2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "tls_crypto.h"
18 #include <utils/debug.h>
20 ENUM_BEGIN(tls_cipher_suite_names
, TLS_NULL_WITH_NULL_NULL
,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names
, TLS_KRB5_WITH_DES_CBC_SHA
,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names
, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names
, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDH_ECDSA_WITH_NULL_SHA
,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names
, TLS_ECDHE_PSK_WITH_NULL_SHA384
);
241 ENUM(tls_hash_algorithm_names
, TLS_HASH_NONE
, TLS_HASH_SHA512
,
251 ENUM(tls_signature_algorithm_names
, TLS_SIG_RSA
, TLS_SIG_ECDSA
,
257 ENUM_BEGIN(tls_client_certificate_type_names
,
258 TLS_RSA_SIGN
, TLS_DSS_EPHEMERAL_DH
,
265 ENUM_NEXT(tls_client_certificate_type_names
,
266 TLS_FORTEZZA_DMS
, TLS_FORTEZZA_DMS
, TLS_DSS_EPHEMERAL_DH
,
268 ENUM_NEXT(tls_client_certificate_type_names
,
269 TLS_ECDSA_SIGN
, TLS_ECDSA_FIXED_ECDH
, TLS_FORTEZZA_DMS
,
273 ENUM_END(tls_client_certificate_type_names
, TLS_ECDSA_FIXED_ECDH
);
275 ENUM(tls_ecc_curve_type_names
, TLS_ECC_EXPLICIT_PRIME
, TLS_ECC_NAMED_CURVE
,
281 ENUM(tls_named_curve_names
, TLS_SECT163K1
, TLS_SECP521R1
,
309 ENUM(tls_ansi_point_format_names
, TLS_ANSI_COMPRESSED
, TLS_ANSI_HYBRID_Y
,
318 ENUM(tls_ec_point_format_names
,
319 TLS_EC_POINT_UNCOMPRESSED
, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2
,
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
325 typedef struct private_tls_crypto_t private_tls_crypto_t
;
328 * Private data of an tls_crypto_t object.
330 struct private_tls_crypto_t
{
333 * Public tls_crypto_t interface.
340 tls_protection_t
*protection
;
343 * List of supported/acceptable cipher suites
345 tls_cipher_suite_t
*suites
;
348 * Number of supported suites
353 * Selected cipher suite
355 tls_cipher_suite_t suite
;
378 * All handshake data concatentated
383 * Connection state TLS PRF
388 * Signer instance for inbound traffic
393 * Signer instance for outbound traffic
395 signer_t
*signer_out
;
398 * Crypter instance for inbound traffic
400 crypter_t
*crypter_in
;
403 * Crypter instance for outbound traffic
405 crypter_t
*crypter_out
;
408 * IV for input decryption, if < TLSv1.2
413 * IV for output decryption, if < TLSv1.2
423 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
429 tls_cipher_suite_t suite
;
431 diffie_hellman_group_t dh
;
432 hash_algorithm_t hash
;
433 pseudo_random_function_t prf
;
434 integrity_algorithm_t mac
;
435 encryption_algorithm_t encr
;
440 * Mapping suites to a set of algorithms
442 static suite_algs_t suite_algs
[] = {
443 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
,
444 KEY_ECDSA
, ECP_256_BIT
,
445 HASH_SHA256
, PRF_HMAC_SHA2_256
,
446 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
448 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
,
449 KEY_ECDSA
, ECP_256_BIT
,
450 HASH_SHA256
, PRF_HMAC_SHA2_256
,
451 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
453 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
,
454 KEY_ECDSA
, ECP_384_BIT
,
455 HASH_SHA256
, PRF_HMAC_SHA2_256
,
456 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
458 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
,
459 KEY_ECDSA
, ECP_384_BIT
,
460 HASH_SHA384
, PRF_HMAC_SHA2_384
,
461 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32
463 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
,
464 KEY_RSA
, ECP_256_BIT
,
465 HASH_SHA256
, PRF_HMAC_SHA2_256
,
466 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
468 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
,
469 KEY_RSA
, ECP_256_BIT
,
470 HASH_SHA256
, PRF_HMAC_SHA2_256
,
471 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
473 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
,
474 KEY_RSA
, ECP_384_BIT
,
475 HASH_SHA256
, PRF_HMAC_SHA2_256
,
476 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
478 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
,
479 KEY_RSA
, ECP_384_BIT
,
480 HASH_SHA384
, PRF_HMAC_SHA2_384
,
481 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA
