1 /*
2 * TLSv1 common routines
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "tls/tls.h"
16 #include "tls/x509v3.h"
17 #include "tls/tlsv1_common.h"
18 #include "eap_peer/eap_i.h"
19
20
21 /*
22 * TODO:
23 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
24 * Add support for commonly used cipher suites; don't bother with exportable
25 * suites.
26 */
27
28 static const struct tls_cipher_suite tls_cipher_suites[] = {
29 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
30 TLS_HASH_NULL },
31 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
32 TLS_HASH_MD5 },
33 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
34 TLS_HASH_SHA },
35 #ifdef CONFIG_DES
36 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
37 TLS_HASH_SHA },
38 #endif
39 #ifdef CONFIG_DES3
40 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
41 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
42 #endif
43 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
44 TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
45 #ifdef CONFIG_DES
46 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
47 TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
48 #endif
49 #ifdef CONFIG_DES3
50 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
51 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
52 #endif
53 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
54 TLS_HASH_SHA },
55 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
56 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
57 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
58 TLS_HASH_SHA },
59 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
60 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
61 { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
62 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
63 { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
64 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
65 { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
66 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
67 { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
68 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
69 };
70
71 #define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
72 #define NUM_TLS_CIPHER_SUITES NUM_ELEMS(tls_cipher_suites)
73
74
75 static const struct tls_cipher_data tls_ciphers[] = {
76 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0,
77 CRYPTO_CIPHER_NULL },
78 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8,
79 CRYPTO_CIPHER_NULL },
80 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0,
81 CRYPTO_CIPHER_ALG_RC2 },
82 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0,
83 CRYPTO_CIPHER_ALG_RC4 },
84 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0,
85 CRYPTO_CIPHER_ALG_RC4 },
86 #ifdef CONFIG_DES
87 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8,
88 CRYPTO_CIPHER_ALG_DES },
89 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8,
90 CRYPTO_CIPHER_ALG_DES },
91 #endif
92 #ifdef CONFIG_DES3
93 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8,
94 CRYPTO_CIPHER_ALG_3DES },
95 #endif
96 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16,
97 CRYPTO_CIPHER_ALG_AES },
98 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16,
99 CRYPTO_CIPHER_ALG_AES }
100 };
101
102 #define NUM_TLS_CIPHER_DATA NUM_ELEMS(tls_ciphers)
103
104
105 /**
106 * tls_get_cipher_suite - Get TLS cipher suite
107 * @suite: Cipher suite identifier
108 * Returns: Pointer to the cipher data or %NULL if not found
109 */
tls_get_cipher_suite(u16 suite)110 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
111 {
112 size_t i;
113 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
114 if (tls_cipher_suites[i].suite == suite)
115 return &tls_cipher_suites[i];
116 return NULL;
117 }
118
119
tls_get_cipher_data(tls_cipher cipher)120 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
121 {
122 size_t i;
123 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
124 if (tls_ciphers[i].cipher == cipher)
125 return &tls_ciphers[i];
126 return NULL;
127 }
128
129
tls_server_key_exchange_allowed(tls_cipher cipher)130 int tls_server_key_exchange_allowed(tls_cipher cipher)
131 {
132 const struct tls_cipher_suite *suite;
133
134 /* RFC 2246, Section 7.4.3 */
135 suite = tls_get_cipher_suite(cipher);
136 if (suite == NULL)
137 return 0;
138
139 switch (suite->key_exchange) {
140 case TLS_KEY_X_DHE_DSS:
141 case TLS_KEY_X_DHE_DSS_EXPORT:
142 case TLS_KEY_X_DHE_RSA:
143 case TLS_KEY_X_DHE_RSA_EXPORT:
144 case TLS_KEY_X_DH_anon_EXPORT:
145 case TLS_KEY_X_DH_anon:
146 return 1;
147 case TLS_KEY_X_RSA_EXPORT:
148 return 1 /* FIX: public key len > 512 bits */;
149 default:
150 return 0;
151 }
152 }
153
154
155 /**
156 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
157 * @buf: ASN.1 DER encoded certificate
158 * @len: Length of the buffer
159 * @pk: Buffer for returning the allocated public key
160 * Returns: 0 on success, -1 on failure
161 *
162 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
163 * the public key from it. The caller is responsible for freeing the public key
164 * by calling crypto_public_key_free().
