tls-crypto: Don't filter suites with specific ECDH group if any is available
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
28
29 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
187 TLS_AES_128_CCM_8_SHA256,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384,
196 TLS_AES_128_CCM_8_SHA256,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
263
264
265 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
266 "NONE",
267 "MD5",
268 "SHA1",
269 "SHA224",
270 "SHA256",
271 "SHA384",
272 "SHA512",
273 );
274
275 ENUM_BEGIN(tls_signature_scheme_names,
276 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
277 "RSA_PKCS1_SHA1");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
280 "ECDSA_SHA1");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
283 "RSA_PKCS1_SHA224",
284 "DSA_SHA224",
285 "ECDSA_SHA224");
286 ENUM_NEXT(tls_signature_scheme_names,
287 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
288 "RSA_PKCS1_SHA256",
289 "DSA_SHA256",
290 "ECDSA_SHA256");
291 ENUM_NEXT(tls_signature_scheme_names,
292 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
293 "RSA_PKCS1_SHA384",
294 "DSA_SHA384",
295 "ECDSA_SHA384");
296 ENUM_NEXT(tls_signature_scheme_names,
297 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
298 "RSA_PKCS1_SHA512",
299 "DSA_SHA512",
300 "ECDSA_SHA512");
301 ENUM_NEXT(tls_signature_scheme_names,
302 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
306 "ED25519",
307 "ED448",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
311 );
312 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
313
314 ENUM_BEGIN(tls_client_certificate_type_names,
315 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
316 "RSA_SIGN",
317 "DSA_SIGN",
318 "RSA_FIXED_DH",
319 "DSS_FIXED_DH",
320 "RSA_EPHEMERAL_DH",
321 "DSS_EPHEMERAL_DH");
322 ENUM_NEXT(tls_client_certificate_type_names,
323 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
324 "FORTEZZA_DMS");
325 ENUM_NEXT(tls_client_certificate_type_names,
326 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
327 "ECDSA_SIGN",
328 "RSA_FIXED_ECDH",
329 "ECDSA_FIXED_ECDH");
330 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
331
332 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
333 "EXPLICIT_PRIME",
334 "EXPLICIT_CHAR2",
335 "NAMED_CURVE",
336 );
337
338 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
339 "SECT163K1",
340 "SECT163R1",
341 "SECT163R2",
342 "SECT193R1",
343 "SECT193R2",
344 "SECT233K1",
345 "SECT233R1",
346 "SECT239K1",
347 "SECT283K1",
348 "SECT283R1",
349 "SECT409K1",
350 "SECT409R1",
351 "SECT571K1",
352 "SECT571R1",
353 "SECP160K1",
354 "SECP160R1",
355 "SECP160R2",
356 "SECP192K1",
357 "SECP192R1",
358 "SECP224K1",
359 "SECP224R1",
360 "SECP256K1",
361 "SECP256R1",
362 "SECP384R1",
363 "SECP521R1",
364 );
365 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
366 "CURVE25519",
367 "CURVE448",
368 );
369 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
370 "FFDHE2048",
371 "FFDHE3072",
372 "FFDHE4096",
373 "FFDHE6144",
374 "FFDHE8192",
375 );
376 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
377
378 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
379 "compressed",
380 "compressed y",
381 "uncompressed",
382 "uncompressed y",
383 "hybrid",
384 "hybrid y",
385 );
386
387 ENUM(tls_ec_point_format_names,
388 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
389 "uncompressed",
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
392 );
393
394 typedef struct private_tls_crypto_t private_tls_crypto_t;
395
396 /**
397 * Private data of an tls_crypto_t object.
398 */
399 struct private_tls_crypto_t {
400
401 /**
402 * Public tls_crypto_t interface.
403 */
404 tls_crypto_t public;
405
406 /**
407 * Protection layer
408 */
409 tls_protection_t *protection;
410
411 /**
412 * List of supported/acceptable cipher suites
413 */
414 tls_cipher_suite_t *suites;
415
416 /**
417 * Number of supported suites
418 */
419 int suite_count;
420
421 /**
422 * HKDF for TLS 1.3
423 */
424 tls_hkdf_t *hkdf;
425
426 /**
427 * Selected cipher suite
428 */
429 tls_cipher_suite_t suite;
430
431 /**
432 * RSA supported?
433 */
434 bool rsa;
435
436 /**
437 * ECDSA supported?
438 */
439 bool ecdsa;
440
441 /**
442 * TLS context
443 */
444 tls_t *tls;
445
446 /**
447 * TLS session cache
448 */
449 tls_cache_t *cache;
450
451 /**
452 * All handshake data concatenated
453 */
454 chunk_t handshake;
455
456 /**
457 * Connection state TLS PRF
458 */
459 tls_prf_t *prf;
460
461 /**
462 * AEAD transform for inbound traffic
463 */
464 tls_aead_t *aead_in;
465
466 /**
467 * AEAD transform for outbound traffic
468 */
469 tls_aead_t *aead_out;
470
471 /**
472 * EAP-[T]TLS MSK
473 */
474 chunk_t msk;
475
476 /**
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
478 */
479 char *msk_label;
480 };
481
482 typedef struct {
483 tls_cipher_suite_t suite;
484 key_type_t key;
485 diffie_hellman_group_t dh;
486 hash_algorithm_t hash;
487 pseudo_random_function_t prf;
488 integrity_algorithm_t mac;
489 encryption_algorithm_t encr;
490 size_t encr_size;
491 tls_version_t min_version;
492 tls_version_t max_version;
493 } suite_algs_t;
494
495 /**
496 * Mapping suites to a set of algorithms
497 *
498 * The order represents the descending preference of cipher suites and follows
499 * this rule set:
500 *
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
503 * 3. AES256 > AES128
504 * 4. GCM > CBC
505 * 5. ECDHE > DHE > NULL
506 * 6. ECDSA > RSA
507 * 7. SHA384 > SHA256 > SHA1
508 *
509 */
510 static suite_algs_t suite_algs[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384,
514 KEY_ANY, MODP_NONE,
515 HASH_SHA384, PRF_UNDEFINED,
516 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
517 TLS_1_3, TLS_1_3,
518 },
519 { TLS_AES_128_GCM_SHA256,
520 KEY_ANY, MODP_NONE,
521 HASH_SHA256, PRF_UNDEFINED,
522 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
523 TLS_1_3, TLS_1_3,
524 },
525 { TLS_CHACHA20_POLY1305_SHA256,
526 KEY_ANY, MODP_NONE,
527 HASH_SHA256, PRF_UNDEFINED,
528 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
529 TLS_1_3, TLS_1_3,
530 },
531 { TLS_AES_128_CCM_SHA256,
532 KEY_ANY, MODP_NONE,
533 HASH_SHA256, PRF_UNDEFINED,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
535 TLS_1_3, TLS_1_3,
536 },
537 { TLS_AES_128_CCM_8_SHA256,
538 KEY_ANY, MODP_NONE,
539 HASH_SHA256, PRF_UNDEFINED,
540 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
541 TLS_1_3, TLS_1_3,
542 },
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
545 KEY_ECDSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
551 KEY_ECDSA, ECP_384_BIT,
552 HASH_SHA384, PRF_HMAC_SHA2_384,
553 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
557 KEY_ECDSA, ECP_384_BIT,
558 HASH_SHA256, PRF_HMAC_SHA2_256,
559 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
560 TLS_1_0, TLS_1_2,
561 },
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
563 KEY_ECDSA, ECP_256_BIT,
564 HASH_SHA256, PRF_HMAC_SHA2_256,
565 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
566 TLS_1_2, TLS_1_2,
567 },
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
575 KEY_ECDSA, ECP_256_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
578 TLS_1_0, TLS_1_2,
579 },
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
581 KEY_RSA, ECP_384_BIT,
582 HASH_SHA384, PRF_HMAC_SHA2_384,
583 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
587 KEY_RSA, ECP_384_BIT,
588 HASH_SHA384, PRF_HMAC_SHA2_384,
589 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
593 KEY_RSA, ECP_384_BIT,
594 HASH_SHA256, PRF_HMAC_SHA2_256,
595 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
596 TLS_1_0, TLS_1_2,
597 },
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
599 KEY_RSA, ECP_256_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
602 TLS_1_2, TLS_1_2,
603 },
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
605 KEY_RSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
611 KEY_RSA, ECP_256_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
614 TLS_1_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA384, PRF_HMAC_SHA2_384,
619 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
