tls: Implement the TLS AEAD abstraction for real AEAD modes
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <utils/debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 ENUM(tls_ec_point_format_names,
319 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
320 "uncompressed",
321 "ansiX962 compressed prime",
322 "ansiX962 compressed char2",
323 );
324
325 typedef struct private_tls_crypto_t private_tls_crypto_t;
326
327 /**
328 * Private data of an tls_crypto_t object.
329 */
330 struct private_tls_crypto_t {
331
332 /**
333 * Public tls_crypto_t interface.
334 */
335 tls_crypto_t public;
336
337 /**
338 * Protection layer
339 */
340 tls_protection_t *protection;
341
342 /**
343 * List of supported/acceptable cipher suites
344 */
345 tls_cipher_suite_t *suites;
346
347 /**
348 * Number of supported suites
349 */
350 int suite_count;
351
352 /**
353 * Selected cipher suite
354 */
355 tls_cipher_suite_t suite;
356
357 /**
358 * RSA supported?
359 */
360 bool rsa;
361
362 /**
363 * ECDSA supported?
364 */
365 bool ecdsa;
366
367 /**
368 * TLS context
369 */
370 tls_t *tls;
371
372 /**
373 * TLS session cache
374 */
375 tls_cache_t *cache;
376
377 /**
378 * All handshake data concatentated
379 */
380 chunk_t handshake;
381
382 /**
383 * Connection state TLS PRF
384 */
385 tls_prf_t *prf;
386
387 /**
388 * AEAD transform for inbound traffic
389 */
390 tls_aead_t *aead_in;
391
392 /**
393 * AEAD transform for outbound traffic
394 */
395 tls_aead_t *aead_out;
396
397 /**
398 * EAP-[T]TLS MSK
399 */
400 chunk_t msk;
401
402 /**
403 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
404 */
405 char *msk_label;
406 };
407
408 typedef struct {
409 tls_cipher_suite_t suite;
410 key_type_t key;
411 diffie_hellman_group_t dh;
412 hash_algorithm_t hash;
413 pseudo_random_function_t prf;
414 integrity_algorithm_t mac;
415 encryption_algorithm_t encr;
416 size_t encr_size;
417 } suite_algs_t;
418
419 /**
420 * Mapping suites to a set of algorithms
421 */
422 static suite_algs_t suite_algs[] = {
423 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
424 KEY_ECDSA, ECP_256_BIT,
425 HASH_SHA256, PRF_HMAC_SHA2_256,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
427 },
428 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
429 KEY_ECDSA, ECP_256_BIT,
430 HASH_SHA256, PRF_HMAC_SHA2_256,
431 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
432 },
433 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
434 KEY_ECDSA, ECP_384_BIT,
435 HASH_SHA256, PRF_HMAC_SHA2_256,
436 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
437 },
438 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
439 KEY_ECDSA, ECP_384_BIT,
440 HASH_SHA384, PRF_HMAC_SHA2_384,
441 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
442 },
443 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
444 KEY_RSA, ECP_256_BIT,
445 HASH_SHA256, PRF_HMAC_SHA2_256,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
447 },
448 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
449 KEY_RSA, ECP_256_BIT,
450 HASH_SHA256, PRF_HMAC_SHA2_256,
451 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
452 },
453 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
454 KEY_RSA, ECP_384_BIT,
455 HASH_SHA256, PRF_HMAC_SHA2_256,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
457 },
458 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
459 KEY_RSA, ECP_384_BIT,
460 HASH_SHA384, PRF_HMAC_SHA2_384,
461 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
462 },
463 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
464 KEY_RSA, MODP_2048_BIT,
465 HASH_SHA256,PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
467 },
468 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
469 KEY_RSA, MODP_3072_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
472 },
473 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
474 KEY_RSA, MODP_3072_BIT,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
477 },
478 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
479 KEY_RSA, MODP_4096_BIT,
480 HASH_SHA256, PRF_HMAC_SHA2_256,
481 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
482 },
483 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
484 KEY_RSA, MODP_2048_BIT,
485 HASH_SHA256, PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
487 },
488 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
