0783b12b03918fe829117f787f0773ccacc52c1a
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * TLS session cache
374 */
375 tls_cache_t *cache;
376
377 /**
378 * All handshake data concatentated
379 */
380 chunk_t handshake;
381
382 /**
383 * Connection state TLS PRF
384 */
385 tls_prf_t *prf;
386
387 /**
388 * AEAD transform for inbound traffic
389 */
390 tls_aead_t *aead_in;
391
392 /**
393 * AEAD transform for outbound traffic
394 */
395 tls_aead_t *aead_out;
396
397 /**
398 * EAP-[T]TLS MSK
399 */
400 chunk_t msk;
401
402 /**
403 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
404 */
405 char *msk_label;
406 };
407
408 typedef struct {
409 tls_cipher_suite_t suite;
410 key_type_t key;
411 diffie_hellman_group_t dh;
412 hash_algorithm_t hash;
413 pseudo_random_function_t prf;
414 integrity_algorithm_t mac;
415 encryption_algorithm_t encr;
416 size_t encr_size;
417 } suite_algs_t;
418
419 /**
420 * Mapping suites to a set of algorithms
421 */
422 static suite_algs_t suite_algs[] = {
423 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
424 KEY_ECDSA, ECP_256_BIT,
425 HASH_SHA256, PRF_HMAC_SHA2_256,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
427 },
428 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
429 KEY_ECDSA, ECP_256_BIT,
430 HASH_SHA256, PRF_HMAC_SHA2_256,
431 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
432 },
433 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
434 KEY_ECDSA, ECP_384_BIT,
435 HASH_SHA256, PRF_HMAC_SHA2_256,
436 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
437 },
438 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
439 KEY_ECDSA, ECP_384_BIT,
440 HASH_SHA384, PRF_HMAC_SHA2_384,
441 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
442 },
443 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
444 KEY_ECDSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
447 },
448 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
449 KEY_ECDSA, ECP_384_BIT,
450 HASH_SHA384, PRF_HMAC_SHA2_384,
451 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
452 },
453 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
454 KEY_RSA, ECP_256_BIT,
455 HASH_SHA256, PRF_HMAC_SHA2_256,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
457 },
458 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
459 KEY_RSA, ECP_256_BIT,
460 HASH_SHA256, PRF_HMAC_SHA2_256,
461 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
462 },
463 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
464 KEY_RSA, ECP_384_BIT,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
467 },
468 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
469 KEY_RSA, ECP_384_BIT,
470 HASH_SHA384, PRF_HMAC_SHA2_384,
471 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
472 },
473 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
474 KEY_RSA, ECP_256_BIT,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
477 },
478 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
479 KEY_RSA, ECP_384_BIT,
480 HASH_SHA384, PRF_HMAC_SHA2_384,
481 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
482 },
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
484 KEY_RSA, MODP_2048_BIT,
485 HASH_SHA256,PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
492 },
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
494 KEY_RSA, MODP_3072_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
499 KEY_RSA, MODP_4096_BIT,
500 HASH_SHA256, PRF_HMAC_SHA2_256,
501 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
502 },
503 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
504 KEY_RSA, MODP_3072_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
507 },
508 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
509 KEY_RSA, MODP_4096_BIT,
510 HASH_SHA384, PRF_HMAC_SHA2_384,
511 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
512 },
513 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
514 KEY_RSA, MODP_2048_BIT,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
517 },
518 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
519 KEY_RSA, MODP_3072_BIT,
520 HASH_SHA256, PRF_HMAC_SHA2_256,
521 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
522 },
523 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
524 KEY_RSA, MODP_3072_BIT,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
527 },
528 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
529 KEY_RSA, MODP_4096_BIT,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
532 },
533 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
534 KEY_RSA, MODP_2048_BIT,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
537 },
538 { TLS_RSA_WITH_AES_128_CBC_SHA,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
542 },
