Add a return value to signer_t.set_key()
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * TLS session cache
374 */
375 tls_cache_t *cache;
376
377 /**
378 * All handshake data concatentated
379 */
380 chunk_t handshake;
381
382 /**
383 * Connection state TLS PRF
384 */
385 tls_prf_t *prf;
386
387 /**
388 * Signer instance for inbound traffic
389 */
390 signer_t *signer_in;
391
392 /**
393 * Signer instance for outbound traffic
394 */
395 signer_t *signer_out;
396
397 /**
398 * Crypter instance for inbound traffic
399 */
400 crypter_t *crypter_in;
401
402 /**
403 * Crypter instance for outbound traffic
404 */
405 crypter_t *crypter_out;
406
407 /**
408 * IV for input decryption, if < TLSv1.2
409 */
410 chunk_t iv_in;
411
412 /**
413 * IV for output decryption, if < TLSv1.2
414 */
415 chunk_t iv_out;
416
417 /**
418 * EAP-[T]TLS MSK
419 */
420 chunk_t msk;
421
422 /**
423 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
424 */
425 char *msk_label;
426 };
427
428 typedef struct {
429 tls_cipher_suite_t suite;
430 key_type_t key;
431 diffie_hellman_group_t dh;
432 hash_algorithm_t hash;
433 pseudo_random_function_t prf;
434 integrity_algorithm_t mac;
435 encryption_algorithm_t encr;
436 size_t encr_size;
437 } suite_algs_t;
438
439 /**
440 * Mapping suites to a set of algorithms
441 */
442 static suite_algs_t suite_algs[] = {
443 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
444 KEY_ECDSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
449 KEY_ECDSA, ECP_256_BIT,
450 HASH_SHA256, PRF_HMAC_SHA2_256,
451 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
452 },
453 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
454 KEY_ECDSA, ECP_384_BIT,
455 HASH_SHA256, PRF_HMAC_SHA2_256,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
459 KEY_ECDSA, ECP_384_BIT,
460 HASH_SHA384, PRF_HMAC_SHA2_384,
461 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
462 },
463 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
464 KEY_RSA, ECP_256_BIT,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
467 },
468 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
469 KEY_RSA, ECP_256_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
472 },
473 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
474 KEY_RSA, ECP_384_BIT,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
477 },
478 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
479 KEY_RSA, ECP_384_BIT,
480 HASH_SHA384, PRF_HMAC_SHA2_384,
481 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
482 },
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
484 KEY_RSA, MODP_2048_BIT,
485 HASH_SHA256,PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
492 },
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
494 KEY_RSA, MODP_3072_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
499 KEY_RSA, MODP_4096_BIT,
500 HASH_SHA256, PRF_HMAC_SHA2_256,
501 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
502 },
503 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
504 KEY_RSA, MODP_2048_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
507 },
508 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
509 KEY_RSA, MODP_3072_BIT,
510 HASH_SHA256, PRF_HMAC_SHA2_256,
511 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
512 },
513 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
514 KEY_RSA, MODP_3072_BIT,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
517 },
518 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
519 KEY_RSA, MODP_4096_BIT,
520 HASH_SHA256, PRF_HMAC_SHA2_256,
521 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
522 },
523 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
524 KEY_RSA, MODP_2048_BIT,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
527 },
528 { TLS_RSA_WITH_AES_128_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
532 },
533 { TLS_RSA_WITH_AES_128_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
537 },
538 { TLS_RSA_WITH_AES_256_CBC_SHA,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
542 },
543 { TLS_RSA_WITH_AES_256_CBC_SHA256,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA256, PRF_HMAC_SHA2_256,
546 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
547 },
548 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
552 },
553 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
554 KEY_RSA, MODP_NONE,
