Added more TLS cipher suites we already support
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 typedef struct private_tls_crypto_t private_tls_crypto_t;
242
243 /**
244 * Private data of an tls_crypto_t object.
245 */
246 struct private_tls_crypto_t {
247
248 /**
249 * Public tls_crypto_t interface.
250 */
251 tls_crypto_t public;
252
253 /**
254 * Protection layer
255 */
256 tls_protection_t *protection;
257
258 /**
259 * List of supported/acceptable cipher suites
260 */
261 tls_cipher_suite_t *suites;
262
263 /**
264 * Number of supported suites
265 */
266 int suite_count;
267
268 /**
269 * Selected cipher suite
270 */
271 tls_cipher_suite_t suite;
272
273 /**
274 * TLS context
275 */
276 tls_t *tls;
277
278 /**
279 * All handshake data concatentated
280 */
281 chunk_t handshake;
282
283 /**
284 * Connection state TLS PRF
285 */
286 tls_prf_t *prf;
287
288 /**
289 * Signer instance for inbound traffic
290 */
291 signer_t *signer_in;
292
293 /**
294 * Signer instance for outbound traffic
295 */
296 signer_t *signer_out;
297
298 /**
299 * Crypter instance for inbound traffic
300 */
301 crypter_t *crypter_in;
302
303 /**
304 * Crypter instance for outbound traffic
305 */
306 crypter_t *crypter_out;
307
308 /**
309 * IV for input decryption, if < TLSv1.2
310 */
311 chunk_t iv_in;
312
313 /**
314 * IV for output decryption, if < TLSv1.2
315 */
316 chunk_t iv_out;
317
318 /**
319 * EAP-[T]TLS MSK
320 */
321 chunk_t msk;
322
323 /**
324 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
325 */
326 char *msk_label;
327 };
328
329 typedef struct {
330 tls_cipher_suite_t suite;
331 hash_algorithm_t hash;
332 pseudo_random_function_t prf;
333 integrity_algorithm_t mac;
334 encryption_algorithm_t encr;
335 size_t encr_size;
336 } suite_algs_t;
337
338 /**
339 * Mapping suites to a set of algorithms
340 */
341 static suite_algs_t suite_algs[] = {
342 { TLS_RSA_WITH_NULL_MD5,
343 HASH_MD5, PRF_HMAC_MD5,
344 AUTH_HMAC_MD5_128, ENCR_NULL, 0
345 },
346 { TLS_RSA_WITH_NULL_SHA,
347 HASH_SHA1, PRF_HMAC_SHA1,
348 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
349 },
350 { TLS_RSA_WITH_NULL_SHA256,
351 HASH_SHA256, PRF_HMAC_SHA2_256,
352 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
353 },
354 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
355 HASH_SHA1, PRF_HMAC_SHA1,
356 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
357 },
358 { TLS_RSA_WITH_AES_128_CBC_SHA,
359 HASH_SHA1, PRF_HMAC_SHA1,
360 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
361 },
362 { TLS_RSA_WITH_AES_128_CBC_SHA256,
363 HASH_SHA256, PRF_HMAC_SHA2_256,
364 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
365 },
366 { TLS_RSA_WITH_AES_256_CBC_SHA,
367 HASH_SHA1, PRF_HMAC_SHA1,
368 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
369 },
370 { TLS_RSA_WITH_AES_256_CBC_SHA256,
371 HASH_SHA256, PRF_HMAC_SHA2_256,
372 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
373 },
374 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
375 HASH_SHA1, PRF_HMAC_SHA1,
376 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
377 },
378 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
379 HASH_SHA256, PRF_HMAC_SHA2_256,
380 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
381 },
382 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
383 HASH_SHA1, PRF_HMAC_SHA1,
384 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
385 },
386 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
387 HASH_SHA256, PRF_HMAC_SHA2_256,
388 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
389 },
390 };
391
392 /**
393 * Look up algoritms by a suite
394 */
395 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
396 {
397 int i;
398
399 for (i = 0; i < countof(suite_algs); i++)
400 {
401 if (suite_algs[i].suite == suite)
402 {
403 return &suite_algs[i];
404 }
405 }
406 return NULL;
407 }
408
409 /**
410 * Filter a suite list using a transform enumerator
411 */
412 static void filter_suite(private_tls_crypto_t *this,
413 suite_algs_t suites[], int *count, int offset,
414 enumerator_t*(*create_enumerator)(crypto_factory_t*))
415 {
416 suite_algs_t current;
417 int i, remaining = 0;
418 enumerator_t *enumerator;
419
420 memset(&current, 0, sizeof(current));
