Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / cceee343eebe75736aecec7b78e3b78235ee585c / . / src / tls / tlsv1_common.c
blob: 6b28417e499c70680d7b64312c955ec12b202090 [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * TLSv1 common routines
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]4 *
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]7 */
8
9#include "includes.h"
10
11#include "common.h"
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]12#include "crypto/md5.h"
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]13#include "crypto/sha1.h"
14#include "crypto/sha256.h"
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]15#include "x509v3.h"
16#include "tlsv1_common.h"
17
18
19/*
20 * TODO:
21 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
22 * Add support for commonly used cipher suites; don't bother with exportable
23 * suites.
24 */
25
26static const struct tls_cipher_suite tls_cipher_suites[] = {
27 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
28 TLS_HASH_NULL },
29 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
30 TLS_HASH_MD5 },
31 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
32 TLS_HASH_SHA },
33 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
34 TLS_HASH_SHA },
35 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
36 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]37 { TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC,
38 TLS_HASH_SHA},
39 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA,
40 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]41 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
42 TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
43 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
44 TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
45 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
46 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
47 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
48 TLS_HASH_SHA },
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]49 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA,
50 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]51 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
52 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
53 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
54 TLS_HASH_SHA },
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]55 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA,
56 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]57 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]58 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
59 { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
60 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
61 { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
62 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]63 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA,
64 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
65 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA,
66 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]67 { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
68 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
69 { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
70 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]71};
72
Dmitry Shmidt68d0e3e2013-10-28 17:59:21 -0700[diff] [blame]73#define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites)
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]74
75
76static const struct tls_cipher_data tls_ciphers[] = {
77 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0,
78 CRYPTO_CIPHER_NULL },
79 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8,
80 CRYPTO_CIPHER_NULL },
81 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0,
82 CRYPTO_CIPHER_ALG_RC2 },
83 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0,
84 CRYPTO_CIPHER_ALG_RC4 },
85 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0,
86 CRYPTO_CIPHER_ALG_RC4 },
87 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8,
88 CRYPTO_CIPHER_ALG_DES },
89 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8,
90 CRYPTO_CIPHER_ALG_DES },
91 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8,
92 CRYPTO_CIPHER_ALG_3DES },
93 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16,
94 CRYPTO_CIPHER_ALG_AES },
95 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16,
96 CRYPTO_CIPHER_ALG_AES }
97};
98
Dmitry Shmidt68d0e3e2013-10-28 17:59:21 -0700[diff] [blame]99#define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers)
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]100
101
102/**
103 * tls_get_cipher_suite - Get TLS cipher suite
104 * @suite: Cipher suite identifier
105 * Returns: Pointer to the cipher data or %NULL if not found
106 */
107const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
108{
109 size_t i;
110 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
111 if (tls_cipher_suites[i].suite == suite)
112 return &tls_cipher_suites[i];
113 return NULL;
114}
115
116
117const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
118{
119 size_t i;
120 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
121 if (tls_ciphers[i].cipher == cipher)
122 return &tls_ciphers[i];
123 return NULL;
124}
125
126
127int tls_server_key_exchange_allowed(tls_cipher cipher)
128{
129 const struct tls_cipher_suite *suite;
130
131 /* RFC 2246, Section 7.4.3 */
132 suite = tls_get_cipher_suite(cipher);
133 if (suite == NULL)
134 return 0;
135
136 switch (suite->key_exchange) {
137 case TLS_KEY_X_DHE_DSS:
138 case TLS_KEY_X_DHE_DSS_EXPORT:
139 case TLS_KEY_X_DHE_RSA:
140 case TLS_KEY_X_DHE_RSA_EXPORT:
141 case TLS_KEY_X_DH_anon_EXPORT:
142 case TLS_KEY_X_DH_anon:
143 return 1;
144 case TLS_KEY_X_RSA_EXPORT:
145 return 1 /* FIX: public key len > 512 bits */;
146 default:
147 return 0;
148 }
149}
150
151
152/**
153 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
154 * @buf: ASN.1 DER encoded certificate
155 * @len: Length of the buffer
156 * @pk: Buffer for returning the allocated public key
157 * Returns: 0 on success, -1 on failure
158 *
159 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
160 * the public key from it. The caller is responsible for freeing the public key
161 * by calling crypto_public_key_free().
