2 * wpa_supplicant/hostapd: TLSv1 common routines
3 * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
22 #include "tlsv1_common.h"
27 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
28 * Add support for commonly used cipher suites; don't bother with exportable
32 static const struct tls_cipher_suite tls_cipher_suites
[] = {
33 { TLS_NULL_WITH_NULL_NULL
, TLS_KEY_X_NULL
, TLS_CIPHER_NULL
,
35 { TLS_RSA_WITH_RC4_128_MD5
, TLS_KEY_X_RSA
, TLS_CIPHER_RC4_128
,
37 { TLS_RSA_WITH_RC4_128_SHA
, TLS_KEY_X_RSA
, TLS_CIPHER_RC4_128
,
39 { TLS_RSA_WITH_DES_CBC_SHA
, TLS_KEY_X_RSA
, TLS_CIPHER_DES_CBC
,
41 { TLS_RSA_WITH_3DES_EDE_CBC_SHA
, TLS_KEY_X_RSA
,
42 TLS_CIPHER_3DES_EDE_CBC
, TLS_HASH_SHA
},
43 { TLS_DH_anon_WITH_RC4_128_MD5
, TLS_KEY_X_DH_anon
,
44 TLS_CIPHER_RC4_128
, TLS_HASH_MD5
},
45 { TLS_DH_anon_WITH_DES_CBC_SHA
, TLS_KEY_X_DH_anon
,
46 TLS_CIPHER_DES_CBC
, TLS_HASH_SHA
},
47 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
, TLS_KEY_X_DH_anon
,
48 TLS_CIPHER_3DES_EDE_CBC
, TLS_HASH_SHA
},
49 { TLS_RSA_WITH_AES_128_CBC_SHA
, TLS_KEY_X_RSA
, TLS_CIPHER_AES_128_CBC
,
51 { TLS_DH_anon_WITH_AES_128_CBC_SHA
, TLS_KEY_X_DH_anon
,
52 TLS_CIPHER_AES_128_CBC
, TLS_HASH_SHA
},
53 { TLS_RSA_WITH_AES_256_CBC_SHA
, TLS_KEY_X_RSA
, TLS_CIPHER_AES_256_CBC
,
55 { TLS_DH_anon_WITH_AES_256_CBC_SHA
, TLS_KEY_X_DH_anon
,
56 TLS_CIPHER_AES_256_CBC
, TLS_HASH_SHA
}
59 #define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
60 #define NUM_TLS_CIPHER_SUITES NUM_ELEMS(tls_cipher_suites)
63 static const struct tls_cipher_data tls_ciphers
[] = {
64 { TLS_CIPHER_NULL
, TLS_CIPHER_STREAM
, 0, 0, 0,
66 { TLS_CIPHER_IDEA_CBC
, TLS_CIPHER_BLOCK
, 16, 16, 8,
68 { TLS_CIPHER_RC2_CBC_40
, TLS_CIPHER_BLOCK
, 5, 16, 0,
69 CRYPTO_CIPHER_ALG_RC2
},
70 { TLS_CIPHER_RC4_40
, TLS_CIPHER_STREAM
, 5, 16, 0,
71 CRYPTO_CIPHER_ALG_RC4
},
72 { TLS_CIPHER_RC4_128
, TLS_CIPHER_STREAM
, 16, 16, 0,
73 CRYPTO_CIPHER_ALG_RC4
},
74 { TLS_CIPHER_DES40_CBC
, TLS_CIPHER_BLOCK
, 5, 8, 8,
75 CRYPTO_CIPHER_ALG_DES
},
76 { TLS_CIPHER_DES_CBC
, TLS_CIPHER_BLOCK
, 8, 8, 8,
77 CRYPTO_CIPHER_ALG_DES
},
78 { TLS_CIPHER_3DES_EDE_CBC
, TLS_CIPHER_BLOCK
, 24, 24, 8,
79 CRYPTO_CIPHER_ALG_3DES
},
80 { TLS_CIPHER_AES_128_CBC
, TLS_CIPHER_BLOCK
, 16, 16, 16,
81 CRYPTO_CIPHER_ALG_AES
},
82 { TLS_CIPHER_AES_256_CBC
, TLS_CIPHER_BLOCK
, 32, 32, 16,
83 CRYPTO_CIPHER_ALG_AES
}
86 #define NUM_TLS_CIPHER_DATA NUM_ELEMS(tls_ciphers)
90 * tls_get_cipher_suite - Get TLS cipher suite
91 * @suite: Cipher suite identifier
92 * Returns: Pointer to the cipher data or %NULL if not found
94 const struct tls_cipher_suite
* tls_get_cipher_suite(u16 suite
)
97 for (i
= 0; i
< NUM_TLS_CIPHER_SUITES
; i
++)
98 if (tls_cipher_suites
[i
].suite
== suite
)
99 return &tls_cipher_suites
[i
];
104 static const struct tls_cipher_data
* tls_get_cipher_data(tls_cipher cipher
)
107 for (i
= 0; i
< NUM_TLS_CIPHER_DATA
; i
++)
108 if (tls_ciphers
[i
].cipher
== cipher
)
109 return &tls_ciphers
[i
];
