1 /* 2 * TLSv1 common routines 3 * Copyright (c) 2006-2011, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/sha256.h" 14 #include "x509v3.h" 15 #include "tlsv1_common.h" 16 17 18 /* 19 * TODO: 20 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 21 * Add support for commonly used cipher suites; don't bother with exportable 22 * suites. 23 */ 24 25 static const struct tls_cipher_suite tls_cipher_suites[] = { 26 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL, 27 TLS_HASH_NULL }, 28 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 29 TLS_HASH_MD5 }, 30 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 31 TLS_HASH_SHA }, 32 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC, 33 TLS_HASH_SHA }, 34 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA, 35 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 36 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon, 37 TLS_CIPHER_RC4_128, TLS_HASH_MD5 }, 38 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon, 39 TLS_CIPHER_DES_CBC, TLS_HASH_SHA }, 40 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon, 41 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 42 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC, 43 TLS_HASH_SHA }, 44 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon, 45 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 46 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC, 47 TLS_HASH_SHA }, 48 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon, 49 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 50 { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA, 51 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 52 { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA, 53 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 54 { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon, 55 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 56 { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon, 57 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 } 58 }; 59 60 #define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0])) 61 #define NUM_TLS_CIPHER_SUITES NUM_ELEMS(tls_cipher_suites) 62 63 64 static const struct tls_cipher_data tls_ciphers[] = { 65 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0, 66 CRYPTO_CIPHER_NULL }, 67 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8, 68 CRYPTO_CIPHER_NULL }, 69 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0, 70 CRYPTO_CIPHER_ALG_RC2 }, 71 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0, 72 CRYPTO_CIPHER_ALG_RC4 }, 73 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0, 74 CRYPTO_CIPHER_ALG_RC4 }, 75 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8, 76 CRYPTO_CIPHER_ALG_DES }, 77 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8, 78 CRYPTO_CIPHER_ALG_DES }, 79 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8, 80 CRYPTO_CIPHER_ALG_3DES }, 81 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16, 82 CRYPTO_CIPHER_ALG_AES }, 83 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16, 84 CRYPTO_CIPHER_ALG_AES } 85 }; 86 87 #define NUM_TLS_CIPHER_DATA NUM_ELEMS(tls_ciphers) 88 89 90 /** 91 * tls_get_cipher_suite - Get TLS cipher suite 92 * @suite: Cipher suite identifier 93 * Returns: Pointer to the cipher data or %NULL if not found 94 */ 95 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite) 96 { 97 size_t i; 98 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++) 99 if (tls_cipher_suites[i].suite == suite) 100 return &tls_cipher_suites[i]; 101 return NULL; 102 } 103 104 105 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher) 106 { 107 size_t i; 108 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++) 109 if (tls_ciphers[i].cipher == cipher) 110 return &tls_ciphers[i]; 111 return NULL; 112 } 113 114 115 int tls_server_key_exchange_allowed(tls_cipher cipher) 116 { 117 const struct tls_cipher_suite *suite; 118 119 /* RFC 2246, Section 7.4.3 */ 120 suite = tls_get_cipher_suite(cipher); 121 if (suite == NULL) 122 return 0; 123 124 switch (suite->key_exchange) { 125 case TLS_KEY_X_DHE_DSS: 126 case TLS_KEY_X_DHE_DSS_EXPORT: 127 case TLS_KEY_X_DHE_RSA: 128 case TLS_KEY_X_DHE_RSA_EXPORT: 129 case TLS_KEY_X_DH_anon_EXPORT: 130 case TLS_KEY_X_DH_anon: 131 return 1; 132 case TLS_KEY_X_RSA_EXPORT: 133 return 1 /* FIX: public key len > 512 bits */; 134 default: 135 return 0; 136 } 137 } 138 139 140 /** 141 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key 142 * @buf: ASN.1 DER encoded certificate 143 * @len: Length of the buffer 144 * @pk: Buffer for returning the allocated public key 145 * Returns: 0 on success, -1 on failure 146 * 147 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves 148 * the public key from it. The caller is responsible for freeing the public key 149 * by calling crypto_public_key_free(). 