Revert alloc_str changes
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * All handshake data concatentated
374 */
375 chunk_t handshake;
376
377 /**
378 * Connection state TLS PRF
379 */
380 tls_prf_t *prf;
381
382 /**
383 * Signer instance for inbound traffic
384 */
385 signer_t *signer_in;
386
387 /**
388 * Signer instance for outbound traffic
389 */
390 signer_t *signer_out;
391
392 /**
393 * Crypter instance for inbound traffic
394 */
395 crypter_t *crypter_in;
396
397 /**
398 * Crypter instance for outbound traffic
399 */
400 crypter_t *crypter_out;
401
402 /**
403 * IV for input decryption, if < TLSv1.2
404 */
405 chunk_t iv_in;
406
407 /**
408 * IV for output decryption, if < TLSv1.2
409 */
410 chunk_t iv_out;
411
412 /**
413 * EAP-[T]TLS MSK
414 */
415 chunk_t msk;
416
417 /**
418 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
419 */
420 char *msk_label;
421 };
422
423 typedef struct {
424 tls_cipher_suite_t suite;
425 key_type_t key;
426 diffie_hellman_group_t dh;
427 hash_algorithm_t hash;
428 pseudo_random_function_t prf;
429 integrity_algorithm_t mac;
430 encryption_algorithm_t encr;
431 size_t encr_size;
432 } suite_algs_t;
433
434 /**
435 * Mapping suites to a set of algorithms
436 */
437 static suite_algs_t suite_algs[] = {
438 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
439 KEY_ECDSA, ECP_256_BIT,
440 HASH_SHA1, PRF_HMAC_SHA1,
441 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
442 },
443 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
444 KEY_ECDSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
449 KEY_ECDSA, ECP_384_BIT,
450 HASH_SHA1, PRF_HMAC_SHA1,
451 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
452 },
453 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
454 KEY_ECDSA, ECP_384_BIT,
455 HASH_SHA384, PRF_HMAC_SHA2_384,
456 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
459 KEY_RSA, ECP_256_BIT,
460 HASH_SHA1, PRF_HMAC_SHA1,
461 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
462 },
463 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
464 KEY_RSA, ECP_256_BIT,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
467 },
468 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
469 KEY_RSA, ECP_384_BIT,
470 HASH_SHA1, PRF_HMAC_SHA1,
471 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
472 },
473 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
474 KEY_RSA, ECP_384_BIT,
475 HASH_SHA384, PRF_HMAC_SHA2_384,
476 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
477 },
478 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
479 KEY_RSA, MODP_2048_BIT,
480 HASH_SHA1, PRF_HMAC_SHA1,
481 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
482 },
483 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
484 KEY_RSA, MODP_3072_BIT,
485 HASH_SHA256, PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA1, PRF_HMAC_SHA1,
491 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
492 },
493 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
494 KEY_RSA, MODP_4096_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
499 KEY_RSA, MODP_2048_BIT,
500 HASH_SHA1, PRF_HMAC_SHA1,
501 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
502 },
503 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
504 KEY_RSA, MODP_3072_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
507 },
508 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
509 KEY_RSA, MODP_3072_BIT,
510 HASH_SHA1, PRF_HMAC_SHA1,
511 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
512 },
513 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
514 KEY_RSA, MODP_4096_BIT,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
517 },
518 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
519 KEY_RSA, MODP_2048_BIT,
520 HASH_SHA1, PRF_HMAC_SHA1,
521 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
522 },
523 { TLS_RSA_WITH_AES_128_CBC_SHA,
524 KEY_RSA, MODP_NONE,
525 HASH_SHA1, PRF_HMAC_SHA1,
526 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
527 },
528 { TLS_RSA_WITH_AES_128_CBC_SHA256,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
532 },
533 { TLS_RSA_WITH_AES_256_CBC_SHA,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA1, PRF_HMAC_SHA1,
