Support for EC curve Hello extension, EC curve fallback
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309
310 typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312 /**
313 * Private data of an tls_crypto_t object.
314 */
315 struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
321
322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
386
387 /**
388 * EAP-[T]TLS MSK
389 */
390 chunk_t msk;
391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
396 };
397
398 typedef struct {
399 tls_cipher_suite_t suite;
400 hash_algorithm_t hash;
401 pseudo_random_function_t prf;
402 diffie_hellman_group_t dh;
403 integrity_algorithm_t mac;
404 encryption_algorithm_t encr;
405 size_t encr_size;
406 } suite_algs_t;
407
408 /**
409 * Mapping suites to a set of algorithms
410 */
411 static suite_algs_t suite_algs[] = {
412 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
413 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
414 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
415 },
416 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
417 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_3072_BIT,
418 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
419 },
420 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
421 HASH_SHA1, PRF_HMAC_SHA1, MODP_3072_BIT,
422 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
423 },
424 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
425 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_4096_BIT,
426 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
427 },
428 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
429 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
430 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
431 },
432 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
433 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_3072_BIT,
434 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
435 },
436 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
437 HASH_SHA1, PRF_HMAC_SHA1, MODP_3072_BIT,
438 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
439 },
440 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
441 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_4096_BIT,
442 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
443 },
444 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
445 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
446 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
447 },
448 { TLS_RSA_WITH_AES_128_CBC_SHA,
449 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
450 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
451 },
452 { TLS_RSA_WITH_AES_128_CBC_SHA256,
453 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
454 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
455 },
456 { TLS_RSA_WITH_AES_256_CBC_SHA,
457 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
458 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
459 },
460 { TLS_RSA_WITH_AES_256_CBC_SHA256,
461 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
463 },
464 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
465 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
466 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
467 },
468 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
469 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
470 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
471 },
472 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
473 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
474 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
475 },
476 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
477 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
478 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
479 },
480 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
481 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
482 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
483 },
484 { TLS_RSA_WITH_NULL_SHA,
