23c36374e6da59732ec48ea7b3eed720e80ae85f
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
28
29 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
187 TLS_AES_128_CCM_8_SHA256,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384,
196 TLS_AES_128_CCM_8_SHA256,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
263
264
265 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
266 "NONE",
267 "MD5",
268 "SHA1",
269 "SHA224",
270 "SHA256",
271 "SHA384",
272 "SHA512",
273 );
274
275 ENUM_BEGIN(tls_signature_scheme_names,
276 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
277 "RSA_PKCS1_SHA1");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
280 "ECDSA_SHA1");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
283 "RSA_PKCS1_SHA224",
284 "DSA_SHA224",
285 "ECDSA_SHA224");
286 ENUM_NEXT(tls_signature_scheme_names,
287 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
288 "RSA_PKCS1_SHA256",
289 "DSA_SHA256",
290 "ECDSA_SHA256");
291 ENUM_NEXT(tls_signature_scheme_names,
292 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
293 "RSA_PKCS1_SHA384",
294 "DSA_SHA384",
295 "ECDSA_SHA384");
296 ENUM_NEXT(tls_signature_scheme_names,
297 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
298 "RSA_PKCS1_SHA512",
299 "DSA_SHA512",
300 "ECDSA_SHA512");
301 ENUM_NEXT(tls_signature_scheme_names,
302 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
306 "ED25519",
307 "ED448",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
311 );
312 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
313
314 ENUM_BEGIN(tls_client_certificate_type_names,
315 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
316 "RSA_SIGN",
317 "DSA_SIGN",
318 "RSA_FIXED_DH",
319 "DSS_FIXED_DH",
320 "RSA_EPHEMERAL_DH",
321 "DSS_EPHEMERAL_DH");
322 ENUM_NEXT(tls_client_certificate_type_names,
323 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
324 "FORTEZZA_DMS");
325 ENUM_NEXT(tls_client_certificate_type_names,
326 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
327 "ECDSA_SIGN",
328 "RSA_FIXED_ECDH",
329 "ECDSA_FIXED_ECDH");
330 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
331
332 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
333 "EXPLICIT_PRIME",
334 "EXPLICIT_CHAR2",
335 "NAMED_CURVE",
336 );
337
338 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
339 "SECT163K1",
340 "SECT163R1",
341 "SECT163R2",
342 "SECT193R1",
343 "SECT193R2",
344 "SECT233K1",
345 "SECT233R1",
346 "SECT239K1",
347 "SECT283K1",
348 "SECT283R1",
349 "SECT409K1",
350 "SECT409R1",
351 "SECT571K1",
352 "SECT571R1",
353 "SECP160K1",
354 "SECP160R1",
355 "SECP160R2",
356 "SECP192K1",
357 "SECP192R1",
358 "SECP224K1",
359 "SECP224R1",
360 "SECP256K1",
361 "SECP256R1",
362 "SECP384R1",
363 "SECP521R1",
364 );
365 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
366 "CURVE25519",
367 "CURVE448",
368 );
369 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
370 "FFDHE2048",
371 "FFDHE3072",
372 "FFDHE4096",
373 "FFDHE6144",
374 "FFDHE8192",
375 );
376 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
377
378 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
379 "compressed",
380 "compressed y",
381 "uncompressed",
382 "uncompressed y",
383 "hybrid",
384 "hybrid y",
385 );
386
387 ENUM(tls_ec_point_format_names,
388 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
389 "uncompressed",
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
392 );
393
394 typedef struct private_tls_crypto_t private_tls_crypto_t;
395
396 /**
397 * Private data of an tls_crypto_t object.
398 */
399 struct private_tls_crypto_t {
400
401 /**
402 * Public tls_crypto_t interface.
403 */
404 tls_crypto_t public;
405
406 /**
407 * Protection layer
408 */
409 tls_protection_t *protection;
410
411 /**
412 * List of supported/acceptable cipher suites
413 */
414 tls_cipher_suite_t *suites;
415
416 /**
417 * Number of supported suites
418 */
419 int suite_count;
420
421 /**
422 * HKDF for TLS 1.3
423 */
424 tls_hkdf_t *hkdf;
425
426 /**
427 * Selected cipher suite
428 */
429 tls_cipher_suite_t suite;
430
431 /**
432 * RSA supported?
433 */
434 bool rsa;
435
436 /**
437 * ECDSA supported?
438 */
439 bool ecdsa;
440
441 /**
442 * TLS context
443 */
444 tls_t *tls;
445
446 /**
447 * TLS session cache
448 */
449 tls_cache_t *cache;
450
451 /**
452 * All handshake data concatenated
453 */
454 chunk_t handshake;
455
456 /**
457 * Connection state TLS PRF
458 */
459 tls_prf_t *prf;
460
461 /**
462 * AEAD transform for inbound traffic
463 */
464 tls_aead_t *aead_in;
465
466 /**
467 * AEAD transform for outbound traffic
468 */
469 tls_aead_t *aead_out;
470
471 /**
472 * EAP-[T]TLS MSK
473 */
474 chunk_t msk;
475
476 /**
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
478 */
479 char *msk_label;
480 };
481
482 typedef struct {
483 tls_cipher_suite_t suite;
484 key_type_t key;
485 diffie_hellman_group_t dh;
486 hash_algorithm_t hash;
487 pseudo_random_function_t prf;
488 integrity_algorithm_t mac;
489 encryption_algorithm_t encr;
490 size_t encr_size;
491 tls_version_t min_version;
492 tls_version_t max_version;
493 } suite_algs_t;
494
495 /**
496 * Mapping suites to a set of algorithms
497 *
498 * The order represents the descending preference of cipher suites and follows
499 * this rule set:
500 *
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
503 * 3. AES256 > AES128
504 * 4. GCM > CBC
505 * 5. ECDHE > DHE > NULL
506 * 6. ECDSA > RSA
507 * 7. SHA384 > SHA256 > SHA1
508 *
509 */
510 static suite_algs_t suite_algs[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384,
514 KEY_ANY, MODP_NONE,
515 HASH_SHA384, PRF_UNDEFINED,
516 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
517 TLS_1_3, TLS_1_3,
518 },
519 { TLS_AES_128_GCM_SHA256,
520 KEY_ANY, MODP_NONE,
521 HASH_SHA256, PRF_UNDEFINED,
522 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
523 TLS_1_3, TLS_1_3,
524 },
525 { TLS_CHACHA20_POLY1305_SHA256,
526 KEY_ANY, MODP_NONE,
527 HASH_SHA256, PRF_UNDEFINED,
528 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
529 TLS_1_3, TLS_1_3,
530 },
531 { TLS_AES_128_CCM_SHA256,
532 KEY_ANY, MODP_NONE,
533 HASH_SHA256, PRF_UNDEFINED,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
535 TLS_1_3, TLS_1_3,
536 },
537 { TLS_AES_128_CCM_8_SHA256,
538 KEY_ANY, MODP_NONE,
539 HASH_SHA256, PRF_UNDEFINED,
540 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
541 TLS_1_3, TLS_1_3,
542 },
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
545 KEY_ECDSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
551 KEY_ECDSA, ECP_384_BIT,
552 HASH_SHA384, PRF_HMAC_SHA2_384,
553 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
557 KEY_ECDSA, ECP_384_BIT,
558 HASH_SHA256, PRF_HMAC_SHA2_256,
559 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
560 TLS_1_0, TLS_1_2,
561 },
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
563 KEY_ECDSA, ECP_256_BIT,
564 HASH_SHA256, PRF_HMAC_SHA2_256,
565 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
566 TLS_1_2, TLS_1_2,
567 },
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
575 KEY_ECDSA, ECP_256_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
578 TLS_1_0, TLS_1_2,
579 },
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
581 KEY_RSA, ECP_384_BIT,
582 HASH_SHA384, PRF_HMAC_SHA2_384,
583 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
587 KEY_RSA, ECP_384_BIT,
588 HASH_SHA384, PRF_HMAC_SHA2_384,
589 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
593 KEY_RSA, ECP_384_BIT,
594 HASH_SHA256, PRF_HMAC_SHA2_256,
595 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
596 TLS_1_0, TLS_1_2,
597 },
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
599 KEY_RSA, ECP_256_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
602 TLS_1_2, TLS_1_2,
603 },
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
605 KEY_RSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
