tls-server: Determine supported/configured suites and versions early
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26
27 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
28 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
29 "TLS_NULL_WITH_NULL_NULL",
30 "TLS_RSA_WITH_NULL_MD5",
31 "TLS_RSA_WITH_NULL_SHA",
32 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
33 "TLS_RSA_WITH_RC4_128_MD5",
34 "TLS_RSA_WITH_RC4_128_SHA",
35 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
36 "TLS_RSA_WITH_IDEA_CBC_SHA",
37 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_RSA_WITH_DES_CBC_SHA",
39 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DH_DSS_WITH_DES_CBC_SHA",
42 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DH_RSA_WITH_DES_CBC_SHA",
45 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
47 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
48 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
49 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
50 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
51 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
52 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
53 "TLS_DH_anon_WITH_RC4_128_MD5",
54 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
55 "TLS_DH_anon_WITH_DES_CBC_SHA",
56 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
57 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
58 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
59 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
60 "TLS_KRB5_WITH_DES_CBC_SHA",
61 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
62 "TLS_KRB5_WITH_RC4_128_SHA",
63 "TLS_KRB5_WITH_IDEA_CBC_SHA",
64 "TLS_KRB5_WITH_DES_CBC_MD5",
65 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
66 "TLS_KRB5_WITH_RC4_128_MD5",
67 "TLS_KRB5_WITH_IDEA_CBC_MD5",
68 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
69 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
72 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
74 "TLS_PSK_WITH_NULL_SHA",
75 "TLS_DHE_PSK_WITH_NULL_SHA",
76 "TLS_RSA_PSK_WITH_NULL_SHA",
77 "TLS_RSA_WITH_AES_128_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
83 "TLS_RSA_WITH_AES_256_CBC_SHA",
84 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
85 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
89 "TLS_RSA_WITH_NULL_SHA256",
90 "TLS_RSA_WITH_AES_128_CBC_SHA256",
91 "TLS_RSA_WITH_AES_256_CBC_SHA256",
92 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
93 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
94 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
96 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
101 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
102 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
103 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
104 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
105 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
106 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
107 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
111 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
112 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
113 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
114 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
115 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_PSK_WITH_RC4_128_SHA",
121 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
122 "TLS_PSK_WITH_AES_128_CBC_SHA",
123 "TLS_PSK_WITH_AES_256_CBC_SHA",
124 "TLS_DHE_PSK_WITH_RC4_128_SHA",
125 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
126 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
128 "TLS_RSA_PSK_WITH_RC4_128_SHA",
129 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
130 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
132 "TLS_RSA_WITH_SEED_CBC_SHA",
133 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
134 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DH_anon_WITH_SEED_CBC_SHA",
138 "TLS_RSA_WITH_AES_128_GCM_SHA256",
139 "TLS_RSA_WITH_AES_256_GCM_SHA384",
140 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
145 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
146 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_GCM_SHA256",
151 "TLS_PSK_WITH_AES_256_GCM_SHA384",
152 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_PSK_WITH_AES_128_CBC_SHA256",
157 "TLS_PSK_WITH_AES_256_CBC_SHA384",
158 "TLS_PSK_WITH_NULL_SHA256",
159 "TLS_PSK_WITH_NULL_SHA384",
160 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
161 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
162 "TLS_DHE_PSK_WITH_NULL_SHA256",
163 "TLS_DHE_PSK_WITH_NULL_SHA384",
164 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
165 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
166 "TLS_RSA_PSK_WITH_NULL_SHA256",
167 "TLS_RSA_PSK_WITH_NULL_SHA384",
168 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
175 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
180 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
183 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
184 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
185 TLS_AES_128_CCM_8_SHA256,
186 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
187 "TLS_AES_128_GCM_SHA256",
188 "TLS_AES_256_GCM_SHA384",
189 "TLS_CHACHA20_POLY1305_SHA256",
190 "TLS_AES_128_CCM_SHA256",
191 "TLS_AES_128_CCM_8_SHA256");
192 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
193 TLS_ECDHE_PSK_WITH_NULL_SHA384,
194 TLS_AES_128_CCM_8_SHA256,
195 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
196 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
197 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
201 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
202 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
205 "TLS_ECDH_RSA_WITH_NULL_SHA",
206 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
207 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
210 "TLS_ECDHE_RSA_WITH_NULL_SHA",
211 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
212 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
213 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
215 "TLS_ECDH_anon_WITH_NULL_SHA",
216 "TLS_ECDH_anon_WITH_RC4_128_SHA",
217 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
218 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
220 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
221 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
224 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
227 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
229 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
230 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
231 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
238 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
239 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
246 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
247 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
251 "TLS_ECDHE_PSK_WITH_NULL_SHA",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
254 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
255
256 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
257 "NONE",
258 "MD5",
259 "SHA1",
260 "SHA224",
261 "SHA256",
262 "SHA384",
263 "SHA512",
264 );
265
266 ENUM_BEGIN(tls_signature_scheme_names,
267 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
268 "RSA_PKCS1_SHA1");
269 ENUM_NEXT(tls_signature_scheme_names,
270 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
271 "ECDSA_SHA1");
272 ENUM_NEXT(tls_signature_scheme_names,
273 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA1,
274 "RSA_PKCS1_SHA256");
275 ENUM_NEXT(tls_signature_scheme_names,
276 TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_RSA_PKCS1_SHA256,
277 "ECDSA_SHA256");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA256,
280 "RSA_PKCS1_SHA384");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_RSA_PKCS1_SHA384,
283 "ECDSA_SHA384");
284 ENUM_NEXT(tls_signature_scheme_names,
285 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA384,
286 "RSA_PKCS1_SHA512");
287 ENUM_NEXT(tls_signature_scheme_names,
288 TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_RSA_PKCS1_SHA512,
289 "ECDSA_SHA512");
290 ENUM_NEXT(tls_signature_scheme_names,
291 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
292 "RSA_PSS_RSAE_SHA256",
293 "RSA_PSS_RSAE_SHA384",
294 "RSA_PSS_RSAE_SHA512",
295 "ED25519",
296 "ED448",
297 "RSA_PSS_PSS_SHA256",
298 "RSA_PSS_PSS_SHA384",
299 "RSA_PSS_PSS_SHA512",
300 );
301 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
302
303 ENUM_BEGIN(tls_client_certificate_type_names,
304 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
305 "RSA_SIGN",
306 "DSA_SIGN",
307 "RSA_FIXED_DH",
308 "DSS_FIXED_DH",
309 "RSA_EPHEMERAL_DH",
310 "DSS_EPHEMERAL_DH");
311 ENUM_NEXT(tls_client_certificate_type_names,
312 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
313 "FORTEZZA_DMS");
314 ENUM_NEXT(tls_client_certificate_type_names,
315 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
316 "ECDSA_SIGN",
317 "RSA_FIXED_ECDH",
318 "ECDSA_FIXED_ECDH");
319 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
320
321 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
322 "EXPLICIT_PRIME",
323 "EXPLICIT_CHAR2",
324 "NAMED_CURVE",
325 );
326
327 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
328 "SECT163K1",
329 "SECT163R1",
330 "SECT163R2",
331 "SECT193R1",
332 "SECT193R2",
333 "SECT233K1",
334 "SECT233R1",
335 "SECT239K1",
336 "SECT283K1",
337 "SECT283R1",
338 "SECT409K1",
339 "SECT409R1",
340 "SECT571K1",
341 "SECT571R1",
342 "SECP160K1",
343 "SECP160R1",
344 "SECP160R2",
345 "SECP192K1",
346 "SECP192R1",
347 "SECP224K1",
348 "SECP224R1",
349 "SECP256K1",
350 "SECP256R1",
351 "SECP384R1",
352 "SECP521R1",
353 );
354 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
355 "CURVE25519",
356 "CURVE448",
357 );
358 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
359 "FFDHE2048",
360 "FFDHE3072",
361 "FFDHE4096",
362 "FFDHE6144",
363 "FFDHE8192",
364 );
365 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
366
367 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
368 "compressed",
369 "compressed y",
370 "uncompressed",
371 "uncompressed y",
372 "hybrid",
373 "hybrid y",
374 );
375
376 ENUM(tls_ec_point_format_names,
377 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
378 "uncompressed",
379 "ansiX962 compressed prime",
380 "ansiX962 compressed char2",
381 );
382
383 typedef struct private_tls_crypto_t private_tls_crypto_t;
384
385 /**
386 * Private data of an tls_crypto_t object.
