Merge branch 'rsassa-pss'
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19 #include <plugins/plugin_feature.h>
20
21 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
22 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
23 "TLS_NULL_WITH_NULL_NULL",
24 "TLS_RSA_WITH_NULL_MD5",
25 "TLS_RSA_WITH_NULL_SHA",
26 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
27 "TLS_RSA_WITH_RC4_128_MD5",
28 "TLS_RSA_WITH_RC4_128_SHA",
29 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
30 "TLS_RSA_WITH_IDEA_CBC_SHA",
31 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
32 "TLS_RSA_WITH_DES_CBC_SHA",
33 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
34 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
35 "TLS_DH_DSS_WITH_DES_CBC_SHA",
36 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
37 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_DH_RSA_WITH_DES_CBC_SHA",
39 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
42 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
45 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
47 "TLS_DH_anon_WITH_RC4_128_MD5",
48 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DH_anon_WITH_DES_CBC_SHA",
50 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
51 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
52 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
53 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
54 "TLS_KRB5_WITH_DES_CBC_SHA",
55 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
56 "TLS_KRB5_WITH_RC4_128_SHA",
57 "TLS_KRB5_WITH_IDEA_CBC_SHA",
58 "TLS_KRB5_WITH_DES_CBC_MD5",
59 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
60 "TLS_KRB5_WITH_RC4_128_MD5",
61 "TLS_KRB5_WITH_IDEA_CBC_MD5",
62 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
65 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
67 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
68 "TLS_PSK_WITH_NULL_SHA",
69 "TLS_DHE_PSK_WITH_NULL_SHA",
70 "TLS_RSA_PSK_WITH_NULL_SHA",
71 "TLS_RSA_WITH_AES_128_CBC_SHA",
72 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
73 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
75 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
76 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
77 "TLS_RSA_WITH_AES_256_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
83 "TLS_RSA_WITH_NULL_SHA256",
84 "TLS_RSA_WITH_AES_128_CBC_SHA256",
85 "TLS_RSA_WITH_AES_256_CBC_SHA256",
86 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
87 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
88 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
89 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
94 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
95 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
96 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
97 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
104 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
105 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
106 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
107 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
108 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
114 "TLS_PSK_WITH_RC4_128_SHA",
115 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
116 "TLS_PSK_WITH_AES_128_CBC_SHA",
117 "TLS_PSK_WITH_AES_256_CBC_SHA",
118 "TLS_DHE_PSK_WITH_RC4_128_SHA",
119 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
121 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
122 "TLS_RSA_PSK_WITH_RC4_128_SHA",
123 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_RSA_WITH_SEED_CBC_SHA",
127 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
128 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
129 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
130 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
131 "TLS_DH_anon_WITH_SEED_CBC_SHA",
132 "TLS_RSA_WITH_AES_128_GCM_SHA256",
133 "TLS_RSA_WITH_AES_256_GCM_SHA384",
134 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
135 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
136 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
137 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
138 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
139 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
140 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
141 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
144 "TLS_PSK_WITH_AES_128_GCM_SHA256",
145 "TLS_PSK_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
148 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
149 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_CBC_SHA256",
151 "TLS_PSK_WITH_AES_256_CBC_SHA384",
152 "TLS_PSK_WITH_NULL_SHA256",
153 "TLS_PSK_WITH_NULL_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
156 "TLS_DHE_PSK_WITH_NULL_SHA256",
157 "TLS_DHE_PSK_WITH_NULL_SHA384",
158 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_RSA_PSK_WITH_NULL_SHA256",
161 "TLS_RSA_PSK_WITH_NULL_SHA384",
162 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
168 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
174 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
176 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
177 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
178 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
179 TLS_ECDHE_PSK_WITH_NULL_SHA384,
180 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
182 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
183 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
185 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
186 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
187 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
188 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
190 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
191 "TLS_ECDH_RSA_WITH_NULL_SHA",
192 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
193 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
195 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
196 "TLS_ECDHE_RSA_WITH_NULL_SHA",
197 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
198 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDH_anon_WITH_NULL_SHA",
202 "TLS_ECDH_anon_WITH_RC4_128_SHA",
203 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
205 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
206 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
209 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
215 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
216 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
217 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
218 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
219 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
220 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
221 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
222 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
223 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
224 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
225 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
226 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
227 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
228 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
229 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
230 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
231 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
232 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
235 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
239 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
240 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
241
242 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
243 "NONE",
244 "MD5",
245 "SHA1",
246 "SHA224",
247 "SHA256",
248 "SHA384",
249 "SHA512",
250 );
251
252 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
253 "RSA",
254 "DSA",
255 "ECDSA",
256 );
257
258 ENUM_BEGIN(tls_client_certificate_type_names,
259 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
260 "RSA_SIGN",
261 "DSA_SIGN",
262 "RSA_FIXED_DH",
263 "DSS_FIXED_DH",
264 "RSA_EPHEMERAL_DH",
265 "DSS_EPHEMERAL_DH");
266 ENUM_NEXT(tls_client_certificate_type_names,
267 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
268 "FORTEZZA_DMS");
269 ENUM_NEXT(tls_client_certificate_type_names,
270 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
271 "ECDSA_SIGN",
272 "RSA_FIXED_ECDH",
273 "ECDSA_FIXED_ECDH");
274 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
275
276 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
277 "EXPLICIT_PRIME",
278 "EXPLICIT_CHAR2",
279 "NAMED_CURVE",
280 );
281
282 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
283 "SECT163K1",
284 "SECT163R1",
285 "SECT163R2",
286 "SECT193R1",
287 "SECT193R2",
288 "SECT233K1",
289 "SECT233R1",
290 "SECT239K1",
291 "SECT283K1",
292 "SECT283R1",
293 "SECT409K1",
294 "SECT409R1",
295 "SECT571K1",
296 "SECT571R1",
297 "SECP160K1",
298 "SECP160R1",
299 "SECP160R2",
300 "SECP192K1",
301 "SECP192R1",
302 "SECP224K1",
303 "SECP224R1",
304 "SECP256K1",
305 "SECP256R1",
306 "SECP384R1",
307 "SECP521R1",
308 );
309
310 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
311 "compressed",
312 "compressed y",
313 "uncompressed",
314 "uncompressed y",
315 "hybrid",
316 "hybrid y",
317 );
318
319 ENUM(tls_ec_point_format_names,
320 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
321 "uncompressed",
322 "ansiX962 compressed prime",
323 "ansiX962 compressed char2",
324 );
325
326 typedef struct private_tls_crypto_t private_tls_crypto_t;
327
328 /**
329 * Private data of an tls_crypto_t object.
