Whitespace cleanups
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 typedef struct private_tls_crypto_t private_tls_crypto_t;
242
243 /**
244 * Private data of an tls_crypto_t object.
245 */
246 struct private_tls_crypto_t {
247
248 /**
249 * Public tls_crypto_t interface.
250 */
251 tls_crypto_t public;
252
253 /**
254 * Protection layer
255 */
256 tls_protection_t *protection;
257
258 /**
259 * List of supported/acceptable cipher suites
260 */
261 tls_cipher_suite_t *suites;
262
263 /**
264 * Number of supported suites
265 */
266 int suite_count;
267
268 /**
269 * Selected cipher suite
270 */
271 tls_cipher_suite_t suite;
272
273 /**
274 * TLS context
275 */
276 tls_t *tls;
277
278 /**
279 * All handshake data concatentated
280 */
281 chunk_t handshake;
282
283 /**
284 * Connection state TLS PRF
285 */
286 tls_prf_t *prf;
287
288 /**
289 * Signer instance for inbound traffic
290 */
291 signer_t *signer_in;
292
293 /**
294 * Signer instance for outbound traffic
295 */
296 signer_t *signer_out;
297
298 /**
299 * Crypter instance for inbound traffic
300 */
301 crypter_t *crypter_in;
302
303 /**
304 * Crypter instance for outbound traffic
305 */
306 crypter_t *crypter_out;
307
308 /**
309 * IV for input decryption, if < TLSv1.2
310 */
311 chunk_t iv_in;
312
313 /**
314 * IV for output decryption, if < TLSv1.2
315 */
316 chunk_t iv_out;
317
318 /**
319 * EAP-TLS MSK
320 */
321 chunk_t msk;
322 };
323
324 typedef struct {
325 tls_cipher_suite_t suite;
326 hash_algorithm_t hash;
327 pseudo_random_function_t prf;
328 integrity_algorithm_t mac;
329 encryption_algorithm_t encr;
330 size_t encr_size;
331 } suite_algs_t;
332
333 /**
334 * Mapping suites to a set of algorithms
335 */
336 static suite_algs_t suite_algs[] = {
337 { TLS_RSA_WITH_NULL_MD5,
338 HASH_MD5,
339 PRF_HMAC_MD5,
340 AUTH_HMAC_MD5_128,
341 ENCR_NULL, 0
342 },
343 { TLS_RSA_WITH_NULL_SHA,
344 HASH_SHA1,
345 PRF_HMAC_SHA1,
346 AUTH_HMAC_SHA1_160,
347 ENCR_NULL, 0
348 },
349 { TLS_RSA_WITH_NULL_SHA256,
350 HASH_SHA256,
351 PRF_HMAC_SHA2_256,
352 AUTH_HMAC_SHA2_256_256,
353 ENCR_NULL, 0
354 },
355 { TLS_RSA_WITH_AES_128_CBC_SHA,
356 HASH_SHA1,
357 PRF_HMAC_SHA1,
358 AUTH_HMAC_SHA1_160,
359 ENCR_AES_CBC, 16
360 },
361 { TLS_RSA_WITH_AES_256_CBC_SHA,
362 HASH_SHA1,
363 PRF_HMAC_SHA1,
364 AUTH_HMAC_SHA1_160,
365 ENCR_AES_CBC, 32
366 },
367 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
368 HASH_SHA1,
369 PRF_HMAC_SHA1,
370 AUTH_HMAC_SHA1_160,
371 ENCR_3DES, 0
372 },
373 { TLS_RSA_WITH_AES_128_CBC_SHA256,
374 HASH_SHA256,
375 PRF_HMAC_SHA2_256,
376 AUTH_HMAC_SHA2_256_256,
377 ENCR_AES_CBC, 16
378 },
379 };
380
381 /**
382 * Look up algoritms by a suite
383 */
384 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
385 {
386 int i;
387
388 for (i = 0; i < countof(suite_algs); i++)
389 {
390 if (suite_algs[i].suite == suite)
391 {
392 return &suite_algs[i];
393 }
394 }
395 return NULL;
396 }
397
398 /**
399 * Initialize the cipher suite list
400 */
401 static void build_cipher_suite_list(private_tls_crypto_t *this)
402 {
403 encryption_algorithm_t encr;
404 integrity_algorithm_t mac;
405 enumerator_t *encrs, *macs;
406 tls_cipher_suite_t supported[64], unique[64];
407 int count = 0, i, j;
408
409 /* we assume that we support RSA, but no DHE yet */
410 macs = lib->crypto->create_signer_enumerator(lib->crypto);
411 while (macs->enumerate(macs, &mac))
412 {
413 switch (mac)
414 {
415 case AUTH_HMAC_SHA1_160:
416 supported[count++] = TLS_RSA_WITH_NULL_SHA;
417 break;
418 case AUTH_HMAC_SHA2_256_256:
419 supported[count++] = TLS_RSA_WITH_NULL_SHA256;
420 break;
421 case AUTH_HMAC_MD5_128:
422 supported[count++] = TLS_RSA_WITH_NULL_MD5;
423 break;
424 default:
425 break;
426 }
427 encrs = lib->crypto->create_crypter_enumerator(lib->crypto);
428 while (encrs->enumerate(encrs, &encr))
429 {
430 switch (encr)
431 {
432 case ENCR_AES_CBC:
433 switch (mac)
434 {
435 case AUTH_HMAC_SHA1_160:
436 supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
