1 /* 2 * TLSv1 common routines 3 * Copyright (c) 2006-2014, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "x509v3.h" 16 #include "tlsv1_common.h" 17 18 19 /* 20 * TODO: 21 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 22 * Add support for commonly used cipher suites; don't bother with exportable 23 * suites. 24 */ 25 26 static const struct tls_cipher_suite tls_cipher_suites[] = { 27 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL, 28 TLS_HASH_NULL }, 29 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 30 TLS_HASH_MD5 }, 31 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 32 TLS_HASH_SHA }, 33 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC, 34 TLS_HASH_SHA }, 35 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA, 36 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 37 { TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC, 38 TLS_HASH_SHA}, 39 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA, 40 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 41 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon, 42 TLS_CIPHER_RC4_128, TLS_HASH_MD5 }, 43 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon, 44 TLS_CIPHER_DES_CBC, TLS_HASH_SHA }, 45 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon, 46 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 47 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC, 48 TLS_HASH_SHA }, 49 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA, 50 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 51 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon, 52 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 53 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC, 54 TLS_HASH_SHA }, 55 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA, 56 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 57 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon, 58 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 59 { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA, 60 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 61 { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA, 62 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 63 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA, 64 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 65 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA, 66 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 67 { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon, 68 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 69 { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon, 70 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 } 71 }; 72 73 #define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites) 74 75 76 static const struct tls_cipher_data tls_ciphers[] = { 77 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0, 78 CRYPTO_CIPHER_NULL }, 79 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8, 80 CRYPTO_CIPHER_NULL }, 81 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0, 82 CRYPTO_CIPHER_ALG_RC2 }, 83 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0, 84 CRYPTO_CIPHER_ALG_RC4 }, 85 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0, 86 CRYPTO_CIPHER_ALG_RC4 }, 87 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8, 88 CRYPTO_CIPHER_ALG_DES }, 89 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8, 90 CRYPTO_CIPHER_ALG_DES }, 91 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8, 92 CRYPTO_CIPHER_ALG_3DES }, 93 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16, 94 CRYPTO_CIPHER_ALG_AES }, 95 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16, 96 CRYPTO_CIPHER_ALG_AES } 97 }; 98 99 #define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers) 100 101 102 /** 103 * tls_get_cipher_suite - Get TLS cipher suite 104 * @suite: Cipher suite identifier 105 * Returns: Pointer to the cipher data or %NULL if not found 106 */ 107 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite) 108 { 109 size_t i; 110 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++) 111 if (tls_cipher_suites[i].suite == suite) 112 return &tls_cipher_suites[i]; 113 return NULL; 114 } 115 116 117 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher) 118 { 119 size_t i; 120 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++) 121 if (tls_ciphers[i].cipher == cipher) 122 return &tls_ciphers[i]; 123 return NULL; 124 } 125 126 127 int tls_server_key_exchange_allowed(tls_cipher cipher) 128 { 129 const struct tls_cipher_suite *suite; 130 131 /* RFC 2246, Section 7.4.3 */ 132 suite = tls_get_cipher_suite(cipher); 133 if (suite == NULL) 134 return 0; 135 136 switch (suite->key_exchange) { 137 case TLS_KEY_X_DHE_DSS: 138 case TLS_KEY_X_DHE_DSS_EXPORT: 139 case TLS_KEY_X_DHE_RSA: 140 case TLS_KEY_X_DHE_RSA_EXPORT: 141 case TLS_KEY_X_DH_anon_EXPORT: 142 case TLS_KEY_X_DH_anon: 143 return 1; 144 case TLS_KEY_X_RSA_EXPORT: 145 return 1 /* FIX: public key len > 512 bits */; 146 default: 147 return 0; 148 } 149 } 150 151 152 /** 153 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key 154 * @buf: ASN.1 DER encoded certificate 155 * @len: Length of the buffer 156 * @pk: Buffer for returning the allocated public key 157 * Returns: 0 on success, -1 on failure 158 * 159 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves 160 * the public key from it. The caller is responsible for freeing the public key 161 * by calling crypto_public_key_free(). 