gitignore: Add nbproject/
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010-2014 Martin Willi
8 * Copyright (C) 2010-2014 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_crypto.h"
22 #include "tls_hkdf.h"
23
24 #include <utils/debug.h>
25 #include <plugins/plugin_feature.h>
26 #include <collections/hashtable.h>
27 #include <collections/array.h>
28
29 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
30 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
31 "TLS_NULL_WITH_NULL_NULL",
32 "TLS_RSA_WITH_NULL_MD5",
33 "TLS_RSA_WITH_NULL_SHA",
34 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
35 "TLS_RSA_WITH_RC4_128_MD5",
36 "TLS_RSA_WITH_RC4_128_SHA",
37 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
38 "TLS_RSA_WITH_IDEA_CBC_SHA",
39 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_RSA_WITH_DES_CBC_SHA",
41 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DH_DSS_WITH_DES_CBC_SHA",
44 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
46 "TLS_DH_RSA_WITH_DES_CBC_SHA",
47 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
48 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
50 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
51 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
52 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
53 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
54 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
55 "TLS_DH_anon_WITH_RC4_128_MD5",
56 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
57 "TLS_DH_anon_WITH_DES_CBC_SHA",
58 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
59 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
60 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
61 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
62 "TLS_KRB5_WITH_DES_CBC_SHA",
63 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
64 "TLS_KRB5_WITH_RC4_128_SHA",
65 "TLS_KRB5_WITH_IDEA_CBC_SHA",
66 "TLS_KRB5_WITH_DES_CBC_MD5",
67 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
68 "TLS_KRB5_WITH_RC4_128_MD5",
69 "TLS_KRB5_WITH_IDEA_CBC_MD5",
70 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
73 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
75 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
76 "TLS_PSK_WITH_NULL_SHA",
77 "TLS_DHE_PSK_WITH_NULL_SHA",
78 "TLS_RSA_PSK_WITH_NULL_SHA",
79 "TLS_RSA_WITH_AES_128_CBC_SHA",
80 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
81 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
83 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
84 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
85 "TLS_RSA_WITH_AES_256_CBC_SHA",
86 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
87 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
89 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
90 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
91 "TLS_RSA_WITH_NULL_SHA256",
92 "TLS_RSA_WITH_AES_128_CBC_SHA256",
93 "TLS_RSA_WITH_AES_256_CBC_SHA256",
94 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
95 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
96 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
97 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
102 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
103 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
104 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
105 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
106 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
110 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
112 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
113 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
114 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
115 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
116 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
122 "TLS_PSK_WITH_RC4_128_SHA",
123 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_DHE_PSK_WITH_RC4_128_SHA",
127 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
129 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
130 "TLS_RSA_PSK_WITH_RC4_128_SHA",
131 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
133 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
134 "TLS_RSA_WITH_SEED_CBC_SHA",
135 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
136 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
137 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
138 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
139 "TLS_DH_anon_WITH_SEED_CBC_SHA",
140 "TLS_RSA_WITH_AES_128_GCM_SHA256",
141 "TLS_RSA_WITH_AES_256_GCM_SHA384",
142 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
143 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
144 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
145 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
148 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
149 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
150 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
151 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
152 "TLS_PSK_WITH_AES_128_GCM_SHA256",
153 "TLS_PSK_WITH_AES_256_GCM_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
156 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
157 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
158 "TLS_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_PSK_WITH_NULL_SHA256",
161 "TLS_PSK_WITH_NULL_SHA384",
162 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
163 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
164 "TLS_DHE_PSK_WITH_NULL_SHA256",
165 "TLS_DHE_PSK_WITH_NULL_SHA384",
166 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
167 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
168 "TLS_RSA_PSK_WITH_NULL_SHA256",
169 "TLS_RSA_PSK_WITH_NULL_SHA384",
170 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
182 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
184 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
186 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
187 TLS_AES_128_CCM_8_SHA256,
188 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
189 "TLS_AES_128_GCM_SHA256",
190 "TLS_AES_256_GCM_SHA384",
191 "TLS_CHACHA20_POLY1305_SHA256",
192 "TLS_AES_128_CCM_SHA256",
193 "TLS_AES_128_CCM_8_SHA256");
194 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
195 TLS_ECDHE_PSK_WITH_NULL_SHA384,
196 TLS_AES_128_CCM_8_SHA256,
197 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
198 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
199 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
201 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
202 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
203 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
204 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
206 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
207 "TLS_ECDH_RSA_WITH_NULL_SHA",
208 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
209 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
212 "TLS_ECDHE_RSA_WITH_NULL_SHA",
213 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
214 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
216 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_ECDH_anon_WITH_NULL_SHA",
218 "TLS_ECDH_anon_WITH_RC4_128_SHA",
219 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
221 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
222 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
225 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
228 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
230 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
231 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
232 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
233 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
234 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
235 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
238 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
239 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
240 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
241 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
242 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
243 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
244 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
245 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
246 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
247 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
248 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
251 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
252 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
255 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
256 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
258 TLS_ECDHE_PSK_WITH_NULL_SHA384,
259 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
261 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
262 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
263
264
265 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
266 "NONE",
267 "MD5",
268 "SHA1",
269 "SHA224",
270 "SHA256",
271 "SHA384",
272 "SHA512",
273 );
274
275 ENUM_BEGIN(tls_signature_scheme_names,
276 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
277 "RSA_PKCS1_SHA1");
278 ENUM_NEXT(tls_signature_scheme_names,
279 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
280 "ECDSA_SHA1");
281 ENUM_NEXT(tls_signature_scheme_names,
282 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
283 "RSA_PKCS1_SHA224",
284 "DSA_SHA224",
285 "ECDSA_SHA224");
286 ENUM_NEXT(tls_signature_scheme_names,
287 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
288 "RSA_PKCS1_SHA256",
289 "DSA_SHA256",
290 "ECDSA_SHA256");
291 ENUM_NEXT(tls_signature_scheme_names,
292 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
293 "RSA_PKCS1_SHA384",
294 "DSA_SHA384",
295 "ECDSA_SHA384");
296 ENUM_NEXT(tls_signature_scheme_names,
297 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
298 "RSA_PKCS1_SHA512",
299 "DSA_SHA512",
300 "ECDSA_SHA512");
301 ENUM_NEXT(tls_signature_scheme_names,
302 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
303 "RSA_PSS_RSAE_SHA256",
304 "RSA_PSS_RSAE_SHA384",
305 "RSA_PSS_RSAE_SHA512",
306 "ED25519",
307 "ED448",
308 "RSA_PSS_PSS_SHA256",
309 "RSA_PSS_PSS_SHA384",
310 "RSA_PSS_PSS_SHA512",
311 );
312 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
313
314 ENUM_BEGIN(tls_client_certificate_type_names,
315 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
316 "RSA_SIGN",
317 "DSA_SIGN",
318 "RSA_FIXED_DH",
319 "DSS_FIXED_DH",
320 "RSA_EPHEMERAL_DH",
321 "DSS_EPHEMERAL_DH");
322 ENUM_NEXT(tls_client_certificate_type_names,
323 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
324 "FORTEZZA_DMS");
325 ENUM_NEXT(tls_client_certificate_type_names,
326 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
327 "ECDSA_SIGN",
328 "RSA_FIXED_ECDH",
329 "ECDSA_FIXED_ECDH");
330 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
331
332 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
333 "EXPLICIT_PRIME",
334 "EXPLICIT_CHAR2",
335 "NAMED_CURVE",
336 );
337
338 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
339 "SECT163K1",
340 "SECT163R1",
341 "SECT163R2",
342 "SECT193R1",
343 "SECT193R2",
344 "SECT233K1",
345 "SECT233R1",
346 "SECT239K1",
347 "SECT283K1",
348 "SECT283R1",
349 "SECT409K1",
350 "SECT409R1",
351 "SECT571K1",
352 "SECT571R1",
353 "SECP160K1",
354 "SECP160R1",
355 "SECP160R2",
356 "SECP192K1",
357 "SECP192R1",
358 "SECP224K1",
359 "SECP224R1",
360 "SECP256K1",
361 "SECP256R1",
362 "SECP384R1",
363 "SECP521R1",
364 );
365 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
366 "CURVE25519",
367 "CURVE448",
368 );
369 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
370 "FFDHE2048",
371 "FFDHE3072",
372 "FFDHE4096",
373 "FFDHE6144",
374 "FFDHE8192",
375 );
376 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
377
378 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
379 "compressed",
380 "compressed y",
381 "uncompressed",
382 "uncompressed y",
383 "hybrid",
384 "hybrid y",
385 );
386
387 ENUM(tls_ec_point_format_names,
388 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
389 "uncompressed",
390 "ansiX962 compressed prime",
391 "ansiX962 compressed char2",
392 );
393
394 typedef struct private_tls_crypto_t private_tls_crypto_t;
395
396 /**
397 * Private data of an tls_crypto_t object.
398 */
399 struct private_tls_crypto_t {
400
401 /**
402 * Public tls_crypto_t interface.
403 */
404 tls_crypto_t public;
405
406 /**
407 * Protection layer
408 */
409 tls_protection_t *protection;
410
411 /**
412 * List of supported/acceptable cipher suites
413 */
414 tls_cipher_suite_t *suites;
415
416 /**
417 * Number of supported suites
418 */
419 int suite_count;
420
421 /**
422 * HKDF for TLS 1.3
423 */
424 tls_hkdf_t *hkdf;
425
426 /**
427 * Selected cipher suite
428 */
429 tls_cipher_suite_t suite;
430
431 /**
432 * RSA supported?
