/src/hostap/src/tls/tlsv1_common.c

Source (jump to first uncovered line)
/*
 * TLSv1 common routines
 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "crypto/md5.h"
#include "crypto/sha1.h"
#include "crypto/sha256.h"
#include "x509v3.h"
#include "tlsv1_common.h"


/*
 * TODO:
 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 * Add support for commonly used cipher suites; don't bother with exportable
 * suites.
 */

static const struct tls_cipher_suite tls_cipher_suites[] = {
  { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
    TLS_HASH_NULL },
  { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
    TLS_HASH_MD5 },
  { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
    TLS_HASH_SHA },
  { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
    TLS_HASH_SHA },
  { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
    TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
  { TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC,
    TLS_HASH_SHA},
  { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA,
    TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
  { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
    TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
  { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
    TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
  { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
    TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
  { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
    TLS_HASH_SHA },
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA,
    TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
  { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
    TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
  { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
    TLS_HASH_SHA },
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA,
    TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
  { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
    TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
  { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
    TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
  { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
    TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA,
    TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA,
    TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
  { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
    TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
  { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
    TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
};

#define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites)


static const struct tls_cipher_data tls_ciphers[] = {
  { TLS_CIPHER_NULL,         TLS_CIPHER_STREAM,  0,  0,  0,
    CRYPTO_CIPHER_NULL },
  { TLS_CIPHER_IDEA_CBC,     TLS_CIPHER_BLOCK,  16, 16,  8,
    CRYPTO_CIPHER_NULL },
  { TLS_CIPHER_RC2_CBC_40,   TLS_CIPHER_BLOCK,   5, 16,  0,
    CRYPTO_CIPHER_ALG_RC2 },
  { TLS_CIPHER_RC4_40,       TLS_CIPHER_STREAM,  5, 16,  0,
    CRYPTO_CIPHER_ALG_RC4 },
  { TLS_CIPHER_RC4_128,      TLS_CIPHER_STREAM, 16, 16,  0,
    CRYPTO_CIPHER_ALG_RC4 },
  { TLS_CIPHER_DES40_CBC,    TLS_CIPHER_BLOCK,   5,  8,  8,
    CRYPTO_CIPHER_ALG_DES },
  { TLS_CIPHER_DES_CBC,      TLS_CIPHER_BLOCK,   8,  8,  8,
    CRYPTO_CIPHER_ALG_DES },
  { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK,  24, 24,  8,
    CRYPTO_CIPHER_ALG_3DES },
  { TLS_CIPHER_AES_128_CBC,  TLS_CIPHER_BLOCK,  16, 16, 16,
    CRYPTO_CIPHER_ALG_AES },
  { TLS_CIPHER_AES_256_CBC,  TLS_CIPHER_BLOCK,  32, 32, 16,
    CRYPTO_CIPHER_ALG_AES }
};

#define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers)


/**
 * tls_get_cipher_suite - Get TLS cipher suite
 * @suite: Cipher suite identifier
 * Returns: Pointer to the cipher data or %NULL if not found
 */
const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
{
  size_t i;
  for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
    if (tls_cipher_suites[i].suite == suite)
      return &tls_cipher_suites[i];
  return NULL;
}


const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
{
  size_t i;
  for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
    if (tls_ciphers[i].cipher == cipher)
      return &tls_ciphers[i];
  return NULL;
}


int tls_server_key_exchange_allowed(tls_cipher cipher)
{
  const struct tls_cipher_suite *suite;

  /* RFC 2246, Section 7.4.3 */
  suite = tls_get_cipher_suite(cipher);
  if (suite == NULL)
    return 0;

  switch (suite->key_exchange) {
  case TLS_KEY_X_DHE_DSS:
  case TLS_KEY_X_DHE_DSS_EXPORT:
  case TLS_KEY_X_DHE_RSA:
  case TLS_KEY_X_DHE_RSA_EXPORT:
  case TLS_KEY_X_DH_anon_EXPORT:
  case TLS_KEY_X_DH_anon:
    return 1;
  case TLS_KEY_X_RSA_EXPORT:
    return 1 /* FIX: public key len > 512 bits */;
  default:
    return 0;
  }
}


