tls-crypto: Rename DH group/key exchange method config option
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
28
29 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
187 TLS_AES_128_CCM_8_SHA256,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384,
196 TLS_AES_128_CCM_8_SHA256,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
263
264
265 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
266 "NONE",
267 "MD5",
268 "SHA1",
269 "SHA224",
270 "SHA256",
271 "SHA384",
272 "SHA512",
273 );
274
275 ENUM_BEGIN(tls_signature_scheme_names,
276 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
277 "RSA_PKCS1_SHA1");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
280 "ECDSA_SHA1");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
283 "RSA_PKCS1_SHA224",
284 "DSA_SHA224",
285 "ECDSA_SHA224");
286 ENUM_NEXT(tls_signature_scheme_names,
287 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
288 "RSA_PKCS1_SHA256",
289 "DSA_SHA256",
290 "ECDSA_SHA256");
291 ENUM_NEXT(tls_signature_scheme_names,
292 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
293 "RSA_PKCS1_SHA384",
294 "DSA_SHA384",
295 "ECDSA_SHA384");
296 ENUM_NEXT(tls_signature_scheme_names,
297 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
298 "RSA_PKCS1_SHA512",
299 "DSA_SHA512",
300 "ECDSA_SHA512");
301 ENUM_NEXT(tls_signature_scheme_names,
302 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
306 "ED25519",
307 "ED448",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
311 );
312 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
313
314 ENUM_BEGIN(tls_client_certificate_type_names,
315 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
316 "RSA_SIGN",
317 "DSA_SIGN",
318 "RSA_FIXED_DH",
319 "DSS_FIXED_DH",
320 "RSA_EPHEMERAL_DH",
321 "DSS_EPHEMERAL_DH");
322 ENUM_NEXT(tls_client_certificate_type_names,
323 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
324 "FORTEZZA_DMS");
325 ENUM_NEXT(tls_client_certificate_type_names,
326 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
327 "ECDSA_SIGN",
328 "RSA_FIXED_ECDH",
329 "ECDSA_FIXED_ECDH");
330 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
331
332 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
333 "EXPLICIT_PRIME",
334 "EXPLICIT_CHAR2",
335 "NAMED_CURVE",
336 );
337
338 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
339 "SECT163K1",
340 "SECT163R1",
341 "SECT163R2",
342 "SECT193R1",
343 "SECT193R2",
344 "SECT233K1",
345 "SECT233R1",
346 "SECT239K1",
347 "SECT283K1",
348 "SECT283R1",
349 "SECT409K1",
350 "SECT409R1",
351 "SECT571K1",
352 "SECT571R1",
353 "SECP160K1",
354 "SECP160R1",
355 "SECP160R2",
356 "SECP192K1",
357 "SECP192R1",
358 "SECP224K1",
359 "SECP224R1",
360 "SECP256K1",
361 "SECP256R1",
362 "SECP384R1",
363 "SECP521R1",
364 );
365 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
366 "CURVE25519",
367 "CURVE448",
368 );
369 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
370 "FFDHE2048",
371 "FFDHE3072",
372 "FFDHE4096",
373 "FFDHE6144",
374 "FFDHE8192",
375 );
376 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
377
378 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
379 "compressed",
380 "compressed y",
381 "uncompressed",
382 "uncompressed y",
383 "hybrid",
384 "hybrid y",
385 );
386
387 ENUM(tls_ec_point_format_names,
388 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
389 "uncompressed",
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
392 );
393
394 typedef struct private_tls_crypto_t private_tls_crypto_t;
395
396 /**
397 * Private data of an tls_crypto_t object.
398 */
399 struct private_tls_crypto_t {
400
401 /**
402 * Public tls_crypto_t interface.
403 */
404 tls_crypto_t public;
405
406 /**
407 * Protection layer
408 */
409 tls_protection_t *protection;
410
411 /**
412 * List of supported/acceptable cipher suites
413 */
414 tls_cipher_suite_t *suites;
415
416 /**
417 * Number of supported suites
418 */
419 int suite_count;
420
421 /**
422 * HKDF for TLS 1.3
423 */
424 tls_hkdf_t *hkdf;
425
426 /**
427 * Selected cipher suite
428 */
429 tls_cipher_suite_t suite;
430
431 /**
432 * RSA supported?
433 */
434 bool rsa;
435
436 /**
437 * ECDSA supported?
438 */
439 bool ecdsa;
440
441 /**
442 * TLS context
443 */
444 tls_t *tls;
445
446 /**
447 * TLS session cache
448 */
449 tls_cache_t *cache;
450
451 /**
452 * All handshake data concatenated
453 */
454 chunk_t handshake;
455
456 /**
457 * Connection state TLS PRF
458 */
459 tls_prf_t *prf;
460
461 /**
462 * AEAD transform for inbound traffic
463 */
464 tls_aead_t *aead_in;
465
466 /**
467 * AEAD transform for outbound traffic
468 */
469 tls_aead_t *aead_out;
470
471 /**
472 * EAP-[T]TLS MSK
473 */
474 chunk_t msk;
475
476 /**
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
478 */
479 char *msk_label;
480 };
481
482 typedef struct {
483 tls_cipher_suite_t suite;
484 key_type_t key;
485 diffie_hellman_group_t dh;
486 hash_algorithm_t hash;
487 pseudo_random_function_t prf;
488 integrity_algorithm_t mac;
489 encryption_algorithm_t encr;
490 size_t encr_size;
491 tls_version_t min_version;
492 tls_version_t max_version;
493 } suite_algs_t;
494
495 /**
496 * Mapping suites to a set of algorithms
497 *
498 * The order represents the descending preference of cipher suites and follows
499 * this rule set:
500 *
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
503 * 3. AES256 > AES128
504 * 4. GCM > CBC
505 * 5. ECDHE > DHE > NULL
506 * 6. ECDSA > RSA
507 * 7. SHA384 > SHA256 > SHA1
508 *
509 */
510 static suite_algs_t suite_algs[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384,
514 KEY_ANY, MODP_NONE,
515 HASH_SHA384, PRF_UNDEFINED,
516 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
517 TLS_1_3, TLS_1_3,
518 },
519 { TLS_AES_128_GCM_SHA256,
520 KEY_ANY, MODP_NONE,
521 HASH_SHA256, PRF_UNDEFINED,
522 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
523 TLS_1_3, TLS_1_3,
524 },
525 { TLS_CHACHA20_POLY1305_SHA256,
526 KEY_ANY, MODP_NONE,
527 HASH_SHA256, PRF_UNDEFINED,
528 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
529 TLS_1_3, TLS_1_3,
530 },
531 { TLS_AES_128_CCM_SHA256,
532 KEY_ANY, MODP_NONE,
533 HASH_SHA256, PRF_UNDEFINED,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
535 TLS_1_3, TLS_1_3,
536 },
537 { TLS_AES_128_CCM_8_SHA256,
538 KEY_ANY, MODP_NONE,
539 HASH_SHA256, PRF_UNDEFINED,
540 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
541 TLS_1_3, TLS_1_3,
542 },
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
545 KEY_ECDSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
551 KEY_ECDSA, ECP_384_BIT,
552 HASH_SHA384, PRF_HMAC_SHA2_384,
553 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
557 KEY_ECDSA, ECP_384_BIT,
558 HASH_SHA256, PRF_HMAC_SHA2_256,
559 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
560 TLS_1_0, TLS_1_2,
561 },
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
563 KEY_ECDSA, ECP_256_BIT,
564 HASH_SHA256, PRF_HMAC_SHA2_256,
565 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
566 TLS_1_2, TLS_1_2,
567 },
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
575 KEY_ECDSA, ECP_256_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
578 TLS_1_0, TLS_1_2,
579 },
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
581 KEY_RSA, ECP_384_BIT,
582 HASH_SHA384, PRF_HMAC_SHA2_384,
583 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
587 KEY_RSA, ECP_384_BIT,
588 HASH_SHA384, PRF_HMAC_SHA2_384,
589 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
593 KEY_RSA, ECP_384_BIT,
594 HASH_SHA256, PRF_HMAC_SHA2_256,
595 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
596 TLS_1_0, TLS_1_2,
597 },
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
599 KEY_RSA, ECP_256_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
602 TLS_1_2, TLS_1_2,
603 },
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
605 KEY_RSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
