Added TLS specific Hash and Signature Algorithm identifiers
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 typedef struct private_tls_crypto_t private_tls_crypto_t;
258
259 /**
260 * Private data of an tls_crypto_t object.
261 */
262 struct private_tls_crypto_t {
263
264 /**
265 * Public tls_crypto_t interface.
266 */
267 tls_crypto_t public;
268
269 /**
270 * Protection layer
271 */
272 tls_protection_t *protection;
273
274 /**
275 * List of supported/acceptable cipher suites
276 */
277 tls_cipher_suite_t *suites;
278
279 /**
280 * Number of supported suites
281 */
282 int suite_count;
283
284 /**
285 * Selected cipher suite
286 */
287 tls_cipher_suite_t suite;
288
289 /**
290 * TLS context
291 */
292 tls_t *tls;
293
294 /**
295 * All handshake data concatentated
296 */
297 chunk_t handshake;
298
299 /**
300 * Connection state TLS PRF
301 */
302 tls_prf_t *prf;
303
304 /**
305 * Signer instance for inbound traffic
306 */
307 signer_t *signer_in;
308
309 /**
310 * Signer instance for outbound traffic
311 */
312 signer_t *signer_out;
313
314 /**
315 * Crypter instance for inbound traffic
316 */
317 crypter_t *crypter_in;
318
319 /**
320 * Crypter instance for outbound traffic
321 */
322 crypter_t *crypter_out;
323
324 /**
325 * IV for input decryption, if < TLSv1.2
326 */
327 chunk_t iv_in;
328
329 /**
330 * IV for output decryption, if < TLSv1.2
331 */
332 chunk_t iv_out;
333
334 /**
335 * EAP-[T]TLS MSK
336 */
337 chunk_t msk;
338
339 /**
340 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
341 */
342 char *msk_label;
343 };
344
345 typedef struct {
346 tls_cipher_suite_t suite;
347 hash_algorithm_t hash;
348 pseudo_random_function_t prf;
349 integrity_algorithm_t mac;
350 encryption_algorithm_t encr;
351 size_t encr_size;
352 } suite_algs_t;
353
354 /**
355 * Mapping suites to a set of algorithms
356 */
357 static suite_algs_t suite_algs[] = {
358 { TLS_RSA_WITH_AES_128_CBC_SHA,
359 HASH_SHA1, PRF_HMAC_SHA1,
360 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
361 },
362 { TLS_RSA_WITH_AES_128_CBC_SHA256,
363 HASH_SHA256, PRF_HMAC_SHA2_256,
364 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
365 },
366 { TLS_RSA_WITH_AES_256_CBC_SHA,
367 HASH_SHA1, PRF_HMAC_SHA1,
368 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
369 },
370 { TLS_RSA_WITH_AES_256_CBC_SHA256,
371 HASH_SHA256, PRF_HMAC_SHA2_256,
372 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
373 },
374 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
375 HASH_SHA1, PRF_HMAC_SHA1,
376 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
377 },
378 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
379 HASH_SHA256, PRF_HMAC_SHA2_256,
380 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
381 },
382 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
383 HASH_SHA1, PRF_HMAC_SHA1,
384 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
385 },
386 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
387 HASH_SHA256, PRF_HMAC_SHA2_256,
388 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
389 },
390 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
391 HASH_SHA1, PRF_HMAC_SHA1,
392 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
393 },
394 { TLS_RSA_WITH_NULL_SHA,
395 HASH_SHA1, PRF_HMAC_SHA1,
396 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
397 },
398 { TLS_RSA_WITH_NULL_SHA256,
399 HASH_SHA256, PRF_HMAC_SHA2_256,
400 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
401 },
402 { TLS_RSA_WITH_NULL_MD5,
403 HASH_MD5, PRF_HMAC_MD5,
404 AUTH_HMAC_MD5_128, ENCR_NULL, 0
405 },
406 };
407
408 /**
409 * Look up algoritms by a suite
410 */
411 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
412 {
413 int i;
414
415 for (i = 0; i < countof(suite_algs); i++)
416 {
417 if (suite_algs[i].suite == suite)
418 {
419 return &suite_algs[i];
420 }
421 }
422 return NULL;
423 }
424
425 /**
426 * Filter a suite list using a transform enumerator
427 */
428 static void filter_suite(private_tls_crypto_t *this,
429 suite_algs_t suites[], int *count, int offset,
430 enumerator_t*(*create_enumerator)(crypto_factory_t*))
431 {
432 suite_algs_t current;
433 int i, remaining = 0;
434 enumerator_t *enumerator;
435
436 memset(&current, 0, sizeof(current));
437 for (i = 0; i < *count; i++)
438 {
439 enumerator = create_enumerator(lib->crypto);
440 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
441 {
442 if ((suites[i].encr == ENCR_NULL ||