387 */
388 struct private_tls_crypto_t {
389
390 /**
391 * Public tls_crypto_t interface.
392 */
393 tls_crypto_t public;
394
395 /**
396 * Protection layer
397 */
398 tls_protection_t *protection;
399
400 /**
401 * List of supported/acceptable cipher suites
402 */
403 tls_cipher_suite_t *suites;
404
405 /**
406 * Number of supported suites
407 */
408 int suite_count;
409
410 /**
411 * HKDF for TLS 1.3
412 */
413 tls_hkdf_t *hkdf;
414
415 /**
416 * Selected cipher suite
417 */
418 tls_cipher_suite_t suite;
419
420 /**
421 * RSA supported?
422 */
423 bool rsa;
424
425 /**
426 * ECDSA supported?
427 */
428 bool ecdsa;
429
430 /**
431 * TLS context
432 */
433 tls_t *tls;
434
435 /**
436 * TLS session cache
437 */
438 tls_cache_t *cache;
439
440 /**
441 * All handshake data concatenated
442 */
443 chunk_t handshake;
444
445 /**
446 * Connection state TLS PRF
447 */
448 tls_prf_t *prf;
449
450 /**
451 * AEAD transform for inbound traffic
452 */
453 tls_aead_t *aead_in;
454
455 /**
456 * AEAD transform for outbound traffic
457 */
458 tls_aead_t *aead_out;
459
460 /**
461 * EAP-[T]TLS MSK
462 */
463 chunk_t msk;
464
465 /**
466 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
467 */
468 char *msk_label;
469 };
470
471 typedef struct {
472 tls_cipher_suite_t suite;
473 key_type_t key;
474 diffie_hellman_group_t dh;
475 hash_algorithm_t hash;
476 pseudo_random_function_t prf;
477 integrity_algorithm_t mac;
478 encryption_algorithm_t encr;
479 size_t encr_size;
480 tls_version_t min_version;
481 tls_version_t max_version;
482 } suite_algs_t;
483
484 /**
485 * Mapping suites to a set of algorithms
486 */
487 static suite_algs_t suite_algs[] = {
488 /* Cipher suites of TLS 1.3: key exchange and authentication
489 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
490 { TLS_AES_128_GCM_SHA256,
491 KEY_ANY, MODP_NONE,
492 HASH_SHA256, PRF_UNDEFINED,
493 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
494 TLS_1_3, TLS_1_3,
495 },
496 { TLS_AES_256_GCM_SHA384,
497 KEY_ANY, MODP_NONE,
498 HASH_SHA384, PRF_UNDEFINED,
499 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
500 TLS_1_3, TLS_1_3,
501 },
502 { TLS_CHACHA20_POLY1305_SHA256,
503 KEY_ANY, MODP_NONE,
504 HASH_SHA256, PRF_UNDEFINED,
505 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
506 TLS_1_3, TLS_1_3,
507 },
508 { TLS_AES_128_CCM_SHA256,
509 KEY_ANY, MODP_NONE,
510 HASH_SHA256, PRF_UNDEFINED,
511 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
512 TLS_1_3, TLS_1_3,
513 },
514 { TLS_AES_128_CCM_8_SHA256,
515 KEY_ANY, MODP_NONE,
516 HASH_SHA256, PRF_UNDEFINED,
517 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
518 TLS_1_3, TLS_1_3,
519 },
520 /* Legacy TLS cipher suites */
521 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
522 KEY_ECDSA, ECP_256_BIT,
523 HASH_SHA256, PRF_HMAC_SHA2_256,
524 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
525 TLS_1_0, TLS_1_2,
526 },
527 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
528 KEY_ECDSA, ECP_256_BIT,
529 HASH_SHA256, PRF_HMAC_SHA2_256,
530 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
531 TLS_1_2, TLS_1_2,
532 },
533 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
534 KEY_ECDSA, ECP_384_BIT,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
537 TLS_1_0, TLS_1_2,
538 },
539 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
540 KEY_ECDSA, ECP_384_BIT,
541 HASH_SHA384, PRF_HMAC_SHA2_384,
542 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
543 TLS_1_2, TLS_1_2,
544 },
545 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
546 KEY_ECDSA, ECP_256_BIT,
547 HASH_SHA256, PRF_HMAC_SHA2_256,
548 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
549 TLS_1_2, TLS_1_2,
550 },
551 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
552 KEY_ECDSA, ECP_384_BIT,
553 HASH_SHA384, PRF_HMAC_SHA2_384,
554 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
555 TLS_1_2, TLS_1_2,
556 },
557 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
558 KEY_RSA, ECP_256_BIT,
559 HASH_SHA256, PRF_HMAC_SHA2_256,
560 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
561 TLS_1_0, TLS_1_2,
562 },
563 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
564 KEY_RSA, ECP_256_BIT,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
567 TLS_1_2, TLS_1_2,
568 },
569 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
570 KEY_RSA, ECP_384_BIT,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
573 TLS_1_0, TLS_1_2,
574 },
575 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
576 KEY_RSA, ECP_384_BIT,
577 HASH_SHA384, PRF_HMAC_SHA2_384,
578 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
579 TLS_1_2, TLS_1_2,
580 },
581 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
582 KEY_RSA, ECP_256_BIT,
583 HASH_SHA256, PRF_HMAC_SHA2_256,
584 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
585 TLS_1_2, TLS_1_2,
586 },
587 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
588 KEY_RSA, ECP_384_BIT,
589 HASH_SHA384, PRF_HMAC_SHA2_384,
590 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
591 TLS_1_2, TLS_1_2,
592 },
593 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
594 KEY_RSA, MODP_2048_BIT,
595 HASH_SHA256,PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
597 SSL_3_0, TLS_1_2,
598 },
599 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
600 KEY_RSA, MODP_3072_BIT,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
603 TLS_1_2, TLS_1_2,
604 },
605 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
606 KEY_RSA, MODP_3072_BIT,
607 HASH_SHA256, PRF_HMAC_SHA2_256,
608 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
609 SSL_3_0, TLS_1_2,
610 },
611 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
612 KEY_RSA, MODP_4096_BIT,
613 HASH_SHA256, PRF_HMAC_SHA2_256,
614 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
615 TLS_1_2, TLS_1_2,
616 },
617 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
618 KEY_RSA, MODP_3072_BIT,
619 HASH_SHA256, PRF_HMAC_SHA2_256,
620 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
621 TLS_1_2, TLS_1_2,
622 },
623 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
624 KEY_RSA, MODP_4096_BIT,
625 HASH_SHA384, PRF_HMAC_SHA2_384,
626 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
627 TLS_1_2, TLS_1_2,
628 },
629 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
630 KEY_RSA, MODP_2048_BIT,
631 HASH_SHA256, PRF_HMAC_SHA2_256,
632 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
633 SSL_3_0, TLS_1_2,
634 },
635 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
636 KEY_RSA, MODP_3072_BIT,
637 HASH_SHA256, PRF_HMAC_SHA2_256,
638 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
639 TLS_1_2, TLS_1_2,
640 },
641 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
642 KEY_RSA, MODP_3072_BIT,
643 HASH_SHA256, PRF_HMAC_SHA2_256,
644 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
645 SSL_3_0, TLS_1_2,
646 },
647 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
648 KEY_RSA, MODP_4096_BIT,
649 HASH_SHA256, PRF_HMAC_SHA2_256,
650 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
651 TLS_1_2, TLS_1_2,
652 },
653 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
654 KEY_RSA, MODP_2048_BIT,
655 HASH_SHA256, PRF_HMAC_SHA2_256,
656 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
657 SSL_3_0, TLS_1_2,
658 },
659 { TLS_RSA_WITH_AES_128_CBC_SHA,