611 KEY_RSA, ECP_256_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
614 TLS_1_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA384, PRF_HMAC_SHA2_384,
619 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
623 KEY_RSA, MODP_4096_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
626 TLS_1_2, TLS_1_2,
627 },
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
629 KEY_RSA, MODP_3072_BIT,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
635 KEY_RSA, MODP_4096_BIT,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
641 KEY_RSA, MODP_3072_BIT,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
647 KEY_RSA, MODP_3072_BIT,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
653 KEY_RSA, MODP_3072_BIT,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
659 KEY_RSA, MODP_2048_BIT,
660 HASH_SHA256,PRF_HMAC_SHA2_256,
661 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
662 SSL_3_0, TLS_1_2,
663 },
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
665 KEY_RSA, MODP_3072_BIT,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
668 TLS_1_2, TLS_1_2,
669 },
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
671 KEY_RSA, MODP_2048_BIT,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
674 SSL_3_0, TLS_1_2,
675 },
676 { TLS_RSA_WITH_AES_256_GCM_SHA384,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA384, PRF_HMAC_SHA2_384,
679 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
680 TLS_1_2, TLS_1_2,
681 },
682 { TLS_RSA_WITH_AES_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_RSA_WITH_AES_256_CBC_SHA,
689 KEY_RSA, MODP_NONE,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
692 SSL_3_0, TLS_1_2,
693 },
694 { TLS_RSA_WITH_AES_128_GCM_SHA256,
695 KEY_RSA, MODP_NONE,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
698 TLS_1_2, TLS_1_2,
699 },
700 { TLS_RSA_WITH_AES_128_CBC_SHA256,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
704 TLS_1_2, TLS_1_2,
705 },
706 { TLS_RSA_WITH_AES_128_CBC_SHA,
707 KEY_RSA, MODP_NONE,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
710 SSL_3_0, TLS_1_2,
711 },
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
713 KEY_RSA, MODP_NONE,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
716 TLS_1_2, TLS_1_2,
717 },
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
734 SSL_3_0, TLS_1_2,
735 },
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
737 KEY_ECDSA, ECP_256_BIT,
738 HASH_SHA256, PRF_HMAC_SHA2_256,
739 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
740 TLS_1_0, TLS_1_2,
741 },
742 { TLS_ECDHE_RSA_WITH_NULL_SHA,
743 KEY_ECDSA, ECP_256_BIT,
744 HASH_SHA256, PRF_HMAC_SHA2_256,
745 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
746 TLS_1_0, TLS_1_2,
747 },
748 { TLS_RSA_WITH_NULL_SHA256,
749 KEY_RSA, MODP_NONE,
750 HASH_SHA256, PRF_HMAC_SHA2_256,
751 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
752 TLS_1_2, TLS_1_2,
753 },
754 { TLS_RSA_WITH_NULL_SHA,
755 KEY_RSA, MODP_NONE,
756 HASH_SHA256, PRF_HMAC_SHA2_256,
757 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
758 SSL_3_0, TLS_1_2,
759 },
760 };
761
762 /**
763 * Look up algorithms by a suite
764 */
765 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
766 {
767 int i;
768
769 for (i = 0; i < countof(suite_algs); i++)
770 {
771 if (suite_algs[i].suite == suite)
772 {
773 return &suite_algs[i];
774 }
775 }
776 return NULL;
777 }
778
779 /**
780 * Filter a suite list using a transform enumerator
781 */
782 static void filter_suite(suite_algs_t suites[], int *count, int offset,
783 enumerator_t*(*create_enumerator)(crypto_factory_t*))
784 {
785 const char *plugin_name;
786 suite_algs_t current;
787 int *current_alg, i, remaining = 0;
788 enumerator_t *enumerator;
789
790 memset(&current, 0, sizeof(current));
791 current_alg = (int*)((char*)&current + offset);
792
793 for (i = 0; i < *count; i++)
794 {
795 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
796 encryption_algorithm_is_aead(suites[i].encr))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites[remaining] = suites[i];
799 remaining++;
800 continue;
801 }
802 if (create_enumerator == lib->crypto->create_aead_enumerator &&
803 !encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 enumerator = create_enumerator(lib->crypto);
810 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
811 {
812 if (current.encr && current.encr != suites[i].encr)
813 {
814 if (suites[i].encr != ENCR_NULL)
815 { /* skip, ENCR does not match nor is NULL */
816 continue;
817 }
818 }
819 if (current.mac && current.mac != suites[i].mac)
820 {
821 if (suites[i].mac != AUTH_UNDEFINED)
822 { /* skip, MAC does not match nor is it undefined */
823 continue;
824 }
825 }
826 if (current.prf && current.prf != suites[i].prf)
827 {
828 if (suites[i].prf != PRF_UNDEFINED)
829 {
830 /* skip, PRF does not match nor is it undefined */
831 continue;
832 }
833 }
834 if (current.hash && current.hash != suites[i].hash)
835 { /* skip, hash does not match */
836 continue;
837 }
838 if (current.dh && current.dh != suites[i].dh)
839 {
840 if (suites[i].dh != MODP_NONE)
841 { /* skip DH group, does not match nor NONE */
842 continue;
843 }
844 }
845 /* suite supported, apply */
846 suites[remaining] = suites[i];
847 remaining++;
848 break;
849 }
850 enumerator->destroy(enumerator);
851 }
852 *count = remaining;
853 }
854
855 /**
856 * Purge NULL encryption cipher suites from list
857 */
858 static void filter_null_suites(suite_algs_t suites[], int *count)
859 {
860 int i, remaining = 0;
861
862 for (i = 0; i < *count; i++)
863 {
864 if (suites[i].encr != ENCR_NULL)
865 {
866 suites[remaining] = suites[i];
867 remaining++;
868 }
869 }
870 *count = remaining;
871 }
872
873 /**
874 * Purge suites using a given key type
875 */
876 static void filter_key_suites(private_tls_crypto_t *this,
877 suite_algs_t suites[], int *count, key_type_t key)
878 {
879 int i, remaining = 0;
880
881 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
882 for (i = 0; i < *count; i++)
883 {
884 if (suites[i].key != key)
885 {
886 suites[remaining] = suites[i];
887 remaining++;
888 }
889 }
890 *count = remaining;
891 }
892
893 /**
894 * Filter suites by key exchange user config
895 */
896 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "ecdhe-ecdsa") &&
913 diffie_hellman_group_is_ec(suites[i].dh) &&
914 suites[i].key == KEY_ECDSA)
915 {
916 suites[remaining++] = suites[i];
917 break;
918 }
919 if (strcaseeq(token, "ecdhe-rsa") &&
920 diffie_hellman_group_is_ec(suites[i].dh) &&
921 suites[i].key == KEY_RSA)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "dhe-rsa") &&
927 !diffie_hellman_group_is_ec(suites[i].dh) &&
928 suites[i].dh != MODP_NONE &&
929 suites[i].key == KEY_RSA)
930 {
931 suites[remaining++] = suites[i];
932 break;
933 }
934 if (strcaseeq(token, "rsa") &&
935 suites[i].dh == MODP_NONE &&
936 suites[i].key == KEY_RSA)
937 {
938 suites[remaining++] = suites[i];
939 break;
940 }
941 }
942 enumerator->destroy(enumerator);
943 }
944 *count = remaining;
945 }
946 }
947
948 /**
949 * Filter suites by cipher user config
950 */
951 static void filter_cipher_config_suites(private_tls_crypto_t *this,
952 suite_algs_t suites[], int *count)
953 {
954 enumerator_t *enumerator;
955 int i, remaining = 0;
956 char *token, *config;
957
958 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
959 lib->ns);
960 if (config)
961 {
962 for (i = 0; i < *count; i++)
963 {
964 enumerator = enumerator_create_token(config, ",", " ");
965 while (enumerator->enumerate(enumerator, &token))
966 {
967 if (strcaseeq(token, "aes128") &&
968 suites[i].encr == ENCR_AES_CBC &&
969 suites[i].encr_size == 16)
970 {
971 suites[remaining++] = suites[i];
972 break;
973 }
974 if (strcaseeq(token, "aes256") &&
975 suites[i].encr == ENCR_AES_CBC &&
976 suites[i].encr_size == 32)
977 {
978 suites[remaining++] = suites[i];
979 break;
980 }
981 if (strcaseeq(token, "aes128gcm") &&
982 suites[i].encr == ENCR_AES_GCM_ICV16 &&
