 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
569 
570 	*msgpos = pos;
571 
572 	return 0;
573 }
574 
575 
576 static int tls_write_client_certificate_verify(struct tlsv1_client *conn,
577 					       u8 **msgpos, u8 *end)
578 {
579 	u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start;
580 	size_t rlen, hlen, clen;
581 	u8 hash[100], *hpos;
582 
583 	pos = *msgpos;
584 
585 	wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify");
586 	rhdr = pos;
587 	pos += TLS_RECORD_HEADER_LEN;
588 
589 	/* Handshake */
590 	hs_start = pos;
591 	/* HandshakeType msg_type */
592 	*pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY;
593 	/* uint24 length (to be filled) */
594 	hs_length = pos;
595 	pos += 3;
596 
597 	/*
598 	 * RFC 2246: 7.4.3 and 7.4.8:
599 	 * Signature signature
600 	 *
601 	 * RSA:
602 	 * digitally-signed struct {
603 	 *     opaque md5_hash[16];
604 	 *     opaque sha_hash[20];
605 	 * };
606 	 *
607 	 * DSA:
608 	 * digitally-signed struct {
609 	 *     opaque sha_hash[20];
610 	 * };
611 	 *
612 	 * The hash values are calculated over all handshake messages sent or
613 	 * received starting at ClientHello up to, but not including, this
614 	 * CertificateVerify message, including the type and length fields of
615 	 * the handshake messages.
616 	 */
617 
618 	hpos = hash;
619 
620 #ifdef CONFIG_TLSV12
621 	if (conn->rl.tls_version == TLS_VERSION_1_2) {
622 		hlen = SHA256_MAC_LEN;
623 		if (conn->verify.sha256_cert == NULL ||
624 		    crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) <
625 		    0) {
626 			conn->verify.sha256_cert = NULL;
627 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
628 				  TLS_ALERT_INTERNAL_ERROR);
629 			return -1;
630 		}
631 		conn->verify.sha256_cert = NULL;
632 
633 		/*
634 		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
635 		 *
636 		 * DigestInfo ::= SEQUENCE {
637 		 *   digestAlgorithm DigestAlgorithm,
638 		 *   digest OCTET STRING
639 		 * }
640 		 *
641 		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
642 		 *
643 		 * DER encoded DigestInfo for SHA256 per RFC 3447:
644 		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
645 		 * H
646 		 */
647 		os_memmove(hash + 19, hash, hlen);
648 		hlen += 19;
649 		os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
650 			  "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
651 	} else {
652 #endif /* CONFIG_TLSV12 */
653 
654 	hlen = MD5_MAC_LEN;
655 	if (conn->verify.md5_cert == NULL ||
656 	    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) {
657 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
658 			  TLS_ALERT_INTERNAL_ERROR);
659 		conn->verify.md5_cert = NULL;
660 		crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
661 		conn->verify.sha1_cert = NULL;
662 		return -1;
663 	}
664 	hpos += MD5_MAC_LEN;
665 
666 	conn->verify.md5_cert = NULL;
667 	hlen = SHA1_MAC_LEN;
668 	if (conn->verify.sha1_cert == NULL ||
669 	    crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
670 		conn->verify.sha1_cert = NULL;
671 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672 			  TLS_ALERT_INTERNAL_ERROR);
673 		return -1;
674 	}
675 	conn->verify.sha1_cert = NULL;
676 
677 	hlen += MD5_MAC_LEN;
678 
679 #ifdef CONFIG_TLSV12
680 	}
681 #endif /* CONFIG_TLSV12 */
682 
683 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);
684 
685 #ifdef CONFIG_TLSV12
686 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
687 		/*
688 		 * RFC 5246, 4.7:
689 		 * TLS v1.2 adds explicit indication of the used signature and
690 		 * hash algorithms.
691 		 *
692 		 * struct {
693 		 *   HashAlgorithm hash;
694 		 *   SignatureAlgorithm signature;
695 		 * } SignatureAndHashAlgorithm;
696 		 */
697 		*pos++ = TLS_HASH_ALG_SHA256;
698 		*pos++ = TLS_SIGN_ALG_RSA;
699 	}
700 #endif /* CONFIG_TLSV12 */
701 
702 	/*
703 	 * RFC 2246, 4.7:
704 	 * In digital signing, one-way hash functions are used as input for a
705 	 * signing algorithm. A digitally-signed element is encoded as an
706 	 * opaque vector <0..2^16-1>, where the length is specified by the
707 	 * signing algorithm and key.
