1/*
2 * TLSv1 common routines
3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/md5.h"
13#include "crypto/sha1.h"
14#include "crypto/sha256.h"
15#include "x509v3.h"
16#include "tlsv1_common.h"
17
18
19/*
20 * TODO:
21 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
22 * Add support for commonly used cipher suites; don't bother with exportable
23 * suites.
24 */
25
26static const struct tls_cipher_suite tls_cipher_suites[] = {
27	{ TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
28	  TLS_HASH_NULL },
29	{ TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
30	  TLS_HASH_MD5 },
31	{ TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
32	  TLS_HASH_SHA },
33	{ TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
34	  TLS_HASH_SHA },
35	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
36	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
37	{ TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC,
38	  TLS_HASH_SHA},
39	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA,
40	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
41 	{ TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
42	  TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
43 	{ TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
44	  TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
45 	{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
46	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
47	{ TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
48	  TLS_HASH_SHA },
49	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA,
50	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
51	{ TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
52	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
53	{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
54	  TLS_HASH_SHA },
55	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA,
56	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
57	{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
58	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
59	{ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
60	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
61	{ TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
62	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
63	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA,
64	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
65	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA,
66	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
67	{ TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
68	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
69	{ TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
70	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
71};
72
73#define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites)
74
75
76static const struct tls_cipher_data tls_ciphers[] = {
77	{ TLS_CIPHER_NULL,         TLS_CIPHER_STREAM,  0,  0,  0,
78	  CRYPTO_CIPHER_NULL },
79	{ TLS_CIPHER_IDEA_CBC,     TLS_CIPHER_BLOCK,  16, 16,  8,
80	  CRYPTO_CIPHER_NULL },
81	{ TLS_CIPHER_RC2_CBC_40,   TLS_CIPHER_BLOCK,   5, 16,  0,
82	  CRYPTO_CIPHER_ALG_RC2 },
83	{ TLS_CIPHER_RC4_40,       TLS_CIPHER_STREAM,  5, 16,  0,
84	  CRYPTO_CIPHER_ALG_RC4 },
85	{ TLS_CIPHER_RC4_128,      TLS_CIPHER_STREAM, 16, 16,  0,
86	  CRYPTO_CIPHER_ALG_RC4 },
87	{ TLS_CIPHER_DES40_CBC,    TLS_CIPHER_BLOCK,   5,  8,  8,
88	  CRYPTO_CIPHER_ALG_DES },
89	{ TLS_CIPHER_DES_CBC,      TLS_CIPHER_BLOCK,   8,  8,  8,
90	  CRYPTO_CIPHER_ALG_DES },
91	{ TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK,  24, 24,  8,
92	  CRYPTO_CIPHER_ALG_3DES },
93	{ TLS_CIPHER_AES_128_CBC,  TLS_CIPHER_BLOCK,  16, 16, 16,
94	  CRYPTO_CIPHER_ALG_AES },
95	{ TLS_CIPHER_AES_256_CBC,  TLS_CIPHER_BLOCK,  32, 32, 16,
96	  CRYPTO_CIPHER_ALG_AES }
97};
98
99#define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers)
100
101
102/**
103 * tls_get_cipher_suite - Get TLS cipher suite
104 * @suite: Cipher suite identifier
105 * Returns: Pointer to the cipher data or %NULL if not found
106 */
107const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
108{
109	size_t i;
110	for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
111		if (tls_cipher_suites[i].suite == suite)
112			return &tls_cipher_suites[i];
113	return NULL;
114}
115
116
117const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
118{
119	size_t i;
120	for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
121		if (tls_ciphers[i].cipher == cipher)
122			return &tls_ciphers[i];
123	return NULL;
124}
125
126
127int tls_server_key_exchange_allowed(tls_cipher cipher)
128{
129	const struct tls_cipher_suite *suite;
130
131	/* RFC 2246, Section 7.4.3 */
132	suite = tls_get_cipher_suite(cipher);
133	if (suite == NULL)
134		return 0;
135
136	switch (suite->key_exchange) {
137	case TLS_KEY_X_DHE_DSS:
138	case TLS_KEY_X_DHE_DSS_EXPORT:
139	case TLS_KEY_X_DHE_RSA:
140	case TLS_KEY_X_DHE_RSA_EXPORT:
141	case TLS_KEY_X_DH_anon_EXPORT:
142	case TLS_KEY_X_DH_anon:
143		return 1;
144	case TLS_KEY_X_RSA_EXPORT:
145		return 1 /* FIX: public key len > 512 bits */;
146	default:
147		return 0;
148	}
149}
150
151
152/**
153 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
154 * @buf: ASN.1 DER encoded certificate
155 * @len: Length of the buffer
156 * @pk: Buffer for returning the allocated public key
157 * Returns: 0 on success, -1 on failure
158 *
159 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
160 * the public key from it. The caller is responsible for freeing the public key
161 * by calling crypto_public_key_free().