660 KEY_RSA, MODP_NONE,
661 HASH_SHA256, PRF_HMAC_SHA2_256,
662 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
663 SSL_3_0, TLS_1_2,
664 },
665 { TLS_RSA_WITH_AES_128_CBC_SHA256,
666 KEY_RSA, MODP_NONE,
667 HASH_SHA256, PRF_HMAC_SHA2_256,
668 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
669 TLS_1_2, TLS_1_2,
670 },
671 { TLS_RSA_WITH_AES_256_CBC_SHA,
672 KEY_RSA, MODP_NONE,
673 HASH_SHA256, PRF_HMAC_SHA2_256,
674 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
675 SSL_3_0, TLS_1_2,
676 },
677 { TLS_RSA_WITH_AES_256_CBC_SHA256,
678 KEY_RSA, MODP_NONE,
679 HASH_SHA256, PRF_HMAC_SHA2_256,
680 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
681 TLS_1_2, TLS_1_2,
682 },
683 { TLS_RSA_WITH_AES_128_GCM_SHA256,
684 KEY_RSA, MODP_NONE,
685 HASH_SHA256, PRF_HMAC_SHA2_256,
686 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
687 TLS_1_2, TLS_1_2,
688 },
689 { TLS_RSA_WITH_AES_256_GCM_SHA384,
690 KEY_RSA, MODP_NONE,
691 HASH_SHA384, PRF_HMAC_SHA2_384,
692 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
693 TLS_1_2, TLS_1_2,
694 },
695 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
696 KEY_RSA, MODP_NONE,
697 HASH_SHA256, PRF_HMAC_SHA2_256,
698 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
699 SSL_3_0, TLS_1_2,
700 },
701 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
702 KEY_RSA, MODP_NONE,
703 HASH_SHA256, PRF_HMAC_SHA2_256,
704 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
705 TLS_1_2, TLS_1_2,
706 },
707 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
708 KEY_RSA, MODP_NONE,
709 HASH_SHA256, PRF_HMAC_SHA2_256,
710 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
711 SSL_3_0, TLS_1_2,
712 },
713 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
714 KEY_RSA, MODP_NONE,
715 HASH_SHA256, PRF_HMAC_SHA2_256,
716 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
717 TLS_1_2, TLS_1_2,
718 },
719 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
720 KEY_ECDSA, ECP_256_BIT,
721 HASH_SHA256, PRF_HMAC_SHA2_256,
722 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
723 TLS_1_0, TLS_1_2,
724 },
725 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
726 KEY_RSA, ECP_256_BIT,
727 HASH_SHA256, PRF_HMAC_SHA2_256,
728 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
729 TLS_1_0, TLS_1_2,
730 },
731 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
732 KEY_RSA, MODP_NONE,
733 HASH_SHA256, PRF_HMAC_SHA2_256,
734 AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
735 SSL_3_0, TLS_1_2,
736 },
737 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
738 KEY_ECDSA, ECP_256_BIT,
739 HASH_SHA256, PRF_HMAC_SHA2_256,
740 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
741 TLS_1_0, TLS_1_2,
742 },
743 { TLS_ECDHE_RSA_WITH_NULL_SHA,
744 KEY_ECDSA, ECP_256_BIT,
745 HASH_SHA256, PRF_HMAC_SHA2_256,
746 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
747 TLS_1_0, TLS_1_2,
748 },
749 { TLS_RSA_WITH_NULL_SHA,
750 KEY_RSA, MODP_NONE,
751 HASH_SHA256, PRF_HMAC_SHA2_256,
752 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
753 SSL_3_0, TLS_1_2,
754 },
755 { TLS_RSA_WITH_NULL_SHA256,
756 KEY_RSA, MODP_NONE,
757 HASH_SHA256, PRF_HMAC_SHA2_256,
758 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
759 TLS_1_2, TLS_1_2,
760 },
761 { TLS_RSA_WITH_NULL_MD5,
762 KEY_RSA, MODP_NONE,
763 HASH_SHA256, PRF_HMAC_SHA2_256,
764 AUTH_HMAC_MD5_128, ENCR_NULL, 0,
765 SSL_2_0, TLS_1_2,
766 },
767 };
768
769 /**
770 * Look up algorithms by a suite
771 */
772 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
773 {
774 int i;
775
776 for (i = 0; i < countof(suite_algs); i++)
777 {
778 if (suite_algs[i].suite == suite)
779 {
780 return &suite_algs[i];
781 }
782 }
783 return NULL;
784 }
785
786 /**
787 * Filter a suite list using a transform enumerator
788 */
789 static void filter_suite(suite_algs_t suites[], int *count, int offset,
790 enumerator_t*(*create_enumerator)(crypto_factory_t*))
791 {
792 const char *plugin_name;
793 suite_algs_t current;
794 int *current_alg, i, remaining = 0;
795 enumerator_t *enumerator;
796
797 memset(&current, 0, sizeof(current));
798 current_alg = (int*)((char*)&current + offset);
799
800 for (i = 0; i < *count; i++)
801 {
802 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
803 encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering crypters, but current suite uses an AEAD, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 if (create_enumerator == lib->crypto->create_aead_enumerator &&
810 !encryption_algorithm_is_aead(suites[i].encr))
811 { /* filtering AEADs, but current suite doesn't use one, apply */
812 suites[remaining] = suites[i];
813 remaining++;
814 continue;
815 }
816 enumerator = create_enumerator(lib->crypto);
817 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
818 {
819 if (current.encr && current.encr != suites[i].encr)
820 {
821 if (suites[i].encr != ENCR_NULL)
822 { /* skip, ENCR does not match nor is NULL */
823 continue;
824 }
825 }
826 if (current.mac && current.mac != suites[i].mac)
827 {
828 if (suites[i].mac != AUTH_UNDEFINED)
829 { /* skip, MAC does not match nor is it undefined */
830 continue;
831 }
832 }
833 if (current.prf && current.prf != suites[i].prf)
834 {
835 if (suites[i].prf != PRF_UNDEFINED)
836 {
837 /* skip, PRF does not match nor is it undefined */
838 continue;
839 }
840 }
841 if (current.hash && current.hash != suites[i].hash)
842 { /* skip, hash does not match */
843 continue;
844 }
845 if (current.dh && current.dh != suites[i].dh)
846 {
847 if (suites[i].dh != MODP_NONE)
848 { /* skip DH group, does not match nor NONE */
849 continue;
850 }
851 }
852 /* suite supported, apply */
853 suites[remaining] = suites[i];
854 remaining++;
855 break;
856 }
857 enumerator->destroy(enumerator);
858 }
859 *count = remaining;
860 }
861
862 /**
863 * Purge NULL encryption cipher suites from list
864 */
865 static void filter_null_suites(suite_algs_t suites[], int *count)
866 {
867 int i, remaining = 0;
868
869 for (i = 0; i < *count; i++)
870 {
871 if (suites[i].encr != ENCR_NULL)
872 {
873 suites[remaining] = suites[i];
874 remaining++;
875 }
876 }
877 *count = remaining;
878 }
879
880 /**
881 * Purge suites using a given key type
882 */
883 static void filter_key_suites(private_tls_crypto_t *this,
884 suite_algs_t suites[], int *count, key_type_t key)
885 {
886 int i, remaining = 0;
887
888 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
889 for (i = 0; i < *count; i++)
890 {
891 if (suites[i].key != key)
892 {
893 suites[remaining] = suites[i];
894 remaining++;
895 }
896 }
897 *count = remaining;
898 }
899
900 /**
901 * Filter suites by key exchange user config
902 */
903 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
904 suite_algs_t suites[], int *count)
905 {
906 enumerator_t *enumerator;
907 int i, remaining = 0;
908 char *token, *config;
909
910 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
911 lib->ns);
912 if (config)
913 {
914 for (i = 0; i < *count; i++)
915 {
916 enumerator = enumerator_create_token(config, ",", " ");
917 while (enumerator->enumerate(enumerator, &token))
918 {
919 if (strcaseeq(token, "ecdhe-ecdsa") &&
920 diffie_hellman_group_is_ec(suites[i].dh) &&
921 suites[i].key == KEY_ECDSA)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "ecdhe-rsa") &&
927 diffie_hellman_group_is_ec(suites[i].dh) &&
928 suites[i].key == KEY_RSA)
