/*
 * wpa_supplicant/hostapd: TLSv1 common routines
 * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */
#include "tlsv1_common.h"
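/*
 * TODO:
 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 * Add support for commonly used cipher suites; don't bother with exportable
 * suites.
 */

/*
 * Cipher suites known to this file. Each row maps a suite identifier to its
 * key exchange, bulk cipher and MAC hash; tls_get_cipher_suite() searches it.
 *
 * NOTE(review): this table was recovered from a listing that had dropped
 * short lines. The hash column of several rows and the closing brace are
 * restored from the suite names (..._MD5 -> TLS_HASH_MD5, ..._SHA ->
 * TLS_HASH_SHA, NULL suite -> TLS_HASH_NULL); verify against the upstream
 * file and tlsv1_common.h.
 *
 * Security note: besides the AES and 3DES RSA suites, the table carries
 * TLS_NULL_WITH_NULL_NULL (no encryption, no MAC), the DH_anon suites (key
 * exchange without peer authentication, so an active man-in-the-middle is
 * not detected), single DES (56-bit key) and RC4 suites (prohibited for TLS
 * by RFC 7465). Being listed here only makes a suite resolvable; which suites
 * are offered or accepted is decided by code outside this file, and that code
 * should leave the NULL, DH_anon, DES and RC4 rows out of negotiation.
 */
static const struct tls_cipher_suite tls_cipher_suites[] = {
	{ TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
	  TLS_HASH_NULL },
	{ TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
	  TLS_HASH_MD5 },
	{ TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
	  TLS_HASH_SHA },
	{ TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
	  TLS_HASH_SHA },
	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
	{ TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
	  TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
	{ TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
	  TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
	{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
	{ TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
	  TLS_HASH_SHA },
	{ TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
	{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
	  TLS_HASH_SHA },
	{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }
};

/* Element count of a true array (not valid on a pointer). */
#define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
#define NUM_TLS_CIPHER_SUITES NUM_ELEMS(tls_cipher_suites)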
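/*
 * Per-cipher parameters, searched by tls_get_cipher_data(). The fields read
 * elsewhere in this file are .cipher (lookup key), .key_material (key length
 * handed to crypto_cipher_init()), .block_size (used as the record layer IV
 * size; 0 for stream ciphers) and .alg (crypto backend algorithm). The
 * second column is the stream/block type and the fourth is a second key
 * length column (presumably the expanded key material length -- confirm
 * against struct tls_cipher_data in tlsv1_common.h).
 *
 * NOTE(review): this table was recovered from a listing that had dropped
 * short lines. The .alg value of the first two rows and the closing brace
 * are restored. CRYPTO_CIPHER_NULL for TLS_CIPHER_NULL follows from the
 * rl->cipher_alg != CRYPTO_CIPHER_NULL tests in this file; the value for
 * TLS_CIPHER_IDEA_CBC is assumed to be CRYPTO_CIPHER_NULL as well (no IDEA
 * backend) and must be checked against the upstream file.
 *
 * Security note: the 40-bit export ciphers and single DES rows describe
 * algorithms that are too weak to protect traffic; they should not be
 * reachable through any suite that is actually negotiated.
 */
static const struct tls_cipher_data tls_ciphers[] = {
	{ TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0,
	  CRYPTO_CIPHER_NULL },
	{ TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8,
	  CRYPTO_CIPHER_NULL },
	{ TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0,
	  CRYPTO_CIPHER_ALG_RC2 },
	{ TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0,
	  CRYPTO_CIPHER_ALG_RC4 },
	{ TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0,
	  CRYPTO_CIPHER_ALG_RC4 },
	{ TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8,
	  CRYPTO_CIPHER_ALG_DES },
	{ TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8,
	  CRYPTO_CIPHER_ALG_DES },
	{ TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8,
	  CRYPTO_CIPHER_ALG_3DES },
	{ TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16,
	  CRYPTO_CIPHER_ALG_AES },
	{ TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16,
	  CRYPTO_CIPHER_ALG_AES }
};

#define NUM_TLS_CIPHER_DATA NUM_ELEMS(tls_ciphers)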
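/**
 * tls_get_cipher_suite - Get TLS cipher suite
 * @suite: Cipher suite identifier
 * Returns: Pointer to the cipher data or %NULL if not found
 *
 * Linear search of tls_cipher_suites[]. The returned pointer refers to the
 * static table and must not be freed. Callers have to handle %NULL: suite
 * identifiers come from the peer and unknown values are expected.
 *
 * NOTE(review): the braces, the index declaration and the final return were
 * missing from the listing this function was recovered from; they are
 * restored from the documented contract above.
 */
const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
{
	size_t i;

	for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++) {
		if (tls_cipher_suites[i].suite == suite)
			return &tls_cipher_suites[i];
	}

	return NULL;
}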
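/**
 * tls_get_cipher_data - Get parameters for a bulk cipher
 * @cipher: Cipher identifier (the cipher field of a struct tls_cipher_suite)
 * Returns: Pointer to the matching tls_ciphers[] row or %NULL if not found
 *
 * NOTE(review): the braces, the index declaration and the final return were
 * missing from the listing this function was recovered from; the %NULL
 * return on a miss mirrors tls_get_cipher_suite() and should be checked
 * against the upstream file.
 */
static const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
{
	size_t i;

	for (i = 0; i < NUM_TLS_CIPHER_DATA; i++) {
		if (tls_ciphers[i].cipher == cipher)
			return &tls_ciphers[i];
	}

	return NULL;
}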
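/**
 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
 * @buf: ASN.1 DER encoded certificate
 * @len: Length of the buffer
 * @pk: Buffer for returning the allocated public key
 * Returns: 0 on success, -1 on failure
 *
 * This function parses an ASN.1 DER encoded X.509 certificate and retrieves
 * the public key from it. The caller is responsible for freeing the public key
 * by calling crypto_public_key_free().
 *
 * Security note: as far as this function shows, success only means that a
 * public key could be extracted. Nothing here checks the issuer chain, the
 * validity period, the subject name or the key usage extension (the key
 * usage check is still a TODO below), so a 0 return must not be read as
 * "certificate is trusted"; that decision has to be made by the caller.
 *
 * NOTE(review): this function was recovered from a listing that had dropped
 * short lines. Braces, the early return after crypto_public_key_from_cert(),
 * the NULL checks, the return statements and the tail of the first error
 * message are restored and should be checked against the upstream file.
 */
int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
{
	struct x509_certificate *cert;

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
		    buf, len);

	/* First let the crypto backend extract the key directly. */
	*pk = crypto_public_key_from_cert(buf, len);
	if (*pk)
		return 0;

	/* Fall back to the internal X.509 parser. */
	cert = x509_certificate_parse(buf, len);
	if (cert == NULL) {
		wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
			   "certificate");
		return -1;
	}

	/* TODO
	 * verify key usage (must allow encryption)
	 *
	 * All certificate profiles, key and cryptographic formats are
	 * defined by the IETF PKIX working group [PKIX]. When a key
	 * usage extension is present, the digitalSignature bit must be
	 * set for the key to be eligible for signing, as described
	 * above, and the keyEncipherment bit must be present to allow
	 * encryption, as described above. The keyAgreement bit must be
	 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
	 */

	*pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
	/* The parsed certificate is no longer needed once the key is copied. */
	x509_certificate_free(cert);

	if (*pk == NULL) {
		wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
			   "server public key");
		return -1;
	}

	return 0;
}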
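/**
 * tlsv1_record_set_cipher_suite - TLS record layer: Set cipher suite
 * @rl: Pointer to TLS record layer data
 * @cipher_suite: New cipher suite
 * Returns: 0 on success, -1 on failure
 *
 * This function is used to prepare TLS record layer for cipher suite change.
 * tlsv1_record_change_write_cipher() and
 * tlsv1_record_change_read_cipher() functions can then be used to change the
 * currently used ciphers.
 *
 * Note that rl->cipher_suite is updated before the suite is looked up, so it
 * holds the requested value even when -1 is returned. When the suite's hash
 * is neither TLS_HASH_MD5 nor TLS_HASH_SHA, rl->hash_alg and rl->hash_size
 * keep whatever they held before the call.
 *
 * NOTE(review): this function was recovered from a listing that had dropped
 * short lines. The second parameter line, braces, the NULL checks after both
 * lookups and the return statements are restored and should be checked
 * against the upstream file.
 */
int tlsv1_record_set_cipher_suite(struct tlsv1_record_layer *rl,
				  u16 cipher_suite)
{
	const struct tls_cipher_suite *suite;
	const struct tls_cipher_data *data;

	wpa_printf(MSG_DEBUG, "TLSv1: Selected cipher suite: 0x%04x",
		   cipher_suite);
	rl->cipher_suite = cipher_suite;

	suite = tls_get_cipher_suite(cipher_suite);
	if (suite == NULL)
		return -1; /* identifier not in tls_cipher_suites[] */

	/* Record MAC: HMAC over the hash named by the suite. */
	if (suite->hash == TLS_HASH_MD5) {
		rl->hash_alg = CRYPTO_HASH_ALG_HMAC_MD5;
		rl->hash_size = MD5_MAC_LEN;
	} else if (suite->hash == TLS_HASH_SHA) {
		rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA1;
		rl->hash_size = SHA1_MAC_LEN;
	}

	data = tls_get_cipher_data(suite->cipher);
	if (data == NULL)
		return -1; /* suite names a cipher with no tls_ciphers[] row */

	rl->key_material_len = data->key_material;
	rl->iv_size = data->block_size; /* 0 for stream ciphers */
	rl->cipher_alg = data->alg;

	return 0;
}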
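/**
 * tlsv1_record_change_write_cipher - TLS record layer: Change write cipher
 * @rl: Pointer to TLS record layer data
 * Returns: 0 on success (cipher changed), -1 on failure
 *
 * This function changes TLS record layer to use the new cipher suite
 * configured with tlsv1_record_set_cipher_suite() for writing.
 *
 * The write sequence number is reset to zero and any previous cipher context
 * is released before a new one is created from rl->write_iv and
 * rl->write_key. Those fields are read here but set elsewhere; the caller
 * must have installed the new key material before calling this. On failure
 * rl->write_cipher_suite has already been switched while rl->write_cbc is
 * %NULL, so the caller should abort the connection rather than keep sending.
 *
 * NOTE(review): this function was recovered from a listing that had dropped
 * short lines. Braces, the guard around crypto_cipher_deinit(), the tail of
 * the error message and the return statements are restored and should be
 * checked against the upstream file.
 */
int tlsv1_record_change_write_cipher(struct tlsv1_record_layer *rl)
{
	wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New write cipher suite "
		   "0x%04x", rl->cipher_suite);
	rl->write_cipher_suite = rl->cipher_suite;
	/* Sequence numbers restart with every cipher change. */
	os_memset(rl->write_seq_num, 0, TLS_SEQ_NUM_LEN);

	if (rl->write_cbc) {
		crypto_cipher_deinit(rl->write_cbc);
		rl->write_cbc = NULL;
	}
	if (rl->cipher_alg != CRYPTO_CIPHER_NULL) {
		rl->write_cbc = crypto_cipher_init(rl->cipher_alg,
						   rl->write_iv, rl->write_key,
						   rl->key_material_len);
		if (rl->write_cbc == NULL) {
			wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize "
				   "cipher");
			return -1;
		}
	}

	return 0;
}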
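/**
 * tlsv1_record_change_read_cipher - TLS record layer: Change read cipher
 * @rl: Pointer to TLS record layer data
 * Returns: 0 on success (cipher changed), -1 on failure
 *
 * This function changes TLS record layer to use the new cipher suite
 * configured with tlsv1_record_set_cipher_suite() for reading.
 *
 * The read sequence number is reset to zero and any previous cipher context
 * is released before a new one is created from rl->read_iv and rl->read_key.
 * Those fields are read here but set elsewhere; the caller must have
 * installed the new key material before calling this. On failure
 * rl->read_cipher_suite has already been switched while rl->read_cbc is
 * %NULL, so the caller should abort the connection rather than keep
 * receiving.
 *
 * NOTE(review): this function was recovered from a listing that had dropped
 * short lines. Braces, the guard around crypto_cipher_deinit(), the reset of
 * rl->read_cbc to %NULL (mirroring the write side), the tail of the error
 * message and the return statements are restored and should be checked
 * against the upstream file.
 */
int tlsv1_record_change_read_cipher(struct tlsv1_record_layer *rl)
{
	wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New read cipher suite "
		   "0x%04x", rl->cipher_suite);
	rl->read_cipher_suite = rl->cipher_suite;
	/* Sequence numbers restart with every cipher change. */
	os_memset(rl->read_seq_num, 0, TLS_SEQ_NUM_LEN);

	if (rl->read_cbc) {
		crypto_cipher_deinit(rl->read_cbc);
		/* Avoid a dangling context if the init below is skipped. */
		rl->read_cbc = NULL;
	}
	if (rl->cipher_alg != CRYPTO_CIPHER_NULL) {
		rl->read_cbc = crypto_cipher_init(rl->cipher_alg,
						  rl->read_iv, rl->read_key,
						  rl->key_material_len);
		if (rl->read_cbc == NULL) {
			wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize "
				   "cipher");
			return -1;
		}
	}

	return 0;
}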
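/**
 * tlsv1_record_send - TLS record layer: Send a message
 * @rl: Pointer to TLS record layer data
 * @content_type: Content type (TLS_CONTENT_TYPE_*)
 * @buf: Buffer to send (with TLS_RECORD_HEADER_LEN octets reserved in the
 * beginning for record layer to fill in; payload filled in after this and
 * extra space in the end for HMAC).
 * @buf_size: Maximum buf size
 * @payload_len: Length of the payload
 * @out_len: Buffer for returning the used buf length
 * Returns: 0 on success, -1 on failure
 *
 * This function fills in the TLS record layer header, adds HMAC, and encrypts
 * the data using the current write cipher.
 *
 * The record is built in place: header, then the caller's payload, then the
 * HMAC and, for block ciphers, padding of pad + 1 octets that all carry the
 * value pad. MAC, padding and payload are encrypted together. No per-record
 * IV is written here, so for CBC suites the cipher state held in
 * rl->write_cbc is what links one record to the next.
 *
 * Changes relative to the recovered listing: the header and payload are now
 * checked against @buf_size before anything is written (previously an
 * oversized @payload_len moved the write position past the buffer and made
 * the later room calculation wrap), and the padding room check compares
 * lengths instead of forming a pointer beyond the end of @buf.
 *
 * Note that the computed HMAC is written to the debug log at MSG_MSGDUMP
 * level.
 *
 * NOTE(review): this function was recovered from a listing that had dropped
 * short lines. Declarations of clen and pad, the position bookkeeping
 * (pos/ct_start/length/payload assignments and increments), braces, NULL
 * checks and return statements are restored and should be checked against
 * the upstream file.
 */
int tlsv1_record_send(struct tlsv1_record_layer *rl, u8 content_type, u8 *buf,
		      size_t buf_size, size_t payload_len, size_t *out_len)
{
	u8 *pos, *ct_start, *length, *payload;
	struct crypto_hash *hmac;
	size_t clen;

	/* Refuse to build a record that cannot fit header plus payload. */
	if (buf_size < TLS_RECORD_HEADER_LEN ||
	    payload_len > buf_size - TLS_RECORD_HEADER_LEN) {
		wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Buffer too "
			   "small for record header and payload");
		return -1;
	}

	pos = buf;
	/* ContentType type */
	ct_start = pos;
	*pos++ = content_type;
	/* ProtocolVersion version */
	WPA_PUT_BE16(pos, TLS_VERSION);
	pos += 2;
	/* uint16 length */
	length = pos;
	/* Plaintext length for now; it is part of the MAC input below. */
	WPA_PUT_BE16(length, payload_len);
	pos += 2;

	/* opaque fragment[TLSPlaintext.length] */
	payload = pos;
	pos += payload_len;

	if (rl->write_cipher_suite != TLS_NULL_WITH_NULL_NULL) {
		hmac = crypto_hash_init(rl->hash_alg, rl->write_mac_secret,
					rl->hash_size);
		if (hmac == NULL) {
			wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
				   "to initialize HMAC");
			return -1;
		}
		crypto_hash_update(hmac, rl->write_seq_num, TLS_SEQ_NUM_LEN);
		/* type + version + length + fragment */
		crypto_hash_update(hmac, ct_start, pos - ct_start);
		clen = buf + buf_size - pos;
		if (clen < rl->hash_size) {
			wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Not "
				   "enough room for MAC");
			/* Finish with NULL output to release the context. */
			crypto_hash_finish(hmac, NULL, NULL);
			return -1;
		}

		if (crypto_hash_finish(hmac, pos, &clen) < 0) {
			wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
				   "to calculate HMAC");
			return -1;
		}
		wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Write HMAC",
			    pos, clen);
		pos += clen;
		if (rl->iv_size) {
			size_t len = pos - payload;
			size_t pad;

			/* Pad so that data + MAC + pad + length octet is a
			 * multiple of the block size. */
			pad = (len + 1) % rl->iv_size;
			if (pad)
				pad = rl->iv_size - pad;
			if (pad + 1 > (size_t) (buf + buf_size - pos)) {
				wpa_printf(MSG_DEBUG, "TLSv1: No room for "
					   "block cipher padding");
				return -1;
			}
			os_memset(pos, pad, pad + 1);
			pos += pad + 1;
		}

		if (crypto_cipher_encrypt(rl->write_cbc, payload,
					  payload, pos - payload) < 0)
			return -1;
	}

	/* Final length covers everything after the length field itself. */
	WPA_PUT_BE16(length, pos - length - 2);
	inc_byte_array(rl->write_seq_num, TLS_SEQ_NUM_LEN);

	*out_len = pos - buf;

	return 0;
}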
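/**
 * tlsv1_record_receive - TLS record layer: Process a received message
 * @rl: Pointer to TLS record layer data
 * @in_data: Received data
 * @in_len: Length of the received data
 * @out_data: Buffer for output data (must be at least as long as in_data)
 * @out_len: Set to maximum out_data length by caller; used to return the
 * length of the used data
 * @alert: Buffer for returning an alert value on failure
 * Returns: 0 on success, -1 on failure
 *
 * This function decrypts the received message, verifies HMAC and TLS record
 * layer header.
 *
 * Only handshake, change_cipher_spec and application_data records are
 * accepted; any other content type is rejected as unexpected.
 *
 * Changes relative to the recovered listing, all on the encrypted path:
 *  - The padding check now covers all padlen + 1 trailing octets. The old
 *    loop started one octet late, so the first padding octet was never
 *    verified.
 *  - A padding error no longer returns early with
 *    TLS_ALERT_DECRYPTION_FAILED. The MAC is still computed and the failure
 *    is reported as TLS_ALERT_BAD_RECORD_MAC, the same alert as a MAC
 *    mismatch, so the peer cannot tell the two cases apart from the alert.
 *    A record too short to hold a MAC is reported the same way.
 *  - Padding octets and the MAC are compared without stopping at the first
 *    difference.
 *  - *alert is set when crypto_hash_finish() fails.
 * These changes remove the alert-based padding oracle; they do not claim to
 * equalise finer timing differences (for example the MAC being computed
 * over a length that depends on the padding).
 *
 * Note that the decrypted record is written to the debug log at MSG_MSGDUMP
 * level.
 *
 * NOTE(review): this function was recovered from a listing that had dropped
 * short lines. The padlen declaration, braces, the "rlen > in_len" and
 * "rl->iv_size" / "in_len == 0" conditions, the in_len = rlen and
 * *out_len = in_len assignments, hlen = sizeof(hash), return statements and
 * the tails of several log messages are restored and should be checked
 * against the upstream file.
 */
int tlsv1_record_receive(struct tlsv1_record_layer *rl,
			 const u8 *in_data, size_t in_len,
			 u8 *out_data, size_t *out_len, u8 *alert)
{
	size_t i, rlen, hlen;
	u8 padlen;
	struct crypto_hash *hmac;
	u8 len[2], hash[100];
	u8 diff;
	int bad_record = 0; /* set on padding error; fails the MAC check */

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Record Layer - Received",
		    in_data, in_len);

	if (in_len < TLS_RECORD_HEADER_LEN) {
		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (in_len=%lu)",
			   (unsigned long) in_len);
		*alert = TLS_ALERT_DECODE_ERROR;
		return -1;
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Received content type %d version %d.%d "
		   "length %d", in_data[0], in_data[1], in_data[2],
		   WPA_GET_BE16(in_data + 3));

	if (in_data[0] != TLS_CONTENT_TYPE_HANDSHAKE &&
	    in_data[0] != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC &&
	    in_data[0] != TLS_CONTENT_TYPE_APPLICATION_DATA) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type 0x%x",
			   in_data[0]);
		*alert = TLS_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}

	if (WPA_GET_BE16(in_data + 1) != TLS_VERSION) {
		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version "
			   "%d.%d", in_data[1], in_data[2]);
		*alert = TLS_ALERT_PROTOCOL_VERSION;
		return -1;
	}

	rlen = WPA_GET_BE16(in_data + 3);

	/* TLSCiphertext must not be more than 2^14+2048 bytes */
	if (TLS_RECORD_HEADER_LEN + rlen > 18432) {
		wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)",
			   (unsigned long) (TLS_RECORD_HEADER_LEN + rlen));
		*alert = TLS_ALERT_RECORD_OVERFLOW;
		return -1;
	}

	in_data += TLS_RECORD_HEADER_LEN;
	in_len -= TLS_RECORD_HEADER_LEN;

	/* The length field must not claim more than was received. */
	if (rlen > in_len) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not all record data included "
			   "(rlen=%lu > in_len=%lu)",
			   (unsigned long) rlen, (unsigned long) in_len);
		*alert = TLS_ALERT_DECODE_ERROR;
		return -1;
	}

	in_len = rlen;

	if (*out_len < in_len) {
		wpa_printf(MSG_DEBUG, "TLSv1: Not enough output buffer for "
			   "processing received record");
		*alert = TLS_ALERT_INTERNAL_ERROR;
		return -1;
	}

	os_memcpy(out_data, in_data, in_len);
	*out_len = in_len;

	if (rl->read_cipher_suite != TLS_NULL_WITH_NULL_NULL) {
		/* Decrypt in place in the output buffer. */
		if (crypto_cipher_decrypt(rl->read_cbc, out_data,
					  out_data, in_len) < 0) {
			*alert = TLS_ALERT_DECRYPTION_FAILED;
			return -1;
		}
		if (rl->iv_size) {
			if (in_len == 0) {
				wpa_printf(MSG_DEBUG, "TLSv1: Too short record"
					   " (no pad)");
				*alert = TLS_ALERT_DECODE_ERROR;
				return -1;
			}
			padlen = out_data[in_len - 1];
			if (padlen >= in_len) {
				wpa_printf(MSG_DEBUG, "TLSv1: Incorrect pad "
					   "length (%u, in_len=%lu) in "
					   "received record",
					   padlen, (unsigned long) in_len);
				/* Do not return yet: fall through to the MAC
				 * computation with no padding removed. */
				bad_record = 1;
			} else {
				/* padlen padding octets plus the length octet,
				 * all of which must equal padlen. */
				diff = 0;
				for (i = in_len - padlen - 1; i < in_len; i++)
					diff |= (u8) (out_data[i] ^ padlen);
				if (diff) {
					wpa_hexdump(MSG_DEBUG,
						    "TLSv1: Invalid pad in "
						    "received record",
						    out_data + in_len - padlen,
						    padlen);
					bad_record = 1;
				} else {
					*out_len -= padlen + 1;
				}
			}
		}

		wpa_hexdump(MSG_MSGDUMP,
			    "TLSv1: Record Layer - Decrypted data",
			    out_data, in_len);

		if (*out_len < rl->hash_size) {
			wpa_printf(MSG_DEBUG, "TLSv1: Too short record; no "
				   "hash value");
			*alert = TLS_ALERT_BAD_RECORD_MAC;
			return -1;
		}

		*out_len -= rl->hash_size;

		hmac = crypto_hash_init(rl->hash_alg, rl->read_mac_secret,
					rl->hash_size);
		if (hmac == NULL) {
			wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
				   "to initialize HMAC");
			*alert = TLS_ALERT_INTERNAL_ERROR;
			return -1;
		}

		crypto_hash_update(hmac, rl->read_seq_num, TLS_SEQ_NUM_LEN);
		/* type + version + length + fragment */
		crypto_hash_update(hmac, in_data - TLS_RECORD_HEADER_LEN, 3);
		/* The MAC covers the plaintext length, not the wire length. */
		WPA_PUT_BE16(len, *out_len);
		crypto_hash_update(hmac, len, 2);
		crypto_hash_update(hmac, out_data, *out_len);
		hlen = sizeof(hash);
		if (crypto_hash_finish(hmac, hash, &hlen) < 0) {
			wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - Failed "
				   "to calculate HMAC");
			*alert = TLS_ALERT_INTERNAL_ERROR;
			return -1;
		}

		/* Accumulate differences over the whole MAC instead of
		 * stopping at the first mismatching octet. */
		diff = 0;
		if (hlen == rl->hash_size) {
			for (i = 0; i < hlen; i++)
				diff |= (u8) (hash[i] ^
					      out_data[*out_len + i]);
		}
		if (hlen != rl->hash_size || diff != 0 || bad_record) {
			wpa_printf(MSG_DEBUG, "TLSv1: Invalid HMAC value in "
				   "received message");
			*alert = TLS_ALERT_BAD_RECORD_MAC;
			return -1;
		}
	}

	/* TLSCompressed must not be more than 2^14+1024 bytes */
	if (TLS_RECORD_HEADER_LEN + *out_len > 17408) {
		wpa_printf(MSG_DEBUG, "TLSv1: Record overflow (len=%lu)",
			   (unsigned long) (TLS_RECORD_HEADER_LEN + *out_len));
		*alert = TLS_ALERT_RECORD_OVERFLOW;
		return -1;
	}

	/* Only a fully verified record advances the read sequence number. */
	inc_byte_array(rl->read_seq_num, TLS_SEQ_NUM_LEN);

	return 0;
}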