536 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
537 },
538 { TLS_RSA_WITH_AES_256_CBC_SHA256,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
542 },
543 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA1, PRF_HMAC_SHA1,
546 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
547 },
548 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
552 },
553 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
554 KEY_RSA, MODP_NONE,
555 HASH_SHA1, PRF_HMAC_SHA1,
556 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
557 },
558 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
562 },
563 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
564 KEY_ECDSA, ECP_256_BIT,
565 HASH_SHA1, PRF_HMAC_SHA1,
566 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
567 },
568 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
569 KEY_RSA, ECP_256_BIT,
570 HASH_SHA1, PRF_HMAC_SHA1,
571 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
572 },
573 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
574 KEY_RSA, MODP_NONE,
575 HASH_SHA1, PRF_HMAC_SHA1,
576 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
577 },
578 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
579 KEY_ECDSA, ECP_256_BIT,
580 HASH_SHA1, PRF_HMAC_SHA1,
581 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
582 },
583 { TLS_ECDHE_RSA_WITH_NULL_SHA,
584 KEY_ECDSA, ECP_256_BIT,
585 HASH_SHA1, PRF_HMAC_SHA1,
586 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
587 },
588 { TLS_RSA_WITH_NULL_SHA,
589 KEY_RSA, MODP_NONE,
590 HASH_SHA1, PRF_HMAC_SHA1,
591 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
592 },
593 { TLS_RSA_WITH_NULL_SHA256,
594 KEY_RSA, MODP_NONE,
595 HASH_SHA256, PRF_HMAC_SHA2_256,
596 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
597 },
598 { TLS_RSA_WITH_NULL_MD5,
599 KEY_RSA, MODP_NONE,
600 HASH_MD5, PRF_HMAC_MD5,
601 AUTH_HMAC_MD5_128, ENCR_NULL, 0
602 },
603 };
604
605 /**
606 * Look up algoritms by a suite
607 */
608 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
609 {
610 int i;
611
612 for (i = 0; i < countof(suite_algs); i++)
613 {
614 if (suite_algs[i].suite == suite)
615 {
616 return &suite_algs[i];
617 }
618 }
619 return NULL;
620 }
621
622 /**
623 * Filter a suite list using a transform enumerator
624 */
625 static void filter_suite(private_tls_crypto_t *this,
626 suite_algs_t suites[], int *count, int offset,
627 enumerator_t*(*create_enumerator)(crypto_factory_t*))
628 {
629 const char *plugin_name;
630 suite_algs_t current;
631 int *current_alg, i, remaining = 0;
632 enumerator_t *enumerator;
633
634 memset(&current, 0, sizeof(current));
635 current_alg = (int*)((char*)&current + offset);
636
637 for (i = 0; i < *count; i++)
638 {
639 enumerator = create_enumerator(lib->crypto);
640 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
641 {
642 if ((suites[i].encr == ENCR_NULL ||
643 !current.encr || current.encr == suites[i].encr) &&
644 (!current.mac || current.mac == suites[i].mac) &&
645 (!current.prf || current.prf == suites[i].prf) &&
646 (!current.hash || current.hash == suites[i].hash) &&
647 (suites[i].dh == MODP_NONE ||
648 !current.dh || current.dh == suites[i].dh))
649 {
650 suites[remaining] = suites[i];
651 remaining++;
652 break;
653 }
654 }
655 enumerator->destroy(enumerator);
656 }
657 *count = remaining;
658 }
659
660 /**
661 * Purge NULL encryption cipher suites from list
662 */
663 static void filter_null_suites(private_tls_crypto_t *this,
664 suite_algs_t suites[], int *count)
665 {
666 int i, remaining = 0;
667
668 for (i = 0; i < *count; i++)
669 {
670 if (suites[i].encr != ENCR_NULL)
671 {
672 suites[remaining] = suites[i];
673 remaining++;
674 }
675 }
676 *count = remaining;
677 }
678
679 /**
680 * Purge suites using a given key type
681 */
682 static void filter_key_suites(private_tls_crypto_t *this,
683 suite_algs_t suites[], int *count, key_type_t key)
684 {
685 int i, remaining = 0;
686
687 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
688 for (i = 0; i < *count; i++)
689 {
690 if (suites[i].key != key)
691 {
692 suites[remaining] = suites[i];
693 remaining++;
694 }
695 }
696 *count = remaining;
697 }