611 KEY_RSA, ECP_256_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
614 TLS_1_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA384, PRF_HMAC_SHA2_384,
619 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
623 KEY_RSA, MODP_4096_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
626 TLS_1_2, TLS_1_2,
627 },
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
629 KEY_RSA, MODP_3072_BIT,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
635 KEY_RSA, MODP_4096_BIT,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
641 KEY_RSA, MODP_3072_BIT,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
647 KEY_RSA, MODP_3072_BIT,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
653 KEY_RSA, MODP_3072_BIT,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
659 KEY_RSA, MODP_2048_BIT,
660 HASH_SHA256,PRF_HMAC_SHA2_256,
661 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
662 SSL_3_0, TLS_1_2,
663 },
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
665 KEY_RSA, MODP_3072_BIT,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
668 TLS_1_2, TLS_1_2,
669 },
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
671 KEY_RSA, MODP_2048_BIT,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
674 SSL_3_0, TLS_1_2,
675 },
676 { TLS_RSA_WITH_AES_256_GCM_SHA384,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA384, PRF_HMAC_SHA2_384,
679 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
680 TLS_1_2, TLS_1_2,
681 },
682 { TLS_RSA_WITH_AES_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_RSA_WITH_AES_256_CBC_SHA,
689 KEY_RSA, MODP_NONE,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
692 SSL_3_0, TLS_1_2,
693 },
694 { TLS_RSA_WITH_AES_128_GCM_SHA256,
695 KEY_RSA, MODP_NONE,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
698 TLS_1_2, TLS_1_2,
699 },
700 { TLS_RSA_WITH_AES_128_CBC_SHA256,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
704 TLS_1_2, TLS_1_2,
705 },
706 { TLS_RSA_WITH_AES_128_CBC_SHA,
707 KEY_RSA, MODP_NONE,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
710 SSL_3_0, TLS_1_2,
711 },
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
713 KEY_RSA, MODP_NONE,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
716 TLS_1_2, TLS_1_2,
717 },
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
734 SSL_3_0, TLS_1_2,
735 },
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
737 KEY_ECDSA, ECP_256_BIT,
738 HASH_SHA256, PRF_HMAC_SHA2_256,
739 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
740 TLS_1_0, TLS_1_2,
741 },
742 { TLS_ECDHE_RSA_WITH_NULL_SHA,
743 KEY_ECDSA, ECP_256_BIT,
744 HASH_SHA256, PRF_HMAC_SHA2_256,
745 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
746 TLS_1_0, TLS_1_2,
747 },
748 { TLS_RSA_WITH_NULL_SHA256,
749 KEY_RSA, MODP_NONE,
750 HASH_SHA256, PRF_HMAC_SHA2_256,
751 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
752 TLS_1_2, TLS_1_2,
753 },
754 { TLS_RSA_WITH_NULL_SHA,
755 KEY_RSA, MODP_NONE,
756 HASH_SHA256, PRF_HMAC_SHA2_256,
757 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
758 SSL_3_0, TLS_1_2,
759 },
760 };
761
762 /**
763 * Look up algorithms by a suite
764 */
765 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
766 {
767 int i;
768
769 for (i = 0; i < countof(suite_algs); i++)
770 {
771 if (suite_algs[i].suite == suite)
772 {
773 return &suite_algs[i];
774 }
775 }
776 return NULL;
777 }
778
779 /**
780 * Filter a suite list using a transform enumerator
781 */
782 static void filter_suite(suite_algs_t suites[], int *count, int offset,
783 enumerator_t*(*create_enumerator)(crypto_factory_t*))
784 {
785 const char *plugin_name;
786 suite_algs_t current;
787 int *current_alg, i, remaining = 0;
788 enumerator_t *enumerator;
789
790 memset(&current, 0, sizeof(current));
791 current_alg = (int*)((char*)&current + offset);
792
793 for (i = 0; i < *count; i++)
794 {
795 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
796 encryption_algorithm_is_aead(suites[i].encr))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites[remaining] = suites[i];
799 remaining++;
800 continue;
801 }
802 if (create_enumerator == lib->crypto->create_aead_enumerator &&
803 !encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 enumerator = create_enumerator(lib->crypto);
810 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
811 {
812 if (current.encr && current.encr != suites[i].encr)
813 {
814 if (suites[i].encr != ENCR_NULL)
815 { /* skip, ENCR does not match nor is NULL */
816 continue;
817 }
818 }
819 if (current.mac && current.mac != suites[i].mac)
820 {
821 if (suites[i].mac != AUTH_UNDEFINED)
822 { /* skip, MAC does not match nor is it undefined */
823 continue;
824 }
825 }
826 if (current.prf && current.prf != suites[i].prf)
827 {
828 if (suites[i].prf != PRF_UNDEFINED)
829 {
830 /* skip, PRF does not match nor is it undefined */
831 continue;
832 }
833 }
834 if (current.hash && current.hash != suites[i].hash)
835 { /* skip, hash does not match */
836 continue;
837 }
838 if (current.dh && current.dh != suites[i].dh)
839 {
840 if (suites[i].dh != MODP_NONE)
841 { /* skip DH group, does not match nor NONE */
842 continue;
843 }
844 }
845 /* suite supported, apply */
846 suites[remaining] = suites[i];
847 remaining++;
848 break;
849 }
850 enumerator->destroy(enumerator);
851 }
852 *count = remaining;
853 }
854
855 /**
856 * Purge NULL encryption cipher suites from list
857 */
858 static void filter_null_suites(suite_algs_t suites[], int *count)
859 {
860 int i, remaining = 0;
861
862 for (i = 0; i < *count; i++)
863 {
864 if (suites[i].encr != ENCR_NULL)
865 {
866 suites[remaining] = suites[i];
867 remaining++;
868 }
869 }
870 *count = remaining;
871 }
872
873 /**
874 * Purge suites using a given key type
875 */
876 static void filter_key_suites(private_tls_crypto_t *this,
877 suite_algs_t suites[], int *count, key_type_t key)
878 {
879 int i, remaining = 0;
880
881 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
882 for (i = 0; i < *count; i++)
883 {
884 if (suites[i].key != key)
885 {
886 suites[remaining] = suites[i];
887 remaining++;
888 }
889 }
890 *count = remaining;
891 }
892
893 /**
894 * Filter suites by key exchange user config
895 */
896 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "ecdhe-ecdsa") &&
913 diffie_hellman_group_is_ec(suites[i].dh) &&
914 suites[i].key == KEY_ECDSA)
915 {
916 suites[remaining++] = suites[i];
917 break;
918 }
919 if (strcaseeq(token, "ecdhe-rsa") &&
920 diffie_hellman_group_is_ec(suites[i].dh) &&
921 suites[i].key == KEY_RSA)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "dhe-rsa") &&
927 !diffie_hellman_group_is_ec(suites[i].dh) &&
928 suites[i].dh != MODP_NONE &&
929 suites[i].key == KEY_RSA)
930 {
931 suites[remaining++] = suites[i];
932 break;
933 }
934 if (strcaseeq(token, "rsa") &&
935 suites[i].dh == MODP_NONE &&
936 suites[i].key == KEY_RSA)
937 {
938 suites[remaining++] = suites[i];
939 break;
940 }
941 }
942 enumerator->destroy(enumerator);
943 }
944 *count = remaining;
945 }
946 }
947
948 /**
949 * Filter suites by cipher user config
950 */
951 static void filter_cipher_config_suites(private_tls_crypto_t *this,
952 suite_algs_t suites[], int *count)
953 {
954 enumerator_t *enumerator;
955 int i, remaining = 0;
956 char *token, *config;
957
958 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
959 lib->ns);
960 if (config)
961 {
962 for (i = 0; i < *count; i++)
963 {
964 enumerator = enumerator_create_token(config, ",", " ");
965 while (enumerator->enumerate(enumerator, &token))
966 {
967 if (strcaseeq(token, "aes128") &&
968 suites[i].encr == ENCR_AES_CBC &&
969 suites[i].encr_size == 16)
970 {
971 suites[remaining++] = suites[i];
972 break;
973 }
974 if (strcaseeq(token, "aes256") &&
975 suites[i].encr == ENCR_AES_CBC &&
976 suites[i].encr_size == 32)
977 {
978 suites[remaining++] = suites[i];
979 break;
980 }
981 if (strcaseeq(token, "aes128gcm") &&
982 suites[i].encr == ENCR_AES_GCM_ICV16 &&
983 suites[i].encr_size == 16)