929 {
930 suites[remaining++] = suites[i];
931 break;
932 }
933 if (strcaseeq(token, "dhe-rsa") &&
934 !diffie_hellman_group_is_ec(suites[i].dh) &&
935 suites[i].dh != MODP_NONE &&
936 suites[i].key == KEY_RSA)
937 {
938 suites[remaining++] = suites[i];
939 break;
940 }
941 if (strcaseeq(token, "rsa") &&
942 suites[i].dh == MODP_NONE &&
943 suites[i].key == KEY_RSA)
944 {
945 suites[remaining++] = suites[i];
946 break;
947 }
948 }
949 enumerator->destroy(enumerator);
950 }
951 *count = remaining;
952 }
953 }
954
955 /**
956 * Filter suites by cipher user config
957 */
958 static void filter_cipher_config_suites(private_tls_crypto_t *this,
959 suite_algs_t suites[], int *count)
960 {
961 enumerator_t *enumerator;
962 int i, remaining = 0;
963 char *token, *config;
964
965 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
966 lib->ns);
967 if (config)
968 {
969 for (i = 0; i < *count; i++)
970 {
971 enumerator = enumerator_create_token(config, ",", " ");
972 while (enumerator->enumerate(enumerator, &token))
973 {
974 if (strcaseeq(token, "aes128") &&
975 suites[i].encr == ENCR_AES_CBC &&
976 suites[i].encr_size == 16)
977 {
978 suites[remaining++] = suites[i];
979 break;
980 }
981 if (strcaseeq(token, "aes256") &&
982 suites[i].encr == ENCR_AES_CBC &&
983 suites[i].encr_size == 32)
984 {
985 suites[remaining++] = suites[i];
986 break;
987 }
988 if (strcaseeq(token, "aes128gcm") &&
989 suites[i].encr == ENCR_AES_GCM_ICV16 &&
990 suites[i].encr_size == 16)
991 {
992 suites[remaining++] = suites[i];
993 break;
994 }
995 if (strcaseeq(token, "aes256gcm") &&
996 suites[i].encr == ENCR_AES_GCM_ICV16 &&
997 suites[i].encr_size == 32)
998 {
999 suites[remaining++] = suites[i];
1000 break;
1001 }
1002 if (strcaseeq(token, "camellia128") &&
1003 suites[i].encr == ENCR_CAMELLIA_CBC &&
1004 suites[i].encr_size == 16)
1005 {
1006 suites[remaining++] = suites[i];
1007 break;
1008 }
1009 if (strcaseeq(token, "camellia256") &&
1010 suites[i].encr == ENCR_CAMELLIA_CBC &&
1011 suites[i].encr_size == 32)
1012 {
1013 suites[remaining++] = suites[i];
1014 break;
1015 }
1016 if (strcaseeq(token, "3des") &&
1017 suites[i].encr == ENCR_3DES)
1018 {
1019 suites[remaining++] = suites[i];
1020 break;
1021 }
1022 if (strcaseeq(token, "null") &&
1023 suites[i].encr == ENCR_NULL)
1024 {
1025 suites[remaining++] = suites[i];
1026 break;
1027 }
1028 }
1029 enumerator->destroy(enumerator);
1030 }
1031 *count = remaining;
1032 }
1033 }
1034
1035 /**
1036 * Filter suites by mac user config
1037 */
1038 static void filter_mac_config_suites(private_tls_crypto_t *this,
1039 suite_algs_t suites[], int *count)
1040 {
1041 enumerator_t *enumerator;
1042 int i, remaining = 0;
1043 char *token, *config;
1044
1045 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
1046 lib->ns);
1047 if (config)
1048 {
1049 for (i = 0; i < *count; i++)
1050 {
1051 enumerator = enumerator_create_token(config, ",", " ");
1052 while (enumerator->enumerate(enumerator, &token))
1053 {
1054 if (strcaseeq(token, "md5") &&
1055 suites[i].mac == AUTH_HMAC_MD5_128)
1056 {
1057 suites[remaining++] = suites[i];
1058 break;
1059 }
1060 if (strcaseeq(token, "sha1") &&
1061 suites[i].mac == AUTH_HMAC_SHA1_160)
1062 {
1063 suites[remaining++] = suites[i];
1064 break;
1065 }
1066 if (strcaseeq(token, "sha256") &&
1067 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1068 {
1069 suites[remaining++] = suites[i];
1070 break;
1071 }
1072 if (strcaseeq(token, "sha384") &&
1073 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1074 {
1075 suites[remaining++] = suites[i];
1076 break;
1077 }
1078 }
1079 enumerator->destroy(enumerator);
1080 }
1081 *count = remaining;
1082 }
1083 }
1084
1085 /**
1086 * Filter for specific suites specified in strongswan.conf
1087 */
1088 static void filter_specific_config_suites(private_tls_crypto_t *this,
1089 suite_algs_t suites[], int *count)
1090 {
1091 enumerator_t *enumerator;
1092 int i, remaining = 0, suite;
1093 char *token, *config;
1094
1095 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1096 lib->ns);
1097 if (config)
1098 {
1099 for (i = 0; i < *count; i++)
1100 {
1101 enumerator = enumerator_create_token(config, ",", " ");
1102 while (enumerator->enumerate(enumerator, &token))
1103 {
1104 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1105 suite == suites[i].suite)
1106 {
1107 suites[remaining++] = suites[i];
1108 break;
1109 }
1110 }
1111 enumerator->destroy(enumerator);
1112 }
1113 *count = remaining;
1114 }
1115 }
1116
1117 /**
1118 * Filter out unsupported suites on given suite array
1119 */
1120 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1121 {
1122 /* filter suite list by each algorithm */
1123 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1124 lib->crypto->create_aead_enumerator);
1125 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1126 lib->crypto->create_prf_enumerator);
1127 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1128 lib->crypto->create_crypter_enumerator);
1129 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1130 lib->crypto->create_signer_enumerator);
1131 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1132 lib->crypto->create_hasher_enumerator);
1133 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1134 lib->crypto->create_dh_enumerator);
1135 }
1136
1137 /**
1138 * Initialize the cipher suite list
1139 */
1140 static void build_cipher_suite_list(private_tls_crypto_t *this)
1141 {
1142 suite_algs_t suites[countof(suite_algs)];
1143 tls_version_t min_version, max_version, new_min_version, new_max_version;
1144 bool require_encryption;
1145 int count = 0, i;
1146
1147 switch (this->tls->get_purpose(this->tls))
1148 {
1149 case TLS_PURPOSE_EAP_TLS:
1150 case TLS_PURPOSE_GENERIC_NULLOK:
1151 require_encryption = FALSE;
1152 break;
1153 case TLS_PURPOSE_EAP_PEAP:
1154 case TLS_PURPOSE_EAP_TTLS:
1155 case TLS_PURPOSE_GENERIC:
1156 require_encryption = TRUE;
1157 break;
1158 default:
1159 return;
1160 }
1161
1162 min_version = this->tls->get_version_min(this->tls);
1163 max_version = this->tls->get_version_max(this->tls);
1164
1165 /* copy all suites appropriate for the current min/max versions */
1166 for (i = 0; i < countof(suite_algs); i++)
1167 {
1168 if (suite_algs[i].min_version <= max_version &&
1169 suite_algs[i].max_version >= min_version)
1170 {
1171 suites[count++] = suite_algs[i];
1172 }
1173 }
1174
1175 if (require_encryption)
1176 {
1177 filter_null_suites(suites, &count);
1178 }
1179 if (!this->rsa)
1180 {
1181 filter_key_suites(this, suites, &count, KEY_RSA);
1182 }
1183 if (!this->ecdsa)
1184 {
1185 filter_key_suites(this, suites, &count, KEY_ECDSA);
1186 }
1187
1188 filter_unsupported_suites(suites, &count);
1189
1190 /* filter suites with strongswan.conf options */
1191 filter_key_exchange_config_suites(this, suites, &count);
1192 filter_cipher_config_suites(this, suites, &count);
1193 filter_mac_config_suites(this, suites, &count);
1194 filter_specific_config_suites(this, suites, &count);
1195
1196 free(this->suites);
1197 this->suite_count = count;
1198 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1199
1200 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1201 new_min_version = max_version;
1202 new_max_version = min_version;
1203 for (i = 0; i < count; i++)
1204 {
1205 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1206 this->suites[i] = suites[i].suite;