443 !current.encr || current.encr == suites[i].encr) &&
444 (!current.mac || current.mac == suites[i].mac) &&
445 (!current.prf || current.prf == suites[i].prf) &&
446 (!current.hash || current.hash == suites[i].hash))
447 {
448 suites[remaining] = suites[i];
449 remaining++;
450 break;
451 }
452 }
453 enumerator->destroy(enumerator);
454 }
455 *count = remaining;
456 }
457
458 /**
459 * Purge NULL encryption cipher suites from list
460 */
461 static void filter_null_suites(private_tls_crypto_t *this,
462 suite_algs_t suites[], int *count)
463 {
464 int i, remaining = 0;
465
466 for (i = 0; i < *count; i++)
467 {
468 if (suites[i].encr != ENCR_NULL)
469 {
470 suites[remaining] = suites[i];
471 remaining++;
472 }
473 }
474 *count = remaining;
475 }
476
477 /**
478 * Initialize the cipher suite list
479 */
480 static void build_cipher_suite_list(private_tls_crypto_t *this,
481 bool require_encryption)
482 {
483 suite_algs_t suites[countof(suite_algs)];
484 int count = countof(suite_algs), i;
485
486 /* copy all suites */
487 for (i = 0; i < count; i++)
488 {
489 suites[i] = suite_algs[i];
490 }
491 if (require_encryption)
492 {
493 filter_null_suites(this, suites, &count);
494 }
495 /* filter suite list by each algorithm */
496 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
497 lib->crypto->create_crypter_enumerator);
498 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
499 lib->crypto->create_signer_enumerator);
500 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
501 lib->crypto->create_prf_enumerator);
502 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
503 lib->crypto->create_hasher_enumerator);
504
505 free(this->suites);
506 this->suite_count = count;
507 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
508
509 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
510 for (i = 0; i < count; i++)
511 {
512 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
513 this->suites[i] = suites[i].suite;
514 }
515 }
516
517 METHOD(tls_crypto_t, get_cipher_suites, int,
518 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
519 {
520 *suites = this->suites;
521 return this->suite_count;
522 }
523
524 /**
525 * Create crypto primitives
526 */
527 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
528 {
529 suite_algs_t *algs;
530
531 algs = find_suite(suite);
532 if (!algs)
533 {
534 DBG1(DBG_TLS, "selected TLS suite not supported");
535 return FALSE;
536 }
537
538 DESTROY_IF(this->prf);
539 if (this->tls->get_version(this->tls) < TLS_1_2)
540 {
541 this->prf = tls_prf_create_10();
542 }
543 else
544 {
545 this->prf = tls_prf_create_12(algs->prf);
546 }
547 if (!this->prf)
548 {
549 DBG1(DBG_TLS, "selected TLS PRF not supported");
550 return FALSE;
551 }
552
553 DESTROY_IF(this->signer_in);
554 DESTROY_IF(this->signer_out);
555 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
556 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
557 if (!this->signer_in || !this->signer_out)
558 {
559 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
560 integrity_algorithm_names, algs->mac);
561 return FALSE;
562 }
563
564 DESTROY_IF(this->crypter_in);
565 DESTROY_IF(this->crypter_out);
566 if (algs->encr == ENCR_NULL)
567 {
568 this->crypter_in = this->crypter_out = NULL;
569 }
570 else
571 {
572 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
573 algs->encr, algs->encr_size);
574 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
575 algs->encr, algs->encr_size);
576 if (!this->crypter_in || !this->crypter_out)
577 {
578 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
579 encryption_algorithm_names, algs->encr);
580 return FALSE;
581 }
582 }
583 return TRUE;
584 }
585
586 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
587 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
588 {
589 int i, j;
590
591 for (i = 0; i < this->suite_count; i++)
592 {
593 for (j = 0; j < count; j++)
594 {
595 if (this->suites[i] == suites[j])
596 {
597 if (create_ciphers(this, this->suites[i]))
598 {
599 this->suite = this->suites[i];
600 return this->suite;
601 }
602 }
603 }
604 }
605 return 0;
606 }
607
608 METHOD(tls_crypto_t, set_protection, void,
609 private_tls_crypto_t *this, tls_protection_t *protection)
610 {
611 this->protection = protection;
612 }
613
614 METHOD(tls_crypto_t, append_handshake, void,
615 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
616 {
617 u_int32_t header;
618
619 /* reconstruct handshake header */
