Merge branch 'tls-aead'
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19 #include <plugins/plugin_feature.h>
20
21 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
22 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
23 "TLS_NULL_WITH_NULL_NULL",
24 "TLS_RSA_WITH_NULL_MD5",
25 "TLS_RSA_WITH_NULL_SHA",
26 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
27 "TLS_RSA_WITH_RC4_128_MD5",
28 "TLS_RSA_WITH_RC4_128_SHA",
29 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
30 "TLS_RSA_WITH_IDEA_CBC_SHA",
31 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
32 "TLS_RSA_WITH_DES_CBC_SHA",
33 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
34 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
35 "TLS_DH_DSS_WITH_DES_CBC_SHA",
36 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
37 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_DH_RSA_WITH_DES_CBC_SHA",
39 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
42 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
45 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
47 "TLS_DH_anon_WITH_RC4_128_MD5",
48 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DH_anon_WITH_DES_CBC_SHA",
50 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
51 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
52 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
53 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
54 "TLS_KRB5_WITH_DES_CBC_SHA",
55 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
56 "TLS_KRB5_WITH_RC4_128_SHA",
57 "TLS_KRB5_WITH_IDEA_CBC_SHA",
58 "TLS_KRB5_WITH_DES_CBC_MD5",
59 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
60 "TLS_KRB5_WITH_RC4_128_MD5",
61 "TLS_KRB5_WITH_IDEA_CBC_MD5",
62 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
65 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
67 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
68 "TLS_PSK_WITH_NULL_SHA",
69 "TLS_DHE_PSK_WITH_NULL_SHA",
70 "TLS_RSA_PSK_WITH_NULL_SHA",
71 "TLS_RSA_WITH_AES_128_CBC_SHA",
72 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
73 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
75 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
76 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
77 "TLS_RSA_WITH_AES_256_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
83 "TLS_RSA_WITH_NULL_SHA256",
84 "TLS_RSA_WITH_AES_128_CBC_SHA256",
85 "TLS_RSA_WITH_AES_256_CBC_SHA256",
86 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
87 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
88 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
89 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
94 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
95 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
96 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
97 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
104 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
105 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
106 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
107 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
108 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
114 "TLS_PSK_WITH_RC4_128_SHA",
115 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
116 "TLS_PSK_WITH_AES_128_CBC_SHA",
117 "TLS_PSK_WITH_AES_256_CBC_SHA",
118 "TLS_DHE_PSK_WITH_RC4_128_SHA",
119 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
121 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
122 "TLS_RSA_PSK_WITH_RC4_128_SHA",
123 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_RSA_WITH_SEED_CBC_SHA",
127 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
128 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
129 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
130 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
131 "TLS_DH_anon_WITH_SEED_CBC_SHA",
132 "TLS_RSA_WITH_AES_128_GCM_SHA256",
133 "TLS_RSA_WITH_AES_256_GCM_SHA384",
134 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
135 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
136 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
137 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
138 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
139 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
140 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
141 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
144 "TLS_PSK_WITH_AES_128_GCM_SHA256",
145 "TLS_PSK_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
148 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
149 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_CBC_SHA256",
151 "TLS_PSK_WITH_AES_256_CBC_SHA384",
152 "TLS_PSK_WITH_NULL_SHA256",
153 "TLS_PSK_WITH_NULL_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
156 "TLS_DHE_PSK_WITH_NULL_SHA256",
157 "TLS_DHE_PSK_WITH_NULL_SHA384",
158 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_RSA_PSK_WITH_NULL_SHA256",
161 "TLS_RSA_PSK_WITH_NULL_SHA384",
162 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
168 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
174 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
176 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
177 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
178 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
179 TLS_ECDHE_PSK_WITH_NULL_SHA384,
180 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
181 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
182 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
183 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
185 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
186 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
187 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
188 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
190 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
191 "TLS_ECDH_RSA_WITH_NULL_SHA",
192 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
193 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
195 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
196 "TLS_ECDHE_RSA_WITH_NULL_SHA",
197 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
198 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDH_anon_WITH_NULL_SHA",
202 "TLS_ECDH_anon_WITH_RC4_128_SHA",
203 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
205 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
206 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
209 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
215 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
216 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
217 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
218 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
219 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
220 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
221 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
222 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
223 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
224 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
225 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
226 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
227 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
228 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
229 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
230 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
231 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
232 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
235 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
239 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
240 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
241
242 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
243 "NONE",
244 "MD5",
245 "SHA1",
246 "SHA224",
247 "SHA256",
248 "SHA384",
249 "SHA512",
250 );
251
252 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
253 "RSA",
254 "DSA",
255 "ECDSA",
256 );
257
258 ENUM_BEGIN(tls_client_certificate_type_names,
259 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
260 "RSA_SIGN",
261 "DSA_SIGN",
262 "RSA_FIXED_DH",
263 "DSS_FIXED_DH",
264 "RSA_EPHEMERAL_DH",
265 "DSS_EPHEMERAL_DH");
266 ENUM_NEXT(tls_client_certificate_type_names,
267 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
268 "FORTEZZA_DMS");
269 ENUM_NEXT(tls_client_certificate_type_names,
270 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
271 "ECDSA_SIGN",
272 "RSA_FIXED_ECDH",
273 "ECDSA_FIXED_ECDH");
274 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
275
276 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
277 "EXPLICIT_PRIME",
278 "EXPLICIT_CHAR2",
279 "NAMED_CURVE",
280 );
281
282 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
283 "SECT163K1",
284 "SECT163R1",
285 "SECT163R2",
286 "SECT193R1",
287 "SECT193R2",
288 "SECT233K1",
289 "SECT233R1",
290 "SECT239K1",
291 "SECT283K1",
292 "SECT283R1",
293 "SECT409K1",
294 "SECT409R1",
295 "SECT571K1",
296 "SECT571R1",
297 "SECP160K1",
298 "SECP160R1",
299 "SECP160R2",
300 "SECP192K1",
301 "SECP192R1",
302 "SECP224K1",
303 "SECP224R1",
304 "SECP256K1",
305 "SECP256R1",
306 "SECP384R1",
307 "SECP521R1",
308 );
309
310 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
311 "compressed",
312 "compressed y",
313 "uncompressed",
314 "uncompressed y",
315 "hybrid",
316 "hybrid y",
317 );
318
319 ENUM(tls_ec_point_format_names,
320 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
321 "uncompressed",
322 "ansiX962 compressed prime",
323 "ansiX962 compressed char2",
324 );
325
326 typedef struct private_tls_crypto_t private_tls_crypto_t;
327
328 /**
329 * Private data of an tls_crypto_t object.
