public-key: Add optional parameters argument to verify() method
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19 #include <plugins/plugin_feature.h>
20
21 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
22 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
23 "TLS_NULL_WITH_NULL_NULL",
24 "TLS_RSA_WITH_NULL_MD5",
25 "TLS_RSA_WITH_NULL_SHA",
26 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
27 "TLS_RSA_WITH_RC4_128_MD5",
28 "TLS_RSA_WITH_RC4_128_SHA",
29 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
30 "TLS_RSA_WITH_IDEA_CBC_SHA",
31 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
32 "TLS_RSA_WITH_DES_CBC_SHA",
33 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
34 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
35 "TLS_DH_DSS_WITH_DES_CBC_SHA",
36 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
37 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_DH_RSA_WITH_DES_CBC_SHA",
39 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
42 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
45 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
47 "TLS_DH_anon_WITH_RC4_128_MD5",
48 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DH_anon_WITH_DES_CBC_SHA",
50 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
51 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
52 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
53 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
54 "TLS_KRB5_WITH_DES_CBC_SHA",
55 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
56 "TLS_KRB5_WITH_RC4_128_SHA",
57 "TLS_KRB5_WITH_IDEA_CBC_SHA",
58 "TLS_KRB5_WITH_DES_CBC_MD5",
59 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
60 "TLS_KRB5_WITH_RC4_128_MD5",
61 "TLS_KRB5_WITH_IDEA_CBC_MD5",
62 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
65 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
67 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
68 "TLS_PSK_WITH_NULL_SHA",
69 "TLS_DHE_PSK_WITH_NULL_SHA",
70 "TLS_RSA_PSK_WITH_NULL_SHA",
71 "TLS_RSA_WITH_AES_128_CBC_SHA",
72 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
73 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
75 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
76 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
77 "TLS_RSA_WITH_AES_256_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
83 "TLS_RSA_WITH_NULL_SHA256",
84 "TLS_RSA_WITH_AES_128_CBC_SHA256",
85 "TLS_RSA_WITH_AES_256_CBC_SHA256",
86 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
87 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
88 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
89 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
94 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
95 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
96 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
97 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
104 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
105 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
106 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
107 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
108 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
114 "TLS_PSK_WITH_RC4_128_SHA",
115 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
116 "TLS_PSK_WITH_AES_128_CBC_SHA",
117 "TLS_PSK_WITH_AES_256_CBC_SHA",
118 "TLS_DHE_PSK_WITH_RC4_128_SHA",
119 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
121 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
122 "TLS_RSA_PSK_WITH_RC4_128_SHA",
123 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_RSA_WITH_SEED_CBC_SHA",
127 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
128 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
129 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
130 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
131 "TLS_DH_anon_WITH_SEED_CBC_SHA",
132 "TLS_RSA_WITH_AES_128_GCM_SHA256",
133 "TLS_RSA_WITH_AES_256_GCM_SHA384",
134 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
135 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
136 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
137 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
138 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
139 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
140 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
141 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
144 "TLS_PSK_WITH_AES_128_GCM_SHA256",
145 "TLS_PSK_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
148 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
149 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_CBC_SHA256",
151 "TLS_PSK_WITH_AES_256_CBC_SHA384",
152 "TLS_PSK_WITH_NULL_SHA256",
153 "TLS_PSK_WITH_NULL_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
156 "TLS_DHE_PSK_WITH_NULL_SHA256",
157 "TLS_DHE_PSK_WITH_NULL_SHA384",
158 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_RSA_PSK_WITH_NULL_SHA256",
161 "TLS_RSA_PSK_WITH_NULL_SHA384",
162 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
168 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
174 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
176 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
177 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
178 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
179 TLS_ECDHE_PSK_WITH_NULL_SHA384,
180 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
182 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
183 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
185 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
186 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
187 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
188 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
190 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
191 "TLS_ECDH_RSA_WITH_NULL_SHA",
192 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
193 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
195 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
196 "TLS_ECDHE_RSA_WITH_NULL_SHA",
197 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
198 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDH_anon_WITH_NULL_SHA",
202 "TLS_ECDH_anon_WITH_RC4_128_SHA",
203 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
205 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
206 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
209 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
215 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
216 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
217 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
218 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
219 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
220 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
221 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
222 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
223 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
224 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
225 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
226 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
227 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
228 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
229 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
230 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
231 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
232 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
235 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
239 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
240 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
241
242 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
243 "NONE",
244 "MD5",
245 "SHA1",
246 "SHA224",
247 "SHA256",
248 "SHA384",
249 "SHA512",
250 );
251
252 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
253 "RSA",
254 "DSA",
255 "ECDSA",
256 );
257
258 ENUM_BEGIN(tls_client_certificate_type_names,
259 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
260 "RSA_SIGN",
261 "DSA_SIGN",
262 "RSA_FIXED_DH",
263 "DSS_FIXED_DH",
264 "RSA_EPHEMERAL_DH",
265 "DSS_EPHEMERAL_DH");
266 ENUM_NEXT(tls_client_certificate_type_names,
267 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
268 "FORTEZZA_DMS");
269 ENUM_NEXT(tls_client_certificate_type_names,
270 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
271 "ECDSA_SIGN",
272 "RSA_FIXED_ECDH",
273 "ECDSA_FIXED_ECDH");
274 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
275
276 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
277 "EXPLICIT_PRIME",
278 "EXPLICIT_CHAR2",
279 "NAMED_CURVE",
280 );
281
282 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
283 "SECT163K1",
284 "SECT163R1",
285 "SECT163R2",
286 "SECT193R1",
287 "SECT193R2",
288 "SECT233K1",
289 "SECT233R1",
290 "SECT239K1",
291 "SECT283K1",
292 "SECT283R1",
293 "SECT409K1",
294 "SECT409R1",
295 "SECT571K1",
296 "SECT571R1",
297 "SECP160K1",
298 "SECP160R1",
299 "SECP160R2",
300 "SECP192K1",
301 "SECP192R1",
302 "SECP224K1",
303 "SECP224R1",
304 "SECP256K1",
305 "SECP256R1",
306 "SECP384R1",
307 "SECP521R1",
308 );
309
310 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
311 "compressed",
312 "compressed y",
313 "uncompressed",
314 "uncompressed y",
315 "hybrid",
316 "hybrid y",
317 );
318
319 ENUM(tls_ec_point_format_names,
320 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
321 "uncompressed",
322 "ansiX962 compressed prime",
323 "ansiX962 compressed char2",
324 );
325
326 typedef struct private_tls_crypto_t private_tls_crypto_t;
327
328 /**
329 * Private data of an tls_crypto_t object.