330 */
331 struct private_tls_crypto_t {
332
333 /**
334 * Public tls_crypto_t interface.
335 */
336 tls_crypto_t public;
337
338 /**
339 * Protection layer
340 */
341 tls_protection_t *protection;
342
343 /**
344 * List of supported/acceptable cipher suites
345 */
346 tls_cipher_suite_t *suites;
347
348 /**
349 * Number of supported suites
350 */
351 int suite_count;
352
353 /**
354 * Selected cipher suite
355 */
356 tls_cipher_suite_t suite;
357
358 /**
359 * RSA supported?
360 */
361 bool rsa;
362
363 /**
364 * ECDSA supported?
365 */
366 bool ecdsa;
367
368 /**
369 * TLS context
370 */
371 tls_t *tls;
372
373 /**
374 * TLS session cache
375 */
376 tls_cache_t *cache;
377
378 /**
379 * All handshake data concatentated
380 */
381 chunk_t handshake;
382
383 /**
384 * Connection state TLS PRF
385 */
386 tls_prf_t *prf;
387
388 /**
389 * AEAD transform for inbound traffic
390 */
391 tls_aead_t *aead_in;
392
393 /**
394 * AEAD transform for outbound traffic
395 */
396 tls_aead_t *aead_out;
397
398 /**
399 * EAP-[T]TLS MSK
400 */
401 chunk_t msk;
402
403 /**
404 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
405 */
406 char *msk_label;
407 };
408
409 typedef struct {
410 tls_cipher_suite_t suite;
411 key_type_t key;
412 diffie_hellman_group_t dh;
413 hash_algorithm_t hash;
414 pseudo_random_function_t prf;
415 integrity_algorithm_t mac;
416 encryption_algorithm_t encr;
417 size_t encr_size;
418 } suite_algs_t;
419
420 /**
421 * Mapping suites to a set of algorithms
422 */
423 static suite_algs_t suite_algs[] = {
424 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
425 KEY_ECDSA, ECP_256_BIT,
426 HASH_SHA256, PRF_HMAC_SHA2_256,
427 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
428 },
429 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
430 KEY_ECDSA, ECP_256_BIT,
431 HASH_SHA256, PRF_HMAC_SHA2_256,
432 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
433 },
434 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
435 KEY_ECDSA, ECP_384_BIT,
436 HASH_SHA256, PRF_HMAC_SHA2_256,
437 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
438 },
439 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
440 KEY_ECDSA, ECP_384_BIT,
441 HASH_SHA384, PRF_HMAC_SHA2_384,
442 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
443 },
444 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
445 KEY_ECDSA, ECP_256_BIT,
446 HASH_SHA256, PRF_HMAC_SHA2_256,
447 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
448 },
449 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
450 KEY_ECDSA, ECP_384_BIT,
451 HASH_SHA384, PRF_HMAC_SHA2_384,
452 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
453 },
454 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
455 KEY_RSA, ECP_256_BIT,
456 HASH_SHA256, PRF_HMAC_SHA2_256,
457 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
458 },
459 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
460 KEY_RSA, ECP_256_BIT,
461 HASH_SHA256, PRF_HMAC_SHA2_256,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
463 },
464 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
465 KEY_RSA, ECP_384_BIT,
466 HASH_SHA256, PRF_HMAC_SHA2_256,
467 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
468 },
469 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
470 KEY_RSA, ECP_384_BIT,
471 HASH_SHA384, PRF_HMAC_SHA2_384,
472 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
473 },
474 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
475 KEY_RSA, ECP_256_BIT,
476 HASH_SHA256, PRF_HMAC_SHA2_256,
477 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
478 },
479 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
480 KEY_RSA, ECP_384_BIT,
481 HASH_SHA384, PRF_HMAC_SHA2_384,
482 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
483 },
484 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
485 KEY_RSA, MODP_2048_BIT,
486 HASH_SHA256,PRF_HMAC_SHA2_256,
487 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
488 },
489 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
490 KEY_RSA, MODP_3072_BIT,
491 HASH_SHA256, PRF_HMAC_SHA2_256,
492 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
493 },
494 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
495 KEY_RSA, MODP_3072_BIT,
496 HASH_SHA256, PRF_HMAC_SHA2_256,
497 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
498 },
499 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
500 KEY_RSA, MODP_4096_BIT,
501 HASH_SHA256, PRF_HMAC_SHA2_256,
502 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
503 },
504 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
505 KEY_RSA, MODP_3072_BIT,
506 HASH_SHA256, PRF_HMAC_SHA2_256,
507 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
508 },
509 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
510 KEY_RSA, MODP_4096_BIT,
511 HASH_SHA384, PRF_HMAC_SHA2_384,
512 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
513 },
514 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
515 KEY_RSA, MODP_2048_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
518 },
519 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
520 KEY_RSA, MODP_3072_BIT,
521 HASH_SHA256, PRF_HMAC_SHA2_256,
522 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
523 },
524 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
525 KEY_RSA, MODP_3072_BIT,
526 HASH_SHA256, PRF_HMAC_SHA2_256,
527 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
528 },
529 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
530 KEY_RSA, MODP_4096_BIT,
531 HASH_SHA256, PRF_HMAC_SHA2_256,
532 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
533 },
534 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
535 KEY_RSA, MODP_2048_BIT,
536 HASH_SHA256, PRF_HMAC_SHA2_256,