330 */
331 struct private_tls_crypto_t {
332
333 /**
334 * Public tls_crypto_t interface.
335 */
336 tls_crypto_t public;
337
338 /**
339 * Protection layer
340 */
341 tls_protection_t *protection;
342
343 /**
344 * List of supported/acceptable cipher suites
345 */
346 tls_cipher_suite_t *suites;
347
348 /**
349 * Number of supported suites
350 */
351 int suite_count;
352
353 /**
354 * Selected cipher suite
355 */
356 tls_cipher_suite_t suite;
357
358 /**
359 * RSA supported?
360 */
361 bool rsa;
362
363 /**
364 * ECDSA supported?
365 */
366 bool ecdsa;
367
368 /**
369 * TLS context
370 */
371 tls_t *tls;
372
373 /**
374 * TLS session cache
375 */
376 tls_cache_t *cache;
377
378 /**
379 * All handshake data concatentated
380 */
381 chunk_t handshake;
382
383 /**
384 * Connection state TLS PRF
385 */
386 tls_prf_t *prf;
387
388 /**
389 * AEAD transform for inbound traffic
390 */
391 tls_aead_t *aead_in;
392
393 /**
394 * AEAD transform for outbound traffic
395 */
396 tls_aead_t *aead_out;
397
398 /**
399 * EAP-[T]TLS MSK
400 */
401 chunk_t msk;
402
403 /**
404 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
405 */
406 char *msk_label;
407 };
408
409 typedef struct {
410 tls_cipher_suite_t suite;
411 key_type_t key;
412 diffie_hellman_group_t dh;
413 hash_algorithm_t hash;
414 pseudo_random_function_t prf;
415 integrity_algorithm_t mac;
416 encryption_algorithm_t encr;
417 size_t encr_size;
418 } suite_algs_t;
419
420 /**
421 * Mapping suites to a set of algorithms
422 */
423 static suite_algs_t suite_algs[] = {
424 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
425 KEY_ECDSA, ECP_256_BIT,
426 HASH_SHA256, PRF_HMAC_SHA2_256,
427 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
428 },
429 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
430 KEY_ECDSA, ECP_256_BIT,
431 HASH_SHA256, PRF_HMAC_SHA2_256,
432 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
433 },
434 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
435 KEY_ECDSA, ECP_384_BIT,
436 HASH_SHA256, PRF_HMAC_SHA2_256,
437 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
438 },
439 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
440 KEY_ECDSA, ECP_384_BIT,
441 HASH_SHA384, PRF_HMAC_SHA2_384,
442 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
443 },
444 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
445 KEY_ECDSA, ECP_256_BIT,
446 HASH_SHA256, PRF_HMAC_SHA2_256,
447 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
448 },
449 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
450 KEY_ECDSA, ECP_384_BIT,
451 HASH_SHA384, PRF_HMAC_SHA2_384,
452 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
453 },
454 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
455 KEY_RSA, ECP_256_BIT,
456 HASH_SHA256, PRF_HMAC_SHA2_256,
457 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
458 },
459 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
460 KEY_RSA, ECP_256_BIT,
461 HASH_SHA256, PRF_HMAC_SHA2_256,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
463 },
464 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
465 KEY_RSA, ECP_384_BIT,
466 HASH_SHA256, PRF_HMAC_SHA2_256,
467 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
468 },
469 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
470 KEY_RSA, ECP_384_BIT,
471 HASH_SHA384, PRF_HMAC_SHA2_384,
472 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
473 },
474 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
475 KEY_RSA, ECP_256_BIT,
476 HASH_SHA256, PRF_HMAC_SHA2_256,
477 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
478 },
479 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
480 KEY_RSA, ECP_384_BIT,
481 HASH_SHA384, PRF_HMAC_SHA2_384,
482 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
483 },
484 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
485 KEY_RSA, MODP_2048_BIT,
486 HASH_SHA256,PRF_HMAC_SHA2_256,
487 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
488 },
489 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
490 KEY_RSA, MODP_3072_BIT,
491 HASH_SHA256, PRF_HMAC_SHA2_256,
492 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
493 },
494 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
495 KEY_RSA, MODP_3072_BIT,
496 HASH_SHA256, PRF_HMAC_SHA2_256,
497 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
498 },
499 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
500 KEY_RSA, MODP_4096_BIT,
501 HASH_SHA256, PRF_HMAC_SHA2_256,
502 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
503 },
504 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
505 KEY_RSA, MODP_3072_BIT,
506 HASH_SHA256, PRF_HMAC_SHA2_256,
507 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
508 },
509 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
510 KEY_RSA, MODP_4096_BIT,
511 HASH_SHA384, PRF_HMAC_SHA2_384,
512 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
513 },
514 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
515 KEY_RSA, MODP_2048_BIT,
516 HASH_SHA256, PRF_HMAC_SHA2_256,
517 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
518 },
519 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
520 KEY_RSA, MODP_3072_BIT,
521 HASH_SHA256, PRF_HMAC_SHA2_256,
522 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
523 },
524 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
525 KEY_RSA, MODP_3072_BIT,
526 HASH_SHA256, PRF_HMAC_SHA2_256,
527 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
528 },
529 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
530 KEY_RSA, MODP_4096_BIT,
531 HASH_SHA256, PRF_HMAC_SHA2_256,
532 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
533 },
534 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
