d34a8ecee300f2bfc2dccc20306121ec63c735e8
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27
28 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
29 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
30 "TLS_NULL_WITH_NULL_NULL",
31 "TLS_RSA_WITH_NULL_MD5",
32 "TLS_RSA_WITH_NULL_SHA",
33 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
34 "TLS_RSA_WITH_RC4_128_MD5",
35 "TLS_RSA_WITH_RC4_128_SHA",
36 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
37 "TLS_RSA_WITH_IDEA_CBC_SHA",
38 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
39 "TLS_RSA_WITH_DES_CBC_SHA",
40 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
41 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
42 "TLS_DH_DSS_WITH_DES_CBC_SHA",
43 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
44 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
45 "TLS_DH_RSA_WITH_DES_CBC_SHA",
46 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
47 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
49 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
50 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
51 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
52 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
53 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
54 "TLS_DH_anon_WITH_RC4_128_MD5",
55 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
56 "TLS_DH_anon_WITH_DES_CBC_SHA",
57 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
58 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
59 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
60 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
61 "TLS_KRB5_WITH_DES_CBC_SHA",
62 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
63 "TLS_KRB5_WITH_RC4_128_SHA",
64 "TLS_KRB5_WITH_IDEA_CBC_SHA",
65 "TLS_KRB5_WITH_DES_CBC_MD5",
66 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
67 "TLS_KRB5_WITH_RC4_128_MD5",
68 "TLS_KRB5_WITH_IDEA_CBC_MD5",
69 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
75 "TLS_PSK_WITH_NULL_SHA",
76 "TLS_DHE_PSK_WITH_NULL_SHA",
77 "TLS_RSA_PSK_WITH_NULL_SHA",
78 "TLS_RSA_WITH_AES_128_CBC_SHA",
79 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
80 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
83 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
84 "TLS_RSA_WITH_AES_256_CBC_SHA",
85 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
86 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
89 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
90 "TLS_RSA_WITH_NULL_SHA256",
91 "TLS_RSA_WITH_AES_128_CBC_SHA256",
92 "TLS_RSA_WITH_AES_256_CBC_SHA256",
93 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
94 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
95 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
96 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
102 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
103 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
104 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
105 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
106 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
107 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
112 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
113 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
114 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
115 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_PSK_WITH_RC4_128_SHA",
122 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_DHE_PSK_WITH_RC4_128_SHA",
126 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
129 "TLS_RSA_PSK_WITH_RC4_128_SHA",
130 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
133 "TLS_RSA_WITH_SEED_CBC_SHA",
134 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
135 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
136 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
137 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
138 "TLS_DH_anon_WITH_SEED_CBC_SHA",
139 "TLS_RSA_WITH_AES_128_GCM_SHA256",
140 "TLS_RSA_WITH_AES_256_GCM_SHA384",
141 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
142 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
143 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
144 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
147 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
148 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
149 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
150 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
151 "TLS_PSK_WITH_AES_128_GCM_SHA256",
152 "TLS_PSK_WITH_AES_256_GCM_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
155 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
156 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
157 "TLS_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_PSK_WITH_NULL_SHA256",
160 "TLS_PSK_WITH_NULL_SHA384",
161 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
162 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
163 "TLS_DHE_PSK_WITH_NULL_SHA256",
164 "TLS_DHE_PSK_WITH_NULL_SHA384",
165 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
166 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
167 "TLS_RSA_PSK_WITH_NULL_SHA256",
168 "TLS_RSA_PSK_WITH_NULL_SHA384",
169 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
181 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
184 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
185 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
186 TLS_AES_128_CCM_8_SHA256,
187 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
188 "TLS_AES_128_GCM_SHA256",
189 "TLS_AES_256_GCM_SHA384",
190 "TLS_CHACHA20_POLY1305_SHA256",
191 "TLS_AES_128_CCM_SHA256",
192 "TLS_AES_128_CCM_8_SHA256");
193 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
194 TLS_ECDHE_PSK_WITH_NULL_SHA384,
195 TLS_AES_128_CCM_8_SHA256,
196 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
197 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
198 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
202 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
203 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
206 "TLS_ECDH_RSA_WITH_NULL_SHA",
207 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
208 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
211 "TLS_ECDHE_RSA_WITH_NULL_SHA",
212 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
213 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
216 "TLS_ECDH_anon_WITH_NULL_SHA",
217 "TLS_ECDH_anon_WITH_RC4_128_SHA",
218 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
221 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
230 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
231 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
232 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
233 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
234 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
237 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
238 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
239 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
240 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
241 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
242 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
243 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
244 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
245 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
246 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
247 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
251 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
255 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_ECDHE_PSK_WITH_NULL_SHA384,
258 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
259 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
261 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
262
263
264 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
265 "NONE",
266 "MD5",
267 "SHA1",
268 "SHA224",
269 "SHA256",
270 "SHA384",
271 "SHA512",
272 );
273
274 ENUM_BEGIN(tls_signature_scheme_names,
275 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
276 "RSA_PKCS1_SHA1");
277 ENUM_NEXT(tls_signature_scheme_names,
278 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
279 "ECDSA_SHA1");
280 ENUM_NEXT(tls_signature_scheme_names,
281 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
282 "RSA_PKCS1_SHA224",
283 "DSA_SHA224",
284 "ECDSA_SHA224");
285 ENUM_NEXT(tls_signature_scheme_names,
286 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
287 "RSA_PKCS1_SHA256",
288 "DSA_SHA256",
289 "ECDSA_SHA256");
290 ENUM_NEXT(tls_signature_scheme_names,
291 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
292 "RSA_PKCS1_SHA384",
293 "DSA_SHA384",
294 "ECDSA_SHA384");
295 ENUM_NEXT(tls_signature_scheme_names,
296 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
297 "RSA_PKCS1_SHA512",
298 "DSA_SHA512",
299 "ECDSA_SHA512");
300 ENUM_NEXT(tls_signature_scheme_names,
301 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
302 "RSA_PSS_RSAE_SHA256",
303 "RSA_PSS_RSAE_SHA384",
304 "RSA_PSS_RSAE_SHA512",
305 "ED25519",
306 "ED448",
307 "RSA_PSS_PSS_SHA256",
308 "RSA_PSS_PSS_SHA384",
309 "RSA_PSS_PSS_SHA512",
310 );
311 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
312
313 ENUM_BEGIN(tls_client_certificate_type_names,
314 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
315 "RSA_SIGN",
316 "DSA_SIGN",
317 "RSA_FIXED_DH",
318 "DSS_FIXED_DH",
319 "RSA_EPHEMERAL_DH",
320 "DSS_EPHEMERAL_DH");
321 ENUM_NEXT(tls_client_certificate_type_names,
322 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
323 "FORTEZZA_DMS");
324 ENUM_NEXT(tls_client_certificate_type_names,
325 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
326 "ECDSA_SIGN",
327 "RSA_FIXED_ECDH",
328 "ECDSA_FIXED_ECDH");
329 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
330
331 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
332 "EXPLICIT_PRIME",
333 "EXPLICIT_CHAR2",
334 "NAMED_CURVE",
335 );
336
337 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
338 "SECT163K1",
339 "SECT163R1",
340 "SECT163R2",
341 "SECT193R1",
342 "SECT193R2",
343 "SECT233K1",
344 "SECT233R1",
345 "SECT239K1",
346 "SECT283K1",
347 "SECT283R1",
348 "SECT409K1",
349 "SECT409R1",
350 "SECT571K1",
351 "SECT571R1",
352 "SECP160K1",
353 "SECP160R1",
354 "SECP160R2",
355 "SECP192K1",
356 "SECP192R1",
357 "SECP224K1",
358 "SECP224R1",
359 "SECP256K1",
360 "SECP256R1",
361 "SECP384R1",
362 "SECP521R1",
363 );
364 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
365 "CURVE25519",
366 "CURVE448",
367 );
368 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
369 "FFDHE2048",
370 "FFDHE3072",
371 "FFDHE4096",
372 "FFDHE6144",
373 "FFDHE8192",
374 );
375 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
376
377 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
378 "compressed",
379 "compressed y",
380 "uncompressed",
381 "uncompressed y",
382 "hybrid",
383 "hybrid y",
384 );
385
386 ENUM(tls_ec_point_format_names,
387 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
388 "uncompressed",
389 "ansiX962 compressed prime",
390 "ansiX962 compressed char2",
391 );
392
393 typedef struct private_tls_crypto_t private_tls_crypto_t;
394
395 /**
396 * Private data of an tls_crypto_t object.
397 */
398 struct private_tls_crypto_t {
399
400 /**
401 * Public tls_crypto_t interface.
