06fd9229f29631a71e75fd63ab8037552f9078c5
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26
27 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
28 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
29 "TLS_NULL_WITH_NULL_NULL",
30 "TLS_RSA_WITH_NULL_MD5",
31 "TLS_RSA_WITH_NULL_SHA",
32 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
33 "TLS_RSA_WITH_RC4_128_MD5",
34 "TLS_RSA_WITH_RC4_128_SHA",
35 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
36 "TLS_RSA_WITH_IDEA_CBC_SHA",
37 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_RSA_WITH_DES_CBC_SHA",
39 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DH_DSS_WITH_DES_CBC_SHA",
42 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DH_RSA_WITH_DES_CBC_SHA",
45 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
47 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
48 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
49 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
50 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
51 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
52 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
53 "TLS_DH_anon_WITH_RC4_128_MD5",
54 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
55 "TLS_DH_anon_WITH_DES_CBC_SHA",
56 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
57 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
58 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
59 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
60 "TLS_KRB5_WITH_DES_CBC_SHA",
61 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
62 "TLS_KRB5_WITH_RC4_128_SHA",
63 "TLS_KRB5_WITH_IDEA_CBC_SHA",
64 "TLS_KRB5_WITH_DES_CBC_MD5",
65 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
66 "TLS_KRB5_WITH_RC4_128_MD5",
67 "TLS_KRB5_WITH_IDEA_CBC_MD5",
68 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
69 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
72 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
74 "TLS_PSK_WITH_NULL_SHA",
75 "TLS_DHE_PSK_WITH_NULL_SHA",
76 "TLS_RSA_PSK_WITH_NULL_SHA",
77 "TLS_RSA_WITH_AES_128_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
83 "TLS_RSA_WITH_AES_256_CBC_SHA",
84 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
85 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
89 "TLS_RSA_WITH_NULL_SHA256",
90 "TLS_RSA_WITH_AES_128_CBC_SHA256",
91 "TLS_RSA_WITH_AES_256_CBC_SHA256",
92 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
93 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
94 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
96 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
101 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
102 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
103 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
104 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
105 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
106 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
107 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
111 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
112 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
113 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
114 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
115 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_PSK_WITH_RC4_128_SHA",
121 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
122 "TLS_PSK_WITH_AES_128_CBC_SHA",
123 "TLS_PSK_WITH_AES_256_CBC_SHA",
124 "TLS_DHE_PSK_WITH_RC4_128_SHA",
125 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
126 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
128 "TLS_RSA_PSK_WITH_RC4_128_SHA",
129 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
130 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
132 "TLS_RSA_WITH_SEED_CBC_SHA",
133 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
134 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DH_anon_WITH_SEED_CBC_SHA",
138 "TLS_RSA_WITH_AES_128_GCM_SHA256",
139 "TLS_RSA_WITH_AES_256_GCM_SHA384",
140 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
145 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
146 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_GCM_SHA256",
151 "TLS_PSK_WITH_AES_256_GCM_SHA384",
152 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_PSK_WITH_AES_128_CBC_SHA256",
157 "TLS_PSK_WITH_AES_256_CBC_SHA384",
158 "TLS_PSK_WITH_NULL_SHA256",
159 "TLS_PSK_WITH_NULL_SHA384",
160 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
161 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
162 "TLS_DHE_PSK_WITH_NULL_SHA256",
163 "TLS_DHE_PSK_WITH_NULL_SHA384",
164 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
165 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
166 "TLS_RSA_PSK_WITH_NULL_SHA256",
167 "TLS_RSA_PSK_WITH_NULL_SHA384",
168 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
175 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
180 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
183 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
184 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
185 TLS_AES_128_CCM_8_SHA256,
186 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
187 "TLS_AES_128_GCM_SHA256",
188 "TLS_AES_256_GCM_SHA384",
189 "TLS_CHACHA20_POLY1305_SHA256",
190 "TLS_AES_128_CCM_SHA256",
191 "TLS_AES_128_CCM_8_SHA256");
192 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
193 TLS_ECDHE_PSK_WITH_NULL_SHA384,
194 TLS_AES_128_CCM_8_SHA256,
195 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
196 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
197 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
201 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
202 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
205 "TLS_ECDH_RSA_WITH_NULL_SHA",
206 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
207 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
210 "TLS_ECDHE_RSA_WITH_NULL_SHA",
211 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
212 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
213 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
215 "TLS_ECDH_anon_WITH_NULL_SHA",
216 "TLS_ECDH_anon_WITH_RC4_128_SHA",
217 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
218 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
220 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
221 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
224 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
227 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
229 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
230 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
231 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
238 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
239 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
246 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
247 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
251 "TLS_ECDHE_PSK_WITH_NULL_SHA",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
254 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
255
256 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
257 "NONE",
258 "MD5",
259 "SHA1",
260 "SHA224",
261 "SHA256",
262 "SHA384",
263 "SHA512",
264 );
265
266 ENUM_BEGIN(tls_signature_scheme_names,
267 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
268 "RSA_PKCS1_SHA1");
269 ENUM_NEXT(tls_signature_scheme_names,
270 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
271 "ECDSA_SHA1");
272 ENUM_NEXT(tls_signature_scheme_names,
273 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA1,
274 "RSA_PKCS1_SHA256");
275 ENUM_NEXT(tls_signature_scheme_names,
276 TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_RSA_PKCS1_SHA256,
277 "ECDSA_SHA256");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA256,
280 "RSA_PKCS1_SHA384");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_RSA_PKCS1_SHA384,
283 "ECDSA_SHA384");
284 ENUM_NEXT(tls_signature_scheme_names,
285 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA384,
286 "RSA_PKCS1_SHA512");
287 ENUM_NEXT(tls_signature_scheme_names,
288 TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_RSA_PKCS1_SHA512,
289 "ECDSA_SHA512");
290 ENUM_NEXT(tls_signature_scheme_names,
291 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
292 "RSA_PSS_RSAE_SHA256",
293 "RSA_PSS_RSAE_SHA384",
294 "RSA_PSS_RSAE_SHA512",
295 "ED25519",
296 "ED448",
297 "RSA_PSS_PSS_SHA256",
298 "RSA_PSS_PSS_SHA384",
299 "RSA_PSS_PSS_SHA512",
300 );
301 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
302
303 ENUM_BEGIN(tls_client_certificate_type_names,
304 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
305 "RSA_SIGN",
306 "DSA_SIGN",
307 "RSA_FIXED_DH",
308 "DSS_FIXED_DH",
309 "RSA_EPHEMERAL_DH",
310 "DSS_EPHEMERAL_DH");
311 ENUM_NEXT(tls_client_certificate_type_names,
312 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
313 "FORTEZZA_DMS");
314 ENUM_NEXT(tls_client_certificate_type_names,
315 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
316 "ECDSA_SIGN",
317 "RSA_FIXED_ECDH",
318 "ECDSA_FIXED_ECDH");
319 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
320
321 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
322 "EXPLICIT_PRIME",
323 "EXPLICIT_CHAR2",
324 "NAMED_CURVE",
325 );
326
327 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
328 "SECT163K1",
329 "SECT163R1",
330 "SECT163R2",
331 "SECT193R1",
332 "SECT193R2",
333 "SECT233K1",
334 "SECT233R1",
335 "SECT239K1",
336 "SECT283K1",
337 "SECT283R1",
338 "SECT409K1",
339 "SECT409R1",
340 "SECT571K1",
341 "SECT571R1",
342 "SECP160K1",
343 "SECP160R1",
344 "SECP160R2",
345 "SECP192K1",
346 "SECP192R1",
347 "SECP224K1",
348 "SECP224R1",
349 "SECP256K1",
350 "SECP256R1",
351 "SECP384R1",
352 "SECP521R1",
353 );
354 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
355 "CURVE25519",
356 "CURVE448",
357 );
358 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
359 "FFDHE2048",
360 "FFDHE3072",
361 "FFDHE4096",
362 "FFDHE6144",
363 "FFDHE8192",
364 );
365 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
366
367 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
368 "compressed",
369 "compressed y",
370 "uncompressed",
371 "uncompressed y",
372 "hybrid",
373 "hybrid y",
374 );
375
376 ENUM(tls_ec_point_format_names,
377 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
378 "uncompressed",
379 "ansiX962 compressed prime",
380 "ansiX962 compressed char2",
381 );
382
383 typedef struct private_tls_crypto_t private_tls_crypto_t;
384
385 /**
386 * Private data of an tls_crypto_t object.