/**
 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
 * @buf: ASN.1 DER encoded certificate
 * @len: Length of the buffer
 * @pk: Buffer for returning the allocated public key
 * Returns: 0 on success, -1 on failure
 *
 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
 * the public key from it. The caller is responsible for freeing the public key
 * by calling crypto_public_key_free().
 */
int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
{
  struct x509_certificate *cert;

  wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
        buf, len);

  *pk = crypto_public_key_from_cert(buf, len);
  if (*pk)
    return 0;

  cert = x509_certificate_parse(buf, len);
  if (cert == NULL) {
    wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
         "certificate");
    return -1;
  }

  /* TODO
   * verify key usage (must allow encryption)
   *
   * All certificate profiles, key and cryptographic formats are
   * defined by the IETF PKIX working group [PKIX]. When a key
   * usage extension is present, the digitalSignature bit must be
   * set for the key to be eligible for signing, as described
   * above, and the keyEncipherment bit must be present to allow
   * encryption, as described above. The keyAgreement bit must be
   * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
   */

  *pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
  x509_certificate_free(cert);

  if (*pk == NULL) {
    wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
         "server public key");
    return -1;
  }

  return 0;
}


int tls_verify_hash_init(struct tls_verify_hash *verify)
{
  tls_verify_hash_free(verify);
  verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
  verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
  verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
  verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
  verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
  verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
  if (verify->md5_client == NULL || verify->md5_server == NULL ||
      verify->md5_cert == NULL || verify->sha1_client == NULL ||
      verify->sha1_server == NULL || verify->sha1_cert == NULL) {
    tls_verify_hash_free(verify);
    return -1;
  }
#ifdef CONFIG_TLSV12
  verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
             0);
  verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
             0);
  verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
                 0);
  if (verify->sha256_client == NULL || verify->sha256_server == NULL ||
      verify->sha256_cert == NULL) {
    tls_verify_hash_free(verify);
    return -1;
  }
#endif /* CONFIG_TLSV12 */
  return 0;
}


void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
       size_t len)
{
  if (verify->md5_client && verify->sha1_client) {
    crypto_hash_update(verify->md5_client, buf, len);
    crypto_hash_update(verify->sha1_client, buf, len);
  }
  if (verify->md5_server && verify->sha1_server) {
    crypto_hash_update(verify->md5_server, buf, len);
    crypto_hash_update(verify->sha1_server, buf, len);
  }
  if (verify->md5_cert && verify->sha1_cert) {
    crypto_hash_update(verify->md5_cert, buf, len);
    crypto_hash_update(verify->sha1_cert, buf, len);
  }
#ifdef CONFIG_TLSV12
  if (verify->sha256_client)
    crypto_hash_update(verify->sha256_client, buf, len);
  if (verify->sha256_server)
    crypto_hash_update(verify->sha256_server, buf, len);
  if (verify->sha256_cert)
    crypto_hash_update(verify->sha256_cert, buf, len);
#endif /* CONFIG_TLSV12 */
}


void tls_verify_hash_free(struct tls_verify_hash *verify)
{
  crypto_hash_finish(verify->md5_client, NULL, NULL);
  crypto_hash_finish(verify->md5_server, NULL, NULL);
  crypto_hash_finish(verify->md5_cert, NULL, NULL);
  crypto_hash_finish(verify->sha1_client, NULL, NULL);
  crypto_hash_finish(verify->sha1_server, NULL, NULL);
  crypto_hash_finish(verify->sha1_cert, NULL, NULL);
  verify->md5_client = NULL;
  verify->md5_server = NULL;
  verify->md5_cert = NULL;
  verify->sha1_client = NULL;
  verify->sha1_server = NULL;
  verify->sha1_cert = NULL;
#ifdef CONFIG_TLSV12
  crypto_hash_finish(verify->sha256_client, NULL, NULL);
  crypto_hash_finish(verify->sha256_server, NULL, NULL);
  crypto_hash_finish(verify->sha256_cert, NULL, NULL);
  verify->sha256_client = NULL;
  verify->sha256_server = NULL;
  verify->sha256_cert = NULL;
#endif /* CONFIG_TLSV12 */
}


