Added strongswan.conf options to filter cipher suites by specific algorithms
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ecp_format_names, TLS_ECP_COMPRESSED, TLS_ECP_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 typedef struct private_tls_crypto_t private_tls_crypto_t;
319
320 /**
321 * Private data of an tls_crypto_t object.
322 */
323 struct private_tls_crypto_t {
324
325 /**
326 * Public tls_crypto_t interface.
327 */
328 tls_crypto_t public;
329
330 /**
331 * Protection layer
332 */
333 tls_protection_t *protection;
334
335 /**
336 * List of supported/acceptable cipher suites
337 */
338 tls_cipher_suite_t *suites;
339
340 /**
341 * Number of supported suites
342 */
343 int suite_count;
344
345 /**
346 * Selected cipher suite
347 */
348 tls_cipher_suite_t suite;
349
350 /**
351 * RSA supported?
352 */
353 bool rsa;
354
355 /**
356 * ECDSA supported?
357 */
358 bool ecdsa;
359
360 /**
361 * TLS context
362 */
363 tls_t *tls;
364
365 /**
366 * All handshake data concatentated
367 */
368 chunk_t handshake;
369
370 /**
371 * Connection state TLS PRF
372 */
373 tls_prf_t *prf;
374
375 /**
376 * Signer instance for inbound traffic
377 */
378 signer_t *signer_in;
379
380 /**
381 * Signer instance for outbound traffic
382 */
383 signer_t *signer_out;
384
385 /**
386 * Crypter instance for inbound traffic
387 */
388 crypter_t *crypter_in;
389
390 /**
391 * Crypter instance for outbound traffic
392 */
393 crypter_t *crypter_out;
394
395 /**
396 * IV for input decryption, if < TLSv1.2
397 */
398 chunk_t iv_in;
399
400 /**
401 * IV for output decryption, if < TLSv1.2
402 */
403 chunk_t iv_out;
404
405 /**
406 * EAP-[T]TLS MSK
407 */
408 chunk_t msk;
409
410 /**
411 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
412 */
413 char *msk_label;
414 };
415
416 typedef struct {
417 tls_cipher_suite_t suite;
418 key_type_t key;
419 diffie_hellman_group_t dh;
420 hash_algorithm_t hash;
421 pseudo_random_function_t prf;
422 integrity_algorithm_t mac;
423 encryption_algorithm_t encr;
424 size_t encr_size;
425 } suite_algs_t;
426
427 /**
428 * Mapping suites to a set of algorithms
429 */
430 static suite_algs_t suite_algs[] = {
431 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
432 KEY_ECDSA, ECP_256_BIT,
433 HASH_SHA1, PRF_HMAC_SHA1,
434 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
435 },
436 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
437 KEY_ECDSA, ECP_256_BIT,
438 HASH_SHA256, PRF_HMAC_SHA2_256,
439 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
440 },
441 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
442 KEY_ECDSA, ECP_384_BIT,
443 HASH_SHA1, PRF_HMAC_SHA1,
444 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
445 },
446 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
447 KEY_ECDSA, ECP_384_BIT,
448 HASH_SHA384, PRF_HMAC_SHA2_384,
449 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
450 },
451 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
452 KEY_RSA, ECP_256_BIT,
453 HASH_SHA1, PRF_HMAC_SHA1,
454 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
455 },
456 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
457 KEY_RSA, ECP_256_BIT,
458 HASH_SHA256, PRF_HMAC_SHA2_256,
459 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
460 },
461 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
462 KEY_RSA, ECP_384_BIT,
463 HASH_SHA1, PRF_HMAC_SHA1,
464 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
465 },
466 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
467 KEY_RSA, ECP_384_BIT,
468 HASH_SHA384, PRF_HMAC_SHA2_384,
469 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
470 },
471 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
472 KEY_RSA, MODP_2048_BIT,
473 HASH_SHA1, PRF_HMAC_SHA1,
474 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
475 },
476 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
477 KEY_RSA, MODP_3072_BIT,
478 HASH_SHA256, PRF_HMAC_SHA2_256,
479 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
480 },
481 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
482 KEY_RSA, MODP_3072_BIT,
483 HASH_SHA1, PRF_HMAC_SHA1,
484 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
485 },
486 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
487 KEY_RSA, MODP_4096_BIT,