402 */
403 tls_crypto_t public;
404
405 /**
406 * Protection layer
407 */
408 tls_protection_t *protection;
409
410 /**
411 * List of supported/acceptable cipher suites
412 */
413 tls_cipher_suite_t *suites;
414
415 /**
416 * Number of supported suites
417 */
418 int suite_count;
419
420 /**
421 * HKDF for TLS 1.3
422 */
423 tls_hkdf_t *hkdf;
424
425 /**
426 * Selected cipher suite
427 */
428 tls_cipher_suite_t suite;
429
430 /**
431 * RSA supported?
432 */
433 bool rsa;
434
435 /**
436 * ECDSA supported?
437 */
438 bool ecdsa;
439
440 /**
441 * TLS context
442 */
443 tls_t *tls;
444
445 /**
446 * TLS session cache
447 */
448 tls_cache_t *cache;
449
450 /**
451 * All handshake data concatenated
452 */
453 chunk_t handshake;
454
455 /**
456 * Connection state TLS PRF
457 */
458 tls_prf_t *prf;
459
460 /**
461 * AEAD transform for inbound traffic
462 */
463 tls_aead_t *aead_in;
464
465 /**
466 * AEAD transform for outbound traffic
467 */
468 tls_aead_t *aead_out;
469
470 /**
471 * EAP-[T]TLS MSK
472 */
473 chunk_t msk;
474
475 /**
476 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
477 */
478 char *msk_label;
479 };
480
481 typedef struct {
482 tls_cipher_suite_t suite;
483 key_type_t key;
484 diffie_hellman_group_t dh;
485 hash_algorithm_t hash;
486 pseudo_random_function_t prf;
487 integrity_algorithm_t mac;
488 encryption_algorithm_t encr;
489 size_t encr_size;
490 tls_version_t min_version;
491 tls_version_t max_version;
492 } suite_algs_t;
493
494 /**
495 * Mapping suites to a set of algorithms
496 *
497 * The order represents the descending preference of cipher suites and follows
498 * this rule set:
499 *
500 * 1. TLS 1.3 > Legacy TLS
501 * 2. AES > CAMELLIA > NULL
502 * 3. AES256 > AES128
503 * 4. GCM > CBC
504 * 5. ECDHE > DHE > NULL
505 * 6. ECDSA > RSA
506 * 7. SHA384 > SHA256 > SHA1
507 *
508 */
509 static suite_algs_t suite_algs[] = {
510 /* Cipher suites of TLS 1.3: key exchange and authentication
511 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
512 { TLS_AES_256_GCM_SHA384,
513 KEY_ANY, MODP_NONE,
514 HASH_SHA384, PRF_UNDEFINED,
515 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
516 TLS_1_3, TLS_1_3,
517 },
518 { TLS_AES_128_GCM_SHA256,
519 KEY_ANY, MODP_NONE,
520 HASH_SHA256, PRF_UNDEFINED,
521 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
522 TLS_1_3, TLS_1_3,
523 },
524 { TLS_CHACHA20_POLY1305_SHA256,
525 KEY_ANY, MODP_NONE,
526 HASH_SHA256, PRF_UNDEFINED,
527 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
528 TLS_1_3, TLS_1_3,
529 },
530 { TLS_AES_128_CCM_SHA256,
531 KEY_ANY, MODP_NONE,
532 HASH_SHA256, PRF_UNDEFINED,
533 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
534 TLS_1_3, TLS_1_3,
535 },
536 { TLS_AES_128_CCM_8_SHA256,
537 KEY_ANY, MODP_NONE,
538 HASH_SHA256, PRF_UNDEFINED,
539 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
540 TLS_1_3, TLS_1_3,
541 },
542 /* Legacy TLS cipher suites */
543 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
544 KEY_ECDSA, ECP_384_BIT,
545 HASH_SHA384, PRF_HMAC_SHA2_384,
546 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
547 TLS_1_2, TLS_1_2,
548 },
549 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
550 KEY_ECDSA, ECP_384_BIT,
551 HASH_SHA384, PRF_HMAC_SHA2_384,
552 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
553 TLS_1_2, TLS_1_2,
554 },
555 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
556 KEY_ECDSA, ECP_384_BIT,
557 HASH_SHA256, PRF_HMAC_SHA2_256,
558 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
559 TLS_1_0, TLS_1_2,
560 },
561 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
562 KEY_ECDSA, ECP_256_BIT,
563 HASH_SHA256, PRF_HMAC_SHA2_256,
564 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
565 TLS_1_2, TLS_1_2,
566 },
567 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
568 KEY_ECDSA, ECP_256_BIT,
569 HASH_SHA256, PRF_HMAC_SHA2_256,
570 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
571 TLS_1_2, TLS_1_2,
572 },
573 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
574 KEY_ECDSA, ECP_256_BIT,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
577 TLS_1_0, TLS_1_2,
578 },
579 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
580 KEY_RSA, ECP_384_BIT,
581 HASH_SHA384, PRF_HMAC_SHA2_384,
582 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
583 TLS_1_2, TLS_1_2,
584 },
585 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
586 KEY_RSA, ECP_384_BIT,
587 HASH_SHA384, PRF_HMAC_SHA2_384,
588 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
589 TLS_1_2, TLS_1_2,
590 },
591 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
592 KEY_RSA, ECP_384_BIT,
593 HASH_SHA256, PRF_HMAC_SHA2_256,
594 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
595 TLS_1_0, TLS_1_2,
596 },
597 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
598 KEY_RSA, ECP_256_BIT,
599 HASH_SHA256, PRF_HMAC_SHA2_256,
600 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
601 TLS_1_2, TLS_1_2,
602 },
603 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
604 KEY_RSA, ECP_256_BIT,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
607 TLS_1_2, TLS_1_2,
608 },
609 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
610 KEY_RSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
613 TLS_1_0, TLS_1_2,
614 },
615 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
616 KEY_RSA, MODP_4096_BIT,
617 HASH_SHA384, PRF_HMAC_SHA2_384,
618 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
619 TLS_1_2, TLS_1_2,
620 },
621 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
622 KEY_RSA, MODP_4096_BIT,
623 HASH_SHA256, PRF_HMAC_SHA2_256,
624 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
625 TLS_1_2, TLS_1_2,
626 },
627 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
628 KEY_RSA, MODP_3072_BIT,
629 HASH_SHA256, PRF_HMAC_SHA2_256,
630 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
631 SSL_3_0, TLS_1_2,
632 },
633 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
634 KEY_RSA, MODP_4096_BIT,
635 HASH_SHA256, PRF_HMAC_SHA2_256,
636 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
637 TLS_1_2, TLS_1_2,
638 },
639 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
640 KEY_RSA, MODP_3072_BIT,
641 HASH_SHA256, PRF_HMAC_SHA2_256,
642 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
643 SSL_3_0, TLS_1_2,
644 },
645 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
646 KEY_RSA, MODP_3072_BIT,
647 HASH_SHA256, PRF_HMAC_SHA2_256,
648 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
649 TLS_1_2, TLS_1_2,
650 },
651 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
652 KEY_RSA, MODP_3072_BIT,
653 HASH_SHA256, PRF_HMAC_SHA2_256,
654 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
655 TLS_1_2, TLS_1_2,
656 },
657 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
658 KEY_RSA, MODP_2048_BIT,
659 HASH_SHA256,PRF_HMAC_SHA2_256,
660 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
661 SSL_3_0, TLS_1_2,
662 },
663 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
664 KEY_RSA, MODP_3072_BIT,
665 HASH_SHA256, PRF_HMAC_SHA2_256,
666 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
667 TLS_1_2, TLS_1_2,
668 },
669 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
670 KEY_RSA, MODP_2048_BIT,
671 HASH_SHA256, PRF_HMAC_SHA2_256,
672 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
673 SSL_3_0, TLS_1_2,
674 },
675 { TLS_RSA_WITH_AES_256_GCM_SHA384,
676 KEY_RSA, MODP_NONE,
677 HASH_SHA384, PRF_HMAC_SHA2_384,
678 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
679 TLS_1_2, TLS_1_2,
680 },
681 { TLS_RSA_WITH_AES_256_CBC_SHA256,
682 KEY_RSA, MODP_NONE,
683 HASH_SHA256, PRF_HMAC_SHA2_256,
684 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
685 TLS_1_2, TLS_1_2,
686 },
687 { TLS_RSA_WITH_AES_256_CBC_SHA,
688 KEY_RSA, MODP_NONE,
689 HASH_SHA256, PRF_HMAC_SHA2_256,
690 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
691 SSL_3_0, TLS_1_2,
692 },
693 { TLS_RSA_WITH_AES_128_GCM_SHA256,
694 KEY_RSA, MODP_NONE,