543 { TLS_RSA_WITH_AES_128_CBC_SHA256,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA256, PRF_HMAC_SHA2_256,
546 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
547 },
548 { TLS_RSA_WITH_AES_256_CBC_SHA,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
552 },
553 { TLS_RSA_WITH_AES_256_CBC_SHA256,
554 KEY_RSA, MODP_NONE,
555 HASH_SHA256, PRF_HMAC_SHA2_256,
556 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
557 },
558 { TLS_RSA_WITH_AES_128_GCM_SHA256,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
562 },
563 { TLS_RSA_WITH_AES_256_GCM_SHA384,
564 KEY_RSA, MODP_NONE,
565 HASH_SHA384, PRF_HMAC_SHA2_384,
566 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
567 },
568 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
569 KEY_RSA, MODP_NONE,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
572 },
573 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
574 KEY_RSA, MODP_NONE,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
577 },
578 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
579 KEY_RSA, MODP_NONE,
580 HASH_SHA256, PRF_HMAC_SHA2_256,
581 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
582 },
583 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
584 KEY_RSA, MODP_NONE,
585 HASH_SHA256, PRF_HMAC_SHA2_256,
586 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
587 },
588 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
589 KEY_ECDSA, ECP_256_BIT,
590 HASH_SHA256, PRF_HMAC_SHA2_256,
591 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
592 },
593 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
594 KEY_RSA, ECP_256_BIT,
595 HASH_SHA256, PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
597 },
598 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
599 KEY_RSA, MODP_NONE,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
602 },
603 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
604 KEY_ECDSA, ECP_256_BIT,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
607 },
608 { TLS_ECDHE_RSA_WITH_NULL_SHA,
609 KEY_ECDSA, ECP_256_BIT,
610 HASH_SHA256, PRF_HMAC_SHA2_256,
611 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
612 },
613 { TLS_RSA_WITH_NULL_SHA,
614 KEY_RSA, MODP_NONE,
615 HASH_SHA256, PRF_HMAC_SHA2_256,
616 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
617 },
618 { TLS_RSA_WITH_NULL_SHA256,
619 KEY_RSA, MODP_NONE,
620 HASH_SHA256, PRF_HMAC_SHA2_256,
621 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
622 },
623 { TLS_RSA_WITH_NULL_MD5,
624 KEY_RSA, MODP_NONE,
625 HASH_SHA256, PRF_HMAC_SHA2_256,
626 AUTH_HMAC_MD5_128, ENCR_NULL, 0
627 },
628 };
629
630 /**
631 * Look up algorithms by a suite
632 */
633 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
634 {
635 int i;
636
637 for (i = 0; i < countof(suite_algs); i++)
638 {
639 if (suite_algs[i].suite == suite)
640 {
641 return &suite_algs[i];
642 }
643 }
644 return NULL;
645 }
646
647 /**
648 * Filter a suite list using a transform enumerator
649 */
650 static void filter_suite(private_tls_crypto_t *this, bool aead,
651 suite_algs_t suites[], int *count, int offset,
652 enumerator_t*(*create_enumerator)(crypto_factory_t*))
653 {
654 const char *plugin_name;
655 suite_algs_t current;
656 int *current_alg, i, remaining = 0;
657 enumerator_t *enumerator;
658
659 memset(&current, 0, sizeof(current));
660 current_alg = (int*)((char*)&current + offset);
661
662 for (i = 0; i < *count; i++)
663 {
664 enumerator = create_enumerator(lib->crypto);
665 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
666 {
667 if ((suites[i].encr == ENCR_NULL ||
668 aead != encryption_algorithm_is_aead(suites[i].encr) ||
669 !current.encr || current.encr == suites[i].encr) &&
670 (suites[i].mac == AUTH_UNDEFINED ||
671 !current.mac || current.mac == suites[i].mac) &&
672 (!current.prf || current.prf == suites[i].prf) &&
673 (!current.hash || current.hash == suites[i].hash) &&
674 (suites[i].dh == MODP_NONE ||
675 !current.dh || current.dh == suites[i].dh))
676 {
677 suites[remaining] = suites[i];
678 remaining++;
679 break;
680 }
681 }
682 enumerator->destroy(enumerator);
683 }
684 *count = remaining;
685 }
686
687 /**
688 * Purge NULL encryption cipher suites from list
689 */
690 static void filter_null_suites(private_tls_crypto_t *this,
691 suite_algs_t suites[], int *count)
692 {
693 int i, remaining = 0;
694
695 for (i = 0; i < *count; i++)
696 {
697 if (suites[i].encr != ENCR_NULL)
698 {
699 suites[remaining] = suites[i];
700 remaining++;
701 }
702 }
703 *count = remaining;
704 }
705
706 /**
707 * Purge suites using a given key type
708 */
709 static void filter_key_suites(private_tls_crypto_t *this,
710 suite_algs_t suites[], int *count, key_type_t key)
711 {
712 int i, remaining = 0;
713
714 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