488 HASH_SHA256, PRF_HMAC_SHA2_256,
489 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
490 },
491 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
492 KEY_RSA, MODP_2048_BIT,
493 HASH_SHA1, PRF_HMAC_SHA1,
494 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
495 },
496 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
497 KEY_RSA, MODP_3072_BIT,
498 HASH_SHA256, PRF_HMAC_SHA2_256,
499 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
500 },
501 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
502 KEY_RSA, MODP_3072_BIT,
503 HASH_SHA1, PRF_HMAC_SHA1,
504 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
505 },
506 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
507 KEY_RSA, MODP_4096_BIT,
508 HASH_SHA256, PRF_HMAC_SHA2_256,
509 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
510 },
511 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
512 KEY_RSA, MODP_2048_BIT,
513 HASH_SHA1, PRF_HMAC_SHA1,
514 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
515 },
516 { TLS_RSA_WITH_AES_128_CBC_SHA,
517 KEY_RSA, MODP_NONE,
518 HASH_SHA1, PRF_HMAC_SHA1,
519 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
520 },
521 { TLS_RSA_WITH_AES_128_CBC_SHA256,
522 KEY_RSA, MODP_NONE,
523 HASH_SHA256, PRF_HMAC_SHA2_256,
524 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
525 },
526 { TLS_RSA_WITH_AES_256_CBC_SHA,
527 KEY_RSA, MODP_NONE,
528 HASH_SHA1, PRF_HMAC_SHA1,
529 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
530 },
531 { TLS_RSA_WITH_AES_256_CBC_SHA256,
532 KEY_RSA, MODP_NONE,
533 HASH_SHA256, PRF_HMAC_SHA2_256,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
535 },
536 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
537 KEY_RSA, MODP_NONE,
538 HASH_SHA1, PRF_HMAC_SHA1,
539 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
540 },
541 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
542 KEY_RSA, MODP_NONE,
543 HASH_SHA256, PRF_HMAC_SHA2_256,
544 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
545 },
546 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
547 KEY_RSA, MODP_NONE,
548 HASH_SHA1, PRF_HMAC_SHA1,
549 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
550 },
551 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
552 KEY_RSA, MODP_NONE,
553 HASH_SHA256, PRF_HMAC_SHA2_256,
554 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
555 },
556 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
557 KEY_ECDSA, ECP_256_BIT,
558 HASH_SHA1, PRF_HMAC_SHA1,
559 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
560 },
561 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
562 KEY_RSA, ECP_256_BIT,
563 HASH_SHA1, PRF_HMAC_SHA1,
564 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
565 },
566 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
567 KEY_RSA, MODP_NONE,
568 HASH_SHA1, PRF_HMAC_SHA1,
569 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
570 },
571 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
572 KEY_ECDSA, ECP_256_BIT,
573 HASH_SHA1, PRF_HMAC_SHA1,
574 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
575 },
576 { TLS_ECDHE_RSA_WITH_NULL_SHA,
577 KEY_ECDSA, ECP_256_BIT,
578 HASH_SHA1, PRF_HMAC_SHA1,
579 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
580 },
581 { TLS_RSA_WITH_NULL_SHA,
582 KEY_RSA, MODP_NONE,
583 HASH_SHA1, PRF_HMAC_SHA1,
584 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
585 },
586 { TLS_RSA_WITH_NULL_SHA256,
587 KEY_RSA, MODP_NONE,
588 HASH_SHA256, PRF_HMAC_SHA2_256,
589 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
590 },
591 { TLS_RSA_WITH_NULL_MD5,
592 KEY_RSA, MODP_NONE,
593 HASH_MD5, PRF_HMAC_MD5,
594 AUTH_HMAC_MD5_128, ENCR_NULL, 0
595 },
596 };
597
598 /**
599 * Look up algoritms by a suite
600 */
601 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
602 {
603 int i;
604
605 for (i = 0; i < countof(suite_algs); i++)
606 {
607 if (suite_algs[i].suite == suite)
608 {
609 return &suite_algs[i];
610 }
611 }
612 return NULL;
613 }
614
615 /**
616 * Filter a suite list using a transform enumerator
617 */
618 static void filter_suite(private_tls_crypto_t *this,
619 suite_algs_t suites[], int *count, int offset,
620 enumerator_t*(*create_enumerator)(crypto_factory_t*))
621 {
622 suite_algs_t current;
623 int i, remaining = 0;
