tls-crypto: Move AEAD ownership to the protection layer
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27
28 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
29 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
30 "TLS_NULL_WITH_NULL_NULL",
31 "TLS_RSA_WITH_NULL_MD5",
32 "TLS_RSA_WITH_NULL_SHA",
33 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
34 "TLS_RSA_WITH_RC4_128_MD5",
35 "TLS_RSA_WITH_RC4_128_SHA",
36 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
37 "TLS_RSA_WITH_IDEA_CBC_SHA",
38 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
39 "TLS_RSA_WITH_DES_CBC_SHA",
40 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
41 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
42 "TLS_DH_DSS_WITH_DES_CBC_SHA",
43 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
44 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
45 "TLS_DH_RSA_WITH_DES_CBC_SHA",
46 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
47 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
49 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
50 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
51 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
52 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
53 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
54 "TLS_DH_anon_WITH_RC4_128_MD5",
55 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
56 "TLS_DH_anon_WITH_DES_CBC_SHA",
57 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
58 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
59 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
60 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
61 "TLS_KRB5_WITH_DES_CBC_SHA",
62 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
63 "TLS_KRB5_WITH_RC4_128_SHA",
64 "TLS_KRB5_WITH_IDEA_CBC_SHA",
65 "TLS_KRB5_WITH_DES_CBC_MD5",
66 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
67 "TLS_KRB5_WITH_RC4_128_MD5",
68 "TLS_KRB5_WITH_IDEA_CBC_MD5",
69 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
75 "TLS_PSK_WITH_NULL_SHA",
76 "TLS_DHE_PSK_WITH_NULL_SHA",
77 "TLS_RSA_PSK_WITH_NULL_SHA",
78 "TLS_RSA_WITH_AES_128_CBC_SHA",
79 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
80 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
83 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
84 "TLS_RSA_WITH_AES_256_CBC_SHA",
85 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
86 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
89 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
90 "TLS_RSA_WITH_NULL_SHA256",
91 "TLS_RSA_WITH_AES_128_CBC_SHA256",
92 "TLS_RSA_WITH_AES_256_CBC_SHA256",
93 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
94 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
95 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
96 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
102 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
103 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
104 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
105 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
106 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
107 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
112 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
113 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
114 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
115 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_PSK_WITH_RC4_128_SHA",
122 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_DHE_PSK_WITH_RC4_128_SHA",
126 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
129 "TLS_RSA_PSK_WITH_RC4_128_SHA",
130 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
133 "TLS_RSA_WITH_SEED_CBC_SHA",
134 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
135 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
136 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
137 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
138 "TLS_DH_anon_WITH_SEED_CBC_SHA",
139 "TLS_RSA_WITH_AES_128_GCM_SHA256",
140 "TLS_RSA_WITH_AES_256_GCM_SHA384",
141 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
142 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
143 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
144 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
147 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
148 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
149 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
150 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
151 "TLS_PSK_WITH_AES_128_GCM_SHA256",
152 "TLS_PSK_WITH_AES_256_GCM_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
155 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
156 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
157 "TLS_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_PSK_WITH_NULL_SHA256",
160 "TLS_PSK_WITH_NULL_SHA384",
161 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
162 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
163 "TLS_DHE_PSK_WITH_NULL_SHA256",
164 "TLS_DHE_PSK_WITH_NULL_SHA384",
165 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
166 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
167 "TLS_RSA_PSK_WITH_NULL_SHA256",
168 "TLS_RSA_PSK_WITH_NULL_SHA384",
169 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
181 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
184 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
185 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
186 TLS_AES_128_CCM_8_SHA256,
187 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
188 "TLS_AES_128_GCM_SHA256",
189 "TLS_AES_256_GCM_SHA384",
190 "TLS_CHACHA20_POLY1305_SHA256",
191 "TLS_AES_128_CCM_SHA256",
192 "TLS_AES_128_CCM_8_SHA256");
193 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
194 TLS_ECDHE_PSK_WITH_NULL_SHA384,
195 TLS_AES_128_CCM_8_SHA256,
196 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
197 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
198 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
202 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
203 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
206 "TLS_ECDH_RSA_WITH_NULL_SHA",
207 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
208 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
211 "TLS_ECDHE_RSA_WITH_NULL_SHA",
212 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
213 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
216 "TLS_ECDH_anon_WITH_NULL_SHA",
217 "TLS_ECDH_anon_WITH_RC4_128_SHA",
218 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
221 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
230 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
231 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
232 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
233 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
234 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
237 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
238 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
239 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
240 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
241 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
242 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
243 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
244 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
245 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
246 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
247 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
251 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
255 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_ECDHE_PSK_WITH_NULL_SHA384,
258 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
259 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
261 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
262
263
264 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
265 "NONE",
266 "MD5",
267 "SHA1",
268 "SHA224",
269 "SHA256",
270 "SHA384",
271 "SHA512",
272 );
273
274 ENUM_BEGIN(tls_signature_scheme_names,
275 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
276 "RSA_PKCS1_SHA1");
277 ENUM_NEXT(tls_signature_scheme_names,
278 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
279 "ECDSA_SHA1");
280 ENUM_NEXT(tls_signature_scheme_names,
281 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
282 "RSA_PKCS1_SHA224",
283 "DSA_SHA224",
284 "ECDSA_SHA224");
285 ENUM_NEXT(tls_signature_scheme_names,
286 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
287 "RSA_PKCS1_SHA256",
288 "DSA_SHA256",
289 "ECDSA_SHA256");
290 ENUM_NEXT(tls_signature_scheme_names,
291 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
292 "RSA_PKCS1_SHA384",
293 "DSA_SHA384",
294 "ECDSA_SHA384");
295 ENUM_NEXT(tls_signature_scheme_names,
296 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
297 "RSA_PKCS1_SHA512",
298 "DSA_SHA512",
299 "ECDSA_SHA512");
300 ENUM_NEXT(tls_signature_scheme_names,
301 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
302 "RSA_PSS_RSAE_SHA256",
303 "RSA_PSS_RSAE_SHA384",
304 "RSA_PSS_RSAE_SHA512",
305 "ED25519",
306 "ED448",
307 "RSA_PSS_PSS_SHA256",
308 "RSA_PSS_PSS_SHA384",
309 "RSA_PSS_PSS_SHA512",
310 );
311 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
312
313 ENUM_BEGIN(tls_client_certificate_type_names,
314 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
315 "RSA_SIGN",
316 "DSA_SIGN",
317 "RSA_FIXED_DH",
318 "DSS_FIXED_DH",
319 "RSA_EPHEMERAL_DH",
320 "DSS_EPHEMERAL_DH");
321 ENUM_NEXT(tls_client_certificate_type_names,
322 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
323 "FORTEZZA_DMS");
324 ENUM_NEXT(tls_client_certificate_type_names,
325 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
326 "ECDSA_SIGN",
327 "RSA_FIXED_ECDH",
328 "ECDSA_FIXED_ECDH");
329 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
330
331 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
332 "EXPLICIT_PRIME",
333 "EXPLICIT_CHAR2",
334 "NAMED_CURVE",
335 );
336
337 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
338 "SECT163K1",
339 "SECT163R1",
340 "SECT163R2",
341 "SECT193R1",
342 "SECT193R2",
343 "SECT233K1",
344 "SECT233R1",
345 "SECT239K1",
346 "SECT283K1",
347 "SECT283R1",
348 "SECT409K1",
349 "SECT409R1",
350 "SECT571K1",
351 "SECT571R1",
352 "SECP160K1",
353 "SECP160R1",
354 "SECP160R2",
355 "SECP192K1",
356 "SECP192R1",
357 "SECP224K1",
358 "SECP224R1",
359 "SECP256K1",
360 "SECP256R1",
361 "SECP384R1",
362 "SECP521R1",
363 );
364 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
365 "CURVE25519",
366 "CURVE448",
367 );
368 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
369 "FFDHE2048",
370 "FFDHE3072",
371 "FFDHE4096",
372 "FFDHE6144",
373 "FFDHE8192",
374 );
375 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
376
377 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
378 "compressed",
379 "compressed y",
380 "uncompressed",
381 "uncompressed y",
382 "hybrid",
383 "hybrid y",
384 );
385
386 ENUM(tls_ec_point_format_names,
387 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
388 "uncompressed",
389 "ansiX962 compressed prime",
390 "ansiX962 compressed char2",
391 );
392
393 typedef struct private_tls_crypto_t private_tls_crypto_t;
394
395 /**
396 * Private data of an tls_crypto_t object.
397 */
398 struct private_tls_crypto_t {
399
400 /**
401 * Public tls_crypto_t interface.
