2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include "tls_crypto.h"
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
29 ENUM_BEGIN(tls_cipher_suite_names
, TLS_NULL_WITH_NULL_NULL
,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names
, TLS_KRB5_WITH_DES_CBC_SHA
,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names
, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names
, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names
, TLS_AES_128_GCM_SHA256
,
187 TLS_AES_128_CCM_8_SHA256
,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDH_ECDSA_WITH_NULL_SHA
,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
196 TLS_AES_128_CCM_8_SHA256
,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
);
265 ENUM(tls_hash_algorithm_names
, TLS_HASH_NONE
, TLS_HASH_SHA512
,
275 ENUM_BEGIN(tls_signature_scheme_names
,
276 TLS_SIG_RSA_PKCS1_SHA1
, TLS_SIG_RSA_PKCS1_SHA1
,
278 ENUM_NEXT(tls_signature_scheme_names
,
279 TLS_SIG_ECDSA_SHA1
, TLS_SIG_ECDSA_SHA1
, TLS_SIG_RSA_PKCS1_SHA1
,
281 ENUM_NEXT(tls_signature_scheme_names
,
282 TLS_SIG_RSA_PKCS1_SHA224
, TLS_SIG_ECDSA_SHA224
, TLS_SIG_ECDSA_SHA1
,
286 ENUM_NEXT(tls_signature_scheme_names
,
287 TLS_SIG_RSA_PKCS1_SHA256
, TLS_SIG_ECDSA_SHA256
, TLS_SIG_ECDSA_SHA224
,
291 ENUM_NEXT(tls_signature_scheme_names
,
292 TLS_SIG_RSA_PKCS1_SHA384
, TLS_SIG_ECDSA_SHA384
, TLS_SIG_ECDSA_SHA256
,
296 ENUM_NEXT(tls_signature_scheme_names
,
297 TLS_SIG_RSA_PKCS1_SHA512
, TLS_SIG_ECDSA_SHA512
, TLS_SIG_ECDSA_SHA384
,
301 ENUM_NEXT(tls_signature_scheme_names
,
302 TLS_SIG_RSA_PSS_RSAE_SHA256
, TLS_SIG_RSA_PSS_PSS_SHA512
, TLS_SIG_ECDSA_SHA512
,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
312 ENUM_END(tls_signature_scheme_names
, TLS_SIG_RSA_PSS_PSS_SHA512
);
314 ENUM_BEGIN(tls_client_certificate_type_names
,
315 TLS_RSA_SIGN
, TLS_DSS_EPHEMERAL_DH
,
322 ENUM_NEXT(tls_client_certificate_type_names
,
323 TLS_FORTEZZA_DMS
, TLS_FORTEZZA_DMS
, TLS_DSS_EPHEMERAL_DH
,
325 ENUM_NEXT(tls_client_certificate_type_names
,
326 TLS_ECDSA_SIGN
, TLS_ECDSA_FIXED_ECDH
, TLS_FORTEZZA_DMS
,
330 ENUM_END(tls_client_certificate_type_names
, TLS_ECDSA_FIXED_ECDH
);
332 ENUM(tls_ecc_curve_type_names
, TLS_ECC_EXPLICIT_PRIME
, TLS_ECC_NAMED_CURVE
,
338 ENUM_BEGIN(tls_named_group_names
, TLS_SECT163K1
, TLS_SECP521R1
,
365 ENUM_NEXT(tls_named_group_names
, TLS_CURVE25519
, TLS_CURVE448
, TLS_SECP521R1
,
369 ENUM_NEXT(tls_named_group_names
, TLS_FFDHE2048
, TLS_FFDHE8192
, TLS_CURVE448
,
376 ENUM_END(tls_named_group_names
, TLS_FFDHE8192
);
378 ENUM(tls_ansi_point_format_names
, TLS_ANSI_COMPRESSED
, TLS_ANSI_HYBRID_Y
,
387 ENUM(tls_ec_point_format_names
,
388 TLS_EC_POINT_UNCOMPRESSED
, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2
,
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
394 typedef struct private_tls_crypto_t private_tls_crypto_t
;
397 * Private data of an tls_crypto_t object.
399 struct private_tls_crypto_t
{
402 * Public tls_crypto_t interface.
409 tls_protection_t
*protection
;
412 * List of supported/acceptable cipher suites
414 tls_cipher_suite_t
*suites
;
417 * Number of supported suites
427 * Selected cipher suite
429 tls_cipher_suite_t suite
;
452 * All handshake data concatenated
457 * Connection state TLS PRF
462 * AEAD transform for inbound traffic
467 * AEAD transform for outbound traffic
469 tls_aead_t
*aead_out
;
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
483 tls_cipher_suite_t suite
;
485 diffie_hellman_group_t dh
;
486 hash_algorithm_t hash
;
487 pseudo_random_function_t prf
;
488 integrity_algorithm_t mac
;
489 encryption_algorithm_t encr
;
491 tls_version_t min_version
;
492 tls_version_t max_version
;
496 * Mapping suites to a set of algorithms
498 * The order represents the descending preference of cipher suites and follows
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
505 * 5. ECDHE > DHE > NULL
507 * 7. SHA384 > SHA256 > SHA1
510 static suite_algs_t suite_algs
[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384
,
515 HASH_SHA384
, PRF_UNDEFINED
,
516 AUTH_HMAC_SHA2_384_384
, ENCR_AES_GCM_ICV16
, 32,
519 { TLS_AES_128_GCM_SHA256
,
521 HASH_SHA256
, PRF_UNDEFINED
,
522 AUTH_HMAC_SHA2_256_256
, ENCR_AES_GCM_ICV16
, 16,
525 { TLS_CHACHA20_POLY1305_SHA256
,
527 HASH_SHA256
, PRF_UNDEFINED
,
528 AUTH_HMAC_SHA2_256_256
, ENCR_CHACHA20_POLY1305
, 32,
531 { TLS_AES_128_CCM_SHA256
,
533 HASH_SHA256
, PRF_UNDEFINED
,
534 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CCM_ICV16
, 16,
537 { TLS_AES_128_CCM_8_SHA256
,
539 HASH_SHA256
, PRF_UNDEFINED
,
540 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CCM_ICV8
, 16,
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
,
545 KEY_ECDSA
, ECP_384_BIT
,
546 HASH_SHA384
, PRF_HMAC_SHA2_384
,
547 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
,
551 KEY_ECDSA
, ECP_384_BIT
,
552 HASH_SHA384
, PRF_HMAC_SHA2_384
,
553 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32,
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
,
557 KEY_ECDSA
, ECP_384_BIT
,
558 HASH_SHA256
, PRF_HMAC_SHA2_256
,
559 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,
563 KEY_ECDSA
, ECP_256_BIT
,
564 HASH_SHA256
, PRF_HMAC_SHA2_256
,
565 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
,
569 KEY_ECDSA
, ECP_256_BIT
,
570 HASH_SHA256
, PRF_HMAC_SHA2_256
,
571 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
,
575 KEY_ECDSA
, ECP_256_BIT
,
576 HASH_SHA256
, PRF_HMAC_SHA2_256
,
577 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
,
581 KEY_RSA
, ECP_384_BIT
,
582 HASH_SHA384
, PRF_HMAC_SHA2_384
,
583 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
,
587 KEY_RSA
, ECP_384_BIT
,
588 HASH_SHA384
, PRF_HMAC_SHA2_384
,
589 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32,
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
,
593 KEY_RSA
, ECP_384_BIT
,
594 HASH_SHA256
, PRF_HMAC_SHA2_256
,
595 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
,
599 KEY_RSA
, ECP_256_BIT
,
600 HASH_SHA256
, PRF_HMAC_SHA2_256
,
601 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
,
605 KEY_RSA
, ECP_256_BIT
,
606 HASH_SHA256
, PRF_HMAC_SHA2_256
,
607 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
,
611 KEY_RSA
, ECP_256_BIT
,
612 HASH_SHA256
, PRF_HMAC_SHA2_256
,
613 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
,
617 KEY_RSA
, MODP_4096_BIT
,
618 HASH_SHA384
, PRF_HMAC_SHA2_384
,
619 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
,
623 KEY_RSA
, MODP_4096_BIT
,
624 HASH_SHA256
, PRF_HMAC_SHA2_256
,
625 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32,
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA
,
629 KEY_RSA
, MODP_3072_BIT
,
630 HASH_SHA256
, PRF_HMAC_SHA2_256
,
631 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
635 KEY_RSA
, MODP_4096_BIT
,
636 HASH_SHA256
, PRF_HMAC_SHA2_256
,
637 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32,