115 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
116 * @buf: ASN.1 DER encoded certificate
117 * @len: Length of the buffer
118 * @pk: Buffer for returning the allocated public key
119 * Returns: 0 on success, -1 on failure
121 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
122 * the public key from it. The caller is responsible for freeing the public key
123 * by calling crypto_public_key_free().
125 int tls_parse_cert(const u8
*buf
, size_t len
, struct crypto_public_key
**pk
)
127 struct x509_certificate
*cert
;
129 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: Parse ASN.1 DER certificate",
132 *pk
= crypto_public_key_from_cert(buf
, len
);
136 cert
= x509_certificate_parse(buf
, len
);
138 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to parse X.509 "
144 * verify key usage (must allow encryption)
146 * All certificate profiles, key and cryptographic formats are
147 * defined by the IETF PKIX working group [PKIX]. When a key
148 * usage extension is present, the digitalSignature bit must be
149 * set for the key to be eligible for signing, as described
150 * above, and the keyEncipherment bit must be present to allow
151 * encryption, as described above. The keyAgreement bit must be
152 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
155 *pk
= crypto_public_key_import(cert
->public_key
, cert
->public_key_len
);
156 x509_certificate_free(cert
);
159 wpa_printf(MSG_ERROR
, "TLSv1: Failed to import "
160 "server public key");
169 * tlsv1_record_set_cipher_suite - TLS record layer: Set cipher suite
170 * @rl: Pointer to TLS record layer data
171 * @cipher_suite: New cipher suite
172 * Returns: 0 on success, -1 on failure
174 * This function is used to prepare TLS record layer for cipher suite change.
175 * tlsv1_record_change_write_cipher() and
176 * tlsv1_record_change_read_cipher() functions can then be used to change the
177 * currently used ciphers.
179 int tlsv1_record_set_cipher_suite(struct tlsv1_record_layer
*rl
,
182 const struct tls_cipher_suite
*suite
;
183 const struct tls_cipher_data
*data
;
185 wpa_printf(MSG_DEBUG
, "TLSv1: Selected cipher suite: 0x%04x",
187 rl
->cipher_suite
= cipher_suite
;
189 suite
= tls_get_cipher_suite(cipher_suite
);
193 if (suite
->hash
== TLS_HASH_MD5
) {
194 rl
->hash_alg
= CRYPTO_HASH_ALG_HMAC_MD5
;
195 rl
->hash_size
= MD5_MAC_LEN
;
196 } else if (suite
->hash
== TLS_HASH_SHA
) {
197 rl
->hash_alg
= CRYPTO_HASH_ALG_HMAC_SHA1
;
198 rl
->hash_size
= SHA1_MAC_LEN
;
201 data
= tls_get_cipher_data(suite
->cipher
);
205 rl
->key_material_len
= data
->key_material
;
206 rl
->iv_size
= data
->block_size
;
207 rl
->cipher_alg
= data
->alg
;
214 * tlsv1_record_change_write_cipher - TLS record layer: Change write cipher
215 * @rl: Pointer to TLS record layer data
216 * Returns: 0 on success (cipher changed), -1 on failure
218 * This function changes TLS record layer to use the new cipher suite
219 * configured with tlsv1_record_set_cipher_suite() for writing.