708 	 *
709 	 * In RSA signing, a 36-byte structure of two hashes (one SHA and one
710 	 * MD5) is signed (encrypted with the private key). It is encoded with
711 	 * PKCS #1 block type 0 or type 1 as described in [PKCS1].
712 	 */
713 	signed_start = pos; /* length to be filled */
714 	pos += 2;
715 	clen = end - pos;
716 	if (conn->cred == NULL ||
717 	    crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
718 					  pos, &clen) < 0) {
719 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
720 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
721 			  TLS_ALERT_INTERNAL_ERROR);
722 		return -1;
723 	}
724 	WPA_PUT_BE16(signed_start, clen);
725 
726 	pos += clen;
727 
728 	WPA_PUT_BE24(hs_length, pos - hs_length - 3);
729 
730 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
731 			      rhdr, end - rhdr, hs_start, pos - hs_start,
732 			      &rlen) < 0) {
733 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
734 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
735 			  TLS_ALERT_INTERNAL_ERROR);
736 		return -1;
737 	}
738 	pos = rhdr + rlen;
739 
740 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
741 
742 	*msgpos = pos;
743 
744 	return 0;
745 }
746 
747 
748 static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn,
749 					       u8 **msgpos, u8 *end)
750 {
751 	size_t rlen;
752 	u8 payload[1];
753 
754 	wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
755 
756 	payload[0] = TLS_CHANGE_CIPHER_SPEC;
757 
758 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
759 			      *msgpos, end - *msgpos, payload, sizeof(payload),
760 			      &rlen) < 0) {
761 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
762 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
763 			  TLS_ALERT_INTERNAL_ERROR);
764 		return -1;
765 	}
766 
767 	if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
768 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
769 			   "record layer");
770 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
771 			  TLS_ALERT_INTERNAL_ERROR);
772 		return -1;
773 	}
774 
775 	*msgpos += rlen;
776 
777 	return 0;
778 }
779 
780 
781 static int tls_write_client_finished(struct tlsv1_client *conn,
782 				     u8 **msgpos, u8 *end)
783 {
784 	u8 *pos, *hs_start;
785 	size_t rlen, hlen;
786 	u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
787 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
788 
789 	wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
790 
791 	/* Encrypted Handshake Message: Finished */
792 
793 #ifdef CONFIG_TLSV12
794 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
795 		hlen = SHA256_MAC_LEN;
796 		if (conn->verify.sha256_client == NULL ||
797 		    crypto_hash_finish(conn->verify.sha256_client, hash, &hlen)
798 		    < 0) {
799 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
800 				  TLS_ALERT_INTERNAL_ERROR);
801 			conn->verify.sha256_client = NULL;
802 			return -1;
803 		}
804 		conn->verify.sha256_client = NULL;
805 	} else {
806 #endif /* CONFIG_TLSV12 */
807 
808 	hlen = MD5_MAC_LEN;
809 	if (conn->verify.md5_client == NULL ||
810 	    crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
811 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
812 			  TLS_ALERT_INTERNAL_ERROR);
813 		conn->verify.md5_client = NULL;
814 		crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
815 		conn->verify.sha1_client = NULL;
816 		return -1;
817 	}
818 	conn->verify.md5_client = NULL;
819 	hlen = SHA1_MAC_LEN;
820 	if (conn->verify.sha1_client == NULL ||
821 	    crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
822 			       &hlen) < 0) {
823 		conn->verify.sha1_client = NULL;
824 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
825 			  TLS_ALERT_INTERNAL_ERROR);
826 		return -1;
827 	}
828 	conn->verify.sha1_client = NULL;
829 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
830 
831 #ifdef CONFIG_TLSV12
832 	}
833 #endif /* CONFIG_TLSV12 */
834 
835 	if (tls_prf(conn->rl.tls_version,
836 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
837 		    "client finished", hash, hlen,
838 		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
839 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
840 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
841 			  TLS_ALERT_INTERNAL_ERROR);
842 		return -1;
843 	}
844 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
