Change interface for enumerator_create_filter() callback
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19 #include <plugins/plugin_feature.h>
20
21 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
22 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
23 "TLS_NULL_WITH_NULL_NULL",
24 "TLS_RSA_WITH_NULL_MD5",
25 "TLS_RSA_WITH_NULL_SHA",
26 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
27 "TLS_RSA_WITH_RC4_128_MD5",
28 "TLS_RSA_WITH_RC4_128_SHA",
29 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
30 "TLS_RSA_WITH_IDEA_CBC_SHA",
31 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
32 "TLS_RSA_WITH_DES_CBC_SHA",
33 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
34 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
35 "TLS_DH_DSS_WITH_DES_CBC_SHA",
36 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
37 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_DH_RSA_WITH_DES_CBC_SHA",
39 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
42 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
45 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
47 "TLS_DH_anon_WITH_RC4_128_MD5",
48 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DH_anon_WITH_DES_CBC_SHA",
50 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
51 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
52 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
53 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
54 "TLS_KRB5_WITH_DES_CBC_SHA",
55 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
56 "TLS_KRB5_WITH_RC4_128_SHA",
57 "TLS_KRB5_WITH_IDEA_CBC_SHA",
58 "TLS_KRB5_WITH_DES_CBC_MD5",
59 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
60 "TLS_KRB5_WITH_RC4_128_MD5",
61 "TLS_KRB5_WITH_IDEA_CBC_MD5",
62 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
65 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
67 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
68 "TLS_PSK_WITH_NULL_SHA",
69 "TLS_DHE_PSK_WITH_NULL_SHA",
70 "TLS_RSA_PSK_WITH_NULL_SHA",
71 "TLS_RSA_WITH_AES_128_CBC_SHA",
72 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
73 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
75 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
76 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
77 "TLS_RSA_WITH_AES_256_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
83 "TLS_RSA_WITH_NULL_SHA256",
84 "TLS_RSA_WITH_AES_128_CBC_SHA256",
85 "TLS_RSA_WITH_AES_256_CBC_SHA256",
86 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
87 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
88 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
89 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
94 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
95 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
96 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
97 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
104 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
105 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
106 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
107 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
108 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
114 "TLS_PSK_WITH_RC4_128_SHA",
115 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
116 "TLS_PSK_WITH_AES_128_CBC_SHA",
117 "TLS_PSK_WITH_AES_256_CBC_SHA",
118 "TLS_DHE_PSK_WITH_RC4_128_SHA",
119 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
121 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
122 "TLS_RSA_PSK_WITH_RC4_128_SHA",
123 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_RSA_WITH_SEED_CBC_SHA",
127 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
128 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
129 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
130 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
131 "TLS_DH_anon_WITH_SEED_CBC_SHA",
132 "TLS_RSA_WITH_AES_128_GCM_SHA256",
133 "TLS_RSA_WITH_AES_256_GCM_SHA384",
134 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
135 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
136 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
137 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
138 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
139 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
140 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
141 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
144 "TLS_PSK_WITH_AES_128_GCM_SHA256",
145 "TLS_PSK_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
148 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
149 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_CBC_SHA256",
151 "TLS_PSK_WITH_AES_256_CBC_SHA384",
152 "TLS_PSK_WITH_NULL_SHA256",
153 "TLS_PSK_WITH_NULL_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
156 "TLS_DHE_PSK_WITH_NULL_SHA256",
157 "TLS_DHE_PSK_WITH_NULL_SHA384",
158 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_RSA_PSK_WITH_NULL_SHA256",
161 "TLS_RSA_PSK_WITH_NULL_SHA384",
162 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
168 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
174 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
176 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
177 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
178 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
179 TLS_ECDHE_PSK_WITH_NULL_SHA384,
180 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
182 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
183 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
185 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
186 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
187 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
188 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
190 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
191 "TLS_ECDH_RSA_WITH_NULL_SHA",
192 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
193 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
195 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
196 "TLS_ECDHE_RSA_WITH_NULL_SHA",
197 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
198 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDH_anon_WITH_NULL_SHA",
202 "TLS_ECDH_anon_WITH_RC4_128_SHA",
203 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
205 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
206 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
209 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
215 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
216 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
217 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
218 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
219 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
220 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
221 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
222 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
223 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
224 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
225 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
226 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
227 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
228 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
229 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
230 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
231 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
232 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
235 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
239 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
240 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
241
242 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
243 "NONE",
244 "MD5",
245 "SHA1",
246 "SHA224",
247 "SHA256",
248 "SHA384",
249 "SHA512",
250 );
251
252 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
253 "RSA",
254 "DSA",
255 "ECDSA",
256 );
257
258 ENUM_BEGIN(tls_client_certificate_type_names,
259 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
260 "RSA_SIGN",
261 "DSA_SIGN",
262 "RSA_FIXED_DH",
263 "DSS_FIXED_DH",
264 "RSA_EPHEMERAL_DH",
265 "DSS_EPHEMERAL_DH");
266 ENUM_NEXT(tls_client_certificate_type_names,
267 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
268 "FORTEZZA_DMS");
269 ENUM_NEXT(tls_client_certificate_type_names,
270 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
271 "ECDSA_SIGN",
272 "RSA_FIXED_ECDH",
273 "ECDSA_FIXED_ECDH");
274 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
275
276 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
277 "EXPLICIT_PRIME",
278 "EXPLICIT_CHAR2",
279 "NAMED_CURVE",
280 );
281
282 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
283 "SECT163K1",
284 "SECT163R1",
285 "SECT163R2",
286 "SECT193R1",
287 "SECT193R2",
288 "SECT233K1",
289 "SECT233R1",
290 "SECT239K1",
291 "SECT283K1",
292 "SECT283R1",
293 "SECT409K1",
294 "SECT409R1",
295 "SECT571K1",
296 "SECT571R1",
297 "SECP160K1",
298 "SECP160R1",
299 "SECP160R2",
300 "SECP192K1",
301 "SECP192R1",
302 "SECP224K1",
303 "SECP224R1",
304 "SECP256K1",
305 "SECP256R1",
306 "SECP384R1",
307 "SECP521R1",
308 );
309
310 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
311 "compressed",
312 "compressed y",
313 "uncompressed",
314 "uncompressed y",
315 "hybrid",
316 "hybrid y",
317 );
318
319 ENUM(tls_ec_point_format_names,
320 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
321 "uncompressed",
322 "ansiX962 compressed prime",
323 "ansiX962 compressed char2",
324 );
325
326 typedef struct private_tls_crypto_t private_tls_crypto_t;
327
328 /**
329 * Private data of an tls_crypto_t object.
