2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include "tls_crypto.h"
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
29 ENUM_BEGIN(tls_cipher_suite_names
, TLS_NULL_WITH_NULL_NULL
,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names
, TLS_KRB5_WITH_DES_CBC_SHA
,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names
, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names
, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names
, TLS_AES_128_GCM_SHA256
,
187 TLS_AES_128_CCM_8_SHA256
,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDH_ECDSA_WITH_NULL_SHA
,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
196 TLS_AES_128_CCM_8_SHA256
,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
);
265 ENUM(tls_hash_algorithm_names
, TLS_HASH_NONE
, TLS_HASH_SHA512
,
275 ENUM_BEGIN(tls_signature_scheme_names
,
276 TLS_SIG_RSA_PKCS1_SHA1
, TLS_SIG_RSA_PKCS1_SHA1
,
278 ENUM_NEXT(tls_signature_scheme_names
,
279 TLS_SIG_ECDSA_SHA1
, TLS_SIG_ECDSA_SHA1
, TLS_SIG_RSA_PKCS1_SHA1
,
281 ENUM_NEXT(tls_signature_scheme_names
,
282 TLS_SIG_RSA_PKCS1_SHA224
, TLS_SIG_ECDSA_SHA224
, TLS_SIG_ECDSA_SHA1
,
286 ENUM_NEXT(tls_signature_scheme_names
,
287 TLS_SIG_RSA_PKCS1_SHA256
, TLS_SIG_ECDSA_SHA256
, TLS_SIG_ECDSA_SHA224
,
291 ENUM_NEXT(tls_signature_scheme_names
,
292 TLS_SIG_RSA_PKCS1_SHA384
, TLS_SIG_ECDSA_SHA384
, TLS_SIG_ECDSA_SHA256
,
296 ENUM_NEXT(tls_signature_scheme_names
,
297 TLS_SIG_RSA_PKCS1_SHA512
, TLS_SIG_ECDSA_SHA512
, TLS_SIG_ECDSA_SHA384
,
301 ENUM_NEXT(tls_signature_scheme_names
,
302 TLS_SIG_RSA_PSS_RSAE_SHA256
, TLS_SIG_RSA_PSS_PSS_SHA512
, TLS_SIG_ECDSA_SHA512
,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
312 ENUM_END(tls_signature_scheme_names
, TLS_SIG_RSA_PSS_PSS_SHA512
);
314 ENUM_BEGIN(tls_client_certificate_type_names
,
315 TLS_RSA_SIGN
, TLS_DSS_EPHEMERAL_DH
,
322 ENUM_NEXT(tls_client_certificate_type_names
,
323 TLS_FORTEZZA_DMS
, TLS_FORTEZZA_DMS
, TLS_DSS_EPHEMERAL_DH
,
325 ENUM_NEXT(tls_client_certificate_type_names
,
326 TLS_ECDSA_SIGN
, TLS_ECDSA_FIXED_ECDH
, TLS_FORTEZZA_DMS
,
330 ENUM_END(tls_client_certificate_type_names
, TLS_ECDSA_FIXED_ECDH
);
332 ENUM(tls_ecc_curve_type_names
, TLS_ECC_EXPLICIT_PRIME
, TLS_ECC_NAMED_CURVE
,
338 ENUM_BEGIN(tls_named_group_names
, TLS_SECT163K1
, TLS_SECP521R1
,
365 ENUM_NEXT(tls_named_group_names
, TLS_CURVE25519
, TLS_CURVE448
, TLS_SECP521R1
,
369 ENUM_NEXT(tls_named_group_names
, TLS_FFDHE2048
, TLS_FFDHE8192
, TLS_CURVE448
,
376 ENUM_END(tls_named_group_names
, TLS_FFDHE8192
);
378 ENUM(tls_ansi_point_format_names
, TLS_ANSI_COMPRESSED
, TLS_ANSI_HYBRID_Y
,
387 ENUM(tls_ec_point_format_names
,
388 TLS_EC_POINT_UNCOMPRESSED
, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2
,
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
394 typedef struct private_tls_crypto_t private_tls_crypto_t
;
397 * Private data of an tls_crypto_t object.
399 struct private_tls_crypto_t
{
402 * Public tls_crypto_t interface.
409 tls_protection_t
*protection
;
412 * List of supported/acceptable cipher suites
414 tls_cipher_suite_t
*suites
;
417 * Number of supported suites
427 * Selected cipher suite
429 tls_cipher_suite_t suite
;
452 * All handshake data concatenated
457 * Connection state TLS PRF
462 * AEAD transform for inbound traffic
467 * AEAD transform for outbound traffic
469 tls_aead_t
*aead_out
;
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
483 tls_cipher_suite_t suite
;
485 diffie_hellman_group_t dh
;
486 hash_algorithm_t hash
;
487 pseudo_random_function_t prf
;
488 integrity_algorithm_t mac
;
489 encryption_algorithm_t encr
;
491 tls_version_t min_version
;
492 tls_version_t max_version
;
496 * Mapping suites to a set of algorithms
498 * The order represents the descending preference of cipher suites and follows
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
505 * 5. ECDHE > DHE > NULL
507 * 7. SHA384 > SHA256 > SHA1
510 static suite_algs_t suite_algs
[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384
,
515 HASH_SHA384
, PRF_UNDEFINED
,
516 AUTH_HMAC_SHA2_384_384
, ENCR_AES_GCM_ICV16
, 32,
519 { TLS_AES_128_GCM_SHA256
,
521 HASH_SHA256
, PRF_UNDEFINED
,
522 AUTH_HMAC_SHA2_256_256
, ENCR_AES_GCM_ICV16
, 16,
525 { TLS_CHACHA20_POLY1305_SHA256
,
527 HASH_SHA256
, PRF_UNDEFINED
,
528 AUTH_HMAC_SHA2_256_256
, ENCR_CHACHA20_POLY1305
, 32,
531 { TLS_AES_128_CCM_SHA256
,
533 HASH_SHA256
, PRF_UNDEFINED
,
534 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CCM_ICV16
, 16,
537 { TLS_AES_128_CCM_8_SHA256
,
539 HASH_SHA256
, PRF_UNDEFINED
,
540 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CCM_ICV8
, 16,
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
,
545 KEY_ECDSA
, ECP_384_BIT
,
546 HASH_SHA384
, PRF_HMAC_SHA2_384
,
547 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
,
551 KEY_ECDSA
, ECP_384_BIT
,
552 HASH_SHA384
, PRF_HMAC_SHA2_384
,
553 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32,
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
,
557 KEY_ECDSA
, ECP_384_BIT
,
558 HASH_SHA256
, PRF_HMAC_SHA2_256
,
559 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,
563 KEY_ECDSA
, ECP_256_BIT
,
564 HASH_SHA256
, PRF_HMAC_SHA2_256
,
565 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
,
569 KEY_ECDSA
, ECP_256_BIT
,
570 HASH_SHA256
, PRF_HMAC_SHA2_256
,
571 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
,
575 KEY_ECDSA
, ECP_256_BIT
,
576 HASH_SHA256
, PRF_HMAC_SHA2_256
,
577 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
,
581 KEY_RSA
, ECP_384_BIT
,
582 HASH_SHA384
, PRF_HMAC_SHA2_384
,
583 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
,
587 KEY_RSA
, ECP_384_BIT
,
588 HASH_SHA384
, PRF_HMAC_SHA2_384
,
589 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32,
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
,
593 KEY_RSA
, ECP_384_BIT
,
594 HASH_SHA256
, PRF_HMAC_SHA2_256
,
595 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
,
599 KEY_RSA
, ECP_256_BIT
,
600 HASH_SHA256
, PRF_HMAC_SHA2_256
,
601 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
,
605 KEY_RSA
, ECP_256_BIT
,
606 HASH_SHA256
, PRF_HMAC_SHA2_256
,
607 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
,
611 KEY_RSA
, ECP_256_BIT
,
612 HASH_SHA256
, PRF_HMAC_SHA2_256
,
613 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
,
617 KEY_RSA
, MODP_4096_BIT
,
618 HASH_SHA384
, PRF_HMAC_SHA2_384
,
619 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
,
623 KEY_RSA
, MODP_4096_BIT
,
624 HASH_SHA256
, PRF_HMAC_SHA2_256
,
625 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32,
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA
,
629 KEY_RSA
, MODP_3072_BIT
,
630 HASH_SHA256
, PRF_HMAC_SHA2_256
,
631 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
635 KEY_RSA
, MODP_4096_BIT
,
636 HASH_SHA256
, PRF_HMAC_SHA2_256
,
637 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32,
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
,
641 KEY_RSA
, MODP_3072_BIT
,
642 HASH_SHA256