,
484 KEY_RSA
, MODP_2048_BIT
,
485 HASH_SHA256
,PRF_HMAC_SHA2_256
,
486 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
488 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
489 KEY_RSA
, MODP_3072_BIT
,
490 HASH_SHA256
, PRF_HMAC_SHA2_256
,
491 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA
,
494 KEY_RSA
, MODP_3072_BIT
,
495 HASH_SHA256
, PRF_HMAC_SHA2_256
,
496 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
498 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
,
499 KEY_RSA
, MODP_4096_BIT
,
500 HASH_SHA256
, PRF_HMAC_SHA2_256
,
501 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32
503 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
,
504 KEY_RSA
, MODP_2048_BIT
,
505 HASH_SHA256
, PRF_HMAC_SHA2_256
,
506 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16
508 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
509 KEY_RSA
, MODP_3072_BIT
,
510 HASH_SHA256
, PRF_HMAC_SHA2_256
,
511 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16
513 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
,
514 KEY_RSA
, MODP_3072_BIT
,
515 HASH_SHA256
, PRF_HMAC_SHA2_256
,
516 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32
518 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
519 KEY_RSA
, MODP_4096_BIT
,
520 HASH_SHA256
, PRF_HMAC_SHA2_256
,
521 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32
523 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
,
524 KEY_RSA
, MODP_2048_BIT
,
525 HASH_SHA256
, PRF_HMAC_SHA2_256
,
526 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
528 { TLS_RSA_WITH_AES_128_CBC_SHA
,
530 HASH_SHA256
, PRF_HMAC_SHA2_256
,
531 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
533 { TLS_RSA_WITH_AES_128_CBC_SHA256
,
535 HASH_SHA256
, PRF_HMAC_SHA2_256
,
536 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
538 { TLS_RSA_WITH_AES_256_CBC_SHA
,
540 HASH_SHA256
, PRF_HMAC_SHA2_256
,
541 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
543 { TLS_RSA_WITH_AES_256_CBC_SHA256
,
545 HASH_SHA256
, PRF_HMAC_SHA2_256
,
546 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32
548 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
,
550 HASH_SHA256
, PRF_HMAC_SHA2_256
,
551 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16
553 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
555 HASH_SHA256
, PRF_HMAC_SHA2_256
,
556 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16
558 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
560 HASH_SHA256
, PRF_HMAC_SHA2_256
,
561 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32
563 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
565 HASH_SHA256
, PRF_HMAC_SHA2_256
,
566 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32
568 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
,
569 KEY_ECDSA
, ECP_256_BIT
,
570 HASH_SHA256
, PRF_HMAC_SHA2_256
,
571 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
573 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
,
574 KEY_RSA
, ECP_256_BIT
,
575 HASH_SHA256
, PRF_HMAC_SHA2_256
,
576 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
578 { TLS_RSA_WITH_3DES_EDE_CBC_SHA
,
580 HASH_SHA256
, PRF_HMAC_SHA2_256
,
581 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
583 { TLS_ECDHE_ECDSA_WITH_NULL_SHA
,
584 KEY_ECDSA
, ECP_256_BIT
,
585 HASH_SHA256
, PRF_HMAC_SHA2_256
,
586 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
588 { TLS_ECDHE_RSA_WITH_NULL_SHA
,
589 KEY_ECDSA
, ECP_256_BIT
,
590 HASH_SHA256
, PRF_HMAC_SHA2_256
,
591 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
593 { TLS_RSA_WITH_NULL_SHA
,
595 HASH_SHA256
, PRF_HMAC_SHA2_256
,
596 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
598 { TLS_RSA_WITH_NULL_SHA256
,
600 HASH_SHA256
, PRF_HMAC_SHA2_256
,
601 AUTH_HMAC_SHA2_256_256
, ENCR_NULL
, 0
603 { TLS_RSA_WITH_NULL_MD5
,
605 HASH_SHA256
, PRF_HMAC_SHA2_256
,
606 AUTH_HMAC_MD5_128
, ENCR_NULL
, 0
611 * Look up algorithms by a suite
613 static suite_algs_t
*find_suite(tls_cipher_suite_t suite
)
617 for (i
= 0; i
< countof(suite_algs
); i
++)
619 if (suite_algs
[i