330 */
331 struct private_tls_crypto_t {
332
333 /**
334 * Public tls_crypto_t interface.
335 */
336 tls_crypto_t public;
337
338 /**
339 * Protection layer
340 */
341 tls_protection_t *protection;
342
343 /**
344 * List of supported/acceptable cipher suites
345 */
346 tls_cipher_suite_t *suites;
347
348 /**
349 * Number of supported suites
350 */
351 int suite_count;
352
353 /**
354 * Selected cipher suite
355 */
356 tls_cipher_suite_t suite;
357
358 /**
359 * RSA supported?
360 */
361 bool rsa;
362
363 /**
364 * ECDSA supported?
365 */
366 bool ecdsa;
367
368 /**
369 * TLS context
370 */
371 tls_t *tls;
372
373 /**
374 * TLS session cache
375 */
376 tls_cache_t *cache;
377
378 /**
379 * All handshake data concatentated
380 */
381 chunk_t handshake;
382
383 /**
384 * Connection state TLS PRF
385 */
386 tls_prf_t *prf;
387
388 /**
389 * AEAD transform for inbound traffic
390 */
391 tls_aead_t *aead_in;
392
393 /**
394 * AEAD transform for outbound traffic
395 */
396 tls_aead_t *aead_out;
397
398 /**
399 * EAP-[T]TLS MSK
400 */
401 chunk_t msk;
402
403 /**
404 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
405 */
406 char *msk_label;
407 };
408
409 typedef struct {
410 tls_cipher_suite_t suite;
411 key_type_t key;
412 diffie_hellman_group_t dh;
413 hash_algorithm_t hash;
414 pseudo_random_function_t prf;
415 integrity_algorithm_t mac;
416 encryption_algorithm_t encr;
417 size_t encr_size;
418 } suite_algs_t;
419
420 /**
421 * Mapping suites to a set of algorithms
422 */
423 static suite_algs_t suite_algs[] = {
424 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
425 KEY_ECDSA, ECP_256_BIT,
426 HASH_SHA256, PRF_HMAC_SHA2_256,
427 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
428 },
429 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
430 KEY_ECDSA, ECP_256_BIT,
431 HASH_SHA256, PRF_HMAC_SHA2_256,
432 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
433 },
434 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
435 KEY_ECDSA, ECP_384_BIT,
436 HASH_SHA256, PRF_HMAC_SHA2_256,
437 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
438 },
439 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
440 KEY_ECDSA, ECP_384_BIT,
441 HASH_SHA384, PRF_HMAC_SHA2_384,
442 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
443 },
444 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
445 KEY_ECDSA, ECP_256_BIT,
446 HASH_SHA256, PRF_HMAC_SHA2_256,
447 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
448 },
449 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
450 KEY_ECDSA, ECP_384_BIT,
451 HASH_SHA384, PRF_HMAC_SHA2_384,
452 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
453 },
454 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
455 KEY_RSA, ECP_256_BIT,
456 HASH_SHA256, PRF_HMAC_SHA2_256,
457 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
458 },
459 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
460 KEY_RSA, ECP_256_BIT,
461 HASH_SHA256, PRF_HMAC_SHA2_256,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
463 },
464 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
465 KEY_RSA, ECP_384_BIT,
466 HASH_SHA256, PRF_HMAC_SHA2_256,
467 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
468 },
469 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
470 KEY_RSA, ECP_384_BIT,
471 HASH_SHA384, PRF_HMAC_SHA2_384,
472 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
473 },
474 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
475 KEY_RSA, ECP_256_BIT,
476 HASH_SHA256, PRF_HMAC_SHA2_256,
477 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
478 },
479 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
480 KEY_RSA, ECP_384_BIT,
481 HASH_SHA384, PRF_HMAC_SHA2_384,
482 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
483 },
484 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
485 KEY_RSA, MODP_2048_BIT,
486 HASH_SHA256,PRF_HMAC_SHA2_256,
487 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
488 },
489 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
490 KEY_RSA, MODP_3072_BIT,
491 HASH_SHA256, PRF_HMAC_SHA2_256,
492 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
493 },
494 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
495 KEY_RSA, MODP_3072_BIT,
496 HASH_SHA256, PRF_HMAC_SHA2_256,
497 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
498 },
499 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
500 KEY_RSA, MODP_4096_BIT,
501 HASH_SHA256, PRF_HMAC_SHA2_256,
502 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
503 },
504 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
505 KEY_RSA, MODP_3072_BIT,
506 HASH_SHA256, PRF_HMAC_SHA2_256,
507 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
508 },
509 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
510 KEY_RSA, MODP_4096_BIT,
511 HASH_SHA384, PRF_HMAC_SHA2_384,
512 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
513 },
514 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
515 KEY_RSA, MODP_2048_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
518 },
519 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
520 KEY_RSA, MODP_3072_BIT,
521 HASH_SHA256, PRF_HMAC_SHA2_256,
522 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
523 },
524 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
525 KEY_RSA, MODP_3072_BIT,
526 HASH_SHA256, PRF_HMAC_SHA2_256,
527 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
528 },
529 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
530 KEY_RSA, MODP_4096_BIT,
531 HASH_SHA256, PRF_HMAC_SHA2_256,
532 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
533 },
534 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
535 KEY_RSA, MODP_2048_BIT,
536 HASH_SHA256, PRF_HMAC_SHA2_256,
537 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
538 },
