tls: Offer TLS signature schemes in ClientHello in order of preference
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19 #include <plugins/plugin_feature.h>
20
21 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
22 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
23 "TLS_NULL_WITH_NULL_NULL",
24 "TLS_RSA_WITH_NULL_MD5",
25 "TLS_RSA_WITH_NULL_SHA",
26 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
27 "TLS_RSA_WITH_RC4_128_MD5",
28 "TLS_RSA_WITH_RC4_128_SHA",
29 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
30 "TLS_RSA_WITH_IDEA_CBC_SHA",
31 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
32 "TLS_RSA_WITH_DES_CBC_SHA",
33 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
34 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
35 "TLS_DH_DSS_WITH_DES_CBC_SHA",
36 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
37 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_DH_RSA_WITH_DES_CBC_SHA",
39 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
42 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
45 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
47 "TLS_DH_anon_WITH_RC4_128_MD5",
48 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DH_anon_WITH_DES_CBC_SHA",
50 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
51 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
52 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
53 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
54 "TLS_KRB5_WITH_DES_CBC_SHA",
55 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
56 "TLS_KRB5_WITH_RC4_128_SHA",
57 "TLS_KRB5_WITH_IDEA_CBC_SHA",
58 "TLS_KRB5_WITH_DES_CBC_MD5",
59 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
60 "TLS_KRB5_WITH_RC4_128_MD5",
61 "TLS_KRB5_WITH_IDEA_CBC_MD5",
62 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
65 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
67 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
68 "TLS_PSK_WITH_NULL_SHA",
69 "TLS_DHE_PSK_WITH_NULL_SHA",
70 "TLS_RSA_PSK_WITH_NULL_SHA",
71 "TLS_RSA_WITH_AES_128_CBC_SHA",
72 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
73 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
75 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
76 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
77 "TLS_RSA_WITH_AES_256_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
83 "TLS_RSA_WITH_NULL_SHA256",
84 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
85 "TLS_RSA_WITH_AES_256_CBC_SHA256",
86 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
87 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
88 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
89 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
94 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
95 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
96 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
97 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
104 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
105 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
106 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
107 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
108 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
114 "TLS_PSK_WITH_RC4_128_SHA",
115 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
116 "TLS_PSK_WITH_AES_128_CBC_SHA",
117 "TLS_PSK_WITH_AES_256_CBC_SHA",
118 "TLS_DHE_PSK_WITH_RC4_128_SHA",
119 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
121 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
122 "TLS_RSA_PSK_WITH_RC4_128_SHA",
123 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_RSA_WITH_SEED_CBC_SHA",
127 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
128 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
129 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
130 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
131 "TLS_DH_anon_WITH_SEED_CBC_SHA",
132 "TLS_RSA_WITH_AES_128_GCM_SHA256",
133 "TLS_RSA_WITH_AES_256_GCM_SHA384",
134 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
135 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
136 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
137 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
138 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
139 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
140 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
141 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
144 "TLS_PSK_WITH_AES_128_GCM_SHA256",
145 "TLS_PSK_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
148 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
149 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_CBC_SHA256",
151 "TLS_PSK_WITH_AES_256_CBC_SHA384",
152 "TLS_PSK_WITH_NULL_SHA256",
153 "TLS_PSK_WITH_NULL_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
156 "TLS_DHE_PSK_WITH_NULL_SHA256",
157 "TLS_DHE_PSK_WITH_NULL_SHA384",
158 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_RSA_PSK_WITH_NULL_SHA256",
161 "TLS_RSA_PSK_WITH_NULL_SHA384",
162 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
168 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
174 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
176 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
177 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
178 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
179 TLS_ECDHE_PSK_WITH_NULL_SHA384,
180 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
182 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
183 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
185 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
186 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
187 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
188 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
190 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
191 "TLS_ECDH_RSA_WITH_NULL_SHA",
192 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
193 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
195 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
196 "TLS_ECDHE_RSA_WITH_NULL_SHA",
197 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
198 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDH_anon_WITH_NULL_SHA",
202 "TLS_ECDH_anon_WITH_RC4_128_SHA",
203 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
205 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
206 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
209 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
215 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
216 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
217 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
218 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
219 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
220 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
221 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
222 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
223 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
224 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
225 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
226 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
227 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
228 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
229 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
230 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
231 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
232 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
235 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
239 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
240 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
241
242 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
243 "NONE",
244 "MD5",
245 "SHA1",
246 "SHA224",
247 "SHA256",
248 "SHA384",
249 "SHA512",
250 );
251
252 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
253 "RSA",
254 "DSA",
255 "ECDSA",
256 );
257
258 ENUM_BEGIN(tls_client_certificate_type_names,
259 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
260 "RSA_SIGN",
261 "DSA_SIGN",
262 "RSA_FIXED_DH",
263 "DSS_FIXED_DH",
264 "RSA_EPHEMERAL_DH",
265 "DSS_EPHEMERAL_DH");
266 ENUM_NEXT(tls_client_certificate_type_names,
267 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
268 "FORTEZZA_DMS");
269 ENUM_NEXT(tls_client_certificate_type_names,
270 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
271 "ECDSA_SIGN",
272 "RSA_FIXED_ECDH",
273 "ECDSA_FIXED_ECDH");
274 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
275
276 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
277 "EXPLICIT_PRIME",
278 "EXPLICIT_CHAR2",
279 "NAMED_CURVE",
280 );
281
282 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
283 "SECT163K1",
284 "SECT163R1",
285 "SECT163R2",
286 "SECT193R1",
287 "SECT193R2",
288 "SECT233K1",
289 "SECT233R1",
290 "SECT239K1",
291 "SECT283K1",
292 "SECT283R1",
293 "SECT409K1",
294 "SECT409R1",
295 "SECT571K1",
296 "SECT571R1",
297 "SECP160K1",
298 "SECP160R1",
299 "SECP160R2",
300 "SECP192K1",
301 "SECP192R1",
302 "SECP224K1",
303 "SECP224R1",
304 "SECP256K1",
305 "SECP256R1",
306 "SECP384R1",
307 "SECP521R1",
308 );
309
310 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
311 "compressed",
312 "compressed y",
313 "uncompressed",
314 "uncompressed y",
315 "hybrid",
316 "hybrid y",
317 );
318
319 ENUM(tls_ec_point_format_names,
320 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
321 "uncompressed",
322 "ansiX962 compressed prime",
323 "ansiX962 compressed char2",
324 );
325
326 typedef struct private_tls_crypto_t private_tls_crypto_t;
327
328 /**
329 * Private data of an tls_crypto_t object.