984 {
985 suites[remaining++] = suites[i];
986 break;
987 }
988 if (strcaseeq(token, "aes256gcm") &&
989 suites[i].encr == ENCR_AES_GCM_ICV16 &&
990 suites[i].encr_size == 32)
991 {
992 suites[remaining++] = suites[i];
993 break;
994 }
995 if (strcaseeq(token, "camellia128") &&
996 suites[i].encr == ENCR_CAMELLIA_CBC &&
997 suites[i].encr_size == 16)
998 {
999 suites[remaining++] = suites[i];
1000 break;
1001 }
1002 if (strcaseeq(token, "camellia256") &&
1003 suites[i].encr == ENCR_CAMELLIA_CBC &&
1004 suites[i].encr_size == 32)
1005 {
1006 suites[remaining++] = suites[i];
1007 break;
1008 }
1009 if (strcaseeq(token, "null") &&
1010 suites[i].encr == ENCR_NULL)
1011 {
1012 suites[remaining++] = suites[i];
1013 break;
1014 }
1015 }
1016 enumerator->destroy(enumerator);
1017 }
1018 *count = remaining;
1019 }
1020 }
1021
1022 /**
1023 * Filter suites by mac user config
1024 */
1025 static void filter_mac_config_suites(private_tls_crypto_t *this,
1026 suite_algs_t suites[], int *count)
1027 {
1028 enumerator_t *enumerator;
1029 int i, remaining = 0;
1030 char *token, *config;
1031
1032 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1033 lib->ns);
1034 if (config)
1035 {
1036 for (i = 0; i < *count; i++)
1037 {
1038 enumerator = enumerator_create_token(config, ",", " ");
1039 while (enumerator->enumerate(enumerator, &token))
1040 {
1041 if (strcaseeq(token, "sha1") &&
1042 suites[i].mac == AUTH_HMAC_SHA1_160)
1043 {
1044 suites[remaining++] = suites[i];
1045 break;
1046 }
1047 if (strcaseeq(token, "sha256") &&
1048 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1049 {
1050 suites[remaining++] = suites[i];
1051 break;
1052 }
1053 if (strcaseeq(token, "sha384") &&
1054 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1055 {
1056 suites[remaining++] = suites[i];
1057 break;
1058 }
1059 }
1060 enumerator->destroy(enumerator);
1061 }
1062 *count = remaining;
1063 }
1064 }
1065
1066 /**
1067 * Filter for specific suites specified in strongswan.conf
1068 */
1069 static void filter_specific_config_suites(private_tls_crypto_t *this,
1070 suite_algs_t suites[], int *count)
1071 {
1072 enumerator_t *enumerator;
1073 int i, remaining = 0, suite;
1074 char *token, *config;
1075
1076 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1077 lib->ns);
1078 if (config)
1079 {
1080 for (i = 0; i < *count; i++)
1081 {
1082 enumerator = enumerator_create_token(config, ",", " ");
1083 while (enumerator->enumerate(enumerator, &token))
1084 {
1085 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1086 suite == suites[i].suite)
1087 {
1088 suites[remaining++] = suites[i];
1089 break;
1090 }
1091 }
1092 enumerator->destroy(enumerator);
1093 }
1094 *count = remaining;
1095 }
1096 }
1097
1098 /**
1099 * Filter key exchange curves by curve user config
1100 */
1101 static bool filter_curve_config(tls_named_group_t curve)
1102 {
1103 enumerator_t *enumerator;
1104 char *token, *config;
1105
1106 config = lib->settings->get_str(lib->settings, "%s.tls.curve", NULL, lib->ns);
1107 if (config)
1108 {
1109 enumerator = enumerator_create_token(config, ",", " ");
1110 while (enumerator->enumerate(enumerator, &token))
1111 {
1112 const proposal_token_t *tok;
1113
1114 tok = lib->proposal->get_token(lib->proposal, token);
1115 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1116 curve == tls_ec_group_to_curve(tok->algorithm))
1117 {
1118 enumerator->destroy(enumerator);
1119 return TRUE;
1120 }
1121 }
1122 enumerator->destroy(enumerator);
1123 }
1124 return !config;
1125 }
1126
1127 /**
1128 * Filter out unsupported suites on given suite array
1129 */
1130 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1131 {
1132 /* filter suite list by each algorithm */
1133 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1134 lib->crypto->create_aead_enumerator);
1135 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1136 lib->crypto->create_prf_enumerator);
1137 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1138 lib->crypto->create_crypter_enumerator);
1139 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1140 lib->crypto->create_signer_enumerator);
1141 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1142 lib->crypto->create_hasher_enumerator);
1143 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1144 lib->crypto->create_dh_enumerator);
1145 }
1146
1147 /**
1148 * Initialize the cipher suite list
1149 */
1150 static void build_cipher_suite_list(private_tls_crypto_t *this)
1151 {
1152 suite_algs_t suites[countof(suite_algs)];
1153 tls_version_t min_version, max_version, new_min_version, new_max_version;
1154 bool require_encryption;
1155 int count = 0, i;
1156
1157 switch (this->tls->get_purpose(this->tls))
1158 {
1159 case TLS_PURPOSE_EAP_TLS:
1160 case TLS_PURPOSE_GENERIC_NULLOK:
1161 require_encryption = FALSE;
1162 break;
1163 case TLS_PURPOSE_EAP_PEAP:
1164 case TLS_PURPOSE_EAP_TTLS:
1165 case TLS_PURPOSE_GENERIC:
1166 require_encryption = TRUE;
1167 break;
1168 default:
1169 return;
1170 }
1171
1172 min_version = this->tls->get_version_min(this->tls);
1173 max_version = this->tls->get_version_max(this->tls);
1174
1175 /* copy all suites appropriate for the current min/max versions */
1176 for (i = 0; i < countof(suite_algs); i++)
1177 {
1178 if (suite_algs[i].min_version <= max_version &&
1179 suite_algs[i].max_version >= min_version)
1180 {
1181 suites[count++] = suite_algs[i];
1182 }
1183 }
1184
1185 if (require_encryption)
1186 {
1187 filter_null_suites(suites, &count);
1188 }
1189 if (!this->rsa)
1190 {
1191 filter_key_suites(this, suites, &count, KEY_RSA);
1192 }
1193 if (!this->ecdsa)
1194 {
1195 filter_key_suites(this, suites, &count, KEY_ECDSA);
1196 }
1197
1198 filter_unsupported_suites(suites, &count);
1199
1200 /* filter suites with strongswan.conf options */
1201 filter_key_exchange_config_suites(this, suites, &count);
1202 filter_cipher_config_suites(this, suites, &count);
1203 filter_mac_config_suites(this, suites, &count);
1204 filter_specific_config_suites(this, suites, &count);
1205
1206 free(this->suites);
1207 this->suite_count = count;
1208 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1209
1210 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1211 new_min_version = max_version;
1212 new_max_version = min_version;
1213 for (i = 0; i < count; i++)
1214 {
1215 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1216 this->suites[i] = suites[i].suite;
1217
1218 /* set TLS min/max versions appropriate to the final cipher suites */
1219 new_max_version = max(new_max_version, suites[i].max_version);
1220 new_min_version = min(new_min_version, suites[i].min_version);
1221 }
1222 new_max_version = min(new_max_version, max_version);
1223 new_min_version = max(new_min_version, min_version);
1224
1225 if ((min_version != new_min_version || max_version != new_max_version) &&
1226 this->tls->set_version(this->tls, new_min_version, new_max_version))
1227 {
1228 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1229 tls_numeric_version_names, new_min_version,
1230 tls_numeric_version_names, new_max_version);
1231 }
1232 }
1233
1234 METHOD(tls_crypto_t, get_cipher_suites, int,
1235 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1236 {
1237 if (!this->suites)
1238 {
1239 build_cipher_suite_list(this);
1240 }
1241 if (suites)
1242 {
1243 *suites = this->suites;
1244 }
1245 return this->suite_count;
1246 }
1247
1248 /**
1249 * Create NULL encryption transforms
1250 */
1251 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1252 {
1253 this->aead_in = tls_aead_create_null(algs->mac);
1254 this->aead_out = tls_aead_create_null(algs->mac);
1255 if (!this->aead_in || !this->aead_out)
1256 {
1257 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1258 integrity_algorithm_names, algs->mac);
1259 return FALSE;
1260 }
1261 return TRUE;
1262 }
1263
1264 /**
1265 * Create traditional transforms
1266 */