539 { TLS_RSA_WITH_AES_128_CBC_SHA,
540 KEY_RSA, MODP_NONE,
541 HASH_SHA256, PRF_HMAC_SHA2_256,
542 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
543 },
544 { TLS_RSA_WITH_AES_128_CBC_SHA256,
545 KEY_RSA, MODP_NONE,
546 HASH_SHA256, PRF_HMAC_SHA2_256,
547 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
548 },
549 { TLS_RSA_WITH_AES_256_CBC_SHA,
550 KEY_RSA, MODP_NONE,
551 HASH_SHA256, PRF_HMAC_SHA2_256,
552 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
553 },
554 { TLS_RSA_WITH_AES_256_CBC_SHA256,
555 KEY_RSA, MODP_NONE,
556 HASH_SHA256, PRF_HMAC_SHA2_256,
557 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
558 },
559 { TLS_RSA_WITH_AES_128_GCM_SHA256,
560 KEY_RSA, MODP_NONE,
561 HASH_SHA256, PRF_HMAC_SHA2_256,
562 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
563 },
564 { TLS_RSA_WITH_AES_256_GCM_SHA384,
565 KEY_RSA, MODP_NONE,
566 HASH_SHA384, PRF_HMAC_SHA2_384,
567 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
568 },
569 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
570 KEY_RSA, MODP_NONE,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
573 },
574 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
575 KEY_RSA, MODP_NONE,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
578 },
579 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
580 KEY_RSA, MODP_NONE,
581 HASH_SHA256, PRF_HMAC_SHA2_256,
582 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
583 },
584 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
585 KEY_RSA, MODP_NONE,
586 HASH_SHA256, PRF_HMAC_SHA2_256,
587 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
588 },
589 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
590 KEY_ECDSA, ECP_256_BIT,
591 HASH_SHA256, PRF_HMAC_SHA2_256,
592 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
593 },
594 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
595 KEY_RSA, ECP_256_BIT,
596 HASH_SHA256, PRF_HMAC_SHA2_256,
597 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
598 },
599 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
600 KEY_RSA, MODP_NONE,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
603 },
604 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
605 KEY_ECDSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
608 },
609 { TLS_ECDHE_RSA_WITH_NULL_SHA,
610 KEY_ECDSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
613 },
614 { TLS_RSA_WITH_NULL_SHA,
615 KEY_RSA, MODP_NONE,
616 HASH_SHA256, PRF_HMAC_SHA2_256,
617 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
618 },
619 { TLS_RSA_WITH_NULL_SHA256,
620 KEY_RSA, MODP_NONE,
621 HASH_SHA256, PRF_HMAC_SHA2_256,
622 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
623 },
624 { TLS_RSA_WITH_NULL_MD5,
625 KEY_RSA, MODP_NONE,
626 HASH_SHA256, PRF_HMAC_SHA2_256,
627 AUTH_HMAC_MD5_128, ENCR_NULL, 0
628 },
629 };
630
631 /**
632 * Look up algorithms by a suite
633 */
634 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
635 {
636 int i;
637
638 for (i = 0; i < countof(suite_algs); i++)
639 {
640 if (suite_algs[i].suite == suite)
641 {
642 return &suite_algs[i];
643 }
644 }
645 return NULL;
646 }
647
648 /**
649 * Filter a suite list using a transform enumerator
650 */
651 static void filter_suite(suite_algs_t suites[], int *count, int offset,
652 enumerator_t*(*create_enumerator)(crypto_factory_t*))
653 {
654 const char *plugin_name;
655 suite_algs_t current;
656 int *current_alg, i, remaining = 0;
657 enumerator_t *enumerator;
658
659 memset(&current, 0, sizeof(current));
660 current_alg = (int*)((char*)&current + offset);
661
662 for (i = 0; i < *count; i++)
663 {
664 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
665 encryption_algorithm_is_aead(suites[i].encr))
666 { /* filtering crypters, but current suite uses an AEAD, apply */
667 suites[remaining] = suites[i];
668 remaining++;
669 continue;
670 }
671 if (create_enumerator == lib->crypto->create_aead_enumerator &&
672 !encryption_algorithm_is_aead(suites[i].encr))
673 { /* filtering AEADs, but current suite doesn't use one, apply */
674 suites[remaining] = suites[i];
675 remaining++;
676 continue;
677 }
678 enumerator = create_enumerator(lib->crypto);
679 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
680 {
681 if (current.encr && current.encr != suites[i].encr)
682 {
683 if (suites[i].encr != ENCR_NULL)
684 { /* skip, ENCR does not match nor is NULL */
685 continue;
686 }
687 }
688 if (current.mac && current.mac != suites[i].mac)
689 {
690 if (suites[i].mac != AUTH_UNDEFINED)
691 { /* skip, MAC does not match nor is it undefined */
692 continue;
693 }
694 }
695 if (current.prf && current.prf != suites[i].prf)
696 { /* skip, PRF does not match */
697 continue;
698 }
699 if (current.hash && current.hash != suites[i].hash)
700 { /* skip, hash does not match */
701 continue;
702 }
703 if (current.dh && current.dh != suites[i].dh)
704 {
705 if (suites[i].dh != MODP_NONE)
706 { /* skip DH group, does not match nor NONE */
707 continue;
708 }
709 }
710 /* suite supported, apply */
711 suites[remaining] = suites[i];
712 remaining++;
713 break;
714 }
715 enumerator->destroy(enumerator);
716 }
717 *count = remaining;
718 }
719
720 /**
721 * Purge NULL encryption cipher suites from list
722 */
723 static void filter_null_suites(suite_algs_t suites[], int *count)
724 {
725 int i, remaining = 0;
726
727 for (i = 0; i < *count; i++)
728 {
729 if (suites[i].encr != ENCR_NULL)
730 {
731 suites[remaining] = suites[i];
732 remaining++;
733 }
734 }
735 *count = remaining;
736 }
737
738 /**
739 * Purge suites using a given key type
740 */
741 static void filter_key_suites(private_tls_crypto_t *this,
742 suite_algs_t suites[], int *count, key_type_t key)
743 {
744 int i, remaining = 0;
745
746 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
747 for (i = 0; i < *count; i++)