1207
1208 /* set TLS min/max versions appropriate to the final cipher suites */
1209 new_max_version = max(new_max_version, suites[i].max_version);
1210 new_min_version = min(new_min_version, suites[i].min_version);
1211 }
1212 new_max_version = min(new_max_version, max_version);
1213 new_min_version = max(new_min_version, min_version);
1214
1215 if (min_version != new_min_version || max_version != new_max_version)
1216 {
1217 this->tls->set_version(this->tls, new_min_version, new_max_version);
1218 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1219 tls_version_names, new_min_version,
1220 tls_version_names, new_max_version);
1221 }
1222 }
1223
1224 METHOD(tls_crypto_t, get_cipher_suites, int,
1225 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1226 {
1227 if (!this->suites)
1228 {
1229 build_cipher_suite_list(this);
1230 }
1231 if (suites)
1232 {
1233 *suites = this->suites;
1234 }
1235 return this->suite_count;
1236 }
1237
1238 /**
1239 * Create NULL encryption transforms
1240 */
1241 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1242 {
1243 this->aead_in = tls_aead_create_null(algs->mac);
1244 this->aead_out = tls_aead_create_null(algs->mac);
1245 if (!this->aead_in || !this->aead_out)
1246 {
1247 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1248 integrity_algorithm_names, algs->mac);
1249 return FALSE;
1250 }
1251 return TRUE;
1252 }
1253
1254 /**
1255 * Create traditional transforms
1256 */
1257 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1258 {
1259 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1260 {
1261 this->aead_in = tls_aead_create_implicit(algs->mac,
1262 algs->encr, algs->encr_size);
1263 this->aead_out = tls_aead_create_implicit(algs->mac,
1264 algs->encr, algs->encr_size);
1265 }
1266 else
1267 {
1268 this->aead_in = tls_aead_create_explicit(algs->mac,
1269 algs->encr, algs->encr_size);
1270 this->aead_out = tls_aead_create_explicit(algs->mac,
1271 algs->encr, algs->encr_size);
1272 }
1273 if (!this->aead_in || !this->aead_out)
1274 {
1275 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1276 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1277 integrity_algorithm_names, algs->mac);
1278 return FALSE;
1279 }
1280 return TRUE;
1281 }
1282
1283 /**
1284 * Create AEAD transforms
1285 */
1286 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1287 {
1288 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1289 {
1290 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1291 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1292 }
1293 else
1294 {
1295 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1296 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1297 }
1298 if (!this->aead_in || !this->aead_out)
1299 {
1300 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1301 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1302 return FALSE;
1303 }
1304 return TRUE;
1305 }
1306
1307 /**
1308 * Clean up and unset AEAD transforms
1309 */
1310 static void destroy_aeads(private_tls_crypto_t *this)
1311 {
1312 DESTROY_IF(this->aead_in);
1313 DESTROY_IF(this->aead_out);
1314 this->aead_in = this->aead_out = NULL;
1315 }
1316
1317 /**
1318 * Create crypto primitives
1319 */
1320 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1321 {
1322 destroy_aeads(this);
1323 DESTROY_IF(this->hkdf);
1324 DESTROY_IF(this->prf);
1325 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1326 {
1327 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1328 {
1329 this->prf = tls_prf_create_10();
1330 }
1331 else
1332 {
1333 this->prf = tls_prf_create_12(algs->prf);
1334 }
1335 if (!this->prf)
1336 {
1337 DBG1(DBG_TLS, "selected TLS PRF not supported");
1338 return FALSE;
1339 }
1340 }
1341 else
1342 {
1343 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1344 if (!this->hkdf)
1345 {
1346 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1347 return FALSE;
1348 }
1349 }
1350 if (algs->encr == ENCR_NULL)
1351 {
1352 if (create_null(this, algs))
1353 {
1354 return TRUE;
1355 }
1356 }
1357 else if (encryption_algorithm_is_aead(algs->encr))
1358 {
1359 if (create_aead(this, algs))
1360 {
1361 return TRUE;
1362 }
1363 }
1364 else
1365 {
1366 if (create_traditional(this, algs))
1367 {
1368 return TRUE;
1369 }
1370 }
1371 destroy_aeads(this);
1372 return FALSE;
1373 }
1374
1375 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1376 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1377 key_type_t key)
1378 {
1379 suite_algs_t *algs;
1380 int i, j;
1381
1382 for (i = 0; i < this->suite_count; i++)
1383 {
1384 for (j = 0; j < count; j++)
1385 {
1386 if (this->suites[i] == suites[j])
1387 {
1388 algs = find_suite(this->suites[i]);
1389 if (algs)
1390 {
1391 if (key == KEY_ANY || key == algs->key)
1392 {
1393 if (create_ciphers(this, algs))
1394 {
1395 this->suite = this->suites[i];
1396 return this->suite;
1397 }
1398 }
1399 }
1400 }
1401 }
1402 }
1403 return 0;
1404 }
1405
1406 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1407 private_tls_crypto_t *this)
1408 {
1409 suite_algs_t *algs;
1410
1411 algs = find_suite(this->suite);
1412 if (algs)
1413 {
1414 return algs->dh;
1415 }
1416 return MODP_NONE;
1417 }
1418
1419 /**
1420 * Parameters for RSA/PSS signature schemes
1421 */
1422 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1423 .hash = HASH_SHA##bits, \
1424 .mgf1_hash = HASH_SHA##bits, \
1425 .salt_len = HASH_SIZE_SHA##bits, \
1426 }
1427
1428 PSS_PARAMS(256);
1429 PSS_PARAMS(384);
1430 PSS_PARAMS(512);
1431
1432 /**
1433 * Map TLS signature schemes, ordered by preference
1434 */
1435 static struct {
1436 tls_signature_scheme_t sig;
1437 signature_params_t params;
1438 /* min/max versions for use in CertificateVerify */
1439 tls_version_t min_version;
1440 tls_version_t max_version;
1441 } schemes[] = {
1442 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1443 TLS_1_0, TLS_1_3 },
1444 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1445 TLS_1_0, TLS_1_3 },
1446 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1447 TLS_1_0, TLS_1_3 },
1448 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1449 TLS_1_3, TLS_1_3 },
1450 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1451 TLS_1_3, TLS_1_3 },
1452 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1453 TLS_1_2, TLS_1_3 },
1454 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1455 TLS_1_2, TLS_1_3 },
1456 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1457 TLS_1_2, TLS_1_3 },
1458 /* the parameters for the next three should actually be taken from the
1459 * public key, we currently don't have an API for that, so assume defaults */
1460 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1461 TLS_1_2, TLS_1_3 },
1462 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1463 TLS_1_2, TLS_1_3 },
1464 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1465 TLS_1_2, TLS_1_3 },
1466 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1467 TLS_1_0, TLS_1_2 },
1468 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1469 TLS_1_0, TLS_1_2 },
1470 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1471 TLS_1_0, TLS_1_2 },
1472 };
1473
1474 METHOD(tls_crypto_t, get_signature_algorithms, void,
1475 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1476 {
1477 bio_writer_t *supported;
1478 tls_version_t min_version, max_version;