623 KEY_RSA, MODP_4096_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
626 TLS_1_2, TLS_1_2,
627 },
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
629 KEY_RSA, MODP_3072_BIT,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
635 KEY_RSA, MODP_4096_BIT,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
641 KEY_RSA, MODP_3072_BIT,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
647 KEY_RSA, MODP_3072_BIT,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
653 KEY_RSA, MODP_3072_BIT,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
659 KEY_RSA, MODP_2048_BIT,
660 HASH_SHA256,PRF_HMAC_SHA2_256,
661 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
662 SSL_3_0, TLS_1_2,
663 },
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
665 KEY_RSA, MODP_3072_BIT,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
668 TLS_1_2, TLS_1_2,
669 },
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
671 KEY_RSA, MODP_2048_BIT,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
674 SSL_3_0, TLS_1_2,
675 },
676 { TLS_RSA_WITH_AES_256_GCM_SHA384,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA384, PRF_HMAC_SHA2_384,
679 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
680 TLS_1_2, TLS_1_2,
681 },
682 { TLS_RSA_WITH_AES_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_RSA_WITH_AES_256_CBC_SHA,
689 KEY_RSA, MODP_NONE,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
692 SSL_3_0, TLS_1_2,
693 },
694 { TLS_RSA_WITH_AES_128_GCM_SHA256,
695 KEY_RSA, MODP_NONE,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
698 TLS_1_2, TLS_1_2,
699 },
700 { TLS_RSA_WITH_AES_128_CBC_SHA256,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
704 TLS_1_2, TLS_1_2,
705 },
706 { TLS_RSA_WITH_AES_128_CBC_SHA,
707 KEY_RSA, MODP_NONE,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
710 SSL_3_0, TLS_1_2,
711 },
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
713 KEY_RSA, MODP_NONE,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
716 TLS_1_2, TLS_1_2,
717 },
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
734 SSL_3_0, TLS_1_2,
735 },
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
737 KEY_ECDSA, ECP_256_BIT,
738 HASH_SHA256, PRF_HMAC_SHA2_256,
739 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
740 TLS_1_0, TLS_1_2,
741 },
742 { TLS_ECDHE_RSA_WITH_NULL_SHA,
743 KEY_ECDSA, ECP_256_BIT,
744 HASH_SHA256, PRF_HMAC_SHA2_256,
745 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
746 TLS_1_0, TLS_1_2,
747 },
748 { TLS_RSA_WITH_NULL_SHA256,
749 KEY_RSA, MODP_NONE,
750 HASH_SHA256, PRF_HMAC_SHA2_256,
751 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
752 TLS_1_2, TLS_1_2,
753 },
754 { TLS_RSA_WITH_NULL_SHA,
755 KEY_RSA, MODP_NONE,
756 HASH_SHA256, PRF_HMAC_SHA2_256,
757 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
758 SSL_3_0, TLS_1_2,
759 },
760 };
761
762 /**
763 * Look up algorithms by a suite
764 */
765 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
766 {
767 int i;
768
769 for (i = 0; i < countof(suite_algs); i++)
770 {
771 if (suite_algs[i].suite == suite)
772 {
773 return &suite_algs[i];
774 }
775 }
776 return NULL;
777 }
778
779 /**
780 * Filter a suite list using a transform enumerator
781 */
782 static void filter_suite(suite_algs_t suites[], int *count, int offset,
783 enumerator_t*(*create_enumerator)(crypto_factory_t*))
784 {
785 const char *plugin_name;
786 suite_algs_t current;
787 int *current_alg, i, remaining = 0;
788 enumerator_t *enumerator;
789
790 memset(&current, 0, sizeof(current));
791 current_alg = (int*)((char*)&current + offset);
792
793 for (i = 0; i < *count; i++)
794 {
795 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
796 encryption_algorithm_is_aead(suites[i].encr))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites[remaining] = suites[i];
799 remaining++;
800 continue;
801 }
802 if (create_enumerator == lib->crypto->create_aead_enumerator &&
803 !encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 enumerator = create_enumerator(lib->crypto);
810 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
811 {
812 if (current.encr && current.encr != suites[i].encr)
813 {
814 if (suites[i].encr != ENCR_NULL)
815 { /* skip, ENCR does not match nor is NULL */
816 continue;
817 }
818 }
819 if (current.mac && current.mac != suites[i].mac)
820 {
821 if (suites[i].mac != AUTH_UNDEFINED)
822 { /* skip, MAC does not match nor is it undefined */
823 continue;
824 }
825 }
826 if (current.prf && current.prf != suites[i].prf)
827 {
828 if (suites[i].prf != PRF_UNDEFINED)
829 {
830 /* skip, PRF does not match nor is it undefined */
831 continue;
832 }
833 }
834 if (current.hash && current.hash != suites[i].hash)
835 { /* skip, hash does not match */
836 continue;
837 }
838 if (current.dh && current.dh != suites[i].dh)
839 {
840 if (suites[i].dh != MODP_NONE &&
841 !(diffie_hellman_group_is_ec(current.dh) &&
842 diffie_hellman_group_is_ec(suites[i].dh)))
843 { /* skip DH group, does not match nor NONE nor both ECDH */
844 continue;
845 }
846 }
847 /* suite supported, apply */
848 suites[remaining] = suites[i];
849 remaining++;
850 break;
851 }
852 enumerator->destroy(enumerator);
853 }
854 *count = remaining;
855 }
856
857 /**
858 * Purge NULL encryption cipher suites from list
859 */
860 static void filter_null_suites(suite_algs_t suites[], int *count)
861 {
862 int i, remaining = 0;
863
864 for (i = 0; i < *count; i++)
865 {
866 if (suites[i].encr != ENCR_NULL)
867 {
868 suites[remaining] = suites[i];
869 remaining++;
870 }
871 }
872 *count = remaining;
873 }
874
875 /**
876 * Purge suites using a given key type
877 */
878 static void filter_key_suites(private_tls_crypto_t *this,
879 suite_algs_t suites[], int *count, key_type_t key)
880 {
881 int i, remaining = 0;
882
883 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
884 for (i = 0; i < *count; i++)
885 {
886 if (suites[i].key != key)
887 {
888 suites[remaining] = suites[i];
889 remaining++;
890 }
891 }
892 *count = remaining;
893 }
894
895 /**
896 * Filter suites by key exchange user config
897 */
898 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
899 suite_algs_t suites[], int *count)
900 {
901 enumerator_t *enumerator;
902 int i, remaining = 0;
903 char *token, *config;
904
905 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
906 lib->ns);
907 if (config)
908 {
909 for (i = 0; i < *count; i++)
910 {
911 enumerator = enumerator_create_token(config, ",", " ");
912 while (enumerator->enumerate(enumerator, &token))
913 {
914 if (strcaseeq(token, "ecdhe-ecdsa") &&
915 diffie_hellman_group_is_ec(suites[i].dh) &&
916 suites[i].key == KEY_ECDSA)
917 {
918 suites[remaining++] = suites[i];
919 break;
920 }
921 if (strcaseeq(token, "ecdhe-rsa") &&
922 diffie_hellman_group_is_ec(suites[i].dh) &&
923 suites[i].key == KEY_RSA)
924 {
925 suites[remaining++] = suites[i];
926 break;
927 }
928 if (strcaseeq(token, "dhe-rsa") &&
929 !diffie_hellman_group_is_ec(suites[i].dh) &&
930 suites[i].dh != MODP_NONE &&
931 suites[i].key == KEY_RSA)
932 {
933 suites[remaining++] = suites[i];
934 break;
935 }
936 if (strcaseeq(token, "rsa") &&
937 suites[i].dh == MODP_NONE &&
938 suites[i].key == KEY_RSA)
939 {
940 suites[remaining++] = suites[i];
941 break;
942 }
943 }
944 enumerator->destroy(enumerator);
945 }
946 *count = remaining;
947 }
948 }
949
950 /**
951 * Filter suites by cipher user config
952 */
953 static void filter_cipher_config_suites(private_tls_crypto_t *this,
954 suite_algs_t suites[], int *count)
955 {
956 enumerator_t *enumerator;
957 int i, remaining = 0;
958 char *token, *config;
959
960 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
961 lib->ns);
962 if (config)
963 {
964 for (i = 0; i < *count; i++)
965 {
966 enumerator = enumerator_create_token(config, ",", " ");
967 while (enumerator->enumerate(enumerator, &token))
968 {
969 if (strcaseeq(token, "aes128") &&
970 suites[i].encr == ENCR_AES_CBC &&
971 suites[i].encr_size == 16)
972 {
973 suites[remaining++] = suites[i];
974 break;
975 }
976 if (strcaseeq(token, "aes256") &&
977 suites[i].encr == ENCR_AES_CBC &&
978 suites[i].encr_size == 32)
979 {
980 suites[remaining++] = suites[i];
981 break;