535 KEY_RSA, MODP_2048_BIT,
536 HASH_SHA256, PRF_HMAC_SHA2_256,
537 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
538 },
539 { TLS_RSA_WITH_AES_128_CBC_SHA,
540 KEY_RSA, MODP_NONE,
541 HASH_SHA256, PRF_HMAC_SHA2_256,
542 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
543 },
544 { TLS_RSA_WITH_AES_128_CBC_SHA256,
545 KEY_RSA, MODP_NONE,
546 HASH_SHA256, PRF_HMAC_SHA2_256,
547 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
548 },
549 { TLS_RSA_WITH_AES_256_CBC_SHA,
550 KEY_RSA, MODP_NONE,
551 HASH_SHA256, PRF_HMAC_SHA2_256,
552 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
553 },
554 { TLS_RSA_WITH_AES_256_CBC_SHA256,
555 KEY_RSA, MODP_NONE,
556 HASH_SHA256, PRF_HMAC_SHA2_256,
557 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
558 },
559 { TLS_RSA_WITH_AES_128_GCM_SHA256,
560 KEY_RSA, MODP_NONE,
561 HASH_SHA256, PRF_HMAC_SHA2_256,
562 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
563 },
564 { TLS_RSA_WITH_AES_256_GCM_SHA384,
565 KEY_RSA, MODP_NONE,
566 HASH_SHA384, PRF_HMAC_SHA2_384,
567 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
568 },
569 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
570 KEY_RSA, MODP_NONE,
571 HASH_SHA256, PRF_HMAC_SHA2_256,
572 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
573 },
574 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
575 KEY_RSA, MODP_NONE,
576 HASH_SHA256, PRF_HMAC_SHA2_256,
577 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
578 },
579 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
580 KEY_RSA, MODP_NONE,
581 HASH_SHA256, PRF_HMAC_SHA2_256,
582 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
583 },
584 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
585 KEY_RSA, MODP_NONE,
586 HASH_SHA256, PRF_HMAC_SHA2_256,
587 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
588 },
589 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
590 KEY_ECDSA, ECP_256_BIT,
591 HASH_SHA256, PRF_HMAC_SHA2_256,
592 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
593 },
594 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
595 KEY_RSA, ECP_256_BIT,
596 HASH_SHA256, PRF_HMAC_SHA2_256,
597 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
598 },
599 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
600 KEY_RSA, MODP_NONE,
601 HASH_SHA256, PRF_HMAC_SHA2_256,
602 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
603 },
604 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
605 KEY_ECDSA, ECP_256_BIT,
606 HASH_SHA256, PRF_HMAC_SHA2_256,
607 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
608 },
609 { TLS_ECDHE_RSA_WITH_NULL_SHA,
610 KEY_ECDSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
613 },
614 { TLS_RSA_WITH_NULL_SHA,
615 KEY_RSA, MODP_NONE,
616 HASH_SHA256, PRF_HMAC_SHA2_256,
617 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
618 },
619 { TLS_RSA_WITH_NULL_SHA256,
620 KEY_RSA, MODP_NONE,
621 HASH_SHA256, PRF_HMAC_SHA2_256,
622 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
623 },
624 { TLS_RSA_WITH_NULL_MD5,
625 KEY_RSA, MODP_NONE,
626 HASH_SHA256, PRF_HMAC_SHA2_256,
627 AUTH_HMAC_MD5_128, ENCR_NULL, 0
628 },
629 };
630
631 /**
632 * Look up algorithms by a suite
633 */
634 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
635 {
636 int i;
637
638 for (i = 0; i < countof(suite_algs); i++)
639 {
640 if (suite_algs[i].suite == suite)
641 {
642 return &suite_algs[i];
643 }
644 }
645 return NULL;
646 }
647
648 /**
649 * Filter a suite list using a transform enumerator
650 */
651 static void filter_suite(private_tls_crypto_t *this,
652 suite_algs_t suites[], int *count, int offset,
653 enumerator_t*(*create_enumerator)(crypto_factory_t*))
654 {
655 const char *plugin_name;
656 suite_algs_t current;
657 int *current_alg, i, remaining = 0;
658 enumerator_t *enumerator;
659
660 memset(&current, 0, sizeof(current));
661 current_alg = (int*)((char*)&current + offset);
662
663 for (i = 0; i < *count; i++)
664 {
665 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
666 encryption_algorithm_is_aead(suites[i].encr))
667 { /* filtering crypters, but current suite uses an AEAD, apply */
668 suites[remaining] = suites[i];
669 remaining++;
670 continue;
671 }
672 if (create_enumerator == lib->crypto->create_aead_enumerator &&
673 !encryption_algorithm_is_aead(suites[i].encr))
674 { /* filtering AEADs, but current suite doesn't use one, apply */
675 suites[remaining] = suites[i];
676 remaining++;
677 continue;
678 }
679 enumerator = create_enumerator(lib->crypto);
680 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
681 {
682 if (current.encr && current.encr != suites[i].encr)
683 {
684 if (suites[i].encr != ENCR_NULL)
685 { /* skip, ENCR does not match nor is NULL */
686 continue;
687 }
688 }
689 if (current.mac && current.mac != suites[i].mac)
690 {
691 if (suites[i].mac != AUTH_UNDEFINED)
692 { /* skip, MAC does not match nor is it undefined */
693 continue;
694 }
695 }
696 if (current.prf && current.prf != suites[i].prf)
697 { /* skip, PRF does not match */
698 continue;
699 }
700 if (current.hash && current.hash != suites[i].hash)
701 { /* skip, hash does not match */
702 continue;
703 }
704 if (current.dh && current.dh != suites[i].dh)
705 {
706 if (suites[i].dh != MODP_NONE)
707 { /* skip DH group, does not match nor NONE */
708 continue;
709 }
710 }
711 /* suite supported, apply */
712 suites[remaining] = suites[i];
713 remaining++;
714 break;
715 }
716 enumerator->destroy(enumerator);
717 }
718 *count = remaining;
719 }
720
721 /**
722 * Purge NULL encryption cipher suites from list
723 */
724 static void filter_null_suites(private_tls_crypto_t *this,
725 suite_algs_t suites[], int *count)
726 {
727 int i, remaining = 0;
