Added TLS specific EC point formats
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * All handshake data concatentated
374 */
375 chunk_t handshake;
376
377 /**
378 * Connection state TLS PRF
379 */
380 tls_prf_t *prf;
381
382 /**
383 * Signer instance for inbound traffic
384 */
385 signer_t *signer_in;
386
387 /**
388 * Signer instance for outbound traffic
389 */
390 signer_t *signer_out;
391
392 /**
393 * Crypter instance for inbound traffic
394 */
395 crypter_t *crypter_in;
396
397 /**
398 * Crypter instance for outbound traffic
399 */
400 crypter_t *crypter_out;
401
402 /**
403 * IV for input decryption, if < TLSv1.2
404 */
405 chunk_t iv_in;
406
407 /**
408 * IV for output decryption, if < TLSv1.2
409 */
410 chunk_t iv_out;
411
412 /**
413 * EAP-[T]TLS MSK
414 */
415 chunk_t msk;
416
417 /**
418 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
419 */
420 char *msk_label;
421 };
422
423 typedef struct {
424 tls_cipher_suite_t suite;
425 key_type_t key;
426 diffie_hellman_group_t dh;
427 hash_algorithm_t hash;
428 pseudo_random_function_t prf;
429 integrity_algorithm_t mac;
430 encryption_algorithm_t encr;
431 size_t encr_size;
432 } suite_algs_t;
433
434 /**
435 * Mapping suites to a set of algorithms
436 */
437 static suite_algs_t suite_algs[] = {
438 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
439 KEY_ECDSA, ECP_256_BIT,
440 HASH_SHA1, PRF_HMAC_SHA1,
441 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
442 },
443 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
444 KEY_ECDSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
449 KEY_ECDSA, ECP_384_BIT,
450 HASH_SHA1, PRF_HMAC_SHA1,
451 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
452 },
453 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
454 KEY_ECDSA, ECP_384_BIT,
455 HASH_SHA384, PRF_HMAC_SHA2_384,
456 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
459 KEY_RSA, ECP_256_BIT,
460 HASH_SHA1, PRF_HMAC_SHA1,
461 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
462 },
463 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
464 KEY_RSA, ECP_256_BIT,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
467 },
468 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
469 KEY_RSA, ECP_384_BIT,
470 HASH_SHA1, PRF_HMAC_SHA1,
471 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
472 },
473 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
474 KEY_RSA, ECP_384_BIT,
475 HASH_SHA384, PRF_HMAC_SHA2_384,
476 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
477 },
478 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
479 KEY_RSA, MODP_2048_BIT,
480 HASH_SHA1, PRF_HMAC_SHA1,
481 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
482 },
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
484 KEY_RSA, MODP_3072_BIT,
485 HASH_SHA256, PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA1, PRF_HMAC_SHA1,
491 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
492 },
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
494 KEY_RSA, MODP_4096_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
499 KEY_RSA, MODP_2048_BIT,
500 HASH_SHA1, PRF_HMAC_SHA1,
501 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
502 },
503 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
504 KEY_RSA, MODP_3072_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
507 },
508 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
509 KEY_RSA, MODP_3072_BIT,
510 HASH_SHA1, PRF_HMAC_SHA1,
511 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
512 },
513 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
514 KEY_RSA, MODP_4096_BIT,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
517 },
518 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
519 KEY_RSA, MODP_2048_BIT,
520 HASH_SHA1, PRF_HMAC_SHA1,
521 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
522 },
523 { TLS_RSA_WITH_AES_128_CBC_SHA,
524 KEY_RSA, MODP_NONE,
525 HASH_SHA1, PRF_HMAC_SHA1,
526 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
527 },
528 { TLS_RSA_WITH_AES_128_CBC_SHA256,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
532 },
533 { TLS_RSA_WITH_AES_256_CBC_SHA,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA1, PRF_HMAC_SHA1,
