Support different hash/sig algorithms in handshake signing, including ECDSA
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275
276 typedef struct private_tls_crypto_t private_tls_crypto_t;
277
278 /**
279 * Private data of an tls_crypto_t object.
280 */
281 struct private_tls_crypto_t {
282
283 /**
284 * Public tls_crypto_t interface.
285 */
286 tls_crypto_t public;
287
288 /**
289 * Protection layer
290 */
291 tls_protection_t *protection;
292
293 /**
294 * List of supported/acceptable cipher suites
295 */
296 tls_cipher_suite_t *suites;
297
298 /**
299 * Number of supported suites
300 */
301 int suite_count;
302
303 /**
304 * Selected cipher suite
305 */
306 tls_cipher_suite_t suite;
307
308 /**
309 * TLS context
310 */
311 tls_t *tls;
312
313 /**
314 * All handshake data concatentated
315 */
316 chunk_t handshake;
317
318 /**
319 * Connection state TLS PRF
320 */
321 tls_prf_t *prf;
322
323 /**
324 * Signer instance for inbound traffic
325 */
326 signer_t *signer_in;
327
328 /**
329 * Signer instance for outbound traffic
330 */
331 signer_t *signer_out;
332
333 /**
334 * Crypter instance for inbound traffic
335 */
336 crypter_t *crypter_in;
337
338 /**
339 * Crypter instance for outbound traffic
340 */
341 crypter_t *crypter_out;
342
343 /**
344 * IV for input decryption, if < TLSv1.2
345 */
346 chunk_t iv_in;
347
348 /**
349 * IV for output decryption, if < TLSv1.2
350 */
351 chunk_t iv_out;
352
353 /**
354 * EAP-[T]TLS MSK
355 */
356 chunk_t msk;
357
358 /**
359 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
360 */
361 char *msk_label;
362 };
363
364 typedef struct {
365 tls_cipher_suite_t suite;
366 hash_algorithm_t hash;
367 pseudo_random_function_t prf;
368 integrity_algorithm_t mac;
369 encryption_algorithm_t encr;
370 size_t encr_size;
371 } suite_algs_t;
372
373 /**
374 * Mapping suites to a set of algorithms
375 */
376 static suite_algs_t suite_algs[] = {
377 { TLS_RSA_WITH_AES_128_CBC_SHA,
378 HASH_SHA1, PRF_HMAC_SHA1,
379 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
380 },
381 { TLS_RSA_WITH_AES_128_CBC_SHA256,
382 HASH_SHA256, PRF_HMAC_SHA2_256,
383 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
384 },
385 { TLS_RSA_WITH_AES_256_CBC_SHA,
386 HASH_SHA1, PRF_HMAC_SHA1,
387 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
388 },
389 { TLS_RSA_WITH_AES_256_CBC_SHA256,
390 HASH_SHA256, PRF_HMAC_SHA2_256,
391 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
392 },
393 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
394 HASH_SHA1, PRF_HMAC_SHA1,
395 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
396 },
397 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
398 HASH_SHA256, PRF_HMAC_SHA2_256,
399 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
400 },
401 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
402 HASH_SHA1, PRF_HMAC_SHA1,
403 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
404 },
405 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
406 HASH_SHA256, PRF_HMAC_SHA2_256,
407 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
408 },
409 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
410 HASH_SHA1, PRF_HMAC_SHA1,
411 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
412 },
413 { TLS_RSA_WITH_NULL_SHA,
414 HASH_SHA1, PRF_HMAC_SHA1,
415 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
416 },
417 { TLS_RSA_WITH_NULL_SHA256,
418 HASH_SHA256, PRF_HMAC_SHA2_256,
419 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
