2 * TLSv1 server - write handshake message
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "crypto/random.h"
18 #include "tlsv1_common.h"
19 #include "tlsv1_record.h"
20 #include "tlsv1_server.h"
21 #include "tlsv1_server_i.h"
24 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
27 struct x509_certificate *cert;
29 cert = conn->cred ? conn->cred->cert : NULL;
31 len += 3 + cert->cert_len;
32 if (x509_certificate_self_signed(cert))
34 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
42 static int tls_write_server_hello(struct tlsv1_server *conn,
45 u8 *pos, *rhdr, *hs_start, *hs_length, *ext_start;
51 tlsv1_server_log(conn, "Send ServerHello");
53 pos += TLS_RECORD_HEADER_LEN;
58 #endif /* TEST_FUZZ */
59 WPA_PUT_BE32(conn->server_random, now.sec);
60 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
61 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
65 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
66 conn->server_random, TLS_RANDOM_LEN);
68 conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
69 if (random_get_bytes(conn->session_id, conn->session_id_len)) {
70 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
74 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
75 conn->session_id, conn->session_id_len);
77 /* opaque fragment[TLSPlaintext.length] */
81 /* HandshakeType msg_type */
82 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
83 /* uint24 length (to be filled) */
86 /* body - ServerHello */
87 /* ProtocolVersion server_version */
88 WPA_PUT_BE16(pos, conn->rl.tls_version);
90 /* Random random: uint32 gmt_unix_time, opaque random_bytes */
91 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
92 pos += TLS_RANDOM_LEN;
93 /* SessionID session_id */
94 *pos++ = conn->session_id_len;
95 os_memcpy(pos, conn->session_id, conn->session_id_len);
96 pos += conn->session_id_len;
97 /* CipherSuite cipher_suite */
98 WPA_PUT_BE16(pos, conn->cipher_suite);
100 /* CompressionMethod compression_method */
101 *pos++ = TLS_COMPRESSION_NULL;
107 if (conn->status_request) {
108 /* Add a status_request extension with empty extension_data */
109 /* ExtensionsType extension_type = status_request(5) */
110 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
112 /* opaque extension_data<0..2^16-1> length */
113 WPA_PUT_BE16(pos, 0);
117 if (conn->status_request_v2) {
119 Add a status_request_v2 extension with empty extension_data
121 /* ExtensionsType extension_type = status_request_v2(17) */
122 WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST_V2);
124 /* opaque extension_data<0..2^16-1> length */
125 WPA_PUT_BE16(pos, 0);
129 if (conn->session_ticket && conn->session_ticket_cb) {
130 int res = conn->session_ticket_cb(
131 conn->session_ticket_cb_ctx,
132 conn->session_ticket, conn->session_ticket_len,
133 conn->client_random, conn->server_random,
134 conn->master_secret);
136 tlsv1_server_log(conn, "SessionTicket callback indicated failure");
137 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
138 TLS_ALERT_HANDSHAKE_FAILURE);
141 conn->use_session_ticket = res;
143 if (conn->use_session_ticket) {
144 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
145 wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
147 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
148 TLS_ALERT_INTERNAL_ERROR);
154 * RFC 4507 specifies that server would include an empty
155 * SessionTicket extension in ServerHello and a
156 * NewSessionTicket message after the ServerHello. However,
157 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
158 * extension at the moment, does not use such extensions.
160 * TODO: Add support for configuring RFC 4507 behavior and make
161 * EAP-FAST disable it.
165 if (pos == ext_start + 2)
166 pos -= 2; /* no extensions */
168 WPA_PUT_BE16(ext_start, pos - ext_start - 2);
170 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
171 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
173 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
174 rhdr, end - rhdr, hs_start, pos - hs_start,
176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
177 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
178 TLS_ALERT_INTERNAL_ERROR);
189 static int tls_write_server_certificate(struct tlsv1_server *conn,
190 u8 **msgpos, u8 *end)
192 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
194 struct x509_certificate *cert;
195 const struct tls_cipher_suite *suite;
197 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
198 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
199 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
200 "using anonymous DH");
205 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 3 > end - pos) {
206 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
207 TLS_ALERT_INTERNAL_ERROR);
211 tlsv1_server_log(conn, "Send Certificate");
213 pos += TLS_RECORD_HEADER_LEN;
215 /* opaque fragment[TLSPlaintext.length] */
219 /* HandshakeType msg_type */
220 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
221 /* uint24 length (to be filled) */
224 /* body - Certificate */
225 /* uint24 length (to be filled) */
228 cert = conn->cred->cert;
230 if (3 + cert->cert_len > (size_t) (end - pos)) {
231 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
232 "for Certificate (cert_len=%lu left=%lu)",
233 (unsigned long) cert->cert_len,
234 (unsigned long) (end - pos));
235 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
236 TLS_ALERT_INTERNAL_ERROR);
239 WPA_PUT_BE24(pos, cert->cert_len);
241 os_memcpy(pos, cert->cert_start, cert->cert_len);
242 pos += cert->cert_len;
244 if (x509_certificate_self_signed(cert))
246 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
249 if (cert == conn->cred->cert || cert == NULL) {
251 * Server was not configured with all the needed certificates
252 * to form a full certificate chain. The client may fail to
253 * validate the chain unless it is configured with all the
254 * missing CA certificates.