162 */ 163 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk) 164 { 165 struct x509_certificate *cert; 166 167 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate", 168 buf, len); 169 170 *pk = crypto_public_key_from_cert(buf, len); 171 if (*pk) 172 return 0; 173 174 cert = x509_certificate_parse(buf, len); 175 if (cert == NULL) { 176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 " 177 "certificate"); 178 return -1; 179 } 180 181 /* TODO 182 * verify key usage (must allow encryption) 183 * 184 * All certificate profiles, key and cryptographic formats are 185 * defined by the IETF PKIX working group [PKIX]. When a key 186 * usage extension is present, the digitalSignature bit must be 187 * set for the key to be eligible for signing, as described 188 * above, and the keyEncipherment bit must be present to allow 189 * encryption, as described above. The keyAgreement bit must be 190 * set on Diffie-Hellman certificates. (PKIX: RFC 3280) 191 */ 192 193 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len); 194 x509_certificate_free(cert); 195 196 if (*pk == NULL) { 197 wpa_printf(MSG_ERROR, "TLSv1: Failed to import " 198 "server public key"); 199 return -1; 200 } 201 202 return 0; 203 } 204 205 206 int tls_verify_hash_init(struct tls_verify_hash *verify) 207 { 208 tls_verify_hash_free(verify); 209 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 210 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 211 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 212 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 213 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 214 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 215 if (verify->md5_client == NULL || verify->md5_server == NULL || 216 verify->md5_cert == NULL || verify->sha1_client == NULL || 217 verify->sha1_server == NULL || verify->sha1_cert == NULL) { 218 tls_verify_hash_free(verify); 219 return -1; 220 } 221 #ifdef CONFIG_TLSV12 222 verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 223 0); 224 verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 225 0); 226 verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 227 0); 228 if (verify->sha256_client == NULL || verify->sha256_server == NULL || 229 verify->sha256_cert == NULL) { 230 tls_verify_hash_free(verify); 231 return -1; 232 } 233 #endif /* CONFIG_TLSV12 */ 234 return 0; 235 } 236 237 238 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf, 239 size_t len) 240 { 241 if (verify->md5_client && verify->sha1_client) { 242 crypto_hash_update(verify->md5_client, buf, len); 243 crypto_hash_update(verify->sha1_client, buf, len); 244 } 245 if (verify->md5_server && verify->sha1_server) { 246 crypto_hash_update(verify->md5_server, buf, len); 247 crypto_hash_update(verify->sha1_server, buf, len); 248 } 249 if (verify->md5_cert && verify->sha1_cert) { 250 crypto_hash_update(verify->md5_cert, buf, len); 251 crypto_hash_update(verify->sha1_cert, buf, len); 252 } 253 #ifdef CONFIG_TLSV12 254 if (verify->sha256_client) 255 crypto_hash_update(verify->sha256_client, buf, len); 256 if (verify->sha256_server) 257 crypto_hash_update(verify->sha256_server, buf, len); 258 if (verify->sha256_cert) 259 crypto_hash_update(verify->sha256_cert, buf, len); 260 #endif /* CONFIG_TLSV12 */ 261 } 262 263 264 void tls_verify_hash_free(struct tls_verify_hash *verify) 265 { 266 crypto_hash_finish(verify->md5_client, NULL, NULL); 267 crypto_hash_finish(verify->md5_server, NULL, NULL); 268 crypto_hash_finish(verify->md5_cert, NULL, NULL); 269 crypto_hash_finish(verify->sha1_client, NULL, NULL); 270 crypto_hash_finish(verify->sha1_server, NULL, NULL); 271 crypto_hash_finish(verify->sha1_cert, NULL, NULL); 272 verify->md5_client = NULL; 273 verify->md5_server = NULL; 274 verify->md5_cert = NULL; 275 verify->sha1_client = NULL; 276 verify->sha1_server = NULL; 277 verify->sha1_cert = NULL; 278 #ifdef CONFIG_TLSV12 279 crypto_hash_finish(verify->sha256_client, NULL, NULL); 280 crypto_hash_finish(verify->sha256_server, NULL, NULL); 281 crypto_hash_finish(verify->sha256_cert, NULL, NULL); 282 verify->sha256_client = NULL; 283 verify->sha256_server = NULL; 284 verify->sha256_cert = NULL; 285 #endif /* CONFIG_TLSV12 */ 286 } 287 288 289 int tls_version_ok(u16 ver) 290 { 291 if (ver == TLS_VERSION_1) 292 return 1; 293 #ifdef CONFIG_TLSV11 294 if (ver == TLS_VERSION_1_1) 295 return 1; 296 #endif /* CONFIG_TLSV11 */ 297 #ifdef CONFIG_TLSV12 298 if (ver == TLS_VERSION_1_2) 299 return 1; 300 #endif /* CONFIG_TLSV12 */ 301 302 return 0; 303 } 304 305 306 const char * tls_version_str(u16 ver) 307 { 308 switch (ver) { 309 case TLS_VERSION_1: 310 return "1.0"; 311 case TLS_VERSION_1_1: 312 return "1.1"; 313 case TLS_VERSION_1_2: 314 return "1.2"; 315 } 316 317 return "?"; 318 } 319 320 321 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label, 322 const u8 *seed, size_t seed_len, u8 *out, size_t outlen) 323 { 324 #ifdef CONFIG_TLSV12 325 if (ver >= TLS_VERSION_1_2) { 326 tls_prf_sha256(secret, secret_len, label, seed, seed_len, 327 out, outlen); 328 return 