420 },
421 { TLS_RSA_WITH_NULL_MD5,
422 HASH_MD5, PRF_HMAC_MD5,
423 AUTH_HMAC_MD5_128, ENCR_NULL, 0
424 },
425 };
426
427 /**
428 * Look up algoritms by a suite
429 */
430 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
431 {
432 int i;
433
434 for (i = 0; i < countof(suite_algs); i++)
435 {
436 if (suite_algs[i].suite == suite)
437 {
438 return &suite_algs[i];
439 }
440 }
441 return NULL;
442 }
443
444 /**
445 * Filter a suite list using a transform enumerator
446 */
447 static void filter_suite(private_tls_crypto_t *this,
448 suite_algs_t suites[], int *count, int offset,
449 enumerator_t*(*create_enumerator)(crypto_factory_t*))
450 {
451 suite_algs_t current;
452 int i, remaining = 0;
453 enumerator_t *enumerator;
454
455 memset(&current, 0, sizeof(current));
456 for (i = 0; i < *count; i++)
457 {
458 enumerator = create_enumerator(lib->crypto);
459 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
460 {
461 if ((suites[i].encr == ENCR_NULL ||
462 !current.encr || current.encr == suites[i].encr) &&
463 (!current.mac || current.mac == suites[i].mac) &&
464 (!current.prf || current.prf == suites[i].prf) &&
465 (!current.hash || current.hash == suites[i].hash))
466 {
467 suites[remaining] = suites[i];
468 remaining++;
469 break;
470 }
471 }
472 enumerator->destroy(enumerator);
473 }
474 *count = remaining;
475 }
476
477 /**
478 * Purge NULL encryption cipher suites from list
479 */
480 static void filter_null_suites(private_tls_crypto_t *this,
481 suite_algs_t suites[], int *count)
482 {
483 int i, remaining = 0;
484
485 for (i = 0; i < *count; i++)
486 {
487 if (suites[i].encr != ENCR_NULL)
488 {
489 suites[remaining] = suites[i];
490 remaining++;
491 }
492 }
493 *count = remaining;
494 }
495
496 /**
497 * Initialize the cipher suite list
498 */
499 static void build_cipher_suite_list(private_tls_crypto_t *this,
500 bool require_encryption)
501 {
502 suite_algs_t suites[countof(suite_algs)];
503 int count = countof(suite_algs), i;
504
505 /* copy all suites */
506 for (i = 0; i < count; i++)
507 {
508 suites[i] = suite_algs[i];
509 }
510 if (require_encryption)
511 {
512 filter_null_suites(this, suites, &count);
513 }
514 /* filter suite list by each algorithm */
515 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
516 lib->crypto->create_crypter_enumerator);
517 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
518 lib->crypto->create_signer_enumerator);
519 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
520 lib->crypto->create_prf_enumerator);
521 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
522 lib->crypto->create_hasher_enumerator);
523
524 free(this->suites);
525 this->suite_count = count;
526 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
527
528 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
529 for (i = 0; i < count; i++)
530 {
531 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
532 this->suites[i] = suites[i].suite;
533 }
534 }
535
536 METHOD(tls_crypto_t, get_cipher_suites, int,
537 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
538 {
539 *suites = this->suites;
540 return this->suite_count;
541 }
542
543 /**
544 * Create crypto primitives
545 */
546 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
547 {
548 suite_algs_t *algs;
549
550 algs = find_suite(suite);
551 if (!algs)
552 {
553 DBG1(DBG_TLS, "selected TLS suite not supported");
554 return FALSE;
555 }
556
557 DESTROY_IF(this->prf);
