39adcaebf7b04e5aea3758714c13a516489afd36
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26
27 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
28 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
29 "TLS_NULL_WITH_NULL_NULL",
30 "TLS_RSA_WITH_NULL_MD5",
31 "TLS_RSA_WITH_NULL_SHA",
32 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
33 "TLS_RSA_WITH_RC4_128_MD5",
34 "TLS_RSA_WITH_RC4_128_SHA",
35 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
36 "TLS_RSA_WITH_IDEA_CBC_SHA",
37 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_RSA_WITH_DES_CBC_SHA",
39 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DH_DSS_WITH_DES_CBC_SHA",
42 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DH_RSA_WITH_DES_CBC_SHA",
45 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
47 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
48 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
49 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
50 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
51 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
52 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
53 "TLS_DH_anon_WITH_RC4_128_MD5",
54 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
55 "TLS_DH_anon_WITH_DES_CBC_SHA",
56 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
57 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
58 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
59 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
60 "TLS_KRB5_WITH_DES_CBC_SHA",
61 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
62 "TLS_KRB5_WITH_RC4_128_SHA",
63 "TLS_KRB5_WITH_IDEA_CBC_SHA",
64 "TLS_KRB5_WITH_DES_CBC_MD5",
65 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
66 "TLS_KRB5_WITH_RC4_128_MD5",
67 "TLS_KRB5_WITH_IDEA_CBC_MD5",
68 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
69 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
72 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
74 "TLS_PSK_WITH_NULL_SHA",
75 "TLS_DHE_PSK_WITH_NULL_SHA",
76 "TLS_RSA_PSK_WITH_NULL_SHA",
77 "TLS_RSA_WITH_AES_128_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
83 "TLS_RSA_WITH_AES_256_CBC_SHA",
84 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
85 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
89 "TLS_RSA_WITH_NULL_SHA256",
90 "TLS_RSA_WITH_AES_128_CBC_SHA256",
91 "TLS_RSA_WITH_AES_256_CBC_SHA256",
92 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
93 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
94 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
96 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
101 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
102 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
103 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
104 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
105 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
106 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
107 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
111 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
112 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
113 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
114 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
115 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_PSK_WITH_RC4_128_SHA",
121 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
122 "TLS_PSK_WITH_AES_128_CBC_SHA",
123 "TLS_PSK_WITH_AES_256_CBC_SHA",
124 "TLS_DHE_PSK_WITH_RC4_128_SHA",
125 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
126 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
128 "TLS_RSA_PSK_WITH_RC4_128_SHA",
129 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
130 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
132 "TLS_RSA_WITH_SEED_CBC_SHA",
133 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
134 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DH_anon_WITH_SEED_CBC_SHA",
138 "TLS_RSA_WITH_AES_128_GCM_SHA256",
139 "TLS_RSA_WITH_AES_256_GCM_SHA384",
140 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
145 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
146 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_GCM_SHA256",
151 "TLS_PSK_WITH_AES_256_GCM_SHA384",
152 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_PSK_WITH_AES_128_CBC_SHA256",
157 "TLS_PSK_WITH_AES_256_CBC_SHA384",
158 "TLS_PSK_WITH_NULL_SHA256",
159 "TLS_PSK_WITH_NULL_SHA384",
160 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
161 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
162 "TLS_DHE_PSK_WITH_NULL_SHA256",
163 "TLS_DHE_PSK_WITH_NULL_SHA384",
164 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
165 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
166 "TLS_RSA_PSK_WITH_NULL_SHA256",
167 "TLS_RSA_PSK_WITH_NULL_SHA384",
168 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
175 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
180 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
183 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
184 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
185 TLS_AES_128_CCM_8_SHA256,
186 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
187 "TLS_AES_128_GCM_SHA256",
188 "TLS_AES_256_GCM_SHA384",
189 "TLS_CHACHA20_POLY1305_SHA256",
190 "TLS_AES_128_CCM_SHA256",
191 "TLS_AES_128_CCM_8_SHA256");
192 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
193 TLS_ECDHE_PSK_WITH_NULL_SHA384,
194 TLS_AES_128_CCM_8_SHA256,
195 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
196 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
197 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
201 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
202 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
205 "TLS_ECDH_RSA_WITH_NULL_SHA",
206 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
207 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
210 "TLS_ECDHE_RSA_WITH_NULL_SHA",
211 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
212 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
213 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
215 "TLS_ECDH_anon_WITH_NULL_SHA",
216 "TLS_ECDH_anon_WITH_RC4_128_SHA",
217 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
218 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
220 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
221 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
224 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
227 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
229 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
230 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
231 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
238 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
239 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
246 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
247 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
251 "TLS_ECDHE_PSK_WITH_NULL_SHA",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
254 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
255
256 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
257 "NONE",
258 "MD5",
259 "SHA1",
260 "SHA224",
261 "SHA256",
262 "SHA384",
263 "SHA512",
264 );
265
266 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
267 "RSA",
268 "DSA",
269 "ECDSA",
270 );
271
272 ENUM_BEGIN(tls_client_certificate_type_names,
273 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
274 "RSA_SIGN",
275 "DSA_SIGN",
276 "RSA_FIXED_DH",
277 "DSS_FIXED_DH",
278 "RSA_EPHEMERAL_DH",
279 "DSS_EPHEMERAL_DH");
280 ENUM_NEXT(tls_client_certificate_type_names,
281 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
282 "FORTEZZA_DMS");
283 ENUM_NEXT(tls_client_certificate_type_names,
284 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
285 "ECDSA_SIGN",
286 "RSA_FIXED_ECDH",
287 "ECDSA_FIXED_ECDH");
288 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
289
290 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
291 "EXPLICIT_PRIME",
292 "EXPLICIT_CHAR2",
293 "NAMED_CURVE",
294 );
295
296 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
297 "SECT163K1",
298 "SECT163R1",
299 "SECT163R2",
300 "SECT193R1",
301 "SECT193R2",
302 "SECT233K1",
303 "SECT233R1",
304 "SECT239K1",
305 "SECT283K1",
306 "SECT283R1",
307 "SECT409K1",
308 "SECT409R1",
309 "SECT571K1",
310 "SECT571R1",
311 "SECP160K1",
312 "SECP160R1",
313 "SECP160R2",
314 "SECP192K1",
315 "SECP192R1",
316 "SECP224K1",
317 "SECP224R1",
318 "SECP256K1",
319 "SECP256R1",
320 "SECP384R1",
321 "SECP521R1",
322 );
323 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
324 "CURVE25519",
325 "CURVE448",
326 );
327 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
328 "FFDHE2048",
329 "FFDHE3072",
330 "FFDHE4096",
331 "FFDHE6144",
332 "FFDHE8192",
333 );
334 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
335
336 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
337 "compressed",
338 "compressed y",
339 "uncompressed",
340 "uncompressed y",
341 "hybrid",
342 "hybrid y",
343 );
344
345 ENUM(tls_ec_point_format_names,
346 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
347 "uncompressed",
348 "ansiX962 compressed prime",
349 "ansiX962 compressed char2",
350 );
351
352 typedef struct private_tls_crypto_t private_tls_crypto_t;
353
354 /**
355 * Private data of an tls_crypto_t object.