330 */
331 struct private_tls_crypto_t {
332
333 /**
334 * Public tls_crypto_t interface.
335 */
336 tls_crypto_t public;
337
338 /**
339 * Protection layer
340 */
341 tls_protection_t *protection;
342
343 /**
344 * List of supported/acceptable cipher suites
345 */
346 tls_cipher_suite_t *suites;
347
348 /**
349 * Number of supported suites
350 */
351 int suite_count;
352
353 /**
354 * Selected cipher suite
355 */
356 tls_cipher_suite_t suite;
357
358 /**
359 * RSA supported?
360 */
361 bool rsa;
362
363 /**
364 * ECDSA supported?
365 */
366 bool ecdsa;
367
368 /**
369 * TLS context
370 */
371 tls_t *tls;
372
373 /**
374 * TLS session cache
375 */
376 tls_cache_t *cache;
377
378 /**
379 * All handshake data concatentated
380 */
381 chunk_t handshake;
382
383 /**
384 * Connection state TLS PRF
385 */
386 tls_prf_t *prf;
387
388 /**
389 * AEAD transform for inbound traffic
390 */
391 tls_aead_t *aead_in;
392
393 /**
394 * AEAD transform for outbound traffic
395 */
396 tls_aead_t *aead_out;
397
398 /**
399 * EAP-[T]TLS MSK
400 */
401 chunk_t msk;
402
403 /**
404 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
405 */
406 char *msk_label;
407 };
408
409 typedef struct {
410 tls_cipher_suite_t suite;
411 key_type_t key;
412 diffie_hellman_group_t dh;
413 hash_algorithm_t hash;
414 pseudo_random_function_t prf;
415 integrity_algorithm_t mac;
416 encryption_algorithm_t encr;
417 size_t encr_size;
418 } suite_algs_t;
419
420 /**
421 * Mapping suites to a set of algorithms
422 */
423 static suite_algs_t suite_algs[] = {
424 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
425 KEY_ECDSA, ECP_256_BIT,
426 HASH_SHA256, PRF_HMAC_SHA2_256,
427 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
428 },
429 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
430 KEY_ECDSA, ECP_256_BIT,
431 HASH_SHA256, PRF_HMAC_SHA2_256,
432 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
433 },
434 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
435 KEY_ECDSA, ECP_384_BIT,
436 HASH_SHA256, PRF_HMAC_SHA2_256,
437 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
438 },
439 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
440 KEY_ECDSA, ECP_384_BIT,
441 HASH_SHA384, PRF_HMAC_SHA2_384,
442 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
443 },
444 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
445 KEY_ECDSA, ECP_256_BIT,
446 HASH_SHA256, PRF_HMAC_SHA2_256,
447 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
448 },
449 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
450 KEY_ECDSA, ECP_384_BIT,
451 HASH_SHA384, PRF_HMAC_SHA2_384,
452 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
453 },
454 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
455 KEY_RSA, ECP_256_BIT,
456 HASH_SHA256, PRF_HMAC_SHA2_256,
457 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
458 },
459 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
460 KEY_RSA, ECP_256_BIT,
461 HASH_SHA256, PRF_HMAC_SHA2_256,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
463 },
464 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
465 KEY_RSA, ECP_384_BIT,
466 HASH_SHA256, PRF_HMAC_SHA2_256,
467 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
468 },
469 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
470 KEY_RSA, ECP_384_BIT,
471 HASH_SHA384, PRF_HMAC_SHA2_384,
472 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
473 },
474 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
475 KEY_RSA, ECP_256_BIT,
476 HASH_SHA256, PRF_HMAC_SHA2_256,
477 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
478 },
479 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
480 KEY_RSA, ECP_384_BIT,
481 HASH_SHA384, PRF_HMAC_SHA2_384,
482 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
483 },
484 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
485 KEY_RSA, MODP_2048_BIT,
486 HASH_SHA256,PRF_HMAC_SHA2_256,
487 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
488 },
489 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
490 KEY_RSA, MODP_3072_BIT,
491 HASH_SHA256, PRF_HMAC_SHA2_256,
492 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
493 },
494 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
495 KEY_RSA, MODP_3072_BIT,
496 HASH_SHA256, PRF_HMAC_SHA2_256,
497 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
498 },
499 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
500 KEY_RSA, MODP_4096_BIT,
501 HASH_SHA256, PRF_HMAC_SHA2_256,
502 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
503 },
504 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
505 KEY_RSA, MODP_3072_BIT,
506 HASH_SHA256, PRF_HMAC_SHA2_256,
507 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
508 },
509 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
510 KEY_RSA, MODP_4096_BIT,
511 HASH_SHA384, PRF_HMAC_SHA2_384,
512 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
513 },
514 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
515 KEY_RSA, MODP_2048_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
518 },
519 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
520 KEY_RSA, MODP_3072_BIT,
521 HASH_SHA256, PRF_HMAC_SHA2_256,
522 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
523 },
524 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
525 KEY_RSA, MODP_3072_BIT,
526 HASH_SHA256, PRF_HMAC_SHA2_256,
527 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
528 },
529 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
530 KEY_RSA, MODP_4096_BIT,
531 HASH_SHA256, PRF_HMAC_SHA2_256,
532 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
533 },
534 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
535 KEY_RSA, MODP_2048_BIT,
536 HASH_SHA256, PRF_HMAC_SHA2_256,