537 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
538 },
539 { TLS_RSA_WITH_AES_128_CBC_SHA,
540 KEY_RSA, MODP_NONE,
541 HASH_SHA256, PRF_HMAC_SHA2_256,
542 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
543 },
544 { TLS_RSA_WITH_AES_128_CBC_SHA256,
545 KEY_RSA, MODP_NONE,
546 HASH_SHA256, PRF_HMAC_SHA2_256,
547 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
548 },
549 { TLS_RSA_WITH_AES_256_CBC_SHA,
550 KEY_RSA, MODP_NONE,
551 HASH_SHA256, PRF_HMAC_SHA2_256,
552 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
553 },
554 { TLS_RSA_WITH_AES_256_CBC_SHA256,
555 KEY_RSA, MODP_NONE,
556 HASH_SHA256, PRF_HMAC_SHA2_256,
557 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
558 },
559 { TLS_RSA_WITH_AES_128_GCM_SHA256,
560 KEY_RSA, MODP_NONE,
561 HASH_SHA256, PRF_HMAC_SHA2_256,
562 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
563 },
564 { TLS_RSA_WITH_AES_256_GCM_SHA384,
565 KEY_RSA, MODP_NONE,
566 HASH_SHA384, PRF_HMAC_SHA2_384,
567 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
568 },
569 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
570 KEY_RSA, MODP_NONE,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
573 },
574 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
575 KEY_RSA, MODP_NONE,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
578 },
579 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
580 KEY_RSA, MODP_NONE,
581 HASH_SHA256, PRF_HMAC_SHA2_256,
582 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
583 },
584 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
585 KEY_RSA, MODP_NONE,
586 HASH_SHA256, PRF_HMAC_SHA2_256,
587 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
588 },
589 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
590 KEY_ECDSA, ECP_256_BIT,
591 HASH_SHA256, PRF_HMAC_SHA2_256,
592 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
593 },
594 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
595 KEY_RSA, ECP_256_BIT,
596 HASH_SHA256, PRF_HMAC_SHA2_256,
597 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
598 },
599 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
600 KEY_RSA, MODP_NONE,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
603 },
604 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
605 KEY_ECDSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
608 },
609 { TLS_ECDHE_RSA_WITH_NULL_SHA,
610 KEY_ECDSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
613 },
614 { TLS_RSA_WITH_NULL_SHA,
615 KEY_RSA, MODP_NONE,
616 HASH_SHA256, PRF_HMAC_SHA2_256,
617 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
618 },
619 { TLS_RSA_WITH_NULL_SHA256,
620 KEY_RSA, MODP_NONE,
621 HASH_SHA256, PRF_HMAC_SHA2_256,
622 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
623 },
624 { TLS_RSA_WITH_NULL_MD5,
625 KEY_RSA, MODP_NONE,
626 HASH_SHA256, PRF_HMAC_SHA2_256,
627 AUTH_HMAC_MD5_128, ENCR_NULL, 0
628 },
629 };
630
631 /**
632 * Look up algorithms by a suite
633 */
634 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
635 {
636 int i;
637
638 for (i = 0; i < countof(suite_algs); i++)
639 {
640 if (suite_algs[i].suite == suite)
641 {
642 return &suite_algs[i];
643 }
644 }
645 return NULL;
646 }
647
648 /**
649 * Filter a suite list using a transform enumerator
650 */
651 static void filter_suite(suite_algs_t suites[], int *count, int offset,
652 enumerator_t*(*create_enumerator)(crypto_factory_t*))
653 {
654 const char *plugin_name;
655 suite_algs_t current;
656 int *current_alg, i, remaining = 0;
657 enumerator_t *enumerator;
658
659 memset(&current, 0, sizeof(current));
660 current_alg = (int*)((char*)&current + offset);
661
662 for (i = 0; i < *count; i++)
663 {
664 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
665 encryption_algorithm_is_aead(suites[i].encr))
666 { /* filtering crypters, but current suite uses an AEAD, apply */
667 suites[remaining] = suites[i];
668 remaining++;
669 continue;
670 }
671 if (create_enumerator == lib->crypto->create_aead_enumerator &&
672 !encryption_algorithm_is_aead(suites[i].encr))
673 { /* filtering AEADs, but current suite doesn't use one, apply */
674 suites[remaining] = suites[i];
675 remaining++;
676 continue;
677 }
678 enumerator = create_enumerator(lib->crypto);
679 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
680 {
681 if (current.encr && current.encr != suites[i].encr)
682 {
683 if (suites[i].encr != ENCR_NULL)
684 { /* skip, ENCR does not match nor is NULL */
685 continue;
686 }
687 }
688 if (current.mac && current.mac != suites[i].mac)
689 {
690 if (suites[i].mac != AUTH_UNDEFINED)
691 { /* skip, MAC does not match nor is it undefined */
692 continue;
693 }
694 }
695 if (current.prf && current.prf != suites[i].prf)
696 { /* skip, PRF does not match */
697 continue;
698 }
699 if (current.hash && current.hash != suites[i].hash)
700 { /* skip, hash does not match */
701 continue;
702 }
703 if (current.dh && current.dh != suites[i].dh)
704 {
705 if (suites[i].dh != MODP_NONE)
706 { /* skip DH group, does not match nor NONE */
707 continue;
708 }
709 }
710 /* suite supported, apply */
711 suites[remaining] = suites[i];
712 remaining++;
713 break;
714 }
715 enumerator->destroy(enumerator);
716 }
717 *count = remaining;
718 }
719
720 /**
721 * Purge NULL encryption cipher suites from list
722 */
723 static void filter_null_suites(suite_algs_t suites[], int *count)
724 {
725 int i, remaining = 0;
726
727 for (i = 0; i < *count; i++)
728 {
729 if (suites[i].encr != ENCR_NULL)
730 {
731 suites[remaining] = suites[i];
732 remaining++;
733 }
734 }
735 *count = remaining;
736 }
737
738 /**
739 * Purge suites using a given key type
740 */
741 static void filter_key_suites(private_tls_crypto_t *this,
742 suite_algs_t suites[], int *count, key_type_t key)
743 {
744 int i, remaining = 0;