].suite
== suite
)
621 return &suite_algs
[i
];
628 * Filter a suite list using a transform enumerator
630 static void filter_suite(private_tls_crypto_t
*this,
631 suite_algs_t suites
[], int *count
, int offset
,
632 enumerator_t
*(*create_enumerator
)(crypto_factory_t
*))
634 const char *plugin_name
;
635 suite_algs_t current
;
636 int *current_alg
, i
, remaining
= 0;
637 enumerator_t
*enumerator
;
639 memset(¤t
, 0, sizeof(current
));
640 current_alg
= (int*)((char*)¤t
+ offset
);
642 for (i
= 0; i
< *count
; i
++)
644 enumerator
= create_enumerator(lib
->crypto
);
645 while (enumerator
->enumerate(enumerator
, current_alg
, &plugin_name
))
647 if ((suites
[i
].encr
== ENCR_NULL
||
648 !current
.encr
|| current
.encr
== suites
[i
].encr
) &&
649 (!current
.mac
|| current
.mac
== suites
[i
].mac
) &&
650 (!current
.prf
|| current
.prf
== suites
[i
].prf
) &&
651 (!current
.hash
|| current
.hash
== suites
[i
].hash
) &&
652 (suites
[i
].dh
== MODP_NONE
||
653 !current
.dh
|| current
.dh
== suites
[i
].dh
))
655 suites
[remaining
] = suites
[i
];
660 enumerator
->destroy(enumerator
);
666 * Purge NULL encryption cipher suites from list
668 static void filter_null_suites(private_tls_crypto_t
*this,
669 suite_algs_t suites
[], int *count
)
671 int i
, remaining
= 0;
673 for (i
= 0; i
< *count
; i
++)
675 if (suites
[i
].encr
!= ENCR_NULL
)
677 suites
[remaining
] = suites
[i
];
685 * Purge suites using a given key type
687 static void filter_key_suites(private_tls_crypto_t
*this,
688 suite_algs_t suites
[], int *count
, key_type_t key
)
690 int i
, remaining
= 0;
692 DBG2(DBG_TLS
, "disabling %N suites, no backend found", key_type_names
, key
);
693 for (i
= 0; i
< *count
; i
++)
695 if (suites
[i
].key
!= key
)
697 suites
[remaining
] = suites
[i
];
705 * Filter suites by key exchange user config
707 static void filter_key_exchange_config_suites(private_tls_crypto_t
*this,
708 suite_algs_t suites
[], int *count
)
710 enumerator_t
*enumerator
;
711 int i
, remaining
= 0;
712 char *token
, *config
;
714 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.key_exchange", NULL
,
718 for (i
= 0; i
< *count
; i
++)
720 enumerator
= enumerator_create_token(config
, ",", " ");
721 while (enumerator
->enumerate(enumerator
, &token
))
723 if (strcaseeq(token
, "ecdhe-ecdsa") &&
724 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
725 suites
[i
].key
== KEY_ECDSA
)
727 suites
[remaining
++] = suites
[i
];
730 if (strcaseeq(token
, "ecdhe-rsa") &&
731 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
732 suites
[i
].key
== KEY_RSA
)
734 suites
[remaining
++] = suites
[i
];
737 if (strcaseeq(token
, "dhe-rsa") &&
738 !diffie_hellman_group_is_ec(suites
[i
].dh
) &&
739 suites
[i
].dh
!= MODP_NONE
&&
740 suites
[i
].key
== KEY_RSA
)
742 suites
[remaining
++] = suites
[i
];
745 if (strcaseeq(token
, "rsa") &&
746 suites
[i
].dh
== MODP_NONE
&&
747 suites
[i
].key
== KEY_RSA
)
749 suites
[remaining
++] = suites
[i
];
753 enumerator
->destroy(enumerator
);
760 * Filter suites by cipher user config
762 static void filter_cipher_config_suites(private_tls_crypto_t
*this,
763 suite_algs_t suites
[], int *count
)
765 enumerator_t
*enumerator
;
766 int i
, remaining
= 0;
767 char *token
, *config
;
769 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.cipher", NULL
,
773 for (i
= 0; i
< *count
; i
++)
775 enumerator
= enumerator_create_token(config
, ",", " ");
776 while (enumerator
->enumerate(enumerator
, &token
))
778 if (strcaseeq(token
, "aes128") &&
779 suites
[i
].encr
== ENCR_AES_CBC
&&
780 suites
[i
].encr_size
== 16)
782 suites
[remaining
++] = suites
[i
];
785 if (strcaseeq(token
, "aes256") &&
786 suites
[i
].encr
== ENCR_AES_CBC
&&
787 suites
[i
].encr_size
== 32)
789 suites
[remaining
++] = suites
[i
];
792 if (strcaseeq(token
, "camellia128") &&
793 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
794 suites
[i
].encr_size
== 16)
796 suites
[remaining
++] = suites
[i
];
799 if (strcaseeq(token
, "camellia256") &&
800 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
801 suites
[i
].encr_size
== 32)