489 KEY_RSA, MODP_3072_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
492 },
493 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
494 KEY_RSA, MODP_3072_BIT,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
497 },
498 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
499 KEY_RSA, MODP_4096_BIT,
500 HASH_SHA256, PRF_HMAC_SHA2_256,
501 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
502 },
503 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
504 KEY_RSA, MODP_2048_BIT,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
507 },
508 { TLS_RSA_WITH_AES_128_CBC_SHA,
509 KEY_RSA, MODP_NONE,
510 HASH_SHA256, PRF_HMAC_SHA2_256,
511 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
512 },
513 { TLS_RSA_WITH_AES_128_CBC_SHA256,
514 KEY_RSA, MODP_NONE,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
517 },
518 { TLS_RSA_WITH_AES_256_CBC_SHA,
519 KEY_RSA, MODP_NONE,
520 HASH_SHA256, PRF_HMAC_SHA2_256,
521 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
522 },
523 { TLS_RSA_WITH_AES_256_CBC_SHA256,
524 KEY_RSA, MODP_NONE,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
527 },
528 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA256, PRF_HMAC_SHA2_256,
531 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
532 },
533 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
537 },
538 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
539 KEY_RSA, MODP_NONE,
540 HASH_SHA256, PRF_HMAC_SHA2_256,
541 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
542 },
543 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
544 KEY_RSA, MODP_NONE,
545 HASH_SHA256, PRF_HMAC_SHA2_256,
546 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
547 },
548 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
549 KEY_ECDSA, ECP_256_BIT,
550 HASH_SHA256, PRF_HMAC_SHA2_256,
551 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
552 },
553 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
554 KEY_RSA, ECP_256_BIT,
555 HASH_SHA256, PRF_HMAC_SHA2_256,
556 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
557 },
558 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
559 KEY_RSA, MODP_NONE,
560 HASH_SHA256, PRF_HMAC_SHA2_256,
561 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
562 },
563 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
564 KEY_ECDSA, ECP_256_BIT,
565 HASH_SHA256, PRF_HMAC_SHA2_256,
566 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
567 },
568 { TLS_ECDHE_RSA_WITH_NULL_SHA,
569 KEY_ECDSA, ECP_256_BIT,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
572 },
573 { TLS_RSA_WITH_NULL_SHA,
574 KEY_RSA, MODP_NONE,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
577 },
578 { TLS_RSA_WITH_NULL_SHA256,
579 KEY_RSA, MODP_NONE,
580 HASH_SHA256, PRF_HMAC_SHA2_256,
581 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
582 },
583 { TLS_RSA_WITH_NULL_MD5,
584 KEY_RSA, MODP_NONE,
585 HASH_SHA256, PRF_HMAC_SHA2_256,
586 AUTH_HMAC_MD5_128, ENCR_NULL, 0
587 },
588 };
589
590 /**
591 * Look up algorithms by a suite
592 */
593 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
594 {
595 int i;
596
597 for (i = 0; i < countof(suite_algs); i++)
598 {
599 if (suite_algs[i].suite == suite)
600 {
601 return &suite_algs[i];
602 }
603 }
604 return NULL;
605 }
606
607 /**
608 * Filter a suite list using a transform enumerator
609 */
610 static void filter_suite(private_tls_crypto_t *this, bool aead,
611 suite_algs_t suites[], int *count, int offset,
612 enumerator_t*(*create_enumerator)(crypto_factory_t*))
613 {
614 const char *plugin_name;
615 suite_algs_t current;
616 int *current_alg, i, remaining = 0;
617 enumerator_t *enumerator;
618
619 memset(&current, 0, sizeof(current));
620 current_alg = (int*)((char*)&current + offset);
621
622 for (i = 0; i < *count; i++)
623 {
624 enumerator = create_enumerator(lib->crypto);
625 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
626 {
627 if ((suites[i].encr == ENCR_NULL ||
628 aead != encryption_algorithm_is_aead(suites[i].encr) ||
629 !current.encr || current.encr == suites[i].encr) &&
630 (suites[i].mac == AUTH_UNDEFINED ||
631 !current.mac || current.mac == suites[i].mac) &&
632 (!current.prf || current.prf == suites[i].prf) &&
633 (!current.hash || current.hash == suites[i].hash) &&
634 (suites[i].dh == MODP_NONE ||
635 !current.dh || current.dh == suites[i].dh))
636 {
637 suites[remaining] = suites[i];