695 HASH_SHA256, PRF_HMAC_SHA2_256,
696 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
697 TLS_1_2, TLS_1_2,
698 },
699 { TLS_RSA_WITH_AES_128_CBC_SHA256,
700 KEY_RSA, MODP_NONE,
701 HASH_SHA256, PRF_HMAC_SHA2_256,
702 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
703 TLS_1_2, TLS_1_2,
704 },
705 { TLS_RSA_WITH_AES_128_CBC_SHA,
706 KEY_RSA, MODP_NONE,
707 HASH_SHA256, PRF_HMAC_SHA2_256,
708 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
709 SSL_3_0, TLS_1_2,
710 },
711 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
712 KEY_RSA, MODP_NONE,
713 HASH_SHA256, PRF_HMAC_SHA2_256,
714 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
715 TLS_1_2, TLS_1_2,
716 },
717 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
718 KEY_RSA, MODP_NONE,
719 HASH_SHA256, PRF_HMAC_SHA2_256,
720 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
721 SSL_3_0, TLS_1_2,
722 },
723 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
724 KEY_RSA, MODP_NONE,
725 HASH_SHA256, PRF_HMAC_SHA2_256,
726 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
727 TLS_1_2, TLS_1_2,
728 },
729 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
730 KEY_RSA, MODP_NONE,
731 HASH_SHA256, PRF_HMAC_SHA2_256,
732 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
733 SSL_3_0, TLS_1_2,
734 },
735 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
736 KEY_ECDSA, ECP_256_BIT,
737 HASH_SHA256, PRF_HMAC_SHA2_256,
738 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
739 TLS_1_0, TLS_1_2,
740 },
741 { TLS_ECDHE_RSA_WITH_NULL_SHA,
742 KEY_ECDSA, ECP_256_BIT,
743 HASH_SHA256, PRF_HMAC_SHA2_256,
744 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
745 TLS_1_0, TLS_1_2,
746 },
747 { TLS_RSA_WITH_NULL_SHA256,
748 KEY_RSA, MODP_NONE,
749 HASH_SHA256, PRF_HMAC_SHA2_256,
750 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
751 TLS_1_2, TLS_1_2,
752 },
753 { TLS_RSA_WITH_NULL_SHA,
754 KEY_RSA, MODP_NONE,
755 HASH_SHA256, PRF_HMAC_SHA2_256,
756 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
757 SSL_3_0, TLS_1_2,
758 },
759 };
760
761 /**
762 * Look up algorithms by a suite
763 */
764 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
765 {
766 int i;
767
768 for (i = 0; i < countof(suite_algs); i++)
769 {
770 if (suite_algs[i].suite == suite)
771 {
772 return &suite_algs[i];
773 }
774 }
775 return NULL;
776 }
777
778 /**
779 * Filter a suite list using a transform enumerator
780 */
781 static void filter_suite(suite_algs_t suites[], int *count, int offset,
782 enumerator_t*(*create_enumerator)(crypto_factory_t*))
783 {
784 const char *plugin_name;
785 suite_algs_t current;
786 int *current_alg, i, remaining = 0;
787 enumerator_t *enumerator;
788
789 memset(&current, 0, sizeof(current));
790 current_alg = (int*)((char*)&current + offset);
791
792 for (i = 0; i < *count; i++)
793 {
794 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
795 encryption_algorithm_is_aead(suites[i].encr))
796 { /* filtering crypters, but current suite uses an AEAD, apply */
797 suites[remaining] = suites[i];
798 remaining++;
799 continue;
800 }
801 if (create_enumerator == lib->crypto->create_aead_enumerator &&
802 !encryption_algorithm_is_aead(suites[i].encr))
803 { /* filtering AEADs, but current suite doesn't use one, apply */
804 suites[remaining] = suites[i];
805 remaining++;
806 continue;
807 }
808 enumerator = create_enumerator(lib->crypto);
809 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
810 {
811 if (current.encr && current.encr != suites[i].encr)
812 {
813 if (suites[i].encr != ENCR_NULL)
814 { /* skip, ENCR does not match nor is NULL */
815 continue;
816 }
817 }
818 if (current.mac && current.mac != suites[i].mac)
819 {
820 if (suites[i].mac != AUTH_UNDEFINED)
821 { /* skip, MAC does not match nor is it undefined */
822 continue;
823 }
824 }
825 if (current.prf && current.prf != suites[i].prf)
826 {
827 if (suites[i].prf != PRF_UNDEFINED)
828 {
829 /* skip, PRF does not match nor is it undefined */
830 continue;
831 }
832 }
833 if (current.hash && current.hash != suites[i].hash)
834 { /* skip, hash does not match */
835 continue;
836 }
837 if (current.dh && current.dh != suites[i].dh)
838 {
839 if (suites[i].dh != MODP_NONE)
840 { /* skip DH group, does not match nor NONE */
841 continue;
842 }
843 }
844 /* suite supported, apply */
845 suites[remaining] = suites[i];
846 remaining++;
847 break;
848 }
849 enumerator->destroy(enumerator);
850 }
851 *count = remaining;
852 }
853
854 /**
855 * Purge NULL encryption cipher suites from list
856 */
857 static void filter_null_suites(suite_algs_t suites[], int *count)
858 {
859 int i, remaining = 0;
860
861 for (i = 0; i < *count; i++)
862 {
863 if (suites[i].encr != ENCR_NULL)
864 {
865 suites[remaining] = suites[i];
866 remaining++;
867 }
868 }
869 *count = remaining;
870 }
871
872 /**
873 * Purge suites using a given key type
874 */
875 static void filter_key_suites(private_tls_crypto_t *this,
876 suite_algs_t suites[], int *count, key_type_t key)
877 {
878 int i, remaining = 0;
879
880 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
881 for (i = 0; i < *count; i++)
882 {
883 if (suites[i].key != key)
884 {
885 suites[remaining] = suites[i];
886 remaining++;
887 }
888 }
889 *count = remaining;
890 }
891
892 /**
893 * Filter suites by key exchange user config
894 */
895 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
896 suite_algs_t suites[], int *count)
897 {
898 enumerator_t *enumerator;
899 int i, remaining = 0;
900 char *token, *config;
901
902 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
903 lib->ns);
904 if (config)
905 {
906 for (i = 0; i < *count; i++)
907 {
908 enumerator = enumerator_create_token(config, ",", " ");
909 while (enumerator->enumerate(enumerator, &token))
910 {
911 if (strcaseeq(token, "ecdhe-ecdsa") &&
912 diffie_hellman_group_is_ec(suites[i].dh) &&
913 suites[i].key == KEY_ECDSA)
914 {
915 suites[remaining++] = suites[i];
916 break;
917 }
918 if (strcaseeq(token, "ecdhe-rsa") &&
919 diffie_hellman_group_is_ec(suites[i].dh) &&
920 suites[i].key == KEY_RSA)
921 {
922 suites[remaining++] = suites[i];
923 break;
924 }
925 if (strcaseeq(token, "dhe-rsa") &&
926 !diffie_hellman_group_is_ec(suites[i].dh) &&
927 suites[i].dh != MODP_NONE &&
928 suites[i].key == KEY_RSA)
929 {
930 suites[remaining++] = suites[i];
931 break;
932 }
933 if (strcaseeq(token, "rsa") &&
934 suites[i].dh == MODP_NONE &&
935 suites[i].key == KEY_RSA)
936 {
937 suites[remaining++] = suites[i];
938 break;
939 }
940 }
941 enumerator->destroy(enumerator);
942 }
943 *count = remaining;
944 }
945 }
946
947 /**
948 * Filter suites by cipher user config
949 */
950 static void filter_cipher_config_suites(private_tls_crypto_t *this,
951 suite_algs_t suites[], int *count)
952 {
953 enumerator_t *enumerator;
954 int i, remaining = 0;
955 char *token, *config;
956
957 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
958 lib->ns);
959 if (config)
960 {
961 for (i = 0; i < *count; i++)
962 {
963 enumerator = enumerator_create_token(config, ",", " ");
964 while (enumerator->enumerate(enumerator, &token))
965 {
966 if (strcaseeq(token, "aes128") &&
967 suites[i].encr == ENCR_AES_CBC &&
968 suites[i].encr_size == 16)
969 {
970 suites[remaining++] = suites[i];
971 break;
972 }
973 if (strcaseeq(token, "aes256") &&
974 suites[i].encr == ENCR_AES_CBC &&
975 suites[i].encr_size == 32)
976 {
977 suites[remaining++] = suites[i];
978 break;
979 }
980 if (strcaseeq(token, "aes128gcm") &&
981 suites[i].encr == ENCR_AES_GCM_ICV16 &&
982 suites[i].encr_size == 16)
983 {
984 suites[remaining++] = suites[i];
985 break;
986 }
987 if (strcaseeq(token, "aes256gcm") &&
988 suites[i].encr == ENCR_AES_GCM_ICV16 &&
989 suites[i].encr_size == 32)
990 {
991 suites[remaining++] = suites[i];
992 break;
993 }
994 if (strcaseeq(token, "camellia128") &&
995 suites[i].encr == ENCR_CAMELLIA_CBC &&
996 suites[i].encr_size == 16)
997 {
998 suites[remaining++] = suites[i];
999 break;
1000 }