387 */
388 struct private_tls_crypto_t {
389
390 /**
391 * Public tls_crypto_t interface.
392 */
393 tls_crypto_t public;
394
395 /**
396 * Protection layer
397 */
398 tls_protection_t *protection;
399
400 /**
401 * List of supported/acceptable cipher suites
402 */
403 tls_cipher_suite_t *suites;
404
405 /**
406 * Number of supported suites
407 */
408 int suite_count;
409
410 /**
411 * HKDF for TLS 1.3
412 */
413 tls_hkdf_t *hkdf;
414
415 /**
416 * Selected cipher suite
417 */
418 tls_cipher_suite_t suite;
419
420 /**
421 * RSA supported?
422 */
423 bool rsa;
424
425 /**
426 * ECDSA supported?
427 */
428 bool ecdsa;
429
430 /**
431 * TLS context
432 */
433 tls_t *tls;
434
435 /**
436 * TLS session cache
437 */
438 tls_cache_t *cache;
439
440 /**
441 * All handshake data concatenated
442 */
443 chunk_t handshake;
444
445 /**
446 * Connection state TLS PRF
447 */
448 tls_prf_t *prf;
449
450 /**
451 * AEAD transform for inbound traffic
452 */
453 tls_aead_t *aead_in;
454
455 /**
456 * AEAD transform for outbound traffic
457 */
458 tls_aead_t *aead_out;
459
460 /**
461 * EAP-[T]TLS MSK
462 */
463 chunk_t msk;
464
465 /**
466 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
467 */
468 char *msk_label;
469 };
470
471 typedef struct {
472 tls_cipher_suite_t suite;
473 key_type_t key;
474 diffie_hellman_group_t dh;
475 hash_algorithm_t hash;
476 pseudo_random_function_t prf;
477 integrity_algorithm_t mac;
478 encryption_algorithm_t encr;
479 size_t encr_size;
480 tls_version_t min_version;
481 tls_version_t max_version;
482 } suite_algs_t;
483
484 /**
485 * Mapping suites to a set of algorithms
486 */
487 static suite_algs_t suite_algs[] = {
488 /* Cipher suites of TLS 1.3: key exchange and authentication
489 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
490 { TLS_AES_128_GCM_SHA256,
491 KEY_ANY, MODP_NONE,
492 HASH_SHA256, PRF_UNDEFINED,
493 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
494 TLS_1_3, TLS_1_3,
495 },
496 { TLS_AES_256_GCM_SHA384,
497 KEY_ANY, MODP_NONE,
498 HASH_SHA384, PRF_UNDEFINED,
499 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
500 TLS_1_3, TLS_1_3,
501 },
502 { TLS_CHACHA20_POLY1305_SHA256,
503 KEY_ANY, MODP_NONE,
504 HASH_SHA256, PRF_UNDEFINED,
505 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
506 TLS_1_3, TLS_1_3,
507 },
508 { TLS_AES_128_CCM_SHA256,
509 KEY_ANY, MODP_NONE,
510 HASH_SHA256, PRF_UNDEFINED,
511 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
512 TLS_1_3, TLS_1_3,
513 },
514 { TLS_AES_128_CCM_8_SHA256,
515 KEY_ANY, MODP_NONE,
516 HASH_SHA256, PRF_UNDEFINED,
517 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
518 TLS_1_3, TLS_1_3,
519 },
520 /* Legacy TLS cipher suites */
521 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
522 KEY_ECDSA, ECP_256_BIT,
523 HASH_SHA256, PRF_HMAC_SHA2_256,
524 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
525 TLS_1_0, TLS_1_2,
526 },
527 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
528 KEY_ECDSA, ECP_256_BIT,
529 HASH_SHA256, PRF_HMAC_SHA2_256,
530 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
531 TLS_1_2, TLS_1_2,
532 },
533 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
534 KEY_ECDSA, ECP_384_BIT,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
537 TLS_1_0, TLS_1_2,
538 },
539 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
540 KEY_ECDSA, ECP_384_BIT,
541 HASH_SHA384, PRF_HMAC_SHA2_384,
542 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
543 TLS_1_2, TLS_1_2,
544 },
545 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
546 KEY_ECDSA, ECP_256_BIT,
547 HASH_SHA256, PRF_HMAC_SHA2_256,
548 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
549 TLS_1_2, TLS_1_2,
550 },
551 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
552 KEY_ECDSA, ECP_384_BIT,
553 HASH_SHA384, PRF_HMAC_SHA2_384,
554 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
555 TLS_1_2, TLS_1_2,
556 },
557 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
558 KEY_RSA, ECP_256_BIT,
559 HASH_SHA256, PRF_HMAC_SHA2_256,
560 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
561 TLS_1_0, TLS_1_2,
562 },
563 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
564 KEY_RSA, ECP_256_BIT,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
567 TLS_1_2, TLS_1_2,
568 },
569 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
570 KEY_RSA, ECP_384_BIT,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
573 TLS_1_0, TLS_1_2,
574 },
575 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
576 KEY_RSA, ECP_384_BIT,
577 HASH_SHA384, PRF_HMAC_SHA2_384,
578 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
579 TLS_1_2, TLS_1_2,
580 },
581 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
582 KEY_RSA, ECP_256_BIT,
583 HASH_SHA256, PRF_HMAC_SHA2_256,
584 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
585 TLS_1_2, TLS_1_2,
586 },
587 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
588 KEY_RSA, ECP_384_BIT,
589 HASH_SHA384, PRF_HMAC_SHA2_384,
590 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
591 TLS_1_2, TLS_1_2,
592 },
593 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
594 KEY_RSA, MODP_2048_BIT,
595 HASH_SHA256,PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
597 SSL_3_0, TLS_1_2,
598 },
599 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
600 KEY_RSA, MODP_3072_BIT,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
603 TLS_1_2, TLS_1_2,
604 },
605 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
606 KEY_RSA, MODP_3072_BIT,
607 HASH_SHA256, PRF_HMAC_SHA2_256,
608 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
609 SSL_3_0, TLS_1_2,
610 },
611 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
612 KEY_RSA, MODP_4096_BIT,
613 HASH_SHA256, PRF_HMAC_SHA2_256,
614 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
615 TLS_1_2, TLS_1_2,
616 },
617 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
618 KEY_RSA, MODP_3072_BIT,
619 HASH_SHA256, PRF_HMAC_SHA2_256,
620 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
621 TLS_1_2, TLS_1_2,
622 },
623 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
624 KEY_RSA, MODP_4096_BIT,
625 HASH_SHA384, PRF_HMAC_SHA2_384,
626 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
627 TLS_1_2, TLS_1_2,
628 },
629 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
630 KEY_RSA, MODP_2048_BIT,
631 HASH_SHA256, PRF_HMAC_SHA2_256,
632 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
633 SSL_3_0, TLS_1_2,
634 },
635 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
636 KEY_RSA, MODP_3072_BIT,
637 HASH_SHA256, PRF_HMAC_SHA2_256,
638 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
639 TLS_1_2, TLS_1_2,
640 },
641 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
642 KEY_RSA, MODP_3072_BIT,
643 HASH_SHA256, PRF_HMAC_SHA2_256,
644 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
645 SSL_3_0, TLS_1_2,
646 },
647 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
648 KEY_RSA, MODP_4096_BIT,
649 HASH_SHA256, PRF_HMAC_SHA2_256,
650 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
651 TLS_1_2, TLS_1_2,
652 },
653 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
654 KEY_RSA, MODP_2048_BIT,
655 HASH_SHA256, PRF_HMAC_SHA2_256,
656 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
657 SSL_3_0, TLS_1_2,
658 },
659 { TLS_RSA_WITH_AES_128_CBC_SHA,
660 KEY_RSA, MODP_NONE,
