tls-crypto: Rename methods to calculate finished message
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26
27 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
28 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
29 "TLS_NULL_WITH_NULL_NULL",
30 "TLS_RSA_WITH_NULL_MD5",
31 "TLS_RSA_WITH_NULL_SHA",
32 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
33 "TLS_RSA_WITH_RC4_128_MD5",
34 "TLS_RSA_WITH_RC4_128_SHA",
35 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
36 "TLS_RSA_WITH_IDEA_CBC_SHA",
37 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_RSA_WITH_DES_CBC_SHA",
39 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DH_DSS_WITH_DES_CBC_SHA",
42 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DH_RSA_WITH_DES_CBC_SHA",
45 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
47 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
48 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
49 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
50 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
51 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
52 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
53 "TLS_DH_anon_WITH_RC4_128_MD5",
54 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
55 "TLS_DH_anon_WITH_DES_CBC_SHA",
56 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
57 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
58 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
59 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
60 "TLS_KRB5_WITH_DES_CBC_SHA",
61 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
62 "TLS_KRB5_WITH_RC4_128_SHA",
63 "TLS_KRB5_WITH_IDEA_CBC_SHA",
64 "TLS_KRB5_WITH_DES_CBC_MD5",
65 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
66 "TLS_KRB5_WITH_RC4_128_MD5",
67 "TLS_KRB5_WITH_IDEA_CBC_MD5",
68 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
69 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
72 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
74 "TLS_PSK_WITH_NULL_SHA",
75 "TLS_DHE_PSK_WITH_NULL_SHA",
76 "TLS_RSA_PSK_WITH_NULL_SHA",
77 "TLS_RSA_WITH_AES_128_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
83 "TLS_RSA_WITH_AES_256_CBC_SHA",
84 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
85 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
89 "TLS_RSA_WITH_NULL_SHA256",
90 "TLS_RSA_WITH_AES_128_CBC_SHA256",
91 "TLS_RSA_WITH_AES_256_CBC_SHA256",
92 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
93 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
94 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
96 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
101 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
102 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
103 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
104 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
105 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
106 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
107 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
111 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
112 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
113 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
114 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
115 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_PSK_WITH_RC4_128_SHA",
121 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
122 "TLS_PSK_WITH_AES_128_CBC_SHA",
123 "TLS_PSK_WITH_AES_256_CBC_SHA",
124 "TLS_DHE_PSK_WITH_RC4_128_SHA",
125 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
126 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
128 "TLS_RSA_PSK_WITH_RC4_128_SHA",
129 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
130 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
132 "TLS_RSA_WITH_SEED_CBC_SHA",
133 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
134 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DH_anon_WITH_SEED_CBC_SHA",
138 "TLS_RSA_WITH_AES_128_GCM_SHA256",
139 "TLS_RSA_WITH_AES_256_GCM_SHA384",
140 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
145 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
146 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_GCM_SHA256",
151 "TLS_PSK_WITH_AES_256_GCM_SHA384",
152 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_PSK_WITH_AES_128_CBC_SHA256",
157 "TLS_PSK_WITH_AES_256_CBC_SHA384",
158 "TLS_PSK_WITH_NULL_SHA256",
159 "TLS_PSK_WITH_NULL_SHA384",
160 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
161 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
162 "TLS_DHE_PSK_WITH_NULL_SHA256",
163 "TLS_DHE_PSK_WITH_NULL_SHA384",
164 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
165 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
166 "TLS_RSA_PSK_WITH_NULL_SHA256",
167 "TLS_RSA_PSK_WITH_NULL_SHA384",
168 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
175 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
180 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
183 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
184 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
185 TLS_AES_128_CCM_8_SHA256,
186 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
187 "TLS_AES_128_GCM_SHA256",
188 "TLS_AES_256_GCM_SHA384",
189 "TLS_CHACHA20_POLY1305_SHA256",
190 "TLS_AES_128_CCM_SHA256",
191 "TLS_AES_128_CCM_8_SHA256");
192 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
193 TLS_ECDHE_PSK_WITH_NULL_SHA384,
194 TLS_AES_128_CCM_8_SHA256,
195 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
196 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
197 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
201 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
202 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
205 "TLS_ECDH_RSA_WITH_NULL_SHA",
206 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
207 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
210 "TLS_ECDHE_RSA_WITH_NULL_SHA",
211 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
212 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
213 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
215 "TLS_ECDH_anon_WITH_NULL_SHA",
216 "TLS_ECDH_anon_WITH_RC4_128_SHA",
217 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
218 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
220 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
221 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
224 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
227 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
229 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
230 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
231 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
238 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
239 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
246 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
247 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
251 "TLS_ECDHE_PSK_WITH_NULL_SHA",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
254 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
255
256 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
257 "NONE",
258 "MD5",
259 "SHA1",
260 "SHA224",
261 "SHA256",
262 "SHA384",
263 "SHA512",
264 );
265
266 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
267 "RSA",
268 "DSA",
269 "ECDSA",
270 );
271
272 ENUM_BEGIN(tls_client_certificate_type_names,
273 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
274 "RSA_SIGN",
275 "DSA_SIGN",
276 "RSA_FIXED_DH",
277 "DSS_FIXED_DH",
278 "RSA_EPHEMERAL_DH",
279 "DSS_EPHEMERAL_DH");
280 ENUM_NEXT(tls_client_certificate_type_names,
281 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
282 "FORTEZZA_DMS");
283 ENUM_NEXT(tls_client_certificate_type_names,
284 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
285 "ECDSA_SIGN",
286 "RSA_FIXED_ECDH",
287 "ECDSA_FIXED_ECDH");
288 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
289
290 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
291 "EXPLICIT_PRIME",
292 "EXPLICIT_CHAR2",
293 "NAMED_CURVE",
294 );
295
296 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
297 "SECT163K1",
298 "SECT163R1",
299 "SECT163R2",
300 "SECT193R1",
301 "SECT193R2",
302 "SECT233K1",
303 "SECT233R1",
304 "SECT239K1",
305 "SECT283K1",
306 "SECT283R1",
307 "SECT409K1",
308 "SECT409R1",
309 "SECT571K1",
310 "SECT571R1",
311 "SECP160K1",
312 "SECP160R1",
313 "SECP160R2",
314 "SECP192K1",
315 "SECP192R1",
316 "SECP224K1",
317 "SECP224R1",
318 "SECP256K1",
319 "SECP256R1",
320 "SECP384R1",
321 "SECP521R1",
322 );
323 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
324 "CURVE25519",
325 "CURVE448",
326 );
327 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
328 "FFDHE2048",
329 "FFDHE3072",
330 "FFDHE4096",
331 "FFDHE6144",
332 "FFDHE8192",
333 );
334 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
335
336 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
337 "compressed",
338 "compressed y",
339 "uncompressed",
340 "uncompressed y",
341 "hybrid",
342 "hybrid y",
343 );
344
345 ENUM(tls_ec_point_format_names,
346 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
347 "uncompressed",
348 "ansiX962 compressed prime",
349 "ansiX962 compressed char2",
350 );
351
352 typedef struct private_tls_crypto_t private_tls_crypto_t;
353
354 /**
355 * Private data of an tls_crypto_t object.