485 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
486 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
487 },
488 { TLS_RSA_WITH_NULL_SHA256,
489 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
490 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
491 },
492 { TLS_RSA_WITH_NULL_MD5,
493 HASH_MD5, PRF_HMAC_MD5, MODP_NONE,
494 AUTH_HMAC_MD5_128, ENCR_NULL, 0
495 },
496 };
497
498 /**
499 * Look up algoritms by a suite
500 */
501 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
502 {
503 int i;
504
505 for (i = 0; i < countof(suite_algs); i++)
506 {
507 if (suite_algs[i].suite == suite)
508 {
509 return &suite_algs[i];
510 }
511 }
512 return NULL;
513 }
514
515 /**
516 * Filter a suite list using a transform enumerator
517 */
518 static void filter_suite(private_tls_crypto_t *this,
519 suite_algs_t suites[], int *count, int offset,
520 enumerator_t*(*create_enumerator)(crypto_factory_t*))
521 {
522 suite_algs_t current;
523 int i, remaining = 0;
524 enumerator_t *enumerator;
525
526 memset(&current, 0, sizeof(current));
527 for (i = 0; i < *count; i++)
528 {
529 enumerator = create_enumerator(lib->crypto);
530 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
531 {
532 if ((suites[i].encr == ENCR_NULL ||
533 !current.encr || current.encr == suites[i].encr) &&
534 (!current.mac || current.mac == suites[i].mac) &&
535 (!current.prf || current.prf == suites[i].prf) &&
536 (!current.hash || current.hash == suites[i].hash))
537 {
538 suites[remaining] = suites[i];
539 remaining++;
540 break;
541 }
542 }
543 enumerator->destroy(enumerator);
544 }
545 *count = remaining;
546 }
547
548 /**
549 * Purge NULL encryption cipher suites from list
550 */
551 static void filter_null_suites(private_tls_crypto_t *this,
552 suite_algs_t suites[], int *count)
553 {
554 int i, remaining = 0;
555
556 for (i = 0; i < *count; i++)
557 {
558 if (suites[i].encr != ENCR_NULL)
559 {
560 suites[remaining] = suites[i];
561 remaining++;
562 }
563 }
564 *count = remaining;
565 }
566
567 /**
568 * Initialize the cipher suite list
569 */
570 static void build_cipher_suite_list(private_tls_crypto_t *this,
571 bool require_encryption)
572 {
573 suite_algs_t suites[countof(suite_algs)];
574 int count = countof(suite_algs), i;
575
576 /* copy all suites */
577 for (i = 0; i < count; i++)
578 {
579 suites[i] = suite_algs[i];
580 }
581 if (require_encryption)
582 {
583 filter_null_suites(this, suites, &count);
584 }
585 /* filter suite list by each algorithm */
586 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
587 lib->crypto->create_crypter_enumerator);
588 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
589 lib->crypto->create_signer_enumerator);
590 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
591 lib->crypto->create_prf_enumerator);
592 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
593 lib->crypto->create_hasher_enumerator);
594
595 free(this->suites);
596 this->suite_count = count;
597 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
598
599 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
600 for (i = 0; i < count; i++)
601 {
602 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
603 this->suites[i] = suites[i].suite;
604 }
605 }
606
607 METHOD(tls_crypto_t, get_cipher_suites, int,
608 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
609 {
610 *suites = this->suites;
611 return this->suite_count;
612 }
613
614 /**
615 * Create crypto primitives
616 */
617 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
618 {
619 suite_algs_t *algs;
620
621 algs = find_suite(suite);
622 if (!algs)
623 {
624 DBG1(DBG_TLS, "selected TLS suite not supported");
625 return FALSE;
626 }
627
628 DESTROY_IF(this->prf);
629 if (this->tls->get_version(this->tls) < TLS_1_2)
630 {
631 this->prf = tls_prf_create_10();
632 }
633 else
634 {
635 this->prf = tls_prf_create_12(algs->prf);
636 }
637 if (!this->prf)
638 {
639 DBG1(DBG_TLS, "selected TLS PRF not supported");
640 return FALSE;
641 }
642
643 DESTROY_IF(this->signer_in);