437 supported[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
438 break;
439 case AUTH_HMAC_SHA2_256_256:
440 supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
441 supported[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
442 break;
443 default:
444 break;
445 }
446 break;
447 case ENCR_3DES:
448 switch (mac)
449 {
450 case AUTH_HMAC_SHA1_160:
451 supported[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
452 break;
453 default:
454 break;
455 }
456 break;
457 default:
458 break;
459 }
460 }
461 encrs->destroy(encrs);
462 }
463 macs->destroy(macs);
464
465 /* remove duplicates */
466 this->suite_count = 0;
467 for (i = 0; i < count; i++)
468 {
469 bool match = FALSE;
470
471 for (j = 0; j < this->suite_count; j++)
472 {
473 if (supported[i] == unique[j])
474 {
475 match = TRUE;
476 break;
477 }
478 }
479 if (!match)
480 {
481 unique[this->suite_count++] = supported[i];
482 }
483 }
484 free(this->suites);
485 this->suites = malloc(sizeof(tls_cipher_suite_t) * this->suite_count);
486 memcpy(this->suites, unique, sizeof(tls_cipher_suite_t) * this->suite_count);
487 }
488
489 METHOD(tls_crypto_t, get_cipher_suites, int,
490 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
491 {
492 *suites = this->suites;
493 return this->suite_count;
494 }
495
496 /**
497 * Create crypto primitives
498 */
499 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
500 {
501 suite_algs_t *algs;
502
503 algs = find_suite(suite);
504 if (!algs)
505 {
506 DBG1(DBG_IKE, "selected TLS suite not supported");
507 return FALSE;
508 }
509
510 DESTROY_IF(this->prf);
511 if (this->tls->get_version(this->tls) < TLS_1_2)
512 {
513 this->prf = tls_prf_create_10();
514 }
515 else
516 {
517 this->prf = tls_prf_create_12(algs->prf);
518 }
519 if (!this->prf)
520 {
521 DBG1(DBG_IKE, "selected TLS PRF not supported");
522 return FALSE;
523 }
524
525 DESTROY_IF(this->signer_in);
526 DESTROY_IF(this->signer_out);
527 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
528 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
529 if (!this->signer_in || !this->signer_out)
530 {
531 DBG1(DBG_IKE, "selected TLS MAC %N not supported",
532 integrity_algorithm_names, algs->mac);
533 return FALSE;
534 }
535
536 DESTROY_IF(this->crypter_in);
537 DESTROY_IF(this->crypter_out);
538 if (algs->encr == ENCR_NULL)
539 {
540 this->crypter_in = this->crypter_out = NULL;
541 }
542 else
543 {
544 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
545 algs->encr, algs->encr_size);
546 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
547 algs->encr, algs->encr_size);
548 if (!this->crypter_in || !this->crypter_out)
549 {
550 DBG1(DBG_IKE, "selected TLS crypter %N not supported",
551 encryption_algorithm_names, algs->encr);
552 return FALSE;
553 }
554 }
555 return TRUE;
556 }
557
558 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
559 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
560 {
561 int i, j;
562
563 for (i = 0; i < this->suite_count; i++)
564 {
565 for (j = 0; j < count; j++)
566 {
567 if (this->suites[i] == suites[j])
568 {
569 if (create_ciphers(this, this->suites[i]))
570 {
571 this->suite = this->suites[i];
572 return this->suite;
573 }
574 }
575 }
576 }
577 return 0;
578 }
579
580 METHOD(tls_crypto_t, set_protection, void,
581 private_tls_crypto_t *this, tls_protection_t *protection)
582 {
583 this->protection = protection;
584 }
585
586 METHOD(tls_crypto_t, append_handshake, void,
587 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
588 {
589 u_int32_t header;
590
591 /* reconstruct handshake header */
592 header = htonl(data.len | (type << 24));
593 this->handshake = chunk_cat("mcc", this->handshake,
594 chunk_from_thing(header), data);
595 }
596
597 /**
598 * Create a hash of the stored handshake data
599 */
600 static bool hash_handshake(private_tls_crypto_t *this, chunk_t *hash)
601 {
602 if (this->tls->get_version(this->tls) >= TLS_1_2)
603 {
604 hasher_t *hasher;
605 suite_algs_t *alg;
606