638 remaining++;
639 break;
640 }
641 }
642 enumerator->destroy(enumerator);
643 }
644 *count = remaining;
645 }
646
647 /**
648 * Purge NULL encryption cipher suites from list
649 */
650 static void filter_null_suites(private_tls_crypto_t *this,
651 suite_algs_t suites[], int *count)
652 {
653 int i, remaining = 0;
654
655 for (i = 0; i < *count; i++)
656 {
657 if (suites[i].encr != ENCR_NULL)
658 {
659 suites[remaining] = suites[i];
660 remaining++;
661 }
662 }
663 *count = remaining;
664 }
665
666 /**
667 * Purge suites using a given key type
668 */
669 static void filter_key_suites(private_tls_crypto_t *this,
670 suite_algs_t suites[], int *count, key_type_t key)
671 {
672 int i, remaining = 0;
673
674 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
675 for (i = 0; i < *count; i++)
676 {
677 if (suites[i].key != key)
678 {
679 suites[remaining] = suites[i];
680 remaining++;
681 }
682 }
683 *count = remaining;
684 }
685
686 /**
687 * Filter suites by key exchange user config
688 */
689 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
690 suite_algs_t suites[], int *count)
691 {
692 enumerator_t *enumerator;
693 int i, remaining = 0;
694 char *token, *config;
695
696 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
697 lib->ns);
698 if (config)
699 {
700 for (i = 0; i < *count; i++)
701 {
702 enumerator = enumerator_create_token(config, ",", " ");
703 while (enumerator->enumerate(enumerator, &token))
704 {
705 if (strcaseeq(token, "ecdhe-ecdsa") &&
706 diffie_hellman_group_is_ec(suites[i].dh) &&
707 suites[i].key == KEY_ECDSA)
708 {
709 suites[remaining++] = suites[i];
710 break;
711 }
712 if (strcaseeq(token, "ecdhe-rsa") &&
713 diffie_hellman_group_is_ec(suites[i].dh) &&
714 suites[i].key == KEY_RSA)
715 {
716 suites[remaining++] = suites[i];
717 break;
718 }
719 if (strcaseeq(token, "dhe-rsa") &&
720 !diffie_hellman_group_is_ec(suites[i].dh) &&
721 suites[i].dh != MODP_NONE &&
722 suites[i].key == KEY_RSA)
723 {
724 suites[remaining++] = suites[i];
725 break;
726 }
727 if (strcaseeq(token, "rsa") &&
728 suites[i].dh == MODP_NONE &&
729 suites[i].key == KEY_RSA)
730 {
731 suites[remaining++] = suites[i];
732 break;
733 }
734 }
735 enumerator->destroy(enumerator);
736 }
737 *count = remaining;
738 }
739 }
740
741 /**
742 * Filter suites by cipher user config
743 */
744 static void filter_cipher_config_suites(private_tls_crypto_t *this,
745 suite_algs_t suites[], int *count)
746 {
747 enumerator_t *enumerator;
748 int i, remaining = 0;
749 char *token, *config;
750
751 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
752 lib->ns);
753 if (config)
754 {
755 for (i = 0; i < *count; i++)
756 {
757 enumerator = enumerator_create_token(config, ",", " ");
758 while (enumerator->enumerate(enumerator, &token))
759 {
760 if (strcaseeq(token, "aes128") &&
761 suites[i].encr == ENCR_AES_CBC &&
762 suites[i].encr_size == 16)
763 {
764 suites[remaining++] = suites[i];
765 break;
766 }
767 if (strcaseeq(token, "aes256") &&
768 suites[i].encr == ENCR_AES_CBC &&
769 suites[i].encr_size == 32)
770 {
771 suites[remaining++] = suites[i];
772 break;
773 }
774 if (strcaseeq(token, "camellia128") &&
775 suites[i].encr == ENCR_CAMELLIA_CBC &&
776 suites[i].encr_size == 16)
777 {
778 suites[remaining++] = suites[i];
779 break;
780 }
781 if (strcaseeq(token, "camellia256") &&
782 suites[i].encr == ENCR_CAMELLIA_CBC &&
783 suites[i].encr_size == 32)
784 {
785 suites[remaining++] = suites[i];
786 break;
787 }
788 if (strcaseeq(token, "3des") &&
789 suites[i].encr == ENCR_3DES)
790 {
791 suites[remaining++] = suites[i];
792 break;
793 }
794 if (strcaseeq(token, "null") &&
795 suites[i].encr == ENCR_NULL)
796 {
797 suites[remaining++] = suites[i];
798 break;
799 }
800 }
801 enumerator->destroy(enumerator);
802 }
803 *count = remaining;
804 }
805 }
806
807 /**
808 * Filter suites by mac user config
809 */
810 static void filter_mac_config_suites(private_tls_crypto_t *this,
811 suite_algs_t suites[], int *count)
812 {
813 enumerator_t *enumerator;
814 int i, remaining = 0;
815 char *token, *config;
816
817 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
818 lib->ns);
819 if (config)
820 {
821 for (i = 0; i < *count; i++)
822 {
823 enumerator = enumerator_create_token(config, ",", " ");
824 while (enumerator->enumerate(enumerator, &token))
825 {
826 if (strcaseeq(token, "md5") &&
