1ce2a03e6aabf8c6444fb311b1cf6a16104fe4c2
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
28
29 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
187 TLS_AES_128_CCM_8_SHA256,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384,
196 TLS_AES_128_CCM_8_SHA256,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
263
264
265 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
266 "NONE",
267 "MD5",
268 "SHA1",
269 "SHA224",
270 "SHA256",
271 "SHA384",
272 "SHA512",
273 );
274
275 ENUM_BEGIN(tls_signature_scheme_names,
276 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
277 "RSA_PKCS1_SHA1");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
280 "ECDSA_SHA1");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
283 "RSA_PKCS1_SHA224",
284 "DSA_SHA224",
285 "ECDSA_SHA224");
286 ENUM_NEXT(tls_signature_scheme_names,
287 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
288 "RSA_PKCS1_SHA256",
289 "DSA_SHA256",
290 "ECDSA_SHA256");
291 ENUM_NEXT(tls_signature_scheme_names,
292 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
293 "RSA_PKCS1_SHA384",
294 "DSA_SHA384",
295 "ECDSA_SHA384");
296 ENUM_NEXT(tls_signature_scheme_names,
297 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
298 "RSA_PKCS1_SHA512",
299 "DSA_SHA512",
300 "ECDSA_SHA512");
301 ENUM_NEXT(tls_signature_scheme_names,
302 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
306 "ED25519",
307 "ED448",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
311 );
312 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
313
314 ENUM_BEGIN(tls_client_certificate_type_names,
315 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
316 "RSA_SIGN",
317 "DSA_SIGN",
318 "RSA_FIXED_DH",
319 "DSS_FIXED_DH",
320 "RSA_EPHEMERAL_DH",
321 "DSS_EPHEMERAL_DH");
322 ENUM_NEXT(tls_client_certificate_type_names,
323 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
324 "FORTEZZA_DMS");
325 ENUM_NEXT(tls_client_certificate_type_names,
326 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
327 "ECDSA_SIGN",
328 "RSA_FIXED_ECDH",
329 "ECDSA_FIXED_ECDH");
330 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
331
332 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
333 "EXPLICIT_PRIME",
334 "EXPLICIT_CHAR2",
335 "NAMED_CURVE",
336 );
337
338 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
339 "SECT163K1",
340 "SECT163R1",
341 "SECT163R2",
342 "SECT193R1",
343 "SECT193R2",
344 "SECT233K1",
345 "SECT233R1",
346 "SECT239K1",
347 "SECT283K1",
348 "SECT283R1",
349 "SECT409K1",
350 "SECT409R1",
351 "SECT571K1",
352 "SECT571R1",
353 "SECP160K1",
354 "SECP160R1",
355 "SECP160R2",
356 "SECP192K1",
357 "SECP192R1",
358 "SECP224K1",
359 "SECP224R1",
360 "SECP256K1",
361 "SECP256R1",
362 "SECP384R1",
363 "SECP521R1",
364 );
365 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
366 "CURVE25519",
367 "CURVE448",
368 );
369 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
370 "FFDHE2048",
371 "FFDHE3072",
372 "FFDHE4096",
373 "FFDHE6144",
374 "FFDHE8192",
375 );
376 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
377
378 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
379 "compressed",
380 "compressed y",
381 "uncompressed",
382 "uncompressed y",
383 "hybrid",
384 "hybrid y",
385 );
386
387 ENUM(tls_ec_point_format_names,
388 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
389 "uncompressed",
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
392 );
393
394 typedef struct private_tls_crypto_t private_tls_crypto_t;
395
396 /**
397 * Private data of an tls_crypto_t object.
398 */
399 struct private_tls_crypto_t {
400
401 /**
402 * Public tls_crypto_t interface.
403 */
404 tls_crypto_t public;
405
406 /**
407 * Protection layer
408 */
409 tls_protection_t *protection;
410
411 /**
412 * List of supported/acceptable cipher suites
413 */
414 tls_cipher_suite_t *suites;
415
416 /**
417 * Number of supported suites
418 */
419 int suite_count;
420
421 /**
422 * HKDF for TLS 1.3
423 */
424 tls_hkdf_t *hkdf;
425
426 /**
427 * Selected cipher suite
428 */
429 tls_cipher_suite_t suite;
430
431 /**
432 * RSA supported?
433 */
434 bool rsa;
435
436 /**
437 * ECDSA supported?
438 */
439 bool ecdsa;
440
441 /**
442 * TLS context
443 */
444 tls_t *tls;
445
446 /**
447 * TLS session cache
448 */
449 tls_cache_t *cache;
450
451 /**
452 * All handshake data concatenated
453 */
454 chunk_t handshake;
455
456 /**
457 * Connection state TLS PRF
458 */
459 tls_prf_t *prf;
460
461 /**
462 * AEAD transform for inbound traffic
463 */
464 tls_aead_t *aead_in;
465
466 /**
467 * AEAD transform for outbound traffic
468 */
469 tls_aead_t *aead_out;
470
471 /**
472 * EAP-[T]TLS MSK
473 */
474 chunk_t msk;
475
476 /**
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
478 */
479 char *msk_label;
480 };
481
482 typedef struct {
483 tls_cipher_suite_t suite;
484 key_type_t key;
485 diffie_hellman_group_t dh;
486 hash_algorithm_t hash;
487 pseudo_random_function_t prf;
488 integrity_algorithm_t mac;
489 encryption_algorithm_t encr;
490 size_t encr_size;
491 tls_version_t min_version;
492 tls_version_t max_version;
493 } suite_algs_t;
494
495 /**
496 * Mapping suites to a set of algorithms
497 *
498 * The order represents the descending preference of cipher suites and follows
499 * this rule set:
500 *
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
503 * 3. AES256 > AES128
504 * 4. GCM > CBC
505 * 5. ECDHE > DHE > NULL
506 * 6. ECDSA > RSA
507 * 7. SHA384 > SHA256 > SHA1
508 *
509 */
510 static suite_algs_t suite_algs[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384,
514 KEY_ANY, MODP_NONE,
515 HASH_SHA384, PRF_UNDEFINED,
516 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
517 TLS_1_3, TLS_1_3,
518 },
519 { TLS_AES_128_GCM_SHA256,
520 KEY_ANY, MODP_NONE,
521 HASH_SHA256, PRF_UNDEFINED,
522 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
523 TLS_1_3, TLS_1_3,
524 },
525 { TLS_CHACHA20_POLY1305_SHA256,
526 KEY_ANY, MODP_NONE,
527 HASH_SHA256, PRF_UNDEFINED,
528 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
529 TLS_1_3, TLS_1_3,
530 },
531 { TLS_AES_128_CCM_SHA256,
532 KEY_ANY, MODP_NONE,
533 HASH_SHA256, PRF_UNDEFINED,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
535 TLS_1_3, TLS_1_3,
536 },
537 { TLS_AES_128_CCM_8_SHA256,
538 KEY_ANY, MODP_NONE,
539 HASH_SHA256, PRF_UNDEFINED,
540 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
541 TLS_1_3, TLS_1_3,
542 },
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
545 KEY_ECDSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
551 KEY_ECDSA, ECP_384_BIT,
552 HASH_SHA384, PRF_HMAC_SHA2_384,
553 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
557 KEY_ECDSA, ECP_384_BIT,
558 HASH_SHA256, PRF_HMAC_SHA2_256,
559 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
560 TLS_1_0, TLS_1_2,
561 },
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
563 KEY_ECDSA, ECP_256_BIT,
564 HASH_SHA256, PRF_HMAC_SHA2_256,
565 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
566 TLS_1_2, TLS_1_2,
567 },
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
575 KEY_ECDSA, ECP_256_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
578 TLS_1_0, TLS_1_2,
579 },
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
581 KEY_RSA, ECP_384_BIT,
582 HASH_SHA384, PRF_HMAC_SHA2_384,
583 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
587 KEY_RSA, ECP_384_BIT,
588 HASH_SHA384, PRF_HMAC_SHA2_384,
589 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
593 KEY_RSA, ECP_384_BIT,
594 HASH_SHA256, PRF_HMAC_SHA2_256,
595 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
596 TLS_1_0, TLS_1_2,
597 },
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
599 KEY_RSA, ECP_256_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
602 TLS_1_2, TLS_1_2,
603 },
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
605 KEY_RSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