, PRF_HMAC_SHA2_256
,
643 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32,
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
,
647 KEY_RSA
, MODP_3072_BIT
,
648 HASH_SHA256
, PRF_HMAC_SHA2_256
,
649 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
653 KEY_RSA
, MODP_3072_BIT
,
654 HASH_SHA256
, PRF_HMAC_SHA2_256
,
655 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA
,
659 KEY_RSA
, MODP_2048_BIT
,
660 HASH_SHA256
,PRF_HMAC_SHA2_256
,
661 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
665 KEY_RSA
, MODP_3072_BIT
,
666 HASH_SHA256
, PRF_HMAC_SHA2_256
,
667 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16,
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
,
671 KEY_RSA
, MODP_2048_BIT
,
672 HASH_SHA256
, PRF_HMAC_SHA2_256
,
673 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16,
676 { TLS_RSA_WITH_AES_256_GCM_SHA384
,
678 HASH_SHA384
, PRF_HMAC_SHA2_384
,
679 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
682 { TLS_RSA_WITH_AES_256_CBC_SHA256
,
684 HASH_SHA256
, PRF_HMAC_SHA2_256
,
685 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32,
688 { TLS_RSA_WITH_AES_256_CBC_SHA
,
690 HASH_SHA256
, PRF_HMAC_SHA2_256
,
691 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
694 { TLS_RSA_WITH_AES_128_GCM_SHA256
,
696 HASH_SHA256
, PRF_HMAC_SHA2_256
,
697 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
700 { TLS_RSA_WITH_AES_128_CBC_SHA256
,
702 HASH_SHA256
, PRF_HMAC_SHA2_256
,
703 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
706 { TLS_RSA_WITH_AES_128_CBC_SHA
,
708 HASH_SHA256
, PRF_HMAC_SHA2_256
,
709 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
714 HASH_SHA256
, PRF_HMAC_SHA2_256
,
715 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32,
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
720 HASH_SHA256
, PRF_HMAC_SHA2_256
,
721 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32,
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
726 HASH_SHA256
, PRF_HMAC_SHA2_256
,
727 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16,
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
,
732 HASH_SHA256
, PRF_HMAC_SHA2_256
,
733 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16,
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA
,
737 KEY_ECDSA
, ECP_256_BIT
,
738 HASH_SHA256
, PRF_HMAC_SHA2_256
,
739 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0,
742 { TLS_ECDHE_RSA_WITH_NULL_SHA
,
743 KEY_ECDSA
, ECP_256_BIT
,
744 HASH_SHA256
, PRF_HMAC_SHA2_256
,
745 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0,
748 { TLS_RSA_WITH_NULL_SHA256
,
750 HASH_SHA256
, PRF_HMAC_SHA2_256
,
751 AUTH_HMAC_SHA2_256_256
, ENCR_NULL
, 0,
754 { TLS_RSA_WITH_NULL_SHA
,
756 HASH_SHA256
, PRF_HMAC_SHA2_256
,
757 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0,
763 * Look up algorithms by a suite
765 static suite_algs_t
*find_suite(tls_cipher_suite_t suite
)
769 for (i
= 0; i
< countof(suite_algs
); i
++)
771 if (suite_algs
[i
].suite
== suite
)
773 return &suite_algs
[i
];
780 * Filter a suite list using a transform enumerator
782 static void filter_suite(suite_algs_t suites
[], int *count
, int offset
,
783 enumerator_t
*(*create_enumerator
)(crypto_factory_t
*))
785 const char *plugin_name
;
786 suite_algs_t current
;
787 int *current_alg
, i
, remaining
= 0;
788 enumerator_t
*enumerator
;
790 memset(¤t
, 0, sizeof(current
));
791 current_alg
= (int*)((char*)¤t
+ offset
);
793 for (i
= 0; i
< *count
; i
++)
795 if (create_enumerator
== lib
->crypto
->create_crypter_enumerator
&&
796 encryption_algorithm_is_aead(suites
[i
].encr
))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites
[remaining
] = suites
[i
];
802 if (create_enumerator
== lib
->crypto
->create_aead_enumerator
&&
803 !encryption_algorithm_is_aead(suites
[i
].encr
))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites
[remaining
] = suites
[i
];
809 enumerator
= create_enumerator(lib
->crypto
);
810 while (enumerator
->enumerate(enumerator
, current_alg
, &plugin_name
))
812 if (current
.encr
&& current
.encr
!= suites
[i
].encr
)
814 if (suites
[i
].encr
!= ENCR_NULL
)
815 { /* skip, ENCR does not match nor is NULL */
819 if (current
.mac
&& current
.mac
!= suites
[i
].mac
)
821 if (suites
[i
].mac
!= AUTH_UNDEFINED
)
822 { /* skip, MAC does not match nor is it undefined */
826 if (current
.prf
&& current
.prf
!= suites
[i
].prf
)
828 if (suites
[i
].prf
!= PRF_UNDEFINED
)
830 /* skip, PRF does not match nor is it undefined */
834 if (current
.hash
&& current
.hash
!= suites
[i
].hash
)
835 { /* skip, hash does not match */
838 if (current
.dh
&& current
.dh
!= suites
[i
].dh
)
840 if (suites
[i
].dh
!= MODP_NONE
&&
841 !(diffie_hellman_group_is_ec(current
.dh
) &&
842 diffie_hellman_group_is_ec(suites
[i
].dh
)))
843 { /* skip DH group, does not match nor NONE nor both ECDH */
847 /* suite supported, apply */
848 suites
[remaining
] = suites
[i
];
852 enumerator
->destroy(enumerator
);
858 * Purge NULL encryption cipher suites from list
860 static void filter_null_suites(suite_algs_t suites
[], int *count
)
862 int i
, remaining
= 0;
864 for (i
= 0; i
< *count
; i
++)
866 if (suites
[i
].encr
!= ENCR_NULL
)
868 suites
[remaining
] = suites
[i
];
876 * Purge suites using a given key type
878 static void filter_key_suites(private_tls_crypto_t
*this,
879 suite_algs_t suites
[], int *count
, key_type_t key
)
881 int i
, remaining
= 0;
883 DBG2(DBG_TLS
, "disabling %N suites, no backend found", key_type_names
, key
);
884 for (i
= 0; i
< *count
; i
++)
886 if (suites
[i
].key
!= key
)
888 suites
[remaining
] = suites
[i
];
896 * Filter suites by key exchange user config
898 static void filter_key_exchange_config_suites(private_tls_crypto_t
*this,
899 suite_algs_t suites
[], int *count
)
901 enumerator_t
*enumerator
;
902 int i
, remaining
= 0;
903 char *token
, *config
;
905 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.key_exchange", NULL
,
909 for (i
= 0; i
< *count
; i
++)
911 enumerator
= enumerator_create_token(config
, ",", " ");
912 while (enumerator
->enumerate(enumerator
, &token
))
914 if (strcaseeq(token
, "ecdhe-ecdsa") &&
915 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
916 suites
[i
].key
== KEY_ECDSA
)
918 suites
[remaining
++] = suites
[i
];
921 if (strcaseeq(token
, "ecdhe-rsa") &&
922 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
923 suites
[i
].key
== KEY_RSA
)
925 suites
[remaining
++] = suites
[i
];
928 if (strcaseeq(token
, "dhe-rsa") &&
929 !diffie_hellman_group_is_ec(suites
[i
].dh
) &&
930 suites
[i
].dh
!= MODP_NONE
&&
931 suites
[i
].key
== KEY_RSA
)
933 suites
[remaining
++] = suites
[i
];
936 if (strcaseeq(token
, "rsa") &&
937 suites
[i
].dh
== MODP_NONE
&&
938 suites
[i
].key
== KEY_RSA
)
940 suites
[remaining
++] = suites
[i
];
944 enumerator
->destroy(enumerator
);
951 * Filter suites by cipher user config
953 static void filter_cipher_config_suites(private_tls_crypto_t
*this,
954 suite_algs_t suites
[], int *count
)
956 enumerator_t