256 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
257 "not configured - validation may fail");
259 WPA_PUT_BE24(cert_start, pos - cert_start - 3);
261 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
263 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
264 rhdr, end - rhdr, hs_start, pos - hs_start,
266 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
267 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
268 TLS_ALERT_INTERNAL_ERROR);
273 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
281 static int tls_write_server_certificate_status(struct tlsv1_server *conn,
282 u8 **msgpos, u8 *end,
285 size_t ocsp_resp_len)
287 u8 *pos, *rhdr, *hs_start, *hs_length;
292 * Client did not request certificate status or there is no
293 * matching response cached.
299 if (TLS_RECORD_HEADER_LEN + 1 + 3 + 1 + 3 + ocsp_resp_len >
300 (unsigned int) (end - pos)) {
301 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
302 TLS_ALERT_INTERNAL_ERROR);
306 tlsv1_server_log(conn, "Send CertificateStatus (multi=%d)", ocsp_multi);
308 pos += TLS_RECORD_HEADER_LEN;
310 /* opaque fragment[TLSPlaintext.length] */
314 /* HandshakeType msg_type */
315 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS;
316 /* uint24 length (to be filled) */
320 /* body - CertificateStatus
323 * CertificateStatusType status_type;
324 * select (status_type) {
325 * case ocsp: OCSPResponse;
326 * case ocsp_multi: OCSPResponseList;
328 * } CertificateStatus;
330 * opaque OCSPResponse<1..2^24-1>;
333 * OCSPResponse ocsp_response_list<1..2^24-1>;
334 * } OCSPResponseList;
337 /* CertificateStatusType status_type */
339 *pos++ = 2; /* ocsp_multi(2) */
341 *pos++ = 1; /* ocsp(1) */
342 /* uint24 length of OCSPResponse */
343 WPA_PUT_BE24(pos, ocsp_resp_len);
345 os_memcpy(pos, ocsp_resp, ocsp_resp_len);
346 pos += ocsp_resp_len;
348 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
350 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
351 rhdr, end - rhdr, hs_start, pos - hs_start,
353 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
354 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
355 TLS_ALERT_INTERNAL_ERROR);
360 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
368 static int tls_write_server_key_exchange(struct tlsv1_server *conn,
369 u8 **msgpos, u8 *end)
371 tls_key_exchange keyx;
372 const struct tls_cipher_suite *suite;
373 u8 *pos, *rhdr, *hs_start, *hs_length, *server_params;
380 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
382 keyx = TLS_KEY_X_NULL;
384 keyx = suite->key_exchange;
386 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
387 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
391 if (keyx != TLS_KEY_X_DH_anon && keyx != TLS_KEY_X_DHE_RSA) {
392 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
393 "supported with key exchange type %d", keyx);
397 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
398 conn->cred->dh_g == NULL) {
399 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
400 "ServerKeyExhcange");
404 tlsv1_server_get_dh_p(conn, &dh_p, &dh_p_len);
406 os_free(conn->dh_secret);
407 conn->dh_secret_len = dh_p_len;
408 conn->dh_secret = os_malloc(conn->dh_secret_len);
409 if (conn->dh_secret == NULL) {
410 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
411 "memory for secret (Diffie-Hellman)");
412 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
413 TLS_ALERT_INTERNAL_ERROR);
416 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
417 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
418 "data for Diffie-Hellman");
419 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
420 TLS_ALERT_INTERNAL_ERROR);
421 os_free(conn->dh_secret);
422 conn->dh_secret = NULL;
426 if (os_memcmp(conn->dh_secret, dh_p, conn->dh_secret_len) > 0)
427 conn->dh_secret[0] = 0; /* make sure secret < p */
429 pos = conn->dh_secret;
430 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
432 if (pos != conn->dh_secret) {
433 os_memmove(conn->dh_secret, pos,
434 conn->dh_secret_len - (pos - conn->dh_secret));
435 conn->dh_secret_len -= pos - conn->dh_secret;
437 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
438 conn->dh_secret, conn->dh_secret_len);
440 /* Ys = g^secret mod p */
441 dh_ys_len = dh_p_len;
442 dh_ys = os_malloc(dh_ys_len);