555 HASH_SHA256, PRF_HMAC_SHA2_256,
556 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
557 },
558 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
562 },
563 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
564 KEY_RSA, MODP_NONE,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
567 },
568 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
572 },
573 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
574 KEY_RSA, ECP_256_BIT,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
577 },
578 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
579 KEY_RSA, MODP_NONE,
580 HASH_SHA256, PRF_HMAC_SHA2_256,
581 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
582 },
583 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
584 KEY_ECDSA, ECP_256_BIT,
585 HASH_SHA256, PRF_HMAC_SHA2_256,
586 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
587 },
588 { TLS_ECDHE_RSA_WITH_NULL_SHA,
589 KEY_ECDSA, ECP_256_BIT,
590 HASH_SHA256, PRF_HMAC_SHA2_256,
591 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
592 },
593 { TLS_RSA_WITH_NULL_SHA,
594 KEY_RSA, MODP_NONE,
595 HASH_SHA256, PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
597 },
598 { TLS_RSA_WITH_NULL_SHA256,
599 KEY_RSA, MODP_NONE,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
602 },
603 { TLS_RSA_WITH_NULL_MD5,
604 KEY_RSA, MODP_NONE,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_MD5_128, ENCR_NULL, 0
607 },
608 };
609
610 /**
611 * Look up algorithms by a suite
612 */
613 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
614 {
615 int i;
616
617 for (i = 0; i < countof(suite_algs); i++)
618 {
619 if (suite_algs[i].suite == suite)
620 {
621 return &suite_algs[i];
622 }
623 }
624 return NULL;
625 }
626
627 /**
628 * Filter a suite list using a transform enumerator
629 */
630 static void filter_suite(private_tls_crypto_t *this,
631 suite_algs_t suites[], int *count, int offset,
632 enumerator_t*(*create_enumerator)(crypto_factory_t*))
633 {
634 const char *plugin_name;
635 suite_algs_t current;
636 int *current_alg, i, remaining = 0;
637 enumerator_t *enumerator;
638
639 memset(&current, 0, sizeof(current));
640 current_alg = (int*)((char*)&current + offset);
641
642 for (i = 0; i < *count; i++)
643 {
644 enumerator = create_enumerator(lib->crypto);
645 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
646 {
647 if ((suites[i].encr == ENCR_NULL ||
648 !current.encr || current.encr == suites[i].encr) &&
649 (!current.mac || current.mac == suites[i].mac) &&
650 (!current.prf || current.prf == suites[i].prf) &&
651 (!current.hash || current.hash == suites[i].hash) &&
652 (suites[i].dh == MODP_NONE ||
653 !current.dh || current.dh == suites[i].dh))
654 {
655 suites[remaining] = suites[i];
656 remaining++;
657 break;
658 }
659 }
660 enumerator->destroy(enumerator);
661 }
662 *count = remaining;
663 }
664
665 /**
666 * Purge NULL encryption cipher suites from list
667 */
668 static void filter_null_suites(private_tls_crypto_t *this,
669 suite_algs_t suites[], int *count)
670 {
671 int i, remaining = 0;
672
673 for (i = 0; i < *count; i++)
674 {
675 if (suites[i].encr != ENCR_NULL)
676 {
677 suites[remaining] = suites[i];
678 remaining++;
679 }
680 }
681 *count = remaining;
682 }
683
684 /**
685 * Purge suites using a given key type
686 */
687 static void filter_key_suites(private_tls_crypto_t *this,
688 suite_algs_t suites[], int *count, key_type_t key)
689 {
690 int i, remaining = 0;
691
692 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
693 for (i = 0; i < *count; i++)
694 {
695 if (suites[i].key != key)
696 {
697 suites[remaining] = suites[i];
698 remaining++;
699 }
700 }
701 *count = remaining;
702 }
703
704 /**
705 * Filter suites by key exchange user config
706 */
707 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
708 suite_algs_t suites[], int *count)
709 {
710 enumerator_t *enumerator;
711 int i, remaining = 0;
712 char *token, *config;
713
714 config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
715 if (config)
716 {
717 for (i = 0; i < *count; i++)
718 {
719 enumerator = enumerator_create_token(config, ",", " ");
720 while (enumerator->enumerate(enumerator, &token))
721 {
722 if (strcaseeq(token, "ecdhe-ecdsa") &&
723 diffie_hellman_group_is_ec(suites[i].dh) &&
724 suites[i].key == KEY_ECDSA)
725 {
726 suites[remaining++] = suites[i];
727 break;
728 }