982 }
983 if (strcaseeq(token, "aes128gcm") &&
984 suites[i].encr == ENCR_AES_GCM_ICV16 &&
985 suites[i].encr_size == 16)
986 {
987 suites[remaining++] = suites[i];
988 break;
989 }
990 if (strcaseeq(token, "aes256gcm") &&
991 suites[i].encr == ENCR_AES_GCM_ICV16 &&
992 suites[i].encr_size == 32)
993 {
994 suites[remaining++] = suites[i];
995 break;
996 }
997 if (strcaseeq(token, "camellia128") &&
998 suites[i].encr == ENCR_CAMELLIA_CBC &&
999 suites[i].encr_size == 16)
1000 {
1001 suites[remaining++] = suites[i];
1002 break;
1003 }
1004 if (strcaseeq(token, "camellia256") &&
1005 suites[i].encr == ENCR_CAMELLIA_CBC &&
1006 suites[i].encr_size == 32)
1007 {
1008 suites[remaining++] = suites[i];
1009 break;
1010 }
1011 if (strcaseeq(token, "null") &&
1012 suites[i].encr == ENCR_NULL)
1013 {
1014 suites[remaining++] = suites[i];
1015 break;
1016 }
1017 }
1018 enumerator->destroy(enumerator);
1019 }
1020 *count = remaining;
1021 }
1022 }
1023
1024 /**
1025 * Filter suites by mac user config
1026 */
1027 static void filter_mac_config_suites(private_tls_crypto_t *this,
1028 suite_algs_t suites[], int *count)
1029 {
1030 enumerator_t *enumerator;
1031 int i, remaining = 0;
1032 char *token, *config;
1033
1034 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1035 lib->ns);
1036 if (config)
1037 {
1038 for (i = 0; i < *count; i++)
1039 {
1040 enumerator = enumerator_create_token(config, ",", " ");
1041 while (enumerator->enumerate(enumerator, &token))
1042 {
1043 if (strcaseeq(token, "sha1") &&
1044 suites[i].mac == AUTH_HMAC_SHA1_160)
1045 {
1046 suites[remaining++] = suites[i];
1047 break;
1048 }
1049 if (strcaseeq(token, "sha256") &&
1050 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1051 {
1052 suites[remaining++] = suites[i];
1053 break;
1054 }
1055 if (strcaseeq(token, "sha384") &&
1056 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1057 {
1058 suites[remaining++] = suites[i];
1059 break;
1060 }
1061 }
1062 enumerator->destroy(enumerator);
1063 }
1064 *count = remaining;
1065 }
1066 }
1067
1068 /**
1069 * Filter for specific suites specified in strongswan.conf
1070 */
1071 static void filter_specific_config_suites(private_tls_crypto_t *this,
1072 suite_algs_t suites[], int *count)
1073 {
1074 enumerator_t *enumerator;
1075 int i, remaining = 0, suite;
1076 char *token, *config;
1077
1078 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1079 lib->ns);
1080 if (config)
1081 {
1082 for (i = 0; i < *count; i++)
1083 {
1084 enumerator = enumerator_create_token(config, ",", " ");
1085 while (enumerator->enumerate(enumerator, &token))
1086 {
1087 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1088 suite == suites[i].suite)
1089 {
1090 suites[remaining++] = suites[i];
1091 break;
1092 }
1093 }
1094 enumerator->destroy(enumerator);
1095 }
1096 *count = remaining;
1097 }
1098 }
1099
1100 /**
1101 * Filter key exchange curves by curve user config
1102 */
1103 static bool filter_curve_config(tls_named_group_t curve)
1104 {
1105 enumerator_t *enumerator;
1106 char *token, *config;
1107
1108 config = lib->settings->get_str(lib->settings, "%s.tls.ke_group", NULL,
1109 lib->ns);
1110 if (config)
1111 {
1112 enumerator = enumerator_create_token(config, ",", " ");
1113 while (enumerator->enumerate(enumerator, &token))
1114 {
1115 const proposal_token_t *tok;
1116
1117 tok = lib->proposal->get_token(lib->proposal, token);
1118 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1119 curve == tls_ec_group_to_curve(tok->algorithm))
1120 {
1121 enumerator->destroy(enumerator);
1122 return TRUE;
1123 }
1124 }
1125 enumerator->destroy(enumerator);
1126 }
1127 return !config;
1128 }
1129
1130 /**
1131 * Filter out unsupported suites on given suite array
1132 */
1133 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1134 {
1135 /* filter suite list by each algorithm */
1136 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1137 lib->crypto->create_aead_enumerator);
1138 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1139 lib->crypto->create_prf_enumerator);
1140 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1141 lib->crypto->create_crypter_enumerator);
1142 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1143 lib->crypto->create_signer_enumerator);
1144 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1145 lib->crypto->create_hasher_enumerator);
1146 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1147 lib->crypto->create_dh_enumerator);
1148 }
1149
1150 /**
1151 * Initialize the cipher suite list
1152 */
1153 static void build_cipher_suite_list(private_tls_crypto_t *this)
1154 {
1155 suite_algs_t suites[countof(suite_algs)];
1156 tls_version_t min_version, max_version, new_min_version, new_max_version;
1157 bool require_encryption;
1158 int count = 0, i;
1159
1160 switch (this->tls->get_purpose(this->tls))
1161 {
1162 case TLS_PURPOSE_EAP_TLS:
1163 case TLS_PURPOSE_GENERIC_NULLOK:
1164 require_encryption = FALSE;
1165 break;
1166 case TLS_PURPOSE_EAP_PEAP:
1167 case TLS_PURPOSE_EAP_TTLS:
1168 case TLS_PURPOSE_GENERIC:
1169 require_encryption = TRUE;
1170 break;
1171 default:
1172 return;
1173 }
1174
1175 min_version = this->tls->get_version_min(this->tls);
1176 max_version = this->tls->get_version_max(this->tls);
1177
1178 /* copy all suites appropriate for the current min/max versions */
1179 for (i = 0; i < countof(suite_algs); i++)
1180 {
1181 if (suite_algs[i].min_version <= max_version &&
1182 suite_algs[i].max_version >= min_version)
1183 {
1184 suites[count++] = suite_algs[i];
1185 }
1186 }
1187
1188 if (require_encryption)
1189 {
1190 filter_null_suites(suites, &count);
1191 }
1192 if (!this->rsa)
1193 {
1194 filter_key_suites(this, suites, &count, KEY_RSA);
1195 }
1196 if (!this->ecdsa)
1197 {
1198 filter_key_suites(this, suites, &count, KEY_ECDSA);
1199 }
1200
1201 filter_unsupported_suites(suites, &count);
1202
1203 /* filter suites with strongswan.conf options */
1204 filter_key_exchange_config_suites(this, suites, &count);
1205 filter_cipher_config_suites(this, suites, &count);
1206 filter_mac_config_suites(this, suites, &count);
1207 filter_specific_config_suites(this, suites, &count);
1208
1209 free(this->suites);
1210 this->suite_count = count;
1211 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1212
1213 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1214 new_min_version = max_version;
1215 new_max_version = min_version;
1216 for (i = 0; i < count; i++)
1217 {
1218 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1219 this->suites[i] = suites[i].suite;
1220
1221 /* set TLS min/max versions appropriate to the final cipher suites */
1222 new_max_version = max(new_max_version, suites[i].max_version);
1223 new_min_version = min(new_min_version, suites[i].min_version);
1224 }
1225 new_max_version = min(new_max_version, max_version);
1226 new_min_version = max(new_min_version, min_version);
1227
1228 if ((min_version != new_min_version || max_version != new_max_version) &&
1229 this->tls->set_version(this->tls, new_min_version, new_max_version))
1230 {
1231 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1232 tls_numeric_version_names, new_min_version,
1233 tls_numeric_version_names, new_max_version);
1234 }
1235 }
1236
1237 METHOD(tls_crypto_t, get_cipher_suites, int,
1238 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1239 {
1240 if (!this->suites)
1241 {
1242 build_cipher_suite_list(this);
1243 }
1244 if (suites)
1245 {
1246 *suites = this->suites;
1247 }
1248 return this->suite_count;
1249 }
1250
1251 /**
1252 * Create NULL encryption transforms
1253 */
1254 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1255 {
1256 this->aead_in = tls_aead_create_null(algs->mac);
1257 this->aead_out = tls_aead_create_null(algs->mac);
1258 if (!this->aead_in || !this->aead_out)
1259 {
1260 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1261 integrity_algorithm_names, algs->mac);
1262 return FALSE;
1263 }
1264 return TRUE;
1265 }
1266
1267 /**
1268 * Create traditional transforms
1269 */
1270 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1271 {
1272 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1273 {