983 suites[i].encr_size == 16)
984 {
985 suites[remaining++] = suites[i];
986 break;
987 }
988 if (strcaseeq(token, "aes256gcm") &&
989 suites[i].encr == ENCR_AES_GCM_ICV16 &&
990 suites[i].encr_size == 32)
991 {
992 suites[remaining++] = suites[i];
993 break;
994 }
995 if (strcaseeq(token, "camellia128") &&
996 suites[i].encr == ENCR_CAMELLIA_CBC &&
997 suites[i].encr_size == 16)
998 {
999 suites[remaining++] = suites[i];
1000 break;
1001 }
1002 if (strcaseeq(token, "camellia256") &&
1003 suites[i].encr == ENCR_CAMELLIA_CBC &&
1004 suites[i].encr_size == 32)
1005 {
1006 suites[remaining++] = suites[i];
1007 break;
1008 }
1009 if (strcaseeq(token, "null") &&
1010 suites[i].encr == ENCR_NULL)
1011 {
1012 suites[remaining++] = suites[i];
1013 break;
1014 }
1015 }
1016 enumerator->destroy(enumerator);
1017 }
1018 *count = remaining;
1019 }
1020 }
1021
1022 /**
1023 * Filter suites by mac user config
1024 */
1025 static void filter_mac_config_suites(private_tls_crypto_t *this,
1026 suite_algs_t suites[], int *count)
1027 {
1028 enumerator_t *enumerator;
1029 int i, remaining = 0;
1030 char *token, *config;
1031
1032 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1033 lib->ns);
1034 if (config)
1035 {
1036 for (i = 0; i < *count; i++)
1037 {
1038 enumerator = enumerator_create_token(config, ",", " ");
1039 while (enumerator->enumerate(enumerator, &token))
1040 {
1041 if (strcaseeq(token, "sha1") &&
1042 suites[i].mac == AUTH_HMAC_SHA1_160)
1043 {
1044 suites[remaining++] = suites[i];
1045 break;
1046 }
1047 if (strcaseeq(token, "sha256") &&
1048 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1049 {
1050 suites[remaining++] = suites[i];
1051 break;
1052 }
1053 if (strcaseeq(token, "sha384") &&
1054 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1055 {
1056 suites[remaining++] = suites[i];
1057 break;
1058 }
1059 }
1060 enumerator->destroy(enumerator);
1061 }
1062 *count = remaining;
1063 }
1064 }
1065
1066 /**
1067 * Filter for specific suites specified in strongswan.conf
1068 */
1069 static void filter_specific_config_suites(private_tls_crypto_t *this,
1070 suite_algs_t suites[], int *count)
1071 {
1072 enumerator_t *enumerator;
1073 int i, remaining = 0, suite;
1074 char *token, *config;
1075
1076 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1077 lib->ns);
1078 if (config)
1079 {
1080 for (i = 0; i < *count; i++)
1081 {
1082 enumerator = enumerator_create_token(config, ",", " ");
1083 while (enumerator->enumerate(enumerator, &token))
1084 {
1085 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1086 suite == suites[i].suite)
1087 {
1088 suites[remaining++] = suites[i];
1089 break;
1090 }
1091 }
1092 enumerator->destroy(enumerator);
1093 }
1094 *count = remaining;
1095 }
1096 }
1097
1098 /**
1099 * Filter key exchange curves by curve user config
1100 */
1101 static bool filter_curve_config(tls_named_group_t curve)
1102 {
1103 enumerator_t *enumerator;
1104 char *token, *config;
1105
1106 config = lib->settings->get_str(lib->settings, "%s.tls.ke_group", NULL,
1107 lib->ns);
1108 if (config)
1109 {
1110 enumerator = enumerator_create_token(config, ",", " ");
1111 while (enumerator->enumerate(enumerator, &token))
1112 {
1113 const proposal_token_t *tok;
1114
1115 tok = lib->proposal->get_token(lib->proposal, token);
1116 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1117 curve == tls_ec_group_to_curve(tok->algorithm))
1118 {
1119 enumerator->destroy(enumerator);
1120 return TRUE;
1121 }
1122 }
1123 enumerator->destroy(enumerator);
1124 }
1125 return !config;
1126 }
1127
1128 /**
1129 * Filter out unsupported suites on given suite array
1130 */
1131 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1132 {
1133 /* filter suite list by each algorithm */
1134 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1135 lib->crypto->create_aead_enumerator);
1136 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1137 lib->crypto->create_prf_enumerator);
1138 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1139 lib->crypto->create_crypter_enumerator);
1140 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1141 lib->crypto->create_signer_enumerator);
1142 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1143 lib->crypto->create_hasher_enumerator);
1144 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1145 lib->crypto->create_dh_enumerator);
1146 }
1147
1148 /**
1149 * Initialize the cipher suite list
1150 */
1151 static void build_cipher_suite_list(private_tls_crypto_t *this)
1152 {
1153 suite_algs_t suites[countof(suite_algs)];
1154 tls_version_t min_version, max_version, new_min_version, new_max_version;
1155 bool require_encryption;
1156 int count = 0, i;
1157
1158 switch (this->tls->get_purpose(this->tls))
1159 {
1160 case TLS_PURPOSE_EAP_TLS:
1161 case TLS_PURPOSE_GENERIC_NULLOK:
1162 require_encryption = FALSE;
1163 break;
1164 case TLS_PURPOSE_EAP_PEAP:
1165 case TLS_PURPOSE_EAP_TTLS:
1166 case TLS_PURPOSE_GENERIC:
1167 require_encryption = TRUE;
1168 break;
1169 default:
1170 return;
1171 }
1172
1173 min_version = this->tls->get_version_min(this->tls);
1174 max_version = this->tls->get_version_max(this->tls);
1175
1176 /* copy all suites appropriate for the current min/max versions */
1177 for (i = 0; i < countof(suite_algs); i++)
1178 {
1179 if (suite_algs[i].min_version <= max_version &&
1180 suite_algs[i].max_version >= min_version)
1181 {
1182 suites[count++] = suite_algs[i];
1183 }
1184 }
1185
1186 if (require_encryption)
1187 {
1188 filter_null_suites(suites, &count);
1189 }
1190 if (!this->rsa)
1191 {
1192 filter_key_suites(this, suites, &count, KEY_RSA);
1193 }
1194 if (!this->ecdsa)
1195 {
1196 filter_key_suites(this, suites, &count, KEY_ECDSA);
1197 }
1198
1199 filter_unsupported_suites(suites, &count);
1200
1201 /* filter suites with strongswan.conf options */
1202 filter_key_exchange_config_suites(this, suites, &count);
1203 filter_cipher_config_suites(this, suites, &count);
1204 filter_mac_config_suites(this, suites, &count);
1205 filter_specific_config_suites(this, suites, &count);
1206
1207 free(this->suites);
1208 this->suite_count = count;
1209 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1210
1211 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1212 new_min_version = max_version;
1213 new_max_version = min_version;
1214 for (i = 0; i < count; i++)
1215 {
1216 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1217 this->suites[i] = suites[i].suite;
1218
1219 /* set TLS min/max versions appropriate to the final cipher suites */
1220 new_max_version = max(new_max_version, suites[i].max_version);
1221 new_min_version = min(new_min_version, suites[i].min_version);
1222 }
1223 new_max_version = min(new_max_version, max_version);
1224 new_min_version = max(new_min_version, min_version);
1225
1226 if ((min_version != new_min_version || max_version != new_max_version) &&
1227 this->tls->set_version(this->tls, new_min_version, new_max_version))
1228 {
1229 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1230 tls_numeric_version_names, new_min_version,
1231 tls_numeric_version_names, new_max_version);
1232 }
1233 }
1234
1235 METHOD(tls_crypto_t, get_cipher_suites, int,
1236 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1237 {
1238 if (!this->suites)
1239 {
1240 build_cipher_suite_list(this);
1241 }
1242 if (suites)
1243 {
1244 *suites = this->suites;
1245 }
1246 return this->suite_count;
1247 }
1248
1249 /**
1250 * Create NULL encryption transforms
1251 */
1252 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1253 {
1254 this->aead_in = tls_aead_create_null(algs->mac);
1255 this->aead_out = tls_aead_create_null(algs->mac);
1256 if (!this->aead_in || !this->aead_out)
1257 {
1258 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1259 integrity_algorithm_names, algs->mac);
1260 return FALSE;
1261 }
1262 return TRUE;
1263 }
1264
1265 /**
1266 * Create traditional transforms
1267 */