330 */
331 struct private_tls_crypto_t {
332
333 /**
334 * Public tls_crypto_t interface.
335 */
336 tls_crypto_t public;
337
338 /**
339 * Protection layer
340 */
341 tls_protection_t *protection;
342
343 /**
344 * List of supported/acceptable cipher suites
345 */
346 tls_cipher_suite_t *suites;
347
348 /**
349 * Number of supported suites
350 */
351 int suite_count;
352
353 /**
354 * Selected cipher suite
355 */
356 tls_cipher_suite_t suite;
357
358 /**
359 * RSA supported?
360 */
361 bool rsa;
362
363 /**
364 * ECDSA supported?
365 */
366 bool ecdsa;
367
368 /**
369 * TLS context
370 */
371 tls_t *tls;
372
373 /**
374 * TLS session cache
375 */
376 tls_cache_t *cache;
377
378 /**
379 * All handshake data concatentated
380 */
381 chunk_t handshake;
382
383 /**
384 * Connection state TLS PRF
385 */
386 tls_prf_t *prf;
387
388 /**
389 * AEAD transform for inbound traffic
390 */
391 tls_aead_t *aead_in;
392
393 /**
394 * AEAD transform for outbound traffic
395 */
396 tls_aead_t *aead_out;
397
398 /**
399 * EAP-[T]TLS MSK
400 */
401 chunk_t msk;
402
403 /**
404 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
405 */
406 char *msk_label;
407 };
408
409 typedef struct {
410 tls_cipher_suite_t suite;
411 key_type_t key;
412 diffie_hellman_group_t dh;
413 hash_algorithm_t hash;
414 pseudo_random_function_t prf;
415 integrity_algorithm_t mac;
416 encryption_algorithm_t encr;
417 size_t encr_size;
418 } suite_algs_t;
419
420 /**
421 * Mapping suites to a set of algorithms
422 */
423 static suite_algs_t suite_algs[] = {
424 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
425 KEY_ECDSA, ECP_256_BIT,
426 HASH_SHA256, PRF_HMAC_SHA2_256,
427 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
428 },
429 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
430 KEY_ECDSA, ECP_256_BIT,
431 HASH_SHA256, PRF_HMAC_SHA2_256,
432 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
433 },
434 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
435 KEY_ECDSA, ECP_384_BIT,
436 HASH_SHA256, PRF_HMAC_SHA2_256,
437 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
438 },
439 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
440 KEY_ECDSA, ECP_384_BIT,
441 HASH_SHA384, PRF_HMAC_SHA2_384,
442 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
443 },
444 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
445 KEY_ECDSA, ECP_256_BIT,
446 HASH_SHA256, PRF_HMAC_SHA2_256,
447 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
448 },
449 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
450 KEY_ECDSA, ECP_384_BIT,
451 HASH_SHA384, PRF_HMAC_SHA2_384,
452 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
453 },
454 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
455 KEY_RSA, ECP_256_BIT,
456 HASH_SHA256, PRF_HMAC_SHA2_256,
457 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
458 },
459 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
460 KEY_RSA, ECP_256_BIT,
461 HASH_SHA256, PRF_HMAC_SHA2_256,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
463 },
464 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
465 KEY_RSA, ECP_384_BIT,
466 HASH_SHA256, PRF_HMAC_SHA2_256,
467 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
468 },
469 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
470 KEY_RSA, ECP_384_BIT,
471 HASH_SHA384, PRF_HMAC_SHA2_384,
472 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
473 },
474 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
475 KEY_RSA, ECP_256_BIT,
476 HASH_SHA256, PRF_HMAC_SHA2_256,
477 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
478 },
479 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
480 KEY_RSA, ECP_384_BIT,
481 HASH_SHA384, PRF_HMAC_SHA2_384,
482 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
483 },
484 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
485 KEY_RSA, MODP_2048_BIT,
486 HASH_SHA256,PRF_HMAC_SHA2_256,
487 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
488 },
489 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
490 KEY_RSA, MODP_3072_BIT,
491 HASH_SHA256, PRF_HMAC_SHA2_256,
492 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
493 },
494 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
495 KEY_RSA, MODP_3072_BIT,
496 HASH_SHA256, PRF_HMAC_SHA2_256,
497 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
498 },
499 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
500 KEY_RSA, MODP_4096_BIT,
501 HASH_SHA256, PRF_HMAC_SHA2_256,
502 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
503 },
504 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
505 KEY_RSA, MODP_3072_BIT,
506 HASH_SHA256, PRF_HMAC_SHA2_256,
507 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
508 },
509 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
510 KEY_RSA, MODP_4096_BIT,
511 HASH_SHA384, PRF_HMAC_SHA2_384,
512 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
513 },
514 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
515 KEY_RSA, MODP_2048_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
518 },
519 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
520 KEY_RSA, MODP_3072_BIT,
521 HASH_SHA256, PRF_HMAC_SHA2_256,
522 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
523 },
524 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
525 KEY_RSA, MODP_3072_BIT,
526 HASH_SHA256, PRF_HMAC_SHA2_256,
527 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
528 },
529 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
530 KEY_RSA, MODP_4096_BIT,
531 HASH_SHA256, PRF_HMAC_SHA2_256,