558 if (this->tls->get_version(this->tls) < TLS_1_2)
559 {
560 this->prf = tls_prf_create_10();
561 }
562 else
563 {
564 this->prf = tls_prf_create_12(algs->prf);
565 }
566 if (!this->prf)
567 {
568 DBG1(DBG_TLS, "selected TLS PRF not supported");
569 return FALSE;
570 }
571
572 DESTROY_IF(this->signer_in);
573 DESTROY_IF(this->signer_out);
574 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
575 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
576 if (!this->signer_in || !this->signer_out)
577 {
578 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
579 integrity_algorithm_names, algs->mac);
580 return FALSE;
581 }
582
583 DESTROY_IF(this->crypter_in);
584 DESTROY_IF(this->crypter_out);
585 if (algs->encr == ENCR_NULL)
586 {
587 this->crypter_in = this->crypter_out = NULL;
588 }
589 else
590 {
591 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
592 algs->encr, algs->encr_size);
593 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
594 algs->encr, algs->encr_size);
595 if (!this->crypter_in || !this->crypter_out)
596 {
597 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
598 encryption_algorithm_names, algs->encr);
599 return FALSE;
600 }
601 }
602 return TRUE;
603 }
604
605 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
606 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
607 {
608 int i, j;
609
610 for (i = 0; i < this->suite_count; i++)
611 {
612 for (j = 0; j < count; j++)
613 {
614 if (this->suites[i] == suites[j])
615 {
616 if (create_ciphers(this, this->suites[i]))
617 {
618 this->suite = this->suites[i];
619 return this->suite;
620 }
621 }
622 }
623 }
624 return 0;
625 }
626
627 METHOD(tls_crypto_t, set_protection, void,
628 private_tls_crypto_t *this, tls_protection_t *protection)
629 {
630 this->protection = protection;
631 }
632
633 METHOD(tls_crypto_t, append_handshake, void,
634 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
635 {
636 u_int32_t header;
637
638 /* reconstruct handshake header */
639 header = htonl(data.len | (type << 24));
640 this->handshake = chunk_cat("mcc", this->handshake,
641 chunk_from_thing(header), data);
642 }
643
644 /**
645 * Create a hash of the stored handshake data
646 */
647 static bool hash_handshake(private_tls_crypto_t *this, chunk_t *hash)
648 {
649 if (this->tls->get_version(this->tls) >= TLS_1_2)
650 {
651 hasher_t *hasher;
652 suite_algs_t *alg;
653
654 alg = find_suite(this->suite);
655 if (!alg)
656 {
657 return FALSE;
658 }
659 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
660 if (!hasher)
661 {
662 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
663 return FALSE;
664 }
665 hasher->allocate_hash(hasher, this->handshake, hash);
666 hasher->destroy(hasher);
667 }
668 else
669 {
670 hasher_t *md5, *sha1;
671 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
672
673 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
674 if (!md5)
675 {
676 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
677 return FALSE;
678 }
679 md5->get_hash(md5, this->handshake, buf);
680 md5->destroy(md5);
681 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
682 if (!sha1)
683 {
684 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
685 return FALSE;
686 }
687 sha1->get_hash(sha1, this->handshake, buf + HASH_SIZE_MD5);
688 sha1->destroy(sha1);
689
690 *hash = chunk_clone(chunk_from_thing(buf));
691 }
692 return TRUE;
693 }
694
695 /**
696 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
697 */
