libtls: Move settings to <ns>.tls with fallback to libtls
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * TLS session cache
374 */
375 tls_cache_t *cache;
376
377 /**
378 * All handshake data concatentated
379 */
380 chunk_t handshake;
381
382 /**
383 * Connection state TLS PRF
384 */
385 tls_prf_t *prf;
386
387 /**
388 * Signer instance for inbound traffic
389 */
390 signer_t *signer_in;
391
392 /**
393 * Signer instance for outbound traffic
394 */
395 signer_t *signer_out;
396
397 /**
398 * Crypter instance for inbound traffic
399 */
400 crypter_t *crypter_in;
401
402 /**
403 * Crypter instance for outbound traffic
404 */
405 crypter_t *crypter_out;
406
407 /**
408 * IV for input decryption, if < TLSv1.2
409 */
410 chunk_t iv_in;
411
412 /**
413 * IV for output decryption, if < TLSv1.2
414 */
415 chunk_t iv_out;
416
417 /**
418 * EAP-[T]TLS MSK
419 */
420 chunk_t msk;
421
422 /**
423 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
424 */
425 char *msk_label;
426 };
427
428 typedef struct {
429 tls_cipher_suite_t suite;
430 key_type_t key;
431 diffie_hellman_group_t dh;
432 hash_algorithm_t hash;
433 pseudo_random_function_t prf;
434 integrity_algorithm_t mac;
435 encryption_algorithm_t encr;
436 size_t encr_size;
437 } suite_algs_t;
438
439 /**
440 * Mapping suites to a set of algorithms
441 */
442 static suite_algs_t suite_algs[] = {
443 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
444 KEY_ECDSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
449 KEY_ECDSA, ECP_256_BIT,
450 HASH_SHA256, PRF_HMAC_SHA2_256,
451 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
452 },
453 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
454 KEY_ECDSA, ECP_384_BIT,
455 HASH_SHA256, PRF_HMAC_SHA2_256,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
459 KEY_ECDSA, ECP_384_BIT,
460 HASH_SHA384, PRF_HMAC_SHA2_384,
461 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
462 },
463 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
464 KEY_RSA, ECP_256_BIT,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
467 },
468 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
469 KEY_RSA, ECP_256_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
472 },
473 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
474 KEY_RSA, ECP_384_BIT,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
477 },
478 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
479 KEY_RSA, ECP_384_BIT,
480 HASH_SHA384, PRF_HMAC_SHA2_384,
481 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
482 },
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
484 KEY_RSA, MODP_2048_BIT,
485 HASH_SHA256,PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
492 },
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
494 KEY_RSA, MODP_3072_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
499 KEY_RSA, MODP_4096_BIT,
500 HASH_SHA256, PRF_HMAC_SHA2_256,
501 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
502 },
503 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
504 KEY_RSA, MODP_2048_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
507 },
508 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
509 KEY_RSA, MODP_3072_BIT,
510 HASH_SHA256, PRF_HMAC_SHA2_256,
511 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
512 },
513 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
514 KEY_RSA, MODP_3072_BIT,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
517 },
518 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
519 KEY_RSA, MODP_4096_BIT,
520 HASH_SHA256, PRF_HMAC_SHA2_256,
521 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
522 },
523 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
524 KEY_RSA, MODP_2048_BIT,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
527 },
528 { TLS_RSA_WITH_AES_128_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
532 },
533 { TLS_RSA_WITH_AES_128_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
537 },
538 { TLS_RSA_WITH_AES_256_CBC_SHA,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
542 },
543 { TLS_RSA_WITH_AES_256_CBC_SHA256,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA256, PRF_HMAC_SHA2_256,
546 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
547 },
548 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
552 },
553 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
554 KEY_RSA, MODP_NONE,
555 HASH_SHA256, PRF_HMAC_SHA2_256,