356 */
357 struct private_tls_crypto_t {
358
359 /**
360 * Public tls_crypto_t interface.
361 */
362 tls_crypto_t public;
363
364 /**
365 * Protection layer
366 */
367 tls_protection_t *protection;
368
369 /**
370 * List of supported/acceptable cipher suites
371 */
372 tls_cipher_suite_t *suites;
373
374 /**
375 * Number of supported suites
376 */
377 int suite_count;
378
379 /**
380 * HKDF for TLS 1.3
381 */
382 tls_hkdf_t *hkdf;
383
384 /**
385 * Selected cipher suite
386 */
387 tls_cipher_suite_t suite;
388
389 /**
390 * RSA supported?
391 */
392 bool rsa;
393
394 /**
395 * ECDSA supported?
396 */
397 bool ecdsa;
398
399 /**
400 * TLS context
401 */
402 tls_t *tls;
403
404 /**
405 * TLS session cache
406 */
407 tls_cache_t *cache;
408
409 /**
410 * All handshake data concatenated
411 */
412 chunk_t handshake;
413
414 /**
415 * Connection state TLS PRF
416 */
417 tls_prf_t *prf;
418
419 /**
420 * AEAD transform for inbound traffic
421 */
422 tls_aead_t *aead_in;
423
424 /**
425 * AEAD transform for outbound traffic
426 */
427 tls_aead_t *aead_out;
428
429 /**
430 * EAP-[T]TLS MSK
431 */
432 chunk_t msk;
433
434 /**
435 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
436 */
437 char *msk_label;
438 };
439
440 typedef struct {
441 tls_cipher_suite_t suite;
442 key_type_t key;
443 diffie_hellman_group_t dh;
444 hash_algorithm_t hash;
445 pseudo_random_function_t prf;
446 integrity_algorithm_t mac;
447 encryption_algorithm_t encr;
448 size_t encr_size;
449 tls_version_t min_version;
450 tls_version_t max_version;
451 } suite_algs_t;
452
453 /**
454 * Mapping suites to a set of algorithms
455 */
456 static suite_algs_t suite_algs[] = {
457 /* Cipher suites of TLS 1.3: key exchange and authentication
458 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
459 { TLS_AES_128_GCM_SHA256,
460 KEY_ANY, MODP_NONE,
461 HASH_SHA256, PRF_UNDEFINED,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
463 TLS_1_3, TLS_1_3,
464 },
465 { TLS_AES_256_GCM_SHA384,
466 KEY_ANY, MODP_NONE,
467 HASH_SHA384, PRF_UNDEFINED,
468 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
469 TLS_1_3, TLS_1_3,
470 },
471 { TLS_CHACHA20_POLY1305_SHA256,
472 KEY_ANY, MODP_NONE,
473 HASH_SHA256, PRF_UNDEFINED,
474 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
475 TLS_1_3, TLS_1_3,
476 },
477 { TLS_AES_128_CCM_SHA256,
478 KEY_ANY, MODP_NONE,
479 HASH_SHA256, PRF_UNDEFINED,
480 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
481 TLS_1_3, TLS_1_3,
482 },
483 { TLS_AES_128_CCM_8_SHA256,
484 KEY_ANY, MODP_NONE,
485 HASH_SHA256, PRF_UNDEFINED,
486 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
487 TLS_1_3, TLS_1_3,
488 },
489 /* Legacy TLS cipher suites */
490 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
491 KEY_ECDSA, ECP_256_BIT,
492 HASH_SHA256, PRF_HMAC_SHA2_256,
493 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
494 TLS_1_0, TLS_1_2,
495 },
496 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
497 KEY_ECDSA, ECP_256_BIT,
498 HASH_SHA256, PRF_HMAC_SHA2_256,
499 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
500 TLS_1_2, TLS_1_2,
501 },
502 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
503 KEY_ECDSA, ECP_384_BIT,
504 HASH_SHA256, PRF_HMAC_SHA2_256,
505 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
506 TLS_1_0, TLS_1_2,
507 },
508 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
509 KEY_ECDSA, ECP_384_BIT,
510 HASH_SHA384, PRF_HMAC_SHA2_384,
511 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
512 TLS_1_2, TLS_1_2,
513 },
514 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
515 KEY_ECDSA, ECP_256_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
518 TLS_1_2, TLS_1_2,
519 },
520 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
521 KEY_ECDSA, ECP_384_BIT,
522 HASH_SHA384, PRF_HMAC_SHA2_384,
523 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
524 TLS_1_2, TLS_1_2,
525 },
526 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
527 KEY_RSA, ECP_256_BIT,
528 HASH_SHA256, PRF_HMAC_SHA2_256,
529 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
530 TLS_1_0, TLS_1_2,
531 },
532 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
533 KEY_RSA, ECP_256_BIT,
534 HASH_SHA256, PRF_HMAC_SHA2_256,
535 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
536 TLS_1_2, TLS_1_2,
537 },
538 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
539 KEY_RSA, ECP_384_BIT,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
542 TLS_1_0, TLS_1_2,
543 },
544 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
545 KEY_RSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
551 KEY_RSA, ECP_256_BIT,
552 HASH_SHA256, PRF_HMAC_SHA2_256,
553 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
557 KEY_RSA, ECP_384_BIT,
558 HASH_SHA384, PRF_HMAC_SHA2_384,
559 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
560 TLS_1_2, TLS_1_2,
561 },
562 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
563 KEY_RSA, MODP_2048_BIT,
564 HASH_SHA256,PRF_HMAC_SHA2_256,
565 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
566 SSL_3_0, TLS_1_2,
567 },
568 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
569 KEY_RSA, MODP_3072_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
575 KEY_RSA, MODP_3072_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
578 SSL_3_0, TLS_1_2,
579 },
580 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
581 KEY_RSA, MODP_4096_BIT,
582 HASH_SHA256, PRF_HMAC_SHA2_256,
583 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
587 KEY_RSA, MODP_3072_BIT,
588 HASH_SHA256, PRF_HMAC_SHA2_256,
589 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
593 KEY_RSA, MODP_4096_BIT,
594 HASH_SHA384, PRF_HMAC_SHA2_384,
595 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
596 TLS_1_2, TLS_1_2,
597 },
598 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
599 KEY_RSA, MODP_2048_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
602 SSL_3_0, TLS_1_2,
603 },
604 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
605 KEY_RSA, MODP_3072_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
611 KEY_RSA, MODP_3072_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
614 SSL_3_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA256, PRF_HMAC_SHA2_256,
619 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
623 KEY_RSA, MODP_2048_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
626 SSL_3_0, TLS_1_2,
627 },
628 { TLS_RSA_WITH_AES_128_CBC_SHA,
629 KEY_RSA, MODP_NONE,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_RSA_WITH_AES_128_CBC_SHA256,
635 KEY_RSA, MODP_NONE,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_RSA_WITH_AES_256_CBC_SHA,
641 KEY_RSA, MODP_NONE,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_RSA_WITH_AES_256_CBC_SHA256,