537 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
538 },
539 { TLS_RSA_WITH_AES_128_CBC_SHA,
540 KEY_RSA, MODP_NONE,
541 HASH_SHA256, PRF_HMAC_SHA2_256,
542 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
543 },
544 { TLS_RSA_WITH_AES_128_CBC_SHA256,
545 KEY_RSA, MODP_NONE,
546 HASH_SHA256, PRF_HMAC_SHA2_256,
547 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
548 },
549 { TLS_RSA_WITH_AES_256_CBC_SHA,
550 KEY_RSA, MODP_NONE,
551 HASH_SHA256, PRF_HMAC_SHA2_256,
552 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
553 },
554 { TLS_RSA_WITH_AES_256_CBC_SHA256,
555 KEY_RSA, MODP_NONE,
556 HASH_SHA256, PRF_HMAC_SHA2_256,
557 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
558 },
559 { TLS_RSA_WITH_AES_128_GCM_SHA256,
560 KEY_RSA, MODP_NONE,
561 HASH_SHA256, PRF_HMAC_SHA2_256,
562 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
563 },
564 { TLS_RSA_WITH_AES_256_GCM_SHA384,
565 KEY_RSA, MODP_NONE,
566 HASH_SHA384, PRF_HMAC_SHA2_384,
567 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
568 },
569 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
570 KEY_RSA, MODP_NONE,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
573 },
574 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
575 KEY_RSA, MODP_NONE,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
578 },
579 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
580 KEY_RSA, MODP_NONE,
581 HASH_SHA256, PRF_HMAC_SHA2_256,
582 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
583 },
584 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
585 KEY_RSA, MODP_NONE,
586 HASH_SHA256, PRF_HMAC_SHA2_256,
587 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
588 },
589 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
590 KEY_ECDSA, ECP_256_BIT,
591 HASH_SHA256, PRF_HMAC_SHA2_256,
592 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
593 },
594 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
595 KEY_RSA, ECP_256_BIT,
596 HASH_SHA256, PRF_HMAC_SHA2_256,
597 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
598 },
599 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
600 KEY_RSA, MODP_NONE,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
603 },
604 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
605 KEY_ECDSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
608 },
609 { TLS_ECDHE_RSA_WITH_NULL_SHA,
610 KEY_ECDSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
613 },
614 { TLS_RSA_WITH_NULL_SHA,
615 KEY_RSA, MODP_NONE,
616 HASH_SHA256, PRF_HMAC_SHA2_256,
617 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
618 },
619 { TLS_RSA_WITH_NULL_SHA256,
620 KEY_RSA, MODP_NONE,
621 HASH_SHA256, PRF_HMAC_SHA2_256,
622 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
623 },
624 { TLS_RSA_WITH_NULL_MD5,
625 KEY_RSA, MODP_NONE,
626 HASH_SHA256, PRF_HMAC_SHA2_256,
627 AUTH_HMAC_MD5_128, ENCR_NULL, 0
628 },
629 };
630
631 /**
632 * Look up algorithms by a suite
633 */
634 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
635 {
636 int i;
637
638 for (i = 0; i < countof(suite_algs); i++)
639 {
640 if (suite_algs[i].suite == suite)
641 {
642 return &suite_algs[i];
643 }
644 }
645 return NULL;
646 }
647
648 /**
649 * Filter a suite list using a transform enumerator
650 */
651 static void filter_suite(suite_algs_t suites[], int *count, int offset,
652 enumerator_t*(*create_enumerator)(crypto_factory_t*))
653 {
654 const char *plugin_name;
655 suite_algs_t current;
656 int *current_alg, i, remaining = 0;
657 enumerator_t *enumerator;
658
659 memset(&current, 0, sizeof(current));
660 current_alg = (int*)((char*)&current + offset);
661
662 for (i = 0; i < *count; i++)
663 {
664 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
665 encryption_algorithm_is_aead(suites[i].encr))
666 { /* filtering crypters, but current suite uses an AEAD, apply */
667 suites[remaining] = suites[i];
668 remaining++;
669 continue;
670 }
671 if (create_enumerator == lib->crypto->create_aead_enumerator &&
672 !encryption_algorithm_is_aead(suites[i].encr))
673 { /* filtering AEADs, but current suite doesn't use one, apply */
674 suites[remaining] = suites[i];
675 remaining++;
676 continue;
677 }
678 enumerator = create_enumerator(lib->crypto);
679 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
680 {
681 if (current.encr && current.encr != suites[i].encr)
682 {
683 if (suites[i].encr != ENCR_NULL)
684 { /* skip, ENCR does not match nor is NULL */
685 continue;
686 }
687 }
688 if (current.mac && current.mac != suites[i].mac)
689 {
690 if (suites[i].mac != AUTH_UNDEFINED)
691 { /* skip, MAC does not match nor is it undefined */
692 continue;
693 }
694 }
695 if (current.prf && current.prf != suites[i].prf)
696 { /* skip, PRF does not match */
697 continue;
698 }
699 if (current.hash && current.hash != suites[i].hash)
700 { /* skip, hash does not match */
701 continue;
702 }
703 if (current.dh && current.dh != suites[i].dh)
704 {
705 if (suites[i].dh != MODP_NONE)
706 { /* skip DH group, does not match nor NONE */
707 continue;
708 }
709 }
710 /* suite supported, apply */
711 suites[remaining] = suites[i];
712 remaining++;
713 break;
714 }
715 enumerator->destroy(enumerator);
716 }
717 *count = remaining;
718 }
719
720 /**
721 * Purge NULL encryption cipher suites from list
722 */
723 static void filter_null_suites(suite_algs_t suites[], int *count)
724 {
725 int i, remaining = 0;
726
727 for (i = 0; i < *count; i++)
728 {
729 if (suites[i].encr != ENCR_NULL)
730 {
731 suites[remaining] = suites[i];
732 remaining++;
733 }
734 }
735 *count = remaining;
736 }
737
738 /**
739 * Purge suites using a given key type
740 */
741 static void filter_key_suites(private_tls_crypto_t *this,
742 suite_algs_t suites[], int *count, key_type_t key)
743 {