827 suites[i].mac == AUTH_HMAC_MD5_128)
828 {
829 suites[remaining++] = suites[i];
830 break;
831 }
832 if (strcaseeq(token, "sha1") &&
833 suites[i].mac == AUTH_HMAC_SHA1_160)
834 {
835 suites[remaining++] = suites[i];
836 break;
837 }
838 if (strcaseeq(token, "sha256") &&
839 suites[i].mac == AUTH_HMAC_SHA2_256_256)
840 {
841 suites[remaining++] = suites[i];
842 break;
843 }
844 if (strcaseeq(token, "sha384") &&
845 suites[i].mac == AUTH_HMAC_SHA2_384_384)
846 {
847 suites[remaining++] = suites[i];
848 break;
849 }
850 }
851 enumerator->destroy(enumerator);
852 }
853 *count = remaining;
854 }
855 }
856
857 /**
858 * Filter for specific suites specified in strongswan.conf
859 */
860 static void filter_specific_config_suites(private_tls_crypto_t *this,
861 suite_algs_t suites[], int *count)
862 {
863 enumerator_t *enumerator;
864 int i, remaining = 0, suite;
865 char *token, *config;
866
867 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
868 lib->ns);
869 if (config)
870 {
871 for (i = 0; i < *count; i++)
872 {
873 enumerator = enumerator_create_token(config, ",", " ");
874 while (enumerator->enumerate(enumerator, &token))
875 {
876 suite = enum_from_name(tls_cipher_suite_names, token);
877 if (suite == suites[i].suite)
878 {
879 suites[remaining++] = suites[i];
880 break;
881 }
882 }
883 enumerator->destroy(enumerator);
884 }
885 *count = remaining;
886 }
887 }
888
889 /**
890 * Initialize the cipher suite list
891 */
892 static void build_cipher_suite_list(private_tls_crypto_t *this,
893 bool require_encryption)
894 {
895 suite_algs_t suites[countof(suite_algs)];
896 int count = countof(suite_algs), i;
897
898 /* copy all suites */
899 for (i = 0; i < count; i++)
900 {
901 suites[i] = suite_algs[i];
902 }
903 if (require_encryption)
904 {
905 filter_null_suites(this, suites, &count);
906 }
907 if (!this->rsa)
908 {
909 filter_key_suites(this, suites, &count, KEY_RSA);
910 }
911 if (!this->ecdsa)
912 {
913 filter_key_suites(this, suites, &count, KEY_ECDSA);
914 }
915
916 /* filter suite list by each algorithm */
917 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, encr),
918 lib->crypto->create_crypter_enumerator);
919 filter_suite(this, TRUE, suites, &count, offsetof(suite_algs_t, encr),
920 lib->crypto->create_aead_enumerator);
921 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, mac),
922 lib->crypto->create_signer_enumerator);
923 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, prf),
924 lib->crypto->create_prf_enumerator);
925 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, hash),
926 lib->crypto->create_hasher_enumerator);
927 filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, dh),
928 lib->crypto->create_dh_enumerator);
929
930 /* filter suites with strongswan.conf options */
931 filter_key_exchange_config_suites(this, suites, &count);
932 filter_cipher_config_suites(this, suites, &count);
933 filter_mac_config_suites(this, suites, &count);
934 filter_specific_config_suites(this, suites, &count);
935
936 free(this->suites);
937 this->suite_count = count;
938 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
939
940 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
941 for (i = 0; i < count; i++)
942 {
943 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
944 this->suites[i] = suites[i].suite;
945 }
946 }
947
948 METHOD(tls_crypto_t, get_cipher_suites, int,
949 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
950 {
951 *suites = this->suites;
952 return this->suite_count;
953 }
954
955 /**
956 * Create NULL encryption transforms
957 */
958 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
959 {
960 this->aead_in = tls_aead_create_null(algs->mac);
961 this->aead_out = tls_aead_create_null(algs->mac);
962 if (!this->aead_in || !this->aead_out)
963 {
964 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
965 integrity_algorithm_names, algs->mac);
966 return FALSE;
967 }
968 return TRUE;
969 }
970
971 /**
972 * Create traditional transforms
973 */
974 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
975 {
976 if (this->tls->get_version(this->tls) < TLS_1_1)
977 {
978 this->aead_in = tls_aead_create_implicit(algs->mac,
979 algs->encr, algs->encr_size);
980 this->aead_out = tls_aead_create_implicit(algs->mac,
981 algs->encr, algs->encr_size);
982 }
983 else
984 {
985 this->aead_in = tls_aead_create_explicit(algs->mac,