532 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
533 },
534 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
535 KEY_RSA, MODP_2048_BIT,
536 HASH_SHA256, PRF_HMAC_SHA2_256,
537 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
538 },
539 { TLS_RSA_WITH_AES_128_CBC_SHA,
540 KEY_RSA, MODP_NONE,
541 HASH_SHA256, PRF_HMAC_SHA2_256,
542 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
543 },
544 { TLS_RSA_WITH_AES_128_CBC_SHA256,
545 KEY_RSA, MODP_NONE,
546 HASH_SHA256, PRF_HMAC_SHA2_256,
547 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
548 },
549 { TLS_RSA_WITH_AES_256_CBC_SHA,
550 KEY_RSA, MODP_NONE,
551 HASH_SHA256, PRF_HMAC_SHA2_256,
552 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
553 },
554 { TLS_RSA_WITH_AES_256_CBC_SHA256,
555 KEY_RSA, MODP_NONE,
556 HASH_SHA256, PRF_HMAC_SHA2_256,
557 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
558 },
559 { TLS_RSA_WITH_AES_128_GCM_SHA256,
560 KEY_RSA, MODP_NONE,
561 HASH_SHA256, PRF_HMAC_SHA2_256,
562 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
563 },
564 { TLS_RSA_WITH_AES_256_GCM_SHA384,
565 KEY_RSA, MODP_NONE,
566 HASH_SHA384, PRF_HMAC_SHA2_384,
567 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
568 },
569 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
570 KEY_RSA, MODP_NONE,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
573 },
574 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
575 KEY_RSA, MODP_NONE,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
578 },
579 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
580 KEY_RSA, MODP_NONE,
581 HASH_SHA256, PRF_HMAC_SHA2_256,
582 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
583 },
584 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
585 KEY_RSA, MODP_NONE,
586 HASH_SHA256, PRF_HMAC_SHA2_256,
587 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
588 },
589 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
590 KEY_ECDSA, ECP_256_BIT,
591 HASH_SHA256, PRF_HMAC_SHA2_256,
592 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
593 },
594 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
595 KEY_RSA, ECP_256_BIT,
596 HASH_SHA256, PRF_HMAC_SHA2_256,
597 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
598 },
599 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
600 KEY_RSA, MODP_NONE,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
603 },
604 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
605 KEY_ECDSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
608 },
609 { TLS_ECDHE_RSA_WITH_NULL_SHA,
610 KEY_ECDSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
613 },
614 { TLS_RSA_WITH_NULL_SHA,
615 KEY_RSA, MODP_NONE,
616 HASH_SHA256, PRF_HMAC_SHA2_256,
617 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
618 },
619 { TLS_RSA_WITH_NULL_SHA256,
620 KEY_RSA, MODP_NONE,
621 HASH_SHA256, PRF_HMAC_SHA2_256,
622 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
623 },
624 { TLS_RSA_WITH_NULL_MD5,
625 KEY_RSA, MODP_NONE,
626 HASH_SHA256, PRF_HMAC_SHA2_256,
627 AUTH_HMAC_MD5_128, ENCR_NULL, 0
628 },
629 };
630
631 /**
632 * Look up algorithms by a suite
633 */
634 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
635 {
636 int i;
637
638 for (i = 0; i < countof(suite_algs); i++)
639 {
640 if (suite_algs[i].suite == suite)
641 {
642 return &suite_algs[i];
643 }
644 }
645 return NULL;
646 }
647
648 /**
649 * Filter a suite list using a transform enumerator
650 */
651 static void filter_suite(private_tls_crypto_t *this, bool aead,
652 suite_algs_t suites[], int *count, int offset,
653 enumerator_t*(*create_enumerator)(crypto_factory_t*))
654 {
655 const char *plugin_name;
656 suite_algs_t current;
657 int *current_alg, i, remaining = 0;
658 enumerator_t *enumerator;
659
660 memset(&current, 0, sizeof(current));
661 current_alg = (int*)((char*)&current + offset);
662
663 for (i = 0; i < *count; i++)
664 {
665 enumerator = create_enumerator(lib->crypto);
666 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
667 {
668 if ((suites[i].encr == ENCR_NULL ||
669 aead != encryption_algorithm_is_aead(suites[i].encr) ||
670 !current.encr || current.encr == suites[i].encr) &&
671 (suites[i].mac == AUTH_UNDEFINED ||
672 !current.mac || current.mac == suites[i].mac) &&
673 (!current.prf || current.prf == suites[i].prf) &&
674 (!current.hash || current.hash == suites[i].hash) &&
675 (suites[i].dh == MODP_NONE ||
676 !current.dh || current.dh == suites[i].dh))
677 {
678 suites[remaining] = suites[i];
679 remaining++;
680 break;
681 }
682 }
683 enumerator->destroy(enumerator);
684 }
685 *count = remaining;
686 }
687
688 /**
689 * Purge NULL encryption cipher suites from list
690 */
691 static void filter_null_suites(private_tls_crypto_t *this,
692 suite_algs_t suites[], int *count)
693 {
694 int i, remaining = 0;
695
696 for (i = 0; i < *count; i++)
697 {
698 if (suites[i].encr != ENCR_NULL)
699 {
700 suites[remaining] = suites[i];
701 remaining++;
702 }
703 }
704 *count = remaining;
705 }
706
707 /**
708 * Purge suites using a given key type
709 */
710 static void filter_key_suites(private_tls_crypto_t *this,
711 suite_algs_t suites[], int *count, key_type_t key)
712 {
713 int i, remaining = 0;
714
715 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
716 for (i = 0; i < *count; i++)
717 {
718 if (suites[i].key != key)
719 {
720 suites[remaining] = suites[i];
721 remaining++;
722 }
723 }
724 *count = remaining;
725 }
726
727 /**
728 * Filter suites by key exchange user config
729 */
730 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