1268 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1269 {
1270 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1271 {
1272 this->aead_in = tls_aead_create_implicit(algs->mac,
1273 algs->encr, algs->encr_size);
1274 this->aead_out = tls_aead_create_implicit(algs->mac,
1275 algs->encr, algs->encr_size);
1276 }
1277 else
1278 {
1279 this->aead_in = tls_aead_create_explicit(algs->mac,
1280 algs->encr, algs->encr_size);
1281 this->aead_out = tls_aead_create_explicit(algs->mac,
1282 algs->encr, algs->encr_size);
1283 }
1284 if (!this->aead_in || !this->aead_out)
1285 {
1286 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1287 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1288 integrity_algorithm_names, algs->mac);
1289 return FALSE;
1290 }
1291 return TRUE;
1292 }
1293
1294 /**
1295 * Create AEAD transforms
1296 */
1297 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1298 {
1299 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1300 {
1301 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1302 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1303 }
1304 else
1305 {
1306 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1307 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1308 }
1309 if (!this->aead_in || !this->aead_out)
1310 {
1311 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1312 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1313 return FALSE;
1314 }
1315 return TRUE;
1316 }
1317
1318 /**
1319 * Clean up and unset AEAD transforms
1320 */
1321 static void destroy_aeads(private_tls_crypto_t *this)
1322 {
1323 DESTROY_IF(this->aead_in);
1324 DESTROY_IF(this->aead_out);
1325 this->aead_in = this->aead_out = NULL;
1326 }
1327
1328 /**
1329 * Create crypto primitives
1330 */
1331 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1332 {
1333 destroy_aeads(this);
1334 DESTROY_IF(this->hkdf);
1335 DESTROY_IF(this->prf);
1336 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1337 {
1338 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1339 {
1340 this->prf = tls_prf_create_10();
1341 }
1342 else
1343 {
1344 this->prf = tls_prf_create_12(algs->prf);
1345 }
1346 if (!this->prf)
1347 {
1348 DBG1(DBG_TLS, "selected TLS PRF not supported");
1349 return FALSE;
1350 }
1351 }
1352 else
1353 {
1354 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1355 if (!this->hkdf)
1356 {
1357 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1358 return FALSE;
1359 }
1360 }
1361 if (algs->encr == ENCR_NULL)
1362 {
1363 if (create_null(this, algs))
1364 {
1365 return TRUE;
1366 }
1367 }
1368 else if (encryption_algorithm_is_aead(algs->encr))
1369 {
1370 if (create_aead(this, algs))
1371 {
1372 return TRUE;
1373 }
1374 }
1375 else
1376 {
1377 if (create_traditional(this, algs))
1378 {
1379 return TRUE;
1380 }
1381 }
1382 destroy_aeads(this);
1383 return FALSE;
1384 }
1385
1386 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1387 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1388 key_type_t key)
1389 {
1390 suite_algs_t *algs;
1391 int i, j;
1392
1393 for (i = 0; i < this->suite_count; i++)
1394 {
1395 for (j = 0; j < count; j++)
1396 {
1397 if (this->suites[i] == suites[j])
1398 {
1399 algs = find_suite(this->suites[i]);
1400 if (algs)
1401 {
1402 if (key == KEY_ANY || key == algs->key ||
1403 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1404 (algs->key == KEY_ECDSA && key == KEY_ED448))
1405 {
1406 if (create_ciphers(this, algs))
1407 {
1408 this->suite = this->suites[i];
1409 return this->suite;
1410 }
1411 }
1412 }
1413 }
1414 }
1415 }
1416 return 0;
1417 }
1418
1419 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1420 private_tls_crypto_t *this)
1421 {
1422 suite_algs_t *algs;
1423
1424 algs = find_suite(this->suite);
1425 if (algs)
1426 {
1427 return algs->dh;
1428 }
1429 return MODP_NONE;
1430 }
1431
1432 /**
1433 * Parameters for RSA/PSS signature schemes
1434 */
1435 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1436 .hash = HASH_SHA##bits, \
1437 .mgf1_hash = HASH_SHA##bits, \
1438 .salt_len = HASH_SIZE_SHA##bits, \
1439 }
1440
1441 PSS_PARAMS(256);
1442 PSS_PARAMS(384);
1443 PSS_PARAMS(512);
1444
1445 /**
1446 * Map TLS signature schemes, ordered by preference
1447 */
1448 static struct {
1449 tls_signature_scheme_t sig;
1450 signature_params_t params;
1451 /* min/max versions for use in CertificateVerify */
1452 tls_version_t min_version;
1453 tls_version_t max_version;
1454 } schemes[] = {
1455 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1456 TLS_1_0, TLS_1_3 },
1457 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1458 TLS_1_0, TLS_1_3 },
1459 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1460 TLS_1_0, TLS_1_3 },
1461 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1462 TLS_1_0, TLS_1_3 },
1463 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1464 TLS_1_0, TLS_1_3 },
1465 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1466 TLS_1_2, TLS_1_3 },
1467 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1468 TLS_1_2, TLS_1_3 },
1469 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1470 TLS_1_2, TLS_1_3 },
1471 /* the parameters for the next three should actually be taken from the
1472 * public key, we currently don't have an API for that, so assume defaults */
1473 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1474 TLS_1_2, TLS_1_3 },
1475 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1476 TLS_1_2, TLS_1_3 },
1477 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1478 TLS_1_2, TLS_1_3 },
1479 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1480 TLS_1_0, TLS_1_2 },
1481 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1482 TLS_1_0, TLS_1_2 },
1483 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1484 TLS_1_0, TLS_1_2 },
1485 };
1486
1487 METHOD(tls_crypto_t, get_signature_algorithms, void,
1488 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1489 {
1490 bio_writer_t *supported;
1491 tls_version_t min_version, max_version;
1492 int i;
1493
1494 supported = bio_writer_create(32);
1495
1496 if (!cert)
1497 {
1498 min_version = this->tls->get_version_min(this->tls);
1499 max_version = this->tls->get_version_max(this->tls);
1500 }
1501
1502 for (i = 0; i < countof(schemes); i++)
1503 {
1504 if ((cert || (schemes[i].min_version <= max_version &&
1505 schemes[i].max_version >= min_version)) &&
1506 lib->plugins->has_feature(lib->plugins,
1507 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1508 {
1509 supported->write_uint16(supported, schemes[i].sig);
1510 }
1511 }
1512
1513 writer->write_data16(writer, supported->get_buf(supported));
1514 supported->destroy(supported);
1515 }
1516
1517 /**
1518 * Get the signature parameters from a TLS signature scheme
1519 */
1520 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1521 bool sign)
1522 {
1523 int i;
1524
1525 for (i = 0; i < countof(schemes); i++)
1526 {
1527 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1528 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1529 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1530 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1531 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1532 {
1533 continue;
1534 }
1535 if (schemes[i].sig == sig)
1536 {
1537 return &schemes[i].params;
1538 }
1539 }
1540 return NULL;
1541 }
1542
1543 /**
1544 * Mapping groups to TLS named curves
1545 */
1546 static struct {
1547 diffie_hellman_group_t group;
1548 tls_named_group_t curve;
1549 } curves[] = {
1550 { ECP_256_BIT, TLS_SECP256R1},
1551 { ECP_384_BIT, TLS_SECP384R1},
1552 { ECP_521_BIT, TLS_SECP521R1},
1553 { ECP_224_BIT, TLS_SECP224R1},
1554 { ECP_192_BIT, TLS_SECP192R1},
1555 { CURVE_25519, TLS_CURVE25519},
1556 { CURVE_448, TLS_CURVE448},
1557 };
1558
1559 CALLBACK(group_filter, bool,
1560 void *null, enumerator_t *orig, va_list args)
1561 {
1562 diffie_hellman_group_t group, *group_out;
1563 tls_named_group_t curve, *curve_out;