356 */
357 struct private_tls_crypto_t {
358
359 /**
360 * Public tls_crypto_t interface.
361 */
362 tls_crypto_t public;
363
364 /**
365 * Protection layer
366 */
367 tls_protection_t *protection;
368
369 /**
370 * List of supported/acceptable cipher suites
371 */
372 tls_cipher_suite_t *suites;
373
374 /**
375 * Number of supported suites
376 */
377 int suite_count;
378
379 /**
380 * HKDF for TLS 1.3
381 */
382 tls_hkdf_t *hkdf;
383
384 /**
385 * Selected cipher suite
386 */
387 tls_cipher_suite_t suite;
388
389 /**
390 * RSA supported?
391 */
392 bool rsa;
393
394 /**
395 * ECDSA supported?
396 */
397 bool ecdsa;
398
399 /**
400 * TLS context
401 */
402 tls_t *tls;
403
404 /**
405 * TLS session cache
406 */
407 tls_cache_t *cache;
408
409 /**
410 * All handshake data concatenated
411 */
412 chunk_t handshake;
413
414 /**
415 * Connection state TLS PRF
416 */
417 tls_prf_t *prf;
418
419 /**
420 * AEAD transform for inbound traffic
421 */
422 tls_aead_t *aead_in;
423
424 /**
425 * AEAD transform for outbound traffic
426 */
427 tls_aead_t *aead_out;
428
429 /**
430 * EAP-[T]TLS MSK
431 */
432 chunk_t msk;
433
434 /**
435 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
436 */
437 char *msk_label;
438 };
439
440 typedef struct {
441 tls_cipher_suite_t suite;
442 key_type_t key;
443 diffie_hellman_group_t dh;
444 hash_algorithm_t hash;
445 pseudo_random_function_t prf;
446 integrity_algorithm_t mac;
447 encryption_algorithm_t encr;
448 size_t encr_size;
449 tls_version_t min_version;
450 tls_version_t max_version;
451 } suite_algs_t;
452
453 /**
454 * Mapping suites to a set of algorithms
455 */
456 static suite_algs_t suite_algs[] = {
457 /* Cipher suites of TLS 1.3: key exchange and authentication
458 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
459 { TLS_AES_128_GCM_SHA256,
460 KEY_ANY, MODP_NONE,
461 HASH_SHA256, PRF_UNDEFINED,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
463 TLS_1_3, TLS_1_3,
464 },
465 { TLS_AES_256_GCM_SHA384,
466 KEY_ANY, MODP_NONE,
467 HASH_SHA384, PRF_UNDEFINED,
468 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
469 TLS_1_3, TLS_1_3,
470 },
471 { TLS_CHACHA20_POLY1305_SHA256,
472 KEY_ANY, MODP_NONE,
473 HASH_SHA256, PRF_UNDEFINED,
474 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
475 TLS_1_3, TLS_1_3,
476 },
477 { TLS_AES_128_CCM_SHA256,
478 KEY_ANY, MODP_NONE,
479 HASH_SHA256, PRF_UNDEFINED,
480 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
481 TLS_1_3, TLS_1_3,
482 },
483 { TLS_AES_128_CCM_8_SHA256,
484 KEY_ANY, MODP_NONE,
485 HASH_SHA256, PRF_UNDEFINED,
486 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
487 TLS_1_3, TLS_1_3,
488 },
489 /* Legacy TLS cipher suites */
490 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
491 KEY_ECDSA, ECP_256_BIT,
492 HASH_SHA256, PRF_HMAC_SHA2_256,
493 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
494 TLS_1_0, TLS_1_2,
495 },
496 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
497 KEY_ECDSA, ECP_256_BIT,
498 HASH_SHA256, PRF_HMAC_SHA2_256,
499 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
500 TLS_1_2, TLS_1_2,
501 },
502 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
503 KEY_ECDSA, ECP_384_BIT,
504 HASH_SHA256, PRF_HMAC_SHA2_256,
505 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
506 TLS_1_0, TLS_1_2,
507 },
508 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
509 KEY_ECDSA, ECP_384_BIT,
510 HASH_SHA384, PRF_HMAC_SHA2_384,
511 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
512 TLS_1_2, TLS_1_2,
513 },
514 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
515 KEY_ECDSA, ECP_256_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
518 TLS_1_2, TLS_1_2,
519 },
520 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
521 KEY_ECDSA, ECP_384_BIT,
522 HASH_SHA384, PRF_HMAC_SHA2_384,
523 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
524 TLS_1_2, TLS_1_2,
525 },
526 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
527 KEY_RSA, ECP_256_BIT,
528 HASH_SHA256, PRF_HMAC_SHA2_256,
529 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
530 TLS_1_0, TLS_1_2,
531 },
532 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
533 KEY_RSA, ECP_256_BIT,
534 HASH_SHA256, PRF_HMAC_SHA2_256,
535 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
536 TLS_1_2, TLS_1_2,
537 },
538 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
539 KEY_RSA, ECP_384_BIT,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
542 TLS_1_0, TLS_1_2,
543 },
544 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
545 KEY_RSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
551 KEY_RSA, ECP_256_BIT,
552 HASH_SHA256, PRF_HMAC_SHA2_256,
553 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
557 KEY_RSA, ECP_384_BIT,
558 HASH_SHA384, PRF_HMAC_SHA2_384,
559 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
560 TLS_1_2, TLS_1_2,
561 },
562 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
563 KEY_RSA, MODP_2048_BIT,
564 HASH_SHA256,PRF_HMAC_SHA2_256,
565 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
566 SSL_3_0, TLS_1_2,
567 },
568 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
569 KEY_RSA, MODP_3072_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
575 KEY_RSA, MODP_3072_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
578 SSL_3_0, TLS_1_2,
579 },
580 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
581 KEY_RSA, MODP_4096_BIT,
582 HASH_SHA256, PRF_HMAC_SHA2_256,
583 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
587 KEY_RSA, MODP_3072_BIT,
588 HASH_SHA256, PRF_HMAC_SHA2_256,
589 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
593 KEY_RSA, MODP_4096_BIT,
594 HASH_SHA384, PRF_HMAC_SHA2_384,
595 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
596 TLS_1_2, TLS_1_2,
597 },
598 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
599 KEY_RSA, MODP_2048_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
602 SSL_3_0, TLS_1_2,
603 },
604 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
605 KEY_RSA, MODP_3072_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
611 KEY_RSA, MODP_3072_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
614 SSL_3_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA256, PRF_HMAC_SHA2_256,
619 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
623 KEY_RSA, MODP_2048_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
626 SSL_3_0, TLS_1_2,
627 },
628 { TLS_RSA_WITH_AES_128_CBC_SHA,
629 KEY_RSA, MODP_NONE,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_RSA_WITH_AES_128_CBC_SHA256,
635 KEY_RSA, MODP_NONE,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_RSA_WITH_AES_256_CBC_SHA,
641 KEY_RSA, MODP_NONE,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_RSA_WITH_AES_256_CBC_SHA256,