536 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
537 },
538 { TLS_RSA_WITH_AES_256_CBC_SHA256,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
542 },
543 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA1, PRF_HMAC_SHA1,
546 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
547 },
548 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
552 },
553 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
554 KEY_RSA, MODP_NONE,
555 HASH_SHA1, PRF_HMAC_SHA1,
556 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
557 },
558 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
562 },
563 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
564 KEY_ECDSA, ECP_256_BIT,
565 HASH_SHA1, PRF_HMAC_SHA1,
566 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
567 },
568 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
569 KEY_RSA, ECP_256_BIT,
570 HASH_SHA1, PRF_HMAC_SHA1,
571 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
572 },
573 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
574 KEY_RSA, MODP_NONE,
575 HASH_SHA1, PRF_HMAC_SHA1,
576 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
577 },
578 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
579 KEY_ECDSA, ECP_256_BIT,
580 HASH_SHA1, PRF_HMAC_SHA1,
581 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
582 },
583 { TLS_ECDHE_RSA_WITH_NULL_SHA,
584 KEY_ECDSA, ECP_256_BIT,
585 HASH_SHA1, PRF_HMAC_SHA1,
586 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
587 },
588 { TLS_RSA_WITH_NULL_SHA,
589 KEY_RSA, MODP_NONE,
590 HASH_SHA1, PRF_HMAC_SHA1,
591 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
592 },
593 { TLS_RSA_WITH_NULL_SHA256,
594 KEY_RSA, MODP_NONE,
595 HASH_SHA256, PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
597 },
598 { TLS_RSA_WITH_NULL_MD5,
599 KEY_RSA, MODP_NONE,
600 HASH_MD5, PRF_HMAC_MD5,
601 AUTH_HMAC_MD5_128, ENCR_NULL, 0
602 },
603 };
604
605 /**
606 * Look up algoritms by a suite
607 */
608 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
609 {
610 int i;
611
612 for (i = 0; i < countof(suite_algs); i++)
613 {
614 if (suite_algs[i].suite == suite)
615 {
616 return &suite_algs[i];
617 }
618 }
619 return NULL;
620 }
621
622 /**
623 * Filter a suite list using a transform enumerator
624 */
625 static void filter_suite(private_tls_crypto_t *this,
626 suite_algs_t suites[], int *count, int offset,
627 enumerator_t*(*create_enumerator)(crypto_factory_t*))
628 {
629 suite_algs_t current;
630 int i, remaining = 0;
631 enumerator_t *enumerator;
632
633 memset(&current, 0, sizeof(current));
634 for (i = 0; i < *count; i++)
635 {
636 enumerator = create_enumerator(lib->crypto);
637 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
638 {
639 if ((suites[i].encr == ENCR_NULL ||
640 !current.encr || current.encr == suites[i].encr) &&
641 (!current.mac || current.mac == suites[i].mac) &&
642 (!current.prf || current.prf == suites[i].prf) &&
643 (!current.hash || current.hash == suites[i].hash) &&
644 (suites[i].dh == MODP_NONE ||
645 !current.dh || current.dh == suites[i].dh))
646 {
647 suites[remaining] = suites[i];
648 remaining++;
649 break;
650 }
651 }
652 enumerator->destroy(enumerator);
653 }
654 *count = remaining;
655 }
656
657 /**
658 * Purge NULL encryption cipher suites from list
659 */
660 static void filter_null_suites(private_tls_crypto_t *this,
661 suite_algs_t suites[], int *count)
662 {
663 int i, remaining = 0;
664
665 for (i = 0; i < *count; i++)
666 {
667 if (suites[i].encr != ENCR_NULL)
668 {
669 suites[remaining] = suites[i];
670 remaining++;
671 }
672 }
673 *count = remaining;
674 }
675
676 /**
677 * Purge suites using a given key type
678 */
679 static void filter_key_suites(private_tls_crypto_t *this,
680 suite_algs_t suites[], int *count, key_type_t key)
681 {
682 int i, remaining = 0;
683
684 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
685 for (i = 0; i < *count; i++)
686 {
687 if (suites[i].key != key)
688 {
689 suites[remaining] = suites[i];
690 remaining++;
691 }
692 }
693 *count = remaining;
694 }
695
696 /**
697 * Filter suites by key exchange user config