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
,
641 KEY_RSA
, MODP_3072_BIT
,
642 HASH_SHA256
, PRF_HMAC_SHA2_256
,
643 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32,
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
,
647 KEY_RSA
, MODP_3072_BIT
,
648 HASH_SHA256
, PRF_HMAC_SHA2_256
,
649 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
653 KEY_RSA
, MODP_3072_BIT
,
654 HASH_SHA256
, PRF_HMAC_SHA2_256
,
655 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA
,
659 KEY_RSA
, MODP_2048_BIT
,
660 HASH_SHA256
,PRF_HMAC_SHA2_256
,
661 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
665 KEY_RSA
, MODP_3072_BIT
,
666 HASH_SHA256
, PRF_HMAC_SHA2_256
,
667 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16,
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
,
671 KEY_RSA
, MODP_2048_BIT
,
672 HASH_SHA256
, PRF_HMAC_SHA2_256
,
673 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16,
676 { TLS_RSA_WITH_AES_256_GCM_SHA384
,
678 HASH_SHA384
, PRF_HMAC_SHA2_384
,
679 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32,
682 { TLS_RSA_WITH_AES_256_CBC_SHA256
,
684 HASH_SHA256
, PRF_HMAC_SHA2_256
,
685 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32,
688 { TLS_RSA_WITH_AES_256_CBC_SHA
,
690 HASH_SHA256
, PRF_HMAC_SHA2_256
,
691 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32,
694 { TLS_RSA_WITH_AES_128_GCM_SHA256
,
696 HASH_SHA256
, PRF_HMAC_SHA2_256
,
697 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16,
700 { TLS_RSA_WITH_AES_128_CBC_SHA256
,
702 HASH_SHA256
, PRF_HMAC_SHA2_256
,
703 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16,
706 { TLS_RSA_WITH_AES_128_CBC_SHA
,
708 HASH_SHA256
, PRF_HMAC_SHA2_256
,
709 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16,
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
714 HASH_SHA256
, PRF_HMAC_SHA2_256
,
715 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32,
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
720 HASH_SHA256
, PRF_HMAC_SHA2_256
,
721 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32,
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
726 HASH_SHA256
, PRF_HMAC_SHA2_256
,
727 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16,
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
,
732 HASH_SHA256
, PRF_HMAC_SHA2_256
,
733 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16,
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA
,
737 KEY_ECDSA
, ECP_256_BIT
,
738 HASH_SHA256
, PRF_HMAC_SHA2_256
,
739 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0,
742 { TLS_ECDHE_RSA_WITH_NULL_SHA
,
743 KEY_ECDSA
, ECP_256_BIT
,
744 HASH_SHA256
, PRF_HMAC_SHA2_256
,
745 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0,
748 { TLS_RSA_WITH_NULL_SHA256
,
750 HASH_SHA256
, PRF_HMAC_SHA2_256
,
751 AUTH_HMAC_SHA2_256_256
, ENCR_NULL
, 0,
754 { TLS_RSA_WITH_NULL_SHA
,
756 HASH_SHA256
, PRF_HMAC_SHA2_256
,
757 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0,
763 * Look up algorithms by a suite
765 static suite_algs_t
*find_suite(tls_cipher_suite_t suite
)
769 for (i
= 0; i
< countof(suite_algs
); i
++)
771 if (suite_algs
[i
].suite
== suite
)
773 return &suite_algs
[i
];
780 * Filter a suite list using a transform enumerator
782 static void filter_suite(suite_algs_t suites
[], int *count
, int offset
,
783 enumerator_t
*(*create_enumerator
)(crypto_factory_t
*))
785 const char *plugin_name
;
786 suite_algs_t current
;
787 int *current_alg
, i
, remaining
= 0;
788 enumerator_t
*enumerator
;
790 memset(¤t
, 0, sizeof(current
));
791 current_alg
= (int*)((char*)¤t
+ offset
);
793 for (i
= 0; i
< *count
; i
++)
795 if (create_enumerator
== lib
->crypto
->create_crypter_enumerator
&&
796 encryption_algorithm_is_aead(suites
[i
].encr
))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites
[remaining
] = suites
[i
];
802 if (create_enumerator
== lib
->crypto
->create_aead_enumerator
&&
803 !encryption_algorithm_is_aead(suites
[i
].encr
))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites
[remaining
] = suites
[i
];
809 enumerator
= create_enumerator(lib
->crypto
);
810 while (enumerator
->enumerate(enumerator
, current_alg
, &plugin_name
))
812 if (current
.encr
&& current
.encr
!= suites
[i
].encr
)
814 if (suites
[i
].encr
!= ENCR_NULL
)
815 { /* skip, ENCR does not match nor is NULL */
819 if (current
.mac
&& current
.mac
!= suites
[i
].mac
)
821 if (suites
[i
].mac
!= AUTH_UNDEFINED
)
822 { /* skip, MAC does not match nor is it undefined */
826 if (current
.prf
&& current
.prf
!= suites
[i
].prf
)
828 if (suites
[i
].prf
!= PRF_UNDEFINED
)
830 /* skip, PRF does not match nor is it undefined */
834 if (current
.hash
&& current
.hash
!= suites
[i
].hash
)
835 { /* skip, hash does not match */
838 if (current
.dh
&& current
.dh
!= suites
[i
].dh
)
840 if (suites
[i
].dh
!= MODP_NONE
)
841 { /* skip DH group, does not match nor NONE */
845 /* suite supported, apply */
846 suites
[remaining
] = suites
[i
];
850 enumerator
->destroy(enumerator
);
856 * Purge NULL encryption cipher suites from list
858 static void filter_null_suites(suite_algs_t suites
[], int *count
)
860 int i
, remaining
= 0;
862 for (i
= 0; i
< *count
; i
++)
864 if (suites
[i
].encr
!= ENCR_NULL
)
866 suites
[remaining
] = suites
[i
];
874 * Purge suites using a given key type
876 static void filter_key_suites(private_tls_crypto_t
*this,
877 suite_algs_t suites
[], int *count
, key_type_t key
)
879 int i
, remaining
= 0;
881 DBG2(DBG_TLS
, "disabling %N suites, no backend found", key_type_names
, key
);
882 for (i
= 0; i
< *count
; i
++)
884 if (suites
[i
].key
!= key
)
886 suites
[remaining
] = suites
[i
];
894 * Filter suites by key exchange user config
896 static void filter_key_exchange_config_suites(private_tls_crypto_t
*this,
897 suite_algs_t suites
[], int *count
)
899 enumerator_t
*enumerator
;
900 int i
, remaining
= 0;
901 char *token
, *config
;
903 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.key_exchange", NULL
,
907 for (i
= 0; i
< *count
; i
++)
909 enumerator
= enumerator_create_token(config
, ",", " ");
910 while (enumerator
->enumerate(enumerator
, &token
))
912 if (strcaseeq(token
, "ecdhe-ecdsa") &&
913 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
914 suites
[i
].key
== KEY_ECDSA
)
916 suites
[remaining
++] = suites
[i
];
919 if (strcaseeq(token
, "ecdhe-rsa") &&
920 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
921 suites
[i
].key
== KEY_RSA
)
923 suites
[remaining
++] = suites
[i
];
926 if (strcaseeq(token
, "dhe-rsa") &&
927 !diffie_hellman_group_is_ec(suites
[i
].dh
) &&
928 suites
[i
].dh
!= MODP_NONE
&&
929 suites
[i
].key
== KEY_RSA
)
931 suites
[remaining
++] = suites
[i
];
934 if (strcaseeq(token
, "rsa") &&
935 suites
[i
].dh
== MODP_NONE
&&
936 suites
[i
].key
== KEY_RSA
)
938 suites
[remaining
++] = suites
[i
];
942 enumerator