1001 if (strcaseeq(token, "camellia256") &&
1002 suites[i].encr == ENCR_CAMELLIA_CBC &&
1003 suites[i].encr_size == 32)
1004 {
1005 suites[remaining++] = suites[i];
1006 break;
1007 }
1008 if (strcaseeq(token, "null") &&
1009 suites[i].encr == ENCR_NULL)
1010 {
1011 suites[remaining++] = suites[i];
1012 break;
1013 }
1014 }
1015 enumerator->destroy(enumerator);
1016 }
1017 *count = remaining;
1018 }
1019 }
1020
1021 /**
1022 * Filter suites by mac user config
1023 */
1024 static void filter_mac_config_suites(private_tls_crypto_t *this,
1025 suite_algs_t suites[], int *count)
1026 {
1027 enumerator_t *enumerator;
1028 int i, remaining = 0;
1029 char *token, *config;
1030
1031 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1032 lib->ns);
1033 if (config)
1034 {
1035 for (i = 0; i < *count; i++)
1036 {
1037 enumerator = enumerator_create_token(config, ",", " ");
1038 while (enumerator->enumerate(enumerator, &token))
1039 {
1040 if (strcaseeq(token, "sha1") &&
1041 suites[i].mac == AUTH_HMAC_SHA1_160)
1042 {
1043 suites[remaining++] = suites[i];
1044 break;
1045 }
1046 if (strcaseeq(token, "sha256") &&
1047 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1048 {
1049 suites[remaining++] = suites[i];
1050 break;
1051 }
1052 if (strcaseeq(token, "sha384") &&
1053 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1054 {
1055 suites[remaining++] = suites[i];
1056 break;
1057 }
1058 }
1059 enumerator->destroy(enumerator);
1060 }
1061 *count = remaining;
1062 }
1063 }
1064
1065 /**
1066 * Filter for specific suites specified in strongswan.conf
1067 */
1068 static void filter_specific_config_suites(private_tls_crypto_t *this,
1069 suite_algs_t suites[], int *count)
1070 {
1071 enumerator_t *enumerator;
1072 int i, remaining = 0, suite;
1073 char *token, *config;
1074
1075 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1076 lib->ns);
1077 if (config)
1078 {
1079 for (i = 0; i < *count; i++)
1080 {
1081 enumerator = enumerator_create_token(config, ",", " ");
1082 while (enumerator->enumerate(enumerator, &token))
1083 {
1084 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1085 suite == suites[i].suite)
1086 {
1087 suites[remaining++] = suites[i];
1088 break;
1089 }
1090 }
1091 enumerator->destroy(enumerator);
1092 }
1093 *count = remaining;
1094 }
1095 }
1096
1097 /**
1098 * Filter key exchange curves by curve user config
1099 */
1100 static bool filter_curve_config(tls_named_group_t curve)
1101 {
1102 enumerator_t *enumerator;
1103 char *token, *config;
1104
1105 config = lib->settings->get_str(lib->settings, "%s.tls.curve", NULL, lib->ns);
1106 if (config)
1107 {
1108 enumerator = enumerator_create_token(config, ",", " ");
1109 while (enumerator->enumerate(enumerator, &token))
1110 {
1111 const proposal_token_t *tok;
1112
1113 tok = lib->proposal->get_token(lib->proposal, token);
1114 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1115 curve == tls_ec_group_to_curve(tok->algorithm))
1116 {
1117 enumerator->destroy(enumerator);
1118 return TRUE;
1119 }
1120 }
1121 enumerator->destroy(enumerator);
1122 }
1123 return !config;
1124 }
1125
1126 /**
1127 * Filter out unsupported suites on given suite array
1128 */
1129 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1130 {
1131 /* filter suite list by each algorithm */
1132 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1133 lib->crypto->create_aead_enumerator);
1134 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1135 lib->crypto->create_prf_enumerator);
1136 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1137 lib->crypto->create_crypter_enumerator);
1138 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1139 lib->crypto->create_signer_enumerator);
1140 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1141 lib->crypto->create_hasher_enumerator);
1142 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1143 lib->crypto->create_dh_enumerator);
1144 }
1145
1146 /**
1147 * Initialize the cipher suite list
1148 */
1149 static void build_cipher_suite_list(private_tls_crypto_t *this)
1150 {
1151 suite_algs_t suites[countof(suite_algs)];
1152 tls_version_t min_version, max_version, new_min_version, new_max_version;
1153 bool require_encryption;
1154 int count = 0, i;
1155
1156 switch (this->tls->get_purpose(this->tls))
1157 {
1158 case TLS_PURPOSE_EAP_TLS:
1159 case TLS_PURPOSE_GENERIC_NULLOK:
1160 require_encryption = FALSE;
1161 break;
1162 case TLS_PURPOSE_EAP_PEAP:
1163 case TLS_PURPOSE_EAP_TTLS:
1164 case TLS_PURPOSE_GENERIC:
1165 require_encryption = TRUE;
1166 break;
1167 default:
1168 return;
1169 }
1170
1171 min_version = this->tls->get_version_min(this->tls);
1172 max_version = this->tls->get_version_max(this->tls);
1173
1174 /* copy all suites appropriate for the current min/max versions */
1175 for (i = 0; i < countof(suite_algs); i++)
1176 {
1177 if (suite_algs[i].min_version <= max_version &&
1178 suite_algs[i].max_version >= min_version)
1179 {
1180 suites[count++] = suite_algs[i];
1181 }
1182 }
1183
1184 if (require_encryption)
1185 {
1186 filter_null_suites(suites, &count);
1187 }
1188 if (!this->rsa)
1189 {
1190 filter_key_suites(this, suites, &count, KEY_RSA);
1191 }
1192 if (!this->ecdsa)
1193 {
1194 filter_key_suites(this, suites, &count, KEY_ECDSA);
1195 }
1196
1197 filter_unsupported_suites(suites, &count);
1198
1199 /* filter suites with strongswan.conf options */
1200 filter_key_exchange_config_suites(this, suites, &count);
1201 filter_cipher_config_suites(this, suites, &count);
1202 filter_mac_config_suites(this, suites, &count);
1203 filter_specific_config_suites(this, suites, &count);
1204
1205 free(this->suites);
1206 this->suite_count = count;
1207 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1208
1209 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1210 new_min_version = max_version;
1211 new_max_version = min_version;
1212 for (i = 0; i < count; i++)
1213 {
1214 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1215 this->suites[i] = suites[i].suite;
1216
1217 /* set TLS min/max versions appropriate to the final cipher suites */
1218 new_max_version = max(new_max_version, suites[i].max_version);
1219 new_min_version = min(new_min_version, suites[i].min_version);
1220 }
1221 new_max_version = min(new_max_version, max_version);
1222 new_min_version = max(new_min_version, min_version);
1223
1224 if (min_version != new_min_version || max_version != new_max_version)
1225 {
1226 this->tls->set_version(this->tls, new_min_version, new_max_version);
1227 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1228 tls_version_names, new_min_version,
1229 tls_version_names, new_max_version);
1230 }
1231 }
1232
1233 METHOD(tls_crypto_t, get_cipher_suites, int,
1234 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1235 {
1236 if (!this->suites)
1237 {
1238 build_cipher_suite_list(this);
1239 }
1240 if (suites)
1241 {
1242 *suites = this->suites;
1243 }
1244 return this->suite_count;
1245 }
1246
1247 /**
1248 * Create NULL encryption transforms
1249 */
1250 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1251 {
1252 this->aead_in = tls_aead_create_null(algs->mac);
1253 this->aead_out = tls_aead_create_null(algs->mac);
1254 if (!this->aead_in || !this->aead_out)
1255 {
1256 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1257 integrity_algorithm_names, algs->mac);
1258 return FALSE;
1259 }
1260 return TRUE;
1261 }
1262
1263 /**
1264 * Create traditional transforms
1265 */
1266 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1267 {
1268 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1269 {
1270 this->aead_in = tls_aead_create_implicit(algs->mac,
1271 algs->encr, algs->encr_size);
1272 this->aead_out = tls_aead_create_implicit(algs->mac,
1273 algs->encr, algs->encr_size);
1274 }
1275 else
1276 {
1277 this->aead_in = tls_aead_create_explicit(algs->mac,
1278 algs->encr, algs->encr_size);
1279 this->aead_out = tls_aead_create_explicit(algs->mac,
1280 algs->encr, algs->encr_size);
1281 }