715 for (i = 0; i < *count; i++)
716 {
717 if (suites[i].key != key)
718 {
719 suites[remaining] = suites[i];
720 remaining++;
721 }
722 }
723 *count = remaining;
724 }
725
726 /**
727 * Filter suites by key exchange user config
728 */
729 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
730 suite_algs_t suites[], int *count)
731 {
732 enumerator_t *enumerator;
733 int i, remaining = 0;
734 char *token, *config;
735
736 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
737 lib->ns);
738 if (config)
739 {
740 for (i = 0; i < *count; i++)
741 {
742 enumerator = enumerator_create_token(config, ",", " ");
743 while (enumerator->enumerate(enumerator, &token))
744 {
745 if (strcaseeq(token, "ecdhe-ecdsa") &&
746 diffie_hellman_group_is_ec(suites[i].dh) &&
747 suites[i].key == KEY_ECDSA)
748 {
749 suites[remaining++] = suites[i];
750 break;
751 }
752 if (strcaseeq(token, "ecdhe-rsa") &&
753 diffie_hellman_group_is_ec(suites[i].dh) &&
754 suites[i].key == KEY_RSA)
755 {
756 suites[remaining++] = suites[i];
757 break;
758 }
759 if (strcaseeq(token, "dhe-rsa") &&
760 !diffie_hellman_group_is_ec(suites[i].dh) &&
761 suites[i].dh != MODP_NONE &&
762 suites[i].key == KEY_RSA)
763 {
764 suites[remaining++] = suites[i];
765 break;
766 }
767 if (strcaseeq(token, "rsa") &&
768 suites[i].dh == MODP_NONE &&
769 suites[i].key == KEY_RSA)
770 {
771 suites[remaining++] = suites[i];
772 break;
773 }
774 }
775 enumerator->destroy(enumerator);
776 }
777 *count = remaining;
778 }
779 }
780
781 /**
782 * Filter suites by cipher user config
783 */
784 static void filter_cipher_config_suites(private_tls_crypto_t *this,
785 suite_algs_t suites[], int *count)
786 {
787 enumerator_t *enumerator;
788 int i, remaining = 0;
789 char *token, *config;
790
791 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
792 lib->ns);
793 if (config)
794 {
795 for (i = 0; i < *count; i++)
796 {
797 enumerator = enumerator_create_token(config, ",", " ");
798 while (enumerator->enumerate(enumerator, &token))
799 {
800 if (strcaseeq(token, "aes128") &&
801 suites[i].encr == ENCR_AES_CBC &&
802 suites[i].encr_size == 16)
803 {
804 suites[remaining++] = suites[i];
805 break;
806 }
807 if (strcaseeq(token, "aes256") &&
808 suites[i].encr == ENCR_AES_CBC &&
809 suites[i].encr_size == 32)
810 {
811 suites[remaining++] = suites[i];
812 break;
813 }
814 if (strcaseeq(token, "aes128gcm") &&
815 suites[i].encr == ENCR_AES_GCM_ICV16 &&
816 suites[i].encr_size == 16)
817 {
818 suites[remaining++] = suites[i];
819 break;
820 }
821 if (strcaseeq(token, "aes256gcm") &&
822 suites[i].encr == ENCR_AES_GCM_ICV16 &&
823 suites[i].encr_size == 32)
824 {
825 suites[remaining++] = suites[i];
826 break;
827 }
828 if (strcaseeq(token, "camellia128") &&
829 suites[i].encr == ENCR_CAMELLIA_CBC &&
830 suites[i].encr_size == 16)
831 {
832 suites[remaining++] = suites[i];
833 break;
834 }
835 if (strcaseeq(token, "camellia256") &&
836 suites[i].encr == ENCR_CAMELLIA_CBC &&
837 suites[i].encr_size == 32)
838 {
839 suites[remaining++] = suites[i];
840 break;
841 }
842 if (strcaseeq(token, "3des") &&
843 suites[i].encr == ENCR_3DES)
844 {
845 suites[remaining++] = suites[i];
846 break;
847 }
848 if (strcaseeq(token, "null") &&
849 suites[i].encr == ENCR_NULL)
850 {
851 suites[remaining++] = suites[i];
852 break;
853 }
854 }
855 enumerator->destroy(enumerator);
856 }
857 *count = remaining;
858 }
859 }
860
861 /**
862 * Filter suites by mac user config
863 */
864 static void filter_mac_config_suites(private_tls_crypto_t *this,
865 suite_algs_t suites[], int *count)
866 {
867 enumerator_t *enumerator;
868 int i, remaining = 0;
869 char *token, *config;
870
871 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
872 lib->ns);
873 if (config)
874 {
875 for (i = 0; i < *count; i++)
876 {
877 enumerator = enumerator_create_token(config, ",", " ");
878 while (enumerator->enumerate(enumerator, &token))
879 {
880 if (strcaseeq(token, "md5") &&
881 suites[i].mac == AUTH_HMAC_MD5_128)
882 {
883 suites[remaining++] = suites[i];
884 break;
885 }
886 if (strcaseeq(token, "sha1") &&
887 suites[i].mac == AUTH_HMAC_SHA1_160)
888 {
889 suites[remaining++] = suites[i];
890 break;
891 }
892 if (strcaseeq(token, "sha256") &&
893 suites[i].mac == AUTH_HMAC_SHA2_256_256)
894 {
895 suites[remaining++] = suites[i];
896 break;
897 }
898 if (strcaseeq(token, "sha384") &&
899 suites[i].mac == AUTH_HMAC_SHA2_384_384)
900 {
901 suites[remaining++] = suites[i];
902 break;
903 }
904 }
905 enumerator->destroy(enumerator);
906 }
907 *count = remaining;
908 }
909 }
910
911 /**
912 * Filter for specific suites specified in strongswan.conf
913 */
914 static void filter_specific_config_suites(private_tls_crypto_t *this,
915 suite_algs_t suites[], int *count)