int tls_version_ok(u16 ver)
{
  if (ver == TLS_VERSION_1)
    return 1;
#ifdef CONFIG_TLSV11
  if (ver == TLS_VERSION_1_1)
    return 1;
#endif /* CONFIG_TLSV11 */
#ifdef CONFIG_TLSV12
  if (ver == TLS_VERSION_1_2)
    return 1;
#endif /* CONFIG_TLSV12 */

  return 0;
}


const char * tls_version_str(u16 ver)
{
  switch (ver) {
  case TLS_VERSION_1:
    return "1.0";
  case TLS_VERSION_1_1:
    return "1.1";
  case TLS_VERSION_1_2:
    return "1.2";
  }

  return "?";
}


int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
      const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
{
#ifdef CONFIG_TLSV12
  if (ver >= TLS_VERSION_1_2) {
    tls_prf_sha256(secret, secret_len, label, seed, seed_len,
             out, outlen);
    return 0;
  }
#endif /* CONFIG_TLSV12 */

  return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
        outlen);
}


#ifdef CONFIG_TLSV12
int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
            const u8 *client_random,
            const u8 *server_random,
            const u8 *server_params,
            size_t server_params_len, u8 *hash)
{
  size_t hlen;
  struct crypto_hash *ctx;
  enum crypto_hash_alg alg;

  switch (hash_alg) {
  case TLS_HASH_ALG_SHA256:
    alg = CRYPTO_HASH_ALG_SHA256;
    hlen = SHA256_MAC_LEN;
    break;
  case TLS_HASH_ALG_SHA384:
    alg = CRYPTO_HASH_ALG_SHA384;
    hlen = 48;
    break;
  case TLS_HASH_ALG_SHA512:
    alg = CRYPTO_HASH_ALG_SHA512;
    hlen = 64;
    break;
  default:
    return -1;
  }
  ctx = crypto_hash_init(alg, NULL, 0);
  if (ctx == NULL)
    return -1;
  crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
  crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
  crypto_hash_update(ctx, server_params, server_params_len);
  if (crypto_hash_finish(ctx, hash, &hlen) < 0)
    return -1;

  return hlen;
}
#endif /* CONFIG_TLSV12 */


int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
         const u8 *server_random,
         const u8 *server_params,
         size_t server_params_len, u8 *hash, size_t hsz)
{
  u8 *hpos;
  size_t hlen;
  struct crypto_hash *ctx;

  hpos = hash;

  ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
  if (ctx == NULL)
    return -1;
  crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
  crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
  crypto_hash_update(ctx, server_params, server_params_len);
  hlen = MD5_MAC_LEN;
  if (hsz < hlen)
    return -1;
  if (crypto_hash_finish(ctx, hash, &hlen) < 0)
    return -1;
  hpos += hlen;

  ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
  if (ctx == NULL)
    return -1;
  crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
  crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
  crypto_hash_update(ctx, server_params, server_params_len);
  hlen = hsz - hlen;
  if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
    return -1;
  hpos += hlen;
  return hpos - hash;
}


int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
       const u8 *data, size_t data_len,
       const u8 *pos, size_t len, u8 *alert)
{
  u8 *buf;
  const u8 *end = pos + len;
  const u8 *decrypted;
  u16 slen;
  size_t buflen;

