2 * TLS v1.0 (RFC 2246) and v1.1 (RFC 4346) server - write handshake message
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/md5.h"
19 #include "crypto/sha1.h"
20 #include "crypto/sha256.h"
21 #include "crypto/tls.h"
22 #include "crypto/random.h"
24 #include "tlsv1_common.h"
25 #include "tlsv1_record.h"
26 #include "tlsv1_server.h"
27 #include "tlsv1_server_i.h"
30 static size_t tls_server_cert_chain_der_len(struct tlsv1_server *conn)
33 struct x509_certificate *cert;
35 cert = conn->cred->cert;
37 len += 3 + cert->cert_len;
38 if (x509_certificate_self_signed(cert))
40 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
48 static int tls_write_server_hello(struct tlsv1_server *conn,
51 u8 *pos, *rhdr, *hs_start, *hs_length;
57 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHello");
59 pos += TLS_RECORD_HEADER_LEN;
62 WPA_PUT_BE32(conn->server_random, now.sec);
63 if (random_get_bytes(conn->server_random + 4, TLS_RANDOM_LEN - 4)) {
64 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
68 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
69 conn->server_random, TLS_RANDOM_LEN);
71 conn->session_id_len = TLS_SESSION_ID_MAX_LEN;
72 if (random_get_bytes(conn->session_id, conn->session_id_len)) {
73 wpa_printf(MSG_ERROR, "TLSv1: Could not generate "
77 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
78 conn->session_id, conn->session_id_len);
80 /* opaque fragment[TLSPlaintext.length] */
84 /* HandshakeType msg_type */
85 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO;
86 /* uint24 length (to be filled) */
89 /* body - ServerHello */
90 /* ProtocolVersion server_version */
91 WPA_PUT_BE16(pos, conn->rl.tls_version);
93 /* Random random: uint32 gmt_unix_time, opaque random_bytes */
94 os_memcpy(pos, conn->server_random, TLS_RANDOM_LEN);
95 pos += TLS_RANDOM_LEN;
96 /* SessionID session_id */
97 *pos++ = conn->session_id_len;
98 os_memcpy(pos, conn->session_id, conn->session_id_len);
99 pos += conn->session_id_len;
100 /* CipherSuite cipher_suite */
101 WPA_PUT_BE16(pos, conn->cipher_suite);
103 /* CompressionMethod compression_method */
104 *pos++ = TLS_COMPRESSION_NULL;
106 if (conn->session_ticket && conn->session_ticket_cb) {
107 int res = conn->session_ticket_cb(
108 conn->session_ticket_cb_ctx,
109 conn->session_ticket, conn->session_ticket_len,
110 conn->client_random, conn->server_random,
111 conn->master_secret);
113 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
114 "indicated failure");
115 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
116 TLS_ALERT_HANDSHAKE_FAILURE);
119 conn->use_session_ticket = res;
121 if (conn->use_session_ticket) {
122 if (tlsv1_server_derive_keys(conn, NULL, 0) < 0) {
123 wpa_printf(MSG_DEBUG, "TLSv1: Failed to "
125 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
126 TLS_ALERT_INTERNAL_ERROR);
132 * RFC 4507 specifies that server would include an empty
133 * SessionTicket extension in ServerHello and a
134 * NewSessionTicket message after the ServerHello. However,
135 * EAP-FAST (RFC 4851), i.e., the only user of SessionTicket
136 * extension at the moment, does not use such extensions.
138 * TODO: Add support for configuring RFC 4507 behavior and make
139 * EAP-FAST disable it.
