Disconnect hostapd from building in base
[dragonfly.git] / contrib / hostapd / src / tls / tlsv1_server_write.c
CommitLineData
a875087d
JL
1/*
2 * TLSv1 server - write handshake message
4781064b 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
a875087d 4 *
4781064b
JM
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
a875087d
JL
7 */
8
9#include "includes.h"
10
11#include "common.h"
4781064b
JM
12#include "crypto/md5.h"
13#include "crypto/sha1.h"
14#include "crypto/sha256.h"
15#include "crypto/tls.h"
16#include "crypto/random.h"
a875087d 17#include "x509v3.h"
a875087d
JL
18#include "tlsv1_common.h"
19#include "tlsv1_record.h"
20#include "tlsv1_server.h"
21#include "tlsv1_server_i.h"
22
23
24static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
25{
26 size_t len = 0;
27 struct x509_certificate *cert;
28
29 cert = conn->cred->cert;
30 while (cert) {
31 len += 3 + cert->cert_len;
32 if (x509_certificate_self_signed(cert))
33 break;
34 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
35 &cert->issuer);
36 }
37
38 return len;
39}
40
41
42static int tls_write_server_hello(struct tlsv1_server *conn,
43 u8 **msgpos, u8 *end)
44{
45 u8 *pos, *rhdr, *hs_start, *hs_length;
46 struct os_time now;
47 size_t rlen;
48
49 pos = *msgpos;
50
51 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello");
52 rhdr = pos;
53 pos += TLS_RECORD_HEADER_LEN;
54
55 os_get_time(&now);
56 WPA_PUT_BE32(conn->server_random, now.sec);
4781064b 57 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
a875087d
JL
58 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
59 "server_random");
60 return -1;
61 }
62 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
63 conn->server_random, TLS_RANDOM_LEN);
64
65 conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
4781064b 66 if (random_get_bytes(conn->session_id, conn->session_id_len)) {
a875087d
JL
67 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
68 "session_id");
69 return -1;
70 }
71 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
72 conn->session_id, conn->session_id_len);
73
74 /* opaque fragment[TLSPlaintext.length] */
75
76 /* Handshake */
77 hs_start = pos;
78 /* HandshakeType msg_type */
79 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
80 /* uint24 length (to be filled) */
81 hs_length = pos;
82 pos += 3;
83 /* body - ServerHello */
84 /* ProtocolVersion server_version */
4781064b 85 WPA_PUT_BE16(pos, conn->rl.tls_version);
a875087d
JL
86 pos += 2;
87 /* Random random: uint32 gmt_unix_time, opaque random_bytes */
88 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
89 pos += TLS_RANDOM_LEN;
90 /* SessionID session_id */
91 *pos++ = conn->session_id_len;
92 os_memcpy(pos, conn->session_id, conn->session_id_len);
93 pos += conn->session_id_len;
94 /* CipherSuite cipher_suite */
95 WPA_PUT_BE16(pos, conn->cipher_suite);
96 pos += 2;
97 /* CompressionMethod compression_method */
98 *pos++ = TLS_COMPRESSION_NULL;
99
100 if (conn->session_ticket && conn->session_ticket_cb) {
101 int res = conn->session_ticket_cb(
102 conn->session_ticket_cb_ctx,
103 conn->session_ticket, conn->session_ticket_len,
104 conn->client_random, conn->server_random,
105 conn->master_secret);
106 if (res < 0) {
107 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
108 "indicated failure");
109 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
110 TLS_ALERT_HANDSHAKE_FAILURE);
111 return -1;
112 }
113 conn->use_session_ticket = res;
114
115 if (conn->use_session_ticket) {
116 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
117 wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
118 "derive keys");
119 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
120 TLS_ALERT_INTERNAL_ERROR);
121 return -1;
122 }
123 }
124
125 /*
126 * RFC 4507 specifies that server would include an empty
127 * SessionTicket extension in ServerHello and a
128 * NewSessionTicket message after the ServerHello. However,
129 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
130 * extension at the moment, does not use such extensions.
131 *
132 * TODO: Add support for configuring RFC 4507 behavior and make
133 * EAP-FAST disable it.