644 DESTROY_IF(this->signer_out);
645 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
646 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
647 if (!this->signer_in || !this->signer_out)
648 {
649 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
650 integrity_algorithm_names, algs->mac);
651 return FALSE;
652 }
653
654 DESTROY_IF(this->crypter_in);
655 DESTROY_IF(this->crypter_out);
656 if (algs->encr == ENCR_NULL)
657 {
658 this->crypter_in = this->crypter_out = NULL;
659 }
660 else
661 {
662 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
663 algs->encr, algs->encr_size);
664 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
665 algs->encr, algs->encr_size);
666 if (!this->crypter_in || !this->crypter_out)
667 {
668 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
669 encryption_algorithm_names, algs->encr);
670 return FALSE;
671 }
672 }
673 return TRUE;
674 }
675
676 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
677 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
678 {
679 int i, j;
680
681 for (i = 0; i < this->suite_count; i++)
682 {
683 for (j = 0; j < count; j++)
684 {
685 if (this->suites[i] == suites[j])
686 {
687 if (create_ciphers(this, this->suites[i]))
688 {
689 this->suite = this->suites[i];
690 return this->suite;
691 }
692 }
693 }
694 }
695 return 0;
696 }
697
698 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
699 private_tls_crypto_t *this)
700 {
701 suite_algs_t *algs;
702
703 algs = find_suite(this->suite);
704 if (algs)
705 {
706 return algs->dh;
707 }
708 return MODP_NONE;
709 }
710
711 METHOD(tls_crypto_t, get_signature_algorithms, void,
712 private_tls_crypto_t *this, tls_writer_t *writer)
713 {
714 tls_writer_t *supported;
715 enumerator_t *enumerator;
716 hash_algorithm_t alg;
717 tls_hash_algorithm_t hash;
718
719 supported = tls_writer_create(32);
720 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
721 while (enumerator->enumerate(enumerator, &alg))
722 {
723 switch (alg)
724 {
725 case HASH_MD5:
726 hash = TLS_HASH_MD5;
727 break;
728 case HASH_SHA1:
729 hash = TLS_HASH_SHA1;
730 break;
731 case HASH_SHA224:
732 hash = TLS_HASH_SHA224;
733 break;
734 case HASH_SHA256:
735 hash = TLS_HASH_SHA256;
736 break;
737 case HASH_SHA384:
738 hash = TLS_HASH_SHA384;
739 break;
740 case HASH_SHA512:
741 hash = TLS_HASH_SHA512;
742 break;
743 default:
744 continue;
745 }
746 supported->write_uint8(supported, hash);
747 supported->write_uint8(supported, TLS_SIG_RSA);
748 if (alg != HASH_MD5 && alg != HASH_SHA224)
749 {
750 supported->write_uint8(supported, hash);
751 supported->write_uint8(supported, TLS_SIG_ECDSA);
752 }
753 }
754 enumerator->destroy(enumerator);
755
756 writer->write_data16(writer, supported->get_buf(supported));
757 supported->destroy(supported);
758 }
759
760 METHOD(tls_crypto_t, get_curves, void,
761 private_tls_crypto_t *this, tls_writer_t *writer)
762 {
763 u_int16_t curves[] = {
764 htons(TLS_SECP256R1),
765 htons(TLS_SECP384R1),
766 htons(TLS_SECP521R1),
767 htons(TLS_SECP192R1),
768 htons(TLS_SECP224R1),
769 };
770 writer->write_data16(writer, chunk_from_thing(curves));
771 }
772
773 METHOD(tls_crypto_t, set_protection, void,
774 private_tls_crypto_t *this, tls_protection_t *protection)
775 {
776 this->protection = protection;
777 }
778
779 METHOD(tls_crypto_t, append_handshake, void,
780 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
781 {
782 u_int32_t header;
783
784 /* reconstruct handshake header */
785 header = htonl(data.len | (type << 24));
786 this->handshake = chunk_cat("mcc", this->handshake,
787 chunk_from_thing(header), data);
788 }
789
790 /**
791 * Create a hash using the suites HASH algorithm
792 */
793 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
794 {
795 if (this->tls->get_version(this->tls) >= TLS_1_2)
796 {
797 hasher_t *hasher;
798 suite_algs_t *alg;
799
800 alg = find_suite(this->suite);
801 if (!alg)
802 {
803 return FALSE;
804 }
805 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