728
729 for (i = 0; i < *count; i++)
730 {
731 if (suites[i].encr != ENCR_NULL)
732 {
733 suites[remaining] = suites[i];
734 remaining++;
735 }
736 }
737 *count = remaining;
738 }
739
740 /**
741 * Purge suites using a given key type
742 */
743 static void filter_key_suites(private_tls_crypto_t *this,
744 suite_algs_t suites[], int *count, key_type_t key)
745 {
746 int i, remaining = 0;
747
748 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
749 for (i = 0; i < *count; i++)
750 {
751 if (suites[i].key != key)
752 {
753 suites[remaining] = suites[i];
754 remaining++;
755 }
756 }
757 *count = remaining;
758 }
759
760 /**
761 * Filter suites by key exchange user config
762 */
763 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
764 suite_algs_t suites[], int *count)
765 {
766 enumerator_t *enumerator;
767 int i, remaining = 0;
768 char *token, *config;
769
770 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
771 lib->ns);
772 if (config)
773 {
774 for (i = 0; i < *count; i++)
775 {
776 enumerator = enumerator_create_token(config, ",", " ");
777 while (enumerator->enumerate(enumerator, &token))
778 {
779 if (strcaseeq(token, "ecdhe-ecdsa") &&
780 diffie_hellman_group_is_ec(suites[i].dh) &&
781 suites[i].key == KEY_ECDSA)
782 {
783 suites[remaining++] = suites[i];
784 break;
785 }
786 if (strcaseeq(token, "ecdhe-rsa") &&
787 diffie_hellman_group_is_ec(suites[i].dh) &&
788 suites[i].key == KEY_RSA)
789 {
790 suites[remaining++] = suites[i];
791 break;
792 }
793 if (strcaseeq(token, "dhe-rsa") &&
794 !diffie_hellman_group_is_ec(suites[i].dh) &&
795 suites[i].dh != MODP_NONE &&
796 suites[i].key == KEY_RSA)
797 {
798 suites[remaining++] = suites[i];
799 break;
800 }
801 if (strcaseeq(token, "rsa") &&
802 suites[i].dh == MODP_NONE &&
803 suites[i].key == KEY_RSA)
804 {
805 suites[remaining++] = suites[i];
806 break;
807 }
808 }
809 enumerator->destroy(enumerator);
810 }
811 *count = remaining;
812 }
813 }
814
815 /**
816 * Filter suites by cipher user config
817 */
818 static void filter_cipher_config_suites(private_tls_crypto_t *this,
819 suite_algs_t suites[], int *count)
820 {
821 enumerator_t *enumerator;
822 int i, remaining = 0;
823 char *token, *config;
824
825 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
826 lib->ns);
827 if (config)
828 {
829 for (i = 0; i < *count; i++)
830 {
831 enumerator = enumerator_create_token(config, ",", " ");
832 while (enumerator->enumerate(enumerator, &token))
833 {
834 if (strcaseeq(token, "aes128") &&
835 suites[i].encr == ENCR_AES_CBC &&
836 suites[i].encr_size == 16)
837 {
838 suites[remaining++] = suites[i];
839 break;
840 }
841 if (strcaseeq(token, "aes256") &&
842 suites[i].encr == ENCR_AES_CBC &&
843 suites[i].encr_size == 32)
844 {
845 suites[remaining++] = suites[i];
846 break;
847 }
848 if (strcaseeq(token, "aes128gcm") &&
849 suites[i].encr == ENCR_AES_GCM_ICV16 &&
850 suites[i].encr_size == 16)
851 {
852 suites[remaining++] = suites[i];
853 break;
854 }
855 if (strcaseeq(token, "aes256gcm") &&
856 suites[i].encr == ENCR_AES_GCM_ICV16 &&
857 suites[i].encr_size == 32)
858 {
859 suites[remaining++] = suites[i];
860 break;
861 }
862 if (strcaseeq(token, "camellia128") &&
863 suites[i].encr == ENCR_CAMELLIA_CBC &&
864 suites[i].encr_size == 16)
865 {
866 suites[remaining++] = suites[i];
867 break;
868 }
869 if (strcaseeq(token, "camellia256") &&
870 suites[i].encr == ENCR_CAMELLIA_CBC &&
871 suites[i].encr_size == 32)
872 {
873 suites[remaining++] = suites[i];
874 break;
875 }
876 if (strcaseeq(token, "3des") &&
877 suites[i].encr == ENCR_3DES)
878 {
879 suites[remaining++] = suites[i];
880 break;
881 }
882 if (strcaseeq(token, "null") &&
883 suites[i].encr == ENCR_NULL)
884 {
885 suites[remaining++] = suites[i];
886 break;
887 }
888 }
889 enumerator->destroy(enumerator);
890 }
891 *count = remaining;
892 }
893 }
894
895 /**
896 * Filter suites by mac user config
897 */
898 static void filter_mac_config_suites(private_tls_crypto_t *this,
899 suite_algs_t suites[], int *count)
900 {
901 enumerator_t *enumerator;
902 int i, remaining = 0;
903 char *token, *config;
904
905 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
906 lib->ns);
907 if (config)
908 {
909 for (i = 0; i < *count; i++)
910 {
911 enumerator = enumerator_create_token(config, ",", " ");
912 while (enumerator->enumerate(enumerator, &token))
913 {
914 if (strcaseeq(token, "md5") &&
915 suites[i].mac == AUTH_HMAC_MD5_128)
916 {
917 suites[remaining++] = suites[i];
918 break;
919 }
920 if (strcaseeq(token, "sha1") &&
921 suites[i].mac == AUTH_HMAC_SHA1_160)
922 {
923 suites[remaining++] = suites[i];
924 break;
925 }
926 if (strcaseeq(token, "sha256") &&
927 suites[i].mac == AUTH_HMAC_SHA2_256_256)
928 {
929 suites[remaining++] = suites[i];
930 break;
931 }
932 if (strcaseeq(token, "sha384") &&
933 suites[i].mac == AUTH_HMAC_SHA2_384_384)
934 {
935 suites[remaining++] = suites[i];
936 break;
937 }
938 }
939 enumerator->destroy(enumerator);
940 }
941 *count = remaining;
942 }
943 }
944
945 /**
946 * Filter for specific suites specified in strongswan.conf
947 */
948 static void filter_specific_config_suites(private_tls_crypto_t *this,
949 suite_algs_t suites[], int *count)
950 {
951 enumerator_t *enumerator;
952 int i, remaining = 0, suite;
953 char *token, *config;
954
955 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
956 lib->ns);
957 if (config)
958 {
959 for (i = 0; i < *count; i++)
960 {
961 enumerator = enumerator_create_token(config, ",", " ");
962 while (enumerator->enumerate(enumerator, &token))
963 {
964 suite = enum_from_name(tls_cipher_suite_names, token);
965 if (suite == suites[i].suite)
966 {
967 suites[remaining++] = suites[i];
968 break;
969 }