647 KEY_RSA, MODP_NONE,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_RSA_WITH_AES_128_GCM_SHA256,
653 KEY_RSA, MODP_NONE,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_RSA_WITH_AES_256_GCM_SHA384,
659 KEY_RSA, MODP_NONE,
660 HASH_SHA384, PRF_HMAC_SHA2_384,
661 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
662 TLS_1_2, TLS_1_2,
663 },
664 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
665 KEY_RSA, MODP_NONE,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
668 SSL_3_0, TLS_1_2,
669 },
670 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
671 KEY_RSA, MODP_NONE,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
674 TLS_1_2, TLS_1_2,
675 },
676 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA256, PRF_HMAC_SHA2_256,
679 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
680 SSL_3_0, TLS_1_2,
681 },
682 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
689 KEY_ECDSA, ECP_256_BIT,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
692 TLS_1_0, TLS_1_2,
693 },
694 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
695 KEY_RSA, ECP_256_BIT,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
698 TLS_1_0, TLS_1_2,
699 },
700 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
704 SSL_3_0, TLS_1_2,
705 },
706 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
707 KEY_ECDSA, ECP_256_BIT,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
710 TLS_1_0, TLS_1_2,
711 },
712 { TLS_ECDHE_RSA_WITH_NULL_SHA,
713 KEY_ECDSA, ECP_256_BIT,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
716 TLS_1_0, TLS_1_2,
717 },
718 { TLS_RSA_WITH_NULL_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_NULL_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_NULL_MD5,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_MD5_128, ENCR_NULL, 0,
734 SSL_2_0, TLS_1_2,
735 },
736 };
737
738 /**
739 * Look up algorithms by a suite
740 */
741 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
742 {
743 int i;
744
745 for (i = 0; i < countof(suite_algs); i++)
746 {
747 if (suite_algs[i].suite == suite)
748 {
749 return &suite_algs[i];
750 }
751 }
752 return NULL;
753 }
754
755 /**
756 * Filter a suite list using a transform enumerator
757 */
758 static void filter_suite(suite_algs_t suites[], int *count, int offset,
759 enumerator_t*(*create_enumerator)(crypto_factory_t*))
760 {
761 const char *plugin_name;
762 suite_algs_t current;
763 int *current_alg, i, remaining = 0;
764 enumerator_t *enumerator;
765
766 memset(&current, 0, sizeof(current));
767 current_alg = (int*)((char*)&current + offset);
768
769 for (i = 0; i < *count; i++)
770 {
771 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
772 encryption_algorithm_is_aead(suites[i].encr))
773 { /* filtering crypters, but current suite uses an AEAD, apply */
774 suites[remaining] = suites[i];
775 remaining++;
776 continue;
777 }
778 if (create_enumerator == lib->crypto->create_aead_enumerator &&
779 !encryption_algorithm_is_aead(suites[i].encr))
780 { /* filtering AEADs, but current suite doesn't use one, apply */
781 suites[remaining] = suites[i];
782 remaining++;
783 continue;
784 }
785 enumerator = create_enumerator(lib->crypto);
786 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
787 {
788 if (current.encr && current.encr != suites[i].encr)
789 {
790 if (suites[i].encr != ENCR_NULL)
791 { /* skip, ENCR does not match nor is NULL */
792 continue;
793 }
794 }
795 if (current.mac && current.mac != suites[i].mac)
796 {
797 if (suites[i].mac != AUTH_UNDEFINED)
798 { /* skip, MAC does not match nor is it undefined */
799 continue;
800 }
801 }
802 if (current.prf && current.prf != suites[i].prf)
803 {
804 if (suites[i].prf != PRF_UNDEFINED)
805 {
806 /* skip, PRF does not match nor is it undefined */
807 continue;
808 }
809 }
810 if (current.hash && current.hash != suites[i].hash)
811 { /* skip, hash does not match */
812 continue;
813 }
814 if (current.dh && current.dh != suites[i].dh)
815 {
816 if (suites[i].dh != MODP_NONE)
817 { /* skip DH group, does not match nor NONE */
818 continue;
819 }
820 }
821 /* suite supported, apply */
822 suites[remaining] = suites[i];
823 remaining++;
824 break;
825 }
826 enumerator->destroy(enumerator);
827 }
828 *count = remaining;
829 }
830
831 /**
832 * Purge NULL encryption cipher suites from list
833 */
834 static void filter_null_suites(suite_algs_t suites[], int *count)
835 {
836 int i, remaining = 0;
837
838 for (i = 0; i < *count; i++)
839 {
840 if (suites[i].encr != ENCR_NULL)
841 {
842 suites[remaining] = suites[i];
843 remaining++;
844 }
845 }
846 *count = remaining;
847 }
848
849 /**
850 * Purge suites using a given key type
851 */
852 static void filter_key_suites(private_tls_crypto_t *this,
853 suite_algs_t suites[], int *count, key_type_t key)
854 {
855 int i, remaining = 0;
856
857 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
858 for (i = 0; i < *count; i++)
859 {
860 if (suites[i].key != key)
861 {
862 suites[remaining] = suites[i];
863 remaining++;
864 }
865 }
866 *count = remaining;
867 }
868
869 /**
870 * Filter suites by key exchange user config
871 */
872 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
873 suite_algs_t suites[], int *count)
874 {
875 enumerator_t *enumerator;
876 int i, remaining = 0;
877 char *token, *config;
878
879 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
880 lib->ns);
881 if (config)
882 {
883 for (i = 0; i < *count; i++)
884 {
885 enumerator = enumerator_create_token(config, ",", " ");
886 while (enumerator->enumerate(enumerator, &token))
887 {
888 if (strcaseeq(token, "ecdhe-ecdsa") &&
889 diffie_hellman_group_is_ec(suites[i].dh) &&
890 suites[i].key == KEY_ECDSA)
891 {
892 suites[remaining++] = suites[i];
893 break;
894 }
895 if (strcaseeq(token, "ecdhe-rsa") &&
896 diffie_hellman_group_is_ec(suites[i].dh) &&
897 suites[i].key == KEY_RSA)
898 {
899 suites[remaining++] = suites[i];
900 break;
901 }
902 if (strcaseeq(token, "dhe-rsa") &&
903 !diffie_hellman_group_is_ec(suites[i].dh) &&
904 suites[i].dh != MODP_NONE &&
905 suites[i].key == KEY_RSA)
906 {
907 suites[remaining++] = suites[i];
908 break;
909 }
910 if (strcaseeq(token, "rsa") &&
911 suites[i].dh == MODP_NONE &&
912 suites[i].key == KEY_RSA)
913 {
914 suites[remaining++] = suites[i];
915 break;
916 }
917 }
918 enumerator->destroy(enumerator);
919 }
920 *count = remaining;
921 }
922 }
923
924 /**
925 * Filter suites by cipher user config
926 */
927 static void filter_cipher_config_suites(private_tls_crypto_t *this,
928 suite_algs_t suites[], int *count)
929 {
930 enumerator_t *enumerator;
931 int i, remaining = 0;
932 char *token, *config;
933
934 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
935 lib->ns);
936 if (config)
937 {
938 for (i = 0; i < *count; i++)
939 {
940 enumerator = enumerator_create_token(config, ",", " ");