*enumerator
;
957 int i
, remaining
= 0;
958 char *token
, *config
;
960 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.cipher", NULL
,
964 for (i
= 0; i
< *count
; i
++)
966 enumerator
= enumerator_create_token(config
, ",", " ");
967 while (enumerator
->enumerate(enumerator
, &token
))
969 if (strcaseeq(token
, "aes128") &&
970 suites
[i
].encr
== ENCR_AES_CBC
&&
971 suites
[i
].encr_size
== 16)
973 suites
[remaining
++] = suites
[i
];
976 if (strcaseeq(token
, "aes256") &&
977 suites
[i
].encr
== ENCR_AES_CBC
&&
978 suites
[i
].encr_size
== 32)
980 suites
[remaining
++] = suites
[i
];
983 if (strcaseeq(token
, "aes128gcm") &&
984 suites
[i
].encr
== ENCR_AES_GCM_ICV16
&&
985 suites
[i
].encr_size
== 16)
987 suites
[remaining
++] = suites
[i
];
990 if (strcaseeq(token
, "aes256gcm") &&
991 suites
[i
].encr
== ENCR_AES_GCM_ICV16
&&
992 suites
[i
].encr_size
== 32)
994 suites
[remaining
++] = suites
[i
];
997 if (strcaseeq(token
, "camellia128") &&
998 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
999 suites
[i
].encr_size
== 16)
1001 suites
[remaining
++] = suites
[i
];
1004 if (strcaseeq(token
, "camellia256") &&
1005 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
1006 suites
[i
].encr_size
== 32)
1008 suites
[remaining
++] = suites
[i
];
1011 if (strcaseeq(token
, "null") &&
1012 suites
[i
].encr
== ENCR_NULL
)
1014 suites
[remaining
++] = suites
[i
];
1018 enumerator
->destroy(enumerator
);
1025 * Filter suites by mac user config
1027 static void filter_mac_config_suites(private_tls_crypto_t
*this,
1028 suite_algs_t suites
[], int *count
)
1030 enumerator_t
*enumerator
;
1031 int i
, remaining
= 0;
1032 char *token
, *config
;
1034 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.mac", NULL
,
1038 for (i
= 0; i
< *count
; i
++)
1040 enumerator
= enumerator_create_token(config
, ",", " ");
1041 while (enumerator
->enumerate(enumerator
, &token
))
1043 if (strcaseeq(token
, "sha1") &&
1044 suites
[i
].mac
== AUTH_HMAC_SHA1_160
)
1046 suites
[remaining
++] = suites
[i
];
1049 if (strcaseeq(token
, "sha256") &&
1050 suites
[i
].mac
== AUTH_HMAC_SHA2_256_256
)
1052 suites
[remaining
++] = suites
[i
];
1055 if (strcaseeq(token
, "sha384") &&
1056 suites
[i
].mac
== AUTH_HMAC_SHA2_384_384
)
1058 suites
[remaining
++] = suites
[i
];
1062 enumerator
->destroy(enumerator
);
1069 * Filter for specific suites specified in strongswan.conf
1071 static void filter_specific_config_suites(private_tls_crypto_t
*this,
1072 suite_algs_t suites
[], int *count
)
1074 enumerator_t
*enumerator
;
1075 int i
, remaining
= 0, suite
;
1076 char *token
, *config
;
1078 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.suites", NULL
,
1082 for (i
= 0; i
< *count
; i
++)
1084 enumerator
= enumerator_create_token(config
, ",", " ");
1085 while (enumerator
->enumerate(enumerator
, &token
))
1087 if (enum_from_name(tls_cipher_suite_names
, token
, &suite
) &&
1088 suite
== suites
[i
].suite
)
1090 suites
[remaining
++] = suites
[i
];
1094 enumerator
->destroy(enumerator
);
1101 * Filter key exchange curves by curve user config
1103 static bool filter_curve_config(tls_named_group_t curve
)
1105 enumerator_t
*enumerator
;
1106 char *token
, *config
;
1108 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.ke_group", NULL
,
1112 enumerator
= enumerator_create_token(config
, ",", " ");
1113 while (enumerator
->enumerate(enumerator
, &token
))
1115 const proposal_token_t
*tok
;
1117 tok
= lib
->proposal
->get_token(lib
->proposal
, token
);
1118 if (tok
!= NULL
&& tok
->type
== DIFFIE_HELLMAN_GROUP
&&
1119 curve
== tls_ec_group_to_curve(tok
->algorithm
))
1121 enumerator
->destroy(enumerator
);
1125 enumerator
->destroy(enumerator
);
1131 * Filter out unsupported suites on given suite array
1133 static void filter_unsupported_suites(suite_algs_t suites
[], int *count
)
1135 /* filter suite list by each algorithm */
1136 filter_suite(suites
, count
, offsetof(suite_algs_t
, encr
),
1137 lib
->crypto
->create_aead_enumerator
);
1138 filter_suite(suites
, count
, offsetof(suite_algs_t
, prf
),
1139 lib
->crypto
->create_prf_enumerator
);
1140 filter_suite(suites
, count
, offsetof(suite_algs_t
, encr
),
1141 lib
->crypto
->create_crypter_enumerator
);
1142 filter_suite(suites
, count
, offsetof(suite_algs_t
, mac
),
1143 lib
->crypto
->create_signer_enumerator
);
1144 filter_suite(suites
, count
, offsetof(suite_algs_t
, hash
),
1145 lib
->crypto
->create_hasher_enumerator
);
1146 filter_suite(suites
, count
, offsetof(suite_algs_t
, dh
),
1147 lib
->crypto
->create_dh_enumerator
);
1151 * Initialize the cipher suite list
1153 static void build_cipher_suite_list(private_tls_crypto_t
*this)
1155 suite_algs_t suites
[countof(suite_algs
)];
1156 tls_version_t min_version
, max_version
, new_min_version
, new_max_version
;
1157 bool require_encryption
;
1160 switch (this->tls
->get_purpose(this->tls
))
1162 case TLS_PURPOSE_EAP_TLS
:
1163 case TLS_PURPOSE_GENERIC_NULLOK
:
1164 require_encryption
= FALSE
;
1166 case TLS_PURPOSE_EAP_PEAP
:
1167 case TLS_PURPOSE_EAP_TTLS
:
1168 case TLS_PURPOSE_GENERIC
:
1169 require_encryption
= TRUE
;
1175 min_version
= this->tls
->get_version_min(this->tls
);
1176 max_version
= this->tls
->get_version_max(this->tls
);
1178 /* copy all suites appropriate for the current min/max versions */
1179 for (i
= 0; i
< countof(suite_algs
); i
++)
1181 if (suite_algs
[i
].min_version
<= max_version
&&
1182 suite_algs
[i
].max_version
>= min_version
)
1184 suites
[count
++] = suite_algs
[i
];
1188 if (require_encryption
)
1190 filter_null_suites(suites
, &count
);
1194 filter_key_suites(this, suites
, &count
, KEY_RSA
);
1198 filter_key_suites(this, suites
, &count
, KEY_ECDSA
);
1201 filter_unsupported_suites(suites
, &count
);
1203 /* filter suites with strongswan.conf options */
1204 filter_key_exchange_config_suites(this, suites
, &count
);
1205 filter_cipher_config_suites(this, suites
, &count
);
1206 filter_mac_config_suites(this, suites
, &count
);
1207 filter_specific_config_suites(this, suites
, &count
);
1210 this->suite_count
= count
;
1211 this->suites
= malloc(sizeof(tls_cipher_suite_t
) * count
);
1213 DBG2(DBG_TLS
, "%d supported TLS cipher suites:", count
);
1214 new_min_version
= max_version
;
1215 new_max_version
= min_version
;
1216 for (i
= 0; i
< count
; i
++)
1218 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
].suite
);
1219 this->suites
[i
] = suites
[i
].suite
;
1221 /* set TLS min/max versions appropriate to the final cipher suites */
1222 new_max_version
= max(new_max_version
, suites
[i
].max_version
);
1223 new_min_version
= min(new_min_version
, suites
[i
].min_version
);
1225 new_max_version
= min(new_max_version
, max_version
);
1226 new_min_version
= max(new_min_version
, min_version
);
1228 if ((min_version
!= new_min_version
|| max_version
!= new_max_version
) &&
1229 this->tls
->set_version(this->tls
, new_min_version
, new_max_version
))
1231 DBG2(DBG_TLS
