Fixed encoding of TLS extensions (elliptic_curves and signature_algorithms)
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * TLS session cache
374 */
375 tls_cache_t *cache;
376
377 /**
378 * All handshake data concatentated
379 */
380 chunk_t handshake;
381
382 /**
383 * Connection state TLS PRF
384 */
385 tls_prf_t *prf;
386
387 /**
388 * Signer instance for inbound traffic
389 */
390 signer_t *signer_in;
391
392 /**
393 * Signer instance for outbound traffic
394 */
395 signer_t *signer_out;
396
397 /**
398 * Crypter instance for inbound traffic
399 */
400 crypter_t *crypter_in;
401
402 /**
403 * Crypter instance for outbound traffic
404 */
405 crypter_t *crypter_out;
406
407 /**
408 * IV for input decryption, if < TLSv1.2
409 */
410 chunk_t iv_in;
411
412 /**
413 * IV for output decryption, if < TLSv1.2
414 */
415 chunk_t iv_out;
416
417 /**
418 * EAP-[T]TLS MSK
419 */
420 chunk_t msk;
421
422 /**
423 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
424 */
425 char *msk_label;
426 };
427
428 typedef struct {
429 tls_cipher_suite_t suite;
430 key_type_t key;
431 diffie_hellman_group_t dh;
432 hash_algorithm_t hash;
433 pseudo_random_function_t prf;
434 integrity_algorithm_t mac;
435 encryption_algorithm_t encr;
436 size_t encr_size;
437 } suite_algs_t;
438
439 /**
440 * Mapping suites to a set of algorithms
441 */
442 static suite_algs_t suite_algs[] = {
443 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
444 KEY_ECDSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
449 KEY_ECDSA, ECP_256_BIT,
450 HASH_SHA256, PRF_HMAC_SHA2_256,
451 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
452 },
453 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
454 KEY_ECDSA, ECP_384_BIT,
455 HASH_SHA256, PRF_HMAC_SHA2_256,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
459 KEY_ECDSA, ECP_384_BIT,
460 HASH_SHA384, PRF_HMAC_SHA2_384,
461 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
462 },
463 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
464 KEY_RSA, ECP_256_BIT,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
467 },
468 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
469 KEY_RSA, ECP_256_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
472 },
473 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
474 KEY_RSA, ECP_384_BIT,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
477 },
478 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
479 KEY_RSA, ECP_384_BIT,
480 HASH_SHA384, PRF_HMAC_SHA2_384,
481 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
482 },
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
484 KEY_RSA, MODP_2048_BIT,
485 HASH_SHA256,PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
492 },
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
494 KEY_RSA, MODP_3072_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
499 KEY_RSA, MODP_4096_BIT,
500 HASH_SHA256, PRF_HMAC_SHA2_256,
501 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
502 },
503 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
504 KEY_RSA, MODP_2048_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
507 },
508 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
509 KEY_RSA, MODP_3072_BIT,
510 HASH_SHA256, PRF_HMAC_SHA2_256,
511 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
512 },
513 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
514 KEY_RSA, MODP_3072_BIT,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
517 },
518 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
519 KEY_RSA, MODP_4096_BIT,
520 HASH_SHA256, PRF_HMAC_SHA2_256,
521 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
522 },
523 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
524 KEY_RSA, MODP_2048_BIT,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
527 },
528 { TLS_RSA_WITH_AES_128_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
532 },
533 { TLS_RSA_WITH_AES_128_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
537 },
538 { TLS_RSA_WITH_AES_256_CBC_SHA,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
542 },
543 { TLS_RSA_WITH_AES_256_CBC_SHA256,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA256, PRF_HMAC_SHA2_256,
546 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
547 },
548 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
552 },
553 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
554 KEY_RSA, MODP_NONE,
555 HASH_SHA256, PRF_HMAC_SHA2_256,