  if (end - pos < 2) {
    *alert = TLS_ALERT_DECODE_ERROR;
    return -1;
  }
  slen = WPA_GET_BE16(pos);
  pos += 2;
  if (end - pos < slen) {
    *alert = TLS_ALERT_DECODE_ERROR;
    return -1;
  }
  if (end - pos > slen) {
    wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
          pos + slen, end - pos - slen);
    end = pos + slen;
  }

  wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
  if (pk == NULL) {
    wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
    *alert = TLS_ALERT_INTERNAL_ERROR;
    return -1;
  }

  buflen = end - pos;
  buf = os_malloc(end - pos);
  if (buf == NULL) {
    *alert = TLS_ALERT_INTERNAL_ERROR;
    return -1;
  }
  if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
      0) {
    wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
    os_free(buf);
    *alert = TLS_ALERT_DECRYPT_ERROR;
    return -1;
  }
  decrypted = buf;

  wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
      decrypted, buflen);

#ifdef CONFIG_TLSV12
  if (tls_version >= TLS_VERSION_1_2) {
    /*
     * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
     *
     * DigestInfo ::= SEQUENCE {
     *   digestAlgorithm DigestAlgorithm,
     *   digest OCTET STRING
     * }
     *
     * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
     *
     * DER encoded DigestInfo for SHA256 per RFC 3447:
     * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
     * H
     */
    if (buflen >= 19 + 32 &&
        os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
            "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
    {
      wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256");
      decrypted = buf + 19;
      buflen -= 19;
    } else if (buflen >= 19 + 48 &&
        os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
            "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
    {
      wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384");
      decrypted = buf + 19;
      buflen -= 19;
    } else if (buflen >= 19 + 64 &&
        os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
            "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
    {
      wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512");
      decrypted = buf + 19;
      buflen -= 19;

    } else {
      wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
      os_free(buf);
      *alert = TLS_ALERT_DECRYPT_ERROR;
      return -1;
    }
  }
#endif /* CONFIG_TLSV12 */

  if (buflen != data_len ||
      os_memcmp_const(decrypted, data, data_len) != 0) {
    wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
    os_free(buf);
    *alert = TLS_ALERT_DECRYPT_ERROR;
    return -1;
  }

  os_free(buf);