1479 int i;
1480
1481 supported = bio_writer_create(32);
1482
1483 if (!cert)
1484 {
1485 min_version = this->tls->get_version_min(this->tls);
1486 max_version = this->tls->get_version_max(this->tls);
1487 }
1488
1489 for (i = 0; i < countof(schemes); i++)
1490 {
1491 if ((cert || (schemes[i].min_version <= max_version &&
1492 schemes[i].max_version >= min_version)) &&
1493 lib->plugins->has_feature(lib->plugins,
1494 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
1495 {
1496 supported->write_uint16(supported, schemes[i].sig);
1497 }
1498 }
1499
1500 supported->wrap16(supported);
1501 writer->write_data16(writer, supported->get_buf(supported));
1502 supported->destroy(supported);
1503 }
1504
1505 /**
1506 * Get the signature parameters from a TLS signature scheme
1507 */
1508 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig)
1509 {
1510 int i;
1511
1512 for (i = 0; i < countof(schemes); i++)
1513 {
1514 if (schemes[i].sig == sig)
1515 {
1516 return &schemes[i].params;
1517 }
1518 }
1519 return NULL;
1520 }
1521
1522 /**
1523 * Mapping groups to TLS named curves
1524 */
1525 static struct {
1526 diffie_hellman_group_t group;
1527 tls_named_group_t curve;
1528 } curves[] = {
1529 { ECP_256_BIT, TLS_SECP256R1},
1530 { ECP_384_BIT, TLS_SECP384R1},
1531 { ECP_521_BIT, TLS_SECP521R1},
1532 { ECP_224_BIT, TLS_SECP224R1},
1533 { ECP_192_BIT, TLS_SECP192R1},
1534 { CURVE_25519, TLS_CURVE25519},
1535 { CURVE_448, TLS_CURVE448},
1536 };
1537
1538 CALLBACK(group_filter, bool,
1539 void *null, enumerator_t *orig, va_list args)
1540 {
1541 diffie_hellman_group_t group, *out;
1542 tls_named_group_t *curve;
1543 char *plugin;
1544 int i;
1545
1546 VA_ARGS_VGET(args, out, curve);
1547
1548 while (orig->enumerate(orig, &group, &plugin))
1549 {
1550 for (i = 0; i < countof(curves); i++)
1551 {
1552 if (curves[i].group == group)
1553 {
1554 if (out)
1555 {
1556 *out = curves[i].group;
1557 }
1558 if (curve)
1559 {
1560 *curve = curves[i].curve;
1561 }
1562 return TRUE;
1563 }
1564 }
1565 }
1566 return FALSE;
1567 }
1568
1569 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1570 private_tls_crypto_t *this)
1571 {
1572 return enumerator_create_filter(
1573 lib->crypto->create_dh_enumerator(lib->crypto),
1574 group_filter, NULL, NULL);
1575 }
1576
1577 METHOD(tls_crypto_t, set_protection, void,
1578 private_tls_crypto_t *this, tls_protection_t *protection)
1579 {
1580 this->protection = protection;
1581 }
1582
1583 METHOD(tls_crypto_t, append_handshake, void,
1584 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1585 {
1586 uint32_t header;
1587
1588 /* reconstruct handshake header */
1589 header = htonl(data.len | (type << 24));
1590 this->handshake = chunk_cat("mcc", this->handshake,
1591 chunk_from_thing(header), data);
1592 }
1593
1594 /**
1595 * Create a hash using the suites HASH algorithm
1596 */
1597 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1598 {
1599 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1600 {
1601 hasher_t *hasher;
1602 suite_algs_t *alg;
1603
1604 alg = find_suite(this->suite);
1605 if (!alg)
1606 {
1607 return FALSE;
1608 }
1609 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1610 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1611 {
1612 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1613 DESTROY_IF(hasher);
1614 return FALSE;
1615 }
1616 hasher->destroy(hasher);
1617 }
1618 else
1619 {
1620 hasher_t *md5, *sha1;
1621 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1622
1623 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1624 if (!md5 || !md5->get_hash(md5, data, buf))
1625 {
1626 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1627 DESTROY_IF(md5);
1628 return FALSE;
1629 }
1630 md5->destroy(md5);
1631 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1632 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1633 {
1634 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1635 DESTROY_IF(sha1);
1636 return FALSE;
1637 }
1638 sha1->destroy(sha1);
1639
1640 *hash = chunk_clone(chunk_from_thing(buf));
1641 }
1642 return TRUE;
1643 }
1644
1645 METHOD(tls_crypto_t, hash_handshake, bool,
1646 private_tls_crypto_t *this, chunk_t *out)
1647 {
1648 chunk_t hash;
1649
1650 if (!hash_data(this, this->handshake, &hash))
1651 {
1652 return FALSE;
1653 }
1654
1655 chunk_free(&this->handshake);
1656 append_handshake(this, TLS_MESSAGE_HASH, hash);
1657
1658 if (out)
1659 {
1660 *out = hash;
1661 }
1662 else
1663 {
1664 free(hash.ptr);
1665 }
1666 return TRUE;
1667 }
1668
1669 /**
1670 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1671 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1672 */
1673 static chunk_t tls13_sig_data_server = chunk_from_chars(
1674 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1675 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1676 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1677 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1678 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1679 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1680 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1681 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1682 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1683 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1684 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1685 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1686 0x79, 0x00,
1687 );
1688
1689 METHOD(tls_crypto_t, sign, bool,
1690 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1691 chunk_t data, chunk_t hashsig)
1692 {
1693 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1694 {
1695 /* fallback to SHA1/RSA and SHA1/ECDSA */
1696 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1697 signature_params_t *params;
1698 key_type_t type;
1699 uint16_t scheme;
1700 bio_reader_t *reader;
1701 chunk_t sig;
1702 bool done = FALSE;
1703
1704 if (!hashsig.len)
1705 { /* fallback if none given */
1706 hashsig = hashsig_def;
1707 }
1708 type = key->get_type(key);
1709 reader = bio_reader_create(hashsig);
1710 while (reader->remaining(reader) >= 2)
1711 {
1712 if (reader->read_uint16(reader, &scheme))
1713 {
1714 params = params_for_scheme(scheme);
1715 if (params &&
1716 type == key_type_from_signature_scheme(params->scheme) &&
1717 key->sign(key, params->scheme, params->params, data, &sig))
1718 {
1719 done = TRUE;
1720 break;
1721 }
1722 }
1723 }
1724 reader->destroy(reader);
1725 if (!done)
1726 {
1727 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1728 return FALSE;
1729 }
1730 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1731 scheme);
1732 writer->write_uint16(writer, scheme);
1733 writer->write_data16(writer, sig);
1734 free(sig.ptr);
1735 }
1736 else
1737 {
1738 chunk_t sig, hash;
1739 bool done;
1740
1741 switch (key->get_type(key))
1742 {
1743 case KEY_RSA:
1744 if (!hash_data(this, data, &hash))
1745 {
1746 return FALSE;
1747 }
1748 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1749 &sig);
1750 free(hash.ptr);
1751 if (!done)
1752 {
1753 return FALSE;
1754 }
1755 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1756 break;
1757 case KEY_ECDSA:
1758 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1759 {
1760 return FALSE;
1761 }
1762 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1763 break;
1764 default:
1765 return FALSE;