698 static signature_scheme_t hashsig_to_scheme(key_type_t type,
699 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
700 {
701 switch (sig)
702 {
703 case TLS_SIG_RSA:
704 if (type != KEY_RSA)
705 {
706 return SIGN_UNKNOWN;
707 }
708 switch (hash)
709 {
710 case TLS_HASH_MD5:
711 return SIGN_RSA_EMSA_PKCS1_MD5;
712 case TLS_HASH_SHA1:
713 return SIGN_RSA_EMSA_PKCS1_SHA1;
714 case TLS_HASH_SHA224:
715 return SIGN_RSA_EMSA_PKCS1_SHA224;
716 case TLS_HASH_SHA256:
717 return SIGN_RSA_EMSA_PKCS1_SHA256;
718 case TLS_HASH_SHA384:
719 return SIGN_RSA_EMSA_PKCS1_SHA384;
720 case TLS_HASH_SHA512:
721 return SIGN_RSA_EMSA_PKCS1_SHA512;
722 default:
723 return SIGN_UNKNOWN;
724 }
725 case TLS_SIG_ECDSA:
726 if (type != KEY_ECDSA)
727 {
728 return SIGN_UNKNOWN;
729 }
730 switch (hash)
731 {
732 case TLS_HASH_SHA224:
733 return SIGN_ECDSA_WITH_SHA1_DER;
734 case TLS_HASH_SHA256:
735 return SIGN_ECDSA_WITH_SHA256_DER;
736 case TLS_HASH_SHA384:
737 return SIGN_ECDSA_WITH_SHA384_DER;
738 case TLS_HASH_SHA512:
739 return SIGN_ECDSA_WITH_SHA512_DER;
740 default:
741 return SIGN_UNKNOWN;
742 }
743 default:
744 return SIGN_UNKNOWN;
745 }
746 }
747
748 METHOD(tls_crypto_t, sign_handshake, bool,
749 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
750 chunk_t hashsig)
751 {
752 if (this->tls->get_version(this->tls) >= TLS_1_2)
753 {
754 signature_scheme_t scheme;
755 tls_reader_t *reader;
756 u_int8_t hash, alg;
757 chunk_t sig;
758 bool done = FALSE;
759
760 reader = tls_reader_create(hashsig);
761 while (reader->remaining(reader) >= 2)
762 {
763 if (reader->read_uint8(reader, &hash) &&
764 reader->read_uint8(reader, &alg))
765 {
766 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
767 if (scheme != SIGN_UNKNOWN &&
768 key->sign(key, scheme, this->handshake, &sig))
769 {
770 done = TRUE;
771 break;
772 }
773 }
774 }
775 reader->destroy(reader);
776 if (!done)
777 {
778 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
779 return FALSE;
780 }
781 DBG2(DBG_TLS, "signed handshake data with %N/%N",
782 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
783 writer->write_uint8(writer, hash);
784 writer->write_uint8(writer, alg);
785 writer->write_data16(writer, sig);
786 free(sig.ptr);
787 }
788 else
789 {
790 chunk_t sig, hash;
791
792 switch (key->get_type(key))
793 {
794 case KEY_RSA:
795 if (!hash_handshake(this, &hash))
796 {
797 return FALSE;
798 }
799 if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig))
800 {
801 free(hash.ptr);
802 return FALSE;
803 }
804 DBG2(DBG_TLS, "signed handshake data with SHA1+MD5/RSA");
805 free(hash.ptr);
806 break;
807 case KEY_ECDSA:
808 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER,
809 this->handshake, &sig))
810 {
811 return FALSE;
812 }
813 DBG2(DBG_TLS, "signed handshake data with SHA1/ECDSA");
814 break;
815 default:
816 return FALSE;
817 }
818 writer->write_data16(writer, sig);
819 free(sig.ptr);
820 }
821 return TRUE;
822 }
823
824 METHOD(tls_crypto_t, verify_handshake, bool,
825 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
826 {
827 if (this->tls->get_version(this->tls) >= TLS_1_2)
828 {
829 signature_scheme_t scheme = SIGN_UNKNOWN;
830 u_int8_t hash, alg;
831 chunk_t sig;
832
833 if (!reader->read_uint8(reader, &hash) ||
834 !reader->read_uint8(reader, &alg) ||
835 !reader->read_data16(reader, &sig))
836 {
837 DBG1(DBG_TLS, "received invalid Certificate Verify");
838 return FALSE;
839 }
840 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