661 HASH_SHA256, PRF_HMAC_SHA2_256,
662 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
663 SSL_3_0, TLS_1_2,
664 },
665 { TLS_RSA_WITH_AES_128_CBC_SHA256,
666 KEY_RSA, MODP_NONE,
667 HASH_SHA256, PRF_HMAC_SHA2_256,
668 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
669 TLS_1_2, TLS_1_2,
670 },
671 { TLS_RSA_WITH_AES_256_CBC_SHA,
672 KEY_RSA, MODP_NONE,
673 HASH_SHA256, PRF_HMAC_SHA2_256,
674 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
675 SSL_3_0, TLS_1_2,
676 },
677 { TLS_RSA_WITH_AES_256_CBC_SHA256,
678 KEY_RSA, MODP_NONE,
679 HASH_SHA256, PRF_HMAC_SHA2_256,
680 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
681 TLS_1_2, TLS_1_2,
682 },
683 { TLS_RSA_WITH_AES_128_GCM_SHA256,
684 KEY_RSA, MODP_NONE,
685 HASH_SHA256, PRF_HMAC_SHA2_256,
686 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
687 TLS_1_2, TLS_1_2,
688 },
689 { TLS_RSA_WITH_AES_256_GCM_SHA384,
690 KEY_RSA, MODP_NONE,
691 HASH_SHA384, PRF_HMAC_SHA2_384,
692 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
693 TLS_1_2, TLS_1_2,
694 },
695 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
696 KEY_RSA, MODP_NONE,
697 HASH_SHA256, PRF_HMAC_SHA2_256,
698 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
699 SSL_3_0, TLS_1_2,
700 },
701 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
702 KEY_RSA, MODP_NONE,
703 HASH_SHA256, PRF_HMAC_SHA2_256,
704 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
705 TLS_1_2, TLS_1_2,
706 },
707 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
708 KEY_RSA, MODP_NONE,
709 HASH_SHA256, PRF_HMAC_SHA2_256,
710 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
711 SSL_3_0, TLS_1_2,
712 },
713 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
714 KEY_RSA, MODP_NONE,
715 HASH_SHA256, PRF_HMAC_SHA2_256,
716 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
717 TLS_1_2, TLS_1_2,
718 },
719 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
720 KEY_ECDSA, ECP_256_BIT,
721 HASH_SHA256, PRF_HMAC_SHA2_256,
722 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
723 TLS_1_0, TLS_1_2,
724 },
725 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
726 KEY_RSA, ECP_256_BIT,
727 HASH_SHA256, PRF_HMAC_SHA2_256,
728 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
729 TLS_1_0, TLS_1_2,
730 },
731 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
732 KEY_RSA, MODP_NONE,
733 HASH_SHA256, PRF_HMAC_SHA2_256,
734 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
735 SSL_3_0, TLS_1_2,
736 },
737 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
738 KEY_ECDSA, ECP_256_BIT,
739 HASH_SHA256, PRF_HMAC_SHA2_256,
740 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
741 TLS_1_0, TLS_1_2,
742 },
743 { TLS_ECDHE_RSA_WITH_NULL_SHA,
744 KEY_ECDSA, ECP_256_BIT,
745 HASH_SHA256, PRF_HMAC_SHA2_256,
746 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
747 TLS_1_0, TLS_1_2,
748 },
749 { TLS_RSA_WITH_NULL_SHA,
750 KEY_RSA, MODP_NONE,
751 HASH_SHA256, PRF_HMAC_SHA2_256,
752 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
753 SSL_3_0, TLS_1_2,
754 },
755 { TLS_RSA_WITH_NULL_SHA256,
756 KEY_RSA, MODP_NONE,
757 HASH_SHA256, PRF_HMAC_SHA2_256,
758 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
759 TLS_1_2, TLS_1_2,
760 },
761 { TLS_RSA_WITH_NULL_MD5,
762 KEY_RSA, MODP_NONE,
763 HASH_SHA256, PRF_HMAC_SHA2_256,
764 AUTH_HMAC_MD5_128, ENCR_NULL, 0,
765 SSL_2_0, TLS_1_2,
766 },
767 };
768
769 /**
770 * Look up algorithms by a suite
771 */
772 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
773 {
774 int i;
775
776 for (i = 0; i < countof(suite_algs); i++)
777 {
778 if (suite_algs[i].suite == suite)
779 {
780 return &suite_algs[i];
781 }
782 }
783 return NULL;
784 }
785
786 /**
787 * Filter a suite list using a transform enumerator
788 */
789 static void filter_suite(suite_algs_t suites[], int *count, int offset,
790 enumerator_t*(*create_enumerator)(crypto_factory_t*))
791 {
792 const char *plugin_name;
793 suite_algs_t current;
794 int *current_alg, i, remaining = 0;
795 enumerator_t *enumerator;
796
797 memset(&current, 0, sizeof(current));
798 current_alg = (int*)((char*)&current + offset);
799
800 for (i = 0; i < *count; i++)
801 {
802 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
803 encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering crypters, but current suite uses an AEAD, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 if (create_enumerator == lib->crypto->create_aead_enumerator &&
810 !encryption_algorithm_is_aead(suites[i].encr))
811 { /* filtering AEADs, but current suite doesn't use one, apply */
812 suites[remaining] = suites[i];
813 remaining++;
814 continue;
815 }
816 enumerator = create_enumerator(lib->crypto);
817 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
818 {
819 if (current.encr && current.encr != suites[i].encr)
820 {
821 if (suites[i].encr != ENCR_NULL)
822 { /* skip, ENCR does not match nor is NULL */
823 continue;
824 }
825 }
826 if (current.mac && current.mac != suites[i].mac)
827 {
828 if (suites[i].mac != AUTH_UNDEFINED)
829 { /* skip, MAC does not match nor is it undefined */
830 continue;
831 }
832 }
833 if (current.prf && current.prf != suites[i].prf)
834 {
835 if (suites[i].prf != PRF_UNDEFINED)
836 {
837 /* skip, PRF does not match nor is it undefined */
838 continue;
839 }
840 }
841 if (current.hash && current.hash != suites[i].hash)
842 { /* skip, hash does not match */
843 continue;
844 }
845 if (current.dh && current.dh != suites[i].dh)
846 {
847 if (suites[i].dh != MODP_NONE)
848 { /* skip DH group, does not match nor NONE */
849 continue;
850 }
851 }
852 /* suite supported, apply */
853 suites[remaining] = suites[i];
854 remaining++;
855 break;
856 }
857 enumerator->destroy(enumerator);
858 }
859 *count = remaining;
860 }
861
862 /**
863 * Purge NULL encryption cipher suites from list
864 */
865 static void filter_null_suites(suite_algs_t suites[], int *count)
866 {
867 int i, remaining = 0;
868
869 for (i = 0; i < *count; i++)
870 {
871 if (suites[i].encr != ENCR_NULL)
872 {
873 suites[remaining] = suites[i];
874 remaining++;
875 }
876 }
877 *count = remaining;
878 }
879
880 /**
881 * Purge suites using a given key type
882 */
883 static void filter_key_suites(private_tls_crypto_t *this,
884 suite_algs_t suites[], int *count, key_type_t key)
885 {
886 int i, remaining = 0;
887
888 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
889 for (i = 0; i < *count; i++)
890 {
891 if (suites[i].key != key)
892 {
893 suites[remaining] = suites[i];
894 remaining++;
895 }
896 }
897 *count = remaining;
898 }
899
900 /**
901 * Filter suites by key exchange user config
902 */
903 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
904 suite_algs_t suites[], int *count)
905 {
906 enumerator_t *enumerator;
907 int i, remaining = 0;
908 char *token, *config;
909
910 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
911 lib->ns);
912 if (config)
913 {
914 for (i = 0; i < *count; i++)
915 {
916 enumerator = enumerator_create_token(config, ",", " ");
917 while (enumerator->enumerate(enumerator, &token))
918 {
919 if (strcaseeq(token, "ecdhe-ecdsa") &&
920 diffie_hellman_group_is_ec(suites[i].dh) &&
921 suites[i].key == KEY_ECDSA)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "ecdhe-rsa") &&
927 diffie_hellman_group_is_ec(suites[i].dh) &&
928 suites[i].key == KEY_RSA)
929 {