986 algs->encr, algs->encr_size);
987 this->aead_out = tls_aead_create_explicit(algs->mac,
988 algs->encr, algs->encr_size);
989 }
990 if (!this->aead_in || !this->aead_out)
991 {
992 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
993 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
994 integrity_algorithm_names, algs->mac);
995 return FALSE;
996 }
997 return TRUE;
998 }
999
1000 /**
1001 * Create AEAD transforms
1002 */
1003 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1004 {
1005 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1006 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1007 if (!this->aead_in || !this->aead_out)
1008 {
1009 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1010 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1011 return FALSE;
1012 }
1013 return TRUE;
1014 }
1015
1016 /**
1017 * Clean up and unset AEAD transforms
1018 */
1019 static void destroy_aeads(private_tls_crypto_t *this)
1020 {
1021 DESTROY_IF(this->aead_in);
1022 DESTROY_IF(this->aead_out);
1023 this->aead_in = this->aead_out = NULL;
1024 }
1025
1026 /**
1027 * Create crypto primitives
1028 */
1029 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1030 {
1031 destroy_aeads(this);
1032 DESTROY_IF(this->prf);
1033 if (this->tls->get_version(this->tls) < TLS_1_2)
1034 {
1035 this->prf = tls_prf_create_10();
1036 }
1037 else
1038 {
1039 this->prf = tls_prf_create_12(algs->prf);
1040 }
1041 if (!this->prf)
1042 {
1043 DBG1(DBG_TLS, "selected TLS PRF not supported");
1044 return FALSE;
1045 }
1046 if (algs->encr == ENCR_NULL)
1047 {
1048 if (create_null(this, algs))
1049 {
1050 return TRUE;
1051 }
1052 }
1053 else if (encryption_algorithm_is_aead(algs->encr))
1054 {
1055 if (create_aead(this, algs))
1056 {
1057 return TRUE;
1058 }
1059 }
1060 else
1061 {
1062 if (create_traditional(this, algs))
1063 {
1064 return TRUE;
1065 }
1066 }
1067 destroy_aeads(this);
1068 return FALSE;
1069 }
1070
1071 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1072 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1073 key_type_t key)
1074 {
1075 suite_algs_t *algs;
1076 int i, j;
1077
1078 for (i = 0; i < this->suite_count; i++)
1079 {
1080 for (j = 0; j < count; j++)
1081 {
1082 if (this->suites[i] == suites[j])
1083 {
1084 algs = find_suite(this->suites[i]);
1085 if (algs)
1086 {
1087 if (key == KEY_ANY || key == algs->key)
1088 {
1089 if (create_ciphers(this, algs))
1090 {
1091 this->suite = this->suites[i];
1092 return this->suite;
1093 }
1094 }
1095 }
1096 }
1097 }
1098 }
1099 return 0;
1100 }
1101
1102 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
1103 private_tls_crypto_t *this)
1104 {
1105 suite_algs_t *algs;
1106
1107 algs = find_suite(this->suite);
1108 if (algs)
1109 {
1110 return algs->dh;
1111 }
1112 return MODP_NONE;
1113 }
1114
1115 METHOD(tls_crypto_t, get_signature_algorithms, void,
1116 private_tls_crypto_t *this, bio_writer_t *writer)
1117 {
1118 bio_writer_t *supported;
1119 enumerator_t *enumerator;
1120 hash_algorithm_t alg;
1121 tls_hash_algorithm_t hash;
1122 const char *plugin_name;
1123
1124 supported = bio_writer_create(32);
1125 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
1126 while (enumerator->enumerate(enumerator, &alg, &plugin_name))
1127 {
1128 switch (alg)
1129 {
1130 case HASH_MD5:
1131 hash = TLS_HASH_MD5;
1132 break;
1133 case HASH_SHA1:
1134 hash = TLS_HASH_SHA1;
1135 break;
1136 case HASH_SHA224:
1137 hash = TLS_HASH_SHA224;
1138 break;
1139 case HASH_SHA256:
1140 hash = TLS_HASH_SHA256;
1141 break;
1142 case HASH_SHA384:
1143 hash = TLS_HASH_SHA384;
1144 break;
1145 case HASH_SHA512:
1146 hash = TLS_HASH_SHA512;
1147 break;
1148 default:
1149 continue;
1150 }
1151 if (this->rsa)
1152 {
1153 supported->write_uint8(supported, hash);
1154 supported->write_uint8(supported, TLS_SIG_RSA);
1155 }
1156 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
1157 { /* currently we have no signature scheme for MD5/SHA224 */
1158 supported->write_uint8(supported, hash);
1159 supported->write_uint8(supported, TLS_SIG_ECDSA);
1160 }
1161 }
1162 enumerator->destroy(enumerator);
1163
1164 supported->wrap16(supported);
1165 writer->write_data16(writer, supported->get_buf(supported));
1166 supported->destroy(supported);
1167 }
1168
1169 /**
1170 * Mapping groups to TLS named curves
1171 */
1172 static struct {
1173 diffie_hellman_group_t group;