803 suites
[remaining
++] = suites
[i
];
806 if (strcaseeq(token
, "3des") &&
807 suites
[i
].encr
== ENCR_3DES
)
809 suites
[remaining
++] = suites
[i
];
812 if (strcaseeq(token
, "null") &&
813 suites
[i
].encr
== ENCR_NULL
)
815 suites
[remaining
++] = suites
[i
];
819 enumerator
->destroy(enumerator
);
826 * Filter suites by mac user config
828 static void filter_mac_config_suites(private_tls_crypto_t
*this,
829 suite_algs_t suites
[], int *count
)
831 enumerator_t
*enumerator
;
832 int i
, remaining
= 0;
833 char *token
, *config
;
835 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.mac", NULL
,
839 for (i
= 0; i
< *count
; i
++)
841 enumerator
= enumerator_create_token(config
, ",", " ");
842 while (enumerator
->enumerate(enumerator
, &token
))
844 if (strcaseeq(token
, "md5") &&
845 suites
[i
].mac
== AUTH_HMAC_MD5_128
)
847 suites
[remaining
++] = suites
[i
];
850 if (strcaseeq(token
, "sha1") &&
851 suites
[i
].mac
== AUTH_HMAC_SHA1_160
)
853 suites
[remaining
++] = suites
[i
];
856 if (strcaseeq(token
, "sha256") &&
857 suites
[i
].mac
== AUTH_HMAC_SHA2_256_256
)
859 suites
[remaining
++] = suites
[i
];
862 if (strcaseeq(token
, "sha384") &&
863 suites
[i
].mac
== AUTH_HMAC_SHA2_384_384
)
865 suites
[remaining
++] = suites
[i
];
869 enumerator
->destroy(enumerator
);
876 * Filter for specific suites specified in strongswan.conf
878 static void filter_specific_config_suites(private_tls_crypto_t
*this,
879 suite_algs_t suites
[], int *count
)
881 enumerator_t
*enumerator
;
882 int i
, remaining
= 0, suite
;
883 char *token
, *config
;
885 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.suites", NULL
,
889 for (i
= 0; i
< *count
; i
++)
891 enumerator
= enumerator_create_token(config
, ",", " ");
892 while (enumerator
->enumerate(enumerator
, &token
))
894 suite
= enum_from_name(tls_cipher_suite_names
, token
);
895 if (suite
== suites
[i
].suite
)
897 suites
[remaining
++] = suites
[i
];
901 enumerator
->destroy(enumerator
);
908 * Initialize the cipher suite list
910 static void build_cipher_suite_list(private_tls_crypto_t
*this,
911 bool require_encryption
)
913 suite_algs_t suites
[countof(suite_algs
)];
914 int count
= countof(suite_algs
), i
;
916 /* copy all suites */
917 for (i
= 0; i
< count
; i
++)
919 suites
[i
] = suite_algs
[i
];
921 if (require_encryption
)
923 filter_null_suites(this, suites
, &count
);
927 filter_key_suites(this, suites
, &count
, KEY_RSA
);
931 filter_key_suites(this, suites
, &count
, KEY_ECDSA
);
934 /* filter suite list by each algorithm */
935 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, encr
),
936 lib
->crypto
->create_crypter_enumerator
);
937 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, mac
),
938 lib
->crypto
->create_signer_enumerator
);
939 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, prf
),
940 lib
->crypto
->create_prf_enumerator
);
941 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, hash
),
942 lib
->crypto
->create_hasher_enumerator
);
943 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, dh
),
944 lib
->crypto
->create_dh_enumerator
);
946 /* filter suites with strongswan.conf options */
947 filter_key_exchange_config_suites(this, suites
, &count
);
948 filter_cipher_config_suites(this, suites
, &count
);
949 filter_mac_config_suites(this, suites
, &count
);
950 filter_specific_config_suites(this, suites
, &count
);
953 this->suite_count
= count
;
954 this->suites
= malloc(sizeof(tls_cipher_suite_t
) * count
);
956 DBG2(DBG_TLS
, "%d supported TLS cipher suites:", count
);
957 for (i
= 0; i
< count
; i
++)
959 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
].suite
);
960 this->suites
[i
] = suites
[i
].suite
;
964 METHOD(tls_crypto_t
, get_cipher_suites
, int,
965 private_tls_crypto_t
*this, tls_cipher_suite_t
**suites
)
967 *suites
= this->suites
;
968 return this->suite_count
;
972 * Create crypto primitives
974 static bool create_ciphers(private_tls_crypto_t
*this, suite_algs_t
*algs
)
976 DESTROY_IF(this->prf
);
977 if (this->tls
->get_version(this->tls
) < TLS_1_2
)
979 this->prf
= tls_prf_create_10();