930 suites[remaining++] = suites[i];
931 break;
932 }
933 if (strcaseeq(token, "dhe-rsa") &&
934 !diffie_hellman_group_is_ec(suites[i].dh) &&
935 suites[i].dh != MODP_NONE &&
936 suites[i].key == KEY_RSA)
937 {
938 suites[remaining++] = suites[i];
939 break;
940 }
941 if (strcaseeq(token, "rsa") &&
942 suites[i].dh == MODP_NONE &&
943 suites[i].key == KEY_RSA)
944 {
945 suites[remaining++] = suites[i];
946 break;
947 }
948 }
949 enumerator->destroy(enumerator);
950 }
951 *count = remaining;
952 }
953 }
954
955 /**
956 * Filter suites by cipher user config
957 */
958 static void filter_cipher_config_suites(private_tls_crypto_t *this,
959 suite_algs_t suites[], int *count)
960 {
961 enumerator_t *enumerator;
962 int i, remaining = 0;
963 char *token, *config;
964
965 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
966 lib->ns);
967 if (config)
968 {
969 for (i = 0; i < *count; i++)
970 {
971 enumerator = enumerator_create_token(config, ",", " ");
972 while (enumerator->enumerate(enumerator, &token))
973 {
974 if (strcaseeq(token, "aes128") &&
975 suites[i].encr == ENCR_AES_CBC &&
976 suites[i].encr_size == 16)
977 {
978 suites[remaining++] = suites[i];
979 break;
980 }
981 if (strcaseeq(token, "aes256") &&
982 suites[i].encr == ENCR_AES_CBC &&
983 suites[i].encr_size == 32)
984 {
985 suites[remaining++] = suites[i];
986 break;
987 }
988 if (strcaseeq(token, "aes128gcm") &&
989 suites[i].encr == ENCR_AES_GCM_ICV16 &&
990 suites[i].encr_size == 16)
991 {
992 suites[remaining++] = suites[i];
993 break;
994 }
995 if (strcaseeq(token, "aes256gcm") &&
996 suites[i].encr == ENCR_AES_GCM_ICV16 &&
997 suites[i].encr_size == 32)
998 {
999 suites[remaining++] = suites[i];
1000 break;
1001 }
1002 if (strcaseeq(token, "camellia128") &&
1003 suites[i].encr == ENCR_CAMELLIA_CBC &&
1004 suites[i].encr_size == 16)
1005 {
1006 suites[remaining++] = suites[i];
1007 break;
1008 }
1009 if (strcaseeq(token, "camellia256") &&
1010 suites[i].encr == ENCR_CAMELLIA_CBC &&
1011 suites[i].encr_size == 32)
1012 {
1013 suites[remaining++] = suites[i];
1014 break;
1015 }
1016 if (strcaseeq(token, "3des") &&
1017 suites[i].encr == ENCR_3DES)
1018 {
1019 suites[remaining++] = suites[i];
1020 break;
1021 }
1022 if (strcaseeq(token, "null") &&
1023 suites[i].encr == ENCR_NULL)
1024 {
1025 suites[remaining++] = suites[i];
1026 break;
1027 }
1028 }
1029 enumerator->destroy(enumerator);
1030 }
1031 *count = remaining;
1032 }
1033 }
1034
1035 /**
1036 * Filter suites by mac user config
1037 */
1038 static void filter_mac_config_suites(private_tls_crypto_t *this,
1039 suite_algs_t suites[], int *count)
1040 {
1041 enumerator_t *enumerator;
1042 int i, remaining = 0;
1043 char *token, *config;
1044
1045 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1046 lib->ns);
1047 if (config)
1048 {
1049 for (i = 0; i < *count; i++)
1050 {
1051 enumerator = enumerator_create_token(config, ",", " ");
1052 while (enumerator->enumerate(enumerator, &token))
1053 {
1054 if (strcaseeq(token, "md5") &&
1055 suites[i].mac == AUTH_HMAC_MD5_128)
1056 {
1057 suites[remaining++] = suites[i];
1058 break;
1059 }
1060 if (strcaseeq(token, "sha1") &&
1061 suites[i].mac == AUTH_HMAC_SHA1_160)
1062 {
1063 suites[remaining++] = suites[i];
1064 break;
1065 }
1066 if (strcaseeq(token, "sha256") &&
1067 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1068 {
1069 suites[remaining++] = suites[i];
1070 break;
1071 }
1072 if (strcaseeq(token, "sha384") &&
1073 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1074 {
1075 suites[remaining++] = suites[i];
1076 break;
1077 }
1078 }
1079 enumerator->destroy(enumerator);
1080 }
1081 *count = remaining;
1082 }
1083 }
1084
1085 /**
1086 * Filter for specific suites specified in strongswan.conf
1087 */
1088 static void filter_specific_config_suites(private_tls_crypto_t *this,
1089 suite_algs_t suites[], int *count)
1090 {
1091 enumerator_t *enumerator;
1092 int i, remaining = 0, suite;
1093 char *token, *config;
1094
1095 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1096 lib->ns);
1097 if (config)
1098 {
1099 for (i = 0; i < *count; i++)
1100 {
1101 enumerator = enumerator_create_token(config, ",", " ");
1102 while (enumerator->enumerate(enumerator, &token))
1103 {
1104 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1105 suite == suites[i].suite)
1106 {
1107 suites[remaining++] = suites[i];
1108 break;
1109 }
1110 }
1111 enumerator->destroy(enumerator);
1112 }
1113 *count = remaining;
1114 }
1115 }
1116
1117 /**
1118 * Filter out unsupported suites on given suite array
1119 */
1120 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1121 {
1122 /* filter suite list by each algorithm */
1123 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1124 lib->crypto->create_aead_enumerator);
1125 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1126 lib->crypto->create_prf_enumerator);
1127 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1128 lib->crypto->create_crypter_enumerator);
1129 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1130 lib->crypto->create_signer_enumerator);
1131 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1132 lib->crypto->create_hasher_enumerator);
1133 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1134 lib->crypto->create_dh_enumerator);
1135 }
1136
1137 /**
1138 * Initialize the cipher suite list
1139 */
1140 static void build_cipher_suite_list(private_tls_crypto_t *this)
1141 {
1142 suite_algs_t suites[countof(suite_algs)];
1143 tls_version_t min_version, max_version, new_min_version, new_max_version;
1144 bool require_encryption;
1145 int count = 0, i;
1146
1147 switch (this->tls->get_purpose(this->tls))
1148 {
1149 case TLS_PURPOSE_EAP_TLS:
1150 case TLS_PURPOSE_GENERIC_NULLOK:
1151 require_encryption = FALSE;
1152 break;
1153 case TLS_PURPOSE_EAP_PEAP:
1154 case TLS_PURPOSE_EAP_TTLS:
1155 case TLS_PURPOSE_GENERIC:
1156 require_encryption = TRUE;
1157 break;
1158 default:
1159 return;
1160 }
1161
1162 min_version = this->tls->get_version_min(this->tls);
1163 max_version = this->tls->get_version_max(this->tls);
1164
1165 /* copy all suites appropriate for the current min/max versions */
1166 for (i = 0; i < countof(suite_algs); i++)
1167 {
1168 if (suite_algs[i].min_version <= max_version &&
1169 suite_algs[i].max_version >= min_version)
1170 {
1171 suites[count++] = suite_algs[i];
1172 }
1173 }
1174
1175 if (require_encryption)
1176 {
1177 filter_null_suites(suites, &count);
1178 }
1179 if (!this->rsa)
1180 {
1181 filter_key_suites(this, suites, &count, KEY_RSA);
1182 }
1183 if (!this->ecdsa)
1184 {
1185 filter_key_suites(this, suites, &count, KEY_ECDSA);
1186 }
1187
1188 filter_unsupported_suites(suites, &count);
1189
1190 /* filter suites with strongswan.conf options */
1191 filter_key_exchange_config_suites(this, suites, &count);
1192 filter_cipher_config_suites(this, suites, &count);
1193 filter_mac_config_suites(this, suites, &count);
1194 filter_specific_config_suites(this, suites, &count);
1195
1196 free(this->suites);
1197 this->suite_count = count;
1198 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1199
1200 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1201 new_min_version = max_version;
1202 new_max_version = min_version;
1203 for (i = 0; i < count; i++)
1204 {
1205 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1206 this->suites[i] = suites[i].suite;