1267 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1268 {
1269 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1270 {
1271 this->aead_in = tls_aead_create_implicit(algs->mac,
1272 algs->encr, algs->encr_size);
1273 this->aead_out = tls_aead_create_implicit(algs->mac,
1274 algs->encr, algs->encr_size);
1275 }
1276 else
1277 {
1278 this->aead_in = tls_aead_create_explicit(algs->mac,
1279 algs->encr, algs->encr_size);
1280 this->aead_out = tls_aead_create_explicit(algs->mac,
1281 algs->encr, algs->encr_size);
1282 }
1283 if (!this->aead_in || !this->aead_out)
1284 {
1285 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1286 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1287 integrity_algorithm_names, algs->mac);
1288 return FALSE;
1289 }
1290 return TRUE;
1291 }
1292
1293 /**
1294 * Create AEAD transforms
1295 */
1296 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1297 {
1298 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1299 {
1300 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1301 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1302 }
1303 else
1304 {
1305 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1306 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1307 }
1308 if (!this->aead_in || !this->aead_out)
1309 {
1310 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1311 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1312 return FALSE;
1313 }
1314 return TRUE;
1315 }
1316
1317 /**
1318 * Clean up and unset AEAD transforms
1319 */
1320 static void destroy_aeads(private_tls_crypto_t *this)
1321 {
1322 DESTROY_IF(this->aead_in);
1323 DESTROY_IF(this->aead_out);
1324 this->aead_in = this->aead_out = NULL;
1325 }
1326
1327 /**
1328 * Create crypto primitives
1329 */
1330 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1331 {
1332 destroy_aeads(this);
1333 DESTROY_IF(this->hkdf);
1334 DESTROY_IF(this->prf);
1335 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1336 {
1337 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1338 {
1339 this->prf = tls_prf_create_10();
1340 }
1341 else
1342 {
1343 this->prf = tls_prf_create_12(algs->prf);
1344 }
1345 if (!this->prf)
1346 {
1347 DBG1(DBG_TLS, "selected TLS PRF not supported");
1348 return FALSE;
1349 }
1350 }
1351 else
1352 {
1353 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1354 if (!this->hkdf)
1355 {
1356 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1357 return FALSE;
1358 }
1359 }
1360 if (algs->encr == ENCR_NULL)
1361 {
1362 if (create_null(this, algs))
1363 {
1364 return TRUE;
1365 }
1366 }
1367 else if (encryption_algorithm_is_aead(algs->encr))
1368 {
1369 if (create_aead(this, algs))
1370 {
1371 return TRUE;
1372 }
1373 }
1374 else
1375 {
1376 if (create_traditional(this, algs))
1377 {
1378 return TRUE;
1379 }
1380 }
1381 destroy_aeads(this);
1382 return FALSE;
1383 }
1384
1385 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1386 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1387 key_type_t key)
1388 {
1389 suite_algs_t *algs;
1390 int i, j;
1391
1392 for (i = 0; i < this->suite_count; i++)
1393 {
1394 for (j = 0; j < count; j++)
1395 {
1396 if (this->suites[i] == suites[j])
1397 {
1398 algs = find_suite(this->suites[i]);
1399 if (algs)
1400 {
1401 if (key == KEY_ANY || key == algs->key ||
1402 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1403 (algs->key == KEY_ECDSA && key == KEY_ED448))
1404 {
1405 if (create_ciphers(this, algs))
1406 {
1407 this->suite = this->suites[i];
1408 return this->suite;
1409 }
1410 }
1411 }
1412 }
1413 }
1414 }
1415 return 0;
1416 }
1417
1418 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1419 private_tls_crypto_t *this)
1420 {
1421 suite_algs_t *algs;
1422
1423 algs = find_suite(this->suite);
1424 if (algs)
1425 {
1426 return algs->dh;
1427 }
1428 return MODP_NONE;
1429 }
1430
1431 /**
1432 * Parameters for RSA/PSS signature schemes
1433 */
1434 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1435 .hash = HASH_SHA##bits, \
1436 .mgf1_hash = HASH_SHA##bits, \
1437 .salt_len = HASH_SIZE_SHA##bits, \
1438 }
1439
1440 PSS_PARAMS(256);
1441 PSS_PARAMS(384);
1442 PSS_PARAMS(512);
1443
1444 /**
1445 * Map TLS signature schemes, ordered by preference
1446 */
1447 static struct {
1448 tls_signature_scheme_t sig;
1449 signature_params_t params;
1450 /* min/max versions for use in CertificateVerify */
1451 tls_version_t min_version;
1452 tls_version_t max_version;
1453 } schemes[] = {
1454 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1455 TLS_1_0, TLS_1_3 },
1456 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1457 TLS_1_0, TLS_1_3 },
1458 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1459 TLS_1_0, TLS_1_3 },
1460 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1461 TLS_1_0, TLS_1_3 },
1462 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1463 TLS_1_0, TLS_1_3 },
1464 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1465 TLS_1_2, TLS_1_3 },
1466 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1467 TLS_1_2, TLS_1_3 },
1468 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1469 TLS_1_2, TLS_1_3 },
1470 /* the parameters for the next three should actually be taken from the
1471 * public key, we currently don't have an API for that, so assume defaults */
1472 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1473 TLS_1_2, TLS_1_3 },
1474 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1475 TLS_1_2, TLS_1_3 },
1476 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1477 TLS_1_2, TLS_1_3 },
1478 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1479 TLS_1_0, TLS_1_2 },
1480 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1481 TLS_1_0, TLS_1_2 },
1482 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1483 TLS_1_0, TLS_1_2 },
1484 };
1485
1486 METHOD(tls_crypto_t, get_signature_algorithms, void,
1487 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1488 {
1489 bio_writer_t *supported;
1490 tls_version_t min_version, max_version;
1491 int i;
1492
1493 supported = bio_writer_create(32);
1494
1495 if (!cert)
1496 {
1497 min_version = this->tls->get_version_min(this->tls);
1498 max_version = this->tls->get_version_max(this->tls);
1499 }
1500
1501 for (i = 0; i < countof(schemes); i++)
1502 {
1503 if ((cert || (schemes[i].min_version <= max_version &&
1504 schemes[i].max_version >= min_version)) &&
1505 lib->plugins->has_feature(lib->plugins,
1506 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1507 {
1508 supported->write_uint16(supported, schemes[i].sig);
1509 }
1510 }
1511
1512 writer->write_data16(writer, supported->get_buf(supported));
1513 supported->destroy(supported);
1514 }
1515
1516 /**
1517 * Get the signature parameters from a TLS signature scheme
1518 */
1519 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1520 bool sign)
1521 {
1522 int i;
1523
1524 for (i = 0; i < countof(schemes); i++)
1525 {
1526 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1527 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1528 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1529 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1530 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1531 {
1532 continue;
1533 }
1534 if (schemes[i].sig == sig)
1535 {
1536 return &schemes[i].params;
1537 }
1538 }
1539 return NULL;
1540 }
1541
1542 /**
1543 * Mapping groups to TLS named curves
1544 */
1545 static struct {
1546 diffie_hellman_group_t group;
1547 tls_named_group_t curve;
1548 } curves[] = {
1549 { ECP_256_BIT, TLS_SECP256R1},
1550 { ECP_384_BIT, TLS_SECP384R1},
1551 { ECP_521_BIT, TLS_SECP521R1},
1552 { ECP_224_BIT, TLS_SECP224R1},
1553 { ECP_192_BIT, TLS_SECP192R1},
1554 { CURVE_25519, TLS_CURVE25519},
1555 { CURVE_448, TLS_CURVE448},
1556 };
1557
1558 CALLBACK(group_filter, bool,
1559 void *null, enumerator_t *orig, va_list args)
1560 {
1561 diffie_hellman_group_t group, *group_out;
1562 tls_named_group_t curve, *curve_out;