983 this->prf
= tls_prf_create_12(algs
->prf
);
987 DBG1(DBG_TLS
, "selected TLS PRF not supported");
991 DESTROY_IF(this->signer_in
);
992 DESTROY_IF(this->signer_out
);
993 this->signer_in
= lib
->crypto
->create_signer(lib
->crypto
, algs
->mac
);
994 this->signer_out
= lib
->crypto
->create_signer(lib
->crypto
, algs
->mac
);
995 if (!this->signer_in
|| !this->signer_out
)
997 DBG1(DBG_TLS
, "selected TLS MAC %N not supported",
998 integrity_algorithm_names
, algs
->mac
);
1002 DESTROY_IF(this->crypter_in
);
1003 DESTROY_IF(this->crypter_out
);
1004 if (algs
->encr
== ENCR_NULL
)
1006 this->crypter_in
= this->crypter_out
= NULL
;
1010 this->crypter_in
= lib
->crypto
->create_crypter(lib
->crypto
,
1011 algs
->encr
, algs
->encr_size
);
1012 this->crypter_out
= lib
->crypto
->create_crypter(lib
->crypto
,
1013 algs
->encr
, algs
->encr_size
);
1014 if (!this->crypter_in
|| !this->crypter_out
)
1016 DBG1(DBG_TLS
, "selected TLS crypter %N not supported",
1017 encryption_algorithm_names
, algs
->encr
);
1024 METHOD(tls_crypto_t
, select_cipher_suite
, tls_cipher_suite_t
,
1025 private_tls_crypto_t
*this, tls_cipher_suite_t
*suites
, int count
,
1031 for (i
= 0; i
< this->suite_count
; i
++)
1033 for (j
= 0; j
< count
; j
++)
1035 if (this->suites
[i
] == suites
[j
])
1037 algs
= find_suite(this->suites
[i
]);
1040 if (key
== KEY_ANY
|| key
== algs
->key
)
1042 if (create_ciphers(this, algs
))
1044 this->suite
= this->suites
[i
];
1055 METHOD(tls_crypto_t
, get_dh_group
, diffie_hellman_group_t
,
1056 private_tls_crypto_t
*this)
1060 algs
= find_suite(this->suite
);
1068 METHOD(tls_crypto_t
, get_signature_algorithms
, void,
1069 private_tls_crypto_t
*this, bio_writer_t
*writer
)
1071 bio_writer_t
*supported
;
1072 enumerator_t
*enumerator
;
1073 hash_algorithm_t alg
;
1074 tls_hash_algorithm_t hash
;
1075 const char *plugin_name
;
1077 supported
= bio_writer_create(32);
1078 enumerator
= lib
->crypto
->create_hasher_enumerator(lib
->crypto
);
1079 while (enumerator
->enumerate(enumerator
, &alg
, &plugin_name
))
1084 hash
= TLS_HASH_MD5
;
1087 hash
= TLS_HASH_SHA1
;
1090 hash
= TLS_HASH_SHA224
;
1093 hash
= TLS_HASH_SHA256
;
1096 hash
= TLS_HASH_SHA384
;
1099 hash
= TLS_HASH_SHA512
;
1106 supported
->write_uint8(supported
, hash
);
1107 supported
->write_uint8(supported
, TLS_SIG_RSA
);
1109 if (this->ecdsa
&& alg
!= HASH_MD5
&& alg
!= HASH_SHA224
)
1110 { /* currently we have no signature scheme for MD5/SHA224 */
1111 supported
->write_uint8(supported
, hash
);
1112 supported
->write_uint8(supported
, TLS_SIG_ECDSA
);
1115 enumerator
->destroy(enumerator
);
1117 supported
->wrap16(supported
);
1118 writer
->write_data16(writer
, supported
->get_buf(supported
));
1119 supported
->destroy(supported
);
1123 * Mapping groups to TLS named curves
1126 diffie_hellman_group_t group
;
1127 tls_named_curve_t curve
;
1129 { ECP_256_BIT
, TLS_SECP256R1
},
1130 { ECP_384_BIT
, TLS_SECP384R1
},
1131 { ECP_521_BIT
, TLS_SECP521R1
},
1132 { ECP_224_BIT
, TLS_SECP224R1
},
1133 { ECP_192_BIT
, TLS_SECP192R1
},
1137 * Filter EC groups, add TLS curve
1139 static bool group_filter(void *null
,
1140 diffie_hellman_group_t
*in
, diffie_hellman_group_t
*out
,
1141 void* dummy1
, tls_named_curve_t
*curve
)
1145 for (i
= 0; i
< countof(curves
); i
++)
1147 if (curves
[i
].group
== *in
)
1151 *out
= curves
[i
].group
;
1155 *curve
= curves
[i
].curve
;
1163 METHOD(tls_crypto_t
, create_ec_enumerator
, enumerator_t
*,
1164 private_tls_crypto_t
*this)
1166 return enumerator_create_filter(
1167 lib
->crypto
->create_dh_enumerator(lib
->crypto
),
1168 (void*)group_filter
, NULL
, NULL
);
1171 METHOD(tls_crypto_t
, set_protection
, void,
1172 private_tls_crypto_t
*this, tls_protection_t
*protection
)
1174 this->protection
= protection
;
1177 METHOD(tls_crypto_t
, append_handshake
, void,
1178 private_tls_crypto_t
*this, tls_handshake_type_t type
, chunk_t data
)
1182 /* reconstruct handshake header */
1183 header
= htonl(data
.len
| (type
<< 24));
1184 this->handshake
= chunk_cat("mcc", this->handshake
,
1185 chunk_from_thing(header