150 */ 151 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk) 152 { 153 struct x509_certificate *cert; 154 155 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate", 156 buf, len); 157 158 *pk = crypto_public_key_from_cert(buf, len); 159 if (*pk) 160 return 0; 161 162 cert = x509_certificate_parse(buf, len); 163 if (cert == NULL) { 164 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 " 165 "certificate"); 166 return -1; 167 } 168 169 /* TODO 170 * verify key usage (must allow encryption) 171 * 172 * All certificate profiles, key and cryptographic formats are 173 * defined by the IETF PKIX working group [PKIX]. When a key 174 * usage extension is present, the digitalSignature bit must be 175 * set for the key to be eligible for signing, as described 176 * above, and the keyEncipherment bit must be present to allow 177 * encryption, as described above. The keyAgreement bit must be 178 * set on Diffie-Hellman certificates. (PKIX: RFC 3280) 179 */ 180 181 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len); 182 x509_certificate_free(cert); 183 184 if (*pk == NULL) { 185 wpa_printf(MSG_ERROR, "TLSv1: Failed to import " 186 "server public key"); 187 return -1; 188 } 189 190 return 0; 191 } 192 193 194 int tls_verify_hash_init(struct tls_verify_hash *verify) 195 { 196 tls_verify_hash_free(verify); 197 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 198 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 199 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 200 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 201 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 202 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 203 if (verify->md5_client == NULL || verify->md5_server == NULL || 204 verify->md5_cert == NULL || verify->sha1_client == NULL || 205 verify->sha1_server == NULL || verify->sha1_cert == NULL) { 206 tls_verify_hash_free(verify); 207 return -1; 208 } 209 #ifdef CONFIG_TLSV12 210 verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 211 0); 212 verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 213 0); 214 verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 215 0); 216 if (verify->sha256_client == NULL || verify->sha256_server == NULL || 217 verify->sha256_cert == NULL) { 218 tls_verify_hash_free(verify); 219 return -1; 220 } 221 #endif /* CONFIG_TLSV12 */ 222 return 0; 223 } 224 225 226 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf, 227 size_t len) 228 { 229 if (verify->md5_client && verify->sha1_client) { 230 crypto_hash_update(verify->md5_client, buf, len); 231 crypto_hash_update(verify->sha1_client, buf, len); 232 } 233 if (verify->md5_server && verify->sha1_server) { 234 crypto_hash_update(verify->md5_server, buf, len); 235 crypto_hash_update(verify->sha1_server, buf, len); 236 } 237 if (verify->md5_cert && verify->sha1_cert) { 238 crypto_hash_update(verify->md5_cert, buf, len); 239 crypto_hash_update(verify->sha1_cert, buf, len); 240 } 241 #ifdef CONFIG_TLSV12 242 if (verify->sha256_client) 243 crypto_hash_update(verify->sha256_client, buf, len); 244 if (verify->sha256_server) 245 crypto_hash_update(verify->sha256_server, buf, len); 246 if (verify->sha256_cert) 247 crypto_hash_update(verify->sha256_cert, buf, len); 248 #endif /* CONFIG_TLSV12 */ 249 } 250 251 252 void tls_verify_hash_free(struct tls_verify_hash *verify) 253 { 254 crypto_hash_finish(verify->md5_client, NULL, NULL); 255 crypto_hash_finish(verify->md5_server, NULL, NULL); 256 crypto_hash_finish(verify->md5_cert, NULL, NULL); 257 crypto_hash_finish(verify->sha1_client, NULL, NULL); 258 crypto_hash_finish(verify->sha1_server, NULL, NULL); 259 crypto_hash_finish(verify->sha1_cert, NULL, NULL); 260 verify->md5_client = NULL; 261 verify->md5_server = NULL; 262 verify->md5_cert = NULL; 263 verify->sha1_client = NULL; 264 verify->sha1_server = NULL; 265 verify->sha1_cert = NULL; 266 #ifdef CONFIG_TLSV12 267 crypto_hash_finish(verify->sha256_client, NULL, NULL); 268 crypto_hash_finish(verify->sha256_server, NULL, NULL); 269 crypto_hash_finish(verify->sha256_cert, NULL, NULL); 270 verify->sha256_client = NULL; 271 verify->sha256_server = NULL; 272 verify->sha256_cert = NULL; 273 #endif /* CONFIG_TLSV12 */ 274 } 275 276 277 int tls_version_ok(u16 ver) 278 { 279 if (ver == TLS_VERSION_1) 280 return 1; 281 #ifdef CONFIG_TLSV11 282 if (ver == TLS_VERSION_1_1) 283 return 1; 284 #endif /* CONFIG_TLSV11 */ 285 #ifdef CONFIG_TLSV12 286 if (ver == TLS_VERSION_1_2) 287 return 1; 288 #endif /* CONFIG_TLSV12 */ 289 290 return 0; 291 } 292 293 294 const char * tls_version_str(u16 ver) 295 { 296 switch (ver) { 297 case TLS_VERSION_1: 298 return "1.0"; 299 case TLS_VERSION_1_1: 300 return "1.1"; 301 case TLS_VERSION_1_2: 302 return "1.2"; 303 } 304 305 return "?"; 306 } 307 308 309 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label, 310 const u8 *seed, size_t seed_len, u8 *out, size_t outlen) 311 { 312 #ifdef CONFIG_TLSV12 313 if (ver >= TLS_VERSION_1_2) { 314 tls_prf_sha256(secret, secret_len, label, seed, seed_len, 315 out, outlen); 316 return 0; 317 } 318 #endif /* CONFIG_TLSV12 */ 319 320 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out, 321 outlen); 322 } 323