1 /* 2 * TLSv1 common routines 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "x509v3.h" 16 #include "tlsv1_common.h" 17 18 19 /* 20 * TODO: 21 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 22 * Add support for commonly used cipher suites; don't bother with exportable 23 * suites. 24 */ 25 26 static const struct tls_cipher_suite tls_cipher_suites[] = { 27 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL, 28 TLS_HASH_NULL }, 29 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 30 TLS_HASH_MD5 }, 31 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 32 TLS_HASH_SHA }, 33 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC, 34 TLS_HASH_SHA }, 35 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA, 36 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 37 { TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC, 38 TLS_HASH_SHA}, 39 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA, 40 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 41 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon, 42 TLS_CIPHER_RC4_128, TLS_HASH_MD5 }, 43 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon, 44 TLS_CIPHER_DES_CBC, TLS_HASH_SHA }, 45 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon, 46 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 47 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC, 48 TLS_HASH_SHA }, 49 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA, 50 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 51 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon, 52 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 53 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC, 54 TLS_HASH_SHA }, 55 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA, 56 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 57 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon, 58 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 59 { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA, 60 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 61 { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA, 62 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 63 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA, 64 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 65 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA, 66 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 67 { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon, 68 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 69 { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon, 70 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 } 71 }; 72 73 #define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites) 74 75 76 static const struct tls_cipher_data tls_ciphers[] = { 77 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0, 78 CRYPTO_CIPHER_NULL }, 79 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8, 80 CRYPTO_CIPHER_NULL }, 81 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0, 82 CRYPTO_CIPHER_ALG_RC2 }, 83 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0, 84 CRYPTO_CIPHER_ALG_RC4 }, 85 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0, 86 CRYPTO_CIPHER_ALG_RC4 }, 87 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8, 88 CRYPTO_CIPHER_ALG_DES }, 89 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8, 90 CRYPTO_CIPHER_ALG_DES }, 91 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8, 92 CRYPTO_CIPHER_ALG_3DES }, 93 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16, 94 CRYPTO_CIPHER_ALG_AES }, 95 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16, 96 CRYPTO_CIPHER_ALG_AES } 97 }; 98 99 #define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers) 100 101 102 /** 103 * tls_get_cipher_suite - Get TLS cipher suite 104 * @suite: Cipher suite identifier 105 * Returns: Pointer to the cipher data or %NULL if not found 106 */ 107 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite) 108 { 109 size_t i; 110 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++) 111 if (tls_cipher_suites[i].suite == suite) 112 return &tls_cipher_suites[i]; 113 return NULL; 114 } 115 116 117 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher) 118 { 119 size_t i; 120 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++) 121 if (tls_ciphers[i].cipher == cipher) 122 return &tls_ciphers[i]; 123 return NULL; 124 } 125 126 127 int tls_server_key_exchange_allowed(tls_cipher cipher) 128 { 129 const struct tls_cipher_suite *suite; 130 131 /* RFC 2246, Section 7.4.3 */ 132 suite = tls_get_cipher_suite(cipher); 133 if (suite == NULL) 134 return 0; 135 136 switch (suite->key_exchange) { 137 case TLS_KEY_X_DHE_DSS: 138 case TLS_KEY_X_DHE_DSS_EXPORT: 139 case TLS_KEY_X_DHE_RSA: 140 case TLS_KEY_X_DHE_RSA_EXPORT: 141 case TLS_KEY_X_DH_anon_EXPORT: 142 case TLS_KEY_X_DH_anon: 143 return 1; 144 case TLS_KEY_X_RSA_EXPORT: 145 return 1 /* FIX: public key len > 512 bits */; 146 default: 147 return 0; 148 } 149 } 150 151 152 /** 153 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key 154 * @buf: ASN.1 DER encoded certificate 155 * @len: Length of the buffer 156 * @pk: Buffer for returning the allocated public key 157 * Returns: 0 on success, -1 on failure 158 * 159 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves 160 * the public key from it. The caller is responsible for freeing the public key 161 * by calling crypto_public_key_free(). 