647 KEY_RSA, MODP_NONE,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_RSA_WITH_AES_128_GCM_SHA256,
653 KEY_RSA, MODP_NONE,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_RSA_WITH_AES_256_GCM_SHA384,
659 KEY_RSA, MODP_NONE,
660 HASH_SHA384, PRF_HMAC_SHA2_384,
661 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
662 TLS_1_2, TLS_1_2,
663 },
664 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
665 KEY_RSA, MODP_NONE,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
668 SSL_3_0, TLS_1_2,
669 },
670 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
671 KEY_RSA, MODP_NONE,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
674 TLS_1_2, TLS_1_2,
675 },
676 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA256, PRF_HMAC_SHA2_256,
679 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
680 SSL_3_0, TLS_1_2,
681 },
682 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
689 KEY_ECDSA, ECP_256_BIT,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
692 TLS_1_0, TLS_1_2,
693 },
694 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
695 KEY_RSA, ECP_256_BIT,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
698 TLS_1_0, TLS_1_2,
699 },
700 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
704 SSL_3_0, TLS_1_2,
705 },
706 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
707 KEY_ECDSA, ECP_256_BIT,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
710 TLS_1_0, TLS_1_2,
711 },
712 { TLS_ECDHE_RSA_WITH_NULL_SHA,
713 KEY_ECDSA, ECP_256_BIT,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
716 TLS_1_0, TLS_1_2,
717 },
718 { TLS_RSA_WITH_NULL_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_NULL_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_NULL_MD5,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_MD5_128, ENCR_NULL, 0,
734 SSL_2_0, TLS_1_2,
735 },
736 };
737
738 /**
739 * Look up algorithms by a suite
740 */
741 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
742 {
743 int i;
744
745 for (i = 0; i < countof(suite_algs); i++)
746 {
747 if (suite_algs[i].suite == suite)
748 {
749 return &suite_algs[i];
750 }
751 }
752 return NULL;
753 }
754
755 /**
756 * Filter a suite list using a transform enumerator
757 */
758 static void filter_suite(suite_algs_t suites[], int *count, int offset,
759 enumerator_t*(*create_enumerator)(crypto_factory_t*))
760 {
761 const char *plugin_name;
762 suite_algs_t current;
763 int *current_alg, i, remaining = 0;
764 enumerator_t *enumerator;
765
766 memset(&current, 0, sizeof(current));
767 current_alg = (int*)((char*)&current + offset);
768
769 for (i = 0; i < *count; i++)
770 {
771 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
772 encryption_algorithm_is_aead(suites[i].encr))
773 { /* filtering crypters, but current suite uses an AEAD, apply */
774 suites[remaining] = suites[i];
775 remaining++;
776 continue;
777 }
778 if (create_enumerator == lib->crypto->create_aead_enumerator &&
779 !encryption_algorithm_is_aead(suites[i].encr))
780 { /* filtering AEADs, but current suite doesn't use one, apply */
781 suites[remaining] = suites[i];
782 remaining++;
783 continue;
784 }
785 enumerator = create_enumerator(lib->crypto);
786 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
787 {
788 if (current.encr && current.encr != suites[i].encr)
789 {
790 if (suites[i].encr != ENCR_NULL)
791 { /* skip, ENCR does not match nor is NULL */
792 continue;
793 }
794 }
795 if (current.mac && current.mac != suites[i].mac)
796 {
797 if (suites[i].mac != AUTH_UNDEFINED)
798 { /* skip, MAC does not match nor is it undefined */
799 continue;
800 }
801 }
802 if (current.prf && current.prf != suites[i].prf)
803 {
804 if (suites[i].prf != PRF_UNDEFINED)
805 {
806 /* skip, PRF does not match nor is it undefined */
807 continue;
808 }
809 }
810 if (current.hash && current.hash != suites[i].hash)
811 { /* skip, hash does not match */
812 continue;
813 }
814 if (current.dh && current.dh != suites[i].dh)
815 {
816 if (suites[i].dh != MODP_NONE)
817 { /* skip DH group, does not match nor NONE */
818 continue;
819 }
820 }
821 /* suite supported, apply */
822 suites[remaining] = suites[i];
823 remaining++;
824 break;
825 }
826 enumerator->destroy(enumerator);
827 }
828 *count = remaining;
829 }
830
831 /**
832 * Purge NULL encryption cipher suites from list
833 */
834 static void filter_null_suites(suite_algs_t suites[], int *count)
835 {
836 int i, remaining = 0;
837
838 for (i = 0; i < *count; i++)
839 {
840 if (suites[i].encr != ENCR_NULL)
841 {
842 suites[remaining] = suites[i];
843 remaining++;
844 }
845 }
846 *count = remaining;
847 }
848
849 /**
850 * Purge suites using a given key type
851 */
852 static void filter_key_suites(private_tls_crypto_t *this,
853 suite_algs_t suites[], int *count, key_type_t key)
854 {
855 int i, remaining = 0;
856
857 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
858 for (i = 0; i < *count; i++)
859 {
860 if (suites[i].key != key)
861 {
862 suites[remaining] = suites[i];
863 remaining++;
864 }
865 }
866 *count = remaining;
867 }
868
869 /**
870 * Filter suites by key exchange user config
871 */
872 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
873 suite_algs_t suites[], int *count)
874 {
875 enumerator_t *enumerator;
876 int i, remaining = 0;
877 char *token, *config;
878
879 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
880 lib->ns);
881 if (config)
882 {
883 for (i = 0; i < *count; i++)
884 {
885 enumerator = enumerator_create_token(config, ",", " ");
886 while (enumerator->enumerate(enumerator, &token))
887 {
888 if (strcaseeq(token, "ecdhe-ecdsa") &&
889 diffie_hellman_group_is_ec(suites[i].dh) &&
890 suites[i].key == KEY_ECDSA)
891 {
892 suites[remaining++] = suites[i];
893 break;
894 }
895 if (strcaseeq(token, "ecdhe-rsa") &&
896 diffie_hellman_group_is_ec(suites[i].dh) &&
897 suites[i].key == KEY_RSA)
898 {
899 suites[remaining++] = suites[i];
900 break;
901 }
902 if (strcaseeq(token, "dhe-rsa") &&
903 !diffie_hellman_group_is_ec(suites[i].dh) &&
904 suites[i].dh != MODP_NONE &&
905 suites[i].key == KEY_RSA)
906 {
907 suites[remaining++] = suites[i];
908 break;
909 }
910 if (strcaseeq(token, "rsa") &&
911 suites[i].dh == MODP_NONE &&
912 suites[i].key == KEY_RSA)
913 {
914 suites[remaining++] = suites[i];
915 break;
916 }
917 }
918 enumerator->destroy(enumerator);
919 }
920 *count = remaining;
921 }
922 }
923
924 /**
925 * Filter suites by cipher user config
926 */
927 static void filter_cipher_config_suites(private_tls_crypto_t *this,
928 suite_algs_t suites[], int *count)
929 {
930 enumerator_t *enumerator;
931 int i, remaining = 0;
932 char *token, *config;
933
934 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