729 if (strcaseeq(token, "ecdhe-rsa") &&
730 diffie_hellman_group_is_ec(suites[i].dh) &&
731 suites[i].key == KEY_RSA)
732 {
733 suites[remaining++] = suites[i];
734 break;
735 }
736 if (strcaseeq(token, "dhe-rsa") &&
737 !diffie_hellman_group_is_ec(suites[i].dh) &&
738 suites[i].dh != MODP_NONE &&
739 suites[i].key == KEY_RSA)
740 {
741 suites[remaining++] = suites[i];
742 break;
743 }
744 if (strcaseeq(token, "rsa") &&
745 suites[i].dh == MODP_NONE &&
746 suites[i].key == KEY_RSA)
747 {
748 suites[remaining++] = suites[i];
749 break;
750 }
751 }
752 enumerator->destroy(enumerator);
753 }
754 *count = remaining;
755 }
756 }
757
758 /**
759 * Filter suites by cipher user config
760 */
761 static void filter_cipher_config_suites(private_tls_crypto_t *this,
762 suite_algs_t suites[], int *count)
763 {
764 enumerator_t *enumerator;
765 int i, remaining = 0;
766 char *token, *config;
767
768 config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
769 if (config)
770 {
771 for (i = 0; i < *count; i++)
772 {
773 enumerator = enumerator_create_token(config, ",", " ");
774 while (enumerator->enumerate(enumerator, &token))
775 {
776 if (strcaseeq(token, "aes128") &&
777 suites[i].encr == ENCR_AES_CBC &&
778 suites[i].encr_size == 16)
779 {
780 suites[remaining++] = suites[i];
781 break;
782 }
783 if (strcaseeq(token, "aes256") &&
784 suites[i].encr == ENCR_AES_CBC &&
785 suites[i].encr_size == 32)
786 {
787 suites[remaining++] = suites[i];
788 break;
789 }
790 if (strcaseeq(token, "camellia128") &&
791 suites[i].encr == ENCR_CAMELLIA_CBC &&
792 suites[i].encr_size == 16)
793 {
794 suites[remaining++] = suites[i];
795 break;
796 }
797 if (strcaseeq(token, "camellia256") &&
798 suites[i].encr == ENCR_CAMELLIA_CBC &&
799 suites[i].encr_size == 32)
800 {
801 suites[remaining++] = suites[i];
802 break;
803 }
804 if (strcaseeq(token, "3des") &&
805 suites[i].encr == ENCR_3DES)
806 {
807 suites[remaining++] = suites[i];
808 break;
809 }
810 if (strcaseeq(token, "null") &&
811 suites[i].encr == ENCR_NULL)
812 {
813 suites[remaining++] = suites[i];
814 break;
815 }
816 }
817 enumerator->destroy(enumerator);
818 }
819 *count = remaining;
820 }
821 }
822
823 /**
824 * Filter suites by mac user config
825 */
826 static void filter_mac_config_suites(private_tls_crypto_t *this,
827 suite_algs_t suites[], int *count)
828 {
829 enumerator_t *enumerator;
830 int i, remaining = 0;
831 char *token, *config;
832
833 config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
834 if (config)
835 {
836 for (i = 0; i < *count; i++)
837 {
838 enumerator = enumerator_create_token(config, ",", " ");
839 while (enumerator->enumerate(enumerator, &token))
840 {
841 if (strcaseeq(token, "md5") &&
842 suites[i].mac == AUTH_HMAC_MD5_128)
843 {
844 suites[remaining++] = suites[i];
845 break;
846 }
847 if (strcaseeq(token, "sha1") &&
848 suites[i].mac == AUTH_HMAC_SHA1_160)
849 {
850 suites[remaining++] = suites[i];
851 break;
852 }
853 if (strcaseeq(token, "sha256") &&
854 suites[i].mac == AUTH_HMAC_SHA2_256_256)
855 {
856 suites[remaining++] = suites[i];
857 break;
858 }
859 if (strcaseeq(token, "sha384") &&
860 suites[i].mac == AUTH_HMAC_SHA2_384_384)
861 {
862 suites[remaining++] = suites[i];
863 break;
864 }
865 }
866 enumerator->destroy(enumerator);
867 }
868 *count = remaining;
869 }
870 }
871
872 /**
873 * Filter for specific suites specified in strongswan.conf
874 */
875 static void filter_specific_config_suites(private_tls_crypto_t *this,
876 suite_algs_t suites[], int *count)
877 {
878 enumerator_t *enumerator;
879 int i, remaining = 0, suite;
880 char *token, *config;
881
882 config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
883 if (config)
884 {
885 for (i = 0; i < *count; i++)
886 {
887 enumerator = enumerator_create_token(config, ",", " ");
888 while (enumerator->enumerate(enumerator, &token))
889 {
890 suite = enum_from_name(tls_cipher_suite_names, token);
891 if (suite == suites[i].suite)
892 {
893 suites[remaining++] = suites[i];
894 break;
895 }
896 }
897 enumerator->destroy(enumerator);
898 }
899 *count = remaining;
900 }
901 }
902
903 /**
904 * Initialize the cipher suite list
905 */
906 static void build_cipher_suite_list(private_tls_crypto_t *this,
907 bool require_encryption)
908 {
909 suite_algs_t suites[countof(suite_algs)];
910 int count = countof(suite_algs), i;
911