970 }
971 enumerator->destroy(enumerator);
972 }
973 *count = remaining;
974 }
975 }
976
977 /**
978 * Initialize the cipher suite list
979 */
980 static void build_cipher_suite_list(private_tls_crypto_t *this,
981 bool require_encryption)
982 {
983 suite_algs_t suites[countof(suite_algs)];
984 int count = countof(suite_algs), i;
985
986 /* copy all suites */
987 for (i = 0; i < count; i++)
988 {
989 suites[i] = suite_algs[i];
990 }
991 if (require_encryption)
992 {
993 filter_null_suites(this, suites, &count);
994 }
995 if (!this->rsa)
996 {
997 filter_key_suites(this, suites, &count, KEY_RSA);
998 }
999 if (!this->ecdsa)
1000 {
1001 filter_key_suites(this, suites, &count, KEY_ECDSA);
1002 }
1003
1004 /* filter suite list by each algorithm */
1005 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
1006 lib->crypto->create_crypter_enumerator);
1007 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
1008 lib->crypto->create_aead_enumerator);
1009 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
1010 lib->crypto->create_signer_enumerator);
1011 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
1012 lib->crypto->create_prf_enumerator);
1013 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
1014 lib->crypto->create_hasher_enumerator);
1015 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
1016 lib->crypto->create_dh_enumerator);
1017
1018 /* filter suites with strongswan.conf options */
1019 filter_key_exchange_config_suites(this, suites, &count);
1020 filter_cipher_config_suites(this, suites, &count);
1021 filter_mac_config_suites(this, suites, &count);
1022 filter_specific_config_suites(this, suites, &count);
1023
1024 free(this->suites);
1025 this->suite_count = count;
1026 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1027
1028 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1029 for (i = 0; i < count; i++)
1030 {
1031 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1032 this->suites[i] = suites[i].suite;
1033 }
1034 }
1035
1036 METHOD(tls_crypto_t, get_cipher_suites, int,
1037 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1038 {
1039 *suites = this->suites;
1040 return this->suite_count;
1041 }
1042
1043 /**
1044 * Create NULL encryption transforms
1045 */
1046 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1047 {
1048 this->aead_in = tls_aead_create_null(algs->mac);
1049 this->aead_out = tls_aead_create_null(algs->mac);
1050 if (!this->aead_in || !this->aead_out)
1051 {
1052 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1053 integrity_algorithm_names, algs->mac);
1054 return FALSE;
1055 }
1056 return TRUE;
1057 }
1058
1059 /**
1060 * Create traditional transforms
1061 */
1062 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1063 {
1064 if (this->tls->get_version(this->tls) < TLS_1_1)
1065 {
1066 this->aead_in = tls_aead_create_implicit(algs->mac,
1067 algs->encr, algs->encr_size);
1068 this->aead_out = tls_aead_create_implicit(algs->mac,
1069 algs->encr, algs->encr_size);
1070 }
1071 else
1072 {
1073 this->aead_in = tls_aead_create_explicit(algs->mac,
1074 algs->encr, algs->encr_size);
1075 this->aead_out = tls_aead_create_explicit(algs->mac,
1076 algs->encr, algs->encr_size);
1077 }
1078 if (!this->aead_in || !this->aead_out)
1079 {
1080 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1081 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1082 integrity_algorithm_names, algs->mac);
1083 return FALSE;
1084 }
1085 return TRUE;
1086 }
1087
1088 /**
1089 * Create AEAD transforms
1090 */
1091 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1092 {
1093 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1094 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1095 if (!this->aead_in || !this->aead_out)
1096 {
1097 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1098 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1099 return FALSE;
1100 }
1101 return TRUE;
1102 }
1103
1104 /**
1105 * Clean up and unset AEAD transforms
1106 */
1107 static void destroy_aeads(private_tls_crypto_t *this)
1108 {
1109 DESTROY_IF(this->aead_in);
1110 DESTROY_IF(this->aead_out);
1111 this->aead_in = this->aead_out = NULL;
1112 }
1113
1114 /**
1115 * Create crypto primitives
1116 */
1117 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1118 {
1119 destroy_aeads(this);
1120 DESTROY_IF(this->prf);
1121 if (this->tls->get_version(this->tls) < TLS_1_2)
1122 {
1123 this->prf = tls_prf_create_10();
1124 }
1125 else
1126 {
1127 this->prf = tls_prf_create_12(algs->prf);
1128 }
1129 if (!this->prf)
1130 {
1131 DBG1(DBG_TLS, "selected TLS PRF not supported");
1132 return FALSE;
1133 }
1134 if (algs->encr == ENCR_NULL)
1135 {
1136 if (create_null(this, algs))
1137 {
1138 return TRUE;
1139 }
1140 }
1141 else if (encryption_algorithm_is_aead(algs->encr))
1142 {
1143 if (create_aead(this, algs))
1144 {
1145 return TRUE;
1146 }
1147 }
1148 else
1149 {
1150 if (create_traditional(this, algs))
1151 {
1152 return TRUE;
1153 }
1154 }
1155 destroy_aeads(this);
1156 return FALSE;
1157 }
1158
1159 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1160 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1161 key_type_t key)
1162 {
1163 suite_algs_t *algs;
1164 int i, j;
1165
1166 for (i = 0; i < this->suite_count; i++)
1167 {
1168 for (j = 0; j < count; j++)
1169 {
1170 if (this->suites[i] == suites[j])
1171 {
1172 algs = find_suite(this->suites[i]);
1173 if (algs)
1174 {
1175 if (key == KEY_ANY || key == algs->key)
1176 {
1177 if (create_ciphers(this, algs))
1178 {
1179 this->suite = this->suites[i];
1180 return this->suite;
1181 }
1182 }
1183 }
1184 }
1185 }
1186 }
1187 return 0;
1188 }
1189
1190 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1191 private_tls_crypto_t *this)