  return 0;
}

Coverage Report

Created: 2025-08-28 07:04

Line	Count	Source (jump to first uncovered line)
1		/*
2		* TLSv1 common routines
3		* Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4		*
5		* This software may be distributed under the terms of the BSD license.
6		* See README for more details.
7		*/
8
9		#include "includes.h"
10
11		#include "common.h"
12		#include "crypto/md5.h"
13		#include "crypto/sha1.h"
14		#include "crypto/sha256.h"
15		#include "x509v3.h"
16		#include "tlsv1_common.h"
17
18
19		/*
20		* TODO:
21		* RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
22		* Add support for commonly used cipher suites; don't bother with exportable
23		* suites.
24		*/
25
26		static const struct tls_cipher_suite tls_cipher_suites[] = {
27		{ TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
28		TLS_HASH_NULL },
29		{ TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
30		TLS_HASH_MD5 },
31		{ TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
32		TLS_HASH_SHA },
33		{ TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
34		TLS_HASH_SHA },
35		{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
36		TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
37		{ TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC,
38		TLS_HASH_SHA},
39		{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA,
40		TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
41		{ TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
42		TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
43		{ TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
44		TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
45		{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
46		TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
47		{ TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
48		TLS_HASH_SHA },
49		{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA,
50		TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
51		{ TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
52		TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
53		{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
54		TLS_HASH_SHA },
55		{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA,
56		TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
57		{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
58		TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
59		{ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
60		TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
61		{ TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
62		TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
63		{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA,
64		TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
65		{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA,
66		TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
67		{ TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
68		TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
69		{ TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
70		TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
71		};
72
73	57.1k	#define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites)
74
75
76		static const struct tls_cipher_data tls_ciphers[] = {
77		{ TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0,
78		CRYPTO_CIPHER_NULL },
79		{ TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8,
80		CRYPTO_CIPHER_NULL },
81		{ TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0,
82		CRYPTO_CIPHER_ALG_RC2 },
83		{ TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0,
84		CRYPTO_CIPHER_ALG_RC4 },
85		{ TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0,
86		CRYPTO_CIPHER_ALG_RC4 },
87		{ TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8,
88		CRYPTO_CIPHER_ALG_DES },
89		{ TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8,
90		CRYPTO_CIPHER_ALG_DES },
91		{ TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8,
92		CRYPTO_CIPHER_ALG_3DES },
93		{ TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16,
94		CRYPTO_CIPHER_ALG_AES },
95		{ TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16,
96		CRYPTO_CIPHER_ALG_AES }
97		};
98
99	25.5k	#define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers)
100
101
102		/**
103		* tls_get_cipher_suite - Get TLS cipher suite
104		* @suite: Cipher suite identifier
105		* Returns: Pointer to the cipher data or %NULL if not found