731 suite_algs_t suites[], int *count)
732 {
733 enumerator_t *enumerator;
734 int i, remaining = 0;
735 char *token, *config;
736
737 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
738 lib->ns);
739 if (config)
740 {
741 for (i = 0; i < *count; i++)
742 {
743 enumerator = enumerator_create_token(config, ",", " ");
744 while (enumerator->enumerate(enumerator, &token))
745 {
746 if (strcaseeq(token, "ecdhe-ecdsa") &&
747 diffie_hellman_group_is_ec(suites[i].dh) &&
748 suites[i].key == KEY_ECDSA)
749 {
750 suites[remaining++] = suites[i];
751 break;
752 }
753 if (strcaseeq(token, "ecdhe-rsa") &&
754 diffie_hellman_group_is_ec(suites[i].dh) &&
755 suites[i].key == KEY_RSA)
756 {
757 suites[remaining++] = suites[i];
758 break;
759 }
760 if (strcaseeq(token, "dhe-rsa") &&
761 !diffie_hellman_group_is_ec(suites[i].dh) &&
762 suites[i].dh != MODP_NONE &&
763 suites[i].key == KEY_RSA)
764 {
765 suites[remaining++] = suites[i];
766 break;
767 }
768 if (strcaseeq(token, "rsa") &&
769 suites[i].dh == MODP_NONE &&
770 suites[i].key == KEY_RSA)
771 {
772 suites[remaining++] = suites[i];
773 break;
774 }
775 }
776 enumerator->destroy(enumerator);
777 }
778 *count = remaining;
779 }
780 }
781
782 /**
783 * Filter suites by cipher user config
784 */
785 static void filter_cipher_config_suites(private_tls_crypto_t *this,
786 suite_algs_t suites[], int *count)
787 {
788 enumerator_t *enumerator;
789 int i, remaining = 0;
790 char *token, *config;
791
792 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
793 lib->ns);
794 if (config)
795 {
796 for (i = 0; i < *count; i++)
797 {
798 enumerator = enumerator_create_token(config, ",", " ");
799 while (enumerator->enumerate(enumerator, &token))
800 {
801 if (strcaseeq(token, "aes128") &&
802 suites[i].encr == ENCR_AES_CBC &&
803 suites[i].encr_size == 16)
804 {
805 suites[remaining++] = suites[i];
806 break;
807 }
808 if (strcaseeq(token, "aes256") &&
809 suites[i].encr == ENCR_AES_CBC &&
810 suites[i].encr_size == 32)
811 {
812 suites[remaining++] = suites[i];
813 break;
814 }
815 if (strcaseeq(token, "aes128gcm") &&
816 suites[i].encr == ENCR_AES_GCM_ICV16 &&
817 suites[i].encr_size == 16)
818 {
819 suites[remaining++] = suites[i];
820 break;
821 }
822 if (strcaseeq(token, "aes256gcm") &&
823 suites[i].encr == ENCR_AES_GCM_ICV16 &&
824 suites[i].encr_size == 32)
825 {
826 suites[remaining++] = suites[i];
827 break;
828 }
829 if (strcaseeq(token, "camellia128") &&
830 suites[i].encr == ENCR_CAMELLIA_CBC &&
831 suites[i].encr_size == 16)
832 {
833 suites[remaining++] = suites[i];
834 break;
835 }
836 if (strcaseeq(token, "camellia256") &&
837 suites[i].encr == ENCR_CAMELLIA_CBC &&
838 suites[i].encr_size == 32)
839 {
840 suites[remaining++] = suites[i];
841 break;
842 }
843 if (strcaseeq(token, "3des") &&
844 suites[i].encr == ENCR_3DES)
845 {
846 suites[remaining++] = suites[i];
847 break;
848 }
849 if (strcaseeq(token, "null") &&
850 suites[i].encr == ENCR_NULL)
851 {
852 suites[remaining++] = suites[i];
853 break;
854 }
855 }
856 enumerator->destroy(enumerator);
857 }
858 *count = remaining;
859 }
860 }
861
862 /**
863 * Filter suites by mac user config
864 */
865 static void filter_mac_config_suites(private_tls_crypto_t *this,
866 suite_algs_t suites[], int *count)
867 {
868 enumerator_t *enumerator;
869 int i, remaining = 0;
870 char *token, *config;
871
872 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
873 lib->ns);
874 if (config)
875 {
876 for (i = 0; i < *count; i++)
877 {
878 enumerator = enumerator_create_token(config, ",", " ");
879 while (enumerator->enumerate(enumerator, &token))
880 {
881 if (strcaseeq(token, "md5") &&
882 suites[i].mac == AUTH_HMAC_MD5_128)
883 {
884 suites[remaining++] = suites[i];
885 break;
886 }
887 if (strcaseeq(token, "sha1") &&
888 suites[i].mac == AUTH_HMAC_SHA1_160)
889 {
890 suites[remaining++] = suites[i];
891 break;
892 }
893 if (strcaseeq(token, "sha256") &&
894 suites[i].mac == AUTH_HMAC_SHA2_256_256)
895 {
896 suites[remaining++] = suites[i];
897 break;
898 }
899 if (strcaseeq(token, "sha384") &&
900 suites[i].mac == AUTH_HMAC_SHA2_384_384)
901 {
902 suites[remaining++] = suites[i];
903 break;
904 }
905 }
906 enumerator->destroy(enumerator);
907 }
908 *count = remaining;
909 }
910 }
911
912 /**
913 * Filter for specific suites specified in strongswan.conf
914 */
915 static void filter_specific_config_suites(private_tls_crypto_t *this,
916 suite_algs_t suites[], int *count)
917 {
918 enumerator_t *enumerator;
919 int i, remaining = 0, suite;
920 char *token, *config;
921
922 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
923 lib->ns);
924 if (config)
925 {
926 for (i = 0; i < *count; i++)
927 {
928 enumerator = enumerator_create_token(config, ",", " ");
929 while (enumerator->enumerate(enumerator, &token))
930 {
931 suite = enum_from_name(tls_cipher_suite_names, token);
932 if (suite == suites[i].suite)
933 {
934 suites[remaining++] = suites[i];
935 break;
936 }
937 }
938 enumerator->destroy(enumerator);
939 }
940 *count = remaining;
941 }
942 }
943
944 /**
945 * Initialize the cipher suite list
946 */
947 static void build_cipher_suite_list(private_tls_crypto_t *this,
948 bool require_encryption)
949 {
950 suite_algs_t suites[countof(suite_algs)];
951 int count = countof(suite_algs), i;
952
953 /* copy all suites */
954 for (i = 0; i < count; i++)
955 {
956 suites[i] = suite_algs[i];
957 }
958 if (require_encryption)
959 {
960 filter_null_suites(this, suites, &count);
961 }
962 if (!this->rsa)
963 {
964 filter_key_suites(this, suites, &count, KEY_RSA);