744 int i, remaining = 0;
745
746 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
747 for (i = 0; i < *count; i++)
748 {
749 if (suites[i].key != key)
750 {
751 suites[remaining] = suites[i];
752 remaining++;
753 }
754 }
755 *count = remaining;
756 }
757
758 /**
759 * Filter suites by key exchange user config
760 */
761 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
762 suite_algs_t suites[], int *count)
763 {
764 enumerator_t *enumerator;
765 int i, remaining = 0;
766 char *token, *config;
767
768 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
769 lib->ns);
770 if (config)
771 {
772 for (i = 0; i < *count; i++)
773 {
774 enumerator = enumerator_create_token(config, ",", " ");
775 while (enumerator->enumerate(enumerator, &token))
776 {
777 if (strcaseeq(token, "ecdhe-ecdsa") &&
778 diffie_hellman_group_is_ec(suites[i].dh) &&
779 suites[i].key == KEY_ECDSA)
780 {
781 suites[remaining++] = suites[i];
782 break;
783 }
784 if (strcaseeq(token, "ecdhe-rsa") &&
785 diffie_hellman_group_is_ec(suites[i].dh) &&
786 suites[i].key == KEY_RSA)
787 {
788 suites[remaining++] = suites[i];
789 break;
790 }
791 if (strcaseeq(token, "dhe-rsa") &&
792 !diffie_hellman_group_is_ec(suites[i].dh) &&
793 suites[i].dh != MODP_NONE &&
794 suites[i].key == KEY_RSA)
795 {
796 suites[remaining++] = suites[i];
797 break;
798 }
799 if (strcaseeq(token, "rsa") &&
800 suites[i].dh == MODP_NONE &&
801 suites[i].key == KEY_RSA)
802 {
803 suites[remaining++] = suites[i];
804 break;
805 }
806 }
807 enumerator->destroy(enumerator);
808 }
809 *count = remaining;
810 }
811 }
812
813 /**
814 * Filter suites by cipher user config
815 */
816 static void filter_cipher_config_suites(private_tls_crypto_t *this,
817 suite_algs_t suites[], int *count)
818 {
819 enumerator_t *enumerator;
820 int i, remaining = 0;
821 char *token, *config;
822
823 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
824 lib->ns);
825 if (config)
826 {
827 for (i = 0; i < *count; i++)
828 {
829 enumerator = enumerator_create_token(config, ",", " ");
830 while (enumerator->enumerate(enumerator, &token))
831 {
832 if (strcaseeq(token, "aes128") &&
833 suites[i].encr == ENCR_AES_CBC &&
834 suites[i].encr_size == 16)
835 {
836 suites[remaining++] = suites[i];
837 break;
838 }
839 if (strcaseeq(token, "aes256") &&
840 suites[i].encr == ENCR_AES_CBC &&
841 suites[i].encr_size == 32)
842 {
843 suites[remaining++] = suites[i];
844 break;
845 }
846 if (strcaseeq(token, "aes128gcm") &&
847 suites[i].encr == ENCR_AES_GCM_ICV16 &&
848 suites[i].encr_size == 16)
849 {
850 suites[remaining++] = suites[i];
851 break;
852 }
853 if (strcaseeq(token, "aes256gcm") &&
854 suites[i].encr == ENCR_AES_GCM_ICV16 &&
855 suites[i].encr_size == 32)
856 {
857 suites[remaining++] = suites[i];
858 break;
859 }
860 if (strcaseeq(token, "camellia128") &&
861 suites[i].encr == ENCR_CAMELLIA_CBC &&
862 suites[i].encr_size == 16)
863 {
864 suites[remaining++] = suites[i];
865 break;
866 }
867 if (strcaseeq(token, "camellia256") &&
868 suites[i].encr == ENCR_CAMELLIA_CBC &&
869 suites[i].encr_size == 32)
870 {
871 suites[remaining++] = suites[i];
872 break;
873 }
874 if (strcaseeq(token, "3des") &&
875 suites[i].encr == ENCR_3DES)
876 {
877 suites[remaining++] = suites[i];
878 break;
879 }
880 if (strcaseeq(token, "null") &&
881 suites[i].encr == ENCR_NULL)
882 {
883 suites[remaining++] = suites[i];
884 break;
885 }
886 }
887 enumerator->destroy(enumerator);
888 }
889 *count = remaining;
890 }
891 }
892
893 /**
894 * Filter suites by mac user config
895 */
896 static void filter_mac_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "md5") &&
913 suites[i].mac == AUTH_HMAC_MD5_128)
914 {
915 suites[remaining++] = suites[i];
916 break;
917 }
918 if (strcaseeq(token, "sha1") &&
919 suites[i].mac == AUTH_HMAC_SHA1_160)
920 {
921 suites[remaining++] = suites[i];
922 break;
923 }
924 if (strcaseeq(token, "sha256") &&
925 suites[i].mac == AUTH_HMAC_SHA2_256_256)
926 {
927 suites[remaining++] = suites[i];
928 break;
929 }
930 if (strcaseeq(token, "sha384") &&
931 suites[i].mac == AUTH_HMAC_SHA2_384_384)
932 {
933 suites[remaining++] = suites[i];
934 break;
935 }
936 }
937 enumerator->destroy(enumerator);
938 }
939 *count = remaining;
940 }
941 }
942
943 /**
944 * Filter for specific suites specified in strongswan.conf
945 */
946 static void filter_specific_config_suites(private_tls_crypto_t *this,
947 suite_algs_t suites[], int *count)
948 {
949 enumerator_t *enumerator;
950 int i, remaining = 0, suite;
951 char *token, *config;
952
953 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
954 lib->ns);
955 if (config)
956 {
957 for (i = 0; i < *count; i++)
958 {
959 enumerator = enumerator_create_token(config, ",", " ");
960 while (enumerator->enumerate(enumerator, &token))
961 {
962 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
963 suite == suites[i].suite)
964 {
965 suites[remaining++] = suites[i];
966 break;
967 }
968 }
969 enumerator->destroy(enumerator);
970 }
971 *count = remaining;
972 }
973 }
974
975 /**
976 * Filter out unsupported suites on given suite array
977 */
978 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
979 {
980 /* filter suite list by each algorithm */
981 filter_suite(suites, count, offsetof(suite_algs_t, encr),
982 lib->crypto->create_crypter_enumerator);
983 filter_suite(suites, count, offsetof(suite_algs_t, encr),
984 lib->crypto->create_aead_enumerator);
985 filter_suite(suites, count, offsetof(suite_algs_t, mac),
986 lib->crypto->create_signer_enumerator);
987 filter_suite(suites, count, offsetof(suite_algs_t, prf),
988 lib->crypto->create_prf_enumerator);
989 filter_suite(suites, count, offsetof(suite_algs_t, hash),
990 lib->crypto->create_hasher_enumerator);