1563 char *plugin;
1564
1565 VA_ARGS_VGET(args, group_out, curve_out);
1566
1567 while (orig->enumerate(orig, &group, &plugin))
1568 {
1569 curve = tls_ec_group_to_curve(group);
1570 if (curve)
1571 {
1572 if (group_out)
1573 {
1574 *group_out = group;
1575 }
1576 if (curve_out)
1577 {
1578 *curve_out = curve;
1579 }
1580 return TRUE;
1581 }
1582 }
1583 return FALSE;
1584 }
1585
1586 CALLBACK(config_filter, bool,
1587 void *null, enumerator_t *orig, va_list args)
1588 {
1589 diffie_hellman_group_t group, *group_out;
1590 tls_named_group_t curve, *curve_out;
1591
1592 VA_ARGS_VGET(args, group_out, curve_out);
1593
1594 while (orig->enumerate(orig, &group, &curve))
1595 {
1596 if (filter_curve_config(curve))
1597 {
1598 if (group_out)
1599 {
1600 *group_out = group;
1601 }
1602 if (curve_out)
1603 {
1604 *curve_out = curve;
1605 }
1606 return TRUE;
1607 }
1608 }
1609 return FALSE;
1610 }
1611
1612 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1613 private_tls_crypto_t *this)
1614 {
1615 return enumerator_create_filter(
1616 enumerator_create_filter(
1617 lib->crypto->create_dh_enumerator(lib->crypto),
1618 group_filter, NULL, NULL),
1619 config_filter, NULL, NULL);
1620 }
1621
1622 METHOD(tls_crypto_t, set_protection, void,
1623 private_tls_crypto_t *this, tls_protection_t *protection)
1624 {
1625 this->protection = protection;
1626 }
1627
1628 METHOD(tls_crypto_t, append_handshake, void,
1629 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1630 {
1631 uint32_t header;
1632
1633 /* reconstruct handshake header */
1634 header = htonl(data.len | (type << 24));
1635 this->handshake = chunk_cat("mcc", this->handshake,
1636 chunk_from_thing(header), data);
1637 }
1638
1639 /**
1640 * Create a hash using the suites HASH algorithm
1641 */
1642 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1643 {
1644 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1645 {
1646 hasher_t *hasher;
1647 suite_algs_t *alg;
1648
1649 alg = find_suite(this->suite);
1650 if (!alg)
1651 {
1652 return FALSE;
1653 }
1654 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1655 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1656 {
1657 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1658 DESTROY_IF(hasher);
1659 return FALSE;
1660 }
1661 hasher->destroy(hasher);
1662 }
1663 else
1664 {
1665 hasher_t *md5, *sha1;
1666 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1667
1668 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1669 if (!md5 || !md5->get_hash(md5, data, buf))
1670 {
1671 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1672 DESTROY_IF(md5);
1673 return FALSE;
1674 }
1675 md5->destroy(md5);
1676 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1677 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1678 {
1679 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1680 DESTROY_IF(sha1);
1681 return FALSE;
1682 }
1683 sha1->destroy(sha1);
1684
1685 *hash = chunk_clone(chunk_from_thing(buf));
1686 }
1687 return TRUE;
1688 }
1689
1690 METHOD(tls_crypto_t, hash_handshake, bool,
1691 private_tls_crypto_t *this, chunk_t *out)
1692 {
1693 chunk_t hash;
1694
1695 if (!hash_data(this, this->handshake, &hash))
1696 {
1697 return FALSE;
1698 }
1699
1700 chunk_free(&this->handshake);
1701 append_handshake(this, TLS_MESSAGE_HASH, hash);
1702
1703 if (out)
1704 {
1705 *out = hash;
1706 }
1707 else
1708 {
1709 free(hash.ptr);
1710 }
1711 return TRUE;
1712 }
1713
1714 /**
1715 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1716 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1717 */
1718 static chunk_t tls13_sig_data_server = chunk_from_chars(
1719 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1720 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1721 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1722 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1723 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1724 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1725 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1726 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1727 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1728 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1729 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1730 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1731 0x79, 0x00,
1732 );
1733
1734 /**
1735 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1736 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1737 */
1738 static chunk_t tls13_sig_data_client = chunk_from_chars(
1739 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1740 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1741 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1742 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1743 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1744 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1745 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1746 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1747 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1748 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1749 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1750 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1751 0x79, 0x00,
1752 );
1753
1754 METHOD(tls_crypto_t, sign, bool,
1755 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1756 chunk_t data, chunk_t hashsig)
1757 {
1758 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1759 {
1760 /* fallback to SHA1/RSA and SHA1/ECDSA */
1761 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1762 signature_params_t *params;
1763 key_type_t type;
1764 uint16_t scheme;
1765 bio_reader_t *reader;
1766 chunk_t sig;
1767 bool done = FALSE;
1768
1769 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1770 {
1771 chunk_t transcript_hash;
1772
1773 if (!hash_data(this, data, &transcript_hash))
1774 {
1775 DBG1(DBG_TLS, "unable to create transcript hash");
1776 return FALSE;
1777 }
1778 if (this->tls->is_server(this->tls))
1779 {
1780 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1781 }
1782 else
1783 {
1784 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1785 }
1786 }
1787
1788 if (!hashsig.len)
1789 { /* fallback if none given */
1790 hashsig = hashsig_def;
1791 }
1792 type = key->get_type(key);
1793 reader = bio_reader_create(hashsig);
1794 while (reader->remaining(reader) >= 2)
1795 {
1796 if (reader->read_uint16(reader, &scheme))
1797 {
1798 params = params_for_scheme(scheme, TRUE);
1799 if (params &&
1800 type == key_type_from_signature_scheme(params->scheme) &&
1801 key->sign(key, params->scheme, params->params, data, &sig))
1802 {
1803 done = TRUE;
1804 break;
1805 }
1806 }
1807 }
1808 reader->destroy(reader);
1809 if (!done)
1810 {
1811 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1812 return FALSE;
1813 }
1814 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1815 scheme);
1816 writer->write_uint16(writer, scheme);
1817 writer->write_data16(writer, sig);
1818 free(sig.ptr);
1819 }
1820 else
1821 {
1822 chunk_t sig, hash;
1823 bool done;
1824
1825 switch (key->get_type(key))
1826 {
1827 case KEY_RSA:
1828 if (!hash_data(this, data, &hash))
1829 {
1830 return FALSE;
1831 }
1832 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1833 &sig);
1834 free(hash.ptr);
1835 if (!done)
1836 {
1837 return FALSE;
1838 }
1839 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1840 break;
1841 case KEY_ECDSA:
1842 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1843 {
1844 return FALSE;
1845 }
1846 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1847 break;
1848 case KEY_ED25519:
1849 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1850 {
1851 return FALSE;
1852 }
1853 DBG2(DBG_TLS, "created signature with Ed25519");
1854 break;
1855 case KEY_ED448:
1856 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1857 {
1858 return FALSE;
1859 }