965 }
966 if (!this->ecdsa)
967 {
968 filter_key_suites(this, suites, &count, KEY_ECDSA);
969 }
970
971 /* filter suite list by each algorithm */
972 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, encr),
973 lib->crypto->create_crypter_enumerator);
974 filter_suite(this, TRUE, suites, &count, offsetof(suite_algs_t, encr),
975 lib->crypto->create_aead_enumerator);
976 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, mac),
977 lib->crypto->create_signer_enumerator);
978 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, prf),
979 lib->crypto->create_prf_enumerator);
980 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, hash),
981 lib->crypto->create_hasher_enumerator);
982 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, dh),
983 lib->crypto->create_dh_enumerator);
984
985 /* filter suites with strongswan.conf options */
986 filter_key_exchange_config_suites(this, suites, &count);
987 filter_cipher_config_suites(this, suites, &count);
988 filter_mac_config_suites(this, suites, &count);
989 filter_specific_config_suites(this, suites, &count);
990
991 free(this->suites);
992 this->suite_count = count;
993 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
994
995 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
996 for (i = 0; i < count; i++)
997 {
998 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
999 this->suites[i] = suites[i].suite;
1000 }
1001 }
1002
1003 METHOD(tls_crypto_t, get_cipher_suites, int,
1004 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1005 {
1006 *suites = this->suites;
1007 return this->suite_count;
1008 }
1009
1010 /**
1011 * Create NULL encryption transforms
1012 */
1013 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1014 {
1015 this->aead_in = tls_aead_create_null(algs->mac);
1016 this->aead_out = tls_aead_create_null(algs->mac);
1017 if (!this->aead_in || !this->aead_out)
1018 {
1019 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1020 integrity_algorithm_names, algs->mac);
1021 return FALSE;
1022 }
1023 return TRUE;
1024 }
1025
1026 /**
1027 * Create traditional transforms
1028 */
1029 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1030 {
1031 if (this->tls->get_version(this->tls) < TLS_1_1)
1032 {
1033 this->aead_in = tls_aead_create_implicit(algs->mac,
1034 algs->encr, algs->encr_size);
1035 this->aead_out = tls_aead_create_implicit(algs->mac,
1036 algs->encr, algs->encr_size);
1037 }
1038 else
1039 {
1040 this->aead_in = tls_aead_create_explicit(algs->mac,
1041 algs->encr, algs->encr_size);
1042 this->aead_out = tls_aead_create_explicit(algs->mac,
1043 algs->encr, algs->encr_size);
1044 }
1045 if (!this->aead_in || !this->aead_out)
1046 {
1047 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1048 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1049 integrity_algorithm_names, algs->mac);
1050 return FALSE;
1051 }
1052 return TRUE;
1053 }
1054
1055 /**
1056 * Create AEAD transforms
1057 */
1058 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1059 {
1060 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1061 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1062 if (!this->aead_in || !this->aead_out)
1063 {
1064 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1065 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1066 return FALSE;
1067 }
1068 return TRUE;
1069 }
1070
1071 /**
1072 * Clean up and unset AEAD transforms
1073 */
1074 static void destroy_aeads(private_tls_crypto_t *this)
1075 {
1076 DESTROY_IF(this->aead_in);
1077 DESTROY_IF(this->aead_out);
1078 this->aead_in = this->aead_out = NULL;
1079 }
1080
1081 /**
1082 * Create crypto primitives
1083 */
1084 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1085 {
1086 destroy_aeads(this);
1087 DESTROY_IF(this->prf);
1088 if (this->tls->get_version(this->tls) < TLS_1_2)
1089 {
1090 this->prf = tls_prf_create_10();
1091 }
1092 else
1093 {
1094 this->prf = tls_prf_create_12(algs->prf);
1095 }
1096 if (!this->prf)
1097 {
1098 DBG1(DBG_TLS, "selected TLS PRF not supported");
1099 return FALSE;
1100 }
1101 if (algs->encr == ENCR_NULL)
1102 {
1103 if (create_null(this, algs))
1104 {
1105 return TRUE;
1106 }
1107 }
1108 else if (encryption_algorithm_is_aead(algs->encr))
1109 {
1110 if (create_aead(this, algs))
1111 {
1112 return TRUE;
1113 }
1114 }
1115 else
1116 {
1117 if (create_traditional(this, algs))
1118 {
1119 return TRUE;
1120 }
1121 }
1122 destroy_aeads(this);
1123 return FALSE;
1124 }
1125
1126 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1127 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1128 key_type_t key)
1129 {
1130 suite_algs_t *algs;
1131 int i, j;
1132
1133 for (i = 0; i < this->suite_count; i++)
1134 {
1135 for (j = 0; j < count; j++)
1136 {
1137 if (this->suites[i] == suites[j])
1138 {
1139 algs = find_suite(this->suites[i]);
1140 if (algs)
1141 {
1142 if (key == KEY_ANY || key == algs->key)
1143 {
1144 if (create_ciphers(this, algs))
1145 {
1146 this->suite = this->suites[i];
1147 return this->suite;
1148 }
1149 }
1150 }
1151 }
1152 }
1153 }
1154 return 0;
1155 }
1156
1157 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1158 private_tls_crypto_t *this)
1159 {
1160 suite_algs_t *algs;
1161
1162 algs = find_suite(this->suite);
1163 if (algs)
1164 {
1165 return algs->dh;
1166 }
1167 return MODP_NONE;
1168 }
1169
1170 /**
1171 * Map signature schemes to TLS key types and hashes, ordered by preference
1172 */
1173 static struct {
1174 tls_signature_algorithm_t sig;
1175 tls_hash_algorithm_t hash;
1176 signature_scheme_t scheme;