841 if (scheme == SIGN_UNKNOWN)
842 {
843 DBG1(DBG_TLS, "Certificate Verify algorithms %N/%N not supported",
844 tls_hash_algorithm_names, hash,
845 tls_signature_algorithm_names, alg);
846 return FALSE;
847 }
848 if (!key->verify(key, scheme, this->handshake, sig))
849 {
850 return FALSE;
851 }
852 DBG2(DBG_TLS, "verified handshake data with %N/%N",
853 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
854 }
855 else
856 {
857 chunk_t sig, hash;
858
859 if (!reader->read_data16(reader, &sig))
860 {
861 DBG1(DBG_TLS, "received invalid Certificate Verify");
862 return FALSE;
863 }
864 switch (key->get_type(key))
865 {
866 case KEY_RSA:
867 if (!hash_handshake(this, &hash))
868 {
869 return FALSE;
870 }
871 if (!key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
872 {
873 free(hash.ptr);
874 return FALSE;
875 }
876 DBG2(DBG_TLS, "verified handshake data with SHA1+MD5/RSA");
877 free(hash.ptr);
878 break;
879 case KEY_ECDSA:
880 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER,
881 this->handshake, sig))
882 {
883 free(hash.ptr);
884 return FALSE;
885 }
886 DBG2(DBG_TLS, "verified handshake data with SHA1/ECDSA");
887 break;
888 default:
889 return FALSE;
890 }
891 }
892 return TRUE;
893 }
894
895 METHOD(tls_crypto_t, calculate_finished, bool,
896 private_tls_crypto_t *this, char *label, char out[12])
897 {
898 chunk_t seed;
899
900 if (!this->prf)
901 {
902 return FALSE;
903 }
904 if (!hash_handshake(this, &seed))
905 {
906 return FALSE;
907 }
908 this->prf->get_bytes(this->prf, label, seed, 12, out);
909 free(seed.ptr);
910 return TRUE;
911 }
912
913 METHOD(tls_crypto_t, derive_secrets, void,
914 private_tls_crypto_t *this, chunk_t premaster,
915 chunk_t client_random, chunk_t server_random)
916 {
917 char master[48];
918 chunk_t seed, block, client_write, server_write;
919 int mks, eks = 0, ivs = 0;
920
921 /* derive master secret */
922 seed = chunk_cata("cc", client_random, server_random);
923 this->prf->set_key(this->prf, premaster);
924 this->prf->get_bytes(this->prf, "master secret", seed,
925 sizeof(master), master);
926
927 this->prf->set_key(this->prf, chunk_from_thing(master));
928 memset(master, 0, sizeof(master));
929
930 /* derive key block for key expansion */
931 mks = this->signer_out->get_key_size(this->signer_out);
932 if (this->crypter_out)
933 {
934 eks = this->crypter_out->get_key_size(this->crypter_out);
935 if (this->tls->get_version(this->tls) < TLS_1_1)
936 {
937 ivs = this->crypter_out->get_iv_size(this->crypter_out);
938 }
939 }
940 seed = chunk_cata("cc", server_random, client_random);
941 block = chunk_alloca((mks + eks + ivs) * 2);
942 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
943
944 /* signer keys */
945 client_write = chunk_create(block.ptr, mks);
946 block = chunk_skip(block, mks);
947 server_write = chunk_create(block.ptr, mks);
948 block = chunk_skip(block, mks);
949 if (this->tls->is_server(this->tls))
950 {
951 this->signer_in->set_key(this->signer_in, client_write);
952 this->signer_out->set_key(this->signer_out, server_write);
953 }
954 else
955 {
956 this->signer_out->set_key(this->signer_out, client_write);
957 this->signer_in->set_key(this->signer_in, server_write);
958 }
959
960 /* crypter keys, and IVs if < TLSv1.2 */
961 if (this->crypter_out && this->crypter_in)
962 {
963 client_write = chunk_create(block.ptr, eks);
964 block = chunk_skip(block, eks);
965 server_write = chunk_create(block.ptr, eks);
