07d5ce71460fa85c674c36b125f6b6274343e338
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
28
29 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
187 TLS_AES_128_CCM_8_SHA256,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384,
196 TLS_AES_128_CCM_8_SHA256,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
263
264
265 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
266 "NONE",
267 "MD5",
268 "SHA1",
269 "SHA224",
270 "SHA256",
271 "SHA384",
272 "SHA512",
273 );
274
275 ENUM_BEGIN(tls_signature_scheme_names,
276 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
277 "RSA_PKCS1_SHA1");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
280 "ECDSA_SHA1");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
283 "RSA_PKCS1_SHA224",
284 "DSA_SHA224",
285 "ECDSA_SHA224");
286 ENUM_NEXT(tls_signature_scheme_names,
287 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
288 "RSA_PKCS1_SHA256",
289 "DSA_SHA256",
290 "ECDSA_SHA256");
291 ENUM_NEXT(tls_signature_scheme_names,
292 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
293 "RSA_PKCS1_SHA384",
294 "DSA_SHA384",
295 "ECDSA_SHA384");
296 ENUM_NEXT(tls_signature_scheme_names,
297 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
298 "RSA_PKCS1_SHA512",
299 "DSA_SHA512",
300 "ECDSA_SHA512");
301 ENUM_NEXT(tls_signature_scheme_names,
302 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
306 "ED25519",
307 "ED448",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
311 );
312 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
313
314 ENUM_BEGIN(tls_client_certificate_type_names,
315 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
316 "RSA_SIGN",
317 "DSA_SIGN",
318 "RSA_FIXED_DH",
319 "DSS_FIXED_DH",
320 "RSA_EPHEMERAL_DH",
321 "DSS_EPHEMERAL_DH");
322 ENUM_NEXT(tls_client_certificate_type_names,
323 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
324 "FORTEZZA_DMS");
325 ENUM_NEXT(tls_client_certificate_type_names,
326 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
327 "ECDSA_SIGN",
328 "RSA_FIXED_ECDH",
329 "ECDSA_FIXED_ECDH");
330 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
331
332 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
333 "EXPLICIT_PRIME",
334 "EXPLICIT_CHAR2",
335 "NAMED_CURVE",
336 );
337
338 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
339 "SECT163K1",
340 "SECT163R1",
341 "SECT163R2",
342 "SECT193R1",
343 "SECT193R2",
344 "SECT233K1",
345 "SECT233R1",
346 "SECT239K1",
347 "SECT283K1",
348 "SECT283R1",
349 "SECT409K1",
350 "SECT409R1",
351 "SECT571K1",
352 "SECT571R1",
353 "SECP160K1",
354 "SECP160R1",
355 "SECP160R2",
356 "SECP192K1",
357 "SECP192R1",
358 "SECP224K1",
359 "SECP224R1",
360 "SECP256K1",
361 "SECP256R1",
362 "SECP384R1",
363 "SECP521R1",
364 );
365 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
366 "CURVE25519",
367 "CURVE448",
368 );
369 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
370 "FFDHE2048",
371 "FFDHE3072",
372 "FFDHE4096",
373 "FFDHE6144",
374 "FFDHE8192",
375 );
376 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
377
378 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
379 "compressed",
380 "compressed y",
381 "uncompressed",
382 "uncompressed y",
383 "hybrid",
384 "hybrid y",
385 );
386
387 ENUM(tls_ec_point_format_names,
388 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
389 "uncompressed",
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
392 );
393
394 typedef struct private_tls_crypto_t private_tls_crypto_t;
395
396 /**
397 * Private data of an tls_crypto_t object.
398 */
399 struct private_tls_crypto_t {
400
401 /**
402 * Public tls_crypto_t interface.
403 */
404 tls_crypto_t public;
405
406 /**
407 * Protection layer
408 */
409 tls_protection_t *protection;
410
411 /**
412 * List of supported/acceptable cipher suites
413 */
414 tls_cipher_suite_t *suites;
415
416 /**
417 * Number of supported suites
418 */
419 int suite_count;
420
421 /**
422 * HKDF for TLS 1.3
423 */
424 tls_hkdf_t *hkdf;
425
426 /**
427 * Selected cipher suite
428 */
429 tls_cipher_suite_t suite;
430
431 /**
432 * RSA supported?
433 */
434 bool rsa;
435
436 /**
437 * ECDSA supported?
438 */
439 bool ecdsa;
440
441 /**
442 * TLS context
443 */
444 tls_t *tls;
445
446 /**
447 * TLS session cache
448 */
449 tls_cache_t *cache;
450
451 /**
452 * All handshake data concatenated
453 */
454 chunk_t handshake;
455
456 /**
457 * Connection state TLS PRF
458 */
459 tls_prf_t *prf;
460
461 /**
462 * AEAD transform for inbound traffic
463 */
464 tls_aead_t *aead_in;
465
466 /**
467 * AEAD transform for outbound traffic
468 */
469 tls_aead_t *aead_out;
470
471 /**
472 * EAP-[T]TLS MSK
473 */
474 chunk_t msk;
475
476 /**
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
478 */
479 char *msk_label;
480 };
481
482 typedef struct {
483 tls_cipher_suite_t suite;
484 key_type_t key;
485 diffie_hellman_group_t dh;
486 hash_algorithm_t hash;
487 pseudo_random_function_t prf;
488 integrity_algorithm_t mac;
489 encryption_algorithm_t encr;
490 size_t encr_size;
491 tls_version_t min_version;
492 tls_version_t max_version;
493 } suite_algs_t;
494
495 /**
496 * Mapping suites to a set of algorithms
497 *
498 * The order represents the descending preference of cipher suites and follows
499 * this rule set:
500 *
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
503 * 3. AES256 > AES128
504 * 4. GCM > CBC
505 * 5. ECDHE > DHE > NULL
506 * 6. ECDSA > RSA
507 * 7. SHA384 > SHA256 > SHA1
508 *
509 */
510 static suite_algs_t suite_algs[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384,
514 KEY_ANY, MODP_NONE,
515 HASH_SHA384, PRF_UNDEFINED,
516 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
517 TLS_1_3, TLS_1_3,
518 },
519 { TLS_AES_128_GCM_SHA256,
520 KEY_ANY, MODP_NONE,
521 HASH_SHA256, PRF_UNDEFINED,
522 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
523 TLS_1_3, TLS_1_3,
524 },
525 { TLS_CHACHA20_POLY1305_SHA256,
526 KEY_ANY, MODP_NONE,
527 HASH_SHA256, PRF_UNDEFINED,
528 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
529 TLS_1_3, TLS_1_3,
530 },
531 { TLS_AES_128_CCM_SHA256,
532 KEY_ANY, MODP_NONE,
533 HASH_SHA256, PRF_UNDEFINED,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
535 TLS_1_3, TLS_1_3,
536 },
537 { TLS_AES_128_CCM_8_SHA256,
538 KEY_ANY, MODP_NONE,
539 HASH_SHA256, PRF_UNDEFINED,
540 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
541 TLS_1_3, TLS_1_3,
542 },
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
545 KEY_ECDSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
551 KEY_ECDSA, ECP_384_BIT,
552 HASH_SHA384, PRF_HMAC_SHA2_384,
553 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
557 KEY_ECDSA, ECP_384_BIT,
558 HASH_SHA256, PRF_HMAC_SHA2_256,
559 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
560 TLS_1_0, TLS_1_2,
561 },
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
563 KEY_ECDSA, ECP_256_BIT,
564 HASH_SHA256, PRF_HMAC_SHA2_256,
565 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
566 TLS_1_2, TLS_1_2,
567 },
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
575 KEY_ECDSA, ECP_256_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
578 TLS_1_0, TLS_1_2,
579 },
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
581 KEY_RSA, ECP_384_BIT,
582 HASH_SHA384, PRF_HMAC_SHA2_384,
583 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
587 KEY_RSA, ECP_384_BIT,
588 HASH_SHA384, PRF_HMAC_SHA2_384,
589 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
593 KEY_RSA, ECP_384_BIT,
594 HASH_SHA256, PRF_HMAC_SHA2_256,
595 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
596 TLS_1_0, TLS_1_2,
597 },
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
599 KEY_RSA, ECP_256_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
602 TLS_1_2, TLS_1_2,
603 },
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
605 KEY_RSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
611 KEY_RSA, ECP_256_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
614 TLS_1_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA384, PRF_HMAC_SHA2_384,