->destroy(enumerator
);
949 * Filter suites by cipher user config
951 static void filter_cipher_config_suites(private_tls_crypto_t
*this,
952 suite_algs_t suites
[], int *count
)
954 enumerator_t
*enumerator
;
955 int i
, remaining
= 0;
956 char *token
, *config
;
958 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.cipher", NULL
,
962 for (i
= 0; i
< *count
; i
++)
964 enumerator
= enumerator_create_token(config
, ",", " ");
965 while (enumerator
->enumerate(enumerator
, &token
))
967 if (strcaseeq(token
, "aes128") &&
968 suites
[i
].encr
== ENCR_AES_CBC
&&
969 suites
[i
].encr_size
== 16)
971 suites
[remaining
++] = suites
[i
];
974 if (strcaseeq(token
, "aes256") &&
975 suites
[i
].encr
== ENCR_AES_CBC
&&
976 suites
[i
].encr_size
== 32)
978 suites
[remaining
++] = suites
[i
];
981 if (strcaseeq(token
, "aes128gcm") &&
982 suites
[i
].encr
== ENCR_AES_GCM_ICV16
&&
983 suites
[i
].encr_size
== 16)
985 suites
[remaining
++] = suites
[i
];
988 if (strcaseeq(token
, "aes256gcm") &&
989 suites
[i
].encr
== ENCR_AES_GCM_ICV16
&&
990 suites
[i
].encr_size
== 32)
992 suites
[remaining
++] = suites
[i
];
995 if (strcaseeq(token
, "camellia128") &&
996 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
997 suites
[i
].encr_size
== 16)
999 suites
[remaining
++] = suites
[i
];
1002 if (strcaseeq(token
, "camellia256") &&
1003 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
1004 suites
[i
].encr_size
== 32)
1006 suites
[remaining
++] = suites
[i
];
1009 if (strcaseeq(token
, "null") &&
1010 suites
[i
].encr
== ENCR_NULL
)
1012 suites
[remaining
++] = suites
[i
];
1016 enumerator
->destroy(enumerator
);
1023 * Filter suites by mac user config
1025 static void filter_mac_config_suites(private_tls_crypto_t
*this,
1026 suite_algs_t suites
[], int *count
)
1028 enumerator_t
*enumerator
;
1029 int i
, remaining
= 0;
1030 char *token
, *config
;
1032 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.mac", NULL
,
1036 for (i
= 0; i
< *count
; i
++)
1038 enumerator
= enumerator_create_token(config
, ",", " ");
1039 while (enumerator
->enumerate(enumerator
, &token
))
1041 if (strcaseeq(token
, "sha1") &&
1042 suites
[i
].mac
== AUTH_HMAC_SHA1_160
)
1044 suites
[remaining
++] = suites
[i
];
1047 if (strcaseeq(token
, "sha256") &&
1048 suites
[i
].mac
== AUTH_HMAC_SHA2_256_256
)
1050 suites
[remaining
++] = suites
[i
];
1053 if (strcaseeq(token
, "sha384") &&
1054 suites
[i
].mac
== AUTH_HMAC_SHA2_384_384
)
1056 suites
[remaining
++] = suites
[i
];
1060 enumerator
->destroy(enumerator
);
1067 * Filter for specific suites specified in strongswan.conf
1069 static void filter_specific_config_suites(private_tls_crypto_t
*this,
1070 suite_algs_t suites
[], int *count
)
1072 enumerator_t
*enumerator
;
1073 int i
, remaining
= 0, suite
;
1074 char *token
, *config
;
1076 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.suites", NULL
,
1080 for (i
= 0; i
< *count
; i
++)
1082 enumerator
= enumerator_create_token(config
, ",", " ");
1083 while (enumerator
->enumerate(enumerator
, &token
))
1085 if (enum_from_name(tls_cipher_suite_names
, token
, &suite
) &&
1086 suite
== suites
[i
].suite
)
1088 suites
[remaining
++] = suites
[i
];
1092 enumerator
->destroy(enumerator
);
1099 * Filter key exchange curves by curve user config
1101 static bool filter_curve_config(tls_named_group_t curve
)
1103 enumerator_t
*enumerator
;
1104 char *token
, *config
;
1106 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.curve", NULL
, lib
->ns
);
1109 enumerator
= enumerator_create_token(config
, ",", " ");
1110 while (enumerator
->enumerate(enumerator
, &token
))
1112 const proposal_token_t
*tok
;
1114 tok
= lib
->proposal
->get_token(lib
->proposal
, token
);
1115 if (tok
!= NULL
&& tok
->type
== DIFFIE_HELLMAN_GROUP
&&
1116 curve
== tls_ec_group_to_curve(tok
->algorithm
))
1118 enumerator
->destroy(enumerator
);
1122 enumerator
->destroy(enumerator
);
1128 * Filter out unsupported suites on given suite array
1130 static void filter_unsupported_suites(suite_algs_t suites
[], int *count
)
1132 /* filter suite list by each algorithm */
1133 filter_suite(suites
, count
, offsetof(suite_algs_t
, encr
),
1134 lib
->crypto
->create_aead_enumerator
);
1135 filter_suite(suites
, count
, offsetof(suite_algs_t
, prf
),
1136 lib
->crypto
->create_prf_enumerator
);
1137 filter_suite(suites
, count
, offsetof(suite_algs_t
, encr
),
1138 lib
->crypto
->create_crypter_enumerator
);
1139 filter_suite(suites
, count
, offsetof(suite_algs_t
, mac
),
1140 lib
->crypto
->create_signer_enumerator
);
1141 filter_suite(suites
, count
, offsetof(suite_algs_t
, hash
),
1142 lib
->crypto
->create_hasher_enumerator
);
1143 filter_suite(suites
, count
, offsetof(suite_algs_t
, dh
),
1144 lib
->crypto
->create_dh_enumerator
);
1148 * Initialize the cipher suite list
1150 static void build_cipher_suite_list(private_tls_crypto_t
*this)
1152 suite_algs_t suites
[countof(suite_algs
)];
1153 tls_version_t min_version
, max_version
, new_min_version
, new_max_version
;
1154 bool require_encryption
;
1157 switch (this->tls
->get_purpose(this->tls
))
1159 case TLS_PURPOSE_EAP_TLS
:
1160 case TLS_PURPOSE_GENERIC_NULLOK
:
1161 require_encryption
= FALSE
;
1163 case TLS_PURPOSE_EAP_PEAP
:
1164 case TLS_PURPOSE_EAP_TTLS
:
1165 case TLS_PURPOSE_GENERIC
:
1166 require_encryption
= TRUE
;
1172 min_version
= this->tls
->get_version_min(this->tls
);
1173 max_version
= this->tls
->get_version_max(this->tls
);
1175 /* copy all suites appropriate for the current min/max versions */
1176 for (i
= 0; i
< countof(suite_algs
); i
++)
1178 if (suite_algs
[i
].min_version
<= max_version
&&
1179 suite_algs
[i
].max_version
>= min_version
)
1181 suites
[count
++] = suite_algs
[i
];
1185 if (require_encryption
)
1187 filter_null_suites(suites
, &count
);
1191 filter_key_suites(this, suites
, &count
, KEY_RSA
);
1195 filter_key_suites(this, suites
, &count
, KEY_ECDSA
);
1198 filter_unsupported_suites(suites
, &count
);
1200 /* filter suites with strongswan.conf options */
1201 filter_key_exchange_config_suites(this, suites
, &count
);
1202 filter_cipher_config_suites(this, suites
, &count
);
1203 filter_mac_config_suites(this, suites
, &count
);
1204 filter_specific_config_suites(this, suites
, &count
);
1207 this->suite_count
= count
;
1208 this->suites
= malloc(sizeof(tls_cipher_suite_t
) * count
);
1210 DBG2(DBG_TLS
, "%d supported TLS cipher suites:", count
);
1211 new_min_version
= max_version
;
1212 new_max_version
= min_version
;
1213 for (i
= 0; i
< count
; i
++)
1215 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
].suite
);
1216 this->suites
[i
] = suites
[i
].suite
;
1218 /* set TLS min/max versions appropriate to the final cipher suites */
1219 new_max_version
= max(new_max_version
, suites
[i
].max_version
);
1220 new_min_version
= min(new_min_version
, suites
[i
].min_version
);