444 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
446 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
447 TLS_ALERT_INTERNAL_ERROR);
450 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
451 conn->dh_secret, conn->dh_secret_len,
452 dh_p, dh_p_len, dh_ys, &dh_ys_len)) {
453 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
454 TLS_ALERT_INTERNAL_ERROR);
459 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
464 * select (KeyExchangeAlgorithm) {
465 * case diffie_hellman:
466 * ServerDHParams params;
467 * Signature signed_params;
469 * ServerRSAParams params;
470 * Signature signed_params;
472 * } ServerKeyExchange;
475 * opaque dh_p<1..2^16-1>;
476 * opaque dh_g<1..2^16-1>;
477 * opaque dh_Ys<1..2^16-1>;
483 tlsv1_server_log(conn, "Send ServerKeyExchange");
485 pos += TLS_RECORD_HEADER_LEN;
487 /* opaque fragment[TLSPlaintext.length] */
491 /* HandshakeType msg_type */
492 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
493 /* uint24 length (to be filled) */
497 /* body - ServerDHParams */
500 if (2 + dh_p_len > (size_t) (end - pos)) {
501 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
503 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
504 TLS_ALERT_INTERNAL_ERROR);
508 WPA_PUT_BE16(pos, dh_p_len);
510 os_memcpy(pos, dh_p, dh_p_len);
514 if (2 + conn->cred->dh_g_len > (size_t) (end - pos)) {
515 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
517 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
518 TLS_ALERT_INTERNAL_ERROR);
522 WPA_PUT_BE16(pos, conn->cred->dh_g_len);
524 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
525 pos += conn->cred->dh_g_len;
528 if (2 + dh_ys_len > (size_t) (end - pos)) {
529 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
531 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
532 TLS_ALERT_INTERNAL_ERROR);
536 WPA_PUT_BE16(pos, dh_ys_len);
538 os_memcpy(pos, dh_ys, dh_ys_len);
543 * select (SignatureAlgorithm)
544 * { case anonymous: struct { };
546 * digitally-signed struct {
547 * opaque md5_hash[16];
548 * opaque sha_hash[20];
551 * digitally-signed struct {
552 * opaque sha_hash[20];
557 * MD5(ClientHello.random + ServerHello.random + ServerParams);
560 * SHA(ClientHello.random + ServerHello.random + ServerParams);
563 if (keyx == TLS_KEY_X_DHE_RSA) {
569 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
571 hlen = tlsv12_key_x_server_params_hash(
572 conn->rl.tls_version, TLS_HASH_ALG_SHA256,
574 conn->server_random, server_params,
575 pos - server_params, hash + 19);
579 * TLS v1.2 adds explicit indication of the used
580 * signature and hash algorithms.
583 * HashAlgorithm hash;
584 * SignatureAlgorithm signature;
585 * } SignatureAndHashAlgorithm;
587 if (hlen < 0 || end - pos < 2) {
588 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
589 TLS_ALERT_INTERNAL_ERROR);
592 *pos++ = TLS_HASH_ALG_SHA256;
593 *pos++ = TLS_SIGN_ALG_RSA;
596 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
598 * DigestInfo ::= SEQUENCE {
599 * digestAlgorithm DigestAlgorithm,
600 * digest OCTET STRING
603 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
605 * DER encoded DigestInfo for SHA256 per RFC 3447:
606 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00
611 "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65"
612 "\x03\x04\x02\x01\x05\x00\x04\x20", 19);
614 #else /* CONFIG_TLSV12 */
615 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
616 TLS_ALERT_INTERNAL_ERROR);
618 #endif /* CONFIG_TLSV12 */
620 hlen = tls_key_x_server_params_hash(
621 conn->rl.tls_version, conn->client_random,
622 conn->server_random, server_params,
623 pos - server_params, hash);
627 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
628 TLS_ALERT_INTERNAL_ERROR);
632 wpa_hexdump(MSG_MSGDUMP, "TLS: ServerKeyExchange signed_params hash",
634 #ifdef CONFIG_TESTING_OPTIONS
635 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_HASH) {
636 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params hash");
637 hash[hlen - 1] ^= 0x80;
639 #endif /* CONFIG_TESTING_OPTIONS */
643 * In digital signing, one-way hash functions are used as input
644 * for a signing algorithm. A digitally-signed element is
645 * encoded as an opaque vector <0..2^16-1>, where the length is
646 * specified by the signing algorithm and key.