619 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
623 KEY_RSA, MODP_4096_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
626 TLS_1_2, TLS_1_2,
627 },
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
629 KEY_RSA, MODP_3072_BIT,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
635 KEY_RSA, MODP_4096_BIT,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
641 KEY_RSA, MODP_3072_BIT,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
647 KEY_RSA, MODP_3072_BIT,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
653 KEY_RSA, MODP_3072_BIT,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
659 KEY_RSA, MODP_2048_BIT,
660 HASH_SHA256,PRF_HMAC_SHA2_256,
661 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
662 SSL_3_0, TLS_1_2,
663 },
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
665 KEY_RSA, MODP_3072_BIT,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
668 TLS_1_2, TLS_1_2,
669 },
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
671 KEY_RSA, MODP_2048_BIT,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
674 SSL_3_0, TLS_1_2,
675 },
676 { TLS_RSA_WITH_AES_256_GCM_SHA384,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA384, PRF_HMAC_SHA2_384,
679 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
680 TLS_1_2, TLS_1_2,
681 },
682 { TLS_RSA_WITH_AES_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_RSA_WITH_AES_256_CBC_SHA,
689 KEY_RSA, MODP_NONE,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
692 SSL_3_0, TLS_1_2,
693 },
694 { TLS_RSA_WITH_AES_128_GCM_SHA256,
695 KEY_RSA, MODP_NONE,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
698 TLS_1_2, TLS_1_2,
699 },
700 { TLS_RSA_WITH_AES_128_CBC_SHA256,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
704 TLS_1_2, TLS_1_2,
705 },
706 { TLS_RSA_WITH_AES_128_CBC_SHA,
707 KEY_RSA, MODP_NONE,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
710 SSL_3_0, TLS_1_2,
711 },
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
713 KEY_RSA, MODP_NONE,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
716 TLS_1_2, TLS_1_2,
717 },
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
734 SSL_3_0, TLS_1_2,
735 },
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
737 KEY_ECDSA, ECP_256_BIT,
738 HASH_SHA256, PRF_HMAC_SHA2_256,
739 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
740 TLS_1_0, TLS_1_2,
741 },
742 { TLS_ECDHE_RSA_WITH_NULL_SHA,
743 KEY_ECDSA, ECP_256_BIT,
744 HASH_SHA256, PRF_HMAC_SHA2_256,
745 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
746 TLS_1_0, TLS_1_2,
747 },
748 { TLS_RSA_WITH_NULL_SHA256,
749 KEY_RSA, MODP_NONE,
750 HASH_SHA256, PRF_HMAC_SHA2_256,
751 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
752 TLS_1_2, TLS_1_2,
753 },
754 { TLS_RSA_WITH_NULL_SHA,
755 KEY_RSA, MODP_NONE,
756 HASH_SHA256, PRF_HMAC_SHA2_256,
757 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
758 SSL_3_0, TLS_1_2,
759 },
760 };
761
762 /**
763 * Look up algorithms by a suite
764 */
765 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
766 {
767 int i;
768
769 for (i = 0; i < countof(suite_algs); i++)
770 {
771 if (suite_algs[i].suite == suite)
772 {
773 return &suite_algs[i];
774 }
775 }
776 return NULL;
777 }
778
779 /**
780 * Filter a suite list using a transform enumerator
781 */
782 static void filter_suite(suite_algs_t suites[], int *count, int offset,
783 enumerator_t*(*create_enumerator)(crypto_factory_t*))
784 {
785 const char *plugin_name;
786 suite_algs_t current;
787 int *current_alg, i, remaining = 0;
788 enumerator_t *enumerator;
789
790 memset(&current, 0, sizeof(current));
791 current_alg = (int*)((char*)&current + offset);
792
793 for (i = 0; i < *count; i++)
794 {
795 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
796 encryption_algorithm_is_aead(suites[i].encr))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites[remaining] = suites[i];
799 remaining++;
800 continue;
801 }
802 if (create_enumerator == lib->crypto->create_aead_enumerator &&
803 !encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 enumerator = create_enumerator(lib->crypto);
810 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
811 {
812 if (current.encr && current.encr != suites[i].encr)
813 {
814 if (suites[i].encr != ENCR_NULL)
815 { /* skip, ENCR does not match nor is NULL */
816 continue;
817 }
818 }
819 if (current.mac && current.mac != suites[i].mac)
820 {
821 if (suites[i].mac != AUTH_UNDEFINED)
822 { /* skip, MAC does not match nor is it undefined */
823 continue;
824 }
825 }
826 if (current.prf && current.prf != suites[i].prf)
827 {
828 if (suites[i].prf != PRF_UNDEFINED)
829 {
830 /* skip, PRF does not match nor is it undefined */
831 continue;
832 }
833 }
834 if (current.hash && current.hash != suites[i].hash)
835 { /* skip, hash does not match */
836 continue;
837 }
838 if (current.dh && current.dh != suites[i].dh)
839 {
840 if (suites[i].dh != MODP_NONE)
841 { /* skip DH group, does not match nor NONE */
842 continue;
843 }
844 }
845 /* suite supported, apply */
846 suites[remaining] = suites[i];
847 remaining++;
848 break;
849 }
850 enumerator->destroy(enumerator);
851 }
852 *count = remaining;
853 }
854
855 /**
856 * Purge NULL encryption cipher suites from list
857 */
858 static void filter_null_suites(suite_algs_t suites[], int *count)
859 {
860 int i, remaining = 0;
861
862 for (i = 0; i < *count; i++)
863 {
864 if (suites[i].encr != ENCR_NULL)
865 {
866 suites[remaining] = suites[i];
867 remaining++;
868 }
869 }
870 *count = remaining;
871 }
872
873 /**
874 * Purge suites using a given key type
875 */
876 static void filter_key_suites(private_tls_crypto_t *this,
877 suite_algs_t suites[], int *count, key_type_t key)
878 {
879 int i, remaining = 0;
880
881 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
882 for (i = 0; i < *count; i++)
883 {
884 if (suites[i].key != key)
885 {
886 suites[remaining] = suites[i];
887 remaining++;
888 }
889 }
890 *count = remaining;
891 }
892
893 /**
894 * Filter suites by key exchange user config
895 */
896 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "ecdhe-ecdsa") &&
913 diffie_hellman_group_is_ec(suites[i].dh) &&
914 suites[i].key == KEY_ECDSA)
915 {
916 suites[remaining++] = suites[i];
917 break;
918 }
919 if (strcaseeq(token, "ecdhe-rsa") &&
920 diffie_hellman_group_is_ec(suites[i].dh) &&
921 suites[i].key == KEY_RSA)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "dhe-rsa") &&
927 !diffie_hellman_group_is_ec(suites[i].dh) &&
928 suites[i].dh != MODP_NONE &&
929 suites[i].key == KEY_RSA)
930 {
931 suites[remaining++] = suites[i];
932 break;
933 }
934 if (strcaseeq(token, "rsa") &&
935 suites[i].dh == MODP_NONE &&
936 suites[i].key == KEY_RSA)
937 {
938 suites[remaining++] = suites[i];
939 break;
940 }
941 }
942 enumerator->destroy(enumerator);
943 }
944 *count = remaining;
945 }
946 }
947
948 /**
949 * Filter suites by cipher user config
950 */
951 static void filter_cipher_config_suites(private_tls_crypto_t *this,
952 suite_algs_t suites[], int *count)
953 {
954 enumerator_t *enumerator;
955 int i, remaining = 0;
956 char *token, *config;
957
958 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
959 lib->ns);
960 if (config)
961 {
962 for (i = 0; i < *count; i++)
963 {
964 enumerator = enumerator_create_token(config, ",", " ");
965 while (enumerator->enumerate(enumerator, &token))
966 {
967 if (strcaseeq(token, "aes128") &&
968 suites[i].encr == ENCR_AES_CBC &&
969 suites[i].encr_size == 16)
970 {
971 suites[remaining++] = suites[i];
972 break;
973 }
974 if (strcaseeq(token, "aes256") &&
975 suites[i].encr == ENCR_AES_CBC &&
976 suites[i].encr_size == 32)
977 {
978 suites[remaining++] = suites[i];
979 break;
980 }
981 if (strcaseeq(token, "aes128gcm") &&
982 suites[i].encr == ENCR_AES_GCM_ICV16 &&
983 suites[i].encr_size == 16)
984 {
985 suites[remaining++] = suites[i];
986 break;
987 }
988 if (strcaseeq(token, "aes256gcm") &&
989 suites[i].encr == ENCR_AES_GCM_ICV16 &&
990 suites[i].encr_size == 32)
991 {
992 suites[remaining++] = suites[i];
993 break;
994 }
995 if (strcaseeq(token, "camellia128") &&