611 KEY_RSA, ECP_256_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
614 TLS_1_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA384, PRF_HMAC_SHA2_384,
619 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
623 KEY_RSA, MODP_4096_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
626 TLS_1_2, TLS_1_2,
627 },
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
629 KEY_RSA, MODP_3072_BIT,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
635 KEY_RSA, MODP_4096_BIT,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
641 KEY_RSA, MODP_3072_BIT,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
647 KEY_RSA, MODP_3072_BIT,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
653 KEY_RSA, MODP_3072_BIT,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
659 KEY_RSA, MODP_2048_BIT,
660 HASH_SHA256,PRF_HMAC_SHA2_256,
661 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
662 SSL_3_0, TLS_1_2,
663 },
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
665 KEY_RSA, MODP_3072_BIT,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
668 TLS_1_2, TLS_1_2,
669 },
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
671 KEY_RSA, MODP_2048_BIT,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
674 SSL_3_0, TLS_1_2,
675 },
676 { TLS_RSA_WITH_AES_256_GCM_SHA384,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA384, PRF_HMAC_SHA2_384,
679 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
680 TLS_1_2, TLS_1_2,
681 },
682 { TLS_RSA_WITH_AES_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_RSA_WITH_AES_256_CBC_SHA,
689 KEY_RSA, MODP_NONE,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
692 SSL_3_0, TLS_1_2,
693 },
694 { TLS_RSA_WITH_AES_128_GCM_SHA256,
695 KEY_RSA, MODP_NONE,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
698 TLS_1_2, TLS_1_2,
699 },
700 { TLS_RSA_WITH_AES_128_CBC_SHA256,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
704 TLS_1_2, TLS_1_2,
705 },
706 { TLS_RSA_WITH_AES_128_CBC_SHA,
707 KEY_RSA, MODP_NONE,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
710 SSL_3_0, TLS_1_2,
711 },
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
713 KEY_RSA, MODP_NONE,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
716 TLS_1_2, TLS_1_2,
717 },
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
734 SSL_3_0, TLS_1_2,
735 },
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
737 KEY_ECDSA, ECP_256_BIT,
738 HASH_SHA256, PRF_HMAC_SHA2_256,
739 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
740 TLS_1_0, TLS_1_2,
741 },
742 { TLS_ECDHE_RSA_WITH_NULL_SHA,
743 KEY_ECDSA, ECP_256_BIT,
744 HASH_SHA256, PRF_HMAC_SHA2_256,
745 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
746 TLS_1_0, TLS_1_2,
747 },
748 { TLS_RSA_WITH_NULL_SHA256,
749 KEY_RSA, MODP_NONE,
750 HASH_SHA256, PRF_HMAC_SHA2_256,
751 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
752 TLS_1_2, TLS_1_2,
753 },
754 { TLS_RSA_WITH_NULL_SHA,
755 KEY_RSA, MODP_NONE,
756 HASH_SHA256, PRF_HMAC_SHA2_256,
757 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
758 SSL_3_0, TLS_1_2,
759 },
760 };
761
762 /**
763 * Look up algorithms by a suite
764 */
765 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
766 {
767 int i;
768
769 for (i = 0; i < countof(suite_algs); i++)
770 {
771 if (suite_algs[i].suite == suite)
772 {
773 return &suite_algs[i];
774 }
775 }
776 return NULL;
777 }
778
779 /**
780 * Filter a suite list using a transform enumerator
781 */
782 static void filter_suite(suite_algs_t suites[], int *count, int offset,
783 enumerator_t*(*create_enumerator)(crypto_factory_t*))
784 {
785 const char *plugin_name;
786 suite_algs_t current;
787 int *current_alg, i, remaining = 0;
788 enumerator_t *enumerator;
789
790 memset(&current, 0, sizeof(current));
791 current_alg = (int*)((char*)&current + offset);
792
793 for (i = 0; i < *count; i++)
794 {
795 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
796 encryption_algorithm_is_aead(suites[i].encr))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites[remaining] = suites[i];
799 remaining++;
800 continue;
801 }
802 if (create_enumerator == lib->crypto->create_aead_enumerator &&
803 !encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 enumerator = create_enumerator(lib->crypto);
810 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
811 {
812 if (current.encr && current.encr != suites[i].encr)
813 {
814 if (suites[i].encr != ENCR_NULL)
815 { /* skip, ENCR does not match nor is NULL */
816 continue;
817 }
818 }
819 if (current.mac && current.mac != suites[i].mac)
820 {
821 if (suites[i].mac != AUTH_UNDEFINED)
822 { /* skip, MAC does not match nor is it undefined */
823 continue;
824 }
825 }
826 if (current.prf && current.prf != suites[i].prf)
827 {
828 if (suites[i].prf != PRF_UNDEFINED)
829 {
830 /* skip, PRF does not match nor is it undefined */
831 continue;
832 }
833 }
834 if (current.hash && current.hash != suites[i].hash)
835 { /* skip, hash does not match */
836 continue;
837 }
838 if (current.dh && current.dh != suites[i].dh)
839 {
840 if (suites[i].dh != MODP_NONE)
841 { /* skip DH group, does not match nor NONE */
842 continue;
843 }
844 }
845 /* suite supported, apply */
846 suites[remaining] = suites[i];
847 remaining++;
848 break;
849 }
850 enumerator->destroy(enumerator);
851 }
852 *count = remaining;
853 }
854
855 /**
856 * Purge NULL encryption cipher suites from list
857 */
858 static void filter_null_suites(suite_algs_t suites[], int *count)
859 {
860 int i, remaining = 0;
861
862 for (i = 0; i < *count; i++)
863 {
864 if (suites[i].encr != ENCR_NULL)
865 {
866 suites[remaining] = suites[i];
867 remaining++;
868 }
869 }
870 *count = remaining;
871 }
872
873 /**
874 * Purge suites using a given key type
875 */
876 static void filter_key_suites(private_tls_crypto_t *this,
877 suite_algs_t suites[], int *count, key_type_t key)
878 {
879 int i, remaining = 0;
880
881 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
882 for (i = 0; i < *count; i++)
883 {
884 if (suites[i].key != key)
885 {
886 suites[remaining] = suites[i];
887 remaining++;
888 }
889 }
890 *count = remaining;
891 }
892
893 /**
894 * Filter suites by key exchange user config
895 */
896 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "ecdhe-ecdsa") &&
913 diffie_hellman_group_is_ec(suites[i].dh) &&
914 suites[i].key == KEY_ECDSA)
915 {
916 suites[remaining++] = suites[i];
917 break;
918 }
919 if (strcaseeq(token, "ecdhe-rsa") &&
920 diffie_hellman_group_is_ec(suites[i].dh) &&
921 suites[i].key == KEY_RSA)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "dhe-rsa") &&
927 !diffie_hellman_group_is_ec(suites[i].dh) &&
928 suites[i].dh != MODP_NONE &&
929 suites[i].key == KEY_RSA)
930 {
931 suites[remaining++] = suites[i];
932 break;
933 }
934 if (strcaseeq(token, "rsa") &&
935 suites[i].dh == MODP_NONE &&
936 suites[i].key == KEY_RSA)
937 {
938 suites[remaining++] = suites[i];
939 break;
940 }
941 }
942 enumerator->destroy(enumerator);
943 }
944 *count = remaining;
945 }
946 }
947
948 /**
949 * Filter suites by cipher user config
950 */
951 static void filter_cipher_config_suites(private_tls_crypto_t *this,
952 suite_algs_t suites[], int *count)
953 {
954 enumerator_t *enumerator;
955 int i, remaining = 0;
956 char *token, *config;
957
958 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
959 lib->ns);
960 if (config)
961 {
962 for (i = 0; i < *count; i++)
963 {
964 enumerator = enumerator_create_token(config, ",", " ");
965 while (enumerator->enumerate(enumerator, &token))
966 {
967 if (strcaseeq(token, "aes128") &&
968 suites[i].encr == ENCR_AES_CBC &&
969 suites[i].encr_size == 16)
970 {
971 suites[remaining++] = suites[i];
972 break;
973 }
974 if (strcaseeq(token, "aes256") &&
975 suites[i].encr == ENCR_AES_CBC &&
976 suites[i].encr_size == 32)
977 {
978 suites[remaining++] = suites[i];
979 break;
980 }
981 if (strcaseeq(token, "aes128gcm") &&