556 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
557 },
558 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
562 },
563 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
564 KEY_RSA, MODP_NONE,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
567 },
568 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
572 },
573 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
574 KEY_RSA, ECP_256_BIT,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
577 },
578 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
579 KEY_RSA, MODP_NONE,
580 HASH_SHA256, PRF_HMAC_SHA2_256,
581 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
582 },
583 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
584 KEY_ECDSA, ECP_256_BIT,
585 HASH_SHA256, PRF_HMAC_SHA2_256,
586 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
587 },
588 { TLS_ECDHE_RSA_WITH_NULL_SHA,
589 KEY_ECDSA, ECP_256_BIT,
590 HASH_SHA256, PRF_HMAC_SHA2_256,
591 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
592 },
593 { TLS_RSA_WITH_NULL_SHA,
594 KEY_RSA, MODP_NONE,
595 HASH_SHA256, PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
597 },
598 { TLS_RSA_WITH_NULL_SHA256,
599 KEY_RSA, MODP_NONE,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
602 },
603 { TLS_RSA_WITH_NULL_MD5,
604 KEY_RSA, MODP_NONE,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_MD5_128, ENCR_NULL, 0
607 },
608 };
609
610 /**
611 * Look up algorithms by a suite
612 */
613 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
614 {
615 int i;
616
617 for (i = 0; i < countof(suite_algs); i++)
618 {
619 if (suite_algs[i].suite == suite)
620 {
621 return &suite_algs[i];
622 }
623 }
624 return NULL;
625 }
626
627 /**
628 * Filter a suite list using a transform enumerator
629 */
630 static void filter_suite(private_tls_crypto_t *this,
631 suite_algs_t suites[], int *count, int offset,
632 enumerator_t*(*create_enumerator)(crypto_factory_t*))
633 {
634 const char *plugin_name;
635 suite_algs_t current;
636 int *current_alg, i, remaining = 0;
637 enumerator_t *enumerator;
638
639 memset(&current, 0, sizeof(current));
640 current_alg = (int*)((char*)&current + offset);
641
642 for (i = 0; i < *count; i++)
643 {
644 enumerator = create_enumerator(lib->crypto);
645 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
646 {
647 if ((suites[i].encr == ENCR_NULL ||
648 !current.encr || current.encr == suites[i].encr) &&
649 (!current.mac || current.mac == suites[i].mac) &&
650 (!current.prf || current.prf == suites[i].prf) &&
651 (!current.hash || current.hash == suites[i].hash) &&
652 (suites[i].dh == MODP_NONE ||
653 !current.dh || current.dh == suites[i].dh))
654 {
655 suites[remaining] = suites[i];
656 remaining++;
657 break;
658 }
659 }
660 enumerator->destroy(enumerator);
661 }
662 *count = remaining;
663 }
664
665 /**
666 * Purge NULL encryption cipher suites from list
667 */
668 static void filter_null_suites(private_tls_crypto_t *this,
669 suite_algs_t suites[], int *count)
670 {
671 int i, remaining = 0;
672
673 for (i = 0; i < *count; i++)
674 {
675 if (suites[i].encr != ENCR_NULL)
676 {
677 suites[remaining] = suites[i];
678 remaining++;
679 }
680 }
681 *count = remaining;
682 }
683
684 /**
685 * Purge suites using a given key type
686 */
687 static void filter_key_suites(private_tls_crypto_t *this,
688 suite_algs_t suites[], int *count, key_type_t key)
689 {
690 int i, remaining = 0;
691
692 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
693 for (i = 0; i < *count; i++)
694 {
695 if (suites[i].key != key)
696 {
697 suites[remaining] = suites[i];
698 remaining++;
699 }
700 }
701 *count = remaining;
702 }
703
704 /**
705 * Filter suites by key exchange user config
706 */
707 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
708 suite_algs_t suites[], int *count)
709 {
710 enumerator_t *enumerator;
711 int i, remaining = 0;
712 char *token, *config;
713
714 config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
715 if (config)
716 {
717 for (i = 0; i < *count; i++)
718 {
719 enumerator = enumerator_create_token(config, ",", " ");
720 while (enumerator->enumerate(enumerator, &token))
721 {
722 if (strcaseeq(token, "ecdhe-ecdsa") &&
723 diffie_hellman_group_is_ec(suites[i].dh) &&
724 suites[i].key == KEY_ECDSA)
725 {
726 suites[remaining++] = suites[i];
727 break;
728 }
729 if (strcaseeq(token, "ecdhe-rsa") &&
730 diffie_hellman_group_is_ec(suites[i].dh) &&