996 suites[i].encr == ENCR_CAMELLIA_CBC &&
997 suites[i].encr_size == 16)
998 {
999 suites[remaining++] = suites[i];
1000 break;
1001 }
1002 if (strcaseeq(token, "camellia256") &&
1003 suites[i].encr == ENCR_CAMELLIA_CBC &&
1004 suites[i].encr_size == 32)
1005 {
1006 suites[remaining++] = suites[i];
1007 break;
1008 }
1009 if (strcaseeq(token, "null") &&
1010 suites[i].encr == ENCR_NULL)
1011 {
1012 suites[remaining++] = suites[i];
1013 break;
1014 }
1015 }
1016 enumerator->destroy(enumerator);
1017 }
1018 *count = remaining;
1019 }
1020 }
1021
1022 /**
1023 * Filter suites by mac user config
1024 */
1025 static void filter_mac_config_suites(private_tls_crypto_t *this,
1026 suite_algs_t suites[], int *count)
1027 {
1028 enumerator_t *enumerator;
1029 int i, remaining = 0;
1030 char *token, *config;
1031
1032 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1033 lib->ns);
1034 if (config)
1035 {
1036 for (i = 0; i < *count; i++)
1037 {
1038 enumerator = enumerator_create_token(config, ",", " ");
1039 while (enumerator->enumerate(enumerator, &token))
1040 {
1041 if (strcaseeq(token, "sha1") &&
1042 suites[i].mac == AUTH_HMAC_SHA1_160)
1043 {
1044 suites[remaining++] = suites[i];
1045 break;
1046 }
1047 if (strcaseeq(token, "sha256") &&
1048 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1049 {
1050 suites[remaining++] = suites[i];
1051 break;
1052 }
1053 if (strcaseeq(token, "sha384") &&
1054 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1055 {
1056 suites[remaining++] = suites[i];
1057 break;
1058 }
1059 }
1060 enumerator->destroy(enumerator);
1061 }
1062 *count = remaining;
1063 }
1064 }
1065
1066 /**
1067 * Filter for specific suites specified in strongswan.conf
1068 */
1069 static void filter_specific_config_suites(private_tls_crypto_t *this,
1070 suite_algs_t suites[], int *count)
1071 {
1072 enumerator_t *enumerator;
1073 int i, remaining = 0, suite;
1074 char *token, *config;
1075
1076 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1077 lib->ns);
1078 if (config)
1079 {
1080 for (i = 0; i < *count; i++)
1081 {
1082 enumerator = enumerator_create_token(config, ",", " ");
1083 while (enumerator->enumerate(enumerator, &token))
1084 {
1085 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1086 suite == suites[i].suite)
1087 {
1088 suites[remaining++] = suites[i];
1089 break;
1090 }
1091 }
1092 enumerator->destroy(enumerator);
1093 }
1094 *count = remaining;
1095 }
1096 }
1097
1098 /**
1099 * Filter key exchange curves by curve user config
1100 */
1101 static bool filter_curve_config(tls_named_group_t curve)
1102 {
1103 enumerator_t *enumerator;
1104 char *token, *config;
1105
1106 config = lib->settings->get_str(lib->settings, "%s.tls.ke_group", NULL,
1107 lib->ns);
1108 if (config)
1109 {
1110 enumerator = enumerator_create_token(config, ",", " ");
1111 while (enumerator->enumerate(enumerator, &token))
1112 {
1113 const proposal_token_t *tok;
1114
1115 tok = lib->proposal->get_token(lib->proposal, token);
1116 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1117 curve == tls_ec_group_to_curve(tok->algorithm))
1118 {
1119 enumerator->destroy(enumerator);
1120 return TRUE;
1121 }
1122 }
1123 enumerator->destroy(enumerator);
1124 }
1125 return !config;
1126 }
1127
1128 /**
1129 * Filter out unsupported suites on given suite array
1130 */
1131 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1132 {
1133 /* filter suite list by each algorithm */
1134 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1135 lib->crypto->create_aead_enumerator);
1136 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1137 lib->crypto->create_prf_enumerator);
1138 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1139 lib->crypto->create_crypter_enumerator);
1140 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1141 lib->crypto->create_signer_enumerator);
1142 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1143 lib->crypto->create_hasher_enumerator);
1144 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1145 lib->crypto->create_dh_enumerator);
1146 }
1147
1148 /**
1149 * Initialize the cipher suite list
1150 */
1151 static void build_cipher_suite_list(private_tls_crypto_t *this)
1152 {
1153 suite_algs_t suites[countof(suite_algs)];
1154 tls_version_t min_version, max_version, new_min_version, new_max_version;
1155 bool require_encryption;
1156 int count = 0, i;
1157
1158 switch (this->tls->get_purpose(this->tls))
1159 {
1160 case TLS_PURPOSE_EAP_TLS:
1161 case TLS_PURPOSE_GENERIC_NULLOK:
1162 require_encryption = FALSE;
1163 break;
1164 case TLS_PURPOSE_EAP_PEAP:
1165 case TLS_PURPOSE_EAP_TTLS:
1166 case TLS_PURPOSE_GENERIC:
1167 require_encryption = TRUE;
1168 break;
1169 default:
1170 return;
1171 }
1172
1173 min_version = this->tls->get_version_min(this->tls);
1174 max_version = this->tls->get_version_max(this->tls);
1175
1176 /* copy all suites appropriate for the current min/max versions */
1177 for (i = 0; i < countof(suite_algs); i++)
1178 {
1179 if (suite_algs[i].min_version <= max_version &&
1180 suite_algs[i].max_version >= min_version)
1181 {
1182 suites[count++] = suite_algs[i];
1183 }
1184 }
1185
1186 if (require_encryption)
1187 {
1188 filter_null_suites(suites, &count);
1189 }
1190 if (!this->rsa)
1191 {
1192 filter_key_suites(this, suites, &count, KEY_RSA);
1193 }
1194 if (!this->ecdsa)
1195 {
1196 filter_key_suites(this, suites, &count, KEY_ECDSA);
1197 }
1198
1199 filter_unsupported_suites(suites, &count);
1200
1201 /* filter suites with strongswan.conf options */
1202 filter_key_exchange_config_suites(this, suites, &count);
1203 filter_cipher_config_suites(this, suites, &count);
1204 filter_mac_config_suites(this, suites, &count);
1205 filter_specific_config_suites(this, suites, &count);
1206
1207 free(this->suites);
1208 this->suite_count = count;
1209 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1210
1211 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1212 new_min_version = max_version;
1213 new_max_version = min_version;
1214 for (i = 0; i < count; i++)
1215 {
1216 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1217 this->suites[i] = suites[i].suite;
1218
1219 /* set TLS min/max versions appropriate to the final cipher suites */
1220 new_max_version = max(new_max_version, suites[i].max_version);
1221 new_min_version = min(new_min_version, suites[i].min_version);
1222 }
1223 new_max_version = min(new_max_version, max_version);
1224 new_min_version = max(new_min_version, min_version);
1225
1226 if ((min_version != new_min_version || max_version != new_max_version) &&
1227 this->tls->set_version(this->tls, new_min_version, new_max_version))
1228 {
1229 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1230 tls_numeric_version_names, new_min_version,
1231 tls_numeric_version_names, new_max_version);
1232 }
1233 }
1234
1235 METHOD(tls_crypto_t, get_cipher_suites, int,
1236 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1237 {
1238 if (!this->suites)
1239 {
1240 build_cipher_suite_list(this);
1241 }
1242 if (suites)
1243 {
1244 *suites = this->suites;
1245 }
1246 return this->suite_count;
1247 }
1248
1249 /**
1250 * Create NULL encryption transforms
1251 */
1252 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1253 {
1254 this->aead_in = tls_aead_create_null(algs->mac);
1255 this->aead_out = tls_aead_create_null(algs->mac);
1256 if (!this->aead_in || !this->aead_out)
1257 {
1258 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1259 integrity_algorithm_names, algs->mac);
1260 return FALSE;
1261 }
1262 return TRUE;
1263 }
1264
1265 /**
1266 * Create traditional transforms
1267 */
1268 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1269 {
1270 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1271 {
1272 this->aead_in = tls_aead_create_implicit(algs->mac,
1273 algs->encr, algs->encr_size);
1274 this->aead_out = tls_aead_create_implicit(algs->mac,
1275 algs->encr, algs->encr_size);
1276 }
1277 else
1278 {
1279 this->aead_in = tls_aead_create_explicit(algs->mac,
1280 algs->encr, algs->encr_size);