912 /* copy all suites */
913 for (i = 0; i < count; i++)
914 {
915 suites[i] = suite_algs[i];
916 }
917 if (require_encryption)
918 {
919 filter_null_suites(this, suites, &count);
920 }
921 if (!this->rsa)
922 {
923 filter_key_suites(this, suites, &count, KEY_RSA);
924 }
925 if (!this->ecdsa)
926 {
927 filter_key_suites(this, suites, &count, KEY_ECDSA);
928 }
929
930 /* filter suite list by each algorithm */
931 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
932 lib->crypto->create_crypter_enumerator);
933 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
934 lib->crypto->create_signer_enumerator);
935 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
936 lib->crypto->create_prf_enumerator);
937 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
938 lib->crypto->create_hasher_enumerator);
939 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
940 lib->crypto->create_dh_enumerator);
941
942 /* filter suites with strongswan.conf options */
943 filter_key_exchange_config_suites(this, suites, &count);
944 filter_cipher_config_suites(this, suites, &count);
945 filter_mac_config_suites(this, suites, &count);
946 filter_specific_config_suites(this, suites, &count);
947
948 free(this->suites);
949 this->suite_count = count;
950 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
951
952 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
953 for (i = 0; i < count; i++)
954 {
955 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
956 this->suites[i] = suites[i].suite;
957 }
958 }
959
960 METHOD(tls_crypto_t, get_cipher_suites, int,
961 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
962 {
963 *suites = this->suites;
964 return this->suite_count;
965 }
966
967 /**
968 * Create crypto primitives
969 */
970 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
971 {
972 DESTROY_IF(this->prf);
973 if (this->tls->get_version(this->tls) < TLS_1_2)
974 {
975 this->prf = tls_prf_create_10();
976 }
977 else
978 {
979 this->prf = tls_prf_create_12(algs->prf);
980 }
981 if (!this->prf)
982 {
983 DBG1(DBG_TLS, "selected TLS PRF not supported");
984 return FALSE;
985 }
986
987 DESTROY_IF(this->signer_in);
988 DESTROY_IF(this->signer_out);
989 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
990 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
991 if (!this->signer_in || !this->signer_out)
992 {
993 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
994 integrity_algorithm_names, algs->mac);
995 return FALSE;
996 }
997
998 DESTROY_IF(this->crypter_in);
999 DESTROY_IF(this->crypter_out);
1000 if (algs->encr == ENCR_NULL)
1001 {
1002 this->crypter_in = this->crypter_out = NULL;
1003 }
1004 else
1005 {
1006 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
1007 algs->encr, algs->encr_size);
1008 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
1009 algs->encr, algs->encr_size);
1010 if (!this->crypter_in || !this->crypter_out)
1011 {
1012 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
1013 encryption_algorithm_names, algs->encr);
1014 return FALSE;
1015 }
1016 }
1017 return TRUE;
1018 }
1019
1020 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1021 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1022 key_type_t key)
1023 {
1024 suite_algs_t *algs;
1025 int i, j;
1026
1027 for (i = 0; i < this->suite_count; i++)
1028 {
1029 for (j = 0; j < count; j++)
1030 {
1031 if (this->suites[i] == suites[j])
1032 {
1033 algs = find_suite(this->suites[i]);
1034 if (algs)
1035 {
1036 if (key == KEY_ANY || key == algs->key)
1037 {
1038 if (create_ciphers(this, algs))
1039 {
1040 this->suite = this->suites[i];
1041 return this->suite;
1042 }
1043 }
1044 }
1045 }
1046 }
1047 }
1048 return 0;
1049 }
1050
1051 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1052 private_tls_crypto_t *this)
1053 {
1054 suite_algs_t *algs;
1055
1056 algs = find_suite(this->suite);
1057 if (algs)
1058 {
1059 return algs->dh;
1060 }
1061 return MODP_NONE;
1062 }
1063
1064 METHOD(tls_crypto_t, get_signature_algorithms, void,
1065 private_tls_crypto_t *this, bio_writer_t *writer)
1066 {
1067 bio_writer_t *supported;
1068 enumerator_t *enumerator;
1069 hash_algorithm_t alg;
1070 tls_hash_algorithm_t hash;
1071 const char *plugin_name;
1072
1073 supported = bio_writer_create(32);
1074 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1075 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1076 {