402 */
403 tls_crypto_t public;
404
405 /**
406 * Protection layer
407 */
408 tls_protection_t *protection;
409
410 /**
411 * List of supported/acceptable cipher suites
412 */
413 tls_cipher_suite_t *suites;
414
415 /**
416 * Number of supported suites
417 */
418 int suite_count;
419
420 /**
421 * HKDF for TLS 1.3
422 */
423 tls_hkdf_t *hkdf;
424
425 /**
426 * Selected cipher suite
427 */
428 tls_cipher_suite_t suite;
429
430 /**
431 * RSA supported?
432 */
433 bool rsa;
434
435 /**
436 * ECDSA supported?
437 */
438 bool ecdsa;
439
440 /**
441 * TLS context
442 */
443 tls_t *tls;
444
445 /**
446 * TLS session cache
447 */
448 tls_cache_t *cache;
449
450 /**
451 * All handshake data concatenated
452 */
453 chunk_t handshake;
454
455 /**
456 * Connection state TLS PRF
457 */
458 tls_prf_t *prf;
459
460 /**
461 * AEAD transform for inbound traffic
462 */
463 tls_aead_t *aead_in;
464
465 /**
466 * AEAD transform for outbound traffic
467 */
468 tls_aead_t *aead_out;
469
470 /**
471 * EAP-[T]TLS MSK
472 */
473 chunk_t msk;
474
475 /**
476 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
477 */
478 char *msk_label;
479 };
480
481 typedef struct {
482 tls_cipher_suite_t suite;
483 key_type_t key;
484 diffie_hellman_group_t dh;
485 hash_algorithm_t hash;
486 pseudo_random_function_t prf;
487 integrity_algorithm_t mac;
488 encryption_algorithm_t encr;
489 size_t encr_size;
490 tls_version_t min_version;
491 tls_version_t max_version;
492 } suite_algs_t;
493
494 /**
495 * Mapping suites to a set of algorithms
496 *
497 * The order represents the descending preference of cipher suites and follows
498 * this rule set:
499 *
500 * 1. TLS 1.3 > Legacy TLS
501 * 2. AES > CAMELLIA > NULL
502 * 3. AES256 > AES128
503 * 4. GCM > CBC
504 * 5. ECDHE > DHE > NULL
505 * 6. ECDSA > RSA
506 * 7. SHA384 > SHA256 > SHA1
507 *
508 */
509 static suite_algs_t suite_algs[] = {
510 /* Cipher suites of TLS 1.3: key exchange and authentication
511 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
512 { TLS_AES_256_GCM_SHA384,
513 KEY_ANY, MODP_NONE,
514 HASH_SHA384, PRF_UNDEFINED,
515 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
516 TLS_1_3, TLS_1_3,
517 },
518 { TLS_AES_128_GCM_SHA256,
519 KEY_ANY, MODP_NONE,
520 HASH_SHA256, PRF_UNDEFINED,
521 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
522 TLS_1_3, TLS_1_3,
523 },
524 { TLS_CHACHA20_POLY1305_SHA256,
525 KEY_ANY, MODP_NONE,
526 HASH_SHA256, PRF_UNDEFINED,
527 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
528 TLS_1_3, TLS_1_3,
529 },
530 { TLS_AES_128_CCM_SHA256,
531 KEY_ANY, MODP_NONE,
532 HASH_SHA256, PRF_UNDEFINED,
533 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
534 TLS_1_3, TLS_1_3,
535 },
536 { TLS_AES_128_CCM_8_SHA256,
537 KEY_ANY, MODP_NONE,
538 HASH_SHA256, PRF_UNDEFINED,
539 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
540 TLS_1_3, TLS_1_3,
541 },
542 /* Legacy TLS cipher suites */
543 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
544 KEY_ECDSA, ECP_384_BIT,
545 HASH_SHA384, PRF_HMAC_SHA2_384,
546 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
547 TLS_1_2, TLS_1_2,
548 },
549 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
550 KEY_ECDSA, ECP_384_BIT,
551 HASH_SHA384, PRF_HMAC_SHA2_384,
552 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
553 TLS_1_2, TLS_1_2,
554 },
555 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
556 KEY_ECDSA, ECP_384_BIT,
557 HASH_SHA256, PRF_HMAC_SHA2_256,
558 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
559 TLS_1_0, TLS_1_2,
560 },
561 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
562 KEY_ECDSA, ECP_256_BIT,
563 HASH_SHA256, PRF_HMAC_SHA2_256,
564 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
565 TLS_1_2, TLS_1_2,
566 },
567 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
568 KEY_ECDSA, ECP_256_BIT,
569 HASH_SHA256, PRF_HMAC_SHA2_256,
570 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
571 TLS_1_2, TLS_1_2,
572 },
573 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
574 KEY_ECDSA, ECP_256_BIT,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
577 TLS_1_0, TLS_1_2,
578 },
579 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
580 KEY_RSA, ECP_384_BIT,
581 HASH_SHA384, PRF_HMAC_SHA2_384,
582 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
583 TLS_1_2, TLS_1_2,
584 },
585 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
586 KEY_RSA, ECP_384_BIT,
587 HASH_SHA384, PRF_HMAC_SHA2_384,
588 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
589 TLS_1_2, TLS_1_2,
590 },
591 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
592 KEY_RSA, ECP_384_BIT,
593 HASH_SHA256, PRF_HMAC_SHA2_256,
594 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
595 TLS_1_0, TLS_1_2,
596 },
597 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
598 KEY_RSA, ECP_256_BIT,
599 HASH_SHA256, PRF_HMAC_SHA2_256,
600 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
601 TLS_1_2, TLS_1_2,
602 },
603 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
604 KEY_RSA, ECP_256_BIT,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
607 TLS_1_2, TLS_1_2,
608 },
609 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
610 KEY_RSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
613 TLS_1_0, TLS_1_2,
614 },
615 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
616 KEY_RSA, MODP_4096_BIT,
617 HASH_SHA384, PRF_HMAC_SHA2_384,
618 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
619 TLS_1_2, TLS_1_2,
620 },
621 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
622 KEY_RSA, MODP_4096_BIT,
623 HASH_SHA256, PRF_HMAC_SHA2_256,
624 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
625 TLS_1_2, TLS_1_2,
626 },
627 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
628 KEY_RSA, MODP_3072_BIT,
629 HASH_SHA256, PRF_HMAC_SHA2_256,
630 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
631 SSL_3_0, TLS_1_2,
632 },
633 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
634 KEY_RSA, MODP_4096_BIT,
635 HASH_SHA256, PRF_HMAC_SHA2_256,
636 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
637 TLS_1_2, TLS_1_2,
638 },
639 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
640 KEY_RSA, MODP_3072_BIT,
641 HASH_SHA256, PRF_HMAC_SHA2_256,
642 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
643 SSL_3_0, TLS_1_2,
644 },
645 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
646 KEY_RSA, MODP_3072_BIT,
647 HASH_SHA256, PRF_HMAC_SHA2_256,
648 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
649 TLS_1_2, TLS_1_2,
650 },
651 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
652 KEY_RSA, MODP_3072_BIT,
653 HASH_SHA256, PRF_HMAC_SHA2_256,
654 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
655 TLS_1_2, TLS_1_2,
656 },
657 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
658 KEY_RSA, MODP_2048_BIT,
659 HASH_SHA256,PRF_HMAC_SHA2_256,
660 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
661 SSL_3_0, TLS_1_2,
662 },
663 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
664 KEY_RSA, MODP_3072_BIT,
665 HASH_SHA256, PRF_HMAC_SHA2_256,
666 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
667 TLS_1_2, TLS_1_2,
668 },
669 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
670 KEY_RSA, MODP_2048_BIT,
671 HASH_SHA256, PRF_HMAC_SHA2_256,
672 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
673 SSL_3_0, TLS_1_2,
674 },
675 { TLS_RSA_WITH_AES_256_GCM_SHA384,
676 KEY_RSA, MODP_NONE,
677 HASH_SHA384, PRF_HMAC_SHA2_384,
678 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
679 TLS_1_2, TLS_1_2,
680 },
681 { TLS_RSA_WITH_AES_256_CBC_SHA256,
682 KEY_RSA, MODP_NONE,
683 HASH_SHA256, PRF_HMAC_SHA2_256,
684 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
685 TLS_1_2, TLS_1_2,
686 },
687 { TLS_RSA_WITH_AES_256_CBC_SHA,
688 KEY_RSA, MODP_NONE,