1282 if (!this->aead_in || !this->aead_out)
1283 {
1284 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1285 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1286 integrity_algorithm_names, algs->mac);
1287 return FALSE;
1288 }
1289 return TRUE;
1290 }
1291
1292 /**
1293 * Create AEAD transforms
1294 */
1295 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1296 {
1297 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1298 {
1299 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1300 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1301 }
1302 else
1303 {
1304 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1305 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1306 }
1307 if (!this->aead_in || !this->aead_out)
1308 {
1309 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1310 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1311 return FALSE;
1312 }
1313 return TRUE;
1314 }
1315
1316 /**
1317 * Clean up and unset AEAD transforms
1318 */
1319 static void destroy_aeads(private_tls_crypto_t *this)
1320 {
1321 DESTROY_IF(this->aead_in);
1322 DESTROY_IF(this->aead_out);
1323 this->aead_in = this->aead_out = NULL;
1324 }
1325
1326 /**
1327 * Create crypto primitives
1328 */
1329 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1330 {
1331 destroy_aeads(this);
1332 DESTROY_IF(this->hkdf);
1333 DESTROY_IF(this->prf);
1334 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1335 {
1336 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1337 {
1338 this->prf = tls_prf_create_10();
1339 }
1340 else
1341 {
1342 this->prf = tls_prf_create_12(algs->prf);
1343 }
1344 if (!this->prf)
1345 {
1346 DBG1(DBG_TLS, "selected TLS PRF not supported");
1347 return FALSE;
1348 }
1349 }
1350 else
1351 {
1352 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1353 if (!this->hkdf)
1354 {
1355 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1356 return FALSE;
1357 }
1358 }
1359 if (algs->encr == ENCR_NULL)
1360 {
1361 if (create_null(this, algs))
1362 {
1363 return TRUE;
1364 }
1365 }
1366 else if (encryption_algorithm_is_aead(algs->encr))
1367 {
1368 if (create_aead(this, algs))
1369 {
1370 return TRUE;
1371 }
1372 }
1373 else
1374 {
1375 if (create_traditional(this, algs))
1376 {
1377 return TRUE;
1378 }
1379 }
1380 destroy_aeads(this);
1381 return FALSE;
1382 }
1383
1384 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1385 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1386 key_type_t key)
1387 {
1388 suite_algs_t *algs;
1389 int i, j;
1390
1391 for (i = 0; i < this->suite_count; i++)
1392 {
1393 for (j = 0; j < count; j++)
1394 {
1395 if (this->suites[i] == suites[j])
1396 {
1397 algs = find_suite(this->suites[i]);
1398 if (algs)
1399 {
1400 if (key == KEY_ANY || key == algs->key ||
1401 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1402 (algs->key == KEY_ECDSA && key == KEY_ED448))
1403 {
1404 if (create_ciphers(this, algs))
1405 {
1406 this->suite = this->suites[i];
1407 return this->suite;
1408 }
1409 }
1410 }
1411 }
1412 }
1413 }
1414 return 0;
1415 }
1416
1417 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1418 private_tls_crypto_t *this)
1419 {
1420 suite_algs_t *algs;
1421
1422 algs = find_suite(this->suite);
1423 if (algs)
1424 {
1425 return algs->dh;
1426 }
1427 return MODP_NONE;
1428 }
1429
1430 /**
1431 * Parameters for RSA/PSS signature schemes
1432 */
1433 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1434 .hash = HASH_SHA##bits, \
1435 .mgf1_hash = HASH_SHA##bits, \
1436 .salt_len = HASH_SIZE_SHA##bits, \
1437 }
1438
1439 PSS_PARAMS(256);
1440 PSS_PARAMS(384);
1441 PSS_PARAMS(512);
1442
1443 /**
1444 * Map TLS signature schemes, ordered by preference
1445 */
1446 static struct {
1447 tls_signature_scheme_t sig;
1448 signature_params_t params;
1449 /* min/max versions for use in CertificateVerify */
1450 tls_version_t min_version;
1451 tls_version_t max_version;
1452 } schemes[] = {
1453 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1454 TLS_1_0, TLS_1_3 },
1455 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1456 TLS_1_0, TLS_1_3 },
1457 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1458 TLS_1_0, TLS_1_3 },
1459 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1460 TLS_1_0, TLS_1_3 },
1461 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1462 TLS_1_0, TLS_1_3 },
1463 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1464 TLS_1_2, TLS_1_3 },
1465 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1466 TLS_1_2, TLS_1_3 },
1467 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1468 TLS_1_2, TLS_1_3 },
1469 /* the parameters for the next three should actually be taken from the
1470 * public key, we currently don't have an API for that, so assume defaults */
1471 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1472 TLS_1_2, TLS_1_3 },
1473 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1474 TLS_1_2, TLS_1_3 },
1475 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1476 TLS_1_2, TLS_1_3 },
1477 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1478 TLS_1_0, TLS_1_2 },
1479 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1480 TLS_1_0, TLS_1_2 },
1481 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1482 TLS_1_0, TLS_1_2 },
1483 };
1484
1485 METHOD(tls_crypto_t, get_signature_algorithms, void,
1486 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1487 {
1488 bio_writer_t *supported;
1489 tls_version_t min_version, max_version;
1490 int i;
1491
1492 supported = bio_writer_create(32);
1493
1494 if (!cert)
1495 {
1496 min_version = this->tls->get_version_min(this->tls);
1497 max_version = this->tls->get_version_max(this->tls);
1498 }
1499
1500 for (i = 0; i < countof(schemes); i++)
1501 {
1502 if ((cert || (schemes[i].min_version <= max_version &&
1503 schemes[i].max_version >= min_version)) &&
1504 lib->plugins->has_feature(lib->plugins,
1505 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1506 {
1507 supported->write_uint16(supported, schemes[i].sig);
1508 }
1509 }
1510
1511 writer->write_data16(writer, supported->get_buf(supported));
1512 supported->destroy(supported);
1513 }
1514
1515 /**
1516 * Get the signature parameters from a TLS signature scheme
1517 */
1518 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1519 bool sign)
1520 {
1521 int i;
1522
1523 for (i = 0; i < countof(schemes); i++)
1524 {
1525 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1526 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1527 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1528 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1529 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1530 {
1531 continue;
1532 }
1533 if (schemes[i].sig == sig)
1534 {
1535 return &schemes[i].params;
1536 }
1537 }
1538 return NULL;
1539 }
1540
1541 /**
1542 * Mapping groups to TLS named curves
1543 */
1544 static struct {
1545 diffie_hellman_group_t group;
1546 tls_named_group_t curve;
1547 } curves[] = {
1548 { ECP_256_BIT, TLS_SECP256R1},
1549 { ECP_384_BIT, TLS_SECP384R1},
1550 { ECP_521_BIT, TLS_SECP521R1},
1551 { ECP_224_BIT, TLS_SECP224R1},
1552 { ECP_192_BIT, TLS_SECP192R1},
1553 { CURVE_25519, TLS_CURVE25519},
1554 { CURVE_448, TLS_CURVE448},
1555 };
1556
1557 CALLBACK(group_filter, bool,
1558 void *null, enumerator_t *orig, va_list args)
1559 {
1560 diffie_hellman_group_t group, *group_out;
1561 tls_named_group_t curve, *curve_out;
1562 char *plugin;
1563
1564 VA_ARGS_VGET(args, group_out, curve_out);
1565
1566 while (orig->enumerate(orig, &group, &plugin))
1567 {
1568 curve = tls_ec_group_to_curve(group);
1569 if (curve)
1570 {
1571 if (group_out)
1572 {
1573 *group_out = group;
1574 }
1575 if (curve_out)
1576 {
1577 *curve_out = curve;
1578 }
1579 return TRUE;
1580 }
1581 }
1582 return FALSE;
1583 }
1584
1585 CALLBACK(config_filter, bool,
1586 void *null, enumerator_t *orig, va_list args)
1587 {
1588 diffie_hellman_group_t group, *group_out;
1589 tls_named_group_t curve, *curve_out;
1590
1591 VA_ARGS_VGET(args, group_out, curve_out);