648 * In RSA signing, a 36-byte structure of two hashes (one SHA
649 * and one MD5) is signed (encrypted with the private key). It
650 * is encoded with PKCS #1 block type 0 or type 1 as described
653 signed_start = pos; /* length to be filled */
656 if (conn->cred == NULL ||
657 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen,
659 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)");
660 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
661 TLS_ALERT_INTERNAL_ERROR);
664 WPA_PUT_BE16(signed_start, clen);
665 #ifdef CONFIG_TESTING_OPTIONS
666 if (conn->test_flags & TLS_BREAK_SRV_KEY_X_SIGNATURE) {
667 tlsv1_server_log(conn, "TESTING: Break ServerKeyExchange signed params signature");
668 pos[clen - 1] ^= 0x80;
670 #endif /* CONFIG_TESTING_OPTIONS */
675 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
677 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
678 rhdr, end - rhdr, hs_start, pos - hs_start,
680 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
681 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
682 TLS_ALERT_INTERNAL_ERROR);
687 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
695 static int tls_write_server_certificate_request(struct tlsv1_server *conn,
696 u8 **msgpos, u8 *end)
698 u8 *pos, *rhdr, *hs_start, *hs_length;
701 if (!conn->verify_peer) {
702 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
708 tlsv1_server_log(conn, "Send CertificateRequest");
710 pos += TLS_RECORD_HEADER_LEN;
712 /* opaque fragment[TLSPlaintext.length] */
716 /* HandshakeType msg_type */
717 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
718 /* uint24 length (to be filled) */
721 /* body - CertificateRequest */
725 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
727 * } ClientCertificateType;
728 * ClientCertificateType certificate_types<1..2^8-1>
731 *pos++ = 1; /* rsa_sign */
734 * opaque DistinguishedName<1..2^16-1>
735 * DistinguishedName certificate_authorities<3..2^16-1>
737 /* TODO: add support for listing DNs for trusted CAs */
738 WPA_PUT_BE16(pos, 0);
741 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
743 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
744 rhdr, end - rhdr, hs_start, pos - hs_start,
746 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
747 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
748 TLS_ALERT_INTERNAL_ERROR);
753 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
761 static int tls_write_server_hello_done(struct tlsv1_server *conn,
762 u8 **msgpos, u8 *end)
768 tlsv1_server_log(conn, "Send ServerHelloDone");
770 /* opaque fragment[TLSPlaintext.length] */
774 /* HandshakeType msg_type */
775 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
777 WPA_PUT_BE24(pos, 0);
779 /* body - ServerHelloDone (empty) */
781 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
782 *msgpos, end - *msgpos, payload, pos - payload,
784 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
785 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
786 TLS_ALERT_INTERNAL_ERROR);
790 tls_verify_hash_add(&conn->verify, payload, pos - payload);
798 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
799 u8 **msgpos, u8 *end)
804 tlsv1_server_log(conn, "Send ChangeCipherSpec");
806 payload[0] = TLS_CHANGE_CIPHER_SPEC;
808 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
809 *msgpos, end - *msgpos, payload, sizeof(payload),
811 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
812 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
813 TLS_ALERT_INTERNAL_ERROR);
817 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
818 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
820 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
821 TLS_ALERT_INTERNAL_ERROR);
831 static int tls_write_server_finished(struct tlsv1_server *conn,
832 u8 **msgpos, u8 *end)
836 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
837 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
841 tlsv1_server_log(conn, "Send Finished");
843 /* Encrypted Handshake Message: Finished */
846 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
847 hlen = SHA256_MAC_LEN;
848 if (conn->verify.sha256_server == NULL ||
849 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
851 conn->verify.sha256_server = NULL;
852 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
853 TLS_ALERT_INTERNAL_ERROR);
856 conn->verify.sha256_server = NULL;
858 #endif /* CONFIG_TLSV12 */
861 if (conn->verify.md5_server == NULL ||
862 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