1222 new_max_version
= min(new_max_version
, max_version
);
1223 new_min_version
= max(new_min_version
, min_version
);
1225 if (min_version
!= new_min_version
|| max_version
!= new_max_version
)
1227 this->tls
->set_version(this->tls
, new_min_version
, new_max_version
);
1228 DBG2(DBG_TLS
, "TLS min/max %N/%N according to the cipher suites",
1229 tls_version_names
, new_min_version
,
1230 tls_version_names
, new_max_version
);
1234 METHOD(tls_crypto_t
, get_cipher_suites
, int,
1235 private_tls_crypto_t
*this, tls_cipher_suite_t
**suites
)
1239 build_cipher_suite_list(this);
1243 *suites
= this->suites
;
1245 return this->suite_count
;
1249 * Create NULL encryption transforms
1251 static bool create_null(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1253 this->aead_in
= tls_aead_create_null(algs
->mac
);
1254 this->aead_out
= tls_aead_create_null(algs
->mac
);
1255 if (!this->aead_in
|| !this->aead_out
)
1257 DBG1(DBG_TLS
, "selected TLS MAC %N not supported",
1258 integrity_algorithm_names
, algs
->mac
);
1265 * Create traditional transforms
1267 static bool create_traditional(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1269 if (this->tls
->get_version_max(this->tls
) < TLS_1_1
)
1271 this->aead_in
= tls_aead_create_implicit(algs
->mac
,
1272 algs
->encr
, algs
->encr_size
);
1273 this->aead_out
= tls_aead_create_implicit(algs
->mac
,
1274 algs
->encr
, algs
->encr_size
);
1278 this->aead_in
= tls_aead_create_explicit(algs
->mac
,
1279 algs
->encr
, algs
->encr_size
);
1280 this->aead_out
= tls_aead_create_explicit(algs
->mac
,
1281 algs
->encr
, algs
->encr_size
);
1283 if (!this->aead_in
|| !this->aead_out
)
1285 DBG1(DBG_TLS
, "selected TLS transforms %N-%u-%N not supported",
1286 encryption_algorithm_names
, algs
->encr
, algs
->encr_size
* 8,
1287 integrity_algorithm_names
, algs
->mac
);
1294 * Create AEAD transforms
1296 static bool create_aead(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1298 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1300 this->aead_in
= tls_aead_create_aead(algs
->encr
, algs
->encr_size
);
1301 this->aead_out
= tls_aead_create_aead(algs
->encr
, algs
->encr_size
);
1305 this->aead_in
= tls_aead_create_seq(algs
->encr
, algs
->encr_size
);
1306 this->aead_out
= tls_aead_create_seq(algs
->encr
, algs
->encr_size
);
1308 if (!this->aead_in
|| !this->aead_out
)
1310 DBG1(DBG_TLS
, "selected TLS transforms %N-%u not supported",
1311 encryption_algorithm_names
, algs
->encr
, algs
->encr_size
* 8);
1318 * Clean up and unset AEAD transforms
1320 static void destroy_aeads(private_tls_crypto_t
*this)
1322 DESTROY_IF(this->aead_in
);
1323 DESTROY_IF(this->aead_out
);
1324 this->aead_in
= this->aead_out
= NULL
;
1328 * Create crypto primitives
1330 static bool create_ciphers(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1332 destroy_aeads(this);
1333 DESTROY_IF(this->hkdf
);
1334 DESTROY_IF(this->prf
);
1335 if (this->tls
->get_version_max(this->tls
) < TLS_1_3
)
1337 if (this->tls
->get_version_max(this->tls
) < TLS_1_2
)
1339 this->prf
= tls_prf_create_10();
1343 this->prf
= tls_prf_create_12(algs
->prf
);
1347 DBG1(DBG_TLS
, "selected TLS PRF not supported");
1353 this->hkdf
= tls_hkdf_create(algs
->hash
, chunk_empty
);
1356 DBG1(DBG_TLS
, "TLS HKDF creation unsuccessful");
1360 if (algs
->encr
== ENCR_NULL
)
1362 if (create_null(this, algs
))
1367 else if (encryption_algorithm_is_aead(algs
->encr
))
1369 if (create_aead(this, algs
))
1376 if (create_traditional(this, algs
))
1381 destroy_aeads(this);
1385 METHOD(tls_crypto_t
, select_cipher_suite
, tls_cipher_suite_t
,
1386 private_tls_crypto_t
*this, tls_cipher_suite_t
*suites
, int count
,
1392 for (i
= 0; i
< this->suite_count
; i
++)
1394 for (j
= 0; j
< count
; j
++)
1396 if (this->suites
[i
] == suites
[j
])
1398 algs
= find_suite(this->suites
[i
]);
1401 if (key
== KEY_ANY
|| key
== algs
->key
||
1402 (algs
->key
== KEY_ECDSA
&& key
== KEY_ED25519
) ||
1403 (algs
->key
== KEY_ECDSA
&& key
== KEY_ED448
))
1405 if (create_ciphers(this, algs
))
1407 this->suite
= this->suites
[i
];
1418 METHOD(tls_crypto_t
, get_dh_group
, diffie_hellman_group_t
,
1419 private_tls_crypto_t
*this)
1423 algs
= find_suite(this->suite
);
1432 * Parameters for RSA/PSS signature schemes
1434 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1435 .hash = HASH_SHA##bits, \
1436 .mgf1_hash = HASH_SHA##bits, \
1437 .salt_len = HASH_SIZE_SHA##bits, \
1445 * Map TLS signature schemes, ordered by preference
1448 tls_signature_scheme_t sig
;
1449 signature_params_t params
;
1450 /* min/max versions for use in CertificateVerify */
1451 tls_version_t min_version
;
1452 tls_version_t max_version
;
1454 { TLS_SIG_ECDSA_SHA256
, { .scheme
= SIGN_ECDSA_WITH_SHA256_DER
},
1456 { TLS_SIG_ECDSA_SHA384
, { .scheme
= SIGN_ECDSA_WITH_SHA384_DER
},
1458 { TLS_SIG_ECDSA_SHA512
, { .scheme
= SIGN_ECDSA_WITH_SHA512_DER
},
1460 { TLS_SIG_ED25519
, { .scheme
= SIGN_ED25519
},
1462 { TLS_SIG_ED448
, { .scheme
= SIGN_ED448
},
1464 { TLS_SIG_RSA_PSS_RSAE_SHA256
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha256
, },
1466 { TLS_SIG_RSA_PSS_RSAE_SHA384
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha384
, },
1468 { TLS_SIG_RSA_PSS_RSAE_SHA512
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha512
, },
1470 /* the parameters for the next three should actually be taken from the
1471 * public key, we currently don't have an API for that, so assume defaults */
1472 { TLS_SIG_RSA_PSS_PSS_SHA256
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha256
, },
1474 { TLS_SIG_RSA_PSS_PSS_SHA384
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha384
, },
1476 { TLS_SIG_RSA_PSS_PSS_SHA512
, { .scheme
= SIGN_RSA_EMSA_PSS
, .params
= &pss_params_sha512
, },
1478 { TLS_SIG_RSA_PKCS1_SHA256
, { .scheme
= SIGN_RSA_EMSA_PKCS1_SHA2_256
},
1480 { TLS_SIG_RSA_PKCS1_SHA384
, { .scheme
= SIGN_RSA_EMSA_PKCS1_SHA2_384
},
1482 { TLS_SIG_RSA_PKCS1_SHA512
, { .scheme
= SIGN_RSA_EMSA_PKCS1_SHA2_512
},
1486 METHOD(tls_crypto_t
, get_signature_algorithms
, void,
1487 private_tls_crypto_t
*this, bio_writer_t
*writer
, bool cert
)
1489 bio_writer_t
*supported
;
1490 tls_version_t min_version
, max_version
;
1493 supported
= bio_writer_create(32);
1497 min_version
= this->tls
->get_version_min(this->tls
);
1498 max_version
= this->tls
->get_version_max(this->tls
);
1501 for (i
= 0; i
< countof(schemes
); i
++)
1503 if ((cert
|| (schemes
[i
].min_version
<= max_version
&&
1504 schemes
[i
].max_version
>= min_version
)) &&
1505 lib
->plugins
->has_feature(lib
->plugins
,
1506 PLUGIN_PROVIDE(PUBKEY_VERIFY
, schemes
[i
].params
.scheme
)))
1508 supported
->write_uint16(supported
, schemes
[i
].sig
);
1512 writer
->write_data16(writer
, supported
->get_buf(supported
));
1513 supported
->destroy(supported
);
1517 * Get the signature parameters from a TLS signature scheme