935 lib->ns);
936 if (config)
937 {
938 for (i = 0; i < *count; i++)
939 {
940 enumerator = enumerator_create_token(config, ",", " ");
941 while (enumerator->enumerate(enumerator, &token))
942 {
943 if (strcaseeq(token, "aes128") &&
944 suites[i].encr == ENCR_AES_CBC &&
945 suites[i].encr_size == 16)
946 {
947 suites[remaining++] = suites[i];
948 break;
949 }
950 if (strcaseeq(token, "aes256") &&
951 suites[i].encr == ENCR_AES_CBC &&
952 suites[i].encr_size == 32)
953 {
954 suites[remaining++] = suites[i];
955 break;
956 }
957 if (strcaseeq(token, "aes128gcm") &&
958 suites[i].encr == ENCR_AES_GCM_ICV16 &&
959 suites[i].encr_size == 16)
960 {
961 suites[remaining++] = suites[i];
962 break;
963 }
964 if (strcaseeq(token, "aes256gcm") &&
965 suites[i].encr == ENCR_AES_GCM_ICV16 &&
966 suites[i].encr_size == 32)
967 {
968 suites[remaining++] = suites[i];
969 break;
970 }
971 if (strcaseeq(token, "camellia128") &&
972 suites[i].encr == ENCR_CAMELLIA_CBC &&
973 suites[i].encr_size == 16)
974 {
975 suites[remaining++] = suites[i];
976 break;
977 }
978 if (strcaseeq(token, "camellia256") &&
979 suites[i].encr == ENCR_CAMELLIA_CBC &&
980 suites[i].encr_size == 32)
981 {
982 suites[remaining++] = suites[i];
983 break;
984 }
985 if (strcaseeq(token, "3des") &&
986 suites[i].encr == ENCR_3DES)
987 {
988 suites[remaining++] = suites[i];
989 break;
990 }
991 if (strcaseeq(token, "null") &&
992 suites[i].encr == ENCR_NULL)
993 {
994 suites[remaining++] = suites[i];
995 break;
996 }
997 }
998 enumerator->destroy(enumerator);
999 }
1000 *count = remaining;
1001 }
1002 }
1003
1004 /**
1005 * Filter suites by mac user config
1006 */
1007 static void filter_mac_config_suites(private_tls_crypto_t *this,
1008 suite_algs_t suites[], int *count)
1009 {
1010 enumerator_t *enumerator;
1011 int i, remaining = 0;
1012 char *token, *config;
1013
1014 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1015 lib->ns);
1016 if (config)
1017 {
1018 for (i = 0; i < *count; i++)
1019 {
1020 enumerator = enumerator_create_token(config, ",", " ");
1021 while (enumerator->enumerate(enumerator, &token))
1022 {
1023 if (strcaseeq(token, "md5") &&
1024 suites[i].mac == AUTH_HMAC_MD5_128)
1025 {
1026 suites[remaining++] = suites[i];
1027 break;
1028 }
1029 if (strcaseeq(token, "sha1") &&
1030 suites[i].mac == AUTH_HMAC_SHA1_160)
1031 {
1032 suites[remaining++] = suites[i];
1033 break;
1034 }
1035 if (strcaseeq(token, "sha256") &&
1036 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1037 {
1038 suites[remaining++] = suites[i];
1039 break;
1040 }
1041 if (strcaseeq(token, "sha384") &&
1042 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1043 {
1044 suites[remaining++] = suites[i];
1045 break;
1046 }
1047 }
1048 enumerator->destroy(enumerator);
1049 }
1050 *count = remaining;
1051 }
1052 }
1053
1054 /**
1055 * Filter for specific suites specified in strongswan.conf
1056 */
1057 static void filter_specific_config_suites(private_tls_crypto_t *this,
1058 suite_algs_t suites[], int *count)
1059 {
1060 enumerator_t *enumerator;
1061 int i, remaining = 0, suite;
1062 char *token, *config;
1063
1064 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1065 lib->ns);
1066 if (config)
1067 {
1068 for (i = 0; i < *count; i++)
1069 {
1070 enumerator = enumerator_create_token(config, ",", " ");
1071 while (enumerator->enumerate(enumerator, &token))
1072 {
1073 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1074 suite == suites[i].suite)
1075 {
1076 suites[remaining++] = suites[i];
1077 break;
1078 }
1079 }
1080 enumerator->destroy(enumerator);
1081 }
1082 *count = remaining;
1083 }
1084 }
1085
1086 /**
1087 * Filter out unsupported suites on given suite array
1088 */
1089 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1090 {
1091 /* filter suite list by each algorithm */
1092 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1093 lib->crypto->create_aead_enumerator);
1094 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1095 lib->crypto->create_prf_enumerator);
1096 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1097 lib->crypto->create_crypter_enumerator);
1098 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1099 lib->crypto->create_signer_enumerator);
1100 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1101 lib->crypto->create_hasher_enumerator);
1102 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1103 lib->crypto->create_dh_enumerator);
1104 }
1105
1106 /**
1107 * Initialize the cipher suite list
1108 */
1109 static void build_cipher_suite_list(private_tls_crypto_t *this)
1110 {
1111 suite_algs_t suites[countof(suite_algs)];
1112 tls_version_t min_version, max_version;
1113 bool require_encryption;
1114 int count = 0, i;
1115
1116 switch (this->tls->get_purpose(this->tls))
1117 {
1118 case TLS_PURPOSE_EAP_TLS:
1119 case TLS_PURPOSE_GENERIC_NULLOK:
1120 require_encryption = FALSE;
1121 break;
1122 case TLS_PURPOSE_EAP_PEAP:
1123 case TLS_PURPOSE_EAP_TTLS:
1124 case TLS_PURPOSE_GENERIC:
1125 require_encryption = TRUE;
1126 break;
1127 default:
1128 return;
1129 }
1130
1131 min_version = this->tls->get_version_min(this->tls);
1132 max_version = this->tls->get_version_max(this->tls);
1133
1134 /* copy all suites appropriate for the current min/max versions */
1135 for (i = 0; i < countof(suite_algs); i++)
1136 {
1137 if (suite_algs[i].min_version <= max_version &&
1138 suite_algs[i].max_version >= min_version)
1139 {
1140 suites[count++] = suite_algs[i];
1141 }
1142 }
1143
1144 if (require_encryption)
1145 {
1146 filter_null_suites(suites, &count);
1147 }
1148 if (!this->rsa)
1149 {
1150 filter_key_suites(this, suites, &count, KEY_RSA);
1151 }
1152 if (!this->ecdsa)
1153 {
1154 filter_key_suites(this, suites, &count, KEY_ECDSA);
1155 }
1156
1157 filter_unsupported_suites(suites, &count);
1158
1159 /* filter suites with strongswan.conf options */
1160 filter_key_exchange_config_suites(this, suites, &count);
1161 filter_cipher_config_suites(this, suites, &count);
1162 filter_mac_config_suites(this, suites, &count);
1163 filter_specific_config_suites(this, suites, &count);
1164
1165 free(this->suites);
1166 this->suite_count = count;
1167 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1168
1169 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1170 for (i = 0; i < count; i++)
1171 {
1172 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1173 this->suites[i] = suites[i].suite;
1174 }
1175 }
1176
1177 METHOD(tls_crypto_t, get_cipher_suites, int,
1178 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1179 {
1180 if (!this->suites)
1181 {
1182 build_cipher_suite_list(this);
1183 }
1184 *suites = this->suites;
1185 return this->suite_count;
1186 }
1187
1188 /**