689 HASH_SHA256, PRF_HMAC_SHA2_256,
690 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
691 SSL_3_0, TLS_1_2,
692 },
693 { TLS_RSA_WITH_AES_128_GCM_SHA256,
694 KEY_RSA, MODP_NONE,
695 HASH_SHA256, PRF_HMAC_SHA2_256,
696 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
697 TLS_1_2, TLS_1_2,
698 },
699 { TLS_RSA_WITH_AES_128_CBC_SHA256,
700 KEY_RSA, MODP_NONE,
701 HASH_SHA256, PRF_HMAC_SHA2_256,
702 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
703 TLS_1_2, TLS_1_2,
704 },
705 { TLS_RSA_WITH_AES_128_CBC_SHA,
706 KEY_RSA, MODP_NONE,
707 HASH_SHA256, PRF_HMAC_SHA2_256,
708 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
709 SSL_3_0, TLS_1_2,
710 },
711 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
712 KEY_RSA, MODP_NONE,
713 HASH_SHA256, PRF_HMAC_SHA2_256,
714 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
715 TLS_1_2, TLS_1_2,
716 },
717 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
718 KEY_RSA, MODP_NONE,
719 HASH_SHA256, PRF_HMAC_SHA2_256,
720 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
721 SSL_3_0, TLS_1_2,
722 },
723 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
724 KEY_RSA, MODP_NONE,
725 HASH_SHA256, PRF_HMAC_SHA2_256,
726 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
727 TLS_1_2, TLS_1_2,
728 },
729 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
730 KEY_RSA, MODP_NONE,
731 HASH_SHA256, PRF_HMAC_SHA2_256,
732 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
733 SSL_3_0, TLS_1_2,
734 },
735 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
736 KEY_ECDSA, ECP_256_BIT,
737 HASH_SHA256, PRF_HMAC_SHA2_256,
738 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
739 TLS_1_0, TLS_1_2,
740 },
741 { TLS_ECDHE_RSA_WITH_NULL_SHA,
742 KEY_ECDSA, ECP_256_BIT,
743 HASH_SHA256, PRF_HMAC_SHA2_256,
744 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
745 TLS_1_0, TLS_1_2,
746 },
747 { TLS_RSA_WITH_NULL_SHA256,
748 KEY_RSA, MODP_NONE,
749 HASH_SHA256, PRF_HMAC_SHA2_256,
750 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
751 TLS_1_2, TLS_1_2,
752 },
753 { TLS_RSA_WITH_NULL_SHA,
754 KEY_RSA, MODP_NONE,
755 HASH_SHA256, PRF_HMAC_SHA2_256,
756 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
757 SSL_3_0, TLS_1_2,
758 },
759 };
760
761 /**
762 * Look up algorithms by a suite
763 */
764 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
765 {
766 int i;
767
768 for (i = 0; i < countof(suite_algs); i++)
769 {
770 if (suite_algs[i].suite == suite)
771 {
772 return &suite_algs[i];
773 }
774 }
775 return NULL;
776 }
777
778 /**
779 * Filter a suite list using a transform enumerator
780 */
781 static void filter_suite(suite_algs_t suites[], int *count, int offset,
782 enumerator_t*(*create_enumerator)(crypto_factory_t*))
783 {
784 const char *plugin_name;
785 suite_algs_t current;
786 int *current_alg, i, remaining = 0;
787 enumerator_t *enumerator;
788
789 memset(&current, 0, sizeof(current));
790 current_alg = (int*)((char*)&current + offset);
791
792 for (i = 0; i < *count; i++)
793 {
794 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
795 encryption_algorithm_is_aead(suites[i].encr))
796 { /* filtering crypters, but current suite uses an AEAD, apply */
797 suites[remaining] = suites[i];
798 remaining++;
799 continue;
800 }
801 if (create_enumerator == lib->crypto->create_aead_enumerator &&
802 !encryption_algorithm_is_aead(suites[i].encr))
803 { /* filtering AEADs, but current suite doesn't use one, apply */
804 suites[remaining] = suites[i];
805 remaining++;
806 continue;
807 }
808 enumerator = create_enumerator(lib->crypto);
809 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
810 {
811 if (current.encr && current.encr != suites[i].encr)
812 {
813 if (suites[i].encr != ENCR_NULL)
814 { /* skip, ENCR does not match nor is NULL */
815 continue;
816 }
817 }
818 if (current.mac && current.mac != suites[i].mac)
819 {
820 if (suites[i].mac != AUTH_UNDEFINED)
821 { /* skip, MAC does not match nor is it undefined */
822 continue;
823 }
824 }
825 if (current.prf && current.prf != suites[i].prf)
826 {
827 if (suites[i].prf != PRF_UNDEFINED)
828 {
829 /* skip, PRF does not match nor is it undefined */
830 continue;
831 }
832 }
833 if (current.hash && current.hash != suites[i].hash)
834 { /* skip, hash does not match */
835 continue;
836 }
837 if (current.dh && current.dh != suites[i].dh)
838 {
839 if (suites[i].dh != MODP_NONE)
840 { /* skip DH group, does not match nor NONE */
841 continue;
842 }
843 }
844 /* suite supported, apply */
845 suites[remaining] = suites[i];
846 remaining++;
847 break;
848 }
849 enumerator->destroy(enumerator);
850 }
851 *count = remaining;
852 }
853
854 /**
855 * Purge NULL encryption cipher suites from list
856 */
857 static void filter_null_suites(suite_algs_t suites[], int *count)
858 {
859 int i, remaining = 0;
860
861 for (i = 0; i < *count; i++)
862 {
863 if (suites[i].encr != ENCR_NULL)
864 {
865 suites[remaining] = suites[i];
866 remaining++;
867 }
868 }
869 *count = remaining;
870 }
871
872 /**
873 * Purge suites using a given key type
874 */
875 static void filter_key_suites(private_tls_crypto_t *this,
876 suite_algs_t suites[], int *count, key_type_t key)
877 {
878 int i, remaining = 0;
879
880 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
881 for (i = 0; i < *count; i++)
882 {
883 if (suites[i].key != key)
884 {
885 suites[remaining] = suites[i];
886 remaining++;
887 }
888 }
889 *count = remaining;
890 }
891
892 /**
893 * Filter suites by key exchange user config
894 */
895 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
896 suite_algs_t suites[], int *count)
897 {
898 enumerator_t *enumerator;
899 int i, remaining = 0;
900 char *token, *config;
901
902 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
903 lib->ns);
904 if (config)
905 {
906 for (i = 0; i < *count; i++)
907 {
908 enumerator = enumerator_create_token(config, ",", " ");
909 while (enumerator->enumerate(enumerator, &token))
910 {
911 if (strcaseeq(token, "ecdhe-ecdsa") &&
912 diffie_hellman_group_is_ec(suites[i].dh) &&
913 suites[i].key == KEY_ECDSA)
914 {
915 suites[remaining++] = suites[i];
916 break;
917 }
918 if (strcaseeq(token, "ecdhe-rsa") &&
919 diffie_hellman_group_is_ec(suites[i].dh) &&
920 suites[i].key == KEY_RSA)
921 {
922 suites[remaining++] = suites[i];
923 break;
924 }
925 if (strcaseeq(token, "dhe-rsa") &&
926 !diffie_hellman_group_is_ec(suites[i].dh) &&
927 suites[i].dh != MODP_NONE &&
928 suites[i].key == KEY_RSA)
929 {
930 suites[remaining++] = suites[i];
931 break;
932 }
933 if (strcaseeq(token, "rsa") &&
934 suites[i].dh == MODP_NONE &&
935 suites[i].key == KEY_RSA)
936 {
937 suites[remaining++] = suites[i];
938 break;
939 }
940 }
941 enumerator->destroy(enumerator);
942 }
943 *count = remaining;
944 }
945 }
946
947 /**
948 * Filter suites by cipher user config
949 */
950 static void filter_cipher_config_suites(private_tls_crypto_t *this,
951 suite_algs_t suites[], int *count)
952 {
953 enumerator_t *enumerator;
954 int i, remaining = 0;
955 char *token, *config;
956
957 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
958 lib->ns);
959 if (config)
960 {
961 for (i = 0; i < *count; i++)
962 {
963 enumerator = enumerator_create_token(config, ",", " ");
964 while (enumerator->enumerate(enumerator, &token))
965 {
966 if (strcaseeq(token, "aes128") &&
967 suites[i].encr == ENCR_AES_CBC &&
968 suites[i].encr_size == 16)
969 {
970 suites[remaining++] = suites[i];
971 break;
972 }
973 if (strcaseeq(token, "aes256") &&
974 suites[i].encr == ENCR_AES_CBC &&
975 suites[i].encr_size == 32)
976 {
977 suites[remaining++] = suites[i];
978 break;
979 }
980 if (strcaseeq(token, "aes128gcm") &&
981 suites[i].encr == ENCR_AES_GCM_ICV16 &&
982 suites[i].encr_size == 16)
983 {
984 suites[remaining++] = suites[i];
985 break;
986 }