1592
1593 while (orig->enumerate(orig, &group, &curve))
1594 {
1595 if (filter_curve_config(curve))
1596 {
1597 if (group_out)
1598 {
1599 *group_out = group;
1600 }
1601 if (curve_out)
1602 {
1603 *curve_out = curve;
1604 }
1605 return TRUE;
1606 }
1607 }
1608 return FALSE;
1609 }
1610
1611 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1612 private_tls_crypto_t *this)
1613 {
1614 return enumerator_create_filter(
1615 enumerator_create_filter(
1616 lib->crypto->create_dh_enumerator(lib->crypto),
1617 group_filter, NULL, NULL),
1618 config_filter, NULL, NULL);
1619 }
1620
1621 METHOD(tls_crypto_t, set_protection, void,
1622 private_tls_crypto_t *this, tls_protection_t *protection)
1623 {
1624 this->protection = protection;
1625 }
1626
1627 METHOD(tls_crypto_t, append_handshake, void,
1628 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1629 {
1630 uint32_t header;
1631
1632 /* reconstruct handshake header */
1633 header = htonl(data.len | (type << 24));
1634 this->handshake = chunk_cat("mcc", this->handshake,
1635 chunk_from_thing(header), data);
1636 }
1637
1638 /**
1639 * Create a hash using the suites HASH algorithm
1640 */
1641 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1642 {
1643 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1644 {
1645 hasher_t *hasher;
1646 suite_algs_t *alg;
1647
1648 alg = find_suite(this->suite);
1649 if (!alg)
1650 {
1651 return FALSE;
1652 }
1653 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1654 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1655 {
1656 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1657 DESTROY_IF(hasher);
1658 return FALSE;
1659 }
1660 hasher->destroy(hasher);
1661 }
1662 else
1663 {
1664 hasher_t *md5, *sha1;
1665 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1666
1667 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1668 if (!md5 || !md5->get_hash(md5, data, buf))
1669 {
1670 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1671 DESTROY_IF(md5);
1672 return FALSE;
1673 }
1674 md5->destroy(md5);
1675 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1676 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1677 {
1678 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1679 DESTROY_IF(sha1);
1680 return FALSE;
1681 }
1682 sha1->destroy(sha1);
1683
1684 *hash = chunk_clone(chunk_from_thing(buf));
1685 }
1686 return TRUE;
1687 }
1688
1689 METHOD(tls_crypto_t, hash_handshake, bool,
1690 private_tls_crypto_t *this, chunk_t *out)
1691 {
1692 chunk_t hash;
1693
1694 if (!hash_data(this, this->handshake, &hash))
1695 {
1696 return FALSE;
1697 }
1698
1699 chunk_free(&this->handshake);
1700 append_handshake(this, TLS_MESSAGE_HASH, hash);
1701
1702 if (out)
1703 {
1704 *out = hash;
1705 }
1706 else
1707 {
1708 free(hash.ptr);
1709 }
1710 return TRUE;
1711 }
1712
1713 /**
1714 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1715 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1716 */
1717 static chunk_t tls13_sig_data_server = chunk_from_chars(
1718 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1719 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1720 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1721 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1722 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1723 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1724 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1725 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1726 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1727 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1728 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1729 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1730 0x79, 0x00,
1731 );
1732
1733 /**
1734 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1735 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1736 */
1737 static chunk_t tls13_sig_data_client = chunk_from_chars(
1738 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1739 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1740 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1741 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1742 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1743 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1744 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1745 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1746 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1747 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1748 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1749 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1750 0x79, 0x00,
1751 );
1752
1753 METHOD(tls_crypto_t, sign, bool,
1754 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1755 chunk_t data, chunk_t hashsig)
1756 {
1757 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1758 {
1759 /* fallback to SHA1/RSA and SHA1/ECDSA */
1760 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1761 signature_params_t *params;
1762 key_type_t type;
1763 uint16_t scheme;
1764 bio_reader_t *reader;
1765 chunk_t sig;
1766 bool done = FALSE;
1767
1768 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1769 {
1770 chunk_t transcript_hash;
1771
1772 if (!hash_data(this, data, &transcript_hash))
1773 {
1774 DBG1(DBG_TLS, "unable to create transcript hash");
1775 return FALSE;
1776 }
1777 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1778 }
1779
1780 if (!hashsig.len)
1781 { /* fallback if none given */
1782 hashsig = hashsig_def;
1783 }
1784 type = key->get_type(key);
1785 reader = bio_reader_create(hashsig);
1786 while (reader->remaining(reader) >= 2)
1787 {
1788 if (reader->read_uint16(reader, &scheme))
1789 {
1790 params = params_for_scheme(scheme, TRUE);
1791 if (params &&
1792 type == key_type_from_signature_scheme(params->scheme) &&
1793 key->sign(key, params->scheme, params->params, data, &sig))
1794 {
1795 done = TRUE;
1796 break;
1797 }
1798 }
1799 }
1800 reader->destroy(reader);
1801 if (!done)
1802 {
1803 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1804 return FALSE;
1805 }
1806 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1807 scheme);
1808 writer->write_uint16(writer, scheme);
1809 writer->write_data16(writer, sig);
1810 free(sig.ptr);
1811 }
1812 else
1813 {
1814 chunk_t sig, hash;
1815 bool done;
1816
1817 switch (key->get_type(key))
1818 {
1819 case KEY_RSA:
1820 if (!hash_data(this, data, &hash))
1821 {
1822 return FALSE;
1823 }
1824 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1825 &sig);
1826 free(hash.ptr);
1827 if (!done)
1828 {
1829 return FALSE;
1830 }
1831 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1832 break;
1833 case KEY_ECDSA:
1834 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1835 {
1836 return FALSE;
1837 }
1838 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1839 break;
1840 case KEY_ED25519:
1841 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1842 {
1843 return FALSE;
1844 }
1845 DBG2(DBG_TLS, "created signature with Ed25519");
1846 break;
1847 case KEY_ED448:
1848 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1849 {
1850 return FALSE;
1851 }
1852 DBG2(DBG_TLS, "created signature with Ed448");
1853 break;
1854 default:
1855 return FALSE;
1856 }
1857 writer->write_data16(writer, sig);
1858 free(sig.ptr);
1859 }
1860 return TRUE;
1861 }
1862
1863 METHOD(tls_crypto_t, verify, bool,
1864 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1865 chunk_t data)
1866 {
1867 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1868 {
1869 signature_params_t *params;
1870 uint16_t scheme;
1871 chunk_t sig;
1872
1873 if (!reader->read_uint16(reader, &scheme) ||
1874 !reader->read_data16(reader, &sig))
1875 {
1876 DBG1(DBG_TLS, "received invalid signature");
1877 return FALSE;
1878 }
1879 params = params_for_scheme(scheme, FALSE);
1880 if (!params)
1881 {
1882 DBG1(DBG_TLS, "signature algorithms %N not supported",
1883 tls_signature_scheme_names, scheme);