1077 switch (alg)
1078 {
1079 case HASH_MD5:
1080 hash = TLS_HASH_MD5;
1081 break;
1082 case HASH_SHA1:
1083 hash = TLS_HASH_SHA1;
1084 break;
1085 case HASH_SHA224:
1086 hash = TLS_HASH_SHA224;
1087 break;
1088 case HASH_SHA256:
1089 hash = TLS_HASH_SHA256;
1090 break;
1091 case HASH_SHA384:
1092 hash = TLS_HASH_SHA384;
1093 break;
1094 case HASH_SHA512:
1095 hash = TLS_HASH_SHA512;
1096 break;
1097 default:
1098 continue;
1099 }
1100 if (this->rsa)
1101 {
1102 supported->write_uint8(supported, hash);
1103 supported->write_uint8(supported, TLS_SIG_RSA);
1104 }
1105 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1106 { /* currently we have no signature scheme for MD5/SHA224 */
1107 supported->write_uint8(supported, hash);
1108 supported->write_uint8(supported, TLS_SIG_ECDSA);
1109 }
1110 }
1111 enumerator->destroy(enumerator);
1112
1113 writer->write_data16(writer, supported->get_buf(supported));
1114 supported->destroy(supported);
1115 }
1116
1117 /**
1118 * Mapping groups to TLS named curves
1119 */
1120 static struct {
1121 diffie_hellman_group_t group;
1122 tls_named_curve_t curve;
1123 } curves[] = {
1124 { ECP_256_BIT, TLS_SECP256R1},
1125 { ECP_384_BIT, TLS_SECP384R1},
1126 { ECP_521_BIT, TLS_SECP521R1},
1127 { ECP_224_BIT, TLS_SECP224R1},
1128 { ECP_192_BIT, TLS_SECP192R1},
1129 };
1130
1131 /**
1132 * Filter EC groups, add TLS curve
1133 */
1134 static bool group_filter(void *null,
1135 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1136 void* dummy1, tls_named_curve_t *curve)
1137 {
1138 int i;
1139
1140 for (i = 0; i < countof(curves); i++)
1141 {
1142 if (curves[i].group == *in)
1143 {
1144 if (out)
1145 {
1146 *out = curves[i].group;
1147 }
1148 if (curve)
1149 {
1150 *curve = curves[i].curve;
1151 }
1152 return TRUE;
1153 }
1154 }
1155 return FALSE;
1156 }
1157
1158 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1159 private_tls_crypto_t *this)
1160 {
1161 return enumerator_create_filter(
1162 lib->crypto->create_dh_enumerator(lib->crypto),
1163 (void*)group_filter, NULL, NULL);
1164 }
1165
1166 METHOD(tls_crypto_t, set_protection, void,
1167 private_tls_crypto_t *this, tls_protection_t *protection)
1168 {
1169 this->protection = protection;
1170 }
1171
1172 METHOD(tls_crypto_t, append_handshake, void,
1173 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1174 {
1175 u_int32_t header;
1176
1177 /* reconstruct handshake header */
1178 header = htonl(data.len | (type << 24));
1179 this->handshake = chunk_cat("mcc", this->handshake,
1180 chunk_from_thing(header), data);
1181 }
1182
1183 /**
1184 * Create a hash using the suites HASH algorithm
1185 */
1186 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1187 {
1188 if (this->tls->get_version(this->tls) >= TLS_1_2)
1189 {
1190 hasher_t *hasher;
1191 suite_algs_t *alg;
1192
1193 alg = find_suite(this->suite);
1194 if (!alg)
1195 {
1196 return FALSE;
1197 }
1198 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1199 if (!hasher)
1200 {
1201 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1202 return FALSE;
1203 }
1204 hasher->allocate_hash(hasher, data, hash);
1205 hasher->destroy(hasher);
1206 }
1207 else
1208 {
1209 hasher_t *md5, *sha1;
1210 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1211
1212 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1213 if (!md5)
1214 {
1215 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1216 return FALSE;
1217 }
1218 md5->get_hash(md5, data, buf);
1219 md5->destroy(md5);
1220 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1221 if (!sha1)
1222 {
1223 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1224 return FALSE;
1225 }
1226 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
1227 sha1->destroy(sha1);
1228
1229 *hash = chunk_clone(chunk_from_thing(buf));
1230 }
1231 return TRUE;
1232 }
1233
1234 /**
1235 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1236 */
1237 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1238 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1239 {
1240 switch (sig)
1241 {
1242 case TLS_SIG_RSA:
1243 if (type != KEY_RSA)
1244 {
1245 return SIGN_UNKNOWN;
1246 }
1247 switch (hash)
1248 {
1249 case TLS_HASH_MD5:
1250 return SIGN_RSA_EMSA_PKCS1_MD5;
1251 case TLS_HASH_SHA1:
1252 return SIGN_RSA_EMSA_PKCS1_SHA1;
1253 case TLS_HASH_SHA224:
1254 return SIGN_RSA_EMSA_PKCS1_SHA224;