987 if (strcaseeq(token, "aes256gcm") &&
988 suites[i].encr == ENCR_AES_GCM_ICV16 &&
989 suites[i].encr_size == 32)
990 {
991 suites[remaining++] = suites[i];
992 break;
993 }
994 if (strcaseeq(token, "camellia128") &&
995 suites[i].encr == ENCR_CAMELLIA_CBC &&
996 suites[i].encr_size == 16)
997 {
998 suites[remaining++] = suites[i];
999 break;
1000 }
1001 if (strcaseeq(token, "camellia256") &&
1002 suites[i].encr == ENCR_CAMELLIA_CBC &&
1003 suites[i].encr_size == 32)
1004 {
1005 suites[remaining++] = suites[i];
1006 break;
1007 }
1008 if (strcaseeq(token, "null") &&
1009 suites[i].encr == ENCR_NULL)
1010 {
1011 suites[remaining++] = suites[i];
1012 break;
1013 }
1014 }
1015 enumerator->destroy(enumerator);
1016 }
1017 *count = remaining;
1018 }
1019 }
1020
1021 /**
1022 * Filter suites by mac user config
1023 */
1024 static void filter_mac_config_suites(private_tls_crypto_t *this,
1025 suite_algs_t suites[], int *count)
1026 {
1027 enumerator_t *enumerator;
1028 int i, remaining = 0;
1029 char *token, *config;
1030
1031 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1032 lib->ns);
1033 if (config)
1034 {
1035 for (i = 0; i < *count; i++)
1036 {
1037 enumerator = enumerator_create_token(config, ",", " ");
1038 while (enumerator->enumerate(enumerator, &token))
1039 {
1040 if (strcaseeq(token, "sha1") &&
1041 suites[i].mac == AUTH_HMAC_SHA1_160)
1042 {
1043 suites[remaining++] = suites[i];
1044 break;
1045 }
1046 if (strcaseeq(token, "sha256") &&
1047 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1048 {
1049 suites[remaining++] = suites[i];
1050 break;
1051 }
1052 if (strcaseeq(token, "sha384") &&
1053 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1054 {
1055 suites[remaining++] = suites[i];
1056 break;
1057 }
1058 }
1059 enumerator->destroy(enumerator);
1060 }
1061 *count = remaining;
1062 }
1063 }
1064
1065 /**
1066 * Filter for specific suites specified in strongswan.conf
1067 */
1068 static void filter_specific_config_suites(private_tls_crypto_t *this,
1069 suite_algs_t suites[], int *count)
1070 {
1071 enumerator_t *enumerator;
1072 int i, remaining = 0, suite;
1073 char *token, *config;
1074
1075 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1076 lib->ns);
1077 if (config)
1078 {
1079 for (i = 0; i < *count; i++)
1080 {
1081 enumerator = enumerator_create_token(config, ",", " ");
1082 while (enumerator->enumerate(enumerator, &token))
1083 {
1084 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1085 suite == suites[i].suite)
1086 {
1087 suites[remaining++] = suites[i];
1088 break;
1089 }
1090 }
1091 enumerator->destroy(enumerator);
1092 }
1093 *count = remaining;
1094 }
1095 }
1096
1097 /**
1098 * Filter key exchange curves by curve user config
1099 */
1100 static bool filter_curve_config(tls_named_group_t curve)
1101 {
1102 enumerator_t *enumerator;
1103 char *token, *config;
1104
1105 config = lib->settings->get_str(lib->settings, "%s.tls.curve", NULL, lib->ns);
1106 if (config)
1107 {
1108 enumerator = enumerator_create_token(config, ",", " ");
1109 while (enumerator->enumerate(enumerator, &token))
1110 {
1111 const proposal_token_t *tok;
1112
1113 tok = lib->proposal->get_token(lib->proposal, token);
1114 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1115 curve == tls_ec_group_to_curve(tok->algorithm))
1116 {
1117 enumerator->destroy(enumerator);
1118 return TRUE;
1119 }
1120 }
1121 enumerator->destroy(enumerator);
1122 }
1123 return !config;
1124 }
1125
1126 /**
1127 * Filter out unsupported suites on given suite array
1128 */
1129 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1130 {
1131 /* filter suite list by each algorithm */
1132 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1133 lib->crypto->create_aead_enumerator);
1134 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1135 lib->crypto->create_prf_enumerator);
1136 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1137 lib->crypto->create_crypter_enumerator);
1138 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1139 lib->crypto->create_signer_enumerator);
1140 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1141 lib->crypto->create_hasher_enumerator);
1142 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1143 lib->crypto->create_dh_enumerator);
1144 }
1145
1146 /**
1147 * Initialize the cipher suite list
1148 */
1149 static void build_cipher_suite_list(private_tls_crypto_t *this)
1150 {
1151 suite_algs_t suites[countof(suite_algs)];
1152 tls_version_t min_version, max_version, new_min_version, new_max_version;
1153 bool require_encryption;
1154 int count = 0, i;
1155
1156 switch (this->tls->get_purpose(this->tls))
1157 {
1158 case TLS_PURPOSE_EAP_TLS:
1159 case TLS_PURPOSE_GENERIC_NULLOK:
1160 require_encryption = FALSE;
1161 break;
1162 case TLS_PURPOSE_EAP_PEAP:
1163 case TLS_PURPOSE_EAP_TTLS:
1164 case TLS_PURPOSE_GENERIC:
1165 require_encryption = TRUE;
1166 break;
1167 default:
1168 return;
1169 }
1170
1171 min_version = this->tls->get_version_min(this->tls);
1172 max_version = this->tls->get_version_max(this->tls);
1173
1174 /* copy all suites appropriate for the current min/max versions */
1175 for (i = 0; i < countof(suite_algs); i++)
1176 {
1177 if (suite_algs[i].min_version <= max_version &&
1178 suite_algs[i].max_version >= min_version)
1179 {
1180 suites[count++] = suite_algs[i];
1181 }
1182 }
1183
1184 if (require_encryption)
1185 {
1186 filter_null_suites(suites, &count);
1187 }
1188 if (!this->rsa)
1189 {
1190 filter_key_suites(this, suites, &count, KEY_RSA);
1191 }
1192 if (!this->ecdsa)
1193 {
1194 filter_key_suites(this, suites, &count, KEY_ECDSA);
1195 }
1196
1197 filter_unsupported_suites(suites, &count);
1198
1199 /* filter suites with strongswan.conf options */
1200 filter_key_exchange_config_suites(this, suites, &count);
1201 filter_cipher_config_suites(this, suites, &count);
1202 filter_mac_config_suites(this, suites, &count);
1203 filter_specific_config_suites(this, suites, &count);
1204
1205 free(this->suites);
1206 this->suite_count = count;
1207 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1208
1209 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1210 new_min_version = max_version;
1211 new_max_version = min_version;
1212 for (i = 0; i < count; i++)
1213 {
1214 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1215 this->suites[i] = suites[i].suite;
1216
1217 /* set TLS min/max versions appropriate to the final cipher suites */
1218 new_max_version = max(new_max_version, suites[i].max_version);
1219 new_min_version = min(new_min_version, suites[i].min_version);
1220 }
1221 new_max_version = min(new_max_version, max_version);
1222 new_min_version = max(new_min_version, min_version);
1223
1224 if (min_version != new_min_version || max_version != new_max_version)
1225 {
1226 this->tls->set_version(this->tls, new_min_version, new_max_version);
1227 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1228 tls_version_names, new_min_version,
1229 tls_version_names, new_max_version);
1230 }
1231 }
1232
1233 METHOD(tls_crypto_t, get_cipher_suites, int,
1234 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1235 {
1236 if (!this->suites)
1237 {
1238 build_cipher_suite_list(this);
1239 }
1240 if (suites)
1241 {
1242 *suites = this->suites;
1243 }
1244 return this->suite_count;
1245 }
1246
1247 /**
1248 * Create NULL encryption transforms
1249 */
1250 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1251 {
1252 this->aead_in = tls_aead_create_null(algs->mac);
1253 this->aead_out = tls_aead_create_null(algs->mac);
1254 if (!this->aead_in || !this->aead_out)
1255 {
1256 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1257 integrity_algorithm_names, algs->mac);
1258 return FALSE;
1259 }
1260 return TRUE;
1261 }
1262
1263 /**
1264 * Create traditional transforms
1265 */