), data
);
1189 * Create a hash using the suites HASH algorithm
1191 static bool hash_data(private_tls_crypto_t
*this, chunk_t data
, chunk_t
*hash
)
1193 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
1198 alg
= find_suite(this->suite
);
1203 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, alg
->hash
);
1204 if (!hasher
|| !hasher
->allocate_hash(hasher
, data
, hash
))
1206 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, alg
->hash
);
1210 hasher
->destroy(hasher
);
1214 hasher_t
*md5
, *sha1
;
1215 char buf
[HASH_SIZE_MD5
+ HASH_SIZE_SHA1
];
1217 md5
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
);
1218 if (!md5
|| !md5
->get_hash(md5
, data
, buf
))
1220 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_MD5
);
1225 sha1
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1226 if (!sha1
|| !sha1
->get_hash(sha1
, data
, buf
+ HASH_SIZE_MD5
))
1228 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_SHA1
);
1232 sha1
->destroy(sha1
);
1234 *hash
= chunk_clone(chunk_from_thing(buf
));
1240 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1242 static signature_scheme_t
hashsig_to_scheme(key_type_t type
,
1243 tls_hash_algorithm_t hash
, tls_signature_algorithm_t sig
)
1248 if (type
!= KEY_RSA
)
1250 return SIGN_UNKNOWN
;
1255 return SIGN_RSA_EMSA_PKCS1_MD5
;
1257 return SIGN_RSA_EMSA_PKCS1_SHA1
;
1258 case TLS_HASH_SHA224
:
1259 return SIGN_RSA_EMSA_PKCS1_SHA224
;
1260 case TLS_HASH_SHA256
:
1261 return SIGN_RSA_EMSA_PKCS1_SHA256
;
1262 case TLS_HASH_SHA384
:
1263 return SIGN_RSA_EMSA_PKCS1_SHA384
;
1264 case TLS_HASH_SHA512
:
1265 return SIGN_RSA_EMSA_PKCS1_SHA512
;
1267 return SIGN_UNKNOWN
;
1270 if (type
!= KEY_ECDSA
)
1272 return SIGN_UNKNOWN
;
1276 case TLS_HASH_SHA224
:
1277 return SIGN_ECDSA_WITH_SHA1_DER
;
1278 case TLS_HASH_SHA256
:
1279 return SIGN_ECDSA_WITH_SHA256_DER
;
1280 case TLS_HASH_SHA384
:
1281 return SIGN_ECDSA_WITH_SHA384_DER
;
1282 case TLS_HASH_SHA512
:
1283 return SIGN_ECDSA_WITH_SHA512_DER
;
1285 return SIGN_UNKNOWN
;
1288 return SIGN_UNKNOWN
;
1292 METHOD(tls_crypto_t
, sign
, bool,
1293 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1294 chunk_t data
, chunk_t hashsig
)
1296 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
1298 signature_scheme_t scheme
;
1299 bio_reader_t
*reader
;
1305 { /* fallback if none given */
1306 hashsig
= chunk_from_chars(
1307 TLS_HASH_SHA1
, TLS_SIG_RSA
, TLS_HASH_SHA1
, TLS_SIG_ECDSA
);
1309 reader
= bio_reader_create(hashsig
);
1310 while (reader
->remaining(reader
) >= 2)
1312 if (reader
->read_uint8(reader
, &hash
) &&
1313 reader
->read_uint8(reader
, &alg
))
1315 scheme
= hashsig_to_scheme(key
->get_type(key
), hash
, alg
);
1316 if (scheme
!= SIGN_UNKNOWN
&&
1317 key
->sign(key
, scheme
, data
, &sig
))
1324 reader
->destroy(reader
);
1327 DBG1(DBG_TLS
, "none of the proposed hash/sig algorithms supported");
1330 DBG2(DBG_TLS
, "created signature with %N/%N",
1331 tls_hash_algorithm_names
, hash
, tls_signature_algorithm_names
, alg
);
1332 writer
->write_uint8(writer
, hash
);
1333 writer
->write_uint8(writer
, alg
);
1334 writer
->write_data16(writer
, sig
);
1342 switch (key
->get_type(key
))
1345 if (!hash_data(this, data
, &hash
))
1349 done
= key
->sign(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, &sig
);
1355 DBG2(DBG_TLS
, "created signature with MD5+SHA1/RSA");
1358 if (!key
->sign(key
, SIGN_ECDSA_WITH_SHA1_DER
, data
, &sig
))
1362 DBG2(DBG_TLS
, "created signature with SHA1/ECDSA");
1367 writer
->write_data16(writer
, sig
);
1373 METHOD(tls_crypto_t
, verify
, bool,
1374 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
,
1377 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
1379 signature_scheme_t scheme
= SIGN_UNKNOWN
;
1383 if (!reader
->read_uint8(reader
, &hash
) ||
1384 !reader
->read_uint8(reader
, &alg
) ||
1385 !reader
->read_data16(reader
, &sig
))
1387 DBG1(DBG_TLS
, "received invalid signature");
1390 scheme
= hashsig_to_scheme(key
->get_type(key
), hash
, alg
);
1391 if (scheme
== SIGN_UNKNOWN
)
1393 DBG1(DBG_TLS
, "signature algorithms %N/%N not supported",