698
699 /**
700 * Filter suites by key exchange user config
701 */
702 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
703 suite_algs_t suites[], int *count)
704 {
705 enumerator_t *enumerator;
706 int i, remaining = 0;
707 char *token, *config;
708
709 config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
710 if (config)
711 {
712 for (i = 0; i < *count; i++)
713 {
714 enumerator = enumerator_create_token(config, ",", " ");
715 while (enumerator->enumerate(enumerator, &token))
716 {
717 if (strcaseeq(token, "ecdhe-ecdsa") &&
718 diffie_hellman_group_is_ec(suites[i].dh) &&
719 suites[i].key == KEY_ECDSA)
720 {
721 suites[remaining++] = suites[i];
722 break;
723 }
724 if (strcaseeq(token, "ecdhe-rsa") &&
725 diffie_hellman_group_is_ec(suites[i].dh) &&
726 suites[i].key == KEY_RSA)
727 {
728 suites[remaining++] = suites[i];
729 break;
730 }
731 if (strcaseeq(token, "dhe-rsa") &&
732 !diffie_hellman_group_is_ec(suites[i].dh) &&
733 suites[i].dh != MODP_NONE &&
734 suites[i].key == KEY_RSA)
735 {
736 suites[remaining++] = suites[i];
737 break;
738 }
739 if (strcaseeq(token, "rsa") &&
740 suites[i].dh == MODP_NONE &&
741 suites[i].key == KEY_RSA)
742 {
743 suites[remaining++] = suites[i];
744 break;
745 }
746 }
747 enumerator->destroy(enumerator);
748 }
749 *count = remaining;
750 }
751 }
752
753 /**
754 * Filter suites by cipher user config
755 */
756 static void filter_cipher_config_suites(private_tls_crypto_t *this,
757 suite_algs_t suites[], int *count)
758 {
759 enumerator_t *enumerator;
760 int i, remaining = 0;
761 char *token, *config;
762
763 config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
764 if (config)
765 {
766 for (i = 0; i < *count; i++)
767 {
768 enumerator = enumerator_create_token(config, ",", " ");
769 while (enumerator->enumerate(enumerator, &token))
770 {
771 if (strcaseeq(token, "aes128") &&
772 suites[i].encr == ENCR_AES_CBC &&
773 suites[i].encr_size == 16)
774 {
775 suites[remaining++] = suites[i];
776 break;
777 }
778 if (strcaseeq(token, "aes256") &&
779 suites[i].encr == ENCR_AES_CBC &&
780 suites[i].encr_size == 32)
781 {
782 suites[remaining++] = suites[i];
783 break;
784 }
785 if (strcaseeq(token, "camellia128") &&
786 suites[i].encr == ENCR_CAMELLIA_CBC &&
787 suites[i].encr_size == 16)
788 {
789 suites[remaining++] = suites[i];
790 break;
791 }
792 if (strcaseeq(token, "camellia256") &&
793 suites[i].encr == ENCR_CAMELLIA_CBC &&
794 suites[i].encr_size == 32)
795 {
796 suites[remaining++] = suites[i];
797 break;
798 }
799 if (strcaseeq(token, "3des") &&
800 suites[i].encr == ENCR_3DES)
801 {
802 suites[remaining++] = suites[i];
803 break;
804 }
805 if (strcaseeq(token, "null") &&
806 suites[i].encr == ENCR_NULL)
807 {
808 suites[remaining++] = suites[i];
809 break;
810 }
811 }
812 enumerator->destroy(enumerator);
813 }
814 *count = remaining;
815 }
816 }
817
818 /**
819 * Filter suites by mac user config
820 */
821 static void filter_mac_config_suites(private_tls_crypto_t *this,
822 suite_algs_t suites[], int *count)
823 {
824 enumerator_t *enumerator;
825 int i, remaining = 0;
826 char *token, *config;
827
828 config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
829 if (config)
830 {
831 for (i = 0; i < *count; i++)
832 {
833 enumerator = enumerator_create_token(config, ",", " ");
834 while (enumerator->enumerate(enumerator, &token))
835 {
836 if (strcaseeq(token, "md5") &&
837 suites[i].hash == HASH_MD5)
838 {
839 suites[remaining++] = suites[i];
840 break;
841 }
842 if (strcaseeq(token, "sha1") &&
843 suites[i].hash == HASH_SHA1)
844 {
845 suites[remaining++] = suites[i];
846 break;
847 }
848 if (strcaseeq(token, "sha256") &&
849 suites[i].hash == HASH_SHA256)
850 {
851 suites[remaining++] = suites[i];
852 break;
853 }
854 if (strcaseeq(token, "sha384") &&
855 suites[i].hash == HASH_SHA384)
856 {
857 suites[remaining++] = suites[i];
858 break;
859 }
860 }
861 enumerator->destroy(enumerator);
862 }
863 *count = remaining;
864 }
865 }
866
867 /**
868 * Filter for specific suites specified in strongswan.conf
869 */
870 static void filter_specific_config_suites(private_tls_crypto_t *this,
871 suite_algs_t suites[], int *count)
872 {
