tls: Separate TLS protection to abstracted AEAD modes
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * TLS session cache
374 */
375 tls_cache_t *cache;
376
377 /**
378 * All handshake data concatentated
379 */
380 chunk_t handshake;
381
382 /**
383 * Connection state TLS PRF
384 */
385 tls_prf_t *prf;
386
387 /**
388 * AEAD transform for inbound traffic
389 */
390 tls_aead_t *aead_in;
391
392 /**
393 * AEAD transform for outbound traffic
394 */
395 tls_aead_t *aead_out;
396
397 /**
398 * EAP-[T]TLS MSK
399 */
400 chunk_t msk;
401
402 /**
403 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
404 */
405 char *msk_label;
406 };
407
408 typedef struct {
409 tls_cipher_suite_t suite;
410 key_type_t key;
411 diffie_hellman_group_t dh;
412 hash_algorithm_t hash;
413 pseudo_random_function_t prf;
414 integrity_algorithm_t mac;
415 encryption_algorithm_t encr;
416 size_t encr_size;
417 } suite_algs_t;
418
419 /**
420 * Mapping suites to a set of algorithms
421 */
422 static suite_algs_t suite_algs[] = {
423 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
424 KEY_ECDSA, ECP_256_BIT,
425 HASH_SHA256, PRF_HMAC_SHA2_256,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
427 },
428 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
429 KEY_ECDSA, ECP_256_BIT,
430 HASH_SHA256, PRF_HMAC_SHA2_256,
431 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
432 },
433 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
434 KEY_ECDSA, ECP_384_BIT,
435 HASH_SHA256, PRF_HMAC_SHA2_256,
436 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
437 },
438 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
439 KEY_ECDSA, ECP_384_BIT,
440 HASH_SHA384, PRF_HMAC_SHA2_384,
441 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
442 },
443 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
444 KEY_RSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
449 KEY_RSA, ECP_256_BIT,
450 HASH_SHA256, PRF_HMAC_SHA2_256,
451 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
452 },
453 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
454 KEY_RSA, ECP_384_BIT,
455 HASH_SHA256, PRF_HMAC_SHA2_256,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
459 KEY_RSA, ECP_384_BIT,
460 HASH_SHA384, PRF_HMAC_SHA2_384,
461 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
462 },
463 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
464 KEY_RSA, MODP_2048_BIT,
465 HASH_SHA256,PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
467 },
468 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
469 KEY_RSA, MODP_3072_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
472 },
473 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
474 KEY_RSA, MODP_3072_BIT,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
477 },
478 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
479 KEY_RSA, MODP_4096_BIT,
480 HASH_SHA256, PRF_HMAC_SHA2_256,
481 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
482 },
483 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
484 KEY_RSA, MODP_2048_BIT,
485 HASH_SHA256, PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
492 },
493 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
494 KEY_RSA, MODP_3072_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
499 KEY_RSA, MODP_4096_BIT,
500 HASH_SHA256, PRF_HMAC_SHA2_256,
501 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
502 },
503 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
504 KEY_RSA, MODP_2048_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
507 },
508 { TLS_RSA_WITH_AES_128_CBC_SHA,
509 KEY_RSA, MODP_NONE,
510 HASH_SHA256, PRF_HMAC_SHA2_256,
511 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
512 },
513 { TLS_RSA_WITH_AES_128_CBC_SHA256,
514 KEY_RSA, MODP_NONE,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
517 },
518 { TLS_RSA_WITH_AES_256_CBC_SHA,
519 KEY_RSA, MODP_NONE,
520 HASH_SHA256, PRF_HMAC_SHA2_256,
521 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
522 },
523 { TLS_RSA_WITH_AES_256_CBC_SHA256,
524 KEY_RSA, MODP_NONE,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
527 },
528 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
532 },
533 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
537 },
538 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
542 },
543 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA256, PRF_HMAC_SHA2_256,