620 header = htonl(data.len | (type << 24));
621 this->handshake = chunk_cat("mcc", this->handshake,
622 chunk_from_thing(header), data);
623 }
624
625 /**
626 * Create a hash of the stored handshake data
627 */
628 static bool hash_handshake(private_tls_crypto_t *this, chunk_t *hash)
629 {
630 if (this->tls->get_version(this->tls) >= TLS_1_2)
631 {
632 hasher_t *hasher;
633 suite_algs_t *alg;
634
635 alg = find_suite(this->suite);
636 if (!alg)
637 {
638 return FALSE;
639 }
640 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
641 if (!hasher)
642 {
643 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
644 return FALSE;
645 }
646 hasher->allocate_hash(hasher, this->handshake, hash);
647 hasher->destroy(hasher);
648 }
649 else
650 {
651 hasher_t *md5, *sha1;
652 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
653
654 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
655 if (!md5)
656 {
657 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
658 return FALSE;
659 }
660 md5->get_hash(md5, this->handshake, buf);
661 md5->destroy(md5);
662 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
663 if (!sha1)
664 {
665 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
666 return FALSE;
667 }
668 sha1->get_hash(sha1, this->handshake, buf + HASH_SIZE_MD5);
669 sha1->destroy(sha1);
670
671 *hash = chunk_clone(chunk_from_thing(buf));
672 }
673 return TRUE;
674 }
675
676 METHOD(tls_crypto_t, sign_handshake, bool,
677 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer)
678 {
679 chunk_t sig, hash;
680
681 if (this->tls->get_version(this->tls) >= TLS_1_2)
682 {
683 /* TODO: use supported algorithms instead of fixed SHA1/RSA */
684 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, &sig))
685 {
686 return FALSE;
687 }
688 writer->write_uint8(writer, 2);
689 writer->write_uint8(writer, 1);
690 writer->write_data16(writer, sig);
691 free(sig.ptr);
692 }
693 else
694 {
695 if (!hash_handshake(this, &hash))
696 {
697 return FALSE;
698 }
699 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig))
700 {
701 free(hash.ptr);
702 return FALSE;
703 }
704 writer->write_data16(writer, sig);
705 free(hash.ptr);
706 free(sig.ptr);
707 }
708 return TRUE;
709 }
710
711 METHOD(tls_crypto_t, verify_handshake, bool,
712 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
713 {
714 if (this->tls->get_version(this->tls) >= TLS_1_2)
715 {
716 u_int8_t hash, alg;
717 chunk_t sig;
718
719 if (!reader->read_uint8(reader, &hash) ||
720 !reader->read_uint8(reader, &alg) ||
721 !reader->read_data16(reader, &sig))
722 {
723 DBG1(DBG_TLS, "received invalid Certificate Verify");
724 return FALSE;
725 }
726 /* TODO: map received hash/sig alg to signature scheme */
727 if (hash != 2 || alg != 1 ||
728 !key->verify(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, sig))
729 {
730 return FALSE;
731 }
732 }
733 else
734 {
735 chunk_t sig, hash;
736
737 if (!reader->read_data16(reader, &sig))
738 {
739 DBG1(DBG_TLS, "received invalid Certificate Verify");
740 return FALSE;
741 }
742 if (!hash_handshake(this, &hash))
743 {
744 return FALSE;
745 }
746 if (!key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
747 {
748 free(hash.ptr);
749 return FALSE;
750 }
751 free(hash.ptr);
752 }
753 return TRUE;
754 }
755
756 METHOD(tls_crypto_t, calculate_finished, bool,
757 private_tls_crypto_t *this, char *label, char out[12])
758 {
759 chunk_t seed;
760
761 if (!this->prf)
762 {
763 return FALSE;
764 }
765 if (!hash_handshake(this, &seed))
766 {
767 return FALSE;
768 }
769 this->prf->get_bytes(this->prf, label, seed, 12, out);
770 free(seed.ptr);
771 return TRUE;
772 }
773
774 METHOD(tls_crypto_t, derive_secrets, void,
775 private_tls_crypto_t *this, chunk_t premaster,
776 chunk_t client_random, chunk_t server_random)
777 {
778 char master[48];
779 chunk_t seed, block, client_write, server_write;
780 int mks, eks = 0, ivs = 0;
781
782 /* derive master secret */
783 seed = chunk_cata("cc", client_random, server_random);
784 this->prf->set_key(this->prf, premaster);
785 this->prf->get_bytes(this->prf, "master secret", seed,
786 sizeof(master), master);
787
788 this->prf->set_key(this->prf, chunk_from_thing(master));
789 memset(master, 0, sizeof(master));
790
791 /* derive key block for key expansion */
792 mks = this->signer_out->get_key_size(this->signer_out);
793 if (this->crypter_out)
794 {
795 eks = this->crypter_out->get_key_size(this->crypter_out);