421 for (i = 0; i < *count; i++)
422 {
423 enumerator = create_enumerator(lib->crypto);
424 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
425 {
426 if ((suites[i].encr == ENCR_NULL ||
427 !current.encr || current.encr == suites[i].encr) &&
428 (!current.mac || current.mac == suites[i].mac) &&
429 (!current.prf || current.prf == suites[i].prf) &&
430 (!current.hash || current.hash == suites[i].hash))
431 {
432 suites[remaining] = suites[i];
433 remaining++;
434 break;
435 }
436 }
437 enumerator->destroy(enumerator);
438 }
439 *count = remaining;
440 }
441
442 /**
443 * Initialize the cipher suite list
444 */
445 static void build_cipher_suite_list(private_tls_crypto_t *this)
446 {
447 suite_algs_t suites[countof(suite_algs)];
448 int count = countof(suite_algs), i;
449
450 /* copy all suites */
451 for (i = 0; i < count; i++)
452 {
453 suites[i] = suite_algs[i];
454 }
455 /* filter suite list by each algorithm */
456 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
457 lib->crypto->create_crypter_enumerator);
458 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
459 lib->crypto->create_signer_enumerator);
460 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
461 lib->crypto->create_prf_enumerator);
462 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
463 lib->crypto->create_hasher_enumerator);
464
465 DBG2(DBG_CFG, "%d supported TLS cipher suites:", count);
466 for (i = 0; i < count; i++)
467 {
468 DBG2(DBG_CFG, " %N", tls_cipher_suite_names, suites[i]);
469 }
470
471 free(this->suites);
472 this->suite_count = count;
473 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
474 memcpy(this->suites, suites, sizeof(tls_cipher_suite_t) * this->suite_count);
475 }
476
477 METHOD(tls_crypto_t, get_cipher_suites, int,
478 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
479 {
480 *suites = this->suites;
481 return this->suite_count;
482 }
483
484 /**
485 * Create crypto primitives
486 */
487 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
488 {
489 suite_algs_t *algs;
490
491 algs = find_suite(suite);
492 if (!algs)
493 {
494 DBG1(DBG_IKE, "selected TLS suite not supported");
495 return FALSE;
496 }
497
498 DESTROY_IF(this->prf);
499 if (this->tls->get_version(this->tls) < TLS_1_2)
500 {
501 this->prf = tls_prf_create_10();
502 }
503 else
504 {
505 this->prf = tls_prf_create_12(algs->prf);
506 }
507 if (!this->prf)
508 {
509 DBG1(DBG_IKE, "selected TLS PRF not supported");
510 return FALSE;
511 }
512
513 DESTROY_IF(this->signer_in);
514 DESTROY_IF(this->signer_out);
515 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
516 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
517 if (!this->signer_in || !this->signer_out)
518 {
519 DBG1(DBG_IKE, "selected TLS MAC %N not supported",
520 integrity_algorithm_names, algs->mac);
521 return FALSE;
522 }
523
524 DESTROY_IF(this->crypter_in);
525 DESTROY_IF(this->crypter_out);
526 if (algs->encr == ENCR_NULL)
527 {
528 this->crypter_in = this->crypter_out = NULL;
529 }
530 else
531 {
532 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
533 algs->encr, algs->encr_size);
534 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
535 algs->encr, algs->encr_size);
536 if (!this->crypter_in || !this->crypter_out)
537 {
538 DBG1(DBG_IKE, "selected TLS crypter %N not supported",
539 encryption_algorithm_names, algs->encr);
540 return FALSE;
541 }
542 }
543 return TRUE;
544 }
545
546 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
547 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
548 {
549 int i, j;
550
551 for (i = 0; i < this->suite_count; i++)
552 {
553 for (j = 0; j < count; j++)
554 {
555 if (this->suites[i] == suites[j])
556 {
557 if (create_ciphers(this, this->suites[i]))
558 {
559 this->suite = this->suites[i];
560 return this->suite;
561 }
562 }
563 }
564 }
565 return 0;
566 }
567
568 METHOD(tls_crypto_t, set_protection, void,
569 private_tls_crypto_t *this, tls_protection_t *protection)
570 {
571 this->protection = protection;
572 }
573
574 METHOD(tls_crypto_t, append_handshake, void,
575 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
576 {
577 u_int32_t header;
578
579 /* reconstruct handshake header */