546 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
547 },
548 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
549 KEY_ECDSA, ECP_256_BIT,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
552 },
553 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
554 KEY_RSA, ECP_256_BIT,
555 HASH_SHA256, PRF_HMAC_SHA2_256,
556 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
557 },
558 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
562 },
563 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
564 KEY_ECDSA, ECP_256_BIT,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
567 },
568 { TLS_ECDHE_RSA_WITH_NULL_SHA,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
572 },
573 { TLS_RSA_WITH_NULL_SHA,
574 KEY_RSA, MODP_NONE,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
577 },
578 { TLS_RSA_WITH_NULL_SHA256,
579 KEY_RSA, MODP_NONE,
580 HASH_SHA256, PRF_HMAC_SHA2_256,
581 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
582 },
583 { TLS_RSA_WITH_NULL_MD5,
584 KEY_RSA, MODP_NONE,
585 HASH_SHA256, PRF_HMAC_SHA2_256,
586 AUTH_HMAC_MD5_128, ENCR_NULL, 0
587 },
588 };
589
590 /**
591 * Look up algorithms by a suite
592 */
593 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
594 {
595 int i;
596
597 for (i = 0; i < countof(suite_algs); i++)
598 {
599 if (suite_algs[i].suite == suite)
600 {
601 return &suite_algs[i];
602 }
603 }
604 return NULL;
605 }
606
607 /**
608 * Filter a suite list using a transform enumerator
609 */
610 static void filter_suite(private_tls_crypto_t *this,
611 suite_algs_t suites[], int *count, int offset,
612 enumerator_t*(*create_enumerator)(crypto_factory_t*))
613 {
614 const char *plugin_name;
615 suite_algs_t current;
616 int *current_alg, i, remaining = 0;
617 enumerator_t *enumerator;
618
619 memset(&current, 0, sizeof(current));
620 current_alg = (int*)((char*)&current + offset);
621
622 for (i = 0; i < *count; i++)
623 {
624 enumerator = create_enumerator(lib->crypto);
625 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
626 {
627 if ((suites[i].encr == ENCR_NULL ||
628 !current.encr || current.encr == suites[i].encr) &&
629 (!current.mac || current.mac == suites[i].mac) &&
630 (!current.prf || current.prf == suites[i].prf) &&
631 (!current.hash || current.hash == suites[i].hash) &&
632 (suites[i].dh == MODP_NONE ||
633 !current.dh || current.dh == suites[i].dh))
634 {
635 suites[remaining] = suites[i];
636 remaining++;
637 break;
638 }
639 }
640 enumerator->destroy(enumerator);
641 }
642 *count = remaining;
643 }
644
645 /**
646 * Purge NULL encryption cipher suites from list
647 */
648 static void filter_null_suites(private_tls_crypto_t *this,
649 suite_algs_t suites[], int *count)
650 {
651 int i, remaining = 0;
652
653 for (i = 0; i < *count; i++)
654 {
655 if (suites[i].encr != ENCR_NULL)
656 {
657 suites[remaining] = suites[i];
658 remaining++;
659 }
660 }
661 *count = remaining;
662 }
663
664 /**
665 * Purge suites using a given key type
666 */
667 static void filter_key_suites(private_tls_crypto_t *this,
668 suite_algs_t suites[], int *count, key_type_t key)
669 {
670 int i, remaining = 0;
671
672 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
673 for (i = 0; i < *count; i++)
674 {
675 if (suites[i].key != key)
676 {
677 suites[remaining] = suites[i];
678 remaining++;
679 }
680 }
681 *count = remaining;
682 }
683
684 /**
685 * Filter suites by key exchange user config
686 */
687 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
688 suite_algs_t suites[], int *count)
689 {
690 enumerator_t *enumerator;
691 int i, remaining = 0;
692 char *token, *config;
693
694 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
695 lib->ns);
696 if (config)
697 {
698 for (i = 0; i < *count; i++)
699 {
700 enumerator = enumerator_create_token(config, ",", " ");
701 while (enumerator->enumerate(enumerator, &token))
702 {
703 if (strcaseeq(token, "ecdhe-ecdsa") &&
704 diffie_hellman_group_is_ec(suites[i].dh) &&
705 suites[i].key == KEY_ECDSA)
706 {
707 suites[remaining++] = suites[i];
708 break;
709 }
710 if (strcaseeq(token, "ecdhe-rsa") &&
711 diffie_hellman_group_is_ec(suites[i].dh) &&
712 suites[i].key == KEY_RSA)
713 {
714 suites[remaining++] = suites[i];
715 break;
716 }
717 if (strcaseeq(token, "dhe-rsa") &&
718 !diffie_hellman_group_is_ec(suites[i].dh) &&
719 suites[i].dh != MODP_NONE &&
