Store a MODP group we use for each TLS suite
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275
276 typedef struct private_tls_crypto_t private_tls_crypto_t;
277
278 /**
279 * Private data of an tls_crypto_t object.
280 */
281 struct private_tls_crypto_t {
282
283 /**
284 * Public tls_crypto_t interface.
285 */
286 tls_crypto_t public;
287
288 /**
289 * Protection layer
290 */
291 tls_protection_t *protection;
292
293 /**
294 * List of supported/acceptable cipher suites
295 */
296 tls_cipher_suite_t *suites;
297
298 /**
299 * Number of supported suites
300 */
301 int suite_count;
302
303 /**
304 * Selected cipher suite
305 */
306 tls_cipher_suite_t suite;
307
308 /**
309 * TLS context
310 */
311 tls_t *tls;
312
313 /**
314 * All handshake data concatentated
315 */
316 chunk_t handshake;
317
318 /**
319 * Connection state TLS PRF
320 */
321 tls_prf_t *prf;
322
323 /**
324 * Signer instance for inbound traffic
325 */
326 signer_t *signer_in;
327
328 /**
329 * Signer instance for outbound traffic
330 */
331 signer_t *signer_out;
332
333 /**
334 * Crypter instance for inbound traffic
335 */
336 crypter_t *crypter_in;
337
338 /**
339 * Crypter instance for outbound traffic
340 */
341 crypter_t *crypter_out;
342
343 /**
344 * IV for input decryption, if < TLSv1.2
345 */
346 chunk_t iv_in;
347
348 /**
349 * IV for output decryption, if < TLSv1.2
350 */
351 chunk_t iv_out;
352
353 /**
354 * EAP-[T]TLS MSK
355 */
356 chunk_t msk;
357
358 /**
359 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
360 */
361 char *msk_label;
362 };
363
364 typedef struct {
365 tls_cipher_suite_t suite;
366 hash_algorithm_t hash;
367 pseudo_random_function_t prf;
368 diffie_hellman_group_t dh;
369 integrity_algorithm_t mac;
370 encryption_algorithm_t encr;
371 size_t encr_size;
372 } suite_algs_t;
373
374 /**
375 * Mapping suites to a set of algorithms
376 */
377 static suite_algs_t suite_algs[] = {
378 { TLS_RSA_WITH_AES_128_CBC_SHA,
379 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
380 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
381 },
382 { TLS_RSA_WITH_AES_128_CBC_SHA256,
383 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
384 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
385 },
386 { TLS_RSA_WITH_AES_256_CBC_SHA,
387 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
388 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
389 },
390 { TLS_RSA_WITH_AES_256_CBC_SHA256,
391 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
392 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
393 },
394 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
395 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
396 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
397 },
398 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
399 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
400 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
401 },
402 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
403 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
404 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
405 },
406 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
407 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
408 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
409 },
410 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
411 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
412 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
413 },
414 { TLS_RSA_WITH_NULL_SHA,
415 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
416 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
417 },
418 { TLS_RSA_WITH_NULL_SHA256,
419 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
420 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
421 },
422 { TLS_RSA_WITH_NULL_MD5,
423 HASH_MD5, PRF_HMAC_MD5, MODP_NONE,