941 while (enumerator->enumerate(enumerator, &token))
942 {
943 if (strcaseeq(token, "aes128") &&
944 suites[i].encr == ENCR_AES_CBC &&
945 suites[i].encr_size == 16)
946 {
947 suites[remaining++] = suites[i];
948 break;
949 }
950 if (strcaseeq(token, "aes256") &&
951 suites[i].encr == ENCR_AES_CBC &&
952 suites[i].encr_size == 32)
953 {
954 suites[remaining++] = suites[i];
955 break;
956 }
957 if (strcaseeq(token, "aes128gcm") &&
958 suites[i].encr == ENCR_AES_GCM_ICV16 &&
959 suites[i].encr_size == 16)
960 {
961 suites[remaining++] = suites[i];
962 break;
963 }
964 if (strcaseeq(token, "aes256gcm") &&
965 suites[i].encr == ENCR_AES_GCM_ICV16 &&
966 suites[i].encr_size == 32)
967 {
968 suites[remaining++] = suites[i];
969 break;
970 }
971 if (strcaseeq(token, "camellia128") &&
972 suites[i].encr == ENCR_CAMELLIA_CBC &&
973 suites[i].encr_size == 16)
974 {
975 suites[remaining++] = suites[i];
976 break;
977 }
978 if (strcaseeq(token, "camellia256") &&
979 suites[i].encr == ENCR_CAMELLIA_CBC &&
980 suites[i].encr_size == 32)
981 {
982 suites[remaining++] = suites[i];
983 break;
984 }
985 if (strcaseeq(token, "3des") &&
986 suites[i].encr == ENCR_3DES)
987 {
988 suites[remaining++] = suites[i];
989 break;
990 }
991 if (strcaseeq(token, "null") &&
992 suites[i].encr == ENCR_NULL)
993 {
994 suites[remaining++] = suites[i];
995 break;
996 }
997 }
998 enumerator->destroy(enumerator);
999 }
1000 *count = remaining;
1001 }
1002 }
1003
1004 /**
1005 * Filter suites by mac user config
1006 */
1007 static void filter_mac_config_suites(private_tls_crypto_t *this,
1008 suite_algs_t suites[], int *count)
1009 {
1010 enumerator_t *enumerator;
1011 int i, remaining = 0;
1012 char *token, *config;
1013
1014 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1015 lib->ns);
1016 if (config)
1017 {
1018 for (i = 0; i < *count; i++)
1019 {
1020 enumerator = enumerator_create_token(config, ",", " ");
1021 while (enumerator->enumerate(enumerator, &token))
1022 {
1023 if (strcaseeq(token, "md5") &&
1024 suites[i].mac == AUTH_HMAC_MD5_128)
1025 {
1026 suites[remaining++] = suites[i];
1027 break;
1028 }
1029 if (strcaseeq(token, "sha1") &&
1030 suites[i].mac == AUTH_HMAC_SHA1_160)
1031 {
1032 suites[remaining++] = suites[i];
1033 break;
1034 }
1035 if (strcaseeq(token, "sha256") &&
1036 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1037 {
1038 suites[remaining++] = suites[i];
1039 break;
1040 }
1041 if (strcaseeq(token, "sha384") &&
1042 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1043 {
1044 suites[remaining++] = suites[i];
1045 break;
1046 }
1047 }
1048 enumerator->destroy(enumerator);
1049 }
1050 *count = remaining;
1051 }
1052 }
1053
1054 /**
1055 * Filter for specific suites specified in strongswan.conf
1056 */
1057 static void filter_specific_config_suites(private_tls_crypto_t *this,
1058 suite_algs_t suites[], int *count)
1059 {
1060 enumerator_t *enumerator;
1061 int i, remaining = 0, suite;
1062 char *token, *config;
1063
1064 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1065 lib->ns);
1066 if (config)
1067 {
1068 for (i = 0; i < *count; i++)
1069 {
1070 enumerator = enumerator_create_token(config, ",", " ");
1071 while (enumerator->enumerate(enumerator, &token))
1072 {
1073 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1074 suite == suites[i].suite)
1075 {
1076 suites[remaining++] = suites[i];
1077 break;
1078 }
1079 }
1080 enumerator->destroy(enumerator);
1081 }
1082 *count = remaining;
1083 }
1084 }
1085
1086 /**
1087 * Filter out unsupported suites on given suite array
1088 */
1089 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1090 {
1091 /* filter suite list by each algorithm */
1092 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1093 lib->crypto->create_aead_enumerator);
1094 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1095 lib->crypto->create_prf_enumerator);
1096 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1097 lib->crypto->create_crypter_enumerator);
1098 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1099 lib->crypto->create_signer_enumerator);
1100 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1101 lib->crypto->create_hasher_enumerator);
1102 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1103 lib->crypto->create_dh_enumerator);
1104 }
1105
1106 /**
1107 * Initialize the cipher suite list
1108 */
1109 static void build_cipher_suite_list(private_tls_crypto_t *this)
1110 {
1111 suite_algs_t suites[countof(suite_algs)];
1112 tls_version_t min_version, max_version;
1113 bool require_encryption;
1114 int count = 0, i;
1115
1116 switch (this->tls->get_purpose(this->tls))
1117 {
1118 case TLS_PURPOSE_EAP_TLS:
1119 case TLS_PURPOSE_GENERIC_NULLOK:
1120 require_encryption = FALSE;
1121 break;
1122 case TLS_PURPOSE_EAP_PEAP:
1123 case TLS_PURPOSE_EAP_TTLS:
1124 case TLS_PURPOSE_GENERIC:
1125 require_encryption = TRUE;
1126 break;
1127 default:
1128 return;
1129 }
1130
1131 min_version = this->tls->get_version_min(this->tls);
1132 max_version = this->tls->get_version_max(this->tls);
1133
1134 /* copy all suites appropriate for the current min/max versions */
1135 for (i = 0; i < countof(suite_algs); i++)
1136 {
1137 if (suite_algs[i].min_version <= max_version &&
1138 suite_algs[i].max_version >= min_version)
1139 {
1140 suites[count++] = suite_algs[i];
1141 }
1142 }
1143
1144 if (require_encryption)
1145 {
1146 filter_null_suites(suites, &count);
1147 }
1148 if (!this->rsa)
1149 {
1150 filter_key_suites(this, suites, &count, KEY_RSA);
1151 }
1152 if (!this->ecdsa)
1153 {
1154 filter_key_suites(this, suites, &count, KEY_ECDSA);
1155 }
1156
1157 filter_unsupported_suites(suites, &count);
1158
1159 /* filter suites with strongswan.conf options */
1160 filter_key_exchange_config_suites(this, suites, &count);
1161 filter_cipher_config_suites(this, suites, &count);
1162 filter_mac_config_suites(this, suites, &count);
1163 filter_specific_config_suites(this, suites, &count);
1164
1165 free(this->suites);
1166 this->suite_count = count;
1167 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1168
1169 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1170 for (i = 0; i < count; i++)
1171 {
1172 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1173 this->suites[i] = suites[i].suite;
1174 }
1175 }
1176
1177 METHOD(tls_crypto_t, get_cipher_suites, int,
1178 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1179 {
1180 if (!this->suites)
1181 {
1182 build_cipher_suite_list(this);
1183 }
1184 *suites = this->suites;
1185 return this->suite_count;
1186 }
1187
1188 /**
1189 * Create NULL encryption transforms
1190 */
1191 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1192 {
1193 this->aead_in = tls_aead_create_null(algs->mac);
1194 this->aead_out = tls_aead_create_null(algs->mac);
1195 if (!this->aead_in || !this->aead_out)