1394 tls_hash_algorithm_names
, hash
,
1395 tls_signature_algorithm_names
, alg
);
1398 if (!key
->verify(key
, scheme
, data
, sig
))
1402 DBG2(DBG_TLS
, "verified signature with %N/%N",
1403 tls_hash_algorithm_names
, hash
, tls_signature_algorithm_names
, alg
);
1410 if (!reader
->read_data16(reader
, &sig
))
1412 DBG1(DBG_TLS
, "received invalid signature");
1415 switch (key
->get_type(key
))
1418 if (!hash_data(this, data
, &hash
))
1422 done
= key
->verify(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, sig
);
1428 DBG2(DBG_TLS
, "verified signature data with MD5+SHA1/RSA");
1431 if (!key
->verify(key
, SIGN_ECDSA_WITH_SHA1_DER
, data
, sig
))
1435 DBG2(DBG_TLS
, "verified signature with SHA1/ECDSA");
1444 METHOD(tls_crypto_t
, sign_handshake
, bool,
1445 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1448 return sign(this, key
, writer
, this->handshake
, hashsig
);
1451 METHOD(tls_crypto_t
, verify_handshake
, bool,
1452 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
)
1454 return verify(this, key
, reader
, this->handshake
);
1457 METHOD(tls_crypto_t
, calculate_finished
, bool,
1458 private_tls_crypto_t
*this, char *label
, char out
[12])
1466 if (!hash_data(this, this->handshake
, &seed
))
1470 if (!this->prf
->get_bytes(this->prf
, label
, seed
, 12, out
))
1480 * Derive master secret from premaster, optionally save session
1482 static bool derive_master(private_tls_crypto_t
*this, chunk_t premaster
,
1483 chunk_t session
, identification_t
*id
,
1484 chunk_t client_random
, chunk_t server_random
)
1489 /* derive master secret */
1490 seed
= chunk_cata("cc", client_random
, server_random
);
1492 if (!this->prf
->set_key(this->prf
, premaster
) ||
1493 !this->prf
->get_bytes(this->prf
, "master secret", seed
,
1494 sizeof(master
), master
) ||
1495 !this->prf
->set_key(this->prf
, chunk_from_thing(master
)))
1500 if (this->cache
&& session
.len
)
1502 this->cache
->create(this->cache
, session
, id
, chunk_from_thing(master
),
1505 memwipe(master
, sizeof(master
));
1510 * Expand key material from master secret
1512 static bool expand_keys(private_tls_crypto_t
*this,
1513 chunk_t client_random
, chunk_t server_random
)
1515 chunk_t seed
, block
, client_write
, server_write
;
1516 int mks
, eks
= 0, ivs
= 0;
1518 /* derive key block for key expansion */
1519 mks
= this->signer_out
->get_key_size(this->signer_out
);
1520 if (this->crypter_out
)
1522 eks
= this->crypter_out
->get_key_size(this->crypter_out
);
1523 if (this->tls
->get_version(this->tls
) < TLS_1_1
)
1525 ivs
= this->crypter_out
->get_iv_size(this->crypter_out
);
1528 seed
= chunk_cata("cc", server_random
, client_random
);
1529 block
= chunk_alloca((mks
+ eks
+ ivs
) * 2);
1530 if (!this->prf
->get_bytes(this->prf
, "key expansion", seed
,
1531 block
.len
, block
.ptr
))
1537 client_write
= chunk_create(block
.ptr
, mks
);
1538 block
= chunk_skip(block
, mks
);
1539 server_write
= chunk_create(block
.ptr
, mks
);
1540 block
= chunk_skip(block
, mks
);
1541 if (this->tls
->is_server(this->tls
))
1543 if (!this->signer_in
->set_key(this->signer_in
, client_write
) ||
1544 !this->signer_out
->set_key(this->signer_out
, server_write
))
1551 if (!this->signer_out
->set_key(this->signer_out
, client_write
) ||
1552 !this->signer_in
->set_key(this->signer_in
, server_write
))
1558 /* crypter keys, and IVs if < TLSv1.2 */
1559 if (this->crypter_out
&& this->crypter_in
)
1561 client_write
= chunk_create(block
.ptr
, eks
);
1562 block
= chunk_skip(block
, eks
);
1563 server_write
= chunk_create(block
.ptr
, eks
);
1564 block
= chunk_skip(block
, eks
);
1566 if (this->tls
->is_server(this->tls
))
1568 if (!this->crypter_in
->set_key(this->crypter_in
, client_write
) ||
1569 !this->crypter_out
->set_key(this->crypter_out
, server_write
))
1576 if (!this->crypter_out
->set_key(this->crypter_out
, client_write
) ||
1577 !this->crypter_in
->set_key(this->crypter_in
, server_write
))
1584 client_write
= chunk_create(block
.ptr
, ivs
);
1585 block
= chunk_skip(block
, ivs
);
1586 server_write
= chunk_create(block
.ptr
, ivs
);
1587 block