745
746 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
747 for (i = 0; i < *count; i++)
748 {
749 if (suites[i].key != key)
750 {
751 suites[remaining] = suites[i];
752 remaining++;
753 }
754 }
755 *count = remaining;
756 }
757
758 /**
759 * Filter suites by key exchange user config
760 */
761 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
762 suite_algs_t suites[], int *count)
763 {
764 enumerator_t *enumerator;
765 int i, remaining = 0;
766 char *token, *config;
767
768 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
769 lib->ns);
770 if (config)
771 {
772 for (i = 0; i < *count; i++)
773 {
774 enumerator = enumerator_create_token(config, ",", " ");
775 while (enumerator->enumerate(enumerator, &token))
776 {
777 if (strcaseeq(token, "ecdhe-ecdsa") &&
778 diffie_hellman_group_is_ec(suites[i].dh) &&
779 suites[i].key == KEY_ECDSA)
780 {
781 suites[remaining++] = suites[i];
782 break;
783 }
784 if (strcaseeq(token, "ecdhe-rsa") &&
785 diffie_hellman_group_is_ec(suites[i].dh) &&
786 suites[i].key == KEY_RSA)
787 {
788 suites[remaining++] = suites[i];
789 break;
790 }
791 if (strcaseeq(token, "dhe-rsa") &&
792 !diffie_hellman_group_is_ec(suites[i].dh) &&
793 suites[i].dh != MODP_NONE &&
794 suites[i].key == KEY_RSA)
795 {
796 suites[remaining++] = suites[i];
797 break;
798 }
799 if (strcaseeq(token, "rsa") &&
800 suites[i].dh == MODP_NONE &&
801 suites[i].key == KEY_RSA)
802 {
803 suites[remaining++] = suites[i];
804 break;
805 }
806 }
807 enumerator->destroy(enumerator);
808 }
809 *count = remaining;
810 }
811 }
812
813 /**
814 * Filter suites by cipher user config
815 */
816 static void filter_cipher_config_suites(private_tls_crypto_t *this,
817 suite_algs_t suites[], int *count)
818 {
819 enumerator_t *enumerator;
820 int i, remaining = 0;
821 char *token, *config;
822
823 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
824 lib->ns);
825 if (config)
826 {
827 for (i = 0; i < *count; i++)
828 {
829 enumerator = enumerator_create_token(config, ",", " ");
830 while (enumerator->enumerate(enumerator, &token))
831 {
832 if (strcaseeq(token, "aes128") &&
833 suites[i].encr == ENCR_AES_CBC &&
834 suites[i].encr_size == 16)
835 {
836 suites[remaining++] = suites[i];
837 break;
838 }
839 if (strcaseeq(token, "aes256") &&
840 suites[i].encr == ENCR_AES_CBC &&
841 suites[i].encr_size == 32)
842 {
843 suites[remaining++] = suites[i];
844 break;
845 }
846 if (strcaseeq(token, "aes128gcm") &&
847 suites[i].encr == ENCR_AES_GCM_ICV16 &&
848 suites[i].encr_size == 16)
849 {
850 suites[remaining++] = suites[i];
851 break;
852 }
853 if (strcaseeq(token, "aes256gcm") &&
854 suites[i].encr == ENCR_AES_GCM_ICV16 &&
855 suites[i].encr_size == 32)
856 {
857 suites[remaining++] = suites[i];
858 break;
859 }
860 if (strcaseeq(token, "camellia128") &&
861 suites[i].encr == ENCR_CAMELLIA_CBC &&
862 suites[i].encr_size == 16)
863 {
864 suites[remaining++] = suites[i];
865 break;
866 }
867 if (strcaseeq(token, "camellia256") &&
868 suites[i].encr == ENCR_CAMELLIA_CBC &&
869 suites[i].encr_size == 32)
870 {
871 suites[remaining++] = suites[i];
872 break;
873 }
874 if (strcaseeq(token, "3des") &&
875 suites[i].encr == ENCR_3DES)
876 {
877 suites[remaining++] = suites[i];
878 break;
879 }
880 if (strcaseeq(token, "null") &&
881 suites[i].encr == ENCR_NULL)
882 {
883 suites[remaining++] = suites[i];
884 break;
885 }
886 }
887 enumerator->destroy(enumerator);
888 }
889 *count = remaining;
890 }
891 }
892
893 /**
894 * Filter suites by mac user config
895 */
896 static void filter_mac_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "md5") &&
913 suites[i].mac == AUTH_HMAC_MD5_128)
914 {
915 suites[remaining++] = suites[i];
916 break;
917 }
918 if (strcaseeq(token, "sha1") &&
919 suites[i].mac == AUTH_HMAC_SHA1_160)
920 {
921 suites[remaining++] = suites[i];
922 break;
923 }
924 if (strcaseeq(token, "sha256") &&
925 suites[i].mac == AUTH_HMAC_SHA2_256_256)
926 {
927 suites[remaining++] = suites[i];
928 break;
929 }
930 if (strcaseeq(token, "sha384") &&
931 suites[i].mac == AUTH_HMAC_SHA2_384_384)
932 {
933 suites[remaining++] = suites[i];
934 break;
935 }
936 }
937 enumerator->destroy(enumerator);
938 }
939 *count = remaining;
940 }
941 }
942
943 /**
944 * Filter for specific suites specified in strongswan.conf
945 */
946 static void filter_specific_config_suites(private_tls_crypto_t *this,
947 suite_algs_t suites[], int *count)
948 {
949 enumerator_t *enumerator;
950 int i, remaining = 0, suite;
951 char *token, *config;
952
953 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
954 lib->ns);
955 if (config)
956 {
957 for (i = 0; i < *count; i++)
958 {
959 enumerator = enumerator_create_token(config, ",", " ");
960 while (enumerator->enumerate(enumerator, &token))
961 {
962 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
963 suite == suites[i].suite)
964 {
965 suites[remaining++] = suites[i];
966 break;
967 }
968 }
969 enumerator->destroy(enumerator);
970 }
971 *count = remaining;
972 }
973 }
974
975 /**
976 * Filter out unsupported suites on given suite array
977 */
978 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
979 {
980 /* filter suite list by each algorithm */
981 filter_suite(suites, count, offsetof(suite_algs_t, encr),
982 lib->crypto->create_crypter_enumerator);
983 filter_suite(suites, count, offsetof(suite_algs_t, encr),
984 lib->crypto->create_aead_enumerator);
985 filter_suite(suites, count, offsetof(suite_algs_t, mac),
986 lib->crypto->create_signer_enumerator);
987 filter_suite(suites, count, offsetof(suite_algs_t, prf),
988 lib->crypto->create_prf_enumerator);
989 filter_suite(suites, count, offsetof(suite_algs_t, hash),
990 lib->crypto->create_hasher_enumerator);