165 */
tls_parse_cert(const u8 * buf,size_t len,struct crypto_public_key ** pk)166 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
167 {
168 struct x509_certificate *cert;
169
170 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
171 buf, len);
172
173 *pk = crypto_public_key_from_cert(buf, len);
174 if (*pk)
175 return 0;
176
177 cert = x509_certificate_parse(buf, len);
178 if (cert == NULL) {
179 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
180 "certificate");
181 return -1;
182 }
183
184 /* TODO
185 * verify key usage (must allow encryption)
186 *
187 * All certificate profiles, key and cryptographic formats are
188 * defined by the IETF PKIX working group [PKIX]. When a key
189 * usage extension is present, the digitalSignature bit must be
190 * set for the key to be eligible for signing, as described
191 * above, and the keyEncipherment bit must be present to allow
192 * encryption, as described above. The keyAgreement bit must be
193 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
194 */
195
196 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
197 x509_certificate_free(cert);
198
199 if (*pk == NULL) {
200 wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
201 "server public key");
202 return -1;
203 }
204
205 return 0;
206 }
207
208
tls_verify_hash_init(struct tls_verify_hash * verify)209 int tls_verify_hash_init(struct tls_verify_hash *verify)
210 {
211 tls_verify_hash_free(verify);
212 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
213 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
214 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
215 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
216 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
217 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
218 if (verify->md5_client == NULL || verify->md5_server == NULL ||
219 verify->md5_cert == NULL || verify->sha1_client == NULL ||
220 verify->sha1_server == NULL || verify->sha1_cert == NULL) {
221 tls_verify_hash_free(verify);
222 return -1;
223 }
224 #ifdef CONFIG_TLSV12
225 verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 0);
226 verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 0);
227 verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 0);
228
229 if (verify->sha256_client == NULL ||
230 verify->sha256_server == NULL ||
231 verify->sha256_cert == NULL) {
232 tls_verify_hash_free(verify);
233 return -1;
234 }
235 #endif /* CONFIG_TLSV12 */
236 return 0;
237 }
238
239
tls_verify_hash_add(struct tls_verify_hash * verify,const u8 * buf,size_t len)240 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
241 size_t len)
242 {
243 if (verify->md5_client && verify->sha1_client) {
244 crypto_hash_update(verify->md5_client, buf, len);
245 crypto_hash_update(verify->sha1_client, buf, len);
246 }
247 if (verify->md5_server && verify->sha1_server) {
248 crypto_hash_update(verify->md5_server, buf, len);
249 crypto_hash_update(verify->sha1_server, buf, len);
250 }
251 if (verify->md5_cert && verify->sha1_cert) {
252 crypto_hash_update(verify->md5_cert, buf, len);
253 crypto_hash_update(verify->sha1_cert, buf, len);
254 }
255 #ifdef CONFIG_TLSV12
256 if (verify->sha256_client)
257 crypto_hash_update(verify->sha256_client, buf, len);
258 if (verify->sha256_server)
259 crypto_hash_update(verify->sha256_server, buf, len);
260 if (verify->sha256_cert)
261 crypto_hash_update(verify->sha256_cert, buf, len);
262 #endif /* CONFIG_TLSV12 */
263 }
264
265
tls_verify_hash_free(struct tls_verify_hash * verify)266 void tls_verify_hash_free(struct tls_verify_hash *verify)
267 {
268 crypto_hash_finish(verify->md5_client, NULL, NULL);
269 crypto_hash_finish(verify->md5_server, NULL, NULL);
270 crypto_hash_finish(verify->md5_cert, NULL, NULL);
271 crypto_hash_finish(verify->sha1_client, NULL, NULL);
272 crypto_hash_finish(verify->sha1_server, NULL, NULL);
273 crypto_hash_finish(verify->sha1_cert, NULL, NULL);
274 verify->md5_client = NULL;
275 verify->md5_server = NULL;
276 verify->md5_cert = NULL;
277 verify->sha1_client = NULL;
278 verify->sha1_server = NULL;
279 verify->sha1_cert = NULL;
280 #ifdef CONFIG_TLSV12
281 crypto_hash_finish(verify->sha256_client, NULL, NULL);
282 crypto_hash_finish(verify->sha256_server, NULL, NULL);
283 crypto_hash_finish(verify->sha256_cert, NULL, NULL);
284 verify->sha256_client = NULL;
285 verify->sha256_server = NULL;
286 verify->sha256_cert = NULL;
287 #endif /* CONFIG_TLSV12 */
288 }
289
290
tls_version_ok(u16 ver)291 int tls_version_ok(u16 ver)
292 {
293 if (ver == TLS_VERSION_1)
294 return 1;
295 #ifdef CONFIG_TLSV11
296 if (ver == TLS_VERSION_1_1)
297 return 1;
298 #endif /* CONFIG_TLSV11 */
299 #ifdef CONFIG_TLSV12
300 if (ver == TLS_VERSION_1_2)
301 return 1;
302 #endif /* CONFIG_TLSV12 */
303
304 return 0;
305 }
306
307
tls_version_str(u16 ver)308 const char * tls_version_str(u16 ver)
309 {
310 switch (ver) {
311 case TLS_VERSION_1:
312 return "1.0";
313 case TLS_VERSION_1_1:
314 return "1.1";
315 case TLS_VERSION_1_2:
316 return "1.2";
317 }
318
319 return "?";
320 }
321
322
tls_prf(u16 ver,const u8 * secret,size_t secret_len,const char * label,const u8 * seed,size_t seed_len,u8 * out,size_t outlen)323 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
324 const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
325 {
326 #ifdef CONFIG_TLSV12
327 if (ver >= TLS_VERSION_1_2) {
328 tls_prf_sha256(secret, secret_len, label, seed, seed_len,
329 out, outlen);
330 return 0;