991 filter_suite(suites, count, offsetof(suite_algs_t, dh),
992 lib->crypto->create_dh_enumerator);
993 }
994
995 /**
996 * Initialize the cipher suite list
997 */
998 static void build_cipher_suite_list(private_tls_crypto_t *this,
999 bool require_encryption)
1000 {
1001 suite_algs_t suites[countof(suite_algs)];
1002 int count = countof(suite_algs), i;
1003
1004 /* copy all suites */
1005 for (i = 0; i < count; i++)
1006 {
1007 suites[i] = suite_algs[i];
1008 }
1009
1010 if (require_encryption)
1011 {
1012 filter_null_suites(suites, &count);
1013 }
1014 if (!this->rsa)
1015 {
1016 filter_key_suites(this, suites, &count, KEY_RSA);
1017 }
1018 if (!this->ecdsa)
1019 {
1020 filter_key_suites(this, suites, &count, KEY_ECDSA);
1021 }
1022
1023 filter_unsupported_suites(suites, &count);
1024
1025 /* filter suites with strongswan.conf options */
1026 filter_key_exchange_config_suites(this, suites, &count);
1027 filter_cipher_config_suites(this, suites, &count);
1028 filter_mac_config_suites(this, suites, &count);
1029 filter_specific_config_suites(this, suites, &count);
1030
1031 free(this->suites);
1032 this->suite_count = count;
1033 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1034
1035 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1036 for (i = 0; i < count; i++)
1037 {
1038 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1039 this->suites[i] = suites[i].suite;
1040 }
1041 }
1042
1043 METHOD(tls_crypto_t, get_cipher_suites, int,
1044 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1045 {
1046 *suites = this->suites;
1047 return this->suite_count;
1048 }
1049
1050 /**
1051 * Create NULL encryption transforms
1052 */
1053 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1054 {
1055 this->aead_in = tls_aead_create_null(algs->mac);
1056 this->aead_out = tls_aead_create_null(algs->mac);
1057 if (!this->aead_in || !this->aead_out)
1058 {
1059 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1060 integrity_algorithm_names, algs->mac);
1061 return FALSE;
1062 }
1063 return TRUE;
1064 }
1065
1066 /**
1067 * Create traditional transforms
1068 */
1069 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1070 {
1071 if (this->tls->get_version(this->tls) < TLS_1_1)
1072 {
1073 this->aead_in = tls_aead_create_implicit(algs->mac,
1074 algs->encr, algs->encr_size);
1075 this->aead_out = tls_aead_create_implicit(algs->mac,
1076 algs->encr, algs->encr_size);
1077 }
1078 else
1079 {
1080 this->aead_in = tls_aead_create_explicit(algs->mac,
1081 algs->encr, algs->encr_size);
1082 this->aead_out = tls_aead_create_explicit(algs->mac,
1083 algs->encr, algs->encr_size);
1084 }
1085 if (!this->aead_in || !this->aead_out)
1086 {
1087 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1088 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1089 integrity_algorithm_names, algs->mac);
1090 return FALSE;
1091 }
1092 return TRUE;
1093 }
1094
1095 /**
1096 * Create AEAD transforms
1097 */
1098 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1099 {
1100 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1101 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1102 if (!this->aead_in || !this->aead_out)
1103 {
1104 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1105 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1106 return FALSE;
1107 }
1108 return TRUE;
1109 }
1110
1111 /**
1112 * Clean up and unset AEAD transforms
1113 */
1114 static void destroy_aeads(private_tls_crypto_t *this)
1115 {
1116 DESTROY_IF(this->aead_in);
1117 DESTROY_IF(this->aead_out);
1118 this->aead_in = this->aead_out = NULL;
1119 }
1120
1121 /**
1122 * Create crypto primitives
1123 */
1124 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1125 {
1126 destroy_aeads(this);
1127 DESTROY_IF(this->prf);
1128 if (this->tls->get_version(this->tls) < TLS_1_2)
1129 {
1130 this->prf = tls_prf_create_10();
1131 }
1132 else
1133 {
1134 this->prf = tls_prf_create_12(algs->prf);
1135 }
1136 if (!this->prf)
1137 {
1138 DBG1(DBG_TLS, "selected TLS PRF not supported");
1139 return FALSE;
1140 }
1141 if (algs->encr == ENCR_NULL)
1142 {
1143 if (create_null(this, algs))
1144 {
1145 return TRUE;
1146 }
1147 }
1148 else if (encryption_algorithm_is_aead(algs->encr))
1149 {
1150 if (create_aead(this, algs))
1151 {
1152 return TRUE;
1153 }
1154 }
1155 else
1156 {
1157 if (create_traditional(this, algs))
1158 {
1159 return TRUE;
1160 }
1161 }
1162 destroy_aeads(this);
1163 return FALSE;
1164 }
1165
1166 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1167 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1168 key_type_t key)
1169 {
1170 suite_algs_t *algs;
1171 int i, j;
1172
1173 for (i = 0; i < this->suite_count; i++)
1174 {
1175 for (j = 0; j < count; j++)
1176 {
1177 if (this->suites[i] == suites[j])
1178 {
1179 algs = find_suite(this->suites[i]);
1180 if (algs)
1181 {
1182 if (key == KEY_ANY || key == algs->key)
1183 {
1184 if (create_ciphers(this, algs))
1185 {
1186 this->suite = this->suites[i];
1187 return this->suite;
1188 }
1189 }
1190 }
1191 }
1192 }
1193 }
1194 return 0;
1195 }
1196
1197 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1198 private_tls_crypto_t *this)
1199 {
1200 suite_algs_t *algs;
1201
1202 algs = find_suite(this->suite);
1203 if (algs)
1204 {
1205 return algs->dh;
1206 }
1207 return MODP_NONE;
1208 }
1209
1210 /**
1211 * Map signature schemes to TLS key types and hashes, ordered by preference
1212 */
1213 static struct {
1214 tls_signature_algorithm_t sig;
1215 tls_hash_algorithm_t hash;
1216 signature_scheme_t scheme;
1217 } schemes[] = {