106		*/
107		const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
108	6.79k	{
109	6.79k	size_t i;
110	57.1k	for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
111	57.1k	if (tls_cipher_suites[i].suite == suite)
112	6.79k	return &tls_cipher_suites[i];
113	0	return NULL;
114	6.79k	}
115
116
117		const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
118	5.42k	{
119	5.42k	size_t i;
120	25.5k	for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
121	25.5k	if (tls_ciphers[i].cipher == cipher)
122	5.42k	return &tls_ciphers[i];
123	0	return NULL;
124	5.42k	}
125
126
127		int tls_server_key_exchange_allowed(tls_cipher cipher)
128	467	{
129	467	const struct tls_cipher_suite *suite;
130
131		/* RFC 2246, Section 7.4.3 */
132	467	suite = tls_get_cipher_suite(cipher);
133	467	if (suite == NULL)
134	0	return 0;
135
136	467	switch (suite->key_exchange) {
137	0	case TLS_KEY_X_DHE_DSS:
138	0	case TLS_KEY_X_DHE_DSS_EXPORT:
139	460	case TLS_KEY_X_DHE_RSA:
140	460	case TLS_KEY_X_DHE_RSA_EXPORT:
141	460	case TLS_KEY_X_DH_anon_EXPORT:
142	460	case TLS_KEY_X_DH_anon:
143	460	return 1;
144	0	case TLS_KEY_X_RSA_EXPORT:
145	0	return 1 /* FIX: public key len > 512 bits */;
146	7	default:
147	7	return 0;
148	467	}
149	467	}
150
151
152		/**
153		* tls_parse_cert - Parse DER encoded X.509 certificate and get public key
154		* @buf: ASN.1 DER encoded certificate
155		* @len: Length of the buffer
156		* @pk: Buffer for returning the allocated public key
157		* Returns: 0 on success, -1 on failure
158		*
159		* This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
160		* the public key from it. The caller is responsible for freeing the public key
161		* by calling crypto_public_key_free().
162		*/
163		int tls_parse_cert(const u8 buf, size_t len, struct crypto_public_key *pk)
164	2.07k	{
165	2.07k	struct x509_certificate *cert;
166
167	2.07k	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
168	2.07k	buf, len);
169
170	2.07k	*pk = crypto_public_key_from_cert(buf, len);
171	2.07k	if (*pk)
172	0	return 0;
173
174	2.07k	cert = x509_certificate_parse(buf, len);
175	2.07k	if (cert == NULL) {
176	1.26k	wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
177	1.26k	"certificate");
178	1.26k	return -1;
179	1.26k	}
180
181		/* TODO
182		* verify key usage (must allow encryption)
183		*
184		* All certificate profiles, key and cryptographic formats are
185		* defined by the IETF PKIX working group [PKIX]. When a key
186		* usage extension is present, the digitalSignature bit must be
187		* set for the key to be eligible for signing, as described
188		* above, and the keyEncipherment bit must be present to allow
189		* encryption, as described above. The keyAgreement bit must be
190		* set on Diffie-Hellman certificates. (PKIX: RFC 3280)
191		*/
192
193	808	*pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
194	808	x509_certificate_free(cert);
195
196	808	if (*pk == NULL) {
197	32	wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
198	32	"server public key");
199	32	return -1;
200	32	}
201
202	776	return 0;
203	808	}
204
205
206		int tls_verify_hash_init(struct tls_verify_hash *verify)
207	2.93k	{
208	2.93k	tls_verify_hash_free(verify);
209	2.93k	verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
210	2.93k	verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
211	2.93k	verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
212	2.93k	verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
213	2.93k	verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
214	2.93k	verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
215	2.93k	if (verify->md5_client == NULL \|\| verify->md5_server == NULL \|\|
216	2.93k	verify->md5_cert == NULL \|\| verify->sha1_client == NULL \|\|
217	2.93k	verify->sha1_server == NULL \|\| verify->sha1_cert == NULL) {
218	0	tls_verify_hash_free(verify);
219	0	return -1;
220	0	}
221	2.93k	#ifdef CONFIG_TLSV12
222	2.93k	verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
223	2.93k	0);
224	2.93k	verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
225	2.93k	0);
226	2.93k	verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
227	2.93k	0);
228	2.93k	if (verify->sha256_client == NULL \|\| verify->sha256_server == NULL \|\|
229	2.93k	verify->sha256_cert == NULL) {
230	0	tls_verify_hash_free(verify);
231	0	return -1;
232	0	}
233	2.93k	#endif /* CONFIG_TLSV12 */
234	2.93k	return 0;
235	2.93k	}
236
237