1266 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1267 {
1268 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1269 {
1270 this->aead_in = tls_aead_create_implicit(algs->mac,
1271 algs->encr, algs->encr_size);
1272 this->aead_out = tls_aead_create_implicit(algs->mac,
1273 algs->encr, algs->encr_size);
1274 }
1275 else
1276 {
1277 this->aead_in = tls_aead_create_explicit(algs->mac,
1278 algs->encr, algs->encr_size);
1279 this->aead_out = tls_aead_create_explicit(algs->mac,
1280 algs->encr, algs->encr_size);
1281 }
1282 if (!this->aead_in || !this->aead_out)
1283 {
1284 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1285 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1286 integrity_algorithm_names, algs->mac);
1287 return FALSE;
1288 }
1289 return TRUE;
1290 }
1291
1292 /**
1293 * Create AEAD transforms
1294 */
1295 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1296 {
1297 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1298 {
1299 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1300 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1301 }
1302 else
1303 {
1304 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1305 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1306 }
1307 if (!this->aead_in || !this->aead_out)
1308 {
1309 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1310 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1311 return FALSE;
1312 }
1313 return TRUE;
1314 }
1315
1316 /**
1317 * Clean up and unset AEAD transforms
1318 */
1319 static void destroy_aeads(private_tls_crypto_t *this)
1320 {
1321 DESTROY_IF(this->aead_in);
1322 DESTROY_IF(this->aead_out);
1323 this->aead_in = this->aead_out = NULL;
1324 }
1325
1326 /**
1327 * Create crypto primitives
1328 */
1329 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1330 {
1331 destroy_aeads(this);
1332 DESTROY_IF(this->hkdf);
1333 DESTROY_IF(this->prf);
1334 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1335 {
1336 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1337 {
1338 this->prf = tls_prf_create_10();
1339 }
1340 else
1341 {
1342 this->prf = tls_prf_create_12(algs->prf);
1343 }
1344 if (!this->prf)
1345 {
1346 DBG1(DBG_TLS, "selected TLS PRF not supported");
1347 return FALSE;
1348 }
1349 }
1350 else
1351 {
1352 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1353 if (!this->hkdf)
1354 {
1355 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1356 return FALSE;
1357 }
1358 }
1359 if (algs->encr == ENCR_NULL)
1360 {
1361 if (create_null(this, algs))
1362 {
1363 return TRUE;
1364 }
1365 }
1366 else if (encryption_algorithm_is_aead(algs->encr))
1367 {
1368 if (create_aead(this, algs))
1369 {
1370 return TRUE;
1371 }
1372 }
1373 else
1374 {
1375 if (create_traditional(this, algs))
1376 {
1377 return TRUE;
1378 }
1379 }
1380 destroy_aeads(this);
1381 return FALSE;
1382 }
1383
1384 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1385 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1386 key_type_t key)
1387 {
1388 suite_algs_t *algs;
1389 int i, j;
1390
1391 for (i = 0; i < this->suite_count; i++)
1392 {
1393 for (j = 0; j < count; j++)
1394 {
1395 if (this->suites[i] == suites[j])
1396 {
1397 algs = find_suite(this->suites[i]);
1398 if (algs)
1399 {
1400 if (key == KEY_ANY || key == algs->key ||
1401 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1402 (algs->key == KEY_ECDSA && key == KEY_ED448))
1403 {
1404 if (create_ciphers(this, algs))
1405 {
1406 this->suite = this->suites[i];
1407 return this->suite;
1408 }
1409 }
1410 }
1411 }
1412 }
1413 }
1414 return 0;
1415 }
1416
1417 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1418 private_tls_crypto_t *this)
1419 {
1420 suite_algs_t *algs;
1421
1422 algs = find_suite(this->suite);
1423 if (algs)
1424 {
1425 return algs->dh;
1426 }
1427 return MODP_NONE;
1428 }
1429
1430 /**
1431 * Parameters for RSA/PSS signature schemes
1432 */
1433 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1434 .hash = HASH_SHA##bits, \
1435 .mgf1_hash = HASH_SHA##bits, \
1436 .salt_len = HASH_SIZE_SHA##bits, \
1437 }
1438
1439 PSS_PARAMS(256);
1440 PSS_PARAMS(384);
1441 PSS_PARAMS(512);
1442
1443 /**
1444 * Map TLS signature schemes, ordered by preference
1445 */
1446 static struct {
1447 tls_signature_scheme_t sig;
1448 signature_params_t params;
1449 /* min/max versions for use in CertificateVerify */
1450 tls_version_t min_version;
1451 tls_version_t max_version;
1452 } schemes[] = {
1453 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1454 TLS_1_0, TLS_1_3 },
1455 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1456 TLS_1_0, TLS_1_3 },
1457 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1458 TLS_1_0, TLS_1_3 },
1459 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1460 TLS_1_0, TLS_1_3 },
1461 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1462 TLS_1_0, TLS_1_3 },
1463 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1464 TLS_1_2, TLS_1_3 },
1465 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1466 TLS_1_2, TLS_1_3 },
1467 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1468 TLS_1_2, TLS_1_3 },
1469 /* the parameters for the next three should actually be taken from the
1470 * public key, we currently don't have an API for that, so assume defaults */
1471 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1472 TLS_1_2, TLS_1_3 },
1473 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1474 TLS_1_2, TLS_1_3 },
1475 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1476 TLS_1_2, TLS_1_3 },
1477 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1478 TLS_1_0, TLS_1_2 },
1479 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1480 TLS_1_0, TLS_1_2 },
1481 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1482 TLS_1_0, TLS_1_2 },
1483 };
1484
1485 METHOD(tls_crypto_t, get_signature_algorithms, void,
1486 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1487 {
1488 bio_writer_t *supported;
1489 tls_version_t min_version, max_version;
1490 int i;
1491
1492 supported = bio_writer_create(32);
1493
1494 if (!cert)
1495 {
1496 min_version = this->tls->get_version_min(this->tls);
1497 max_version = this->tls->get_version_max(this->tls);
1498 }
1499
1500 for (i = 0; i < countof(schemes); i++)
1501 {
1502 if ((cert || (schemes[i].min_version <= max_version &&
1503 schemes[i].max_version >= min_version)) &&
1504 lib->plugins->has_feature(lib->plugins,
1505 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1506 {
1507 supported->write_uint16(supported, schemes[i].sig);
1508 }
1509 }
1510
1511 writer->write_data16(writer, supported->get_buf(supported));
1512 supported->destroy(supported);
1513 }
1514
1515 /**
1516 * Get the signature parameters from a TLS signature scheme
1517 */
1518 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1519 bool sign)
1520 {
1521 int i;
1522
1523 for (i = 0; i < countof(schemes); i++)
1524 {
1525 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1526 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1527 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1528 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1529 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1530 {
1531 continue;
1532 }
1533 if (schemes[i].sig == sig)
1534 {
1535 return &schemes[i].params;
1536 }
1537 }
1538 return NULL;
1539 }
1540
1541 /**
1542 * Mapping groups to TLS named curves
1543 */
1544 static struct {
1545 diffie_hellman_group_t group;
1546 tls_named_group_t curve;
1547 } curves[] = {
1548 { ECP_256_BIT, TLS_SECP256R1},
1549 { ECP_384_BIT, TLS_SECP384R1},
1550 { ECP_521_BIT, TLS_SECP521R1},
1551 { ECP_224_BIT, TLS_SECP224R1},
1552 { ECP_192_BIT, TLS_SECP192R1},
1553 { CURVE_25519, TLS_CURVE25519},
1554 { CURVE_448, TLS_CURVE448},
1555 };
1556
1557 CALLBACK(group_filter, bool,
1558 void *null, enumerator_t *orig, va_list args)