982 suites[i].encr == ENCR_AES_GCM_ICV16 &&
983 suites[i].encr_size == 16)
984 {
985 suites[remaining++] = suites[i];
986 break;
987 }
988 if (strcaseeq(token, "aes256gcm") &&
989 suites[i].encr == ENCR_AES_GCM_ICV16 &&
990 suites[i].encr_size == 32)
991 {
992 suites[remaining++] = suites[i];
993 break;
994 }
995 if (strcaseeq(token, "camellia128") &&
996 suites[i].encr == ENCR_CAMELLIA_CBC &&
997 suites[i].encr_size == 16)
998 {
999 suites[remaining++] = suites[i];
1000 break;
1001 }
1002 if (strcaseeq(token, "camellia256") &&
1003 suites[i].encr == ENCR_CAMELLIA_CBC &&
1004 suites[i].encr_size == 32)
1005 {
1006 suites[remaining++] = suites[i];
1007 break;
1008 }
1009 if (strcaseeq(token, "null") &&
1010 suites[i].encr == ENCR_NULL)
1011 {
1012 suites[remaining++] = suites[i];
1013 break;
1014 }
1015 }
1016 enumerator->destroy(enumerator);
1017 }
1018 *count = remaining;
1019 }
1020 }
1021
1022 /**
1023 * Filter suites by mac user config
1024 */
1025 static void filter_mac_config_suites(private_tls_crypto_t *this,
1026 suite_algs_t suites[], int *count)
1027 {
1028 enumerator_t *enumerator;
1029 int i, remaining = 0;
1030 char *token, *config;
1031
1032 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1033 lib->ns);
1034 if (config)
1035 {
1036 for (i = 0; i < *count; i++)
1037 {
1038 enumerator = enumerator_create_token(config, ",", " ");
1039 while (enumerator->enumerate(enumerator, &token))
1040 {
1041 if (strcaseeq(token, "sha1") &&
1042 suites[i].mac == AUTH_HMAC_SHA1_160)
1043 {
1044 suites[remaining++] = suites[i];
1045 break;
1046 }
1047 if (strcaseeq(token, "sha256") &&
1048 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1049 {
1050 suites[remaining++] = suites[i];
1051 break;
1052 }
1053 if (strcaseeq(token, "sha384") &&
1054 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1055 {
1056 suites[remaining++] = suites[i];
1057 break;
1058 }
1059 }
1060 enumerator->destroy(enumerator);
1061 }
1062 *count = remaining;
1063 }
1064 }
1065
1066 /**
1067 * Filter for specific suites specified in strongswan.conf
1068 */
1069 static void filter_specific_config_suites(private_tls_crypto_t *this,
1070 suite_algs_t suites[], int *count)
1071 {
1072 enumerator_t *enumerator;
1073 int i, remaining = 0, suite;
1074 char *token, *config;
1075
1076 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1077 lib->ns);
1078 if (config)
1079 {
1080 for (i = 0; i < *count; i++)
1081 {
1082 enumerator = enumerator_create_token(config, ",", " ");
1083 while (enumerator->enumerate(enumerator, &token))
1084 {
1085 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1086 suite == suites[i].suite)
1087 {
1088 suites[remaining++] = suites[i];
1089 break;
1090 }
1091 }
1092 enumerator->destroy(enumerator);
1093 }
1094 *count = remaining;
1095 }
1096 }
1097
1098 /**
1099 * Filter key exchange curves by curve user config
1100 */
1101 static bool filter_curve_config(tls_named_group_t curve)
1102 {
1103 enumerator_t *enumerator;
1104 char *token, *config;
1105
1106 config = lib->settings->get_str(lib->settings, "%s.tls.curve", NULL, lib->ns);
1107 if (config)
1108 {
1109 enumerator = enumerator_create_token(config, ",", " ");
1110 while (enumerator->enumerate(enumerator, &token))
1111 {
1112 const proposal_token_t *tok;
1113
1114 tok = lib->proposal->get_token(lib->proposal, token);
1115 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1116 curve == tls_ec_group_to_curve(tok->algorithm))
1117 {
1118 enumerator->destroy(enumerator);
1119 return TRUE;
1120 }
1121 }
1122 enumerator->destroy(enumerator);
1123 }
1124 return !config;
1125 }
1126
1127 /**
1128 * Filter out unsupported suites on given suite array
1129 */
1130 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1131 {
1132 /* filter suite list by each algorithm */
1133 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1134 lib->crypto->create_aead_enumerator);
1135 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1136 lib->crypto->create_prf_enumerator);
1137 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1138 lib->crypto->create_crypter_enumerator);
1139 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1140 lib->crypto->create_signer_enumerator);
1141 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1142 lib->crypto->create_hasher_enumerator);
1143 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1144 lib->crypto->create_dh_enumerator);
1145 }
1146
1147 /**
1148 * Initialize the cipher suite list
1149 */
1150 static void build_cipher_suite_list(private_tls_crypto_t *this)
1151 {
1152 suite_algs_t suites[countof(suite_algs)];
1153 tls_version_t min_version, max_version, new_min_version, new_max_version;
1154 bool require_encryption;
1155 int count = 0, i;
1156
1157 switch (this->tls->get_purpose(this->tls))
1158 {
1159 case TLS_PURPOSE_EAP_TLS:
1160 case TLS_PURPOSE_GENERIC_NULLOK:
1161 require_encryption = FALSE;
1162 break;
1163 case TLS_PURPOSE_EAP_PEAP:
1164 case TLS_PURPOSE_EAP_TTLS:
1165 case TLS_PURPOSE_GENERIC:
1166 require_encryption = TRUE;
1167 break;
1168 default:
1169 return;
1170 }
1171
1172 min_version = this->tls->get_version_min(this->tls);
1173 max_version = this->tls->get_version_max(this->tls);
1174
1175 /* copy all suites appropriate for the current min/max versions */
1176 for (i = 0; i < countof(suite_algs); i++)
1177 {
1178 if (suite_algs[i].min_version <= max_version &&
1179 suite_algs[i].max_version >= min_version)
1180 {
1181 suites[count++] = suite_algs[i];
1182 }
1183 }
1184
1185 if (require_encryption)
1186 {
1187 filter_null_suites(suites, &count);
1188 }
1189 if (!this->rsa)
1190 {
1191 filter_key_suites(this, suites, &count, KEY_RSA);
1192 }
1193 if (!this->ecdsa)
1194 {
1195 filter_key_suites(this, suites, &count, KEY_ECDSA);
1196 }
1197
1198 filter_unsupported_suites(suites, &count);
1199
1200 /* filter suites with strongswan.conf options */
1201 filter_key_exchange_config_suites(this, suites, &count);
1202 filter_cipher_config_suites(this, suites, &count);
1203 filter_mac_config_suites(this, suites, &count);
1204 filter_specific_config_suites(this, suites, &count);
1205
1206 free(this->suites);
1207 this->suite_count = count;
1208 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1209
1210 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1211 new_min_version = max_version;
1212 new_max_version = min_version;
1213 for (i = 0; i < count; i++)
1214 {
1215 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1216 this->suites[i] = suites[i].suite;
1217
1218 /* set TLS min/max versions appropriate to the final cipher suites */
1219 new_max_version = max(new_max_version, suites[i].max_version);
1220 new_min_version = min(new_min_version, suites[i].min_version);
1221 }
1222 new_max_version = min(new_max_version, max_version);
1223 new_min_version = max(new_min_version, min_version);
1224
1225 if (min_version != new_min_version || max_version != new_max_version)
1226 {
1227 this->tls->set_version(this->tls, new_min_version, new_max_version);
1228 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1229 tls_version_names, new_min_version,
1230 tls_version_names, new_max_version);
1231 }
1232 }
1233
1234 METHOD(tls_crypto_t, get_cipher_suites, int,
1235 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1236 {
1237 if (!this->suites)
1238 {
1239 build_cipher_suite_list(this);
1240 }
1241 if (suites)
1242 {
1243 *suites = this->suites;
1244 }
1245 return this->suite_count;
1246 }
1247
1248 /**
1249 * Create NULL encryption transforms
1250 */
1251 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1252 {
1253 this->aead_in = tls_aead_create_null(algs->mac);
1254 this->aead_out = tls_aead_create_null(algs->mac);
1255 if (!this->aead_in || !this->aead_out)
1256 {
1257 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1258 integrity_algorithm_names, algs->mac);
1259 return FALSE;
1260 }
1261 return TRUE;
1262 }
1263
1264 /**