162 */
163int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
164{
165 struct x509_certificate *cert;
166
167 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
168 buf, len);
169
170 *pk = crypto_public_key_from_cert(buf, len);
171 if (*pk)
172 return 0;
173
174 cert = x509_certificate_parse(buf, len);
175 if (cert == NULL) {
176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
177 "certificate");
178 return -1;
179 }
180
181 /* TODO
182 * verify key usage (must allow encryption)
183 *
184 * All certificate profiles, key and cryptographic formats are
185 * defined by the IETF PKIX working group [PKIX]. When a key
186 * usage extension is present, the digitalSignature bit must be
187 * set for the key to be eligible for signing, as described
188 * above, and the keyEncipherment bit must be present to allow
189 * encryption, as described above. The keyAgreement bit must be
190 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
191 */
192
193 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
194 x509_certificate_free(cert);
195
196 if (*pk == NULL) {
197 wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
198 "server public key");
199 return -1;
200 }
201
202 return 0;
203}
204
205
206int tls_verify_hash_init(struct tls_verify_hash *verify)
207{
208 tls_verify_hash_free(verify);
209 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
210 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
211 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
212 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
213 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
214 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
215 if (verify->md5_client == NULL || verify->md5_server == NULL ||
216 verify->md5_cert == NULL || verify->sha1_client == NULL ||
217 verify->sha1_server == NULL || verify->sha1_cert == NULL) {
218 tls_verify_hash_free(verify);
219 return -1;
220 }
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]221#ifdef CONFIG_TLSV12
222 verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
223 0);
224 verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
225 0);
226 verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
227 0);
228 if (verify->sha256_client == NULL || verify->sha256_server == NULL ||
229 verify->sha256_cert == NULL) {
230 tls_verify_hash_free(verify);
231 return -1;
232 }
233#endif /* CONFIG_TLSV12 */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]234 return 0;
235}
236
237
238void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
239 size_t len)
240{
241 if (verify->md5_client && verify->sha1_client) {
242 crypto_hash_update(verify->md5_client, buf, len);
243 crypto_hash_update(verify->sha1_client, buf, len);
244 }
245 if (verify->md5_server && verify->sha1_server) {
246 crypto_hash_update(verify->md5_server, buf, len);
247 crypto_hash_update(verify->sha1_server, buf, len);
248 }
249 if (verify->md5_cert && verify->sha1_cert) {
250 crypto_hash_update(verify->md5_cert, buf, len);
251 crypto_hash_update(verify->sha1_cert, buf, len);
252 }
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]253#ifdef CONFIG_TLSV12
254 if (verify->sha256_client)
255 crypto_hash_update(verify->sha256_client, buf, len);
256 if (verify->sha256_server)
257 crypto_hash_update(verify->sha256_server, buf, len);
258 if (verify->sha256_cert)
259 crypto_hash_update(verify->sha256_cert, buf, len);
260#endif /* CONFIG_TLSV12 */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]261}
262
263
264void tls_verify_hash_free(struct tls_verify_hash *verify)
265{
266 crypto_hash_finish(verify->md5_client, NULL, NULL);
267 crypto_hash_finish(verify->md5_server, NULL, NULL);
268 crypto_hash_finish(verify->md5_cert, NULL, NULL);
269 crypto_hash_finish(verify->sha1_client, NULL, NULL);
270 crypto_hash_finish(verify->sha1_server, NULL, NULL);
271 crypto_hash_finish(verify->sha1_cert, NULL, NULL);
272 verify->md5_client = NULL;
273 verify->md5_server = NULL;
274 verify->md5_cert = NULL;
275 verify->sha1_client = NULL;
276 verify->sha1_server = NULL;
277 verify->sha1_cert = NULL;
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]278#ifdef CONFIG_TLSV12
279 crypto_hash_finish(verify->sha256_client, NULL, NULL);
280 crypto_hash_finish(verify->sha256_server, NULL, NULL);
281 crypto_hash_finish(verify->sha256_cert, NULL, NULL);
282 verify->sha256_client = NULL;
283 verify->sha256_server = NULL;
284 verify->sha256_cert = NULL;
285#endif /* CONFIG_TLSV12 */
286}
287
288
289int tls_version_ok(u16 ver)
290{
291 if (ver == TLS_VERSION_1)
292 return 1;
293#ifdef CONFIG_TLSV11
294 if (ver == TLS_VERSION_1_1)
295 return 1;
296#endif /* CONFIG_TLSV11 */
297#ifdef CONFIG_TLSV12
298 if (ver == TLS_VERSION_1_2)
299 return 1;
300#endif /* CONFIG_TLSV12 */
301
302 return 0;
303}
304
305
306const char * tls_version_str(u16 ver)
307{
308 switch (ver) {
309 case TLS_VERSION_1:
310 return "1.0";
311 case TLS_VERSION_1_1:
312 return "1.1";
313 case TLS_VERSION_1_2:
314 return "1.2";
315 }
316
317 return "?";
318}
319
320
321int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
322 const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
323{
324#ifdef CONFIG_TLSV12
325 if (ver >= TLS_VERSION_1_2) {
326 tls_prf_sha256(secret, secret_len, label, seed, seed_len,
327 out, outlen);
328 return 0;
329 }
330#endif /* CONFIG_TLSV12 */
331
332 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
333 outlen);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]334}
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]335
336
337#ifdef CONFIG_TLSV12
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]338int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]339 const u8 *client_random,
340 const u8 *server_random,
341 const u8 *server_params,
342 size_t server_params_len, u8 *hash)
343{
344 size_t hlen;