698 */
699 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
700 suite_algs_t suites[], int *count)
701 {
702 enumerator_t *enumerator;
703 int i, remaining = 0;
704 char *token, *config;
705
706 config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
707 if (config)
708 {
709 for (i = 0; i < *count; i++)
710 {
711 enumerator = enumerator_create_token(config, ",", " ");
712 while (enumerator->enumerate(enumerator, &token))
713 {
714 if (strcaseeq(token, "ecdhe-ecdsa") &&
715 diffie_hellman_group_is_ec(suites[i].dh) &&
716 suites[i].key == KEY_ECDSA)
717 {
718 suites[remaining++] = suites[i];
719 break;
720 }
721 if (strcaseeq(token, "ecdhe-rsa") &&
722 diffie_hellman_group_is_ec(suites[i].dh) &&
723 suites[i].key == KEY_RSA)
724 {
725 suites[remaining++] = suites[i];
726 break;
727 }
728 if (strcaseeq(token, "dhe-rsa") &&
729 !diffie_hellman_group_is_ec(suites[i].dh) &&
730 suites[i].dh != MODP_NONE &&
731 suites[i].key == KEY_RSA)
732 {
733 suites[remaining++] = suites[i];
734 break;
735 }
736 if (strcaseeq(token, "rsa") &&
737 suites[i].dh == MODP_NONE &&
738 suites[i].key == KEY_RSA)
739 {
740 suites[remaining++] = suites[i];
741 break;
742 }
743 }
744 enumerator->destroy(enumerator);
745 }
746 *count = remaining;
747 }
748 }
749
750 /**
751 * Filter suites by cipher user config
752 */
753 static void filter_cipher_config_suites(private_tls_crypto_t *this,
754 suite_algs_t suites[], int *count)
755 {
756 enumerator_t *enumerator;
757 int i, remaining = 0;
758 char *token, *config;
759
760 config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
761 if (config)
762 {
763 for (i = 0; i < *count; i++)
764 {
765 enumerator = enumerator_create_token(config, ",", " ");
766 while (enumerator->enumerate(enumerator, &token))
767 {
768 if (strcaseeq(token, "aes128") &&
769 suites[i].encr == ENCR_AES_CBC &&
770 suites[i].encr_size == 16)
771 {
772 suites[remaining++] = suites[i];
773 break;
774 }
775 if (strcaseeq(token, "aes256") &&
776 suites[i].encr == ENCR_AES_CBC &&
777 suites[i].encr_size == 32)
778 {
779 suites[remaining++] = suites[i];
780 break;
781 }
782 if (strcaseeq(token, "camellia128") &&
783 suites[i].encr == ENCR_CAMELLIA_CBC &&
784 suites[i].encr_size == 16)
785 {
786 suites[remaining++] = suites[i];
787 break;
788 }
789 if (strcaseeq(token, "camellia256") &&
790 suites[i].encr == ENCR_CAMELLIA_CBC &&
791 suites[i].encr_size == 32)
792 {
793 suites[remaining++] = suites[i];
794 break;
795 }
796 if (strcaseeq(token, "3des") &&
797 suites[i].encr == ENCR_3DES)
798 {
799 suites[remaining++] = suites[i];
800 break;
801 }
802 if (strcaseeq(token, "null") &&
803 suites[i].encr == ENCR_NULL)
804 {
805 suites[remaining++] = suites[i];
806 break;
807 }
808 }
809 enumerator->destroy(enumerator);
810 }
811 *count = remaining;
812 }
813 }
814
815 /**
816 * Filter suites by mac user config
817 */
818 static void filter_mac_config_suites(private_tls_crypto_t *this,
819 suite_algs_t suites[], int *count)
820 {
821 enumerator_t *enumerator;
822 int i, remaining = 0;
823 char *token, *config;
824
825 config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
826 if (config)
827 {
828 for (i = 0; i < *count; i++)
829 {
830 enumerator = enumerator_create_token(config, ",", " ");
831 while (enumerator->enumerate(enumerator, &token))
832 {
833 if (strcaseeq(token, "md5") &&
834 suites[i].hash == HASH_MD5)
835 {
836 suites[remaining++] = suites[i];
837 break;
838 }
839 if (strcaseeq(token, "sha1") &&
840 suites[i].hash == HASH_SHA1)
841 {
842 suites[remaining++] = suites[i];
843 break;
844 }
845 if (strcaseeq(token, "sha256") &&
846 suites[i].hash == HASH_SHA256)
847 {
848 suites[remaining++] = suites[i];
849 break;
850 }
851 if (strcaseeq(token, "sha384") &&
852 suites[i].hash == HASH_SHA384)
853 {
854 suites[remaining++] = suites[i];
855 break;
856 }
857 }
858 enumerator->destroy(enumerator);
859 }
860 *count = remaining;
861 }
862 }
863
864 /**
865 * Filter for specific suites specified in strongswan.conf
866 */
867 static void filter_specific_config_suites(private_tls_crypto_t *this,
868 suite_algs_t suites[], int *count)
869 {
870 enumerator_t *enumerator;
871 int i, remaining = 0, suite;
