Moved TLS stack to its own library
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 typedef struct private_tls_crypto_t private_tls_crypto_t;
21
22 /**
23 * Private data of an tls_crypto_t object.
24 */
25 struct private_tls_crypto_t {
26
27 /**
28 * Public tls_crypto_t interface.
29 */
30 tls_crypto_t public;
31
32 /**
33 * Protection layer
34 */
35 tls_protection_t *protection;
36
37 /**
38 * List of supported/acceptable cipher suites
39 */
40 tls_cipher_suite_t *suites;
41
42 /**
43 * Number of supported suites
44 */
45 int suite_count;
46
47 /**
48 * Selected cipher suite
49 */
50 tls_cipher_suite_t suite;
51
52 /**
53 * TLS context
54 */
55 tls_t *tls;
56
57 /**
58 * All handshake data concatentated
59 */
60 chunk_t handshake;
61
62 /**
63 * Connection state TLS PRF
64 */
65 tls_prf_t *prf;
66
67 /**
68 * Signer instance for inbound traffic
69 */
70 signer_t *signer_in;
71
72 /**
73 * Signer instance for outbound traffic
74 */
75 signer_t *signer_out;
76
77 /**
78 * Crypter instance for inbound traffic
79 */
80 crypter_t *crypter_in;
81
82 /**
83 * Crypter instance for outbound traffic
84 */
85 crypter_t *crypter_out;
86
87 /**
88 * IV for input decryption, if < TLSv1.2
89 */
90 chunk_t iv_in;
91
92 /**
93 * IV for output decryption, if < TLSv1.2
94 */
95 chunk_t iv_out;
96
97 /**
98 * EAP-TLS MSK
99 */
100 chunk_t msk;
101 };
102
103 typedef struct {
104 tls_cipher_suite_t suite;
105 hash_algorithm_t hash;
106 pseudo_random_function_t prf;
107 integrity_algorithm_t mac;
108 encryption_algorithm_t encr;
109 size_t encr_size;
110 } suite_algs_t;
111
112 /**
113 * Mapping suites to a set of algorithms
114 */
115 static suite_algs_t suite_algs[] = {
116 { TLS_RSA_WITH_NULL_MD5,
117 HASH_MD5,
118 PRF_HMAC_MD5,
119 AUTH_HMAC_MD5_128,
120 ENCR_NULL, 0
121 },
122 { TLS_RSA_WITH_NULL_SHA,
123 HASH_SHA1,
124 PRF_HMAC_SHA1,
125 AUTH_HMAC_SHA1_160,
126 ENCR_NULL, 0
127 },
128 { TLS_RSA_WITH_NULL_SHA256,
129 HASH_SHA256,
130 PRF_HMAC_SHA2_256,
131 AUTH_HMAC_SHA2_256_256,
132 ENCR_NULL, 0
133 },
134 { TLS_RSA_WITH_AES_128_CBC_SHA,
135 HASH_SHA1,
136 PRF_HMAC_SHA1,
137 AUTH_HMAC_SHA1_160,
138 ENCR_AES_CBC, 16
139 },
140 { TLS_RSA_WITH_AES_256_CBC_SHA,
141 HASH_SHA1,
142 PRF_HMAC_SHA1,
143 AUTH_HMAC_SHA1_160,
144 ENCR_AES_CBC, 32
145 },
146 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
147 HASH_SHA1,
148 PRF_HMAC_SHA1,
149 AUTH_HMAC_SHA1_160,
150 ENCR_3DES, 0
151 },
152 { TLS_RSA_WITH_AES_128_CBC_SHA256,
153 HASH_SHA256,
154 PRF_HMAC_SHA2_256,
155 AUTH_HMAC_SHA2_256_256,
156 ENCR_AES_CBC, 16
157 },
158 };
159
160 /**
161 * Look up algoritms by a suite
162 */
163 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
164 {
165 int i;
166
167 for (i = 0; i < countof(suite_algs); i++)
168 {
169 if (suite_algs[i].suite == suite)
170 {
171 return &suite_algs[i];
172 }
173 }
174 return NULL;
175 }
176
177 /**
178 * Initialize the cipher suite list
179 */
180 static void build_cipher_suite_list(private_tls_crypto_t *this)
181 {
182 encryption_algorithm_t encr;
183 integrity_algorithm_t mac;
184 enumerator_t *encrs, *macs;
185 tls_cipher_suite_t supported[64], unique[64];
186 int count = 0, i, j;
187
188 /* we assume that we support RSA, but no DHE yet */
189 macs = lib->crypto->create_signer_enumerator(lib->crypto);
190 while (macs->enumerate(macs, &mac))
191 {
192 switch (mac)
193 {
194 case AUTH_HMAC_SHA1_160:
195 supported[count++] = TLS_RSA_WITH_NULL_SHA;
196 break;
197 case AUTH_HMAC_SHA2_256_256:
198 supported[count++] = TLS_RSA_WITH_NULL_SHA256;
199 break;
200 case AUTH_HMAC_MD5_128:
201 supported[count++] = TLS_RSA_WITH_NULL_MD5;
202 break;
203 default:
204 break;
205 }
206 encrs = lib->crypto->create_crypter_enumerator(lib->crypto);
207 while (encrs->enumerate(encrs, &encr))
208 {
209 switch (encr)
210 {
211 case ENCR_AES_CBC:
212 switch (mac)
213 {
214 case AUTH_HMAC_SHA1_160:
215 supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
216 supported[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