424 AUTH_HMAC_MD5_128, ENCR_NULL, 0
425 },
426 };
427
428 /**
429 * Look up algoritms by a suite
430 */
431 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
432 {
433 int i;
434
435 for (i = 0; i < countof(suite_algs); i++)
436 {
437 if (suite_algs[i].suite == suite)
438 {
439 return &suite_algs[i];
440 }
441 }
442 return NULL;
443 }
444
445 /**
446 * Filter a suite list using a transform enumerator
447 */
448 static void filter_suite(private_tls_crypto_t *this,
449 suite_algs_t suites[], int *count, int offset,
450 enumerator_t*(*create_enumerator)(crypto_factory_t*))
451 {
452 suite_algs_t current;
453 int i, remaining = 0;
454 enumerator_t *enumerator;
455
456 memset(&current, 0, sizeof(current));
457 for (i = 0; i < *count; i++)
458 {
459 enumerator = create_enumerator(lib->crypto);
460 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
461 {
462 if ((suites[i].encr == ENCR_NULL ||
463 !current.encr || current.encr == suites[i].encr) &&
464 (!current.mac || current.mac == suites[i].mac) &&
465 (!current.prf || current.prf == suites[i].prf) &&
466 (!current.hash || current.hash == suites[i].hash))
467 {
468 suites[remaining] = suites[i];
469 remaining++;
470 break;
471 }
472 }
473 enumerator->destroy(enumerator);
474 }
475 *count = remaining;
476 }
477
478 /**
479 * Purge NULL encryption cipher suites from list
480 */
481 static void filter_null_suites(private_tls_crypto_t *this,
482 suite_algs_t suites[], int *count)
483 {
484 int i, remaining = 0;
485
486 for (i = 0; i < *count; i++)
487 {
488 if (suites[i].encr != ENCR_NULL)
489 {
490 suites[remaining] = suites[i];
491 remaining++;
492 }
493 }
494 *count = remaining;
495 }
496
497 /**
498 * Initialize the cipher suite list
499 */
500 static void build_cipher_suite_list(private_tls_crypto_t *this,
501 bool require_encryption)
502 {
503 suite_algs_t suites[countof(suite_algs)];
504 int count = countof(suite_algs), i;
505
506 /* copy all suites */
507 for (i = 0; i < count; i++)
508 {
509 suites[i] = suite_algs[i];
510 }
511 if (require_encryption)
512 {
513 filter_null_suites(this, suites, &count);
514 }
515 /* filter suite list by each algorithm */
516 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
517 lib->crypto->create_crypter_enumerator);
518 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
519 lib->crypto->create_signer_enumerator);
520 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
521 lib->crypto->create_prf_enumerator);
522 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
523 lib->crypto->create_hasher_enumerator);
524
525 free(this->suites);
526 this->suite_count = count;
527 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
528
529 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
530 for (i = 0; i < count; i++)
531 {
532 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
533 this->suites[i] = suites[i].suite;
534 }
535 }
536
537 METHOD(tls_crypto_t, get_cipher_suites, int,
538 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
539 {
540 *suites = this->suites;
541 return this->suite_count;
542 }
543
544 /**
545 * Create crypto primitives
546 */
547 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
548 {
549 suite_algs_t *algs;
550
551 algs = find_suite(suite);
552 if (!algs)
553 {
554 DBG1(DBG_TLS, "selected TLS suite not supported");
555 return FALSE;
556 }
557
558 DESTROY_IF(this->prf);
559 if (this->tls->get_version(this->tls) < TLS_1_2)
560 {
561 this->prf = tls_prf_create_10();
562 }
563 else
564 {
565 this->prf = tls_prf_create_12(algs->prf);
566 }
567 if (!this->prf)
568 {
569 DBG1(DBG_TLS, "selected TLS PRF not supported");
570 return FALSE;
571 }
572
573 DESTROY_IF(this->signer_in);
574 DESTROY_IF(this->signer_out);
575 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
576 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
577 if (!this->signer_in || !this->signer_out)