1274 this->aead_in = tls_aead_create_implicit(algs->mac,
1275 algs->encr, algs->encr_size);
1276 this->aead_out = tls_aead_create_implicit(algs->mac,
1277 algs->encr, algs->encr_size);
1278 }
1279 else
1280 {
1281 this->aead_in = tls_aead_create_explicit(algs->mac,
1282 algs->encr, algs->encr_size);
1283 this->aead_out = tls_aead_create_explicit(algs->mac,
1284 algs->encr, algs->encr_size);
1285 }
1286 if (!this->aead_in || !this->aead_out)
1287 {
1288 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1289 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1290 integrity_algorithm_names, algs->mac);
1291 return FALSE;
1292 }
1293 return TRUE;
1294 }
1295
1296 /**
1297 * Create AEAD transforms
1298 */
1299 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1300 {
1301 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1302 {
1303 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1304 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1305 }
1306 else
1307 {
1308 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1309 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1310 }
1311 if (!this->aead_in || !this->aead_out)
1312 {
1313 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1314 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1315 return FALSE;
1316 }
1317 return TRUE;
1318 }
1319
1320 /**
1321 * Clean up and unset AEAD transforms
1322 */
1323 static void destroy_aeads(private_tls_crypto_t *this)
1324 {
1325 DESTROY_IF(this->aead_in);
1326 DESTROY_IF(this->aead_out);
1327 this->aead_in = this->aead_out = NULL;
1328 }
1329
1330 /**
1331 * Create crypto primitives
1332 */
1333 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1334 {
1335 destroy_aeads(this);
1336 DESTROY_IF(this->hkdf);
1337 DESTROY_IF(this->prf);
1338 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1339 {
1340 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1341 {
1342 this->prf = tls_prf_create_10();
1343 }
1344 else
1345 {
1346 this->prf = tls_prf_create_12(algs->prf);
1347 }
1348 if (!this->prf)
1349 {
1350 DBG1(DBG_TLS, "selected TLS PRF not supported");
1351 return FALSE;
1352 }
1353 }
1354 else
1355 {
1356 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1357 if (!this->hkdf)
1358 {
1359 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1360 return FALSE;
1361 }
1362 }
1363 if (algs->encr == ENCR_NULL)
1364 {
1365 if (create_null(this, algs))
1366 {
1367 return TRUE;
1368 }
1369 }
1370 else if (encryption_algorithm_is_aead(algs->encr))
1371 {
1372 if (create_aead(this, algs))
1373 {
1374 return TRUE;
1375 }
1376 }
1377 else
1378 {
1379 if (create_traditional(this, algs))
1380 {
1381 return TRUE;
1382 }
1383 }
1384 destroy_aeads(this);
1385 return FALSE;
1386 }
1387
1388 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1389 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1390 key_type_t key)
1391 {
1392 suite_algs_t *algs;
1393 int i, j;
1394
1395 for (i = 0; i < this->suite_count; i++)
1396 {
1397 for (j = 0; j < count; j++)
1398 {
1399 if (this->suites[i] == suites[j])
1400 {
1401 algs = find_suite(this->suites[i]);
1402 if (algs)
1403 {
1404 if (key == KEY_ANY || key == algs->key ||
1405 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1406 (algs->key == KEY_ECDSA && key == KEY_ED448))
1407 {
1408 if (create_ciphers(this, algs))
1409 {
1410 this->suite = this->suites[i];
1411 return this->suite;
1412 }
1413 }
1414 }
1415 }
1416 }
1417 }
1418 return 0;
1419 }
1420
1421 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1422 private_tls_crypto_t *this)
1423 {
1424 suite_algs_t *algs;
1425
1426 algs = find_suite(this->suite);
1427 if (algs)
1428 {
1429 return algs->dh;
1430 }
1431 return MODP_NONE;
1432 }
1433
1434 /**
1435 * Parameters for RSA/PSS signature schemes
1436 */
1437 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1438 .hash = HASH_SHA##bits, \
1439 .mgf1_hash = HASH_SHA##bits, \
1440 .salt_len = HASH_SIZE_SHA##bits, \
1441 }
1442
1443 PSS_PARAMS(256);
1444 PSS_PARAMS(384);
1445 PSS_PARAMS(512);
1446
1447 typedef struct {
1448 tls_signature_scheme_t sig;
1449 signature_params_t params;
1450 /* min/max versions for use in CertificateVerify */
1451 tls_version_t min_version;
1452 tls_version_t max_version;
1453 } scheme_algs_t;
1454
1455 /**
1456 * Map TLS signature schemes, ordered by preference
1457 */
1458 static scheme_algs_t schemes[] = {
1459 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1460 TLS_1_0, TLS_1_3 },
1461 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1462 TLS_1_0, TLS_1_3 },
1463 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1464 TLS_1_0, TLS_1_3 },
1465 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1466 TLS_1_0, TLS_1_3 },
1467 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1468 TLS_1_0, TLS_1_3 },
1469 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1470 TLS_1_2, TLS_1_3 },
1471 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1472 TLS_1_2, TLS_1_3 },
1473 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1474 TLS_1_2, TLS_1_3 },
1475 /* the parameters for the next three should actually be taken from the
1476 * public key, we currently don't have an API for that, so assume defaults */
1477 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1478 TLS_1_2, TLS_1_3 },
1479 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1480 TLS_1_2, TLS_1_3 },
1481 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1482 TLS_1_2, TLS_1_3 },
1483 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1484 TLS_1_0, TLS_1_2 },
1485 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1486 TLS_1_0, TLS_1_2 },
1487 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1488 TLS_1_0, TLS_1_2 },
1489 };
1490
1491 /**
1492 * Filter signature scheme config
1493 */
1494 static bool filter_signature_scheme_config(tls_signature_scheme_t signature)
1495 {
1496 enumerator_t *enumerator;
1497 char *token, *config;
1498
1499 config = lib->settings->get_str(lib->settings, "%s.tls.signature", NULL,
1500 lib->ns);
1501 if (config)
1502 {
1503 enumerator = enumerator_create_token(config, ",", " ");
1504 while (enumerator->enumerate(enumerator, &token))
1505 {
1506 tls_signature_scheme_t sig;
1507
1508 if (enum_from_name(tls_signature_scheme_names, token, &sig) &&
1509 sig == signature)
1510 {
1511 enumerator->destroy(enumerator);
1512 return TRUE;
1513 }
1514 }
1515 enumerator->destroy(enumerator);
1516 }
1517 return !config;
1518 }
1519
1520 METHOD(tls_crypto_t, get_signature_algorithms, void,
1521 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1522 {
1523 bio_writer_t *supported;
1524 tls_version_t min_version, max_version;
1525 int i;
1526
1527 supported = bio_writer_create(32);
1528
1529 if (!cert)
1530 {
1531 min_version = this->tls->get_version_min(this->tls);
1532 max_version = this->tls->get_version_max(this->tls);
1533 }
1534
1535 for (i = 0; i < countof(schemes); i++)
1536 {
1537 if ((cert || (schemes[i].min_version <= max_version &&
1538 schemes[i].max_version >= min_version)) &&
1539 lib->plugins->has_feature(lib->plugins,
1540 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)) &&
1541 filter_signature_scheme_config(schemes[i].sig))
1542 {
1543 supported->write_uint16(supported, schemes[i].sig);
1544 }
1545 }
1546
1547 writer->write_data16(writer, supported->get_buf(supported));
1548 supported->destroy(supported);
1549 }
1550
1551 /**
1552 * Get the signature parameters from a TLS signature scheme
1553 */
1554 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1555 bool sign)
1556 {
1557 int i;
1558
1559 for (i = 0; i < countof(schemes); i++)
1560 {
1561 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1562 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1563 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1564 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1565 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1566 {
1567 continue;
1568 }
1569 if (schemes[i].sig == sig)
1570 {
1571 return &schemes[i].params;
1572 }
1573 }
1574 return NULL;
1575 }
1576
1577 /**
1578 * Mapping groups to TLS named curves
1579 */
1580 static struct {
1581 diffie_hellman_group_t group;
1582 tls_named_group_t curve;