624 enumerator_t *enumerator;
625
626 memset(&current, 0, sizeof(current));
627 for (i = 0; i < *count; i++)
628 {
629 enumerator = create_enumerator(lib->crypto);
630 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
631 {
632 if ((suites[i].encr == ENCR_NULL ||
633 !current.encr || current.encr == suites[i].encr) &&
634 (!current.mac || current.mac == suites[i].mac) &&
635 (!current.prf || current.prf == suites[i].prf) &&
636 (!current.hash || current.hash == suites[i].hash) &&
637 (suites[i].dh == MODP_NONE ||
638 !current.dh || current.dh == suites[i].dh))
639 {
640 suites[remaining] = suites[i];
641 remaining++;
642 break;
643 }
644 }
645 enumerator->destroy(enumerator);
646 }
647 *count = remaining;
648 }
649
650 /**
651 * Purge NULL encryption cipher suites from list
652 */
653 static void filter_null_suites(private_tls_crypto_t *this,
654 suite_algs_t suites[], int *count)
655 {
656 int i, remaining = 0;
657
658 for (i = 0; i < *count; i++)
659 {
660 if (suites[i].encr != ENCR_NULL)
661 {
662 suites[remaining] = suites[i];
663 remaining++;
664 }
665 }
666 *count = remaining;
667 }
668
669 /**
670 * Purge suites using a given key type
671 */
672 static void filter_key_suites(private_tls_crypto_t *this,
673 suite_algs_t suites[], int *count, key_type_t key)
674 {
675 int i, remaining = 0;
676
677 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
678 for (i = 0; i < *count; i++)
679 {
680 if (suites[i].key != key)
681 {
682 suites[remaining] = suites[i];
683 remaining++;
684 }
685 }
686 *count = remaining;
687 }
688
689 /**
690 * Filter suites by key exchange user config
691 */
692 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
693 suite_algs_t suites[], int *count)
694 {
695 enumerator_t *enumerator;
696 int i, remaining = 0;
697 char *token, *config;
698
699 config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
700 if (config)
701 {
702 for (i = 0; i < *count; i++)
703 {
704 enumerator = enumerator_create_token(config, ",", " ");
705 while (enumerator->enumerate(enumerator, &token))
706 {
707 if (strcaseeq(token, "ecdhe-ecdsa") &&
708 diffie_hellman_group_is_ec(suites[i].dh) &&
709 suites[i].key == KEY_ECDSA)
710 {
711 suites[remaining++] = suites[i];
712 break;
713 }
714 if (strcaseeq(token, "ecdhe-rsa") &&
715 diffie_hellman_group_is_ec(suites[i].dh) &&
716 suites[i].key == KEY_RSA)
717 {
718 suites[remaining++] = suites[i];
719 break;
720 }
721 if (strcaseeq(token, "dhe-rsa") &&
722 !diffie_hellman_group_is_ec(suites[i].dh) &&
723 suites[i].dh != MODP_NONE &&
724 suites[i].key == KEY_RSA)
725 {
726 suites[remaining++] = suites[i];
727 break;
728 }
729 if (strcaseeq(token, "rsa") &&
730 suites[i].dh == MODP_NONE &&
731 suites[i].key == KEY_RSA)
732 {
733 suites[remaining++] = suites[i];
734 break;
735 }
736 }
737 enumerator->destroy(enumerator);
738 }
739 *count = remaining;
740 }
741 }
742
743 /**
744 * Filter suites by cipher user config
745 */
746 static void filter_cipher_config_suites(private_tls_crypto_t *this,
747 suite_algs_t suites[], int *count)
748 {
749 enumerator_t *enumerator;
750 int i, remaining = 0;
751 char *token, *config;
752
753 config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
754 if (config)
755 {
756 for (i = 0; i < *count; i++)
757 {
758 enumerator = enumerator_create_token(config, ",", " ");
759 while (enumerator->enumerate(enumerator, &token))
760 {
761 if (strcaseeq(token, "aes128") &&
762 suites[i].encr == ENCR_AES_CBC &&
763 suites[i].encr_size == 16)
764 {
765 suites[remaining++] = suites[i];
766 break;
767 }
768 if (strcaseeq(token, "aes256") &&
769 suites[i].encr == ENCR_AES_CBC &&
770 suites[i].encr_size == 32)
771 {
772 suites[remaining++] = suites[i];
773 break;
774 }
775 if (strcaseeq(token, "camellia128") &&
776 suites[i].encr == ENCR_CAMELLIA_CBC &&
777 suites[i].encr_size == 16)
778 {
779 suites[remaining++] = suites[i];
780 break;
781 }
782 if (strcaseeq(token, "camellia256") &&
783 suites[i].encr == ENCR_CAMELLIA_CBC &&
784 suites[i].encr_size == 32)
785 {
786 suites[remaining++] = suites[i];
787 break;
788 }
789 if (strcaseeq(token, "3des") &&
790 suites[i].encr == ENCR_3DES)
791 {
792 suites[remaining++] = suites[i];
793 break;
794 }
795 if (strcaseeq(token, "null") &&
796 suites[i].encr == ENCR_NULL)
797 {
798 suites[remaining++] = suites[i];