1207
1208 /* set TLS min/max versions appropriate to the final cipher suites */
1209 new_max_version = max(new_max_version, suites[i].max_version);
1210 new_min_version = min(new_min_version, suites[i].min_version);
1211 }
1212 new_max_version = min(new_max_version, max_version);
1213 new_min_version = max(new_min_version, min_version);
1214
1215 if (min_version != new_min_version || max_version != new_max_version)
1216 {
1217 this->tls->set_version(this->tls, new_min_version, new_max_version);
1218 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1219 tls_version_names, new_min_version,
1220 tls_version_names, new_max_version);
1221 }
1222 }
1223
1224 METHOD(tls_crypto_t, get_cipher_suites, int,
1225 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1226 {
1227 if (!this->suites)
1228 {
1229 build_cipher_suite_list(this);
1230 }
1231 *suites = this->suites;
1232 return this->suite_count;
1233 }
1234
1235 /**
1236 * Create NULL encryption transforms
1237 */
1238 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1239 {
1240 this->aead_in = tls_aead_create_null(algs->mac);
1241 this->aead_out = tls_aead_create_null(algs->mac);
1242 if (!this->aead_in || !this->aead_out)
1243 {
1244 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1245 integrity_algorithm_names, algs->mac);
1246 return FALSE;
1247 }
1248 return TRUE;
1249 }
1250
1251 /**
1252 * Create traditional transforms
1253 */
1254 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1255 {
1256 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1257 {
1258 this->aead_in = tls_aead_create_implicit(algs->mac,
1259 algs->encr, algs->encr_size);
1260 this->aead_out = tls_aead_create_implicit(algs->mac,
1261 algs->encr, algs->encr_size);
1262 }
1263 else
1264 {
1265 this->aead_in = tls_aead_create_explicit(algs->mac,
1266 algs->encr, algs->encr_size);
1267 this->aead_out = tls_aead_create_explicit(algs->mac,
1268 algs->encr, algs->encr_size);
1269 }
1270 if (!this->aead_in || !this->aead_out)
1271 {
1272 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1273 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1274 integrity_algorithm_names, algs->mac);
1275 return FALSE;
1276 }
1277 return TRUE;
1278 }
1279
1280 /**
1281 * Create AEAD transforms
1282 */
1283 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1284 {
1285 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1286 {
1287 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1288 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1289 }
1290 else
1291 {
1292 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1293 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1294 }
1295 if (!this->aead_in || !this->aead_out)
1296 {
1297 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1298 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1299 return FALSE;
1300 }
1301 return TRUE;
1302 }
1303
1304 /**
1305 * Clean up and unset AEAD transforms
1306 */
1307 static void destroy_aeads(private_tls_crypto_t *this)
1308 {
1309 DESTROY_IF(this->aead_in);
1310 DESTROY_IF(this->aead_out);
1311 this->aead_in = this->aead_out = NULL;
1312 }
1313
1314 /**
1315 * Create crypto primitives
1316 */
1317 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1318 {
1319 destroy_aeads(this);
1320 DESTROY_IF(this->hkdf);
1321 DESTROY_IF(this->prf);
1322 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1323 {
1324 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1325 {
1326 this->prf = tls_prf_create_10();
1327 }
1328 else
1329 {
1330 this->prf = tls_prf_create_12(algs->prf);
1331 }
1332 if (!this->prf)
1333 {
1334 DBG1(DBG_TLS, "selected TLS PRF not supported");
1335 return FALSE;
1336 }
1337 }
1338 else
1339 {
1340 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1341 if (!this->hkdf)
1342 {
1343 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1344 return FALSE;
1345 }
1346 }
1347 if (algs->encr == ENCR_NULL)
1348 {
1349 if (create_null(this, algs))
1350 {
1351 return TRUE;
1352 }
1353 }
1354 else if (encryption_algorithm_is_aead(algs->encr))
1355 {
1356 if (create_aead(this, algs))
1357 {
1358 return TRUE;
1359 }
1360 }
1361 else
1362 {
1363 if (create_traditional(this, algs))
1364 {
1365 return TRUE;
1366 }
1367 }
1368 destroy_aeads(this);
1369 return FALSE;
1370 }
1371
1372 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1373 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1374 key_type_t key)
1375 {
1376 suite_algs_t *algs;
1377 int i, j;
1378
1379 if (!this->suites)
1380 {
1381 build_cipher_suite_list(this);
1382 }
1383
1384 for (i = 0; i < this->suite_count; i++)
1385 {
1386 for (j = 0; j < count; j++)
1387 {
1388 if (this->suites[i] == suites[j])
1389 {
1390 algs = find_suite(this->suites[i]);
1391 if (algs)
1392 {
1393 if (key == KEY_ANY || key == algs->key)
1394 {
1395 if (create_ciphers(this, algs))
1396 {
1397 this->suite = this->suites[i];
1398 return this->suite;
1399 }
1400 }
1401 }
1402 }
1403 }
1404 }
1405 return 0;
1406 }
1407
1408 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1409 private_tls_crypto_t *this)
1410 {
1411 suite_algs_t *algs;
1412
1413 algs = find_suite(this->suite);
1414 if (algs)
1415 {
1416 return algs->dh;
1417 }
1418 return MODP_NONE;
1419 }
1420
1421 /**
1422 * Parameters for RSA/PSS signature schemes
1423 */
1424 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1425 .hash = HASH_SHA##bits, \
1426 .mgf1_hash = HASH_SHA##bits, \
1427 .salt_len = HASH_SIZE_SHA##bits, \
1428 }
1429
1430 PSS_PARAMS(256);
1431 PSS_PARAMS(384);
1432 PSS_PARAMS(512);
1433
1434 /**
1435 * Map TLS signature schemes, ordered by preference
1436 */
1437 static struct {
1438 tls_signature_scheme_t sig;
1439 signature_params_t params;
1440 /* min/max versions for use in CertificateVerify */
1441 tls_version_t min_version;
1442 tls_version_t max_version;
1443 } schemes[] = {
1444 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1445 TLS_1_0, TLS_1_3 },
1446 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1447 TLS_1_0, TLS_1_3 },
1448 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1449 TLS_1_0, TLS_1_3 },
1450 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1451 TLS_1_3, TLS_1_3 },
1452 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1453 TLS_1_3, TLS_1_3 },
1454 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1455 TLS_1_2, TLS_1_3 },
1456 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1457 TLS_1_2, TLS_1_3 },
1458 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1459 TLS_1_2, TLS_1_3 },
1460 /* the parameters for the next three should actually be taken from the
1461 * public key, we currently don't have an API for that, so assume defaults */
1462 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1463 TLS_1_2, TLS_1_3 },
1464 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1465 TLS_1_2, TLS_1_3 },
1466 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1467 TLS_1_2, TLS_1_3 },
1468 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1469 TLS_1_0, TLS_1_2 },
1470 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1471 TLS_1_0, TLS_1_2 },
1472 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1473 TLS_1_0, TLS_1_2 },
1474 };
1475
1476 METHOD(tls_crypto_t, get_signature_algorithms, void,
1477 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1478 {
1479 bio_writer_t *supported;
1480 tls_version_t min_version, max_version;