134 */
135 }
136
137 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
138 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
139
140 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
4781064b
JM
141 rhdr, end - rhdr, hs_start, pos - hs_start,
142 &rlen) < 0) {
a875087d
JL
143 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
144 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
145 TLS_ALERT_INTERNAL_ERROR);
146 return -1;
147 }
148 pos = rhdr + rlen;
149
150 *msgpos = pos;
151
152 return 0;
153}
154
155
156static int tls_write_server_certificate(struct tlsv1_server *conn,
157 u8 **msgpos, u8 *end)
158{
159 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
160 size_t rlen;
161 struct x509_certificate *cert;
162 const struct tls_cipher_suite *suite;
163
164 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
165 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
166 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
167 "using anonymous DH");
168 return 0;
169 }
170
171 pos = *msgpos;
172
173 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
174 rhdr = pos;
175 pos += TLS_RECORD_HEADER_LEN;
176
177 /* opaque fragment[TLSPlaintext.length] */
178
179 /* Handshake */
180 hs_start = pos;
181 /* HandshakeType msg_type */
182 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
183 /* uint24 length (to be filled) */
184 hs_length = pos;
185 pos += 3;
186 /* body - Certificate */
187 /* uint24 length (to be filled) */
188 cert_start = pos;
189 pos += 3;
190 cert = conn->cred->cert;
191 while (cert) {
192 if (pos + 3 + cert->cert_len > end) {
193 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
194 "for Certificate (cert_len=%lu left=%lu)",
195 (unsigned long) cert->cert_len,
196 (unsigned long) (end - pos));
197 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
198 TLS_ALERT_INTERNAL_ERROR);
199 return -1;
200 }
201 WPA_PUT_BE24(pos, cert->cert_len);
202 pos += 3;
203 os_memcpy(pos, cert->cert_start, cert->cert_len);
204 pos += cert->cert_len;
205
206 if (x509_certificate_self_signed(cert))
207 break;
208 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
209 &cert->issuer);
210 }
211 if (cert == conn->cred->cert || cert == NULL) {
212 /*
213 * Server was not configured with all the needed certificates
214 * to form a full certificate chain. The client may fail to
215 * validate the chain unless it is configured with all the
216 * missing CA certificates.
217 */
218 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
219 "not configured - validation may fail");
220 }
221 WPA_PUT_BE24(cert_start, pos - cert_start - 3);
222
223 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
224
225 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
4781064b
JM
226 rhdr, end - rhdr, hs_start, pos - hs_start,
227 &rlen) < 0) {
a875087d
JL
228 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
229 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
230 TLS_ALERT_INTERNAL_ERROR);
231 return -1;
232 }
233 pos = rhdr + rlen;
234
235 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
236
237 *msgpos = pos;
238
239 return 0;
240}
241
242
243static int tls_write_server_key_exchange(struct tlsv1_server *conn,
244 u8 **msgpos, u8 *end)
245{
246 tls_key_exchange keyx;
247 const struct tls_cipher_suite *suite;
a875087d
JL
248 u8 *pos, *rhdr, *hs_start, *hs_length;
249 size_t rlen;
250 u8 *dh_ys;
251 size_t dh_ys_len;
a875087d
JL
252
253 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
254 if (suite == NULL)
255 keyx = TLS_KEY_X_NULL;
256 else
257 keyx = suite->key_exchange;
258
259 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
260 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
261 return 0;
262 }
263
264 if (keyx != TLS_KEY_X_DH_anon) {
265 /* TODO? */
266 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
267 "supported with key exchange type %d", keyx);
268 return -1;
269 }
270
a875087d
JL
271 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
272 conn->cred->dh_g == NULL) {
273 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
274 "ServerKeyExhcange");
275 return -1;
276 }
277
278 os_free(conn->dh_secret);
279 conn->dh_secret_len = conn->cred->dh_p_len;
280 conn->dh_secret = os_malloc(conn->dh_secret_len);
281 if (conn->dh_secret == NULL) {
282 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
283 "memory for secret (Diffie-Hellman)");
284 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
285 TLS_ALERT_INTERNAL_ERROR);
286 return -1;
287 }
4781064b 288 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
a875087d
JL
289 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
290 "data for Diffie-Hellman");