991 filter_suite(suites, count, offsetof(suite_algs_t, dh),
992 lib->crypto->create_dh_enumerator);
993 }
994
995 /**
996 * Initialize the cipher suite list
997 */
998 static void build_cipher_suite_list(private_tls_crypto_t *this,
999 bool require_encryption)
1000 {
1001 suite_algs_t suites[countof(suite_algs)];
1002 int count = countof(suite_algs), i;
1003
1004 /* copy all suites */
1005 for (i = 0; i < count; i++)
1006 {
1007 suites[i] = suite_algs[i];
1008 }
1009
1010 if (require_encryption)
1011 {
1012 filter_null_suites(suites, &count);
1013 }
1014 if (!this->rsa)
1015 {
1016 filter_key_suites(this, suites, &count, KEY_RSA);
1017 }
1018 if (!this->ecdsa)
1019 {
1020 filter_key_suites(this, suites, &count, KEY_ECDSA);
1021 }
1022
1023 filter_unsupported_suites(suites, &count);
1024
1025 /* filter suites with strongswan.conf options */
1026 filter_key_exchange_config_suites(this, suites, &count);
1027 filter_cipher_config_suites(this, suites, &count);
1028 filter_mac_config_suites(this, suites, &count);
1029 filter_specific_config_suites(this, suites, &count);
1030
1031 free(this->suites);
1032 this->suite_count = count;
1033 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1034
1035 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1036 for (i = 0; i < count; i++)
1037 {
1038 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1039 this->suites[i] = suites[i].suite;
1040 }
1041 }
1042
1043 METHOD(tls_crypto_t, get_cipher_suites, int,
1044 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1045 {
1046 *suites = this->suites;
1047 return this->suite_count;
1048 }
1049
1050 /**
1051 * Create NULL encryption transforms
1052 */
1053 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1054 {
1055 this->aead_in = tls_aead_create_null(algs->mac);
1056 this->aead_out = tls_aead_create_null(algs->mac);
1057 if (!this->aead_in || !this->aead_out)
1058 {
1059 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1060 integrity_algorithm_names, algs->mac);
1061 return FALSE;
1062 }
1063 return TRUE;
1064 }
1065
1066 /**
1067 * Create traditional transforms
1068 */
1069 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1070 {
1071 if (this->tls->get_version(this->tls) < TLS_1_1)
1072 {
1073 this->aead_in = tls_aead_create_implicit(algs->mac,
1074 algs->encr, algs->encr_size);
1075 this->aead_out = tls_aead_create_implicit(algs->mac,
1076 algs->encr, algs->encr_size);
1077 }
1078 else
1079 {
1080 this->aead_in = tls_aead_create_explicit(algs->mac,
1081 algs->encr, algs->encr_size);
1082 this->aead_out = tls_aead_create_explicit(algs->mac,
1083 algs->encr, algs->encr_size);
1084 }
1085 if (!this->aead_in || !this->aead_out)
1086 {
1087 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1088 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1089 integrity_algorithm_names, algs->mac);
1090 return FALSE;
1091 }
1092 return TRUE;
1093 }
1094
1095 /**
1096 * Create AEAD transforms
1097 */
1098 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1099 {
1100 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1101 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1102 if (!this->aead_in || !this->aead_out)
1103 {
1104 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1105 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1106 return FALSE;
1107 }
1108 return TRUE;
1109 }
1110
1111 /**
1112 * Clean up and unset AEAD transforms
1113 */
1114 static void destroy_aeads(private_tls_crypto_t *this)
1115 {
1116 DESTROY_IF(this->aead_in);
1117 DESTROY_IF(this->aead_out);
1118 this->aead_in = this->aead_out = NULL;
1119 }
1120
1121 /**
1122 * Create crypto primitives
1123 */
1124 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1125 {
1126 destroy_aeads(this);
1127 DESTROY_IF(this->prf);
1128 if (this->tls->get_version(this->tls) < TLS_1_2)
1129 {
1130 this->prf = tls_prf_create_10();
1131 }
1132 else
1133 {
1134 this->prf = tls_prf_create_12(algs->prf);
1135 }
1136 if (!this->prf)
1137 {
1138 DBG1(DBG_TLS, "selected TLS PRF not supported");
1139 return FALSE;
1140 }
1141 if (algs->encr == ENCR_NULL)
1142 {
1143 if (create_null(this, algs))
1144 {
1145 return TRUE;
1146 }
1147 }
1148 else if (encryption_algorithm_is_aead(algs->encr))
1149 {
1150 if (create_aead(this, algs))
1151 {
1152 return TRUE;
1153 }
1154 }
1155 else
1156 {
1157 if (create_traditional(this, algs))
1158 {
1159 return TRUE;
1160 }
1161 }
1162 destroy_aeads(this);
1163 return FALSE;
1164 }
1165
1166 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1167 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1168 key_type_t key)
1169 {
1170 suite_algs_t *algs;
1171 int i, j;
1172
1173 for (i = 0; i < this->suite_count; i++)
1174 {
1175 for (j = 0; j < count; j++)
1176 {
1177 if (this->suites[i] == suites[j])
1178 {
1179 algs = find_suite(this->suites[i]);
1180 if (algs)
1181 {
1182 if (key == KEY_ANY || key == algs->key)
1183 {
1184 if (create_ciphers(this, algs))
1185 {
1186 this->suite = this->suites[i];
1187 return this->suite;
1188 }
1189 }
1190 }
1191 }
1192 }
1193 }
1194 return 0;
1195 }
1196
1197 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1198 private_tls_crypto_t *this)
1199 {
1200 suite_algs_t *algs;
1201
1202 algs = find_suite(this->suite);
1203 if (algs)
1204 {
1205 return algs->dh;
1206 }
1207 return MODP_NONE;
1208 }
1209
1210 /**
1211 * Map signature schemes to TLS key types and hashes, ordered by preference
1212 */
1213 static struct {
1214 tls_signature_algorithm_t sig;
1215 tls_hash_algorithm_t hash;
1216 signature_scheme_t scheme;
1217 } schemes[] = {