1196 {
1197 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1198 integrity_algorithm_names, algs->mac);
1199 return FALSE;
1200 }
1201 return TRUE;
1202 }
1203
1204 /**
1205 * Create traditional transforms
1206 */
1207 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1208 {
1209 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1210 {
1211 this->aead_in = tls_aead_create_implicit(algs->mac,
1212 algs->encr, algs->encr_size);
1213 this->aead_out = tls_aead_create_implicit(algs->mac,
1214 algs->encr, algs->encr_size);
1215 }
1216 else
1217 {
1218 this->aead_in = tls_aead_create_explicit(algs->mac,
1219 algs->encr, algs->encr_size);
1220 this->aead_out = tls_aead_create_explicit(algs->mac,
1221 algs->encr, algs->encr_size);
1222 }
1223 if (!this->aead_in || !this->aead_out)
1224 {
1225 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1226 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1227 integrity_algorithm_names, algs->mac);
1228 return FALSE;
1229 }
1230 return TRUE;
1231 }
1232
1233 /**
1234 * Create AEAD transforms
1235 */
1236 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1237 {
1238 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1239 {
1240 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1241 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1242 }
1243 else
1244 {
1245 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1246 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1247 }
1248 if (!this->aead_in || !this->aead_out)
1249 {
1250 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1251 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1252 return FALSE;
1253 }
1254 return TRUE;
1255 }
1256
1257 /**
1258 * Clean up and unset AEAD transforms
1259 */
1260 static void destroy_aeads(private_tls_crypto_t *this)
1261 {
1262 DESTROY_IF(this->aead_in);
1263 DESTROY_IF(this->aead_out);
1264 this->aead_in = this->aead_out = NULL;
1265 }
1266
1267 /**
1268 * Create crypto primitives
1269 */
1270 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1271 {
1272 destroy_aeads(this);
1273 DESTROY_IF(this->hkdf);
1274 DESTROY_IF(this->prf);
1275 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1276 {
1277 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1278 {
1279 this->prf = tls_prf_create_10();
1280 }
1281 else
1282 {
1283 this->prf = tls_prf_create_12(algs->prf);
1284 }
1285 if (!this->prf)
1286 {
1287 DBG1(DBG_TLS, "selected TLS PRF not supported");
1288 return FALSE;
1289 }
1290 }
1291 else
1292 {
1293 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1294 if (!this->hkdf)
1295 {
1296 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1297 return FALSE;
1298 }
1299 }
1300 if (algs->encr == ENCR_NULL)
1301 {
1302 if (create_null(this, algs))
1303 {
1304 return TRUE;
1305 }
1306 }
1307 else if (encryption_algorithm_is_aead(algs->encr))
1308 {
1309 if (create_aead(this, algs))
1310 {
1311 return TRUE;
1312 }
1313 }
1314 else
1315 {
1316 if (create_traditional(this, algs))
1317 {
1318 return TRUE;
1319 }
1320 }
1321 destroy_aeads(this);
1322 return FALSE;
1323 }
1324
1325 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1326 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1327 key_type_t key)
1328 {
1329 suite_algs_t *algs;
1330 int i, j;
1331
1332 if (!this->suites)
1333 {
1334 build_cipher_suite_list(this);
1335 }
1336
1337 for (i = 0; i < this->suite_count; i++)
1338 {
1339 for (j = 0; j < count; j++)
1340 {
1341 if (this->suites[i] == suites[j])
1342 {
1343 algs = find_suite(this->suites[i]);
1344 if (algs)
1345 {
1346 if (key == KEY_ANY || key == algs->key)
1347 {
1348 if (create_ciphers(this, algs))
1349 {
1350 this->suite = this->suites[i];
1351 return this->suite;
1352 }
1353 }
1354 }
1355 }
1356 }
1357 }
1358 return 0;
1359 }
1360
1361 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1362 private_tls_crypto_t *this)
1363 {
1364 suite_algs_t *algs;
1365
1366 algs = find_suite(this->suite);
1367 if (algs)
1368 {
1369 return algs->dh;
1370 }
1371 return MODP_NONE;
1372 }
1373
1374 /**
1375 * Map signature schemes to TLS key types and hashes, ordered by preference
1376 */
1377 static struct {
1378 tls_signature_algorithm_t sig;
1379 tls_hash_algorithm_t hash;
1380 signature_scheme_t scheme;
1381 } schemes[] = {
1382 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1383 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1384 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1385 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1386 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1387 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1388 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1389 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA2_224 },
1390 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1391 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1392 };
1393
1394 METHOD(tls_crypto_t, get_signature_algorithms, void,
1395 private_tls_crypto_t *this, bio_writer_t *writer)
1396 {
1397 bio_writer_t *supported;
1398 tls_version_t version;
1399 int i;
1400
1401 supported = bio_writer_create(32);
1402 version = this->tls->get_version_max(this->tls);
1403
1404 for (i = 0; i < countof(schemes); i++)
1405 {
1406 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1407 {
1408 continue;
1409 }
1410 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1411 {
1412 continue;
1413 }
1414 if (schemes[i].hash == TLS_HASH_MD5 && version >= TLS_1_3)
1415 {
1416 continue;
1417 }
1418 if (schemes[i].hash == TLS_HASH_SHA224 && version >= TLS_1_3)
1419 {
1420 continue;
1421 }
1422 if (!lib->plugins->has_feature(lib->plugins,
1423 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1424 {
1425 continue;
1426 }
1427 supported->write_uint8(supported, schemes[i].hash);
1428 supported->write_uint8(supported, schemes[i].sig);
1429 }
1430
1431 supported->wrap16(supported);
1432 writer->write_data16(writer, supported->get_buf(supported));
1433 supported->destroy(supported);
1434 }
1435
1436 /**
1437 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1438 */
1439 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1440 tls_hash_algorithm_t hash,
1441 tls_signature_algorithm_t sig)
1442 {
1443 int i;
1444
1445 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1446 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1447 {
1448 for (i = 0; i < countof(schemes); i++)
1449 {
1450 if (schemes[i].sig == sig && schemes[i].hash == hash)
1451 {
1452 return schemes[i].scheme;
1453 }
1454 }
1455 }
1456 return SIGN_UNKNOWN;
1457 }
1458
1459 /**
1460 * Mapping groups to TLS named curves
1461 */
1462 static struct {
1463 diffie_hellman_group_t group;
1464 tls_named_group_t curve;
1465 } curves[] = {
1466 { ECP_256_BIT, TLS_SECP256R1},
1467 { ECP_384_BIT, TLS_SECP384R1},