806 if (!hasher)
807 {
808 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
809 return FALSE;
810 }
811 hasher->allocate_hash(hasher, data, hash);
812 hasher->destroy(hasher);
813 }
814 else
815 {
816 hasher_t *md5, *sha1;
817 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
818
819 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
820 if (!md5)
821 {
822 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
823 return FALSE;
824 }
825 md5->get_hash(md5, data, buf);
826 md5->destroy(md5);
827 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
828 if (!sha1)
829 {
830 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
831 return FALSE;
832 }
833 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
834 sha1->destroy(sha1);
835
836 *hash = chunk_clone(chunk_from_thing(buf));
837 }
838 return TRUE;
839 }
840
841 /**
842 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
843 */
844 static signature_scheme_t hashsig_to_scheme(key_type_t type,
845 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
846 {
847 switch (sig)
848 {
849 case TLS_SIG_RSA:
850 if (type != KEY_RSA)
851 {
852 return SIGN_UNKNOWN;
853 }
854 switch (hash)
855 {
856 case TLS_HASH_MD5:
857 return SIGN_RSA_EMSA_PKCS1_MD5;
858 case TLS_HASH_SHA1:
859 return SIGN_RSA_EMSA_PKCS1_SHA1;
860 case TLS_HASH_SHA224:
861 return SIGN_RSA_EMSA_PKCS1_SHA224;
862 case TLS_HASH_SHA256:
863 return SIGN_RSA_EMSA_PKCS1_SHA256;
864 case TLS_HASH_SHA384:
865 return SIGN_RSA_EMSA_PKCS1_SHA384;
866 case TLS_HASH_SHA512:
867 return SIGN_RSA_EMSA_PKCS1_SHA512;
868 default:
869 return SIGN_UNKNOWN;
870 }
871 case TLS_SIG_ECDSA:
872 if (type != KEY_ECDSA)
873 {
874 return SIGN_UNKNOWN;
875 }
876 switch (hash)
877 {
878 case TLS_HASH_SHA224:
879 return SIGN_ECDSA_WITH_SHA1_DER;
880 case TLS_HASH_SHA256:
881 return SIGN_ECDSA_WITH_SHA256_DER;
882 case TLS_HASH_SHA384:
883 return SIGN_ECDSA_WITH_SHA384_DER;
884 case TLS_HASH_SHA512:
885 return SIGN_ECDSA_WITH_SHA512_DER;
886 default:
887 return SIGN_UNKNOWN;
888 }
889 default:
890 return SIGN_UNKNOWN;
891 }
892 }
893
894 METHOD(tls_crypto_t, sign, bool,
895 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
896 chunk_t data, chunk_t hashsig)
897 {
898 if (this->tls->get_version(this->tls) >= TLS_1_2)
899 {
900 signature_scheme_t scheme;
901 tls_reader_t *reader;
902 u_int8_t hash, alg;
903 chunk_t sig;
904 bool done = FALSE;
905
906 if (!hashsig.len)
907 { /* fallback if none given */
908 hashsig = chunk_from_chars(
909 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
910 }
911 reader = tls_reader_create(hashsig);
912 while (reader->remaining(reader) >= 2)
913 {
914 if (reader->read_uint8(reader, &hash) &&
915 reader->read_uint8(reader, &alg))
916 {
917 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
918 if (scheme != SIGN_UNKNOWN &&
919 key->sign(key, scheme, data, &sig))
920 {
921 done = TRUE;
922 break;
923 }
924 }
925 }
926 reader->destroy(reader);
927 if (!done)
928 {
929 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
930 return FALSE;
931 }
932 DBG2(DBG_TLS, "created signature with %N/%N",
933 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
934 writer->write_uint8(writer, hash);
935 writer->write_uint8(writer, alg);
936 writer->write_data16(writer, sig);
937 free(sig.ptr);
938 }
939 else
940 {
941 chunk_t sig, hash;
942 bool done;
943
944 switch (key->get_type(key))
945 {
946 case KEY_RSA:
947 if (!hash_data(this, data, &hash))
948 {
949 return FALSE;
950 }
951 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
952 free(hash.ptr);
953 if (!done)
954 {
955 return FALSE;
956 }
957 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
958 break;
959 case KEY_ECDSA:
960 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
961 {
962 return FALSE;
963 }
964 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
965 break;
966 default:
967 return FALSE;
968 }
969 writer->write_data16(writer, sig);
970 free(sig.ptr);
971 }
972 return TRUE;
973 }
974
975 METHOD(tls_crypto_t, verify, bool,