1519 static signature_params_t
*params_for_scheme(tls_signature_scheme_t sig
,
1524 for (i
= 0; i
< countof(schemes
); i
++)
1526 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1527 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1528 if (sign
&& (sig
== TLS_SIG_RSA_PSS_PSS_SHA256
||
1529 sig
== TLS_SIG_RSA_PSS_PSS_SHA384
||
1530 sig
== TLS_SIG_RSA_PSS_PSS_SHA512
))
1534 if (schemes
[i
].sig
== sig
)
1536 return &schemes
[i
].params
;
1543 * Mapping groups to TLS named curves
1546 diffie_hellman_group_t group
;
1547 tls_named_group_t curve
;
1549 { ECP_256_BIT
, TLS_SECP256R1
},
1550 { ECP_384_BIT
, TLS_SECP384R1
},
1551 { ECP_521_BIT
, TLS_SECP521R1
},
1552 { ECP_224_BIT
, TLS_SECP224R1
},
1553 { ECP_192_BIT
, TLS_SECP192R1
},
1554 { CURVE_25519
, TLS_CURVE25519
},
1555 { CURVE_448
, TLS_CURVE448
},
1558 CALLBACK(group_filter
, bool,
1559 void *null
, enumerator_t
*orig
, va_list args
)
1561 diffie_hellman_group_t group
, *group_out
;
1562 tls_named_group_t curve
, *curve_out
;
1565 VA_ARGS_VGET(args
, group_out
, curve_out
);
1567 while (orig
->enumerate(orig
, &group
, &plugin
))
1569 curve
= tls_ec_group_to_curve(group
);
1586 CALLBACK(config_filter
, bool,
1587 void *null
, enumerator_t
*orig
, va_list args
)
1589 diffie_hellman_group_t group
, *group_out
;
1590 tls_named_group_t curve
, *curve_out
;
1592 VA_ARGS_VGET(args
, group_out
, curve_out
);
1594 while (orig
->enumerate(orig
, &group
, &curve
))
1596 if (filter_curve_config(curve
))
1612 METHOD(tls_crypto_t
, create_ec_enumerator
, enumerator_t
*,
1613 private_tls_crypto_t
*this)
1615 return enumerator_create_filter(
1616 enumerator_create_filter(
1617 lib
->crypto
->create_dh_enumerator(lib
->crypto
),
1618 group_filter
, NULL
, NULL
),
1619 config_filter
, NULL
, NULL
);
1622 METHOD(tls_crypto_t
, set_protection
, void,
1623 private_tls_crypto_t
*this, tls_protection_t
*protection
)
1625 this->protection
= protection
;
1628 METHOD(tls_crypto_t
, append_handshake
, void,
1629 private_tls_crypto_t
*this, tls_handshake_type_t type
, chunk_t data
)
1633 /* reconstruct handshake header */
1634 header
= htonl(data
.len
| (type
<< 24));
1635 this->handshake
= chunk_cat("mcc", this->handshake
,
1636 chunk_from_thing(header
), data
);
1640 * Create a hash using the suites HASH algorithm
1642 static bool hash_data(private_tls_crypto_t
*this, chunk_t data
, chunk_t
*hash
)
1644 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1649 alg
= find_suite(this->suite
);
1654 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, alg
->hash
);
1655 if (!hasher
|| !hasher
->allocate_hash(hasher
, data
, hash
))
1657 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, alg
->hash
);
1661 hasher
->destroy(hasher
);
1665 hasher_t
*md5
, *sha1
;
1666 char buf
[HASH_SIZE_MD5
+ HASH_SIZE_SHA1
];
1668 md5
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
);
1669 if (!md5
|| !md5
->get_hash(md5
, data
, buf
))
1671 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_MD5
);
1676 sha1
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1677 if (!sha1
|| !sha1
->get_hash(sha1
, data
, buf
+ HASH_SIZE_MD5
))
1679 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_SHA1
);
1683 sha1
->destroy(sha1
);
1685 *hash
= chunk_clone(chunk_from_thing(buf
));
1690 METHOD(tls_crypto_t
, hash_handshake
, bool,
1691 private_tls_crypto_t
*this, chunk_t
*out
)
1695 if (!hash_data(this, this->handshake
, &hash
))
1700 chunk_free(&this->handshake
);
1701 append_handshake(this, TLS_MESSAGE_HASH
, hash
);
1715 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1716 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1718 static chunk_t tls13_sig_data_server
= chunk_from_chars(
1719 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1720 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1721 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1722 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1723 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1724 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1725 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1726 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1727 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1728 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1729 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1730 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1735 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1736 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1738 static chunk_t tls13_sig_data_client
= chunk_from_chars(
1739 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1740 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1741 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1742 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1743 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1744 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1745 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1746 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1747 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1748 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1749 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1750 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1754 METHOD(tls_crypto_t
, sign
, bool,
1755 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1756 chunk_t data
, chunk_t hashsig
)
1758 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1760 /* fallback to SHA1/RSA and SHA1/ECDSA */
1761 const chunk_t hashsig_def
= chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1762 signature_params_t
*params
;
1765 bio_reader_t
*reader
;
1769 if (this->tls
->get_version_max(this->tls
) >= TLS_1_3
)
1771 chunk_t transcript_hash
;
1773 if (!hash_data(this, data
, &transcript_hash
))
1775 DBG1(DBG_TLS
, "unable to create transcript hash");
1778 if (this->tls
->is_server(this->tls
))
1780 data
= chunk_cata("cm", tls13_sig_data_server
, transcript_hash
);
1784 data
= chunk_cata("cm", tls13_sig_data_client
, transcript_hash
);
1789 { /* fallback if none given */
1790 hashsig
= hashsig_def
;
1792 type
= key
->get_type(key
);
1793 reader
= bio_reader_create(hashsig
);
1794 while (reader
->remaining(reader
) >= 2)
1796 if (reader
->read_uint16(reader
, &scheme
))
1798 params
= params_for_scheme(scheme
, TRUE
);
1800 type
== key_type_from_signature_scheme(params
->scheme
) &&
1801 key
->sign(key
, params
->scheme
, params
->params
, data
, &sig
))
1808 reader
->destroy(reader
);
1811 DBG1(DBG_TLS
, "none of the proposed hash/sig algorithms supported");
1814 DBG2(DBG_TLS
, "created signature with %N", tls_signature_scheme_names
,
1816 writer
->write_uint16(writer
, scheme
);
1817 writer
->write_data16(writer
, sig
);
1825 switch (key
->get_type(key
))
1828 if (!hash_data(this, data
, &hash
))
1832 done
= key
->sign(key
, SIGN_RSA_EMSA_PKCS1_NULL