966 block = chunk_skip(block, eks);
967
968 if (this->tls->is_server(this->tls))
969 {
970 this->crypter_in->set_key(this->crypter_in, client_write);
971 this->crypter_out->set_key(this->crypter_out, server_write);
972 }
973 else
974 {
975 this->crypter_out->set_key(this->crypter_out, client_write);
976 this->crypter_in->set_key(this->crypter_in, server_write);
977 }
978 if (ivs)
979 {
980 client_write = chunk_create(block.ptr, ivs);
981 block = chunk_skip(block, ivs);
982 server_write = chunk_create(block.ptr, ivs);
983 block = chunk_skip(block, ivs);
984
985 if (this->tls->is_server(this->tls))
986 {
987 this->iv_in = chunk_clone(client_write);
988 this->iv_out = chunk_clone(server_write);
989 }
990 else
991 {
992 this->iv_out = chunk_clone(client_write);
993 this->iv_in = chunk_clone(server_write);
994 }
995 }
996 }
997 }
998
999 METHOD(tls_crypto_t, change_cipher, void,
1000 private_tls_crypto_t *this, bool inbound)
1001 {
1002 if (this->protection)
1003 {
1004 if (inbound)
1005 {
1006 this->protection->set_cipher(this->protection, TRUE,
1007 this->signer_in, this->crypter_in, this->iv_in);
1008 }
1009 else
1010 {
1011 this->protection->set_cipher(this->protection, FALSE,
1012 this->signer_out, this->crypter_out, this->iv_out);
1013 }
1014 }
1015 }
1016
1017 METHOD(tls_crypto_t, derive_eap_msk, void,
1018 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1019 {
1020 if (this->msk_label)
1021 {
1022 chunk_t seed;
1023
1024 seed = chunk_cata("cc", client_random, server_random);
1025 free(this->msk.ptr);
1026 this->msk = chunk_alloc(64);
1027 this->prf->get_bytes(this->prf, this->msk_label, seed,
1028 this->msk.len, this->msk.ptr);
1029 }
1030 }
1031
1032 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1033 private_tls_crypto_t *this)
1034 {
1035 return this->msk;
1036 }
1037
1038 METHOD(tls_crypto_t, destroy, void,
1039 private_tls_crypto_t *this)
1040 {
1041 DESTROY_IF(this->signer_in);
1042 DESTROY_IF(this->signer_out);
1043 DESTROY_IF(this->crypter_in);
1044 DESTROY_IF(this->crypter_out);
1045 free(this->iv_in.ptr);
1046 free(this->iv_out.ptr);
1047 free(this->handshake.ptr);
1048 free(this->msk.ptr);
1049 DESTROY_IF(this->prf);
1050 free(this->suites);
1051 free(this);
1052 }
1053
1054 /**
1055 * See header
1056 */
1057 tls_crypto_t *tls_crypto_create(tls_t *tls)
1058 {
1059 private_tls_crypto_t *this;
1060
1061 INIT(this,
1062 .public = {
1063 .get_cipher_suites = _get_cipher_suites,
1064 .select_cipher_suite = _select_cipher_suite,
1065 .set_protection = _set_protection,
1066 .append_handshake = _append_handshake,
1067 .sign_handshake = _sign_handshake,
1068 .verify_handshake = _verify_handshake,
1069 .calculate_finished = _calculate_finished,
1070 .derive_secrets = _derive_secrets,
1071 .change_cipher = _change_cipher,
1072 .derive_eap_msk = _derive_eap_msk,
1073 .get_eap_msk = _get_eap_msk,
1074 .destroy = _destroy,
1075 },
1076 .tls = tls,
1077 );
1078
1079 switch (tls->get_purpose(tls))
1080 {
1081 case TLS_PURPOSE_EAP_TLS:
1082 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1083 this->msk_label = "client EAP encryption";
1084 build_cipher_suite_list(this, FALSE);
1085 break;
1086 case TLS_PURPOSE_EAP_TTLS:
1087 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1088 this->msk_label = "ttls keying material";
1089 build_cipher_suite_list(this, TRUE);
1090 break;
1091 case TLS_PURPOSE_GENERIC:
1092 build_cipher_suite_list(this, TRUE);
1093 break;
1094 }
1095 return &this->public;
1096 }