1564 char *plugin;
1565
1566 VA_ARGS_VGET(args, group_out, curve_out);
1567
1568 while (orig->enumerate(orig, &group, &plugin))
1569 {
1570 curve = tls_ec_group_to_curve(group);
1571 if (curve)
1572 {
1573 if (group_out)
1574 {
1575 *group_out = group;
1576 }
1577 if (curve_out)
1578 {
1579 *curve_out = curve;
1580 }
1581 return TRUE;
1582 }
1583 }
1584 return FALSE;
1585 }
1586
1587 CALLBACK(config_filter, bool,
1588 void *null, enumerator_t *orig, va_list args)
1589 {
1590 diffie_hellman_group_t group, *group_out;
1591 tls_named_group_t curve, *curve_out;
1592
1593 VA_ARGS_VGET(args, group_out, curve_out);
1594
1595 while (orig->enumerate(orig, &group, &curve))
1596 {
1597 if (filter_curve_config(curve))
1598 {
1599 if (group_out)
1600 {
1601 *group_out = group;
1602 }
1603 if (curve_out)
1604 {
1605 *curve_out = curve;
1606 }
1607 return TRUE;
1608 }
1609 }
1610 return FALSE;
1611 }
1612
1613 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1614 private_tls_crypto_t *this)
1615 {
1616 return enumerator_create_filter(
1617 enumerator_create_filter(
1618 lib->crypto->create_dh_enumerator(lib->crypto),
1619 group_filter, NULL, NULL),
1620 config_filter, NULL, NULL);
1621 }
1622
1623 METHOD(tls_crypto_t, set_protection, void,
1624 private_tls_crypto_t *this, tls_protection_t *protection)
1625 {
1626 this->protection = protection;
1627 }
1628
1629 METHOD(tls_crypto_t, append_handshake, void,
1630 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1631 {
1632 uint32_t header;
1633
1634 /* reconstruct handshake header */
1635 header = htonl(data.len | (type << 24));
1636 this->handshake = chunk_cat("mcc", this->handshake,
1637 chunk_from_thing(header), data);
1638 }
1639
1640 /**
1641 * Create a hash using the suites HASH algorithm
1642 */
1643 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1644 {
1645 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1646 {
1647 hasher_t *hasher;
1648 suite_algs_t *alg;
1649
1650 alg = find_suite(this->suite);
1651 if (!alg)
1652 {
1653 return FALSE;
1654 }
1655 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1656 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1657 {
1658 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1659 DESTROY_IF(hasher);
1660 return FALSE;
1661 }
1662 hasher->destroy(hasher);
1663 }
1664 else
1665 {
1666 hasher_t *md5, *sha1;
1667 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1668
1669 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1670 if (!md5 || !md5->get_hash(md5, data, buf))
1671 {
1672 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1673 DESTROY_IF(md5);
1674 return FALSE;
1675 }
1676 md5->destroy(md5);
1677 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1678 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1679 {
1680 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1681 DESTROY_IF(sha1);
1682 return FALSE;
1683 }
1684 sha1->destroy(sha1);
1685
1686 *hash = chunk_clone(chunk_from_thing(buf));
1687 }
1688 return TRUE;
1689 }
1690
1691 METHOD(tls_crypto_t, hash_handshake, bool,
1692 private_tls_crypto_t *this, chunk_t *out)
1693 {
1694 chunk_t hash;
1695
1696 if (!hash_data(this, this->handshake, &hash))
1697 {
1698 return FALSE;
1699 }
1700
1701 chunk_free(&this->handshake);
1702 append_handshake(this, TLS_MESSAGE_HASH, hash);
1703
1704 if (out)
1705 {
1706 *out = hash;
1707 }
1708 else
1709 {
1710 free(hash.ptr);
1711 }
1712 return TRUE;
1713 }
1714
1715 /**
1716 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1717 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1718 */
1719 static chunk_t tls13_sig_data_server = chunk_from_chars(
1720 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1721 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1722 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1723 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1724 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1725 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1726 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1727 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1728 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1729 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1730 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1731 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1732 0x79, 0x00,
1733 );
1734
1735 /**
1736 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1737 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1738 */
1739 static chunk_t tls13_sig_data_client = chunk_from_chars(
1740 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1741 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1742 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1743 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1744 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1745 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1746 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1747 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1748 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1749 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1750 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1751 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1752 0x79, 0x00,
1753 );
1754
1755 METHOD(tls_crypto_t, sign, bool,
1756 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1757 chunk_t data, chunk_t hashsig)
1758 {
1759 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1760 {
1761 /* fallback to SHA1/RSA and SHA1/ECDSA */
1762 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1763 signature_params_t *params;
1764 key_type_t type;
1765 uint16_t scheme;
1766 bio_reader_t *reader;
1767 chunk_t sig;
1768 bool done = FALSE;
1769
1770 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1771 {
1772 chunk_t transcript_hash;
1773
1774 if (!hash_data(this, data, &transcript_hash))
1775 {
1776 DBG1(DBG_TLS, "unable to create transcript hash");
1777 return FALSE;
1778 }
1779 if (this->tls->is_server(this->tls))
1780 {
1781 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1782 }
1783 else
1784 {
1785 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1786 }
1787 }
1788
1789 if (!hashsig.len)
1790 { /* fallback if none given */
1791 hashsig = hashsig_def;
1792 }
1793 type = key->get_type(key);
1794 reader = bio_reader_create(hashsig);
1795 while (reader->remaining(reader) >= 2)
1796 {
1797 if (reader->read_uint16(reader, &scheme))
1798 {
1799 params = params_for_scheme(scheme, TRUE);
1800 if (params &&
1801 type == key_type_from_signature_scheme(params->scheme) &&
1802 key->sign(key, params->scheme, params->params, data, &sig))
1803 {
1804 done = TRUE;
1805 break;
1806 }
1807 }
1808 }
1809 reader->destroy(reader);
1810 if (!done)
1811 {
1812 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1813 return FALSE;
1814 }
1815 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1816 scheme);
1817 writer->write_uint16(writer, scheme);
1818 writer->write_data16(writer, sig);
1819 free(sig.ptr);
1820 }
1821 else
1822 {
1823 chunk_t sig, hash;
1824 bool done;
1825
1826 switch (key->get_type(key))
1827 {
1828 case KEY_RSA:
1829 if (!hash_data(this, data, &hash))
1830 {
1831 return FALSE;
1832 }
1833 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1834 &sig);
1835 free(hash.ptr);
1836 if (!done)
1837 {
1838 return FALSE;
1839 }
1840 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1841 break;
1842 case KEY_ECDSA:
1843 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1844 {
1845 return FALSE;
1846 }
1847 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1848 break;
1849 case KEY_ED25519:
1850 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1851 {
1852 return FALSE;
1853 }
1854 DBG2(DBG_TLS, "created signature with Ed25519");
1855 break;
1856 case KEY_ED448:
1857 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1858 {
1859 return FALSE;
1860 }