, "TLS min/max %N/%N according to the cipher suites",
1232 tls_numeric_version_names
, new_min_version
,
1233 tls_numeric_version_names
, new_max_version
);
1237 METHOD(tls_crypto_t
, get_cipher_suites
, int,
1238 private_tls_crypto_t
*this, tls_cipher_suite_t
**suites
)
1242 build_cipher_suite_list(this);
1246 *suites
= this->suites
;
1248 return this->suite_count
;
1252 * Create NULL encryption transforms
1254 static bool create_null(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1256 this->aead_in
= tls_aead_create_null(algs
->mac
);
1257 this->aead_out
= tls_aead_create_null(algs
->mac
);
1258 if (!this->aead_in
|| !this->aead_out
)
1260 DBG1(DBG_TLS
, "selected TLS MAC %N not supported",
1261 integrity_algorithm_names
, algs
->mac
);
1268 * Create traditional transforms
1270 static bool create_traditional(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1272 if (this->tls
->get_version_max(this->tls
) < TLS_1_1
)
1274 this->aead_in
= tls_aead_create_implicit(algs
->mac
,
1275 algs
->encr
, algs
->encr_size
);
1276 this->aead_out
= tls_aead_create_implicit(algs
->mac
,
1277 algs
->encr
, algs
->encr_size
);
1281 this->aead_in
= tls_aead_create_explicit(algs
->mac
,
1282 algs
->encr
, algs
->encr_size
);
1283 this->aead_out
= tls_aead_create_explicit(algs
->mac
,
1284 algs
->encr
, algs
->encr_size
);
1286 if (!this->aead_in
|| !this->aead_out
)
1288 DBG1(DBG_TLS
, "selected TLS transforms %N-%u-%N not supported",
1289 encryption_algorithm_names
, algs
->encr
, algs
->encr_size
* 8,
1290 integrity_algorithm_names
, algs
->mac
);
1297 * Create AEAD transforms
1299 static bool create_aead(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1301 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1303 this->aead_in
= tls_aead_create_aead(algs
->encr
, algs
->encr_size
);
1304 this->aead_out
= tls_aead_create_aead(algs
->encr
, algs
->encr_size
);
1308 this->aead_in
= tls_aead_create_seq(algs
->encr
, algs
->encr_size
);
1309 this->aead_out
= tls_aead_create_seq(algs
->encr
, algs
->encr_size
);
1311 if (!this->aead_in
|| !this->aead_out
)
1313 DBG1(DBG_TLS
, "selected TLS transforms %N-%u not supported",
1314 encryption_algorithm_names
, algs
->encr
, algs
->encr_size
* 8);
1321 * Clean up and unset AEAD transforms
1323 static void destroy_aeads(private_tls_crypto_t
*this)
1325 DESTROY_IF(this->aead_in
);
1326 DESTROY_IF(this->aead_out
);
1327 this->aead_in
= this->aead_out
= NULL
;
1331 * Create crypto primitives
1333 static bool create_ciphers(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1335 destroy_aeads(this);
1336 DESTROY_IF(this->hkdf
);
1337 DESTROY_IF(this->prf
);
1338 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1340 if (this->tls
->get_version_max(this->tls
) < TLS_1_2
)
1342 this->prf
= tls_prf_create_10();
1346 this->prf
= tls_prf_create_12(algs
->prf
);
1350 DBG1(DBG_TLS
, "selected TLS PRF not supported");
1356 this->hkdf
= tls_hkdf_create(algs
->hash
, chunk_empty
);
1359 DBG1(DBG_TLS
, "TLS HKDF creation unsuccessful");
1363 if (algs
->encr
== ENCR_NULL
)
1365 if (create_null(this, algs
))
1370 else if (encryption_algorithm_is_aead(algs
->encr
))
1372 if (create_aead(this, algs
))
1379 if (create_traditional(this, algs
))
1384 destroy_aeads(this);
1388 METHOD(tls_crypto_t
, select_cipher_suite
, tls_cipher_suite_t
,
1389 private_tls_crypto_t
*this, tls_cipher_suite_t
*suites
, int count
,
1395 for (i
= 0; i
< this->suite_count
; i
++)
1397 for (j
= 0; j
< count
; j
++)
1399 if (this->suites
[i
] == suites
[j
])
1401 algs
= find_suite(this->suites
[i
]);
1404 if (key
== KEY_ANY
|| key
== algs
->key
||
1405 (algs
->key
== KEY_ECDSA
&& key
== KEY_ED25519
) ||
1406 (algs
->key
== KEY_ECDSA
&& key
== KEY_ED448
))
1408 if (create_ciphers(this, algs
))
1410 this->suite
= this->suites
[i
];
1421 METHOD(tls_crypto_t
, get_dh_group
, diffie_hellman_group_t
,
1422 private_tls_crypto_t
*this)
1426 algs
= find_suite(this->suite
);
1435 * Parameters for RSA/PSS signature schemes
1437 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1438 .hash = HASH_SHA##bits, \
1439 .mgf1_hash = HASH_SHA##bits, \
1440 .salt_len = HASH_SIZE_SHA##bits, \
1448 tls_signature_scheme_t sig
;
1449 signature_params_t params
;
1450 /* min/max versions for use in CertificateVerify */
1451 tls_version_t min_version
;
1452 tls_version_t max_version
;
1456 * Map TLS signature schemes, ordered by preference
1458 static scheme_algs_t schemes
[] = {
1459 { TLS_SIG_ECDSA_SHA256
, { .scheme
= SIGN_ECDSA_WITH_SHA256_DER
},
1461 { TLS_SIG_ECDSA_SHA384
, { .scheme
= SIGN_ECDSA_WITH_SHA384_DER
},
1463 { TLS_SIG_ECDSA_SHA512
, { .scheme
= SIGN_ECDSA_WITH_SHA512_DER
},
1465 { TLS_SIG_ED25519
, { .scheme
= SIGN_ED25519
},
1467 { TLS_SIG_ED448
, { .scheme
= SIGN_ED448
},
1469 { TLS_SIG_RSA_PSS_RSAE_SHA256
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha256
, },
1471 { TLS_SIG_RSA_PSS_RSAE_SHA384
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha384
, },
1473 { TLS_SIG_RSA_PSS_RSAE_SHA512
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha512
, },
1475 /* the parameters for the next three should actually be taken from the
1476 * public key, we currently don't have an API for that, so assume defaults */
1477 { TLS_SIG_RSA_PSS_PSS_SHA256
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha256
, },
1479 { TLS_SIG_RSA_PSS_PSS_SHA384
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha384
, },
1481 { TLS_SIG_RSA_PSS_PSS_SHA512
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha512
, },
1483 { TLS_SIG_RSA_PKCS1_SHA256
, { .scheme
= SIGN_RSA_EMSA_PKCS1_SHA2_256
},
1485 { TLS_SIG_RSA_PKCS1_SHA384
, { .scheme
= SIGN_RSA_EMSA_PKCS1_SHA2_384
},
1487 { TLS_SIG_RSA_PKCS1_SHA512
, { .scheme
= SIGN_RSA_EMSA_PKCS1_SHA2_512
},
1492 * Filter signature scheme config
1494 static bool filter_signature_scheme_config(tls_signature_scheme_t signature
)
1496 enumerator_t
*enumerator
;
1497 char *token
, *config
;
1499 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.signature", NULL
,
1503 enumerator
= enumerator_create_token(config
, ",", " ");
1504 while (enumerator
->enumerate(enumerator
, &token
))
1506 tls_signature_scheme_t sig
;
1508 if (enum_from_name(tls_signature_scheme_names
, token
, &sig
) &&
1511 enumerator
->destroy(enumerator
);
1515 enumerator
->destroy(enumerator
);
1520 METHOD(tls_crypto_t
, get_signature_algorithms
, void,
1521 private_tls_crypto_t
*this, bio_writer_t
*writer
, bool cert
)
1523 bio_writer_t
*supported
;
1524 tls_version_t min_version
, max_version
;
1527 supported
= bio_writer_create(32);
1531 min_version
= this->tls
->get_version_min(this->tls
);
1532 max_version
= this->tls
->get_version_max(this->tls
);
1535 for (i
= 0; i
< countof(schemes
); i
++)
1537 if ((cert
|| (schemes
[i
].min_version
<= max_version
&&
1538 schemes
[i
].max_version
>= min_version
)) &&
1539 lib
->plugins
->has_feature(lib
->plugins
,
1540 PLUGIN_PROVIDE(PUBKEY_VERIFY
, schemes
[i
].params
.scheme
)) &&
1541 filter_signature_scheme_config(schemes
[i
].sig
))