1468 { ECP_521_BIT, TLS_SECP521R1},
1469 { ECP_224_BIT, TLS_SECP224R1},
1470 { ECP_192_BIT, TLS_SECP192R1},
1471 { CURVE_25519, TLS_CURVE25519},
1472 { CURVE_448, TLS_CURVE448},
1473 };
1474
1475 CALLBACK(group_filter, bool,
1476 void *null, enumerator_t *orig, va_list args)
1477 {
1478 diffie_hellman_group_t group, *out;
1479 tls_named_group_t *curve;
1480 char *plugin;
1481 int i;
1482
1483 VA_ARGS_VGET(args, out, curve);
1484
1485 while (orig->enumerate(orig, &group, &plugin))
1486 {
1487 for (i = 0; i < countof(curves); i++)
1488 {
1489 if (curves[i].group == group)
1490 {
1491 if (out)
1492 {
1493 *out = curves[i].group;
1494 }
1495 if (curve)
1496 {
1497 *curve = curves[i].curve;
1498 }
1499 return TRUE;
1500 }
1501 }
1502 }
1503 return FALSE;
1504 }
1505
1506 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1507 private_tls_crypto_t *this)
1508 {
1509 return enumerator_create_filter(
1510 lib->crypto->create_dh_enumerator(lib->crypto),
1511 group_filter, NULL, NULL);
1512 }
1513
1514 METHOD(tls_crypto_t, set_protection, void,
1515 private_tls_crypto_t *this, tls_protection_t *protection)
1516 {
1517 this->protection = protection;
1518 }
1519
1520 METHOD(tls_crypto_t, append_handshake, void,
1521 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1522 {
1523 uint32_t header;
1524
1525 /* reconstruct handshake header */
1526 header = htonl(data.len | (type << 24));
1527 this->handshake = chunk_cat("mcc", this->handshake,
1528 chunk_from_thing(header), data);
1529 }
1530
1531 /**
1532 * Create a hash using the suites HASH algorithm
1533 */
1534 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1535 {
1536 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1537 {
1538 hasher_t *hasher;
1539 suite_algs_t *alg;
1540
1541 alg = find_suite(this->suite);
1542 if (!alg)
1543 {
1544 return FALSE;
1545 }
1546 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1547 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1548 {
1549 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1550 DESTROY_IF(hasher);
1551 return FALSE;
1552 }
1553 hasher->destroy(hasher);
1554 }
1555 else
1556 {
1557 hasher_t *md5, *sha1;
1558 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1559
1560 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1561 if (!md5 || !md5->get_hash(md5, data, buf))
1562 {
1563 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1564 DESTROY_IF(md5);
1565 return FALSE;
1566 }
1567 md5->destroy(md5);
1568 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1569 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1570 {
1571 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1572 DESTROY_IF(sha1);
1573 return FALSE;
1574 }
1575 sha1->destroy(sha1);
1576
1577 *hash = chunk_clone(chunk_from_thing(buf));
1578 }
1579 return TRUE;
1580 }
1581
1582 METHOD(tls_crypto_t, hash_handshake, bool,
1583 private_tls_crypto_t *this, chunk_t *out)
1584 {
1585 chunk_t hash;
1586
1587 if (!hash_data(this, this->handshake, &hash))
1588 {
1589 return FALSE;
1590 }
1591
1592 chunk_free(&this->handshake);
1593 append_handshake(this, TLS_MESSAGE_HASH, hash);
1594
1595 if (out)
1596 {
1597 *out = hash;
1598 }
1599 else
1600 {
1601 free(hash.ptr);
1602 }
1603 return TRUE;
1604 }
1605
1606 /**
1607 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1608 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1609 */
1610 static chunk_t tls13_sig_data_server = chunk_from_chars(
1611 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1612 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1613 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1614 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1615 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1616 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1617 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1618 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1619 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1620 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1621 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1622 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1623 0x79, 0x00,
1624 );
1625
1626 METHOD(tls_crypto_t, sign, bool,
1627 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1628 chunk_t data, chunk_t hashsig)
1629 {
1630 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1631 {
1632 const chunk_t hashsig_def = chunk_from_chars(
1633 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1634 signature_scheme_t scheme;
1635 bio_reader_t *reader;
1636 uint8_t hash, alg;
1637 chunk_t sig;
1638 bool done = FALSE;
1639
1640 if (!hashsig.len)
1641 { /* fallback if none given */
1642 hashsig = hashsig_def;
1643 }
1644 reader = bio_reader_create(hashsig);
1645 while (reader->remaining(reader) >= 2)
1646 {
1647 if (reader->read_uint8(reader, &hash) &&
1648 reader->read_uint8(reader, &alg))
1649 {
1650 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1651 if (scheme != SIGN_UNKNOWN &&
1652 key->sign(key, scheme, NULL, data, &sig))
1653 {
1654 done = TRUE;
1655 break;
1656 }
1657 }
1658 }
1659 reader->destroy(reader);
1660 if (!done)
1661 {
1662 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1663 return FALSE;
1664 }
1665 DBG2(DBG_TLS, "created signature with %N/%N",
1666 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1667 writer->write_uint8(writer, hash);
1668 writer->write_uint8(writer, alg);
1669 writer->write_data16(writer, sig);
1670 free(sig.ptr);
1671 }
1672 else
1673 {
1674 chunk_t sig, hash;
1675 bool done;
1676
1677 switch (key->get_type(key))
1678 {
1679 case KEY_RSA:
1680 if (!hash_data(this, data, &hash))
1681 {
1682 return FALSE;
1683 }
1684 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1685 &sig);
1686 free(hash.ptr);
1687 if (!done)
1688 {
1689 return FALSE;
1690 }
1691 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1692 break;
1693 case KEY_ECDSA:
1694 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1695 {
1696 return FALSE;
1697 }
1698 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1699 break;
1700 default:
1701 return FALSE;
1702 }
1703 writer->write_data16(writer, sig);
1704 free(sig.ptr);
1705 }
1706 return TRUE;
1707 }
1708
1709 METHOD(tls_crypto_t, verify, bool,
1710 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1711 chunk_t data)
1712 {
1713 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1714 {
1715 signature_scheme_t scheme = SIGN_UNKNOWN;
1716 uint8_t hash, alg;
1717 chunk_t sig;
1718
1719 if (!reader->read_uint8(reader, &hash) ||
1720 !reader->read_uint8(reader, &alg) ||
1721 !reader->read_data16(reader, &sig))
1722 {
1723 DBG1(DBG_TLS, "received invalid signature");
1724 return FALSE;
1725 }
1726 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1727 if (scheme == SIGN_UNKNOWN)
1728 {