1281 this->aead_out = tls_aead_create_explicit(algs->mac,
1282 algs->encr, algs->encr_size);
1283 }
1284 if (!this->aead_in || !this->aead_out)
1285 {
1286 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1287 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1288 integrity_algorithm_names, algs->mac);
1289 return FALSE;
1290 }
1291 return TRUE;
1292 }
1293
1294 /**
1295 * Create AEAD transforms
1296 */
1297 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1298 {
1299 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1300 {
1301 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1302 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1303 }
1304 else
1305 {
1306 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1307 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1308 }
1309 if (!this->aead_in || !this->aead_out)
1310 {
1311 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1312 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1313 return FALSE;
1314 }
1315 return TRUE;
1316 }
1317
1318 /**
1319 * Clean up and unset AEAD transforms
1320 */
1321 static void destroy_aeads(private_tls_crypto_t *this)
1322 {
1323 DESTROY_IF(this->aead_in);
1324 DESTROY_IF(this->aead_out);
1325 this->aead_in = this->aead_out = NULL;
1326 }
1327
1328 /**
1329 * Create crypto primitives
1330 */
1331 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1332 {
1333 destroy_aeads(this);
1334 DESTROY_IF(this->hkdf);
1335 DESTROY_IF(this->prf);
1336 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1337 {
1338 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1339 {
1340 this->prf = tls_prf_create_10();
1341 }
1342 else
1343 {
1344 this->prf = tls_prf_create_12(algs->prf);
1345 }
1346 if (!this->prf)
1347 {
1348 DBG1(DBG_TLS, "selected TLS PRF not supported");
1349 return FALSE;
1350 }
1351 }
1352 else
1353 {
1354 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1355 if (!this->hkdf)
1356 {
1357 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1358 return FALSE;
1359 }
1360 }
1361 if (algs->encr == ENCR_NULL)
1362 {
1363 if (create_null(this, algs))
1364 {
1365 return TRUE;
1366 }
1367 }
1368 else if (encryption_algorithm_is_aead(algs->encr))
1369 {
1370 if (create_aead(this, algs))
1371 {
1372 return TRUE;
1373 }
1374 }
1375 else
1376 {
1377 if (create_traditional(this, algs))
1378 {
1379 return TRUE;
1380 }
1381 }
1382 destroy_aeads(this);
1383 return FALSE;
1384 }
1385
1386 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1387 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1388 key_type_t key)
1389 {
1390 suite_algs_t *algs;
1391 int i, j;
1392
1393 for (i = 0; i < this->suite_count; i++)
1394 {
1395 for (j = 0; j < count; j++)
1396 {
1397 if (this->suites[i] == suites[j])
1398 {
1399 algs = find_suite(this->suites[i]);
1400 if (algs)
1401 {
1402 if (key == KEY_ANY || key == algs->key ||
1403 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1404 (algs->key == KEY_ECDSA && key == KEY_ED448))
1405 {
1406 if (create_ciphers(this, algs))
1407 {
1408 this->suite = this->suites[i];
1409 return this->suite;
1410 }
1411 }
1412 }
1413 }
1414 }
1415 }
1416 return 0;
1417 }
1418
1419 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1420 private_tls_crypto_t *this)
1421 {
1422 suite_algs_t *algs;
1423
1424 algs = find_suite(this->suite);
1425 if (algs)
1426 {
1427 return algs->dh;
1428 }
1429 return MODP_NONE;
1430 }
1431
1432 /**
1433 * Parameters for RSA/PSS signature schemes
1434 */
1435 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1436 .hash = HASH_SHA##bits, \
1437 .mgf1_hash = HASH_SHA##bits, \
1438 .salt_len = HASH_SIZE_SHA##bits, \
1439 }
1440
1441 PSS_PARAMS(256);
1442 PSS_PARAMS(384);
1443 PSS_PARAMS(512);
1444
1445 typedef struct {
1446 tls_signature_scheme_t sig;
1447 signature_params_t params;
1448 /* min/max versions for use in CertificateVerify */
1449 tls_version_t min_version;
1450 tls_version_t max_version;
1451 } scheme_algs_t;
1452
1453 /**
1454 * Map TLS signature schemes, ordered by preference
1455 */
1456 static scheme_algs_t schemes[] = {
1457 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1458 TLS_1_0, TLS_1_3 },
1459 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1460 TLS_1_0, TLS_1_3 },
1461 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1462 TLS_1_0, TLS_1_3 },
1463 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1464 TLS_1_0, TLS_1_3 },
1465 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1466 TLS_1_0, TLS_1_3 },
1467 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1468 TLS_1_2, TLS_1_3 },
1469 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1470 TLS_1_2, TLS_1_3 },
1471 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1472 TLS_1_2, TLS_1_3 },
1473 /* the parameters for the next three should actually be taken from the
1474 * public key, we currently don't have an API for that, so assume defaults */
1475 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1476 TLS_1_2, TLS_1_3 },
1477 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1478 TLS_1_2, TLS_1_3 },
1479 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1480 TLS_1_2, TLS_1_3 },
1481 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1482 TLS_1_0, TLS_1_2 },
1483 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1484 TLS_1_0, TLS_1_2 },
1485 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1486 TLS_1_0, TLS_1_2 },
1487 };
1488
1489 /**
1490 * Filter signature scheme config
1491 */
1492 static bool filter_signature_scheme_config(tls_signature_scheme_t signature)
1493 {
1494 enumerator_t *enumerator;
1495 char *token, *config;
1496
1497 config = lib->settings->get_str(lib->settings, "%s.tls.signature", NULL,
1498 lib->ns);
1499 if (config)
1500 {
1501 enumerator = enumerator_create_token(config, ",", " ");
1502 while (enumerator->enumerate(enumerator, &token))
1503 {
1504 tls_signature_scheme_t sig;
1505
1506 if (enum_from_name(tls_signature_scheme_names, token, &sig) &&
1507 sig == signature)
1508 {
1509 enumerator->destroy(enumerator);
1510 return TRUE;
1511 }
1512 }
1513 enumerator->destroy(enumerator);
1514 }
1515 return !config;
1516 }
1517
1518 METHOD(tls_crypto_t, get_signature_algorithms, void,
1519 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1520 {
1521 bio_writer_t *supported;
1522 tls_version_t min_version, max_version;
1523 int i;
1524
1525 supported = bio_writer_create(32);
1526
1527 if (!cert)
1528 {
1529 min_version = this->tls->get_version_min(this->tls);
1530 max_version = this->tls->get_version_max(this->tls);
1531 }
1532
1533 for (i = 0; i < countof(schemes); i++)
1534 {
1535 if ((cert || (schemes[i].min_version <= max_version &&
1536 schemes[i].max_version >= min_version)) &&
1537 lib->plugins->has_feature(lib->plugins,
1538 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)) &&
1539 filter_signature_scheme_config(schemes[i].sig))
1540 {
1541 supported->write_uint16(supported, schemes[i].sig);
1542 }
1543 }
1544
1545 writer->write_data16(writer, supported->get_buf(supported));
1546 supported->destroy(supported);
1547 }
1548
1549 /**
1550 * Get the signature parameters from a TLS signature scheme
1551 */
1552 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1553 bool sign)
1554 {
1555 int i;
1556
1557 for (i = 0; i < countof(schemes); i++)
1558 {
1559 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1560 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1561 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1562 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1563 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1564 {
1565 continue;
1566 }
1567 if (schemes[i].sig == sig)
1568 {
1569 return &schemes[i].params;
1570 }
1571 }
1572 return NULL;
1573 }
1574
1575 /**
1576 * Mapping groups to TLS named curves
1577 */
1578 static struct {
1579 diffie_hellman_group_t group;
1580 tls_named_group_t curve;
1581 } curves[] = {
1582 { ECP_256_BIT, TLS_SECP256R1},
1583 { ECP_384_BIT, TLS_SECP384R1},
1584 { ECP_521_BIT, TLS_SECP521R1},
1585 { ECP_224_BIT, TLS_SECP224R1},
1586 { ECP_192_BIT, TLS_SECP192R1},