799 break;
800 }
801 }
802 enumerator->destroy(enumerator);
803 }
804 *count = remaining;
805 }
806 }
807
808 /**
809 * Filter suites by mac user config
810 */
811 static void filter_mac_config_suites(private_tls_crypto_t *this,
812 suite_algs_t suites[], int *count)
813 {
814 enumerator_t *enumerator;
815 int i, remaining = 0;
816 char *token, *config;
817
818 config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
819 if (config)
820 {
821 for (i = 0; i < *count; i++)
822 {
823 enumerator = enumerator_create_token(config, ",", " ");
824 while (enumerator->enumerate(enumerator, &token))
825 {
826 if (strcaseeq(token, "md5") &&
827 suites[i].hash == HASH_MD5)
828 {
829 suites[remaining++] = suites[i];
830 break;
831 }
832 if (strcaseeq(token, "sha1") &&
833 suites[i].hash == HASH_SHA1)
834 {
835 suites[remaining++] = suites[i];
836 break;
837 }
838 if (strcaseeq(token, "sha256") &&
839 suites[i].hash == HASH_SHA256)
840 {
841 suites[remaining++] = suites[i];
842 break;
843 }
844 if (strcaseeq(token, "sha384") &&
845 suites[i].hash == HASH_SHA384)
846 {
847 suites[remaining++] = suites[i];
848 break;
849 }
850 }
851 enumerator->destroy(enumerator);
852 }
853 *count = remaining;
854 }
855 }
856
857 /**
858 * Initialize the cipher suite list
859 */
860 static void build_cipher_suite_list(private_tls_crypto_t *this,
861 bool require_encryption)
862 {
863 suite_algs_t suites[countof(suite_algs)];
864 int count = countof(suite_algs), i;
865
866 /* copy all suites */
867 for (i = 0; i < count; i++)
868 {
869 suites[i] = suite_algs[i];
870 }
871 if (require_encryption)
872 {
873 filter_null_suites(this, suites, &count);
874 }
875 if (!this->rsa)
876 {
877 filter_key_suites(this, suites, &count, KEY_RSA);
878 }
879 if (!this->ecdsa)
880 {
881 filter_key_suites(this, suites, &count, KEY_ECDSA);
882 }
883
884 /* filter suite list by each algorithm */
885 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
886 lib->crypto->create_crypter_enumerator);
887 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
888 lib->crypto->create_signer_enumerator);
889 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
890 lib->crypto->create_prf_enumerator);
891 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
892 lib->crypto->create_hasher_enumerator);
893 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
894 lib->crypto->create_dh_enumerator);
895
896 /* filter suites with strongswan.conf options */
897 filter_key_exchange_config_suites(this, suites, &count);
898 filter_cipher_config_suites(this, suites, &count);
899 filter_mac_config_suites(this, suites, &count);
900
901 free(this->suites);
902 this->suite_count = count;
903 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
904
905 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
906 for (i = 0; i < count; i++)
907 {
908 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
909 this->suites[i] = suites[i].suite;
910 }
911 }
912
913 METHOD(tls_crypto_t, get_cipher_suites, int,
914 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
915 {
916 *suites = this->suites;
917 return this->suite_count;
918 }
919
920 /**
921 * Create crypto primitives
922 */
923 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
924 {
925 DESTROY_IF(this->prf);
926 if (this->tls->get_version(this->tls) < TLS_1_2)
927 {
928 this->prf = tls_prf_create_10();
929 }
930 else
931 {
932 this->prf = tls_prf_create_12(algs->prf);
933 }
934 if (!this->prf)
935 {
936 DBG1(DBG_TLS, "selected TLS PRF not supported");
937 return FALSE;
938 }
939
940 DESTROY_IF(this->signer_in);
941 DESTROY_IF(this->signer_out);
942 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
943 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
944 if (!this->signer_in || !this->signer_out)
945 {
946 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
947 integrity_algorithm_names, algs->mac);
948 return FALSE;
949 }
950
951 DESTROY_IF(this->crypter_in);
952 DESTROY_IF(this->crypter_out);
953 if (algs->encr == ENCR_NULL)
954 {
955 this->crypter_in = this->crypter_out = NULL;
956 }
957 else
958 {
959 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
960 algs->encr, algs->encr_size);
961 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
962 algs->encr, algs->encr_size);