720 suites[i].key == KEY_RSA)
721 {
722 suites[remaining++] = suites[i];
723 break;
724 }
725 if (strcaseeq(token, "rsa") &&
726 suites[i].dh == MODP_NONE &&
727 suites[i].key == KEY_RSA)
728 {
729 suites[remaining++] = suites[i];
730 break;
731 }
732 }
733 enumerator->destroy(enumerator);
734 }
735 *count = remaining;
736 }
737 }
738
739 /**
740 * Filter suites by cipher user config
741 */
742 static void filter_cipher_config_suites(private_tls_crypto_t *this,
743 suite_algs_t suites[], int *count)
744 {
745 enumerator_t *enumerator;
746 int i, remaining = 0;
747 char *token, *config;
748
749 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
750 lib->ns);
751 if (config)
752 {
753 for (i = 0; i < *count; i++)
754 {
755 enumerator = enumerator_create_token(config, ",", " ");
756 while (enumerator->enumerate(enumerator, &token))
757 {
758 if (strcaseeq(token, "aes128") &&
759 suites[i].encr == ENCR_AES_CBC &&
760 suites[i].encr_size == 16)
761 {
762 suites[remaining++] = suites[i];
763 break;
764 }
765 if (strcaseeq(token, "aes256") &&
766 suites[i].encr == ENCR_AES_CBC &&
767 suites[i].encr_size == 32)
768 {
769 suites[remaining++] = suites[i];
770 break;
771 }
772 if (strcaseeq(token, "camellia128") &&
773 suites[i].encr == ENCR_CAMELLIA_CBC &&
774 suites[i].encr_size == 16)
775 {
776 suites[remaining++] = suites[i];
777 break;
778 }
779 if (strcaseeq(token, "camellia256") &&
780 suites[i].encr == ENCR_CAMELLIA_CBC &&
781 suites[i].encr_size == 32)
782 {
783 suites[remaining++] = suites[i];
784 break;
785 }
786 if (strcaseeq(token, "3des") &&
787 suites[i].encr == ENCR_3DES)
788 {
789 suites[remaining++] = suites[i];
790 break;
791 }
792 if (strcaseeq(token, "null") &&
793 suites[i].encr == ENCR_NULL)
794 {
795 suites[remaining++] = suites[i];
796 break;
797 }
798 }
799 enumerator->destroy(enumerator);
800 }
801 *count = remaining;
802 }
803 }
804
805 /**
806 * Filter suites by mac user config
807 */
808 static void filter_mac_config_suites(private_tls_crypto_t *this,
809 suite_algs_t suites[], int *count)
810 {
811 enumerator_t *enumerator;
812 int i, remaining = 0;
813 char *token, *config;
814
815 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
816 lib->ns);
817 if (config)
818 {
819 for (i = 0; i < *count; i++)
820 {
821 enumerator = enumerator_create_token(config, ",", " ");
822 while (enumerator->enumerate(enumerator, &token))
823 {
824 if (strcaseeq(token, "md5") &&
825 suites[i].mac == AUTH_HMAC_MD5_128)
826 {
827 suites[remaining++] = suites[i];
828 break;
829 }
830 if (strcaseeq(token, "sha1") &&
831 suites[i].mac == AUTH_HMAC_SHA1_160)
832 {
833 suites[remaining++] = suites[i];
834 break;
835 }
836 if (strcaseeq(token, "sha256") &&
837 suites[i].mac == AUTH_HMAC_SHA2_256_256)
838 {
839 suites[remaining++] = suites[i];
840 break;
841 }
842 if (strcaseeq(token, "sha384") &&
843 suites[i].mac == AUTH_HMAC_SHA2_384_384)
844 {
845 suites[remaining++] = suites[i];
846 break;
847 }
848 }
849 enumerator->destroy(enumerator);
850 }
851 *count = remaining;
852 }
853 }
854
855 /**
856 * Filter for specific suites specified in strongswan.conf
857 */
858 static void filter_specific_config_suites(private_tls_crypto_t *this,
859 suite_algs_t suites[], int *count)
860 {
861 enumerator_t *enumerator;
862 int i, remaining = 0, suite;
863 char *token, *config;
864
865 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
866 lib->ns);
867 if (config)
868 {
869 for (i = 0; i < *count; i++)
870 {
871 enumerator = enumerator_create_token(config, ",", " ");
872 while (enumerator->enumerate(enumerator, &token))
873 {
874 suite = enum_from_name(tls_cipher_suite_names, token);
875 if (suite == suites[i].suite)
876 {
877 suites[remaining++] = suites[i];
878 break;
879 }
880 }
881 enumerator->destroy(enumerator);
882 }
883 *count = remaining;
884 }
885 }
886
887 /**
888 * Initialize the cipher suite list
889 */
890 static void build_cipher_suite_list(private_tls_crypto_t *this,
891 bool require_encryption)
892 {
893 suite_algs_t suites[countof(suite_algs)];
894 int count = countof(suite_algs), i;
895
896 /* copy all suites */
897 for (i = 0; i < count; i++)
898 {
899 suites[i] = suite_algs[i];
900 }
901 if (require_encryption)
902 {
903 filter_null_suites(this, suites, &count);
904 }
905 if (!this->rsa)
906 {
907 filter_key_suites(this, suites, &count, KEY_RSA);
908 }
909 if (!this->ecdsa)