1218 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1219 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1220 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1221 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1222 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1223 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1224 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1225 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA2_224 },
1226 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1227 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1228 };
1229
1230 METHOD(tls_crypto_t, get_signature_algorithms, void,
1231 private_tls_crypto_t *this, bio_writer_t *writer)
1232 {
1233 bio_writer_t *supported;
1234 int i;
1235
1236 supported = bio_writer_create(32);
1237
1238 for (i = 0; i < countof(schemes); i++)
1239 {
1240 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1241 {
1242 continue;
1243 }
1244 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1245 {
1246 continue;
1247 }
1248 if (!lib->plugins->has_feature(lib->plugins,
1249 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1250 {
1251 continue;
1252 }
1253 supported->write_uint8(supported, schemes[i].hash);
1254 supported->write_uint8(supported, schemes[i].sig);
1255 }
1256
1257 supported->wrap16(supported);
1258 writer->write_data16(writer, supported->get_buf(supported));
1259 supported->destroy(supported);
1260 }
1261
1262 /**
1263 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1264 */
1265 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1266 tls_hash_algorithm_t hash,
1267 tls_signature_algorithm_t sig)
1268 {
1269 int i;
1270
1271 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1272 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1273 {
1274 for (i = 0; i < countof(schemes); i++)
1275 {
1276 if (schemes[i].sig == sig && schemes[i].hash == hash)
1277 {
1278 return schemes[i].scheme;
1279 }
1280 }
1281 }
1282 return SIGN_UNKNOWN;
1283 }
1284
1285 /**
1286 * Mapping groups to TLS named curves
1287 */
1288 static struct {
1289 diffie_hellman_group_t group;
1290 tls_named_curve_t curve;
1291 } curves[] = {
1292 { ECP_256_BIT, TLS_SECP256R1},
1293 { ECP_384_BIT, TLS_SECP384R1},
1294 { ECP_521_BIT, TLS_SECP521R1},
1295 { ECP_224_BIT, TLS_SECP224R1},
1296 { ECP_192_BIT, TLS_SECP192R1},
1297 };
1298
1299 CALLBACK(group_filter, bool,
1300 void *null, enumerator_t *orig, va_list args)
1301 {
1302 diffie_hellman_group_t group, *out;
1303 tls_named_curve_t *curve;
1304 char *plugin;
1305 int i;
1306
1307 VA_ARGS_VGET(args, out, curve);
1308
1309 while (orig->enumerate(orig, &group, &plugin))
1310 {
1311 for (i = 0; i < countof(curves); i++)
1312 {
1313 if (curves[i].group == group)
1314 {
1315 if (out)
1316 {
1317 *out = curves[i].group;
1318 }
1319 if (curve)
1320 {
1321 *curve = curves[i].curve;
1322 }
1323 return TRUE;
1324 }
1325 }
1326 }
1327 return FALSE;
1328 }
1329
1330 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1331 private_tls_crypto_t *this)
1332 {
1333 return enumerator_create_filter(
1334 lib->crypto->create_dh_enumerator(lib->crypto),
1335 group_filter, NULL, NULL);
1336 }
1337
1338 METHOD(tls_crypto_t, set_protection, void,
1339 private_tls_crypto_t *this, tls_protection_t *protection)
1340 {
1341 this->protection = protection;
1342 }
1343
1344 METHOD(tls_crypto_t, append_handshake, void,
1345 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1346 {
1347 uint32_t header;
1348
1349 /* reconstruct handshake header */
1350 header = htonl(data.len | (type << 24));
1351 this->handshake = chunk_cat("mcc", this->handshake,
1352 chunk_from_thing(header), data);
1353 }
1354
1355 /**
1356 * Create a hash using the suites HASH algorithm
1357 */
1358 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1359 {
1360 if (this->tls->get_version(this->tls) >= TLS_1_2)
1361 {
1362 hasher_t *hasher;
1363 suite_algs_t *alg;
1364
1365 alg = find_suite(this->suite);
1366 if (!alg)
1367 {
1368 return FALSE;
1369 }
1370 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1371 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1372 {
1373 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1374 DESTROY_IF(hasher);
1375 return FALSE;
1376 }
1377 hasher->destroy(hasher);
1378 }
1379 else
1380 {
1381 hasher_t *md5, *sha1;
1382 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1383
1384 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1385 if (!md5 || !md5->get_hash(md5, data, buf))
1386 {
1387 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1388 DESTROY_IF(md5);
1389 return FALSE;
1390 }
1391 md5->destroy(md5);
1392 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1393 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1394 {
1395 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1396 DESTROY_IF(sha1);
1397 return FALSE;
1398 }
1399 sha1->destroy(sha1);
1400
1401 *hash = chunk_clone(chunk_from_thing(buf));
1402 }
1403 return TRUE;
1404 }
1405
1406 METHOD(tls_crypto_t, sign, bool,
1407 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1408 chunk_t data, chunk_t hashsig)
1409 {
1410 if (this->tls->get_version(this->tls) >= TLS_1_2)
1411 {
1412 signature_scheme_t scheme;
1413 bio_reader_t *reader;
1414 uint8_t hash, alg;
1415 chunk_t sig;
1416 bool done = FALSE;
1417
1418 if (!hashsig.len)
1419 { /* fallback if none given */
1420 hashsig = chunk_from_chars(
1421 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1422 }
1423 reader = bio_reader_create(hashsig);
1424 while (reader->remaining(reader) >= 2)
1425 {
1426 if (reader->read_uint8(reader, &hash) &&
1427 reader->read_uint8(reader, &alg))
1428 {
1429 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1430 if (scheme != SIGN_UNKNOWN &&
1431 key->sign(key, scheme, NULL, data, &sig))
1432 {
1433 done = TRUE;
1434 break;
1435 }
1436 }
1437 }
1438 reader->destroy(reader);
1439 if (!done)
1440 {
1441 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1442 return FALSE;