217 break;
218 case AUTH_HMAC_SHA2_256_256:
219 supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
220 supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
221 break;
222 default:
223 break;
224 }
225 break;
226 case ENCR_3DES:
227 switch (mac)
228 {
229 case AUTH_HMAC_SHA1_160:
230 supported[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
231 break;
232 default:
233 break;
234 }
235 break;
236 default:
237 break;
238 }
239 }
240 encrs->destroy(encrs);
241 }
242 macs->destroy(macs);
243
244 /* remove duplicates */
245 this->suite_count = 0;
246 for (i = 0; i < count; i++)
247 {
248 bool match = FALSE;
249
250 for (j = 0; j < this->suite_count; j++)
251 {
252 if (supported[i] == unique[j])
253 {
254 match = TRUE;
255 break;
256 }
257 }
258 if (!match)
259 {
260 unique[this->suite_count++] = supported[i];
261 }
262 }
263 free(this->suites);
264 this->suites = malloc(sizeof(tls_cipher_suite_t) * this->suite_count);
265 memcpy(this->suites, unique, sizeof(tls_cipher_suite_t) * this->suite_count);
266 }
267
268 METHOD(tls_crypto_t, get_cipher_suites, int,
269 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
270 {
271 *suites = this->suites;
272 return this->suite_count;
273 }
274
275 /**
276 * Create crypto primitives
277 */
278 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
279 {
280 suite_algs_t *algs;
281
282 algs = find_suite(suite);
283 if (!algs)
284 {
285 DBG1(DBG_IKE, "selected TLS suite not supported");
286 return FALSE;
287 }
288
289 DESTROY_IF(this->prf);
290 if (this->tls->get_version(this->tls) < TLS_1_2)
291 {
292 this->prf = tls_prf_create_10();
293 }
294 else
295 {
296 this->prf = tls_prf_create_12(algs->prf);
297 }
298 if (!this->prf)
299 {
300 DBG1(DBG_IKE, "selected TLS PRF not supported");
301 return FALSE;
302 }
303
304 DESTROY_IF(this->signer_in);
305 DESTROY_IF(this->signer_out);
306 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
307 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
308 if (!this->signer_in || !this->signer_out)
309 {
310 DBG1(DBG_IKE, "selected TLS MAC %N not supported",
311 integrity_algorithm_names, algs->mac);
312 return FALSE;
313 }
314
315 DESTROY_IF(this->crypter_in);
316 DESTROY_IF(this->crypter_out);
317 if (algs->encr == ENCR_NULL)
318 {
319 this->crypter_in = this->crypter_out = NULL;
320 }
321 else
322 {
323 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
324 algs->encr, algs->encr_size);
325 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
326 algs->encr, algs->encr_size);
327 if (!this->crypter_in || !this->crypter_out)
328 {
329 DBG1(DBG_IKE, "selected TLS crypter %N not supported",
330 encryption_algorithm_names, algs->encr);
331 return FALSE;
332 }
333 }
334 return TRUE;
335 }
336
337 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
338 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
339 {
340 int i, j;
341
342 for (i = 0; i < this->suite_count; i++)
343 {
344 for (j = 0; j < count; j++)
345 {
346 if (this->suites[i] == suites[j])
347 {
348 if (create_ciphers(this, this->suites[i]))
349 {
350 this->suite = this->suites[i];
351 return this->suite;
352 }
353 }
354 }
355 }
356 return 0;
357 }
358
359 METHOD(tls_crypto_t, set_protection, void,
360 private_tls_crypto_t *this, tls_protection_t *protection)
361 {
362 this->protection = protection;
363 }
364
365 METHOD(tls_crypto_t, append_handshake, void,
366 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
367 {
368 u_int32_t header;
369
370 /* reconstruct handshake header */
371 header = htonl(data.len | (type << 24));
372 this->handshake = chunk_cat("mcc", this->handshake,
373 chunk_from_thing(header), data);
374 }
375
376 /**
377 * Create a hash of the stored handshake data
378 */
379 static bool hash_handshake(private_tls_crypto_t *this, chunk_t *hash)
380 {
381 if (this->tls->get_version(this->tls) >= TLS_1_2)
382 {
383 hasher_t *hasher;
384 suite_algs_t *alg;
385
386 alg = find_suite(this->suite);
387 if (!alg)