910 {
911 filter_key_suites(this, suites, &count, KEY_ECDSA);
912 }
913
914 /* filter suite list by each algorithm */
915 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
916 lib->crypto->create_crypter_enumerator);
917 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
918 lib->crypto->create_signer_enumerator);
919 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
920 lib->crypto->create_prf_enumerator);
921 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
922 lib->crypto->create_hasher_enumerator);
923 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
924 lib->crypto->create_dh_enumerator);
925
926 /* filter suites with strongswan.conf options */
927 filter_key_exchange_config_suites(this, suites, &count);
928 filter_cipher_config_suites(this, suites, &count);
929 filter_mac_config_suites(this, suites, &count);
930 filter_specific_config_suites(this, suites, &count);
931
932 free(this->suites);
933 this->suite_count = count;
934 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
935
936 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
937 for (i = 0; i < count; i++)
938 {
939 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
940 this->suites[i] = suites[i].suite;
941 }
942 }
943
944 METHOD(tls_crypto_t, get_cipher_suites, int,
945 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
946 {
947 *suites = this->suites;
948 return this->suite_count;
949 }
950
951 /**
952 * Create NULL encryption transforms
953 */
954 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
955 {
956 this->aead_in = tls_aead_create_null(algs->mac);
957 this->aead_out = tls_aead_create_null(algs->mac);
958 if (!this->aead_in || !this->aead_out)
959 {
960 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
961 integrity_algorithm_names, algs->mac);
962 return FALSE;
963 }
964 return TRUE;
965 }
966
967 /**
968 * Create traditional transforms
969 */
970 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
971 {
972 if (this->tls->get_version(this->tls) < TLS_1_1)
973 {
974 this->aead_in = tls_aead_create_implicit(algs->mac,
975 algs->encr, algs->encr_size);
976 this->aead_out = tls_aead_create_implicit(algs->mac,
977 algs->encr, algs->encr_size);
978 }
979 else
980 {
981 this->aead_in = tls_aead_create_explicit(algs->mac,
982 algs->encr, algs->encr_size);
983 this->aead_out = tls_aead_create_explicit(algs->mac,
984 algs->encr, algs->encr_size);
985 }
986 if (!this->aead_in || !this->aead_out)
987 {
988 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
989 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
990 integrity_algorithm_names, algs->mac);
991 return FALSE;
992 }
993 return TRUE;
994 }
995
996 /**
997 * Clean up and unset AEAD transforms
998 */
999 static void destroy_aeads(private_tls_crypto_t *this)
1000 {
1001 DESTROY_IF(this->aead_in);
1002 DESTROY_IF(this->aead_out);
1003 this->aead_in = this->aead_out = NULL;
1004 }
1005
1006 /**
1007 * Create crypto primitives
1008 */
1009 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1010 {
1011 destroy_aeads(this);
1012 DESTROY_IF(this->prf);
1013 if (this->tls->get_version(this->tls) < TLS_1_2)
1014 {
1015 this->prf = tls_prf_create_10();
1016 }
1017 else
1018 {
1019 this->prf = tls_prf_create_12(algs->prf);
1020 }
1021 if (!this->prf)
1022 {
1023 DBG1(DBG_TLS, "selected TLS PRF not supported");
1024 return FALSE;
1025 }
1026 if (algs->encr == ENCR_NULL)
1027 {
1028 if (create_null(this, algs))
1029 {
1030 return TRUE;
1031 }
1032 }
1033 else
1034 {
1035 if (create_traditional(this, algs))
1036 {
1037 return TRUE;
1038 }
1039 }
1040 destroy_aeads(this);
1041 return FALSE;
1042 }
1043
1044 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1045 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1046 key_type_t key)
1047 {
1048 suite_algs_t *algs;
1049 int i, j;
1050
1051 for (i = 0; i < this->suite_count; i++)
1052 {
1053 for (j = 0; j < count; j++)
1054 {
1055 if (this->suites[i] == suites[j])
1056 {
1057 algs = find_suite(this->suites[i]);
1058 if (algs)
1059 {
1060 if (key == KEY_ANY || key == algs->key)
1061 {
1062 if (create_ciphers(this, algs))
1063 {
1064 this->suite = this->suites[i];
1065 return this->suite;
1066 }
1067 }
1068 }
1069 }
1070 }
1071 }
1072 return 0;
1073 }
1074
1075 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1076 private_tls_crypto_t *this)
1077 {