1443 }
1444 DBG2(DBG_TLS, "created signature with %N/%N",
1445 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1446 writer->write_uint8(writer, hash);
1447 writer->write_uint8(writer, alg);
1448 writer->write_data16(writer, sig);
1449 free(sig.ptr);
1450 }
1451 else
1452 {
1453 chunk_t sig, hash;
1454 bool done;
1455
1456 switch (key->get_type(key))
1457 {
1458 case KEY_RSA:
1459 if (!hash_data(this, data, &hash))
1460 {
1461 return FALSE;
1462 }
1463 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1464 &sig);
1465 free(hash.ptr);
1466 if (!done)
1467 {
1468 return FALSE;
1469 }
1470 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1471 break;
1472 case KEY_ECDSA:
1473 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1474 {
1475 return FALSE;
1476 }
1477 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1478 break;
1479 default:
1480 return FALSE;
1481 }
1482 writer->write_data16(writer, sig);
1483 free(sig.ptr);
1484 }
1485 return TRUE;
1486 }
1487
1488 METHOD(tls_crypto_t, verify, bool,
1489 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1490 chunk_t data)
1491 {
1492 if (this->tls->get_version(this->tls) >= TLS_1_2)
1493 {
1494 signature_scheme_t scheme = SIGN_UNKNOWN;
1495 uint8_t hash, alg;
1496 chunk_t sig;
1497
1498 if (!reader->read_uint8(reader, &hash) ||
1499 !reader->read_uint8(reader, &alg) ||
1500 !reader->read_data16(reader, &sig))
1501 {
1502 DBG1(DBG_TLS, "received invalid signature");
1503 return FALSE;
1504 }
1505 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1506 if (scheme == SIGN_UNKNOWN)
1507 {
1508 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1509 tls_hash_algorithm_names, hash,
1510 tls_signature_algorithm_names, alg);
1511 return FALSE;
1512 }
1513 if (!key->verify(key, scheme, NULL, data, sig))
1514 {
1515 return FALSE;
1516 }
1517 DBG2(DBG_TLS, "verified signature with %N/%N",
1518 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1519 }
1520 else
1521 {
1522 chunk_t sig, hash;
1523 bool done;
1524
1525 if (!reader->read_data16(reader, &sig))
1526 {
1527 DBG1(DBG_TLS, "received invalid signature");
1528 return FALSE;
1529 }
1530 switch (key->get_type(key))
1531 {
1532 case KEY_RSA:
1533 if (!hash_data(this, data, &hash))
1534 {
1535 return FALSE;
1536 }
1537 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1538 sig);
1539 free(hash.ptr);
1540 if (!done)
1541 {
1542 return FALSE;
1543 }
1544 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1545 break;
1546 case KEY_ECDSA:
1547 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1548 sig))
1549 {
1550 return FALSE;
1551 }
1552 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1553 break;
1554 default:
1555 return FALSE;
1556 }
1557 }
1558 return TRUE;
1559 }
1560
1561 METHOD(tls_crypto_t, sign_handshake, bool,
1562 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1563 chunk_t hashsig)
1564 {
1565 return sign(this, key, writer, this->handshake, hashsig);
1566 }
1567
1568 METHOD(tls_crypto_t, verify_handshake, bool,
1569 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1570 {
1571 return verify(this, key, reader, this->handshake);
1572 }
1573
1574 METHOD(tls_crypto_t, calculate_finished, bool,
1575 private_tls_crypto_t *this, char *label, char out[12])
1576 {
1577 chunk_t seed;
1578
1579 if (!this->prf)
1580 {
1581 return FALSE;
1582 }
1583 if (!hash_data(this, this->handshake, &seed))
1584 {
1585 return FALSE;
1586 }
1587 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1588 {
1589 free(seed.ptr);
1590 return FALSE;
1591 }
1592 free(seed.ptr);
1593 return TRUE;
1594 }
1595
1596 /**
1597 * Derive master secret from premaster, optionally save session
1598 */
1599 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1600 chunk_t session, identification_t *id,
1601 chunk_t client_random, chunk_t server_random)
1602 {
1603 char master[48];
1604 chunk_t seed;
1605
1606 /* derive master secret */
1607 seed = chunk_cata("cc", client_random, server_random);
1608
1609 if (!this->prf->set_key(this->prf, premaster) ||
1610 !this->prf->get_bytes(this->prf, "master secret", seed,
1611 sizeof(master), master) ||
1612 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1613 {
1614 return FALSE;
1615 }
1616
1617 if (this->cache && session.len)
1618 {
1619 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1620 this->suite);
1621 }
1622 memwipe(master, sizeof(master));
1623 return TRUE;
1624 }
1625
1626 /**
1627 * Expand key material from master secret
1628 */
1629 static bool expand_keys(private_tls_crypto_t *this,
1630 chunk_t client_random, chunk_t server_random)
1631 {
1632 chunk_t seed, block;
1633 chunk_t cw_mac, cw, cw_iv;
1634 chunk_t sw_mac, sw, sw_iv;
1635 int mklen, eklen, ivlen;
1636
1637 if (!this->aead_in || !this->aead_out)
1638 {
1639 return FALSE;
1640 }
1641
1642 /* derive key block for key expansion */
1643 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1644 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1645 ivlen = this->aead_in->get_iv_size(this->aead_in);
1646 seed = chunk_cata("cc", server_random, client_random);
1647 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1648 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1649 block.len, block.ptr))
1650 {
1651 return FALSE;
1652 }
1653
1654 /* client/server write signer keys */
1655 cw_mac = chunk_create(block.ptr, mklen);
1656 block = chunk_skip(block, mklen);
1657 sw_mac = chunk_create(block.ptr, mklen);
1658 block = chunk_skip(block, mklen);
1659
1660 /* client/server write encryption keys */
1661 cw = chunk_create(block.ptr, eklen);
1662 block = chunk_skip(block, eklen);
1663 sw = chunk_create(block.ptr, eklen);
1664 block = chunk_skip(block, eklen);
1665