1559 {
1560 diffie_hellman_group_t group, *group_out;
1561 tls_named_group_t curve, *curve_out;
1562 char *plugin;
1563
1564 VA_ARGS_VGET(args, group_out, curve_out);
1565
1566 while (orig->enumerate(orig, &group, &plugin))
1567 {
1568 curve = tls_ec_group_to_curve(group);
1569 if (curve)
1570 {
1571 if (group_out)
1572 {
1573 *group_out = group;
1574 }
1575 if (curve_out)
1576 {
1577 *curve_out = curve;
1578 }
1579 return TRUE;
1580 }
1581 }
1582 return FALSE;
1583 }
1584
1585 CALLBACK(config_filter, bool,
1586 void *null, enumerator_t *orig, va_list args)
1587 {
1588 diffie_hellman_group_t group, *group_out;
1589 tls_named_group_t curve, *curve_out;
1590
1591 VA_ARGS_VGET(args, group_out, curve_out);
1592
1593 while (orig->enumerate(orig, &group, &curve))
1594 {
1595 if (filter_curve_config(curve))
1596 {
1597 if (group_out)
1598 {
1599 *group_out = group;
1600 }
1601 if (curve_out)
1602 {
1603 *curve_out = curve;
1604 }
1605 return TRUE;
1606 }
1607 }
1608 return FALSE;
1609 }
1610
1611 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1612 private_tls_crypto_t *this)
1613 {
1614 return enumerator_create_filter(
1615 enumerator_create_filter(
1616 lib->crypto->create_dh_enumerator(lib->crypto),
1617 group_filter, NULL, NULL),
1618 config_filter, NULL, NULL);
1619 }
1620
1621 METHOD(tls_crypto_t, set_protection, void,
1622 private_tls_crypto_t *this, tls_protection_t *protection)
1623 {
1624 this->protection = protection;
1625 }
1626
1627 METHOD(tls_crypto_t, append_handshake, void,
1628 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1629 {
1630 uint32_t header;
1631
1632 /* reconstruct handshake header */
1633 header = htonl(data.len | (type << 24));
1634 this->handshake = chunk_cat("mcc", this->handshake,
1635 chunk_from_thing(header), data);
1636 }
1637
1638 /**
1639 * Create a hash using the suites HASH algorithm
1640 */
1641 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1642 {
1643 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1644 {
1645 hasher_t *hasher;
1646 suite_algs_t *alg;
1647
1648 alg = find_suite(this->suite);
1649 if (!alg)
1650 {
1651 return FALSE;
1652 }
1653 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1654 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1655 {
1656 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1657 DESTROY_IF(hasher);
1658 return FALSE;
1659 }
1660 hasher->destroy(hasher);
1661 }
1662 else
1663 {
1664 hasher_t *md5, *sha1;
1665 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1666
1667 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1668 if (!md5 || !md5->get_hash(md5, data, buf))
1669 {
1670 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1671 DESTROY_IF(md5);
1672 return FALSE;
1673 }
1674 md5->destroy(md5);
1675 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1676 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1677 {
1678 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1679 DESTROY_IF(sha1);
1680 return FALSE;
1681 }
1682 sha1->destroy(sha1);
1683
1684 *hash = chunk_clone(chunk_from_thing(buf));
1685 }
1686 return TRUE;
1687 }
1688
1689 METHOD(tls_crypto_t, hash_handshake, bool,
1690 private_tls_crypto_t *this, chunk_t *out)
1691 {
1692 chunk_t hash;
1693
1694 if (!hash_data(this, this->handshake, &hash))
1695 {
1696 return FALSE;
1697 }
1698
1699 chunk_free(&this->handshake);
1700 append_handshake(this, TLS_MESSAGE_HASH, hash);
1701
1702 if (out)
1703 {
1704 *out = hash;
1705 }
1706 else
1707 {
1708 free(hash.ptr);
1709 }
1710 return TRUE;
1711 }
1712
1713 /**
1714 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1715 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1716 */
1717 static chunk_t tls13_sig_data_server = chunk_from_chars(
1718 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1719 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1720 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1721 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1722 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1723 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1724 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1725 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1726 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1727 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1728 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1729 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1730 0x79, 0x00,
1731 );
1732
1733 METHOD(tls_crypto_t, sign, bool,
1734 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1735 chunk_t data, chunk_t hashsig)
1736 {
1737 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1738 {
1739 /* fallback to SHA1/RSA and SHA1/ECDSA */
1740 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1741 signature_params_t *params;
1742 key_type_t type;
1743 uint16_t scheme;
1744 bio_reader_t *reader;
1745 chunk_t sig;
1746 bool done = FALSE;
1747
1748 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1749 {
1750 chunk_t transcript_hash;
1751
1752 if (!hash_data(this, data, &transcript_hash))
1753 {
1754 DBG1(DBG_TLS, "unable to create transcript hash");
1755 return FALSE;
1756 }
1757 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1758 }
1759
1760 if (!hashsig.len)
1761 { /* fallback if none given */
1762 hashsig = hashsig_def;
1763 }
1764 type = key->get_type(key);
1765 reader = bio_reader_create(hashsig);
1766 while (reader->remaining(reader) >= 2)
1767 {
1768 if (reader->read_uint16(reader, &scheme))
1769 {
1770 params = params_for_scheme(scheme, TRUE);
1771 if (params &&
1772 type == key_type_from_signature_scheme(params->scheme) &&
1773 key->sign(key, params->scheme, params->params, data, &sig))
1774 {
1775 done = TRUE;
1776 break;
1777 }
1778 }
1779 }
1780 reader->destroy(reader);
1781 if (!done)
1782 {
1783 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1784 return FALSE;
1785 }
1786 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1787 scheme);
1788 writer->write_uint16(writer, scheme);
1789 writer->write_data16(writer, sig);
1790 free(sig.ptr);
1791 }
1792 else
1793 {
1794 chunk_t sig, hash;
1795 bool done;
1796
1797 switch (key->get_type(key))
1798 {
1799 case KEY_RSA:
1800 if (!hash_data(this, data, &hash))
1801 {
1802 return FALSE;
1803 }
1804 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1805 &sig);
1806 free(hash.ptr);
1807 if (!done)
1808 {
1809 return FALSE;
1810 }
1811 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1812 break;
1813 case KEY_ECDSA:
1814 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1815 {
1816 return FALSE;
1817 }
1818 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1819 break;
1820 case KEY_ED25519:
1821 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1822 {
1823 return FALSE;
1824 }
1825 DBG2(DBG_TLS, "created signature with Ed25519");
1826 break;
1827 case KEY_ED448:
1828 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1829 {
1830 return FALSE;
1831 }
1832 DBG2(DBG_TLS, "created signature with Ed448");
1833 break;
1834 default:
1835 return FALSE;
1836 }
1837 writer->write_data16(writer, sig);
1838 free(sig.ptr);
1839 }
1840 return TRUE;
1841 }
1842
1843 METHOD(tls_crypto_t, verify, bool,
1844 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1845 chunk_t data)
1846 {
1847 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1848 {
1849 signature_params_t *params;
1850 uint16_t scheme;
1851 chunk_t sig;
1852
1853 if (!reader->read_uint16(reader, &scheme) ||
1854 !reader->read_data16(reader, &sig))
1855 {
1856 DBG1(DBG_TLS, "received invalid signature");
1857 return FALSE;
1858 }
1859 params = params_for_scheme(scheme, FALSE);
1860 if (!params)
1861 {
1862 DBG1(DBG_TLS, "signature algorithms %N not supported",
1863 tls_signature_scheme_names, scheme);
1864 return FALSE;
1865 }