1587 { CURVE_25519, TLS_CURVE25519},
1588 { CURVE_448, TLS_CURVE448},
1589 };
1590
1591 CALLBACK(group_filter, bool,
1592 void *null, enumerator_t *orig, va_list args)
1593 {
1594 diffie_hellman_group_t group, *group_out;
1595 tls_named_group_t curve, *curve_out;
1596 char *plugin;
1597
1598 VA_ARGS_VGET(args, group_out, curve_out);
1599
1600 while (orig->enumerate(orig, &group, &plugin))
1601 {
1602 curve = tls_ec_group_to_curve(group);
1603 if (curve)
1604 {
1605 if (group_out)
1606 {
1607 *group_out = group;
1608 }
1609 if (curve_out)
1610 {
1611 *curve_out = curve;
1612 }
1613 return TRUE;
1614 }
1615 }
1616 return FALSE;
1617 }
1618
1619 CALLBACK(config_filter, bool,
1620 void *null, enumerator_t *orig, va_list args)
1621 {
1622 diffie_hellman_group_t group, *group_out;
1623 tls_named_group_t curve, *curve_out;
1624
1625 VA_ARGS_VGET(args, group_out, curve_out);
1626
1627 while (orig->enumerate(orig, &group, &curve))
1628 {
1629 if (filter_curve_config(curve))
1630 {
1631 if (group_out)
1632 {
1633 *group_out = group;
1634 }
1635 if (curve_out)
1636 {
1637 *curve_out = curve;
1638 }
1639 return TRUE;
1640 }
1641 }
1642 return FALSE;
1643 }
1644
1645 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1646 private_tls_crypto_t *this)
1647 {
1648 return enumerator_create_filter(
1649 enumerator_create_filter(
1650 lib->crypto->create_dh_enumerator(lib->crypto),
1651 group_filter, NULL, NULL),
1652 config_filter, NULL, NULL);
1653 }
1654
1655 METHOD(tls_crypto_t, set_protection, void,
1656 private_tls_crypto_t *this, tls_protection_t *protection)
1657 {
1658 this->protection = protection;
1659 }
1660
1661 METHOD(tls_crypto_t, append_handshake, void,
1662 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1663 {
1664 uint32_t header;
1665
1666 /* reconstruct handshake header */
1667 header = htonl(data.len | (type << 24));
1668 this->handshake = chunk_cat("mcc", this->handshake,
1669 chunk_from_thing(header), data);
1670 }
1671
1672 /**
1673 * Create a hash using the suites HASH algorithm
1674 */
1675 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1676 {
1677 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1678 {
1679 hasher_t *hasher;
1680 suite_algs_t *alg;
1681
1682 alg = find_suite(this->suite);
1683 if (!alg)
1684 {
1685 return FALSE;
1686 }
1687 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1688 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1689 {
1690 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1691 DESTROY_IF(hasher);
1692 return FALSE;
1693 }
1694 hasher->destroy(hasher);
1695 }
1696 else
1697 {
1698 hasher_t *md5, *sha1;
1699 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1700
1701 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1702 if (!md5 || !md5->get_hash(md5, data, buf))
1703 {
1704 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1705 DESTROY_IF(md5);
1706 return FALSE;
1707 }
1708 md5->destroy(md5);
1709 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1710 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1711 {
1712 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1713 DESTROY_IF(sha1);
1714 return FALSE;
1715 }
1716 sha1->destroy(sha1);
1717
1718 *hash = chunk_clone(chunk_from_thing(buf));
1719 }
1720 return TRUE;
1721 }
1722
1723 METHOD(tls_crypto_t, hash_handshake, bool,
1724 private_tls_crypto_t *this, chunk_t *out)
1725 {
1726 chunk_t hash;
1727
1728 if (!hash_data(this, this->handshake, &hash))
1729 {
1730 return FALSE;
1731 }
1732
1733 chunk_free(&this->handshake);
1734 append_handshake(this, TLS_MESSAGE_HASH, hash);
1735
1736 if (out)
1737 {
1738 *out = hash;
1739 }
1740 else
1741 {
1742 free(hash.ptr);
1743 }
1744 return TRUE;
1745 }
1746
1747 /**
1748 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1749 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1750 */
1751 static chunk_t tls13_sig_data_server = chunk_from_chars(
1752 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1753 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1754 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1755 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1756 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1757 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1758 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1759 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1760 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1761 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1762 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1763 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1764 0x79, 0x00,
1765 );
1766
1767 /**
1768 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1769 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1770 */
1771 static chunk_t tls13_sig_data_client = chunk_from_chars(
1772 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1773 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1774 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1775 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1776 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1777 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1778 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1779 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1780 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1781 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1782 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1783 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1784 0x79, 0x00,
1785 );
1786
1787 METHOD(tls_crypto_t, sign, bool,
1788 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1789 chunk_t data, chunk_t hashsig)
1790 {
1791 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1792 {
1793 /* fallback to SHA1/RSA and SHA1/ECDSA */
1794 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1795 signature_params_t *params;
1796 key_type_t type;
1797 uint16_t scheme;
1798 bio_reader_t *reader;
1799 chunk_t sig;
1800 bool done = FALSE;
1801
1802 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1803 {
1804 chunk_t transcript_hash;
1805
1806 if (!hash_data(this, data, &transcript_hash))
1807 {
1808 DBG1(DBG_TLS, "unable to create transcript hash");
1809 return FALSE;
1810 }
1811 if (this->tls->is_server(this->tls))
1812 {
1813 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1814 }
1815 else
1816 {
1817 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1818 }
1819 }
1820
1821 if (!hashsig.len)
1822 { /* fallback if none given */
1823 hashsig = hashsig_def;
1824 }
1825 type = key->get_type(key);
1826 reader = bio_reader_create(hashsig);
1827 while (reader->remaining(reader) >= 2)
1828 {
1829 if (reader->read_uint16(reader, &scheme))
1830 {
1831 params = params_for_scheme(scheme, TRUE);
1832 if (params &&
1833 type == key_type_from_signature_scheme(params->scheme) &&
1834 key->sign(key, params->scheme, params->params, data, &sig))
1835 {
1836 done = TRUE;
1837 break;
1838 }
1839 }
1840 }
1841 reader->destroy(reader);
1842 if (!done)
1843 {
1844 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1845 return FALSE;
1846 }
1847 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1848 scheme);
1849 writer->write_uint16(writer, scheme);
1850 writer->write_data16(writer, sig);
1851 free(sig.ptr);
1852 }
1853 else
1854 {
1855 chunk_t sig, hash;
1856 bool done;
1857
1858 switch (key->get_type(key))
1859 {
1860 case KEY_RSA:
1861 if (!hash_data(this, data, &hash))
1862 {
1863 return FALSE;
1864 }
1865 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1866 &sig);
1867 free(hash.ptr);
1868 if (!done)
1869 {
1870 return FALSE;
1871 }
1872 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1873 break;
1874 case KEY_ECDSA:
1875 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1876 {
1877 return FALSE;
1878 }
1879 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1880 break;
1881 case KEY_ED25519:
1882 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1883 {
1884 return FALSE;
1885 }
1886 DBG2(DBG_TLS, "created signature with Ed25519");