433 */
434 bool rsa;
435
436 /**
437 * ECDSA supported?
438 */
439 bool ecdsa;
440
441 /**
442 * TLS context
443 */
444 tls_t *tls;
445
446 /**
447 * TLS session cache
448 */
449 tls_cache_t *cache;
450
451 /**
452 * All handshake data concatenated
453 */
454 chunk_t handshake;
455
456 /**
457 * Connection state TLS PRF
458 */
459 tls_prf_t *prf;
460
461 /**
462 * AEAD transform for inbound traffic
463 */
464 tls_aead_t *aead_in;
465
466 /**
467 * AEAD transform for outbound traffic
468 */
469 tls_aead_t *aead_out;
470
471 /**
472 * EAP-[T]TLS MSK
473 */
474 chunk_t msk;
475
476 /**
477 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
478 */
479 char *msk_label;
480 };
481
482 typedef struct {
483 tls_cipher_suite_t suite;
484 key_type_t key;
485 diffie_hellman_group_t dh;
486 hash_algorithm_t hash;
487 pseudo_random_function_t prf;
488 integrity_algorithm_t mac;
489 encryption_algorithm_t encr;
490 size_t encr_size;
491 tls_version_t min_version;
492 tls_version_t max_version;
493 } suite_algs_t;
494
495 /**
496 * Mapping suites to a set of algorithms
497 *
498 * The order represents the descending preference of cipher suites and follows
499 * this rule set:
500 *
501 * 1. TLS 1.3 > Legacy TLS
502 * 2. AES > CAMELLIA > NULL
503 * 3. AES256 > AES128
504 * 4. GCM > CBC
505 * 5. ECDHE > DHE > NULL
506 * 6. ECDSA > RSA
507 * 7. SHA384 > SHA256 > SHA1
508 *
509 */
510 static suite_algs_t suite_algs[] = {
511 /* Cipher suites of TLS 1.3: key exchange and authentication
512 * delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
513 { TLS_AES_256_GCM_SHA384,
514 KEY_ANY, MODP_NONE,
515 HASH_SHA384, PRF_UNDEFINED,
516 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
517 TLS_1_3, TLS_1_3,
518 },
519 { TLS_AES_128_GCM_SHA256,
520 KEY_ANY, MODP_NONE,
521 HASH_SHA256, PRF_UNDEFINED,
522 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
523 TLS_1_3, TLS_1_3,
524 },
525 { TLS_CHACHA20_POLY1305_SHA256,
526 KEY_ANY, MODP_NONE,
527 HASH_SHA256, PRF_UNDEFINED,
528 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
529 TLS_1_3, TLS_1_3,
530 },
531 { TLS_AES_128_CCM_SHA256,
532 KEY_ANY, MODP_NONE,
533 HASH_SHA256, PRF_UNDEFINED,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
535 TLS_1_3, TLS_1_3,
536 },
537 { TLS_AES_128_CCM_8_SHA256,
538 KEY_ANY, MODP_NONE,
539 HASH_SHA256, PRF_UNDEFINED,
540 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
541 TLS_1_3, TLS_1_3,
542 },
543 /* Legacy TLS cipher suites */
544 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
545 KEY_ECDSA, ECP_384_BIT,
546 HASH_SHA384, PRF_HMAC_SHA2_384,
547 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
548 TLS_1_2, TLS_1_2,
549 },
550 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
551 KEY_ECDSA, ECP_384_BIT,
552 HASH_SHA384, PRF_HMAC_SHA2_384,
553 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
554 TLS_1_2, TLS_1_2,
555 },
556 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
557 KEY_ECDSA, ECP_384_BIT,
558 HASH_SHA256, PRF_HMAC_SHA2_256,
559 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
560 TLS_1_0, TLS_1_2,
561 },
562 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
563 KEY_ECDSA, ECP_256_BIT,
564 HASH_SHA256, PRF_HMAC_SHA2_256,
565 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
566 TLS_1_2, TLS_1_2,
567 },
568 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
572 TLS_1_2, TLS_1_2,
573 },
574 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
575 KEY_ECDSA, ECP_256_BIT,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
578 TLS_1_0, TLS_1_2,
579 },
580 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
581 KEY_RSA, ECP_384_BIT,
582 HASH_SHA384, PRF_HMAC_SHA2_384,
583 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
584 TLS_1_2, TLS_1_2,
585 },
586 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
587 KEY_RSA, ECP_384_BIT,
588 HASH_SHA384, PRF_HMAC_SHA2_384,
589 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
590 TLS_1_2, TLS_1_2,
591 },
592 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
593 KEY_RSA, ECP_384_BIT,
594 HASH_SHA256, PRF_HMAC_SHA2_256,
595 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
596 TLS_1_0, TLS_1_2,
597 },
598 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
599 KEY_RSA, ECP_256_BIT,
600 HASH_SHA256, PRF_HMAC_SHA2_256,
601 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
602 TLS_1_2, TLS_1_2,
603 },
604 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
605 KEY_RSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
608 TLS_1_2, TLS_1_2,
609 },
610 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
611 KEY_RSA, ECP_256_BIT,
612 HASH_SHA256, PRF_HMAC_SHA2_256,
613 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
614 TLS_1_0, TLS_1_2,
615 },
616 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
617 KEY_RSA, MODP_4096_BIT,
618 HASH_SHA384, PRF_HMAC_SHA2_384,
619 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
620 TLS_1_2, TLS_1_2,
621 },
622 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
623 KEY_RSA, MODP_4096_BIT,
624 HASH_SHA256, PRF_HMAC_SHA2_256,
625 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
626 TLS_1_2, TLS_1_2,
627 },
628 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
629 KEY_RSA, MODP_3072_BIT,
630 HASH_SHA256, PRF_HMAC_SHA2_256,
631 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
632 SSL_3_0, TLS_1_2,
633 },
634 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
635 KEY_RSA, MODP_4096_BIT,
636 HASH_SHA256, PRF_HMAC_SHA2_256,
637 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
638 TLS_1_2, TLS_1_2,
639 },
640 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
641 KEY_RSA, MODP_3072_BIT,
642 HASH_SHA256, PRF_HMAC_SHA2_256,
643 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
644 SSL_3_0, TLS_1_2,
645 },
646 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
647 KEY_RSA, MODP_3072_BIT,
648 HASH_SHA256, PRF_HMAC_SHA2_256,
649 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
650 TLS_1_2, TLS_1_2,
651 },
652 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
653 KEY_RSA, MODP_3072_BIT,
654 HASH_SHA256, PRF_HMAC_SHA2_256,
655 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
656 TLS_1_2, TLS_1_2,
657 },
658 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
659 KEY_RSA, MODP_2048_BIT,
660 HASH_SHA256,PRF_HMAC_SHA2_256,
661 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
662 SSL_3_0, TLS_1_2,
663 },
664 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
665 KEY_RSA, MODP_3072_BIT,
666 HASH_SHA256, PRF_HMAC_SHA2_256,
667 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
668 TLS_1_2, TLS_1_2,
669 },
670 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
671 KEY_RSA, MODP_2048_BIT,
672 HASH_SHA256, PRF_HMAC_SHA2_256,
673 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
674 SSL_3_0, TLS_1_2,
675 },
676 { TLS_RSA_WITH_AES_256_GCM_SHA384,
677 KEY_RSA, MODP_NONE,
678 HASH_SHA384, PRF_HMAC_SHA2_384,
679 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
680 TLS_1_2, TLS_1_2,
681 },
682 { TLS_RSA_WITH_AES_256_CBC_SHA256,
683 KEY_RSA, MODP_NONE,
684 HASH_SHA256, PRF_HMAC_SHA2_256,
685 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
686 TLS_1_2, TLS_1_2,
687 },
688 { TLS_RSA_WITH_AES_256_CBC_SHA,
689 KEY_RSA, MODP_NONE,
690 HASH_SHA256, PRF_HMAC_SHA2_256,
691 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
692 SSL_3_0, TLS_1_2,
693 },
694 { TLS_RSA_WITH_AES_128_GCM_SHA256,
695 KEY_RSA, MODP_NONE,
696 HASH_SHA256, PRF_HMAC_SHA2_256,
697 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
698 TLS_1_2, TLS_1_2,
699 },
700 { TLS_RSA_WITH_AES_128_CBC_SHA256,
701 KEY_RSA, MODP_NONE,
702 HASH_SHA256, PRF_HMAC_SHA2_256,
703 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
704 TLS_1_2, TLS_1_2,
705 },
706 { TLS_RSA_WITH_AES_128_CBC_SHA,
707 KEY_RSA, MODP_NONE,
708 HASH_SHA256, PRF_HMAC_SHA2_256,
709 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
710 SSL_3_0, TLS_1_2,
711 },
712 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
713 KEY_RSA, MODP_NONE,
714 HASH_SHA256, PRF_HMAC_SHA2_256,
715 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
716 TLS_1_2, TLS_1_2,
717 },
718 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
719 KEY_RSA, MODP_NONE,
720 HASH_SHA256, PRF_HMAC_SHA2_256,
721 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
722 SSL_3_0, TLS_1_2,
723 },
724 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
725 KEY_RSA, MODP_NONE,
726 HASH_SHA256, PRF_HMAC_SHA2_256,
727 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
728 TLS_1_2, TLS_1_2,
729 },
730 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
731 KEY_RSA, MODP_NONE,
732 HASH_SHA256, PRF_HMAC_SHA2_256,
733 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
734 SSL_3_0, TLS_1_2,
735 },
736 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
737 KEY_ECDSA, ECP_256_BIT,
738 HASH_SHA256, PRF_HMAC_SHA2_256,
739 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
740 TLS_1_0, TLS_1_2,
741 },
742 { TLS_ECDHE_RSA_WITH_NULL_SHA,
743 KEY_ECDSA, ECP_256_BIT,
744 HASH_SHA256, PRF_HMAC_SHA2_256,
745 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
746 TLS_1_0, TLS_1_2,
747 },
748 { TLS_RSA_WITH_NULL_SHA256,
749 KEY_RSA, MODP_NONE,
750 HASH_SHA256, PRF_HMAC_SHA2_256,
751 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
752 TLS_1_2, TLS_1_2,
753 },
754 { TLS_RSA_WITH_NULL_SHA,
755 KEY_RSA, MODP_NONE,
756 HASH_SHA256, PRF_HMAC_SHA2_256,
757 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
758 SSL_3_0, TLS_1_2,