1481 int i;
1482
1483 supported = bio_writer_create(32);
1484
1485 if (!cert)
1486 {
1487 min_version = this->tls->get_version_min(this->tls);
1488 max_version = this->tls->get_version_max(this->tls);
1489 }
1490
1491 for (i = 0; i < countof(schemes); i++)
1492 {
1493 if ((cert || (schemes[i].min_version <= max_version &&
1494 schemes[i].max_version >= min_version)) &&
1495 lib->plugins->has_feature(lib->plugins,
1496 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1497 {
1498 supported->write_uint16(supported, schemes[i].sig);
1499 }
1500 }
1501
1502 supported->wrap16(supported);
1503 writer->write_data16(writer, supported->get_buf(supported));
1504 supported->destroy(supported);
1505 }
1506
1507 /**
1508 * Get the signature parameters from a TLS signature scheme
1509 */
1510 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig)
1511 {
1512 int i;
1513
1514 for (i = 0; i < countof(schemes); i++)
1515 {
1516 if (schemes[i].sig == sig)
1517 {
1518 return &schemes[i].params;
1519 }
1520 }
1521 return NULL;
1522 }
1523
1524 /**
1525 * Mapping groups to TLS named curves
1526 */
1527 static struct {
1528 diffie_hellman_group_t group;
1529 tls_named_group_t curve;
1530 } curves[] = {
1531 { ECP_256_BIT, TLS_SECP256R1},
1532 { ECP_384_BIT, TLS_SECP384R1},
1533 { ECP_521_BIT, TLS_SECP521R1},
1534 { ECP_224_BIT, TLS_SECP224R1},
1535 { ECP_192_BIT, TLS_SECP192R1},
1536 { CURVE_25519, TLS_CURVE25519},
1537 { CURVE_448, TLS_CURVE448},
1538 };
1539
1540 CALLBACK(group_filter, bool,
1541 void *null, enumerator_t *orig, va_list args)
1542 {
1543 diffie_hellman_group_t group, *out;
1544 tls_named_group_t *curve;
1545 char *plugin;
1546 int i;
1547
1548 VA_ARGS_VGET(args, out, curve);
1549
1550 while (orig->enumerate(orig, &group, &plugin))
1551 {
1552 for (i = 0; i < countof(curves); i++)
1553 {
1554 if (curves[i].group == group)
1555 {
1556 if (out)
1557 {
1558 *out = curves[i].group;
1559 }
1560 if (curve)
1561 {
1562 *curve = curves[i].curve;
1563 }
1564 return TRUE;
1565 }
1566 }
1567 }
1568 return FALSE;
1569 }
1570
1571 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1572 private_tls_crypto_t *this)
1573 {
1574 return enumerator_create_filter(
1575 lib->crypto->create_dh_enumerator(lib->crypto),
1576 group_filter, NULL, NULL);
1577 }
1578
1579 METHOD(tls_crypto_t, set_protection, void,
1580 private_tls_crypto_t *this, tls_protection_t *protection)
1581 {
1582 this->protection = protection;
1583 }
1584
1585 METHOD(tls_crypto_t, append_handshake, void,
1586 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1587 {
1588 uint32_t header;
1589
1590 /* reconstruct handshake header */
1591 header = htonl(data.len | (type << 24));
1592 this->handshake = chunk_cat("mcc", this->handshake,
1593 chunk_from_thing(header), data);
1594 }
1595
1596 /**
1597 * Create a hash using the suites HASH algorithm
1598 */
1599 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1600 {
1601 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1602 {
1603 hasher_t *hasher;
1604 suite_algs_t *alg;
1605
1606 alg = find_suite(this->suite);
1607 if (!alg)
1608 {
1609 return FALSE;
1610 }
1611 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1612 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1613 {
1614 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1615 DESTROY_IF(hasher);
1616 return FALSE;
1617 }
1618 hasher->destroy(hasher);
1619 }
1620 else
1621 {
1622 hasher_t *md5, *sha1;
1623 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1624
1625 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1626 if (!md5 || !md5->get_hash(md5, data, buf))
1627 {
1628 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1629 DESTROY_IF(md5);
1630 return FALSE;
1631 }
1632 md5->destroy(md5);
1633 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1634 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1635 {
1636 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1637 DESTROY_IF(sha1);
1638 return FALSE;
1639 }
1640 sha1->destroy(sha1);
1641
1642 *hash = chunk_clone(chunk_from_thing(buf));
1643 }
1644 return TRUE;
1645 }
1646
1647 METHOD(tls_crypto_t, hash_handshake, bool,
1648 private_tls_crypto_t *this, chunk_t *out)
1649 {
1650 chunk_t hash;
1651
1652 if (!hash_data(this, this->handshake, &hash))
1653 {
1654 return FALSE;
1655 }
1656
1657 chunk_free(&this->handshake);
1658 append_handshake(this, TLS_MESSAGE_HASH, hash);
1659
1660 if (out)
1661 {
1662 *out = hash;
1663 }
1664 else
1665 {
1666 free(hash.ptr);
1667 }
1668 return TRUE;
1669 }
1670
1671 /**
1672 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1673 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1674 */
1675 static chunk_t tls13_sig_data_server = chunk_from_chars(
1676 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1677 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1678 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1679 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1680 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1681 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1682 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1683 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1684 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1685 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1686 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1687 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1688 0x79, 0x00,
1689 );
1690
1691 METHOD(tls_crypto_t, sign, bool,
1692 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1693 chunk_t data, chunk_t hashsig)
1694 {
1695 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1696 {
1697 /* fallback to SHA1/RSA and SHA1/ECDSA */
1698 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1699 signature_params_t *params;
1700 key_type_t type;
1701 uint16_t scheme;
1702 bio_reader_t *reader;
1703 chunk_t sig;
1704 bool done = FALSE;
1705
1706 if (!hashsig.len)
1707 { /* fallback if none given */
1708 hashsig = hashsig_def;
1709 }
1710 type = key->get_type(key);
1711 reader = bio_reader_create(hashsig);
1712 while (reader->remaining(reader) >= 2)
1713 {
1714 if (reader->read_uint16(reader, &scheme))
1715 {
1716 params = params_for_scheme(scheme);
1717 if (params &&
1718 type == key_type_from_signature_scheme(params->scheme) &&
1719 key->sign(key, params->scheme, params->params, data, &sig))
1720 {
1721 done = TRUE;
1722 break;
1723 }
1724 }
1725 }
1726 reader->destroy(reader);
1727 if (!done)
1728 {
1729 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1730 return FALSE;
1731 }
1732 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1733 scheme);
1734 writer->write_uint16(writer, scheme);
1735 writer->write_data16(writer, sig);
1736 free(sig.ptr);
1737 }
1738 else
1739 {
1740 chunk_t sig, hash;
1741 bool done;
1742
1743 switch (key->get_type(key))
1744 {
1745 case KEY_RSA:
1746 if (!hash_data(this, data, &hash))
1747 {
1748 return FALSE;
1749 }
1750 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1751 &sig);
1752 free(hash.ptr);
1753 if (!done)
1754 {
1755 return FALSE;
1756 }
1757 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1758 break;
1759 case KEY_ECDSA:
1760 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1761 {
1762 return FALSE;
1763 }
1764 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1765 break;
1766 default:
1767 return FALSE;
1768 }
1769 writer->write_data16(writer, sig);
1770 free(sig.ptr);
1771 }
1772 return TRUE;
1773 }
1774
1775 METHOD(tls_crypto_t, verify, bool,
1776 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1777 chunk_t data)
1778 {
1779 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1780 {
1781 signature_params_t *params;
1782 uint16_t scheme;
1783 chunk_t sig;
1784
1785 if (!reader->read_uint16(reader, &scheme) ||
1786 !reader->read_data16(reader, &sig))
1787 {
1788 DBG1(DBG_TLS, "received invalid signature");
1789 return FALSE;
1790 }
1791 params = params_for_scheme(scheme);
1792 if (!params)
1793 {
1794 DBG1(DBG_TLS, "signature algorithms %N not supported",
1795 tls_signature_scheme_names, scheme);
1796 return FALSE;
1797 }
1798 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1799 {
1800 chunk_t transcript_hash;
1801
1802 if (!hash_data(this, data, &transcript_hash))
1803 {
1804 DBG1(DBG_TLS, "Unable to create transcript hash");
1805 return FALSE;
1806 }
1807
1808 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1809 }
1810 if (!key->verify(key, params->scheme, params->params, data, sig))
1811 {
1812 DBG1(DBG_TLS, "signature verification with %N failed",
1813 tls_signature_scheme_names, scheme);
1814 return FALSE;
1815 }
1816 DBG2(DBG_TLS, "verified signature with %N",
1817 tls_signature_scheme_names, scheme);
1818 }
1819 else
1820 {
1821 chunk_t sig, hash;
1822 bool done;
1823
1824 if (!reader->read_data16(reader, &sig))
1825 {
1826 DBG1(DBG_TLS, "received invalid signature");
1827 return FALSE;
1828 }
1829 switch (key->get_type(key))
1830 {
1831 case KEY_RSA:
1832 if (!hash_data(this, data, &hash))
1833 {
1834 return FALSE;
1835 }
1836 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1837 sig);
1838 free(hash.ptr);
1839 if (!done)
1840 {
1841 return FALSE;
1842 }
1843 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1844 break;
1845 case KEY_ECDSA:
1846 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1847 sig))
1848 {
1849 return FALSE;
1850 }
1851 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1852 break;
1853 default:
1854 return FALSE;
1855 }
1856 }
1857 return TRUE;
1858 }
1859
1860 METHOD(tls_crypto_t, sign_handshake, bool,
1861 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1862 chunk_t hashsig)
1863 {
1864 return sign(this, key, writer, this->handshake, hashsig);
1865 }
1866
1867 METHOD(tls_crypto_t, verify_handshake, bool,
1868 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1869 {
1870 return verify(this, key, reader, this->handshake);
1871 }
1872
1873 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1874 private_tls_crypto_t *this, char *label, char out[12])
1875 {
1876 chunk_t seed;
1877
1878 if (!this->prf)
1879 {
1880 return FALSE;
1881 }
1882 if (!hash_data(this, this->handshake, &seed))
1883 {
1884 return FALSE;
1885 }
1886 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1887 {
1888 free(seed.ptr);
1889 return FALSE;
1890 }
1891 free(seed.ptr);
1892 return TRUE;
1893 }
1894
1895 METHOD(tls_crypto_t, calculate_finished, bool,
1896 private_tls_crypto_t *this, bool is_server, chunk_t *out)
1897 {
1898 chunk_t finished_key, finished_hash;
1899
1900 if (!this->hkdf)
1901 {
1902 return FALSE;
1903 }
1904 if (!hash_data(this, this->handshake, &finished_hash))
1905 {
1906 DBG1(DBG_TLS, "creating hash of handshake failed");
1907 return FALSE;
1908 }
1909 if (!this->hkdf->derive_finished(this->hkdf, is_server, &finished_key))
1910 {
1911 DBG1(DBG_TLS, "generating finished key failed");
1912 chunk_clear(&finished_hash);
1913 return FALSE;
1914 }
1915 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
1916 {
1917 DBG1(DBG_TLS, "generating finished HMAC failed");
1918 chunk_clear(&finished_key);
1919 chunk_clear(&finished_hash);
1920 return FALSE;
1921 }
1922 chunk_clear(&finished_key);
1923 chunk_clear(&finished_hash);
1924 return TRUE;
1925 }
1926
1927 /**
1928 * Derive master secret from premaster, optionally save session
1929 */
1930 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1931 chunk_t session, identification_t *id,
1932 chunk_t client_random, chunk_t server_random)
1933 {
1934 char master[48];
1935 chunk_t seed;
1936
1937 /* derive master secret */
1938 seed = chunk_cata("cc", client_random, server_random);
1939
1940 if (!this->prf->set_key(this->prf, premaster) ||
1941 !this->prf->get_bytes(this->prf, "master secret", seed,
1942 sizeof(master), master) ||
1943 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1944 {
1945 return FALSE;
1946 }
1947
1948 if (this->cache && session.len)
1949 {
1950 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1951 this->suite);
1952 }
1953 memwipe(master, sizeof(master));
1954 return TRUE;
1955 }
1956
1957 /**
1958 * Expand key material from master secret
1959 */
1960 static bool expand_keys(private_tls_crypto_t *this,
1961 chunk_t client_random, chunk_t server_random)
1962 {
1963 chunk_t seed, block;
1964 chunk_t cw_mac, cw, cw_iv;
1965 chunk_t sw_mac, sw, sw_iv;
1966 int mklen, eklen, ivlen;
1967
1968 if (!this->aead_in || !this->aead_out)
1969 {
1970 return FALSE;
1971 }
1972
1973 /* derive key block for key expansion */
1974 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1975 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1976 ivlen = this->aead_in->get_iv_size(this->aead_in);
1977 seed = chunk_cata("cc", server_random, client_random);
1978 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1979 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1980 block.len, block.ptr))
1981 {
1982 return FALSE;
1983 }
1984
1985 /* client/server write signer keys */
1986 cw_mac = chunk_create(block.ptr, mklen);
1987 block = chunk_skip(block, mklen);
1988 sw_mac = chunk_create(block.ptr, mklen);
1989 block = chunk_skip(block, mklen);
1990
1991 /* client/server write encryption keys */
1992 cw = chunk_create(block.ptr, eklen);
1993 block = chunk_skip(block, eklen);
1994 sw = chunk_create(block.ptr, eklen);
1995 block = chunk_skip(block, eklen);
1996
1997 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1998 cw_iv = chunk_create(block.ptr, ivlen);
1999 block = chunk_skip(block, ivlen);
2000 sw_iv = chunk_create(block.ptr, ivlen);
2001 block = chunk_skip(block, ivlen);
2002
2003 if (this->tls->is_server(this->tls))
2004 {
2005 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2006 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2007 {
2008 return FALSE;
2009 }
2010 }
2011 else
2012 {
2013 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2014 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2015 {
2016 return FALSE;
2017 }
2018 }
2019
2020 /* EAP-MSK */
2021 if (this->msk_label)
2022 {
2023 seed = chunk_cata("cc", client_random, server_random);
2024 this->msk = chunk_alloc(64);
2025 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2026 this->msk.len, this->msk.ptr))
2027 {
2028 return FALSE;
2029 }
2030 }
2031 return TRUE;
2032 }
2033
2034 METHOD(tls_crypto_t, derive_secrets, bool,
2035 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2036 identification_t *id, chunk_t client_random, chunk_t server_random)
2037 {
2038 return derive_master(this, premaster, session, id,
2039 client_random, server_random) &&
2040 expand_keys(this, client_random, server_random);
2041 }
2042
2043 /**
2044 * Derive and configure the client/server key/IV on an AEAD using a given label.