1265 * Create traditional transforms
1266 */
1267 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1268 {
1269 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1270 {
1271 this->aead_in = tls_aead_create_implicit(algs->mac,
1272 algs->encr, algs->encr_size);
1273 this->aead_out = tls_aead_create_implicit(algs->mac,
1274 algs->encr, algs->encr_size);
1275 }
1276 else
1277 {
1278 this->aead_in = tls_aead_create_explicit(algs->mac,
1279 algs->encr, algs->encr_size);
1280 this->aead_out = tls_aead_create_explicit(algs->mac,
1281 algs->encr, algs->encr_size);
1282 }
1283 if (!this->aead_in || !this->aead_out)
1284 {
1285 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1286 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1287 integrity_algorithm_names, algs->mac);
1288 return FALSE;
1289 }
1290 return TRUE;
1291 }
1292
1293 /**
1294 * Create AEAD transforms
1295 */
1296 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1297 {
1298 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1299 {
1300 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1301 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1302 }
1303 else
1304 {
1305 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1306 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1307 }
1308 if (!this->aead_in || !this->aead_out)
1309 {
1310 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1311 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1312 return FALSE;
1313 }
1314 return TRUE;
1315 }
1316
1317 /**
1318 * Clean up and unset AEAD transforms
1319 */
1320 static void destroy_aeads(private_tls_crypto_t *this)
1321 {
1322 DESTROY_IF(this->aead_in);
1323 DESTROY_IF(this->aead_out);
1324 this->aead_in = this->aead_out = NULL;
1325 }
1326
1327 /**
1328 * Create crypto primitives
1329 */
1330 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1331 {
1332 destroy_aeads(this);
1333 DESTROY_IF(this->hkdf);
1334 DESTROY_IF(this->prf);
1335 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1336 {
1337 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1338 {
1339 this->prf = tls_prf_create_10();
1340 }
1341 else
1342 {
1343 this->prf = tls_prf_create_12(algs->prf);
1344 }
1345 if (!this->prf)
1346 {
1347 DBG1(DBG_TLS, "selected TLS PRF not supported");
1348 return FALSE;
1349 }
1350 }
1351 else
1352 {
1353 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1354 if (!this->hkdf)
1355 {
1356 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1357 return FALSE;
1358 }
1359 }
1360 if (algs->encr == ENCR_NULL)
1361 {
1362 if (create_null(this, algs))
1363 {
1364 return TRUE;
1365 }
1366 }
1367 else if (encryption_algorithm_is_aead(algs->encr))
1368 {
1369 if (create_aead(this, algs))
1370 {
1371 return TRUE;
1372 }
1373 }
1374 else
1375 {
1376 if (create_traditional(this, algs))
1377 {
1378 return TRUE;
1379 }
1380 }
1381 destroy_aeads(this);
1382 return FALSE;
1383 }
1384
1385 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1386 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1387 key_type_t key)
1388 {
1389 suite_algs_t *algs;
1390 int i, j;
1391
1392 for (i = 0; i < this->suite_count; i++)
1393 {
1394 for (j = 0; j < count; j++)
1395 {
1396 if (this->suites[i] == suites[j])
1397 {
1398 algs = find_suite(this->suites[i]);
1399 if (algs)
1400 {
1401 if (key == KEY_ANY || key == algs->key ||
1402 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1403 (algs->key == KEY_ECDSA && key == KEY_ED448))
1404 {
1405 if (create_ciphers(this, algs))
1406 {
1407 this->suite = this->suites[i];
1408 return this->suite;
1409 }
1410 }
1411 }
1412 }
1413 }
1414 }
1415 return 0;
1416 }
1417
1418 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1419 private_tls_crypto_t *this)
1420 {
1421 suite_algs_t *algs;
1422
1423 algs = find_suite(this->suite);
1424 if (algs)
1425 {
1426 return algs->dh;
1427 }
1428 return MODP_NONE;
1429 }
1430
1431 /**
1432 * Parameters for RSA/PSS signature schemes
1433 */
1434 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1435 .hash = HASH_SHA##bits, \
1436 .mgf1_hash = HASH_SHA##bits, \
1437 .salt_len = HASH_SIZE_SHA##bits, \
1438 }
1439
1440 PSS_PARAMS(256);
1441 PSS_PARAMS(384);
1442 PSS_PARAMS(512);
1443
1444 /**
1445 * Map TLS signature schemes, ordered by preference
1446 */
1447 static struct {
1448 tls_signature_scheme_t sig;
1449 signature_params_t params;
1450 /* min/max versions for use in CertificateVerify */
1451 tls_version_t min_version;
1452 tls_version_t max_version;
1453 } schemes[] = {
1454 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1455 TLS_1_0, TLS_1_3 },
1456 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1457 TLS_1_0, TLS_1_3 },
1458 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1459 TLS_1_0, TLS_1_3 },
1460 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1461 TLS_1_0, TLS_1_3 },
1462 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1463 TLS_1_0, TLS_1_3 },
1464 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1465 TLS_1_2, TLS_1_3 },
1466 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1467 TLS_1_2, TLS_1_3 },
1468 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1469 TLS_1_2, TLS_1_3 },
1470 /* the parameters for the next three should actually be taken from the
1471 * public key, we currently don't have an API for that, so assume defaults */
1472 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1473 TLS_1_2, TLS_1_3 },
1474 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1475 TLS_1_2, TLS_1_3 },
1476 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1477 TLS_1_2, TLS_1_3 },
1478 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1479 TLS_1_0, TLS_1_2 },
1480 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1481 TLS_1_0, TLS_1_2 },
1482 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1483 TLS_1_0, TLS_1_2 },
1484 };
1485
1486 METHOD(tls_crypto_t, get_signature_algorithms, void,
1487 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1488 {
1489 bio_writer_t *supported;
1490 tls_version_t min_version, max_version;
1491 int i;
1492
1493 supported = bio_writer_create(32);
1494
1495 if (!cert)
1496 {
1497 min_version = this->tls->get_version_min(this->tls);
1498 max_version = this->tls->get_version_max(this->tls);
1499 }
1500
1501 for (i = 0; i < countof(schemes); i++)
1502 {
1503 if ((cert || (schemes[i].min_version <= max_version &&
1504 schemes[i].max_version >= min_version)) &&
1505 lib->plugins->has_feature(lib->plugins,
1506 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1507 {
1508 supported->write_uint16(supported, schemes[i].sig);
1509 }
1510 }
1511
1512 writer->write_data16(writer, supported->get_buf(supported));
1513 supported->destroy(supported);
1514 }
1515
1516 /**
1517 * Get the signature parameters from a TLS signature scheme
1518 */
1519 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1520 bool sign)
1521 {
1522 int i;
1523
1524 for (i = 0; i < countof(schemes); i++)
1525 {
1526 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1527 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1528 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1529 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1530 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1531 {
1532 continue;
1533 }
1534 if (schemes[i].sig == sig)
1535 {
1536 return &schemes[i].params;
1537 }
1538 }
1539 return NULL;
1540 }
1541
1542 /**
1543 * Mapping groups to TLS named curves
1544 */
1545 static struct {
1546 diffie_hellman_group_t group;
1547 tls_named_group_t curve;
1548 } curves[] = {
1549 { ECP_256_BIT, TLS_SECP256R1},
1550 { ECP_384_BIT, TLS_SECP384R1},
1551 { ECP_521_BIT, TLS_SECP521R1},
1552 { ECP_224_BIT, TLS_SECP224R1},
1553 { ECP_192_BIT, TLS_SECP192R1},
1554 { CURVE_25519, TLS_CURVE25519},
1555 { CURVE_448, TLS_CURVE448},
1556 };
1557
1558 CALLBACK(group_filter, bool,
1559 void *null, enumerator_t *orig, va_list args)
1560 {