759 },
760 };
761
762 /**
763 * Look up algorithms by a suite
764 */
765 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
766 {
767 int i;
768
769 for (i = 0; i < countof(suite_algs); i++)
770 {
771 if (suite_algs[i].suite == suite)
772 {
773 return &suite_algs[i];
774 }
775 }
776 return NULL;
777 }
778
779 /**
780 * Filter a suite list using a transform enumerator
781 */
782 static void filter_suite(suite_algs_t suites[], int *count, int offset,
783 enumerator_t*(*create_enumerator)(crypto_factory_t*))
784 {
785 const char *plugin_name;
786 suite_algs_t current;
787 int *current_alg, i, remaining = 0;
788 enumerator_t *enumerator;
789
790 memset(&current, 0, sizeof(current));
791 current_alg = (int*)((char*)&current + offset);
792
793 for (i = 0; i < *count; i++)
794 {
795 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
796 encryption_algorithm_is_aead(suites[i].encr))
797 { /* filtering crypters, but current suite uses an AEAD, apply */
798 suites[remaining] = suites[i];
799 remaining++;
800 continue;
801 }
802 if (create_enumerator == lib->crypto->create_aead_enumerator &&
803 !encryption_algorithm_is_aead(suites[i].encr))
804 { /* filtering AEADs, but current suite doesn't use one, apply */
805 suites[remaining] = suites[i];
806 remaining++;
807 continue;
808 }
809 enumerator = create_enumerator(lib->crypto);
810 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
811 {
812 if (current.encr && current.encr != suites[i].encr)
813 {
814 if (suites[i].encr != ENCR_NULL)
815 { /* skip, ENCR does not match nor is NULL */
816 continue;
817 }
818 }
819 if (current.mac && current.mac != suites[i].mac)
820 {
821 if (suites[i].mac != AUTH_UNDEFINED)
822 { /* skip, MAC does not match nor is it undefined */
823 continue;
824 }
825 }
826 if (current.prf && current.prf != suites[i].prf)
827 {
828 if (suites[i].prf != PRF_UNDEFINED)
829 {
830 /* skip, PRF does not match nor is it undefined */
831 continue;
832 }
833 }
834 if (current.hash && current.hash != suites[i].hash)
835 { /* skip, hash does not match */
836 continue;
837 }
838 if (current.dh && current.dh != suites[i].dh)
839 {
840 if (suites[i].dh != MODP_NONE &&
841 !(diffie_hellman_group_is_ec(current.dh) &&
842 diffie_hellman_group_is_ec(suites[i].dh)))
843 { /* skip DH group, does not match nor NONE nor both ECDH */
844 continue;
845 }
846 }
847 /* suite supported, apply */
848 suites[remaining] = suites[i];
849 remaining++;
850 break;
851 }
852 enumerator->destroy(enumerator);
853 }
854 *count = remaining;
855 }
856
857 /**
858 * Purge NULL encryption cipher suites from list
859 */
860 static void filter_null_suites(suite_algs_t suites[], int *count)
861 {
862 int i, remaining = 0;
863
864 for (i = 0; i < *count; i++)
865 {
866 if (suites[i].encr != ENCR_NULL)
867 {
868 suites[remaining] = suites[i];
869 remaining++;
870 }
871 }
872 *count = remaining;
873 }
874
875 /**
876 * Purge suites using a given key type
877 */
878 static void filter_key_suites(private_tls_crypto_t *this,
879 suite_algs_t suites[], int *count, key_type_t key)
880 {
881 int i, remaining = 0;
882
883 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
884 for (i = 0; i < *count; i++)
885 {
886 if (suites[i].key != key)
887 {
888 suites[remaining] = suites[i];
889 remaining++;
890 }
891 }
892 *count = remaining;
893 }
894
895 /**
896 * Filter suites by key exchange user config
897 */
898 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
899 suite_algs_t suites[], int *count)
900 {
901 enumerator_t *enumerator;
902 int i, remaining = 0;
903 char *token, *config;
904
905 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
906 lib->ns);
907 if (config)
908 {
909 for (i = 0; i < *count; i++)
910 {
911 enumerator = enumerator_create_token(config, ",", " ");
912 while (enumerator->enumerate(enumerator, &token))
913 {
914 if (strcaseeq(token, "ecdhe-ecdsa") &&
915 diffie_hellman_group_is_ec(suites[i].dh) &&
916 suites[i].key == KEY_ECDSA)
917 {
918 suites[remaining++] = suites[i];
919 break;
920 }
921 if (strcaseeq(token, "ecdhe-rsa") &&
922 diffie_hellman_group_is_ec(suites[i].dh) &&
923 suites[i].key == KEY_RSA)
924 {
925 suites[remaining++] = suites[i];
926 break;
927 }
928 if (strcaseeq(token, "dhe-rsa") &&
929 !diffie_hellman_group_is_ec(suites[i].dh) &&
930 suites[i].dh != MODP_NONE &&
931 suites[i].key == KEY_RSA)
932 {
933 suites[remaining++] = suites[i];
934 break;
935 }
936 if (strcaseeq(token, "rsa") &&
937 suites[i].dh == MODP_NONE &&
938 suites[i].key == KEY_RSA)
939 {
940 suites[remaining++] = suites[i];
941 break;
942 }
943 }
944 enumerator->destroy(enumerator);
945 }
946 *count = remaining;
947 }
948 }
949
950 /**
951 * Filter suites by cipher user config
952 */
953 static void filter_cipher_config_suites(private_tls_crypto_t *this,
954 suite_algs_t suites[], int *count)
955 {
956 enumerator_t *enumerator;
957 int i, remaining = 0;
958 char *token, *config;
959
960 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
961 lib->ns);
962 if (config)
963 {
964 for (i = 0; i < *count; i++)
965 {
966 enumerator = enumerator_create_token(config, ",", " ");
967 while (enumerator->enumerate(enumerator, &token))
968 {
969 const proposal_token_t *tok;
970
971 tok = lib->proposal->get_token(lib->proposal, token);
972 if (tok != NULL && tok->type == ENCRYPTION_ALGORITHM &&
973 suites[i].encr == tok->algorithm &&
974 (!tok->keysize || suites[i].encr_size == tok->keysize / 8))
975 {
976 suites[remaining++] = suites[i];
977 break;
978 }
979 }
980 enumerator->destroy(enumerator);
981 }
982 *count = remaining;
983 }
984 }
985
986 /**
987 * Filter suites by mac user config
988 */
989 static void filter_mac_config_suites(private_tls_crypto_t *this,
990 suite_algs_t suites[], int *count)
991 {
992 enumerator_t *enumerator;
993 int i, remaining = 0;
994 char *token, *config;
995
996 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
997 lib->ns);
998 if (config)
999 {
1000 for (i = 0; i < *count; i++)
1001 {
1002 enumerator = enumerator_create_token(config, ",", " ");
1003 while (enumerator->enumerate(enumerator, &token))
1004 {
1005 if (strcaseeq(token, "sha1") &&
1006 suites[i].mac == AUTH_HMAC_SHA1_160)
1007 {
1008 suites[remaining++] = suites[i];
1009 break;
1010 }
1011 if (strcaseeq(token, "sha256") &&
1012 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1013 {
1014 suites[remaining++] = suites[i];
1015 break;
1016 }
1017 if (strcaseeq(token, "sha384") &&
1018 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1019 {
1020 suites[remaining++] = suites[i];
1021 break;
1022 }
1023 }
1024 enumerator->destroy(enumerator);
1025 }
1026 *count = remaining;
1027 }
1028 }
1029
1030 /**
1031 * Filter for specific suites specified in strongswan.conf
1032 */
1033 static void filter_specific_config_suites(private_tls_crypto_t *this,
1034 suite_algs_t suites[], int *count)
1035 {
1036 enumerator_t *enumerator;
1037 int i, remaining = 0, suite;
1038 char *token, *config;
1039
1040 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1041 lib->ns);
1042 if (config)
1043 {
1044 for (i = 0; i < *count; i++)
1045 {
1046 enumerator = enumerator_create_token(config, ",", " ");
1047 while (enumerator->enumerate(enumerator, &token))
1048 {
1049 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1050 suite == suites[i].suite)
1051 {
1052 suites[remaining++] = suites[i];
1053 break;
1054 }
1055 }
1056 enumerator->destroy(enumerator);
1057 }
1058 *count = remaining;
1059 }
1060 }
1061
1062 /**
1063 * Filter key exchange curves by curve user config
1064 */
1065 static bool filter_curve_config(tls_named_group_t curve)
1066 {
1067 enumerator_t *enumerator;
1068 char *token, *config;
1069
1070 config = lib->settings->get_str(lib->settings, "%s.tls.ke_group", NULL,
1071 lib->ns);
1072 if (config)
1073 {
1074 enumerator = enumerator_create_token(config, ",", " ");
1075 while (enumerator->enumerate(enumerator, &token))
1076 {
1077 const proposal_token_t *tok;
1078
1079 tok = lib->proposal->get_token(lib->proposal, token);
1080 if (tok != NULL && tok->type == DIFFIE_HELLMAN_GROUP &&
1081 curve == tls_ec_group_to_curve(tok->algorithm))
1082 {
1083 enumerator->destroy(enumerator);
1084 return TRUE;
1085 }
1086 }
1087 enumerator->destroy(enumerator);
1088 }
1089 return !config;
1090 }
1091
1092 /**
1093 * Filter out unsupported suites on given suite array
1094 */
1095 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1096 {
1097 /* filter suite list by each algorithm */
1098 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1099 lib->crypto->create_aead_enumerator);
1100 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1101 lib->crypto->create_prf_enumerator);
1102 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1103 lib->crypto->create_crypter_enumerator);
1104 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1105 lib->crypto->create_signer_enumerator);
1106 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1107 lib->crypto->create_hasher_enumerator);
1108 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1109 lib->crypto->create_dh_enumerator);
1110 }
1111
1112 /**
1113 * Initialize the cipher suite list
1114 */
1115 static void build_cipher_suite_list(private_tls_crypto_t *this)
1116 {
1117 suite_algs_t suites[countof(suite_algs)];
1118 tls_version_t min_version, max_version, new_min_version, new_max_version;
1119 bool require_encryption = TRUE;
1120 int count = 0, i;
1121
1122 switch (this->tls->get_purpose(this->tls))
1123 {
1124 case TLS_PURPOSE_EAP_TLS:
1125 require_encryption = FALSE;