796 if (this->tls->get_version(this->tls) < TLS_1_1)
797 {
798 ivs = this->crypter_out->get_iv_size(this->crypter_out);
799 }
800 }
801 seed = chunk_cata("cc", server_random, client_random);
802 block = chunk_alloca((mks + eks + ivs) * 2);
803 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
804
805 /* signer keys */
806 client_write = chunk_create(block.ptr, mks);
807 block = chunk_skip(block, mks);
808 server_write = chunk_create(block.ptr, mks);
809 block = chunk_skip(block, mks);
810 if (this->tls->is_server(this->tls))
811 {
812 this->signer_in->set_key(this->signer_in, client_write);
813 this->signer_out->set_key(this->signer_out, server_write);
814 }
815 else
816 {
817 this->signer_out->set_key(this->signer_out, client_write);
818 this->signer_in->set_key(this->signer_in, server_write);
819 }
820
821 /* crypter keys, and IVs if < TLSv1.2 */
822 if (this->crypter_out && this->crypter_in)
823 {
824 client_write = chunk_create(block.ptr, eks);
825 block = chunk_skip(block, eks);
826 server_write = chunk_create(block.ptr, eks);
827 block = chunk_skip(block, eks);
828
829 if (this->tls->is_server(this->tls))
830 {
831 this->crypter_in->set_key(this->crypter_in, client_write);
832 this->crypter_out->set_key(this->crypter_out, server_write);
833 }
834 else
835 {
836 this->crypter_out->set_key(this->crypter_out, client_write);
837 this->crypter_in->set_key(this->crypter_in, server_write);
838 }
839 if (ivs)
840 {
841 client_write = chunk_create(block.ptr, ivs);
842 block = chunk_skip(block, ivs);
843 server_write = chunk_create(block.ptr, ivs);
844 block = chunk_skip(block, ivs);
845
846 if (this->tls->is_server(this->tls))
847 {
848 this->iv_in = chunk_clone(client_write);
849 this->iv_out = chunk_clone(server_write);
850 }
851 else
852 {
853 this->iv_out = chunk_clone(client_write);
854 this->iv_in = chunk_clone(server_write);
855 }
856 }
857 }
858 }
859
860 METHOD(tls_crypto_t, change_cipher, void,
861 private_tls_crypto_t *this, bool inbound)
862 {
863 if (this->protection)
864 {
865 if (inbound)
866 {
867 this->protection->set_cipher(this->protection, TRUE,
868 this->signer_in, this->crypter_in, this->iv_in);
869 }
870 else
871 {
872 this->protection->set_cipher(this->protection, FALSE,
873 this->signer_out, this->crypter_out, this->iv_out);
874 }
875 }
876 }
877
878 METHOD(tls_crypto_t, derive_eap_msk, void,
879 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
880 {
881 if (this->msk_label)
882 {
883 chunk_t seed;
884
885 seed = chunk_cata("cc", client_random, server_random);
886 free(this->msk.ptr);
887 this->msk = chunk_alloc(64);
888 this->prf->get_bytes(this->prf, this->msk_label, seed,
889 this->msk.len, this->msk.ptr);
890 }
891 }
892
893 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
894 private_tls_crypto_t *this)
895 {
896 return this->msk;
897 }
898
899 METHOD(tls_crypto_t, destroy, void,
900 private_tls_crypto_t *this)
901 {
902 DESTROY_IF(this->signer_in);
903 DESTROY_IF(this->signer_out);
904 DESTROY_IF(this->crypter_in);
905 DESTROY_IF(this->crypter_out);
906 free(this->iv_in.ptr);
907 free(this->iv_out.ptr);
908 free(this->handshake.ptr);
909 free(this->msk.ptr);
910 DESTROY_IF(this->prf);
911 free(this->suites);
912 free(this);
913 }
914
915 /**
916 * See header
917 */
918 tls_crypto_t *tls_crypto_create(tls_t *tls)
919 {
920 private_tls_crypto_t *this;
921
922 INIT(this,
923 .public = {
924 .get_cipher_suites = _get_cipher_suites,
925 .select_cipher_suite = _select_cipher_suite,
926 .set_protection = _set_protection,
927 .append_handshake = _append_handshake,
928 .sign_handshake = _sign_handshake,
929 .verify_handshake = _verify_handshake,
930 .calculate_finished = _calculate_finished,
931 .derive_secrets = _derive_secrets,
932 .change_cipher = _change_cipher,
933 .derive_eap_msk = _derive_eap_msk,
934 .get_eap_msk = _get_eap_msk,
935 .destroy = _destroy,
936 },
937 .tls = tls,
938 );
939
940 switch (tls->get_purpose(tls))
941 {
942 case TLS_PURPOSE_EAP_TLS:
943 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
944 this->msk_label = "client EAP encryption";
945 build_cipher_suite_list(this, FALSE);
946 break;
947 case TLS_PURPOSE_EAP_TTLS:
948 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
949 this->msk_label = "ttls keying material";
950 build_cipher_suite_list(this, TRUE);
951 break;
952 case TLS_PURPOSE_GENERIC:
953 build_cipher_suite_list(this, TRUE);
954 break;
955 }
956 return &this->public;
957 }