1192 {
1193 suite_algs_t *algs;
1194
1195 algs = find_suite(this->suite);
1196 if (algs)
1197 {
1198 return algs->dh;
1199 }
1200 return MODP_NONE;
1201 }
1202
1203 /**
1204 * Map signature schemes to TLS key types and hashes, ordered by preference
1205 */
1206 static struct {
1207 tls_signature_algorithm_t sig;
1208 tls_hash_algorithm_t hash;
1209 signature_scheme_t scheme;
1210 } schemes[] = {
1211 { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER },
1212 { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER },
1213 { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER },
1214 { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER },
1215 { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA256 },
1216 { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA384 },
1217 { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA512 },
1218 { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA224 },
1219 { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 },
1220 { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 },
1221 };
1222
1223 METHOD(tls_crypto_t, get_signature_algorithms, void,
1224 private_tls_crypto_t *this, bio_writer_t *writer)
1225 {
1226 bio_writer_t *supported;
1227 int i;
1228
1229 supported = bio_writer_create(32);
1230
1231 for (i = 0; i < countof(schemes); i++)
1232 {
1233 if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
1234 {
1235 continue;
1236 }
1237 if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
1238 {
1239 continue;
1240 }
1241 if (!lib->plugins->has_feature(lib->plugins,
1242 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
1243 {
1244 continue;
1245 }
1246 supported->write_uint8(supported, schemes[i].hash);
1247 supported->write_uint8(supported, schemes[i].sig);
1248 }
1249
1250 supported->wrap16(supported);
1251 writer->write_data16(writer, supported->get_buf(supported));
1252 supported->destroy(supported);
1253 }
1254
1255 /**
1256 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1257 */
1258 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1259 tls_hash_algorithm_t hash,
1260 tls_signature_algorithm_t sig)
1261 {
1262 int i;
1263
1264 if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
1265 (sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
1266 {
1267 for (i = 0; i < countof(schemes); i++)
1268 {
1269 if (schemes[i].sig == sig && schemes[i].hash == hash)
1270 {
1271 return schemes[i].scheme;
1272 }
1273 }
1274 }
1275 return SIGN_UNKNOWN;
1276 }
1277
1278 /**
1279 * Mapping groups to TLS named curves
1280 */
1281 static struct {
1282 diffie_hellman_group_t group;
1283 tls_named_curve_t curve;
1284 } curves[] = {
1285 { ECP_256_BIT, TLS_SECP256R1},
1286 { ECP_384_BIT, TLS_SECP384R1},
1287 { ECP_521_BIT, TLS_SECP521R1},
1288 { ECP_224_BIT, TLS_SECP224R1},
1289 { ECP_192_BIT, TLS_SECP192R1},
1290 };
1291
1292 /**
1293 * Filter EC groups, add TLS curve
1294 */
1295 static bool group_filter(void *null,
1296 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1297 void* dummy1, tls_named_curve_t *curve)
1298 {
1299 int i;
1300
1301 for (i = 0; i < countof(curves); i++)
1302 {
1303 if (curves[i].group == *in)
1304 {
1305 if (out)
1306 {
1307 *out = curves[i].group;
1308 }
1309 if (curve)
1310 {
1311 *curve = curves[i].curve;
1312 }
1313 return TRUE;
1314 }
1315 }
1316 return FALSE;
1317 }
1318
1319 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1320 private_tls_crypto_t *this)
1321 {
1322 return enumerator_create_filter(
1323 lib->crypto->create_dh_enumerator(lib->crypto),
1324 (void*)group_filter, NULL, NULL);
1325 }
1326
1327 METHOD(tls_crypto_t, set_protection, void,
1328 private_tls_crypto_t *this, tls_protection_t *protection)
1329 {
1330 this->protection = protection;
1331 }
1332
1333 METHOD(tls_crypto_t, append_handshake, void,
1334 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1335 {
1336 u_int32_t header;
1337
1338 /* reconstruct handshake header */
1339 header = htonl(data.len | (type << 24));
1340 this->handshake = chunk_cat("mcc", this->handshake,
1341 chunk_from_thing(header), data);
1342 }
1343
1344 /**
1345 * Create a hash using the suites HASH algorithm
1346 */
1347 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1348 {
1349 if (this->tls->get_version(this->tls) >= TLS_1_2)
1350 {
1351 hasher_t *hasher;
1352 suite_algs_t *alg;
1353
1354 alg = find_suite(this->suite);
1355 if (!alg)
1356 {
1357 return FALSE;
1358 }
1359 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1360 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1361 {
1362 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1363 DESTROY_IF(hasher);
1364 return FALSE;
1365 }
1366 hasher->destroy(hasher);
1367 }
1368 else
1369 {
1370 hasher_t *md5, *sha1;
1371 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1372
1373 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1374 if (!md5 || !md5->get_hash(md5, data, buf))
1375 {
1376 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1377 DESTROY_IF(md5);
1378 return FALSE;
1379 }
1380 md5->destroy(md5);
1381 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1382 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1383 {
1384 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1385 DESTROY_IF(sha1);
1386 return FALSE;
1387 }
1388 sha1->destroy(sha1);
1389
1390 *hash = chunk_clone(chunk_from_thing(buf));
1391 }
1392 return TRUE;
1393 }
1394
1395 METHOD(tls_crypto_t, sign, bool,
1396 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1397 chunk_t data, chunk_t hashsig)
1398 {
1399 if (this->tls->get_version(this->tls) >= TLS_1_2)
1400 {
1401 signature_scheme_t scheme;
1402 bio_reader_t *reader;
1403 u_int8_t hash, alg;