976 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
977 chunk_t data)
978 {
979 if (this->tls->get_version(this->tls) >= TLS_1_2)
980 {
981 signature_scheme_t scheme = SIGN_UNKNOWN;
982 u_int8_t hash, alg;
983 chunk_t sig;
984
985 if (!reader->read_uint8(reader, &hash) ||
986 !reader->read_uint8(reader, &alg) ||
987 !reader->read_data16(reader, &sig))
988 {
989 DBG1(DBG_TLS, "received invalid signature");
990 return FALSE;
991 }
992 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
993 if (scheme == SIGN_UNKNOWN)
994 {
995 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
996 tls_hash_algorithm_names, hash,
997 tls_signature_algorithm_names, alg);
998 return FALSE;
999 }
1000 if (!key->verify(key, scheme, data, sig))
1001 {
1002 return FALSE;
1003 }
1004 DBG2(DBG_TLS, "verified signature with %N/%N",
1005 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1006 }
1007 else
1008 {
1009 chunk_t sig, hash;
1010 bool done;
1011
1012 if (!reader->read_data16(reader, &sig))
1013 {
1014 DBG1(DBG_TLS, "received invalid signature");
1015 return FALSE;
1016 }
1017 switch (key->get_type(key))
1018 {
1019 case KEY_RSA:
1020 if (!hash_data(this, data, &hash))
1021 {
1022 return FALSE;
1023 }
1024 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1025 free(hash.ptr);
1026 if (!done)
1027 {
1028 return FALSE;
1029 }
1030 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1031 break;
1032 case KEY_ECDSA:
1033 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1034 {
1035 return FALSE;
1036 }
1037 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1038 break;
1039 default:
1040 return FALSE;
1041 }
1042 }
1043 return TRUE;
1044 }
1045
1046 METHOD(tls_crypto_t, sign_handshake, bool,
1047 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1048 chunk_t hashsig)
1049 {
1050 return sign(this, key, writer, this->handshake, hashsig);
1051 }
1052
1053 METHOD(tls_crypto_t, verify_handshake, bool,
1054 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1055 {
1056 return verify(this, key, reader, this->handshake);
1057 }
1058
1059 METHOD(tls_crypto_t, calculate_finished, bool,
1060 private_tls_crypto_t *this, char *label, char out[12])
1061 {
1062 chunk_t seed;
1063
1064 if (!this->prf)
1065 {
1066 return FALSE;
1067 }
1068 if (!hash_data(this, this->handshake, &seed))
1069 {
1070 return FALSE;
1071 }
1072 this->prf->get_bytes(this->prf, label, seed, 12, out);
1073 free(seed.ptr);
1074 return TRUE;
1075 }
1076
1077 METHOD(tls_crypto_t, derive_secrets, void,
1078 private_tls_crypto_t *this, chunk_t premaster,
1079 chunk_t client_random, chunk_t server_random)
1080 {
1081 char master[48];
1082 chunk_t seed, block, client_write, server_write;
1083 int mks, eks = 0, ivs = 0;
1084
1085 /* derive master secret */
1086 seed = chunk_cata("cc", client_random, server_random);
1087 this->prf->set_key(this->prf, premaster);
1088 this->prf->get_bytes(this->prf, "master secret", seed,
1089 sizeof(master), master);
1090
1091 this->prf->set_key(this->prf, chunk_from_thing(master));
1092 memset(master, 0, sizeof(master));
1093
1094 /* derive key block for key expansion */
1095 mks = this->signer_out->get_key_size(this->signer_out);
1096 if (this->crypter_out)
1097 {
1098 eks = this->crypter_out->get_key_size(this->crypter_out);
1099 if (this->tls->get_version(this->tls) < TLS_1_1)
1100 {
1101 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1102 }
1103 }
1104 seed = chunk_cata("cc", server_random, client_random);
1105 block = chunk_alloca((mks + eks + ivs) * 2);
1106 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1107
1108 /* signer keys */
1109 client_write = chunk_create(block.ptr, mks);
1110 block = chunk_skip(block, mks);
1111 server_write = chunk_create(block.ptr, mks);
1112 block = chunk_skip(block, mks);
1113 if (this->tls->is_server(this->tls))
1114 {
1115 this->signer_in->set_key(this->signer_in, client_write);
1116 this->signer_out->set_key(this->signer_out, server_write);
1117 }
1118 else
1119 {
1120 this->signer_out->set_key(this->signer_out, client_write);