291 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
292 TLS_ALERT_INTERNAL_ERROR);
293 os_free(conn->dh_secret);
294 conn->dh_secret = NULL;
295 return -1;
296 }
297
298 if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) >
299 0)
300 conn->dh_secret[0] = 0; /* make sure secret < p */
301
302 pos = conn->dh_secret;
303 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
304 pos++;
305 if (pos != conn->dh_secret) {
306 os_memmove(conn->dh_secret, pos,
307 conn->dh_secret_len - (pos - conn->dh_secret));
308 conn->dh_secret_len -= pos - conn->dh_secret;
309 }
310 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
311 conn->dh_secret, conn->dh_secret_len);
312
313 /* Ys = g^secret mod p */
314 dh_ys_len = conn->cred->dh_p_len;
315 dh_ys = os_malloc(dh_ys_len);
316 if (dh_ys == NULL) {
317 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
318 "Diffie-Hellman");
319 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
320 TLS_ALERT_INTERNAL_ERROR);
321 return -1;
322 }
323 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
324 conn->dh_secret, conn->dh_secret_len,
325 conn->cred->dh_p, conn->cred->dh_p_len,
326 dh_ys, &dh_ys_len)) {
327 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
328 TLS_ALERT_INTERNAL_ERROR);
329 os_free(dh_ys);
330 return -1;
331 }
332
333 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
334 dh_ys, dh_ys_len);
335
336 /*
337 * struct {
338 * select (KeyExchangeAlgorithm) {
339 * case diffie_hellman:
340 * ServerDHParams params;
341 * Signature signed_params;
342 * case rsa:
343 * ServerRSAParams params;
344 * Signature signed_params;
345 * };
346 * } ServerKeyExchange;
347 *
348 * struct {
349 * opaque dh_p<1..2^16-1>;
350 * opaque dh_g<1..2^16-1>;
351 * opaque dh_Ys<1..2^16-1>;
352 * } ServerDHParams;
353 */
354
355 pos = *msgpos;
356
357 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange");
358 rhdr = pos;
359 pos += TLS_RECORD_HEADER_LEN;
360
361 /* opaque fragment[TLSPlaintext.length] */
362
363 /* Handshake */
364 hs_start = pos;
365 /* HandshakeType msg_type */
366 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
367 /* uint24 length (to be filled) */
368 hs_length = pos;
369 pos += 3;
370
371 /* body - ServerDHParams */
372 /* dh_p */
373 if (pos + 2 + conn->cred->dh_p_len > end) {
374 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
375 "dh_p");
376 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
377 TLS_ALERT_INTERNAL_ERROR);
378 os_free(dh_ys);
379 return -1;
380 }
381 WPA_PUT_BE16(pos, conn->cred->dh_p_len);
382 pos += 2;
383 os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len);
384 pos += conn->cred->dh_p_len;
385
386 /* dh_g */
387 if (pos + 2 + conn->cred->dh_g_len > end) {
388 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
389 "dh_g");
390 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
391 TLS_ALERT_INTERNAL_ERROR);
392 os_free(dh_ys);
393 return -1;
394 }
395 WPA_PUT_BE16(pos, conn->cred->dh_g_len);
396 pos += 2;
397 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
398 pos += conn->cred->dh_g_len;
399
400 /* dh_Ys */
401 if (pos + 2 + dh_ys_len > end) {
402 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
403 "dh_Ys");
404 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
405 TLS_ALERT_INTERNAL_ERROR);
406 os_free(dh_ys);
407 return -1;
408 }
409 WPA_PUT_BE16(pos, dh_ys_len);
410 pos += 2;
411 os_memcpy(pos, dh_ys, dh_ys_len);
412 pos += dh_ys_len;
413 os_free(dh_ys);
414
415 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
416
417 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
4781064b
JM
418 rhdr, end - rhdr, hs_start, pos - hs_start,
419 &rlen) < 0) {
a875087d
JL
420 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
421 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
422 TLS_ALERT_INTERNAL_ERROR);
423 return -1;
424 }
425 pos = rhdr + rlen;
426
427 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
428
429 *msgpos = pos;
430
431 return 0;
a875087d
JL
432}
433
434
435static int tls_write_server_certificate_request(struct tlsv1_server *conn,
436 u8 **msgpos, u8 *end)
437{
438 u8 *pos, *rhdr, *hs_start, *hs_length;
439 size_t rlen;
440
441 if (!conn->verify_peer) {
442 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
443 return 0;
444 }
445
446 pos = *msgpos;
447
448 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest");
449 rhdr = pos;
450 pos += TLS_RECORD_HEADER_LEN;
451
452 /* opaque fragment[TLSPlaintext.length] */
453
454 /* Handshake */
455 hs_start = pos;
456 /* HandshakeType msg_type */
457 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
458 /* uint24 length (to be filled) */
459 hs_length = pos;
460 pos += 3;