556 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
557 },
558 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
562 },
563 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
564 KEY_RSA, MODP_NONE,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
567 },
568 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
572 },
573 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
574 KEY_RSA, ECP_256_BIT,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
577 },
578 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
579 KEY_RSA, MODP_NONE,
580 HASH_SHA256, PRF_HMAC_SHA2_256,
581 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
582 },
583 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
584 KEY_ECDSA, ECP_256_BIT,
585 HASH_SHA256, PRF_HMAC_SHA2_256,
586 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
587 },
588 { TLS_ECDHE_RSA_WITH_NULL_SHA,
589 KEY_ECDSA, ECP_256_BIT,
590 HASH_SHA256, PRF_HMAC_SHA2_256,
591 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
592 },
593 { TLS_RSA_WITH_NULL_SHA,
594 KEY_RSA, MODP_NONE,
595 HASH_SHA256, PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
597 },
598 { TLS_RSA_WITH_NULL_SHA256,
599 KEY_RSA, MODP_NONE,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
602 },
603 { TLS_RSA_WITH_NULL_MD5,
604 KEY_RSA, MODP_NONE,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_MD5_128, ENCR_NULL, 0
607 },
608 };
609
610 /**
611 * Look up algorithms by a suite
612 */
613 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
614 {
615 int i;
616
617 for (i = 0; i < countof(suite_algs); i++)
618 {
619 if (suite_algs[i].suite == suite)
620 {
621 return &suite_algs[i];
622 }
623 }
624 return NULL;
625 }
626
627 /**
628 * Filter a suite list using a transform enumerator
629 */
630 static void filter_suite(private_tls_crypto_t *this,
631 suite_algs_t suites[], int *count, int offset,
632 enumerator_t*(*create_enumerator)(crypto_factory_t*))
633 {
634 const char *plugin_name;
635 suite_algs_t current;
636 int *current_alg, i, remaining = 0;
637 enumerator_t *enumerator;
638
639 memset(&current, 0, sizeof(current));
640 current_alg = (int*)((char*)&current + offset);
641
642 for (i = 0; i < *count; i++)
643 {
644 enumerator = create_enumerator(lib->crypto);
645 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
646 {
647 if ((suites[i].encr == ENCR_NULL ||
648 !current.encr || current.encr == suites[i].encr) &&
649 (!current.mac || current.mac == suites[i].mac) &&
650 (!current.prf || current.prf == suites[i].prf) &&
651 (!current.hash || current.hash == suites[i].hash) &&
652 (suites[i].dh == MODP_NONE ||
653 !current.dh || current.dh == suites[i].dh))
654 {
655 suites[remaining] = suites[i];
656 remaining++;
657 break;
658 }
659 }
660 enumerator->destroy(enumerator);
661 }
662 *count = remaining;
663 }
664
665 /**
666 * Purge NULL encryption cipher suites from list
667 */
668 static void filter_null_suites(private_tls_crypto_t *this,
669 suite_algs_t suites[], int *count)
670 {
671 int i, remaining = 0;
672
673 for (i = 0; i < *count; i++)
674 {
675 if (suites[i].encr != ENCR_NULL)
676 {
677 suites[remaining] = suites[i];
678 remaining++;
679 }
680 }
681 *count = remaining;
682 }
683
684 /**
685 * Purge suites using a given key type
686 */
687 static void filter_key_suites(private_tls_crypto_t *this,
688 suite_algs_t suites[], int *count, key_type_t key)
689 {
690 int i, remaining = 0;
691
692 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
693 for (i = 0; i < *count; i++)
694 {
695 if (suites[i].key != key)
696 {
697 suites[remaining] = suites[i];
698 remaining++;
699 }
700 }
701 *count = remaining;
702 }
703
704 /**
705 * Filter suites by key exchange user config
706 */
707 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
708 suite_algs_t suites[], int *count)
709 {
710 enumerator_t *enumerator;
711 int i, remaining = 0;
712 char *token, *config;
713
714 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
715 lib->ns);
716 if (config)
717 {
718 for (i = 0; i < *count; i++)
719 {
720 enumerator = enumerator_create_token(config, ",", " ");
721 while (enumerator->enumerate(enumerator, &token))
722 {
723 if (strcaseeq(token, "ecdhe-ecdsa") &&
724 diffie_hellman_group_is_ec(suites[i].dh) &&
725 suites[i].key == KEY_ECDSA)
726 {
727 suites[remaining++] = suites[i];
728 break;
729 }
730 if (strcaseeq(token, "ecdhe-rsa") &&
731 diffie_hellman_group_is_ec(suites[i].dh) &&