1860 DBG2(DBG_TLS, "created signature with Ed448");
1861 break;
1862 default:
1863 return FALSE;
1864 }
1865 writer->write_data16(writer, sig);
1866 free(sig.ptr);
1867 }
1868 return TRUE;
1869 }
1870
1871 METHOD(tls_crypto_t, verify, bool,
1872 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1873 chunk_t data)
1874 {
1875 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1876 {
1877 signature_params_t *params;
1878 uint16_t scheme;
1879 chunk_t sig;
1880
1881 if (!reader->read_uint16(reader, &scheme) ||
1882 !reader->read_data16(reader, &sig))
1883 {
1884 DBG1(DBG_TLS, "received invalid signature");
1885 return FALSE;
1886 }
1887 params = params_for_scheme(scheme, FALSE);
1888 if (!params)
1889 {
1890 DBG1(DBG_TLS, "signature algorithms %N not supported",
1891 tls_signature_scheme_names, scheme);
1892 return FALSE;
1893 }
1894 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1895 {
1896 chunk_t transcript_hash;
1897
1898 if (!hash_data(this, data, &transcript_hash))
1899 {
1900 DBG1(DBG_TLS, "Unable to create transcript hash");
1901 return FALSE;
1902 }
1903
1904 if (this->tls->is_server(this->tls))
1905 {
1906 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1907 }
1908 else
1909 {
1910 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1911 }
1912 }
1913 if (!key->verify(key, params->scheme, params->params, data, sig))
1914 {
1915 DBG1(DBG_TLS, "signature verification with %N failed",
1916 tls_signature_scheme_names, scheme);
1917 return FALSE;
1918 }
1919 DBG2(DBG_TLS, "verified signature with %N",
1920 tls_signature_scheme_names, scheme);
1921 }
1922 else
1923 {
1924 chunk_t sig, hash;
1925 bool done;
1926
1927 if (!reader->read_data16(reader, &sig))
1928 {
1929 DBG1(DBG_TLS, "received invalid signature");
1930 return FALSE;
1931 }
1932 switch (key->get_type(key))
1933 {
1934 case KEY_RSA:
1935 if (!hash_data(this, data, &hash))
1936 {
1937 return FALSE;
1938 }
1939 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1940 sig);
1941 free(hash.ptr);
1942 if (!done)
1943 {
1944 return FALSE;
1945 }
1946 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1947 break;
1948 case KEY_ECDSA:
1949 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1950 sig))
1951 {
1952 return FALSE;
1953 }
1954 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1955 break;
1956 case KEY_ED25519:
1957 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1958 {
1959 return FALSE;
1960 }
1961 DBG2(DBG_TLS, "verified signature with Ed25519");
1962 break;
1963 case KEY_ED448:
1964 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1965 {
1966 return FALSE;
1967 }
1968 DBG2(DBG_TLS, "verified signature with Ed448");
1969 break;
1970 default:
1971 return FALSE;
1972 }
1973 }
1974 return TRUE;
1975 }
1976
1977 METHOD(tls_crypto_t, sign_handshake, bool,
1978 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1979 chunk_t hashsig)
1980 {
1981 return sign(this, key, writer, this->handshake, hashsig);
1982 }
1983
1984 METHOD(tls_crypto_t, verify_handshake, bool,
1985 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1986 {
1987 return verify(this, key, reader, this->handshake);
1988 }
1989
1990 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1991 private_tls_crypto_t *this, char *label, char out[12])
1992 {
1993 chunk_t seed;
1994
1995 if (!this->prf)
1996 {
1997 return FALSE;
1998 }
1999 if (!hash_data(this, this->handshake, &seed))
2000 {
2001 return FALSE;
2002 }
2003 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
2004 {
2005 free(seed.ptr);
2006 return FALSE;
2007 }
2008 free(seed.ptr);
2009 return TRUE;
2010 }
2011
2012 METHOD(tls_crypto_t, calculate_finished, bool,
2013 private_tls_crypto_t *this, bool server, chunk_t *out)
2014 {
2015 chunk_t finished_key, finished_hash;
2016
2017 if (!this->hkdf)
2018 {
2019 return FALSE;
2020 }
2021 if (!hash_data(this, this->handshake, &finished_hash))
2022 {
2023 DBG1(DBG_TLS, "creating hash of handshake failed");
2024 return FALSE;
2025 }
2026 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2027 {
2028 DBG1(DBG_TLS, "generating finished key failed");
2029 chunk_clear(&finished_hash);
2030 return FALSE;
2031 }
2032 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2033 {
2034 DBG1(DBG_TLS, "generating finished HMAC failed");
2035 chunk_clear(&finished_key);
2036 chunk_clear(&finished_hash);
2037 return FALSE;
2038 }
2039 chunk_clear(&finished_key);
2040 chunk_clear(&finished_hash);
2041 return TRUE;
2042 }
2043
2044 /**
2045 * Derive master secret from premaster, optionally save session
2046 */
2047 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2048 chunk_t session, identification_t *id,
2049 chunk_t client_random, chunk_t server_random)
2050 {
2051 char master[48];
2052 chunk_t seed;
2053
2054 /* derive master secret */
2055 seed = chunk_cata("cc", client_random, server_random);
2056
2057 if (!this->prf->set_key(this->prf, premaster) ||
2058 !this->prf->get_bytes(this->prf, "master secret", seed,
2059 sizeof(master), master) ||
2060 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2061 {
2062 return FALSE;
2063 }
2064
2065 if (this->cache && session.len)
2066 {
2067 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2068 this->suite);
2069 }
2070 memwipe(master, sizeof(master));
2071 return TRUE;
2072 }
2073
2074 /**
2075 * Expand key material from master secret
2076 */
2077 static bool expand_keys(private_tls_crypto_t *this,
2078 chunk_t client_random, chunk_t server_random)
2079 {
2080 chunk_t seed, block;
2081 chunk_t cw_mac, cw, cw_iv;
2082 chunk_t sw_mac, sw, sw_iv;
2083 int mklen, eklen, ivlen;
2084
2085 if (!this->aead_in || !this->aead_out)
2086 {
2087 return FALSE;
2088 }
2089
2090 /* derive key block for key expansion */
2091 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2092 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2093 ivlen = this->aead_in->get_iv_size(this->aead_in);
2094 seed = chunk_cata("cc", server_random, client_random);
2095 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2096 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2097 block.len, block.ptr))
2098 {
2099 return FALSE;
2100 }
2101
2102 /* client/server write signer keys */
2103 cw_mac = chunk_create(block.ptr, mklen);
2104 block = chunk_skip(block, mklen);
2105 sw_mac = chunk_create(block.ptr, mklen);
2106 block = chunk_skip(block, mklen);
2107
2108 /* client/server write encryption keys */
2109 cw = chunk_create(block.ptr, eklen);
2110 block = chunk_skip(block, eklen);
2111 sw = chunk_create(block.ptr, eklen);
2112 block = chunk_skip(block, eklen);
2113
2114 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2115 cw_iv = chunk_create(block.ptr, ivlen);
2116 block = chunk_skip(block, ivlen);
2117 sw_iv = chunk_create(block.ptr, ivlen);
2118 block = chunk_skip(block, ivlen);
2119
2120 if (this->tls->is_server(this->tls))
2121 {
2122 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2123 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2124 {
2125 return FALSE;
2126 }
2127 }
2128 else
2129 {
2130 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2131 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2132 {
2133 return FALSE;
2134 }
2135 }
2136
2137 /* EAP-MSK */
2138 if (this->msk_label)
2139 {
2140 seed = chunk_cata("cc", client_random, server_random);
2141 this->msk = chunk_alloc(64);
2142 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2143 this->msk.len, this->msk.ptr))
2144 {
2145 return FALSE;
2146 }
2147 }
2148 return TRUE;
2149 }
2150
2151 METHOD(tls_crypto_t, derive_secrets, bool,
2152 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2153 identification_t *id, chunk_t client_random, chunk_t server_random)
2154 {
2155 return derive_master(this, premaster, session, id,
2156 client_random, server_random) &&
2157 expand_keys(this, client_random, server_random);
2158 }
2159
2160 /**
2161 * Derive and configure the client/server key/IV on an AEAD using a given label.