1866 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1867 {
1868 chunk_t transcript_hash;
1869
1870 if (!hash_data(this, data, &transcript_hash))
1871 {
1872 DBG1(DBG_TLS, "Unable to create transcript hash");
1873 return FALSE;
1874 }
1875
1876 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1877 }
1878 if (!key->verify(key, params->scheme, params->params, data, sig))
1879 {
1880 DBG1(DBG_TLS, "signature verification with %N failed",
1881 tls_signature_scheme_names, scheme);
1882 return FALSE;
1883 }
1884 DBG2(DBG_TLS, "verified signature with %N",
1885 tls_signature_scheme_names, scheme);
1886 }
1887 else
1888 {
1889 chunk_t sig, hash;
1890 bool done;
1891
1892 if (!reader->read_data16(reader, &sig))
1893 {
1894 DBG1(DBG_TLS, "received invalid signature");
1895 return FALSE;
1896 }
1897 switch (key->get_type(key))
1898 {
1899 case KEY_RSA:
1900 if (!hash_data(this, data, &hash))
1901 {
1902 return FALSE;
1903 }
1904 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1905 sig);
1906 free(hash.ptr);
1907 if (!done)
1908 {
1909 return FALSE;
1910 }
1911 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1912 break;
1913 case KEY_ECDSA:
1914 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1915 sig))
1916 {
1917 return FALSE;
1918 }
1919 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1920 break;
1921 case KEY_ED25519:
1922 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1923 {
1924 return FALSE;
1925 }
1926 DBG2(DBG_TLS, "verified signature with Ed25519");
1927 break;
1928 case KEY_ED448:
1929 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1930 {
1931 return FALSE;
1932 }
1933 DBG2(DBG_TLS, "verified signature with Ed448");
1934 break;
1935 default:
1936 return FALSE;
1937 }
1938 }
1939 return TRUE;
1940 }
1941
1942 METHOD(tls_crypto_t, sign_handshake, bool,
1943 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1944 chunk_t hashsig)
1945 {
1946 return sign(this, key, writer, this->handshake, hashsig);
1947 }
1948
1949 METHOD(tls_crypto_t, verify_handshake, bool,
1950 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1951 {
1952 return verify(this, key, reader, this->handshake);
1953 }
1954
1955 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1956 private_tls_crypto_t *this, char *label, char out[12])
1957 {
1958 chunk_t seed;
1959
1960 if (!this->prf)
1961 {
1962 return FALSE;
1963 }
1964 if (!hash_data(this, this->handshake, &seed))
1965 {
1966 return FALSE;
1967 }
1968 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1969 {
1970 free(seed.ptr);
1971 return FALSE;
1972 }
1973 free(seed.ptr);
1974 return TRUE;
1975 }
1976
1977 METHOD(tls_crypto_t, calculate_finished, bool,
1978 private_tls_crypto_t *this, bool server, chunk_t *out)
1979 {
1980 chunk_t finished_key, finished_hash;
1981
1982 if (!this->hkdf)
1983 {
1984 return FALSE;
1985 }
1986 if (!hash_data(this, this->handshake, &finished_hash))
1987 {
1988 DBG1(DBG_TLS, "creating hash of handshake failed");
1989 return FALSE;
1990 }
1991 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
1992 {
1993 DBG1(DBG_TLS, "generating finished key failed");
1994 chunk_clear(&finished_hash);
1995 return FALSE;
1996 }
1997 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
1998 {
1999 DBG1(DBG_TLS, "generating finished HMAC failed");
2000 chunk_clear(&finished_key);
2001 chunk_clear(&finished_hash);
2002 return FALSE;
2003 }
2004 chunk_clear(&finished_key);
2005 chunk_clear(&finished_hash);
2006 return TRUE;
2007 }
2008
2009 /**
2010 * Derive master secret from premaster, optionally save session
2011 */
2012 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2013 chunk_t session, identification_t *id,
2014 chunk_t client_random, chunk_t server_random)
2015 {
2016 char master[48];
2017 chunk_t seed;
2018
2019 /* derive master secret */
2020 seed = chunk_cata("cc", client_random, server_random);
2021
2022 if (!this->prf->set_key(this->prf, premaster) ||
2023 !this->prf->get_bytes(this->prf, "master secret", seed,
2024 sizeof(master), master) ||
2025 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2026 {
2027 return FALSE;
2028 }
2029
2030 if (this->cache && session.len)
2031 {
2032 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2033 this->suite);
2034 }
2035 memwipe(master, sizeof(master));
2036 return TRUE;
2037 }
2038
2039 /**
2040 * Expand key material from master secret
2041 */
2042 static bool expand_keys(private_tls_crypto_t *this,
2043 chunk_t client_random, chunk_t server_random)
2044 {
2045 chunk_t seed, block;
2046 chunk_t cw_mac, cw, cw_iv;
2047 chunk_t sw_mac, sw, sw_iv;
2048 int mklen, eklen, ivlen;
2049
2050 if (!this->aead_in || !this->aead_out)
2051 {
2052 return FALSE;
2053 }
2054
2055 /* derive key block for key expansion */
2056 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2057 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2058 ivlen = this->aead_in->get_iv_size(this->aead_in);
2059 seed = chunk_cata("cc", server_random, client_random);
2060 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2061 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2062 block.len, block.ptr))
2063 {
2064 return FALSE;
2065 }
2066
2067 /* client/server write signer keys */
2068 cw_mac = chunk_create(block.ptr, mklen);
2069 block = chunk_skip(block, mklen);
2070 sw_mac = chunk_create(block.ptr, mklen);
2071 block = chunk_skip(block, mklen);
2072
2073 /* client/server write encryption keys */
2074 cw = chunk_create(block.ptr, eklen);
2075 block = chunk_skip(block, eklen);
2076 sw = chunk_create(block.ptr, eklen);
2077 block = chunk_skip(block, eklen);
2078
2079 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2080 cw_iv = chunk_create(block.ptr, ivlen);
2081 block = chunk_skip(block, ivlen);
2082 sw_iv = chunk_create(block.ptr, ivlen);
2083 block = chunk_skip(block, ivlen);
2084
2085 if (this->tls->is_server(this->tls))
2086 {
2087 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2088 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2089 {
2090 return FALSE;
2091 }
2092 }
2093 else
2094 {
2095 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2096 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2097 {
2098 return FALSE;
2099 }
2100 }
2101
2102 /* EAP-MSK */
2103 if (this->msk_label)
2104 {
2105 seed = chunk_cata("cc", client_random, server_random);
2106 this->msk = chunk_alloc(64);
2107 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2108 this->msk.len, this->msk.ptr))
2109 {
2110 return FALSE;
2111 }
2112 }
2113 return TRUE;
2114 }
2115
2116 METHOD(tls_crypto_t, derive_secrets, bool,
2117 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2118 identification_t *id, chunk_t client_random, chunk_t server_random)
2119 {
2120 return derive_master(this, premaster, session, id,
2121 client_random, server_random) &&
2122 expand_keys(this, client_random, server_random);
2123 }
2124
2125 /**
2126 * Derive and configure the client/server key/IV on an AEAD using a given label.
2127 */
2128 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2129 tls_hkdf_label_t label, tls_aead_t *aead)
2130 {
2131 chunk_t key = chunk_empty, iv = chunk_empty;
2132 bool success = FALSE;
2133
2134 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2135 NULL) ||
2136 !this->hkdf->derive_key(this->hkdf, server,
2137 aead->get_encr_key_size(aead), &key) ||
2138 !this->hkdf->derive_iv(this->hkdf, server,
2139 aead->get_iv_size(aead), &iv))
2140 {
2141 DBG1(DBG_TLS, "deriving key material failed");
2142 goto out;
2143 }
2144
2145 if (!aead->set_keys(aead, chunk_empty, key, iv))
2146 {
2147 DBG1(DBG_TLS, "setting AEAD key material failed");
2148 goto out;
2149 }
2150 success = TRUE;
2151
2152 out:
2153 chunk_clear(&key);
2154 chunk_clear(&iv);
2155 return success;
2156 }
2157
2158 /**
2159 * Derive and configure the keys/IVs using the given labels.