732 suites[i].key == KEY_RSA)
733 {
734 suites[remaining++] = suites[i];
735 break;
736 }
737 if (strcaseeq(token, "dhe-rsa") &&
738 !diffie_hellman_group_is_ec(suites[i].dh) &&
739 suites[i].dh != MODP_NONE &&
740 suites[i].key == KEY_RSA)
741 {
742 suites[remaining++] = suites[i];
743 break;
744 }
745 if (strcaseeq(token, "rsa") &&
746 suites[i].dh == MODP_NONE &&
747 suites[i].key == KEY_RSA)
748 {
749 suites[remaining++] = suites[i];
750 break;
751 }
752 }
753 enumerator->destroy(enumerator);
754 }
755 *count = remaining;
756 }
757 }
758
759 /**
760 * Filter suites by cipher user config
761 */
762 static void filter_cipher_config_suites(private_tls_crypto_t *this,
763 suite_algs_t suites[], int *count)
764 {
765 enumerator_t *enumerator;
766 int i, remaining = 0;
767 char *token, *config;
768
769 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
770 lib->ns);
771 if (config)
772 {
773 for (i = 0; i < *count; i++)
774 {
775 enumerator = enumerator_create_token(config, ",", " ");
776 while (enumerator->enumerate(enumerator, &token))
777 {
778 if (strcaseeq(token, "aes128") &&
779 suites[i].encr == ENCR_AES_CBC &&
780 suites[i].encr_size == 16)
781 {
782 suites[remaining++] = suites[i];
783 break;
784 }
785 if (strcaseeq(token, "aes256") &&
786 suites[i].encr == ENCR_AES_CBC &&
787 suites[i].encr_size == 32)
788 {
789 suites[remaining++] = suites[i];
790 break;
791 }
792 if (strcaseeq(token, "camellia128") &&
793 suites[i].encr == ENCR_CAMELLIA_CBC &&
794 suites[i].encr_size == 16)
795 {
796 suites[remaining++] = suites[i];
797 break;
798 }
799 if (strcaseeq(token, "camellia256") &&
800 suites[i].encr == ENCR_CAMELLIA_CBC &&
801 suites[i].encr_size == 32)
802 {
803 suites[remaining++] = suites[i];
804 break;
805 }
806 if (strcaseeq(token, "3des") &&
807 suites[i].encr == ENCR_3DES)
808 {
809 suites[remaining++] = suites[i];
810 break;
811 }
812 if (strcaseeq(token, "null") &&
813 suites[i].encr == ENCR_NULL)
814 {
815 suites[remaining++] = suites[i];
816 break;
817 }
818 }
819 enumerator->destroy(enumerator);
820 }
821 *count = remaining;
822 }
823 }
824
825 /**
826 * Filter suites by mac user config
827 */
828 static void filter_mac_config_suites(private_tls_crypto_t *this,
829 suite_algs_t suites[], int *count)
830 {
831 enumerator_t *enumerator;
832 int i, remaining = 0;
833 char *token, *config;
834
835 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
836 lib->ns);
837 if (config)
838 {
839 for (i = 0; i < *count; i++)
840 {
841 enumerator = enumerator_create_token(config, ",", " ");
842 while (enumerator->enumerate(enumerator, &token))
843 {
844 if (strcaseeq(token, "md5") &&
845 suites[i].mac == AUTH_HMAC_MD5_128)
846 {
847 suites[remaining++] = suites[i];
848 break;
849 }
850 if (strcaseeq(token, "sha1") &&
851 suites[i].mac == AUTH_HMAC_SHA1_160)
852 {
853 suites[remaining++] = suites[i];
854 break;
855 }
856 if (strcaseeq(token, "sha256") &&
857 suites[i].mac == AUTH_HMAC_SHA2_256_256)
858 {
859 suites[remaining++] = suites[i];
860 break;
861 }
862 if (strcaseeq(token, "sha384") &&
863 suites[i].mac == AUTH_HMAC_SHA2_384_384)
864 {
865 suites[remaining++] = suites[i];
866 break;
867 }
868 }
869 enumerator->destroy(enumerator);
870 }
871 *count = remaining;
872 }
873 }
874
875 /**
876 * Filter for specific suites specified in strongswan.conf
877 */
878 static void filter_specific_config_suites(private_tls_crypto_t *this,
879 suite_algs_t suites[], int *count)
880 {
881 enumerator_t *enumerator;
882 int i, remaining = 0, suite;
883 char *token, *config;
884
885 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
886 lib->ns);
887 if (config)
888 {
889 for (i = 0; i < *count; i++)
890 {
891 enumerator = enumerator_create_token(config, ",", " ");
892 while (enumerator->enumerate(enumerator, &token))
893 {
894 suite = enum_from_name(tls_cipher_suite_names, token);
895 if (suite == suites[i].suite)
896 {
897 suites[remaining++] = suites[i];
898 break;
899 }
900 }
901 enumerator->destroy(enumerator);
902 }
903 *count = remaining;
904 }
905 }
906
907 /**
908 * Initialize the cipher suite list
909 */
910 static void build_cipher_suite_list(private_tls_crypto_t *this,
911 bool require_encryption)
912 {
913 suite_algs_t suites[countof(suite_algs)];
914 int count = countof(suite_algs), i;
915
916 /* copy all suites */
917 for (i = 0; i < count; i++)
918 {
919 suites[i] = suite_algs[i];
920 }
921 if (require_encryption)
922 {