1177 } schemes[] = {
1178 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1179 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1180 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1181 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1182 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA256 },
1183 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA384 },
1184 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA512 },
1185 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA224 },
1186 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1187 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1188 };
1189
1190 METHOD(tls_crypto_t, get_signature_algorithms, void,
1191 private_tls_crypto_t *this, bio_writer_t *writer)
1192 {
1193 bio_writer_t *supported;
1194 int i;
1195
1196 supported = bio_writer_create(32);
1197
1198 for (i = 0; i < countof(schemes); i++)
1199 {
1200 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1201 {
1202 continue;
1203 }
1204 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1205 {
1206 continue;
1207 }
1208 if (!lib->plugins->has_feature(lib->plugins,
1209 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1210 {
1211 continue;
1212 }
1213 supported->write_uint8(supported, schemes[i].hash);
1214 supported->write_uint8(supported, schemes[i].sig);
1215 }
1216
1217 supported->wrap16(supported);
1218 writer->write_data16(writer, supported->get_buf(supported));
1219 supported->destroy(supported);
1220 }
1221
1222 /**
1223 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1224 */
1225 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1226 tls_hash_algorithm_t hash,
1227 tls_signature_algorithm_t sig)
1228 {
1229 int i;
1230
1231 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1232 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1233 {
1234 for (i = 0; i < countof(schemes); i++)
1235 {
1236 if (schemes[i].sig == sig && schemes[i].hash == hash)
1237 {
1238 return schemes[i].scheme;
1239 }
1240 }
1241 }
1242 return SIGN_UNKNOWN;
1243 }
1244
1245 /**
1246 * Mapping groups to TLS named curves
1247 */
1248 static struct {
1249 diffie_hellman_group_t group;
1250 tls_named_curve_t curve;
1251 } curves[] = {
1252 { ECP_256_BIT, TLS_SECP256R1},
1253 { ECP_384_BIT, TLS_SECP384R1},
1254 { ECP_521_BIT, TLS_SECP521R1},
1255 { ECP_224_BIT, TLS_SECP224R1},
1256 { ECP_192_BIT, TLS_SECP192R1},
1257 };
1258
1259 /**
1260 * Filter EC groups, add TLS curve
1261 */
1262 static bool group_filter(void *null,
1263 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1264 void* dummy1, tls_named_curve_t *curve)
1265 {
1266 int i;
1267
1268 for (i = 0; i < countof(curves); i++)
1269 {
1270 if (curves[i].group == *in)
1271 {
1272 if (out)
1273 {
1274 *out = curves[i].group;
1275 }
1276 if (curve)
1277 {
1278 *curve = curves[i].curve;
1279 }
1280 return TRUE;
1281 }
1282 }
1283 return FALSE;
1284 }
1285
1286 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1287 private_tls_crypto_t *this)
1288 {
1289 return enumerator_create_filter(
1290 lib->crypto->create_dh_enumerator(lib->crypto),
1291 (void*)group_filter, NULL, NULL);
1292 }
1293
1294 METHOD(tls_crypto_t, set_protection, void,
1295 private_tls_crypto_t *this, tls_protection_t *protection)
1296 {
1297 this->protection = protection;
1298 }
1299
1300 METHOD(tls_crypto_t, append_handshake, void,
1301 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1302 {
1303 u_int32_t header;
1304
1305 /* reconstruct handshake header */
1306 header = htonl(data.len | (type << 24));
1307 this->handshake = chunk_cat("mcc", this->handshake,
1308 chunk_from_thing(header), data);
1309 }
1310
1311 /**
1312 * Create a hash using the suites HASH algorithm
1313 */
1314 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1315 {
1316 if (this->tls->get_version(this->tls) >= TLS_1_2)
1317 {
1318 hasher_t *hasher;
1319 suite_algs_t *alg;
1320
1321 alg = find_suite(this->suite);
1322 if (!alg)
1323 {
1324 return FALSE;
1325 }
1326 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1327 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1328 {
1329 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1330 DESTROY_IF(hasher);
1331 return FALSE;
1332 }
1333 hasher->destroy(hasher);
1334 }
1335 else
1336 {
1337 hasher_t *md5, *sha1;
1338 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1339
1340 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1341 if (!md5 || !md5->get_hash(md5, data, buf))
1342 {
1343 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1344 DESTROY_IF(md5);
1345 return FALSE;
1346 }
1347 md5->destroy(md5);
1348 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1349 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1350 {
1351 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1352 DESTROY_IF(sha1);
1353 return FALSE;
1354 }
1355 sha1->destroy(sha1);
1356
1357 *hash = chunk_clone(chunk_from_thing(buf));
1358 }
1359 return TRUE;
1360 }
1361
1362 METHOD(tls_crypto_t, sign, bool,
1363 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1364 chunk_t data, chunk_t hashsig)
1365 {
1366 if (this->tls->get_version(this->tls) >= TLS_1_2)
1367 {
1368 signature_scheme_t scheme;
1369 bio_reader_t *reader;
1370 u_int8_t hash, alg;
1371 chunk_t sig;
1372 bool done = FALSE;
1373
1374 if (!hashsig.len)
1375 { /* fallback if none given */
1376 hashsig = chunk_from_chars(
1377 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1378 }
1379 reader = bio_reader_create(hashsig);
1380 while (reader->remaining(reader) >= 2)
1381 {