0; 329 } 330 #endif /* CONFIG_TLSV12 */ 331 332 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out, 333 outlen); 334 } 335 336 337 #ifdef CONFIG_TLSV12 338 int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg, 339 const u8 *client_random, 340 const u8 *server_random, 341 const u8 *server_params, 342 size_t server_params_len, u8 *hash) 343 { 344 size_t hlen; 345 struct crypto_hash *ctx; 346 enum crypto_hash_alg alg; 347 348 switch (hash_alg) { 349 case TLS_HASH_ALG_SHA256: 350 alg = CRYPTO_HASH_ALG_SHA256; 351 hlen = SHA256_MAC_LEN; 352 break; 353 case TLS_HASH_ALG_SHA384: 354 alg = CRYPTO_HASH_ALG_SHA384; 355 hlen = 48; 356 break; 357 case TLS_HASH_ALG_SHA512: 358 alg = CRYPTO_HASH_ALG_SHA512; 359 hlen = 64; 360 break; 361 default: 362 return -1; 363 } 364 ctx = crypto_hash_init(alg, NULL, 0); 365 if (ctx == NULL) 366 return -1; 367 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 368 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 369 crypto_hash_update(ctx, server_params, server_params_len); 370 if (crypto_hash_finish(ctx, hash, &hlen) < 0) 371 return -1; 372 373 return hlen; 374 } 375 #endif /* CONFIG_TLSV12 */ 376 377 378 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random, 379 const u8 *server_random, 380 const u8 *server_params, 381 size_t server_params_len, u8 *hash) 382 { 383 u8 *hpos; 384 size_t hlen; 385 struct crypto_hash *ctx; 386 387 hpos = hash; 388 389 ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 390 if (ctx == NULL) 391 return -1; 392 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 393 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 394 crypto_hash_update(ctx, server_params, server_params_len); 395 hlen = MD5_MAC_LEN; 396 if (crypto_hash_finish(ctx, hash, &hlen) < 0) 397 return -1; 398 hpos += hlen; 399 400 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 401 if (ctx == NULL) 402 return -1; 403 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 404 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 405 crypto_hash_update(ctx, server_params, server_params_len); 406 hlen = hash + sizeof(hash) - hpos; 407 if (crypto_hash_finish(ctx, hpos, &hlen) < 0) 408 return -1; 409 hpos += hlen; 410 return hpos - hash; 411 } 412 413 414 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk, 415 const u8 *data, size_t data_len, 416 const u8 *pos, size_t len, u8 *alert) 417 { 418 u8 *buf; 419 const u8 *end = pos + len; 420 const u8 *decrypted; 421 u16 slen; 422 size_t buflen; 423 424 if (end - pos < 2) { 425 *alert = TLS_ALERT_DECODE_ERROR; 426 return -1; 427 } 428 slen = WPA_GET_BE16(pos); 429 pos += 2; 430 if (end - pos < slen) { 431 *alert = TLS_ALERT_DECODE_ERROR; 432 return -1; 433 } 434 if (end - pos > slen) { 435 wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature", 436 pos + slen, end - pos - slen); 437 end = pos + slen; 438 } 439 440 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 441 if (pk == NULL) { 442 wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature"); 443 *alert = TLS_ALERT_INTERNAL_ERROR; 444 return -1; 445 } 446 447 buflen = end - pos; 448 buf = os_malloc(end - pos); 449 if (buf == NULL) { 450 *alert = TLS_ALERT_INTERNAL_ERROR; 451 return -1; 452 } 453 if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) < 454 0) { 455 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 456 os_free(buf); 457 *alert = TLS_ALERT_DECRYPT_ERROR; 458 return -1; 459 } 460 decrypted = buf; 461 462 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 463 decrypted, buflen); 464 465 #ifdef CONFIG_TLSV12 466 if (tls_version >= TLS_VERSION_1_2) { 467 /* 468 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 469 * 470 * DigestInfo ::= SEQUENCE { 471 * digestAlgorithm DigestAlgorithm, 472 * digest OCTET STRING 473 * } 474 * 475 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 476 * 477 * DER encoded DigestInfo for SHA256 per RFC 3447: 478 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 479 * H 480 */ 481 if (buflen >= 19 + 32 && 482 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01" 483 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0) 484 { 485 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256"); 486 decrypted = buf + 19; 487 buflen -= 19; 488 } else if (buflen >= 19 + 48 && 489 os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01" 490 "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0) 491 { 492 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384"); 493 decrypted = buf + 19; 494 buflen -= 19; 495 } else if (buflen >= 19 + 64 && 496 os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01" 497 "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0) 498 { 499 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512"); 500 decrypted = buf + 19; 501 buflen -= 19; 502 503 } else { 504 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo"); 505 os_free(buf); 506 *alert = TLS_ALERT_DECRYPT_ERROR; 507 return -1; 508 } 509 } 510 #endif /* CONFIG_TLSV12 */ 511 512 if (buflen != data_len || 513 os_memcmp_const(decrypted, data, data_len) != 0) { 514 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash"); 515 os_free(buf); 516 *alert = TLS_ALERT_DECRYPT_ERROR; 517 return -1; 518 } 519 520 os_free(buf); 521 522 return 0; 523 } 524