221 int tlsv1_record_change_write_cipher(struct tlsv1_record_layer
*rl
)
223 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - New write cipher suite "
224 "0x%04x", rl
->cipher_suite
);
225 rl
->write_cipher_suite
= rl
->cipher_suite
;
226 os_memset(rl
->write_seq_num
, 0, TLS_SEQ_NUM_LEN
);
229 crypto_cipher_deinit(rl
->write_cbc
);
230 rl
->write_cbc
= NULL
;
232 if (rl
->cipher_alg
!= CRYPTO_CIPHER_NULL
) {
233 rl
->write_cbc
= crypto_cipher_init(rl
->cipher_alg
,
234 rl
->write_iv
, rl
->write_key
,
235 rl
->key_material_len
);
236 if (rl
->write_cbc
== NULL
) {
237 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to initialize "
248 * tlsv1_record_change_read_cipher - TLS record layer: Change read cipher
249 * @rl: Pointer to TLS record layer data
250 * Returns: 0 on success (cipher changed), -1 on failure
252 * This function changes TLS record layer to use the new cipher suite
253 * configured with tlsv1_record_set_cipher_suite() for reading.
255 int tlsv1_record_change_read_cipher(struct tlsv1_record_layer
*rl
)
257 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - New read cipher suite "
258 "0x%04x", rl
->cipher_suite
);
259 rl
->read_cipher_suite
= rl
->cipher_suite
;
260 os_memset(rl
->read_seq_num
, 0, TLS_SEQ_NUM_LEN
);
263 crypto_cipher_deinit(rl
->read_cbc
);
266 if (rl
->cipher_alg
!= CRYPTO_CIPHER_NULL
) {
267 rl
->read_cbc
= crypto_cipher_init(rl
->cipher_alg
,
268 rl
->read_iv
, rl
->read_key
,
269 rl
->key_material_len
);
270 if (rl
->read_cbc
== NULL
) {
271 wpa_printf(MSG_DEBUG
, "TLSv1: Failed to initialize "
282 * tlsv1_record_send - TLS record layer: Send a message
283 * @rl: Pointer to TLS record layer data
284 * @content_type: Content type (TLS_CONTENT_TYPE_*)
285 * @buf: Buffer to send (with TLS_RECORD_HEADER_LEN octets reserved in the
286 * beginning for record layer to fill in; payload filled in after this and
287 * extra space in the end for HMAC).
288 * @buf_size: Maximum buf size
289 * @payload_len: Length of the payload
290 * @out_len: Buffer for returning the used buf length
291 * Returns: 0 on success, -1 on failure
293 * This function fills in the TLS record layer header, adds HMAC, and encrypts
294 * the data using the current write cipher.