1126 break;
1127 case TLS_PURPOSE_GENERIC:
1128 if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL)
1129 {
1130 require_encryption = FALSE;
1131 }
1132 break;
1133 default:
1134 break;
1135 }
1136
1137 min_version = this->tls->get_version_min(this->tls);
1138 max_version = this->tls->get_version_max(this->tls);
1139
1140 /* copy all suites appropriate for the current min/max versions */
1141 for (i = 0; i < countof(suite_algs); i++)
1142 {
1143 if (suite_algs[i].min_version <= max_version &&
1144 suite_algs[i].max_version >= min_version)
1145 {
1146 suites[count++] = suite_algs[i];
1147 }
1148 }
1149
1150 if (require_encryption)
1151 {
1152 filter_null_suites(suites, &count);
1153 }
1154 if (!this->rsa)
1155 {
1156 filter_key_suites(this, suites, &count, KEY_RSA);
1157 }
1158 if (!this->ecdsa)
1159 {
1160 filter_key_suites(this, suites, &count, KEY_ECDSA);
1161 }
1162
1163 filter_unsupported_suites(suites, &count);
1164
1165 /* filter suites with strongswan.conf options */
1166 filter_key_exchange_config_suites(this, suites, &count);
1167 filter_cipher_config_suites(this, suites, &count);
1168 filter_mac_config_suites(this, suites, &count);
1169 filter_specific_config_suites(this, suites, &count);
1170
1171 free(this->suites);
1172 this->suite_count = count;
1173 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1174
1175 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1176 new_min_version = max_version;
1177 new_max_version = min_version;
1178 for (i = 0; i < count; i++)
1179 {
1180 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1181 this->suites[i] = suites[i].suite;
1182
1183 /* set TLS min/max versions appropriate to the final cipher suites */
1184 new_max_version = max(new_max_version, suites[i].max_version);
1185 new_min_version = min(new_min_version, suites[i].min_version);
1186 }
1187 new_max_version = min(new_max_version, max_version);
1188 new_min_version = max(new_min_version, min_version);
1189
1190 if ((min_version != new_min_version || max_version != new_max_version) &&
1191 this->tls->set_version(this->tls, new_min_version, new_max_version))
1192 {
1193 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1194 tls_numeric_version_names, new_min_version,
1195 tls_numeric_version_names, new_max_version);
1196 }
1197 }
1198
1199 METHOD(tls_crypto_t, get_cipher_suites, int,
1200 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1201 {
1202 if (!this->suites)
1203 {
1204 build_cipher_suite_list(this);
1205 }
1206 if (suites)
1207 {
1208 *suites = this->suites;
1209 }
1210 return this->suite_count;
1211 }
1212
1213 /**
1214 * Create NULL encryption transforms
1215 */
1216 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1217 {
1218 this->aead_in = tls_aead_create_null(algs->mac);
1219 this->aead_out = tls_aead_create_null(algs->mac);
1220 if (!this->aead_in || !this->aead_out)
1221 {
1222 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1223 integrity_algorithm_names, algs->mac);
1224 return FALSE;
1225 }
1226 return TRUE;
1227 }
1228
1229 /**
1230 * Create traditional transforms
1231 */
1232 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1233 {
1234 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1235 {
1236 this->aead_in = tls_aead_create_implicit(algs->mac,
1237 algs->encr, algs->encr_size);
1238 this->aead_out = tls_aead_create_implicit(algs->mac,
1239 algs->encr, algs->encr_size);
1240 }
1241 else
1242 {
1243 this->aead_in = tls_aead_create_explicit(algs->mac,
1244 algs->encr, algs->encr_size);
1245 this->aead_out = tls_aead_create_explicit(algs->mac,
1246 algs->encr, algs->encr_size);
1247 }
1248 if (!this->aead_in || !this->aead_out)
1249 {
1250 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1251 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1252 integrity_algorithm_names, algs->mac);
1253 return FALSE;
1254 }
1255 return TRUE;
1256 }
1257
1258 /**
1259 * Create AEAD transforms
1260 */
1261 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1262 {
1263 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1264 {
1265 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1266 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1267 }
1268 else
1269 {
1270 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1271 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1272 }
1273 if (!this->aead_in || !this->aead_out)
1274 {
1275 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1276 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1277 return FALSE;
1278 }
1279 return TRUE;
1280 }
1281
1282 /**
1283 * Clean up and unset AEAD transforms
1284 */
1285 static void destroy_aeads(private_tls_crypto_t *this)
1286 {
1287 DESTROY_IF(this->aead_in);
1288 DESTROY_IF(this->aead_out);
1289 this->aead_in = this->aead_out = NULL;
1290 }
1291
1292 /**
1293 * Create crypto primitives
1294 */
1295 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1296 {
1297 destroy_aeads(this);
1298 DESTROY_IF(this->hkdf);
1299 DESTROY_IF(this->prf);
1300 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1301 {
1302 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1303 {
1304 this->prf = tls_prf_create_10();
1305 }
1306 else
1307 {
1308 this->prf = tls_prf_create_12(algs->prf);
1309 }
1310 if (!this->prf)
1311 {
1312 DBG1(DBG_TLS, "selected TLS PRF not supported");
1313 return FALSE;
1314 }
1315 }
1316 else
1317 {
1318 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1319 if (!this->hkdf)
1320 {
1321 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1322 return FALSE;
1323 }
1324 }
1325 if (algs->encr == ENCR_NULL)
1326 {
1327 if (create_null(this, algs))
1328 {
1329 return TRUE;
1330 }
1331 }
1332 else if (encryption_algorithm_is_aead(algs->encr))
1333 {
1334 if (create_aead(this, algs))
1335 {
1336 return TRUE;
1337 }
1338 }
1339 else
1340 {
1341 if (create_traditional(this, algs))
1342 {
1343 return TRUE;
1344 }
1345 }
1346 destroy_aeads(this);
1347 return FALSE;
1348 }
1349
1350 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1351 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1352 key_type_t key)
1353 {
1354 suite_algs_t *algs;
1355 int i, j;
1356
1357 for (i = 0; i < this->suite_count; i++)
1358 {
1359 for (j = 0; j < count; j++)
1360 {
1361 if (this->suites[i] == suites[j])
1362 {
1363 algs = find_suite(this->suites[i]);
1364 if (algs)
1365 {
1366 if (key == KEY_ANY || key == algs->key ||
1367 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1368 (algs->key == KEY_ECDSA && key == KEY_ED448))
1369 {
1370 if (create_ciphers(this, algs))
1371 {
1372 this->suite = this->suites[i];
1373 return this->suite;
1374 }
1375 }
1376 }
1377 }
1378 }
1379 }
1380 return 0;
1381 }
1382
1383 /**
1384 * Parameters for RSA/PSS signature schemes
1385 */
1386 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1387 .hash = HASH_SHA##bits, \
1388 .mgf1_hash = HASH_SHA##bits, \
1389 .salt_len = HASH_SIZE_SHA##bits, \
1390 }
1391
1392 PSS_PARAMS(256);
1393 PSS_PARAMS(384);
1394 PSS_PARAMS(512);
1395
1396 typedef struct {
1397 tls_signature_scheme_t sig;
1398 signature_params_t params;
1399 /* min/max versions for use in CertificateVerify */
1400 tls_version_t min_version;
1401 tls_version_t max_version;
1402 } scheme_algs_t;
1403
1404 /**
1405 * Map TLS signature schemes, ordered by preference
1406 */
1407 static scheme_algs_t schemes[] = {
1408 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1409 TLS_1_0, TLS_1_3 },
1410 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1411 TLS_1_0, TLS_1_3 },
1412 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1413 TLS_1_0, TLS_1_3 },
1414 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1415 TLS_1_0, TLS_1_3 },
1416 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1417 TLS_1_0, TLS_1_3 },
1418 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1419 TLS_1_2, TLS_1_3 },
1420 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1421 TLS_1_2, TLS_1_3 },
1422 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1423 TLS_1_2, TLS_1_3 },
1424 /* the parameters for the next three should actually be taken from the
1425 * public key, we currently don't have an API for that, so assume defaults */
1426 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1427 TLS_1_2, TLS_1_3 },
1428 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1429 TLS_1_2, TLS_1_3 },
1430 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1431 TLS_1_2, TLS_1_3 },
1432 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1433 TLS_1_0, TLS_1_2 },
1434 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1435 TLS_1_0, TLS_1_2 },
1436 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1437 TLS_1_0, TLS_1_2 },
1438 };
1439
1440 /**
1441 * Filter signature scheme config
1442 */
1443 static bool filter_signature_scheme_config(tls_signature_scheme_t signature)
1444 {
1445 enumerator_t *enumerator;
1446 char *token, *config;
1447
1448 config = lib->settings->get_str(lib->settings, "%s.tls.signature", NULL,
1449 lib->ns);
1450 if (config)
1451 {
1452 enumerator = enumerator_create_token(config, ",", " ");
1453 while (enumerator->enumerate(enumerator, &token))
1454 {
1455 tls_signature_scheme_t sig;
1456
1457 if (enum_from_name(tls_signature_scheme_names, token, &sig) &&
1458 sig == signature)
1459 {
1460 enumerator->destroy(enumerator);
1461 return TRUE;
1462 }
1463 }
1464 enumerator->destroy(enumerator);
1465 }
1466 return !config;
1467 }
1468
1469 METHOD(tls_crypto_t, get_signature_algorithms, void,
1470 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1471 {