1583 } curves[] = {
1584 { ECP_256_BIT, TLS_SECP256R1},
1585 { ECP_384_BIT, TLS_SECP384R1},
1586 { ECP_521_BIT, TLS_SECP521R1},
1587 { ECP_224_BIT, TLS_SECP224R1},
1588 { ECP_192_BIT, TLS_SECP192R1},
1589 { CURVE_25519, TLS_CURVE25519},
1590 { CURVE_448, TLS_CURVE448},
1591 };
1592
1593 CALLBACK(group_filter, bool,
1594 void *null, enumerator_t *orig, va_list args)
1595 {
1596 diffie_hellman_group_t group, *group_out;
1597 tls_named_group_t curve, *curve_out;
1598 char *plugin;
1599
1600 VA_ARGS_VGET(args, group_out, curve_out);
1601
1602 while (orig->enumerate(orig, &group, &plugin))
1603 {
1604 curve = tls_ec_group_to_curve(group);
1605 if (curve)
1606 {
1607 if (group_out)
1608 {
1609 *group_out = group;
1610 }
1611 if (curve_out)
1612 {
1613 *curve_out = curve;
1614 }
1615 return TRUE;
1616 }
1617 }
1618 return FALSE;
1619 }
1620
1621 CALLBACK(config_filter, bool,
1622 void *null, enumerator_t *orig, va_list args)
1623 {
1624 diffie_hellman_group_t group, *group_out;
1625 tls_named_group_t curve, *curve_out;
1626
1627 VA_ARGS_VGET(args, group_out, curve_out);
1628
1629 while (orig->enumerate(orig, &group, &curve))
1630 {
1631 if (filter_curve_config(curve))
1632 {
1633 if (group_out)
1634 {
1635 *group_out = group;
1636 }
1637 if (curve_out)
1638 {
1639 *curve_out = curve;
1640 }
1641 return TRUE;
1642 }
1643 }
1644 return FALSE;
1645 }
1646
1647 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1648 private_tls_crypto_t *this)
1649 {
1650 return enumerator_create_filter(
1651 enumerator_create_filter(
1652 lib->crypto->create_dh_enumerator(lib->crypto),
1653 group_filter, NULL, NULL),
1654 config_filter, NULL, NULL);
1655 }
1656
1657 METHOD(tls_crypto_t, set_protection, void,
1658 private_tls_crypto_t *this, tls_protection_t *protection)
1659 {
1660 this->protection = protection;
1661 }
1662
1663 METHOD(tls_crypto_t, append_handshake, void,
1664 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1665 {
1666 uint32_t header;
1667
1668 /* reconstruct handshake header */
1669 header = htonl(data.len | (type << 24));
1670 this->handshake = chunk_cat("mcc", this->handshake,
1671 chunk_from_thing(header), data);
1672 }
1673
1674 /**
1675 * Create a hash using the suites HASH algorithm
1676 */
1677 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1678 {
1679 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1680 {
1681 hasher_t *hasher;
1682 suite_algs_t *alg;
1683
1684 alg = find_suite(this->suite);
1685 if (!alg)
1686 {
1687 return FALSE;
1688 }
1689 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1690 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1691 {
1692 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1693 DESTROY_IF(hasher);
1694 return FALSE;
1695 }
1696 hasher->destroy(hasher);
1697 }
1698 else
1699 {
1700 hasher_t *md5, *sha1;
1701 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1702
1703 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1704 if (!md5 || !md5->get_hash(md5, data, buf))
1705 {
1706 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1707 DESTROY_IF(md5);
1708 return FALSE;
1709 }
1710 md5->destroy(md5);
1711 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1712 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1713 {
1714 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1715 DESTROY_IF(sha1);
1716 return FALSE;
1717 }
1718 sha1->destroy(sha1);
1719
1720 *hash = chunk_clone(chunk_from_thing(buf));
1721 }
1722 return TRUE;
1723 }
1724
1725 METHOD(tls_crypto_t, hash_handshake, bool,
1726 private_tls_crypto_t *this, chunk_t *out)
1727 {
1728 chunk_t hash;
1729
1730 if (!hash_data(this, this->handshake, &hash))
1731 {
1732 return FALSE;
1733 }
1734
1735 chunk_free(&this->handshake);
1736 append_handshake(this, TLS_MESSAGE_HASH, hash);
1737
1738 if (out)
1739 {
1740 *out = hash;
1741 }
1742 else
1743 {
1744 free(hash.ptr);
1745 }
1746 return TRUE;
1747 }
1748
1749 /**
1750 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1751 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1752 */
1753 static chunk_t tls13_sig_data_server = chunk_from_chars(
1754 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1755 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1756 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1757 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1758 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1759 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1760 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1761 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1762 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1763 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1764 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1765 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1766 0x79, 0x00,
1767 );
1768
1769 /**
1770 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1771 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1772 */
1773 static chunk_t tls13_sig_data_client = chunk_from_chars(
1774 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1775 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1776 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1777 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1778 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1779 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1780 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1781 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1782 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1783 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1784 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1785 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1786 0x79, 0x00,
1787 );
1788
1789 METHOD(tls_crypto_t, sign, bool,
1790 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1791 chunk_t data, chunk_t hashsig)
1792 {
1793 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1794 {
1795 /* fallback to SHA1/RSA and SHA1/ECDSA */
1796 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1797 signature_params_t *params;
1798 key_type_t type;
1799 uint16_t scheme;
1800 bio_reader_t *reader;
1801 chunk_t sig;
1802 bool done = FALSE;
1803
1804 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1805 {
1806 chunk_t transcript_hash;
1807
1808 if (!hash_data(this, data, &transcript_hash))
1809 {
1810 DBG1(DBG_TLS, "unable to create transcript hash");
1811 return FALSE;
1812 }
1813 if (this->tls->is_server(this->tls))
1814 {
1815 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1816 }
1817 else
1818 {
1819 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1820 }
1821 }
1822
1823 if (!hashsig.len)
1824 { /* fallback if none given */
1825 hashsig = hashsig_def;
1826 }
1827 type = key->get_type(key);
1828 reader = bio_reader_create(hashsig);
1829 while (reader->remaining(reader) >= 2)
1830 {
1831 if (reader->read_uint16(reader, &scheme))
1832 {
1833 params = params_for_scheme(scheme, TRUE);
1834 if (params &&
1835 type == key_type_from_signature_scheme(params->scheme) &&
1836 key->sign(key, params->scheme, params->params, data, &sig))
1837 {
1838 done = TRUE;
1839 break;
1840 }
1841 }
1842 }
1843 reader->destroy(reader);
1844 if (!done)
1845 {
1846 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1847 return FALSE;
1848 }
1849 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1850 scheme);
1851 writer->write_uint16(writer, scheme);
1852 writer->write_data16(writer, sig);
1853 free(sig.ptr);
1854 }
1855 else
1856 {
1857 chunk_t sig, hash;
1858 bool done;
1859
1860 switch (key->get_type(key))
1861 {
1862 case KEY_RSA:
1863 if (!hash_data(this, data, &hash))
1864 {
1865 return FALSE;
1866 }
1867 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1868 &sig);
1869 free(hash.ptr);
1870 if (!done)
1871 {
1872 return FALSE;
1873 }
1874 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1875 break;
1876 case KEY_ECDSA:
1877 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1878 {
1879 return FALSE;
1880 }
1881 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1882 break;
1883 case KEY_ED25519:
1884 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1885 {