872 char *token, *config;
873
874 config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
875 if (config)
876 {
877 for (i = 0; i < *count; i++)
878 {
879 enumerator = enumerator_create_token(config, ",", " ");
880 while (enumerator->enumerate(enumerator, &token))
881 {
882 suite = enum_from_name(tls_cipher_suite_names, token);
883 if (suite == suites[i].suite)
884 {
885 suites[remaining++] = suites[i];
886 break;
887 }
888 }
889 enumerator->destroy(enumerator);
890 }
891 *count = remaining;
892 }
893 }
894
895 /**
896 * Initialize the cipher suite list
897 */
898 static void build_cipher_suite_list(private_tls_crypto_t *this,
899 bool require_encryption)
900 {
901 suite_algs_t suites[countof(suite_algs)];
902 int count = countof(suite_algs), i;
903
904 /* copy all suites */
905 for (i = 0; i < count; i++)
906 {
907 suites[i] = suite_algs[i];
908 }
909 if (require_encryption)
910 {
911 filter_null_suites(this, suites, &count);
912 }
913 if (!this->rsa)
914 {
915 filter_key_suites(this, suites, &count, KEY_RSA);
916 }
917 if (!this->ecdsa)
918 {
919 filter_key_suites(this, suites, &count, KEY_ECDSA);
920 }
921
922 /* filter suite list by each algorithm */
923 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
924 lib->crypto->create_crypter_enumerator);
925 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
926 lib->crypto->create_signer_enumerator);
927 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
928 lib->crypto->create_prf_enumerator);
929 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
930 lib->crypto->create_hasher_enumerator);
931 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
932 lib->crypto->create_dh_enumerator);
933
934 /* filter suites with strongswan.conf options */
935 filter_key_exchange_config_suites(this, suites, &count);
936 filter_cipher_config_suites(this, suites, &count);
937 filter_mac_config_suites(this, suites, &count);
938 filter_specific_config_suites(this, suites, &count);
939
940 free(this->suites);
941 this->suite_count = count;
942 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
943
944 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
945 for (i = 0; i < count; i++)
946 {
947 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
948 this->suites[i] = suites[i].suite;
949 }
950 }
951
952 METHOD(tls_crypto_t, get_cipher_suites, int,
953 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
954 {
955 *suites = this->suites;
956 return this->suite_count;
957 }
958
959 /**
960 * Create crypto primitives
961 */
962 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
963 {
964 DESTROY_IF(this->prf);
965 if (this->tls->get_version(this->tls) < TLS_1_2)
966 {
967 this->prf = tls_prf_create_10();
968 }
969 else
970 {
971 this->prf = tls_prf_create_12(algs->prf);
972 }
973 if (!this->prf)
974 {
975 DBG1(DBG_TLS, "selected TLS PRF not supported");
976 return FALSE;
977 }
978
979 DESTROY_IF(this->signer_in);
980 DESTROY_IF(this->signer_out);
981 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
982 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
983 if (!this->signer_in || !this->signer_out)
984 {
985 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
986 integrity_algorithm_names, algs->mac);
987 return FALSE;
988 }
989
990 DESTROY_IF(this->crypter_in);
991 DESTROY_IF(this->crypter_out);
992 if (algs->encr == ENCR_NULL)
993 {
994 this->crypter_in = this->crypter_out = NULL;
995 }
996 else
997 {
998 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
999 algs->encr, algs->encr_size);
1000 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
1001 algs->encr, algs->encr_size);
1002 if (!this->crypter_in || !this->crypter_out)
1003 {
1004 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
1005 encryption_algorithm_names, algs->encr);
1006 return FALSE;
1007 }
1008 }
1009 return TRUE;
1010 }
1011
1012 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1013 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1014 key_type_t key)
1015 {
1016 suite_algs_t *algs;
1017 int i, j;
1018
1019 for (i = 0; i < this->suite_count; i++)
1020 {
1021 for (j = 0; j < count; j++)
1022 {