2160 */
2161 static bool derive_labeled_keys(private_tls_crypto_t *this,
2162 tls_hkdf_label_t client_label,
2163 tls_hkdf_label_t server_label)
2164 {
2165 tls_aead_t *aead_c, *aead_s;
2166 suite_algs_t *algs;
2167
2168 algs = find_suite(this->suite);
2169 destroy_aeads(this);
2170 if (!create_aead(this, algs))
2171 {
2172 return FALSE;
2173 }
2174 aead_c = this->aead_out;
2175 aead_s = this->aead_in;
2176 if (this->tls->is_server(this->tls))
2177 {
2178 aead_c = this->aead_in;
2179 aead_s = this->aead_out;
2180 }
2181 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2182 derive_labeled_key(this, TRUE, server_label, aead_s);
2183 }
2184
2185 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2186 private_tls_crypto_t *this, chunk_t shared_secret)
2187 {
2188 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2189 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2190 TLS_HKDF_S_HS_TRAFFIC);
2191 }
2192
2193 METHOD(tls_crypto_t, derive_app_keys, bool,
2194 private_tls_crypto_t *this)
2195 {
2196 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2197 TLS_HKDF_S_AP_TRAFFIC))
2198 {
2199 return FALSE;
2200 }
2201
2202 /* EAP-MSK */
2203 if (this->msk_label)
2204 {
2205 /* because the length is encoded when expanding key material, we
2206 * request the same number of bytes as FreeRADIUS (the first 64 for
2207 * the MSK, the next for the EMSK, which we just ignore) */
2208 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2209 this->handshake, 128, &this->msk))
2210 {
2211 return FALSE;
2212 }
2213 this->msk.len = 64;
2214 }
2215 return TRUE;
2216 }
2217
2218 METHOD(tls_crypto_t, update_app_keys, bool,
2219 private_tls_crypto_t *this, bool inbound)
2220 {
2221 suite_algs_t *algs;
2222 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2223
2224 algs = find_suite(this->suite);
2225 destroy_aeads(this);
2226 if (!create_aead(this, algs))
2227 {
2228 return FALSE;
2229 }
2230 if (this->tls->is_server(this->tls) != inbound)
2231 {
2232 label = TLS_HKDF_UPD_S_TRAFFIC;
2233 }
2234 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2235 inbound ? this->aead_in : this->aead_out);
2236 }
2237
2238 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2239 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2240 chunk_t client_random, chunk_t server_random)
2241 {
2242 chunk_t master;
2243
2244 if (this->cache && session.len)
2245 {
2246 this->suite = this->cache->lookup(this->cache, session, id, &master);
2247 if (this->suite)
2248 {
2249 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2250 if (this->suite)
2251 {
2252 if (!this->prf->set_key(this->prf, master) ||
2253 !expand_keys(this, client_random, server_random))
2254 {
2255 this->suite = 0;
2256 }
2257 }
2258 chunk_clear(&master);
2259 }
2260 return this->suite;
2261 }
2262 return 0;
2263 }
2264
2265 METHOD(tls_crypto_t, get_session, chunk_t,
2266 private_tls_crypto_t *this, identification_t *server)
2267 {
2268 if (this->cache)
2269 {
2270 return this->cache->check(this->cache, server);
2271 }
2272 return chunk_empty;
2273 }
2274
2275 METHOD(tls_crypto_t, change_cipher, void,
2276 private_tls_crypto_t *this, bool inbound)
2277 {
2278 if (this->protection)
2279 {
2280 if (inbound)
2281 {
2282 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2283 this->aead_in = NULL;
2284 }
2285 else
2286 {
2287 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2288 this->aead_out = NULL;
2289 }
2290 }
2291 }
2292
2293 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2294 private_tls_crypto_t *this)
2295 {
2296 return this->msk;
2297 }
2298
2299 METHOD(tls_crypto_t, destroy, void,
2300 private_tls_crypto_t *this)
2301 {
2302 destroy_aeads(this);
2303 free(this->handshake.ptr);
2304 free(this->msk.ptr);
2305 DESTROY_IF(this->prf);
2306 DESTROY_IF(this->hkdf);
2307 free(this->suites);
2308 free(this);
2309 }
2310
2311 /**
2312 * See header
2313 */
2314 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2315 {
2316 private_tls_crypto_t *this;
2317 enumerator_t *enumerator;
2318 credential_type_t type;
2319 int subtype;
2320
2321 INIT(this,
2322 .public = {
2323 .get_cipher_suites = _get_cipher_suites,
2324 .select_cipher_suite = _select_cipher_suite,
2325 .get_dh_group = _get_dh_group,
2326 .get_signature_algorithms = _get_signature_algorithms,
2327 .create_ec_enumerator = _create_ec_enumerator,
2328 .set_protection = _set_protection,
2329 .append_handshake = _append_handshake,
2330 .hash_handshake = _hash_handshake,
2331 .sign = _sign,
2332 .verify = _verify,
2333 .sign_handshake = _sign_handshake,
2334 .verify_handshake = _verify_handshake,
2335 .calculate_finished_legacy = _calculate_finished_legacy,
2336 .calculate_finished = _calculate_finished,
2337 .derive_secrets = _derive_secrets,
2338 .derive_handshake_keys = _derive_handshake_keys,
2339 .derive_app_keys = _derive_app_keys,
2340 .update_app_keys = _update_app_keys,
2341 .resume_session = _resume_session,
2342 .get_session = _get_session,
2343 .change_cipher = _change_cipher,
2344 .get_eap_msk = _get_eap_msk,
2345 .destroy = _destroy,
2346 },
2347 .tls = tls,
2348 .cache = cache,
2349 );
2350
2351 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2352 * separation would be welcome. */
2353 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2354 while (enumerator->enumerate(enumerator, &type, &subtype))
2355 {
2356 if (type == CRED_PUBLIC_KEY)
2357 {
2358 switch (subtype)
2359 {
2360 case KEY_RSA:
2361 this->rsa = TRUE;
2362 break;
2363 case KEY_ECDSA:
2364 case KEY_ED25519:
2365 case KEY_ED448:
2366 this->ecdsa = TRUE;
2367 break;
2368 default:
2369 break;
2370 }
2371 }
2372 }
2373 enumerator->destroy(enumerator);
2374
2375 switch (tls->get_purpose(tls))
2376 {
2377 case TLS_PURPOSE_EAP_TLS:
2378 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2379 this->msk_label = "client EAP encryption";
2380 break;
2381 case TLS_PURPOSE_EAP_PEAP:
2382 this->msk_label = "client EAP encryption";
2383 break;
2384 case TLS_PURPOSE_EAP_TTLS:
2385 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2386 this->msk_label = "ttls keying material";
2387 break;
2388 default:
2389 break;
2390 }
2391 return &this->public;
2392 }
2393
2394 /**
2395 * See header.
2396 */
2397 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2398 tls_cipher_suite_t **out)
2399 {
2400 suite_algs_t suites[countof(suite_algs)];
2401 int count = 0, i;
2402
2403 /* initialize copy of suite list */
2404 for (i = 0; i < countof(suite_algs); i++)
2405 {
2406 if (suite_algs[i].min_version <= version &&
2407 suite_algs[i].max_version >= version)
2408 {
2409 suites[count++] = suite_algs[i];
2410 }
2411 }
2412
2413 filter_unsupported_suites(suites, &count);
2414
2415 if (!null)
2416 {
2417 filter_null_suites(suites, &count);
2418 }
2419
2420 if (out)
2421 {
2422 *out = calloc(count, sizeof(tls_cipher_suite_t));
2423 for (i = 0; i < count; i++)
2424 {
2425 (*out)[i] = suites[i].suite;
2426 }
2427 }
2428 return count;
2429 }
2430
2431 /**
2432 * See header.
2433 */
2434 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2435 {
2436 enumerator_t *enumerator;
2437 diffie_hellman_group_t groups[countof(curves)];
2438 diffie_hellman_group_t group;
2439 tls_named_group_t curve;
2440 int count = 0, i;
2441
2442 enumerator = enumerator_create_filter(
2443 lib->crypto->create_dh_enumerator(lib->crypto),
2444 group_filter, NULL, NULL);
2445
2446 while (enumerator->enumerate(enumerator, &group, &curve))
2447 {
2448 groups[count++] = group;
2449 }
2450 enumerator->destroy(enumerator);
2451
2452 if (out)
2453 {
2454 *out = calloc(count, sizeof(diffie_hellman_group_t));
2455 for (i = 0; i < count; i++)
2456 {
2457 (*out)[i] = groups[i];
2458 }
2459 }
2460 return count;
2461 }
2462
2463 /**
2464 * See header.
2465 */
2466 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2467 {
2468 int i;
2469
2470 for (i = 0; i < countof(curves); i++)
2471 {
2472 if (curves[i].group == group)
2473 {
2474 return curves[i].curve;
2475 }
2476 }
2477 return 0;
2478 }
2479
2480 /**
2481 * See header.
2482 */
2483 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2484 {
2485 int i;
2486
2487 for (i = 0; i < countof(schemes); i++)
2488 {
2489 if (schemes[i].sig == sig)
2490 {
2491 return key_type_from_signature_scheme(schemes[i].params.scheme);
2492 }
2493 }
2494 return 0;
2495 }
2496
2497 /**
2498 * Hashtable hash function
2499 */
2500 static u_int hash_key_type(key_type_t *type)
2501 {
2502 return chunk_hash(chunk_from_thing(*type));
2503 }
2504
2505 /**
2506 * Hashtable equals function
2507 */
2508 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2509 {
2510 return *key1 == *key2;
2511 }
2512
2513 CALLBACK(filter_key_types, bool,
2514 void *data, enumerator_t *orig, va_list args)
2515 {
2516 key_type_t *key_type, *out;
2517
2518 VA_ARGS_VGET(args, out);
2519
2520 if (orig->enumerate(orig, NULL, &key_type))
2521 {
2522 *out = *key_type;
2523 return TRUE;
2524 }
2525 return FALSE;
2526 }
2527
2528 CALLBACK(destroy_key_types, void,
2529 hashtable_t *ht)
2530 {
2531 ht->destroy_function(ht, (void*)free);
2532 }
2533
2534 /*
2535 * See header.
2536 */
2537 enumerator_t *tls_get_supported_key_types(tls_version_t min_version,
2538 tls_version_t max_version)
2539 {
2540 hashtable_t *ht;
2541 key_type_t *type, lookup;
2542 int i;
2543
2544 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2545 (hashtable_equals_t)equals_key_type, 4);
2546 for (i = 0; i < countof(schemes); i++)
2547 {
2548 if (schemes[i].min_version <= max_version &&
2549 schemes[i].max_version >= min_version)
2550 {
2551 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2552 if (!ht->get(ht, &lookup))
2553 {
2554 type = malloc_thing(key_type_t);
2555 *type = lookup;
2556 ht->put(ht, type, type);
2557 }
2558 }
2559 }
2560 return enumerator_create_filter(ht->create_enumerator(ht),
2561 filter_key_types, ht, destroy_key_types);
2562 }