162 */ 163 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk) 164 { 165 struct x509_certificate *cert; 166 167 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate", 168 buf, len); 169 170 *pk = crypto_public_key_from_cert(buf, len); 171 if (*pk) 172 return 0; 173 174 cert = x509_certificate_parse(buf, len); 175 if (cert == NULL) { 176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 " 177 "certificate"); 178 return -1; 179 } 180 181 /* TODO 182 * verify key usage (must allow encryption) 183 * 184 * All certificate profiles, key and cryptographic formats are 185 * defined by the IETF PKIX working group [PKIX]. When a key 186 * usage extension is present, the digitalSignature bit must be 187 * set for the key to be eligible for signing, as described 188 * above, and the keyEncipherment bit must be present to allow 189 * encryption, as described above. The keyAgreement bit must be 190 * set on Diffie-Hellman certificates. (PKIX: RFC 3280) 191 */ 192 193 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len); 194 x509_certificate_free(cert); 195 196 if (*pk == NULL) { 197 wpa_printf(MSG_ERROR, "TLSv1: Failed to import " 198 "server public key"); 199 return -1; 200 } 201 202 return 0; 203 } 204 205 206 int tls_verify_hash_init(struct tls_verify_hash *verify) 207 { 208 tls_verify_hash_free(verify); 209 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 210 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 211 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 212 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 213 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 214 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 215 if (verify->md5_client == NULL || verify->md5_server == NULL || 216 verify->md5_cert == NULL || verify->sha1_client == NULL || 217 verify->sha1_server == NULL || verify->sha1_cert == NULL) { 218 tls_verify_hash_free(verify); 219 return -1; 220 } 221 #ifdef CONFIG_TLSV12 222 verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 223 0); 224 verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 225 0); 226 verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 227 0); 228 if (verify->sha256_client == NULL || verify->sha256_server == NULL || 229 verify->sha256_cert == NULL) { 230 tls_verify_hash_free(verify); 231 return -1; 232 } 233 #endif /* CONFIG_TLSV12 */ 234 return 0; 235 } 236 237 238 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf, 239 size_t len) 240 { 241 if (verify->md5_client && verify->sha1_client) { 242 crypto_hash_update(verify->md5_client, buf, len); 243 crypto_hash_update(verify->sha1_client, buf, len); 244 } 245 if (verify->md5_server && verify->sha1_server) { 246 crypto_hash_update(verify->md5_server, buf, len); 247 crypto_hash_update(verify->sha1_server, buf, len); 248 } 249 if (verify->md5_cert && verify->sha1_cert) { 250 crypto_hash_update(verify->md5_cert, buf, len); 251 crypto_hash_update(verify->sha1_cert, buf, len); 252 } 253 #ifdef CONFIG_TLSV12 254 if (verify->sha256_client) 255 crypto_hash_update(verify->sha256_client, buf, len); 256 if (verify->sha256_server) 257 crypto_hash_update(verify->sha256_server, buf, len); 258 if (verify->sha256_cert) 259 crypto_hash_update(verify->sha256_cert, buf, len); 260 #endif /* CONFIG_TLSV12 */ 261 } 262 263 264 void tls_verify_hash_free(struct tls_verify_hash *verify) 265 { 266 crypto_hash_finish(verify->md5_client, NULL, NULL); 267 crypto_hash_finish(verify->md5_server, NULL, NULL); 268 crypto_hash_finish(verify->md5_cert, NULL, NULL); 269 crypto_hash_finish(verify->sha1_client, NULL, NULL); 270 crypto_hash_finish(verify->sha1_server, NULL, NULL); 271 crypto_hash_finish(verify->sha1_cert, NULL, NULL); 272 verify->md5_client = NULL; 273 verify->md5_server = NULL; 274 verify->md5_cert = NULL; 275 verify->sha1_client = NULL; 276 verify->sha1_server = NULL; 277 verify->sha1_cert = NULL; 278 #ifdef CONFIG_TLSV12 279 crypto_hash_finish(verify->sha256_client, NULL, NULL); 280 crypto_hash_finish(verify->sha256_server, NULL, NULL); 281 crypto_hash_finish(verify->sha256_cert, NULL, NULL); 282 verify->sha256_client = NULL; 283 verify->sha256_server = NULL; 284 verify->sha256_cert = NULL; 285 #endif /* CONFIG_TLSV12 */ 286 } 287 288 289 int tls_version_ok(u16 ver) 290 { 291 if (ver == TLS_VERSION_1) 292 return 1; 293 #ifdef CONFIG_TLSV11 294 if (ver == TLS_VERSION_1_1) 295 return 1; 296 #endif /* CONFIG_TLSV11 */ 297 #ifdef CONFIG_TLSV12 298 if (ver == TLS_VERSION_1_2) 299 return 1; 