923 filter_null_suites(this, suites, &count);
924 }
925 if (!this->rsa)
926 {
927 filter_key_suites(this, suites, &count, KEY_RSA);
928 }
929 if (!this->ecdsa)
930 {
931 filter_key_suites(this, suites, &count, KEY_ECDSA);
932 }
933
934 /* filter suite list by each algorithm */
935 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
936 lib->crypto->create_crypter_enumerator);
937 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
938 lib->crypto->create_signer_enumerator);
939 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
940 lib->crypto->create_prf_enumerator);
941 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
942 lib->crypto->create_hasher_enumerator);
943 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
944 lib->crypto->create_dh_enumerator);
945
946 /* filter suites with strongswan.conf options */
947 filter_key_exchange_config_suites(this, suites, &count);
948 filter_cipher_config_suites(this, suites, &count);
949 filter_mac_config_suites(this, suites, &count);
950 filter_specific_config_suites(this, suites, &count);
951
952 free(this->suites);
953 this->suite_count = count;
954 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
955
956 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
957 for (i = 0; i < count; i++)
958 {
959 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
960 this->suites[i] = suites[i].suite;
961 }
962 }
963
964 METHOD(tls_crypto_t, get_cipher_suites, int,
965 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
966 {
967 *suites = this->suites;
968 return this->suite_count;
969 }
970
971 /**
972 * Create crypto primitives
973 */
974 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
975 {
976 DESTROY_IF(this->prf);
977 if (this->tls->get_version(this->tls) < TLS_1_2)
978 {
979 this->prf = tls_prf_create_10();
980 }
981 else
982 {
983 this->prf = tls_prf_create_12(algs->prf);
984 }
985 if (!this->prf)
986 {
987 DBG1(DBG_TLS, "selected TLS PRF not supported");
988 return FALSE;
989 }
990
991 DESTROY_IF(this->signer_in);
992 DESTROY_IF(this->signer_out);
993 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
994 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
995 if (!this->signer_in || !this->signer_out)
996 {
997 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
998 integrity_algorithm_names, algs->mac);
999 return FALSE;
1000 }
1001
1002 DESTROY_IF(this->crypter_in);
1003 DESTROY_IF(this->crypter_out);
1004 if (algs->encr == ENCR_NULL)
1005 {
1006 this->crypter_in = this->crypter_out = NULL;
1007 }
1008 else
1009 {
1010 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
1011 algs->encr, algs->encr_size);
1012 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
1013 algs->encr, algs->encr_size);
1014 if (!this->crypter_in || !this->crypter_out)
1015 {
1016 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
1017 encryption_algorithm_names, algs->encr);
1018 return FALSE;
1019 }
1020 }
1021 return TRUE;
1022 }
1023
1024 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1025 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1026 key_type_t key)
1027 {
1028 suite_algs_t *algs;
1029 int i, j;
1030
1031 for (i = 0; i < this->suite_count; i++)
1032 {
1033 for (j = 0; j < count; j++)
1034 {
1035 if (this->suites[i] == suites[j])
1036 {
1037 algs = find_suite(this->suites[i]);
1038 if (algs)
1039 {
1040 if (key == KEY_ANY || key == algs->key)
1041 {
1042 if (create_ciphers(this, algs))
1043 {
1044 this->suite = this->suites[i];
1045 return this->suite;
1046 }
1047 }
1048 }
1049 }
1050 }
1051 }
1052 return 0;
1053 }
1054
1055 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1056 private_tls_crypto_t *this)
1057 {
1058 suite_algs_t *algs;
1059
1060 algs = find_suite(this->suite);
1061 if (algs)
1062 {
1063 return algs->dh;
1064 }
1065 return MODP_NONE;
1066 }
1067
1068 METHOD(tls_crypto_t, get_signature_algorithms, void,
1069 private_tls_crypto_t *this, bio_writer_t *writer)
1070 {
1071 bio_writer_t *supported;
1072 enumerator_t *enumerator;
1073 hash_algorithm_t alg;
1074 tls_hash_algorithm_t hash;
1075 const char *plugin_name;
1076
1077 supported = bio_writer_create(32);
1078 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1079 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1080 {
1081 switch (alg)
1082 {
1083 case HASH_MD5:
1084 hash = TLS_HASH_MD5;
1085 break;
1086 case HASH_SHA1:
1087 hash = TLS_HASH_SHA1;
1088 break;
1089 case HASH_SHA224:
1090 hash = TLS_HASH_SHA224;
1091 break;
1092 case HASH_SHA256:
1093 hash = TLS_HASH_SHA256;
1094 break;
1095 case HASH_SHA384:
1096 hash = TLS_HASH_SHA384;
1097 break;
1098 case HASH_SHA512:
1099 hash = TLS_HASH_SHA512;
1100 break;
1101 default:
1102 continue;
1103 }
1104 if (this->rsa)
1105 {
1106 supported->write_uint8(supported, hash);
1107 supported->write_uint8(supported, TLS_SIG_RSA);
1108 }
1109 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1110 { /* currently we have no signature scheme for MD5/SHA224 */
1111 supported->write_uint8(supported, hash);
1112 supported->write_uint8(supported, TLS_SIG_ECDSA);
1113 }
1114 }
1115 enumerator->destroy(enumerator);
1116
1117 supported->wrap16(supported);
1118 writer->write_data16(writer, supported->get_buf(supported));
1119 supported->destroy(supported);
1120 }
1121
1122 /**
1123 * Mapping groups to TLS named curves
1124 */
1125 static struct {
1126 diffie_hellman_group_t group;
1127 tls_named_curve_t curve;
1128 } curves[] = {
1129 { ECP_256_BIT, TLS_SECP256R1},
1130 { ECP_384_BIT, TLS_SECP384R1},
1131 { ECP_521_BIT, TLS_SECP521R1},
1132 { ECP_224_BIT, TLS_SECP224R1},
1133 { ECP_192_BIT, TLS_SECP192R1},
1134 };
1135
1136 /**
1137 * Filter EC groups, add TLS curve
1138 */
1139 static bool group_filter(void *null,
1140 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1141 void* dummy1, tls_named_curve_t *curve)
1142 {
1143 int i;
1144
1145 for (i = 0; i < countof(curves); i++)
1146 {
1147 if (curves[i].group == *in)
1148 {
1149 if (out)
1150 {
1151 *out = curves[i].group;
1152 }
1153 if (curve)
1154 {
1155 *curve = curves[i].curve;
1156 }
1157 return TRUE;
1158 }
1159 }
1160 return FALSE;
1161 }
1162
1163 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1164 private_tls_crypto_t *this)
1165 {
1166 return enumerator_create_filter(
1167 lib->crypto->create_dh_enumerator(lib->crypto),
1168 (void*)group_filter, NULL, NULL);
1169 }
1170
1171 METHOD(tls_crypto_t, set_protection, void,
1172 private_tls_crypto_t *this, tls_protection_t *protection)
1173 {
1174 this->protection = protection;
1175 }
1176
1177 METHOD(tls_crypto_t, append_handshake, void,
1178 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1179 {
1180 u_int32_t header;
1181
1182 /* reconstruct handshake header */
1183 header = htonl(data.len | (type << 24));
1184 this->handshake = chunk_cat("mcc", this->handshake,
1185 chunk_from_thing(header), data);
1186 }
1187
1188 /**
1189 * Create a hash using the suites HASH algorithm
1190 */
1191 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1192 {
1193 if (this->tls->get_version(this->tls) >= TLS_1_2)
1194 {
1195 hasher_t *hasher;
1196 suite_algs_t *alg;
1197
1198 alg = find_suite(this->suite);
1199 if (!alg)
1200 {
1201 return FALSE;
1202 }
1203 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1204 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1205 {
1206 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1207 DESTROY_IF(hasher);
1208 return FALSE;
1209 }
1210 hasher->destroy(hasher);
1211 }
1212 else
1213 {
1214 hasher_t *md5, *sha1;
1215 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1216
1217 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1218 if (!md5 || !md5->get_hash(md5, data, buf))
1219 {
1220 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1221 DESTROY_IF(md5);
1222 return FALSE;
1223 }
1224 md5->destroy(md5);
1225 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1226 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1227 {
1228 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1229 DESTROY_IF(sha1);
1230 return FALSE;
1231 }
1232 sha1->destroy(sha1);
1233
1234 *hash = chunk_clone(chunk_from_thing(buf));
1235 }
1236 return TRUE;
1237 }
1238
1239 /**
1240 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1241 */
1242 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1243 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1244 {
1245 switch (sig)
1246 {
1247 case TLS_SIG_RSA:
1248 if (type != KEY_RSA)
1249 {
1250 return SIGN_UNKNOWN;
1251 }
1252 switch (hash)
1253 {
1254 case TLS_HASH_MD5:
1255 return SIGN_RSA_EMSA_PKCS1_MD5;
1256 case TLS_HASH_SHA1:
1257 return SIGN_RSA_EMSA_PKCS1_SHA1;
1258 case TLS_HASH_SHA224:
1259 return SIGN_RSA_EMSA_PKCS1_SHA224;
1260 case TLS_HASH_SHA256:
1261 return SIGN_RSA_EMSA_PKCS1_SHA256;
1262 case TLS_HASH_SHA384:
1263 return SIGN_RSA_EMSA_PKCS1_SHA384;
1264 case TLS_HASH_SHA512:
1265 return SIGN_RSA_EMSA_PKCS1_SHA512;
1266 default:
1267 return SIGN_UNKNOWN;
1268 }
1269 case TLS_SIG_ECDSA:
1270 if (type != KEY_ECDSA)
1271 {
1272 return SIGN_UNKNOWN;
1273 }
1274 switch (hash)
1275 {
1276 case TLS_HASH_SHA224:
1277 return SIGN_ECDSA_WITH_SHA1_DER;
1278 case TLS_HASH_SHA256:
1279 return SIGN_ECDSA_WITH_SHA256_DER;
1280 case TLS_HASH_SHA384:
1281 return SIGN_ECDSA_WITH_SHA384_DER;
1282 case TLS_HASH_SHA512:
1283 return SIGN_ECDSA_WITH_SHA512_DER;
1284 default:
1285 return SIGN_UNKNOWN;
1286 }
1287 default:
1288 return SIGN_UNKNOWN;
1289 }
1290 }
1291
1292 METHOD(tls_crypto_t, sign, bool,
1293 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1294 chunk_t data, chunk_t hashsig)
1295 {
1296 if (this->tls->get_version(this->tls) >= TLS_1_2)
1297 {
1298 signature_scheme_t scheme;
1299 bio_reader_t *reader;
1300 u_int8_t hash, alg;
1301 chunk_t sig;
1302 bool done = FALSE;
1303
1304 if (!hashsig.len)
1305 { /* fallback if none given */
1306 hashsig = chunk_from_chars(
1307 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1308 }
1309 reader = bio_reader_create(hashsig);
1310 while (reader->remaining(reader) >= 2)
1311 {
1312 if (reader->read_uint8(reader, &hash) &&
1313 reader->read_uint8(reader, &alg))
1314 {
1315 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1316 if (scheme != SIGN_UNKNOWN &&
1317 key->sign(key, scheme, data, &sig))
1318 {
1319 done = TRUE;
1320 break;
1321 }
1322 }
1323 }
1324 reader->destroy(reader);
1325 if (!done)
1326 {
1327 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1328 return FALSE;
1329 }
1330 DBG2(DBG_TLS, "created signature with %N/%N",
1331 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1332 writer->write_uint8(writer, hash);
1333 writer->write_uint8(writer, alg);
1334 writer->write_data16(writer, sig);
1335 free(sig.ptr);
1336 }
1337 else
1338 {
1339 chunk_t sig, hash;
1340 bool done;
1341
1342 switch (key->get_type(key))
1343 {
1344 case KEY_RSA:
1345 if (!hash_data(this, data, &hash))
1346 {
1347 return FALSE;
1348 }
1349 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1350 free(hash.ptr);
1351 if (!done)
1352 {
1353 return FALSE;
1354 }
1355 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1356 break;
1357 case KEY_ECDSA:
1358 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1359 {
1360 return FALSE;
1361 }
1362 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1363 break;
1364 default:
1365 return FALSE;
1366 }
1367 writer->write_data16(writer, sig);
1368 free(sig.ptr);
1369 }
1370 return TRUE;
1371 }
1372
1373 METHOD(tls_crypto_t, verify, bool,
1374 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1375 chunk_t data)
1376 {
1377 if (this->tls->get_version(this->tls) >= TLS_1_2)
1378 {
1379 signature_scheme_t scheme = SIGN_UNKNOWN;
1380 u_int8_t hash, alg;
1381 chunk_t sig;
1382
1383 if (!reader->read_uint8(reader, &hash) ||
1384 !reader->read_uint8(reader, &alg) ||
1385 !reader->read_data16(reader, &sig))
1386 {
1387 DBG1(DBG_TLS, "received invalid signature");
1388 return FALSE;
1389 }
1390 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1391 if (scheme == SIGN_UNKNOWN)
1392 {
1393 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1394 tls_hash_algorithm_names, hash,
1395 tls_signature_algorithm_names, alg);
1396 return FALSE;
1397 }
1398 if (!key->verify(key, scheme, data, sig))
1399 {
1400 return FALSE;
1401 }
1402 DBG2(DBG_TLS, "verified signature with %N/%N",
1403 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1404 }
1405 else
1406 {
1407 chunk_t sig, hash;
1408 bool done;
1409
1410 if (!reader->read_data16(reader, &sig))
1411 {
1412 DBG1(DBG_TLS, "received invalid signature");
1413 return FALSE;
1414 }
1415 switch (key->get_type(key))
1416 {
1417 case KEY_RSA:
1418 if (!hash_data(this, data, &hash))
1419 {
1420 return FALSE;
1421 }
1422 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1423 free(hash.ptr);
1424 if (!done)
1425 {
1426 return FALSE;
1427 }
1428 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1429 break;
1430 case KEY_ECDSA:
1431 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1432 {
1433 return FALSE;
1434 }
1435 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1436 break;
1437 default:
1438 return FALSE;
1439 }
1440 }
1441 return TRUE;
1442 }
1443
1444 METHOD(tls_crypto_t, sign_handshake, bool,
1445 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1446 chunk_t hashsig)
1447 {