916 {
917 enumerator_t *enumerator;
918 int i, remaining = 0, suite;
919 char *token, *config;
920
921 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
922 lib->ns);
923 if (config)
924 {
925 for (i = 0; i < *count; i++)
926 {
927 enumerator = enumerator_create_token(config, ",", " ");
928 while (enumerator->enumerate(enumerator, &token))
929 {
930 suite = enum_from_name(tls_cipher_suite_names, token);
931 if (suite == suites[i].suite)
932 {
933 suites[remaining++] = suites[i];
934 break;
935 }
936 }
937 enumerator->destroy(enumerator);
938 }
939 *count = remaining;
940 }
941 }
942
943 /**
944 * Initialize the cipher suite list
945 */
946 static void build_cipher_suite_list(private_tls_crypto_t *this,
947 bool require_encryption)
948 {
949 suite_algs_t suites[countof(suite_algs)];
950 int count = countof(suite_algs), i;
951
952 /* copy all suites */
953 for (i = 0; i < count; i++)
954 {
955 suites[i] = suite_algs[i];
956 }
957 if (require_encryption)
958 {
959 filter_null_suites(this, suites, &count);
960 }
961 if (!this->rsa)
962 {
963 filter_key_suites(this, suites, &count, KEY_RSA);
964 }
965 if (!this->ecdsa)
966 {
967 filter_key_suites(this, suites, &count, KEY_ECDSA);
968 }
969
970 /* filter suite list by each algorithm */
971 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, encr),
972 lib->crypto->create_crypter_enumerator);
973 filter_suite(this, TRUE, suites, &count, offsetof(suite_algs_t, encr),
974 lib->crypto->create_aead_enumerator);
975 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, mac),
976 lib->crypto->create_signer_enumerator);
977 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, prf),
978 lib->crypto->create_prf_enumerator);
979 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, hash),
980 lib->crypto->create_hasher_enumerator);
981 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, dh),
982 lib->crypto->create_dh_enumerator);
983
984 /* filter suites with strongswan.conf options */
985 filter_key_exchange_config_suites(this, suites, &count);
986 filter_cipher_config_suites(this, suites, &count);
987 filter_mac_config_suites(this, suites, &count);
988 filter_specific_config_suites(this, suites, &count);
989
990 free(this->suites);
991 this->suite_count = count;
992 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
993
994 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
995 for (i = 0; i < count; i++)
996 {
997 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
998 this->suites[i] = suites[i].suite;
999 }
1000 }
1001
1002 METHOD(tls_crypto_t, get_cipher_suites, int,
1003 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1004 {
1005 *suites = this->suites;
1006 return this->suite_count;
1007 }
1008
1009 /**
1010 * Create NULL encryption transforms
1011 */
1012 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1013 {
1014 this->aead_in = tls_aead_create_null(algs->mac);
1015 this->aead_out = tls_aead_create_null(algs->mac);
1016 if (!this->aead_in || !this->aead_out)
1017 {
1018 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1019 integrity_algorithm_names, algs->mac);
1020 return FALSE;
1021 }
1022 return TRUE;
1023 }
1024
1025 /**
1026 * Create traditional transforms
1027 */
1028 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1029 {
1030 if (this->tls->get_version(this->tls) < TLS_1_1)
1031 {
1032 this->aead_in = tls_aead_create_implicit(algs->mac,
1033 algs->encr, algs->encr_size);
1034 this->aead_out = tls_aead_create_implicit(algs->mac,
1035 algs->encr, algs->encr_size);
1036 }
1037 else
1038 {
1039 this->aead_in = tls_aead_create_explicit(algs->mac,
1040 algs->encr, algs->encr_size);
1041 this->aead_out = tls_aead_create_explicit(algs->mac,
1042 algs->encr, algs->encr_size);
1043 }
1044 if (!this->aead_in || !this->aead_out)
1045 {
1046 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1047 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1048 integrity_algorithm_names, algs->mac);
1049 return FALSE;
1050 }
1051 return TRUE;
1052 }
1053
1054 /**
1055 * Create AEAD transforms
1056 */
1057 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1058 {
1059 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1060 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1061 if (!this->aead_in || !this->aead_out)
1062 {
1063 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1064 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1065 return FALSE;
1066 }
1067 return TRUE;
1068 }
1069
1070 /**
1071 * Clean up and unset AEAD transforms
1072 */
1073 static void destroy_aeads(private_tls_crypto_t *this)
1074 {
1075 DESTROY_IF(this->aead_in);
1076 DESTROY_IF(this->aead_out);
1077 this->aead_in = this->aead_out = NULL;
1078 }
1079
1080 /**
1081 * Create crypto primitives