1884 return FALSE;
1885 }
1886 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1887 {
1888 chunk_t transcript_hash;
1889
1890 if (!hash_data(this, data, &transcript_hash))
1891 {
1892 DBG1(DBG_TLS, "Unable to create transcript hash");
1893 return FALSE;
1894 }
1895
1896 if (this->tls->is_server(this->tls))
1897 {
1898 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1899 }
1900 else
1901 {
1902 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1903 }
1904 }
1905 if (!key->verify(key, params->scheme, params->params, data, sig))
1906 {
1907 DBG1(DBG_TLS, "signature verification with %N failed",
1908 tls_signature_scheme_names, scheme);
1909 return FALSE;
1910 }
1911 DBG2(DBG_TLS, "verified signature with %N",
1912 tls_signature_scheme_names, scheme);
1913 }
1914 else
1915 {
1916 chunk_t sig, hash;
1917 bool done;
1918
1919 if (!reader->read_data16(reader, &sig))
1920 {
1921 DBG1(DBG_TLS, "received invalid signature");
1922 return FALSE;
1923 }
1924 switch (key->get_type(key))
1925 {
1926 case KEY_RSA:
1927 if (!hash_data(this, data, &hash))
1928 {
1929 return FALSE;
1930 }
1931 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1932 sig);
1933 free(hash.ptr);
1934 if (!done)
1935 {
1936 return FALSE;
1937 }
1938 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1939 break;
1940 case KEY_ECDSA:
1941 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1942 sig))
1943 {
1944 return FALSE;
1945 }
1946 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1947 break;
1948 case KEY_ED25519:
1949 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1950 {
1951 return FALSE;
1952 }
1953 DBG2(DBG_TLS, "verified signature with Ed25519");
1954 break;
1955 case KEY_ED448:
1956 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1957 {
1958 return FALSE;
1959 }
1960 DBG2(DBG_TLS, "verified signature with Ed448");
1961 break;
1962 default:
1963 return FALSE;
1964 }
1965 }
1966 return TRUE;
1967 }
1968
1969 METHOD(tls_crypto_t, sign_handshake, bool,
1970 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1971 chunk_t hashsig)
1972 {
1973 return sign(this, key, writer, this->handshake, hashsig);
1974 }
1975
1976 METHOD(tls_crypto_t, verify_handshake, bool,
1977 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1978 {
1979 return verify(this, key, reader, this->handshake);
1980 }
1981
1982 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1983 private_tls_crypto_t *this, char *label, char out[12])
1984 {
1985 chunk_t seed;
1986
1987 if (!this->prf)
1988 {
1989 return FALSE;
1990 }
1991 if (!hash_data(this, this->handshake, &seed))
1992 {
1993 return FALSE;
1994 }
1995 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1996 {
1997 free(seed.ptr);
1998 return FALSE;
1999 }
2000 free(seed.ptr);
2001 return TRUE;
2002 }
2003
2004 METHOD(tls_crypto_t, calculate_finished, bool,
2005 private_tls_crypto_t *this, bool server, chunk_t *out)
2006 {
2007 chunk_t finished_key, finished_hash;
2008
2009 if (!this->hkdf)
2010 {
2011 return FALSE;
2012 }
2013 if (!hash_data(this, this->handshake, &finished_hash))
2014 {
2015 DBG1(DBG_TLS, "creating hash of handshake failed");
2016 return FALSE;
2017 }
2018 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2019 {
2020 DBG1(DBG_TLS, "generating finished key failed");
2021 chunk_clear(&finished_hash);
2022 return FALSE;
2023 }
2024 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2025 {
2026 DBG1(DBG_TLS, "generating finished HMAC failed");
2027 chunk_clear(&finished_key);
2028 chunk_clear(&finished_hash);
2029 return FALSE;
2030 }
2031 chunk_clear(&finished_key);
2032 chunk_clear(&finished_hash);
2033 return TRUE;
2034 }
2035
2036 /**
2037 * Derive master secret from premaster, optionally save session
2038 */
2039 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2040 chunk_t session, identification_t *id,
2041 chunk_t client_random, chunk_t server_random)
2042 {
2043 char master[48];
2044 chunk_t seed;
2045
2046 /* derive master secret */
2047 seed = chunk_cata("cc", client_random, server_random);
2048
2049 if (!this->prf->set_key(this->prf, premaster) ||
2050 !this->prf->get_bytes(this->prf, "master secret", seed,
2051 sizeof(master), master) ||
2052 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2053 {
2054 return FALSE;
2055 }
2056
2057 if (this->cache && session.len)
2058 {
2059 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2060 this->suite);
2061 }
2062 memwipe(master, sizeof(master));
2063 return TRUE;
2064 }
2065
2066 /**
2067 * Expand key material from master secret
2068 */
2069 static bool expand_keys(private_tls_crypto_t *this,
2070 chunk_t client_random, chunk_t server_random)
2071 {
2072 chunk_t seed, block;
2073 chunk_t cw_mac, cw, cw_iv;
2074 chunk_t sw_mac, sw, sw_iv;
2075 int mklen, eklen, ivlen;
2076
2077 if (!this->aead_in || !this->aead_out)
2078 {
2079 return FALSE;
2080 }
2081
2082 /* derive key block for key expansion */
2083 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2084 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2085 ivlen = this->aead_in->get_iv_size(this->aead_in);
2086 seed = chunk_cata("cc", server_random, client_random);
2087 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2088 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2089 block.len, block.ptr))
2090 {
2091 return FALSE;
2092 }
2093
2094 /* client/server write signer keys */
2095 cw_mac = chunk_create(block.ptr, mklen);
2096 block = chunk_skip(block, mklen);
2097 sw_mac = chunk_create(block.ptr, mklen);
2098 block = chunk_skip(block, mklen);
2099
2100 /* client/server write encryption keys */
2101 cw = chunk_create(block.ptr, eklen);
2102 block = chunk_skip(block, eklen);
2103 sw = chunk_create(block.ptr, eklen);
2104 block = chunk_skip(block, eklen);
2105
2106 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2107 cw_iv = chunk_create(block.ptr, ivlen);
2108 block = chunk_skip(block, ivlen);
2109 sw_iv = chunk_create(block.ptr, ivlen);
2110 block = chunk_skip(block, ivlen);
2111
2112 if (this->tls->is_server(this->tls))
2113 {
2114 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2115 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2116 {
2117 return FALSE;
2118 }
2119 }
2120 else
2121 {
2122 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2123 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2124 {
2125 return FALSE;
2126 }
2127 }
2128
2129 /* EAP-MSK */
2130 if (this->msk_label)
2131 {
2132 seed = chunk_cata("cc", client_random, server_random);
2133 this->msk = chunk_alloc(64);
2134 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2135 this->msk.len, this->msk.ptr))
2136 {
2137 return FALSE;
2138 }
2139 }
2140 return TRUE;
2141 }
2142
2143 METHOD(tls_crypto_t, derive_secrets, bool,
2144 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2145 identification_t *id, chunk_t client_random, chunk_t server_random)
2146 {
2147 return derive_master(this, premaster, session, id,
2148 client_random, server_random) &&
2149 expand_keys(this, client_random, server_random);
2150 }
2151
2152 /**
2153 * Derive and configure the client/server key/IV on an AEAD using a given label.
2154 */
2155 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2156 tls_hkdf_label_t label, tls_aead_t *aead)
2157 {
2158 chunk_t key = chunk_empty, iv = chunk_empty;
2159 bool success = FALSE;
2160
2161 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2162 NULL) ||
2163 !this->hkdf->derive_key(this->hkdf, server,
2164 aead->get_encr_key_size(aead), &key) ||
2165 !this->hkdf->derive_iv(this->hkdf, server,
2166 aead->get_iv_size(aead), &iv))
2167 {
2168 DBG1(DBG_TLS, "deriving key material failed");
2169 goto out;
2170 }
2171
2172 if (!aead->set_keys(aead, chunk_empty, key, iv))
2173 {
2174 DBG1(DBG_TLS, "setting AEAD key material failed");
2175 goto out;
2176 }
2177 success = TRUE;
2178
2179 out:
2180 chunk_clear(&key);
2181 chunk_clear(&iv);
2182 return success;
2183 }
2184
2185 /**
2186 * Derive and configure the keys/IVs using the given labels.