1023 if (this->suites[i] == suites[j])
1024 {
1025 algs = find_suite(this->suites[i]);
1026 if (algs)
1027 {
1028 if (key == KEY_ANY || key == algs->key)
1029 {
1030 if (create_ciphers(this, algs))
1031 {
1032 this->suite = this->suites[i];
1033 return this->suite;
1034 }
1035 }
1036 }
1037 }
1038 }
1039 }
1040 return 0;
1041 }
1042
1043 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1044 private_tls_crypto_t *this)
1045 {
1046 suite_algs_t *algs;
1047
1048 algs = find_suite(this->suite);
1049 if (algs)
1050 {
1051 return algs->dh;
1052 }
1053 return MODP_NONE;
1054 }
1055
1056 METHOD(tls_crypto_t, get_signature_algorithms, void,
1057 private_tls_crypto_t *this, tls_writer_t *writer)
1058 {
1059 tls_writer_t *supported;
1060 enumerator_t *enumerator;
1061 hash_algorithm_t alg;
1062 tls_hash_algorithm_t hash;
1063
1064 supported = tls_writer_create(32);
1065 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1066 while (enumerator->enumerate(enumerator, &alg))
1067 {
1068 switch (alg)
1069 {
1070 case HASH_MD5:
1071 hash = TLS_HASH_MD5;
1072 break;
1073 case HASH_SHA1:
1074 hash = TLS_HASH_SHA1;
1075 break;
1076 case HASH_SHA224:
1077 hash = TLS_HASH_SHA224;
1078 break;
1079 case HASH_SHA256:
1080 hash = TLS_HASH_SHA256;
1081 break;
1082 case HASH_SHA384:
1083 hash = TLS_HASH_SHA384;
1084 break;
1085 case HASH_SHA512:
1086 hash = TLS_HASH_SHA512;
1087 break;
1088 default:
1089 continue;
1090 }
1091 if (this->rsa)
1092 {
1093 supported->write_uint8(supported, hash);
1094 supported->write_uint8(supported, TLS_SIG_RSA);
1095 }
1096 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1097 { /* currently we have no signature scheme for MD5/SHA224 */
1098 supported->write_uint8(supported, hash);
1099 supported->write_uint8(supported, TLS_SIG_ECDSA);
1100 }
1101 }
1102 enumerator->destroy(enumerator);
1103
1104 writer->write_data16(writer, supported->get_buf(supported));
1105 supported->destroy(supported);
1106 }
1107
1108 /**
1109 * Mapping groups to TLS named curves
1110 */
1111 static struct {
1112 diffie_hellman_group_t group;
1113 tls_named_curve_t curve;
1114 } curves[] = {
1115 { ECP_256_BIT, TLS_SECP256R1},
1116 { ECP_384_BIT, TLS_SECP384R1},
1117 { ECP_521_BIT, TLS_SECP521R1},
1118 { ECP_224_BIT, TLS_SECP224R1},
1119 { ECP_192_BIT, TLS_SECP192R1},
1120 };
1121
1122 /**
1123 * Filter EC groups, add TLS curve
1124 */
1125 static bool group_filter(void *null,
1126 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1127 void* dummy1, tls_named_curve_t *curve)
1128 {
1129 int i;
1130
1131 for (i = 0; i < countof(curves); i++)
1132 {
1133 if (curves[i].group == *in)
1134 {
1135 if (out)
1136 {
1137 *out = curves[i].group;
1138 }
1139 if (curve)
1140 {
1141 *curve = curves[i].curve;
1142 }
1143 return TRUE;
1144 }
1145 }
1146 return FALSE;
1147 }
1148
1149 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1150 private_tls_crypto_t *this)
1151 {
1152 return enumerator_create_filter(
1153 lib->crypto->create_dh_enumerator(lib->crypto),
1154 (void*)group_filter, NULL, NULL);
1155 }
1156
1157 METHOD(tls_crypto_t, set_protection, void,
1158 private_tls_crypto_t *this, tls_protection_t *protection)
1159 {
1160 this->protection = protection;
1161 }
1162
1163 METHOD(tls_crypto_t, append_handshake, void,
1164 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1165 {
1166 u_int32_t header;
1167
1168 /* reconstruct handshake header */
1169 header = htonl(data.len | (type << 24));
1170 this->handshake = chunk_cat("mcc", this->handshake,
1171 chunk_from_thing(header), data);
1172 }
1173
1174 /**
1175 * Create a hash using the suites HASH algorithm
1176 */
1177 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1178 {
1179 if (this->tls->get_version(this->tls) >= TLS_1_2)
1180 {
1181 hasher_t *hasher;
1182 suite_algs_t *alg;
1183
1184 alg = find_suite(this->suite);
1185 if (!alg)
1186 {
1187 return FALSE;
1188 }
1189 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1190 if (!hasher)
1191 {
1192 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1193 return FALSE;
1194 }
1195 hasher->allocate_hash(hasher, data, hash);
1196 hasher->destroy(hasher);
1197 }
1198 else
1199 {
1200 hasher_t *md5, *sha1;