1082 */
1083 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1084 {
1085 destroy_aeads(this);
1086 DESTROY_IF(this->prf);
1087 if (this->tls->get_version(this->tls) < TLS_1_2)
1088 {
1089 this->prf = tls_prf_create_10();
1090 }
1091 else
1092 {
1093 this->prf = tls_prf_create_12(algs->prf);
1094 }
1095 if (!this->prf)
1096 {
1097 DBG1(DBG_TLS, "selected TLS PRF not supported");
1098 return FALSE;
1099 }
1100 if (algs->encr == ENCR_NULL)
1101 {
1102 if (create_null(this, algs))
1103 {
1104 return TRUE;
1105 }
1106 }
1107 else if (encryption_algorithm_is_aead(algs->encr))
1108 {
1109 if (create_aead(this, algs))
1110 {
1111 return TRUE;
1112 }
1113 }
1114 else
1115 {
1116 if (create_traditional(this, algs))
1117 {
1118 return TRUE;
1119 }
1120 }
1121 destroy_aeads(this);
1122 return FALSE;
1123 }
1124
1125 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1126 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1127 key_type_t key)
1128 {
1129 suite_algs_t *algs;
1130 int i, j;
1131
1132 for (i = 0; i < this->suite_count; i++)
1133 {
1134 for (j = 0; j < count; j++)
1135 {
1136 if (this->suites[i] == suites[j])
1137 {
1138 algs = find_suite(this->suites[i]);
1139 if (algs)
1140 {
1141 if (key == KEY_ANY || key == algs->key)
1142 {
1143 if (create_ciphers(this, algs))
1144 {
1145 this->suite = this->suites[i];
1146 return this->suite;
1147 }
1148 }
1149 }
1150 }
1151 }
1152 }
1153 return 0;
1154 }
1155
1156 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1157 private_tls_crypto_t *this)
1158 {
1159 suite_algs_t *algs;
1160
1161 algs = find_suite(this->suite);
1162 if (algs)
1163 {
1164 return algs->dh;
1165 }
1166 return MODP_NONE;
1167 }
1168
1169 METHOD(tls_crypto_t, get_signature_algorithms, void,
1170 private_tls_crypto_t *this, bio_writer_t *writer)
1171 {
1172 bio_writer_t *supported;
1173 enumerator_t *enumerator;
1174 hash_algorithm_t alg;
1175 tls_hash_algorithm_t hash;
1176 const char *plugin_name;
1177
1178 supported = bio_writer_create(32);
1179 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1180 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1181 {
1182 switch (alg)
1183 {
1184 case HASH_MD5:
1185 hash = TLS_HASH_MD5;
1186 break;
1187 case HASH_SHA1:
1188 hash = TLS_HASH_SHA1;
1189 break;
1190 case HASH_SHA224:
1191 hash = TLS_HASH_SHA224;
1192 break;
1193 case HASH_SHA256:
1194 hash = TLS_HASH_SHA256;
1195 break;
1196 case HASH_SHA384:
1197 hash = TLS_HASH_SHA384;
1198 break;
1199 case HASH_SHA512:
1200 hash = TLS_HASH_SHA512;
1201 break;
1202 default:
1203 continue;
1204 }
1205 if (this->rsa)
1206 {
1207 supported->write_uint8(supported, hash);
1208 supported->write_uint8(supported, TLS_SIG_RSA);
1209 }
1210 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1211 { /* currently we have no signature scheme for MD5/SHA224 */
1212 supported->write_uint8(supported, hash);
1213 supported->write_uint8(supported, TLS_SIG_ECDSA);
1214 }
1215 }
1216 enumerator->destroy(enumerator);
1217
1218 supported->wrap16(supported);
1219 writer->write_data16(writer, supported->get_buf(supported));
1220 supported->destroy(supported);
1221 }
1222
1223 /**
1224 * Mapping groups to TLS named curves
1225 */
1226 static struct {
1227 diffie_hellman_group_t group;
1228 tls_named_curve_t curve;
1229 } curves[] = {
1230 { ECP_256_BIT, TLS_SECP256R1},
1231 { ECP_384_BIT, TLS_SECP384R1},
1232 { ECP_521_BIT, TLS_SECP521R1},
1233 { ECP_224_BIT, TLS_SECP224R1},
1234 { ECP_192_BIT, TLS_SECP192R1},
1235 };
1236
1237 /**
1238 * Filter EC groups, add TLS curve
1239 */
1240 static bool group_filter(void *null,
1241 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1242 void* dummy1, tls_named_curve_t *curve)
1243 {
1244 int i;
1245
1246 for (i = 0; i < countof(curves); i++)
1247 {
1248 if (curves[i].group == *in)
1249 {
1250 if (out)
1251 {
1252 *out = curves[i].group;
1253 }
1254 if (curve)
1255 {
1256 *curve = curves[i].curve;
1257 }
1258 return TRUE;
1259 }
1260 }
1261 return FALSE;
1262 }
1263
1264 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1265 private_tls_crypto_t *this)
1266 {
1267 return enumerator_create_filter(
1268 lib->crypto->create_dh_enumerator(lib->crypto),
1269 (void*)group_filter, NULL, NULL);
1270 }
1271
1272 METHOD(tls_crypto_t, set_protection, void,
1273 private_tls_crypto_t *this, tls_protection_t *protection)
1274 {
1275 this->protection = protection;
1276 }
1277
1278 METHOD(tls_crypto_t, append_handshake, void,
1279 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1280 {
1281 u_int32_t header;
1282
1283 /* reconstruct handshake header */
1284 header = htonl(data.len | (type << 24));
1285 this->handshake = chunk_cat("mcc", this->handshake,
1286 chunk_from_thing(header), data);
1287 }
1288
1289 /**