873 enumerator_t *enumerator;
874 int i, remaining = 0, suite;
875 char *token, *config;
876
877 config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
878 if (config)
879 {
880 for (i = 0; i < *count; i++)
881 {
882 enumerator = enumerator_create_token(config, ",", " ");
883 while (enumerator->enumerate(enumerator, &token))
884 {
885 suite = enum_from_name(tls_cipher_suite_names, token);
886 if (suite == suites[i].suite)
887 {
888 suites[remaining++] = suites[i];
889 break;
890 }
891 }
892 enumerator->destroy(enumerator);
893 }
894 *count = remaining;
895 }
896 }
897
898 /**
899 * Initialize the cipher suite list
900 */
901 static void build_cipher_suite_list(private_tls_crypto_t *this,
902 bool require_encryption)
903 {
904 suite_algs_t suites[countof(suite_algs)];
905 int count = countof(suite_algs), i;
906
907 /* copy all suites */
908 for (i = 0; i < count; i++)
909 {
910 suites[i] = suite_algs[i];
911 }
912 if (require_encryption)
913 {
914 filter_null_suites(this, suites, &count);
915 }
916 if (!this->rsa)
917 {
918 filter_key_suites(this, suites, &count, KEY_RSA);
919 }
920 if (!this->ecdsa)
921 {
922 filter_key_suites(this, suites, &count, KEY_ECDSA);
923 }
924
925 /* filter suite list by each algorithm */
926 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
927 lib->crypto->create_crypter_enumerator);
928 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
929 lib->crypto->create_signer_enumerator);
930 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
931 lib->crypto->create_prf_enumerator);
932 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
933 lib->crypto->create_hasher_enumerator);
934 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
935 lib->crypto->create_dh_enumerator);
936
937 /* filter suites with strongswan.conf options */
938 filter_key_exchange_config_suites(this, suites, &count);
939 filter_cipher_config_suites(this, suites, &count);
940 filter_mac_config_suites(this, suites, &count);
941 filter_specific_config_suites(this, suites, &count);
942
943 free(this->suites);
944 this->suite_count = count;
945 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
946
947 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
948 for (i = 0; i < count; i++)
949 {
950 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
951 this->suites[i] = suites[i].suite;
952 }
953 }
954
955 METHOD(tls_crypto_t, get_cipher_suites, int,
956 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
957 {
958 *suites = this->suites;
959 return this->suite_count;
960 }
961
962 /**
963 * Create crypto primitives
964 */
965 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
966 {
967 DESTROY_IF(this->prf);
968 if (this->tls->get_version(this->tls) < TLS_1_2)
969 {
970 this->prf = tls_prf_create_10();
971 }
972 else
973 {
974 this->prf = tls_prf_create_12(algs->prf);
975 }
976 if (!this->prf)
977 {
978 DBG1(DBG_TLS, "selected TLS PRF not supported");
979 return FALSE;
980 }
981
982 DESTROY_IF(this->signer_in);
983 DESTROY_IF(this->signer_out);
984 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
985 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
986 if (!this->signer_in || !this->signer_out)
987 {
988 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
989 integrity_algorithm_names, algs->mac);
990 return FALSE;
991 }
992
993 DESTROY_IF(this->crypter_in);
994 DESTROY_IF(this->crypter_out);
995 if (algs->encr == ENCR_NULL)
996 {
997 this->crypter_in = this->crypter_out = NULL;
998 }
999 else
1000 {
1001 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
1002 algs->encr, algs->encr_size);
1003 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
1004 algs->encr, algs->encr_size);
1005 if (!this->crypter_in || !this->crypter_out)
1006 {
1007 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
1008 encryption_algorithm_names, algs->encr);
1009 return FALSE;
1010 }
1011 }
1012 return TRUE;
1013 }
1014
1015 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1016 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1017 key_type_t key)
1018 {
1019 suite_algs_t *algs;
1020 int i, j;
1021
1022 for (i = 0; i < this->suite_count; i++)
1023 {
1024 for (j = 0; j < count; j++)
1025 {