578 {
579 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
580 integrity_algorithm_names, algs->mac);
581 return FALSE;
582 }
583
584 DESTROY_IF(this->crypter_in);
585 DESTROY_IF(this->crypter_out);
586 if (algs->encr == ENCR_NULL)
587 {
588 this->crypter_in = this->crypter_out = NULL;
589 }
590 else
591 {
592 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
593 algs->encr, algs->encr_size);
594 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
595 algs->encr, algs->encr_size);
596 if (!this->crypter_in || !this->crypter_out)
597 {
598 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
599 encryption_algorithm_names, algs->encr);
600 return FALSE;
601 }
602 }
603 return TRUE;
604 }
605
606 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
607 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
608 {
609 int i, j;
610
611 for (i = 0; i < this->suite_count; i++)
612 {
613 for (j = 0; j < count; j++)
614 {
615 if (this->suites[i] == suites[j])
616 {
617 if (create_ciphers(this, this->suites[i]))
618 {
619 this->suite = this->suites[i];
620 return this->suite;
621 }
622 }
623 }
624 }
625 return 0;
626 }
627
628 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
629 private_tls_crypto_t *this)
630 {
631 suite_algs_t *algs;
632
633 algs = find_suite(this->suite);
634 if (algs)
635 {
636 return algs->dh;
637 }
638 return MODP_NONE;
639 }
640
641 METHOD(tls_crypto_t, get_signature_algorithms, void,
642 private_tls_crypto_t *this, tls_writer_t *writer)
643 {
644 tls_writer_t *supported;
645 enumerator_t *enumerator;
646 hash_algorithm_t alg;
647 tls_hash_algorithm_t hash;
648
649 supported = tls_writer_create(32);
650 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
651 while (enumerator->enumerate(enumerator, &alg))
652 {
653 switch (alg)
654 {
655 case HASH_MD5:
656 hash = TLS_HASH_MD5;
657 break;
658 case HASH_SHA1:
659 hash = TLS_HASH_SHA1;
660 break;
661 case HASH_SHA224:
662 hash = TLS_HASH_SHA224;
663 break;
664 case HASH_SHA256:
665 hash = TLS_HASH_SHA256;
666 break;
667 case HASH_SHA384:
668 hash = TLS_HASH_SHA384;
669 break;
670 case HASH_SHA512:
671 hash = TLS_HASH_SHA512;
672 break;
673 default:
674 continue;
675 }
676 supported->write_uint8(supported, hash);
677 supported->write_uint8(supported, TLS_SIG_RSA);
678 if (alg != HASH_MD5 && alg != HASH_SHA224)
679 {
680 supported->write_uint8(supported, hash);
681 supported->write_uint8(supported, TLS_SIG_ECDSA);
682 }
683 }
684 enumerator->destroy(enumerator);
685
686 writer->write_data16(writer, supported->get_buf(supported));
687 supported->destroy(supported);
688 }
689
690 METHOD(tls_crypto_t, set_protection, void,
691 private_tls_crypto_t *this, tls_protection_t *protection)
692 {
693 this->protection = protection;
694 }
695
696 METHOD(tls_crypto_t, append_handshake, void,
697 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
698 {
699 u_int32_t header;
700
701 /* reconstruct handshake header */
702 header = htonl(data.len | (type << 24));
703 this->handshake = chunk_cat("mcc", this->handshake,
704 chunk_from_thing(header), data);
705 }
706
707 /**
708 * Create a hash using the suites HASH algorithm
709 */
710 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
711 {
712 if (this->tls->get_version(this->tls) >= TLS_1_2)
713 {
714 hasher_t *hasher;
715 suite_algs_t *alg;
716
717 alg = find_suite(this->suite);
718 if (!alg)
719 {
720 return FALSE;
721 }
722 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
723 if (!hasher)
724 {
725 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
726 return FALSE;
727 }
728 hasher->allocate_hash(hasher, data, hash);
729 hasher->destroy(hasher);
730 }
731 else
732 {
733 hasher_t *md5, *sha1;
734 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
735
736 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
737 if (!md5)
738 {