1861 DBG2(DBG_TLS, "created signature with Ed448");
1862 break;
1863 default:
1864 return FALSE;
1865 }
1866 writer->write_data16(writer, sig);
1867 free(sig.ptr);
1868 }
1869 return TRUE;
1870 }
1871
1872 METHOD(tls_crypto_t, verify, bool,
1873 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1874 chunk_t data)
1875 {
1876 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1877 {
1878 signature_params_t *params;
1879 uint16_t scheme;
1880 chunk_t sig;
1881
1882 if (!reader->read_uint16(reader, &scheme) ||
1883 !reader->read_data16(reader, &sig))
1884 {
1885 DBG1(DBG_TLS, "received invalid signature");
1886 return FALSE;
1887 }
1888 params = params_for_scheme(scheme, FALSE);
1889 if (!params)
1890 {
1891 DBG1(DBG_TLS, "signature algorithms %N not supported",
1892 tls_signature_scheme_names, scheme);
1893 return FALSE;
1894 }
1895 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1896 {
1897 chunk_t transcript_hash;
1898
1899 if (!hash_data(this, data, &transcript_hash))
1900 {
1901 DBG1(DBG_TLS, "Unable to create transcript hash");
1902 return FALSE;
1903 }
1904
1905 if (this->tls->is_server(this->tls))
1906 {
1907 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1908 }
1909 else
1910 {
1911 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1912 }
1913 }
1914 if (!key->verify(key, params->scheme, params->params, data, sig))
1915 {
1916 DBG1(DBG_TLS, "signature verification with %N failed",
1917 tls_signature_scheme_names, scheme);
1918 return FALSE;
1919 }
1920 DBG2(DBG_TLS, "verified signature with %N",
1921 tls_signature_scheme_names, scheme);
1922 }
1923 else
1924 {
1925 chunk_t sig, hash;
1926 bool done;
1927
1928 if (!reader->read_data16(reader, &sig))
1929 {
1930 DBG1(DBG_TLS, "received invalid signature");
1931 return FALSE;
1932 }
1933 switch (key->get_type(key))
1934 {
1935 case KEY_RSA:
1936 if (!hash_data(this, data, &hash))
1937 {
1938 return FALSE;
1939 }
1940 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1941 sig);
1942 free(hash.ptr);
1943 if (!done)
1944 {
1945 return FALSE;
1946 }
1947 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1948 break;
1949 case KEY_ECDSA:
1950 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1951 sig))
1952 {
1953 return FALSE;
1954 }
1955 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1956 break;
1957 case KEY_ED25519:
1958 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1959 {
1960 return FALSE;
1961 }
1962 DBG2(DBG_TLS, "verified signature with Ed25519");
1963 break;
1964 case KEY_ED448:
1965 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1966 {
1967 return FALSE;
1968 }
1969 DBG2(DBG_TLS, "verified signature with Ed448");
1970 break;
1971 default:
1972 return FALSE;
1973 }
1974 }
1975 return TRUE;
1976 }
1977
1978 METHOD(tls_crypto_t, sign_handshake, bool,
1979 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1980 chunk_t hashsig)
1981 {
1982 return sign(this, key, writer, this->handshake, hashsig);
1983 }
1984
1985 METHOD(tls_crypto_t, verify_handshake, bool,
1986 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1987 {
1988 return verify(this, key, reader, this->handshake);
1989 }
1990
1991 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1992 private_tls_crypto_t *this, char *label, char out[12])
1993 {
1994 chunk_t seed;
1995
1996 if (!this->prf)
1997 {
1998 return FALSE;
1999 }
2000 if (!hash_data(this, this->handshake, &seed))
2001 {
2002 return FALSE;
2003 }
2004 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
2005 {
2006 free(seed.ptr);
2007 return FALSE;
2008 }
2009 free(seed.ptr);
2010 return TRUE;
2011 }
2012
2013 METHOD(tls_crypto_t, calculate_finished, bool,
2014 private_tls_crypto_t *this, bool server, chunk_t *out)
2015 {
2016 chunk_t finished_key, finished_hash;
2017
2018 if (!this->hkdf)
2019 {
2020 return FALSE;
2021 }
2022 if (!hash_data(this, this->handshake, &finished_hash))
2023 {
2024 DBG1(DBG_TLS, "creating hash of handshake failed");
2025 return FALSE;
2026 }
2027 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2028 {
2029 DBG1(DBG_TLS, "generating finished key failed");
2030 chunk_clear(&finished_hash);
2031 return FALSE;
2032 }
2033 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2034 {
2035 DBG1(DBG_TLS, "generating finished HMAC failed");
2036 chunk_clear(&finished_key);
2037 chunk_clear(&finished_hash);
2038 return FALSE;
2039 }
2040 chunk_clear(&finished_key);
2041 chunk_clear(&finished_hash);
2042 return TRUE;
2043 }
2044
2045 /**
2046 * Derive master secret from premaster, optionally save session
2047 */
2048 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2049 chunk_t session, identification_t *id,
2050 chunk_t client_random, chunk_t server_random)
2051 {
2052 char master[48];
2053 chunk_t seed;
2054
2055 /* derive master secret */
2056 seed = chunk_cata("cc", client_random, server_random);
2057
2058 if (!this->prf->set_key(this->prf, premaster) ||
2059 !this->prf->get_bytes(this->prf, "master secret", seed,
2060 sizeof(master), master) ||
2061 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2062 {
2063 return FALSE;
2064 }
2065
2066 if (this->cache && session.len)
2067 {
2068 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2069 this->suite);
2070 }
2071 memwipe(master, sizeof(master));
2072 return TRUE;
2073 }
2074
2075 /**
2076 * Expand key material from master secret
2077 */
2078 static bool expand_keys(private_tls_crypto_t *this,
2079 chunk_t client_random, chunk_t server_random)
2080 {
2081 chunk_t seed, block;
2082 chunk_t cw_mac, cw, cw_iv;
2083 chunk_t sw_mac, sw, sw_iv;
2084 int mklen, eklen, ivlen;
2085
2086 if (!this->aead_in || !this->aead_out)
2087 {
2088 return FALSE;
2089 }
2090
2091 /* derive key block for key expansion */
2092 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2093 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2094 ivlen = this->aead_in->get_iv_size(this->aead_in);
2095 seed = chunk_cata("cc", server_random, client_random);
2096 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2097 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2098 block.len, block.ptr))
2099 {
2100 return FALSE;
2101 }
2102
2103 /* client/server write signer keys */
2104 cw_mac = chunk_create(block.ptr, mklen);
2105 block = chunk_skip(block, mklen);
2106 sw_mac = chunk_create(block.ptr, mklen);
2107 block = chunk_skip(block, mklen);
2108
2109 /* client/server write encryption keys */
2110 cw = chunk_create(block.ptr, eklen);
2111 block = chunk_skip(block, eklen);
2112 sw = chunk_create(block.ptr, eklen);
2113 block = chunk_skip(block, eklen);
2114
2115 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2116 cw_iv = chunk_create(block.ptr, ivlen);
2117 block = chunk_skip(block, ivlen);
2118 sw_iv = chunk_create(block.ptr, ivlen);
2119 block = chunk_skip(block, ivlen);
2120
2121 if (this->tls->is_server(this->tls))
2122 {
2123 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2124 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2125 {
2126 return FALSE;
2127 }
2128 }
2129 else
2130 {
2131 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2132 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2133 {
2134 return FALSE;
2135 }
2136 }
2137
2138 /* EAP-MSK */
2139 if (this->msk_label)
2140 {
2141 seed = chunk_cata("cc", client_random, server_random);
2142 this->msk = chunk_alloc(64);
2143 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2144 this->msk.len, this->msk.ptr))
2145 {
2146 return FALSE;
2147 }
2148 }
2149 return TRUE;
2150 }
2151
2152 METHOD(tls_crypto_t, derive_secrets, bool,
2153 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2154 identification_t *id, chunk_t client_random, chunk_t server_random)
2155 {
2156 return derive_master(this, premaster, session, id,
2157 client_random, server_random) &&
2158 expand_keys(this, client_random, server_random);
2159 }
2160
2161 /**
2162 * Derive and configure the client/server key/IV on an AEAD using a given label.