1290 * Create a hash using the suites HASH algorithm
1291 */
1292 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1293 {
1294 if (this->tls->get_version(this->tls) >= TLS_1_2)
1295 {
1296 hasher_t *hasher;
1297 suite_algs_t *alg;
1298
1299 alg = find_suite(this->suite);
1300 if (!alg)
1301 {
1302 return FALSE;
1303 }
1304 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1305 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1306 {
1307 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1308 DESTROY_IF(hasher);
1309 return FALSE;
1310 }
1311 hasher->destroy(hasher);
1312 }
1313 else
1314 {
1315 hasher_t *md5, *sha1;
1316 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1317
1318 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1319 if (!md5 || !md5->get_hash(md5, data, buf))
1320 {
1321 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1322 DESTROY_IF(md5);
1323 return FALSE;
1324 }
1325 md5->destroy(md5);
1326 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1327 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1328 {
1329 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1330 DESTROY_IF(sha1);
1331 return FALSE;
1332 }
1333 sha1->destroy(sha1);
1334
1335 *hash = chunk_clone(chunk_from_thing(buf));
1336 }
1337 return TRUE;
1338 }
1339
1340 /**
1341 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1342 */
1343 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1344 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1345 {
1346 switch (sig)
1347 {
1348 case TLS_SIG_RSA:
1349 if (type != KEY_RSA)
1350 {
1351 return SIGN_UNKNOWN;
1352 }
1353 switch (hash)
1354 {
1355 case TLS_HASH_MD5:
1356 return SIGN_RSA_EMSA_PKCS1_MD5;
1357 case TLS_HASH_SHA1:
1358 return SIGN_RSA_EMSA_PKCS1_SHA1;
1359 case TLS_HASH_SHA224:
1360 return SIGN_RSA_EMSA_PKCS1_SHA224;
1361 case TLS_HASH_SHA256:
1362 return SIGN_RSA_EMSA_PKCS1_SHA256;
1363 case TLS_HASH_SHA384:
1364 return SIGN_RSA_EMSA_PKCS1_SHA384;
1365 case TLS_HASH_SHA512:
1366 return SIGN_RSA_EMSA_PKCS1_SHA512;
1367 default:
1368 return SIGN_UNKNOWN;
1369 }
1370 case TLS_SIG_ECDSA:
1371 if (type != KEY_ECDSA)
1372 {
1373 return SIGN_UNKNOWN;
1374 }
1375 switch (hash)
1376 {
1377 case TLS_HASH_SHA224:
1378 return SIGN_ECDSA_WITH_SHA1_DER;
1379 case TLS_HASH_SHA256:
1380 return SIGN_ECDSA_WITH_SHA256_DER;
1381 case TLS_HASH_SHA384:
1382 return SIGN_ECDSA_WITH_SHA384_DER;
1383 case TLS_HASH_SHA512:
1384 return SIGN_ECDSA_WITH_SHA512_DER;
1385 default:
1386 return SIGN_UNKNOWN;
1387 }
1388 default:
1389 return SIGN_UNKNOWN;
1390 }
1391 }
1392
1393 METHOD(tls_crypto_t, sign, bool,
1394 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1395 chunk_t data, chunk_t hashsig)
1396 {
1397 if (this->tls->get_version(this->tls) >= TLS_1_2)
1398 {
1399 signature_scheme_t scheme;
1400 bio_reader_t *reader;
1401 u_int8_t hash, alg;
1402 chunk_t sig;
1403 bool done = FALSE;
1404
1405 if (!hashsig.len)
1406 { /* fallback if none given */
1407 hashsig = chunk_from_chars(
1408 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1409 }
1410 reader = bio_reader_create(hashsig);
1411 while (reader->remaining(reader) >= 2)
1412 {
1413 if (reader->read_uint8(reader, &hash) &&
1414 reader->read_uint8(reader, &alg))
1415 {
1416 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1417 if (scheme != SIGN_UNKNOWN &&
1418 key->sign(key, scheme, data, &sig))
1419 {
1420 done = TRUE;
1421 break;
1422 }
1423 }
1424 }
1425 reader->destroy(reader);
1426 if (!done)
1427 {
1428 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1429 return FALSE;
1430 }
1431 DBG2(DBG_TLS, "created signature with %N/%N",
1432 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1433 writer->write_uint8(writer, hash);
1434 writer->write_uint8(writer, alg);
1435 writer->write_data16(writer, sig);
1436 free(sig.ptr);
1437 }
1438 else
1439 {
1440 chunk_t sig, hash;
1441 bool done;
1442
1443 switch (key->get_type(key))
1444 {
1445 case KEY_RSA:
1446 if (!hash_data(this, data, &hash))
1447 {
1448 return FALSE;
1449 }
1450 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1451 free(hash.ptr);
1452 if (!done)
1453 {
1454 return FALSE;
1455 }
1456 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1457 break;
1458 case KEY_ECDSA:
1459 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1460 {
1461 return FALSE;
1462 }
1463 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1464 break;
1465 default:
1466 return FALSE;
1467 }
1468 writer->write_data16(writer, sig);
1469 free(sig.ptr);
1470 }
1471 return TRUE;
1472 }
1473
1474 METHOD(tls_crypto_t, verify, bool,
1475 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1476 chunk_t data)
1477 {
1478 if (this->tls->get_version(this->tls) >= TLS_1_2)
1479 {
1480 signature_scheme_t scheme = SIGN_UNKNOWN;