1543 supported
->write_uint16(supported
, schemes
[i
].sig
);
1547 writer
->write_data16(writer
, supported
->get_buf(supported
));
1548 supported
->destroy(supported
);
1552 * Get the signature parameters from a TLS signature scheme
1554 static signature_params_t
*params_for_scheme(tls_signature_scheme_t sig
,
1559 for (i
= 0; i
< countof(schemes
); i
++)
1561 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1562 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1563 if (sign
&& (sig
== TLS_SIG_RSA_PSS_PSS_SHA256
||
1564 sig
== TLS_SIG_RSA_PSS_PSS_SHA384
||
1565 sig
== TLS_SIG_RSA_PSS_PSS_SHA512
))
1569 if (schemes
[i
].sig
== sig
)
1571 return &schemes
[i
].params
;
1578 * Mapping groups to TLS named curves
1581 diffie_hellman_group_t group
;
1582 tls_named_group_t curve
;
1584 { ECP_256_BIT
, TLS_SECP256R1
},
1585 { ECP_384_BIT
, TLS_SECP384R1
},
1586 { ECP_521_BIT
, TLS_SECP521R1
},
1587 { ECP_224_BIT
, TLS_SECP224R1
},
1588 { ECP_192_BIT
, TLS_SECP192R1
},
1589 { CURVE_25519
, TLS_CURVE25519
},
1590 { CURVE_448
, TLS_CURVE448
},
1593 CALLBACK(group_filter
, bool,
1594 void *null
, enumerator_t
*orig
, va_list args
)
1596 diffie_hellman_group_t group
, *group_out
;
1597 tls_named_group_t curve
, *curve_out
;
1600 VA_ARGS_VGET(args
, group_out
, curve_out
);
1602 while (orig
->enumerate(orig
, &group
, &plugin
))
1604 curve
= tls_ec_group_to_curve(group
);
1621 CALLBACK(config_filter
, bool,
1622 void *null
, enumerator_t
*orig
, va_list args
)
1624 diffie_hellman_group_t group
, *group_out
;
1625 tls_named_group_t curve
, *curve_out
;
1627 VA_ARGS_VGET(args
, group_out
, curve_out
);
1629 while (orig
->enumerate(orig
, &group
, &curve
))
1631 if (filter_curve_config(curve
))
1647 METHOD(tls_crypto_t
, create_ec_enumerator
, enumerator_t
*,
1648 private_tls_crypto_t
*this)
1650 return enumerator_create_filter(
1651 enumerator_create_filter(
1652 lib
->crypto
->create_dh_enumerator(lib
->crypto
),
1653 group_filter
, NULL
, NULL
),
1654 config_filter
, NULL
, NULL
);
1657 METHOD(tls_crypto_t
, set_protection
, void,
1658 private_tls_crypto_t
*this, tls_protection_t
*protection
)
1660 this->protection
= protection
;
1663 METHOD(tls_crypto_t
, append_handshake
, void,
1664 private_tls_crypto_t
*this, tls_handshake_type_t type
, chunk_t data
)
1668 /* reconstruct handshake header */
1669 header
= htonl(data
.len
| (type
<< 24));
1670 this->handshake
= chunk_cat("mcc", this->handshake
,
1671 chunk_from_thing(header
), data
);
1675 * Create a hash using the suites HASH algorithm
1677 static bool hash_data(private_tls_crypto_t
*this, chunk_t data
, chunk_t
*hash
)
1679 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1684 alg
= find_suite(this->suite
);
1689 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, alg
->hash
);
1690 if (!hasher
|| !hasher
->allocate_hash(hasher
, data
, hash
))
1692 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, alg
->hash
);
1696 hasher
->destroy(hasher
);
1700 hasher_t
*md5
, *sha1
;
1701 char buf
[HASH_SIZE_MD5
+ HASH_SIZE_SHA1
];
1703 md5
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
);
1704 if (!md5
|| !md5
->get_hash(md5
, data
, buf
))
1706 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_MD5
);
1711 sha1
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1712 if (!sha1
|| !sha1
->get_hash(sha1
, data
, buf
+ HASH_SIZE_MD5
))
1714 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_SHA1
);
1718 sha1
->destroy(sha1
);
1720 *hash
= chunk_clone(chunk_from_thing(buf
));
1725 METHOD(tls_crypto_t
, hash_handshake
, bool,
1726 private_tls_crypto_t
*this, chunk_t
*out
)
1730 if (!hash_data(this, this->handshake
, &hash
))
1735 chunk_free(&this->handshake
);
1736 append_handshake(this, TLS_MESSAGE_HASH
, hash
);
1750 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1751 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1753 static chunk_t tls13_sig_data_server
= chunk_from_chars(
1754 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1755 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1756 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1757 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1758 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1759 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1760 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1761 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1762 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1763 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1764 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1765 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1770 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1771 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1773 static chunk_t tls13_sig_data_client
= chunk_from_chars(
1774 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1775 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1776 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1777 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1778 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1779 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1780 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1781 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1782 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1783 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1784 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1785 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1789 METHOD(tls_crypto_t
, sign
, bool,
1790 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1791 chunk_t data
, chunk_t hashsig
)
1793 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1795 /* fallback to SHA1/RSA and SHA1/ECDSA */
1796 const chunk_t hashsig_def
= chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1797 signature_params_t
*params
;
1800 bio_reader_t
*reader
;
1804 if (this->tls
->get_version_max(this->tls
) >= TLS_1_3
)
1806 chunk_t transcript_hash
;
1808 if (!hash_data(this, data
, &transcript_hash
))
1810 DBG1(DBG_TLS
, "unable to create transcript hash");
1813 if (this->tls
->is_server(this->tls
))
1815 data
= chunk_cata("cm", tls13_sig_data_server
, transcript_hash
);
1819 data
= chunk_cata("cm", tls13_sig_data_client
, transcript_hash
);
1824 { /* fallback if none given */
1825 hashsig
= hashsig_def
;
1827 type
= key
->get_type(key
);
1828 reader
= bio_reader_create(hashsig
);
1829 while (reader
->remaining(reader
) >= 2)
1831 if (reader
->read_uint16(reader
, &scheme
))
1833 params
= params_for_scheme(scheme
, TRUE
);
1835 type
== key_type_from_signature_scheme(params
->scheme
) &&
1836 key
->sign(key
, params
->scheme
, params
->params
, data
, &sig
))
1843 reader
->destroy(reader
);
1846 DBG1(DBG_TLS
, "none of the proposed hash/sig algorithms supported");
1849 DBG2(DBG_TLS
, "created signature with %N", tls_signature_scheme_names
,
1851 writer
->write_uint16(writer
, scheme
);
1852 writer
->write_data16(writer
, sig
);