1026 if (this->suites[i] == suites[j])
1027 {
1028 algs = find_suite(this->suites[i]);
1029 if (algs)
1030 {
1031 if (key == KEY_ANY || key == algs->key)
1032 {
1033 if (create_ciphers(this, algs))
1034 {
1035 this->suite = this->suites[i];
1036 return this->suite;
1037 }
1038 }
1039 }
1040 }
1041 }
1042 }
1043 return 0;
1044 }
1045
1046 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1047 private_tls_crypto_t *this)
1048 {
1049 suite_algs_t *algs;
1050
1051 algs = find_suite(this->suite);
1052 if (algs)
1053 {
1054 return algs->dh;
1055 }
1056 return MODP_NONE;
1057 }
1058
1059 METHOD(tls_crypto_t, get_signature_algorithms, void,
1060 private_tls_crypto_t *this, tls_writer_t *writer)
1061 {
1062 tls_writer_t *supported;
1063 enumerator_t *enumerator;
1064 hash_algorithm_t alg;
1065 tls_hash_algorithm_t hash;
1066 const char *plugin_name;
1067
1068 supported = tls_writer_create(32);
1069 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1070 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1071 {
1072 switch (alg)
1073 {
1074 case HASH_MD5:
1075 hash = TLS_HASH_MD5;
1076 break;
1077 case HASH_SHA1:
1078 hash = TLS_HASH_SHA1;
1079 break;
1080 case HASH_SHA224:
1081 hash = TLS_HASH_SHA224;
1082 break;
1083 case HASH_SHA256:
1084 hash = TLS_HASH_SHA256;
1085 break;
1086 case HASH_SHA384:
1087 hash = TLS_HASH_SHA384;
1088 break;
1089 case HASH_SHA512:
1090 hash = TLS_HASH_SHA512;
1091 break;
1092 default:
1093 continue;
1094 }
1095 if (this->rsa)
1096 {
1097 supported->write_uint8(supported, hash);
1098 supported->write_uint8(supported, TLS_SIG_RSA);
1099 }
1100 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1101 { /* currently we have no signature scheme for MD5/SHA224 */
1102 supported->write_uint8(supported, hash);
1103 supported->write_uint8(supported, TLS_SIG_ECDSA);
1104 }
1105 }
1106 enumerator->destroy(enumerator);
1107
1108 writer->write_data16(writer, supported->get_buf(supported));
1109 supported->destroy(supported);
1110 }
1111
1112 /**
1113 * Mapping groups to TLS named curves
1114 */
1115 static struct {
1116 diffie_hellman_group_t group;
1117 tls_named_curve_t curve;
1118 } curves[] = {
1119 { ECP_256_BIT, TLS_SECP256R1},
1120 { ECP_384_BIT, TLS_SECP384R1},
1121 { ECP_521_BIT, TLS_SECP521R1},
1122 { ECP_224_BIT, TLS_SECP224R1},
1123 { ECP_192_BIT, TLS_SECP192R1},
1124 };
1125
1126 /**
1127 * Filter EC groups, add TLS curve
1128 */
1129 static bool group_filter(void *null,
1130 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1131 void* dummy1, tls_named_curve_t *curve)
1132 {
1133 int i;
1134
1135 for (i = 0; i < countof(curves); i++)
1136 {
1137 if (curves[i].group == *in)
1138 {
1139 if (out)
1140 {
1141 *out = curves[i].group;
1142 }
1143 if (curve)
1144 {
1145 *curve = curves[i].curve;
1146 }
1147 return TRUE;
1148 }
1149 }
1150 return FALSE;
1151 }
1152
1153 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1154 private_tls_crypto_t *this)
1155 {
1156 return enumerator_create_filter(
1157 lib->crypto->create_dh_enumerator(lib->crypto),
1158 (void*)group_filter, NULL, NULL);
1159 }
1160
1161 METHOD(tls_crypto_t, set_protection, void,
1162 private_tls_crypto_t *this, tls_protection_t *protection)
1163 {
1164 this->protection = protection;
1165 }
1166
1167 METHOD(tls_crypto_t, append_handshake, void,
1168 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1169 {
1170 u_int32_t header;
1171
1172 /* reconstruct handshake header */
1173 header = htonl(data.len | (type << 24));
1174 this->handshake = chunk_cat("mcc", this->handshake,
1175 chunk_from_thing(header), data);
1176 }
1177
1178 /**
1179 * Create a hash using the suites HASH algorithm
1180 */
1181 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1182 {
1183 if (this->tls->get_version(this->tls) >= TLS_1_2)
1184 {
1185 hasher_t *hasher;
1186 suite_algs_t *alg;
1187
1188 alg = find_suite(this->suite);
1189 if (!alg)
1190 {
1191 return FALSE;
1192 }
1193 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1194 if (!hasher)
1195 {
1196 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1197 return FALSE;
1198 }
1199 hasher->allocate_hash(hasher, data, hash);
1200 hasher->destroy(hasher);
1201 }
1202 else
1203 {