162 */
163int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
164{
165	struct x509_certificate *cert;
166
167	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
168		    buf, len);
169
170	*pk = crypto_public_key_from_cert(buf, len);
171	if (*pk)
172		return 0;
173
174	cert = x509_certificate_parse(buf, len);
175	if (cert == NULL) {
176		wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
177			   "certificate");
178		return -1;
179	}
180
181	/* TODO
182	 * verify key usage (must allow encryption)
183	 *
184	 * All certificate profiles, key and cryptographic formats are
185	 * defined by the IETF PKIX working group [PKIX]. When a key
186	 * usage extension is present, the digitalSignature bit must be
187	 * set for the key to be eligible for signing, as described
188	 * above, and the keyEncipherment bit must be present to allow
189	 * encryption, as described above. The keyAgreement bit must be
190	 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
191	 */
192
193	*pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
194	x509_certificate_free(cert);
195
196	if (*pk == NULL) {
197		wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
198			   "server public key");
199		return -1;
200	}
201
202	return 0;
203}
204
205
206int tls_verify_hash_init(struct tls_verify_hash *verify)
207{
208	tls_verify_hash_free(verify);
209	verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
210	verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
211	verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
212	verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
213	verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
214	verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
215	if (verify->md5_client == NULL || verify->md5_server == NULL ||
216	    verify->md5_cert == NULL || verify->sha1_client == NULL ||
217	    verify->sha1_server == NULL || verify->sha1_cert == NULL) {
218		tls_verify_hash_free(verify);
219		return -1;
220	}
221#ifdef CONFIG_TLSV12
222	verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
223						 0);
224	verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
225						 0);
226	verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
227					       0);
228	if (verify->sha256_client == NULL || verify->sha256_server == NULL ||
229	    verify->sha256_cert == NULL) {
230		tls_verify_hash_free(verify);
231		return -1;
232	}
233#endif /* CONFIG_TLSV12 */
234	return 0;
235}
236
237
238void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
239			 size_t len)
240{
241	if (verify->md5_client && verify->sha1_client) {
242		crypto_hash_update(verify->md5_client, buf, len);
243		crypto_hash_update(verify->sha1_client, buf, len);
244	}
245	if (verify->md5_server && verify->sha1_server) {
246		crypto_hash_update(verify->md5_server, buf, len);
247		crypto_hash_update(verify->sha1_server, buf, len);
248	}
249	if (verify->md5_cert && verify->sha1_cert) {
250		crypto_hash_update(verify->md5_cert, buf, len);
251		crypto_hash_update(verify->sha1_cert, buf, len);
252	}
253#ifdef CONFIG_TLSV12
254	if (verify->sha256_client)
255		crypto_hash_update(verify->sha256_client, buf, len);
256	if (verify->sha256_server)
257		crypto_hash_update(verify->sha256_server, buf, len);
258	if (verify->sha256_cert)
259		crypto_hash_update(verify->sha256_cert, buf, len);
260#endif /* CONFIG_TLSV12 */
261}
262
263
264void tls_verify_hash_free(struct tls_verify_hash *verify)
265{
266	crypto_hash_finish(verify->md5_client, NULL, NULL);
267	crypto_hash_finish(verify->md5_server, NULL, NULL);
268	crypto_hash_finish(verify->md5_cert, NULL, NULL);
269	crypto_hash_finish(verify->sha1_client, NULL, NULL);
270	crypto_hash_finish(verify->sha1_server, NULL, NULL);
271	crypto_hash_finish(verify->sha1_cert, NULL, NULL);
272	verify->md5_client = NULL;
273	verify->md5_server = NULL;
274	verify->md5_cert = NULL;
275	verify->sha1_client = NULL;
276	verify->sha1_server = NULL;
277	verify->sha1_cert = NULL;
278#ifdef CONFIG_TLSV12
279	crypto_hash_finish(verify->sha256_client, NULL, NULL);
280	crypto_hash_finish(verify->sha256_server, NULL, NULL);
281	crypto_hash_finish(verify->sha256_cert, NULL, NULL);
282	verify->sha256_client = NULL;
283	verify->sha256_server = NULL;
284	verify->sha256_cert = NULL;
285#endif /* CONFIG_TLSV12 */
286}
287
288
289int tls_version_ok(u16 ver)
290{
291	if (ver == TLS_VERSION_1)
292		return 1;
293#ifdef CONFIG_TLSV11
294	if (ver == TLS_VERSION_1_1)
295		return 1;
296#endif /* CONFIG_TLSV11 */
297#ifdef CONFIG_TLSV12
298	if (ver == TLS_VERSION_1_2)
299		return 1;
300#endif /* CONFIG_TLSV12 */
301
302	return 0;
303}
304
305
306const char * tls_version_str(u16 ver)
307{
308	switch (ver) {
309	case TLS_VERSION_1:
310		return "1.0";
311	case TLS_VERSION_1_1:
312		return "1.1";
313	case TLS_VERSION_1_2:
314		return "1.2";
315	}
316
317	return "?";
318}
319
320
321int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
322	    const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
323{
324#ifdef CONFIG_TLSV12
325	if (ver >= TLS_VERSION_1_2) {
326		tls_prf_sha256(secret, secret_len, label, seed, seed_len,
327			       out, outlen);
328		return 0;
329	}
330#endif /* CONFIG_TLSV12 */
331
332	return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
333				outlen);
334}
335
336