1887 break;
1888 case KEY_ED448:
1889 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1890 {
1891 return FALSE;
1892 }
1893 DBG2(DBG_TLS, "created signature with Ed448");
1894 break;
1895 default:
1896 return FALSE;
1897 }
1898 writer->write_data16(writer, sig);
1899 free(sig.ptr);
1900 }
1901 return TRUE;
1902 }
1903
1904 METHOD(tls_crypto_t, verify, bool,
1905 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1906 chunk_t data)
1907 {
1908 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1909 {
1910 signature_params_t *params;
1911 uint16_t scheme;
1912 chunk_t sig;
1913
1914 if (!reader->read_uint16(reader, &scheme) ||
1915 !reader->read_data16(reader, &sig))
1916 {
1917 DBG1(DBG_TLS, "received invalid signature");
1918 return FALSE;
1919 }
1920 params = params_for_scheme(scheme, FALSE);
1921 if (!params)
1922 {
1923 DBG1(DBG_TLS, "signature algorithms %N not supported",
1924 tls_signature_scheme_names, scheme);
1925 return FALSE;
1926 }
1927 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1928 {
1929 chunk_t transcript_hash;
1930
1931 if (!hash_data(this, data, &transcript_hash))
1932 {
1933 DBG1(DBG_TLS, "Unable to create transcript hash");
1934 return FALSE;
1935 }
1936
1937 if (this->tls->is_server(this->tls))
1938 {
1939 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1940 }
1941 else
1942 {
1943 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1944 }
1945 }
1946 if (!key->verify(key, params->scheme, params->params, data, sig))
1947 {
1948 DBG1(DBG_TLS, "signature verification with %N failed",
1949 tls_signature_scheme_names, scheme);
1950 return FALSE;
1951 }
1952 DBG2(DBG_TLS, "verified signature with %N",
1953 tls_signature_scheme_names, scheme);
1954 }
1955 else
1956 {
1957 chunk_t sig, hash;
1958 bool done;
1959
1960 if (!reader->read_data16(reader, &sig))
1961 {
1962 DBG1(DBG_TLS, "received invalid signature");
1963 return FALSE;
1964 }
1965 switch (key->get_type(key))
1966 {
1967 case KEY_RSA:
1968 if (!hash_data(this, data, &hash))
1969 {
1970 return FALSE;
1971 }
1972 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1973 sig);
1974 free(hash.ptr);
1975 if (!done)
1976 {
1977 return FALSE;
1978 }
1979 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1980 break;
1981 case KEY_ECDSA:
1982 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1983 sig))
1984 {
1985 return FALSE;
1986 }
1987 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1988 break;
1989 case KEY_ED25519:
1990 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1991 {
1992 return FALSE;
1993 }
1994 DBG2(DBG_TLS, "verified signature with Ed25519");
1995 break;
1996 case KEY_ED448:
1997 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1998 {
1999 return FALSE;
2000 }
2001 DBG2(DBG_TLS, "verified signature with Ed448");
2002 break;
2003 default:
2004 return FALSE;
2005 }
2006 }
2007 return TRUE;
2008 }
2009
2010 METHOD(tls_crypto_t, sign_handshake, bool,
2011 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
2012 chunk_t hashsig)
2013 {
2014 return sign(this, key, writer, this->handshake, hashsig);
2015 }
2016
2017 METHOD(tls_crypto_t, verify_handshake, bool,
2018 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
2019 {
2020 return verify(this, key, reader, this->handshake);
2021 }
2022
2023 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
2024 private_tls_crypto_t *this, char *label, char out[12])
2025 {
2026 chunk_t seed;
2027
2028 if (!this->prf)
2029 {
2030 return FALSE;
2031 }
2032 if (!hash_data(this, this->handshake, &seed))
2033 {
2034 return FALSE;
2035 }
2036 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
2037 {
2038 free(seed.ptr);
2039 return FALSE;
2040 }
2041 free(seed.ptr);
2042 return TRUE;
2043 }
2044
2045 METHOD(tls_crypto_t, calculate_finished, bool,
2046 private_tls_crypto_t *this, bool server, chunk_t *out)
2047 {
2048 chunk_t finished_key, finished_hash;
2049
2050 if (!this->hkdf)
2051 {
2052 return FALSE;
2053 }
2054 if (!hash_data(this, this->handshake, &finished_hash))
2055 {
2056 DBG1(DBG_TLS, "creating hash of handshake failed");
2057 return FALSE;
2058 }
2059 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2060 {
2061 DBG1(DBG_TLS, "generating finished key failed");
2062 chunk_clear(&finished_hash);
2063 return FALSE;
2064 }
2065 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2066 {
2067 DBG1(DBG_TLS, "generating finished HMAC failed");
2068 chunk_clear(&finished_key);
2069 chunk_clear(&finished_hash);
2070 return FALSE;
2071 }
2072 chunk_clear(&finished_key);
2073 chunk_clear(&finished_hash);
2074 return TRUE;
2075 }
2076
2077 /**
2078 * Derive master secret from premaster, optionally save session
2079 */
2080 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2081 chunk_t session, identification_t *id,
2082 chunk_t client_random, chunk_t server_random)
2083 {
2084 char master[48];
2085 chunk_t seed;
2086
2087 /* derive master secret */
2088 seed = chunk_cata("cc", client_random, server_random);
2089
2090 if (!this->prf->set_key(this->prf, premaster) ||
2091 !this->prf->get_bytes(this->prf, "master secret", seed,
2092 sizeof(master), master) ||
2093 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2094 {
2095 return FALSE;
2096 }
2097
2098 if (this->cache && session.len)
2099 {
2100 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2101 this->suite);
2102 }
2103 memwipe(master, sizeof(master));
2104 return TRUE;
2105 }
2106
2107 /**
2108 * Expand key material from master secret
2109 */
2110 static bool expand_keys(private_tls_crypto_t *this,
2111 chunk_t client_random, chunk_t server_random)
2112 {
2113 chunk_t seed, block;
2114 chunk_t cw_mac, cw, cw_iv;
2115 chunk_t sw_mac, sw, sw_iv;
2116 int mklen, eklen, ivlen;
2117
2118 if (!this->aead_in || !this->aead_out)
2119 {
2120 return FALSE;
2121 }
2122
2123 /* derive key block for key expansion */
2124 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2125 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2126 ivlen = this->aead_in->get_iv_size(this->aead_in);
2127 seed = chunk_cata("cc", server_random, client_random);
2128 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2129 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2130 block.len, block.ptr))
2131 {
2132 return FALSE;
2133 }
2134
2135 /* client/server write signer keys */
2136 cw_mac = chunk_create(block.ptr, mklen);
2137 block = chunk_skip(block, mklen);
2138 sw_mac = chunk_create(block.ptr, mklen);
2139 block = chunk_skip(block, mklen);
2140
2141 /* client/server write encryption keys */
2142 cw = chunk_create(block.ptr, eklen);
2143 block = chunk_skip(block, eklen);
2144 sw = chunk_create(block.ptr, eklen);
2145 block = chunk_skip(block, eklen);
2146
2147 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2148 cw_iv = chunk_create(block.ptr, ivlen);
2149 block = chunk_skip(block, ivlen);
2150 sw_iv = chunk_create(block.ptr, ivlen);
2151 block = chunk_skip(block, ivlen);
2152
2153 if (this->tls->is_server(this->tls))
2154 {
2155 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2156 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2157 {
2158 return FALSE;
2159 }
2160 }
2161 else
2162 {
2163 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2164 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2165 {
2166 return FALSE;
2167 }
2168 }
2169
2170 /* EAP-MSK */
2171 if (this->msk_label)
2172 {
2173 seed = chunk_cata("cc", client_random, server_random);
2174 this->msk = chunk_alloc(64);
2175 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2176 this->msk.len, this->msk.ptr))
2177 {
2178 return FALSE;
2179 }
2180 }
2181 return TRUE;
2182 }
2183
2184 METHOD(tls_crypto_t, derive_secrets, bool,
2185 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2186 identification_t *id, chunk_t client_random, chunk_t server_random)
2187 {
2188 return derive_master(this, premaster, session, id,
2189 client_random, server_random) &&
2190 expand_keys(this, client_random, server_random);
2191 }
2192
2193 /**
2194 * Derive and configure the client/server key/IV on an AEAD using a given label.