963 if (!this->crypter_in || !this->crypter_out)
964 {
965 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
966 encryption_algorithm_names, algs->encr);
967 return FALSE;
968 }
969 }
970 return TRUE;
971 }
972
973 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
974 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
975 key_type_t key)
976 {
977 suite_algs_t *algs;
978 int i, j;
979
980 for (i = 0; i < this->suite_count; i++)
981 {
982 for (j = 0; j < count; j++)
983 {
984 if (this->suites[i] == suites[j])
985 {
986 algs = find_suite(this->suites[i]);
987 if (algs)
988 {
989 if (key == KEY_ANY || key == algs->key)
990 {
991 if (create_ciphers(this, algs))
992 {
993 this->suite = this->suites[i];
994 return this->suite;
995 }
996 }
997 }
998 }
999 }
1000 }
1001 return 0;
1002 }
1003
1004 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1005 private_tls_crypto_t *this)
1006 {
1007 suite_algs_t *algs;
1008
1009 algs = find_suite(this->suite);
1010 if (algs)
1011 {
1012 return algs->dh;
1013 }
1014 return MODP_NONE;
1015 }
1016
1017 METHOD(tls_crypto_t, get_signature_algorithms, void,
1018 private_tls_crypto_t *this, tls_writer_t *writer)
1019 {
1020 tls_writer_t *supported;
1021 enumerator_t *enumerator;
1022 hash_algorithm_t alg;
1023 tls_hash_algorithm_t hash;
1024
1025 supported = tls_writer_create(32);
1026 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1027 while (enumerator->enumerate(enumerator, &alg))
1028 {
1029 switch (alg)
1030 {
1031 case HASH_MD5:
1032 hash = TLS_HASH_MD5;
1033 break;
1034 case HASH_SHA1:
1035 hash = TLS_HASH_SHA1;
1036 break;
1037 case HASH_SHA224:
1038 hash = TLS_HASH_SHA224;
1039 break;
1040 case HASH_SHA256:
1041 hash = TLS_HASH_SHA256;
1042 break;
1043 case HASH_SHA384:
1044 hash = TLS_HASH_SHA384;
1045 break;
1046 case HASH_SHA512:
1047 hash = TLS_HASH_SHA512;
1048 break;
1049 default:
1050 continue;
1051 }
1052 if (this->rsa)
1053 {
1054 supported->write_uint8(supported, hash);
1055 supported->write_uint8(supported, TLS_SIG_RSA);
1056 }
1057 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1058 { /* currently we have no signature scheme for MD5/SHA224 */
1059 supported->write_uint8(supported, hash);
1060 supported->write_uint8(supported, TLS_SIG_ECDSA);
1061 }
1062 }
1063 enumerator->destroy(enumerator);
1064
1065 writer->write_data16(writer, supported->get_buf(supported));
1066 supported->destroy(supported);
1067 }
1068
1069 /**
1070 * Mapping groups to TLS named curves
1071 */
1072 static struct {
1073 diffie_hellman_group_t group;
1074 tls_named_curve_t curve;
1075 } curves[] = {
1076 { ECP_256_BIT, TLS_SECP256R1},
1077 { ECP_384_BIT, TLS_SECP384R1},
1078 { ECP_521_BIT, TLS_SECP521R1},
1079 { ECP_224_BIT, TLS_SECP224R1},
1080 { ECP_192_BIT, TLS_SECP192R1},
1081 };
1082
1083 /**
1084 * Filter EC groups, add TLS curve
1085 */
1086 static bool group_filter(void *null,
1087 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1088 void* dummy1, tls_named_curve_t *curve)
1089 {
1090 int i;
1091
1092 for (i = 0; i < countof(curves); i++)
1093 {
1094 if (curves[i].group == *in)
1095 {
1096 if (out)
1097 {
1098 *out = curves[i].group;
1099 }
1100 if (curve)
1101 {
1102 *curve = curves[i].curve;
1103 }
1104 return TRUE;
1105 }
1106 }
1107 return FALSE;
1108 }
1109
1110 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1111 private_tls_crypto_t *this)
1112 {
1113 return enumerator_create_filter(
1114 lib->crypto->create_dh_enumerator(lib->crypto),
1115 (void*)group_filter, NULL, NULL);
1116 }
1117
1118 METHOD(tls_crypto_t, set_protection, void,
1119 private_tls_crypto_t *this, tls_protection_t *protection)
1120 {
1121 this->protection = protection;
1122 }
1123
1124 METHOD(tls_crypto_t, append_handshake, void,
1125 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1126 {
1127 u_int32_t header;
1128
1129 /* reconstruct handshake header */
1130 header = htonl(data.len | (type << 24));
1131 this->handshake = chunk_cat("mcc", this->handshake,
1132 chunk_from_thing(header), data);
1133 }
1134
1135 /**
1136 * Create a hash using the suites HASH algorithm
1137 */
1138 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1139 {
1140 if (this->tls->get_version(this->tls) >= TLS_1_2)
1141 {
1142 hasher_t *hasher;
1143 suite_algs_t *alg;
1144