1860 switch (key
->get_type(key
))
1863 if (!hash_data(this, data
, &hash
))
1867 done
= key
->sign(key
, SIGN_RSA_EMSA_PKCS1_NULL
, NULL
, hash
,
1874 DBG2(DBG_TLS
, "created signature with MD5+SHA1/RSA");
1877 if (!key
->sign(key
, SIGN_ECDSA_WITH_SHA1_DER
, NULL
, data
, &sig
))
1881 DBG2(DBG_TLS
, "created signature with SHA1/ECDSA");
1884 if (!key
->sign(key
, SIGN_ED25519
, NULL
, data
, &sig
))
1888 DBG2(DBG_TLS
, "created signature with Ed25519");
1891 if (!key
->sign(key
, SIGN_ED448
, NULL
, data
, &sig
))
1895 DBG2(DBG_TLS
, "created signature with Ed448");
1900 writer
->write_data16(writer
, sig
);
1906 METHOD(tls_crypto_t
, verify
, bool,
1907 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
,
1910 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1912 signature_params_t
*params
;
1916 if (!reader
->read_uint16(reader
, &scheme
) ||
1917 !reader
->read_data16(reader
, &sig
))
1919 DBG1(DBG_TLS
, "received invalid signature");
1922 params
= params_for_scheme(scheme
, FALSE
);
1925 DBG1(DBG_TLS
, "signature algorithms %N not supported",
1926 tls_signature_scheme_names
, scheme
);
1929 if (this->tls
->get_version_max(this->tls
) >= TLS_1_3
)
1931 chunk_t transcript_hash
;
1933 if (!hash_data(this, data
, &transcript_hash
))
1935 DBG1(DBG_TLS
, "Unable to create transcript hash");
1939 if (this->tls
->is_server(this->tls
))
1941 data
= chunk_cata("cm", tls13_sig_data_client
, transcript_hash
);
1945 data
= chunk_cata("cm", tls13_sig_data_server
, transcript_hash
);
1948 if (!key
->verify(key
, params
->scheme
, params
->params
, data
, sig
))
1950 DBG1(DBG_TLS
, "signature verification with %N failed",
1951 tls_signature_scheme_names
, scheme
);
1954 DBG2(DBG_TLS
, "verified signature with %N",
1955 tls_signature_scheme_names
, scheme
);
1962 if (!reader
->read_data16(reader
, &sig
))
1964 DBG1(DBG_TLS
, "received invalid signature");
1967 switch (key
->get_type(key
))
1970 if (!hash_data(this, data
, &hash
))
1974 done
= key
->verify(key
, SIGN_RSA_EMSA_PKCS1_NULL
, NULL
, hash
,
1981 DBG2(DBG_TLS
, "verified signature data with MD5+SHA1/RSA");
1984 if (!key
->verify(key
, SIGN_ECDSA_WITH_SHA1_DER
, NULL
, data
,
1989 DBG2(DBG_TLS
, "verified signature with SHA1/ECDSA");
1992 if (!key
->verify(key
, SIGN_ED25519
, NULL
, data
, sig
))
1996 DBG2(DBG_TLS
, "verified signature with Ed25519");
1999 if (!key
->verify(key
, SIGN_ED448
, NULL
, data
, sig
))
2003 DBG2(DBG_TLS
, "verified signature with Ed448");
2012 METHOD(tls_crypto_t
, sign_handshake
, bool,
2013 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
2016 return sign(this, key
, writer
, this->handshake
, hashsig
);
2019 METHOD(tls_crypto_t
, verify_handshake
, bool,
2020 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
)
2022 return verify(this, key
, reader
, this->handshake
);
2025 METHOD(tls_crypto_t
, calculate_finished_legacy
, bool,
2026 private_tls_crypto_t
*this, char *label
, char out
[12])
2034 if (!hash_data(this, this->handshake
, &seed
))
2038 if (!this->prf
->get_bytes(this->prf
, label
, seed
, 12, out
))
2047 METHOD(tls_crypto_t
, calculate_finished
, bool,
2048 private_tls_crypto_t
*this, bool server
, chunk_t
*out
)
2050 chunk_t finished_key
, finished_hash
;
2056 if (!hash_data(this, this->handshake
, &finished_hash
))
2058 DBG1(DBG_TLS
, "creating hash of handshake failed");
2061 if (!this->hkdf
->derive_finished(this->hkdf
, server
, &finished_key
))
2063 DBG1(DBG_TLS
, "generating finished key failed");
2064 chunk_clear(&finished_hash
);
2067 if (!this->hkdf
->allocate_bytes(this->hkdf
, finished_key
, finished_hash
, out
))
2069 DBG1(DBG_TLS
, "generating finished HMAC failed");
2070 chunk_clear(&finished_key
);
2071 chunk_clear(&finished_hash
);
2074 chunk_clear(&finished_key
);
2075 chunk_clear(&finished_hash
);
2080 * Derive master secret from premaster, optionally save session
2082 static bool derive_master(private_tls_crypto_t
*this, chunk_t premaster
,
2083 chunk_t session
, identification_t
*id
,
2084 chunk_t client_random
, chunk_t server_random
)
2089 /* derive master secret */
2090 seed
= chunk_cata("cc", client_random
, server_random
);
2092 if (!this->prf
->set_key(this->prf
, premaster
) ||
2093 !this->prf
->get_bytes(this->prf
, "master secret", seed
,
2094 sizeof(master
), master
) ||
2095 !this->prf
->set_key(this->prf
, chunk_from_thing(master
)))
2100 if (this->cache
&& session
.len
)
2102 this->cache
->create(this->cache
, session
, id
, chunk_from_thing(master
),
2105 memwipe(master
, sizeof(master
));
2110 * Expand key material from master secret
2112 static bool expand_keys(private_tls_crypto_t
*this,
2113 chunk_t client_random
, chunk_t server_random
)
2115 chunk_t seed
, block
;
2116 chunk_t cw_mac
, cw
, cw_iv
;
2117 chunk_t sw_mac
, sw
, sw_iv
;
2118 int mklen
, eklen
, ivlen
;
2120 if (!this->aead_in
|| !this->aead_out
)
2125 /* derive key block for key expansion */
2126 mklen
= this->aead_in
->get_mac_key_size(this->aead_in
);
2127 eklen
= this->aead_in
->get_encr_key_size(this->aead_in
);
2128 ivlen
= this->aead_in
->get_iv_size(this->aead_in
);
2129 seed
= chunk_cata("cc", server_random
, client_random
);
2130 block
= chunk_alloca((mklen
+ eklen
+ ivlen
) * 2);
2131 if (!this->prf
->get_bytes(this->prf
, "key expansion", seed
,
2132 block
.len
, block
.ptr
))
2137 /* client/server write signer keys */
2138 cw_mac
= chunk_create(block
.ptr
, mklen
);
2139 block
= chunk_skip(block
, mklen
);
2140 sw_mac
= chunk_create(block
.ptr
, mklen
);
2141 block
= chunk_skip(block
, mklen
);
2143 /* client/server write encryption keys */
2144 cw
= chunk_create(block
.ptr
, eklen
);
2145 block
= chunk_skip(block
, eklen
);
2146 sw
= chunk_create(block
.ptr
, eklen
);
2147 block
= chunk_skip(block
, eklen
);
2149 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2150 cw_iv
= chunk_create(block
.ptr
, ivlen
);
2151 block
= chunk_skip(block
, ivlen
);
2152 sw_iv
= chunk_create(block
.ptr
, ivlen
);
2153 block
= chunk_skip(block
, ivlen
);
2155 if (this->tls
->is_server(this->tls
))
2157 if (!this->aead_in
->set_keys(this->aead_in
, cw_mac
, cw
, cw_iv
) ||
2158 !this->aead_out
->set_keys(this->aead_out
, sw_mac
, sw
, sw_iv
))
2165 if (!this->aead_out
->set_keys(this->aead_out
, cw_mac
, cw
, cw_iv
) ||
2166 !this->aead_in
->set_keys(this->aead_in
, sw_mac
, sw
, sw_iv
))
2173 if (this->msk_label
)
2175 seed
= chunk_cata("cc", client_random
, server_random
);
2176 this->msk
= chunk_alloc(64);
2177 if (!this->prf
->get_bytes(this->prf
, this->msk_label
, seed
,
2178 this->msk
.len
, this->msk
.ptr
))
2186 METHOD(tls_crypto_t
, derive_secrets
, bool,
2187 private_tls_crypto_t
*this, chunk_t premaster
, chunk_t session
,
2188 identification_t
*id
, chunk_t client_random
, chunk_t server_random
)
2190 return derive_master(this, premaster
, session
, id
,
2191 client_random
, server_random
) &&
2192 expand_keys(this, client_random
, server_random
);
2196 * Derive and configure the client/server key/IV on an AEAD using a given label.