2045 */
2046 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2047 tls_hkdf_label_t label, tls_aead_t *aead)
2048 {
2049 chunk_t key = chunk_empty, iv = chunk_empty;
2050 bool success = FALSE;
2051
2052 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2053 NULL) ||
2054 !this->hkdf->derive_key(this->hkdf, server,
2055 aead->get_encr_key_size(aead), &key) ||
2056 !this->hkdf->derive_iv(this->hkdf, server,
2057 aead->get_iv_size(aead), &iv))
2058 {
2059 DBG1(DBG_TLS, "deriving key material failed");
2060 goto out;
2061 }
2062
2063 if (!aead->set_keys(aead, chunk_empty, key, iv))
2064 {
2065 DBG1(DBG_TLS, "setting AEAD key material failed");
2066 goto out;
2067 }
2068 success = TRUE;
2069
2070 out:
2071 chunk_clear(&key);
2072 chunk_clear(&iv);
2073 return success;
2074 }
2075
2076 /**
2077 * Derive and configure the keys/IVs using the given labels.
2078 */
2079 static bool derive_labeled_keys(private_tls_crypto_t *this,
2080 tls_hkdf_label_t client_label,
2081 tls_hkdf_label_t server_label)
2082 {
2083 tls_aead_t *aead_c = this->aead_out, *aead_s = this->aead_in;
2084
2085 if (this->tls->is_server(this->tls))
2086 {
2087 aead_c = this->aead_in;
2088 aead_s = this->aead_out;
2089 }
2090 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2091 derive_labeled_key(this, TRUE, server_label, aead_s);
2092 }
2093
2094 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2095 private_tls_crypto_t *this, chunk_t shared_secret)
2096 {
2097 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2098 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2099 TLS_HKDF_S_HS_TRAFFIC);
2100 }
2101
2102 METHOD(tls_crypto_t, derive_app_keys, bool,
2103 private_tls_crypto_t *this)
2104 {
2105 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2106 TLS_HKDF_S_AP_TRAFFIC))
2107 {
2108 return FALSE;
2109 }
2110
2111 /* EAP-MSK */
2112 if (this->msk_label)
2113 {
2114 /* because the length is encoded when expanding key material, we
2115 * request the same number of bytes as FreeRADIUS (the first 64 for
2116 * the MSK, the next for the EMSK, which we just ignore) */
2117 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2118 this->handshake, 128, &this->msk))
2119 {
2120 return FALSE;
2121 }
2122 this->msk.len = 64;
2123 }
2124 return TRUE;
2125 }
2126
2127 METHOD(tls_crypto_t, update_app_keys, bool,
2128 private_tls_crypto_t *this, bool inbound)
2129 {
2130 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2131
2132 if (this->tls->is_server(this->tls) != inbound)
2133 {
2134 label = TLS_HKDF_UPD_S_TRAFFIC;
2135 }
2136 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2137 inbound ? this->aead_in : this->aead_out);
2138 }
2139
2140 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2141 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2142 chunk_t client_random, chunk_t server_random)
2143 {
2144 chunk_t master;
2145
2146 if (this->cache && session.len)
2147 {
2148 this->suite = this->cache->lookup(this->cache, session, id, &master);
2149 if (this->suite)
2150 {
2151 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2152 if (this->suite)
2153 {
2154 if (!this->prf->set_key(this->prf, master) ||
2155 !expand_keys(this, client_random, server_random))
2156 {
2157 this->suite = 0;
2158 }
2159 }
2160 chunk_clear(&master);
2161 }
2162 return this->suite;
2163 }
2164 return 0;
2165 }
2166
2167 METHOD(tls_crypto_t, get_session, chunk_t,
2168 private_tls_crypto_t *this, identification_t *server)
2169 {
2170 if (this->cache)
2171 {
2172 return this->cache->check(this->cache, server);
2173 }
2174 return chunk_empty;
2175 }
2176
2177 METHOD(tls_crypto_t, change_cipher, void,
2178 private_tls_crypto_t *this, bool inbound)
2179 {
2180 if (this->protection)
2181 {
2182 if (inbound)
2183 {
2184 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2185 }
2186 else
2187 {
2188 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2189 }
2190 }
2191 }
2192
2193 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2194 private_tls_crypto_t *this)
2195 {
2196 return this->msk;
2197 }
2198
2199 METHOD(tls_crypto_t, destroy, void,
2200 private_tls_crypto_t *this)
2201 {
2202 destroy_aeads(this);
2203 free(this->handshake.ptr);
2204 free(this->msk.ptr);
2205 DESTROY_IF(this->prf);
2206 DESTROY_IF(this->hkdf);
2207 free(this->suites);
2208 free(this);
2209 }
2210
2211 /**
2212 * See header
2213 */
2214 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2215 {
2216 private_tls_crypto_t *this;
2217 enumerator_t *enumerator;
2218 credential_type_t type;
2219 int subtype;
2220
2221 INIT(this,
2222 .public = {
2223 .get_cipher_suites = _get_cipher_suites,
2224 .select_cipher_suite = _select_cipher_suite,
2225 .get_dh_group = _get_dh_group,
2226 .get_signature_algorithms = _get_signature_algorithms,
2227 .create_ec_enumerator = _create_ec_enumerator,
2228 .set_protection = _set_protection,
2229 .append_handshake = _append_handshake,
2230 .hash_handshake = _hash_handshake,
2231 .sign = _sign,
2232 .verify = _verify,
2233 .sign_handshake = _sign_handshake,
2234 .verify_handshake = _verify_handshake,
2235 .calculate_finished_legacy = _calculate_finished_legacy,
2236 .calculate_finished = _calculate_finished,
2237 .derive_secrets = _derive_secrets,
2238 .derive_handshake_keys = _derive_handshake_keys,
2239 .derive_app_keys = _derive_app_keys,
2240 .update_app_keys = _update_app_keys,
2241 .resume_session = _resume_session,
2242 .get_session = _get_session,
2243 .change_cipher = _change_cipher,
2244 .get_eap_msk = _get_eap_msk,
2245 .destroy = _destroy,
2246 },
2247 .tls = tls,
2248 .cache = cache,
2249 );
2250
2251 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2252 while (enumerator->enumerate(enumerator, &type, &subtype))
2253 {
2254 if (type == CRED_PUBLIC_KEY)
2255 {
2256 switch (subtype)
2257 {
2258 case KEY_RSA:
2259 this->rsa = TRUE;
2260 break;
2261 case KEY_ECDSA:
2262 this->ecdsa = TRUE;
2263 break;
2264 default:
2265 break;
2266 }
2267 }
2268 }
2269 enumerator->destroy(enumerator);
2270
2271 switch (tls->get_purpose(tls))
2272 {
2273 case TLS_PURPOSE_EAP_TLS:
2274 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2275 this->msk_label = "client EAP encryption";
2276 break;
2277 case TLS_PURPOSE_EAP_PEAP:
2278 this->msk_label = "client EAP encryption";
2279 break;
2280 case TLS_PURPOSE_EAP_TTLS:
2281 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2282 this->msk_label = "ttls keying material";
2283 break;
2284 default:
2285 break;
2286 }
2287 return &this->public;
2288 }
2289
2290 /**
2291 * See header.
2292 */
2293 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2294 tls_cipher_suite_t **out)
2295 {
2296 suite_algs_t suites[countof(suite_algs)];
2297 int count = 0, i;
2298
2299 /* initialize copy of suite list */
2300 for (i = 0; i < countof(suite_algs); i++)
2301 {
2302 if (suite_algs[i].min_version <= version &&
2303 suite_algs[i].max_version >= version)
2304 {
2305 suites[count++] = suite_algs[i];
2306 }
2307 }
2308
2309 filter_unsupported_suites(suites, &count);
2310
2311 if (!null)
2312 {
2313 filter_null_suites(suites, &count);
2314 }
2315
2316 if (out)
2317 {
2318 *out = calloc(count, sizeof(tls_cipher_suite_t));
2319 for (i = 0; i < count; i++)
2320 {
2321 (*out)[i] = suites[i].suite;
2322 }
2323 }
2324 return count;
2325 }