739 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
740 return FALSE;
741 }
742 md5->get_hash(md5, data, buf);
743 md5->destroy(md5);
744 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
745 if (!sha1)
746 {
747 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
748 return FALSE;
749 }
750 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
751 sha1->destroy(sha1);
752
753 *hash = chunk_clone(chunk_from_thing(buf));
754 }
755 return TRUE;
756 }
757
758 /**
759 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
760 */
761 static signature_scheme_t hashsig_to_scheme(key_type_t type,
762 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
763 {
764 switch (sig)
765 {
766 case TLS_SIG_RSA:
767 if (type != KEY_RSA)
768 {
769 return SIGN_UNKNOWN;
770 }
771 switch (hash)
772 {
773 case TLS_HASH_MD5:
774 return SIGN_RSA_EMSA_PKCS1_MD5;
775 case TLS_HASH_SHA1:
776 return SIGN_RSA_EMSA_PKCS1_SHA1;
777 case TLS_HASH_SHA224:
778 return SIGN_RSA_EMSA_PKCS1_SHA224;
779 case TLS_HASH_SHA256:
780 return SIGN_RSA_EMSA_PKCS1_SHA256;
781 case TLS_HASH_SHA384:
782 return SIGN_RSA_EMSA_PKCS1_SHA384;
783 case TLS_HASH_SHA512:
784 return SIGN_RSA_EMSA_PKCS1_SHA512;
785 default:
786 return SIGN_UNKNOWN;
787 }
788 case TLS_SIG_ECDSA:
789 if (type != KEY_ECDSA)
790 {
791 return SIGN_UNKNOWN;
792 }
793 switch (hash)
794 {
795 case TLS_HASH_SHA224:
796 return SIGN_ECDSA_WITH_SHA1_DER;
797 case TLS_HASH_SHA256:
798 return SIGN_ECDSA_WITH_SHA256_DER;
799 case TLS_HASH_SHA384:
800 return SIGN_ECDSA_WITH_SHA384_DER;
801 case TLS_HASH_SHA512:
802 return SIGN_ECDSA_WITH_SHA512_DER;
803 default:
804 return SIGN_UNKNOWN;
805 }
806 default:
807 return SIGN_UNKNOWN;
808 }
809 }
810
811 METHOD(tls_crypto_t, sign, bool,
812 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
813 chunk_t data, chunk_t hashsig)
814 {
815 if (this->tls->get_version(this->tls) >= TLS_1_2)
816 {
817 signature_scheme_t scheme;
818 tls_reader_t *reader;
819 u_int8_t hash, alg;
820 chunk_t sig;
821 bool done = FALSE;
822
823 if (!hashsig.len)
824 { /* fallback if none given */
825 hashsig = chunk_from_chars(
826 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
827 }
828 reader = tls_reader_create(hashsig);
829 while (reader->remaining(reader) >= 2)
830 {
831 if (reader->read_uint8(reader, &hash) &&
832 reader->read_uint8(reader, &alg))
833 {
834 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
835 if (scheme != SIGN_UNKNOWN &&
836 key->sign(key, scheme, data, &sig))
837 {
838 done = TRUE;
839 break;
840 }
841 }
842 }
843 reader->destroy(reader);
844 if (!done)
845 {
846 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
847 return FALSE;
848 }
849 DBG2(DBG_TLS, "created signature with %N/%N",
850 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
851 writer->write_uint8(writer, hash);
852 writer->write_uint8(writer, alg);
853 writer->write_data16(writer, sig);
854 free(sig.ptr);
855 }
856 else
857 {
858 chunk_t sig, hash;
859 bool done;
860
861 switch (key->get_type(key))
862 {
863 case KEY_RSA:
864 if (!hash_data(this, data, &hash))
865 {
866 return FALSE;
867 }
868 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
869 free(hash.ptr);
870 if (!done)
871 {
872 return FALSE;
873 }
874 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
875 break;
876 case KEY_ECDSA:
877 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
878 {
879 return FALSE;
880 }
881 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
882 break;
883 default:
884 return FALSE;
885 }
886 writer->write_data16(writer, sig);
887 free(sig.ptr);
888 }
889 return TRUE;
890 }
891
892 METHOD(tls_crypto_t, verify, bool,
893 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
894 chunk_t data)
895 {
896 if (this->tls->get_version(this->tls) >= TLS_1_2)
897 {
898 signature_scheme_t scheme = SIGN_UNKNOWN;
899 u_int8_t hash, alg;
900 chunk_t sig;