2163 */
2164 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2165 tls_hkdf_label_t label, tls_aead_t *aead)
2166 {
2167 chunk_t key = chunk_empty, iv = chunk_empty;
2168 bool success = FALSE;
2169
2170 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2171 NULL) ||
2172 !this->hkdf->derive_key(this->hkdf, server,
2173 aead->get_encr_key_size(aead), &key) ||
2174 !this->hkdf->derive_iv(this->hkdf, server,
2175 aead->get_iv_size(aead), &iv))
2176 {
2177 DBG1(DBG_TLS, "deriving key material failed");
2178 goto out;
2179 }
2180
2181 if (!aead->set_keys(aead, chunk_empty, key, iv))
2182 {
2183 DBG1(DBG_TLS, "setting AEAD key material failed");
2184 goto out;
2185 }
2186 success = TRUE;
2187
2188 out:
2189 chunk_clear(&key);
2190 chunk_clear(&iv);
2191 return success;
2192 }
2193
2194 /**
2195 * Derive and configure the keys/IVs using the given labels.
2196 */
2197 static bool derive_labeled_keys(private_tls_crypto_t *this,
2198 tls_hkdf_label_t client_label,
2199 tls_hkdf_label_t server_label)
2200 {
2201 tls_aead_t *aead_c, *aead_s;
2202 suite_algs_t *algs;
2203
2204 algs = find_suite(this->suite);
2205 destroy_aeads(this);
2206 if (!create_aead(this, algs))
2207 {
2208 return FALSE;
2209 }
2210 aead_c = this->aead_out;
2211 aead_s = this->aead_in;
2212 if (this->tls->is_server(this->tls))
2213 {
2214 aead_c = this->aead_in;
2215 aead_s = this->aead_out;
2216 }
2217 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2218 derive_labeled_key(this, TRUE, server_label, aead_s);
2219 }
2220
2221 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2222 private_tls_crypto_t *this, chunk_t shared_secret)
2223 {
2224 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2225 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2226 TLS_HKDF_S_HS_TRAFFIC);
2227 }
2228
2229 METHOD(tls_crypto_t, derive_app_keys, bool,
2230 private_tls_crypto_t *this)
2231 {
2232 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2233 TLS_HKDF_S_AP_TRAFFIC))
2234 {
2235 return FALSE;
2236 }
2237
2238 /* EAP-MSK */
2239 if (this->msk_label)
2240 {
2241 /* because the length is encoded when expanding key material, we
2242 * request the same number of bytes as FreeRADIUS (the first 64 for
2243 * the MSK, the next for the EMSK, which we just ignore) */
2244 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2245 this->handshake, 128, &this->msk))
2246 {
2247 return FALSE;
2248 }
2249 this->msk.len = 64;
2250 }
2251 return TRUE;
2252 }
2253
2254 METHOD(tls_crypto_t, update_app_keys, bool,
2255 private_tls_crypto_t *this, bool inbound)
2256 {
2257 suite_algs_t *algs;
2258 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2259
2260 algs = find_suite(this->suite);
2261 destroy_aeads(this);
2262 if (!create_aead(this, algs))
2263 {
2264 return FALSE;
2265 }
2266 if (this->tls->is_server(this->tls) != inbound)
2267 {
2268 label = TLS_HKDF_UPD_S_TRAFFIC;
2269 }
2270 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2271 inbound ? this->aead_in : this->aead_out);
2272 }
2273
2274 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2275 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2276 chunk_t client_random, chunk_t server_random)
2277 {
2278 chunk_t master;
2279
2280 if (this->cache && session.len)
2281 {
2282 this->suite = this->cache->lookup(this->cache, session, id, &master);
2283 if (this->suite)
2284 {
2285 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2286 if (this->suite)
2287 {
2288 if (!this->prf->set_key(this->prf, master) ||
2289 !expand_keys(this, client_random, server_random))
2290 {
2291 this->suite = 0;
2292 }
2293 }
2294 chunk_clear(&master);
2295 }
2296 return this->suite;
2297 }
2298 return 0;
2299 }
2300
2301 METHOD(tls_crypto_t, get_session, chunk_t,
2302 private_tls_crypto_t *this, identification_t *server)
2303 {
2304 if (this->cache)
2305 {
2306 return this->cache->check(this->cache, server);
2307 }
2308 return chunk_empty;
2309 }
2310
2311 METHOD(tls_crypto_t, change_cipher, void,
2312 private_tls_crypto_t *this, bool inbound)
2313 {
2314 if (this->protection)
2315 {
2316 if (inbound)
2317 {
2318 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2319 this->aead_in = NULL;
2320 }
2321 else
2322 {
2323 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2324 this->aead_out = NULL;
2325 }
2326 }
2327 }
2328
2329 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2330 private_tls_crypto_t *this)
2331 {
2332 return this->msk;
2333 }
2334
2335 METHOD(tls_crypto_t, destroy, void,
2336 private_tls_crypto_t *this)
2337 {
2338 destroy_aeads(this);
2339 free(this->handshake.ptr);
2340 free(this->msk.ptr);
2341 DESTROY_IF(this->prf);
2342 DESTROY_IF(this->hkdf);
2343 free(this->suites);
2344 free(this);
2345 }
2346
2347 /**
2348 * See header
2349 */
2350 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2351 {
2352 private_tls_crypto_t *this;
2353 enumerator_t *enumerator;
2354 credential_type_t type;
2355 int subtype;
2356
2357 INIT(this,
2358 .public = {
2359 .get_cipher_suites = _get_cipher_suites,
2360 .select_cipher_suite = _select_cipher_suite,
2361 .get_dh_group = _get_dh_group,
2362 .get_signature_algorithms = _get_signature_algorithms,
2363 .create_ec_enumerator = _create_ec_enumerator,
2364 .set_protection = _set_protection,
2365 .append_handshake = _append_handshake,
2366 .hash_handshake = _hash_handshake,
2367 .sign = _sign,
2368 .verify = _verify,
2369 .sign_handshake = _sign_handshake,
2370 .verify_handshake = _verify_handshake,
2371 .calculate_finished_legacy = _calculate_finished_legacy,
2372 .calculate_finished = _calculate_finished,
2373 .derive_secrets = _derive_secrets,
2374 .derive_handshake_keys = _derive_handshake_keys,
2375 .derive_app_keys = _derive_app_keys,
2376 .update_app_keys = _update_app_keys,
2377 .resume_session = _resume_session,
2378 .get_session = _get_session,
2379 .change_cipher = _change_cipher,
2380 .get_eap_msk = _get_eap_msk,
2381 .destroy = _destroy,
2382 },
2383 .tls = tls,
2384 .cache = cache,
2385 );
2386
2387 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2388 * separation would be welcome. */
2389 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2390 while (enumerator->enumerate(enumerator, &type, &subtype))
2391 {
2392 if (type == CRED_PUBLIC_KEY)
2393 {
2394 switch (subtype)
2395 {
2396 case KEY_RSA:
2397 this->rsa = TRUE;
2398 break;
2399 case KEY_ECDSA:
2400 case KEY_ED25519:
2401 case KEY_ED448:
2402 this->ecdsa = TRUE;
2403 break;
2404 default:
2405 break;
2406 }
2407 }
2408 }
2409 enumerator->destroy(enumerator);
2410
2411 switch (tls->get_purpose(tls))
2412 {
2413 case TLS_PURPOSE_EAP_TLS:
2414 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2415 this->msk_label = "client EAP encryption";
2416 break;
2417 case TLS_PURPOSE_EAP_PEAP:
2418 this->msk_label = "client EAP encryption";
2419 break;
2420 case TLS_PURPOSE_EAP_TTLS:
2421 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2422 this->msk_label = "ttls keying material";
2423 break;
2424 default:
2425 break;
2426 }
2427 return &this->public;
2428 }
2429
2430 /**
2431 * See header.