731 suites[i].key == KEY_RSA)
732 {
733 suites[remaining++] = suites[i];
734 break;
735 }
736 if (strcaseeq(token, "dhe-rsa") &&
737 !diffie_hellman_group_is_ec(suites[i].dh) &&
738 suites[i].dh != MODP_NONE &&
739 suites[i].key == KEY_RSA)
740 {
741 suites[remaining++] = suites[i];
742 break;
743 }
744 if (strcaseeq(token, "rsa") &&
745 suites[i].dh == MODP_NONE &&
746 suites[i].key == KEY_RSA)
747 {
748 suites[remaining++] = suites[i];
749 break;
750 }
751 }
752 enumerator->destroy(enumerator);
753 }
754 *count = remaining;
755 }
756 }
757
758 /**
759 * Filter suites by cipher user config
760 */
761 static void filter_cipher_config_suites(private_tls_crypto_t *this,
762 suite_algs_t suites[], int *count)
763 {
764 enumerator_t *enumerator;
765 int i, remaining = 0;
766 char *token, *config;
767
768 config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
769 if (config)
770 {
771 for (i = 0; i < *count; i++)
772 {
773 enumerator = enumerator_create_token(config, ",", " ");
774 while (enumerator->enumerate(enumerator, &token))
775 {
776 if (strcaseeq(token, "aes128") &&
777 suites[i].encr == ENCR_AES_CBC &&
778 suites[i].encr_size == 16)
779 {
780 suites[remaining++] = suites[i];
781 break;
782 }
783 if (strcaseeq(token, "aes256") &&
784 suites[i].encr == ENCR_AES_CBC &&
785 suites[i].encr_size == 32)
786 {
787 suites[remaining++] = suites[i];
788 break;
789 }
790 if (strcaseeq(token, "camellia128") &&
791 suites[i].encr == ENCR_CAMELLIA_CBC &&
792 suites[i].encr_size == 16)
793 {
794 suites[remaining++] = suites[i];
795 break;
796 }
797 if (strcaseeq(token, "camellia256") &&
798 suites[i].encr == ENCR_CAMELLIA_CBC &&
799 suites[i].encr_size == 32)
800 {
801 suites[remaining++] = suites[i];
802 break;
803 }
804 if (strcaseeq(token, "3des") &&
805 suites[i].encr == ENCR_3DES)
806 {
807 suites[remaining++] = suites[i];
808 break;
809 }
810 if (strcaseeq(token, "null") &&
811 suites[i].encr == ENCR_NULL)
812 {
813 suites[remaining++] = suites[i];
814 break;
815 }
816 }
817 enumerator->destroy(enumerator);
818 }
819 *count = remaining;
820 }
821 }
822
823 /**
824 * Filter suites by mac user config
825 */
826 static void filter_mac_config_suites(private_tls_crypto_t *this,
827 suite_algs_t suites[], int *count)
828 {
829 enumerator_t *enumerator;
830 int i, remaining = 0;
831 char *token, *config;
832
833 config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
834 if (config)
835 {
836 for (i = 0; i < *count; i++)
837 {
838 enumerator = enumerator_create_token(config, ",", " ");
839 while (enumerator->enumerate(enumerator, &token))
840 {
841 if (strcaseeq(token, "md5") &&
842 suites[i].mac == AUTH_HMAC_MD5_128)
843 {
844 suites[remaining++] = suites[i];
845 break;
846 }
847 if (strcaseeq(token, "sha1") &&
848 suites[i].mac == AUTH_HMAC_SHA1_160)
849 {
850 suites[remaining++] = suites[i];
851 break;
852 }
853 if (strcaseeq(token, "sha256") &&
854 suites[i].mac == AUTH_HMAC_SHA2_256_256)
855 {
856 suites[remaining++] = suites[i];
857 break;
858 }
859 if (strcaseeq(token, "sha384") &&
860 suites[i].mac == AUTH_HMAC_SHA2_384_384)
861 {
862 suites[remaining++] = suites[i];
863 break;
864 }
865 }
866 enumerator->destroy(enumerator);
867 }
868 *count = remaining;
869 }
870 }
871
872 /**
873 * Filter for specific suites specified in strongswan.conf
874 */
875 static void filter_specific_config_suites(private_tls_crypto_t *this,
876 suite_algs_t suites[], int *count)
877 {
878 enumerator_t *enumerator;
879 int i, remaining = 0, suite;
880 char *token, *config;
881
882 config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
883 if (config)
884 {
885 for (i = 0; i < *count; i++)
886 {
887 enumerator = enumerator_create_token(config, ",", " ");
888 while (enumerator->enumerate(enumerator, &token))
889 {
890 suite = enum_from_name(tls_cipher_suite_names, token);
891 if (suite == suites[i].suite)
892 {
893 suites[remaining++] = suites[i];
894 break;
895 }
896 }
897 enumerator->destroy(enumerator);
898 }
899 *count = remaining;
900 }
901 }
902
903 /**
904 * Initialize the cipher suite list
905 */
906 static void build_cipher_suite_list(private_tls_crypto_t *this,
907 bool require_encryption)
908 {
909 suite_algs_t suites[countof(suite_algs)];
910 int count = countof(suite_algs), i;
911
912 /* copy all suites */
913 for (i = 0; i < count; i++)
914 {
915 suites[i] = suite_algs[i];
916 }
917 if (require_encryption)
918 {