1201 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1202
1203 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1204 if (!md5)
1205 {
1206 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1207 return FALSE;
1208 }
1209 md5->get_hash(md5, data, buf);
1210 md5->destroy(md5);
1211 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1212 if (!sha1)
1213 {
1214 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1215 return FALSE;
1216 }
1217 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
1218 sha1->destroy(sha1);
1219
1220 *hash = chunk_clone(chunk_from_thing(buf));
1221 }
1222 return TRUE;
1223 }
1224
1225 /**
1226 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1227 */
1228 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1229 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1230 {
1231 switch (sig)
1232 {
1233 case TLS_SIG_RSA:
1234 if (type != KEY_RSA)
1235 {
1236 return SIGN_UNKNOWN;
1237 }
1238 switch (hash)
1239 {
1240 case TLS_HASH_MD5:
1241 return SIGN_RSA_EMSA_PKCS1_MD5;
1242 case TLS_HASH_SHA1:
1243 return SIGN_RSA_EMSA_PKCS1_SHA1;
1244 case TLS_HASH_SHA224:
1245 return SIGN_RSA_EMSA_PKCS1_SHA224;
1246 case TLS_HASH_SHA256:
1247 return SIGN_RSA_EMSA_PKCS1_SHA256;
1248 case TLS_HASH_SHA384:
1249 return SIGN_RSA_EMSA_PKCS1_SHA384;
1250 case TLS_HASH_SHA512:
1251 return SIGN_RSA_EMSA_PKCS1_SHA512;
1252 default:
1253 return SIGN_UNKNOWN;
1254 }
1255 case TLS_SIG_ECDSA:
1256 if (type != KEY_ECDSA)
1257 {
1258 return SIGN_UNKNOWN;
1259 }
1260 switch (hash)
1261 {
1262 case TLS_HASH_SHA224:
1263 return SIGN_ECDSA_WITH_SHA1_DER;
1264 case TLS_HASH_SHA256:
1265 return SIGN_ECDSA_WITH_SHA256_DER;
1266 case TLS_HASH_SHA384:
1267 return SIGN_ECDSA_WITH_SHA384_DER;
1268 case TLS_HASH_SHA512:
1269 return SIGN_ECDSA_WITH_SHA512_DER;
1270 default:
1271 return SIGN_UNKNOWN;
1272 }
1273 default:
1274 return SIGN_UNKNOWN;
1275 }
1276 }
1277
1278 METHOD(tls_crypto_t, sign, bool,
1279 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1280 chunk_t data, chunk_t hashsig)
1281 {
1282 if (this->tls->get_version(this->tls) >= TLS_1_2)
1283 {
1284 signature_scheme_t scheme;
1285 tls_reader_t *reader;
1286 u_int8_t hash, alg;
1287 chunk_t sig;
1288 bool done = FALSE;
1289
1290 if (!hashsig.len)
1291 { /* fallback if none given */
1292 hashsig = chunk_from_chars(
1293 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1294 }
1295 reader = tls_reader_create(hashsig);
1296 while (reader->remaining(reader) >= 2)
1297 {
1298 if (reader->read_uint8(reader, &hash) &&
1299 reader->read_uint8(reader, &alg))
1300 {
1301 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1302 if (scheme != SIGN_UNKNOWN &&
1303 key->sign(key, scheme, data, &sig))
1304 {
1305 done = TRUE;
1306 break;
1307 }
1308 }
1309 }
1310 reader->destroy(reader);
1311 if (!done)
1312 {
1313 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1314 return FALSE;
1315 }
1316 DBG2(DBG_TLS, "created signature with %N/%N",
1317 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1318 writer->write_uint8(writer, hash);
1319 writer->write_uint8(writer, alg);
1320 writer->write_data16(writer, sig);
1321 free(sig.ptr);
1322 }
1323 else
1324 {
1325 chunk_t sig, hash;
1326 bool done;
1327
1328 switch (key->get_type(key))
1329 {
1330 case KEY_RSA:
1331 if (!hash_data(this, data, &hash))
1332 {
1333 return FALSE;
1334 }
1335 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1336 free(hash.ptr);
1337 if (!done)
1338 {
1339 return FALSE;
1340 }
1341 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1342 break;
1343 case KEY_ECDSA:
1344 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1345 {
1346 return FALSE;
1347 }
1348 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1349 break;
1350 default:
1351 return FALSE;
1352 }
1353 writer->write_data16(writer, sig);
1354 free(sig.ptr);
1355 }
1356 return TRUE;
1357 }
1358
1359 METHOD(tls_crypto_t, verify, bool,
1360 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1361 chunk_t data)
1362 {
1363 if (this->tls->get_version(this->tls) >= TLS_1_2)
1364 {
1365 signature_scheme_t scheme = SIGN_UNKNOWN;
1366 u_int8_t hash, alg;
1367 chunk_t sig;
1368