337#ifdef CONFIG_TLSV12
338int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
339				    const u8 *client_random,
340				    const u8 *server_random,
341				    const u8 *server_params,
342				    size_t server_params_len, u8 *hash)
343{
344	size_t hlen;
345	struct crypto_hash *ctx;
346	enum crypto_hash_alg alg;
347
348	switch (hash_alg) {
349	case TLS_HASH_ALG_SHA256:
350		alg = CRYPTO_HASH_ALG_SHA256;
351		hlen = SHA256_MAC_LEN;
352		break;
353	case TLS_HASH_ALG_SHA384:
354		alg = CRYPTO_HASH_ALG_SHA384;
355		hlen = 48;
356		break;
357	case TLS_HASH_ALG_SHA512:
358		alg = CRYPTO_HASH_ALG_SHA512;
359		hlen = 64;
360		break;
361	default:
362		return -1;
363	}
364	ctx = crypto_hash_init(alg, NULL, 0);
365	if (ctx == NULL)
366		return -1;
367	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
368	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
369	crypto_hash_update(ctx, server_params, server_params_len);
370	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
371		return -1;
372
373	return hlen;
374}
375#endif /* CONFIG_TLSV12 */
376
377
378int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
379				 const u8 *server_random,
380				 const u8 *server_params,
381				 size_t server_params_len, u8 *hash)
382{
383	u8 *hpos;
384	size_t hlen;
385	struct crypto_hash *ctx;
386
387	hpos = hash;
388
389	ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
390	if (ctx == NULL)
391		return -1;
392	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
393	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
394	crypto_hash_update(ctx, server_params, server_params_len);
395	hlen = MD5_MAC_LEN;
396	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
397		return -1;
398	hpos += hlen;
399
400	ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
401	if (ctx == NULL)
402		return -1;
403	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
404	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
405	crypto_hash_update(ctx, server_params, server_params_len);
406	hlen = hash + sizeof(hash) - hpos;
407	if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
408		return -1;
409	hpos += hlen;
410	return hpos - hash;
411}
412
413
414int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
415			 const u8 *data, size_t data_len,
416			 const u8 *pos, size_t len, u8 *alert)
417{
418	u8 *buf;
419	const u8 *end = pos + len;
420	const u8 *decrypted;
421	u16 slen;
422	size_t buflen;
423
424	if (end - pos < 2) {
425		*alert = TLS_ALERT_DECODE_ERROR;
426		return -1;
427	}
428	slen = WPA_GET_BE16(pos);
429	pos += 2;
430	if (end - pos < slen) {
431		*alert = TLS_ALERT_DECODE_ERROR;
432		return -1;
433	}
434	if (end - pos > slen) {
435		wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
436			    pos + slen, end - pos - slen);
437		end = pos + slen;
438	}
439
440	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
441	if (pk == NULL) {
442		wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
443		*alert = TLS_ALERT_INTERNAL_ERROR;
444		return -1;
445	}
446
447	buflen = end - pos;
448	buf = os_malloc(end - pos);
449	if (buf == NULL) {
450		*alert = TLS_ALERT_INTERNAL_ERROR;
451		return -1;
452	}
453	if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
454	    0) {
455		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
456		os_free(buf);
457		*alert = TLS_ALERT_DECRYPT_ERROR;
458		return -1;
459	}
460	decrypted = buf;
461
462	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
463			decrypted, buflen);
464
465#ifdef CONFIG_TLSV12
466	if (tls_version >= TLS_VERSION_1_2) {
467		/*
468		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
469		 *
470		 * DigestInfo ::= SEQUENCE {
471		 *   digestAlgorithm DigestAlgorithm,
472		 *   digest OCTET STRING
473		 * }
474		 *
475		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
476		 *
477		 * DER encoded DigestInfo for SHA256 per RFC 3447:
478		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
479		 * H
480		 */
481		if (buflen >= 19 + 32 &&
482		    os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
483			      "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
484		{
485			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-256");
486			decrypted = buf + 19;
487			buflen -= 19;
488		} else if (buflen >= 19 + 48 &&
489		    os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
490			      "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
491		{
492			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-384");
493			decrypted = buf + 19;
494			buflen -= 19;
495		} else if (buflen >= 19 + 64 &&
496		    os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
497			      "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
498		{
499			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-512");
500			decrypted = buf + 19;
501			buflen -= 19;
502
503		} else {
504			wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
505			os_free(buf);
506			*alert = TLS_ALERT_DECRYPT_ERROR;
507			return -1;
508		}
509	}
510#endif /* CONFIG_TLSV12 */
511
512	if (buflen != data_len ||
513	    os_memcmp_const(decrypted, data, data_len) != 0) {
514		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
515		os_free(buf);
516		*alert = TLS_ALERT_DECRYPT_ERROR;
517		return -1;
518	}
519
520	os_free(buf);
521
522	return 0;
523}
524