1078 suite_algs_t *algs;
1079
1080 algs = find_suite(this->suite);
1081 if (algs)
1082 {
1083 return algs->dh;
1084 }
1085 return MODP_NONE;
1086 }
1087
1088 METHOD(tls_crypto_t, get_signature_algorithms, void,
1089 private_tls_crypto_t *this, bio_writer_t *writer)
1090 {
1091 bio_writer_t *supported;
1092 enumerator_t *enumerator;
1093 hash_algorithm_t alg;
1094 tls_hash_algorithm_t hash;
1095 const char *plugin_name;
1096
1097 supported = bio_writer_create(32);
1098 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1099 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1100 {
1101 switch (alg)
1102 {
1103 case HASH_MD5:
1104 hash = TLS_HASH_MD5;
1105 break;
1106 case HASH_SHA1:
1107 hash = TLS_HASH_SHA1;
1108 break;
1109 case HASH_SHA224:
1110 hash = TLS_HASH_SHA224;
1111 break;
1112 case HASH_SHA256:
1113 hash = TLS_HASH_SHA256;
1114 break;
1115 case HASH_SHA384:
1116 hash = TLS_HASH_SHA384;
1117 break;
1118 case HASH_SHA512:
1119 hash = TLS_HASH_SHA512;
1120 break;
1121 default:
1122 continue;
1123 }
1124 if (this->rsa)
1125 {
1126 supported->write_uint8(supported, hash);
1127 supported->write_uint8(supported, TLS_SIG_RSA);
1128 }
1129 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1130 { /* currently we have no signature scheme for MD5/SHA224 */
1131 supported->write_uint8(supported, hash);
1132 supported->write_uint8(supported, TLS_SIG_ECDSA);
1133 }
1134 }
1135 enumerator->destroy(enumerator);
1136
1137 supported->wrap16(supported);
1138 writer->write_data16(writer, supported->get_buf(supported));
1139 supported->destroy(supported);
1140 }
1141
1142 /**
1143 * Mapping groups to TLS named curves
1144 */
1145 static struct {
1146 diffie_hellman_group_t group;
1147 tls_named_curve_t curve;
1148 } curves[] = {
1149 { ECP_256_BIT, TLS_SECP256R1},
1150 { ECP_384_BIT, TLS_SECP384R1},
1151 { ECP_521_BIT, TLS_SECP521R1},
1152 { ECP_224_BIT, TLS_SECP224R1},
1153 { ECP_192_BIT, TLS_SECP192R1},
1154 };
1155
1156 /**
1157 * Filter EC groups, add TLS curve
1158 */
1159 static bool group_filter(void *null,
1160 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1161 void* dummy1, tls_named_curve_t *curve)
1162 {
1163 int i;
1164
1165 for (i = 0; i < countof(curves); i++)
1166 {
1167 if (curves[i].group == *in)
1168 {
1169 if (out)
1170 {
1171 *out = curves[i].group;
1172 }
1173 if (curve)
1174 {
1175 *curve = curves[i].curve;
1176 }
1177 return TRUE;
1178 }
1179 }
1180 return FALSE;
1181 }
1182
1183 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1184 private_tls_crypto_t *this)
1185 {
1186 return enumerator_create_filter(
1187 lib->crypto->create_dh_enumerator(lib->crypto),
1188 (void*)group_filter, NULL, NULL);
1189 }
1190
1191 METHOD(tls_crypto_t, set_protection, void,
1192 private_tls_crypto_t *this, tls_protection_t *protection)
1193 {
1194 this->protection = protection;
1195 }
1196
1197 METHOD(tls_crypto_t, append_handshake, void,
1198 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1199 {
1200 u_int32_t header;
1201
1202 /* reconstruct handshake header */
1203 header = htonl(data.len | (type << 24));
1204 this->handshake = chunk_cat("mcc", this->handshake,
1205 chunk_from_thing(header), data);
1206 }
1207
1208 /**
1209 * Create a hash using the suites HASH algorithm
1210 */
1211 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1212 {
1213 if (this->tls->get_version(this->tls) >= TLS_1_2)
1214 {
1215 hasher_t *hasher;
1216 suite_algs_t *alg;
1217
1218 alg = find_suite(this->suite);
1219 if (!alg)
1220 {
1221 return FALSE;
1222 }
1223 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1224 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1225 {
1226 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1227 DESTROY_IF(hasher);
1228 return FALSE;
1229 }
1230 hasher->destroy(hasher);
1231 }
1232 else
1233 {
1234 hasher_t *md5, *sha1;
1235 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1236
1237 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1238 if (!md5 || !md5->get_hash(md5, data, buf))
1239 {
1240 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1241 DESTROY_IF(md5);
1242 return FALSE;
1243 }
1244 md5->destroy(md5);
1245 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1246 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1247 {
1248 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1249 DESTROY_IF(sha1);
1250 return FALSE;
