00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015 #include "includes.h"
00016
00017 #include "common.h"
00018 #include "x509v3.h"
00019 #include "tlsv1_common.h"
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029 static const struct tls_cipher_suite tls_cipher_suites[] = {
00030 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
00031 TLS_HASH_NULL },
00032 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
00033 TLS_HASH_MD5 },
00034 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
00035 TLS_HASH_SHA },
00036 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
00037 TLS_HASH_SHA },
00038 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
00039 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
00040 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
00041 TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
00042 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
00043 TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
00044 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
00045 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
00046 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
00047 TLS_HASH_SHA },
00048 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
00049 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
00050 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
00051 TLS_HASH_SHA },
00052 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
00053 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }
00054 };
00055
00056 #define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
00057 #define NUM_TLS_CIPHER_SUITES NUM_ELEMS(tls_cipher_suites)
00058
00059
00060 static const struct tls_cipher_data tls_ciphers[] = {
00061 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0,
00062 CRYPTO_CIPHER_NULL },
00063 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8,
00064 CRYPTO_CIPHER_NULL },
00065 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0,
00066 CRYPTO_CIPHER_ALG_RC2 },
00067 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0,
00068 CRYPTO_CIPHER_ALG_RC4 },
00069 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0,
00070 CRYPTO_CIPHER_ALG_RC4 },
00071 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8,
00072 CRYPTO_CIPHER_ALG_DES },
00073 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8,
00074 CRYPTO_CIPHER_ALG_DES },
00075 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8,
00076 CRYPTO_CIPHER_ALG_3DES },
00077 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16,
00078 CRYPTO_CIPHER_ALG_AES },
00079 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16,
00080 CRYPTO_CIPHER_ALG_AES }
00081 };
00082
00083 #define NUM_TLS_CIPHER_DATA NUM_ELEMS(tls_ciphers)
00084
00085
00091 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
00092 {
00093 size_t i;
00094 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
00095 if (tls_cipher_suites[i].suite == suite)
00096 return &tls_cipher_suites[i];
00097 return NULL;
00098 }
00099
00100
00101 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
00102 {
00103 size_t i;
00104 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
00105 if (tls_ciphers[i].cipher == cipher)
00106 return &tls_ciphers[i];
00107 return NULL;
00108 }
00109
00110
00111 int tls_server_key_exchange_allowed(tls_cipher cipher)
00112 {
00113 const struct tls_cipher_suite *suite;
00114
00115
00116 suite = tls_get_cipher_suite(cipher);
00117 if (suite == NULL)
00118 return 0;
00119
00120 switch (suite->key_exchange) {
00121 case TLS_KEY_X_DHE_DSS:
00122 case TLS_KEY_X_DHE_DSS_EXPORT:
00123 case TLS_KEY_X_DHE_RSA:
00124 case TLS_KEY_X_DHE_RSA_EXPORT:
00125 case TLS_KEY_X_DH_anon_EXPORT:
00126 case TLS_KEY_X_DH_anon:
00127 return 1;
00128 case TLS_KEY_X_RSA_EXPORT:
00129 return 1 ;
00130 default:
00131 return 0;
00132 }
00133 }
00134
00135
00147 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
00148 {
00149 struct x509_certificate *cert;
00150
00151 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
00152 buf, len);
00153
00154 *pk = crypto_public_key_from_cert(buf, len);
00155 if (*pk)
00156 return 0;
00157
00158 cert = x509_certificate_parse(buf, len);
00159 if (cert == NULL) {
00160 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
00161 "certificate");
00162 return -1;
00163 }
00164
00165
00166
00167
00168
00169
00170
00171
00172
00173
00174
00175
00176
00177 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
00178 x509_certificate_free(cert);
00179
00180 if (*pk == NULL) {
00181 wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
00182 "server public key");
00183 return -1;
00184 }
00185
00186 return 0;
00187 }
00188
00189
00190 int tls_verify_hash_init(struct tls_verify_hash *verify)
00191 {
00192 tls_verify_hash_free(verify);
00193 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
00194 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
00195 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
00196 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
00197 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
00198 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
00199 if (verify->md5_client == NULL || verify->md5_server == NULL ||
00200 verify->md5_cert == NULL || verify->sha1_client == NULL ||
00201 verify->sha1_server == NULL || verify->sha1_cert == NULL) {
00202 tls_verify_hash_free(verify);
00203 return -1;
00204 }
00205 return 0;
00206 }
00207
00208
00209 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
00210 size_t len)
00211 {
00212 if (verify->md5_client && verify->sha1_client) {
00213 crypto_hash_update(verify->md5_client, buf, len);
00214 crypto_hash_update(verify->sha1_client, buf, len);
00215 }
00216 if (verify->md5_server && verify->sha1_server) {
00217 crypto_hash_update(verify->md5_server, buf, len);
00218 crypto_hash_update(verify->sha1_server, buf, len);
00219 }
00220 if (verify->md5_cert && verify->sha1_cert) {
00221 crypto_hash_update(verify->md5_cert, buf, len);
00222 crypto_hash_update(verify->sha1_cert, buf, len);
00223 }
00224 }
00225
00226
00227 void tls_verify_hash_free(struct tls_verify_hash *verify)
00228 {
00229 crypto_hash_finish(verify->md5_client, NULL, NULL);
00230 crypto_hash_finish(verify->md5_server, NULL, NULL);
00231 crypto_hash_finish(verify->md5_cert, NULL, NULL);
00232 crypto_hash_finish(verify->sha1_client, NULL, NULL);
00233 crypto_hash_finish(verify->sha1_server, NULL, NULL);
00234 crypto_hash_finish(verify->sha1_cert, NULL, NULL);
00235 verify->md5_client = NULL;
00236 verify->md5_server = NULL;
00237 verify->md5_cert = NULL;
00238 verify->sha1_client = NULL;
00239 verify->sha1_server = NULL;
00240 verify->sha1_cert = NULL;
00241 }