, NULL
, hash
,
1839 DBG2(DBG_TLS
, "created signature with MD5+SHA1/RSA");
1842 if (!key
->sign(key
, SIGN_ECDSA_WITH_SHA1_DER
, NULL
, data
, &sig
))
1846 DBG2(DBG_TLS
, "created signature with SHA1/ECDSA");
1849 if (!key
->sign(key
, SIGN_ED25519
, NULL
, data
, &sig
))
1853 DBG2(DBG_TLS
, "created signature with Ed25519");
1856 if (!key
->sign(key
, SIGN_ED448
, NULL
, data
, &sig
))
1860 DBG2(DBG_TLS
, "created signature with Ed448");
1865 writer
->write_data16(writer
, sig
);
1871 METHOD(tls_crypto_t
, verify
, bool,
1872 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
,
1875 if (this->tls
->get_version_max(this->tls
) >= TLS_1_2
)
1877 signature_params_t
*params
;
1881 if (!reader
->read_uint16(reader
, &scheme
) ||
1882 !reader
->read_data16(reader
, &sig
))
1884 DBG1(DBG_TLS
, "received invalid signature");
1887 params
= params_for_scheme(scheme
, FALSE
);
1890 DBG1(DBG_TLS
, "signature algorithms %N not supported",
1891 tls_signature_scheme_names
, scheme
);
1894 if (this->tls
->get_version_max(this->tls
) >= TLS_1_3
)
1896 chunk_t transcript_hash
;
1898 if (!hash_data(this, data
, &transcript_hash
))
1900 DBG1(DBG_TLS
, "Unable to create transcript hash");
1904 if (this->tls
->is_server(this->tls
))
1906 data
= chunk_cata("cm", tls13_sig_data_client
, transcript_hash
);
1910 data
= chunk_cata("cm", tls13_sig_data_server
, transcript_hash
);
1913 if (!key
->verify(key
, params
->scheme
, params
->params
, data
, sig
))
1915 DBG1(DBG_TLS
, "signature verification with %N failed",
1916 tls_signature_scheme_names
, scheme
);
1919 DBG2(DBG_TLS
, "verified signature with %N",
1920 tls_signature_scheme_names
, scheme
);
1927 if (!reader
->read_data16(reader
, &sig
))
1929 DBG1(DBG_TLS
, "received invalid signature");
1932 switch (key
->get_type(key
))
1935 if (!hash_data(this, data
, &hash
))
1939 done
= key
->verify(key
, SIGN_RSA_EMSA_PKCS1_NULL
, NULL
, hash
,
1946 DBG2(DBG_TLS
, "verified signature data with MD5+SHA1/RSA");
1949 if (!key
->verify(key
, SIGN_ECDSA_WITH_SHA1_DER
, NULL
, data
,
1954 DBG2(DBG_TLS
, "verified signature with SHA1/ECDSA");
1957 if (!key
->verify(key
, SIGN_ED25519
, NULL
, data
, sig
))
1961 DBG2(DBG_TLS
, "verified signature with Ed25519");
1964 if (!key
->verify(key
, SIGN_ED448
, NULL
, data
, sig
))
1968 DBG2(DBG_TLS
, "verified signature with Ed448");
1977 METHOD(tls_crypto_t
, sign_handshake
, bool,
1978 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1981 return sign(this, key
, writer
, this->handshake
, hashsig
);
1984 METHOD(tls_crypto_t
, verify_handshake
, bool,
1985 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
)
1987 return verify(this, key
, reader
, this->handshake
);
1990 METHOD(tls_crypto_t
, calculate_finished_legacy
, bool,
1991 private_tls_crypto_t
*this, char *label
, char out
[12])
1999 if (!hash_data(this, this->handshake
, &seed
))
2003 if (!this->prf
->get_bytes(this->prf
, label
, seed
, 12, out
))
2012 METHOD(tls_crypto_t
, calculate_finished
, bool,
2013 private_tls_crypto_t
*this, bool server
, chunk_t
*out
)
2015 chunk_t finished_key
, finished_hash
;
2021 if (!hash_data(this, this->handshake
, &finished_hash
))
2023 DBG1(DBG_TLS
, "creating hash of handshake failed");
2026 if (!this->hkdf
->derive_finished(this->hkdf
, server
, &finished_key
))
2028 DBG1(DBG_TLS
, "generating finished key failed");
2029 chunk_clear(&finished_hash
);
2032 if (!this->hkdf
->allocate_bytes(this->hkdf
, finished_key
, finished_hash
, out
))
2034 DBG1(DBG_TLS
, "generating finished HMAC failed");
2035 chunk_clear(&finished_key
);
2036 chunk_clear(&finished_hash
);
2039 chunk_clear(&finished_key
);
2040 chunk_clear(&finished_hash
);
2045 * Derive master secret from premaster, optionally save session
2047 static bool derive_master(private_tls_crypto_t
*this, chunk_t premaster
,
2048 chunk_t session
, identification_t
*id
,
2049 chunk_t client_random
, chunk_t server_random
)
2054 /* derive master secret */
2055 seed
= chunk_cata("cc", client_random
, server_random
);
2057 if (!this->prf
->set_key(this->prf
, premaster
) ||
2058 !this->prf
->get_bytes(this->prf
, "master secret", seed
,
2059 sizeof(master
), master
) ||
2060 !this->prf
->set_key(this->prf
, chunk_from_thing(master
)))
2065 if (this->cache
&& session
.len
)
2067 this->cache
->create(this->cache
, session
, id
, chunk_from_thing(master
),
2070 memwipe(master
, sizeof(master
));
2075 * Expand key material from master secret
2077 static bool expand_keys(private_tls_crypto_t
*this,
2078 chunk_t client_random
, chunk_t server_random
)
2080 chunk_t seed
, block
;
2081 chunk_t cw_mac
, cw
, cw_iv
;
2082 chunk_t sw_mac
, sw
, sw_iv
;
2083 int mklen
, eklen
, ivlen
;
2085 if (!this->aead_in
|| !this->aead_out
)
2090 /* derive key block for key expansion */
2091 mklen
= this->aead_in
->get_mac_key_size(this->aead_in
);
2092 eklen
= this->aead_in
->get_encr_key_size(this->aead_in
);
2093 ivlen
= this->aead_in
->get_iv_size(this->aead_in
);
2094 seed
= chunk_cata("cc", server_random
, client_random
);
2095 block
= chunk_alloca((mklen
+ eklen
+ ivlen
) * 2);
2096 if (!this->prf
->get_bytes(this->prf
, "key expansion", seed
,
2097 block
.len
, block
.ptr
))
2102 /* client/server write signer keys */
2103 cw_mac
= chunk_create(block
.ptr
, mklen
);
2104 block
= chunk_skip(block
, mklen
);
2105 sw_mac
= chunk_create(block
.ptr
, mklen
);
2106 block
= chunk_skip(block
, mklen
);
2108 /* client/server write encryption keys */
2109 cw
= chunk_create(block
.ptr
, eklen
);
2110 block
= chunk_skip(block
, eklen
);
2111 sw
= chunk_create(block
.ptr
, eklen
);
2112 block
= chunk_skip(block
, eklen
);
2114 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2115 cw_iv
= chunk_create(block
.ptr
, ivlen
);
2116 block
= chunk_skip(block
, ivlen
);
2117 sw_iv
= chunk_create(block
.ptr
, ivlen
);
2118 block
= chunk_skip(block
, ivlen
);
2120 if (this->tls
->is_server(this->tls
))
2122 if (!this->aead_in
->set_keys(this->aead_in
, cw_mac
, cw
, cw_iv
) ||
2123 !this->aead_out
->set_keys(this->aead_out
, sw_mac
, sw
, sw_iv
))
2130 if (!this->aead_out
->set_keys(this->aead_out
, cw_mac
, cw
, cw_iv
) ||
2131 !this->aead_in
->set_keys(this->aead_in
, sw_mac
, sw
, sw_iv
))
2138 if (this->msk_label
)
2140 seed
= chunk_cata("cc", client_random
, server_random
);
2141 this->msk
= chunk_alloc(64);
2142 if (!this->prf
->get_bytes(this->prf
, this->msk_label
, seed
,
2143 this->msk
.len
, this->msk
.ptr
))
2151 METHOD(tls_crypto_t
, derive_secrets
, bool,
2152 private_tls_crypto_t
*this, chunk_t premaster
, chunk_t session
,
2153 identification_t
*id
, chunk_t client_random
, chunk_t server_random
)
2155 return derive_master(this, premaster
, session
, id
,
2156 client_random
, server_random
) &&
2157 expand_keys(this, client_random
, server_random
);
2161 * Derive and configure the client/server key/IV on an AEAD using a given label.