1251 }
1252 sha1->destroy(sha1);
1253
1254 *hash = chunk_clone(chunk_from_thing(buf));
1255 }
1256 return TRUE;
1257 }
1258
1259 /**
1260 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1261 */
1262 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1263 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1264 {
1265 switch (sig)
1266 {
1267 case TLS_SIG_RSA:
1268 if (type != KEY_RSA)
1269 {
1270 return SIGN_UNKNOWN;
1271 }
1272 switch (hash)
1273 {
1274 case TLS_HASH_MD5:
1275 return SIGN_RSA_EMSA_PKCS1_MD5;
1276 case TLS_HASH_SHA1:
1277 return SIGN_RSA_EMSA_PKCS1_SHA1;
1278 case TLS_HASH_SHA224:
1279 return SIGN_RSA_EMSA_PKCS1_SHA224;
1280 case TLS_HASH_SHA256:
1281 return SIGN_RSA_EMSA_PKCS1_SHA256;
1282 case TLS_HASH_SHA384:
1283 return SIGN_RSA_EMSA_PKCS1_SHA384;
1284 case TLS_HASH_SHA512:
1285 return SIGN_RSA_EMSA_PKCS1_SHA512;
1286 default:
1287 return SIGN_UNKNOWN;
1288 }
1289 case TLS_SIG_ECDSA:
1290 if (type != KEY_ECDSA)
1291 {
1292 return SIGN_UNKNOWN;
1293 }
1294 switch (hash)
1295 {
1296 case TLS_HASH_SHA224:
1297 return SIGN_ECDSA_WITH_SHA1_DER;
1298 case TLS_HASH_SHA256:
1299 return SIGN_ECDSA_WITH_SHA256_DER;
1300 case TLS_HASH_SHA384:
1301 return SIGN_ECDSA_WITH_SHA384_DER;
1302 case TLS_HASH_SHA512:
1303 return SIGN_ECDSA_WITH_SHA512_DER;
1304 default:
1305 return SIGN_UNKNOWN;
1306 }
1307 default:
1308 return SIGN_UNKNOWN;
1309 }
1310 }
1311
1312 METHOD(tls_crypto_t, sign, bool,
1313 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1314 chunk_t data, chunk_t hashsig)
1315 {
1316 if (this->tls->get_version(this->tls) >= TLS_1_2)
1317 {
1318 signature_scheme_t scheme;
1319 bio_reader_t *reader;
1320 u_int8_t hash, alg;
1321 chunk_t sig;
1322 bool done = FALSE;
1323
1324 if (!hashsig.len)
1325 { /* fallback if none given */
1326 hashsig = chunk_from_chars(
1327 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1328 }
1329 reader = bio_reader_create(hashsig);
1330 while (reader->remaining(reader) >= 2)
1331 {
1332 if (reader->read_uint8(reader, &hash) &&
1333 reader->read_uint8(reader, &alg))
1334 {
1335 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1336 if (scheme != SIGN_UNKNOWN &&
1337 key->sign(key, scheme, data, &sig))
1338 {
1339 done = TRUE;
1340 break;
1341 }
1342 }
1343 }
1344 reader->destroy(reader);
1345 if (!done)
1346 {
1347 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1348 return FALSE;
1349 }
1350 DBG2(DBG_TLS, "created signature with %N/%N",
1351 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1352 writer->write_uint8(writer, hash);
1353 writer->write_uint8(writer, alg);
1354 writer->write_data16(writer, sig);
1355 free(sig.ptr);
1356 }
1357 else
1358 {
1359 chunk_t sig, hash;
1360 bool done;
1361
1362 switch (key->get_type(key))
1363 {
1364 case KEY_RSA:
1365 if (!hash_data(this, data, &hash))
1366 {
1367 return FALSE;
1368 }
1369 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1370 free(hash.ptr);
1371 if (!done)
1372 {
1373 return FALSE;
1374 }
1375 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1376 break;
1377 case KEY_ECDSA:
1378 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1379 {
1380 return FALSE;
1381 }
1382 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1383 break;
1384 default:
1385 return FALSE;
1386 }
1387 writer->write_data16(writer, sig);
1388 free(sig.ptr);
1389 }
1390 return TRUE;
1391 }
1392
1393 METHOD(tls_crypto_t, verify, bool,
1394 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1395 chunk_t data)
1396 {
1397 if (this->tls->get_version(this->tls) >= TLS_1_2)
1398 {
1399 signature_scheme_t scheme = SIGN_UNKNOWN;
1400 u_int8_t hash, alg;
1401 chunk_t sig;
1402
1403 if (!reader->read_uint8(reader, &hash) ||
1404 !reader->read_uint8(reader, &alg) ||
1405 !reader->read_data16(reader, &sig))
1406 {
1407 DBG1(DBG_TLS, "received invalid signature");
1408 return FALSE;
1409 }
1410 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1411 if (scheme == SIGN_UNKNOWN)
1412 {
1413 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1414 tls_hash_algorithm_names, hash,
1415 tls_signature_algorithm_names, alg);
1416 return FALSE;
1417 }
1418 if (!key->verify(key, scheme, data, sig))
1419 {
1420 return FALSE;
1421 }
1422 DBG2(DBG_TLS, "verified signature with %N/%N",
1423 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1424 }
1425 else
1426 {
1427 chunk_t sig, hash;