607 alg = find_suite(this->suite);
608 if (!alg)
609 {
610 return FALSE;
611 }
612 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
613 if (!hasher)
614 {
615 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, alg->hash);
616 return FALSE;
617 }
618 hasher->allocate_hash(hasher, this->handshake, hash);
619 hasher->destroy(hasher);
620 }
621 else
622 {
623 hasher_t *md5, *sha1;
624 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
625
626 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
627 if (!md5)
628 {
629 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_MD5);
630 return FALSE;
631 }
632 md5->get_hash(md5, this->handshake, buf);
633 md5->destroy(md5);
634 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
635 if (!sha1)
636 {
637 DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_SHA1);
638 return FALSE;
639 }
640 sha1->get_hash(sha1, this->handshake, buf + HASH_SIZE_MD5);
641 sha1->destroy(sha1);
642
643 *hash = chunk_clone(chunk_from_thing(buf));
644 }
645 return TRUE;
646 }
647
648 METHOD(tls_crypto_t, sign_handshake, bool,
649 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer)
650 {
651 chunk_t sig, hash;
652
653 if (this->tls->get_version(this->tls) >= TLS_1_2)
654 {
655 /* TODO: use supported algorithms instead of fixed SHA1/RSA */
656 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, &sig))
657 {
658 return FALSE;
659 }
660 writer->write_uint8(writer, 2);
661 writer->write_uint8(writer, 1);
662 writer->write_data16(writer, sig);
663 free(sig.ptr);
664 }
665 else
666 {
667 if (!hash_handshake(this, &hash))
668 {
669 return FALSE;
670 }
671 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig))
672 {
673 free(hash.ptr);
674 return FALSE;
675 }
676 writer->write_data16(writer, sig);
677 free(hash.ptr);
678 free(sig.ptr);
679 }
680 return TRUE;
681 }
682
683 METHOD(tls_crypto_t, verify_handshake, bool,
684 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
685 {
686 if (this->tls->get_version(this->tls) >= TLS_1_2)
687 {
688 u_int8_t hash, alg;
689 chunk_t sig;
690
691 if (!reader->read_uint8(reader, &hash) ||
692 !reader->read_uint8(reader, &alg) ||
693 !reader->read_data16(reader, &sig))
694 {
695 DBG1(DBG_IKE, "received invalid Certificate Verify");
696 return FALSE;
697 }
698 /* TODO: map received hash/sig alg to signature scheme */
699 if (hash != 2 || alg != 1 ||
700 !key->verify(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, sig))
701 {
702 return FALSE;
703 }
704 }
705 else
706 {
707 chunk_t sig, hash;
708
709 if (!reader->read_data16(reader, &sig))
710 {
711 DBG1(DBG_IKE, "received invalid Certificate Verify");
712 return FALSE;
713 }
714 if (!hash_handshake(this, &hash))
715 {
716 return FALSE;
717 }
718 if (!key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
719 {
720 free(hash.ptr);
721 return FALSE;
722 }
723 free(hash.ptr);
724 }
725 return TRUE;
726 }
727
728 METHOD(tls_crypto_t, calculate_finished, bool,
729 private_tls_crypto_t *this, char *label, char out[12])
730 {
731 chunk_t seed;
732
733 if (!this->prf)
734 {
735 return FALSE;
736 }
737 if (!hash_handshake(this, &seed))
738 {
739 return FALSE;
740 }
741 this->prf->get_bytes(this->prf, label, seed, 12, out);
742 free(seed.ptr);
743 return TRUE;
744 }
745
746 METHOD(tls_crypto_t, derive_secrets, void,
747 private_tls_crypto_t *this, chunk_t premaster,
748 chunk_t client_random, chunk_t server_random)
749 {
750 char master[48];
751 chunk_t seed, block, client_write, server_write;
752 int mks, eks = 0, ivs = 0;
753
754 /* derive master secret */
755 seed = chunk_cata("cc", client_random, server_random);
756 this->prf->set_key(this->prf, premaster);
757 this->prf->get_bytes(this->prf, "master secret", seed,
758 sizeof(master), master);
759
760 this->prf->set_key(this->prf, chunk_from_thing(master));
761 memset(master, 0, sizeof(master));
762
763 /* derive key block for key expansion */
764 mks = this->signer_out->get_key_size(this->signer_out);
765 if (this->crypter_out)
766 {