143 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
144 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
146 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
147 rhdr, end - rhdr, hs_start, pos - hs_start,
149 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create TLS record");
150 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
151 TLS_ALERT_INTERNAL_ERROR);
162 static int tls_write_server_certificate(struct tlsv1_server *conn,
163 u8 **msgpos, u8 *end)
165 u8 *pos, *rhdr, *hs_start, *hs_length, *cert_start;
167 struct x509_certificate *cert;
168 const struct tls_cipher_suite *suite;
170 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
171 if (suite && suite->key_exchange == TLS_KEY_X_DH_anon) {
172 wpa_printf(MSG_DEBUG, "TLSv1: Do not send Certificate when "
173 "using anonymous DH");
179 wpa_printf(MSG_DEBUG, "TLSv1: Send Certificate");
181 pos += TLS_RECORD_HEADER_LEN;
183 /* opaque fragment[TLSPlaintext.length] */
187 /* HandshakeType msg_type */
188 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE;
189 /* uint24 length (to be filled) */
192 /* body - Certificate */
193 /* uint24 length (to be filled) */
196 cert = conn->cred->cert;
198 if (pos + 3 + cert->cert_len > end) {
199 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space "
200 "for Certificate (cert_len=%lu left=%lu)",
201 (unsigned long) cert->cert_len,
202 (unsigned long) (end - pos));
203 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
204 TLS_ALERT_INTERNAL_ERROR);
207 WPA_PUT_BE24(pos, cert->cert_len);
209 os_memcpy(pos, cert->cert_start, cert->cert_len);
210 pos += cert->cert_len;
212 if (x509_certificate_self_signed(cert))
214 cert = x509_certificate_get_subject(conn->cred->trusted_certs,
217 if (cert == conn->cred->cert || cert == NULL) {
219 * Server was not configured with all the needed certificates
220 * to form a full certificate chain. The client may fail to
221 * validate the chain unless it is configured with all the
222 * missing CA certificates.
224 wpa_printf(MSG_DEBUG, "TLSv1: Full server certificate chain "
225 "not configured - validation may fail");
227 WPA_PUT_BE24(cert_start, pos - cert_start - 3);
229 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
231 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
232 rhdr, end - rhdr, hs_start, pos - hs_start,
234 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
235 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
236 TLS_ALERT_INTERNAL_ERROR);
241 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
249 static int tls_write_server_key_exchange(struct tlsv1_server *conn,
250 u8 **msgpos, u8 *end)
252 tls_key_exchange keyx;
253 const struct tls_cipher_suite *suite;
254 u8 *pos, *rhdr, *hs_start, *hs_length;
259 suite = tls_get_cipher_suite(conn->rl.cipher_suite);
261 keyx = TLS_KEY_X_NULL;
263 keyx = suite->key_exchange;
265 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
266 wpa_printf(MSG_DEBUG, "TLSv1: No ServerKeyExchange needed");
270 if (keyx != TLS_KEY_X_DH_anon) {
272 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not yet "
273 "supported with key exchange type %d", keyx);
277 if (conn->cred == NULL || conn->cred->dh_p == NULL ||
278 conn->cred->dh_g == NULL) {
279 wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available for "
280 "ServerKeyExhcange");
284 os_free(conn->dh_secret);
285 conn->dh_secret_len = conn->cred->dh_p_len;
286 conn->dh_secret = os_malloc(conn->dh_secret_len);
287 if (conn->dh_secret == NULL) {
288 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate "
289 "memory for secret (Diffie-Hellman)");
290 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
291 TLS_ALERT_INTERNAL_ERROR);
294 if (random_get_bytes(conn->dh_secret, conn->dh_secret_len)) {
295 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
296 "data for Diffie-Hellman");
297 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
298 TLS_ALERT_INTERNAL_ERROR);
299 os_free(conn->dh_secret);
300 conn->dh_secret = NULL;
304 if (os_memcmp(conn->dh_secret, conn->cred->dh_p, conn->dh_secret_len) >
306 conn->dh_secret[0] = 0; /* make sure secret < p */
308 pos = conn->dh_secret;
309 while (pos + 1 < conn->dh_secret + conn->dh_secret_len && *pos == 0)
311 if (pos != conn->dh_secret) {
312 os_memmove(conn->dh_secret, pos,
313 conn->dh_secret_len - (pos - conn->dh_secret));
314 conn->dh_secret_len -= pos - conn->dh_secret;
316 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH server's secret value",
317 conn->dh_secret, conn->dh_secret_len);
319 /* Ys = g^secret mod p */
320 dh_ys_len = conn->cred->dh_p_len;
321 dh_ys = os_malloc(dh_ys_len);
323 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate memory for "
325 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 TLS_ALERT_INTERNAL_ERROR);