1189 * Create NULL encryption transforms
1190 */
1191 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1192 {
1193 this->aead_in = tls_aead_create_null(algs->mac);
1194 this->aead_out = tls_aead_create_null(algs->mac);
1195 if (!this->aead_in || !this->aead_out)
1196 {
1197 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1198 integrity_algorithm_names, algs->mac);
1199 return FALSE;
1200 }
1201 return TRUE;
1202 }
1203
1204 /**
1205 * Create traditional transforms
1206 */
1207 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1208 {
1209 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1210 {
1211 this->aead_in = tls_aead_create_implicit(algs->mac,
1212 algs->encr, algs->encr_size);
1213 this->aead_out = tls_aead_create_implicit(algs->mac,
1214 algs->encr, algs->encr_size);
1215 }
1216 else
1217 {
1218 this->aead_in = tls_aead_create_explicit(algs->mac,
1219 algs->encr, algs->encr_size);
1220 this->aead_out = tls_aead_create_explicit(algs->mac,
1221 algs->encr, algs->encr_size);
1222 }
1223 if (!this->aead_in || !this->aead_out)
1224 {
1225 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1226 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1227 integrity_algorithm_names, algs->mac);
1228 return FALSE;
1229 }
1230 return TRUE;
1231 }
1232
1233 /**
1234 * Create AEAD transforms
1235 */
1236 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1237 {
1238 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1239 {
1240 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1241 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1242 }
1243 else
1244 {
1245 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1246 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1247 }
1248 if (!this->aead_in || !this->aead_out)
1249 {
1250 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1251 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1252 return FALSE;
1253 }
1254 return TRUE;
1255 }
1256
1257 /**
1258 * Clean up and unset AEAD transforms
1259 */
1260 static void destroy_aeads(private_tls_crypto_t *this)
1261 {
1262 DESTROY_IF(this->aead_in);
1263 DESTROY_IF(this->aead_out);
1264 this->aead_in = this->aead_out = NULL;
1265 }
1266
1267 /**
1268 * Create crypto primitives
1269 */
1270 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1271 {
1272 destroy_aeads(this);
1273 DESTROY_IF(this->prf);
1274 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1275 {
1276 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1277 {
1278 this->prf = tls_prf_create_10();
1279 }
1280 else
1281 {
1282 this->prf = tls_prf_create_12(algs->prf);
1283 }
1284 if (!this->prf)
1285 {
1286 DBG1(DBG_TLS, "selected TLS PRF not supported");
1287 return FALSE;
1288 }
1289 }
1290 else
1291 {
1292 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1293 if (!this->hkdf)
1294 {
1295 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1296 return FALSE;
1297 }
1298 }
1299 if (algs->encr == ENCR_NULL)
1300 {
1301 if (create_null(this, algs))
1302 {
1303 return TRUE;
1304 }
1305 }
1306 else if (encryption_algorithm_is_aead(algs->encr))
1307 {
1308 if (create_aead(this, algs))
1309 {
1310 return TRUE;
1311 }
1312 }
1313 else
1314 {
1315 if (create_traditional(this, algs))
1316 {
1317 return TRUE;
1318 }
1319 }
1320 destroy_aeads(this);
1321 return FALSE;
1322 }
1323
1324 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1325 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1326 key_type_t key)
1327 {
1328 suite_algs_t *algs;
1329 int i, j;
1330
1331 if (!this->suites)
1332 {
1333 build_cipher_suite_list(this);
1334 }
1335
1336 for (i = 0; i < this->suite_count; i++)
1337 {
1338 for (j = 0; j < count; j++)
1339 {
1340 if (this->suites[i] == suites[j])
1341 {
1342 algs = find_suite(this->suites[i]);
1343 if (algs)
1344 {
1345 if (key == KEY_ANY || key == algs->key)
1346 {
1347 if (create_ciphers(this, algs))
1348 {
1349 this->suite = this->suites[i];
1350 return this->suite;
1351 }
1352 }
1353 }
1354 }
1355 }
1356 }
1357 return 0;
1358 }
1359
1360 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1361 private_tls_crypto_t *this)
1362 {
1363 suite_algs_t *algs;
1364
1365 algs = find_suite(this->suite);
1366 if (algs)
1367 {
1368 return algs->dh;
1369 }
1370 return MODP_NONE;
1371 }
1372
1373 /**
1374 * Map signature schemes to TLS key types and hashes, ordered by preference
1375 */
1376 static struct {
1377 tls_signature_algorithm_t sig;
1378 tls_hash_algorithm_t hash;
1379 signature_scheme_t scheme;
1380 } schemes[] = {
1381 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1382 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1383 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1384 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1385 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1386 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1387 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1388 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA2_224 },
1389 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1390 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1391 };
1392
1393 METHOD(tls_crypto_t, get_signature_algorithms, void,
1394 private_tls_crypto_t *this, bio_writer_t *writer)
1395 {
1396 bio_writer_t *supported;
1397 tls_version_t version;
1398 int i;
1399
1400 supported = bio_writer_create(32);
1401 version = this->tls->get_version_max(this->tls);
1402
1403 for (i = 0; i < countof(schemes); i++)
1404 {
1405 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1406 {
1407 continue;
1408 }
1409 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1410 {
1411 continue;
1412 }
1413 if (schemes[i].hash == TLS_HASH_MD5 && version >= TLS_1_3)
1414 {
1415 continue;
1416 }
1417 if (schemes[i].hash == TLS_HASH_SHA224 && version >= TLS_1_3)
1418 {
1419 continue;
1420 }
1421 if (!lib->plugins->has_feature(lib->plugins,
1422 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1423 {
1424 continue;
1425 }
1426 supported->write_uint8(supported, schemes[i].hash);
1427 supported->write_uint8(supported, schemes[i].sig);
1428 }
1429
1430 supported->wrap16(supported);
1431 writer->write_data16(writer, supported->get_buf(supported));
1432 supported->destroy(supported);
1433 }
1434
1435 /**
1436 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1437 */
1438 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1439 tls_hash_algorithm_t hash,
1440 tls_signature_algorithm_t sig)
1441 {
1442 int i;
1443
1444 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1445 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1446 {
1447 for (i = 0; i < countof(schemes); i++)
1448 {
1449 if (schemes[i].sig == sig && schemes[i].hash == hash)
1450 {
1451 return schemes[i].scheme;
1452 }
1453 }