1369 if (!reader->read_uint8(reader, &hash) ||
1370 !reader->read_uint8(reader, &alg) ||
1371 !reader->read_data16(reader, &sig))
1372 {
1373 DBG1(DBG_TLS, "received invalid signature");
1374 return FALSE;
1375 }
1376 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1377 if (scheme == SIGN_UNKNOWN)
1378 {
1379 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1380 tls_hash_algorithm_names, hash,
1381 tls_signature_algorithm_names, alg);
1382 return FALSE;
1383 }
1384 if (!key->verify(key, scheme, data, sig))
1385 {
1386 return FALSE;
1387 }
1388 DBG2(DBG_TLS, "verified signature with %N/%N",
1389 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1390 }
1391 else
1392 {
1393 chunk_t sig, hash;
1394 bool done;
1395
1396 if (!reader->read_data16(reader, &sig))
1397 {
1398 DBG1(DBG_TLS, "received invalid signature");
1399 return FALSE;
1400 }
1401 switch (key->get_type(key))
1402 {
1403 case KEY_RSA:
1404 if (!hash_data(this, data, &hash))
1405 {
1406 return FALSE;
1407 }
1408 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1409 free(hash.ptr);
1410 if (!done)
1411 {
1412 return FALSE;
1413 }
1414 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1415 break;
1416 case KEY_ECDSA:
1417 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1418 {
1419 return FALSE;
1420 }
1421 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1422 break;
1423 default:
1424 return FALSE;
1425 }
1426 }
1427 return TRUE;
1428 }
1429
1430 METHOD(tls_crypto_t, sign_handshake, bool,
1431 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1432 chunk_t hashsig)
1433 {
1434 return sign(this, key, writer, this->handshake, hashsig);
1435 }
1436
1437 METHOD(tls_crypto_t, verify_handshake, bool,
1438 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1439 {
1440 return verify(this, key, reader, this->handshake);
1441 }
1442
1443 METHOD(tls_crypto_t, calculate_finished, bool,
1444 private_tls_crypto_t *this, char *label, char out[12])
1445 {
1446 chunk_t seed;
1447
1448 if (!this->prf)
1449 {
1450 return FALSE;
1451 }
1452 if (!hash_data(this, this->handshake, &seed))
1453 {
1454 return FALSE;
1455 }
1456 this->prf->get_bytes(this->prf, label, seed, 12, out);
1457 free(seed.ptr);
1458 return TRUE;
1459 }
1460
1461 METHOD(tls_crypto_t, derive_secrets, void,
1462 private_tls_crypto_t *this, chunk_t premaster,
1463 chunk_t client_random, chunk_t server_random)
1464 {
1465 char master[48];
1466 chunk_t seed, block, client_write, server_write;
1467 int mks, eks = 0, ivs = 0;
1468
1469 /* derive master secret */
1470 seed = chunk_cata("cc", client_random, server_random);
1471 this->prf->set_key(this->prf, premaster);
1472 this->prf->get_bytes(this->prf, "master secret", seed,
1473 sizeof(master), master);
1474
1475 this->prf->set_key(this->prf, chunk_from_thing(master));
1476 memset(master, 0, sizeof(master));
1477
1478 /* derive key block for key expansion */
1479 mks = this->signer_out->get_key_size(this->signer_out);
1480 if (this->crypter_out)
1481 {
1482 eks = this->crypter_out->get_key_size(this->crypter_out);
1483 if (this->tls->get_version(this->tls) < TLS_1_1)
1484 {
1485 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1486 }
1487 }
1488 seed = chunk_cata("cc", server_random, client_random);
1489 block = chunk_alloca((mks + eks + ivs) * 2);
1490 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1491
1492 /* signer keys */
1493 client_write = chunk_create(block.ptr, mks);
1494 block = chunk_skip(block, mks);
1495 server_write = chunk_create(block.ptr, mks);
1496 block = chunk_skip(block, mks);
1497 if (this->tls->is_server(this->tls))
1498 {
1499 this->signer_in->set_key(this->signer_in, client_write);
1500 this->signer_out->set_key(this->signer_out, server_write);
1501 }
1502 else
1503 {
1504 this->signer_out->set_key(this->signer_out, client_write);
1505 this->signer_in->set_key(this->signer_in, server_write);
1506 }
1507
1508 /* crypter keys, and IVs if < TLSv1.2 */
1509 if (this->crypter_out && this->crypter_in)
1510 {
1511 client_write = chunk_create(block.ptr, eks);
1512 block = chunk_skip(block, eks);
1513 server_write = chunk_create(block.ptr, eks);
1514 block = chunk_skip(block, eks);