748 {
749 if (suites[i].key != key)
750 {
751 suites[remaining] = suites[i];
752 remaining++;
753 }
754 }
755 *count = remaining;
756 }
757
758 /**
759 * Filter suites by key exchange user config
760 */
761 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
762 suite_algs_t suites[], int *count)
763 {
764 enumerator_t *enumerator;
765 int i, remaining = 0;
766 char *token, *config;
767
768 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
769 lib->ns);
770 if (config)
771 {
772 for (i = 0; i < *count; i++)
773 {
774 enumerator = enumerator_create_token(config, ",", " ");
775 while (enumerator->enumerate(enumerator, &token))
776 {
777 if (strcaseeq(token, "ecdhe-ecdsa") &&
778 diffie_hellman_group_is_ec(suites[i].dh) &&
779 suites[i].key == KEY_ECDSA)
780 {
781 suites[remaining++] = suites[i];
782 break;
783 }
784 if (strcaseeq(token, "ecdhe-rsa") &&
785 diffie_hellman_group_is_ec(suites[i].dh) &&
786 suites[i].key == KEY_RSA)
787 {
788 suites[remaining++] = suites[i];
789 break;
790 }
791 if (strcaseeq(token, "dhe-rsa") &&
792 !diffie_hellman_group_is_ec(suites[i].dh) &&
793 suites[i].dh != MODP_NONE &&
794 suites[i].key == KEY_RSA)
795 {
796 suites[remaining++] = suites[i];
797 break;
798 }
799 if (strcaseeq(token, "rsa") &&
800 suites[i].dh == MODP_NONE &&
801 suites[i].key == KEY_RSA)
802 {
803 suites[remaining++] = suites[i];
804 break;
805 }
806 }
807 enumerator->destroy(enumerator);
808 }
809 *count = remaining;
810 }
811 }
812
813 /**
814 * Filter suites by cipher user config
815 */
816 static void filter_cipher_config_suites(private_tls_crypto_t *this,
817 suite_algs_t suites[], int *count)
818 {
819 enumerator_t *enumerator;
820 int i, remaining = 0;
821 char *token, *config;
822
823 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
824 lib->ns);
825 if (config)
826 {
827 for (i = 0; i < *count; i++)
828 {
829 enumerator = enumerator_create_token(config, ",", " ");
830 while (enumerator->enumerate(enumerator, &token))
831 {
832 if (strcaseeq(token, "aes128") &&
833 suites[i].encr == ENCR_AES_CBC &&
834 suites[i].encr_size == 16)
835 {
836 suites[remaining++] = suites[i];
837 break;
838 }
839 if (strcaseeq(token, "aes256") &&
840 suites[i].encr == ENCR_AES_CBC &&
841 suites[i].encr_size == 32)
842 {
843 suites[remaining++] = suites[i];
844 break;
845 }
846 if (strcaseeq(token, "aes128gcm") &&
847 suites[i].encr == ENCR_AES_GCM_ICV16 &&
848 suites[i].encr_size == 16)
849 {
850 suites[remaining++] = suites[i];
851 break;
852 }
853 if (strcaseeq(token, "aes256gcm") &&
854 suites[i].encr == ENCR_AES_GCM_ICV16 &&
855 suites[i].encr_size == 32)
856 {
857 suites[remaining++] = suites[i];
858 break;
859 }
860 if (strcaseeq(token, "camellia128") &&
861 suites[i].encr == ENCR_CAMELLIA_CBC &&
862 suites[i].encr_size == 16)
863 {
864 suites[remaining++] = suites[i];
865 break;
866 }
867 if (strcaseeq(token, "camellia256") &&
868 suites[i].encr == ENCR_CAMELLIA_CBC &&
869 suites[i].encr_size == 32)
870 {
871 suites[remaining++] = suites[i];
872 break;
873 }
874 if (strcaseeq(token, "3des") &&
875 suites[i].encr == ENCR_3DES)
876 {
877 suites[remaining++] = suites[i];
878 break;
879 }
880 if (strcaseeq(token, "null") &&
881 suites[i].encr == ENCR_NULL)
882 {
883 suites[remaining++] = suites[i];
884 break;
885 }
886 }
887 enumerator->destroy(enumerator);
888 }
889 *count = remaining;
890 }
891 }
892
893 /**
894 * Filter suites by mac user config
895 */
896 static void filter_mac_config_suites(private_tls_crypto_t *this,
897 suite_algs_t suites[], int *count)
898 {
899 enumerator_t *enumerator;
900 int i, remaining = 0;
901 char *token, *config;
902
903 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
904 lib->ns);
905 if (config)
906 {
907 for (i = 0; i < *count; i++)
908 {
909 enumerator = enumerator_create_token(config, ",", " ");
910 while (enumerator->enumerate(enumerator, &token))
911 {
912 if (strcaseeq(token, "md5") &&
913 suites[i].mac == AUTH_HMAC_MD5_128)
914 {
915 suites[remaining++] = suites[i];
916 break;
917 }
918 if (strcaseeq(token, "sha1") &&
919 suites[i].mac == AUTH_HMAC_SHA1_160)
920 {
921 suites[remaining++] = suites[i];
922 break;
923 }
924 if (strcaseeq(token, "sha256") &&
925 suites[i].mac == AUTH_HMAC_SHA2_256_256)
926 {
927 suites[remaining++] = suites[i];
928 break;
929 }
930 if (strcaseeq(token, "sha384") &&
931 suites[i].mac == AUTH_HMAC_SHA2_384_384)
932 {
933 suites[remaining++] = suites[i];
934 break;
935 }
936 }
937 enumerator->destroy(enumerator);
938 }
939 *count = remaining;
940 }
941 }
942
943 /**
944 * Filter for specific suites specified in strongswan.conf
945 */
946 static void filter_specific_config_suites(private_tls_crypto_t *this,
947 suite_algs_t suites[], int *count)
948 {
949 enumerator_t *enumerator;
950 int i, remaining = 0, suite;
951 char *token, *config;
952
953 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
954 lib->ns);
955 if (config)
956 {
957 for (i = 0; i < *count; i++)
958 {
959 enumerator = enumerator_create_token(config, ",", " ");
960 while (enumerator->enumerate(enumerator, &token))
961 {
962 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
963 suite == suites[i].suite)
964 {
965 suites[remaining++] = suites[i];
966 break;
967 }
968 }
969 enumerator->destroy(enumerator);
970 }
971 *count = remaining;
972 }
973 }
974
975 /**
976 * Filter out unsupported suites on given suite array
977 */
978 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
979 {
980 /* filter suite list by each algorithm */
981 filter_suite(suites, count, offsetof(suite_algs_t, encr),
982 lib->crypto->create_crypter_enumerator);
983 filter_suite(suites, count, offsetof(suite_algs_t, encr),
984 lib->crypto->create_aead_enumerator);
985 filter_suite(suites, count, offsetof(suite_algs_t, mac),
986 lib->crypto->create_signer_enumerator);