580 header = htonl(data.len | (type << 24));
581 this->handshake = chunk_cat("mcc", this->handshake,
582 chunk_from_thing(header), data);
583 }
584
585 /**
586 * Create a hash of the stored handshake data
587 */
588 static bool hash_handshake(private_tls_crypto_t *this, chunk_t *hash)
589 {
590 if (this->tls->get_version(this->tls) >= TLS_1_2)
591 {
592 hasher_t *hasher;
593 suite_algs_t *alg;
594
595 alg = find_suite(this->suite);
596 if (!alg)
597 {
598 return FALSE;
599 }
600 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
601 if (!hasher)
602 {
603 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, alg->hash);
604 return FALSE;
605 }
606 hasher->allocate_hash(hasher, this->handshake, hash);
607 hasher->destroy(hasher);
608 }
609 else
610 {
611 hasher_t *md5, *sha1;
612 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
613
614 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
615 if (!md5)
616 {
617 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_MD5);
618 return FALSE;
619 }
620 md5->get_hash(md5, this->handshake, buf);
621 md5->destroy(md5);
622 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
623 if (!sha1)
624 {
625 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_SHA1);
626 return FALSE;
627 }
628 sha1->get_hash(sha1, this->handshake, buf + HASH_SIZE_MD5);
629 sha1->destroy(sha1);
630
631 *hash = chunk_clone(chunk_from_thing(buf));
632 }
633 return TRUE;
634 }
635
636 METHOD(tls_crypto_t, sign_handshake, bool,
637 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer)
638 {
639 chunk_t sig, hash;
640
641 if (this->tls->get_version(this->tls) >= TLS_1_2)
642 {
643 /* TODO: use supported algorithms instead of fixed SHA1/RSA */
644 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, &sig))
645 {
646 return FALSE;
647 }
648 writer->write_uint8(writer, 2);
649 writer->write_uint8(writer, 1);
650 writer->write_data16(writer, sig);
651 free(sig.ptr);
652 }
653 else
654 {
655 if (!hash_handshake(this, &hash))
656 {
657 return FALSE;
658 }
659 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig))
660 {
661 free(hash.ptr);
662 return FALSE;
663 }
664 writer->write_data16(writer, sig);
665 free(hash.ptr);
666 free(sig.ptr);
667 }
668 return TRUE;
669 }
670
671 METHOD(tls_crypto_t, verify_handshake, bool,
672 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
673 {
674 if (this->tls->get_version(this->tls) >= TLS_1_2)
675 {
676 u_int8_t hash, alg;
677 chunk_t sig;
678
679 if (!reader->read_uint8(reader, &hash) ||
680 !reader->read_uint8(reader, &alg) ||
681 !reader->read_data16(reader, &sig))
682 {
683 DBG1(DBG_IKE, "received invalid Certificate Verify");
684 return FALSE;
685 }
686 /* TODO: map received hash/sig alg to signature scheme */
687 if (hash != 2 || alg != 1 ||
688 !key->verify(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, sig))
689 {
690 return FALSE;
691 }
692 }
693 else
694 {
695 chunk_t sig, hash;
696
697 if (!reader->read_data16(reader, &sig))
698 {
699 DBG1(DBG_IKE, "received invalid Certificate Verify");
700 return FALSE;
701 }
702 if (!hash_handshake(this, &hash))
703 {
704 return FALSE;
705 }
706 if (!key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
707 {
708 free(hash.ptr);
709 return FALSE;
710 }
711 free(hash.ptr);
712 }
713 return TRUE;
714 }
715
716 METHOD(tls_crypto_t, calculate_finished, bool,
717 private_tls_crypto_t *this, char *label, char out[12])
718 {
719 chunk_t seed;
720
721 if (!this->prf)
722 {
723 return FALSE;
724 }
725 if (!hash_handshake(this, &seed))
726 {
727 return FALSE;
728 }
729 this->prf->get_bytes(this->prf, label, seed, 12, out);
730 free(seed.ptr);
731 return TRUE;
732 }
733
734 METHOD(tls_crypto_t, derive_secrets, void,
735 private_tls_crypto_t *this, chunk_t premaster,
736 chunk_t client_random, chunk_t server_random)
737 {
738 char master[48];
739 chunk_t seed, block, client_write, server_write;
740 int mks, eks = 0, ivs = 0;
741
742 /* derive master secret */
743 seed = chunk_cata("cc", client_random, server_random);
744 this->prf->set_key(this->prf, premaster);
745 this->prf->get_bytes(this->prf, "master secret", seed,
746 sizeof(master), master);
747
748 this->prf->set_key(this->prf, chunk_from_thing(master));