1204 hasher_t *md5, *sha1;
1205 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1206
1207 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1208 if (!md5)
1209 {
1210 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1211 return FALSE;
1212 }
1213 md5->get_hash(md5, data, buf);
1214 md5->destroy(md5);
1215 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1216 if (!sha1)
1217 {
1218 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1219 return FALSE;
1220 }
1221 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
1222 sha1->destroy(sha1);
1223
1224 *hash = chunk_clone(chunk_from_thing(buf));
1225 }
1226 return TRUE;
1227 }
1228
1229 /**
1230 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1231 */
1232 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1233 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1234 {
1235 switch (sig)
1236 {
1237 case TLS_SIG_RSA:
1238 if (type != KEY_RSA)
1239 {
1240 return SIGN_UNKNOWN;
1241 }
1242 switch (hash)
1243 {
1244 case TLS_HASH_MD5:
1245 return SIGN_RSA_EMSA_PKCS1_MD5;
1246 case TLS_HASH_SHA1:
1247 return SIGN_RSA_EMSA_PKCS1_SHA1;
1248 case TLS_HASH_SHA224:
1249 return SIGN_RSA_EMSA_PKCS1_SHA224;
1250 case TLS_HASH_SHA256:
1251 return SIGN_RSA_EMSA_PKCS1_SHA256;
1252 case TLS_HASH_SHA384:
1253 return SIGN_RSA_EMSA_PKCS1_SHA384;
1254 case TLS_HASH_SHA512:
1255 return SIGN_RSA_EMSA_PKCS1_SHA512;
1256 default:
1257 return SIGN_UNKNOWN;
1258 }
1259 case TLS_SIG_ECDSA:
1260 if (type != KEY_ECDSA)
1261 {
1262 return SIGN_UNKNOWN;
1263 }
1264 switch (hash)
1265 {
1266 case TLS_HASH_SHA224:
1267 return SIGN_ECDSA_WITH_SHA1_DER;
1268 case TLS_HASH_SHA256:
1269 return SIGN_ECDSA_WITH_SHA256_DER;
1270 case TLS_HASH_SHA384:
1271 return SIGN_ECDSA_WITH_SHA384_DER;
1272 case TLS_HASH_SHA512:
1273 return SIGN_ECDSA_WITH_SHA512_DER;
1274 default:
1275 return SIGN_UNKNOWN;
1276 }
1277 default:
1278 return SIGN_UNKNOWN;
1279 }
1280 }
1281
1282 METHOD(tls_crypto_t, sign, bool,
1283 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1284 chunk_t data, chunk_t hashsig)
1285 {
1286 if (this->tls->get_version(this->tls) >= TLS_1_2)
1287 {
1288 signature_scheme_t scheme;
1289 tls_reader_t *reader;
1290 u_int8_t hash, alg;
1291 chunk_t sig;
1292 bool done = FALSE;
1293
1294 if (!hashsig.len)
1295 { /* fallback if none given */
1296 hashsig = chunk_from_chars(
1297 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1298 }
1299 reader = tls_reader_create(hashsig);
1300 while (reader->remaining(reader) >= 2)
1301 {
1302 if (reader->read_uint8(reader, &hash) &&
1303 reader->read_uint8(reader, &alg))
1304 {
1305 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1306 if (scheme != SIGN_UNKNOWN &&
1307 key->sign(key, scheme, data, &sig))
1308 {
1309 done = TRUE;
1310 break;
1311 }
1312 }
1313 }
1314 reader->destroy(reader);
1315 if (!done)
1316 {
1317 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1318 return FALSE;
1319 }
1320 DBG2(DBG_TLS, "created signature with %N/%N",
1321 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1322 writer->write_uint8(writer, hash);
1323 writer->write_uint8(writer, alg);
1324 writer->write_data16(writer, sig);
1325 free(sig.ptr);
1326 }
1327 else
1328 {
1329 chunk_t sig, hash;
1330 bool done;
1331
1332 switch (key->get_type(key))
1333 {
1334 case KEY_RSA:
1335 if (!hash_data(this, data, &hash))
1336 {
1337 return FALSE;
1338 }
1339 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1340 free(hash.ptr);
1341 if (!done)
1342 {
1343 return FALSE;
1344 }
1345 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1346 break;
1347 case KEY_ECDSA:
1348 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1349 {
1350 return FALSE;
1351 }
1352 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1353 break;
1354 default:
1355 return FALSE;
1356 }
1357 writer->write_data16(writer, sig);
1358 free(sig.ptr);
1359 }
1360 return TRUE;
1361 }
1362
1363 METHOD(tls_crypto_t, verify, bool,
1364 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1365 chunk_t data)
1366 {
1367 if (this->tls->get_version(this->tls) >= TLS_1_2)
1368 {
1369 signature_scheme_t scheme = SIGN_UNKNOWN;
1370 u_int8_t hash, alg;
1371 chunk_t sig;
1372