345 struct crypto_hash *ctx;
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]346 enum crypto_hash_alg alg;
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]347
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]348 switch (hash_alg) {
349 case TLS_HASH_ALG_SHA256:
350 alg = CRYPTO_HASH_ALG_SHA256;
351 hlen = SHA256_MAC_LEN;
352 break;
353 case TLS_HASH_ALG_SHA384:
354 alg = CRYPTO_HASH_ALG_SHA384;
355 hlen = 48;
356 break;
357 case TLS_HASH_ALG_SHA512:
358 alg = CRYPTO_HASH_ALG_SHA512;
359 hlen = 64;
360 break;
361 default:
362 return -1;
363 }
364 ctx = crypto_hash_init(alg, NULL, 0);
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]365 if (ctx == NULL)
366 return -1;
367 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
368 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
369 crypto_hash_update(ctx, server_params, server_params_len);
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]370 if (crypto_hash_finish(ctx, hash, &hlen) < 0)
371 return -1;
372
373 return hlen;
374}
375#endif /* CONFIG_TLSV12 */
376
377
378int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
379 const u8 *server_random,
380 const u8 *server_params,
381 size_t server_params_len, u8 *hash)
382{
383 u8 *hpos;
384 size_t hlen;
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]385 struct crypto_hash *ctx;
386
387 hpos = hash;
388
Dmitry Shmidt203eadb2015-03-05 14:16:04 -0800[diff] [blame]389 ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
390 if (ctx == NULL)
391 return -1;
392 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
393 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
394 crypto_hash_update(ctx, server_params, server_params_len);
395 hlen = MD5_MAC_LEN;
396 if (crypto_hash_finish(ctx, hash, &hlen) < 0)
397 return -1;
398 hpos += hlen;
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]399
400 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
401 if (ctx == NULL)
402 return -1;
403 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
404 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
405 crypto_hash_update(ctx, server_params, server_params_len);
406 hlen = hash + sizeof(hash) - hpos;
407 if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
408 return -1;
409 hpos += hlen;
410 return hpos - hash;
411}
412
413
414int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
415 const u8 *data, size_t data_len,
416 const u8 *pos, size_t len, u8 *alert)
417{
418 u8 *buf;
419 const u8 *end = pos + len;
420 const u8 *decrypted;
421 u16 slen;
422 size_t buflen;
423
424 if (end - pos < 2) {
425 *alert = TLS_ALERT_DECODE_ERROR;
426 return -1;
427 }
428 slen = WPA_GET_BE16(pos);
429 pos += 2;
430 if (end - pos < slen) {
431 *alert = TLS_ALERT_DECODE_ERROR;
432 return -1;
433 }
434 if (end - pos > slen) {
435 wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
436 pos + slen, end - pos - slen);
437 end = pos + slen;
438 }
439
440 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
441 if (pk == NULL) {
442 wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
443 *alert = TLS_ALERT_INTERNAL_ERROR;
444 return -1;
445 }
446
447 buflen = end - pos;
448 buf = os_malloc(end - pos);
449 if (buf == NULL) {
450 *alert = TLS_ALERT_INTERNAL_ERROR;
451 return -1;
452 }
453 if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
454 0) {
455 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
456 os_free(buf);
457 *alert = TLS_ALERT_DECRYPT_ERROR;
458 return -1;
459 }
460 decrypted = buf;
461
462 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
463 decrypted, buflen);
464
465#ifdef CONFIG_TLSV12
466 if (tls_version >= TLS_VERSION_1_2) {
467 /*
468 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
469 *
470 * DigestInfo ::= SEQUENCE {
471 * digestAlgorithm DigestAlgorithm,
472 * digest OCTET STRING
473 * }
474 *
475 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
476 *
477 * DER encoded DigestInfo for SHA256 per RFC 3447:
478 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
479 * H
480 */
481 if (buflen >= 19 + 32 &&
482 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
483 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
484 {
Dmitry Shmidtfe31a9a2016-11-09 13:43:31 -0800[diff] [blame]485 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-256");
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]486 decrypted = buf + 19;
487 buflen -= 19;
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]488 } else if (buflen >= 19 + 48 &&
489 os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
490 "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
491 {
Dmitry Shmidtfe31a9a2016-11-09 13:43:31 -0800[diff] [blame]492 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-384");
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]493 decrypted = buf + 19;
494 buflen -= 19;
495 } else if (buflen >= 19 + 64 &&
496 os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
497 "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
498 {
Dmitry Shmidtfe31a9a2016-11-09 13:43:31 -0800[diff] [blame]499 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithn = SHA-512");
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]500 decrypted = buf + 19;
501 buflen -= 19;
502
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]503 } else {
504 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
505 os_free(buf);
506 *alert = TLS_ALERT_DECRYPT_ERROR;
507 return -1;
508 }
509 }
510#endif /* CONFIG_TLSV12 */
511
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]512 if (buflen != data_len ||
513 os_memcmp_const(decrypted, data, data_len) != 0) {
Dmitry Shmidt818ea482014-03-10 13:15:21 -0700[diff] [blame]514 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
515 os_free(buf);
516 *alert = TLS_ALERT_DECRYPT_ERROR;
517 return -1;
518 }
519
520 os_free(buf);
521
522 return 0;
523}