388 {
389 return FALSE;
390 }
391 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
392 if (!hasher)
393 {
394 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, alg->hash);
395 return FALSE;
396 }
397 hasher->allocate_hash(hasher, this->handshake, hash);
398 hasher->destroy(hasher);
399 }
400 else
401 {
402 hasher_t *md5, *sha1;
403 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
404
405 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
406 if (!md5)
407 {
408 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_MD5);
409 return FALSE;
410 }
411 md5->get_hash(md5, this->handshake, buf);
412 md5->destroy(md5);
413 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
414 if (!sha1)
415 {
416 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_SHA1);
417 return FALSE;
418 }
419 sha1->get_hash(sha1, this->handshake, buf + HASH_SIZE_MD5);
420 sha1->destroy(sha1);
421
422 *hash = chunk_clone(chunk_from_thing(buf));
423 }
424 return TRUE;
425 }
426
427 METHOD(tls_crypto_t, sign_handshake, bool,
428 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer)
429 {
430 chunk_t sig, hash;
431
432 if (this->tls->get_version(this->tls) >= TLS_1_2)
433 {
434 /* TODO: use supported algorithms instead of fixed SHA1/RSA */
435 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, &sig))
436 {
437 return FALSE;
438 }
439 writer->write_uint8(writer, 2);
440 writer->write_uint8(writer, 1);
441 writer->write_data16(writer, sig);
442 free(sig.ptr);
443 }
444 else
445 {
446 if (!hash_handshake(this, &hash))
447 {
448 return FALSE;
449 }
450 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig))
451 {
452 free(hash.ptr);
453 return FALSE;
454 }
455 writer->write_data16(writer, sig);
456 free(hash.ptr);
457 free(sig.ptr);
458 }
459 return TRUE;
460 }
461
462 METHOD(tls_crypto_t, verify_handshake, bool,
463 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
464 {
465 if (this->tls->get_version(this->tls) >= TLS_1_2)
466 {
467 u_int8_t hash, alg;
468 chunk_t sig;
469
470 if (!reader->read_uint8(reader, &hash) ||
471 !reader->read_uint8(reader, &alg) ||
472 !reader->read_data16(reader, &sig))
473 {
474 DBG1(DBG_IKE, "received invalid Certificate Verify");
475 return FALSE;
476 }
477 /* TODO: map received hash/sig alg to signature scheme */
478 if (hash != 2 || alg != 1 ||
479 !key->verify(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, sig))
480 {
481 return FALSE;
482 }
483 }
484 else
485 {
486 chunk_t sig, hash;
487
488 if (!reader->read_data16(reader, &sig))
489 {
490 DBG1(DBG_IKE, "received invalid Certificate Verify");
491 return FALSE;
492 }
493 if (!hash_handshake(this, &hash))
494 {
495 return FALSE;
496 }
497 if (!key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
498 {
499 free(hash.ptr);
500 return FALSE;
501 }
502 free(hash.ptr);
503 }
504 return TRUE;
505 }
506
507 METHOD(tls_crypto_t, calculate_finished, bool,
508 private_tls_crypto_t *this, char *label, char out[12])
509 {
510 chunk_t seed;
511
512 if (!this->prf)
513 {
514 return FALSE;
515 }
516 if (!hash_handshake(this, &seed))
517 {
518 return FALSE;
519 }
520 this->prf->get_bytes(this->prf, label, seed, 12, out);
521 free(seed.ptr);
522 return TRUE;
523 }
524
525 METHOD(tls_crypto_t, derive_secrets, void,
526 private_tls_crypto_t *this, chunk_t premaster,
527 chunk_t client_random, chunk_t server_random)
528 {
529 char master[48];
530 chunk_t seed, block, client_write, server_write;
531 int mks, eks = 0, ivs = 0;
532
533 /* derive master secret */
534 seed = chunk_cata("cc", client_random, server_random);
535 this->prf->set_key(this->prf, premaster);
536 this->prf->get_bytes(this->prf, "master secret", seed,
537 sizeof(master), master);
538
539 this->prf->set_key(this->prf, chunk_from_thing(master));
540 memset(master, 0, sizeof(master));
541
542 /* derive key block for key expansion */
543 mks = this->signer_out->get_key_size(this->signer_out);
544 if (this->crypter_out)
545 {
546 eks = this->crypter_out->get_key_size(this->crypter_out);