1373 if (!reader->read_uint8(reader, &hash) ||
1374 !reader->read_uint8(reader, &alg) ||
1375 !reader->read_data16(reader, &sig))
1376 {
1377 DBG1(DBG_TLS, "received invalid signature");
1378 return FALSE;
1379 }
1380 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1381 if (scheme == SIGN_UNKNOWN)
1382 {
1383 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1384 tls_hash_algorithm_names, hash,
1385 tls_signature_algorithm_names, alg);
1386 return FALSE;
1387 }
1388 if (!key->verify(key, scheme, data, sig))
1389 {
1390 return FALSE;
1391 }
1392 DBG2(DBG_TLS, "verified signature with %N/%N",
1393 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1394 }
1395 else
1396 {
1397 chunk_t sig, hash;
1398 bool done;
1399
1400 if (!reader->read_data16(reader, &sig))
1401 {
1402 DBG1(DBG_TLS, "received invalid signature");
1403 return FALSE;
1404 }
1405 switch (key->get_type(key))
1406 {
1407 case KEY_RSA:
1408 if (!hash_data(this, data, &hash))
1409 {
1410 return FALSE;
1411 }
1412 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1413 free(hash.ptr);
1414 if (!done)
1415 {
1416 return FALSE;
1417 }
1418 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1419 break;
1420 case KEY_ECDSA:
1421 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1422 {
1423 return FALSE;
1424 }
1425 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1426 break;
1427 default:
1428 return FALSE;
1429 }
1430 }
1431 return TRUE;
1432 }
1433
1434 METHOD(tls_crypto_t, sign_handshake, bool,
1435 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1436 chunk_t hashsig)
1437 {
1438 return sign(this, key, writer, this->handshake, hashsig);
1439 }
1440
1441 METHOD(tls_crypto_t, verify_handshake, bool,
1442 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1443 {
1444 return verify(this, key, reader, this->handshake);
1445 }
1446
1447 METHOD(tls_crypto_t, calculate_finished, bool,
1448 private_tls_crypto_t *this, char *label, char out[12])
1449 {
1450 chunk_t seed;
1451
1452 if (!this->prf)
1453 {
1454 return FALSE;
1455 }
1456 if (!hash_data(this, this->handshake, &seed))
1457 {
1458 return FALSE;
1459 }
1460 this->prf->get_bytes(this->prf, label, seed, 12, out);
1461 free(seed.ptr);
1462 return TRUE;
1463 }
1464
1465 METHOD(tls_crypto_t, derive_secrets, void,
1466 private_tls_crypto_t *this, chunk_t premaster,
1467 chunk_t client_random, chunk_t server_random)
1468 {
1469 char master[48];
1470 chunk_t seed, block, client_write, server_write;
1471 int mks, eks = 0, ivs = 0;
1472
1473 /* derive master secret */
1474 seed = chunk_cata("cc", client_random, server_random);
1475 this->prf->set_key(this->prf, premaster);
1476 this->prf->get_bytes(this->prf, "master secret", seed,
1477 sizeof(master), master);
1478
1479 this->prf->set_key(this->prf, chunk_from_thing(master));
1480 memset(master, 0, sizeof(master));
1481
1482 /* derive key block for key expansion */
1483 mks = this->signer_out->get_key_size(this->signer_out);
1484 if (this->crypter_out)
1485 {
1486 eks = this->crypter_out->get_key_size(this->crypter_out);
1487 if (this->tls->get_version(this->tls) < TLS_1_1)
1488 {
1489 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1490 }
1491 }
1492 seed = chunk_cata("cc", server_random, client_random);
1493 block = chunk_alloca((mks + eks + ivs) * 2);
1494 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1495
1496 /* signer keys */
1497 client_write = chunk_create(block.ptr, mks);
1498 block = chunk_skip(block, mks);
1499 server_write = chunk_create(block.ptr, mks);
1500 block = chunk_skip(block, mks);
1501 if (this->tls->is_server(this->tls))
1502 {
1503 this->signer_in->set_key(this->signer_in, client_write);
1504 this->signer_out->set_key(this->signer_out, server_write);
1505 }
1506 else
1507 {
1508 this->signer_out->set_key(this->signer_out, client_write);
1509 this->signer_in->set_key(this->signer_in, server_write);
1510 }
1511
1512 /* crypter keys, and IVs if < TLSv1.2 */
1513 if (this->crypter_out && this->crypter_in)
1514 {
1515 client_write = chunk_create(block.ptr, eks);
1516 block = chunk_skip(block, eks);
1517 server_write = chunk_create(block.ptr, eks);
1518 block = chunk_skip(block, eks);
1519