1886 return FALSE;
1887 }
1888 DBG2(DBG_TLS, "created signature with Ed25519");
1889 break;
1890 case KEY_ED448:
1891 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1892 {
1893 return FALSE;
1894 }
1895 DBG2(DBG_TLS, "created signature with Ed448");
1896 break;
1897 default:
1898 return FALSE;
1899 }
1900 writer->write_data16(writer, sig);
1901 free(sig.ptr);
1902 }
1903 return TRUE;
1904 }
1905
1906 METHOD(tls_crypto_t, verify, bool,
1907 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1908 chunk_t data)
1909 {
1910 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1911 {
1912 signature_params_t *params;
1913 uint16_t scheme;
1914 chunk_t sig;
1915
1916 if (!reader->read_uint16(reader, &scheme) ||
1917 !reader->read_data16(reader, &sig))
1918 {
1919 DBG1(DBG_TLS, "received invalid signature");
1920 return FALSE;
1921 }
1922 params = params_for_scheme(scheme, FALSE);
1923 if (!params)
1924 {
1925 DBG1(DBG_TLS, "signature algorithms %N not supported",
1926 tls_signature_scheme_names, scheme);
1927 return FALSE;
1928 }
1929 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1930 {
1931 chunk_t transcript_hash;
1932
1933 if (!hash_data(this, data, &transcript_hash))
1934 {
1935 DBG1(DBG_TLS, "Unable to create transcript hash");
1936 return FALSE;
1937 }
1938
1939 if (this->tls->is_server(this->tls))
1940 {
1941 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1942 }
1943 else
1944 {
1945 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1946 }
1947 }
1948 if (!key->verify(key, params->scheme, params->params, data, sig))
1949 {
1950 DBG1(DBG_TLS, "signature verification with %N failed",
1951 tls_signature_scheme_names, scheme);
1952 return FALSE;
1953 }
1954 DBG2(DBG_TLS, "verified signature with %N",
1955 tls_signature_scheme_names, scheme);
1956 }
1957 else
1958 {
1959 chunk_t sig, hash;
1960 bool done;
1961
1962 if (!reader->read_data16(reader, &sig))
1963 {
1964 DBG1(DBG_TLS, "received invalid signature");
1965 return FALSE;
1966 }
1967 switch (key->get_type(key))
1968 {
1969 case KEY_RSA:
1970 if (!hash_data(this, data, &hash))
1971 {
1972 return FALSE;
1973 }
1974 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1975 sig);
1976 free(hash.ptr);
1977 if (!done)
1978 {
1979 return FALSE;
1980 }
1981 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1982 break;
1983 case KEY_ECDSA:
1984 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1985 sig))
1986 {
1987 return FALSE;
1988 }
1989 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1990 break;
1991 case KEY_ED25519:
1992 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1993 {
1994 return FALSE;
1995 }
1996 DBG2(DBG_TLS, "verified signature with Ed25519");
1997 break;
1998 case KEY_ED448:
1999 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
2000 {
2001 return FALSE;
2002 }
2003 DBG2(DBG_TLS, "verified signature with Ed448");
2004 break;
2005 default:
2006 return FALSE;
2007 }
2008 }
2009 return TRUE;
2010 }
2011
2012 METHOD(tls_crypto_t, sign_handshake, bool,
2013 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
2014 chunk_t hashsig)
2015 {
2016 return sign(this, key, writer, this->handshake, hashsig);
2017 }
2018
2019 METHOD(tls_crypto_t, verify_handshake, bool,
2020 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
2021 {
2022 return verify(this, key, reader, this->handshake);
2023 }
2024
2025 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
2026 private_tls_crypto_t *this, char *label, char out[12])
2027 {
2028 chunk_t seed;
2029
2030 if (!this->prf)
2031 {
2032 return FALSE;
2033 }
2034 if (!hash_data(this, this->handshake, &seed))
2035 {
2036 return FALSE;
2037 }
2038 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
2039 {
2040 free(seed.ptr);
2041 return FALSE;
2042 }
2043 free(seed.ptr);
2044 return TRUE;
2045 }
2046
2047 METHOD(tls_crypto_t, calculate_finished, bool,
2048 private_tls_crypto_t *this, bool server, chunk_t *out)
2049 {
2050 chunk_t finished_key, finished_hash;
2051
2052 if (!this->hkdf)
2053 {
2054 return FALSE;
2055 }
2056 if (!hash_data(this, this->handshake, &finished_hash))
2057 {
2058 DBG1(DBG_TLS, "creating hash of handshake failed");
2059 return FALSE;
2060 }
2061 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2062 {
2063 DBG1(DBG_TLS, "generating finished key failed");
2064 chunk_clear(&finished_hash);
2065 return FALSE;
2066 }
2067 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2068 {
2069 DBG1(DBG_TLS, "generating finished HMAC failed");
2070 chunk_clear(&finished_key);
2071 chunk_clear(&finished_hash);
2072 return FALSE;
2073 }
2074 chunk_clear(&finished_key);
2075 chunk_clear(&finished_hash);
2076 return TRUE;
2077 }
2078
2079 /**
2080 * Derive master secret from premaster, optionally save session
2081 */
2082 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2083 chunk_t session, identification_t *id,
2084 chunk_t client_random, chunk_t server_random)
2085 {
2086 char master[48];
2087 chunk_t seed;
2088
2089 /* derive master secret */
2090 seed = chunk_cata("cc", client_random, server_random);
2091
2092 if (!this->prf->set_key(this->prf, premaster) ||
2093 !this->prf->get_bytes(this->prf, "master secret", seed,
2094 sizeof(master), master) ||
2095 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2096 {
2097 return FALSE;
2098 }
2099
2100 if (this->cache && session.len)
2101 {
2102 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2103 this->suite);
2104 }
2105 memwipe(master, sizeof(master));
2106 return TRUE;
2107 }
2108
2109 /**
2110 * Expand key material from master secret
2111 */
2112 static bool expand_keys(private_tls_crypto_t *this,
2113 chunk_t client_random, chunk_t server_random)
2114 {
2115 chunk_t seed, block;
2116 chunk_t cw_mac, cw, cw_iv;
2117 chunk_t sw_mac, sw, sw_iv;
2118 int mklen, eklen, ivlen;
2119
2120 if (!this->aead_in || !this->aead_out)
2121 {
2122 return FALSE;
2123 }
2124
2125 /* derive key block for key expansion */
2126 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2127 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2128 ivlen = this->aead_in->get_iv_size(this->aead_in);
2129 seed = chunk_cata("cc", server_random, client_random);
2130 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2131 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2132 block.len, block.ptr))
2133 {
2134 return FALSE;
2135 }
2136
2137 /* client/server write signer keys */
2138 cw_mac = chunk_create(block.ptr, mklen);
2139 block = chunk_skip(block, mklen);
2140 sw_mac = chunk_create(block.ptr, mklen);
2141 block = chunk_skip(block, mklen);
2142
2143 /* client/server write encryption keys */
2144 cw = chunk_create(block.ptr, eklen);
2145 block = chunk_skip(block, eklen);
2146 sw = chunk_create(block.ptr, eklen);
2147 block = chunk_skip(block, eklen);
2148
2149 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2150 cw_iv = chunk_create(block.ptr, ivlen);
2151 block = chunk_skip(block, ivlen);
2152 sw_iv = chunk_create(block.ptr, ivlen);
2153 block = chunk_skip(block, ivlen);
2154
2155 if (this->tls->is_server(this->tls))
2156 {
2157 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2158 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2159 {
2160 return FALSE;
2161 }
2162 }
2163 else
2164 {
2165 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2166 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2167 {
2168 return FALSE;
2169 }
2170 }
2171
2172 /* EAP-MSK */
2173 if (this->msk_label)
2174 {
2175 seed = chunk_cata("cc", client_random, server_random);
2176 this->msk = chunk_alloc(64);
2177 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2178 this->msk.len, this->msk.ptr))
2179 {
2180 return FALSE;
2181 }
2182 }
2183 return TRUE;
2184 }
2185
2186 METHOD(tls_crypto_t, derive_secrets, bool,
2187 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2188 identification_t *id, chunk_t client_random, chunk_t server_random)
2189 {
2190 return derive_master(this, premaster, session, id,
2191 client_random, server_random) &&
2192 expand_keys(this, client_random, server_random);
2193 }
2194
2195 /**
2196 * Derive and configure the client/server key/IV on an AEAD using a given label.