1404 chunk_t sig;
1405 bool done = FALSE;
1406
1407 if (!hashsig.len)
1408 { /* fallback if none given */
1409 hashsig = chunk_from_chars(
1410 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1411 }
1412 reader = bio_reader_create(hashsig);
1413 while (reader->remaining(reader) >= 2)
1414 {
1415 if (reader->read_uint8(reader, &hash) &&
1416 reader->read_uint8(reader, &alg))
1417 {
1418 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1419 if (scheme != SIGN_UNKNOWN &&
1420 key->sign(key, scheme, data, &sig))
1421 {
1422 done = TRUE;
1423 break;
1424 }
1425 }
1426 }
1427 reader->destroy(reader);
1428 if (!done)
1429 {
1430 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1431 return FALSE;
1432 }
1433 DBG2(DBG_TLS, "created signature with %N/%N",
1434 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1435 writer->write_uint8(writer, hash);
1436 writer->write_uint8(writer, alg);
1437 writer->write_data16(writer, sig);
1438 free(sig.ptr);
1439 }
1440 else
1441 {
1442 chunk_t sig, hash;
1443 bool done;
1444
1445 switch (key->get_type(key))
1446 {
1447 case KEY_RSA:
1448 if (!hash_data(this, data, &hash))
1449 {
1450 return FALSE;
1451 }
1452 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1453 free(hash.ptr);
1454 if (!done)
1455 {
1456 return FALSE;
1457 }
1458 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1459 break;
1460 case KEY_ECDSA:
1461 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1462 {
1463 return FALSE;
1464 }
1465 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1466 break;
1467 default:
1468 return FALSE;
1469 }
1470 writer->write_data16(writer, sig);
1471 free(sig.ptr);
1472 }
1473 return TRUE;
1474 }
1475
1476 METHOD(tls_crypto_t, verify, bool,
1477 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1478 chunk_t data)
1479 {
1480 if (this->tls->get_version(this->tls) >= TLS_1_2)
1481 {
1482 signature_scheme_t scheme = SIGN_UNKNOWN;
1483 u_int8_t hash, alg;
1484 chunk_t sig;
1485
1486 if (!reader->read_uint8(reader, &hash) ||
1487 !reader->read_uint8(reader, &alg) ||
1488 !reader->read_data16(reader, &sig))
1489 {
1490 DBG1(DBG_TLS, "received invalid signature");
1491 return FALSE;
1492 }
1493 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1494 if (scheme == SIGN_UNKNOWN)
1495 {
1496 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1497 tls_hash_algorithm_names, hash,
1498 tls_signature_algorithm_names, alg);
1499 return FALSE;
1500 }
1501 if (!key->verify(key, scheme, data, sig))
1502 {
1503 return FALSE;
1504 }
1505 DBG2(DBG_TLS, "verified signature with %N/%N",
1506 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1507 }
1508 else
1509 {
1510 chunk_t sig, hash;
1511 bool done;
1512
1513 if (!reader->read_data16(reader, &sig))
1514 {
1515 DBG1(DBG_TLS, "received invalid signature");
1516 return FALSE;
1517 }
1518 switch (key->get_type(key))
1519 {
1520 case KEY_RSA:
1521 if (!hash_data(this, data, &hash))
1522 {
1523 return FALSE;
1524 }
1525 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1526 free(hash.ptr);
1527 if (!done)
1528 {
1529 return FALSE;
1530 }
1531 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1532 break;
1533 case KEY_ECDSA:
1534 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1535 {
1536 return FALSE;
1537 }
1538 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1539 break;
1540 default:
1541 return FALSE;
1542 }
1543 }
1544 return TRUE;
1545 }
1546
1547 METHOD(tls_crypto_t, sign_handshake, bool,
1548 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1549 chunk_t hashsig)
1550 {
1551 return sign(this, key, writer, this->handshake, hashsig);
1552 }
1553
1554 METHOD(tls_crypto_t, verify_handshake, bool,
1555 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1556 {
1557 return verify(this, key, reader, this->handshake);
1558 }
1559
1560 METHOD(tls_crypto_t, calculate_finished, bool,
1561 private_tls_crypto_t *this, char *label, char out[12])
1562 {
1563 chunk_t seed;
1564
1565 if (!this->prf)
1566 {
1567 return FALSE;
1568 }
1569 if (!hash_data(this, this->handshake, &seed))
1570 {
1571 return FALSE;
1572 }
1573 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1574 {
1575 free(seed.ptr);
1576 return FALSE;
1577 }
1578 free(seed.ptr);
1579 return TRUE;
1580 }
1581
1582 /**
1583 * Derive master secret from premaster, optionally save session
1584 */
1585 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1586 chunk_t session, identification_t *id,
1587 chunk_t client_random, chunk_t server_random)
1588 {
1589 char master[48];
1590 chunk_t seed;
1591
1592 /* derive master secret */
1593 seed = chunk_cata("cc", client_random, server_random);
1594
1595 if (!this->prf->set_key(this->prf, premaster) ||
1596 !this->prf->get_bytes(this->prf, "master secret", seed,
1597 sizeof(master), master) ||
1598 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1599 {
1600 return FALSE;
1601 }
1602
1603 if (this->cache && session.len)
1604 {
1605 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1606 this->suite);
1607 }
1608 memwipe(master, sizeof(master));
1609 return TRUE;
1610 }
1611
1612 /**
1613 * Expand key material from master secret
1614 */
1615 static bool expand_keys(private_tls_crypto_t *this,
1616 chunk_t client_random, chunk_t server_random)
1617 {
1618 chunk_t seed, block;
1619 chunk_t cw_mac, cw, cw_iv;
1620 chunk_t sw_mac, sw, sw_iv;
1621 int mklen, eklen, ivlen;
1622
1623 if (!this->aead_in || !this->aead_out)
1624 {
1625 return FALSE;
1626 }
1627
1628 /* derive key block for key expansion */
1629 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1630 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1631 ivlen = this->aead_in->get_iv_size(this->aead_in);