1561 diffie_hellman_group_t group, *group_out;
1562 tls_named_group_t curve, *curve_out;
1563 char *plugin;
1564
1565 VA_ARGS_VGET(args, group_out, curve_out);
1566
1567 while (orig->enumerate(orig, &group, &plugin))
1568 {
1569 curve = tls_ec_group_to_curve(group);
1570 if (curve)
1571 {
1572 if (group_out)
1573 {
1574 *group_out = group;
1575 }
1576 if (curve_out)
1577 {
1578 *curve_out = curve;
1579 }
1580 return TRUE;
1581 }
1582 }
1583 return FALSE;
1584 }
1585
1586 CALLBACK(config_filter, bool,
1587 void *null, enumerator_t *orig, va_list args)
1588 {
1589 diffie_hellman_group_t group, *group_out;
1590 tls_named_group_t curve, *curve_out;
1591
1592 VA_ARGS_VGET(args, group_out, curve_out);
1593
1594 while (orig->enumerate(orig, &group, &curve))
1595 {
1596 if (filter_curve_config(curve))
1597 {
1598 if (group_out)
1599 {
1600 *group_out = group;
1601 }
1602 if (curve_out)
1603 {
1604 *curve_out = curve;
1605 }
1606 return TRUE;
1607 }
1608 }
1609 return FALSE;
1610 }
1611
1612 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1613 private_tls_crypto_t *this)
1614 {
1615 return enumerator_create_filter(
1616 enumerator_create_filter(
1617 lib->crypto->create_dh_enumerator(lib->crypto),
1618 group_filter, NULL, NULL),
1619 config_filter, NULL, NULL);
1620 }
1621
1622 METHOD(tls_crypto_t, set_protection, void,
1623 private_tls_crypto_t *this, tls_protection_t *protection)
1624 {
1625 this->protection = protection;
1626 }
1627
1628 METHOD(tls_crypto_t, append_handshake, void,
1629 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1630 {
1631 uint32_t header;
1632
1633 /* reconstruct handshake header */
1634 header = htonl(data.len | (type << 24));
1635 this->handshake = chunk_cat("mcc", this->handshake,
1636 chunk_from_thing(header), data);
1637 }
1638
1639 /**
1640 * Create a hash using the suites HASH algorithm
1641 */
1642 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1643 {
1644 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1645 {
1646 hasher_t *hasher;
1647 suite_algs_t *alg;
1648
1649 alg = find_suite(this->suite);
1650 if (!alg)
1651 {
1652 return FALSE;
1653 }
1654 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1655 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1656 {
1657 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1658 DESTROY_IF(hasher);
1659 return FALSE;
1660 }
1661 hasher->destroy(hasher);
1662 }
1663 else
1664 {
1665 hasher_t *md5, *sha1;
1666 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1667
1668 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1669 if (!md5 || !md5->get_hash(md5, data, buf))
1670 {
1671 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1672 DESTROY_IF(md5);
1673 return FALSE;
1674 }
1675 md5->destroy(md5);
1676 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1677 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1678 {
1679 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1680 DESTROY_IF(sha1);
1681 return FALSE;
1682 }
1683 sha1->destroy(sha1);
1684
1685 *hash = chunk_clone(chunk_from_thing(buf));
1686 }
1687 return TRUE;
1688 }
1689
1690 METHOD(tls_crypto_t, hash_handshake, bool,
1691 private_tls_crypto_t *this, chunk_t *out)
1692 {
1693 chunk_t hash;
1694
1695 if (!hash_data(this, this->handshake, &hash))
1696 {
1697 return FALSE;
1698 }
1699
1700 chunk_free(&this->handshake);
1701 append_handshake(this, TLS_MESSAGE_HASH, hash);
1702
1703 if (out)
1704 {
1705 *out = hash;
1706 }
1707 else
1708 {
1709 free(hash.ptr);
1710 }
1711 return TRUE;
1712 }
1713
1714 /**
1715 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1716 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1717 */
1718 static chunk_t tls13_sig_data_server = chunk_from_chars(
1719 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1720 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1721 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1722 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1723 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1724 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1725 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1726 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1727 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1728 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1729 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1730 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1731 0x79, 0x00,
1732 );
1733
1734 /**
1735 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1736 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1737 */
1738 static chunk_t tls13_sig_data_client = chunk_from_chars(
1739 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1740 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1741 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1742 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1743 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1744 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1745 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1746 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1747 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1748 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1749 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1750 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1751 0x79, 0x00,
1752 );
1753
1754 METHOD(tls_crypto_t, sign, bool,
1755 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1756 chunk_t data, chunk_t hashsig)
1757 {
1758 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1759 {
1760 /* fallback to SHA1/RSA and SHA1/ECDSA */
1761 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1762 signature_params_t *params;
1763 key_type_t type;
1764 uint16_t scheme;
1765 bio_reader_t *reader;
1766 chunk_t sig;
1767 bool done = FALSE;
1768
1769 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1770 {
1771 chunk_t transcript_hash;
1772
1773 if (!hash_data(this, data, &transcript_hash))
1774 {
1775 DBG1(DBG_TLS, "unable to create transcript hash");
1776 return FALSE;
1777 }
1778 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1779 }
1780
1781 if (!hashsig.len)
1782 { /* fallback if none given */
1783 hashsig = hashsig_def;
1784 }
1785 type = key->get_type(key);
1786 reader = bio_reader_create(hashsig);
1787 while (reader->remaining(reader) >= 2)
1788 {
1789 if (reader->read_uint16(reader, &scheme))
1790 {
1791 params = params_for_scheme(scheme, TRUE);
1792 if (params &&
1793 type == key_type_from_signature_scheme(params->scheme) &&
1794 key->sign(key, params->scheme, params->params, data, &sig))
1795 {
1796 done = TRUE;
1797 break;
1798 }
1799 }
1800 }
1801 reader->destroy(reader);
1802 if (!done)
1803 {
1804 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1805 return FALSE;
1806 }
1807 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1808 scheme);
1809 writer->write_uint16(writer, scheme);
1810 writer->write_data16(writer, sig);
1811 free(sig.ptr);
1812 }
1813 else
1814 {
1815 chunk_t sig, hash;
1816 bool done;
1817
1818 switch (key->get_type(key))
1819 {
1820 case KEY_RSA:
1821 if (!hash_data(this, data, &hash))
1822 {
1823 return FALSE;
1824 }
1825 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1826 &sig);
1827 free(hash.ptr);
1828 if (!done)
1829 {
1830 return FALSE;
1831 }
1832 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1833 break;
1834 case KEY_ECDSA:
1835 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1836 {
1837 return FALSE;
1838 }
1839 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1840 break;
1841 case KEY_ED25519:
1842 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1843 {
1844 return FALSE;
1845 }
1846 DBG2(DBG_TLS, "created signature with Ed25519");
1847 break;
1848 case KEY_ED448:
1849 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1850 {
1851 return FALSE;
1852 }
1853 DBG2(DBG_TLS, "created signature with Ed448");