1145 alg = find_suite(this->suite);
1146 if (!alg)
1147 {
1148 return FALSE;
1149 }
1150 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1151 if (!hasher)
1152 {
1153 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1154 return FALSE;
1155 }
1156 hasher->allocate_hash(hasher, data, hash);
1157 hasher->destroy(hasher);
1158 }
1159 else
1160 {
1161 hasher_t *md5, *sha1;
1162 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1163
1164 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1165 if (!md5)
1166 {
1167 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1168 return FALSE;
1169 }
1170 md5->get_hash(md5, data, buf);
1171 md5->destroy(md5);
1172 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1173 if (!sha1)
1174 {
1175 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1176 return FALSE;
1177 }
1178 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
1179 sha1->destroy(sha1);
1180
1181 *hash = chunk_clone(chunk_from_thing(buf));
1182 }
1183 return TRUE;
1184 }
1185
1186 /**
1187 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1188 */
1189 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1190 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1191 {
1192 switch (sig)
1193 {
1194 case TLS_SIG_RSA:
1195 if (type != KEY_RSA)
1196 {
1197 return SIGN_UNKNOWN;
1198 }
1199 switch (hash)
1200 {
1201 case TLS_HASH_MD5:
1202 return SIGN_RSA_EMSA_PKCS1_MD5;
1203 case TLS_HASH_SHA1:
1204 return SIGN_RSA_EMSA_PKCS1_SHA1;
1205 case TLS_HASH_SHA224:
1206 return SIGN_RSA_EMSA_PKCS1_SHA224;
1207 case TLS_HASH_SHA256:
1208 return SIGN_RSA_EMSA_PKCS1_SHA256;
1209 case TLS_HASH_SHA384:
1210 return SIGN_RSA_EMSA_PKCS1_SHA384;
1211 case TLS_HASH_SHA512:
1212 return SIGN_RSA_EMSA_PKCS1_SHA512;
1213 default:
1214 return SIGN_UNKNOWN;
1215 }
1216 case TLS_SIG_ECDSA:
1217 if (type != KEY_ECDSA)
1218 {
1219 return SIGN_UNKNOWN;
1220 }
1221 switch (hash)
1222 {
1223 case TLS_HASH_SHA224:
1224 return SIGN_ECDSA_WITH_SHA1_DER;
1225 case TLS_HASH_SHA256:
1226 return SIGN_ECDSA_WITH_SHA256_DER;
1227 case TLS_HASH_SHA384:
1228 return SIGN_ECDSA_WITH_SHA384_DER;
1229 case TLS_HASH_SHA512:
1230 return SIGN_ECDSA_WITH_SHA512_DER;
1231 default:
1232 return SIGN_UNKNOWN;
1233 }
1234 default:
1235 return SIGN_UNKNOWN;
1236 }
1237 }
1238
1239 METHOD(tls_crypto_t, sign, bool,
1240 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1241 chunk_t data, chunk_t hashsig)
1242 {
1243 if (this->tls->get_version(this->tls) >= TLS_1_2)
1244 {
1245 signature_scheme_t scheme;
1246 tls_reader_t *reader;
1247 u_int8_t hash, alg;
1248 chunk_t sig;
1249 bool done = FALSE;
1250
1251 if (!hashsig.len)
1252 { /* fallback if none given */
1253 hashsig = chunk_from_chars(
1254 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1255 }
1256 reader = tls_reader_create(hashsig);
1257 while (reader->remaining(reader) >= 2)
1258 {
1259 if (reader->read_uint8(reader, &hash) &&
1260 reader->read_uint8(reader, &alg))
1261 {
1262 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1263 if (scheme != SIGN_UNKNOWN &&
1264 key->sign(key, scheme, data, &sig))
1265 {
1266 done = TRUE;
1267 break;
1268 }
1269 }
1270 }
1271 reader->destroy(reader);
1272 if (!done)
1273 {
1274 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1275 return FALSE;
1276 }
1277 DBG2(DBG_TLS, "created signature with %N/%N",
1278 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1279 writer->write_uint8(writer, hash);
1280 writer->write_uint8(writer, alg);
1281 writer->write_data16(writer, sig);
1282 free(sig.ptr);
1283 }
1284 else
1285 {
1286 chunk_t sig, hash;
1287 bool done;
1288
1289 switch (key->get_type(key))
1290 {
1291 case KEY_RSA:
1292 if (!hash_data(this, data, &hash))
1293 {
1294 return FALSE;
1295 }
1296 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1297 free(hash.ptr);
1298 if (!done)
1299 {
1300 return FALSE;
1301 }
1302 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1303 break;
1304 case KEY_ECDSA:
1305 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1306 {
1307 return FALSE;
1308 }
1309 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1310 break;
1311 default:
1312 return FALSE;
1313 }
1314 writer->write_data16(writer, sig);
1315 free(sig.ptr);
1316 }
1317 return TRUE;
1318 }
1319
1320 METHOD(tls_crypto_t, verify, bool,