461 /* body - CertificateRequest */
462
463 /*
464 * enum {
465 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
466 * (255)
467 * } ClientCertificateType;
468 * ClientCertificateType certificate_types<1..2^8-1>
469 */
470 *pos++ = 1;
471 *pos++ = 1; /* rsa_sign */
472
473 /*
474 * opaque DistinguishedName<1..2^16-1>
475 * DistinguishedName certificate_authorities<3..2^16-1>
476 */
477 /* TODO: add support for listing DNs for trusted CAs */
478 WPA_PUT_BE16(pos, 0);
479 pos += 2;
480
481 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
482
483 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
4781064b
JM
484 rhdr, end - rhdr, hs_start, pos - hs_start,
485 &rlen) < 0) {
a875087d
JL
486 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
487 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
488 TLS_ALERT_INTERNAL_ERROR);
489 return -1;
490 }
491 pos = rhdr + rlen;
492
493 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
494
495 *msgpos = pos;
496
497 return 0;
498}
499
500
501static int tls_write_server_hello_done(struct tlsv1_server *conn,
502 u8 **msgpos, u8 *end)
503{
4781064b 504 u8 *pos;
a875087d 505 size_t rlen;
4781064b 506 u8 payload[4];
a875087d
JL
507
508 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone");
a875087d
JL
509
510 /* opaque fragment[TLSPlaintext.length] */
511
512 /* Handshake */
4781064b 513 pos = payload;
a875087d
JL
514 /* HandshakeType msg_type */
515 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
4781064b
JM
516 /* uint24 length */
517 WPA_PUT_BE24(pos, 0);
a875087d
JL
518 pos += 3;
519 /* body - ServerHelloDone (empty) */
520
a875087d 521 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
4781064b
JM
522 *msgpos, end - *msgpos, payload, pos - payload,
523 &rlen) < 0) {
a875087d
JL
524 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
525 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
526 TLS_ALERT_INTERNAL_ERROR);
527 return -1;
528 }
a875087d 529
4781064b 530 tls_verify_hash_add(&conn->verify, payload, pos - payload);
a875087d 531
4781064b 532 *msgpos += rlen;
a875087d
JL
533
534 return 0;
535}
536
537
538static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
539 u8 **msgpos, u8 *end)
540{
a875087d 541 size_t rlen;
4781064b 542 u8 payload[1];
a875087d
JL
543
544 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
4781064b
JM
545
546 payload[0] = TLS_CHANGE_CIPHER_SPEC;
547
a875087d 548 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
4781064b
JM
549 *msgpos, end - *msgpos, payload, sizeof(payload),
550 &rlen) < 0) {
a875087d
JL
551 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
552 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
553 TLS_ALERT_INTERNAL_ERROR);
554 return -1;
555 }
556
557 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
558 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
559 "record layer");
560 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
561 TLS_ALERT_INTERNAL_ERROR);
562 return -1;
563 }
564
4781064b 565 *msgpos += rlen;
a875087d
JL
566
567 return 0;
568}
569
570
571static int tls_write_server_finished(struct tlsv1_server *conn,
572 u8 **msgpos, u8 *end)
573{
4781064b 574 u8 *pos, *hs_start;
a875087d 575 size_t rlen, hlen;
4781064b 576 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
a875087d
JL
577 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
578
579 pos = *msgpos;
580
581 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
582
583 /* Encrypted Handshake Message: Finished */
584
4781064b
JM
585#ifdef CONFIG_TLSV12
586 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
587 hlen = SHA256_MAC_LEN;
588 if (conn->verify.sha256_server == NULL ||
589 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
590 < 0) {
591 conn->verify.sha256_server = NULL;
592 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
593 TLS_ALERT_INTERNAL_ERROR);
594 return -1;
595 }
596 conn->verify.sha256_server = NULL;
597 } else {
598#endif /* CONFIG_TLSV12 */
599
a875087d
JL
600 hlen = MD5_MAC_LEN;
601 if (conn->verify.md5_server == NULL ||
602 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
603 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
604 TLS_ALERT_INTERNAL_ERROR);
605 conn->verify.md5_server = NULL;
606 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
607 conn->verify.sha1_server = NULL;
608 return -1;
609 }
610 conn->verify.md5_server = NULL;
611 hlen = SHA1_MAC_LEN;
612 if (conn->verify.sha1_server == NULL ||
613 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
614 &hlen) < 0) {
615 conn->verify.sha1_server = NULL;
616 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
617 TLS_ALERT_INTERNAL_ERROR);
618 return -1;
619 }