1428 bool done;
1429
1430 if (!reader->read_data16(reader, &sig))
1431 {
1432 DBG1(DBG_TLS, "received invalid signature");
1433 return FALSE;
1434 }
1435 switch (key->get_type(key))
1436 {
1437 case KEY_RSA:
1438 if (!hash_data(this, data, &hash))
1439 {
1440 return FALSE;
1441 }
1442 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1443 free(hash.ptr);
1444 if (!done)
1445 {
1446 return FALSE;
1447 }
1448 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1449 break;
1450 case KEY_ECDSA:
1451 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1452 {
1453 return FALSE;
1454 }
1455 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1456 break;
1457 default:
1458 return FALSE;
1459 }
1460 }
1461 return TRUE;
1462 }
1463
1464 METHOD(tls_crypto_t, sign_handshake, bool,
1465 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1466 chunk_t hashsig)
1467 {
1468 return sign(this, key, writer, this->handshake, hashsig);
1469 }
1470
1471 METHOD(tls_crypto_t, verify_handshake, bool,
1472 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1473 {
1474 return verify(this, key, reader, this->handshake);
1475 }
1476
1477 METHOD(tls_crypto_t, calculate_finished, bool,
1478 private_tls_crypto_t *this, char *label, char out[12])
1479 {
1480 chunk_t seed;
1481
1482 if (!this->prf)
1483 {
1484 return FALSE;
1485 }
1486 if (!hash_data(this, this->handshake, &seed))
1487 {
1488 return FALSE;
1489 }
1490 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1491 {
1492 free(seed.ptr);
1493 return FALSE;
1494 }
1495 free(seed.ptr);
1496 return TRUE;
1497 }
1498
1499 /**
1500 * Derive master secret from premaster, optionally save session
1501 */
1502 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1503 chunk_t session, identification_t *id,
1504 chunk_t client_random, chunk_t server_random)
1505 {
1506 char master[48];
1507 chunk_t seed;
1508
1509 /* derive master secret */
1510 seed = chunk_cata("cc", client_random, server_random);
1511
1512 if (!this->prf->set_key(this->prf, premaster) ||
1513 !this->prf->get_bytes(this->prf, "master secret", seed,
1514 sizeof(master), master) ||
1515 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1516 {
1517 return FALSE;
1518 }
1519
1520 if (this->cache && session.len)
1521 {
1522 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1523 this->suite);
1524 }
1525 memwipe(master, sizeof(master));
1526 return TRUE;
1527 }
1528
1529 /**
1530 * Expand key material from master secret
1531 */
1532 static bool expand_keys(private_tls_crypto_t *this,
1533 chunk_t client_random, chunk_t server_random)
1534 {
1535 chunk_t seed, block;
1536 chunk_t cw_mac, cw, cw_iv;
1537 chunk_t sw_mac, sw, sw_iv;
1538 int mklen, eklen, ivlen;
1539
1540 if (!this->aead_in || !this->aead_out)
1541 {
1542 return FALSE;
1543 }
1544
1545 /* derive key block for key expansion */
1546 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1547 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1548 ivlen = this->aead_in->get_iv_size(this->aead_in);
1549 seed = chunk_cata("cc", server_random, client_random);
1550 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1551 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1552 block.len, block.ptr))
1553 {
1554 return FALSE;
1555 }
1556
1557 /* client/server write signer keys */
1558 cw_mac = chunk_create(block.ptr, mklen);
1559 block = chunk_skip(block, mklen);
1560 sw_mac = chunk_create(block.ptr, mklen);
1561 block = chunk_skip(block, mklen);
1562
1563 /* client/server write encryption keys */
1564 cw = chunk_create(block.ptr, eklen);
1565 block = chunk_skip(block, eklen);
1566 sw = chunk_create(block.ptr, eklen);
1567 block = chunk_skip(block, eklen);
1568
1569 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1570 cw_iv = chunk_create(block.ptr, ivlen);
1571 block = chunk_skip(block, ivlen);
1572 sw_iv = chunk_create(block.ptr, ivlen);
1573 block = chunk_skip(block, ivlen);
1574
1575 if (this->tls->is_server(this->tls))
1576 {
1577 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1578 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1579 {
1580 return FALSE;
1581 }
1582 }
1583 else
1584 {
1585 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1586 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1587 {
1588 return FALSE;
1589 }
1590 }
1591
1592 /* EAP-MSK */
1593 if (this->msk_label)
1594 {