1472 bio_writer_t *supported;
1473 tls_version_t min_version, max_version;
1474 int i;
1475
1476 supported = bio_writer_create(32);
1477
1478 if (!cert)
1479 {
1480 min_version = this->tls->get_version_min(this->tls);
1481 max_version = this->tls->get_version_max(this->tls);
1482 }
1483
1484 for (i = 0; i < countof(schemes); i++)
1485 {
1486 if ((cert || (schemes[i].min_version <= max_version &&
1487 schemes[i].max_version >= min_version)) &&
1488 lib->plugins->has_feature(lib->plugins,
1489 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)) &&
1490 filter_signature_scheme_config(schemes[i].sig))
1491 {
1492 supported->write_uint16(supported, schemes[i].sig);
1493 }
1494 }
1495
1496 writer->write_data16(writer, supported->get_buf(supported));
1497 supported->destroy(supported);
1498 }
1499
1500 /**
1501 * Get the signature parameters from a TLS signature scheme
1502 */
1503 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1504 bool sign)
1505 {
1506 int i;
1507
1508 for (i = 0; i < countof(schemes); i++)
1509 {
1510 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1511 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1512 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1513 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1514 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1515 {
1516 continue;
1517 }
1518 if (schemes[i].sig == sig)
1519 {
1520 return &schemes[i].params;
1521 }
1522 }
1523 return NULL;
1524 }
1525
1526 /**
1527 * Mapping groups to TLS named curves
1528 */
1529 static struct {
1530 diffie_hellman_group_t group;
1531 tls_named_group_t curve;
1532 } curves[] = {
1533 { ECP_256_BIT, TLS_SECP256R1},
1534 { ECP_384_BIT, TLS_SECP384R1},
1535 { ECP_521_BIT, TLS_SECP521R1},
1536 { ECP_224_BIT, TLS_SECP224R1},
1537 { ECP_192_BIT, TLS_SECP192R1},
1538 { CURVE_25519, TLS_CURVE25519},
1539 { CURVE_448, TLS_CURVE448},
1540 };
1541
1542 CALLBACK(group_filter, bool,
1543 void *null, enumerator_t *orig, va_list args)
1544 {
1545 diffie_hellman_group_t group, *group_out;
1546 tls_named_group_t curve, *curve_out;
1547 char *plugin;
1548
1549 VA_ARGS_VGET(args, group_out, curve_out);
1550
1551 while (orig->enumerate(orig, &group, &plugin))
1552 {
1553 curve = tls_ec_group_to_curve(group);
1554 if (curve)
1555 {
1556 if (group_out)
1557 {
1558 *group_out = group;
1559 }
1560 if (curve_out)
1561 {
1562 *curve_out = curve;
1563 }
1564 return TRUE;
1565 }
1566 }
1567 return FALSE;
1568 }
1569
1570 CALLBACK(config_filter, bool,
1571 void *null, enumerator_t *orig, va_list args)
1572 {
1573 diffie_hellman_group_t group, *group_out;
1574 tls_named_group_t curve, *curve_out;
1575
1576 VA_ARGS_VGET(args, group_out, curve_out);
1577
1578 while (orig->enumerate(orig, &group, &curve))
1579 {
1580 if (filter_curve_config(curve))
1581
1582 {
1583 if (group_out)
1584 {
1585 *group_out = group;
1586 }
1587 if (curve_out)
1588 {
1589 *curve_out = curve;
1590 }
1591 return TRUE;
1592 }
1593 }
1594 return FALSE;
1595 }
1596
1597 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1598 private_tls_crypto_t *this)
1599 {
1600 return enumerator_create_filter(
1601 enumerator_create_filter(
1602 lib->crypto->create_dh_enumerator(lib->crypto),
1603 group_filter, NULL, NULL),
1604 config_filter, NULL, NULL);
1605 }
1606
1607 /**
1608 * Check if the given ECDH group is supported or return the first one we
1609 * actually do support.
1610 */
1611 static diffie_hellman_group_t supported_ec_group(private_tls_crypto_t *this,
1612 diffie_hellman_group_t orig)
1613 {
1614 diffie_hellman_group_t current, first = MODP_NONE;
1615 enumerator_t *enumerator;
1616
1617 enumerator = create_ec_enumerator(this);
1618 while (enumerator->enumerate(enumerator, &current, NULL))
1619 {
1620 if (current == orig)
1621 {
1622 enumerator->destroy(enumerator);
1623 return orig;
1624 }
1625 else if (first == MODP_NONE)
1626 {
1627 first = current;
1628 }
1629 }
1630 enumerator->destroy(enumerator);
1631 return first;
1632 }
1633
1634 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1635 private_tls_crypto_t *this)
1636 {
1637 suite_algs_t *algs;
1638
1639 algs = find_suite(this->suite);
1640 if (algs)
1641 {
1642 if (diffie_hellman_group_is_ec(algs->dh))
1643 {
1644 return supported_ec_group(this, algs->dh);
1645 }
1646 return algs->dh;
1647 }
1648 return MODP_NONE;
1649 }
1650
1651 METHOD(tls_crypto_t, set_protection, void,
1652 private_tls_crypto_t *this, tls_protection_t *protection)
1653 {
1654 this->protection = protection;
1655 }
1656
1657 METHOD(tls_crypto_t, append_handshake, void,
1658 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1659 {
1660 uint32_t header;
1661
1662 /* reconstruct handshake header */
1663 header = htonl(data.len | (type << 24));
1664 this->handshake = chunk_cat("mcc", this->handshake,
1665 chunk_from_thing(header), data);
1666 }
1667
1668 /**
1669 * Create a hash using the suites HASH algorithm
1670 */
1671 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1672 {
1673 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1674 {
1675 hasher_t *hasher;
1676 suite_algs_t *alg;
1677
1678 alg = find_suite(this->suite);
1679 if (!alg)
1680 {
1681 return FALSE;
1682 }
1683 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1684 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1685 {
1686 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1687 DESTROY_IF(hasher);
1688 return FALSE;
1689 }
1690 hasher->destroy(hasher);
1691 }
1692 else
1693 {
1694 hasher_t *md5, *sha1;
1695 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1696
1697 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1698 if (!md5 || !md5->get_hash(md5, data, buf))
1699 {
1700 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1701 DESTROY_IF(md5);
1702 return FALSE;
1703 }
1704 md5->destroy(md5);
1705 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1706 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1707 {
1708 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1709 DESTROY_IF(sha1);
1710 return FALSE;
1711 }
1712 sha1->destroy(sha1);
1713
1714 *hash = chunk_clone(chunk_from_thing(buf));
1715 }
1716 return TRUE;
1717 }
1718
1719 METHOD(tls_crypto_t, hash_handshake, bool,
1720 private_tls_crypto_t *this, chunk_t *out)
1721 {
1722 chunk_t hash;
1723
1724 if (!hash_data(this, this->handshake, &hash))
1725 {
1726 return FALSE;
1727 }
1728
1729 chunk_free(&this->handshake);
1730 append_handshake(this, TLS_MESSAGE_HASH, hash);
1731
1732 if (out)
1733 {
1734 *out = hash;
1735 }
1736 else
1737 {
1738 free(hash.ptr);
1739 }
1740 return TRUE;
1741 }
1742
1743 /**
1744 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1745 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1746 */
1747 static chunk_t tls13_sig_data_server = chunk_from_chars(
1748 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1749 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1750 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1751 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1752 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1753 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1754 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1755 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1756 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1757 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1758 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1759 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1760 0x79, 0x00,
1761 );
1762
1763 /**
1764 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1765 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1766 */
1767 static chunk_t tls13_sig_data_client = chunk_from_chars(
1768 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1769 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1770 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1771 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1772 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1773 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1774 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1775 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1776 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1777 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1778 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1779 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1780 0x79, 0x00,
1781 );
1782
1783 METHOD(tls_crypto_t, sign, bool,
1784 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1785 chunk_t data, chunk_t hashsig)
1786 {
1787 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1788 {
1789 /* fallback to SHA1/RSA and SHA1/ECDSA */
1790 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1791 signature_params_t *params;
1792 key_type_t type;
1793 uint16_t scheme;
1794 bio_reader_t *reader;
1795 chunk_t sig;
1796 bool done = FALSE;
1797
1798 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1799 {
1800 chunk_t transcript_hash;
1801
1802 if (!hash_data(this, data, &transcript_hash))
1803 {
1804 DBG1(DBG_TLS, "unable to create transcript hash");
1805 return FALSE;
1806 }
1807 if (this->tls->is_server(this->tls))
1808 {
1809 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1810 }
1811 else
1812 {
1813 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1814 }
1815 }
1816
1817 if (!hashsig.len)
1818 { /* fallback if none given */
1819 hashsig = hashsig_def;
1820 }
1821 type = key->get_type(key);
1822 reader = bio_reader_create(hashsig);