863 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
864 TLS_ALERT_INTERNAL_ERROR);
865 conn->verify.md5_server = NULL;
866 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
867 conn->verify.sha1_server = NULL;
870 conn->verify.md5_server = NULL;
872 if (conn->verify.sha1_server == NULL ||
873 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
875 conn->verify.sha1_server = NULL;
876 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
877 TLS_ALERT_INTERNAL_ERROR);
880 conn->verify.sha1_server = NULL;
881 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
885 #endif /* CONFIG_TLSV12 */
887 if (tls_prf(conn->rl.tls_version,
888 conn->master_secret, TLS_MASTER_SECRET_LEN,
889 "server finished", hash, hlen,
890 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
891 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
892 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
893 TLS_ALERT_INTERNAL_ERROR);
896 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
897 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
898 #ifdef CONFIG_TESTING_OPTIONS
899 if (conn->test_flags & TLS_BREAK_VERIFY_DATA) {
900 tlsv1_server_log(conn, "TESTING: Break verify_data (server)");
901 verify_data[1 + 3 + 1] ^= 0x80;
903 #endif /* CONFIG_TESTING_OPTIONS */
906 pos = hs_start = verify_data;
907 /* HandshakeType msg_type */
908 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
910 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
912 pos += TLS_VERIFY_DATA_LEN;
913 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
915 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
916 *msgpos, end - *msgpos, hs_start, pos - hs_start,
918 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
919 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
920 TLS_ALERT_INTERNAL_ERROR);
930 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
935 char *ocsp_resp = NULL;
936 size_t ocsp_resp_len = 0;
940 if (conn->status_request_multi &&
941 conn->cred->ocsp_stapling_response_multi) {
942 ocsp_resp = os_readfile(
943 conn->cred->ocsp_stapling_response_multi,
946 } else if ((conn->status_request || conn->status_request_v2) &&
947 conn->cred->ocsp_stapling_response) {
948 ocsp_resp = os_readfile(conn->cred->ocsp_stapling_response,
954 msglen = 1000 + tls_server_cert_chain_der_len(conn) + ocsp_resp_len;
956 msg = os_malloc(msglen);
965 if (tls_write_server_hello(conn, &pos, end) < 0) {
971 if (conn->use_session_ticket) {
974 /* Abbreviated handshake using session ticket; RFC 4507 */
975 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
976 tls_write_server_finished(conn, &pos, end) < 0) {
981 *out_len = pos - msg;
983 conn->state = CHANGE_CIPHER_SPEC;
989 if (tls_write_server_certificate(conn, &pos, end) < 0 ||
990 tls_write_server_certificate_status(conn, &pos, end, ocsp_multi,
991 ocsp_resp, ocsp_resp_len) < 0 ||
992 tls_write_server_key_exchange(conn, &pos, end) < 0 ||
993 tls_write_server_certificate_request(conn, &pos, end) < 0 ||
994 tls_write_server_hello_done(conn, &pos, end) < 0) {
1001 *out_len = pos - msg;
1003 conn->state = CLIENT_CERTIFICATE;
1009 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
1012 u8 *msg, *end, *pos;
1016 msg = os_malloc(1000);
1023 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
1024 tls_write_server_finished(conn, &pos, end) < 0) {
1029 *out_len = pos - msg;
1031 tlsv1_server_log(conn, "Handshake completed successfully");
1032 conn->state = ESTABLISHED;
1038 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
1040 switch (conn->state) {
1042 return tls_send_server_hello(conn, out_len);
1043 case SERVER_CHANGE_CIPHER_SPEC:
1044 return tls_send_change_cipher_spec(conn, out_len);
1046 if (conn->state == ESTABLISHED && conn->use_session_ticket) {
1047 /* Abbreviated handshake was already completed. */
1050 tlsv1_server_log(conn, "Unexpected state %d while generating reply",
1057 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
1058 u8 description, size_t *out_len)
1060 u8 *alert, *pos, *length;
1062 tlsv1_server_log(conn, "Send Alert(%d:%d)", level, description);
1065 alert = os_malloc(10);
1072 /* ContentType type */
1073 *pos++ = TLS_CONTENT_TYPE_ALERT;
1074 /* ProtocolVersion version */
1075 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
1078 /* uint16 length (to be filled) */
1081 /* opaque fragment[TLSPlaintext.length] */
1084 /* AlertLevel level */
1086 /* AlertDescription description */
1087 *pos++ = description;
1089 WPA_PUT_BE16(length, pos - length - 2);
1090 *out_len = pos - alert;