1515
1516 if (this->tls->is_server(this->tls))
1517 {
1518 this->crypter_in->set_key(this->crypter_in, client_write);
1519 this->crypter_out->set_key(this->crypter_out, server_write);
1520 }
1521 else
1522 {
1523 this->crypter_out->set_key(this->crypter_out, client_write);
1524 this->crypter_in->set_key(this->crypter_in, server_write);
1525 }
1526 if (ivs)
1527 {
1528 client_write = chunk_create(block.ptr, ivs);
1529 block = chunk_skip(block, ivs);
1530 server_write = chunk_create(block.ptr, ivs);
1531 block = chunk_skip(block, ivs);
1532
1533 if (this->tls->is_server(this->tls))
1534 {
1535 this->iv_in = chunk_clone(client_write);
1536 this->iv_out = chunk_clone(server_write);
1537 }
1538 else
1539 {
1540 this->iv_out = chunk_clone(client_write);
1541 this->iv_in = chunk_clone(server_write);
1542 }
1543 }
1544 }
1545 }
1546
1547 METHOD(tls_crypto_t, change_cipher, void,
1548 private_tls_crypto_t *this, bool inbound)
1549 {
1550 if (this->protection)
1551 {
1552 if (inbound)
1553 {
1554 this->protection->set_cipher(this->protection, TRUE,
1555 this->signer_in, this->crypter_in, this->iv_in);
1556 }
1557 else
1558 {
1559 this->protection->set_cipher(this->protection, FALSE,
1560 this->signer_out, this->crypter_out, this->iv_out);
1561 }
1562 }
1563 }
1564
1565 METHOD(tls_crypto_t, derive_eap_msk, void,
1566 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1567 {
1568 if (this->msk_label)
1569 {
1570 chunk_t seed;
1571
1572 seed = chunk_cata("cc", client_random, server_random);
1573 free(this->msk.ptr);
1574 this->msk = chunk_alloc(64);
1575 this->prf->get_bytes(this->prf, this->msk_label, seed,
1576 this->msk.len, this->msk.ptr);
1577 }
1578 }
1579
1580 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1581 private_tls_crypto_t *this)
1582 {
1583 return this->msk;
1584 }
1585
1586 METHOD(tls_crypto_t, destroy, void,
1587 private_tls_crypto_t *this)
1588 {
1589 DESTROY_IF(this->signer_in);
1590 DESTROY_IF(this->signer_out);
1591 DESTROY_IF(this->crypter_in);
1592 DESTROY_IF(this->crypter_out);
1593 free(this->iv_in.ptr);
1594 free(this->iv_out.ptr);
1595 free(this->handshake.ptr);
1596 free(this->msk.ptr);
1597 DESTROY_IF(this->prf);
1598 free(this->suites);
1599 free(this);
1600 }
1601
1602 /**
1603 * See header
1604 */
1605 tls_crypto_t *tls_crypto_create(tls_t *tls)
1606 {
1607 private_tls_crypto_t *this;
1608 enumerator_t *enumerator;
1609 credential_type_t type;
1610 int subtype;
1611
1612 INIT(this,
1613 .public = {
1614 .get_cipher_suites = _get_cipher_suites,
1615 .select_cipher_suite = _select_cipher_suite,
1616 .get_dh_group = _get_dh_group,
1617 .get_signature_algorithms = _get_signature_algorithms,
1618 .create_ec_enumerator = _create_ec_enumerator,
1619 .set_protection = _set_protection,
1620 .append_handshake = _append_handshake,
1621 .sign = _sign,
1622 .verify = _verify,
1623 .sign_handshake = _sign_handshake,
1624 .verify_handshake = _verify_handshake,
1625 .calculate_finished = _calculate_finished,
1626 .derive_secrets = _derive_secrets,
1627 .change_cipher = _change_cipher,
1628 .derive_eap_msk = _derive_eap_msk,
1629 .get_eap_msk = _get_eap_msk,
1630 .destroy = _destroy,
1631 },
1632 .tls = tls,
1633 );
1634
1635 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1636 while (enumerator->enumerate(enumerator, &type, &subtype))
1637 {
1638 if (type == CRED_PUBLIC_KEY)
1639 {
1640 switch (subtype)
1641 {
1642 case KEY_RSA:
1643 this->rsa = TRUE;
1644 break;
1645 case KEY_ECDSA:
1646 this->ecdsa = TRUE;
1647 break;
1648 default:
1649 break;
1650 }
1651 }
1652 }
1653 enumerator->destroy(enumerator);
1654
1655 switch (tls->get_purpose(tls))
1656 {
1657 case TLS_PURPOSE_EAP_TLS:
1658 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1659 this->msk_label = "client EAP encryption";
1660 build_cipher_suite_list(this, FALSE);
1661 break;
1662 case TLS_PURPOSE_EAP_TTLS:
1663 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1664 this->msk_label = "ttls keying material";
1665 build_cipher_suite_list(this, TRUE);
1666 break;
1667 case TLS_PURPOSE_GENERIC:
1668 build_cipher_suite_list(this, TRUE);
1669 break;
1670 }
1671 return &this->public;
1672 }