1481 u_int8_t hash, alg;
1482 chunk_t sig;
1483
1484 if (!reader->read_uint8(reader, &hash) ||
1485 !reader->read_uint8(reader, &alg) ||
1486 !reader->read_data16(reader, &sig))
1487 {
1488 DBG1(DBG_TLS, "received invalid signature");
1489 return FALSE;
1490 }
1491 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1492 if (scheme == SIGN_UNKNOWN)
1493 {
1494 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1495 tls_hash_algorithm_names, hash,
1496 tls_signature_algorithm_names, alg);
1497 return FALSE;
1498 }
1499 if (!key->verify(key, scheme, data, sig))
1500 {
1501 return FALSE;
1502 }
1503 DBG2(DBG_TLS, "verified signature with %N/%N",
1504 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1505 }
1506 else
1507 {
1508 chunk_t sig, hash;
1509 bool done;
1510
1511 if (!reader->read_data16(reader, &sig))
1512 {
1513 DBG1(DBG_TLS, "received invalid signature");
1514 return FALSE;
1515 }
1516 switch (key->get_type(key))
1517 {
1518 case KEY_RSA:
1519 if (!hash_data(this, data, &hash))
1520 {
1521 return FALSE;
1522 }
1523 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1524 free(hash.ptr);
1525 if (!done)
1526 {
1527 return FALSE;
1528 }
1529 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1530 break;
1531 case KEY_ECDSA:
1532 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1533 {
1534 return FALSE;
1535 }
1536 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1537 break;
1538 default:
1539 return FALSE;
1540 }
1541 }
1542 return TRUE;
1543 }
1544
1545 METHOD(tls_crypto_t, sign_handshake, bool,
1546 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1547 chunk_t hashsig)
1548 {
1549 return sign(this, key, writer, this->handshake, hashsig);
1550 }
1551
1552 METHOD(tls_crypto_t, verify_handshake, bool,
1553 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1554 {
1555 return verify(this, key, reader, this->handshake);
1556 }
1557
1558 METHOD(tls_crypto_t, calculate_finished, bool,
1559 private_tls_crypto_t *this, char *label, char out[12])
1560 {
1561 chunk_t seed;
1562
1563 if (!this->prf)
1564 {
1565 return FALSE;
1566 }
1567 if (!hash_data(this, this->handshake, &seed))
1568 {
1569 return FALSE;
1570 }
1571 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1572 {
1573 free(seed.ptr);
1574 return FALSE;
1575 }
1576 free(seed.ptr);
1577 return TRUE;
1578 }
1579
1580 /**
1581 * Derive master secret from premaster, optionally save session
1582 */
1583 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1584 chunk_t session, identification_t *id,
1585 chunk_t client_random, chunk_t server_random)
1586 {
1587 char master[48];
1588 chunk_t seed;
1589
1590 /* derive master secret */
1591 seed = chunk_cata("cc", client_random, server_random);
1592
1593 if (!this->prf->set_key(this->prf, premaster) ||
1594 !this->prf->get_bytes(this->prf, "master secret", seed,
1595 sizeof(master), master) ||
1596 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1597 {
1598 return FALSE;
1599 }
1600
1601 if (this->cache && session.len)
1602 {
1603 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1604 this->suite);
1605 }
1606 memwipe(master, sizeof(master));
1607 return TRUE;
1608 }
1609
1610 /**
1611 * Expand key material from master secret
1612 */
1613 static bool expand_keys(private_tls_crypto_t *this,
1614 chunk_t client_random, chunk_t server_random)
1615 {
1616 chunk_t seed, block;
1617 chunk_t cw_mac, cw, cw_iv;
1618 chunk_t sw_mac, sw, sw_iv;
1619 int mklen, eklen, ivlen;
1620
1621 if (!this->aead_in || !this->aead_out)
1622 {
1623 return FALSE;
1624 }
1625
1626 /* derive key block for key expansion */
1627 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1628 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1629 ivlen = this->aead_in->get_iv_size(this->aead_in);
1630 seed = chunk_cata("cc", server_random, client_random);
1631 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1632 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1633 block.len, block.ptr))
1634 {
1635 return FALSE;
1636 }
1637
1638 /* client/server write signer keys */
1639 cw_mac = chunk_create(block.ptr, mklen);
1640 block = chunk_skip(block, mklen);
1641 sw_mac = chunk_create(block.ptr, mklen);
1642 block = chunk_skip(block, mklen);
1643
1644 /* client/server write encryption keys */
1645 cw = chunk_create(block.ptr, eklen);
1646 block = chunk_skip(block, eklen);
1647 sw = chunk_create(block.ptr, eklen);
1648 block = chunk_skip(block, eklen);
1649
1650 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1651 cw_iv = chunk_create(block.ptr, ivlen);
1652 block = chunk_skip(block, ivlen);
1653 sw_iv = chunk_create(block.ptr, ivlen);
1654 block = chunk_skip(block, ivlen);
1655
1656 if (this->tls->is_server(this->tls))
1657 {