987 filter_suite(suites, count, offsetof(suite_algs_t, prf),
988 lib->crypto->create_prf_enumerator);
989 filter_suite(suites, count, offsetof(suite_algs_t, hash),
990 lib->crypto->create_hasher_enumerator);
991 filter_suite(suites, count, offsetof(suite_algs_t, dh),
992 lib->crypto->create_dh_enumerator);
993 }
994
995 /**
996 * Initialize the cipher suite list
997 */
998 static void build_cipher_suite_list(private_tls_crypto_t *this,
999 bool require_encryption)
1000 {
1001 suite_algs_t suites[countof(suite_algs)];
1002 int count = countof(suite_algs), i;
1003
1004 /* copy all suites */
1005 for (i = 0; i < count; i++)
1006 {
1007 suites[i] = suite_algs[i];
1008 }
1009
1010 if (require_encryption)
1011 {
1012 filter_null_suites(suites, &count);
1013 }
1014 if (!this->rsa)
1015 {
1016 filter_key_suites(this, suites, &count, KEY_RSA);
1017 }
1018 if (!this->ecdsa)
1019 {
1020 filter_key_suites(this, suites, &count, KEY_ECDSA);
1021 }
1022
1023 filter_unsupported_suites(suites, &count);
1024
1025 /* filter suites with strongswan.conf options */
1026 filter_key_exchange_config_suites(this, suites, &count);
1027 filter_cipher_config_suites(this, suites, &count);
1028 filter_mac_config_suites(this, suites, &count);
1029 filter_specific_config_suites(this, suites, &count);
1030
1031 free(this->suites);
1032 this->suite_count = count;
1033 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1034
1035 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1036 for (i = 0; i < count; i++)
1037 {
1038 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1039 this->suites[i] = suites[i].suite;
1040 }
1041 }
1042
1043 METHOD(tls_crypto_t, get_cipher_suites, int,
1044 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1045 {
1046 *suites = this->suites;
1047 return this->suite_count;
1048 }
1049
1050 /**
1051 * Create NULL encryption transforms
1052 */
1053 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1054 {
1055 this->aead_in = tls_aead_create_null(algs->mac);
1056 this->aead_out = tls_aead_create_null(algs->mac);
1057 if (!this->aead_in || !this->aead_out)
1058 {
1059 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1060 integrity_algorithm_names, algs->mac);
1061 return FALSE;
1062 }
1063 return TRUE;
1064 }
1065
1066 /**
1067 * Create traditional transforms
1068 */
1069 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1070 {
1071 if (this->tls->get_version(this->tls) < TLS_1_1)
1072 {
1073 this->aead_in = tls_aead_create_implicit(algs->mac,
1074 algs->encr, algs->encr_size);
1075 this->aead_out = tls_aead_create_implicit(algs->mac,
1076 algs->encr, algs->encr_size);
1077 }
1078 else
1079 {
1080 this->aead_in = tls_aead_create_explicit(algs->mac,
1081 algs->encr, algs->encr_size);
1082 this->aead_out = tls_aead_create_explicit(algs->mac,
1083 algs->encr, algs->encr_size);
1084 }
1085 if (!this->aead_in || !this->aead_out)
1086 {
1087 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1088 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1089 integrity_algorithm_names, algs->mac);
1090 return FALSE;
1091 }
1092 return TRUE;
1093 }
1094
1095 /**
1096 * Create AEAD transforms
1097 */
1098 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1099 {
1100 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1101 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1102 if (!this->aead_in || !this->aead_out)
1103 {
1104 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1105 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1106 return FALSE;
1107 }
1108 return TRUE;
1109 }
1110
1111 /**
1112 * Clean up and unset AEAD transforms
1113 */
1114 static void destroy_aeads(private_tls_crypto_t *this)
1115 {
1116 DESTROY_IF(this->aead_in);
1117 DESTROY_IF(this->aead_out);
1118 this->aead_in = this->aead_out = NULL;
1119 }
1120
1121 /**
1122 * Create crypto primitives
1123 */
1124 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1125 {
1126 destroy_aeads(this);
1127 DESTROY_IF(this->prf);
1128 if (this->tls->get_version(this->tls) < TLS_1_2)
1129 {
1130 this->prf = tls_prf_create_10();
1131 }
1132 else
1133 {
1134 this->prf = tls_prf_create_12(algs->prf);
1135 }
1136 if (!this->prf)
1137 {
1138 DBG1(DBG_TLS, "selected TLS PRF not supported");
1139 return FALSE;
1140 }
1141 if (algs->encr == ENCR_NULL)
1142 {
1143 if (create_null(this, algs))
1144 {
1145 return TRUE;
1146 }
1147 }
1148 else if (encryption_algorithm_is_aead(algs->encr))
1149 {
1150 if (create_aead(this, algs))
1151 {
1152 return TRUE;
1153 }
1154 }
1155 else
1156 {
1157 if (create_traditional(this, algs))
1158 {
1159 return TRUE;
1160 }
1161 }
1162 destroy_aeads(this);
1163 return FALSE;
1164 }
1165
1166 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1167 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1168 key_type_t key)
1169 {
1170 suite_algs_t *algs;
1171 int i, j;
1172
1173 for (i = 0; i < this->suite_count; i++)
1174 {
1175 for (j = 0; j < count; j++)
1176 {
1177 if (this->suites[i] == suites[j])
1178 {
1179 algs = find_suite(this->suites[i]);
1180 if (algs)
1181 {
1182 if (key == KEY_ANY || key == algs->key)
1183 {
1184 if (create_ciphers(this, algs))
1185 {
1186 this->suite = this->suites[i];
1187 return this->suite;
1188 }
1189 }
1190 }
1191 }
1192 }
1193 }
1194 return 0;
1195 }
1196
1197 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1198 private_tls_crypto_t *this)
1199 {
1200 suite_algs_t *algs;
1201
1202 algs = find_suite(this->suite);
1203 if (algs)
1204 {
1205 return algs->dh;
1206 }
1207 return MODP_NONE;
1208 }
1209
1210 /**
1211 * Map signature schemes to TLS key types and hashes, ordered by preference
1212 */
1213 static struct {
1214 tls_signature_algorithm_t sig;
1215 tls_hash_algorithm_t hash;
1216 signature_scheme_t scheme;
1217 } schemes[] = {