1448 return sign(this, key, writer, this->handshake, hashsig);
1449 }
1450
1451 METHOD(tls_crypto_t, verify_handshake, bool,
1452 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1453 {
1454 return verify(this, key, reader, this->handshake);
1455 }
1456
1457 METHOD(tls_crypto_t, calculate_finished, bool,
1458 private_tls_crypto_t *this, char *label, char out[12])
1459 {
1460 chunk_t seed;
1461
1462 if (!this->prf)
1463 {
1464 return FALSE;
1465 }
1466 if (!hash_data(this, this->handshake, &seed))
1467 {
1468 return FALSE;
1469 }
1470 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1471 {
1472 free(seed.ptr);
1473 return FALSE;
1474 }
1475 free(seed.ptr);
1476 return TRUE;
1477 }
1478
1479 /**
1480 * Derive master secret from premaster, optionally save session
1481 */
1482 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1483 chunk_t session, identification_t *id,
1484 chunk_t client_random, chunk_t server_random)
1485 {
1486 char master[48];
1487 chunk_t seed;
1488
1489 /* derive master secret */
1490 seed = chunk_cata("cc", client_random, server_random);
1491
1492 if (!this->prf->set_key(this->prf, premaster) ||
1493 !this->prf->get_bytes(this->prf, "master secret", seed,
1494 sizeof(master), master) ||
1495 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1496 {
1497 return FALSE;
1498 }
1499
1500 if (this->cache && session.len)
1501 {
1502 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1503 this->suite);
1504 }
1505 memwipe(master, sizeof(master));
1506 return TRUE;
1507 }
1508
1509 /**
1510 * Expand key material from master secret
1511 */
1512 static bool expand_keys(private_tls_crypto_t *this,
1513 chunk_t client_random, chunk_t server_random)
1514 {
1515 chunk_t seed, block, client_write, server_write;
1516 int mks, eks = 0, ivs = 0;
1517
1518 /* derive key block for key expansion */
1519 mks = this->signer_out->get_key_size(this->signer_out);
1520 if (this->crypter_out)
1521 {
1522 eks = this->crypter_out->get_key_size(this->crypter_out);
1523 if (this->tls->get_version(this->tls) < TLS_1_1)
1524 {
1525 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1526 }
1527 }
1528 seed = chunk_cata("cc", server_random, client_random);
1529 block = chunk_alloca((mks + eks + ivs) * 2);
1530 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1531 block.len, block.ptr))
1532 {
1533 return FALSE;
1534 }
1535
1536 /* signer keys */
1537 client_write = chunk_create(block.ptr, mks);
1538 block = chunk_skip(block, mks);
1539 server_write = chunk_create(block.ptr, mks);
1540 block = chunk_skip(block, mks);
1541 if (this->tls->is_server(this->tls))
1542 {
1543 if (!this->signer_in->set_key(this->signer_in, client_write) ||
1544 !this->signer_out->set_key(this->signer_out, server_write))
1545 {
1546 return FALSE;
1547 }
1548 }
1549 else
1550 {
1551 if (!this->signer_out->set_key(this->signer_out, client_write) ||
1552 !this->signer_in->set_key(this->signer_in, server_write))
1553 {
1554 return FALSE;
1555 }
1556 }
1557
1558 /* crypter keys, and IVs if < TLSv1.2 */
1559 if (this->crypter_out && this->crypter_in)
1560 {
1561 client_write = chunk_create(block.ptr, eks);
1562 block = chunk_skip(block, eks);
1563 server_write = chunk_create(block.ptr, eks);
1564 block = chunk_skip(block, eks);
1565
1566 if (this->tls->is_server(this->tls))
1567 {
1568 if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
1569 !this->crypter_out->set_key(this->crypter_out, server_write))
1570 {
1571 return FALSE;
1572 }
1573 }
1574 else
1575 {
1576 if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
1577 !this->crypter_in->set_key(this->crypter_in, server_write))
1578 {
1579 return FALSE;
1580 }
1581 }
1582 if (ivs)
1583 {
1584 client_write = chunk_create(block.ptr, ivs);
1585 block = chunk_skip(block, ivs);
1586 server_write = chunk_create(block.ptr, ivs);
1587 block = chunk_skip(block, ivs);
1588
1589 if (this->tls->is_server(this->tls))
1590 {
1591 this->iv_in = chunk_clone(client_write);
1592 this->iv_out = chunk_clone(server_write);
1593 }
1594 else
1595 {
1596 this->iv_out = chunk_clone(client_write);
1597 this->iv_in = chunk_clone(server_write);
1598 }
1599 }
1600 }
1601
1602 /* EAP-MSK */
1603 if (this->msk_label)
1604 {
1605 seed = chunk_cata("cc", client_random, server_random);
1606 this->msk = chunk_alloc(64);
1607 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1608 this->msk.len, this->msk.ptr))
1609 {
1610 return FALSE;
1611 }
1612 }