1766 }
1767 writer->write_data16(writer, sig);
1768 free(sig.ptr);
1769 }
1770 return TRUE;
1771 }
1772
1773 METHOD(tls_crypto_t, verify, bool,
1774 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1775 chunk_t data)
1776 {
1777 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1778 {
1779 signature_params_t *params;
1780 uint16_t scheme;
1781 chunk_t sig;
1782
1783 if (!reader->read_uint16(reader, &scheme) ||
1784 !reader->read_data16(reader, &sig))
1785 {
1786 DBG1(DBG_TLS, "received invalid signature");
1787 return FALSE;
1788 }
1789 params = params_for_scheme(scheme);
1790 if (!params)
1791 {
1792 DBG1(DBG_TLS, "signature algorithms %N not supported",
1793 tls_signature_scheme_names, scheme);
1794 return FALSE;
1795 }
1796 if (this->tls->get_version_max(this->tls) == TLS_1_3)
1797 {
1798 chunk_t transcript_hash;
1799
1800 if (!hash_data(this, data, &transcript_hash))
1801 {
1802 DBG1(DBG_TLS, "Unable to create transcript hash");
1803 return FALSE;
1804 }
1805
1806 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1807 }
1808 if (!key->verify(key, params->scheme, params->params, data, sig))
1809 {
1810 DBG1(DBG_TLS, "signature verification with %N failed",
1811 tls_signature_scheme_names, scheme);
1812 return FALSE;
1813 }
1814 DBG2(DBG_TLS, "verified signature with %N",
1815 tls_signature_scheme_names, scheme);
1816 }
1817 else
1818 {
1819 chunk_t sig, hash;
1820 bool done;
1821
1822 if (!reader->read_data16(reader, &sig))
1823 {
1824 DBG1(DBG_TLS, "received invalid signature");
1825 return FALSE;
1826 }
1827 switch (key->get_type(key))
1828 {
1829 case KEY_RSA:
1830 if (!hash_data(this, data, &hash))
1831 {
1832 return FALSE;
1833 }
1834 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1835 sig);
1836 free(hash.ptr);
1837 if (!done)
1838 {
1839 return FALSE;
1840 }
1841 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1842 break;
1843 case KEY_ECDSA:
1844 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1845 sig))
1846 {
1847 return FALSE;
1848 }
1849 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1850 break;
1851 default:
1852 return FALSE;
1853 }
1854 }
1855 return TRUE;
1856 }
1857
1858 METHOD(tls_crypto_t, sign_handshake, bool,
1859 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1860 chunk_t hashsig)
1861 {
1862 return sign(this, key, writer, this->handshake, hashsig);
1863 }
1864
1865 METHOD(tls_crypto_t, verify_handshake, bool,
1866 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1867 {
1868 return verify(this, key, reader, this->handshake);
1869 }
1870
1871 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
1872 private_tls_crypto_t *this, char *label, char out[12])
1873 {
1874 chunk_t seed;
1875
1876 if (!this->prf)
1877 {
1878 return FALSE;
1879 }
1880 if (!hash_data(this, this->handshake, &seed))
1881 {
1882 return FALSE;
1883 }
1884 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1885 {
1886 free(seed.ptr);
1887 return FALSE;
1888 }
1889 free(seed.ptr);
1890 return TRUE;
1891 }
1892
1893 METHOD(tls_crypto_t, calculate_finished, bool,
1894 private_tls_crypto_t *this, bool is_server, chunk_t *out)
1895 {
1896 chunk_t finished_key, finished_hash;
1897
1898 if (!this->hkdf)
1899 {
1900 return FALSE;
1901 }
1902 if (!hash_data(this, this->handshake, &finished_hash))
1903 {
1904 DBG1(DBG_TLS, "creating hash of handshake failed");
1905 return FALSE;
1906 }
1907 if (!this->hkdf->derive_finished(this->hkdf, is_server, &finished_key))
1908 {
1909 DBG1(DBG_TLS, "generating finished key failed");
1910 chunk_clear(&finished_hash);
1911 return FALSE;
1912 }
1913 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
1914 {
1915 DBG1(DBG_TLS, "generating finished HMAC failed");
1916 chunk_clear(&finished_key);
1917 chunk_clear(&finished_hash);
1918 return FALSE;
1919 }
1920 chunk_clear(&finished_key);
1921 chunk_clear(&finished_hash);
1922 return TRUE;
1923 }
1924
1925 /**
1926 * Derive master secret from premaster, optionally save session
1927 */
1928 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1929 chunk_t session, identification_t *id,
1930 chunk_t client_random, chunk_t server_random)
1931 {
1932 char master[48];
1933 chunk_t seed;
1934
1935 /* derive master secret */
1936 seed = chunk_cata("cc", client_random, server_random);
1937
1938 if (!this->prf->set_key(this->prf, premaster) ||
1939 !this->prf->get_bytes(this->prf, "master secret", seed,
1940 sizeof(master), master) ||
1941 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1942 {
1943 return FALSE;
1944 }
1945
1946 if (this->cache && session.len)
1947 {
1948 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1949 this->suite);
1950 }
1951 memwipe(master, sizeof(master));
1952 return TRUE;
1953 }
1954
1955 /**
1956 * Expand key material from master secret
1957 */
1958 static bool expand_keys(private_tls_crypto_t *this,
1959 chunk_t client_random, chunk_t server_random)
1960 {
1961 chunk_t seed, block;
1962 chunk_t cw_mac, cw, cw_iv;
1963 chunk_t sw_mac, sw, sw_iv;
1964 int mklen, eklen, ivlen;
1965
1966 if (!this->aead_in || !this->aead_out)
1967 {
1968 return FALSE;
1969 }
1970
1971 /* derive key block for key expansion */
1972 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1973 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1974 ivlen = this->aead_in->get_iv_size(this->aead_in);
1975 seed = chunk_cata("cc", server_random, client_random);
1976 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1977 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1978 block.len, block.ptr))
1979 {
1980 return FALSE;
1981 }
1982
1983 /* client/server write signer keys */
1984 cw_mac = chunk_create(block.ptr, mklen);
1985 block = chunk_skip(block, mklen);
1986 sw_mac = chunk_create(block.ptr, mklen);
1987 block = chunk_skip(block, mklen);
1988
1989 /* client/server write encryption keys */
1990 cw = chunk_create(block.ptr, eklen);
1991 block = chunk_skip(block, eklen);
1992 sw = chunk_create(block.ptr, eklen);
1993 block = chunk_skip(block, eklen);
1994
1995 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1996 cw_iv = chunk_create(block.ptr, ivlen);
1997 block = chunk_skip(block, ivlen);
1998 sw_iv = chunk_create(block.ptr, ivlen);
1999 block = chunk_skip(block, ivlen);
2000
2001 if (this->tls->is_server(this->tls))
2002 {
2003 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2004 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2005 {
2006 return FALSE;
2007 }
2008 }
2009 else
2010 {
2011 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2012 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2013 {
2014 return FALSE;
2015 }
2016 }
2017
2018 /* EAP-MSK */
2019 if (this->msk_label)
2020 {
2021 seed = chunk_cata("cc", client_random, server_random);
2022 this->msk = chunk_alloc(64);
2023 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2024 this->msk.len, this->msk.ptr))
2025 {
2026 return FALSE;
2027 }
2028 }
2029 return TRUE;
2030 }
2031
2032 METHOD(tls_crypto_t, derive_secrets, bool,
2033 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2034 identification_t *id, chunk_t client_random, chunk_t server_random)
2035 {
2036 return derive_master(this, premaster, session, id,
2037 client_random, server_random) &&
2038 expand_keys(this, client_random, server_random);
2039 }
2040
2041 /**
2042 * Derive and configure the client/server key/IV on an AEAD using a given label.