329 if (crypto_mod_exp(conn->cred->dh_g, conn->cred->dh_g_len,
330 conn->dh_secret, conn->dh_secret_len,
331 conn->cred->dh_p, conn->cred->dh_p_len,
332 dh_ys, &dh_ys_len)) {
333 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
334 TLS_ALERT_INTERNAL_ERROR);
339 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
344 * select (KeyExchangeAlgorithm) {
345 * case diffie_hellman:
346 * ServerDHParams params;
347 * Signature signed_params;
349 * ServerRSAParams params;
350 * Signature signed_params;
352 * } ServerKeyExchange;
355 * opaque dh_p<1..2^16-1>;
356 * opaque dh_g<1..2^16-1>;
357 * opaque dh_Ys<1..2^16-1>;
363 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerKeyExchange");
365 pos += TLS_RECORD_HEADER_LEN;
367 /* opaque fragment[TLSPlaintext.length] */
371 /* HandshakeType msg_type */
372 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE;
373 /* uint24 length (to be filled) */
377 /* body - ServerDHParams */
379 if (pos + 2 + conn->cred->dh_p_len > end) {
380 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
382 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
383 TLS_ALERT_INTERNAL_ERROR);
387 WPA_PUT_BE16(pos, conn->cred->dh_p_len);
389 os_memcpy(pos, conn->cred->dh_p, conn->cred->dh_p_len);
390 pos += conn->cred->dh_p_len;
393 if (pos + 2 + conn->cred->dh_g_len > end) {
394 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
396 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
397 TLS_ALERT_INTERNAL_ERROR);
401 WPA_PUT_BE16(pos, conn->cred->dh_g_len);
403 os_memcpy(pos, conn->cred->dh_g, conn->cred->dh_g_len);
404 pos += conn->cred->dh_g_len;
407 if (pos + 2 + dh_ys_len > end) {
408 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space for "
410 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
411 TLS_ALERT_INTERNAL_ERROR);
415 WPA_PUT_BE16(pos, dh_ys_len);
417 os_memcpy(pos, dh_ys, dh_ys_len);
421 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
423 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
424 rhdr, end - rhdr, hs_start, pos - hs_start,
426 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
427 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
428 TLS_ALERT_INTERNAL_ERROR);
433 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
441 static int tls_write_server_certificate_request(struct tlsv1_server *conn,
442 u8 **msgpos, u8 *end)
444 u8 *pos, *rhdr, *hs_start, *hs_length;
447 if (!conn->verify_peer) {
448 wpa_printf(MSG_DEBUG, "TLSv1: No CertificateRequest needed");
454 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateRequest");
456 pos += TLS_RECORD_HEADER_LEN;
458 /* opaque fragment[TLSPlaintext.length] */
462 /* HandshakeType msg_type */
463 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST;
464 /* uint24 length (to be filled) */
467 /* body - CertificateRequest */
471 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
473 * } ClientCertificateType;
474 * ClientCertificateType certificate_types<1..2^8-1>
477 *pos++ = 1; /* rsa_sign */
480 * opaque DistinguishedName<1..2^16-1>
481 * DistinguishedName certificate_authorities<3..2^16-1>
483 /* TODO: add support for listing DNs for trusted CAs */
484 WPA_PUT_BE16(pos, 0);
487 WPA_PUT_BE24(hs_length, pos - hs_length - 3);
489 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
490 rhdr, end - rhdr, hs_start, pos - hs_start,
492 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
493 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
494 TLS_ALERT_INTERNAL_ERROR);
499 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
507 static int tls_write_server_hello_done(struct tlsv1_server *conn,
508 u8 **msgpos, u8 *end)
514 wpa_printf(MSG_DEBUG, "TLSv1: Send ServerHelloDone");
516 /* opaque fragment[TLSPlaintext.length] */
520 /* HandshakeType msg_type */
521 *pos++ = TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE;
523 WPA_PUT_BE24(pos, 0);
525 /* body - ServerHelloDone (empty) */
527 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
528 *msgpos, end - *msgpos, payload, pos - payload,
530 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record");
531 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
532 TLS_ALERT_INTERNAL_ERROR);
536 tls_verify_hash_add(&conn->verify, payload, pos - payload);
544 static int tls_write_server_change_cipher_spec(struct tlsv1_server *conn,
545 u8 **msgpos, u8 *end)
550 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec");
552 payload[0] = TLS_CHANGE_CIPHER_SPEC;
554 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC,
555 *msgpos, end - *msgpos, payload, sizeof(payload),
557 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
558 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
559 TLS_ALERT_INTERNAL_ERROR);
563 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) {
564 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for "