1255 case TLS_HASH_SHA256:
1256 return SIGN_RSA_EMSA_PKCS1_SHA256;
1257 case TLS_HASH_SHA384:
1258 return SIGN_RSA_EMSA_PKCS1_SHA384;
1259 case TLS_HASH_SHA512:
1260 return SIGN_RSA_EMSA_PKCS1_SHA512;
1261 default:
1262 return SIGN_UNKNOWN;
1263 }
1264 case TLS_SIG_ECDSA:
1265 if (type != KEY_ECDSA)
1266 {
1267 return SIGN_UNKNOWN;
1268 }
1269 switch (hash)
1270 {
1271 case TLS_HASH_SHA224:
1272 return SIGN_ECDSA_WITH_SHA1_DER;
1273 case TLS_HASH_SHA256:
1274 return SIGN_ECDSA_WITH_SHA256_DER;
1275 case TLS_HASH_SHA384:
1276 return SIGN_ECDSA_WITH_SHA384_DER;
1277 case TLS_HASH_SHA512:
1278 return SIGN_ECDSA_WITH_SHA512_DER;
1279 default:
1280 return SIGN_UNKNOWN;
1281 }
1282 default:
1283 return SIGN_UNKNOWN;
1284 }
1285 }
1286
1287 METHOD(tls_crypto_t, sign, bool,
1288 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1289 chunk_t data, chunk_t hashsig)
1290 {
1291 if (this->tls->get_version(this->tls) >= TLS_1_2)
1292 {
1293 signature_scheme_t scheme;
1294 bio_reader_t *reader;
1295 u_int8_t hash, alg;
1296 chunk_t sig;
1297 bool done = FALSE;
1298
1299 if (!hashsig.len)
1300 { /* fallback if none given */
1301 hashsig = chunk_from_chars(
1302 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1303 }
1304 reader = bio_reader_create(hashsig);
1305 while (reader->remaining(reader) >= 2)
1306 {
1307 if (reader->read_uint8(reader, &hash) &&
1308 reader->read_uint8(reader, &alg))
1309 {
1310 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1311 if (scheme != SIGN_UNKNOWN &&
1312 key->sign(key, scheme, data, &sig))
1313 {
1314 done = TRUE;
1315 break;
1316 }
1317 }
1318 }
1319 reader->destroy(reader);
1320 if (!done)
1321 {
1322 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1323 return FALSE;
1324 }
1325 DBG2(DBG_TLS, "created signature with %N/%N",
1326 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1327 writer->write_uint8(writer, hash);
1328 writer->write_uint8(writer, alg);
1329 writer->write_data16(writer, sig);
1330 free(sig.ptr);
1331 }
1332 else
1333 {
1334 chunk_t sig, hash;
1335 bool done;
1336
1337 switch (key->get_type(key))
1338 {
1339 case KEY_RSA:
1340 if (!hash_data(this, data, &hash))
1341 {
1342 return FALSE;
1343 }
1344 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1345 free(hash.ptr);
1346 if (!done)
1347 {
1348 return FALSE;
1349 }
1350 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1351 break;
1352 case KEY_ECDSA:
1353 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1354 {
1355 return FALSE;
1356 }
1357 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1358 break;
1359 default:
1360 return FALSE;
1361 }
1362 writer->write_data16(writer, sig);
1363 free(sig.ptr);
1364 }
1365 return TRUE;
1366 }
1367
1368 METHOD(tls_crypto_t, verify, bool,
1369 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1370 chunk_t data)
1371 {
1372 if (this->tls->get_version(this->tls) >= TLS_1_2)
1373 {
1374 signature_scheme_t scheme = SIGN_UNKNOWN;
1375 u_int8_t hash, alg;
1376 chunk_t sig;
1377
1378 if (!reader->read_uint8(reader, &hash) ||
1379 !reader->read_uint8(reader, &alg) ||
1380 !reader->read_data16(reader, &sig))
1381 {
1382 DBG1(DBG_TLS, "received invalid signature");
1383 return FALSE;
1384 }
1385 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1386 if (scheme == SIGN_UNKNOWN)
1387 {
1388 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1389 tls_hash_algorithm_names, hash,
1390 tls_signature_algorithm_names, alg);
1391 return FALSE;
1392 }
1393 if (!key->verify(key, scheme, data, sig))
1394 {
1395 return FALSE;
1396 }
1397 DBG2(DBG_TLS, "verified signature with %N/%N",
1398 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1399 }
1400 else
1401 {
1402 chunk_t sig, hash;
1403 bool done;
1404
1405 if (!reader->read_data16(reader, &sig))
1406 {
1407 DBG1(DBG_TLS, "received invalid signature");
1408 return FALSE;
1409 }
1410 switch (key->get_type(key))
1411 {
1412 case KEY_RSA:
1413 if (!hash_data(this, data, &hash))
1414 {
1415 return FALSE;
1416 }
1417 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1418 free(hash.ptr);
1419 if (!done)
1420 {
1421 return FALSE;
1422 }
1423 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1424 break;
1425 case KEY_ECDSA:
1426 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1427 {
1428 return FALSE;
1429 }
1430 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1431 break;