1823 while (reader->remaining(reader) >= 2)
1824 {
1825 if (reader->read_uint16(reader, &scheme))
1826 {
1827 params = params_for_scheme(scheme, TRUE);
1828 if (params &&
1829 type == key_type_from_signature_scheme(params->scheme) &&
1830 key->sign(key, params->scheme, params->params, data, &sig))
1831 {
1832 done = TRUE;
1833 break;
1834 }
1835 }
1836 }
1837 reader->destroy(reader);
1838 if (!done)
1839 {
1840 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1841 return FALSE;
1842 }
1843 DBG2(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1844 scheme);
1845 writer->write_uint16(writer, scheme);
1846 writer->write_data16(writer, sig);
1847 free(sig.ptr);
1848 }
1849 else
1850 {
1851 chunk_t sig, hash;
1852 bool done;
1853
1854 switch (key->get_type(key))
1855 {
1856 case KEY_RSA:
1857 if (!hash_data(this, data, &hash))
1858 {
1859 return FALSE;
1860 }
1861 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1862 &sig);
1863 free(hash.ptr);
1864 if (!done)
1865 {
1866 return FALSE;
1867 }
1868 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1869 break;
1870 case KEY_ECDSA:
1871 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1872 {
1873 return FALSE;
1874 }
1875 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1876 break;
1877 case KEY_ED25519:
1878 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1879 {
1880 return FALSE;
1881 }
1882 DBG2(DBG_TLS, "created signature with Ed25519");
1883 break;
1884 case KEY_ED448:
1885 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1886 {
1887 return FALSE;
1888 }
1889 DBG2(DBG_TLS, "created signature with Ed448");
1890 break;
1891 default:
1892 return FALSE;
1893 }
1894 writer->write_data16(writer, sig);
1895 free(sig.ptr);
1896 }
1897 return TRUE;
1898 }
1899
1900 METHOD(tls_crypto_t, verify, bool,
1901 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1902 chunk_t data)
1903 {
1904 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1905 {
1906 signature_params_t *params;
1907 uint16_t scheme;
1908 chunk_t sig;
1909
1910 if (!reader->read_uint16(reader, &scheme) ||
1911 !reader->read_data16(reader, &sig))
1912 {
1913 DBG1(DBG_TLS, "received invalid signature");
1914 return FALSE;
1915 }
1916 params = params_for_scheme(scheme, FALSE);
1917 if (!params)
1918 {
1919 DBG1(DBG_TLS, "signature algorithms %N not supported",
1920 tls_signature_scheme_names, scheme);
1921 return FALSE;
1922 }
1923 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1924 {
1925 chunk_t transcript_hash;
1926
1927 if (!hash_data(this, data, &transcript_hash))
1928 {
1929 DBG1(DBG_TLS, "Unable to create transcript hash");
1930 return FALSE;
1931 }
1932
1933 if (this->tls->is_server(this->tls))
1934 {
1935 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1936 }
1937 else
1938 {
1939 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1940 }
1941 }
1942 if (!key->verify(key, params->scheme, params->params, data, sig))
1943 {
1944 DBG1(DBG_TLS, "signature verification with %N failed",
1945 tls_signature_scheme_names, scheme);
1946 return FALSE;
1947 }
1948 DBG2(DBG_TLS, "verified signature with %N",
1949 tls_signature_scheme_names, scheme);
1950 }
1951 else
1952 {
1953 chunk_t sig, hash;
1954 bool done;
1955
1956 if (!reader->read_data16(reader, &sig))
1957 {
1958 DBG1(DBG_TLS, "received invalid signature");
1959 return FALSE;
1960 }
1961 switch (key->get_type(key))
1962 {
1963 case KEY_RSA:
1964 if (!hash_data(this, data, &hash))
1965 {
1966 return FALSE;
1967 }
1968 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1969 sig);
1970 free(hash.ptr);
1971 if (!done)
1972 {
1973 return FALSE;
1974 }
1975 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1976 break;
1977 case KEY_ECDSA:
1978 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1979 sig))
1980 {
1981 return FALSE;
1982 }
1983 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1984 break;
1985 case KEY_ED25519:
1986 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
1987 {
1988 return FALSE;
1989 }
1990 DBG2(DBG_TLS, "verified signature with Ed25519");
1991 break;
1992 case KEY_ED448:
1993 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
1994 {
1995 return FALSE;
1996 }
1997 DBG2(DBG_TLS, "verified signature with Ed448");
1998 break;
1999 default:
2000 return FALSE;
2001 }
2002 }
2003 return TRUE;
2004 }
2005
2006 METHOD(tls_crypto_t, sign_handshake, bool,
2007 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
2008 chunk_t hashsig)
2009 {
2010 return sign(this, key, writer, this->handshake, hashsig);
2011 }
2012
2013 METHOD(tls_crypto_t, verify_handshake, bool,
2014 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
2015 {
2016 return verify(this, key, reader, this->handshake);
2017 }
2018
2019 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
2020 private_tls_crypto_t *this, char *label, char out[12])
2021 {
2022 chunk_t seed;
2023
2024 if (!this->prf)
2025 {
2026 return FALSE;
2027 }
2028 if (!hash_data(this, this->handshake, &seed))
2029 {
2030 return FALSE;
2031 }
2032 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
2033 {
2034 free(seed.ptr);
2035 return FALSE;
2036 }
2037 free(seed.ptr);
2038 return TRUE;
2039 }
2040
2041 METHOD(tls_crypto_t, calculate_finished, bool,
2042 private_tls_crypto_t *this, bool server, chunk_t *out)
2043 {
2044 chunk_t finished_key, finished_hash;
2045
2046 if (!this->hkdf)
2047 {
2048 return FALSE;
2049 }
2050 if (!hash_data(this, this->handshake, &finished_hash))
2051 {
2052 DBG1(DBG_TLS, "creating hash of handshake failed");
2053 return FALSE;
2054 }
2055 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2056 {
2057 DBG1(DBG_TLS, "generating finished key failed");
2058 chunk_clear(&finished_hash);
2059 return FALSE;
2060 }
2061 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2062 {
2063 DBG1(DBG_TLS, "generating finished HMAC failed");
2064 chunk_clear(&finished_key);
2065 chunk_clear(&finished_hash);
2066 return FALSE;
2067 }
2068 chunk_clear(&finished_key);
2069 chunk_clear(&finished_hash);
2070 return TRUE;
2071 }
2072
2073 /**
2074 * Derive master secret from premaster, optionally save session
2075 */
2076 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2077 chunk_t session, identification_t *id,
2078 chunk_t client_random, chunk_t server_random)
2079 {
2080 char master[48];
2081 chunk_t seed;
2082
2083 /* derive master secret */
2084 seed = chunk_cata("cc", client_random, server_random);
2085
2086 if (!this->prf->set_key(this->prf, premaster) ||
2087 !this->prf->get_bytes(this->prf, "master secret", seed,
2088 sizeof(master), master) ||
2089 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2090 {
2091 return FALSE;
2092 }
2093
2094 if (this->cache && session.len)
2095 {
2096 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2097 this->suite);
2098 }
2099 memwipe(master, sizeof(master));
2100 return TRUE;
2101 }
2102
2103 /**
2104 * Expand key material from master secret
2105 */
2106 static bool expand_keys(private_tls_crypto_t *this,
2107 chunk_t client_random, chunk_t server_random)
2108 {
2109 chunk_t seed, block;
2110 chunk_t cw_mac, cw, cw_iv;
2111 chunk_t sw_mac, sw, sw_iv;
2112 int mklen, eklen, ivlen;
2113
2114 if (!this->aead_in || !this->aead_out)
2115 {
2116 return FALSE;
2117 }
2118
2119 /* derive key block for key expansion */
2120 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2121 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2122 ivlen = this->aead_in->get_iv_size(this->aead_in);
2123 seed = chunk_cata("cc", server_random, client_random);
2124 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2125 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2126 block.len, block.ptr))
2127 {
2128 return FALSE;
2129 }
2130
2131 /* client/server write signer keys */
2132 cw_mac = chunk_create(block.ptr, mklen);
2133 block = chunk_skip(block, mklen);
2134 sw_mac = chunk_create(block.ptr, mklen);
2135 block = chunk_skip(block, mklen);
2136
2137 /* client/server write encryption keys */
2138 cw = chunk_create(block.ptr, eklen);
2139 block = chunk_skip(block, eklen);
2140 sw = chunk_create(block.ptr, eklen);
2141 block = chunk_skip(block, eklen);
2142
2143 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2144 cw_iv = chunk_create(block.ptr, ivlen);
2145 block = chunk_skip(block, ivlen);
2146 sw_iv = chunk_create(block.ptr, ivlen);
2147 block = chunk_skip(block, ivlen);
2148
2149 if (this->tls->is_server(this->tls))
2150 {
2151 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2152 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2153 {
2154 return FALSE;
2155 }
2156 }
2157 else
2158 {
2159 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2160 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2161 {
2162 return FALSE;
2163 }
2164 }
2165
2166 /* EAP-MSK */
2167 if (this->msk_label)
2168 {
2169 seed = chunk_cata("cc", client_random, server_random);
2170 this->msk = chunk_alloc(64);
2171 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2172 this->msk.len, this->msk.ptr))
2173 {
2174 return FALSE;
2175 }
2176 }
2177 return TRUE;
2178 }
2179
2180 METHOD(tls_crypto_t, derive_secrets, bool,
2181 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2182 identification_t *id, chunk_t client_random, chunk_t server_random)
2183 {
2184 return derive_master(this, premaster, session, id,
2185 client_random, server_random) &&
2186 expand_keys(this, client_random, server_random);
2187 }
2188
2189 /**
2190 * Derive and configure the client/server key/IV on an AEAD using a given label.