1218 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1219 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1220 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1221 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1222 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1223 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1224 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1225 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA2_224 },
1226 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1227 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1228 };
1229
1230 METHOD(tls_crypto_t, get_signature_algorithms, void,
1231 private_tls_crypto_t *this, bio_writer_t *writer)
1232 {
1233 bio_writer_t *supported;
1234 int i;
1235
1236 supported = bio_writer_create(32);
1237
1238 for (i = 0; i < countof(schemes); i++)
1239 {
1240 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1241 {
1242 continue;
1243 }
1244 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1245 {
1246 continue;
1247 }
1248 if (!lib->plugins->has_feature(lib->plugins,
1249 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1250 {
1251 continue;
1252 }
1253 supported->write_uint8(supported, schemes[i].hash);
1254 supported->write_uint8(supported, schemes[i].sig);
1255 }
1256
1257 supported->wrap16(supported);
1258 writer->write_data16(writer, supported->get_buf(supported));
1259 supported->destroy(supported);
1260 }
1261
1262 /**
1263 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1264 */
1265 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1266 tls_hash_algorithm_t hash,
1267 tls_signature_algorithm_t sig)
1268 {
1269 int i;
1270
1271 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1272 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1273 {
1274 for (i = 0; i < countof(schemes); i++)
1275 {
1276 if (schemes[i].sig == sig && schemes[i].hash == hash)
1277 {
1278 return schemes[i].scheme;
1279 }
1280 }
1281 }
1282 return SIGN_UNKNOWN;
1283 }
1284
1285 /**
1286 * Mapping groups to TLS named curves
1287 */
1288 static struct {
1289 diffie_hellman_group_t group;
1290 tls_named_curve_t curve;
1291 } curves[] = {
1292 { ECP_256_BIT, TLS_SECP256R1},
1293 { ECP_384_BIT, TLS_SECP384R1},
1294 { ECP_521_BIT, TLS_SECP521R1},
1295 { ECP_224_BIT, TLS_SECP224R1},
1296 { ECP_192_BIT, TLS_SECP192R1},
1297 };
1298
1299 CALLBACK(group_filter, bool,
1300 void *null, enumerator_t *orig, va_list args)
1301 {
1302 diffie_hellman_group_t group, *out;
1303 tls_named_curve_t *curve;
1304 char *plugin;
1305 int i;
1306
1307 VA_ARGS_VGET(args, out, curve);
1308
1309 while (orig->enumerate(orig, &group, &plugin))
1310 {
1311 for (i = 0; i < countof(curves); i++)
1312 {
1313 if (curves[i].group == group)
1314 {
1315 if (out)
1316 {
1317 *out = curves[i].group;
1318 }
1319 if (curve)
1320 {
1321 *curve = curves[i].curve;
1322 }
1323 return TRUE;
1324 }
1325 }
1326 }
1327 return FALSE;
1328 }
1329
1330 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1331 private_tls_crypto_t *this)
1332 {
1333 return enumerator_create_filter(
1334 lib->crypto->create_dh_enumerator(lib->crypto),
1335 group_filter, NULL, NULL);
1336 }
1337
1338 METHOD(tls_crypto_t, set_protection, void,
1339 private_tls_crypto_t *this, tls_protection_t *protection)
1340 {
1341 this->protection = protection;
1342 }
1343
1344 METHOD(tls_crypto_t, append_handshake, void,
1345 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1346 {
1347 uint32_t header;
1348
1349 /* reconstruct handshake header */
1350 header = htonl(data.len | (type << 24));
1351 this->handshake = chunk_cat("mcc", this->handshake,
1352 chunk_from_thing(header), data);
1353 }
1354
1355 /**
1356 * Create a hash using the suites HASH algorithm
1357 */
1358 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1359 {
1360 if (this->tls->get_version(this->tls) >= TLS_1_2)
1361 {
1362 hasher_t *hasher;
1363 suite_algs_t *alg;
1364
1365 alg = find_suite(this->suite);
1366 if (!alg)
1367 {
1368 return FALSE;
1369 }
1370 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1371 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1372 {
1373 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1374 DESTROY_IF(hasher);
1375 return FALSE;
1376 }
1377 hasher->destroy(hasher);
1378 }
1379 else
1380 {
1381 hasher_t *md5, *sha1;
1382 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1383
1384 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1385 if (!md5 || !md5->get_hash(md5, data, buf))
1386 {
1387 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1388 DESTROY_IF(md5);
1389 return FALSE;
1390 }
1391 md5->destroy(md5);
1392 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1393 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1394 {
1395 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1396 DESTROY_IF(sha1);
1397 return FALSE;
1398 }
1399 sha1->destroy(sha1);
1400
1401 *hash = chunk_clone(chunk_from_thing(buf));
1402 }
1403 return TRUE;
1404 }
1405
1406 METHOD(tls_crypto_t, sign, bool,
1407 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1408 chunk_t data, chunk_t hashsig)
1409 {
1410 if (this->tls->get_version(this->tls) >= TLS_1_2)
1411 {
1412 signature_scheme_t scheme;
1413 bio_reader_t *reader;
1414 uint8_t hash, alg;
1415 chunk_t sig;
1416 bool done = FALSE;
1417
1418 if (!hashsig.len)
1419 { /* fallback if none given */
1420 hashsig = chunk_from_chars(
1421 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1422 }
1423 reader = bio_reader_create(hashsig);
1424 while (reader->remaining(reader) >= 2)
1425 {
1426 if (reader->read_uint8(reader, &hash) &&
1427 reader->read_uint8(reader, &alg))
1428 {
1429 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1430 if (scheme != SIGN_UNKNOWN &&
1431 key->sign(key, scheme, data, &sig))
1432 {
1433 done = TRUE;
1434 break;
1435 }
1436 }
1437 }
1438 reader->destroy(reader);
1439 if (!done)
1440 {