1632 seed = chunk_cata("cc", server_random, client_random);
1633 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1634 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1635 block.len, block.ptr))
1636 {
1637 return FALSE;
1638 }
1639
1640 /* client/server write signer keys */
1641 cw_mac = chunk_create(block.ptr, mklen);
1642 block = chunk_skip(block, mklen);
1643 sw_mac = chunk_create(block.ptr, mklen);
1644 block = chunk_skip(block, mklen);
1645
1646 /* client/server write encryption keys */
1647 cw = chunk_create(block.ptr, eklen);
1648 block = chunk_skip(block, eklen);
1649 sw = chunk_create(block.ptr, eklen);
1650 block = chunk_skip(block, eklen);
1651
1652 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1653 cw_iv = chunk_create(block.ptr, ivlen);
1654 block = chunk_skip(block, ivlen);
1655 sw_iv = chunk_create(block.ptr, ivlen);
1656 block = chunk_skip(block, ivlen);
1657
1658 if (this->tls->is_server(this->tls))
1659 {
1660 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1661 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1662 {
1663 return FALSE;
1664 }
1665 }
1666 else
1667 {
1668 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1669 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1670 {
1671 return FALSE;
1672 }
1673 }
1674
1675 /* EAP-MSK */
1676 if (this->msk_label)
1677 {
1678 seed = chunk_cata("cc", client_random, server_random);
1679 this->msk = chunk_alloc(64);
1680 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1681 this->msk.len, this->msk.ptr))
1682 {
1683 return FALSE;
1684 }
1685 }
1686 return TRUE;
1687 }
1688
1689 METHOD(tls_crypto_t, derive_secrets, bool,
1690 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1691 identification_t *id, chunk_t client_random, chunk_t server_random)
1692 {
1693 return derive_master(this, premaster, session, id,
1694 client_random, server_random) &&
1695 expand_keys(this, client_random, server_random);
1696 }
1697
1698 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1699 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1700 chunk_t client_random, chunk_t server_random)
1701 {
1702 chunk_t master;
1703
1704 if (this->cache && session.len)
1705 {
1706 this->suite = this->cache->lookup(this->cache, session, id, &master);
1707 if (this->suite)
1708 {
1709 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1710 if (this->suite)
1711 {
1712 if (!this->prf->set_key(this->prf, master) ||
1713 !expand_keys(this, client_random, server_random))
1714 {
1715 this->suite = 0;
1716 }
1717 }
1718 chunk_clear(&master);
1719 }
1720 return this->suite;
1721 }
1722 return 0;
1723 }
1724
1725 METHOD(tls_crypto_t, get_session, chunk_t,
1726 private_tls_crypto_t *this, identification_t *server)
1727 {
1728 if (this->cache)
1729 {
1730 return this->cache->check(this->cache, server);
1731 }
1732 return chunk_empty;
1733 }
1734
1735 METHOD(tls_crypto_t, change_cipher, void,
1736 private_tls_crypto_t *this, bool inbound)
1737 {
1738 if (this->protection)
1739 {
1740 if (inbound)
1741 {
1742 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1743 }
1744 else
1745 {
1746 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1747 }
1748 }
1749 }
1750
1751 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1752 private_tls_crypto_t *this)
1753 {
1754 return this->msk;
1755 }
1756
1757 METHOD(tls_crypto_t, destroy, void,
1758 private_tls_crypto_t *this)
1759 {
1760 destroy_aeads(this);
1761 free(this->handshake.ptr);
1762 free(this->msk.ptr);
1763 DESTROY_IF(this->prf);
1764 free(this->suites);
1765 free(this);
1766 }
1767
1768 /**
1769 * See header
1770 */
1771 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1772 {
1773 private_tls_crypto_t *this;
1774 enumerator_t *enumerator;
1775 credential_type_t type;
1776 int subtype;
1777
1778 INIT(this,
1779 .public = {
1780 .get_cipher_suites = _get_cipher_suites,
1781 .select_cipher_suite = _select_cipher_suite,
1782 .get_dh_group = _get_dh_group,
1783 .get_signature_algorithms = _get_signature_algorithms,
1784 .create_ec_enumerator = _create_ec_enumerator,
1785 .set_protection = _set_protection,
1786 .append_handshake = _append_handshake,
1787 .sign = _sign,
1788 .verify = _verify,
1789 .sign_handshake = _sign_handshake,
1790 .verify_handshake = _verify_handshake,
1791 .calculate_finished = _calculate_finished,
1792 .derive_secrets = _derive_secrets,
1793 .resume_session = _resume_session,
1794 .get_session = _get_session,
1795 .change_cipher = _change_cipher,
1796 .get_eap_msk = _get_eap_msk,
1797 .destroy = _destroy,
1798 },
1799 .tls = tls,
1800 .cache = cache,
1801 );
1802
1803 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1804 while (enumerator->enumerate(enumerator, &type, &subtype))
1805 {
1806 if (type == CRED_PUBLIC_KEY)
1807 {
1808 switch (subtype)
1809 {
1810 case KEY_RSA:
1811 this->rsa = TRUE;
1812 break;
1813 case KEY_ECDSA:
1814 this->ecdsa = TRUE;
1815 break;
1816 default:
1817 break;
1818 }
1819 }
1820 }
1821 enumerator->destroy(enumerator);
1822
1823 switch (tls->get_purpose(tls))
1824 {
1825 case TLS_PURPOSE_EAP_TLS:
1826 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1827 this->msk_label = "client EAP encryption";
1828 build_cipher_suite_list(this, FALSE);
1829 break;
1830 case TLS_PURPOSE_EAP_PEAP:
1831 this->msk_label = "client EAP encryption";
1832 build_cipher_suite_list(this, TRUE);
1833 break;
1834 case TLS_PURPOSE_EAP_TTLS:
1835 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1836 this->msk_label = "ttls keying material";
1837 build_cipher_suite_list(this, TRUE);
1838 break;
1839 case TLS_PURPOSE_GENERIC:
1840 build_cipher_suite_list(this, TRUE);
1841 break;
1842 default:
1843 break;
1844 }
1845 return &this->public;
1846 }