1658 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1659 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1660 {
1661 return FALSE;
1662 }
1663 }
1664 else
1665 {
1666 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1667 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1668 {
1669 return FALSE;
1670 }
1671 }
1672
1673 /* EAP-MSK */
1674 if (this->msk_label)
1675 {
1676 seed = chunk_cata("cc", client_random, server_random);
1677 this->msk = chunk_alloc(64);
1678 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1679 this->msk.len, this->msk.ptr))
1680 {
1681 return FALSE;
1682 }
1683 }
1684 return TRUE;
1685 }
1686
1687 METHOD(tls_crypto_t, derive_secrets, bool,
1688 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1689 identification_t *id, chunk_t client_random, chunk_t server_random)
1690 {
1691 return derive_master(this, premaster, session, id,
1692 client_random, server_random) &&
1693 expand_keys(this, client_random, server_random);
1694 }
1695
1696 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1697 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1698 chunk_t client_random, chunk_t server_random)
1699 {
1700 chunk_t master;
1701
1702 if (this->cache && session.len)
1703 {
1704 this->suite = this->cache->lookup(this->cache, session, id, &master);
1705 if (this->suite)
1706 {
1707 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1708 if (this->suite)
1709 {
1710 if (!this->prf->set_key(this->prf, master) ||
1711 !expand_keys(this, client_random, server_random))
1712 {
1713 this->suite = 0;
1714 }
1715 }
1716 chunk_clear(&master);
1717 }
1718 return this->suite;
1719 }
1720 return 0;
1721 }
1722
1723 METHOD(tls_crypto_t, get_session, chunk_t,
1724 private_tls_crypto_t *this, identification_t *server)
1725 {
1726 if (this->cache)
1727 {
1728 return this->cache->check(this->cache, server);
1729 }
1730 return chunk_empty;
1731 }
1732
1733 METHOD(tls_crypto_t, change_cipher, void,
1734 private_tls_crypto_t *this, bool inbound)
1735 {
1736 if (this->protection)
1737 {
1738 if (inbound)
1739 {
1740 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1741 }
1742 else
1743 {
1744 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1745 }
1746 }
1747 }
1748
1749 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1750 private_tls_crypto_t *this)
1751 {
1752 return this->msk;
1753 }
1754
1755 METHOD(tls_crypto_t, destroy, void,
1756 private_tls_crypto_t *this)
1757 {
1758 destroy_aeads(this);
1759 free(this->handshake.ptr);
1760 free(this->msk.ptr);
1761 DESTROY_IF(this->prf);
1762 free(this->suites);
1763 free(this);
1764 }
1765
1766 /**
1767 * See header
1768 */
1769 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1770 {
1771 private_tls_crypto_t *this;
1772 enumerator_t *enumerator;
1773 credential_type_t type;
1774 int subtype;
1775
1776 INIT(this,
1777 .public = {
1778 .get_cipher_suites = _get_cipher_suites,
1779 .select_cipher_suite = _select_cipher_suite,
1780 .get_dh_group = _get_dh_group,
1781 .get_signature_algorithms = _get_signature_algorithms,
1782 .create_ec_enumerator = _create_ec_enumerator,
1783 .set_protection = _set_protection,
1784 .append_handshake = _append_handshake,
1785 .sign = _sign,
1786 .verify = _verify,
1787 .sign_handshake = _sign_handshake,
1788 .verify_handshake = _verify_handshake,
1789 .calculate_finished = _calculate_finished,
1790 .derive_secrets = _derive_secrets,
1791 .resume_session = _resume_session,
1792 .get_session = _get_session,
1793 .change_cipher = _change_cipher,
1794 .get_eap_msk = _get_eap_msk,
1795 .destroy = _destroy,
1796 },
1797 .tls = tls,
1798 .cache = cache,
1799 );
1800
1801 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1802 while (enumerator->enumerate(enumerator, &type, &subtype))
1803 {
1804 if (type == CRED_PUBLIC_KEY)
1805 {
1806 switch (subtype)
1807 {
1808 case KEY_RSA:
1809 this->rsa = TRUE;
1810 break;
1811 case KEY_ECDSA:
1812 this->ecdsa = TRUE;
1813 break;
1814 default:
1815 break;
1816 }
1817 }
1818 }
1819 enumerator->destroy(enumerator);
1820
1821 switch (tls->get_purpose(tls))
1822 {
1823 case TLS_PURPOSE_EAP_TLS:
1824 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1825 this->msk_label = "client EAP encryption";
1826 build_cipher_suite_list(this, FALSE);
1827 break;
1828 case TLS_PURPOSE_EAP_PEAP:
1829 this->msk_label = "client EAP encryption";
1830 build_cipher_suite_list(this, TRUE);
1831 break;
1832 case TLS_PURPOSE_EAP_TTLS:
1833 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1834 this->msk_label = "ttls keying material";
1835 build_cipher_suite_list(this, TRUE);
1836 break;
1837 case TLS_PURPOSE_GENERIC:
1838 build_cipher_suite_list(this, TRUE);
1839 break;
1840 default:
1841 break;
1842 }
1843 return &this->public;
1844 }