238		void tls_verify_hash_add(struct tls_verify_hash verify, const u8 buf,
239		size_t len)
240	7.62k	{
241	7.62k	if (verify->md5_client && verify->sha1_client) {
242	7.36k	crypto_hash_update(verify->md5_client, buf, len);
243	7.36k	crypto_hash_update(verify->sha1_client, buf, len);
244	7.36k	}
245	7.62k	if (verify->md5_server && verify->sha1_server) {
246	7.62k	crypto_hash_update(verify->md5_server, buf, len);
247	7.62k	crypto_hash_update(verify->sha1_server, buf, len);
248	7.62k	}
249	7.62k	if (verify->md5_cert && verify->sha1_cert) {
250	7.62k	crypto_hash_update(verify->md5_cert, buf, len);
251	7.62k	crypto_hash_update(verify->sha1_cert, buf, len);
252	7.62k	}
253	7.62k	#ifdef CONFIG_TLSV12
254	7.62k	if (verify->sha256_client)
255	7.43k	crypto_hash_update(verify->sha256_client, buf, len);
256	7.62k	if (verify->sha256_server)
257	7.60k	crypto_hash_update(verify->sha256_server, buf, len);
258	7.62k	if (verify->sha256_cert)
259	7.62k	crypto_hash_update(verify->sha256_cert, buf, len);
260	7.62k	#endif /* CONFIG_TLSV12 */
261	7.62k	}
262
263
264		void tls_verify_hash_free(struct tls_verify_hash *verify)
265	5.87k	{
266	5.87k	crypto_hash_finish(verify->md5_client, NULL, NULL);
267	5.87k	crypto_hash_finish(verify->md5_server, NULL, NULL);
268	5.87k	crypto_hash_finish(verify->md5_cert, NULL, NULL);
269	5.87k	crypto_hash_finish(verify->sha1_client, NULL, NULL);
270	5.87k	crypto_hash_finish(verify->sha1_server, NULL, NULL);
271	5.87k	crypto_hash_finish(verify->sha1_cert, NULL, NULL);
272	5.87k	verify->md5_client = NULL;
273	5.87k	verify->md5_server = NULL;
274	5.87k	verify->md5_cert = NULL;
275	5.87k	verify->sha1_client = NULL;
276	5.87k	verify->sha1_server = NULL;
277	5.87k	verify->sha1_cert = NULL;
278	5.87k	#ifdef CONFIG_TLSV12
279	5.87k	crypto_hash_finish(verify->sha256_client, NULL, NULL);
280	5.87k	crypto_hash_finish(verify->sha256_server, NULL, NULL);
281	5.87k	crypto_hash_finish(verify->sha256_cert, NULL, NULL);
282	5.87k	verify->sha256_client = NULL;
283	5.87k	verify->sha256_server = NULL;
284	5.87k	verify->sha256_cert = NULL;
285	5.87k	#endif /* CONFIG_TLSV12 */
286	5.87k	}
287
288
289		int tls_version_ok(u16 ver)
290	2.57k	{
291	2.57k	if (ver == TLS_VERSION_1)
292	629	return 1;
293	1.94k	#ifdef CONFIG_TLSV11
294	1.94k	if (ver == TLS_VERSION_1_1)
295	552	return 1;
296	1.38k	#endif /* CONFIG_TLSV11 */
297	1.38k	#ifdef CONFIG_TLSV12
298	1.38k	if (ver == TLS_VERSION_1_2)
299	1.36k	return 1;
300	25	#endif /* CONFIG_TLSV12 */
301
302	25	return 0;
303	1.38k	}
304
305
306		const char * tls_version_str(u16 ver)
307	5.48k	{
308	5.48k	switch (ver) {
309	629	case TLS_VERSION_1:
310	629	return "1.0";
311	552	case TLS_VERSION_1_1:
312	552	return "1.1";
313	4.30k	case TLS_VERSION_1_2:
314	4.30k	return "1.2";
315	5.48k	}
316
317	0	return "?";
318	5.48k	}
319
320
321		int tls_prf(u16 ver, const u8 secret, size_t secret_len, const char label,
322		const u8 seed, size_t seed_len, u8 out, size_t outlen)
323	1.31k	{
324	1.31k	#ifdef CONFIG_TLSV12
325	1.31k	if (ver >= TLS_VERSION_1_2) {
326	534	tls_prf_sha256(secret, secret_len, label, seed, seed_len,
327	534	out, outlen);
328	534	return 0;
329	534	}
330	782	#endif /* CONFIG_TLSV12 */
331
332	782	return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
333	782	outlen);
334	1.31k	}
335
336
337		#ifdef CONFIG_TLSV12
338		int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
339		const u8 *client_random,
340		const u8 *server_random,
341		const u8 *server_params,
342		size_t server_params_len, u8 *hash)
343	247	{
344	247	size_t hlen;
345	247	struct crypto_hash *ctx;
346	247	enum crypto_hash_alg alg;
347
348	247	switch (hash_alg) {
349	121	case TLS_HASH_ALG_SHA256:
350	121	alg = CRYPTO_HASH_ALG_SHA256;
351	121	hlen = SHA256_MAC_LEN;
352	121	break;
353	125	case TLS_HASH_ALG_SHA384:
354	125	alg = CRYPTO_HASH_ALG_SHA384;
355	125	hlen = 48;
356	125	break;
357	1	case TLS_HASH_ALG_SHA512:
358	1	alg = CRYPTO_HASH_ALG_SHA512;
359	1	hlen = 64;
360	1	break;
361	0	default:
362	0	return -1;
363	247	}
364	247	ctx = crypto_hash_init(alg, NULL, 0);
365	247	if (ctx == NULL)
366	1	return -1;
367	246	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
368	246	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
369	246	crypto_hash_update(ctx, server_params, server_params_len);
370	246	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
371	0	return -1;
372
373	246	return hlen;
374	246	}
375		#endif /* CONFIG_TLSV12 */
376
377
378		int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