1382 if (reader->read_uint8(reader, &hash) &&
1383 reader->read_uint8(reader, &alg))
1384 {
1385 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1386 if (scheme != SIGN_UNKNOWN &&
1387 key->sign(key, scheme, data, &sig))
1388 {
1389 done = TRUE;
1390 break;
1391 }
1392 }
1393 }
1394 reader->destroy(reader);
1395 if (!done)
1396 {
1397 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1398 return FALSE;
1399 }
1400 DBG2(DBG_TLS, "created signature with %N/%N",
1401 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1402 writer->write_uint8(writer, hash);
1403 writer->write_uint8(writer, alg);
1404 writer->write_data16(writer, sig);
1405 free(sig.ptr);
1406 }
1407 else
1408 {
1409 chunk_t sig, hash;
1410 bool done;
1411
1412 switch (key->get_type(key))
1413 {
1414 case KEY_RSA:
1415 if (!hash_data(this, data, &hash))
1416 {
1417 return FALSE;
1418 }
1419 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1420 free(hash.ptr);
1421 if (!done)
1422 {
1423 return FALSE;
1424 }
1425 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1426 break;
1427 case KEY_ECDSA:
1428 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1429 {
1430 return FALSE;
1431 }
1432 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1433 break;
1434 default:
1435 return FALSE;
1436 }
1437 writer->write_data16(writer, sig);
1438 free(sig.ptr);
1439 }
1440 return TRUE;
1441 }
1442
1443 METHOD(tls_crypto_t, verify, bool,
1444 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1445 chunk_t data)
1446 {
1447 if (this->tls->get_version(this->tls) >= TLS_1_2)
1448 {
1449 signature_scheme_t scheme = SIGN_UNKNOWN;
1450 u_int8_t hash, alg;
1451 chunk_t sig;
1452
1453 if (!reader->read_uint8(reader, &hash) ||
1454 !reader->read_uint8(reader, &alg) ||
1455 !reader->read_data16(reader, &sig))
1456 {
1457 DBG1(DBG_TLS, "received invalid signature");
1458 return FALSE;
1459 }
1460 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1461 if (scheme == SIGN_UNKNOWN)
1462 {
1463 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1464 tls_hash_algorithm_names, hash,
1465 tls_signature_algorithm_names, alg);
1466 return FALSE;
1467 }
1468 if (!key->verify(key, scheme, data, sig))
1469 {
1470 return FALSE;
1471 }
1472 DBG2(DBG_TLS, "verified signature with %N/%N",
1473 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1474 }
1475 else
1476 {
1477 chunk_t sig, hash;
1478 bool done;
1479
1480 if (!reader->read_data16(reader, &sig))
1481 {
1482 DBG1(DBG_TLS, "received invalid signature");
1483 return FALSE;
1484 }
1485 switch (key->get_type(key))
1486 {
1487 case KEY_RSA:
1488 if (!hash_data(this, data, &hash))
1489 {
1490 return FALSE;
1491 }
1492 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1493 free(hash.ptr);
1494 if (!done)
1495 {
1496 return FALSE;
1497 }
1498 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1499 break;
1500 case KEY_ECDSA:
1501 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1502 {
1503 return FALSE;
1504 }
1505 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1506 break;
1507 default:
1508 return FALSE;
1509 }
1510 }
1511 return TRUE;
1512 }
1513
1514 METHOD(tls_crypto_t, sign_handshake, bool,
1515 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1516 chunk_t hashsig)
1517 {
1518 return sign(this, key, writer, this->handshake, hashsig);
1519 }
1520
1521 METHOD(tls_crypto_t, verify_handshake, bool,
1522 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1523 {
1524 return verify(this, key, reader, this->handshake);
1525 }
1526
1527 METHOD(tls_crypto_t, calculate_finished, bool,
1528 private_tls_crypto_t *this, char *label, char out[12])
1529 {
1530 chunk_t seed;
1531
1532 if (!this->prf)
1533 {
1534 return FALSE;
1535 }
1536 if (!hash_data(this, this->handshake, &seed))
1537 {
1538 return FALSE;
1539 }
1540 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1541 {
1542 free(seed.ptr);
1543 return FALSE;
1544 }
1545 free(seed.ptr);
1546 return TRUE;
1547 }
1548
1549 /**
1550 * Derive master secret from premaster, optionally save session
1551 */
1552 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1553 chunk_t session, identification_t *id,
1554 chunk_t client_random, chunk_t server_random)
1555 {
1556 char master[48];
1557 chunk_t seed;
1558
1559 /* derive master secret */
1560 seed = chunk_cata("cc", client_random, server_random);
1561
1562 if (!this->prf->set_key(this->prf, premaster) ||
1563 !this->prf->get_bytes(this->prf, "master secret", seed,
1564 sizeof(master), master) ||
1565 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1566 {
1567 return FALSE;
1568 }
1569
1570 if (this->cache && session.len)
1571 {
1572 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1573 this->suite);
1574 }
1575 memwipe(master, sizeof(master));
1576 return TRUE;
1577 }
1578
1579 /**
1580 * Expand key material from master secret
1581 */
1582 static bool expand_keys(private_tls_crypto_t *this,
1583 chunk_t client_random, chunk_t server_random)
1584 {
1585 chunk_t seed, block;
1586 chunk_t cw_mac, cw, cw_iv;
1587 chunk_t sw_mac, sw, sw_iv;
1588 int mklen, eklen, ivlen;
1589
1590 if (!this->aead_in || !this->aead_out)
1591 {
1592 return FALSE;
1593 }
1594
1595 /* derive key block for key expansion */
1596 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1597 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1598 ivlen = this->aead_in->get_iv_size(this->aead_in);
1599 seed = chunk_cata("cc", server_random, client_random);
1600 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1601 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1602 block.len, block.ptr))