1666 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1667 cw_iv = chunk_create(block.ptr, ivlen);
1668 block = chunk_skip(block, ivlen);
1669 sw_iv = chunk_create(block.ptr, ivlen);
1670 block = chunk_skip(block, ivlen);
1671
1672 if (this->tls->is_server(this->tls))
1673 {
1674 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1675 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1676 {
1677 return FALSE;
1678 }
1679 }
1680 else
1681 {
1682 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1683 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1684 {
1685 return FALSE;
1686 }
1687 }
1688
1689 /* EAP-MSK */
1690 if (this->msk_label)
1691 {
1692 seed = chunk_cata("cc", client_random, server_random);
1693 this->msk = chunk_alloc(64);
1694 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1695 this->msk.len, this->msk.ptr))
1696 {
1697 return FALSE;
1698 }
1699 }
1700 return TRUE;
1701 }
1702
1703 METHOD(tls_crypto_t, derive_secrets, bool,
1704 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1705 identification_t *id, chunk_t client_random, chunk_t server_random)
1706 {
1707 return derive_master(this, premaster, session, id,
1708 client_random, server_random) &&
1709 expand_keys(this, client_random, server_random);
1710 }
1711
1712 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1713 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1714 chunk_t client_random, chunk_t server_random)
1715 {
1716 chunk_t master;
1717
1718 if (this->cache && session.len)
1719 {
1720 this->suite = this->cache->lookup(this->cache, session, id, &master);
1721 if (this->suite)
1722 {
1723 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1724 if (this->suite)
1725 {
1726 if (!this->prf->set_key(this->prf, master) ||
1727 !expand_keys(this, client_random, server_random))
1728 {
1729 this->suite = 0;
1730 }
1731 }
1732 chunk_clear(&master);
1733 }
1734 return this->suite;
1735 }
1736 return 0;
1737 }
1738
1739 METHOD(tls_crypto_t, get_session, chunk_t,
1740 private_tls_crypto_t *this, identification_t *server)
1741 {
1742 if (this->cache)
1743 {
1744 return this->cache->check(this->cache, server);
1745 }
1746 return chunk_empty;
1747 }
1748
1749 METHOD(tls_crypto_t, change_cipher, void,
1750 private_tls_crypto_t *this, bool inbound)
1751 {
1752 if (this->protection)
1753 {
1754 if (inbound)
1755 {
1756 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1757 }
1758 else
1759 {
1760 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1761 }
1762 }
1763 }
1764
1765 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1766 private_tls_crypto_t *this)
1767 {
1768 return this->msk;
1769 }
1770
1771 METHOD(tls_crypto_t, destroy, void,
1772 private_tls_crypto_t *this)
1773 {
1774 destroy_aeads(this);
1775 free(this->handshake.ptr);
1776 free(this->msk.ptr);
1777 DESTROY_IF(this->prf);
1778 free(this->suites);
1779 free(this);
1780 }
1781
1782 /**
1783 * See header
1784 */
1785 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1786 {
1787 private_tls_crypto_t *this;
1788 enumerator_t *enumerator;
1789 credential_type_t type;
1790 int subtype;
1791
1792 INIT(this,
1793 .public = {
1794 .get_cipher_suites = _get_cipher_suites,
1795 .select_cipher_suite = _select_cipher_suite,
1796 .get_dh_group = _get_dh_group,
1797 .get_signature_algorithms = _get_signature_algorithms,
1798 .create_ec_enumerator = _create_ec_enumerator,
1799 .set_protection = _set_protection,
1800 .append_handshake = _append_handshake,
1801 .sign = _sign,
1802 .verify = _verify,
1803 .sign_handshake = _sign_handshake,
1804 .verify_handshake = _verify_handshake,
1805 .calculate_finished = _calculate_finished,
1806 .derive_secrets = _derive_secrets,
1807 .resume_session = _resume_session,
1808 .get_session = _get_session,
1809 .change_cipher = _change_cipher,
1810 .get_eap_msk = _get_eap_msk,
1811 .destroy = _destroy,
1812 },
1813 .tls = tls,
1814 .cache = cache,
1815 );
1816
1817 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1818 while (enumerator->enumerate(enumerator, &type, &subtype))
1819 {
1820 if (type == CRED_PUBLIC_KEY)
1821 {
1822 switch (subtype)
1823 {
1824 case KEY_RSA:
1825 this->rsa = TRUE;
1826 break;
1827 case KEY_ECDSA:
1828 this->ecdsa = TRUE;
1829 break;
1830 default:
1831 break;
1832 }
1833 }
1834 }
1835 enumerator->destroy(enumerator);
1836
1837 switch (tls->get_purpose(tls))
1838 {
1839 case TLS_PURPOSE_EAP_TLS:
1840 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1841 this->msk_label = "client EAP encryption";
1842 build_cipher_suite_list(this, FALSE);
1843 break;
1844 case TLS_PURPOSE_EAP_PEAP:
1845 this->msk_label = "client EAP encryption";
1846 build_cipher_suite_list(this, TRUE);
1847 break;
1848 case TLS_PURPOSE_EAP_TTLS:
1849 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1850 this->msk_label = "ttls keying material";
1851 build_cipher_suite_list(this, TRUE);
1852 break;
1853 case TLS_PURPOSE_GENERIC:
1854 build_cipher_suite_list(this, TRUE);
1855 break;
1856 case TLS_PURPOSE_GENERIC_NULLOK:
1857 build_cipher_suite_list(this, FALSE);
1858 break;
1859 default:
1860 break;
1861 }
1862 return &this->public;
1863 }
1864
1865 /**
1866 * See header.
1867 */
1868 int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out)
1869 {
1870 suite_algs_t suites[countof(suite_algs)];
1871 int count = countof(suite_algs), i;
1872
1873 /* initialize copy of suite list */
1874 for (i = 0; i < count; i++)
1875 {
1876 suites[i] = suite_algs[i];
1877 }
1878
1879 filter_unsupported_suites(suites, &count);
1880
1881 if (!null)
1882 {
1883 filter_null_suites(suites, &count);
1884 }
1885
1886 if (out)
1887 {
1888 *out = calloc(count, sizeof(tls_cipher_suite_t));
1889 for (i = 0; i < count; i++)
1890 {
1891 (*out)[i] = suites[i].suite;
1892 }
1893 }
1894 return count;
1895 }