2043 */
2044 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2045 tls_hkdf_label_t label, tls_aead_t *aead)
2046 {
2047 chunk_t key = chunk_empty, iv = chunk_empty;
2048 bool success = FALSE;
2049
2050 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2051 NULL) ||
2052 !this->hkdf->derive_key(this->hkdf, server,
2053 aead->get_encr_key_size(aead), &key) ||
2054 !this->hkdf->derive_iv(this->hkdf, server,
2055 aead->get_iv_size(aead), &iv))
2056 {
2057 DBG1(DBG_TLS, "deriving key material failed");
2058 goto out;
2059 }
2060
2061 if (!aead->set_keys(aead, chunk_empty, key, iv))
2062 {
2063 DBG1(DBG_TLS, "setting AEAD key material failed");
2064 goto out;
2065 }
2066 success = TRUE;
2067
2068 out:
2069 chunk_clear(&key);
2070 chunk_clear(&iv);
2071 return success;
2072 }
2073
2074 /**
2075 * Derive and configure the keys/IVs using the given labels.
2076 */
2077 static bool derive_labeled_keys(private_tls_crypto_t *this,
2078 tls_hkdf_label_t client_label,
2079 tls_hkdf_label_t server_label)
2080 {
2081 tls_aead_t *aead_c = this->aead_out, *aead_s = this->aead_in;
2082
2083 if (this->tls->is_server(this->tls))
2084 {
2085 aead_c = this->aead_in;
2086 aead_s = this->aead_out;
2087 }
2088 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2089 derive_labeled_key(this, TRUE, server_label, aead_s);
2090 }
2091
2092 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2093 private_tls_crypto_t *this, chunk_t shared_secret)
2094 {
2095 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2096 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2097 TLS_HKDF_S_HS_TRAFFIC);
2098 }
2099
2100 METHOD(tls_crypto_t, derive_app_keys, bool,
2101 private_tls_crypto_t *this)
2102 {
2103 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2104 TLS_HKDF_S_AP_TRAFFIC))
2105 {
2106 return FALSE;
2107 }
2108
2109 /* EAP-MSK */
2110 if (this->msk_label)
2111 {
2112 /* because the length is encoded when expanding key material, we
2113 * request the same number of bytes as FreeRADIUS (the first 64 for
2114 * the MSK, the next for the EMSK, which we just ignore) */
2115 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2116 this->handshake, 128, &this->msk))
2117 {
2118 return FALSE;
2119 }
2120 this->msk.len = 64;
2121 }
2122 return TRUE;
2123 }
2124
2125 METHOD(tls_crypto_t, update_app_keys, bool,
2126 private_tls_crypto_t *this, bool inbound)
2127 {
2128 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2129
2130 if (this->tls->is_server(this->tls) != inbound)
2131 {
2132 label = TLS_HKDF_UPD_S_TRAFFIC;
2133 }
2134 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2135 inbound ? this->aead_in : this->aead_out);
2136 }
2137
2138 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2139 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2140 chunk_t client_random, chunk_t server_random)
2141 {
2142 chunk_t master;
2143
2144 if (this->cache && session.len)
2145 {
2146 this->suite = this->cache->lookup(this->cache, session, id, &master);
2147 if (this->suite)
2148 {
2149 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2150 if (this->suite)
2151 {
2152 if (!this->prf->set_key(this->prf, master) ||
2153 !expand_keys(this, client_random, server_random))
2154 {
2155 this->suite = 0;
2156 }
2157 }
2158 chunk_clear(&master);
2159 }
2160 return this->suite;
2161 }
2162 return 0;
2163 }
2164
2165 METHOD(tls_crypto_t, get_session, chunk_t,
2166 private_tls_crypto_t *this, identification_t *server)
2167 {
2168 if (this->cache)
2169 {
2170 return this->cache->check(this->cache, server);
2171 }
2172 return chunk_empty;
2173 }
2174
2175 METHOD(tls_crypto_t, change_cipher, void,
2176 private_tls_crypto_t *this, bool inbound)
2177 {
2178 if (this->protection)
2179 {
2180 if (inbound)
2181 {
2182 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2183 }
2184 else
2185 {
2186 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2187 }
2188 }
2189 }
2190
2191 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2192 private_tls_crypto_t *this)
2193 {
2194 return this->msk;
2195 }
2196
2197 METHOD(tls_crypto_t, destroy, void,
2198 private_tls_crypto_t *this)
2199 {
2200 destroy_aeads(this);
2201 free(this->handshake.ptr);
2202 free(this->msk.ptr);
2203 DESTROY_IF(this->prf);
2204 DESTROY_IF(this->hkdf);
2205 free(this->suites);
2206 free(this);
2207 }
2208
2209 /**
2210 * See header
2211 */
2212 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2213 {
2214 private_tls_crypto_t *this;
2215 enumerator_t *enumerator;
2216 credential_type_t type;
2217 int subtype;
2218
2219 INIT(this,
2220 .public = {
2221 .get_cipher_suites = _get_cipher_suites,
2222 .select_cipher_suite = _select_cipher_suite,
2223 .get_dh_group = _get_dh_group,
2224 .get_signature_algorithms = _get_signature_algorithms,
2225 .create_ec_enumerator = _create_ec_enumerator,
2226 .set_protection = _set_protection,
2227 .append_handshake = _append_handshake,
2228 .hash_handshake = _hash_handshake,
2229 .sign = _sign,
2230 .verify = _verify,
2231 .sign_handshake = _sign_handshake,
2232 .verify_handshake = _verify_handshake,
2233 .calculate_finished_legacy = _calculate_finished_legacy,
2234 .calculate_finished = _calculate_finished,
2235 .derive_secrets = _derive_secrets,
2236 .derive_handshake_keys = _derive_handshake_keys,
2237 .derive_app_keys = _derive_app_keys,
2238 .update_app_keys = _update_app_keys,
2239 .resume_session = _resume_session,
2240 .get_session = _get_session,
2241 .change_cipher = _change_cipher,
2242 .get_eap_msk = _get_eap_msk,
2243 .destroy = _destroy,
2244 },
2245 .tls = tls,
2246 .cache = cache,
2247 );
2248
2249 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2250 while (enumerator->enumerate(enumerator, &type, &subtype))
2251 {
2252 if (type == CRED_PUBLIC_KEY)
2253 {
2254 switch (subtype)
2255 {
2256 case KEY_RSA:
2257 this->rsa = TRUE;
2258 break;
2259 case KEY_ECDSA:
2260 this->ecdsa = TRUE;
2261 break;
2262 default:
2263 break;
2264 }
2265 }
2266 }
2267 enumerator->destroy(enumerator);
2268
2269 switch (tls->get_purpose(tls))
2270 {
2271 case TLS_PURPOSE_EAP_TLS:
2272 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2273 this->msk_label = "client EAP encryption";
2274 break;
2275 case TLS_PURPOSE_EAP_PEAP:
2276 this->msk_label = "client EAP encryption";
2277 break;
2278 case TLS_PURPOSE_EAP_TTLS:
2279 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2280 this->msk_label = "ttls keying material";
2281 break;
2282 default:
2283 break;
2284 }
2285 return &this->public;
2286 }
2287
2288 /**
2289 * See header.
2290 */
2291 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2292 tls_cipher_suite_t **out)
2293 {
2294 suite_algs_t suites[countof(suite_algs)];
2295 int count = 0, i;
2296
2297 /* initialize copy of suite list */
2298 for (i = 0; i < countof(suite_algs); i++)
2299 {
2300 if (suite_algs[i].min_version <= version &&
2301 suite_algs[i].max_version >= version)
2302 {
2303 suites[count++] = suite_algs[i];
2304 }
2305 }
2306
2307 filter_unsupported_suites(suites, &count);
2308
2309 if (!null)
2310 {
2311 filter_null_suites(suites, &count);
2312 }
2313
2314 if (out)
2315 {
2316 *out = calloc(count, sizeof(tls_cipher_suite_t));
2317 for (i = 0; i < count; i++)
2318 {
2319 (*out)[i] = suites[i].suite;
2320 }
2321 }
2322 return count;
2323 }