919 filter_null_suites(this, suites, &count);
920 }
921 if (!this->rsa)
922 {
923 filter_key_suites(this, suites, &count, KEY_RSA);
924 }
925 if (!this->ecdsa)
926 {
927 filter_key_suites(this, suites, &count, KEY_ECDSA);
928 }
929
930 /* filter suite list by each algorithm */
931 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
932 lib->crypto->create_crypter_enumerator);
933 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
934 lib->crypto->create_signer_enumerator);
935 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
936 lib->crypto->create_prf_enumerator);
937 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
938 lib->crypto->create_hasher_enumerator);
939 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
940 lib->crypto->create_dh_enumerator);
941
942 /* filter suites with strongswan.conf options */
943 filter_key_exchange_config_suites(this, suites, &count);
944 filter_cipher_config_suites(this, suites, &count);
945 filter_mac_config_suites(this, suites, &count);
946 filter_specific_config_suites(this, suites, &count);
947
948 free(this->suites);
949 this->suite_count = count;
950 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
951
952 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
953 for (i = 0; i < count; i++)
954 {
955 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
956 this->suites[i] = suites[i].suite;
957 }
958 }
959
960 METHOD(tls_crypto_t, get_cipher_suites, int,
961 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
962 {
963 *suites = this->suites;
964 return this->suite_count;
965 }
966
967 /**
968 * Create crypto primitives
969 */
970 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
971 {
972 DESTROY_IF(this->prf);
973 if (this->tls->get_version(this->tls) < TLS_1_2)
974 {
975 this->prf = tls_prf_create_10();
976 }
977 else
978 {
979 this->prf = tls_prf_create_12(algs->prf);
980 }
981 if (!this->prf)
982 {
983 DBG1(DBG_TLS, "selected TLS PRF not supported");
984 return FALSE;
985 }
986
987 DESTROY_IF(this->signer_in);
988 DESTROY_IF(this->signer_out);
989 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
990 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
991 if (!this->signer_in || !this->signer_out)
992 {
993 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
994 integrity_algorithm_names, algs->mac);
995 return FALSE;
996 }
997
998 DESTROY_IF(this->crypter_in);
999 DESTROY_IF(this->crypter_out);
1000 if (algs->encr == ENCR_NULL)
1001 {
1002 this->crypter_in = this->crypter_out = NULL;
1003 }
1004 else
1005 {
1006 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
1007 algs->encr, algs->encr_size);
1008 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
1009 algs->encr, algs->encr_size);
1010 if (!this->crypter_in || !this->crypter_out)
1011 {
1012 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
1013 encryption_algorithm_names, algs->encr);
1014 return FALSE;
1015 }
1016 }
1017 return TRUE;
1018 }
1019
1020 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1021 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1022 key_type_t key)
1023 {
1024 suite_algs_t *algs;
1025 int i, j;
1026
1027 for (i = 0; i < this->suite_count; i++)
1028 {
1029 for (j = 0; j < count; j++)
1030 {
1031 if (this->suites[i] == suites[j])
1032 {
1033 algs = find_suite(this->suites[i]);
1034 if (algs)
1035 {
1036 if (key == KEY_ANY || key == algs->key)
1037 {
1038 if (create_ciphers(this, algs))
1039 {
1040 this->suite = this->suites[i];
1041 return this->suite;
1042 }
1043 }
1044 }
1045 }
1046 }
1047 }
1048 return 0;
1049 }
1050
1051 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1052 private_tls_crypto_t *this)
1053 {
1054 suite_algs_t *algs;
1055
1056 algs = find_suite(this->suite);
1057 if (algs)
1058 {
1059 return algs->dh;
1060 }
1061 return MODP_NONE;
1062 }
1063
1064 METHOD(tls_crypto_t, get_signature_algorithms, void,
1065 private_tls_crypto_t *this, bio_writer_t *writer)
1066 {
1067 bio_writer_t *supported;
1068 enumerator_t *enumerator;
1069 hash_algorithm_t alg;
1070 tls_hash_algorithm_t hash;
1071 const char *plugin_name;
1072
1073 supported = bio_writer_create(32);
1074 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1075 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1076 {
1077 switch (alg)
1078 {
1079 case HASH_MD5:
1080 hash = TLS_HASH_MD5;
1081 break;
1082 case HASH_SHA1:
1083 hash = TLS_HASH_SHA1;
1084 break;
1085 case HASH_SHA224:
1086 hash = TLS_HASH_SHA224;
1087 break;
1088 case HASH_SHA256:
1089 hash = TLS_HASH_SHA256;
1090 break;
1091 case HASH_SHA384:
1092 hash = TLS_HASH_SHA384;
1093 break;
1094 case HASH_SHA512:
1095 hash = TLS_HASH_SHA512;
1096 break;
1097 default:
1098 continue;
1099 }
1100 if (this->rsa)
1101 {
1102 supported->write_uint8(supported, hash);
1103 supported->write_uint8(supported, TLS_SIG_RSA);
1104 }
1105 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1106 { /* currently we have no signature scheme for MD5/SHA224 */
1107 supported->write_uint8(supported, hash);
1108 supported->write_uint8(supported, TLS_SIG_ECDSA);
1109 }
1110 }
1111 enumerator->destroy(enumerator);
1112
1113 supported->wrap16(supported);
1114 writer->write_data16(writer, supported->get_buf(supported));
1115 supported->destroy(supported);
1116 }
1117
1118 /**
1119 * Mapping groups to TLS named curves
1120 */
1121 static struct {
1122 diffie_hellman_group_t group;
1123 tls_named_curve_t curve;
1124 } curves[] = {
1125 { ECP_256_BIT, TLS_SECP256R1},
1126 { ECP_384_BIT, TLS_SECP384R1},
1127 { ECP_521_BIT, TLS_SECP521R1},
1128 { ECP_224_BIT, TLS_SECP224R1},
1129 { ECP_192_BIT, TLS_SECP192R1},
1130 };
1131
1132 /**
1133 * Filter EC groups, add TLS curve
1134 */
1135 static bool group_filter(void *null,
1136 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1137 void* dummy1, tls_named_curve_t *curve)
1138 {
1139 int i;
1140
1141 for (i = 0; i < countof(curves); i++)
1142 {
1143 if (curves[i].group == *in)
1144 {
1145 if (out)
1146 {
1147 *out = curves[i].group;
1148 }
1149 if (curve)
1150 {
1151 *curve = curves[i].curve;
1152 }
1153 return TRUE;
1154 }
1155 }
1156 return FALSE;
1157 }
1158
1159 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1160 private_tls_crypto_t *this)
1161 {
1162 return enumerator_create_filter(
1163 lib->crypto->create_dh_enumerator(lib->crypto),
1164 (void*)group_filter, NULL, NULL);
1165 }
1166
1167 METHOD(tls_crypto_t, set_protection, void,
1168 private_tls_crypto_t *this, tls_protection_t *protection)
1169 {
1170 this->protection = protection;
1171 }
1172
1173 METHOD(tls_crypto_t, append_handshake, void,
1174 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1175 {
1176 u_int32_t header;
1177
1178 /* reconstruct handshake header */
1179 header = htonl(data.len | (type << 24));
1180 this->handshake = chunk_cat("mcc", this->handshake,
1181 chunk_from_thing(header), data);
1182 }
1183
1184 /**
1185 * Create a hash using the suites HASH algorithm
1186 */
1187 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1188 {
1189 if (this->tls->get_version(this->tls) >= TLS_1_2)
1190 {
1191 hasher_t *hasher;
1192 suite_algs_t *alg;
1193
1194 alg = find_suite(this->suite);
1195 if (!alg)
1196 {
1197 return FALSE;
1198 }
1199 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1200 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1201 {
1202 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1203 DESTROY_IF(hasher);
1204 return FALSE;
1205 }
1206 hasher->destroy(hasher);
1207 }
1208 else
1209 {
1210 hasher_t *md5, *sha1;
1211 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1212
1213 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1214 if (!md5 || !md5->get_hash(md5, data, buf))
1215 {
1216 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1217 DESTROY_IF(md5);
1218 return FALSE;
1219 }
1220 md5->destroy(md5);
1221 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1222 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1223 {
1224 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1225 DESTROY_IF(sha1);
1226 return FALSE;
1227 }
1228 sha1->destroy(sha1);
1229
1230 *hash = chunk_clone(chunk_from_thing(buf));
1231 }
1232 return TRUE;
1233 }
1234
1235 /**
1236 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1237 */
1238 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1239 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1240 {
1241 switch (sig)
1242 {
1243 case TLS_SIG_RSA:
1244 if (type != KEY_RSA)
1245 {
1246 return SIGN_UNKNOWN;
1247 }
1248 switch (hash)
1249 {
1250 case TLS_HASH_MD5:
1251 return SIGN_RSA_EMSA_PKCS1_MD5;
1252 case TLS_HASH_SHA1:
1253 return SIGN_RSA_EMSA_PKCS1_SHA1;
1254 case TLS_HASH_SHA224:
1255 return SIGN_RSA_EMSA_PKCS1_SHA224;
1256 case TLS_HASH_SHA256:
1257 return SIGN_RSA_EMSA_PKCS1_SHA256;
1258 case TLS_HASH_SHA384:
1259 return SIGN_RSA_EMSA_PKCS1_SHA384;
1260 case TLS_HASH_SHA512:
1261 return SIGN_RSA_EMSA_PKCS1_SHA512;
1262 default:
1263 return SIGN_UNKNOWN;
1264 }
1265 case TLS_SIG_ECDSA:
1266 if (type != KEY_ECDSA)
1267 {
1268 return SIGN_UNKNOWN;
1269 }
1270 switch (hash)
1271 {
1272 case TLS_HASH_SHA224:
1273 return SIGN_ECDSA_WITH_SHA1_DER;
1274 case TLS_HASH_SHA256:
1275 return SIGN_ECDSA_WITH_SHA256_DER;
1276 case TLS_HASH_SHA384:
1277 return SIGN_ECDSA_WITH_SHA384_DER;
1278 case TLS_HASH_SHA512:
1279 return SIGN_ECDSA_WITH_SHA512_DER;
1280 default:
1281 return SIGN_UNKNOWN;
1282 }
1283 default:
1284 return SIGN_UNKNOWN;
1285 }
1286 }
1287
1288 METHOD(tls_crypto_t, sign, bool,
1289 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1290 chunk_t data, chunk_t hashsig)
1291 {
1292 if (this->tls->get_version(this->tls) >= TLS_1_2)
1293 {
1294 signature_scheme_t scheme;
1295 bio_reader_t *reader;
1296 u_int8_t hash, alg;
1297 chunk_t sig;
1298 bool done = FALSE;
1299
1300 if (!hashsig.len)
1301 { /* fallback if none given */
1302 hashsig = chunk_from_chars(
1303 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1304 }
1305 reader = bio_reader_create(hashsig);
1306 while (reader->remaining(reader) >= 2)
1307 {
1308 if (reader->read_uint8(reader, &hash) &&
1309 reader->read_uint8(reader, &alg))
1310 {
1311 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1312 if (scheme != SIGN_UNKNOWN &&
1313 key->sign(key, scheme, data, &sig))
1314 {
1315 done = TRUE;
1316 break;
1317 }
1318 }
1319 }
1320 reader->destroy(reader);
1321 if (!done)
1322 {
1323 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1324 return FALSE;
1325 }
1326 DBG2(DBG_TLS, "created signature with %N/%N",
1327 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1328 writer->write_uint8(writer, hash);
1329 writer->write_uint8(writer, alg);
1330 writer->write_data16(writer, sig);
1331 free(sig.ptr);
1332 }
1333 else
1334 {
1335 chunk_t sig, hash;
1336 bool done;
1337
1338 switch (key->get_type(key))
1339 {
1340 case KEY_RSA:
1341 if (!hash_data(this, data, &hash))
1342 {
1343 return FALSE;
1344 }
1345 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1346 free(hash.ptr);
1347 if (!done)
1348 {
1349 return FALSE;
1350 }
1351 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1352 break;
1353 case KEY_ECDSA:
1354 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1355 {
1356 return FALSE;
1357 }
1358 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1359 break;
1360 default:
1361 return FALSE;
1362 }
1363 writer->write_data16(writer, sig);
1364 free(sig.ptr);
1365 }
1366 return TRUE;
1367 }
1368
1369 METHOD(tls_crypto_t, verify, bool,
1370 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1371 chunk_t data)
1372 {
1373 if (this->tls->get_version(this->tls) >= TLS_1_2)
1374 {
1375 signature_scheme_t scheme = SIGN_UNKNOWN;
1376 u_int8_t hash, alg;
1377 chunk_t sig;
1378
1379 if (!reader->read_uint8(reader, &hash) ||
1380 !reader->read_uint8(reader, &alg) ||
1381 !reader->read_data16(reader, &sig))
1382 {
1383 DBG1(DBG_TLS, "received invalid signature");
1384 return FALSE;
1385 }
1386 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1387 if (scheme == SIGN_UNKNOWN)
1388 {
1389 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1390 tls_hash_algorithm_names, hash,
1391 tls_signature_algorithm_names, alg);
1392 return FALSE;
1393 }
1394 if (!key->verify(key, scheme, data, sig))
1395 {
1396 return FALSE;
1397 }
1398 DBG2(DBG_TLS, "verified signature with %N/%N",
1399 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1400 }
1401 else
1402 {
1403 chunk_t sig, hash;
1404 bool done;
1405
1406 if (!reader->read_data16(reader, &sig))
1407 {
1408 DBG1(DBG_TLS, "received invalid signature");
1409 return FALSE;
1410 }
1411 switch (key->get_type(key))
1412 {
1413 case KEY_RSA:
1414 if (!hash_data(this, data, &hash))
1415 {
1416 return FALSE;
1417 }
1418 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1419 free(hash.ptr);
1420 if (!done)
1421 {
1422 return FALSE;
1423 }
1424 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1425 break;
1426 case KEY_ECDSA:
1427 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1428 {
1429 return FALSE;
1430 }
1431 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1432 break;
1433 default:
1434 return FALSE;
1435 }
1436 }
1437 return TRUE;
1438 }
1439
1440 METHOD(tls_crypto_t, sign_handshake, bool,
1441 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1442 chunk_t hashsig)
1443 {