1595 seed = chunk_cata("cc", client_random, server_random);
1596 this->msk = chunk_alloc(64);
1597 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1598 this->msk.len, this->msk.ptr))
1599 {
1600 return FALSE;
1601 }
1602 }
1603 return TRUE;
1604 }
1605
1606 METHOD(tls_crypto_t, derive_secrets, bool,
1607 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1608 identification_t *id, chunk_t client_random, chunk_t server_random)
1609 {
1610 return derive_master(this, premaster, session, id,
1611 client_random, server_random) &&
1612 expand_keys(this, client_random, server_random);
1613 }
1614
1615 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1616 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1617 chunk_t client_random, chunk_t server_random)
1618 {
1619 chunk_t master;
1620
1621 if (this->cache && session.len)
1622 {
1623 this->suite = this->cache->lookup(this->cache, session, id, &master);
1624 if (this->suite)
1625 {
1626 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1627 if (this->suite)
1628 {
1629 if (!this->prf->set_key(this->prf, master) ||
1630 !expand_keys(this, client_random, server_random))
1631 {
1632 this->suite = 0;
1633 }
1634 }
1635 chunk_clear(&master);
1636 }
1637 return this->suite;
1638 }
1639 return 0;
1640 }
1641
1642 METHOD(tls_crypto_t, get_session, chunk_t,
1643 private_tls_crypto_t *this, identification_t *server)
1644 {
1645 if (this->cache)
1646 {
1647 return this->cache->check(this->cache, server);
1648 }
1649 return chunk_empty;
1650 }
1651
1652 METHOD(tls_crypto_t, change_cipher, void,
1653 private_tls_crypto_t *this, bool inbound)
1654 {
1655 if (this->protection)
1656 {
1657 if (inbound)
1658 {
1659 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1660 }
1661 else
1662 {
1663 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1664 }
1665 }
1666 }
1667
1668 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1669 private_tls_crypto_t *this)
1670 {
1671 return this->msk;
1672 }
1673
1674 METHOD(tls_crypto_t, destroy, void,
1675 private_tls_crypto_t *this)
1676 {
1677 destroy_aeads(this);
1678 free(this->handshake.ptr);
1679 free(this->msk.ptr);
1680 DESTROY_IF(this->prf);
1681 free(this->suites);
1682 free(this);
1683 }
1684
1685 /**
1686 * See header
1687 */
1688 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1689 {
1690 private_tls_crypto_t *this;
1691 enumerator_t *enumerator;
1692 credential_type_t type;
1693 int subtype;
1694
1695 INIT(this,
1696 .public = {
1697 .get_cipher_suites = _get_cipher_suites,
1698 .select_cipher_suite = _select_cipher_suite,
1699 .get_dh_group = _get_dh_group,
1700 .get_signature_algorithms = _get_signature_algorithms,
1701 .create_ec_enumerator = _create_ec_enumerator,
1702 .set_protection = _set_protection,
1703 .append_handshake = _append_handshake,
1704 .sign = _sign,
1705 .verify = _verify,
1706 .sign_handshake = _sign_handshake,
1707 .verify_handshake = _verify_handshake,
1708 .calculate_finished = _calculate_finished,
1709 .derive_secrets = _derive_secrets,
1710 .resume_session = _resume_session,
1711 .get_session = _get_session,
1712 .change_cipher = _change_cipher,
1713 .get_eap_msk = _get_eap_msk,
1714 .destroy = _destroy,
1715 },
1716 .tls = tls,
1717 .cache = cache,
1718 );
1719
1720 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1721 while (enumerator->enumerate(enumerator, &type, &subtype))
1722 {
1723 if (type == CRED_PUBLIC_KEY)
1724 {
1725 switch (subtype)
1726 {
1727 case KEY_RSA:
1728 this->rsa = TRUE;
1729 break;
1730 case KEY_ECDSA:
1731 this->ecdsa = TRUE;
1732 break;
1733 default:
1734 break;
1735 }
1736 }
1737 }
1738 enumerator->destroy(enumerator);
1739
1740 switch (tls->get_purpose(tls))
1741 {
1742 case TLS_PURPOSE_EAP_TLS:
1743 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1744 this->msk_label = "client EAP encryption";
1745 build_cipher_suite_list(this, FALSE);
1746 break;
1747 case TLS_PURPOSE_EAP_PEAP:
1748 this->msk_label = "client EAP encryption";
1749 build_cipher_suite_list(this, TRUE);
1750 break;
1751 case TLS_PURPOSE_EAP_TTLS:
1752 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1753 this->msk_label = "ttls keying material";
1754 build_cipher_suite_list(this, TRUE);
1755 break;
1756 case TLS_PURPOSE_GENERIC:
1757 build_cipher_suite_list(this, TRUE);
1758 break;
1759 default:
1760 break;
1761 }
1762 return &this->public;
1763 }