1729 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1730 tls_hash_algorithm_names, hash,
1731 tls_signature_algorithm_names, alg);
1732 return FALSE;
1733 }
1734 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1735 {
1736 chunk_t transcript_hash;
1737
1738 if (!hash_data(this, data, &transcript_hash))
1739 {
1740 DBG1(DBG_TLS, "Unable to create transcript hash");
1741 return FALSE;
1742 }
1743
1744 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1745 }
1746 if (!key->verify(key, scheme, NULL, data, sig))
1747 {
1748 DBG1(DBG_TLS, "signature verification with %N/%N failed",
1749 tls_hash_algorithm_names, hash, tls_signature_algorithm_names,
1750 alg);
1751 return FALSE;
1752 }
1753 DBG2(DBG_TLS, "verified signature with %N/%N",
1754 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1755 }
1756 else
1757 {
1758 chunk_t sig, hash;
1759 bool done;
1760
1761 if (!reader->read_data16(reader, &sig))
1762 {
1763 DBG1(DBG_TLS, "received invalid signature");
1764 return FALSE;
1765 }
1766 switch (key->get_type(key))
1767 {
1768 case KEY_RSA:
1769 if (!hash_data(this, data, &hash))
1770 {
1771 return FALSE;
1772 }
1773 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1774 sig);
1775 free(hash.ptr);
1776 if (!done)
1777 {
1778 return FALSE;
1779 }
1780 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1781 break;
1782 case KEY_ECDSA:
1783 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1784 sig))
1785 {
1786 return FALSE;
1787 }
1788 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1789 break;
1790 default:
1791 return FALSE;
1792 }
1793 }
1794 return TRUE;
1795 }
1796
1797 METHOD(tls_crypto_t, sign_handshake, bool,
1798 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1799 chunk_t hashsig)
1800 {
1801 return sign(this, key, writer, this->handshake, hashsig);
1802 }
1803
1804 METHOD(tls_crypto_t, verify_handshake, bool,
1805 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1806 {
1807 return verify(this, key, reader, this->handshake);
1808 }
1809
1810 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1811 private_tls_crypto_t *this, char *label, char out[12])
1812 {
1813 chunk_t seed;
1814
1815 if (!this->prf)
1816 {
1817 return FALSE;
1818 }
1819 if (!hash_data(this, this->handshake, &seed))
1820 {
1821 return FALSE;
1822 }
1823 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1824 {
1825 free(seed.ptr);
1826 return FALSE;
1827 }
1828 free(seed.ptr);
1829 return TRUE;
1830 }
1831
1832 METHOD(tls_crypto_t, calculate_finished, bool,
1833 private_tls_crypto_t *this, bool is_server, chunk_t *out)
1834 {
1835 chunk_t finished_key, finished_hash;
1836
1837 if (!this->hkdf)
1838 {
1839 return FALSE;
1840 }
1841 if (!hash_data(this, this->handshake, &finished_hash))
1842 {
1843 DBG1(DBG_TLS, "creating hash of handshake failed");
1844 return FALSE;
1845 }
1846 if (!this->hkdf->derive_finished(this->hkdf, is_server, &finished_key))
1847 {
1848 DBG1(DBG_TLS, "generating finished key failed");
1849 chunk_clear(&finished_hash);
1850 return FALSE;
1851 }
1852 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
1853 {
1854 DBG1(DBG_TLS, "generating finished HMAC failed");
1855 chunk_clear(&finished_key);
1856 chunk_clear(&finished_hash);
1857 return FALSE;
1858 }
1859 chunk_clear(&finished_key);
1860 chunk_clear(&finished_hash);
1861 return TRUE;
1862 }
1863
1864 /**
1865 * Derive master secret from premaster, optionally save session
1866 */
1867 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1868 chunk_t session, identification_t *id,
1869 chunk_t client_random, chunk_t server_random)
1870 {
1871 char master[48];
1872 chunk_t seed;
1873
1874 /* derive master secret */
1875 seed = chunk_cata("cc", client_random, server_random);
1876
1877 if (!this->prf->set_key(this->prf, premaster) ||
1878 !this->prf->get_bytes(this->prf, "master secret", seed,
1879 sizeof(master), master) ||
1880 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1881 {
1882 return FALSE;
1883 }
1884
1885 if (this->cache && session.len)
1886 {
1887 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1888 this->suite);
1889 }
1890 memwipe(master, sizeof(master));
1891 return TRUE;
1892 }
1893
1894 /**
1895 * Expand key material from master secret
1896 */
1897 static bool expand_keys(private_tls_crypto_t *this,
1898 chunk_t client_random, chunk_t server_random)
1899 {
1900 chunk_t seed, block;
1901 chunk_t cw_mac, cw, cw_iv;
1902 chunk_t sw_mac, sw, sw_iv;
1903 int mklen, eklen, ivlen;
1904
1905 if (!this->aead_in || !this->aead_out)
1906 {
1907 return FALSE;
1908 }
1909
1910 /* derive key block for key expansion */
1911 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1912 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1913 ivlen = this->aead_in->get_iv_size(this->aead_in);
1914 seed = chunk_cata("cc", server_random, client_random);
1915 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1916 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1917 block.len, block.ptr))
1918 {
1919 return FALSE;
1920 }
1921
1922 /* client/server write signer keys */
1923 cw_mac = chunk_create(block.ptr, mklen);
1924 block = chunk_skip(block, mklen);
1925 sw_mac = chunk_create(block.ptr, mklen);
1926 block = chunk_skip(block, mklen);
1927
1928 /* client/server write encryption keys */
1929 cw = chunk_create(block.ptr, eklen);
1930 block = chunk_skip(block, eklen);
1931 sw = chunk_create(block.ptr, eklen);
1932 block = chunk_skip(block, eklen);
1933
1934 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1935 cw_iv = chunk_create(block.ptr, ivlen);
1936 block = chunk_skip(block, ivlen);
1937 sw_iv = chunk_create(block.ptr, ivlen);
1938 block = chunk_skip(block, ivlen);
1939
1940 if (this->tls->is_server(this->tls))
1941 {
1942 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1943 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1944 {
1945 return FALSE;
1946 }
1947 }
1948 else
1949 {
1950 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1951 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1952 {
1953 return FALSE;
1954 }
1955 }
1956
1957 /* EAP-MSK */
1958 if (this->msk_label)
1959 {
1960 seed = chunk_cata("cc", client_random, server_random);
1961 this->msk = chunk_alloc(64);
1962 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1963 this->msk.len, this->msk.ptr))
1964 {
1965 return FALSE;
1966 }
1967 }
1968 return TRUE;
1969 }
1970
1971 METHOD(tls_crypto_t, derive_secrets, bool,
1972 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1973 identification_t *id, chunk_t client_random, chunk_t server_random)
1974 {
1975 return derive_master(this, premaster, session, id,
1976 client_random, server_random) &&
1977 expand_keys(this, client_random, server_random);
1978 }
1979
1980 /**
1981 * Derive and configure the keys/IVs using the given labels.