845 			verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
846 
847 	/* Handshake */
848 	pos = hs_start = verify_data;
849 	/* HandshakeType msg_type */
850 	*pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
851 	/* uint24 length */
852 	WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
853 	pos += 3;
854 	pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */
855 	tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
856 
857 	if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
858 			      *msgpos, end - *msgpos, hs_start, pos - hs_start,
859 			      &rlen) < 0) {
860 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
861 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
862 			  TLS_ALERT_INTERNAL_ERROR);
863 		return -1;
864 	}
865 
866 	*msgpos += rlen;
867 
868 	return 0;
869 }
870 
871 
872 static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
873 					 size_t *out_len)
874 {
875 	u8 *msg, *end, *pos;
876 	size_t msglen;
877 
878 	*out_len = 0;
879 
880 	msglen = 2000;
881 	if (conn->certificate_requested)
882 		msglen += tls_client_cert_chain_der_len(conn);
883 
884 	msg = os_malloc(msglen);
885 	if (msg == NULL)
886 		return NULL;
887 
888 	pos = msg;
889 	end = msg + msglen;
890 
891 	if (conn->certificate_requested) {
892 		if (tls_write_client_certificate(conn, &pos, end) < 0) {
893 			os_free(msg);
894 			return NULL;
895 		}
896 	}
897 
898 	if (tls_write_client_key_exchange(conn, &pos, end) < 0 ||
899 	    (conn->certificate_requested && conn->cred && conn->cred->key &&
900 	     tls_write_client_certificate_verify(conn, &pos, end) < 0) ||
901 	    tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
902 	    tls_write_client_finished(conn, &pos, end) < 0) {
903 		os_free(msg);
904 		return NULL;
905 	}
906 
907 	*out_len = pos - msg;
908 
909 	conn->state = SERVER_CHANGE_CIPHER_SPEC;
910 
911 	return msg;
912 }
913 
914 
915 static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn,
916 					size_t *out_len)
917 {
918 	u8 *msg, *end, *pos;
919 
920 	*out_len = 0;
921 
922 	msg = os_malloc(1000);
923 	if (msg == NULL)
924 		return NULL;
925 
926 	pos = msg;
927 	end = msg + 1000;
928 
929 	if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 ||
930 	    tls_write_client_finished(conn, &pos, end) < 0) {
931 		os_free(msg);
932 		return NULL;
933 	}
934 
935 	*out_len = pos - msg;
936 
937 	wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed "
938 		   "successfully");
939 	if (!conn->session_resumed && conn->use_session_ticket)
940 		conn->session_resumed = 1;
941 	conn->state = ESTABLISHED;
942 
943 	return msg;
944 }
945 
946 
947 u8 * tlsv1_client_handshake_write(struct tlsv1_client *conn, size_t *out_len,
948 				  int no_appl_data)
949 {
950 	switch (conn->state) {
951 	case CLIENT_KEY_EXCHANGE:
952 		return tls_send_client_key_exchange(conn, out_len);
953 	case CHANGE_CIPHER_SPEC:
954 		return tls_send_change_cipher_spec(conn, out_len);
955 	case ACK_FINISHED:
956 		wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed "
957 			   "successfully");
958 		conn->state = ESTABLISHED;
959 		*out_len = 0;
960 		if (no_appl_data) {
961 			/* Need to return something to get final TLS ACK. */
962 			return os_malloc(1);
963 		}
964 		return NULL;
965 	default:
966 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
967 			   "generating reply", conn->state);
968 		return NULL;
969 	}
970 }
971 
972 
973 u8 * tlsv1_client_send_alert(struct tlsv1_client *conn, u8 level,
974 			     u8 description, size_t *out_len)
975 {
976 	u8 *alert, *pos, *length;
977 
978 	wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
979 	*out_len = 0;
980 
981 	alert = os_malloc(10);
982 	if (alert == NULL)
983 		return NULL;
984 
985 	pos = alert;
986 
987 	/* TLSPlaintext */
988 	/* ContentType type */
989 	*pos++ = TLS_CONTENT_TYPE_ALERT;
990 	/* ProtocolVersion version */
991 	WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
992 		     TLS_VERSION);
993 	pos += 2;
994 	/* uint16 length (to be filled) */
995 	length = pos;
996 	pos += 2;
997 	/* opaque fragment[TLSPlaintext.length] */
998 
999 	/* Alert */
1000 	/* AlertLevel level */
1001 	*pos++ = level;
1002 	/* AlertDescription description */
1003 	*pos++ = description;
1004 
1005 	WPA_PUT_BE16(length, pos - length - 2);
1006 	*out_len = pos - alert;
1007 
1008 	return alert;
1009 }
1010