2163 static bool derive_labeled_key(private_tls_crypto_t
*this, bool server
,
2164 tls_hkdf_label_t label
, tls_aead_t
*aead
)
2166 chunk_t key
= chunk_empty
, iv
= chunk_empty
;
2167 bool success
= FALSE
;
2169 if (!this->hkdf
->generate_secret(this->hkdf
, label
, this->handshake
,
2171 !this->hkdf
->derive_key(this->hkdf
, server
,
2172 aead
->get_encr_key_size(aead
), &key
) ||
2173 !this->hkdf
->derive_iv(this->hkdf
, server
,
2174 aead
->get_iv_size(aead
), &iv
))
2176 DBG1(DBG_TLS
, "deriving key material failed");
2180 if (!aead
->set_keys(aead
, chunk_empty
, key
, iv
))
2182 DBG1(DBG_TLS
, "setting AEAD key material failed");
2194 * Derive and configure the keys/IVs using the given labels.
2196 static bool derive_labeled_keys(private_tls_crypto_t
*this,
2197 tls_hkdf_label_t client_label
,
2198 tls_hkdf_label_t server_label
)
2200 tls_aead_t
*aead_c
, *aead_s
;
2203 algs
= find_suite(this->suite
);
2204 destroy_aeads(this);
2205 if (!create_aead(this, algs
))
2209 aead_c
= this->aead_out
;
2210 aead_s
= this->aead_in
;
2211 if (this->tls
->is_server(this->tls
))
2213 aead_c
= this->aead_in
;
2214 aead_s
= this->aead_out
;
2216 return derive_labeled_key(this, FALSE
, client_label
, aead_c
) &&
2217 derive_labeled_key(this, TRUE
, server_label
, aead_s
);
2220 METHOD(tls_crypto_t
, derive_handshake_keys
, bool,
2221 private_tls_crypto_t
*this, chunk_t shared_secret
)
2223 this->hkdf
->set_shared_secret(this->hkdf
, shared_secret
);
2224 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC
,
2225 TLS_HKDF_S_HS_TRAFFIC
);
2228 METHOD(tls_crypto_t
, derive_app_keys
, bool,
2229 private_tls_crypto_t
*this)
2231 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC
,
2232 TLS_HKDF_S_AP_TRAFFIC
))
2238 if (this->msk_label
)
2240 /* because the length is encoded when expanding key material, we
2241 * request the same number of bytes as FreeRADIUS (the first 64 for
2242 * the MSK, the next for the EMSK, which we just ignore) */
2243 if (!this->hkdf
->export(this->hkdf
, this->msk_label
, chunk_empty
,
2244 this->handshake
, 128, &this->msk
))
2253 METHOD(tls_crypto_t
, update_app_keys
, bool,
2254 private_tls_crypto_t
*this, bool inbound
)
2257 tls_hkdf_label_t label
= TLS_HKDF_UPD_C_TRAFFIC
;
2259 algs
= find_suite(this->suite
);
2260 destroy_aeads(this);
2261 if (!create_aead(this, algs
))
2265 if (this->tls
->is_server(this->tls
) != inbound
)
2267 label
= TLS_HKDF_UPD_S_TRAFFIC
;
2269 return derive_labeled_key(this, label
== TLS_HKDF_UPD_S_TRAFFIC
, label
,
2270 inbound ?
this->aead_in
: this->aead_out
);
2273 METHOD(tls_crypto_t
, resume_session
, tls_cipher_suite_t
,
2274 private_tls_crypto_t
*this, chunk_t session
, identification_t
*id
,
2275 chunk_t client_random
, chunk_t server_random
)
2279 if (this->cache
&& session
.len
)
2281 this->suite
= this->cache
->lookup(this->cache
, session
, id
, &master
);
2284 this->suite
= select_cipher_suite(this, &this->suite
, 1, KEY_ANY
);
2287 if (!this->prf
->set_key(this->prf
, master
) ||
2288 !expand_keys(this, client_random
, server_random
))
2293 chunk_clear(&master
);
2300 METHOD(tls_crypto_t
, get_session
, chunk_t
,
2301 private_tls_crypto_t
*this, identification_t
*server
)
2305 return this->cache
->check(this->cache
, server
);
2310 METHOD(tls_crypto_t
, change_cipher
, void,
2311 private_tls_crypto_t
*this, bool inbound
)
2313 if (this->protection
)
2317 this->protection
->set_cipher(this->protection
, TRUE
, this->aead_in
);
2318 this->aead_in
= NULL
;
2322 this->protection
->set_cipher(this->protection
, FALSE
, this->aead_out
);
2323 this->aead_out
= NULL
;
2328 METHOD(tls_crypto_t
, get_eap_msk
, chunk_t
,
2329 private_tls_crypto_t
*this)
2334 METHOD(tls_crypto_t
, destroy
, void,
2335 private_tls_crypto_t
*this)
2337 destroy_aeads(this);
2338 free(this->handshake
.ptr
);
2339 free(this->msk
.ptr
);
2340 DESTROY_IF(this->prf
);
2341 DESTROY_IF(this->hkdf
);
2349 tls_crypto_t
*tls_crypto_create(tls_t
*tls
, tls_cache_t
*cache
)
2351 private_tls_crypto_t
*this;
2352 enumerator_t
*enumerator
;
2353 credential_type_t type
;
2358 .get_cipher_suites
= _get_cipher_suites
,
2359 .select_cipher_suite
= _select_cipher_suite
,
2360 .get_dh_group
= _get_dh_group
,
2361 .get_signature_algorithms
= _get_signature_algorithms
,
2362 .create_ec_enumerator
= _create_ec_enumerator
,
2363 .set_protection
= _set_protection
,
2364 .append_handshake
= _append_handshake
,
2365 .hash_handshake
= _hash_handshake
,
2368 .sign_handshake
= _sign_handshake
,
2369 .verify_handshake
= _verify_handshake
,
2370 .calculate_finished_legacy
= _calculate_finished_legacy
,
2371 .calculate_finished
= _calculate_finished
,
2372 .derive_secrets
= _derive_secrets
,
2373 .derive_handshake_keys
= _derive_handshake_keys
,
2374 .derive_app_keys
= _derive_app_keys
,
2375 .update_app_keys
= _update_app_keys
,
2376 .resume_session
= _resume_session
,
2377 .get_session
= _get_session
,
2378 .change_cipher
= _change_cipher
,
2379 .get_eap_msk
= _get_eap_msk
,
2380 .destroy
= _destroy
,
2386 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2387 * separation would be welcome. */
2388 enumerator
= lib
->creds
->create_builder_enumerator(lib
->creds
);
2389 while (enumerator
->enumerate(enumerator
, &type
, &subtype
))
2391 if (type
== CRED_PUBLIC_KEY
)
2408 enumerator
->destroy(enumerator
);
2410 switch (tls
->get_purpose(tls
))
2412 case TLS_PURPOSE_EAP_TLS
:
2413 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2414 this->msk_label
= "client EAP encryption";
2416 case TLS_PURPOSE_EAP_PEAP
:
2417 this->msk_label
= "client EAP encryption";
2419 case TLS_PURPOSE_EAP_TTLS
:
2420 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2421 this->msk_label
= "ttls keying material";
2426 return &this->public;
2432 int tls_crypto_get_supported_suites(bool null
, tls_version_t version
,
2433 tls_cipher_suite_t
**out
)
2435 suite_algs_t suites
[countof(suite_algs
)];
2438 /* initialize copy of suite list */
2439 for (i
= 0; i
< countof(suite_algs
); i
++)
2441 if (suite_algs
[i
].min_version
<= version
&&
2442 suite_algs
[i
].max_version
>= version
)
2444 suites
[count
++] = suite_algs
[i
];
2448 filter_unsupported_suites(suites
, &count
);
2452 filter_null_suites(suites
, &count
);
2457 *out
= calloc(count
, sizeof(tls_cipher_suite_t
));
2458 for (i
= 0; i
< count
; i
++)
2460 (*out
)[i
] = suites
[i
].suite
;
2469 int tls_crypto_get_supported_groups(diffie_hellman_group_t
**out
)
2471 enumerator_t
*enumerator
;
2472 diffie_hellman_group_t groups
[countof(curves
)];
2473 diffie_hellman_group_t group
;
2474 tls_named_group_t curve
;
2477 enumerator
= enumerator_create_filter(
2478 lib
->crypto
->create_dh_enumerator(lib
->crypto
),
2479 group_filter
, NULL
, NULL
);
2481 while (enumerator
->enumerate(enumerator
, &group
, &curve
))
2483 groups
[count
++] = group
;
2485 enumerator
->destroy(enumerator
);
2489 *out
= calloc(count
, sizeof(diffie_hellman_group_t
));
2490 for (i
= 0; i
< count
; i
++)
2492 (*out
)[i
] = groups
[i
];
2501 tls_named_group_t
tls_ec_group_to_curve(diffie_hellman_group_t group
)
2505 for (i
= 0; i
< countof(curves
); i
++)
2507 if (curves
[i
].group
== group
)
2509 return curves
[i
].curve
;
2518 key_type_t
tls_signature_scheme_to_key_type(tls_signature_scheme_t sig
)
2522 for (i
= 0; i
< countof(schemes
); i
++)
2524 if (schemes
[i
].sig
== sig
)
2526 return key_type_from_signature_scheme(schemes
[i
].params
.scheme
);
2533 * Hashtable hash function
2535 static u_int
hash_key_type(key_type_t
*type
)
2537 return chunk_hash(chunk_from_thing(*type
));
2541 * Hashtable equals function
2543 static bool equals_key_type(key_type_t
*key1
, key_type_t
*key2
)
2545 return *key1
== *key2
;
2548 CALLBACK(filter_key_types
, bool,
2549 void *data
, enumerator_t
*orig
, va_list args
)
2551 key_type_t
*key_type
, *out
;
2553 VA_ARGS_VGET(args
, out
);
2555 if (orig
->enumerate(orig
, NULL
, &key_type
))
2563 CALLBACK(destroy_key_types
, void,
2566 ht
->destroy_function(ht
, (void*)free
);
2570 * Create an enumerator over supported key types within a specific TLS range
2572 static enumerator_t
*get_supported_key_types(tls_version_t min_version
,
2573 tls_version_t max_version
)
2576 key_type_t
*type
, lookup
;
2579 ht
= hashtable_create((hashtable_hash_t
)hash_key_type
,
2580 (hashtable_equals_t
)equals_key_type
, 4);
2581 for (i
= 0; i
< countof(schemes
); i
++)
2583 if (schemes
[i
].min_version
<= max_version
&&
2584 schemes
[i
].max_version
>= min_version
)
2586 lookup
= key_type_from_signature_scheme(schemes
[i
].params
.scheme
);
2587 if (!ht
->get(ht
, &lookup
))
2589 type
= malloc_thing(key_type_t
);
2591 ht
->put(ht
, type
, type
);
2595 return enumerator_create_filter(ht
->create_enumerator(ht
),
2596 filter_key_types
, ht
, destroy_key_types
);
2600 * Create an array of an intersection of server and peer supported key types
2602 static array_t
*create_common_key_types(enumerator_t
*enumerator
, chunk_t hashsig
)
2605 key_type_t v
, lookup
;
2606 uint16_t sig_scheme
;
2608 key_types
= array_create(sizeof(key_type_t
), 8);
2609 while (enumerator
->enumerate(enumerator
, &v
))
2611 bio_reader_t
*reader
;
2613 reader
= bio_reader_create(hashsig
);
2614 while (reader
->remaining(reader
) &&
2615 reader
->read_uint16(reader
, &sig_scheme
))
2617 lookup
= tls_signature_scheme_to_key_type(sig_scheme
);
2620 array_insert(key_types
, ARRAY_TAIL
, &lookup
);
2624 reader
->destroy(reader
);
2630 enumerator_t
public;
2632 identification_t
*peer
;
2635 } private_key_enumerator_t
;
2637 METHOD(enumerator_t
, private_key_enumerate
, bool,
2638 private_key_enumerator_t
*this, va_list args
)
2641 auth_cfg_t
**auth_out
;
2642 private_key_t
**key_out
;
2644 VA_ARGS_VGET(args
, key_out
, auth_out
);
2646 DESTROY_IF(this->key
);
2647 DESTROY_IF(this->auth
);
2648 this->auth
= auth_cfg_create();
2650 while (array_remove(this->key_types
, ARRAY_HEAD
, &type
))
2652 this->key
= lib
->credmgr
->get_private(lib
->credmgr
, type
, this->peer
,
2656 *key_out
= this->key
;
2659 *auth_out
= this->auth
;
2667 METHOD(enumerator_t
, private_key_destroy
, void,
2668 private_key_enumerator_t
*this)
2670 DESTROY_IF(this->key
);
2671 DESTROY_IF(this->auth
);
2672 array_destroy(this->key_types
);
2679 enumerator_t
*tls_create_private_key_enumerator(tls_version_t min_version
,
2680 tls_version_t max_version
,
2682 identification_t
*peer
)
2684 private_key_enumerator_t
*enumerator
;
2685 enumerator_t
*key_types
;
2687 key_types
= get_supported_key_types(min_version
, max_version
);
2691 .enumerate
= enumerator_enumerate_default
,
2692 .venumerate
= _private_key_enumerate
,
2693 .destroy
= _private_key_destroy
,
2695 .key_types
= create_common_key_types(key_types
, hashsig
),
2698 key_types
->destroy(key_types
);
2700 if (!array_count(enumerator
->key_types
))
2704 return &enumerator
->public;
projects / strongswan.git / blob