620 conn->verify.sha1_server = NULL;
4781064b
JM
621 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
622
623#ifdef CONFIG_TLSV12
624 }
625#endif /* CONFIG_TLSV12 */
a875087d 626
4781064b
JM
627 if (tls_prf(conn->rl.tls_version,
628 conn->master_secret, TLS_MASTER_SECRET_LEN,
629 "server finished", hash, hlen,
630 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
a875087d
JL
631 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
632 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
633 TLS_ALERT_INTERNAL_ERROR);
634 return -1;
635 }
636 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
4781064b 637 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
a875087d 638
a875087d 639 /* Handshake */
4781064b 640 pos = hs_start = verify_data;
a875087d
JL
641 /* HandshakeType msg_type */
642 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
4781064b
JM
643 /* uint24 length */
644 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
a875087d 645 pos += 3;
a875087d 646 pos += TLS_VERIFY_DATA_LEN;
a875087d
JL
647 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
648
649 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
4781064b
JM
650 *msgpos, end - *msgpos, hs_start, pos - hs_start,
651 &rlen) < 0) {
a875087d
JL
652 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
653 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
654 TLS_ALERT_INTERNAL_ERROR);
655 return -1;
656 }
657
4781064b 658 *msgpos += rlen;
a875087d
JL
659
660 return 0;
661}
662
663
664static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
665{
666 u8 *msg, *end, *pos;
667 size_t msglen;
668
669 *out_len = 0;
670
671 msglen = 1000 + tls_server_cert_chain_der_len(conn);
672
673 msg = os_malloc(msglen);
674 if (msg == NULL)
675 return NULL;
676
677 pos = msg;
678 end = msg + msglen;
679
680 if (tls_write_server_hello(conn, &pos, end) < 0) {
681 os_free(msg);
682 return NULL;
683 }
684
685 if (conn->use_session_ticket) {
686 /* Abbreviated handshake using session ticket; RFC 4507 */
687 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
688 tls_write_server_finished(conn, &pos, end) < 0) {
689 os_free(msg);
690 return NULL;
691 }
692
693 *out_len = pos - msg;
694
695 conn->state = CHANGE_CIPHER_SPEC;
696
697 return msg;
698 }
699
700 /* Full handshake */
701 if (tls_write_server_certificate(conn, &pos, end) < 0 ||
702 tls_write_server_key_exchange(conn, &pos, end) < 0 ||
703 tls_write_server_certificate_request(conn, &pos, end) < 0 ||
704 tls_write_server_hello_done(conn, &pos, end) < 0) {
705 os_free(msg);
706 return NULL;
707 }
708
709 *out_len = pos - msg;
710
711 conn->state = CLIENT_CERTIFICATE;
712
713 return msg;
714}
715
716
717static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
718 size_t *out_len)
719{
720 u8 *msg, *end, *pos;
721
722 *out_len = 0;
723
724 msg = os_malloc(1000);
725 if (msg == NULL)
726 return NULL;
727
728 pos = msg;
729 end = msg + 1000;
730
731 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
732 tls_write_server_finished(conn, &pos, end) < 0) {
733 os_free(msg);
734 return NULL;
735 }
736
737 *out_len = pos - msg;
738
739 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully");
740 conn->state = ESTABLISHED;
741
742 return msg;
743}
744
745
746u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
747{
748 switch (conn->state) {
749 case SERVER_HELLO:
750 return tls_send_server_hello(conn, out_len);
751 case SERVER_CHANGE_CIPHER_SPEC:
752 return tls_send_change_cipher_spec(conn, out_len);
753 default:
754 if (conn->state == ESTABLISHED && conn->use_session_ticket) {
755 /* Abbreviated handshake was already completed. */
756 return NULL;
757 }
758 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
759 "generating reply", conn->state);
760 return NULL;
761 }
762}
763
764
765u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
766 u8 description, size_t *out_len)
767{
768 u8 *alert, *pos, *length;
769
770 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
771 *out_len = 0;
772
773 alert = os_malloc(10);
774 if (alert == NULL)
775 return NULL;
776
777 pos = alert;
778
779 /* TLSPlaintext */
780 /* ContentType type */
781 *pos++ = TLS_CONTENT_TYPE_ALERT;
782 /* ProtocolVersion version */
4781064b
JM
783 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
784 TLS_VERSION);
a875087d
JL
785 pos += 2;
786 /* uint16 length (to be filled) */
787 length = pos;
788 pos += 2;
789 /* opaque fragment[TLSPlaintext.length] */
790
791 /* Alert */
792 /* AlertLevel level */
793 *pos++ = level;
794 /* AlertDescription description */
795 *pos++ = description;
796
797 WPA_PUT_BE16(length, pos - length - 2);
798 *out_len = pos - alert;
799
800 return alert;
801}