300 #endif /* CONFIG_TLSV12 */ 301 302 return 0; 303 } 304 305 306 const char * tls_version_str(u16 ver) 307 { 308 switch (ver) { 309 case TLS_VERSION_1: 310 return "1.0"; 311 case TLS_VERSION_1_1: 312 return "1.1"; 313 case TLS_VERSION_1_2: 314 return "1.2"; 315 } 316 317 return "?"; 318 } 319 320 321 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label, 322 const u8 *seed, size_t seed_len, u8 *out, size_t outlen) 323 { 324 #ifdef CONFIG_TLSV12 325 if (ver >= TLS_VERSION_1_2) { 326 tls_prf_sha256(secret, secret_len, label, seed, seed_len, 327 out, outlen); 328 return 0; 329 } 330 #endif /* CONFIG_TLSV12 */ 331 332 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out, 333 outlen); 334 } 335 336 337 #ifdef CONFIG_TLSV12 338 int tlsv12_key_x_server_params_hash(u16 tls_version, 339 const u8 *client_random, 340 const u8 *server_random, 341 const u8 *server_params, 342 size_t server_params_len, u8 *hash) 343 { 344 size_t hlen; 345 struct crypto_hash *ctx; 346 347 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 0); 348 if (ctx == NULL) 349 return -1; 350 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 351 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 352 crypto_hash_update(ctx, server_params, server_params_len); 353 hlen = SHA256_MAC_LEN; 354 if (crypto_hash_finish(ctx, hash, &hlen) < 0) 355 return -1; 356 357 return hlen; 358 } 359 #endif /* CONFIG_TLSV12 */ 360 361 362 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random, 363 const u8 *server_random, 364 const u8 *server_params, 365 size_t server_params_len, u8 *hash) 366 { 367 u8 *hpos; 368 size_t hlen; 369 struct crypto_hash *ctx; 370 371 hpos = hash; 372 373 ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 374 if (ctx == NULL) 375 return -1; 376 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 377 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 378 crypto_hash_update(ctx, server_params, server_params_len); 379 hlen = MD5_MAC_LEN; 380 if (crypto_hash_finish(ctx, hash, &hlen) < 0) 381 return -1; 382 hpos += hlen; 383 384 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 385 if (ctx == NULL) 386 return -1; 387 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 388 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 389 crypto_hash_update(ctx, server_params, server_params_len); 390 hlen = hash + sizeof(hash) - hpos; 391 if (crypto_hash_finish(ctx, hpos, &hlen) < 0) 392 return -1; 393 hpos += hlen; 394 return hpos - hash; 395 } 396 397 398 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk, 399 const u8 *data, size_t data_len, 400 const u8 *pos, size_t len, u8 *alert) 401 { 402 u8 *buf; 403 const u8 *end = pos + len; 404 const u8 *decrypted; 405 u16 slen; 406 size_t buflen; 407 408 if (end - pos < 2) { 409 *alert = TLS_ALERT_DECODE_ERROR; 410 return -1; 411 } 412 slen = WPA_GET_BE16(pos); 413 pos += 2; 414 if (end - pos < slen) { 415 *alert = TLS_ALERT_DECODE_ERROR; 416 return -1; 417 } 418 if (end - pos > slen) { 419 wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature", 420 pos + slen, end - pos - slen); 421 end = pos + slen; 422 } 423 424 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 425 if (pk == NULL) { 426 wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature"); 427 *alert = TLS_ALERT_INTERNAL_ERROR; 428 return -1; 429 } 430 431 buflen = end - pos; 432 buf = os_malloc(end - pos); 433 if (buf == NULL) { 434 *alert = TLS_ALERT_INTERNAL_ERROR; 435 return -1; 436 } 437 if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) < 438 0) { 439 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 440 os_free(buf); 441 *alert = TLS_ALERT_DECRYPT_ERROR; 442 return -1; 443 } 444 decrypted = buf; 445 446 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 447 decrypted, buflen); 448 449 #ifdef CONFIG_TLSV12 450 if (tls_version >= TLS_VERSION_1_2) { 451 /* 452 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 453 * 454 * DigestInfo ::= SEQUENCE { 455 * digestAlgorithm DigestAlgorithm, 456 * digest OCTET STRING 457 * } 458 * 459 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 460 * 461 * DER encoded DigestInfo for SHA256 per RFC 3447: 462 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 463 * H 464 */ 465 if (buflen >= 19 + 32 && 466 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01" 467 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0) 468 { 469 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-256"); 470 decrypted = buf + 19; 471 buflen -= 19; 472 } else { 473 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo"); 474 os_free(buf); 475 *alert = TLS_ALERT_DECRYPT_ERROR; 476 return -1; 477 } 478 } 479 #endif /* CONFIG_TLSV12 */ 480 481 if (buflen != data_len || 482 os_memcmp_const(decrypted, data, data_len) != 0) { 483 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash"); 484 os_free(buf); 485 *alert = TLS_ALERT_DECRYPT_ERROR; 486 return -1; 487 } 488 489 os_free(buf); 490 491 return 0; 492 } 493