1174 tls_named_curve_t curve;
1175 } curves[] = {
1176 { ECP_256_BIT, TLS_SECP256R1},
1177 { ECP_384_BIT, TLS_SECP384R1},
1178 { ECP_521_BIT, TLS_SECP521R1},
1179 { ECP_224_BIT, TLS_SECP224R1},
1180 { ECP_192_BIT, TLS_SECP192R1},
1181 };
1182
1183 /**
1184 * Filter EC groups, add TLS curve
1185 */
1186 static bool group_filter(void *null,
1187 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
1188 void* dummy1, tls_named_curve_t *curve)
1189 {
1190 int i;
1191
1192 for (i = 0; i < countof(curves); i++)
1193 {
1194 if (curves[i].group == *in)
1195 {
1196 if (out)
1197 {
1198 *out = curves[i].group;
1199 }
1200 if (curve)
1201 {
1202 *curve = curves[i].curve;
1203 }
1204 return TRUE;
1205 }
1206 }
1207 return FALSE;
1208 }
1209
1210 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1211 private_tls_crypto_t *this)
1212 {
1213 return enumerator_create_filter(
1214 lib->crypto->create_dh_enumerator(lib->crypto),
1215 (void*)group_filter, NULL, NULL);
1216 }
1217
1218 METHOD(tls_crypto_t, set_protection, void,
1219 private_tls_crypto_t *this, tls_protection_t *protection)
1220 {
1221 this->protection = protection;
1222 }
1223
1224 METHOD(tls_crypto_t, append_handshake, void,
1225 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1226 {
1227 u_int32_t header;
1228
1229 /* reconstruct handshake header */
1230 header = htonl(data.len | (type << 24));
1231 this->handshake = chunk_cat("mcc", this->handshake,
1232 chunk_from_thing(header), data);
1233 }
1234
1235 /**
1236 * Create a hash using the suites HASH algorithm
1237 */
1238 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1239 {
1240 if (this->tls->get_version(this->tls) >= TLS_1_2)
1241 {
1242 hasher_t *hasher;
1243 suite_algs_t *alg;
1244
1245 alg = find_suite(this->suite);
1246 if (!alg)
1247 {
1248 return FALSE;
1249 }
1250 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1251 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1252 {
1253 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1254 DESTROY_IF(hasher);
1255 return FALSE;
1256 }
1257 hasher->destroy(hasher);
1258 }
1259 else
1260 {
1261 hasher_t *md5, *sha1;
1262 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1263
1264 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1265 if (!md5 || !md5->get_hash(md5, data, buf))
1266 {
1267 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1268 DESTROY_IF(md5);
1269 return FALSE;
1270 }
1271 md5->destroy(md5);
1272 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1273 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1274 {
1275 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1276 DESTROY_IF(sha1);
1277 return FALSE;
1278 }
1279 sha1->destroy(sha1);
1280
1281 *hash = chunk_clone(chunk_from_thing(buf));
1282 }
1283 return TRUE;
1284 }
1285
1286 /**
1287 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1288 */
1289 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1290 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1291 {
1292 switch (sig)
1293 {
1294 case TLS_SIG_RSA:
1295 if (type != KEY_RSA)
1296 {
1297 return SIGN_UNKNOWN;
1298 }
1299 switch (hash)
1300 {
1301 case TLS_HASH_MD5:
1302 return SIGN_RSA_EMSA_PKCS1_MD5;
1303 case TLS_HASH_SHA1:
1304 return SIGN_RSA_EMSA_PKCS1_SHA1;
1305 case TLS_HASH_SHA224:
1306 return SIGN_RSA_EMSA_PKCS1_SHA224;
1307 case TLS_HASH_SHA256:
1308 return SIGN_RSA_EMSA_PKCS1_SHA256;
1309 case TLS_HASH_SHA384:
1310 return SIGN_RSA_EMSA_PKCS1_SHA384;
1311 case TLS_HASH_SHA512:
1312 return SIGN_RSA_EMSA_PKCS1_SHA512;
1313 default:
1314 return SIGN_UNKNOWN;
1315 }
1316 case TLS_SIG_ECDSA:
1317 if (type != KEY_ECDSA)
1318 {
1319 return SIGN_UNKNOWN;
1320 }
1321 switch (hash)
1322 {
1323 case TLS_HASH_SHA224:
1324 return SIGN_ECDSA_WITH_SHA1_DER;
1325 case TLS_HASH_SHA256:
1326 return SIGN_ECDSA_WITH_SHA256_DER;
1327 case TLS_HASH_SHA384:
1328 return SIGN_ECDSA_WITH_SHA384_DER;
1329 case TLS_HASH_SHA512:
1330 return SIGN_ECDSA_WITH_SHA512_DER;
1331 default:
1332 return SIGN_UNKNOWN;
1333 }
1334 default:
1335 return SIGN_UNKNOWN;
1336 }
1337 }
1338
1339 METHOD(tls_crypto_t, sign, bool,
1340 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1341 chunk_t data, chunk_t hashsig)
1342 {
1343 if (this->tls->get_version(this->tls) >= TLS_1_2)
1344 {
1345 signature_scheme_t scheme;
1346 bio_reader_t *reader;
1347 u_int8_t hash, alg;
1348 chunk_t sig;