2198 static bool derive_labeled_key(private_tls_crypto_t
*this, bool server
,
2199 tls_hkdf_label_t label
, tls_aead_t
*aead
)
2201 chunk_t key
= chunk_empty
, iv
= chunk_empty
;
2202 bool success
= FALSE
;
2204 if (!this->hkdf
->generate_secret(this->hkdf
, label
, this->handshake
,
2206 !this->hkdf
->derive_key(this->hkdf
, server
,
2207 aead
->get_encr_key_size(aead
), &key
) ||
2208 !this->hkdf
->derive_iv(this->hkdf
, server
,
2209 aead
->get_iv_size(aead
), &iv
))
2211 DBG1(DBG_TLS
, "deriving key material failed");
2215 if (!aead
->set_keys(aead
, chunk_empty
, key
, iv
))
2217 DBG1(DBG_TLS
, "setting AEAD key material failed");
2229 * Derive and configure the keys/IVs using the given labels.
2231 static bool derive_labeled_keys(private_tls_crypto_t
*this,
2232 tls_hkdf_label_t client_label
,
2233 tls_hkdf_label_t server_label
)
2235 tls_aead_t
*aead_c
, *aead_s
;
2238 algs
= find_suite(this->suite
);
2239 destroy_aeads(this);
2240 if (!create_aead(this, algs
))
2244 aead_c
= this->aead_out
;
2245 aead_s
= this->aead_in
;
2246 if (this->tls
->is_server(this->tls
))
2248 aead_c
= this->aead_in
;
2249 aead_s
= this->aead_out
;
2251 return derive_labeled_key(this, FALSE
, client_label
, aead_c
) &&
2252 derive_labeled_key(this, TRUE
, server_label
, aead_s
);
2255 METHOD(tls_crypto_t
, derive_handshake_keys
, bool,
2256 private_tls_crypto_t
*this, chunk_t shared_secret
)
2258 this->hkdf
->set_shared_secret(this->hkdf
, shared_secret
);
2259 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC
,
2260 TLS_HKDF_S_HS_TRAFFIC
);
2263 METHOD(tls_crypto_t
, derive_app_keys
, bool,
2264 private_tls_crypto_t
*this)
2266 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC
,
2267 TLS_HKDF_S_AP_TRAFFIC
))
2273 if (this->msk_label
)
2275 /* because the length is encoded when expanding key material, we
2276 * request the same number of bytes as FreeRADIUS (the first 64 for
2277 * the MSK, the next for the EMSK, which we just ignore) */
2278 if (!this->hkdf
->export(this->hkdf
, this->msk_label
, chunk_empty
,
2279 this->handshake
, 128, &this->msk
))
2288 METHOD(tls_crypto_t
, update_app_keys
, bool,
2289 private_tls_crypto_t
*this, bool inbound
)
2292 tls_hkdf_label_t label
= TLS_HKDF_UPD_C_TRAFFIC
;
2294 algs
= find_suite(this->suite
);
2295 destroy_aeads(this);
2296 if (!create_aead(this, algs
))
2300 if (this->tls
->is_server(this->tls
) != inbound
)
2302 label
= TLS_HKDF_UPD_S_TRAFFIC
;
2304 return derive_labeled_key(this, label
== TLS_HKDF_UPD_S_TRAFFIC
, label
,
2305 inbound ?
this->aead_in
: this->aead_out
);
2308 METHOD(tls_crypto_t
, resume_session
, tls_cipher_suite_t
,
2309 private_tls_crypto_t
*this, chunk_t session
, identification_t
*id
,
2310 chunk_t client_random
, chunk_t server_random
)
2314 if (this->cache
&& session
.len
)
2316 this->suite
= this->cache
->lookup(this->cache
, session
, id
, &master
);
2319 this->suite
= select_cipher_suite(this, &this->suite
, 1, KEY_ANY
);
2322 if (!this->prf
->set_key(this->prf
, master
) ||
2323 !expand_keys(this, client_random
, server_random
))
2328 chunk_clear(&master
);
2335 METHOD(tls_crypto_t
, get_session
, chunk_t
,
2336 private_tls_crypto_t
*this, identification_t
*server
)
2340 return this->cache
->check(this->cache
, server
);
2345 METHOD(tls_crypto_t
, change_cipher
, void,
2346 private_tls_crypto_t
*this, bool inbound
)
2348 if (this->protection
)
2352 this->protection
->set_cipher(this->protection
, TRUE
, this->aead_in
);
2353 this->aead_in
= NULL
;
2357 this->protection
->set_cipher(this->protection
, FALSE
, this->aead_out
);
2358 this->aead_out
= NULL
;
2363 METHOD(tls_crypto_t
, get_eap_msk
, chunk_t
,
2364 private_tls_crypto_t
*this)
2369 METHOD(tls_crypto_t
, destroy
, void,
2370 private_tls_crypto_t
*this)
2372 destroy_aeads(this);
2373 free(this->handshake
.ptr
);
2374 free(this->msk
.ptr
);
2375 DESTROY_IF(this->prf
);
2376 DESTROY_IF(this->hkdf
);
2384 tls_crypto_t
*tls_crypto_create(tls_t
*tls
, tls_cache_t
*cache
)
2386 private_tls_crypto_t
*this;
2387 enumerator_t
*enumerator
;
2388 credential_type_t type
;
2393 .get_cipher_suites
= _get_cipher_suites
,
2394 .select_cipher_suite
= _select_cipher_suite
,
2395 .get_dh_group
= _get_dh_group
,
2396 .get_signature_algorithms
= _get_signature_algorithms
,
2397 .create_ec_enumerator
= _create_ec_enumerator
,
2398 .set_protection
= _set_protection
,
2399 .append_handshake
= _append_handshake
,
2400 .hash_handshake
= _hash_handshake
,
2403 .sign_handshake
= _sign_handshake
,
2404 .verify_handshake
= _verify_handshake
,
2405 .calculate_finished_legacy
= _calculate_finished_legacy
,
2406 .calculate_finished
= _calculate_finished
,
2407 .derive_secrets
= _derive_secrets
,
2408 .derive_handshake_keys
= _derive_handshake_keys
,
2409 .derive_app_keys
= _derive_app_keys
,
2410 .update_app_keys
= _update_app_keys
,
2411 .resume_session
= _resume_session
,
2412 .get_session
= _get_session
,
2413 .change_cipher
= _change_cipher
,
2414 .get_eap_msk
= _get_eap_msk
,
2415 .destroy
= _destroy
,
2421 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2422 * separation would be welcome. */
2423 enumerator
= lib
->creds
->create_builder_enumerator(lib
->creds
);
2424 while (enumerator
->enumerate(enumerator
, &type
, &subtype
))
2426 if (type
== CRED_PUBLIC_KEY
)
2443 enumerator
->destroy(enumerator
);
2445 switch (tls
->get_purpose(tls
))
2447 case TLS_PURPOSE_EAP_TLS
:
2448 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2449 this->msk_label
= "client EAP encryption";
2451 case TLS_PURPOSE_EAP_PEAP
:
2452 this->msk_label
= "client EAP encryption";
2454 case TLS_PURPOSE_EAP_TTLS
:
2455 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2456 this->msk_label
= "ttls keying material";
2461 return &this->public;
2467 int tls_crypto_get_supported_suites(bool null
, tls_version_t version
,
2468 tls_cipher_suite_t
**out
)