1218 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1219 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1220 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1221 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1222 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1223 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1224 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1225 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA2_224 },
1226 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1227 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1228 };
1229
1230 METHOD(tls_crypto_t, get_signature_algorithms, void,
1231 private_tls_crypto_t *this, bio_writer_t *writer)
1232 {
1233 bio_writer_t *supported;
1234 int i;
1235
1236 supported = bio_writer_create(32);
1237
1238 for (i = 0; i < countof(schemes); i++)
1239 {
1240 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1241 {
1242 continue;
1243 }
1244 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1245 {
1246 continue;
1247 }
1248 if (!lib->plugins->has_feature(lib->plugins,
1249 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1250 {
1251 continue;
1252 }
1253 supported->write_uint8(supported, schemes[i].hash);
1254 supported->write_uint8(supported, schemes[i].sig);
1255 }
1256
1257 supported->wrap16(supported);
1258 writer->write_data16(writer, supported->get_buf(supported));
1259 supported->destroy(supported);
1260 }
1261
1262 /**
1263 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1264 */
1265 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1266 tls_hash_algorithm_t hash,
1267 tls_signature_algorithm_t sig)
1268 {
1269 int i;
1270
1271 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1272 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1273 {
1274 for (i = 0; i < countof(schemes); i++)
1275 {
1276 if (schemes[i].sig == sig && schemes[i].hash == hash)
1277 {
1278 return schemes[i].scheme;
1279 }
1280 }
1281 }
1282 return SIGN_UNKNOWN;
1283 }
1284
1285 /**
1286 * Mapping groups to TLS named curves
1287 */
1288 static struct {
1289 diffie_hellman_group_t group;
1290 tls_named_curve_t curve;
1291 } curves[] = {
1292 { ECP_256_BIT, TLS_SECP256R1},
1293 { ECP_384_BIT, TLS_SECP384R1},
1294 { ECP_521_BIT, TLS_SECP521R1},
1295 { ECP_224_BIT, TLS_SECP224R1},
1296 { ECP_192_BIT, TLS_SECP192R1},
1297 };
1298
1299 CALLBACK(group_filter, bool,
1300 void *null, enumerator_t *orig, va_list args)
1301 {
1302 diffie_hellman_group_t group, *out;
1303 tls_named_curve_t *curve;
1304 char *plugin;
1305 int i;
1306
1307 VA_ARGS_VGET(args, out, curve);
1308
1309 while (orig->enumerate(orig, &group, &plugin))
1310 {
1311 for (i = 0; i < countof(curves); i++)
1312 {
1313 if (curves[i].group == group)
1314 {
1315 if (out)
1316 {
1317 *out = curves[i].group;
1318 }
1319 if (curve)
1320 {
1321 *curve = curves[i].curve;
1322 }
1323 return TRUE;
1324 }
1325 }
1326 }
1327 return FALSE;
1328 }
1329
1330 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1331 private_tls_crypto_t *this)
1332 {
1333 return enumerator_create_filter(
1334 lib->crypto->create_dh_enumerator(lib->crypto),
1335 group_filter, NULL, NULL);
1336 }
1337
1338 METHOD(tls_crypto_t, set_protection, void,
1339 private_tls_crypto_t *this, tls_protection_t *protection)
1340 {
1341 this->protection = protection;
1342 }
1343
1344 METHOD(tls_crypto_t, append_handshake, void,
1345 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1346 {
1347 uint32_t header;
1348
1349 /* reconstruct handshake header */
1350 header = htonl(data.len | (type << 24));
1351 this->handshake = chunk_cat("mcc", this->handshake,
1352 chunk_from_thing(header), data);
1353 }
1354
1355 /**
1356 * Create a hash using the suites HASH algorithm
1357 */
1358 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1359 {
1360 if (this->tls->get_version(this->tls) >= TLS_1_2)
1361 {
1362 hasher_t *hasher;
1363 suite_algs_t *alg;
1364
1365 alg = find_suite(this->suite);
1366 if (!alg)
1367 {
1368 return FALSE;
1369 }
1370 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1371 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1372 {
1373 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1374 DESTROY_IF(hasher);
1375 return FALSE;
1376 }
1377 hasher->destroy(hasher);
1378 }
1379 else
1380 {
1381 hasher_t *md5, *sha1;
1382 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1383
1384 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1385 if (!md5 || !md5->get_hash(md5, data, buf))
1386 {
1387 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1388 DESTROY_IF(md5);
1389 return FALSE;
1390 }
1391 md5->destroy(md5);
1392 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1393 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1394 {
1395 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1396 DESTROY_IF(sha1);
1397 return FALSE;
1398 }
1399 sha1->destroy(sha1);
1400
1401 *hash = chunk_clone(chunk_from_thing(buf));
1402 }
1403 return TRUE;
1404 }
1405
1406 METHOD(tls_crypto_t, sign, bool,
1407 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1408 chunk_t data, chunk_t hashsig)
1409 {
1410 if (this->tls->get_version(this->tls) >= TLS_1_2)
1411 {
1412 signature_scheme_t scheme;
1413 bio_reader_t *reader;
1414 uint8_t hash, alg;
1415 chunk_t sig;
1416 bool done = FALSE;
1417
1418 if (!hashsig.len)
1419 { /* fallback if none given */
1420 hashsig = chunk_from_chars(
1421 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1422 }
1423 reader = bio_reader_create(hashsig);
1424 while (reader->remaining(reader) >= 2)
1425 {
1426 if (reader->read_uint8(reader, &hash) &&
1427 reader->read_uint8(reader, &alg))
1428 {
1429 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1430 if (scheme != SIGN_UNKNOWN &&
1431 key->sign(key, scheme, data, &sig))
1432 {
1433 done = TRUE;
1434 break;
1435 }