1854 break;
1855 default:
1856 return FALSE;
1857 }
1858 writer->write_data16(writer, sig);
1859 free(sig.ptr);
1860 }
1861 return TRUE;
1862 }
1863
1864 METHOD(tls_crypto_t, verify, bool,
1865 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1866 chunk_t data)
1867 {
1868 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1869 {
1870 signature_params_t *params;
1871 uint16_t scheme;
1872 chunk_t sig;
1873
1874 if (!reader->read_uint16(reader, &scheme) ||
1875 !reader->read_data16(reader, &sig))
1876 {
1877 DBG1(DBG_TLS, "received invalid signature");
1878 return FALSE;
1879 }
1880 params = params_for_scheme(scheme, FALSE);
1881 if (!params)
1882 {
1883 DBG1(DBG_TLS, "signature algorithms %N not supported",
1884 tls_signature_scheme_names, scheme);
1885 return FALSE;
1886 }
1887 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1888 {
1889 chunk_t transcript_hash;
1890
1891 if (!hash_data(this, data, &transcript_hash))
1892 {
1893 DBG1(DBG_TLS, "Unable to create transcript hash");
1894 return FALSE;
1895 }
1896
1897 if (this->tls->is_server(this->tls))
1898 {
1899 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1900 }
1901 else
1902 {
1903 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1904 }
1905 }
1906 if (!key->verify(key, params->scheme, params->params, data, sig))
1907 {
1908 DBG1(DBG_TLS, "signature verification with %N failed",
1909 tls_signature_scheme_names, scheme);
1910 return FALSE;
1911 }
1912 DBG2(DBG_TLS, "verified signature with %N",
1913 tls_signature_scheme_names, scheme);
1914 }
1915 else
1916 {
1917 chunk_t sig, hash;
1918 bool done;
1919
1920 if (!reader->read_data16(reader, &sig))
1921 {
1922 DBG1(DBG_TLS, "received invalid signature");
1923 return FALSE;
1924 }
1925 switch (key->get_type(key))
1926 {
1927 case KEY_RSA:
1928 if (!hash_data(this, data, &hash))
1929 {
1930 return FALSE;
1931 }
1932 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1933 sig);
1934 free(hash.ptr);
1935 if (!done)
1936 {
1937 return FALSE;
1938 }
1939 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1940 break;
1941 case KEY_ECDSA:
1942 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1943 sig))
1944 {
1945 return FALSE;
1946 }
1947 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1948 break;
1949 case KEY_ED25519:
1950 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1951 {
1952 return FALSE;
1953 }
1954 DBG2(DBG_TLS, "verified signature with Ed25519");
1955 break;
1956 case KEY_ED448:
1957 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1958 {
1959 return FALSE;
1960 }
1961 DBG2(DBG_TLS, "verified signature with Ed448");
1962 break;
1963 default:
1964 return FALSE;
1965 }
1966 }
1967 return TRUE;
1968 }
1969
1970 METHOD(tls_crypto_t, sign_handshake, bool,
1971 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1972 chunk_t hashsig)
1973 {
1974 return sign(this, key, writer, this->handshake, hashsig);
1975 }
1976
1977 METHOD(tls_crypto_t, verify_handshake, bool,
1978 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1979 {
1980 return verify(this, key, reader, this->handshake);
1981 }
1982
1983 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1984 private_tls_crypto_t *this, char *label, char out[12])
1985 {
1986 chunk_t seed;
1987
1988 if (!this->prf)
1989 {
1990 return FALSE;
1991 }
1992 if (!hash_data(this, this->handshake, &seed))
1993 {
1994 return FALSE;
1995 }
1996 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1997 {
1998 free(seed.ptr);
1999 return FALSE;
2000 }
2001 free(seed.ptr);
2002 return TRUE;
2003 }
2004
2005 METHOD(tls_crypto_t, calculate_finished, bool,
2006 private_tls_crypto_t *this, bool server, chunk_t *out)
2007 {
2008 chunk_t finished_key, finished_hash;
2009
2010 if (!this->hkdf)
2011 {
2012 return FALSE;
2013 }
2014 if (!hash_data(this, this->handshake, &finished_hash))
2015 {
2016 DBG1(DBG_TLS, "creating hash of handshake failed");
2017 return FALSE;
2018 }
2019 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2020 {
2021 DBG1(DBG_TLS, "generating finished key failed");
2022 chunk_clear(&finished_hash);
2023 return FALSE;
2024 }
2025 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2026 {
2027 DBG1(DBG_TLS, "generating finished HMAC failed");
2028 chunk_clear(&finished_key);
2029 chunk_clear(&finished_hash);
2030 return FALSE;
2031 }
2032 chunk_clear(&finished_key);
2033 chunk_clear(&finished_hash);
2034 return TRUE;
2035 }
2036
2037 /**
2038 * Derive master secret from premaster, optionally save session
2039 */
2040 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2041 chunk_t session, identification_t *id,
2042 chunk_t client_random, chunk_t server_random)
2043 {
2044 char master[48];
2045 chunk_t seed;
2046
2047 /* derive master secret */
2048 seed = chunk_cata("cc", client_random, server_random);
2049
2050 if (!this->prf->set_key(this->prf, premaster) ||
2051 !this->prf->get_bytes(this->prf, "master secret", seed,
2052 sizeof(master), master) ||
2053 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2054 {
2055 return FALSE;
2056 }
2057
2058 if (this->cache && session.len)
2059 {
2060 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2061 this->suite);
2062 }
2063 memwipe(master, sizeof(master));
2064 return TRUE;
2065 }
2066
2067 /**
2068 * Expand key material from master secret
2069 */
2070 static bool expand_keys(private_tls_crypto_t *this,
2071 chunk_t client_random, chunk_t server_random)
2072 {
2073 chunk_t seed, block;
2074 chunk_t cw_mac, cw, cw_iv;
2075 chunk_t sw_mac, sw, sw_iv;
2076 int mklen, eklen, ivlen;
2077
2078 if (!this->aead_in || !this->aead_out)
2079 {
2080 return FALSE;
2081 }
2082
2083 /* derive key block for key expansion */
2084 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2085 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2086 ivlen = this->aead_in->get_iv_size(this->aead_in);
2087 seed = chunk_cata("cc", server_random, client_random);
2088 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2089 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2090 block.len, block.ptr))
2091 {
2092 return FALSE;
2093 }
2094
2095 /* client/server write signer keys */
2096 cw_mac = chunk_create(block.ptr, mklen);
2097 block = chunk_skip(block, mklen);
2098 sw_mac = chunk_create(block.ptr, mklen);
2099 block = chunk_skip(block, mklen);
2100
2101 /* client/server write encryption keys */
2102 cw = chunk_create(block.ptr, eklen);
2103 block = chunk_skip(block, eklen);
2104 sw = chunk_create(block.ptr, eklen);
2105 block = chunk_skip(block, eklen);
2106
2107 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2108 cw_iv = chunk_create(block.ptr, ivlen);
2109 block = chunk_skip(block, ivlen);
2110 sw_iv = chunk_create(block.ptr, ivlen);
2111 block = chunk_skip(block, ivlen);
2112
2113 if (this->tls->is_server(this->tls))
2114 {
2115 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2116 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2117 {
2118 return FALSE;
2119 }
2120 }
2121 else
2122 {
2123 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2124 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2125 {
2126 return FALSE;
2127 }
2128 }
2129
2130 /* EAP-MSK */
2131 if (this->msk_label)
2132 {
2133 seed = chunk_cata("cc", client_random, server_random);
2134 this->msk = chunk_alloc(64);
2135 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2136 this->msk.len, this->msk.ptr))
2137 {
2138 return FALSE;
2139 }
2140 }
2141 return TRUE;
2142 }
2143
2144 METHOD(tls_crypto_t, derive_secrets, bool,
2145 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2146 identification_t *id, chunk_t client_random, chunk_t server_random)
2147 {
2148 return derive_master(this, premaster, session, id,
2149 client_random, server_random) &&
2150 expand_keys(this, client_random, server_random);
2151 }
2152
2153 /**
2154 * Derive and configure the client/server key/IV on an AEAD using a given label.