1321 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1322 chunk_t data)
1323 {
1324 if (this->tls->get_version(this->tls) >= TLS_1_2)
1325 {
1326 signature_scheme_t scheme = SIGN_UNKNOWN;
1327 u_int8_t hash, alg;
1328 chunk_t sig;
1329
1330 if (!reader->read_uint8(reader, &hash) ||
1331 !reader->read_uint8(reader, &alg) ||
1332 !reader->read_data16(reader, &sig))
1333 {
1334 DBG1(DBG_TLS, "received invalid signature");
1335 return FALSE;
1336 }
1337 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1338 if (scheme == SIGN_UNKNOWN)
1339 {
1340 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1341 tls_hash_algorithm_names, hash,
1342 tls_signature_algorithm_names, alg);
1343 return FALSE;
1344 }
1345 if (!key->verify(key, scheme, data, sig))
1346 {
1347 return FALSE;
1348 }
1349 DBG2(DBG_TLS, "verified signature with %N/%N",
1350 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1351 }
1352 else
1353 {
1354 chunk_t sig, hash;
1355 bool done;
1356
1357 if (!reader->read_data16(reader, &sig))
1358 {
1359 DBG1(DBG_TLS, "received invalid signature");
1360 return FALSE;
1361 }
1362 switch (key->get_type(key))
1363 {
1364 case KEY_RSA:
1365 if (!hash_data(this, data, &hash))
1366 {
1367 return FALSE;
1368 }
1369 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1370 free(hash.ptr);
1371 if (!done)
1372 {
1373 return FALSE;
1374 }
1375 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1376 break;
1377 case KEY_ECDSA:
1378 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1379 {
1380 return FALSE;
1381 }
1382 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1383 break;
1384 default:
1385 return FALSE;
1386 }
1387 }
1388 return TRUE;
1389 }
1390
1391 METHOD(tls_crypto_t, sign_handshake, bool,
1392 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1393 chunk_t hashsig)
1394 {
1395 return sign(this, key, writer, this->handshake, hashsig);
1396 }
1397
1398 METHOD(tls_crypto_t, verify_handshake, bool,
1399 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1400 {
1401 return verify(this, key, reader, this->handshake);
1402 }
1403
1404 METHOD(tls_crypto_t, calculate_finished, bool,
1405 private_tls_crypto_t *this, char *label, char out[12])
1406 {
1407 chunk_t seed;
1408
1409 if (!this->prf)
1410 {
1411 return FALSE;
1412 }
1413 if (!hash_data(this, this->handshake, &seed))
1414 {
1415 return FALSE;
1416 }
1417 this->prf->get_bytes(this->prf, label, seed, 12, out);
1418 free(seed.ptr);
1419 return TRUE;
1420 }
1421
1422 METHOD(tls_crypto_t, derive_secrets, void,
1423 private_tls_crypto_t *this, chunk_t premaster,
1424 chunk_t client_random, chunk_t server_random)
1425 {
1426 char master[48];
1427 chunk_t seed, block, client_write, server_write;
1428 int mks, eks = 0, ivs = 0;
1429
1430 /* derive master secret */
1431 seed = chunk_cata("cc", client_random, server_random);
1432 this->prf->set_key(this->prf, premaster);
1433 this->prf->get_bytes(this->prf, "master secret", seed,
1434 sizeof(master), master);
1435
1436 this->prf->set_key(this->prf, chunk_from_thing(master));
1437 memset(master, 0, sizeof(master));
1438
1439 /* derive key block for key expansion */
1440 mks = this->signer_out->get_key_size(this->signer_out);
1441 if (this->crypter_out)
1442 {
1443 eks = this->crypter_out->get_key_size(this->crypter_out);
1444 if (this->tls->get_version(this->tls) < TLS_1_1)
1445 {
1446 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1447 }
1448 }
1449 seed = chunk_cata("cc", server_random, client_random);
1450 block = chunk_alloca((mks + eks + ivs) * 2);
1451 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1452
1453 /* signer keys */
1454 client_write = chunk_create(block.ptr, mks);
1455 block = chunk_skip(block, mks);
1456 server_write = chunk_create(block.ptr, mks);
1457 block = chunk_skip(block, mks);
1458 if (this->tls->is_server(this->tls))
1459 {
1460 this->signer_in->set_key(this->signer_in, client_write);
1461 this->signer_out->set_key(this->signer_out, server_write);
1462 }
1463 else
1464 {
1465 this->signer_out->set_key(this->signer_out, client_write);
1466 this->signer_in->set_key(this->signer_in, server_write);
1467 }
1468
1469 /* crypter keys, and IVs if < TLSv1.2 */
1470 if (this->crypter_out && this->crypter_in)
1471 {
1472 client_write = chunk_create(block.ptr, eks);