1436 }
1437 }
1438 reader->destroy(reader);
1439 if (!done)
1440 {
1441 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1442 return FALSE;
1443 }
1444 DBG2(DBG_TLS, "created signature with %N/%N",
1445 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1446 writer->write_uint8(writer, hash);
1447 writer->write_uint8(writer, alg);
1448 writer->write_data16(writer, sig);
1449 free(sig.ptr);
1450 }
1451 else
1452 {
1453 chunk_t sig, hash;
1454 bool done;
1455
1456 switch (key->get_type(key))
1457 {
1458 case KEY_RSA:
1459 if (!hash_data(this, data, &hash))
1460 {
1461 return FALSE;
1462 }
1463 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1464 free(hash.ptr);
1465 if (!done)
1466 {
1467 return FALSE;
1468 }
1469 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1470 break;
1471 case KEY_ECDSA:
1472 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1473 {
1474 return FALSE;
1475 }
1476 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1477 break;
1478 default:
1479 return FALSE;
1480 }
1481 writer->write_data16(writer, sig);
1482 free(sig.ptr);
1483 }
1484 return TRUE;
1485 }
1486
1487 METHOD(tls_crypto_t, verify, bool,
1488 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1489 chunk_t data)
1490 {
1491 if (this->tls->get_version(this->tls) >= TLS_1_2)
1492 {
1493 signature_scheme_t scheme = SIGN_UNKNOWN;
1494 uint8_t hash, alg;
1495 chunk_t sig;
1496
1497 if (!reader->read_uint8(reader, &hash) ||
1498 !reader->read_uint8(reader, &alg) ||
1499 !reader->read_data16(reader, &sig))
1500 {
1501 DBG1(DBG_TLS, "received invalid signature");
1502 return FALSE;
1503 }
1504 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1505 if (scheme == SIGN_UNKNOWN)
1506 {
1507 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1508 tls_hash_algorithm_names, hash,
1509 tls_signature_algorithm_names, alg);
1510 return FALSE;
1511 }
1512 if (!key->verify(key, scheme, NULL, data, sig))
1513 {
1514 return FALSE;
1515 }
1516 DBG2(DBG_TLS, "verified signature with %N/%N",
1517 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1518 }
1519 else
1520 {
1521 chunk_t sig, hash;
1522 bool done;
1523
1524 if (!reader->read_data16(reader, &sig))
1525 {
1526 DBG1(DBG_TLS, "received invalid signature");
1527 return FALSE;
1528 }
1529 switch (key->get_type(key))
1530 {
1531 case KEY_RSA:
1532 if (!hash_data(this, data, &hash))
1533 {
1534 return FALSE;
1535 }
1536 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1537 sig);
1538 free(hash.ptr);
1539 if (!done)
1540 {
1541 return FALSE;
1542 }
1543 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1544 break;
1545 case KEY_ECDSA:
1546 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
1547 sig))
1548 {
1549 return FALSE;
1550 }
1551 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1552 break;
1553 default:
1554 return FALSE;
1555 }
1556 }
1557 return TRUE;
1558 }
1559
1560 METHOD(tls_crypto_t, sign_handshake, bool,
1561 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1562 chunk_t hashsig)
1563 {
1564 return sign(this, key, writer, this->handshake, hashsig);
1565 }
1566
1567 METHOD(tls_crypto_t, verify_handshake, bool,
1568 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1569 {
1570 return verify(this, key, reader, this->handshake);
1571 }
1572
1573 METHOD(tls_crypto_t, calculate_finished, bool,
1574 private_tls_crypto_t *this, char *label, char out[12])
1575 {
1576 chunk_t seed;
1577
1578 if (!this->prf)
1579 {
1580 return FALSE;
1581 }
1582 if (!hash_data(this, this->handshake, &seed))
1583 {
1584 return FALSE;
1585 }
1586 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1587 {
1588 free(seed.ptr);
1589 return FALSE;
1590 }
1591 free(seed.ptr);
1592 return TRUE;
1593 }
1594
1595 /**
1596 * Derive master secret from premaster, optionally save session
1597 */
1598 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1599 chunk_t session, identification_t *id,
1600 chunk_t client_random, chunk_t server_random)
1601 {
1602 char master[48];
1603 chunk_t seed;
1604
1605 /* derive master secret */
1606 seed = chunk_cata("cc", client_random, server_random);
1607
1608 if (!this->prf->set_key(this->prf, premaster) ||
1609 !this->prf->get_bytes(this->prf, "master secret", seed,
1610 sizeof(master), master) ||
1611 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1612 {
1613 return FALSE;
1614 }
1615
1616 if (this->cache && session.len)
1617 {
1618 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1619 this->suite);
1620 }
1621 memwipe(master, sizeof(master));
1622 return TRUE;
1623 }
1624
1625 /**
1626 * Expand key material from master secret
1627 */
1628 static bool expand_keys(private_tls_crypto_t *this,
1629 chunk_t client_random, chunk_t server_random)
1630 {
1631 chunk_t seed, block;
1632 chunk_t cw_mac, cw, cw_iv;
1633 chunk_t sw_mac, sw, sw_iv;
1634 int mklen, eklen, ivlen;
1635
1636 if (!this->aead_in || !this->aead_out)
1637 {
1638 return FALSE;
1639 }
1640
1641 /* derive key block for key expansion */
1642 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1643 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1644 ivlen = this->aead_in->get_iv_size(this->aead_in);
1645 seed = chunk_cata("cc", server_random, client_random);
1646 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1647 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1648 block.len, block.ptr))
1649 {
1650 return FALSE;
1651 }
1652
1653 /* client/server write signer keys */
1654 cw_mac = chunk_create(block.ptr, mklen);
1655 block = chunk_skip(block, mklen);
1656 sw_mac = chunk_create(block.ptr, mklen);
1657 block = chunk_skip(block, mklen);
1658
1659 /* client/server write encryption keys */
1660 cw = chunk_create(block.ptr, eklen);
1661 block = chunk_skip(block, eklen);
1662 sw = chunk_create(block.ptr, eklen);
1663 block = chunk_skip(block, eklen);