2197 */
2198 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2199 tls_hkdf_label_t label, tls_aead_t *aead)
2200 {
2201 chunk_t key = chunk_empty, iv = chunk_empty;
2202 bool success = FALSE;
2203
2204 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2205 NULL) ||
2206 !this->hkdf->derive_key(this->hkdf, server,
2207 aead->get_encr_key_size(aead), &key) ||
2208 !this->hkdf->derive_iv(this->hkdf, server,
2209 aead->get_iv_size(aead), &iv))
2210 {
2211 DBG1(DBG_TLS, "deriving key material failed");
2212 goto out;
2213 }
2214
2215 if (!aead->set_keys(aead, chunk_empty, key, iv))
2216 {
2217 DBG1(DBG_TLS, "setting AEAD key material failed");
2218 goto out;
2219 }
2220 success = TRUE;
2221
2222 out:
2223 chunk_clear(&key);
2224 chunk_clear(&iv);
2225 return success;
2226 }
2227
2228 /**
2229 * Derive and configure the keys/IVs using the given labels.
2230 */
2231 static bool derive_labeled_keys(private_tls_crypto_t *this,
2232 tls_hkdf_label_t client_label,
2233 tls_hkdf_label_t server_label)
2234 {
2235 tls_aead_t *aead_c, *aead_s;
2236 suite_algs_t *algs;
2237
2238 algs = find_suite(this->suite);
2239 destroy_aeads(this);
2240 if (!create_aead(this, algs))
2241 {
2242 return FALSE;
2243 }
2244 aead_c = this->aead_out;
2245 aead_s = this->aead_in;
2246 if (this->tls->is_server(this->tls))
2247 {
2248 aead_c = this->aead_in;
2249 aead_s = this->aead_out;
2250 }
2251 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2252 derive_labeled_key(this, TRUE, server_label, aead_s);
2253 }
2254
2255 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2256 private_tls_crypto_t *this, chunk_t shared_secret)
2257 {
2258 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2259 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2260 TLS_HKDF_S_HS_TRAFFIC);
2261 }
2262
2263 METHOD(tls_crypto_t, derive_app_keys, bool,
2264 private_tls_crypto_t *this)
2265 {
2266 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2267 TLS_HKDF_S_AP_TRAFFIC))
2268 {
2269 return FALSE;
2270 }
2271
2272 /* EAP-MSK */
2273 if (this->msk_label)
2274 {
2275 /* because the length is encoded when expanding key material, we
2276 * request the same number of bytes as FreeRADIUS (the first 64 for
2277 * the MSK, the next for the EMSK, which we just ignore) */
2278 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2279 this->handshake, 128, &this->msk))
2280 {
2281 return FALSE;
2282 }
2283 this->msk.len = 64;
2284 }
2285 return TRUE;
2286 }
2287
2288 METHOD(tls_crypto_t, update_app_keys, bool,
2289 private_tls_crypto_t *this, bool inbound)
2290 {
2291 suite_algs_t *algs;
2292 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2293
2294 algs = find_suite(this->suite);
2295 destroy_aeads(this);
2296 if (!create_aead(this, algs))
2297 {
2298 return FALSE;
2299 }
2300 if (this->tls->is_server(this->tls) != inbound)
2301 {
2302 label = TLS_HKDF_UPD_S_TRAFFIC;
2303 }
2304 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2305 inbound ? this->aead_in : this->aead_out);
2306 }
2307
2308 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2309 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2310 chunk_t client_random, chunk_t server_random)
2311 {
2312 chunk_t master;
2313
2314 if (this->cache && session.len)
2315 {
2316 this->suite = this->cache->lookup(this->cache, session, id, &master);
2317 if (this->suite)
2318 {
2319 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2320 if (this->suite)
2321 {
2322 if (!this->prf->set_key(this->prf, master) ||
2323 !expand_keys(this, client_random, server_random))
2324 {
2325 this->suite = 0;
2326 }
2327 }
2328 chunk_clear(&master);
2329 }
2330 return this->suite;
2331 }
2332 return 0;
2333 }
2334
2335 METHOD(tls_crypto_t, get_session, chunk_t,
2336 private_tls_crypto_t *this, identification_t *server)
2337 {
2338 if (this->cache)
2339 {
2340 return this->cache->check(this->cache, server);
2341 }
2342 return chunk_empty;
2343 }
2344
2345 METHOD(tls_crypto_t, change_cipher, void,
2346 private_tls_crypto_t *this, bool inbound)
2347 {
2348 if (this->protection)
2349 {
2350 if (inbound)
2351 {
2352 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2353 this->aead_in = NULL;
2354 }
2355 else
2356 {
2357 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2358 this->aead_out = NULL;
2359 }
2360 }
2361 }
2362
2363 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2364 private_tls_crypto_t *this)
2365 {
2366 return this->msk;
2367 }
2368
2369 METHOD(tls_crypto_t, destroy, void,
2370 private_tls_crypto_t *this)
2371 {
2372 destroy_aeads(this);
2373 free(this->handshake.ptr);
2374 free(this->msk.ptr);
2375 DESTROY_IF(this->prf);
2376 DESTROY_IF(this->hkdf);
2377 free(this->suites);
2378 free(this);
2379 }
2380
2381 /**
2382 * See header
2383 */
2384 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2385 {
2386 private_tls_crypto_t *this;
2387 enumerator_t *enumerator;
2388 credential_type_t type;
2389 int subtype;
2390
2391 INIT(this,
2392 .public = {
2393 .get_cipher_suites = _get_cipher_suites,
2394 .select_cipher_suite = _select_cipher_suite,
2395 .get_dh_group = _get_dh_group,
2396 .get_signature_algorithms = _get_signature_algorithms,
2397 .create_ec_enumerator = _create_ec_enumerator,
2398 .set_protection = _set_protection,
2399 .append_handshake = _append_handshake,
2400 .hash_handshake = _hash_handshake,
2401 .sign = _sign,
2402 .verify = _verify,
2403 .sign_handshake = _sign_handshake,
2404 .verify_handshake = _verify_handshake,
2405 .calculate_finished_legacy = _calculate_finished_legacy,
2406 .calculate_finished = _calculate_finished,
2407 .derive_secrets = _derive_secrets,
2408 .derive_handshake_keys = _derive_handshake_keys,
2409 .derive_app_keys = _derive_app_keys,
2410 .update_app_keys = _update_app_keys,
2411 .resume_session = _resume_session,
2412 .get_session = _get_session,
2413 .change_cipher = _change_cipher,
2414 .get_eap_msk = _get_eap_msk,
2415 .destroy = _destroy,
2416 },
2417 .tls = tls,
2418 .cache = cache,
2419 );
2420
2421 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2422 * separation would be welcome. */
2423 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2424 while (enumerator->enumerate(enumerator, &type, &subtype))
2425 {
2426 if (type == CRED_PUBLIC_KEY)
2427 {
2428 switch (subtype)
2429 {
2430 case KEY_RSA:
2431 this->rsa = TRUE;
2432 break;
2433 case KEY_ECDSA:
2434 case KEY_ED25519:
2435 case KEY_ED448:
2436 this->ecdsa = TRUE;
2437 break;
2438 default:
2439 break;
2440 }
2441 }
2442 }
2443 enumerator->destroy(enumerator);
2444
2445 switch (tls->get_purpose(tls))
2446 {
2447 case TLS_PURPOSE_EAP_TLS:
2448 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2449 this->msk_label = "client EAP encryption";
2450 break;
2451 case TLS_PURPOSE_EAP_PEAP:
2452 this->msk_label = "client EAP encryption";
2453 break;
2454 case TLS_PURPOSE_EAP_TTLS:
2455 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2456 this->msk_label = "ttls keying material";
2457 break;
2458 default:
2459 break;
2460 }
2461 return &this->public;
2462 }
2463
2464 /**
2465 * See header.