1982 */
1983 static bool derive_labeled_keys(private_tls_crypto_t *this,
1984 tls_hkdf_label_t client_label,
1985 tls_hkdf_label_t server_label)
1986 {
1987 chunk_t c_key = chunk_empty, c_iv = chunk_empty;
1988 chunk_t s_key = chunk_empty, s_iv = chunk_empty;
1989 tls_aead_t *aead_c = this->aead_out, *aead_s = this->aead_in;
1990 bool success = FALSE;
1991
1992 if (this->tls->is_server(this->tls))
1993 {
1994 aead_c = this->aead_in;
1995 aead_s = this->aead_out;
1996 }
1997
1998 if (!this->hkdf->generate_secret(this->hkdf, client_label, this->handshake,
1999 NULL) ||
2000 !this->hkdf->derive_key(this->hkdf, FALSE,
2001 this->aead_out->get_encr_key_size(this->aead_out),
2002 &c_key) ||
2003 !this->hkdf->derive_iv(this->hkdf, FALSE,
2004 this->aead_out->get_iv_size(this->aead_out),
2005 &c_iv))
2006 {
2007 DBG1(DBG_TLS, "deriving client key material failed");
2008 goto out;
2009 }
2010
2011 if (!this->hkdf->generate_secret(this->hkdf, server_label, this->handshake,
2012 NULL) ||
2013 !this->hkdf->derive_key(this->hkdf, TRUE,
2014 this->aead_in->get_encr_key_size(this->aead_in),
2015 &s_key) ||
2016 !this->hkdf->derive_iv(this->hkdf, TRUE,
2017 this->aead_in->get_iv_size(this->aead_in),
2018 &s_iv))
2019 {
2020 DBG1(DBG_TLS, "deriving server key material failed");
2021 goto out;
2022 }
2023
2024 if (!aead_c->set_keys(aead_c, chunk_empty, c_key, c_iv) ||
2025 !aead_s->set_keys(aead_s, chunk_empty, s_key, s_iv))
2026 {
2027 DBG1(DBG_TLS, "setting AEAD key material failed");
2028 goto out;
2029 }
2030 success = TRUE;
2031
2032 out:
2033 chunk_clear(&c_key);
2034 chunk_clear(&c_iv);
2035 chunk_clear(&s_key);
2036 chunk_clear(&s_iv);
2037 return success;
2038 }
2039
2040 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2041 private_tls_crypto_t *this, chunk_t shared_secret)
2042 {
2043 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2044 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2045 TLS_HKDF_S_HS_TRAFFIC);
2046 }
2047
2048 METHOD(tls_crypto_t, derive_app_keys, bool,
2049 private_tls_crypto_t *this)
2050 {
2051 return derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2052 TLS_HKDF_S_AP_TRAFFIC);
2053 }
2054
2055 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2056 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2057 chunk_t client_random, chunk_t server_random)
2058 {
2059 chunk_t master;
2060
2061 if (this->cache && session.len)
2062 {
2063 this->suite = this->cache->lookup(this->cache, session, id, &master);
2064 if (this->suite)
2065 {
2066 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2067 if (this->suite)
2068 {
2069 if (!this->prf->set_key(this->prf, master) ||
2070 !expand_keys(this, client_random, server_random))
2071 {
2072 this->suite = 0;
2073 }
2074 }
2075 chunk_clear(&master);
2076 }
2077 return this->suite;
2078 }
2079 return 0;
2080 }
2081
2082 METHOD(tls_crypto_t, get_session, chunk_t,
2083 private_tls_crypto_t *this, identification_t *server)
2084 {
2085 if (this->cache)
2086 {
2087 return this->cache->check(this->cache, server);
2088 }
2089 return chunk_empty;
2090 }
2091
2092 METHOD(tls_crypto_t, change_cipher, void,
2093 private_tls_crypto_t *this, bool inbound)
2094 {
2095 if (this->protection)
2096 {
2097 if (inbound)
2098 {
2099 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2100 }
2101 else
2102 {
2103 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2104 }
2105 }
2106 }
2107
2108 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2109 private_tls_crypto_t *this)
2110 {
2111 return this->msk;
2112 }
2113
2114 METHOD(tls_crypto_t, destroy, void,
2115 private_tls_crypto_t *this)
2116 {
2117 destroy_aeads(this);
2118 free(this->handshake.ptr);
2119 free(this->msk.ptr);
2120 DESTROY_IF(this->prf);
2121 DESTROY_IF(this->hkdf);
2122 free(this->suites);
2123 free(this);
2124 }
2125
2126 /**
2127 * See header
2128 */
2129 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2130 {
2131 private_tls_crypto_t *this;
2132 enumerator_t *enumerator;
2133 credential_type_t type;
2134 int subtype;
2135
2136 INIT(this,
2137 .public = {
2138 .get_cipher_suites = _get_cipher_suites,
2139 .select_cipher_suite = _select_cipher_suite,
2140 .get_dh_group = _get_dh_group,
2141 .get_signature_algorithms = _get_signature_algorithms,
2142 .create_ec_enumerator = _create_ec_enumerator,
2143 .set_protection = _set_protection,
2144 .append_handshake = _append_handshake,
2145 .hash_handshake = _hash_handshake,
2146 .sign = _sign,
2147 .verify = _verify,
2148 .sign_handshake = _sign_handshake,
2149 .verify_handshake = _verify_handshake,
2150 .calculate_finished_legacy = _calculate_finished_legacy,
2151 .calculate_finished = _calculate_finished,
2152 .derive_secrets = _derive_secrets,
2153 .derive_handshake_keys = _derive_handshake_keys,
2154 .derive_app_keys = _derive_app_keys,
2155 .resume_session = _resume_session,
2156 .get_session = _get_session,
2157 .change_cipher = _change_cipher,
2158 .get_eap_msk = _get_eap_msk,
2159 .destroy = _destroy,
2160 },
2161 .tls = tls,
2162 .cache = cache,
2163 );
2164
2165 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2166 while (enumerator->enumerate(enumerator, &type, &subtype))
2167 {
2168 if (type == CRED_PUBLIC_KEY)
2169 {
2170 switch (subtype)
2171 {
2172 case KEY_RSA:
2173 this->rsa = TRUE;
2174 break;
2175 case KEY_ECDSA:
2176 this->ecdsa = TRUE;
2177 break;
2178 default:
2179 break;
2180 }
2181 }
2182 }
2183 enumerator->destroy(enumerator);
2184
2185 switch (tls->get_purpose(tls))
2186 {
2187 case TLS_PURPOSE_EAP_TLS:
2188 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2189 this->msk_label = "client EAP encryption";
2190 break;
2191 case TLS_PURPOSE_EAP_PEAP:
2192 this->msk_label = "client EAP encryption";
2193 break;
2194 case TLS_PURPOSE_EAP_TTLS:
2195 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2196 this->msk_label = "ttls keying material";
2197 break;
2198 default:
2199 break;
2200 }
2201 return &this->public;
2202 }
2203
2204 /**
2205 * See header.
2206 */
2207 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2208 tls_cipher_suite_t **out)
2209 {
2210 suite_algs_t suites[countof(suite_algs)];
2211 int count = 0, i;
2212
2213 /* initialize copy of suite list */
2214 for (i = 0; i < countof(suite_algs); i++)
2215 {
2216 if (suite_algs[i].min_version <= version &&
2217 suite_algs[i].max_version >= version)
2218 {
2219 suites[count++] = suite_algs[i];
2220 }
2221 }
2222
2223 filter_unsupported_suites(suites, &count);
2224
2225 if (!null)
2226 {
2227 filter_null_suites(suites, &count);
2228 }
2229
2230 if (out)
2231 {
2232 *out = calloc(count, sizeof(tls_cipher_suite_t));
2233 for (i = 0; i < count; i++)
2234 {
2235 (*out)[i] = suites[i].suite;
2236 }
2237 }
2238 return count;
2239 }