2187 */
2188 static bool derive_labeled_keys(private_tls_crypto_t *this,
2189 tls_hkdf_label_t client_label,
2190 tls_hkdf_label_t server_label)
2191 {
2192 tls_aead_t *aead_c, *aead_s;
2193 suite_algs_t *algs;
2194
2195 algs = find_suite(this->suite);
2196 destroy_aeads(this);
2197 if (!create_aead(this, algs))
2198 {
2199 return FALSE;
2200 }
2201 aead_c = this->aead_out;
2202 aead_s = this->aead_in;
2203 if (this->tls->is_server(this->tls))
2204 {
2205 aead_c = this->aead_in;
2206 aead_s = this->aead_out;
2207 }
2208 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2209 derive_labeled_key(this, TRUE, server_label, aead_s);
2210 }
2211
2212 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2213 private_tls_crypto_t *this, chunk_t shared_secret)
2214 {
2215 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2216 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2217 TLS_HKDF_S_HS_TRAFFIC);
2218 }
2219
2220 METHOD(tls_crypto_t, derive_app_keys, bool,
2221 private_tls_crypto_t *this)
2222 {
2223 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2224 TLS_HKDF_S_AP_TRAFFIC))
2225 {
2226 return FALSE;
2227 }
2228
2229 /* EAP-MSK */
2230 if (this->msk_label)
2231 {
2232 /* because the length is encoded when expanding key material, we
2233 * request the same number of bytes as FreeRADIUS (the first 64 for
2234 * the MSK, the next for the EMSK, which we just ignore) */
2235 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2236 this->handshake, 128, &this->msk))
2237 {
2238 return FALSE;
2239 }
2240 this->msk.len = 64;
2241 }
2242 return TRUE;
2243 }
2244
2245 METHOD(tls_crypto_t, update_app_keys, bool,
2246 private_tls_crypto_t *this, bool inbound)
2247 {
2248 suite_algs_t *algs;
2249 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2250
2251 algs = find_suite(this->suite);
2252 destroy_aeads(this);
2253 if (!create_aead(this, algs))
2254 {
2255 return FALSE;
2256 }
2257 if (this->tls->is_server(this->tls) != inbound)
2258 {
2259 label = TLS_HKDF_UPD_S_TRAFFIC;
2260 }
2261 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2262 inbound ? this->aead_in : this->aead_out);
2263 }
2264
2265 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2266 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2267 chunk_t client_random, chunk_t server_random)
2268 {
2269 chunk_t master;
2270
2271 if (this->cache && session.len)
2272 {
2273 this->suite = this->cache->lookup(this->cache, session, id, &master);
2274 if (this->suite)
2275 {
2276 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2277 if (this->suite)
2278 {
2279 if (!this->prf->set_key(this->prf, master) ||
2280 !expand_keys(this, client_random, server_random))
2281 {
2282 this->suite = 0;
2283 }
2284 }
2285 chunk_clear(&master);
2286 }
2287 return this->suite;
2288 }
2289 return 0;
2290 }
2291
2292 METHOD(tls_crypto_t, get_session, chunk_t,
2293 private_tls_crypto_t *this, identification_t *server)
2294 {
2295 if (this->cache)
2296 {
2297 return this->cache->check(this->cache, server);
2298 }
2299 return chunk_empty;
2300 }
2301
2302 METHOD(tls_crypto_t, change_cipher, void,
2303 private_tls_crypto_t *this, bool inbound)
2304 {
2305 if (this->protection)
2306 {
2307 if (inbound)
2308 {
2309 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2310 this->aead_in = NULL;
2311 }
2312 else
2313 {
2314 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2315 this->aead_out = NULL;
2316 }
2317 }
2318 }
2319
2320 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2321 private_tls_crypto_t *this)
2322 {
2323 return this->msk;
2324 }
2325
2326 METHOD(tls_crypto_t, destroy, void,
2327 private_tls_crypto_t *this)
2328 {
2329 destroy_aeads(this);
2330 free(this->handshake.ptr);
2331 free(this->msk.ptr);
2332 DESTROY_IF(this->prf);
2333 DESTROY_IF(this->hkdf);
2334 free(this->suites);
2335 free(this);
2336 }
2337
2338 /**
2339 * See header
2340 */
2341 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2342 {
2343 private_tls_crypto_t *this;
2344 enumerator_t *enumerator;
2345 credential_type_t type;
2346 int subtype;
2347
2348 INIT(this,
2349 .public = {
2350 .get_cipher_suites = _get_cipher_suites,
2351 .select_cipher_suite = _select_cipher_suite,
2352 .get_dh_group = _get_dh_group,
2353 .get_signature_algorithms = _get_signature_algorithms,
2354 .create_ec_enumerator = _create_ec_enumerator,
2355 .set_protection = _set_protection,
2356 .append_handshake = _append_handshake,
2357 .hash_handshake = _hash_handshake,
2358 .sign = _sign,
2359 .verify = _verify,
2360 .sign_handshake = _sign_handshake,
2361 .verify_handshake = _verify_handshake,
2362 .calculate_finished_legacy = _calculate_finished_legacy,
2363 .calculate_finished = _calculate_finished,
2364 .derive_secrets = _derive_secrets,
2365 .derive_handshake_keys = _derive_handshake_keys,
2366 .derive_app_keys = _derive_app_keys,
2367 .update_app_keys = _update_app_keys,
2368 .resume_session = _resume_session,
2369 .get_session = _get_session,
2370 .change_cipher = _change_cipher,
2371 .get_eap_msk = _get_eap_msk,
2372 .destroy = _destroy,
2373 },
2374 .tls = tls,
2375 .cache = cache,
2376 );
2377
2378 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2379 * separation would be welcome. */
2380 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2381 while (enumerator->enumerate(enumerator, &type, &subtype))
2382 {
2383 if (type == CRED_PUBLIC_KEY)
2384 {
2385 switch (subtype)
2386 {
2387 case KEY_RSA:
2388 this->rsa = TRUE;
2389 break;
2390 case KEY_ECDSA:
2391 case KEY_ED25519:
2392 case KEY_ED448:
2393 this->ecdsa = TRUE;
2394 break;
2395 default:
2396 break;
2397 }
2398 }
2399 }
2400 enumerator->destroy(enumerator);
2401
2402 switch (tls->get_purpose(tls))
2403 {
2404 case TLS_PURPOSE_EAP_TLS:
2405 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2406 this->msk_label = "client EAP encryption";
2407 break;
2408 case TLS_PURPOSE_EAP_PEAP:
2409 this->msk_label = "client EAP encryption";
2410 break;
2411 case TLS_PURPOSE_EAP_TTLS:
2412 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2413 this->msk_label = "ttls keying material";
2414 break;
2415 default:
2416 break;
2417 }
2418 return &this->public;
2419 }
2420
2421 /**
2422 * See header.
2423 */
2424 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2425 tls_cipher_suite_t **out)
2426 {
2427 suite_algs_t suites[countof(suite_algs)];
2428 int count = 0, i;
2429
2430 /* initialize copy of suite list */
2431 for (i = 0; i < countof(suite_algs); i++)
2432 {
2433 if (suite_algs[i].min_version <= version &&
2434 suite_algs[i].max_version >= version)
2435 {
2436 suites[count++] = suite_algs[i];
2437 }
2438 }
2439
2440 filter_unsupported_suites(suites, &count);
2441
2442 if (!null)
2443 {
2444 filter_null_suites(suites, &count);
2445 }
2446
2447 if (out)
2448 {
2449 *out = calloc(count, sizeof(tls_cipher_suite_t));
2450 for (i = 0; i < count; i++)
2451 {
2452 (*out)[i] = suites[i].suite;
2453 }
2454 }
2455 return count;
2456 }
2457
2458 /**
2459 * See header.
2460 */
2461 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2462 {
2463 enumerator_t *enumerator;
2464 diffie_hellman_group_t groups[countof(curves)];
2465 diffie_hellman_group_t group;
2466 tls_named_group_t curve;
2467 int count = 0, i;
2468
2469 enumerator = enumerator_create_filter(
2470 lib->crypto->create_dh_enumerator(lib->crypto),
2471 group_filter, NULL, NULL);
2472
2473 while (enumerator->enumerate(enumerator, &group, &curve))
2474 {
2475 groups[count++] = group;
2476 }
2477 enumerator->destroy(enumerator);
2478
2479 if (out)
2480 {
2481 *out = calloc(count, sizeof(diffie_hellman_group_t));
2482 for (i = 0; i < count; i++)
2483 {
2484 (*out)[i] = groups[i];
2485 }
2486 }
2487 return count;
2488 }
2489
2490 /**
2491 * See header.
2492 */
2493 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2494 {
2495 int i;
2496
2497 for (i = 0; i < countof(curves); i++)
2498 {
2499 if (curves[i].group == group)
2500 {
2501 return curves[i].curve;
2502 }
2503 }
2504 return 0;
2505 }
2506
2507 /**
2508 * See header.
2509 */
2510 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2511 {
2512 int i;
2513
2514 for (i = 0; i < countof(schemes); i++)
2515 {
2516 if (schemes[i].sig == sig)
2517 {
2518 return key_type_from_signature_scheme(schemes[i].params.scheme);
2519 }
2520 }
2521 return 0;
2522 }
2523
2524 /**
2525 * Hashtable hash function
2526 */
2527 static u_int hash_key_type(key_type_t *type)
2528 {
2529 return chunk_hash(chunk_from_thing(*type));
2530 }
2531
2532 /**
2533 * Hashtable equals function
2534 */
2535 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2536 {
2537 return *key1 == *key2;
2538 }
2539
2540 CALLBACK(filter_key_types, bool,
2541 void *data, enumerator_t *orig, va_list args)
2542 {
2543 key_type_t *key_type, *out;
2544
2545 VA_ARGS_VGET(args, out);
2546
2547 if (orig->enumerate(orig, NULL, &key_type))
2548 {
2549 *out = *key_type;
2550 return TRUE;
2551 }
2552 return FALSE;
2553 }
2554
2555 CALLBACK(destroy_key_types, void,
2556 hashtable_t *ht)
2557 {
2558 ht->destroy_function(ht, (void*)free);
2559 }
2560
2561 /*
2562 * See header.
2563 */
2564 enumerator_t *tls_get_supported_key_types(tls_version_t min_version,
2565 tls_version_t max_version)
2566 {
2567 hashtable_t *ht;
2568 key_type_t *type, lookup;
2569 int i;
2570
2571 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2572 (hashtable_equals_t)equals_key_type, 4);
2573 for (i = 0; i < countof(schemes); i++)
2574 {
2575 if (schemes[i].min_version <= max_version &&
2576 schemes[i].max_version >= min_version)
2577 {
2578 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2579 if (!ht->get(ht, &lookup))
2580 {
2581 type = malloc_thing(key_type_t);
2582 *type = lookup;
2583 ht->put(ht, type, type);
2584 }
2585 }
2586 }
2587 return enumerator_create_filter(ht->create_enumerator(ht),
2588 filter_key_types, ht, destroy_key_types);
2589 }