1432 default:
1433 return FALSE;
1434 }
1435 }
1436 return TRUE;
1437 }
1438
1439 METHOD(tls_crypto_t, sign_handshake, bool,
1440 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1441 chunk_t hashsig)
1442 {
1443 return sign(this, key, writer, this->handshake, hashsig);
1444 }
1445
1446 METHOD(tls_crypto_t, verify_handshake, bool,
1447 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1448 {
1449 return verify(this, key, reader, this->handshake);
1450 }
1451
1452 METHOD(tls_crypto_t, calculate_finished, bool,
1453 private_tls_crypto_t *this, char *label, char out[12])
1454 {
1455 chunk_t seed;
1456
1457 if (!this->prf)
1458 {
1459 return FALSE;
1460 }
1461 if (!hash_data(this, this->handshake, &seed))
1462 {
1463 return FALSE;
1464 }
1465 this->prf->get_bytes(this->prf, label, seed, 12, out);
1466 free(seed.ptr);
1467 return TRUE;
1468 }
1469
1470 /**
1471 * Derive master secret from premaster, optionally save session
1472 */
1473 static void derive_master(private_tls_crypto_t *this, chunk_t premaster,
1474 chunk_t session, identification_t *id,
1475 chunk_t client_random, chunk_t server_random)
1476 {
1477 char master[48];
1478 chunk_t seed;
1479
1480 /* derive master secret */
1481 seed = chunk_cata("cc", client_random, server_random);
1482 this->prf->set_key(this->prf, premaster);
1483 this->prf->get_bytes(this->prf, "master secret", seed,
1484 sizeof(master), master);
1485
1486 this->prf->set_key(this->prf, chunk_from_thing(master));
1487 if (this->cache && session.len)
1488 {
1489 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1490 this->suite);
1491 }
1492 memwipe(master, sizeof(master));
1493 }
1494
1495 /**
1496 * Expand key material from master secret
1497 */
1498 static bool expand_keys(private_tls_crypto_t *this,
1499 chunk_t client_random, chunk_t server_random)
1500 {
1501 chunk_t seed, block, client_write, server_write;
1502 int mks, eks = 0, ivs = 0;
1503
1504 /* derive key block for key expansion */
1505 mks = this->signer_out->get_key_size(this->signer_out);
1506 if (this->crypter_out)
1507 {
1508 eks = this->crypter_out->get_key_size(this->crypter_out);
1509 if (this->tls->get_version(this->tls) < TLS_1_1)
1510 {
1511 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1512 }
1513 }
1514 seed = chunk_cata("cc", server_random, client_random);
1515 block = chunk_alloca((mks + eks + ivs) * 2);
1516 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1517
1518 /* signer keys */
1519 client_write = chunk_create(block.ptr, mks);
1520 block = chunk_skip(block, mks);
1521 server_write = chunk_create(block.ptr, mks);
1522 block = chunk_skip(block, mks);
1523 if (this->tls->is_server(this->tls))
1524 {
1525 if (!this->signer_in->set_key(this->signer_in, client_write) ||
1526 !this->signer_out->set_key(this->signer_out, server_write))
1527 {
1528 return FALSE;
1529 }
1530 }
1531 else
1532 {
1533 if (!this->signer_out->set_key(this->signer_out, client_write) ||
1534 !this->signer_in->set_key(this->signer_in, server_write))
1535 {
1536 return FALSE;
1537 }
1538 }
1539
1540 /* crypter keys, and IVs if < TLSv1.2 */
1541 if (this->crypter_out && this->crypter_in)
1542 {
1543 client_write = chunk_create(block.ptr, eks);
1544 block = chunk_skip(block, eks);
1545 server_write = chunk_create(block.ptr, eks);
1546 block = chunk_skip(block, eks);
1547
1548 if (this->tls->is_server(this->tls))
1549 {
1550 this->crypter_in->set_key(this->crypter_in, client_write);
1551 this->crypter_out->set_key(this->crypter_out, server_write);
1552 }
1553 else
1554 {
1555 this->crypter_out->set_key(this->crypter_out, client_write);
1556 this->crypter_in->set_key(this->crypter_in, server_write);
1557 }
1558 if (ivs)
1559 {
1560 client_write = chunk_create(block.ptr, ivs);
1561 block = chunk_skip(block, ivs);
1562 server_write = chunk_create(block.ptr, ivs);
1563 block = chunk_skip(block, ivs);
1564
1565 if (this->tls->is_server(this->tls))
1566 {
1567 this->iv_in = chunk_clone(client_write);
1568 this->iv_out = chunk_clone(server_write);
1569 }
1570 else
1571 {
1572 this->iv_out = chunk_clone(client_write);
1573 this->iv_in = chunk_clone(server_write);
1574 }
1575 }
1576 }
1577
1578 /* EAP-MSK */
1579 if (this->msk_label)
1580 {
1581 seed = chunk_cata("cc", client_random, server_random);
1582 this->msk = chunk_alloc(64);
1583 this->prf->get_bytes(this->prf, this->msk_label, seed,