1121 this->signer_in->set_key(this->signer_in, server_write);
1122 }
1123
1124 /* crypter keys, and IVs if < TLSv1.2 */
1125 if (this->crypter_out && this->crypter_in)
1126 {
1127 client_write = chunk_create(block.ptr, eks);
1128 block = chunk_skip(block, eks);
1129 server_write = chunk_create(block.ptr, eks);
1130 block = chunk_skip(block, eks);
1131
1132 if (this->tls->is_server(this->tls))
1133 {
1134 this->crypter_in->set_key(this->crypter_in, client_write);
1135 this->crypter_out->set_key(this->crypter_out, server_write);
1136 }
1137 else
1138 {
1139 this->crypter_out->set_key(this->crypter_out, client_write);
1140 this->crypter_in->set_key(this->crypter_in, server_write);
1141 }
1142 if (ivs)
1143 {
1144 client_write = chunk_create(block.ptr, ivs);
1145 block = chunk_skip(block, ivs);
1146 server_write = chunk_create(block.ptr, ivs);
1147 block = chunk_skip(block, ivs);
1148
1149 if (this->tls->is_server(this->tls))
1150 {
1151 this->iv_in = chunk_clone(client_write);
1152 this->iv_out = chunk_clone(server_write);
1153 }
1154 else
1155 {
1156 this->iv_out = chunk_clone(client_write);
1157 this->iv_in = chunk_clone(server_write);
1158 }
1159 }
1160 }
1161 }
1162
1163 METHOD(tls_crypto_t, change_cipher, void,
1164 private_tls_crypto_t *this, bool inbound)
1165 {
1166 if (this->protection)
1167 {
1168 if (inbound)
1169 {
1170 this->protection->set_cipher(this->protection, TRUE,
1171 this->signer_in, this->crypter_in, this->iv_in);
1172 }
1173 else
1174 {
1175 this->protection->set_cipher(this->protection, FALSE,
1176 this->signer_out, this->crypter_out, this->iv_out);
1177 }
1178 }
1179 }
1180
1181 METHOD(tls_crypto_t, derive_eap_msk, void,
1182 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1183 {
1184 if (this->msk_label)
1185 {
1186 chunk_t seed;
1187
1188 seed = chunk_cata("cc", client_random, server_random);
1189 free(this->msk.ptr);
1190 this->msk = chunk_alloc(64);
1191 this->prf->get_bytes(this->prf, this->msk_label, seed,
1192 this->msk.len, this->msk.ptr);
1193 }
1194 }
1195
1196 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1197 private_tls_crypto_t *this)
1198 {
1199 return this->msk;
1200 }
1201
1202 METHOD(tls_crypto_t, destroy, void,
1203 private_tls_crypto_t *this)
1204 {
1205 DESTROY_IF(this->signer_in);
1206 DESTROY_IF(this->signer_out);
1207 DESTROY_IF(this->crypter_in);
1208 DESTROY_IF(this->crypter_out);
1209 free(this->iv_in.ptr);
1210 free(this->iv_out.ptr);
1211 free(this->handshake.ptr);
1212 free(this->msk.ptr);
1213 DESTROY_IF(this->prf);
1214 free(this->suites);
1215 free(this);
1216 }
1217
1218 /**
1219 * See header
1220 */
1221 tls_crypto_t *tls_crypto_create(tls_t *tls)
1222 {
1223 private_tls_crypto_t *this;
1224
1225 INIT(this,
1226 .public = {
1227 .get_cipher_suites = _get_cipher_suites,
1228 .select_cipher_suite = _select_cipher_suite,
1229 .get_dh_group = _get_dh_group,
1230 .get_signature_algorithms = _get_signature_algorithms,
1231 .get_curves = _get_curves,
1232 .set_protection = _set_protection,
1233 .append_handshake = _append_handshake,
1234 .sign = _sign,
1235 .verify = _verify,
1236 .sign_handshake = _sign_handshake,
1237 .verify_handshake = _verify_handshake,
1238 .calculate_finished = _calculate_finished,
1239 .derive_secrets = _derive_secrets,
1240 .change_cipher = _change_cipher,
1241 .derive_eap_msk = _derive_eap_msk,
1242 .get_eap_msk = _get_eap_msk,
1243 .destroy = _destroy,
1244 },
1245 .tls = tls,
1246 );
1247
1248 switch (tls->get_purpose(tls))
1249 {
1250 case TLS_PURPOSE_EAP_TLS:
1251 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1252 this->msk_label = "client EAP encryption";
1253 build_cipher_suite_list(this, FALSE);
1254 break;
1255 case TLS_PURPOSE_EAP_TTLS:
1256 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1257 this->msk_label = "ttls keying material";
1258 build_cipher_suite_list(this, TRUE);
1259 break;
1260 case TLS_PURPOSE_GENERIC:
1261 build_cipher_suite_list(this, TRUE);
1262 break;
1263 }
1264 return &this->public;
1265 }