2155 */
2156 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2157 tls_hkdf_label_t label, tls_aead_t *aead)
2158 {
2159 chunk_t key = chunk_empty, iv = chunk_empty;
2160 bool success = FALSE;
2161
2162 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2163 NULL) ||
2164 !this->hkdf->derive_key(this->hkdf, server,
2165 aead->get_encr_key_size(aead), &key) ||
2166 !this->hkdf->derive_iv(this->hkdf, server,
2167 aead->get_iv_size(aead), &iv))
2168 {
2169 DBG1(DBG_TLS, "deriving key material failed");
2170 goto out;
2171 }
2172
2173 if (!aead->set_keys(aead, chunk_empty, key, iv))
2174 {
2175 DBG1(DBG_TLS, "setting AEAD key material failed");
2176 goto out;
2177 }
2178 success = TRUE;
2179
2180 out:
2181 chunk_clear(&key);
2182 chunk_clear(&iv);
2183 return success;
2184 }
2185
2186 /**
2187 * Derive and configure the keys/IVs using the given labels.
2188 */
2189 static bool derive_labeled_keys(private_tls_crypto_t *this,
2190 tls_hkdf_label_t client_label,
2191 tls_hkdf_label_t server_label)
2192 {
2193 tls_aead_t *aead_c, *aead_s;
2194 suite_algs_t *algs;
2195
2196 algs = find_suite(this->suite);
2197 destroy_aeads(this);
2198 if (!create_aead(this, algs))
2199 {
2200 return FALSE;
2201 }
2202 aead_c = this->aead_out;
2203 aead_s = this->aead_in;
2204 if (this->tls->is_server(this->tls))
2205 {
2206 aead_c = this->aead_in;
2207 aead_s = this->aead_out;
2208 }
2209 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2210 derive_labeled_key(this, TRUE, server_label, aead_s);
2211 }
2212
2213 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2214 private_tls_crypto_t *this, chunk_t shared_secret)
2215 {
2216 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2217 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2218 TLS_HKDF_S_HS_TRAFFIC);
2219 }
2220
2221 METHOD(tls_crypto_t, derive_app_keys, bool,
2222 private_tls_crypto_t *this)
2223 {
2224 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2225 TLS_HKDF_S_AP_TRAFFIC))
2226 {
2227 return FALSE;
2228 }
2229
2230 /* EAP-MSK */
2231 if (this->msk_label)
2232 {
2233 /* because the length is encoded when expanding key material, we
2234 * request the same number of bytes as FreeRADIUS (the first 64 for
2235 * the MSK, the next for the EMSK, which we just ignore) */
2236 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2237 this->handshake, 128, &this->msk))
2238 {
2239 return FALSE;
2240 }
2241 this->msk.len = 64;
2242 }
2243 return TRUE;
2244 }
2245
2246 METHOD(tls_crypto_t, update_app_keys, bool,
2247 private_tls_crypto_t *this, bool inbound)
2248 {
2249 suite_algs_t *algs;
2250 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2251
2252 algs = find_suite(this->suite);
2253 destroy_aeads(this);
2254 if (!create_aead(this, algs))
2255 {
2256 return FALSE;
2257 }
2258 if (this->tls->is_server(this->tls) != inbound)
2259 {
2260 label = TLS_HKDF_UPD_S_TRAFFIC;
2261 }
2262 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2263 inbound ? this->aead_in : this->aead_out);
2264 }
2265
2266 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2267 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2268 chunk_t client_random, chunk_t server_random)
2269 {
2270 chunk_t master;
2271
2272 if (this->cache && session.len)
2273 {
2274 this->suite = this->cache->lookup(this->cache, session, id, &master);
2275 if (this->suite)
2276 {
2277 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2278 if (this->suite)
2279 {
2280 if (!this->prf->set_key(this->prf, master) ||
2281 !expand_keys(this, client_random, server_random))
2282 {
2283 this->suite = 0;
2284 }
2285 }
2286 chunk_clear(&master);
2287 }
2288 return this->suite;
2289 }
2290 return 0;
2291 }
2292
2293 METHOD(tls_crypto_t, get_session, chunk_t,
2294 private_tls_crypto_t *this, identification_t *server)
2295 {
2296 if (this->cache)
2297 {
2298 return this->cache->check(this->cache, server);
2299 }
2300 return chunk_empty;
2301 }
2302
2303 METHOD(tls_crypto_t, change_cipher, void,
2304 private_tls_crypto_t *this, bool inbound)
2305 {
2306 if (this->protection)
2307 {
2308 if (inbound)
2309 {
2310 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2311 this->aead_in = NULL;
2312 }
2313 else
2314 {
2315 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2316 this->aead_out = NULL;
2317 }
2318 }
2319 }
2320
2321 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2322 private_tls_crypto_t *this)
2323 {
2324 return this->msk;
2325 }
2326
2327 METHOD(tls_crypto_t, destroy, void,
2328 private_tls_crypto_t *this)
2329 {
2330 destroy_aeads(this);
2331 free(this->handshake.ptr);
2332 free(this->msk.ptr);
2333 DESTROY_IF(this->prf);
2334 DESTROY_IF(this->hkdf);
2335 free(this->suites);
2336 free(this);
2337 }
2338
2339 /**
2340 * See header
2341 */
2342 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2343 {
2344 private_tls_crypto_t *this;
2345 enumerator_t *enumerator;
2346 credential_type_t type;
2347 int subtype;
2348
2349 INIT(this,
2350 .public = {
2351 .get_cipher_suites = _get_cipher_suites,
2352 .select_cipher_suite = _select_cipher_suite,
2353 .get_dh_group = _get_dh_group,
2354 .get_signature_algorithms = _get_signature_algorithms,
2355 .create_ec_enumerator = _create_ec_enumerator,
2356 .set_protection = _set_protection,
2357 .append_handshake = _append_handshake,
2358 .hash_handshake = _hash_handshake,
2359 .sign = _sign,
2360 .verify = _verify,
2361 .sign_handshake = _sign_handshake,
2362 .verify_handshake = _verify_handshake,
2363 .calculate_finished_legacy = _calculate_finished_legacy,
2364 .calculate_finished = _calculate_finished,
2365 .derive_secrets = _derive_secrets,
2366 .derive_handshake_keys = _derive_handshake_keys,
2367 .derive_app_keys = _derive_app_keys,
2368 .update_app_keys = _update_app_keys,
2369 .resume_session = _resume_session,
2370 .get_session = _get_session,
2371 .change_cipher = _change_cipher,
2372 .get_eap_msk = _get_eap_msk,
2373 .destroy = _destroy,
2374 },
2375 .tls = tls,
2376 .cache = cache,
2377 );
2378
2379 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2380 * separation would be welcome. */
2381 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2382 while (enumerator->enumerate(enumerator, &type, &subtype))
2383 {
2384 if (type == CRED_PUBLIC_KEY)
2385 {
2386 switch (subtype)
2387 {
2388 case KEY_RSA:
2389 this->rsa = TRUE;
2390 break;
2391 case KEY_ECDSA:
2392 case KEY_ED25519:
2393 case KEY_ED448:
2394 this->ecdsa = TRUE;
2395 break;
2396 default:
2397 break;
2398 }
2399 }
2400 }
2401 enumerator->destroy(enumerator);
2402
2403 switch (tls->get_purpose(tls))
2404 {
2405 case TLS_PURPOSE_EAP_TLS:
2406 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2407 this->msk_label = "client EAP encryption";
2408 break;
2409 case TLS_PURPOSE_EAP_PEAP:
2410 this->msk_label = "client EAP encryption";
2411 break;
2412 case TLS_PURPOSE_EAP_TTLS:
2413 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2414 this->msk_label = "ttls keying material";
2415 break;
2416 default:
2417 break;
2418 }
2419 return &this->public;
2420 }
2421
2422 /**
2423 * See header.