1664
1665 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1666 cw_iv = chunk_create(block.ptr, ivlen);
1667 block = chunk_skip(block, ivlen);
1668 sw_iv = chunk_create(block.ptr, ivlen);
1669 block = chunk_skip(block, ivlen);
1670
1671 if (this->tls->is_server(this->tls))
1672 {
1673 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1674 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1675 {
1676 return FALSE;
1677 }
1678 }
1679 else
1680 {
1681 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1682 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1683 {
1684 return FALSE;
1685 }
1686 }
1687
1688 /* EAP-MSK */
1689 if (this->msk_label)
1690 {
1691 seed = chunk_cata("cc", client_random, server_random);
1692 this->msk = chunk_alloc(64);
1693 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1694 this->msk.len, this->msk.ptr))
1695 {
1696 return FALSE;
1697 }
1698 }
1699 return TRUE;
1700 }
1701
1702 METHOD(tls_crypto_t, derive_secrets, bool,
1703 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1704 identification_t *id, chunk_t client_random, chunk_t server_random)
1705 {
1706 return derive_master(this, premaster, session, id,
1707 client_random, server_random) &&
1708 expand_keys(this, client_random, server_random);
1709 }
1710
1711 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1712 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1713 chunk_t client_random, chunk_t server_random)
1714 {
1715 chunk_t master;
1716
1717 if (this->cache && session.len)
1718 {
1719 this->suite = this->cache->lookup(this->cache, session, id, &master);
1720 if (this->suite)
1721 {
1722 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1723 if (this->suite)
1724 {
1725 if (!this->prf->set_key(this->prf, master) ||
1726 !expand_keys(this, client_random, server_random))
1727 {
1728 this->suite = 0;
1729 }
1730 }
1731 chunk_clear(&master);
1732 }
1733 return this->suite;
1734 }
1735 return 0;
1736 }
1737
1738 METHOD(tls_crypto_t, get_session, chunk_t,
1739 private_tls_crypto_t *this, identification_t *server)
1740 {
1741 if (this->cache)
1742 {
1743 return this->cache->check(this->cache, server);
1744 }
1745 return chunk_empty;
1746 }
1747
1748 METHOD(tls_crypto_t, change_cipher, void,
1749 private_tls_crypto_t *this, bool inbound)
1750 {
1751 if (this->protection)
1752 {
1753 if (inbound)
1754 {
1755 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1756 }
1757 else
1758 {
1759 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1760 }
1761 }
1762 }
1763
1764 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1765 private_tls_crypto_t *this)
1766 {
1767 return this->msk;
1768 }
1769
1770 METHOD(tls_crypto_t, destroy, void,
1771 private_tls_crypto_t *this)
1772 {
1773 destroy_aeads(this);
1774 free(this->handshake.ptr);
1775 free(this->msk.ptr);
1776 DESTROY_IF(this->prf);
1777 free(this->suites);
1778 free(this);
1779 }
1780
1781 /**
1782 * See header
1783 */
1784 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1785 {
1786 private_tls_crypto_t *this;
1787 enumerator_t *enumerator;
1788 credential_type_t type;
1789 int subtype;
1790
1791 INIT(this,
1792 .public = {
1793 .get_cipher_suites = _get_cipher_suites,
1794 .select_cipher_suite = _select_cipher_suite,
1795 .get_dh_group = _get_dh_group,
1796 .get_signature_algorithms = _get_signature_algorithms,
1797 .create_ec_enumerator = _create_ec_enumerator,
1798 .set_protection = _set_protection,
1799 .append_handshake = _append_handshake,
1800 .sign = _sign,
1801 .verify = _verify,
1802 .sign_handshake = _sign_handshake,
1803 .verify_handshake = _verify_handshake,
1804 .calculate_finished = _calculate_finished,
1805 .derive_secrets = _derive_secrets,
1806 .resume_session = _resume_session,
1807 .get_session = _get_session,
1808 .change_cipher = _change_cipher,
1809 .get_eap_msk = _get_eap_msk,
1810 .destroy = _destroy,
1811 },
1812 .tls = tls,
1813 .cache = cache,
1814 );
1815
1816 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1817 while (enumerator->enumerate(enumerator, &type, &subtype))
1818 {
1819 if (type == CRED_PUBLIC_KEY)
1820 {
1821 switch (subtype)
1822 {
1823 case KEY_RSA:
1824 this->rsa = TRUE;
1825 break;
1826 case KEY_ECDSA:
1827 this->ecdsa = TRUE;
1828 break;
1829 default:
1830 break;
1831 }
1832 }
1833 }
1834 enumerator->destroy(enumerator);
1835
1836 switch (tls->get_purpose(tls))
1837 {
1838 case TLS_PURPOSE_EAP_TLS:
1839 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1840 this->msk_label = "client EAP encryption";
1841 build_cipher_suite_list(this, FALSE);
1842 break;
1843 case TLS_PURPOSE_EAP_PEAP:
1844 this->msk_label = "client EAP encryption";
1845 build_cipher_suite_list(this, TRUE);
1846 break;
1847 case TLS_PURPOSE_EAP_TTLS:
1848 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1849 this->msk_label = "ttls keying material";
1850 build_cipher_suite_list(this, TRUE);
1851 break;
1852 case TLS_PURPOSE_GENERIC:
1853 build_cipher_suite_list(this, TRUE);
1854 break;
1855 case TLS_PURPOSE_GENERIC_NULLOK:
1856 build_cipher_suite_list(this, FALSE);
1857 break;
1858 default:
1859 break;
1860 }
1861 return &this->public;
1862 }
1863
1864 /**
1865 * See header.
1866 */
1867 int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out)
1868 {
1869 suite_algs_t suites[countof(suite_algs)];
1870 int count = countof(suite_algs), i;
1871
1872 /* initialize copy of suite list */
1873 for (i = 0; i < count; i++)
1874 {
1875 suites[i] = suite_algs[i];
1876 }
1877
1878 filter_unsupported_suites(suites, &count);
1879
1880 if (!null)
1881 {
1882 filter_null_suites(suites, &count);
1883 }
1884
1885 if (out)
1886 {
1887 *out = calloc(count, sizeof(tls_cipher_suite_t));
1888 for (i = 0; i < count; i++)
1889 {
1890 (*out)[i] = suites[i].suite;
1891 }
1892 }
1893 return count;
1894 }