1613 return TRUE;
1614 }
1615
1616 METHOD(tls_crypto_t, derive_secrets, bool,
1617 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1618 identification_t *id, chunk_t client_random, chunk_t server_random)
1619 {
1620 return derive_master(this, premaster, session, id,
1621 client_random, server_random) &&
1622 expand_keys(this, client_random, server_random);
1623 }
1624
1625 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1626 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1627 chunk_t client_random, chunk_t server_random)
1628 {
1629 chunk_t master;
1630
1631 if (this->cache && session.len)
1632 {
1633 this->suite = this->cache->lookup(this->cache, session, id, &master);
1634 if (this->suite)
1635 {
1636 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1637 if (this->suite)
1638 {
1639 if (!this->prf->set_key(this->prf, master) ||
1640 !expand_keys(this, client_random, server_random))
1641 {
1642 this->suite = 0;
1643 }
1644 }
1645 chunk_clear(&master);
1646 }
1647 return this->suite;
1648 }
1649 return 0;
1650 }
1651
1652 METHOD(tls_crypto_t, get_session, chunk_t,
1653 private_tls_crypto_t *this, identification_t *server)
1654 {
1655 if (this->cache)
1656 {
1657 return this->cache->check(this->cache, server);
1658 }
1659 return chunk_empty;
1660 }
1661
1662 METHOD(tls_crypto_t, change_cipher, void,
1663 private_tls_crypto_t *this, bool inbound)
1664 {
1665 if (this->protection)
1666 {
1667 if (inbound)
1668 {
1669 this->protection->set_cipher(this->protection, TRUE,
1670 this->signer_in, this->crypter_in, this->iv_in);
1671 }
1672 else
1673 {
1674 this->protection->set_cipher(this->protection, FALSE,
1675 this->signer_out, this->crypter_out, this->iv_out);
1676 }
1677 }
1678 }
1679
1680 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1681 private_tls_crypto_t *this)
1682 {
1683 return this->msk;
1684 }
1685
1686 METHOD(tls_crypto_t, destroy, void,
1687 private_tls_crypto_t *this)
1688 {
1689 DESTROY_IF(this->signer_in);
1690 DESTROY_IF(this->signer_out);
1691 DESTROY_IF(this->crypter_in);
1692 DESTROY_IF(this->crypter_out);
1693 free(this->iv_in.ptr);
1694 free(this->iv_out.ptr);
1695 free(this->handshake.ptr);
1696 free(this->msk.ptr);
1697 DESTROY_IF(this->prf);
1698 free(this->suites);
1699 free(this);
1700 }
1701
1702 /**
1703 * See header
1704 */
1705 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1706 {
1707 private_tls_crypto_t *this;
1708 enumerator_t *enumerator;
1709 credential_type_t type;
1710 int subtype;
1711
1712 INIT(this,
1713 .public = {
1714 .get_cipher_suites = _get_cipher_suites,
1715 .select_cipher_suite = _select_cipher_suite,
1716 .get_dh_group = _get_dh_group,
1717 .get_signature_algorithms = _get_signature_algorithms,
1718 .create_ec_enumerator = _create_ec_enumerator,
1719 .set_protection = _set_protection,
1720 .append_handshake = _append_handshake,
1721 .sign = _sign,
1722 .verify = _verify,
1723 .sign_handshake = _sign_handshake,
1724 .verify_handshake = _verify_handshake,
1725 .calculate_finished = _calculate_finished,
1726 .derive_secrets = _derive_secrets,
1727 .resume_session = _resume_session,
1728 .get_session = _get_session,
1729 .change_cipher = _change_cipher,
1730 .get_eap_msk = _get_eap_msk,
1731 .destroy = _destroy,
1732 },
1733 .tls = tls,
1734 .cache = cache,
1735 );
1736
1737 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1738 while (enumerator->enumerate(enumerator, &type, &subtype))
1739 {
1740 if (type == CRED_PUBLIC_KEY)
1741 {
1742 switch (subtype)
1743 {
1744 case KEY_RSA:
1745 this->rsa = TRUE;
1746 break;
1747 case KEY_ECDSA:
1748 this->ecdsa = TRUE;
1749 break;
1750 default:
1751 break;
1752 }
1753 }
1754 }
1755 enumerator->destroy(enumerator);
1756
1757 switch (tls->get_purpose(tls))
1758 {
1759 case TLS_PURPOSE_EAP_TLS:
1760 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1761 this->msk_label = "client EAP encryption";
1762 build_cipher_suite_list(this, FALSE);
1763 break;
1764 case TLS_PURPOSE_EAP_PEAP:
1765 this->msk_label = "client EAP encryption";
1766 build_cipher_suite_list(this, TRUE);
1767 break;
1768 case TLS_PURPOSE_EAP_TTLS:
1769 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1770 this->msk_label = "ttls keying material";
1771 build_cipher_suite_list(this, TRUE);
1772 break;
1773 case TLS_PURPOSE_GENERIC:
1774 build_cipher_suite_list(this, TRUE);
1775 break;
1776 default:
1777 break;
1778 }
1779 return &this->public;
1780 }