1441 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1442 return FALSE;
1443 }
1444 DBG2(DBG_TLS, "created signature with %N/%N",
1445 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1446 writer->write_uint8(writer, hash);
1447 writer->write_uint8(writer, alg);
1448 writer->write_data16(writer, sig);
1449 free(sig.ptr);
1450 }
1451 else
1452 {
1453 chunk_t sig, hash;
1454 bool done;
1455
1456 switch (key->get_type(key))
1457 {
1458 case KEY_RSA:
1459 if (!hash_data(this, data, &hash))
1460 {
1461 return FALSE;
1462 }
1463 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1464 free(hash.ptr);
1465 if (!done)
1466 {
1467 return FALSE;
1468 }
1469 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1470 break;
1471 case KEY_ECDSA:
1472 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1473 {
1474 return FALSE;
1475 }
1476 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1477 break;
1478 default:
1479 return FALSE;
1480 }
1481 writer->write_data16(writer, sig);
1482 free(sig.ptr);
1483 }
1484 return TRUE;
1485 }
1486
1487 METHOD(tls_crypto_t, verify, bool,
1488 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1489 chunk_t data)
1490 {
1491 if (this->tls->get_version(this->tls) >= TLS_1_2)
1492 {
1493 signature_scheme_t scheme = SIGN_UNKNOWN;
1494 uint8_t hash, alg;
1495 chunk_t sig;
1496
1497 if (!reader->read_uint8(reader, &hash) ||
1498 !reader->read_uint8(reader, &alg) ||
1499 !reader->read_data16(reader, &sig))
1500 {
1501 DBG1(DBG_TLS, "received invalid signature");
1502 return FALSE;
1503 }
1504 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1505 if (scheme == SIGN_UNKNOWN)
1506 {
1507 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1508 tls_hash_algorithm_names, hash,
1509 tls_signature_algorithm_names, alg);
1510 return FALSE;
1511 }
1512 if (!key->verify(key, scheme, data, sig))
1513 {
1514 return FALSE;
1515 }
1516 DBG2(DBG_TLS, "verified signature with %N/%N",
1517 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1518 }
1519 else
1520 {
1521 chunk_t sig, hash;
1522 bool done;
1523
1524 if (!reader->read_data16(reader, &sig))
1525 {
1526 DBG1(DBG_TLS, "received invalid signature");
1527 return FALSE;
1528 }
1529 switch (key->get_type(key))
1530 {
1531 case KEY_RSA:
1532 if (!hash_data(this, data, &hash))
1533 {
1534 return FALSE;
1535 }
1536 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1537 free(hash.ptr);
1538 if (!done)
1539 {
1540 return FALSE;
1541 }
1542 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1543 break;
1544 case KEY_ECDSA:
1545 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1546 {
1547 return FALSE;
1548 }
1549 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1550 break;
1551 default:
1552 return FALSE;
1553 }
1554 }
1555 return TRUE;
1556 }
1557
1558 METHOD(tls_crypto_t, sign_handshake, bool,
1559 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1560 chunk_t hashsig)
1561 {
1562 return sign(this, key, writer, this->handshake, hashsig);
1563 }
1564
1565 METHOD(tls_crypto_t, verify_handshake, bool,
1566 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1567 {
1568 return verify(this, key, reader, this->handshake);
1569 }
1570
1571 METHOD(tls_crypto_t, calculate_finished, bool,
1572 private_tls_crypto_t *this, char *label, char out[12])
1573 {
1574 chunk_t seed;
1575
1576 if (!this->prf)
1577 {
1578 return FALSE;
1579 }
1580 if (!hash_data(this, this->handshake, &seed))
1581 {
1582 return FALSE;
1583 }
1584 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1585 {
1586 free(seed.ptr);
1587 return FALSE;
1588 }
1589 free(seed.ptr);
1590 return TRUE;
1591 }
1592
1593 /**
1594 * Derive master secret from premaster, optionally save session
1595 */
1596 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1597 chunk_t session, identification_t *id,
1598 chunk_t client_random, chunk_t server_random)
1599 {
1600 char master[48];
1601 chunk_t seed;
1602
1603 /* derive master secret */
1604 seed = chunk_cata("cc", client_random, server_random);
1605
1606 if (!this->prf->set_key(this->prf, premaster) ||
1607 !this->prf->get_bytes(this->prf, "master secret", seed,
1608 sizeof(master), master) ||
1609 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1610 {
1611 return FALSE;
1612 }
1613
1614 if (this->cache && session.len)
1615 {
1616 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1617 this->suite);
1618 }
1619 memwipe(master, sizeof(master));
1620 return TRUE;
1621 }
1622
1623 /**
1624 * Expand key material from master secret
1625 */
1626 static bool expand_keys(private_tls_crypto_t *this,
1627 chunk_t client_random, chunk_t server_random)
1628 {
1629 chunk_t seed, block;
1630 chunk_t cw_mac, cw, cw_iv;
1631 chunk_t sw_mac, sw, sw_iv;
1632 int mklen, eklen, ivlen;
1633
1634 if (!this->aead_in || !this->aead_out)
1635 {
1636 return FALSE;
1637 }
1638
1639 /* derive key block for key expansion */
1640 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1641 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1642 ivlen = this->aead_in->get_iv_size(this->aead_in);
1643 seed = chunk_cata("cc", server_random, client_random);
1644 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1645 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1646 block.len, block.ptr))
1647 {
1648 return FALSE;
1649 }
1650
1651 /* client/server write signer keys */
1652 cw_mac = chunk_create(block.ptr, mklen);
1653 block = chunk_skip(block, mklen);
1654 sw_mac = chunk_create(block.ptr, mklen);
1655 block = chunk_skip(block, mklen);
1656
1657 /* client/server write encryption keys */
1658 cw = chunk_create(block.ptr, eklen);
1659 block = chunk_skip(block, eklen);
1660 sw = chunk_create(block.ptr, eklen);
1661 block = chunk_skip(block, eklen);
1662