1454 }
1455 return SIGN_UNKNOWN;
1456 }
1457
1458 /**
1459 * Mapping groups to TLS named curves
1460 */
1461 static struct {
1462 diffie_hellman_group_t group;
1463 tls_named_group_t curve;
1464 } curves[] = {
1465 { ECP_256_BIT, TLS_SECP256R1},
1466 { ECP_384_BIT, TLS_SECP384R1},
1467 { ECP_521_BIT, TLS_SECP521R1},
1468 { ECP_224_BIT, TLS_SECP224R1},
1469 { ECP_192_BIT, TLS_SECP192R1},
1470 { CURVE_25519, TLS_CURVE25519},
1471 { CURVE_448, TLS_CURVE448},
1472 };
1473
1474 CALLBACK(group_filter, bool,
1475 void *null, enumerator_t *orig, va_list args)
1476 {
1477 diffie_hellman_group_t group, *out;
1478 tls_named_group_t *curve;
1479 char *plugin;
1480 int i;
1481
1482 VA_ARGS_VGET(args, out, curve);
1483
1484 while (orig->enumerate(orig, &group, &plugin))
1485 {
1486 for (i = 0; i < countof(curves); i++)
1487 {
1488 if (curves[i].group == group)
1489 {
1490 if (out)
1491 {
1492 *out = curves[i].group;
1493 }
1494 if (curve)
1495 {
1496 *curve = curves[i].curve;
1497 }
1498 return TRUE;
1499 }
1500 }
1501 }
1502 return FALSE;
1503 }
1504
1505 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1506 private_tls_crypto_t *this)
1507 {
1508 return enumerator_create_filter(
1509 lib->crypto->create_dh_enumerator(lib->crypto),
1510 group_filter, NULL, NULL);
1511 }
1512
1513 METHOD(tls_crypto_t, set_protection, void,
1514 private_tls_crypto_t *this, tls_protection_t *protection)
1515 {
1516 this->protection = protection;
1517 }
1518
1519 METHOD(tls_crypto_t, append_handshake, void,
1520 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1521 {
1522 uint32_t header;
1523
1524 /* reconstruct handshake header */
1525 header = htonl(data.len | (type << 24));
1526 this->handshake = chunk_cat("mcc", this->handshake,
1527 chunk_from_thing(header), data);
1528 }
1529
1530 /**
1531 * Create a hash using the suites HASH algorithm
1532 */
1533 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1534 {
1535 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1536 {
1537 hasher_t *hasher;
1538 suite_algs_t *alg;
1539
1540 alg = find_suite(this->suite);
1541 if (!alg)
1542 {
1543 return FALSE;
1544 }
1545 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1546 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1547 {
1548 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1549 DESTROY_IF(hasher);
1550 return FALSE;
1551 }
1552 hasher->destroy(hasher);
1553 }
1554 else
1555 {
1556 hasher_t *md5, *sha1;
1557 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1558
1559 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1560 if (!md5 || !md5->get_hash(md5, data, buf))
1561 {
1562 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1563 DESTROY_IF(md5);
1564 return FALSE;
1565 }
1566 md5->destroy(md5);
1567 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1568 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1569 {
1570 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1571 DESTROY_IF(sha1);
1572 return FALSE;
1573 }
1574 sha1->destroy(sha1);
1575
1576 *hash = chunk_clone(chunk_from_thing(buf));
1577 }
1578 return TRUE;
1579 }
1580
1581 /**
1582 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1583 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1584 */
1585 static chunk_t tls13_sig_data_server = chunk_from_chars(
1586 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1587 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1588 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1589 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1590 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1591 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1592 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1593 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1594 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1595 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1596 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1597 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1598 0x79, 0x00,
1599 );
1600
1601 METHOD(tls_crypto_t, sign, bool,
1602 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1603 chunk_t data, chunk_t hashsig)
1604 {
1605 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1606 {
1607 const chunk_t hashsig_def = chunk_from_chars(
1608 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1609 signature_scheme_t scheme;
1610 bio_reader_t *reader;
1611 uint8_t hash, alg;
1612 chunk_t sig;
1613 bool done = FALSE;
1614
1615 if (!hashsig.len)
1616 { /* fallback if none given */
1617 hashsig = hashsig_def;
1618 }
1619 reader = bio_reader_create(hashsig);
1620 while (reader->remaining(reader) >= 2)
1621 {
1622 if (reader->read_uint8(reader, &hash) &&
1623 reader->read_uint8(reader, &alg))
1624 {
1625 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1626 if (scheme != SIGN_UNKNOWN &&
1627 key->sign(key, scheme, NULL, data, &sig))
1628 {
1629 done = TRUE;
1630 break;
1631 }
1632 }
1633 }
1634 reader->destroy(reader);
1635 if (!done)
1636 {
1637 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1638 return FALSE;
1639 }
1640 DBG2(DBG_TLS, "created signature with %N/%N",
1641 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1642 writer->write_uint8(writer, hash);
1643 writer->write_uint8(writer, alg);
1644 writer->write_data16(writer, sig);
1645 free(sig.ptr);
1646 }
1647 else
1648 {
1649 chunk_t sig, hash;
1650 bool done;
1651
1652 switch (key->get_type(key))
1653 {
1654 case KEY_RSA:
1655 if (!hash_data(this, data, &hash))
1656 {
1657 return FALSE;
1658 }
1659 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1660 &sig);
1661 free(hash.ptr);
1662 if (!done)
1663 {
1664 return FALSE;
1665 }
1666 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1667 break;
1668 case KEY_ECDSA:
1669 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1670 {
1671 return FALSE;
1672 }
1673 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1674 break;
1675 default:
1676 return FALSE;
1677 }
1678 writer->write_data16(writer, sig);
1679 free(sig.ptr);
1680 }
1681 return TRUE;
1682 }
1683
1684 METHOD(tls_crypto_t, verify, bool,
1685 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1686 chunk_t data)
1687 {
1688 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1689 {
1690 signature_scheme_t scheme = SIGN_UNKNOWN;
1691 uint8_t hash, alg;
1692 chunk_t sig;
1693
1694 if (!reader->read_uint8(reader, &hash) ||
1695 !reader->read_uint8(reader, &alg) ||
1696 !reader->read_data16(reader, &sig))
1697 {
1698 DBG1(DBG_TLS, "received invalid signature");
1699 return FALSE;
1700 }
1701 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1702 if (scheme == SIGN_UNKNOWN)
1703 {
1704 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1705 tls_hash_algorithm_names, hash,