296 int tlsv1_record_send(struct tlsv1_record_layer
*rl
, u8 content_type
, u8
*buf
,
297 size_t buf_size
, size_t payload_len
, size_t *out_len
)
299 u8
*pos
, *ct_start
, *length
, *payload
;
300 struct crypto_hash
*hmac
;
304 /* ContentType type */
306 *pos
++ = content_type
;
307 /* ProtocolVersion version */
308 WPA_PUT_BE16(pos
, TLS_VERSION
);
312 WPA_PUT_BE16(length
, payload_len
);
315 /* opaque fragment[TLSPlaintext.length] */
319 if (rl
->write_cipher_suite
!= TLS_NULL_WITH_NULL_NULL
) {
320 hmac
= crypto_hash_init(rl
->hash_alg
, rl
->write_mac_secret
,
323 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - Failed "
324 "to initialize HMAC");
327 crypto_hash_update(hmac
, rl
->write_seq_num
, TLS_SEQ_NUM_LEN
);
328 /* type + version + length + fragment */
329 crypto_hash_update(hmac
, ct_start
, pos
- ct_start
);
330 clen
= buf
+ buf_size
- pos
;
331 if (clen
< rl
->hash_size
) {
332 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - Not "
333 "enough room for MAC");
334 crypto_hash_finish(hmac
, NULL
, NULL
);
338 if (crypto_hash_finish(hmac
, pos
, &clen
) < 0) {
339 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - Failed "
340 "to calculate HMAC");
343 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: Record Layer - Write HMAC",
347 size_t len
= pos
- payload
;
349 pad
= (len
+ 1) % rl
->iv_size
;
351 pad
= rl
->iv_size
- pad
;
352 if (pos
+ pad
+ 1 > buf
+ buf_size
) {
353 wpa_printf(MSG_DEBUG
, "TLSv1: No room for "
354 "block cipher padding");
357 os_memset(pos
, pad
, pad
+ 1);
361 if (crypto_cipher_encrypt(rl
->write_cbc
, payload
,
362 payload
, pos
- payload
) < 0)
366 WPA_PUT_BE16(length
, pos
- length
- 2);
367 inc_byte_array(rl
->write_seq_num
, TLS_SEQ_NUM_LEN
);
369 *out_len
= pos
- buf
;
376 * tlsv1_record_receive - TLS record layer: Process a received message
377 * @rl: Pointer to TLS record layer data
378 * @in_data: Received data
379 * @in_len: Length of the received data
380 * @out_data: Buffer for output data (must be at least as long as in_data)
381 * @out_len: Set to maximum out_data length by caller; used to return the
382 * length of the used data
383 * @alert: Buffer for returning an alert value on failure
384 * Returns: 0 on success, -1 on failure
386 * This function decrypts the received message, verifies HMAC and TLS record
389 int tlsv1_record_receive(struct tlsv1_record_layer
*rl
,
390 const u8
*in_data
, size_t in_len
,
391 u8
*out_data
, size_t *out_len
, u8
*alert
)
393 size_t i
, rlen
, hlen
;
395 struct crypto_hash
*hmac
;
396 u8 len
[2], hash
[100];
398 wpa_hexdump(MSG_MSGDUMP
, "TLSv1: Record Layer - Received",
401 if (in_len
< TLS_RECORD_HEADER_LEN
) {
402 wpa_printf(MSG_DEBUG
, "TLSv1: Too short record (in_len=%lu)",
403 (unsigned long) in_len
);
404 *alert
= TLS_ALERT_DECODE_ERROR
;
408 wpa_printf(MSG_DEBUG
, "TLSv1: Received content type %d version %d.%d "
409 "length %d", in_data
[0], in_data
[1], in_data
[2],
410 WPA_GET_BE16(in_data
+ 3));
412 if (in_data
[0] != TLS_CONTENT_TYPE_HANDSHAKE
&&
413 in_data
[0] != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC
&&
414 in_data
[0] != TLS_CONTENT_TYPE_APPLICATION_DATA
) {
415 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected content type 0x%x",