1603 {
1604 return FALSE;
1605 }
1606
1607 /* client/server write signer keys */
1608 cw_mac = chunk_create(block.ptr, mklen);
1609 block = chunk_skip(block, mklen);
1610 sw_mac = chunk_create(block.ptr, mklen);
1611 block = chunk_skip(block, mklen);
1612
1613 /* client/server write encryption keys */
1614 cw = chunk_create(block.ptr, eklen);
1615 block = chunk_skip(block, eklen);
1616 sw = chunk_create(block.ptr, eklen);
1617 block = chunk_skip(block, eklen);
1618
1619 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1620 cw_iv = chunk_create(block.ptr, ivlen);
1621 block = chunk_skip(block, ivlen);
1622 sw_iv = chunk_create(block.ptr, ivlen);
1623 block = chunk_skip(block, ivlen);
1624
1625 if (this->tls->is_server(this->tls))
1626 {
1627 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1628 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1629 {
1630 return FALSE;
1631 }
1632 }
1633 else
1634 {
1635 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1636 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1637 {
1638 return FALSE;
1639 }
1640 }
1641
1642 /* EAP-MSK */
1643 if (this->msk_label)
1644 {
1645 seed = chunk_cata("cc", client_random, server_random);
1646 this->msk = chunk_alloc(64);
1647 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1648 this->msk.len, this->msk.ptr))
1649 {
1650 return FALSE;
1651 }
1652 }
1653 return TRUE;
1654 }
1655
1656 METHOD(tls_crypto_t, derive_secrets, bool,
1657 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1658 identification_t *id, chunk_t client_random, chunk_t server_random)
1659 {
1660 return derive_master(this, premaster, session, id,
1661 client_random, server_random) &&
1662 expand_keys(this, client_random, server_random);
1663 }
1664
1665 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1666 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1667 chunk_t client_random, chunk_t server_random)
1668 {
1669 chunk_t master;
1670
1671 if (this->cache && session.len)
1672 {
1673 this->suite = this->cache->lookup(this->cache, session, id, &master);
1674 if (this->suite)
1675 {
1676 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1677 if (this->suite)
1678 {
1679 if (!this->prf->set_key(this->prf, master) ||
1680 !expand_keys(this, client_random, server_random))
1681 {
1682 this->suite = 0;
1683 }
1684 }
1685 chunk_clear(&master);
1686 }
1687 return this->suite;
1688 }
1689 return 0;
1690 }
1691
1692 METHOD(tls_crypto_t, get_session, chunk_t,
1693 private_tls_crypto_t *this, identification_t *server)
1694 {
1695 if (this->cache)
1696 {
1697 return this->cache->check(this->cache, server);
1698 }
1699 return chunk_empty;
1700 }
1701
1702 METHOD(tls_crypto_t, change_cipher, void,
1703 private_tls_crypto_t *this, bool inbound)
1704 {
1705 if (this->protection)
1706 {
1707 if (inbound)
1708 {
1709 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1710 }
1711 else
1712 {
1713 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1714 }
1715 }
1716 }
1717
1718 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1719 private_tls_crypto_t *this)
1720 {
1721 return this->msk;
1722 }
1723
1724 METHOD(tls_crypto_t, destroy, void,
1725 private_tls_crypto_t *this)
1726 {
1727 destroy_aeads(this);
1728 free(this->handshake.ptr);
1729 free(this->msk.ptr);
1730 DESTROY_IF(this->prf);
1731 free(this->suites);
1732 free(this);
1733 }
1734
1735 /**
1736 * See header
1737 */
1738 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1739 {
1740 private_tls_crypto_t *this;
1741 enumerator_t *enumerator;
1742 credential_type_t type;
1743 int subtype;
1744
1745 INIT(this,
1746 .public = {
1747 .get_cipher_suites = _get_cipher_suites,
1748 .select_cipher_suite = _select_cipher_suite,
1749 .get_dh_group = _get_dh_group,
1750 .get_signature_algorithms = _get_signature_algorithms,
1751 .create_ec_enumerator = _create_ec_enumerator,
1752 .set_protection = _set_protection,
1753 .append_handshake = _append_handshake,
1754 .sign = _sign,
1755 .verify = _verify,
1756 .sign_handshake = _sign_handshake,
1757 .verify_handshake = _verify_handshake,
1758 .calculate_finished = _calculate_finished,
1759 .derive_secrets = _derive_secrets,
1760 .resume_session = _resume_session,
1761 .get_session = _get_session,
1762 .change_cipher = _change_cipher,
1763 .get_eap_msk = _get_eap_msk,
1764 .destroy = _destroy,
1765 },
1766 .tls = tls,
1767 .cache = cache,
1768 );
1769
1770 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1771 while (enumerator->enumerate(enumerator, &type, &subtype))
1772 {
1773 if (type == CRED_PUBLIC_KEY)
1774 {
1775 switch (subtype)
1776 {
1777 case KEY_RSA:
1778 this->rsa = TRUE;
1779 break;
1780 case KEY_ECDSA:
1781 this->ecdsa = TRUE;
1782 break;
1783 default:
1784 break;
1785 }
1786 }
1787 }
1788 enumerator->destroy(enumerator);
1789
1790 switch (tls->get_purpose(tls))
1791 {
1792 case TLS_PURPOSE_EAP_TLS:
1793 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1794 this->msk_label = "client EAP encryption";
1795 build_cipher_suite_list(this, FALSE);
1796 break;
1797 case TLS_PURPOSE_EAP_PEAP:
1798 this->msk_label = "client EAP encryption";
1799 build_cipher_suite_list(this, TRUE);
1800 break;
1801 case TLS_PURPOSE_EAP_TTLS:
1802 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1803 this->msk_label = "ttls keying material";
1804 build_cipher_suite_list(this, TRUE);
1805 break;
1806 case TLS_PURPOSE_GENERIC:
1807 build_cipher_suite_list(this, TRUE);
1808 break;
1809 default:
1810 break;
1811 }
1812 return &this->public;
1813 }