2191 */
2192 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2193 tls_hkdf_label_t label, tls_aead_t *aead)
2194 {
2195 chunk_t key = chunk_empty, iv = chunk_empty;
2196 bool success = FALSE;
2197
2198 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2199 NULL) ||
2200 !this->hkdf->derive_key(this->hkdf, server,
2201 aead->get_encr_key_size(aead), &key) ||
2202 !this->hkdf->derive_iv(this->hkdf, server,
2203 aead->get_iv_size(aead), &iv))
2204 {
2205 DBG1(DBG_TLS, "deriving key material failed");
2206 goto out;
2207 }
2208
2209 if (!aead->set_keys(aead, chunk_empty, key, iv))
2210 {
2211 DBG1(DBG_TLS, "setting AEAD key material failed");
2212 goto out;
2213 }
2214 success = TRUE;
2215
2216 out:
2217 chunk_clear(&key);
2218 chunk_clear(&iv);
2219 return success;
2220 }
2221
2222 /**
2223 * Derive and configure the keys/IVs using the given labels.
2224 */
2225 static bool derive_labeled_keys(private_tls_crypto_t *this,
2226 tls_hkdf_label_t client_label,
2227 tls_hkdf_label_t server_label)
2228 {
2229 tls_aead_t *aead_c, *aead_s;
2230 suite_algs_t *algs;
2231
2232 algs = find_suite(this->suite);
2233 destroy_aeads(this);
2234 if (!create_aead(this, algs))
2235 {
2236 return FALSE;
2237 }
2238 aead_c = this->aead_out;
2239 aead_s = this->aead_in;
2240 if (this->tls->is_server(this->tls))
2241 {
2242 aead_c = this->aead_in;
2243 aead_s = this->aead_out;
2244 }
2245 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2246 derive_labeled_key(this, TRUE, server_label, aead_s);
2247 }
2248
2249 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2250 private_tls_crypto_t *this, chunk_t shared_secret)
2251 {
2252 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2253 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2254 TLS_HKDF_S_HS_TRAFFIC);
2255 }
2256
2257 METHOD(tls_crypto_t, derive_app_keys, bool,
2258 private_tls_crypto_t *this)
2259 {
2260 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2261 TLS_HKDF_S_AP_TRAFFIC))
2262 {
2263 return FALSE;
2264 }
2265
2266 /* EAP-MSK */
2267 if (this->msk_label)
2268 {
2269 /* because the length is encoded when expanding key material, we
2270 * request the same number of bytes as FreeRADIUS (the first 64 for
2271 * the MSK, the next for the EMSK, which we just ignore) */
2272 if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
2273 this->handshake, 128, &this->msk))
2274 {
2275 return FALSE;
2276 }
2277 this->msk.len = 64;
2278 }
2279 return TRUE;
2280 }
2281
2282 METHOD(tls_crypto_t, update_app_keys, bool,
2283 private_tls_crypto_t *this, bool inbound)
2284 {
2285 suite_algs_t *algs;
2286 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2287
2288 algs = find_suite(this->suite);
2289 destroy_aeads(this);
2290 if (!create_aead(this, algs))
2291 {
2292 return FALSE;
2293 }
2294 if (this->tls->is_server(this->tls) != inbound)
2295 {
2296 label = TLS_HKDF_UPD_S_TRAFFIC;
2297 }
2298 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2299 inbound ? this->aead_in : this->aead_out);
2300 }
2301
2302 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2303 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2304 chunk_t client_random, chunk_t server_random)
2305 {
2306 chunk_t master;
2307
2308 if (this->cache && session.len)
2309 {
2310 this->suite = this->cache->lookup(this->cache, session, id, &master);
2311 if (this->suite)
2312 {
2313 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2314 if (this->suite)
2315 {
2316 if (!this->prf->set_key(this->prf, master) ||
2317 !expand_keys(this, client_random, server_random))
2318 {
2319 this->suite = 0;
2320 }
2321 }
2322 chunk_clear(&master);
2323 }
2324 return this->suite;
2325 }
2326 return 0;
2327 }
2328
2329 METHOD(tls_crypto_t, get_session, chunk_t,
2330 private_tls_crypto_t *this, identification_t *server)
2331 {
2332 if (this->cache)
2333 {
2334 return this->cache->check(this->cache, server);
2335 }
2336 return chunk_empty;
2337 }
2338
2339 METHOD(tls_crypto_t, change_cipher, void,
2340 private_tls_crypto_t *this, bool inbound)
2341 {
2342 if (this->protection)
2343 {
2344 if (inbound)
2345 {
2346 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2347 this->aead_in = NULL;
2348 }
2349 else
2350 {
2351 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2352 this->aead_out = NULL;
2353 }
2354 }
2355 }
2356
2357 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2358 private_tls_crypto_t *this)
2359 {
2360 return this->msk;
2361 }
2362
2363 METHOD(tls_crypto_t, destroy, void,
2364 private_tls_crypto_t *this)
2365 {
2366 destroy_aeads(this);
2367 free(this->handshake.ptr);
2368 free(this->msk.ptr);
2369 DESTROY_IF(this->prf);
2370 DESTROY_IF(this->hkdf);
2371 free(this->suites);
2372 free(this);
2373 }
2374
2375 /**
2376 * See header
2377 */
2378 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2379 {
2380 private_tls_crypto_t *this;
2381 enumerator_t *enumerator;
2382 credential_type_t type;
2383 int subtype;
2384
2385 INIT(this,
2386 .public = {
2387 .get_cipher_suites = _get_cipher_suites,
2388 .select_cipher_suite = _select_cipher_suite,
2389 .get_dh_group = _get_dh_group,
2390 .get_signature_algorithms = _get_signature_algorithms,
2391 .create_ec_enumerator = _create_ec_enumerator,
2392 .set_protection = _set_protection,
2393 .append_handshake = _append_handshake,
2394 .hash_handshake = _hash_handshake,
2395 .sign = _sign,
2396 .verify = _verify,
2397 .sign_handshake = _sign_handshake,
2398 .verify_handshake = _verify_handshake,
2399 .calculate_finished_legacy = _calculate_finished_legacy,
2400 .calculate_finished = _calculate_finished,
2401 .derive_secrets = _derive_secrets,
2402 .derive_handshake_keys = _derive_handshake_keys,
2403 .derive_app_keys = _derive_app_keys,
2404 .update_app_keys = _update_app_keys,
2405 .resume_session = _resume_session,
2406 .get_session = _get_session,
2407 .change_cipher = _change_cipher,
2408 .get_eap_msk = _get_eap_msk,
2409 .destroy = _destroy,
2410 },
2411 .tls = tls,
2412 .cache = cache,
2413 );
2414
2415 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2416 * separation would be welcome. */
2417 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2418 while (enumerator->enumerate(enumerator, &type, &subtype))
2419 {
2420 if (type == CRED_PUBLIC_KEY)
2421 {
2422 switch (subtype)
2423 {
2424 case KEY_RSA:
2425 this->rsa = TRUE;
2426 break;
2427 case KEY_ECDSA:
2428 case KEY_ED25519:
2429 case KEY_ED448:
2430 this->ecdsa = TRUE;
2431 break;
2432 default:
2433 break;
2434 }
2435 }
2436 }
2437 enumerator->destroy(enumerator);
2438
2439 switch (tls->get_purpose(tls))
2440 {
2441 case TLS_PURPOSE_EAP_TLS:
2442 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2443 this->msk_label = "client EAP encryption";
2444 break;
2445 case TLS_PURPOSE_EAP_PEAP:
2446 this->msk_label = "client EAP encryption";
2447 break;
2448 case TLS_PURPOSE_EAP_TTLS:
2449 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2450 this->msk_label = "ttls keying material";
2451 break;
2452 default:
2453 break;
2454 }
2455 return &this->public;
2456 }
2457
2458 /**
2459 * See header.