1706 tls_signature_algorithm_names, alg);
1707 return FALSE;
1708 }
1709 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1710 {
1711 chunk_t transcript_hash;
1712
1713 if (!hash_data(this, data, &transcript_hash))
1714 {
1715 DBG1(DBG_TLS, "Unable to create transcript hash");
1716 return FALSE;
1717 }
1718
1719 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1720 }
1721 if (!key->verify(key, scheme, NULL, data, sig))
1722 {
1723 DBG1(DBG_TLS, "signature verification with %N/%N failed",
1724 tls_hash_algorithm_names, hash, tls_signature_algorithm_names,
1725 alg);
1726 return FALSE;
1727 }
1728 DBG2(DBG_TLS, "verified signature with %N/%N",
1729 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1730 }
1731 else
1732 {
1733 chunk_t sig, hash;
1734 bool done;
1735
1736 if (!reader->read_data16(reader, &sig))
1737 {
1738 DBG1(DBG_TLS, "received invalid signature");
1739 return FALSE;
1740 }
1741 switch (key->get_type(key))
1742 {
1743 case KEY_RSA:
1744 if (!hash_data(this, data, &hash))
1745 {
1746 return FALSE;
1747 }
1748 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1749 sig);
1750 free(hash.ptr);
1751 if (!done)
1752 {
1753 return FALSE;
1754 }
1755 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1756 break;
1757 case KEY_ECDSA:
1758 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1759 sig))
1760 {
1761 return FALSE;
1762 }
1763 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1764 break;
1765 default:
1766 return FALSE;
1767 }
1768 }
1769 return TRUE;
1770 }
1771
1772 METHOD(tls_crypto_t, sign_handshake, bool,
1773 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1774 chunk_t hashsig)
1775 {
1776 return sign(this, key, writer, this->handshake, hashsig);
1777 }
1778
1779 METHOD(tls_crypto_t, verify_handshake, bool,
1780 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1781 {
1782 return verify(this, key, reader, this->handshake);
1783 }
1784
1785 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1786 private_tls_crypto_t *this, char *label, char out[12])
1787 {
1788 chunk_t seed;
1789
1790 if (!this->prf)
1791 {
1792 return FALSE;
1793 }
1794 if (!hash_data(this, this->handshake, &seed))
1795 {
1796 return FALSE;
1797 }
1798 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1799 {
1800 free(seed.ptr);
1801 return FALSE;
1802 }
1803 free(seed.ptr);
1804 return TRUE;
1805 }
1806
1807 METHOD(tls_crypto_t, calculate_finished, bool,
1808 private_tls_crypto_t *this, bool is_server, chunk_t *out)
1809 {
1810 chunk_t finished_key, finished_hash;
1811
1812 if (!this->hkdf)
1813 {
1814 return FALSE;
1815 }
1816 if (!hash_data(this, this->handshake, &finished_hash))
1817 {
1818 DBG1(DBG_TLS, "creating hash of handshake failed");
1819 return FALSE;
1820 }
1821 if (!this->hkdf->derive_finished(this->hkdf, is_server, &finished_key))
1822 {
1823 DBG1(DBG_TLS, "generating finished key failed");
1824 chunk_clear(&finished_hash);
1825 return FALSE;
1826 }
1827 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
1828 {
1829 DBG1(DBG_TLS, "generating finished HMAC failed");
1830 chunk_clear(&finished_key);
1831 chunk_clear(&finished_hash);
1832 return FALSE;
1833 }
1834 chunk_clear(&finished_key);
1835 chunk_clear(&finished_hash);
1836 return TRUE;
1837 }
1838
1839 /**
1840 * Derive master secret from premaster, optionally save session
1841 */
1842 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1843 chunk_t session, identification_t *id,
1844 chunk_t client_random, chunk_t server_random)
1845 {
1846 char master[48];
1847 chunk_t seed;
1848
1849 /* derive master secret */
1850 seed = chunk_cata("cc", client_random, server_random);
1851
1852 if (!this->prf->set_key(this->prf, premaster) ||
1853 !this->prf->get_bytes(this->prf, "master secret", seed,
1854 sizeof(master), master) ||
1855 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1856 {
1857 return FALSE;
1858 }
1859
1860 if (this->cache && session.len)
1861 {
1862 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1863 this->suite);
1864 }
1865 memwipe(master, sizeof(master));
1866 return TRUE;
1867 }
1868
1869 /**
1870 * Expand key material from master secret
1871 */
1872 static bool expand_keys(private_tls_crypto_t *this,
1873 chunk_t client_random, chunk_t server_random)
1874 {
1875 chunk_t seed, block;
1876 chunk_t cw_mac, cw, cw_iv;
1877 chunk_t sw_mac, sw, sw_iv;
1878 int mklen, eklen, ivlen;
1879
1880 if (!this->aead_in || !this->aead_out)
1881 {
1882 return FALSE;
1883 }
1884
1885 /* derive key block for key expansion */
1886 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1887 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1888 ivlen = this->aead_in->get_iv_size(this->aead_in);
1889 seed = chunk_cata("cc", server_random, client_random);
1890 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1891 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1892 block.len, block.ptr))
1893 {
1894 return FALSE;
1895 }
1896
1897 /* client/server write signer keys */
1898 cw_mac = chunk_create(block.ptr, mklen);
1899 block = chunk_skip(block, mklen);
1900 sw_mac = chunk_create(block.ptr, mklen);
1901 block = chunk_skip(block, mklen);
1902
1903 /* client/server write encryption keys */
1904 cw = chunk_create(block.ptr, eklen);
1905 block = chunk_skip(block, eklen);
1906 sw = chunk_create(block.ptr, eklen);
1907 block = chunk_skip(block, eklen);
1908
1909 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1910 cw_iv = chunk_create(block.ptr, ivlen);
1911 block = chunk_skip(block, ivlen);
1912 sw_iv = chunk_create(block.ptr, ivlen);
1913 block = chunk_skip(block, ivlen);
1914
1915 if (this->tls->is_server(this->tls))
1916 {
1917 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1918 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1919 {
1920 return FALSE;
1921 }
1922 }
1923 else
1924 {
1925 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1926 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1927 {
1928 return FALSE;
1929 }
1930 }
1931
1932 /* EAP-MSK */
1933 if (this->msk_label)
1934 {
1935 seed = chunk_cata("cc", client_random, server_random);
1936 this->msk = chunk_alloc(64);
1937 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1938 this->msk.len, this->msk.ptr))
1939 {
1940 return FALSE;
1941 }
1942 }
1943 return TRUE;
1944 }
1945
1946 METHOD(tls_crypto_t, derive_secrets, bool,
1947 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1948 identification_t *id, chunk_t client_random, chunk_t server_random)
1949 {
1950 return derive_master(this, premaster, session, id,
1951 client_random, server_random) &&
1952 expand_keys(this, client_random, server_random);
1953 }
1954
1955 /**
1956 * Derive and configure the keys/IVs using the given labels.