767 eks = this->crypter_out->get_key_size(this->crypter_out);
768 if (this->tls->get_version(this->tls) < TLS_1_1)
769 {
770 ivs = this->crypter_out->get_block_size(this->crypter_out);
771 }
772 }
773 seed = chunk_cata("cc", server_random, client_random);
774 block = chunk_alloca((mks + eks + ivs) * 2);
775 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
776
777 /* signer keys */
778 client_write = chunk_create(block.ptr, mks);
779 block = chunk_skip(block, mks);
780 server_write = chunk_create(block.ptr, mks);
781 block = chunk_skip(block, mks);
782 if (this->tls->is_server(this->tls))
783 {
784 this->signer_in->set_key(this->signer_in, client_write);
785 this->signer_out->set_key(this->signer_out, server_write);
786 }
787 else
788 {
789 this->signer_out->set_key(this->signer_out, client_write);
790 this->signer_in->set_key(this->signer_in, server_write);
791 }
792
793 /* crypter keys, and IVs if < TLSv1.2 */
794 if (this->crypter_out && this->crypter_in)
795 {
796 client_write = chunk_create(block.ptr, eks);
797 block = chunk_skip(block, eks);
798 server_write = chunk_create(block.ptr, eks);
799 block = chunk_skip(block, eks);
800
801 if (this->tls->is_server(this->tls))
802 {
803 this->crypter_in->set_key(this->crypter_in, client_write);
804 this->crypter_out->set_key(this->crypter_out, server_write);
805 }
806 else
807 {
808 this->crypter_out->set_key(this->crypter_out, client_write);
809 this->crypter_in->set_key(this->crypter_in, server_write);
810 }
811 if (ivs)
812 {
813 client_write = chunk_create(block.ptr, ivs);
814 block = chunk_skip(block, ivs);
815 server_write = chunk_create(block.ptr, ivs);
816 block = chunk_skip(block, ivs);
817
818 if (this->tls->is_server(this->tls))
819 {
820 this->iv_in = chunk_clone(client_write);
821 this->iv_out = chunk_clone(server_write);
822 }
823 else
824 {
825 this->iv_out = chunk_clone(client_write);
826 this->iv_in = chunk_clone(server_write);
827 }
828 }
829 }
830 }
831
832 METHOD(tls_crypto_t, change_cipher, void,
833 private_tls_crypto_t *this, bool inbound)
834 {
835 if (this->protection)
836 {
837 if (inbound)
838 {
839 this->protection->set_cipher(this->protection, TRUE,
840 this->signer_in, this->crypter_in, this->iv_in);
841 }
842 else
843 {
844 this->protection->set_cipher(this->protection, FALSE,
845 this->signer_out, this->crypter_out, this->iv_out);
846 }
847 }
848 }
849
850 METHOD(tls_crypto_t, derive_eap_msk, void,
851 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
852 {
853 chunk_t seed;
854
855 seed = chunk_cata("cc", client_random, server_random);
856 free(this->msk.ptr);
857 this->msk = chunk_alloc(64);
858 this->prf->get_bytes(this->prf, "client EAP encryption", seed,
859 this->msk.len, this->msk.ptr);
860 }
861
862 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
863 private_tls_crypto_t *this)
864 {
865 return this->msk;
866 }
867
868 METHOD(tls_crypto_t, destroy, void,
869 private_tls_crypto_t *this)
870 {
871 DESTROY_IF(this->signer_in);
872 DESTROY_IF(this->signer_out);
873 DESTROY_IF(this->crypter_in);
874 DESTROY_IF(this->crypter_out);
875 free(this->iv_in.ptr);
876 free(this->iv_out.ptr);
877 free(this->handshake.ptr);
878 free(this->msk.ptr);
879 DESTROY_IF(this->prf);
880 free(this->suites);
881 free(this);
882 }
883
884 /**
885 * See header
886 */
887 tls_crypto_t *tls_crypto_create(tls_t *tls)
888 {
889 private_tls_crypto_t *this;
890
891 INIT(this,
892 .public = {
893 .get_cipher_suites = _get_cipher_suites,
894 .select_cipher_suite = _select_cipher_suite,
895 .set_protection = _set_protection,
896 .append_handshake = _append_handshake,
897 .sign_handshake = _sign_handshake,
898 .verify_handshake = _verify_handshake,
899 .calculate_finished = _calculate_finished,
900 .derive_secrets = _derive_secrets,
901 .change_cipher = _change_cipher,
902 .derive_eap_msk = _derive_eap_msk,
903 .get_eap_msk = _get_eap_msk,
904 .destroy = _destroy,
905 },
906 .tls = tls,
907 );
908
909 build_cipher_suite_list(this);
910
911 return &this->public;
912 }