566 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
567 TLS_ALERT_INTERNAL_ERROR);
577 static int tls_write_server_finished(struct tlsv1_server *conn,
578 u8 **msgpos, u8 *end)
582 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN];
583 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
587 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished");
589 /* Encrypted Handshake Message: Finished */
592 if (conn->rl.tls_version >= TLS_VERSION_1_2) {
593 hlen = SHA256_MAC_LEN;
594 if (conn->verify.sha256_server == NULL ||
595 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
597 conn->verify.sha256_server = NULL;
598 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
599 TLS_ALERT_INTERNAL_ERROR);
602 conn->verify.sha256_server = NULL;
604 #endif /* CONFIG_TLSV12 */
607 if (conn->verify.md5_server == NULL ||
608 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
609 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
610 TLS_ALERT_INTERNAL_ERROR);
611 conn->verify.md5_server = NULL;
612 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
613 conn->verify.sha1_server = NULL;
616 conn->verify.md5_server = NULL;
618 if (conn->verify.sha1_server == NULL ||
619 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
621 conn->verify.sha1_server = NULL;
622 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
623 TLS_ALERT_INTERNAL_ERROR);
626 conn->verify.sha1_server = NULL;
627 hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
631 #endif /* CONFIG_TLSV12 */
633 if (tls_prf(conn->rl.tls_version,
634 conn->master_secret, TLS_MASTER_SECRET_LEN,
635 "server finished", hash, hlen,
636 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
637 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
638 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
639 TLS_ALERT_INTERNAL_ERROR);
642 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
643 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN);
646 pos = hs_start = verify_data;
647 /* HandshakeType msg_type */
648 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED;
650 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN);
652 pos += TLS_VERIFY_DATA_LEN;
653 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start);
655 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE,
656 *msgpos, end - *msgpos, hs_start, pos - hs_start,
658 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record");
659 tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
660 TLS_ALERT_INTERNAL_ERROR);
670 static u8 * tls_send_server_hello(struct tlsv1_server *conn, size_t *out_len)
677 msglen = 1000 + tls_server_cert_chain_der_len(conn);
679 msg = os_malloc(msglen);
686 if (tls_write_server_hello(conn, &pos, end) < 0) {
691 if (conn->use_session_ticket) {
692 /* Abbreviated handshake using session ticket; RFC 4507 */
693 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
694 tls_write_server_finished(conn, &pos, end) < 0) {
699 *out_len = pos - msg;
701 conn->state = CHANGE_CIPHER_SPEC;
707 if (tls_write_server_certificate(conn, &pos, end) < 0 ||
708 tls_write_server_key_exchange(conn, &pos, end) < 0 ||
709 tls_write_server_certificate_request(conn, &pos, end) < 0 ||
710 tls_write_server_hello_done(conn, &pos, end) < 0) {
715 *out_len = pos - msg;
717 conn->state = CLIENT_CERTIFICATE;
723 static u8 * tls_send_change_cipher_spec(struct tlsv1_server *conn,
730 msg = os_malloc(1000);
737 if (tls_write_server_change_cipher_spec(conn, &pos, end) < 0 ||
738 tls_write_server_finished(conn, &pos, end) < 0) {
743 *out_len = pos - msg;
745 wpa_printf(MSG_DEBUG, "TLSv1: Handshake completed successfully");
746 conn->state = ESTABLISHED;
752 u8 * tlsv1_server_handshake_write(struct tlsv1_server *conn, size_t *out_len)
754 switch (conn->state) {
756 return tls_send_server_hello(conn, out_len);
757 case SERVER_CHANGE_CIPHER_SPEC:
758 return tls_send_change_cipher_spec(conn, out_len);
760 if (conn->state == ESTABLISHED && conn->use_session_ticket) {
761 /* Abbreviated handshake was already completed. */
764 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d while "
765 "generating reply", conn->state);
771 u8 * tlsv1_server_send_alert(struct tlsv1_server *conn, u8 level,
772 u8 description, size_t *out_len)
774 u8 *alert, *pos, *length;
776 wpa_printf(MSG_DEBUG, "TLSv1: Send Alert(%d:%d)", level, description);
779 alert = os_malloc(10);
786 /* ContentType type */
787 *pos++ = TLS_CONTENT_TYPE_ALERT;
788 /* ProtocolVersion version */
789 WPA_PUT_BE16(pos, conn->rl.tls_version ? conn->rl.tls_version :
792 /* uint16 length (to be filled) */
795 /* opaque fragment[TLSPlaintext.length] */
798 /* AlertLevel level */
800 /* AlertDescription description */
801 *pos++ = description;
803 WPA_PUT_BE16(length, pos - length - 2);
804 *out_len = pos - alert;