2432 */
2433 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2434 tls_cipher_suite_t **out)
2435 {
2436 suite_algs_t suites[countof(suite_algs)];
2437 int count = 0, i;
2438
2439 /* initialize copy of suite list */
2440 for (i = 0; i < countof(suite_algs); i++)
2441 {
2442 if (suite_algs[i].min_version <= version &&
2443 suite_algs[i].max_version >= version)
2444 {
2445 suites[count++] = suite_algs[i];
2446 }
2447 }
2448
2449 filter_unsupported_suites(suites, &count);
2450
2451 if (!null)
2452 {
2453 filter_null_suites(suites, &count);
2454 }
2455
2456 if (out)
2457 {
2458 *out = calloc(count, sizeof(tls_cipher_suite_t));
2459 for (i = 0; i < count; i++)
2460 {
2461 (*out)[i] = suites[i].suite;
2462 }
2463 }
2464 return count;
2465 }
2466
2467 /**
2468 * See header.
2469 */
2470 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2471 {
2472 enumerator_t *enumerator;
2473 diffie_hellman_group_t groups[countof(curves)];
2474 diffie_hellman_group_t group;
2475 tls_named_group_t curve;
2476 int count = 0, i;
2477
2478 enumerator = enumerator_create_filter(
2479 lib->crypto->create_dh_enumerator(lib->crypto),
2480 group_filter, NULL, NULL);
2481
2482 while (enumerator->enumerate(enumerator, &group, &curve))
2483 {
2484 groups[count++] = group;
2485 }
2486 enumerator->destroy(enumerator);
2487
2488 if (out)
2489 {
2490 *out = calloc(count, sizeof(diffie_hellman_group_t));
2491 for (i = 0; i < count; i++)
2492 {
2493 (*out)[i] = groups[i];
2494 }
2495 }
2496 return count;
2497 }
2498
2499 /**
2500 * See header.
2501 */
2502 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2503 {
2504 int i;
2505
2506 for (i = 0; i < countof(curves); i++)
2507 {
2508 if (curves[i].group == group)
2509 {
2510 return curves[i].curve;
2511 }
2512 }
2513 return 0;
2514 }
2515
2516 /**
2517 * See header.
2518 */
2519 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2520 {
2521 int i;
2522
2523 for (i = 0; i < countof(schemes); i++)
2524 {
2525 if (schemes[i].sig == sig)
2526 {
2527 return key_type_from_signature_scheme(schemes[i].params.scheme);
2528 }
2529 }
2530 return 0;
2531 }
2532
2533 /**
2534 * Hashtable hash function
2535 */
2536 static u_int hash_key_type(key_type_t *type)
2537 {
2538 return chunk_hash(chunk_from_thing(*type));
2539 }
2540
2541 /**
2542 * Hashtable equals function
2543 */
2544 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2545 {
2546 return *key1 == *key2;
2547 }
2548
2549 CALLBACK(filter_key_types, bool,
2550 void *data, enumerator_t *orig, va_list args)
2551 {
2552 key_type_t *key_type, *out;
2553
2554 VA_ARGS_VGET(args, out);
2555
2556 if (orig->enumerate(orig, NULL, &key_type))
2557 {
2558 *out = *key_type;
2559 return TRUE;
2560 }
2561 return FALSE;
2562 }
2563
2564 CALLBACK(destroy_key_types, void,
2565 hashtable_t *ht)
2566 {
2567 ht->destroy_function(ht, (void*)free);
2568 }
2569
2570 /**
2571 * Create an enumerator over supported key types within a specific TLS range
2572 */
2573 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2574 tls_version_t max_version)
2575 {
2576 hashtable_t *ht;
2577 key_type_t *type, lookup;
2578 int i;
2579
2580 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2581 (hashtable_equals_t)equals_key_type, 4);
2582 for (i = 0; i < countof(schemes); i++)
2583 {
2584 if (schemes[i].min_version <= max_version &&
2585 schemes[i].max_version >= min_version)
2586 {
2587 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2588 if (!ht->get(ht, &lookup))
2589 {
2590 type = malloc_thing(key_type_t);
2591 *type = lookup;
2592 ht->put(ht, type, type);
2593 }
2594 }
2595 }
2596 return enumerator_create_filter(ht->create_enumerator(ht),
2597 filter_key_types, ht, destroy_key_types);
2598 }
2599
2600 /**
2601 * Create an array of an intersection of server and peer supported key types
2602 */
2603 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2604 {
2605 array_t *key_types;
2606 key_type_t v, lookup;
2607 uint16_t sig_scheme;
2608
2609 key_types = array_create(sizeof(key_type_t), 8);
2610 while (enumerator->enumerate(enumerator, &v))
2611 {
2612 bio_reader_t *reader;
2613
2614 reader = bio_reader_create(hashsig);
2615 while (reader->remaining(reader) &&
2616 reader->read_uint16(reader, &sig_scheme))
2617 {
2618 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2619 if (v == lookup)
2620 {
2621 array_insert(key_types, ARRAY_TAIL, &lookup);
2622 break;
2623 }
2624 }
2625 reader->destroy(reader);
2626 }
2627 return key_types;
2628 }
2629
2630 typedef struct {
2631 enumerator_t public;
2632 array_t *key_types;
2633 identification_t *peer;
2634 private_key_t *key;
2635 auth_cfg_t *auth;
2636 } private_key_enumerator_t;
2637
2638 METHOD(enumerator_t, private_key_enumerate, bool,
2639 private_key_enumerator_t *this, va_list args)
2640 {
2641 key_type_t type;
2642 auth_cfg_t **auth_out;
2643 private_key_t **key_out;
2644
2645 VA_ARGS_VGET(args, key_out, auth_out);
2646
2647 DESTROY_IF(this->key);
2648 DESTROY_IF(this->auth);
2649 this->auth = auth_cfg_create();
2650
2651 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2652 {
2653 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2654 this->auth);
2655 if (this->key)
2656 {
2657 *key_out = this->key;
2658 if (auth_out)
2659 {
2660 *auth_out = this->auth;
2661 }
2662 return TRUE;
2663 }
2664 }
2665 return FALSE;
2666 }
2667
2668 METHOD(enumerator_t, private_key_destroy, void,
2669 private_key_enumerator_t *this)
2670 {
2671 DESTROY_IF(this->key);
2672 DESTROY_IF(this->auth);
2673 array_destroy(this->key_types);
2674 free(this);
2675 }
2676
2677 /**
2678 * See header.
2679 */
2680 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2681 tls_version_t max_version,
2682 chunk_t hashsig,
2683 identification_t *peer)
2684 {
2685 private_key_enumerator_t *enumerator;
2686 enumerator_t *key_types;
2687
2688 key_types = get_supported_key_types(min_version, max_version);
2689
2690 INIT(enumerator,
2691 .public = {
2692 .enumerate = enumerator_enumerate_default,
2693 .venumerate = _private_key_enumerate,
2694 .destroy = _private_key_destroy,
2695 },
2696 .key_types = create_common_key_types(key_types, hashsig),
2697 .peer = peer,
2698 );
2699 key_types->destroy(key_types);
2700
2701 if (!array_count(enumerator->key_types))
2702 {
2703 return NULL;
2704 }
2705 return &enumerator->public;
2706 }