2162 */
2163 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2164 tls_hkdf_label_t label, tls_aead_t *aead)
2165 {
2166 chunk_t key = chunk_empty, iv = chunk_empty;
2167 bool success = FALSE;
2168
2169 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2170 NULL) ||
2171 !this->hkdf->derive_key(this->hkdf, server,
2172 aead->get_encr_key_size(aead), &key) ||
2173 !this->hkdf->derive_iv(this->hkdf, server,
2174 aead->get_iv_size(aead), &iv))
2175 {
2176 DBG1(DBG_TLS, "deriving key material failed");
2177 goto out;
2178 }
2179
2180 if (!aead->set_keys(aead, chunk_empty, key, iv))
2181 {
2182 DBG1(DBG_TLS, "setting AEAD key material failed");
2183 goto out;
2184 }
2185 success = TRUE;
2186
2187 out:
2188 chunk_clear(&key);
2189 chunk_clear(&iv);
2190 return success;
2191 }
2192
2193 /**
2194 * Derive and configure the keys/IVs using the given labels.
2195 */
2196 static bool derive_labeled_keys(private_tls_crypto_t *this,
2197 tls_hkdf_label_t client_label,
2198 tls_hkdf_label_t server_label)
2199 {
2200 tls_aead_t *aead_c, *aead_s;
2201 suite_algs_t *algs;
2202
2203 algs = find_suite(this->suite);
2204 destroy_aeads(this);
2205 if (!create_aead(this, algs))
2206 {
2207 return FALSE;
2208 }
2209 aead_c = this->aead_out;
2210 aead_s = this->aead_in;
2211 if (this->tls->is_server(this->tls))
2212 {
2213 aead_c = this->aead_in;
2214 aead_s = this->aead_out;
2215 }
2216 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2217 derive_labeled_key(this, TRUE, server_label, aead_s);
2218 }
2219
2220 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2221 private_tls_crypto_t *this, chunk_t shared_secret)
2222 {
2223 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2224 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2225 TLS_HKDF_S_HS_TRAFFIC);
2226 }
2227
2228 METHOD(tls_crypto_t, derive_app_keys, bool,
2229 private_tls_crypto_t *this)
2230 {
2231 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2232 TLS_HKDF_S_AP_TRAFFIC))
2233 {
2234 return FALSE;
2235 }
2236
2237 /* EAP-MSK */
2238 if (this->msk_label)
2239 {
2240 /* because the length is encoded when expanding key material, we
2241 * request the same number of bytes as FreeRADIUS (the first 64 for
2242 * the MSK, the next for the EMSK, which we just ignore) */
2243 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2244 this->handshake, 128, &this->msk))
2245 {
2246 return FALSE;
2247 }
2248 this->msk.len = 64;
2249 }
2250 return TRUE;
2251 }
2252
2253 METHOD(tls_crypto_t, update_app_keys, bool,
2254 private_tls_crypto_t *this, bool inbound)
2255 {
2256 suite_algs_t *algs;
2257 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2258
2259 algs = find_suite(this->suite);
2260 destroy_aeads(this);
2261 if (!create_aead(this, algs))
2262 {
2263 return FALSE;
2264 }
2265 if (this->tls->is_server(this->tls) != inbound)
2266 {
2267 label = TLS_HKDF_UPD_S_TRAFFIC;
2268 }
2269 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2270 inbound ? this->aead_in : this->aead_out);
2271 }
2272
2273 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2274 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2275 chunk_t client_random, chunk_t server_random)
2276 {
2277 chunk_t master;
2278
2279 if (this->cache && session.len)
2280 {
2281 this->suite = this->cache->lookup(this->cache, session, id, &master);
2282 if (this->suite)
2283 {
2284 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2285 if (this->suite)
2286 {
2287 if (!this->prf->set_key(this->prf, master) ||
2288 !expand_keys(this, client_random, server_random))
2289 {
2290 this->suite = 0;
2291 }
2292 }
2293 chunk_clear(&master);
2294 }
2295 return this->suite;
2296 }
2297 return 0;
2298 }
2299
2300 METHOD(tls_crypto_t, get_session, chunk_t,
2301 private_tls_crypto_t *this, identification_t *server)
2302 {
2303 if (this->cache)
2304 {
2305 return this->cache->check(this->cache, server);
2306 }
2307 return chunk_empty;
2308 }
2309
2310 METHOD(tls_crypto_t, change_cipher, void,
2311 private_tls_crypto_t *this, bool inbound)
2312 {
2313 if (this->protection)
2314 {
2315 if (inbound)
2316 {
2317 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2318 this->aead_in = NULL;
2319 }
2320 else
2321 {
2322 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2323 this->aead_out = NULL;
2324 }
2325 }
2326 }
2327
2328 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2329 private_tls_crypto_t *this)
2330 {
2331 return this->msk;
2332 }
2333
2334 METHOD(tls_crypto_t, destroy, void,
2335 private_tls_crypto_t *this)
2336 {
2337 destroy_aeads(this);
2338 free(this->handshake.ptr);
2339 free(this->msk.ptr);
2340 DESTROY_IF(this->prf);
2341 DESTROY_IF(this->hkdf);
2342 free(this->suites);
2343 free(this);
2344 }
2345
2346 /**
2347 * See header
2348 */
2349 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2350 {
2351 private_tls_crypto_t *this;
2352 enumerator_t *enumerator;
2353 credential_type_t type;
2354 int subtype;
2355
2356 INIT(this,
2357 .public = {
2358 .get_cipher_suites = _get_cipher_suites,
2359 .select_cipher_suite = _select_cipher_suite,
2360 .get_dh_group = _get_dh_group,
2361 .get_signature_algorithms = _get_signature_algorithms,
2362 .create_ec_enumerator = _create_ec_enumerator,
2363 .set_protection = _set_protection,
2364 .append_handshake = _append_handshake,
2365 .hash_handshake = _hash_handshake,
2366 .sign = _sign,
2367 .verify = _verify,
2368 .sign_handshake = _sign_handshake,
2369 .verify_handshake = _verify_handshake,
2370 .calculate_finished_legacy = _calculate_finished_legacy,
2371 .calculate_finished = _calculate_finished,
2372 .derive_secrets = _derive_secrets,
2373 .derive_handshake_keys = _derive_handshake_keys,
2374 .derive_app_keys = _derive_app_keys,
2375 .update_app_keys = _update_app_keys,
2376 .resume_session = _resume_session,
2377 .get_session = _get_session,
2378 .change_cipher = _change_cipher,
2379 .get_eap_msk = _get_eap_msk,
2380 .destroy = _destroy,
2381 },
2382 .tls = tls,
2383 .cache = cache,
2384 );
2385
2386 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2387 * separation would be welcome. */
2388 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2389 while (enumerator->enumerate(enumerator, &type, &subtype))
2390 {
2391 if (type == CRED_PUBLIC_KEY)
2392 {
2393 switch (subtype)
2394 {
2395 case KEY_RSA:
2396 this->rsa = TRUE;
2397 break;
2398 case KEY_ECDSA:
2399 case KEY_ED25519:
2400 case KEY_ED448:
2401 this->ecdsa = TRUE;
2402 break;
2403 default:
2404 break;
2405 }
2406 }
2407 }
2408 enumerator->destroy(enumerator);
2409
2410 switch (tls->get_purpose(tls))
2411 {
2412 case TLS_PURPOSE_EAP_TLS:
2413 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2414 this->msk_label = "client EAP encryption";
2415 break;
2416 case TLS_PURPOSE_EAP_PEAP:
2417 this->msk_label = "client EAP encryption";
2418 break;
2419 case TLS_PURPOSE_EAP_TTLS:
2420 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2421 this->msk_label = "ttls keying material";
2422 break;
2423 default:
2424 break;
2425 }
2426 return &this->public;
2427 }
2428
2429 /**
2430 * See header.