1444 return sign(this, key, writer, this->handshake, hashsig);
1445 }
1446
1447 METHOD(tls_crypto_t, verify_handshake, bool,
1448 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1449 {
1450 return verify(this, key, reader, this->handshake);
1451 }
1452
1453 METHOD(tls_crypto_t, calculate_finished, bool,
1454 private_tls_crypto_t *this, char *label, char out[12])
1455 {
1456 chunk_t seed;
1457
1458 if (!this->prf)
1459 {
1460 return FALSE;
1461 }
1462 if (!hash_data(this, this->handshake, &seed))
1463 {
1464 return FALSE;
1465 }
1466 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1467 {
1468 free(seed.ptr);
1469 return FALSE;
1470 }
1471 free(seed.ptr);
1472 return TRUE;
1473 }
1474
1475 /**
1476 * Derive master secret from premaster, optionally save session
1477 */
1478 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1479 chunk_t session, identification_t *id,
1480 chunk_t client_random, chunk_t server_random)
1481 {
1482 char master[48];
1483 chunk_t seed;
1484
1485 /* derive master secret */
1486 seed = chunk_cata("cc", client_random, server_random);
1487
1488 if (!this->prf->set_key(this->prf, premaster) ||
1489 !this->prf->get_bytes(this->prf, "master secret", seed,
1490 sizeof(master), master) ||
1491 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1492 {
1493 return FALSE;
1494 }
1495
1496 if (this->cache && session.len)
1497 {
1498 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1499 this->suite);
1500 }
1501 memwipe(master, sizeof(master));
1502 return TRUE;
1503 }
1504
1505 /**
1506 * Expand key material from master secret
1507 */
1508 static bool expand_keys(private_tls_crypto_t *this,
1509 chunk_t client_random, chunk_t server_random)
1510 {
1511 chunk_t seed, block, client_write, server_write;
1512 int mks, eks = 0, ivs = 0;
1513
1514 /* derive key block for key expansion */
1515 mks = this->signer_out->get_key_size(this->signer_out);
1516 if (this->crypter_out)
1517 {
1518 eks = this->crypter_out->get_key_size(this->crypter_out);
1519 if (this->tls->get_version(this->tls) < TLS_1_1)
1520 {
1521 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1522 }
1523 }
1524 seed = chunk_cata("cc", server_random, client_random);
1525 block = chunk_alloca((mks + eks + ivs) * 2);
1526 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1527 block.len, block.ptr))
1528 {
1529 return FALSE;
1530 }
1531
1532 /* signer keys */
1533 client_write = chunk_create(block.ptr, mks);
1534 block = chunk_skip(block, mks);
1535 server_write = chunk_create(block.ptr, mks);
1536 block = chunk_skip(block, mks);
1537 if (this->tls->is_server(this->tls))
1538 {
1539 if (!this->signer_in->set_key(this->signer_in, client_write) ||
1540 !this->signer_out->set_key(this->signer_out, server_write))
1541 {
1542 return FALSE;
1543 }
1544 }
1545 else
1546 {
1547 if (!this->signer_out->set_key(this->signer_out, client_write) ||
1548 !this->signer_in->set_key(this->signer_in, server_write))
1549 {
1550 return FALSE;
1551 }
1552 }
1553
1554 /* crypter keys, and IVs if < TLSv1.2 */
1555 if (this->crypter_out && this->crypter_in)
1556 {
1557 client_write = chunk_create(block.ptr, eks);
1558 block = chunk_skip(block, eks);
1559 server_write = chunk_create(block.ptr, eks);
1560 block = chunk_skip(block, eks);
1561
1562 if (this->tls->is_server(this->tls))
1563 {
1564 if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
1565 !this->crypter_out->set_key(this->crypter_out, server_write))
1566 {
1567 return FALSE;
1568 }
1569 }
1570 else
1571 {
1572 if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
1573 !this->crypter_in->set_key(this->crypter_in, server_write))
1574 {
1575 return FALSE;
1576 }
1577 }
1578 if (ivs)
1579 {
1580 client_write = chunk_create(block.ptr, ivs);
1581 block = chunk_skip(block, ivs);
1582 server_write = chunk_create(block.ptr, ivs);
1583 block = chunk_skip(block, ivs);
1584
1585 if (this->tls->is_server(this->tls))
1586 {
1587 this->iv_in = chunk_clone(client_write);
1588 this->iv_out = chunk_clone(server_write);
1589 }
1590 else
1591 {
1592 this->iv_out = chunk_clone(client_write);
1593 this->iv_in = chunk_clone(server_write);
1594 }
1595 }
1596 }
1597
1598 /* EAP-MSK */
1599 if (this->msk_label)
1600 {
1601 seed = chunk_cata("cc", client_random, server_random);
1602 this->msk = chunk_alloc(64);
1603 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1604 this->msk.len, this->msk.ptr))
1605 {
1606 return FALSE;
1607 }
1608 }