1349 bool done = FALSE;
1350
1351 if (!hashsig.len)
1352 { /* fallback if none given */
1353 hashsig = chunk_from_chars(
1354 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1355 }
1356 reader = bio_reader_create(hashsig);
1357 while (reader->remaining(reader) >= 2)
1358 {
1359 if (reader->read_uint8(reader, &hash) &&
1360 reader->read_uint8(reader, &alg))
1361 {
1362 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1363 if (scheme != SIGN_UNKNOWN &&
1364 key->sign(key, scheme, data, &sig))
1365 {
1366 done = TRUE;
1367 break;
1368 }
1369 }
1370 }
1371 reader->destroy(reader);
1372 if (!done)
1373 {
1374 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1375 return FALSE;
1376 }
1377 DBG2(DBG_TLS, "created signature with %N/%N",
1378 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1379 writer->write_uint8(writer, hash);
1380 writer->write_uint8(writer, alg);
1381 writer->write_data16(writer, sig);
1382 free(sig.ptr);
1383 }
1384 else
1385 {
1386 chunk_t sig, hash;
1387 bool done;
1388
1389 switch (key->get_type(key))
1390 {
1391 case KEY_RSA:
1392 if (!hash_data(this, data, &hash))
1393 {
1394 return FALSE;
1395 }
1396 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1397 free(hash.ptr);
1398 if (!done)
1399 {
1400 return FALSE;
1401 }
1402 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1403 break;
1404 case KEY_ECDSA:
1405 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1406 {
1407 return FALSE;
1408 }
1409 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1410 break;
1411 default:
1412 return FALSE;
1413 }
1414 writer->write_data16(writer, sig);
1415 free(sig.ptr);
1416 }
1417 return TRUE;
1418 }
1419
1420 METHOD(tls_crypto_t, verify, bool,
1421 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1422 chunk_t data)
1423 {
1424 if (this->tls->get_version(this->tls) >= TLS_1_2)
1425 {
1426 signature_scheme_t scheme = SIGN_UNKNOWN;
1427 u_int8_t hash, alg;
1428 chunk_t sig;
1429
1430 if (!reader->read_uint8(reader, &hash) ||
1431 !reader->read_uint8(reader, &alg) ||
1432 !reader->read_data16(reader, &sig))
1433 {
1434 DBG1(DBG_TLS, "received invalid signature");
1435 return FALSE;
1436 }
1437 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1438 if (scheme == SIGN_UNKNOWN)
1439 {
1440 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1441 tls_hash_algorithm_names, hash,
1442 tls_signature_algorithm_names, alg);
1443 return FALSE;
1444 }
1445 if (!key->verify(key, scheme, data, sig))
1446 {
1447 return FALSE;
1448 }
1449 DBG2(DBG_TLS, "verified signature with %N/%N",
1450 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1451 }
1452 else
1453 {
1454 chunk_t sig, hash;
1455 bool done;
1456
1457 if (!reader->read_data16(reader, &sig))
1458 {
1459 DBG1(DBG_TLS, "received invalid signature");
1460 return FALSE;
1461 }
1462 switch (key->get_type(key))
1463 {
1464 case KEY_RSA:
1465 if (!hash_data(this, data, &hash))
1466 {
1467 return FALSE;
1468 }
1469 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1470 free(hash.ptr);
1471 if (!done)
1472 {
1473 return FALSE;
1474 }
1475 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1476 break;
1477 case KEY_ECDSA:
1478 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1479 {
1480 return FALSE;
1481 }
1482 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1483 break;
1484 default:
1485 return FALSE;
1486 }
1487 }
1488 return TRUE;
1489 }
1490
1491 METHOD(tls_crypto_t, sign_handshake, bool,
1492 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1493 chunk_t hashsig)
1494 {
1495 return sign(this, key, writer, this->handshake, hashsig);
1496 }
1497
1498 METHOD(tls_crypto_t, verify_handshake, bool,
1499 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
1500 {
1501 return verify(this, key, reader, this->handshake);
1502 }
1503
1504 METHOD(tls_crypto_t, calculate_finished, bool,
1505 private_tls_crypto_t *this, char *label, char out[12])
1506 {
1507 chunk_t seed;
1508
1509 if (!this->prf)
1510 {
1511 return FALSE;
1512 }
1513 if (!hash_data(this, this->handshake, &seed))
1514 {
1515 return FALSE;
1516 }
1517 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
1518 {
1519 free(seed.ptr);
1520 return FALSE;
1521 }
1522 free(seed.ptr);
1523 return TRUE;
1524 }
1525
1526 /**
1527 * Derive master secret from premaster, optionally save session
1528 */
1529 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