2431 */
2432 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2433 tls_cipher_suite_t **out)
2434 {
2435 suite_algs_t suites[countof(suite_algs)];
2436 int count = 0, i;
2437
2438 /* initialize copy of suite list */
2439 for (i = 0; i < countof(suite_algs); i++)
2440 {
2441 if (suite_algs[i].min_version <= version &&
2442 suite_algs[i].max_version >= version)
2443 {
2444 suites[count++] = suite_algs[i];
2445 }
2446 }
2447
2448 filter_unsupported_suites(suites, &count);
2449
2450 if (!null)
2451 {
2452 filter_null_suites(suites, &count);
2453 }
2454
2455 if (out)
2456 {
2457 *out = calloc(count, sizeof(tls_cipher_suite_t));
2458 for (i = 0; i < count; i++)
2459 {
2460 (*out)[i] = suites[i].suite;
2461 }
2462 }
2463 return count;
2464 }
2465
2466 /**
2467 * See header.
2468 */
2469 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2470 {
2471 enumerator_t *enumerator;
2472 diffie_hellman_group_t groups[countof(curves)];
2473 diffie_hellman_group_t group;
2474 tls_named_group_t curve;
2475 int count = 0, i;
2476
2477 enumerator = enumerator_create_filter(
2478 lib->crypto->create_dh_enumerator(lib->crypto),
2479 group_filter, NULL, NULL);
2480
2481 while (enumerator->enumerate(enumerator, &group, &curve))
2482 {
2483 groups[count++] = group;
2484 }
2485 enumerator->destroy(enumerator);
2486
2487 if (out)
2488 {
2489 *out = calloc(count, sizeof(diffie_hellman_group_t));
2490 for (i = 0; i < count; i++)
2491 {
2492 (*out)[i] = groups[i];
2493 }
2494 }
2495 return count;
2496 }
2497
2498 /**
2499 * See header.
2500 */
2501 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2502 {
2503 int i;
2504
2505 for (i = 0; i < countof(curves); i++)
2506 {
2507 if (curves[i].group == group)
2508 {
2509 return curves[i].curve;
2510 }
2511 }
2512 return 0;
2513 }
2514
2515 /**
2516 * See header.
2517 */
2518 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2519 {
2520 int i;
2521
2522 for (i = 0; i < countof(schemes); i++)
2523 {
2524 if (schemes[i].sig == sig)
2525 {
2526 return key_type_from_signature_scheme(schemes[i].params.scheme);
2527 }
2528 }
2529 return 0;
2530 }
2531
2532 /**
2533 * Hashtable hash function
2534 */
2535 static u_int hash_key_type(key_type_t *type)
2536 {
2537 return chunk_hash(chunk_from_thing(*type));
2538 }
2539
2540 /**
2541 * Hashtable equals function
2542 */
2543 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2544 {
2545 return *key1 == *key2;
2546 }
2547
2548 CALLBACK(filter_key_types, bool,
2549 void *data, enumerator_t *orig, va_list args)
2550 {
2551 key_type_t *key_type, *out;
2552
2553 VA_ARGS_VGET(args, out);
2554
2555 if (orig->enumerate(orig, NULL, &key_type))
2556 {
2557 *out = *key_type;
2558 return TRUE;
2559 }
2560 return FALSE;
2561 }
2562
2563 CALLBACK(destroy_key_types, void,
2564 hashtable_t *ht)
2565 {
2566 ht->destroy_function(ht, (void*)free);
2567 }
2568
2569 /**
2570 * Create an enumerator over supported key types within a specific TLS range
2571 */
2572 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2573 tls_version_t max_version)
2574 {
2575 hashtable_t *ht;
2576 key_type_t *type, lookup;
2577 int i;
2578
2579 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2580 (hashtable_equals_t)equals_key_type, 4);
2581 for (i = 0; i < countof(schemes); i++)
2582 {
2583 if (schemes[i].min_version <= max_version &&
2584 schemes[i].max_version >= min_version)
2585 {
2586 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2587 if (!ht->get(ht, &lookup))
2588 {
2589 type = malloc_thing(key_type_t);
2590 *type = lookup;
2591 ht->put(ht, type, type);
2592 }
2593 }
2594 }
2595 return enumerator_create_filter(ht->create_enumerator(ht),
2596 filter_key_types, ht, destroy_key_types);
2597 }
2598
2599 /**
2600 * Create an array of an intersection of server and peer supported key types
2601 */
2602 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2603 {
2604 array_t *key_types;
2605 key_type_t v, lookup;
2606 uint16_t sig_scheme;
2607
2608 key_types = array_create(sizeof(key_type_t), 8);
2609 while (enumerator->enumerate(enumerator, &v))
2610 {
2611 bio_reader_t *reader;
2612
2613 reader = bio_reader_create(hashsig);
2614 while (reader->remaining(reader) &&
2615 reader->read_uint16(reader, &sig_scheme))
2616 {
2617 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2618 if (v == lookup)
2619 {
2620 array_insert(key_types, ARRAY_TAIL, &lookup);
2621 break;
2622 }
2623 }
2624 reader->destroy(reader);
2625 }
2626 return key_types;
2627 }
2628
2629 typedef struct {
2630 enumerator_t public;
2631 array_t *key_types;
2632 identification_t *peer;
2633 private_key_t *key;
2634 auth_cfg_t *auth;
2635 } private_key_enumerator_t;
2636
2637 METHOD(enumerator_t, private_key_enumerate, bool,
2638 private_key_enumerator_t *this, va_list args)
2639 {
2640 key_type_t type;
2641 auth_cfg_t **auth_out;
2642 private_key_t **key_out;
2643
2644 VA_ARGS_VGET(args, key_out, auth_out);
2645
2646 DESTROY_IF(this->key);
2647 DESTROY_IF(this->auth);
2648 this->auth = auth_cfg_create();
2649
2650 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2651 {
2652 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2653 this->auth);
2654 if (this->key)
2655 {
2656 *key_out = this->key;
2657 if (auth_out)
2658 {
2659 *auth_out = this->auth;
2660 }
2661 return TRUE;
2662 }
2663 }
2664 return FALSE;
2665 }
2666
2667 METHOD(enumerator_t, private_key_destroy, void,
2668 private_key_enumerator_t *this)
2669 {
2670 DESTROY_IF(this->key);
2671 DESTROY_IF(this->auth);
2672 array_destroy(this->key_types);
2673 free(this);
2674 }
2675
2676 /**
2677 * See header.
2678 */
2679 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2680 tls_version_t max_version,
2681 chunk_t hashsig,
2682 identification_t *peer)
2683 {
2684 private_key_enumerator_t *enumerator;
2685 enumerator_t *key_types;
2686
2687 key_types = get_supported_key_types(min_version, max_version);
2688
2689 INIT(enumerator,
2690 .public = {
2691 .enumerate = enumerator_enumerate_default,
2692 .venumerate = _private_key_enumerate,
2693 .destroy = _private_key_destroy,
2694 },
2695 .key_types = create_common_key_types(key_types, hashsig),
2696 .peer = peer,
2697 );
2698 key_types->destroy(key_types);
2699
2700 if (!array_count(enumerator->key_types))
2701 {
2702 return NULL;
2703 }
2704 return &enumerator->public;
2705 }