2460 */
2461 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2462 tls_cipher_suite_t **out)
2463 {
2464 suite_algs_t suites[countof(suite_algs)];
2465 int count = 0, i;
2466
2467 /* initialize copy of suite list */
2468 for (i = 0; i < countof(suite_algs); i++)
2469 {
2470 if (suite_algs[i].min_version <= version &&
2471 suite_algs[i].max_version >= version)
2472 {
2473 suites[count++] = suite_algs[i];
2474 }
2475 }
2476
2477 filter_unsupported_suites(suites, &count);
2478
2479 if (!null)
2480 {
2481 filter_null_suites(suites, &count);
2482 }
2483
2484 if (out)
2485 {
2486 *out = calloc(count, sizeof(tls_cipher_suite_t));
2487 for (i = 0; i < count; i++)
2488 {
2489 (*out)[i] = suites[i].suite;
2490 }
2491 }
2492 return count;
2493 }
2494
2495 /**
2496 * See header.
2497 */
2498 int tls_crypto_get_supported_groups(diffie_hellman_group_t **out)
2499 {
2500 enumerator_t *enumerator;
2501 diffie_hellman_group_t groups[countof(curves)];
2502 diffie_hellman_group_t group;
2503 tls_named_group_t curve;
2504 int count = 0, i;
2505
2506 enumerator = enumerator_create_filter(
2507 lib->crypto->create_dh_enumerator(lib->crypto),
2508 group_filter, NULL, NULL);
2509
2510 while (enumerator->enumerate(enumerator, &group, &curve))
2511 {
2512 groups[count++] = group;
2513 }
2514 enumerator->destroy(enumerator);
2515
2516 if (out)
2517 {
2518 *out = calloc(count, sizeof(diffie_hellman_group_t));
2519 for (i = 0; i < count; i++)
2520 {
2521 (*out)[i] = groups[i];
2522 }
2523 }
2524 return count;
2525 }
2526
2527 /**
2528 * See header.
2529 */
2530 int tls_crypto_get_supported_signatures(tls_version_t version,
2531 tls_signature_scheme_t **out)
2532 {
2533 scheme_algs_t sigs[countof(schemes)];
2534 int count = 0, i;
2535
2536 /* initialize copy of signature scheme list */
2537 for (i = 0; i < countof(schemes); i++)
2538 {
2539 /* only RSA_PSS_RSAE schemes supported for signing and verifying */
2540 if (schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
2541 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
2542 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA512)
2543 {
2544 continue;
2545 }
2546 if (schemes[i].min_version <= version &&
2547 schemes[i].max_version >= version &&
2548 lib->plugins->has_feature(lib->plugins,
2549 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
2550 {
2551 sigs[count++] = schemes[i];
2552 }
2553 }
2554
2555 if (out)
2556 {
2557 *out = calloc(count, sizeof(tls_signature_scheme_t));
2558 for (i = 0; i < count; i++)
2559 {
2560 (*out)[i] = sigs[i].sig;
2561 }
2562 }
2563 return count;
2564 }
2565
2566 /**
2567 * See header.
2568 */
2569 tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group)
2570 {
2571 int i;
2572
2573 for (i = 0; i < countof(curves); i++)
2574 {
2575 if (curves[i].group == group)
2576 {
2577 return curves[i].curve;
2578 }
2579 }
2580 return 0;
2581 }
2582
2583 /**
2584 * See header.
2585 */
2586 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2587 {
2588 int i;
2589
2590 for (i = 0; i < countof(schemes); i++)
2591 {
2592 if (schemes[i].sig == sig)
2593 {
2594 return key_type_from_signature_scheme(schemes[i].params.scheme);
2595 }
2596 }
2597 return 0;
2598 }
2599
2600 /**
2601 * Hashtable hash function
2602 */
2603 static u_int hash_key_type(key_type_t *type)
2604 {
2605 return chunk_hash(chunk_from_thing(*type));
2606 }
2607
2608 /**
2609 * Hashtable equals function
2610 */
2611 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2612 {
2613 return *key1 == *key2;
2614 }
2615
2616 CALLBACK(filter_key_types, bool,
2617 void *data, enumerator_t *orig, va_list args)
2618 {
2619 key_type_t *key_type, *out;
2620
2621 VA_ARGS_VGET(args, out);
2622
2623 if (orig->enumerate(orig, NULL, &key_type))
2624 {
2625 *out = *key_type;
2626 return TRUE;
2627 }
2628 return FALSE;
2629 }
2630
2631 CALLBACK(destroy_key_types, void,
2632 hashtable_t *ht)
2633 {
2634 ht->destroy_function(ht, (void*)free);
2635 }
2636
2637 /**
2638 * Create an enumerator over supported key types within a specific TLS range
2639 */
2640 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2641 tls_version_t max_version)
2642 {
2643 hashtable_t *ht;
2644 key_type_t *type, lookup;
2645 int i;
2646
2647 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2648 (hashtable_equals_t)equals_key_type, 4);
2649 for (i = 0; i < countof(schemes); i++)
2650 {
2651 if (schemes[i].min_version <= max_version &&
2652 schemes[i].max_version >= min_version)
2653 {
2654 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2655 if (!ht->get(ht, &lookup))
2656 {
2657 type = malloc_thing(key_type_t);
2658 *type = lookup;
2659 ht->put(ht, type, type);
2660 }
2661 }
2662 }
2663 return enumerator_create_filter(ht->create_enumerator(ht),
2664 filter_key_types, ht, destroy_key_types);
2665 }
2666
2667 /**
2668 * Create an array of an intersection of server and peer supported key types
2669 */
2670 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2671 {
2672 array_t *key_types;
2673 key_type_t v, lookup;
2674 uint16_t sig_scheme;
2675
2676 key_types = array_create(sizeof(key_type_t), 8);
2677 while (enumerator->enumerate(enumerator, &v))
2678 {
2679 bio_reader_t *reader;
2680
2681 reader = bio_reader_create(hashsig);
2682 while (reader->remaining(reader) &&
2683 reader->read_uint16(reader, &sig_scheme))
2684 {
2685 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2686 if (v == lookup)
2687 {
2688 array_insert(key_types, ARRAY_TAIL, &lookup);
2689 break;
2690 }
2691 }
2692 reader->destroy(reader);
2693 }
2694 return key_types;
2695 }
2696
2697 typedef struct {
2698 enumerator_t public;
2699 array_t *key_types;
2700 identification_t *peer;
2701 private_key_t *key;
2702 auth_cfg_t *auth;
2703 } private_key_enumerator_t;
2704
2705 METHOD(enumerator_t, private_key_enumerate, bool,
2706 private_key_enumerator_t *this, va_list args)
2707 {
2708 key_type_t type;
2709 auth_cfg_t **auth_out;
2710 private_key_t **key_out;
2711
2712 VA_ARGS_VGET(args, key_out, auth_out);
2713
2714 DESTROY_IF(this->key);
2715 DESTROY_IF(this->auth);
2716 this->auth = auth_cfg_create();
2717
2718 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2719 {
2720 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2721 this->auth);
2722 if (this->key)
2723 {
2724 *key_out = this->key;
2725 if (auth_out)
2726 {
2727 *auth_out = this->auth;
2728 }
2729 return TRUE;
2730 }
2731 }
2732 return FALSE;
2733 }
2734
2735 METHOD(enumerator_t, private_key_destroy, void,
2736 private_key_enumerator_t *this)
2737 {
2738 DESTROY_IF(this->key);
2739 DESTROY_IF(this->auth);
2740 array_destroy(this->key_types);
2741 free(this);
2742 }
2743
2744 /**
2745 * See header.
2746 */
2747 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2748 tls_version_t max_version,
2749 chunk_t hashsig,
2750 identification_t *peer)
2751 {
2752 private_key_enumerator_t *enumerator;
2753 enumerator_t *key_types;
2754
2755 key_types = get_supported_key_types(min_version, max_version);
2756
2757 INIT(enumerator,
2758 .public = {
2759 .enumerate = enumerator_enumerate_default,
2760 .venumerate = _private_key_enumerate,
2761 .destroy = _private_key_destroy,
2762 },
2763 .key_types = create_common_key_types(key_types, hashsig),
2764 .peer = peer,
2765 );
2766 key_types->destroy(key_types);
2767
2768 if (!array_count(enumerator->key_types))
2769 {
2770 private_key_destroy(enumerator);
2771 return NULL;
2772 }
2773 return &enumerator->public;
2774 }