379		const u8 *server_random,
380		const u8 *server_params,
381		size_t server_params_len, u8 *hash, size_t hsz)
382	89	{
383	89	u8 *hpos;
384	89	size_t hlen;
385	89	struct crypto_hash *ctx;
386
387	89	hpos = hash;
388
389	89	ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
390	89	if (ctx == NULL)
391	0	return -1;
392	89	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
393	89	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
394	89	crypto_hash_update(ctx, server_params, server_params_len);
395	89	hlen = MD5_MAC_LEN;
396	89	if (hsz < hlen)
397	0	return -1;
398	89	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
399	0	return -1;
400	89	hpos += hlen;
401
402	89	ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
403	89	if (ctx == NULL)
404	0	return -1;
405	89	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
406	89	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
407	89	crypto_hash_update(ctx, server_params, server_params_len);
408	89	hlen = hsz - hlen;
409	89	if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
410	0	return -1;
411	89	hpos += hlen;
412	89	return hpos - hash;
413	89	}
414
415
416		int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
417		const u8 *data, size_t data_len,
418		const u8 pos, size_t len, u8 alert)
419	335	{
420	335	u8 *buf;
421	335	const u8 *end = pos + len;
422	335	const u8 *decrypted;
423	335	u16 slen;
424	335	size_t buflen;
425
426	335	if (end - pos < 2) {
427	5	*alert = TLS_ALERT_DECODE_ERROR;
428	5	return -1;
429	5	}
430	330	slen = WPA_GET_BE16(pos);
431	330	pos += 2;
432	330	if (end - pos < slen) {
433	34	*alert = TLS_ALERT_DECODE_ERROR;
434	34	return -1;
435	34	}
436	296	if (end - pos > slen) {
437	187	wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
438	187	pos + slen, end - pos - slen);
439	187	end = pos + slen;
440	187	}
441
442	296	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
443	296	if (pk == NULL) {
444	14	wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
445	14	*alert = TLS_ALERT_INTERNAL_ERROR;
446	14	return -1;
447	14	}
448
449	282	buflen = end - pos;
450	282	buf = os_malloc(end - pos);
451	282	if (buf == NULL) {
452	0	*alert = TLS_ALERT_INTERNAL_ERROR;
453	0	return -1;
454	0	}
455	282	if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
456	282	0) {
457	194	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
458	194	os_free(buf);
459	194	*alert = TLS_ALERT_DECRYPT_ERROR;
460	194	return -1;
461	194	}
462	88	decrypted = buf;
463
464	88	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
465	88	decrypted, buflen);
466
467	88	#ifdef CONFIG_TLSV12
468	88	if (tls_version >= TLS_VERSION_1_2) {
469		/*
470		* RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
471		*
472		* DigestInfo ::= SEQUENCE {
473		* digestAlgorithm DigestAlgorithm,
474		* digest OCTET STRING
475		* }
476		*
477		* SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
478		*
479		* DER encoded DigestInfo for SHA256 per RFC 3447:
480		* 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 \|\|
481		* H
482		*/
483	84	if (buflen >= 19 + 32 &&
484	84	os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
485	77	"\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
486	52	{
487	52	wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256");
488	52	decrypted = buf + 19;
489	52	buflen -= 19;
490	52	} else if (buflen >= 19 + 48 &&
491	32	os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
492	20	"\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
493	1	{
494	1	wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384");
495	1	decrypted = buf + 19;
496	1	buflen -= 19;
497	31	} else if (buflen >= 19 + 64 &&
498	31	os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
499	18	"\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
500	1	{
501	1	wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512");
502	1	decrypted = buf + 19;
503	1	buflen -= 19;
504
505	30	} else {
506	30	wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
507	30	os_free(buf);
508	30	*alert = TLS_ALERT_DECRYPT_ERROR;
509	30	return -1;
510	30	}
511	84	}
512	58	#endif /* CONFIG_TLSV12 */
513
514	58	if (buflen != data_len \|\|
515	58	os_memcmp_const(decrypted, data, data_len) != 0) {
516	7	wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
517	7	os_free(buf);
518	7	*alert = TLS_ALERT_DECRYPT_ERROR;
519	7	return -1;
520	7	}
521
522	51	os_free(buf);
523
524	51	return 0;
525	58	}