331 }
332 #endif /* CONFIG_TLSV12 */
333
334 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
335 outlen);
336 }
337
338
339 #ifdef CONFIG_TLSV12
tlsv12_key_x_server_params_hash(u16 tls_version,u8 hash_alg,const u8 * client_random,const u8 * server_random,const u8 * server_params,size_t server_params_len,u8 * hash)340 int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
341 const u8 *client_random,
342 const u8 *server_random,
343 const u8 *server_params,
344 size_t server_params_len, u8 *hash)
345 {
346 size_t hlen;
347 struct crypto_hash *ctx;
348 enum crypto_hash_alg alg;
349
350 switch (hash_alg) {
351 case TLS_HASH_ALG_SHA256:
352 alg = CRYPTO_HASH_ALG_SHA256;
353 hlen = SHA256_MAC_LEN;
354 break;
355 default:
356 return -1;
357 }
358 ctx = crypto_hash_init(alg, NULL, 0);
359 if (ctx == NULL)
360 return -1;
361 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
362 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
363 crypto_hash_update(ctx, server_params, server_params_len);
364 if (crypto_hash_finish(ctx, hash, &hlen) < 0)
365 return -1;
366
367 return hlen;
368 }
369 #endif /* CONFIG_TLSV12 */
370
371
tls_key_x_server_params_hash(u16 tls_version,const u8 * client_random,const u8 * server_random,const u8 * server_params,size_t server_params_len,u8 * hash)372 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
373 const u8 *server_random,
374 const u8 *server_params,
375 size_t server_params_len, u8 *hash)
376 {
377 u8 *hpos;
378 size_t hlen;
379 struct crypto_hash *ctx;
380
381 hpos = hash;
382
383 ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
384 if (ctx == NULL)
385 return -1;
386 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
387 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
388 crypto_hash_update(ctx, server_params, server_params_len);
389 hlen = MD5_MAC_LEN;
390 if (crypto_hash_finish(ctx, hash, &hlen) < 0)
391 return -1;
392 hpos += hlen;
393
394 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
395 if (ctx == NULL)
396 return -1;
397 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
398 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
399 crypto_hash_update(ctx, server_params, server_params_len);
400 hlen = hash + sizeof(hash) - hpos;
401 if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
402 return -1;
403 hpos += hlen;
404 return hpos - hash;
405 }
406
407
tls_verify_signature(u16 tls_version,struct crypto_public_key * pk,const u8 * data,size_t data_len,const u8 * pos,size_t len,u8 * alert)408 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
409 const u8 *data, size_t data_len,
410 const u8 *pos, size_t len, u8 *alert)
411 {
412 u8 *buf;
413 const u8 *end = pos + len;
414 const u8 *decrypted;
415 u16 slen;
416 size_t buflen;
417
418 if (end - pos < 2) {
419 *alert = TLS_ALERT_DECODE_ERROR;
420 return -1;
421 }
422 slen = WPA_GET_BE16(pos);
423 pos += 2;
424 if (end - pos < slen) {
425 *alert = TLS_ALERT_DECODE_ERROR;
426 return -1;
427 }
428 if (end - pos > slen) {
429 wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
430 pos + slen, end - pos - slen);
431 end = pos + slen;
432 }
433
434 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
435 if (pk == NULL) {
436 wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
437 *alert = TLS_ALERT_INTERNAL_ERROR;
438 return -1;
439 }
440
441 buflen = end - pos;
442 buf = os_malloc(end - pos);
443 if (buf == NULL) {
444 *alert = TLS_ALERT_INTERNAL_ERROR;
445 return -1;
446 }
447 if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
448 0) {
449 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
450 os_free(buf);
451 *alert = TLS_ALERT_DECRYPT_ERROR;
452 return -1;
453 }
454 decrypted = buf;
455
456 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
457 decrypted, buflen);
458
459 #ifdef CONFIG_TLSV12
460 if (tls_version >= TLS_VERSION_1_2) {
461 /*
462 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
463 *
464 * DigestInfo ::= SEQUENCE {
465 * digestAlgorithm DigestAlgorithm,
466 * digest OCTET STRING
467 * }
468 *
469 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
470 *
471 * DER encoded DigestInfo for SHA256 per RFC 3447:
472 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
473 * H
474 */
475 if (buflen >= 19 + 32 &&
476 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
477 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
478 {
479 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256");
480 decrypted = buf + 19;
481 buflen -= 19;
482 } else if (buflen >= 19 + 48 &&
483 os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
484 "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
485 {
486 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384");
487 decrypted = buf + 19;
488 buflen -= 19;
489 } else if (buflen >= 19 + 64 &&
490 os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
491 "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
492 {
493 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512");
494 decrypted = buf + 19;
495 buflen -= 19;
496
497 } else {
498 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
499 os_free(buf);
500 *alert = TLS_ALERT_DECRYPT_ERROR;
501 return -1;
502 }
503 }
504 #endif /* CONFIG_TLSV12 */
505
506 if (buflen != data_len ||
507 os_memcmp_const(decrypted, data, data_len) != 0) {
508 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
509 os_free(buf);
510 *alert = TLS_ALERT_DECRYPT_ERROR;
511 return -1;
512 }
513
514 os_free(buf);
515
516 return 0;
517 }
518