547 if (this->tls->get_version(this->tls) < TLS_1_1)
548 {
549 ivs = this->crypter_out->get_block_size(this->crypter_out);
550 }
551 }
552 seed = chunk_cata("cc", server_random, client_random);
553 block = chunk_alloca((mks + eks + ivs) * 2);
554 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
555
556 /* signer keys */
557 client_write = chunk_create(block.ptr, mks);
558 block = chunk_skip(block, mks);
559 server_write = chunk_create(block.ptr, mks);
560 block = chunk_skip(block, mks);
561 if (this->tls->is_server(this->tls))
562 {
563 this->signer_in->set_key(this->signer_in, client_write);
564 this->signer_out->set_key(this->signer_out, server_write);
565 }
566 else
567 {
568 this->signer_out->set_key(this->signer_out, client_write);
569 this->signer_in->set_key(this->signer_in, server_write);
570 }
571
572 /* crypter keys, and IVs if < TLSv1.2 */
573 if (this->crypter_out && this->crypter_in)
574 {
575 client_write = chunk_create(block.ptr, eks);
576 block = chunk_skip(block, eks);
577 server_write = chunk_create(block.ptr, eks);
578 block = chunk_skip(block, eks);
579
580 if (this->tls->is_server(this->tls))
581 {
582 this->crypter_in->set_key(this->crypter_in, client_write);
583 this->crypter_out->set_key(this->crypter_out, server_write);
584 }
585 else
586 {
587 this->crypter_out->set_key(this->crypter_out, client_write);
588 this->crypter_in->set_key(this->crypter_in, server_write);
589 }
590 if (ivs)
591 {
592 client_write = chunk_create(block.ptr, ivs);
593 block = chunk_skip(block, ivs);
594 server_write = chunk_create(block.ptr, ivs);
595 block = chunk_skip(block, ivs);
596
597 if (this->tls->is_server(this->tls))
598 {
599 this->iv_in = chunk_clone(client_write);
600 this->iv_out = chunk_clone(server_write);
601 }
602 else
603 {
604 this->iv_out = chunk_clone(client_write);
605 this->iv_in = chunk_clone(server_write);
606 }
607 }
608 }
609 }
610
611 METHOD(tls_crypto_t, change_cipher, void,
612 private_tls_crypto_t *this, bool inbound)
613 {
614 if (this->protection)
615 {
616 if (inbound)
617 {
618 this->protection->set_cipher(this->protection, TRUE,
619 this->signer_in, this->crypter_in, this->iv_in);
620 }
621 else
622 {
623 this->protection->set_cipher(this->protection, FALSE,
624 this->signer_out, this->crypter_out, this->iv_out);
625 }
626 }
627 }
628
629 METHOD(tls_crypto_t, derive_eap_msk, void,
630 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
631 {
632 chunk_t seed;
633
634 seed = chunk_cata("cc", client_random, server_random);
635 free(this->msk.ptr);
636 this->msk = chunk_alloc(64);
637 this->prf->get_bytes(this->prf, "client EAP encryption", seed,
638 this->msk.len, this->msk.ptr);
639 }
640
641 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
642 private_tls_crypto_t *this)
643 {
644 return this->msk;
645 }
646
647 METHOD(tls_crypto_t, destroy, void,
648 private_tls_crypto_t *this)
649 {
650 DESTROY_IF(this->signer_in);
651 DESTROY_IF(this->signer_out);
652 DESTROY_IF(this->crypter_in);
653 DESTROY_IF(this->crypter_out);
654 free(this->iv_in.ptr);
655 free(this->iv_out.ptr);
656 free(this->handshake.ptr);
657 free(this->msk.ptr);
658 DESTROY_IF(this->prf);
659 free(this->suites);
660 free(this);
661 }
662
663 /**
664 * See header
665 */
666 tls_crypto_t *tls_crypto_create(tls_t *tls)
667 {
668 private_tls_crypto_t *this;
669
670 INIT(this,
671 .public = {
672 .get_cipher_suites = _get_cipher_suites,
673 .select_cipher_suite = _select_cipher_suite,
674 .set_protection = _set_protection,
675 .append_handshake = _append_handshake,
676 .sign_handshake = _sign_handshake,
677 .verify_handshake = _verify_handshake,
678 .calculate_finished = _calculate_finished,
679 .derive_secrets = _derive_secrets,
680 .change_cipher = _change_cipher,
681 .derive_eap_msk = _derive_eap_msk,
682 .get_eap_msk = _get_eap_msk,
683 .destroy = _destroy,
684 },
685 .tls = tls,
686 );
687
688 build_cipher_suite_list(this);
689
690 return &this->public;
691 }