= chunk_skip(block
, ivs
);
1589 if (this->tls
->is_server(this->tls
))
1591 this->iv_in
= chunk_clone(client_write
);
1592 this->iv_out
= chunk_clone(server_write
);
1596 this->iv_out
= chunk_clone(client_write
);
1597 this->iv_in
= chunk_clone(server_write
);
1603 if (this->msk_label
)
1605 seed
= chunk_cata("cc", client_random
, server_random
);
1606 this->msk
= chunk_alloc(64);
1607 if (!this->prf
->get_bytes(this->prf
, this->msk_label
, seed
,
1608 this->msk
.len
, this->msk
.ptr
))
1616 METHOD(tls_crypto_t
, derive_secrets
, bool,
1617 private_tls_crypto_t
*this, chunk_t premaster
, chunk_t session
,
1618 identification_t
*id
, chunk_t client_random
, chunk_t server_random
)
1620 return derive_master(this, premaster
, session
, id
,
1621 client_random
, server_random
) &&
1622 expand_keys(this, client_random
, server_random
);
1625 METHOD(tls_crypto_t
, resume_session
, tls_cipher_suite_t
,
1626 private_tls_crypto_t
*this, chunk_t session
, identification_t
*id
,
1627 chunk_t client_random
, chunk_t server_random
)
1631 if (this->cache
&& session
.len
)
1633 this->suite
= this->cache
->lookup(this->cache
, session
, id
, &master
);
1636 this->suite
= select_cipher_suite(this, &this->suite
, 1, KEY_ANY
);
1639 if (!this->prf
->set_key(this->prf
, master
) ||
1640 !expand_keys(this, client_random
, server_random
))
1645 chunk_clear(&master
);
1652 METHOD(tls_crypto_t
, get_session
, chunk_t
,
1653 private_tls_crypto_t
*this, identification_t
*server
)
1657 return this->cache
->check(this->cache
, server
);
1662 METHOD(tls_crypto_t
, change_cipher
, void,
1663 private_tls_crypto_t
*this, bool inbound
)
1665 if (this->protection
)
1669 this->protection
->set_cipher(this->protection
, TRUE
,
1670 this->signer_in
, this->crypter_in
, this->iv_in
);
1674 this->protection
->set_cipher(this->protection
, FALSE
,
1675 this->signer_out
, this->crypter_out
, this->iv_out
);
1680 METHOD(tls_crypto_t
, get_eap_msk
, chunk_t
,
1681 private_tls_crypto_t
*this)
1686 METHOD(tls_crypto_t
, destroy
, void,
1687 private_tls_crypto_t
*this)
1689 DESTROY_IF(this->signer_in
);
1690 DESTROY_IF(this->signer_out
);
1691 DESTROY_IF(this->crypter_in
);
1692 DESTROY_IF(this->crypter_out
);
1693 free(this->iv_in
.ptr
);
1694 free(this->iv_out
.ptr
);
1695 free(this->handshake
.ptr
);
1696 free(this->msk
.ptr
);
1697 DESTROY_IF(this->prf
);
1705 tls_crypto_t
*tls_crypto_create(tls_t
*tls
, tls_cache_t
*cache
)
1707 private_tls_crypto_t
*this;
1708 enumerator_t
*enumerator
;
1709 credential_type_t type
;
1714 .get_cipher_suites
= _get_cipher_suites
,
1715 .select_cipher_suite
= _select_cipher_suite
,
1716 .get_dh_group
= _get_dh_group
,
1717 .get_signature_algorithms
= _get_signature_algorithms
,
1718 .create_ec_enumerator
= _create_ec_enumerator
,
1719 .set_protection
= _set_protection
,
1720 .append_handshake
= _append_handshake
,
1723 .sign_handshake
= _sign_handshake
,
1724 .verify_handshake
= _verify_handshake
,
1725 .calculate_finished
= _calculate_finished
,
1726 .derive_secrets
= _derive_secrets
,
1727 .resume_session
= _resume_session
,
1728 .get_session
= _get_session
,
1729 .change_cipher
= _change_cipher
,
1730 .get_eap_msk
= _get_eap_msk
,
1731 .destroy
= _destroy
,
1737 enumerator
= lib
->creds
->create_builder_enumerator(lib
->creds
);
1738 while (enumerator
->enumerate(enumerator
, &type
, &subtype
))
1740 if (type
== CRED_PUBLIC_KEY
)
1755 enumerator
->destroy(enumerator
);
1757 switch (tls
->get_purpose(tls
))
1759 case TLS_PURPOSE_EAP_TLS
:
1760 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1761 this->msk_label
= "client EAP encryption";
1762 build_cipher_suite_list(this, FALSE
);
1764 case TLS_PURPOSE_EAP_PEAP
:
1765 this->msk_label
= "client EAP encryption";
1766 build_cipher_suite_list(this, TRUE
);
1768 case TLS_PURPOSE_EAP_TTLS
:
1769 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1770 this->msk_label
= "ttls keying material";
1771 build_cipher_suite_list(this, TRUE
);
1773 case TLS_PURPOSE_GENERIC
:
1774 build_cipher_suite_list(this, TRUE
);
1779 return &this->public;
projects / strongswan.git / blob