2424 */
2425 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2426 tls_cipher_suite_t **out)
2427 {
2428 suite_algs_t suites[countof(suite_algs)];
2429 int count = 0, i;
2430
2431 /* initialize copy of suite list */
2432 for (i = 0; i < countof(suite_algs); i++)
2433 {
2434 if (suite_algs[i].min_version <= version &&
2435 suite_algs[i].max_version >= version)
2436 {
2437 suites[count++] = suite_algs[i];
2438 }
2439 }
2440
2441 filter_unsupported_suites(suites, &count);
2442
2443 if (!null)
2444 {
2445 filter_null_suites(suites, &count);
2446 }
2447
2448 if (out)
2449 {
2450 *out = calloc(count, sizeof(tls_cipher_suite_t));
2451 for (i = 0; i < count; i++)
2452 {
2453 (*out)[i] = suites[i].suite;
2454 }
2455 }
2456 return count;
2457 }
2458
2459 /**
2460 * See header.
2461 */
2462 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2463 {
2464 enumerator_t *enumerator;
2465 diffie_hellman_group_t groups[countof(curves)];
2466 diffie_hellman_group_t group;
2467 tls_named_group_t curve;
2468 int count = 0, i;
2469
2470 enumerator = enumerator_create_filter(
2471 lib->crypto->create_dh_enumerator(lib->crypto),
2472 group_filter, NULL, NULL);
2473
2474 while (enumerator->enumerate(enumerator, &group, &curve))
2475 {
2476 groups[count++] = group;
2477 }
2478 enumerator->destroy(enumerator);
2479
2480 if (out)
2481 {
2482 *out = calloc(count, sizeof(diffie_hellman_group_t));
2483 for (i = 0; i < count; i++)
2484 {
2485 (*out)[i] = groups[i];
2486 }
2487 }
2488 return count;
2489 }
2490
2491 /**
2492 * See header.
2493 */
2494 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2495 {
2496 int i;
2497
2498 for (i = 0; i < countof(curves); i++)
2499 {
2500 if (curves[i].group == group)
2501 {
2502 return curves[i].curve;
2503 }
2504 }
2505 return 0;
2506 }
2507
2508 /**
2509 * See header.
2510 */
2511 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2512 {
2513 int i;
2514
2515 for (i = 0; i < countof(schemes); i++)
2516 {
2517 if (schemes[i].sig == sig)
2518 {
2519 return key_type_from_signature_scheme(schemes[i].params.scheme);
2520 }
2521 }
2522 return 0;
2523 }
2524
2525 /**
2526 * Hashtable hash function
2527 */
2528 static u_int hash_key_type(key_type_t *type)
2529 {
2530 return chunk_hash(chunk_from_thing(*type));
2531 }
2532
2533 /**
2534 * Hashtable equals function
2535 */
2536 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2537 {
2538 return *key1 == *key2;
2539 }
2540
2541 CALLBACK(filter_key_types, bool,
2542 void *data, enumerator_t *orig, va_list args)
2543 {
2544 key_type_t *key_type, *out;
2545
2546 VA_ARGS_VGET(args, out);
2547
2548 if (orig->enumerate(orig, NULL, &key_type))
2549 {
2550 *out = *key_type;
2551 return TRUE;
2552 }
2553 return FALSE;
2554 }
2555
2556 CALLBACK(destroy_key_types, void,
2557 hashtable_t *ht)
2558 {
2559 ht->destroy_function(ht, (void*)free);
2560 }
2561
2562 /**
2563 * Create an enumerator over supported key types within a specific TLS range
2564 */
2565 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2566 tls_version_t max_version)
2567 {
2568 hashtable_t *ht;
2569 key_type_t *type, lookup;
2570 int i;
2571
2572 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2573 (hashtable_equals_t)equals_key_type, 4);
2574 for (i = 0; i < countof(schemes); i++)
2575 {
2576 if (schemes[i].min_version <= max_version &&
2577 schemes[i].max_version >= min_version)
2578 {
2579 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2580 if (!ht->get(ht, &lookup))
2581 {
2582 type = malloc_thing(key_type_t);
2583 *type = lookup;
2584 ht->put(ht, type, type);
2585 }
2586 }
2587 }
2588 return enumerator_create_filter(ht->create_enumerator(ht),
2589 filter_key_types, ht, destroy_key_types);
2590 }
2591
2592 /**
2593 * Create an array of an intersection of server and peer supported key types
2594 */
2595 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2596 {
2597 array_t *key_types;
2598 key_type_t v, lookup;
2599 uint16_t sig_scheme;
2600
2601 key_types = array_create(sizeof(key_type_t), 8);
2602 while (enumerator->enumerate(enumerator, &v))
2603 {
2604 bio_reader_t *reader;
2605
2606 reader = bio_reader_create(hashsig);
2607 while (reader->remaining(reader) &&
2608 reader->read_uint16(reader, &sig_scheme))
2609 {
2610 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2611 if (v == lookup)
2612 {
2613 array_insert(key_types, ARRAY_TAIL, &lookup);
2614 break;
2615 }
2616 }
2617 reader->destroy(reader);
2618 }
2619 return key_types;
2620 }
2621
2622 typedef struct {
2623 enumerator_t public;
2624 array_t *key_types;
2625 identification_t *peer;
2626 private_key_t *key;
2627 auth_cfg_t *auth;
2628 } private_key_enumerator_t;
2629
2630 METHOD(enumerator_t, private_key_enumerate, bool,
2631 private_key_enumerator_t *this, va_list args)
2632 {
2633 key_type_t type;
2634 auth_cfg_t **auth_out;
2635 private_key_t **key_out;
2636
2637 VA_ARGS_VGET(args, key_out, auth_out);
2638
2639 DESTROY_IF(this->key);
2640 DESTROY_IF(this->auth);
2641 this->auth = auth_cfg_create();
2642
2643 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2644 {
2645 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2646 this->auth);
2647 if (this->key)
2648 {
2649 *key_out = this->key;
2650 if (auth_out)
2651 {
2652 *auth_out = this->auth;
2653 }
2654 return TRUE;
2655 }
2656 }
2657 return FALSE;
2658 }
2659
2660 METHOD(enumerator_t, private_key_destroy, void,
2661 private_key_enumerator_t *this)
2662 {
2663 DESTROY_IF(this->key);
2664 DESTROY_IF(this->auth);
2665 array_destroy(this->key_types);
2666 free(this);
2667 }
2668
2669 /**
2670 * See header.
2671 */
2672 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2673 tls_version_t max_version,
2674 chunk_t hashsig,
2675 identification_t *peer)
2676 {
2677 private_key_enumerator_t *enumerator;
2678 enumerator_t *key_types;
2679
2680 key_types = get_supported_key_types(min_version, max_version);
2681
2682 INIT(enumerator,
2683 .public = {
2684 .enumerate = enumerator_enumerate_default,
2685 .venumerate = _private_key_enumerate,
2686 .destroy = _private_key_destroy,
2687 },
2688 .key_types = create_common_key_types(key_types, hashsig),
2689 .peer = peer,
2690 );
2691 key_types->destroy(key_types);
2692
2693 if (!array_count(enumerator->key_types))
2694 {
2695 return NULL;
2696 }
2697 return &enumerator->public;
2698 }