1473 block = chunk_skip(block, eks);
1474 server_write = chunk_create(block.ptr, eks);
1475 block = chunk_skip(block, eks);
1476
1477 if (this->tls->is_server(this->tls))
1478 {
1479 this->crypter_in->set_key(this->crypter_in, client_write);
1480 this->crypter_out->set_key(this->crypter_out, server_write);
1481 }
1482 else
1483 {
1484 this->crypter_out->set_key(this->crypter_out, client_write);
1485 this->crypter_in->set_key(this->crypter_in, server_write);
1486 }
1487 if (ivs)
1488 {
1489 client_write = chunk_create(block.ptr, ivs);
1490 block = chunk_skip(block, ivs);
1491 server_write = chunk_create(block.ptr, ivs);
1492 block = chunk_skip(block, ivs);
1493
1494 if (this->tls->is_server(this->tls))
1495 {
1496 this->iv_in = chunk_clone(client_write);
1497 this->iv_out = chunk_clone(server_write);
1498 }
1499 else
1500 {
1501 this->iv_out = chunk_clone(client_write);
1502 this->iv_in = chunk_clone(server_write);
1503 }
1504 }
1505 }
1506 }
1507
1508 METHOD(tls_crypto_t, change_cipher, void,
1509 private_tls_crypto_t *this, bool inbound)
1510 {
1511 if (this->protection)
1512 {
1513 if (inbound)
1514 {
1515 this->protection->set_cipher(this->protection, TRUE,
1516 this->signer_in, this->crypter_in, this->iv_in);
1517 }
1518 else
1519 {
1520 this->protection->set_cipher(this->protection, FALSE,
1521 this->signer_out, this->crypter_out, this->iv_out);
1522 }
1523 }
1524 }
1525
1526 METHOD(tls_crypto_t, derive_eap_msk, void,
1527 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1528 {
1529 if (this->msk_label)
1530 {
1531 chunk_t seed;
1532
1533 seed = chunk_cata("cc", client_random, server_random);
1534 free(this->msk.ptr);
1535 this->msk = chunk_alloc(64);
1536 this->prf->get_bytes(this->prf, this->msk_label, seed,
1537 this->msk.len, this->msk.ptr);
1538 }
1539 }
1540
1541 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1542 private_tls_crypto_t *this)
1543 {
1544 return this->msk;
1545 }
1546
1547 METHOD(tls_crypto_t, destroy, void,
1548 private_tls_crypto_t *this)
1549 {
1550 DESTROY_IF(this->signer_in);
1551 DESTROY_IF(this->signer_out);
1552 DESTROY_IF(this->crypter_in);
1553 DESTROY_IF(this->crypter_out);
1554 free(this->iv_in.ptr);
1555 free(this->iv_out.ptr);
1556 free(this->handshake.ptr);
1557 free(this->msk.ptr);
1558 DESTROY_IF(this->prf);
1559 free(this->suites);
1560 free(this);
1561 }
1562
1563 /**
1564 * See header
1565 */
1566 tls_crypto_t *tls_crypto_create(tls_t *tls)
1567 {
1568 private_tls_crypto_t *this;
1569 enumerator_t *enumerator;
1570 credential_type_t type;
1571 int subtype;
1572
1573 INIT(this,
1574 .public = {
1575 .get_cipher_suites = _get_cipher_suites,
1576 .select_cipher_suite = _select_cipher_suite,
1577 .get_dh_group = _get_dh_group,
1578 .get_signature_algorithms = _get_signature_algorithms,
1579 .create_ec_enumerator = _create_ec_enumerator,
1580 .set_protection = _set_protection,
1581 .append_handshake = _append_handshake,
1582 .sign = _sign,
1583 .verify = _verify,
1584 .sign_handshake = _sign_handshake,
1585 .verify_handshake = _verify_handshake,
1586 .calculate_finished = _calculate_finished,
1587 .derive_secrets = _derive_secrets,
1588 .change_cipher = _change_cipher,
1589 .derive_eap_msk = _derive_eap_msk,
1590 .get_eap_msk = _get_eap_msk,
1591 .destroy = _destroy,
1592 },
1593 .tls = tls,
1594 );
1595
1596 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1597 while (enumerator->enumerate(enumerator, &type, &subtype))
1598 {
1599 if (type == CRED_PUBLIC_KEY)
1600 {
1601 switch (subtype)
1602 {
1603 case KEY_RSA:
1604 this->rsa = TRUE;
1605 break;
1606 case KEY_ECDSA:
1607 this->ecdsa = TRUE;
1608 break;
1609 default:
1610 break;
1611 }
1612 }
1613 }
1614 enumerator->destroy(enumerator);
1615
1616 switch (tls->get_purpose(tls))
1617 {
1618 case TLS_PURPOSE_EAP_TLS:
1619 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1620 this->msk_label = "client EAP encryption";
1621 build_cipher_suite_list(this, FALSE);
1622 break;
1623 case TLS_PURPOSE_EAP_TTLS:
1624 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1625 this->msk_label = "ttls keying material";
1626 build_cipher_suite_list(this, TRUE);
1627 break;
1628 case TLS_PURPOSE_GENERIC:
1629 build_cipher_suite_list(this, TRUE);
1630 break;
1631 }
1632 return &this->public;
1633 }