901
902 if (!reader->read_uint8(reader, &hash) ||
903 !reader->read_uint8(reader, &alg) ||
904 !reader->read_data16(reader, &sig))
905 {
906 DBG1(DBG_TLS, "received invalid signature");
907 return FALSE;
908 }
909 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
910 if (scheme == SIGN_UNKNOWN)
911 {
912 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
913 tls_hash_algorithm_names, hash,
914 tls_signature_algorithm_names, alg);
915 return FALSE;
916 }
917 if (!key->verify(key, scheme, data, sig))
918 {
919 return FALSE;
920 }
921 DBG2(DBG_TLS, "verified signature with %N/%N",
922 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
923 }
924 else
925 {
926 chunk_t sig, hash;
927 bool done;
928
929 if (!reader->read_data16(reader, &sig))
930 {
931 DBG1(DBG_TLS, "received invalid signature");
932 return FALSE;
933 }
934 switch (key->get_type(key))
935 {
936 case KEY_RSA:
937 if (!hash_data(this, data, &hash))
938 {
939 return FALSE;
940 }
941 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
942 free(hash.ptr);
943 if (!done)
944 {
945 return FALSE;
946 }
947 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
948 break;
949 case KEY_ECDSA:
950 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
951 {
952 return FALSE;
953 }
954 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
955 break;
956 default:
957 return FALSE;
958 }
959 }
960 return TRUE;
961 }
962
963 METHOD(tls_crypto_t, sign_handshake, bool,
964 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
965 chunk_t hashsig)
966 {
967 return sign(this, key, writer, this->handshake, hashsig);
968 }
969
970 METHOD(tls_crypto_t, verify_handshake, bool,
971 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
972 {
973 return verify(this, key, reader, this->handshake);
974 }
975
976 METHOD(tls_crypto_t, calculate_finished, bool,
977 private_tls_crypto_t *this, char *label, char out[12])
978 {
979 chunk_t seed;
980
981 if (!this->prf)
982 {
983 return FALSE;
984 }
985 if (!hash_data(this, this->handshake, &seed))
986 {
987 return FALSE;
988 }
989 this->prf->get_bytes(this->prf, label, seed, 12, out);
990 free(seed.ptr);
991 return TRUE;
992 }
993
994 METHOD(tls_crypto_t, derive_secrets, void,
995 private_tls_crypto_t *this, chunk_t premaster,
996 chunk_t client_random, chunk_t server_random)
997 {
998 char master[48];
999 chunk_t seed, block, client_write, server_write;
1000 int mks, eks = 0, ivs = 0;
1001
1002 /* derive master secret */
1003 seed = chunk_cata("cc", client_random, server_random);
1004 this->prf->set_key(this->prf, premaster);
1005 this->prf->get_bytes(this->prf, "master secret", seed,
1006 sizeof(master), master);
1007
1008 this->prf->set_key(this->prf, chunk_from_thing(master));
1009 memset(master, 0, sizeof(master));
1010
1011 /* derive key block for key expansion */
1012 mks = this->signer_out->get_key_size(this->signer_out);
1013 if (this->crypter_out)
1014 {
1015 eks = this->crypter_out->get_key_size(this->crypter_out);
1016 if (this->tls->get_version(this->tls) < TLS_1_1)
1017 {
1018 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1019 }
1020 }
1021 seed = chunk_cata("cc", server_random, client_random);
1022 block = chunk_alloca((mks + eks + ivs) * 2);
1023 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1024
1025 /* signer keys */
1026 client_write = chunk_create(block.ptr, mks);
1027 block = chunk_skip(block, mks);
1028 server_write = chunk_create(block.ptr, mks);
1029 block = chunk_skip(block, mks);
1030 if (this->tls->is_server(this->tls))
1031 {
1032 this->signer_in->set_key(this->signer_in, client_write);
1033 this->signer_out->set_key(this->signer_out, server_write);
1034 }
1035 else
1036 {
1037 this->signer_out->set_key(this->signer_out, client_write);
1038 this->signer_in->set_key(this->signer_in, server_write);
1039 }
1040
1041 /* crypter keys, and IVs if < TLSv1.2 */