1520 if (this->tls->is_server(this->tls))
1521 {
1522 this->crypter_in->set_key(this->crypter_in, client_write);
1523 this->crypter_out->set_key(this->crypter_out, server_write);
1524 }
1525 else
1526 {
1527 this->crypter_out->set_key(this->crypter_out, client_write);
1528 this->crypter_in->set_key(this->crypter_in, server_write);
1529 }
1530 if (ivs)
1531 {
1532 client_write = chunk_create(block.ptr, ivs);
1533 block = chunk_skip(block, ivs);
1534 server_write = chunk_create(block.ptr, ivs);
1535 block = chunk_skip(block, ivs);
1536
1537 if (this->tls->is_server(this->tls))
1538 {
1539 this->iv_in = chunk_clone(client_write);
1540 this->iv_out = chunk_clone(server_write);
1541 }
1542 else
1543 {
1544 this->iv_out = chunk_clone(client_write);
1545 this->iv_in = chunk_clone(server_write);
1546 }
1547 }
1548 }
1549 }
1550
1551 METHOD(tls_crypto_t, change_cipher, void,
1552 private_tls_crypto_t *this, bool inbound)
1553 {
1554 if (this->protection)
1555 {
1556 if (inbound)
1557 {
1558 this->protection->set_cipher(this->protection, TRUE,
1559 this->signer_in, this->crypter_in, this->iv_in);
1560 }
1561 else
1562 {
1563 this->protection->set_cipher(this->protection, FALSE,
1564 this->signer_out, this->crypter_out, this->iv_out);
1565 }
1566 }
1567 }
1568
1569 METHOD(tls_crypto_t, derive_eap_msk, void,
1570 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1571 {
1572 if (this->msk_label)
1573 {
1574 chunk_t seed;
1575
1576 seed = chunk_cata("cc", client_random, server_random);
1577 free(this->msk.ptr);
1578 this->msk = chunk_alloc(64);
1579 this->prf->get_bytes(this->prf, this->msk_label, seed,
1580 this->msk.len, this->msk.ptr);
1581 }
1582 }
1583
1584 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1585 private_tls_crypto_t *this)
1586 {
1587 return this->msk;
1588 }
1589
1590 METHOD(tls_crypto_t, destroy, void,
1591 private_tls_crypto_t *this)
1592 {
1593 DESTROY_IF(this->signer_in);
1594 DESTROY_IF(this->signer_out);
1595 DESTROY_IF(this->crypter_in);
1596 DESTROY_IF(this->crypter_out);
1597 free(this->iv_in.ptr);
1598 free(this->iv_out.ptr);
1599 free(this->handshake.ptr);
1600 free(this->msk.ptr);
1601 DESTROY_IF(this->prf);
1602 free(this->suites);
1603 free(this);
1604 }
1605
1606 /**
1607 * See header
1608 */
1609 tls_crypto_t *tls_crypto_create(tls_t *tls)
1610 {
1611 private_tls_crypto_t *this;
1612 enumerator_t *enumerator;
1613 credential_type_t type;
1614 int subtype;
1615
1616 INIT(this,
1617 .public = {
1618 .get_cipher_suites = _get_cipher_suites,
1619 .select_cipher_suite = _select_cipher_suite,
1620 .get_dh_group = _get_dh_group,
1621 .get_signature_algorithms = _get_signature_algorithms,
1622 .create_ec_enumerator = _create_ec_enumerator,
1623 .set_protection = _set_protection,
1624 .append_handshake = _append_handshake,
1625 .sign = _sign,
1626 .verify = _verify,
1627 .sign_handshake = _sign_handshake,
1628 .verify_handshake = _verify_handshake,
1629 .calculate_finished = _calculate_finished,
1630 .derive_secrets = _derive_secrets,
1631 .change_cipher = _change_cipher,
1632 .derive_eap_msk = _derive_eap_msk,
1633 .get_eap_msk = _get_eap_msk,
1634 .destroy = _destroy,
1635 },
1636 .tls = tls,
1637 );
1638
1639 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1640 while (enumerator->enumerate(enumerator, &type, &subtype))
1641 {
1642 if (type == CRED_PUBLIC_KEY)
1643 {
1644 switch (subtype)
1645 {
1646 case KEY_RSA:
1647 this->rsa = TRUE;
1648 break;
1649 case KEY_ECDSA:
1650 this->ecdsa = TRUE;
1651 break;
1652 default:
1653 break;
1654 }
1655 }
1656 }
1657 enumerator->destroy(enumerator);
1658
1659 switch (tls->get_purpose(tls))
1660 {
1661 case TLS_PURPOSE_EAP_TLS:
1662 case TLS_PURPOSE_EAP_PEAP:
1663 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1664 this->msk_label = "client EAP encryption";
1665 build_cipher_suite_list(this, FALSE);
1666 break;
1667 case TLS_PURPOSE_EAP_TTLS:
1668 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1669 this->msk_label = "ttls keying material";
1670 build_cipher_suite_list(this, TRUE);
1671 break;
1672 case TLS_PURPOSE_GENERIC:
1673 build_cipher_suite_list(this, TRUE);
1674 break;
1675 default:
1676 break;
1677 }
1678 return &this->public;
1679 }