2470 suite_algs_t suites
[countof(suite_algs
)];
2473 /* initialize copy of suite list */
2474 for (i
= 0; i
< countof(suite_algs
); i
++)
2476 if (suite_algs
[i
].min_version
<= version
&&
2477 suite_algs
[i
].max_version
>= version
)
2479 suites
[count
++] = suite_algs
[i
];
2483 filter_unsupported_suites(suites
, &count
);
2487 filter_null_suites(suites
, &count
);
2492 *out
= calloc(count
, sizeof(tls_cipher_suite_t
));
2493 for (i
= 0; i
< count
; i
++)
2495 (*out
)[i
] = suites
[i
].suite
;
2504 int tls_crypto_get_supported_groups(diffie_hellman_group_t
**out
)
2506 enumerator_t
*enumerator
;
2507 diffie_hellman_group_t groups
[countof(curves
)];
2508 diffie_hellman_group_t group
;
2509 tls_named_group_t curve
;
2512 enumerator
= enumerator_create_filter(
2513 lib
->crypto
->create_dh_enumerator(lib
->crypto
),
2514 group_filter
, NULL
, NULL
);
2516 while (enumerator
->enumerate(enumerator
, &group
, &curve
))
2518 groups
[count
++] = group
;
2520 enumerator
->destroy(enumerator
);
2524 *out
= calloc(count
, sizeof(diffie_hellman_group_t
));
2525 for (i
= 0; i
< count
; i
++)
2527 (*out
)[i
] = groups
[i
];
2536 int tls_crypto_get_supported_signatures(tls_version_t version
,
2537 tls_signature_scheme_t
**out
)
2539 scheme_algs_t sigs
[countof(schemes
)];
2542 /* initialize copy of signature scheme list */
2543 for (i
= 0; i
< countof(schemes
); i
++)
2545 /* only RSA_PSS_RSAE schemes supported for signing and verifying */
2546 if (schemes
[i
].sig
== TLS_SIG_RSA_PSS_PSS_SHA256
||
2547 schemes
[i
].sig
== TLS_SIG_RSA_PSS_PSS_SHA384
||
2548 schemes
[i
].sig
== TLS_SIG_RSA_PSS_PSS_SHA512
)
2552 if (schemes
[i
].min_version
<= version
&&
2553 schemes
[i
].max_version
>= version
&&
2554 lib
->plugins
->has_feature(lib
->plugins
,
2555 PLUGIN_PROVIDE(PUBKEY_VERIFY
, schemes
[i
].params
.scheme
)))
2557 sigs
[count
++] = schemes
[i
];
2563 *out
= calloc(count
, sizeof(tls_signature_scheme_t
));
2564 for (i
= 0; i
< count
; i
++)
2566 (*out
)[i
] = sigs
[i
].sig
;
2575 tls_named_group_t
tls_ec_group_to_curve(diffie_hellman_group_t group
)
2579 for (i
= 0; i
< countof(curves
); i
++)
2581 if (curves
[i
].group
== group
)
2583 return curves
[i
].curve
;
2592 key_type_t
tls_signature_scheme_to_key_type(tls_signature_scheme_t sig
)
2596 for (i
= 0; i
< countof(schemes
); i
++)
2598 if (schemes
[i
].sig
== sig
)
2600 return key_type_from_signature_scheme(schemes
[i
].params
.scheme
);
2607 * Hashtable hash function
2609 static u_int
hash_key_type(key_type_t
*type
)
2611 return chunk_hash(chunk_from_thing(*type
));
2615 * Hashtable equals function
2617 static bool equals_key_type(key_type_t
*key1
, key_type_t
*key2
)
2619 return *key1
== *key2
;
2622 CALLBACK(filter_key_types
, bool,
2623 void *data
, enumerator_t
*orig
, va_list args
)
2625 key_type_t
*key_type
, *out
;
2627 VA_ARGS_VGET(args
, out
);
2629 if (orig
->enumerate(orig
, NULL
, &key_type
))
2637 CALLBACK(destroy_key_types
, void,
2640 ht
->destroy_function(ht
, (void*)free
);
2644 * Create an enumerator over supported key types within a specific TLS range
2646 static enumerator_t
*get_supported_key_types(tls_version_t min_version
,
2647 tls_version_t max_version
)
2650 key_type_t
*type
, lookup
;
2653 ht
= hashtable_create((hashtable_hash_t
)hash_key_type
,
2654 (hashtable_equals_t
)equals_key_type
, 4);
2655 for (i
= 0; i
< countof(schemes
); i
++)
2657 if (schemes
[i
].min_version
<= max_version
&&
2658 schemes
[i
].max_version
>= min_version
)
2660 lookup
= key_type_from_signature_scheme(schemes
[i
].params
.scheme
);
2661 if (!ht
->get(ht
, &lookup
))
2663 type
= malloc_thing(key_type_t
);
2665 ht
->put(ht
, type
, type
);
2669 return enumerator_create_filter(ht
->create_enumerator(ht
),
2670 filter_key_types
, ht
, destroy_key_types
);
2674 * Create an array of an intersection of server and peer supported key types
2676 static array_t
*create_common_key_types(enumerator_t
*enumerator
, chunk_t hashsig
)
2679 key_type_t v
, lookup
;
2680 uint16_t sig_scheme
;
2682 key_types
= array_create(sizeof(key_type_t
), 8);
2683 while (enumerator
->enumerate(enumerator
, &v
))
2685 bio_reader_t
*reader
;
2687 reader
= bio_reader_create(hashsig
);
2688 while (reader
->remaining(reader
) &&
2689 reader
->read_uint16(reader
, &sig_scheme
))
2691 lookup
= tls_signature_scheme_to_key_type(sig_scheme
);
2694 array_insert(key_types
, ARRAY_TAIL
, &lookup
);
2698 reader
->destroy(reader
);
2704 enumerator_t
public;
2706 identification_t
*peer
;
2709 } private_key_enumerator_t
;
2711 METHOD(enumerator_t
, private_key_enumerate
, bool,
2712 private_key_enumerator_t
*this, va_list args
)
2715 auth_cfg_t
**auth_out
;
2716 private_key_t
**key_out
;
2718 VA_ARGS_VGET(args
, key_out
, auth_out
);
2720 DESTROY_IF(this->key
);
2721 DESTROY_IF(this->auth
);
2722 this->auth
= auth_cfg_create();
2724 while (array_remove(this->key_types
, ARRAY_HEAD
, &type
))
2726 this->key
= lib
->credmgr
->get_private(lib
->credmgr
, type
, this->peer
,
2730 *key_out
= this->key
;
2733 *auth_out
= this->auth
;
2741 METHOD(enumerator_t
, private_key_destroy
, void,
2742 private_key_enumerator_t
*this)
2744 DESTROY_IF(this->key
);
2745 DESTROY_IF(this->auth
);
2746 array_destroy(this->key_types
);
2753 enumerator_t
*tls_create_private_key_enumerator(tls_version_t min_version
,
2754 tls_version_t max_version
,
2756 identification_t
*peer
)
2758 private_key_enumerator_t
*enumerator
;
2759 enumerator_t
*key_types
;
2761 key_types
= get_supported_key_types(min_version
, max_version
);
2765 .enumerate
= enumerator_enumerate_default
,
2766 .venumerate
= _private_key_enumerate
,
2767 .destroy
= _private_key_destroy
,
2769 .key_types
= create_common_key_types(key_types
, hashsig
),
2772 key_types
->destroy(key_types
);
2774 if (!array_count(enumerator
->key_types
))
2778 return &enumerator
->public;
projects / strongswan.git / blob