2466 */
2467 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2468 tls_cipher_suite_t **out)
2469 {
2470 suite_algs_t suites[countof(suite_algs)];
2471 int count = 0, i;
2472
2473 /* initialize copy of suite list */
2474 for (i = 0; i < countof(suite_algs); i++)
2475 {
2476 if (suite_algs[i].min_version <= version &&
2477 suite_algs[i].max_version >= version)
2478 {
2479 suites[count++] = suite_algs[i];
2480 }
2481 }
2482
2483 filter_unsupported_suites(suites, &count);
2484
2485 if (!null)
2486 {
2487 filter_null_suites(suites, &count);
2488 }
2489
2490 if (out)
2491 {
2492 *out = calloc(count, sizeof(tls_cipher_suite_t));
2493 for (i = 0; i < count; i++)
2494 {
2495 (*out)[i] = suites[i].suite;
2496 }
2497 }
2498 return count;
2499 }
2500
2501 /**
2502 * See header.
2503 */
2504 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2505 {
2506 enumerator_t *enumerator;
2507 diffie_hellman_group_t groups[countof(curves)];
2508 diffie_hellman_group_t group;
2509 tls_named_group_t curve;
2510 int count = 0, i;
2511
2512 enumerator = enumerator_create_filter(
2513 lib->crypto->create_dh_enumerator(lib->crypto),
2514 group_filter, NULL, NULL);
2515
2516 while (enumerator->enumerate(enumerator, &group, &curve))
2517 {
2518 groups[count++] = group;
2519 }
2520 enumerator->destroy(enumerator);
2521
2522 if (out)
2523 {
2524 *out = calloc(count, sizeof(diffie_hellman_group_t));
2525 for (i = 0; i < count; i++)
2526 {
2527 (*out)[i] = groups[i];
2528 }
2529 }
2530 return count;
2531 }
2532
2533 /**
2534 * See header.
2535 */
2536 int tls_crypto_get_supported_signatures(tls_version_t version,
2537 tls_signature_scheme_t **out)
2538 {
2539 scheme_algs_t sigs[countof(schemes)];
2540 int count = 0, i;
2541
2542 /* initialize copy of signature scheme list */
2543 for (i = 0; i < countof(schemes); i++)
2544 {
2545 /* only RSA_PSS_RSAE schemes supported for signing and verifying */
2546 if (schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
2547 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
2548 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA512)
2549 {
2550 continue;
2551 }
2552 if (schemes[i].min_version <= version &&
2553 schemes[i].max_version >= version &&
2554 lib->plugins->has_feature(lib->plugins,
2555 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
2556 {
2557 sigs[count++] = schemes[i];
2558 }
2559 }
2560
2561 if (out)
2562 {
2563 *out = calloc(count, sizeof(tls_signature_scheme_t));
2564 for (i = 0; i < count; i++)
2565 {
2566 (*out)[i] = sigs[i].sig;
2567 }
2568 }
2569 return count;
2570 }
2571
2572 /**
2573 * See header.
2574 */
2575 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2576 {
2577 int i;
2578
2579 for (i = 0; i < countof(curves); i++)
2580 {
2581 if (curves[i].group == group)
2582 {
2583 return curves[i].curve;
2584 }
2585 }
2586 return 0;
2587 }
2588
2589 /**
2590 * See header.
2591 */
2592 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2593 {
2594 int i;
2595
2596 for (i = 0; i < countof(schemes); i++)
2597 {
2598 if (schemes[i].sig == sig)
2599 {
2600 return key_type_from_signature_scheme(schemes[i].params.scheme);
2601 }
2602 }
2603 return 0;
2604 }
2605
2606 /**
2607 * Hashtable hash function
2608 */
2609 static u_int hash_key_type(key_type_t *type)
2610 {
2611 return chunk_hash(chunk_from_thing(*type));
2612 }
2613
2614 /**
2615 * Hashtable equals function
2616 */
2617 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2618 {
2619 return *key1 == *key2;
2620 }
2621
2622 CALLBACK(filter_key_types, bool,
2623 void *data, enumerator_t *orig, va_list args)
2624 {
2625 key_type_t *key_type, *out;
2626
2627 VA_ARGS_VGET(args, out);
2628
2629 if (orig->enumerate(orig, NULL, &key_type))
2630 {
2631 *out = *key_type;
2632 return TRUE;
2633 }
2634 return FALSE;
2635 }
2636
2637 CALLBACK(destroy_key_types, void,
2638 hashtable_t *ht)
2639 {
2640 ht->destroy_function(ht, (void*)free);
2641 }
2642
2643 /**
2644 * Create an enumerator over supported key types within a specific TLS range
2645 */
2646 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2647 tls_version_t max_version)
2648 {
2649 hashtable_t *ht;
2650 key_type_t *type, lookup;
2651 int i;
2652
2653 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2654 (hashtable_equals_t)equals_key_type, 4);
2655 for (i = 0; i < countof(schemes); i++)
2656 {
2657 if (schemes[i].min_version <= max_version &&
2658 schemes[i].max_version >= min_version)
2659 {
2660 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2661 if (!ht->get(ht, &lookup))
2662 {
2663 type = malloc_thing(key_type_t);
2664 *type = lookup;
2665 ht->put(ht, type, type);
2666 }
2667 }
2668 }
2669 return enumerator_create_filter(ht->create_enumerator(ht),
2670 filter_key_types, ht, destroy_key_types);
2671 }
2672
2673 /**
2674 * Create an array of an intersection of server and peer supported key types
2675 */
2676 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2677 {
2678 array_t *key_types;
2679 key_type_t v, lookup;
2680 uint16_t sig_scheme;
2681
2682 key_types = array_create(sizeof(key_type_t), 8);
2683 while (enumerator->enumerate(enumerator, &v))
2684 {
2685 bio_reader_t *reader;
2686
2687 reader = bio_reader_create(hashsig);
2688 while (reader->remaining(reader) &&
2689 reader->read_uint16(reader, &sig_scheme))
2690 {
2691 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2692 if (v == lookup)
2693 {
2694 array_insert(key_types, ARRAY_TAIL, &lookup);
2695 break;
2696 }
2697 }
2698 reader->destroy(reader);
2699 }
2700 return key_types;
2701 }
2702
2703 typedef struct {
2704 enumerator_t public;
2705 array_t *key_types;
2706 identification_t *peer;
2707 private_key_t *key;
2708 auth_cfg_t *auth;
2709 } private_key_enumerator_t;
2710
2711 METHOD(enumerator_t, private_key_enumerate, bool,
2712 private_key_enumerator_t *this, va_list args)
2713 {
2714 key_type_t type;
2715 auth_cfg_t **auth_out;
2716 private_key_t **key_out;
2717
2718 VA_ARGS_VGET(args, key_out, auth_out);
2719
2720 DESTROY_IF(this->key);
2721 DESTROY_IF(this->auth);
2722 this->auth = auth_cfg_create();
2723
2724 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2725 {
2726 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2727 this->auth);
2728 if (this->key)
2729 {
2730 *key_out = this->key;
2731 if (auth_out)
2732 {
2733 *auth_out = this->auth;
2734 }
2735 return TRUE;
2736 }
2737 }
2738 return FALSE;
2739 }
2740
2741 METHOD(enumerator_t, private_key_destroy, void,
2742 private_key_enumerator_t *this)
2743 {
2744 DESTROY_IF(this->key);
2745 DESTROY_IF(this->auth);
2746 array_destroy(this->key_types);
2747 free(this);
2748 }
2749
2750 /**
2751 * See header.
2752 */
2753 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2754 tls_version_t max_version,
2755 chunk_t hashsig,
2756 identification_t *peer)
2757 {
2758 private_key_enumerator_t *enumerator;
2759 enumerator_t *key_types;
2760
2761 key_types = get_supported_key_types(min_version, max_version);
2762
2763 INIT(enumerator,
2764 .public = {
2765 .enumerate = enumerator_enumerate_default,
2766 .venumerate = _private_key_enumerate,
2767 .destroy = _private_key_destroy,
2768 },
2769 .key_types = create_common_key_types(key_types, hashsig),
2770 .peer = peer,
2771 );
2772 key_types->destroy(key_types);
2773
2774 if (!array_count(enumerator->key_types))
2775 {
2776 return NULL;
2777 }
2778 return &enumerator->public;
2779 }