749 memset(master, 0, sizeof(master));
750
751 /* derive key block for key expansion */
752 mks = this->signer_out->get_key_size(this->signer_out);
753 if (this->crypter_out)
754 {
755 eks = this->crypter_out->get_key_size(this->crypter_out);
756 if (this->tls->get_version(this->tls) < TLS_1_1)
757 {
758 ivs = this->crypter_out->get_iv_size(this->crypter_out);
759 }
760 }
761 seed = chunk_cata("cc", server_random, client_random);
762 block = chunk_alloca((mks + eks + ivs) * 2);
763 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
764
765 /* signer keys */
766 client_write = chunk_create(block.ptr, mks);
767 block = chunk_skip(block, mks);
768 server_write = chunk_create(block.ptr, mks);
769 block = chunk_skip(block, mks);
770 if (this->tls->is_server(this->tls))
771 {
772 this->signer_in->set_key(this->signer_in, client_write);
773 this->signer_out->set_key(this->signer_out, server_write);
774 }
775 else
776 {
777 this->signer_out->set_key(this->signer_out, client_write);
778 this->signer_in->set_key(this->signer_in, server_write);
779 }
780
781 /* crypter keys, and IVs if < TLSv1.2 */
782 if (this->crypter_out && this->crypter_in)
783 {
784 client_write = chunk_create(block.ptr, eks);
785 block = chunk_skip(block, eks);
786 server_write = chunk_create(block.ptr, eks);
787 block = chunk_skip(block, eks);
788
789 if (this->tls->is_server(this->tls))
790 {
791 this->crypter_in->set_key(this->crypter_in, client_write);
792 this->crypter_out->set_key(this->crypter_out, server_write);
793 }
794 else
795 {
796 this->crypter_out->set_key(this->crypter_out, client_write);
797 this->crypter_in->set_key(this->crypter_in, server_write);
798 }
799 if (ivs)
800 {
801 client_write = chunk_create(block.ptr, ivs);
802 block = chunk_skip(block, ivs);
803 server_write = chunk_create(block.ptr, ivs);
804 block = chunk_skip(block, ivs);
805
806 if (this->tls->is_server(this->tls))
807 {
808 this->iv_in = chunk_clone(client_write);
809 this->iv_out = chunk_clone(server_write);
810 }
811 else
812 {
813 this->iv_out = chunk_clone(client_write);
814 this->iv_in = chunk_clone(server_write);
815 }
816 }
817 }
818 }
819
820 METHOD(tls_crypto_t, change_cipher, void,
821 private_tls_crypto_t *this, bool inbound)
822 {
823 if (this->protection)
824 {
825 if (inbound)
826 {
827 this->protection->set_cipher(this->protection, TRUE,
828 this->signer_in, this->crypter_in, this->iv_in);
829 }
830 else
831 {
832 this->protection->set_cipher(this->protection, FALSE,
833 this->signer_out, this->crypter_out, this->iv_out);
834 }
835 }
836 }
837
838 METHOD(tls_crypto_t, derive_eap_msk, void,
839 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
840 {
841 chunk_t seed;
842
843 seed = chunk_cata("cc", client_random, server_random);
844 free(this->msk.ptr);
845 this->msk = chunk_alloc(64);
846 this->prf->get_bytes(this->prf, this->msk_label, seed,
847 this->msk.len, this->msk.ptr);
848 }
849
850 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
851 private_tls_crypto_t *this)
852 {
853 return this->msk;
854 }
855
856 METHOD(tls_crypto_t, destroy, void,
857 private_tls_crypto_t *this)
858 {
859 DESTROY_IF(this->signer_in);
860 DESTROY_IF(this->signer_out);
861 DESTROY_IF(this->crypter_in);
862 DESTROY_IF(this->crypter_out);
863 free(this->iv_in.ptr);
864 free(this->iv_out.ptr);
865 free(this->handshake.ptr);
866 free(this->msk.ptr);
867 DESTROY_IF(this->prf);
868 free(this->suites);
869 free(this);
870 }
871
872 /**
873 * See header
874 */
875 tls_crypto_t *tls_crypto_create(tls_t *tls, char *msk_label)
876 {
877 private_tls_crypto_t *this;
878
879 INIT(this,
880 .public = {
881 .get_cipher_suites = _get_cipher_suites,
882 .select_cipher_suite = _select_cipher_suite,
883 .set_protection = _set_protection,
884 .append_handshake = _append_handshake,
885 .sign_handshake = _sign_handshake,
886 .verify_handshake = _verify_handshake,
887 .calculate_finished = _calculate_finished,
888 .derive_secrets = _derive_secrets,
889 .change_cipher = _change_cipher,
890 .derive_eap_msk = _derive_eap_msk,
891 .get_eap_msk = _get_eap_msk,
892 .destroy = _destroy,
893 },
894 .tls = tls,
895 .msk_label = msk_label
896 );
897
898 build_cipher_suite_list(this);
899
900 return &this->public;
901 }