2195 */
2196 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2197 tls_hkdf_label_t label, tls_aead_t *aead)
2198 {
2199 chunk_t key = chunk_empty, iv = chunk_empty;
2200 bool success = FALSE;
2201
2202 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2203 NULL) ||
2204 !this->hkdf->derive_key(this->hkdf, server,
2205 aead->get_encr_key_size(aead), &key) ||
2206 !this->hkdf->derive_iv(this->hkdf, server,
2207 aead->get_iv_size(aead), &iv))
2208 {
2209 DBG1(DBG_TLS, "deriving key material failed");
2210 goto out;
2211 }
2212
2213 if (!aead->set_keys(aead, chunk_empty, key, iv))
2214 {
2215 DBG1(DBG_TLS, "setting AEAD key material failed");
2216 goto out;
2217 }
2218 success = TRUE;
2219
2220 out:
2221 chunk_clear(&key);
2222 chunk_clear(&iv);
2223 return success;
2224 }
2225
2226 /**
2227 * Derive and configure the keys/IVs using the given labels.
2228 */
2229 static bool derive_labeled_keys(private_tls_crypto_t *this,
2230 tls_hkdf_label_t client_label,
2231 tls_hkdf_label_t server_label)
2232 {
2233 tls_aead_t *aead_c, *aead_s;
2234 suite_algs_t *algs;
2235
2236 algs = find_suite(this->suite);
2237 destroy_aeads(this);
2238 if (!create_aead(this, algs))
2239 {
2240 return FALSE;
2241 }
2242 aead_c = this->aead_out;
2243 aead_s = this->aead_in;
2244 if (this->tls->is_server(this->tls))
2245 {
2246 aead_c = this->aead_in;
2247 aead_s = this->aead_out;
2248 }
2249 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2250 derive_labeled_key(this, TRUE, server_label, aead_s);
2251 }
2252
2253 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2254 private_tls_crypto_t *this, chunk_t shared_secret)
2255 {
2256 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2257 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2258 TLS_HKDF_S_HS_TRAFFIC);
2259 }
2260
2261 METHOD(tls_crypto_t, derive_app_keys, bool,
2262 private_tls_crypto_t *this)
2263 {
2264 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2265 TLS_HKDF_S_AP_TRAFFIC))
2266 {
2267 return FALSE;
2268 }
2269
2270 /* EAP-MSK */
2271 if (this->msk_label)
2272 {
2273 /* because the length is encoded when expanding key material, we
2274 * request the same number of bytes as FreeRADIUS (the first 64 for
2275 * the MSK, the next for the EMSK, which we just ignore) */
2276 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2277 this->handshake, 128, &this->msk))
2278 {
2279 return FALSE;
2280 }
2281 this->msk.len = 64;
2282 }
2283 return TRUE;
2284 }
2285
2286 METHOD(tls_crypto_t, update_app_keys, bool,
2287 private_tls_crypto_t *this, bool inbound)
2288 {
2289 suite_algs_t *algs;
2290 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2291
2292 algs = find_suite(this->suite);
2293 destroy_aeads(this);
2294 if (!create_aead(this, algs))
2295 {
2296 return FALSE;
2297 }
2298 if (this->tls->is_server(this->tls) != inbound)
2299 {
2300 label = TLS_HKDF_UPD_S_TRAFFIC;
2301 }
2302 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2303 inbound ? this->aead_in : this->aead_out);
2304 }
2305
2306 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2307 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2308 chunk_t client_random, chunk_t server_random)
2309 {
2310 chunk_t master;
2311
2312 if (this->cache && session.len)
2313 {
2314 this->suite = this->cache->lookup(this->cache, session, id, &master);
2315 if (this->suite)
2316 {
2317 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2318 if (this->suite)
2319 {
2320 if (!this->prf->set_key(this->prf, master) ||
2321 !expand_keys(this, client_random, server_random))
2322 {
2323 this->suite = 0;
2324 }
2325 }
2326 chunk_clear(&master);
2327 }
2328 return this->suite;
2329 }
2330 return 0;
2331 }
2332
2333 METHOD(tls_crypto_t, get_session, chunk_t,
2334 private_tls_crypto_t *this, identification_t *server)
2335 {
2336 if (this->cache)
2337 {
2338 return this->cache->check(this->cache, server);
2339 }
2340 return chunk_empty;
2341 }
2342
2343 METHOD(tls_crypto_t, change_cipher, void,
2344 private_tls_crypto_t *this, bool inbound)
2345 {
2346 if (this->protection)
2347 {
2348 if (inbound)
2349 {
2350 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2351 this->aead_in = NULL;
2352 }
2353 else
2354 {
2355 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2356 this->aead_out = NULL;
2357 }
2358 }
2359 }
2360
2361 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2362 private_tls_crypto_t *this)
2363 {
2364 return this->msk;
2365 }
2366
2367 METHOD(tls_crypto_t, destroy, void,
2368 private_tls_crypto_t *this)
2369 {
2370 destroy_aeads(this);
2371 free(this->handshake.ptr);
2372 free(this->msk.ptr);
2373 DESTROY_IF(this->prf);
2374 DESTROY_IF(this->hkdf);
2375 free(this->suites);
2376 free(this);
2377 }
2378
2379 /**
2380 * See header
2381 */
2382 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2383 {
2384 private_tls_crypto_t *this;
2385 enumerator_t *enumerator;
2386 credential_type_t type;
2387 int subtype;
2388
2389 INIT(this,
2390 .public = {
2391 .get_cipher_suites = _get_cipher_suites,
2392 .select_cipher_suite = _select_cipher_suite,
2393 .get_dh_group = _get_dh_group,
2394 .get_signature_algorithms = _get_signature_algorithms,
2395 .create_ec_enumerator = _create_ec_enumerator,
2396 .set_protection = _set_protection,
2397 .append_handshake = _append_handshake,
2398 .hash_handshake = _hash_handshake,
2399 .sign = _sign,
2400 .verify = _verify,
2401 .sign_handshake = _sign_handshake,
2402 .verify_handshake = _verify_handshake,
2403 .calculate_finished_legacy = _calculate_finished_legacy,
2404 .calculate_finished = _calculate_finished,
2405 .derive_secrets = _derive_secrets,
2406 .derive_handshake_keys = _derive_handshake_keys,
2407 .derive_app_keys = _derive_app_keys,
2408 .update_app_keys = _update_app_keys,
2409 .resume_session = _resume_session,
2410 .get_session = _get_session,
2411 .change_cipher = _change_cipher,
2412 .get_eap_msk = _get_eap_msk,
2413 .destroy = _destroy,
2414 },
2415 .tls = tls,
2416 .cache = cache,
2417 );
2418
2419 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2420 * separation would be welcome. */
2421 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2422 while (enumerator->enumerate(enumerator, &type, &subtype))
2423 {
2424 if (type == CRED_PUBLIC_KEY)
2425 {
2426 switch (subtype)
2427 {
2428 case KEY_RSA:
2429 this->rsa = TRUE;
2430 break;
2431 case KEY_ECDSA:
2432 case KEY_ED25519:
2433 case KEY_ED448:
2434 this->ecdsa = TRUE;
2435 break;
2436 default:
2437 break;
2438 }
2439 }
2440 }
2441 enumerator->destroy(enumerator);
2442
2443 switch (tls->get_purpose(tls))
2444 {
2445 case TLS_PURPOSE_EAP_TLS:
2446 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2447 this->msk_label = "client EAP encryption";
2448 break;
2449 case TLS_PURPOSE_EAP_PEAP:
2450 this->msk_label = "client EAP encryption";
2451 break;
2452 case TLS_PURPOSE_EAP_TTLS:
2453 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2454 this->msk_label = "ttls keying material";
2455 break;
2456 default:
2457 break;
2458 }
2459 return &this->public;
2460 }
2461
2462 /**
2463 * See header.