1609 return TRUE;
1610 }
1611
1612 METHOD(tls_crypto_t, derive_secrets, bool,
1613 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1614 identification_t *id, chunk_t client_random, chunk_t server_random)
1615 {
1616 return derive_master(this, premaster, session, id,
1617 client_random, server_random) &&
1618 expand_keys(this, client_random, server_random);
1619 }
1620
1621 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1622 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1623 chunk_t client_random, chunk_t server_random)
1624 {
1625 chunk_t master;
1626
1627 if (this->cache && session.len)
1628 {
1629 this->suite = this->cache->lookup(this->cache, session, id, &master);
1630 if (this->suite)
1631 {
1632 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1633 if (this->suite)
1634 {
1635 if (!this->prf->set_key(this->prf, master) ||
1636 !expand_keys(this, client_random, server_random))
1637 {
1638 this->suite = 0;
1639 }
1640 }
1641 chunk_clear(&master);
1642 }
1643 return this->suite;
1644 }
1645 return 0;
1646 }
1647
1648 METHOD(tls_crypto_t, get_session, chunk_t,
1649 private_tls_crypto_t *this, identification_t *server)
1650 {
1651 if (this->cache)
1652 {
1653 return this->cache->check(this->cache, server);
1654 }
1655 return chunk_empty;
1656 }
1657
1658 METHOD(tls_crypto_t, change_cipher, void,
1659 private_tls_crypto_t *this, bool inbound)
1660 {
1661 if (this->protection)
1662 {
1663 if (inbound)
1664 {
1665 this->protection->set_cipher(this->protection, TRUE,
1666 this->signer_in, this->crypter_in, this->iv_in);
1667 }
1668 else
1669 {
1670 this->protection->set_cipher(this->protection, FALSE,
1671 this->signer_out, this->crypter_out, this->iv_out);
1672 }
1673 }
1674 }
1675
1676 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1677 private_tls_crypto_t *this)
1678 {
1679 return this->msk;
1680 }
1681
1682 METHOD(tls_crypto_t, destroy, void,
1683 private_tls_crypto_t *this)
1684 {
1685 DESTROY_IF(this->signer_in);
1686 DESTROY_IF(this->signer_out);
1687 DESTROY_IF(this->crypter_in);
1688 DESTROY_IF(this->crypter_out);
1689 free(this->iv_in.ptr);
1690 free(this->iv_out.ptr);
1691 free(this->handshake.ptr);
1692 free(this->msk.ptr);
1693 DESTROY_IF(this->prf);
1694 free(this->suites);
1695 free(this);
1696 }
1697
1698 /**
1699 * See header
1700 */
1701 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1702 {
1703 private_tls_crypto_t *this;
1704 enumerator_t *enumerator;
1705 credential_type_t type;
1706 int subtype;
1707
1708 INIT(this,
1709 .public = {
1710 .get_cipher_suites = _get_cipher_suites,
1711 .select_cipher_suite = _select_cipher_suite,
1712 .get_dh_group = _get_dh_group,
1713 .get_signature_algorithms = _get_signature_algorithms,
1714 .create_ec_enumerator = _create_ec_enumerator,
1715 .set_protection = _set_protection,
1716 .append_handshake = _append_handshake,
1717 .sign = _sign,
1718 .verify = _verify,
1719 .sign_handshake = _sign_handshake,
1720 .verify_handshake = _verify_handshake,
1721 .calculate_finished = _calculate_finished,
1722 .derive_secrets = _derive_secrets,
1723 .resume_session = _resume_session,
1724 .get_session = _get_session,
1725 .change_cipher = _change_cipher,
1726 .get_eap_msk = _get_eap_msk,
1727 .destroy = _destroy,
1728 },
1729 .tls = tls,
1730 .cache = cache,
1731 );
1732
1733 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1734 while (enumerator->enumerate(enumerator, &type, &subtype))
1735 {
1736 if (type == CRED_PUBLIC_KEY)
1737 {
1738 switch (subtype)
1739 {
1740 case KEY_RSA:
1741 this->rsa = TRUE;
1742 break;
1743 case KEY_ECDSA:
1744 this->ecdsa = TRUE;
1745 break;
1746 default:
1747 break;
1748 }
1749 }
1750 }
1751 enumerator->destroy(enumerator);
1752
1753 switch (tls->get_purpose(tls))
1754 {
1755 case TLS_PURPOSE_EAP_TLS:
1756 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1757 this->msk_label = "client EAP encryption";
1758 build_cipher_suite_list(this, FALSE);
1759 break;
1760 case TLS_PURPOSE_EAP_PEAP:
1761 this->msk_label = "client EAP encryption";
1762 build_cipher_suite_list(this, TRUE);
1763 break;
1764 case TLS_PURPOSE_EAP_TTLS:
1765 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1766 this->msk_label = "ttls keying material";
1767 build_cipher_suite_list(this, TRUE);
1768 break;
1769 case TLS_PURPOSE_GENERIC:
1770 build_cipher_suite_list(this, TRUE);
1771 break;
1772 default:
1773 break;
1774 }
1775 return &this->public;
1776 }