1584 this->msk.len, this->msk.ptr);
1585 }
1586 return TRUE;
1587 }
1588
1589 METHOD(tls_crypto_t, derive_secrets, bool,
1590 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1591 identification_t *id, chunk_t client_random, chunk_t server_random)
1592 {
1593 derive_master(this, premaster, session, id, client_random, server_random);
1594 return expand_keys(this, client_random, server_random);
1595 }
1596
1597 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1598 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1599 chunk_t client_random, chunk_t server_random)
1600 {
1601 chunk_t master;
1602
1603 if (this->cache && session.len)
1604 {
1605 this->suite = this->cache->lookup(this->cache, session, id, &master);
1606 if (this->suite)
1607 {
1608 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1609 if (this->suite)
1610 {
1611 this->prf->set_key(this->prf, master);
1612 if (!expand_keys(this, client_random, server_random))
1613 {
1614 this->suite = 0;
1615 }
1616 }
1617 chunk_clear(&master);
1618 }
1619 return this->suite;
1620 }
1621 return 0;
1622 }
1623
1624 METHOD(tls_crypto_t, get_session, chunk_t,
1625 private_tls_crypto_t *this, identification_t *server)
1626 {
1627 if (this->cache)
1628 {
1629 return this->cache->check(this->cache, server);
1630 }
1631 return chunk_empty;
1632 }
1633
1634 METHOD(tls_crypto_t, change_cipher, void,
1635 private_tls_crypto_t *this, bool inbound)
1636 {
1637 if (this->protection)
1638 {
1639 if (inbound)
1640 {
1641 this->protection->set_cipher(this->protection, TRUE,
1642 this->signer_in, this->crypter_in, this->iv_in);
1643 }
1644 else
1645 {
1646 this->protection->set_cipher(this->protection, FALSE,
1647 this->signer_out, this->crypter_out, this->iv_out);
1648 }
1649 }
1650 }
1651
1652 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1653 private_tls_crypto_t *this)
1654 {
1655 return this->msk;
1656 }
1657
1658 METHOD(tls_crypto_t, destroy, void,
1659 private_tls_crypto_t *this)
1660 {
1661 DESTROY_IF(this->signer_in);
1662 DESTROY_IF(this->signer_out);
1663 DESTROY_IF(this->crypter_in);
1664 DESTROY_IF(this->crypter_out);
1665 free(this->iv_in.ptr);
1666 free(this->iv_out.ptr);
1667 free(this->handshake.ptr);
1668 free(this->msk.ptr);
1669 DESTROY_IF(this->prf);
1670 free(this->suites);
1671 free(this);
1672 }
1673
1674 /**
1675 * See header
1676 */
1677 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1678 {
1679 private_tls_crypto_t *this;
1680 enumerator_t *enumerator;
1681 credential_type_t type;
1682 int subtype;
1683
1684 INIT(this,
1685 .public = {
1686 .get_cipher_suites = _get_cipher_suites,
1687 .select_cipher_suite = _select_cipher_suite,
1688 .get_dh_group = _get_dh_group,
1689 .get_signature_algorithms = _get_signature_algorithms,
1690 .create_ec_enumerator = _create_ec_enumerator,
1691 .set_protection = _set_protection,
1692 .append_handshake = _append_handshake,
1693 .sign = _sign,
1694 .verify = _verify,
1695 .sign_handshake = _sign_handshake,
1696 .verify_handshake = _verify_handshake,
1697 .calculate_finished = _calculate_finished,
1698 .derive_secrets = _derive_secrets,
1699 .resume_session = _resume_session,
1700 .get_session = _get_session,
1701 .change_cipher = _change_cipher,
1702 .get_eap_msk = _get_eap_msk,
1703 .destroy = _destroy,
1704 },
1705 .tls = tls,
1706 .cache = cache,
1707 );
1708
1709 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1710 while (enumerator->enumerate(enumerator, &type, &subtype))
1711 {
1712 if (type == CRED_PUBLIC_KEY)
1713 {
1714 switch (subtype)
1715 {
1716 case KEY_RSA:
1717 this->rsa = TRUE;
1718 break;
1719 case KEY_ECDSA:
1720 this->ecdsa = TRUE;
1721 break;
1722 default:
1723 break;
1724 }
1725 }
1726 }
1727 enumerator->destroy(enumerator);
1728
1729 switch (tls->get_purpose(tls))
1730 {
1731 case TLS_PURPOSE_EAP_TLS:
1732 case TLS_PURPOSE_EAP_PEAP:
1733 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1734 this->msk_label = "client EAP encryption";
1735 build_cipher_suite_list(this, FALSE);
1736 break;
1737 case TLS_PURPOSE_EAP_TTLS:
1738 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1739 this->msk_label = "ttls keying material";
1740 build_cipher_suite_list(this, TRUE);
1741 break;
1742 case TLS_PURPOSE_GENERIC:
1743 build_cipher_suite_list(this, TRUE);
1744 break;
1745 default:
1746 break;
1747 }
1748 return &this->public;
1749 }