2464 */
2465 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2466 tls_cipher_suite_t **out)
2467 {
2468 suite_algs_t suites[countof(suite_algs)];
2469 int count = 0, i;
2470
2471 /* initialize copy of suite list */
2472 for (i = 0; i < countof(suite_algs); i++)
2473 {
2474 if (suite_algs[i].min_version <= version &&
2475 suite_algs[i].max_version >= version)
2476 {
2477 suites[count++] = suite_algs[i];
2478 }
2479 }
2480
2481 filter_unsupported_suites(suites, &count);
2482
2483 if (!null)
2484 {
2485 filter_null_suites(suites, &count);
2486 }
2487
2488 if (out)
2489 {
2490 *out = calloc(count, sizeof(tls_cipher_suite_t));
2491 for (i = 0; i < count; i++)
2492 {
2493 (*out)[i] = suites[i].suite;
2494 }
2495 }
2496 return count;
2497 }
2498
2499 /**
2500 * See header.
2501 */
2502 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2503 {
2504 enumerator_t *enumerator;
2505 diffie_hellman_group_t groups[countof(curves)];
2506 diffie_hellman_group_t group;
2507 tls_named_group_t curve;
2508 int count = 0, i;
2509
2510 enumerator = enumerator_create_filter(
2511 lib->crypto->create_dh_enumerator(lib->crypto),
2512 group_filter, NULL, NULL);
2513
2514 while (enumerator->enumerate(enumerator, &group, &curve))
2515 {
2516 groups[count++] = group;
2517 }
2518 enumerator->destroy(enumerator);
2519
2520 if (out)
2521 {
2522 *out = calloc(count, sizeof(diffie_hellman_group_t));
2523 for (i = 0; i < count; i++)
2524 {
2525 (*out)[i] = groups[i];
2526 }
2527 }
2528 return count;
2529 }
2530
2531 /**
2532 * See header.
2533 */
2534 int tls_crypto_get_supported_signatures(tls_version_t version,
2535 tls_signature_scheme_t **out)
2536 {
2537 scheme_algs_t sigs[countof(schemes)];
2538 int count = 0, i;
2539
2540 /* initialize copy of signature scheme list */
2541 for (i = 0; i < countof(schemes); i++)
2542 {
2543 /* only RSA_PSS_RSAE schemes supported for signing and verifying */
2544 if (schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
2545 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
2546 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA512)
2547 {
2548 continue;
2549 }
2550 if (schemes[i].min_version <= version &&
2551 schemes[i].max_version >= version &&
2552 lib->plugins->has_feature(lib->plugins,
2553 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
2554 {
2555 sigs[count++] = schemes[i];
2556 }
2557 }
2558
2559 if (out)
2560 {
2561 *out = calloc(count, sizeof(tls_signature_scheme_t));
2562 for (i = 0; i < count; i++)
2563 {
2564 (*out)[i] = sigs[i].sig;
2565 }
2566 }
2567 return count;
2568 }
2569
2570 /**
2571 * See header.
2572 */
2573 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2574 {
2575 int i;
2576
2577 for (i = 0; i < countof(curves); i++)
2578 {
2579 if (curves[i].group == group)
2580 {
2581 return curves[i].curve;
2582 }
2583 }
2584 return 0;
2585 }
2586
2587 /**
2588 * See header.
2589 */
2590 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2591 {
2592 int i;
2593
2594 for (i = 0; i < countof(schemes); i++)
2595 {
2596 if (schemes[i].sig == sig)
2597 {
2598 return key_type_from_signature_scheme(schemes[i].params.scheme);
2599 }
2600 }
2601 return 0;
2602 }
2603
2604 /**
2605 * Hashtable hash function
2606 */
2607 static u_int hash_key_type(key_type_t *type)
2608 {
2609 return chunk_hash(chunk_from_thing(*type));
2610 }
2611
2612 /**
2613 * Hashtable equals function
2614 */
2615 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2616 {
2617 return *key1 == *key2;
2618 }
2619
2620 CALLBACK(filter_key_types, bool,
2621 void *data, enumerator_t *orig, va_list args)
2622 {
2623 key_type_t *key_type, *out;
2624
2625 VA_ARGS_VGET(args, out);
2626
2627 if (orig->enumerate(orig, NULL, &key_type))
2628 {
2629 *out = *key_type;
2630 return TRUE;
2631 }
2632 return FALSE;
2633 }
2634
2635 CALLBACK(destroy_key_types, void,
2636 hashtable_t *ht)
2637 {
2638 ht->destroy_function(ht, (void*)free);
2639 }
2640
2641 /**
2642 * Create an enumerator over supported key types within a specific TLS range
2643 */
2644 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2645 tls_version_t max_version)
2646 {
2647 hashtable_t *ht;
2648 key_type_t *type, lookup;
2649 int i;
2650
2651 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2652 (hashtable_equals_t)equals_key_type, 4);
2653 for (i = 0; i < countof(schemes); i++)
2654 {
2655 if (schemes[i].min_version <= max_version &&
2656 schemes[i].max_version >= min_version)
2657 {
2658 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2659 if (!ht->get(ht, &lookup))
2660 {
2661 type = malloc_thing(key_type_t);
2662 *type = lookup;
2663 ht->put(ht, type, type);
2664 }
2665 }
2666 }
2667 return enumerator_create_filter(ht->create_enumerator(ht),
2668 filter_key_types, ht, destroy_key_types);
2669 }
2670
2671 /**
2672 * Create an array of an intersection of server and peer supported key types
2673 */
2674 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2675 {
2676 array_t *key_types;
2677 key_type_t v, lookup;
2678 uint16_t sig_scheme;
2679
2680 key_types = array_create(sizeof(key_type_t), 8);
2681 while (enumerator->enumerate(enumerator, &v))
2682 {
2683 bio_reader_t *reader;
2684
2685 reader = bio_reader_create(hashsig);
2686 while (reader->remaining(reader) &&
2687 reader->read_uint16(reader, &sig_scheme))
2688 {
2689 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2690 if (v == lookup)
2691 {
2692 array_insert(key_types, ARRAY_TAIL, &lookup);
2693 break;
2694 }
2695 }
2696 reader->destroy(reader);
2697 }
2698 return key_types;
2699 }
2700
2701 typedef struct {
2702 enumerator_t public;
2703 array_t *key_types;
2704 identification_t *peer;
2705 private_key_t *key;
2706 auth_cfg_t *auth;
2707 } private_key_enumerator_t;
2708
2709 METHOD(enumerator_t, private_key_enumerate, bool,
2710 private_key_enumerator_t *this, va_list args)
2711 {
2712 key_type_t type;
2713 auth_cfg_t **auth_out;
2714 private_key_t **key_out;
2715
2716 VA_ARGS_VGET(args, key_out, auth_out);
2717
2718 DESTROY_IF(this->key);
2719 DESTROY_IF(this->auth);
2720 this->auth = auth_cfg_create();
2721
2722 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2723 {
2724 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2725 this->auth);
2726 if (this->key)
2727 {
2728 *key_out = this->key;
2729 if (auth_out)
2730 {
2731 *auth_out = this->auth;
2732 }
2733 return TRUE;
2734 }
2735 }
2736 return FALSE;
2737 }
2738
2739 METHOD(enumerator_t, private_key_destroy, void,
2740 private_key_enumerator_t *this)
2741 {
2742 DESTROY_IF(this->key);
2743 DESTROY_IF(this->auth);
2744 array_destroy(this->key_types);
2745 free(this);
2746 }
2747
2748 /**
2749 * See header.
2750 */
2751 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2752 tls_version_t max_version,
2753 chunk_t hashsig,
2754 identification_t *peer)
2755 {
2756 private_key_enumerator_t *enumerator;
2757 enumerator_t *key_types;
2758
2759 key_types = get_supported_key_types(min_version, max_version);
2760
2761 INIT(enumerator,
2762 .public = {
2763 .enumerate = enumerator_enumerate_default,
2764 .venumerate = _private_key_enumerate,
2765 .destroy = _private_key_destroy,
2766 },
2767 .key_types = create_common_key_types(key_types, hashsig),
2768 .peer = peer,
2769 );
2770 key_types->destroy(key_types);
2771
2772 if (!array_count(enumerator->key_types))
2773 {
2774 return NULL;
2775 }
2776 return &enumerator->public;
2777 }