1042 if (this->crypter_out && this->crypter_in)
1043 {
1044 client_write = chunk_create(block.ptr, eks);
1045 block = chunk_skip(block, eks);
1046 server_write = chunk_create(block.ptr, eks);
1047 block = chunk_skip(block, eks);
1048
1049 if (this->tls->is_server(this->tls))
1050 {
1051 this->crypter_in->set_key(this->crypter_in, client_write);
1052 this->crypter_out->set_key(this->crypter_out, server_write);
1053 }
1054 else
1055 {
1056 this->crypter_out->set_key(this->crypter_out, client_write);
1057 this->crypter_in->set_key(this->crypter_in, server_write);
1058 }
1059 if (ivs)
1060 {
1061 client_write = chunk_create(block.ptr, ivs);
1062 block = chunk_skip(block, ivs);
1063 server_write = chunk_create(block.ptr, ivs);
1064 block = chunk_skip(block, ivs);
1065
1066 if (this->tls->is_server(this->tls))
1067 {
1068 this->iv_in = chunk_clone(client_write);
1069 this->iv_out = chunk_clone(server_write);
1070 }
1071 else
1072 {
1073 this->iv_out = chunk_clone(client_write);
1074 this->iv_in = chunk_clone(server_write);
1075 }
1076 }
1077 }
1078 }
1079
1080 METHOD(tls_crypto_t, change_cipher, void,
1081 private_tls_crypto_t *this, bool inbound)
1082 {
1083 if (this->protection)
1084 {
1085 if (inbound)
1086 {
1087 this->protection->set_cipher(this->protection, TRUE,
1088 this->signer_in, this->crypter_in, this->iv_in);
1089 }
1090 else
1091 {
1092 this->protection->set_cipher(this->protection, FALSE,
1093 this->signer_out, this->crypter_out, this->iv_out);
1094 }
1095 }
1096 }
1097
1098 METHOD(tls_crypto_t, derive_eap_msk, void,
1099 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1100 {
1101 if (this->msk_label)
1102 {
1103 chunk_t seed;
1104
1105 seed = chunk_cata("cc", client_random, server_random);
1106 free(this->msk.ptr);
1107 this->msk = chunk_alloc(64);
1108 this->prf->get_bytes(this->prf, this->msk_label, seed,
1109 this->msk.len, this->msk.ptr);
1110 }
1111 }
1112
1113 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1114 private_tls_crypto_t *this)
1115 {
1116 return this->msk;
1117 }
1118
1119 METHOD(tls_crypto_t, destroy, void,
1120 private_tls_crypto_t *this)
1121 {
1122 DESTROY_IF(this->signer_in);
1123 DESTROY_IF(this->signer_out);
1124 DESTROY_IF(this->crypter_in);
1125 DESTROY_IF(this->crypter_out);
1126 free(this->iv_in.ptr);
1127 free(this->iv_out.ptr);
1128 free(this->handshake.ptr);
1129 free(this->msk.ptr);
1130 DESTROY_IF(this->prf);
1131 free(this->suites);
1132 free(this);
1133 }
1134
1135 /**
1136 * See header
1137 */
1138 tls_crypto_t *tls_crypto_create(tls_t *tls)
1139 {
1140 private_tls_crypto_t *this;
1141
1142 INIT(this,
1143 .public = {
1144 .get_cipher_suites = _get_cipher_suites,
1145 .select_cipher_suite = _select_cipher_suite,
1146 .get_dh_group = _get_dh_group,
1147 .get_signature_algorithms = _get_signature_algorithms,
1148 .set_protection = _set_protection,
1149 .append_handshake = _append_handshake,
1150 .sign = _sign,
1151 .verify = _verify,
1152 .sign_handshake = _sign_handshake,
1153 .verify_handshake = _verify_handshake,
1154 .calculate_finished = _calculate_finished,
1155 .derive_secrets = _derive_secrets,
1156 .change_cipher = _change_cipher,
1157 .derive_eap_msk = _derive_eap_msk,
1158 .get_eap_msk = _get_eap_msk,
1159 .destroy = _destroy,
1160 },
1161 .tls = tls,
1162 );
1163
1164 switch (tls->get_purpose(tls))
1165 {
1166 case TLS_PURPOSE_EAP_TLS:
1167 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1168 this->msk_label = "client EAP encryption";
1169 build_cipher_suite_list(this, FALSE);
1170 break;
1171 case TLS_PURPOSE_EAP_TTLS:
1172 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1173 this->msk_label = "ttls keying material";
1174 build_cipher_suite_list(this, TRUE);
1175 break;
1176 case TLS_PURPOSE_GENERIC:
1177 build_cipher_suite_list(this, TRUE);
1178 break;
1179 }
1180 return &this->public;
1181 }