1663 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1664 cw_iv = chunk_create(block.ptr, ivlen);
1665 block = chunk_skip(block, ivlen);
1666 sw_iv = chunk_create(block.ptr, ivlen);
1667 block = chunk_skip(block, ivlen);
1668
1669 if (this->tls->is_server(this->tls))
1670 {
1671 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1672 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1673 {
1674 return FALSE;
1675 }
1676 }
1677 else
1678 {
1679 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1680 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1681 {
1682 return FALSE;
1683 }
1684 }
1685
1686 /* EAP-MSK */
1687 if (this->msk_label)
1688 {
1689 seed = chunk_cata("cc", client_random, server_random);
1690 this->msk = chunk_alloc(64);
1691 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1692 this->msk.len, this->msk.ptr))
1693 {
1694 return FALSE;
1695 }
1696 }
1697 return TRUE;
1698 }
1699
1700 METHOD(tls_crypto_t, derive_secrets, bool,
1701 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1702 identification_t *id, chunk_t client_random, chunk_t server_random)
1703 {
1704 return derive_master(this, premaster, session, id,
1705 client_random, server_random) &&
1706 expand_keys(this, client_random, server_random);
1707 }
1708
1709 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1710 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1711 chunk_t client_random, chunk_t server_random)
1712 {
1713 chunk_t master;
1714
1715 if (this->cache && session.len)
1716 {
1717 this->suite = this->cache->lookup(this->cache, session, id, &master);
1718 if (this->suite)
1719 {
1720 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1721 if (this->suite)
1722 {
1723 if (!this->prf->set_key(this->prf, master) ||
1724 !expand_keys(this, client_random, server_random))
1725 {
1726 this->suite = 0;
1727 }
1728 }
1729 chunk_clear(&master);
1730 }
1731 return this->suite;
1732 }
1733 return 0;
1734 }
1735
1736 METHOD(tls_crypto_t, get_session, chunk_t,
1737 private_tls_crypto_t *this, identification_t *server)
1738 {
1739 if (this->cache)
1740 {
1741 return this->cache->check(this->cache, server);
1742 }
1743 return chunk_empty;
1744 }
1745
1746 METHOD(tls_crypto_t, change_cipher, void,
1747 private_tls_crypto_t *this, bool inbound)
1748 {
1749 if (this->protection)
1750 {
1751 if (inbound)
1752 {
1753 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1754 }
1755 else
1756 {
1757 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1758 }
1759 }
1760 }
1761
1762 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1763 private_tls_crypto_t *this)
1764 {
1765 return this->msk;
1766 }
1767
1768 METHOD(tls_crypto_t, destroy, void,
1769 private_tls_crypto_t *this)
1770 {
1771 destroy_aeads(this);
1772 free(this->handshake.ptr);
1773 free(this->msk.ptr);
1774 DESTROY_IF(this->prf);
1775 free(this->suites);
1776 free(this);
1777 }
1778
1779 /**
1780 * See header
1781 */
1782 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1783 {
1784 private_tls_crypto_t *this;
1785 enumerator_t *enumerator;
1786 credential_type_t type;
1787 int subtype;
1788
1789 INIT(this,
1790 .public = {
1791 .get_cipher_suites = _get_cipher_suites,
1792 .select_cipher_suite = _select_cipher_suite,
1793 .get_dh_group = _get_dh_group,
1794 .get_signature_algorithms = _get_signature_algorithms,
1795 .create_ec_enumerator = _create_ec_enumerator,
1796 .set_protection = _set_protection,
1797 .append_handshake = _append_handshake,
1798 .sign = _sign,
1799 .verify = _verify,
1800 .sign_handshake = _sign_handshake,
1801 .verify_handshake = _verify_handshake,
1802 .calculate_finished = _calculate_finished,
1803 .derive_secrets = _derive_secrets,
1804 .resume_session = _resume_session,
1805 .get_session = _get_session,
1806 .change_cipher = _change_cipher,
1807 .get_eap_msk = _get_eap_msk,
1808 .destroy = _destroy,
1809 },
1810 .tls = tls,
1811 .cache = cache,
1812 );
1813
1814 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1815 while (enumerator->enumerate(enumerator, &type, &subtype))
1816 {
1817 if (type == CRED_PUBLIC_KEY)
1818 {
1819 switch (subtype)
1820 {
1821 case KEY_RSA:
1822 this->rsa = TRUE;
1823 break;
1824 case KEY_ECDSA:
1825 this->ecdsa = TRUE;
1826 break;
1827 default:
1828 break;
1829 }
1830 }
1831 }
1832 enumerator->destroy(enumerator);
1833
1834 switch (tls->get_purpose(tls))
1835 {
1836 case TLS_PURPOSE_EAP_TLS:
1837 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1838 this->msk_label = "client EAP encryption";
1839 build_cipher_suite_list(this, FALSE);
1840 break;
1841 case TLS_PURPOSE_EAP_PEAP:
1842 this->msk_label = "client EAP encryption";
1843 build_cipher_suite_list(this, TRUE);
1844 break;
1845 case TLS_PURPOSE_EAP_TTLS:
1846 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1847 this->msk_label = "ttls keying material";
1848 build_cipher_suite_list(this, TRUE);
1849 break;
1850 case TLS_PURPOSE_GENERIC:
1851 build_cipher_suite_list(this, TRUE);
1852 break;
1853 case TLS_PURPOSE_GENERIC_NULLOK:
1854 build_cipher_suite_list(this, FALSE);
1855 break;
1856 default:
1857 break;
1858 }
1859 return &this->public;
1860 }
1861
1862 /**
1863 * See header.
1864 */
1865 int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out)
1866 {
1867 suite_algs_t suites[countof(suite_algs)];
1868 int count = countof(suite_algs), i;
1869
1870 /* initialize copy of suite list */
1871 for (i = 0; i < count; i++)
1872 {
1873 suites[i] = suite_algs[i];
1874 }
1875
1876 filter_unsupported_suites(suites, &count);
1877
1878 if (!null)
1879 {
1880 filter_null_suites(suites, &count);
1881 }
1882
1883 if (out)
1884 {
1885 *out = calloc(count, sizeof(tls_cipher_suite_t));
1886 for (i = 0; i < count; i++)
1887 {
1888 (*out)[i] = suites[i].suite;
1889 }
1890 }
1891 return count;
1892 }