1957 */
1958 static bool derive_labeled_keys(private_tls_crypto_t *this,
1959 tls_hkdf_label_t client_label,
1960 tls_hkdf_label_t server_label)
1961 {
1962 chunk_t c_key = chunk_empty, c_iv = chunk_empty;
1963 chunk_t s_key = chunk_empty, s_iv = chunk_empty;
1964 tls_aead_t *aead_c = this->aead_out, *aead_s = this->aead_in;
1965 bool success = FALSE;
1966
1967 if (this->tls->is_server(this->tls))
1968 {
1969 aead_c = this->aead_in;
1970 aead_s = this->aead_out;
1971 }
1972
1973 if (!this->hkdf->generate_secret(this->hkdf, client_label, this->handshake,
1974 NULL) ||
1975 !this->hkdf->derive_key(this->hkdf, FALSE,
1976 this->aead_out->get_encr_key_size(this->aead_out),
1977 &c_key) ||
1978 !this->hkdf->derive_iv(this->hkdf, FALSE,
1979 this->aead_out->get_iv_size(this->aead_out),
1980 &c_iv))
1981 {
1982 DBG1(DBG_TLS, "deriving client key material failed");
1983 goto out;
1984 }
1985
1986 if (!this->hkdf->generate_secret(this->hkdf, server_label, this->handshake,
1987 NULL) ||
1988 !this->hkdf->derive_key(this->hkdf, TRUE,
1989 this->aead_in->get_encr_key_size(this->aead_in),
1990 &s_key) ||
1991 !this->hkdf->derive_iv(this->hkdf, TRUE,
1992 this->aead_in->get_iv_size(this->aead_in),
1993 &s_iv))
1994 {
1995 DBG1(DBG_TLS, "deriving server key material failed");
1996 goto out;
1997 }
1998
1999 if (!aead_c->set_keys(aead_c, chunk_empty, c_key, c_iv) ||
2000 !aead_s->set_keys(aead_s, chunk_empty, s_key, s_iv))
2001 {
2002 DBG1(DBG_TLS, "setting AEAD key material failed");
2003 goto out;
2004 }
2005 success = TRUE;
2006
2007 out:
2008 chunk_clear(&c_key);
2009 chunk_clear(&c_iv);
2010 chunk_clear(&s_key);
2011 chunk_clear(&s_iv);
2012 return success;
2013 }
2014
2015 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2016 private_tls_crypto_t *this, chunk_t shared_secret)
2017 {
2018 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2019 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2020 TLS_HKDF_S_HS_TRAFFIC);
2021 }
2022
2023 METHOD(tls_crypto_t, derive_app_keys, bool,
2024 private_tls_crypto_t *this)
2025 {
2026 return derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2027 TLS_HKDF_S_AP_TRAFFIC);
2028 }
2029
2030 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2031 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2032 chunk_t client_random, chunk_t server_random)
2033 {
2034 chunk_t master;
2035
2036 if (this->cache && session.len)
2037 {
2038 this->suite = this->cache->lookup(this->cache, session, id, &master);
2039 if (this->suite)
2040 {
2041 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2042 if (this->suite)
2043 {
2044 if (!this->prf->set_key(this->prf, master) ||
2045 !expand_keys(this, client_random, server_random))
2046 {
2047 this->suite = 0;
2048 }
2049 }
2050 chunk_clear(&master);
2051 }
2052 return this->suite;
2053 }
2054 return 0;
2055 }
2056
2057 METHOD(tls_crypto_t, get_session, chunk_t,
2058 private_tls_crypto_t *this, identification_t *server)
2059 {
2060 if (this->cache)
2061 {
2062 return this->cache->check(this->cache, server);
2063 }
2064 return chunk_empty;
2065 }
2066
2067 METHOD(tls_crypto_t, change_cipher, void,
2068 private_tls_crypto_t *this, bool inbound)
2069 {
2070 if (this->protection)
2071 {
2072 if (inbound)
2073 {
2074 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2075 }
2076 else
2077 {
2078 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2079 }
2080 }
2081 }
2082
2083 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2084 private_tls_crypto_t *this)
2085 {
2086 return this->msk;
2087 }
2088
2089 METHOD(tls_crypto_t, destroy, void,
2090 private_tls_crypto_t *this)
2091 {
2092 destroy_aeads(this);
2093 free(this->handshake.ptr);
2094 free(this->msk.ptr);
2095 DESTROY_IF(this->prf);
2096 DESTROY_IF(this->hkdf);
2097 free(this->suites);
2098 free(this);
2099 }
2100
2101 /**
2102 * See header
2103 */
2104 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2105 {
2106 private_tls_crypto_t *this;
2107 enumerator_t *enumerator;
2108 credential_type_t type;
2109 int subtype;
2110
2111 INIT(this,
2112 .public = {
2113 .get_cipher_suites = _get_cipher_suites,
2114 .select_cipher_suite = _select_cipher_suite,
2115 .get_dh_group = _get_dh_group,
2116 .get_signature_algorithms = _get_signature_algorithms,
2117 .create_ec_enumerator = _create_ec_enumerator,
2118 .set_protection = _set_protection,
2119 .append_handshake = _append_handshake,
2120 .sign = _sign,
2121 .verify = _verify,
2122 .sign_handshake = _sign_handshake,
2123 .verify_handshake = _verify_handshake,
2124 .calculate_finished_legacy = _calculate_finished_legacy,
2125 .calculate_finished = _calculate_finished,
2126 .derive_secrets = _derive_secrets,
2127 .derive_handshake_keys = _derive_handshake_keys,
2128 .derive_app_keys = _derive_app_keys,
2129 .resume_session = _resume_session,
2130 .get_session = _get_session,
2131 .change_cipher = _change_cipher,
2132 .get_eap_msk = _get_eap_msk,
2133 .destroy = _destroy,
2134 },
2135 .tls = tls,
2136 .cache = cache,
2137 );
2138
2139 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2140 while (enumerator->enumerate(enumerator, &type, &subtype))
2141 {
2142 if (type == CRED_PUBLIC_KEY)
2143 {
2144 switch (subtype)
2145 {
2146 case KEY_RSA:
2147 this->rsa = TRUE;
2148 break;
2149 case KEY_ECDSA:
2150 this->ecdsa = TRUE;
2151 break;
2152 default:
2153 break;
2154 }
2155 }
2156 }
2157 enumerator->destroy(enumerator);
2158
2159 switch (tls->get_purpose(tls))
2160 {
2161 case TLS_PURPOSE_EAP_TLS:
2162 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2163 this->msk_label = "client EAP encryption";
2164 break;
2165 case TLS_PURPOSE_EAP_PEAP:
2166 this->msk_label = "client EAP encryption";
2167 break;
2168 case TLS_PURPOSE_EAP_TTLS:
2169 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2170 this->msk_label = "ttls keying material";
2171 break;
2172 default:
2173 break;
2174 }
2175 return &this->public;
2176 }
2177
2178 /**
2179 * See header.
2180 */
2181 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2182 tls_cipher_suite_t **out)
2183 {
2184 suite_algs_t suites[countof(suite_algs)];
2185 int count = 0, i;
2186
2187 /* initialize copy of suite list */
2188 for (i = 0; i < countof(suite_algs); i++)
2189 {
2190 if (suite_algs[i].min_version <= version &&
2191 suite_algs[i].max_version >= version)
2192 {
2193 suites[count++] = suite_algs[i];
2194 }
2195 }
2196
2197 filter_unsupported_suites(suites, &count);
2198
2199 if (!null)
2200 {
2201 filter_null_suites(suites, &count);
2202 }
2203
2204 if (out)
2205 {
2206 *out = calloc(count, sizeof(tls_cipher_suite_t));
2207 for (i = 0; i < count; i++)
2208 {
2209 (*out)[i] = suites[i].suite;
2210 }
2211 }
2212 return count;
2213 }