417 *alert
= TLS_ALERT_UNEXPECTED_MESSAGE
;
421 if (WPA_GET_BE16(in_data
+ 1) != TLS_VERSION
) {
422 wpa_printf(MSG_DEBUG
, "TLSv1: Unexpected protocol version "
423 "%d.%d", in_data
[1], in_data
[2]);
424 *alert
= TLS_ALERT_PROTOCOL_VERSION
;
428 rlen
= WPA_GET_BE16(in_data
+ 3);
430 /* TLSCiphertext must not be more than 2^14+2048 bytes */
431 if (TLS_RECORD_HEADER_LEN
+ rlen
> 18432) {
432 wpa_printf(MSG_DEBUG
, "TLSv1: Record overflow (len=%lu)",
433 (unsigned long) (TLS_RECORD_HEADER_LEN
+ rlen
));
434 *alert
= TLS_ALERT_RECORD_OVERFLOW
;
438 in_data
+= TLS_RECORD_HEADER_LEN
;
439 in_len
-= TLS_RECORD_HEADER_LEN
;
442 wpa_printf(MSG_DEBUG
, "TLSv1: Not all record data included "
443 "(rlen=%lu > in_len=%lu)",
444 (unsigned long) rlen
, (unsigned long) in_len
);
445 *alert
= TLS_ALERT_DECODE_ERROR
;
451 if (*out_len
< in_len
) {
452 wpa_printf(MSG_DEBUG
, "TLSv1: Not enough output buffer for "
453 "processing received record");
454 *alert
= TLS_ALERT_INTERNAL_ERROR
;
458 os_memcpy(out_data
, in_data
, in_len
);
461 if (rl
->read_cipher_suite
!= TLS_NULL_WITH_NULL_NULL
) {
462 if (crypto_cipher_decrypt(rl
->read_cbc
, out_data
,
463 out_data
, in_len
) < 0) {
464 *alert
= TLS_ALERT_DECRYPTION_FAILED
;
469 wpa_printf(MSG_DEBUG
, "TLSv1: Too short record"
471 *alert
= TLS_ALERT_DECODE_ERROR
;
474 padlen
= out_data
[in_len
- 1];
475 if (padlen
>= in_len
) {
476 wpa_printf(MSG_DEBUG
, "TLSv1: Incorrect pad "
477 "length (%u, in_len=%lu) in "
479 padlen
, (unsigned long) in_len
);
480 *alert
= TLS_ALERT_DECRYPTION_FAILED
;
483 for (i
= in_len
- padlen
; i
< in_len
; i
++) {
484 if (out_data
[i
] != padlen
) {
485 wpa_hexdump(MSG_DEBUG
,
486 "TLSv1: Invalid pad in "
488 out_data
+ in_len
- padlen
,
490 *alert
= TLS_ALERT_DECRYPTION_FAILED
;
495 *out_len
-= padlen
+ 1;
498 wpa_hexdump(MSG_MSGDUMP
,
499 "TLSv1: Record Layer - Decrypted data",
502 if (*out_len
< rl
->hash_size
) {
503 wpa_printf(MSG_DEBUG
, "TLSv1: Too short record; no "
505 *alert
= TLS_ALERT_INTERNAL_ERROR
;
509 *out_len
-= rl
->hash_size
;
511 hmac
= crypto_hash_init(rl
->hash_alg
, rl
->read_mac_secret
,
514 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - Failed "
515 "to initialize HMAC");
516 *alert
= TLS_ALERT_INTERNAL_ERROR
;
520 crypto_hash_update(hmac
, rl
->read_seq_num
, TLS_SEQ_NUM_LEN
);
521 /* type + version + length + fragment */
522 crypto_hash_update(hmac
, in_data
- TLS_RECORD_HEADER_LEN
, 3);
523 WPA_PUT_BE16(len
, *out_len
);
524 crypto_hash_update(hmac
, len
, 2);
525 crypto_hash_update(hmac
, out_data
, *out_len
);
527 if (crypto_hash_finish(hmac
, hash
, &hlen
) < 0) {
528 wpa_printf(MSG_DEBUG
, "TLSv1: Record Layer - Failed "
529 "to calculate HMAC");
532 if (hlen
!= rl
->hash_size
||
533 os_memcmp(hash
, out_data
+ *out_len
, hlen
) != 0) {
534 wpa_printf(MSG_DEBUG
, "TLSv1: Invalid HMAC value in "
536 *alert
= TLS_ALERT_BAD_RECORD_MAC
;
541 /* TLSCompressed must not be more than 2^14+1024 bytes */
542 if (TLS_RECORD_HEADER_LEN
+ *out_len
> 17408) {
543 wpa_printf(MSG_DEBUG
, "TLSv1: Record overflow (len=%lu)",
544 (unsigned long) (TLS_RECORD_HEADER_LEN
+ *out_len
));
545 *alert
= TLS_ALERT_RECORD_OVERFLOW
;
549 inc_byte_array(rl
->read_seq_num
, TLS_SEQ_NUM_LEN
);