1530 chunk_t session, identification_t *id,
1531 chunk_t client_random, chunk_t server_random)
1532 {
1533 char master[48];
1534 chunk_t seed;
1535
1536 /* derive master secret */
1537 seed = chunk_cata("cc", client_random, server_random);
1538
1539 if (!this->prf->set_key(this->prf, premaster) ||
1540 !this->prf->get_bytes(this->prf, "master secret", seed,
1541 sizeof(master), master) ||
1542 !this->prf->set_key(this->prf, chunk_from_thing(master)))
1543 {
1544 return FALSE;
1545 }
1546
1547 if (this->cache && session.len)
1548 {
1549 this->cache->create(this->cache, session, id, chunk_from_thing(master),
1550 this->suite);
1551 }
1552 memwipe(master, sizeof(master));
1553 return TRUE;
1554 }
1555
1556 /**
1557 * Expand key material from master secret
1558 */
1559 static bool expand_keys(private_tls_crypto_t *this,
1560 chunk_t client_random, chunk_t server_random)
1561 {
1562 chunk_t seed, block;
1563 chunk_t cw_mac, cw, cw_iv;
1564 chunk_t sw_mac, sw, sw_iv;
1565 int mklen, eklen, ivlen;
1566
1567 if (!this->aead_in || !this->aead_out)
1568 {
1569 return FALSE;
1570 }
1571
1572 /* derive key block for key expansion */
1573 mklen = this->aead_in->get_mac_key_size(this->aead_in);
1574 eklen = this->aead_in->get_encr_key_size(this->aead_in);
1575 ivlen = this->aead_in->get_iv_size(this->aead_in);
1576 seed = chunk_cata("cc", server_random, client_random);
1577 block = chunk_alloca((mklen + eklen + ivlen) * 2);
1578 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
1579 block.len, block.ptr))
1580 {
1581 return FALSE;
1582 }
1583
1584 /* client/server write signer keys */
1585 cw_mac = chunk_create(block.ptr, mklen);
1586 block = chunk_skip(block, mklen);
1587 sw_mac = chunk_create(block.ptr, mklen);
1588 block = chunk_skip(block, mklen);
1589
1590 /* client/server write encryption keys */
1591 cw = chunk_create(block.ptr, eklen);
1592 block = chunk_skip(block, eklen);
1593 sw = chunk_create(block.ptr, eklen);
1594 block = chunk_skip(block, eklen);
1595
1596 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1597 cw_iv = chunk_create(block.ptr, ivlen);
1598 block = chunk_skip(block, ivlen);
1599 sw_iv = chunk_create(block.ptr, ivlen);
1600 block = chunk_skip(block, ivlen);
1601
1602 if (this->tls->is_server(this->tls))
1603 {
1604 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
1605 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
1606 {
1607 return FALSE;
1608 }
1609 }
1610 else
1611 {
1612 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
1613 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
1614 {
1615 return FALSE;
1616 }
1617 }
1618
1619 /* EAP-MSK */
1620 if (this->msk_label)
1621 {
1622 seed = chunk_cata("cc", client_random, server_random);
1623 this->msk = chunk_alloc(64);
1624 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
1625 this->msk.len, this->msk.ptr))
1626 {
1627 return FALSE;
1628 }
1629 }
1630 return TRUE;
1631 }
1632
1633 METHOD(tls_crypto_t, derive_secrets, bool,
1634 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
1635 identification_t *id, chunk_t client_random, chunk_t server_random)
1636 {
1637 return derive_master(this, premaster, session, id,
1638 client_random, server_random) &&
1639 expand_keys(this, client_random, server_random);
1640 }
1641
1642 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
1643 private_tls_crypto_t *this, chunk_t session, identification_t *id,
1644 chunk_t client_random, chunk_t server_random)
1645 {
1646 chunk_t master;
1647
1648 if (this->cache && session.len)
1649 {
1650 this->suite = this->cache->lookup(this->cache, session, id, &master);
1651 if (this->suite)
1652 {
1653 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
1654 if (this->suite)
1655 {
1656 if (!this->prf->set_key(this->prf, master) ||
1657 !expand_keys(this, client_random, server_random))
1658 {
1659 this->suite = 0;
1660 }
1661 }
1662 chunk_clear(&master);
1663 }
1664 return this->suite;
1665 }
1666 return 0;
1667 }
1668
1669 METHOD(tls_crypto_t, get_session, chunk_t,
1670 private_tls_crypto_t *this, identification_t *server)
1671 {
1672 if (this->cache)
1673 {
1674 return this->cache->check(this->cache, server);
1675 }
1676 return chunk_empty;
1677 }
1678
1679 METHOD(tls_crypto_t, change_cipher, void,
1680 private_tls_crypto_t *this, bool inbound)
1681 {
1682 if (this->protection)
1683 {
1684 if (inbound)
1685 {
1686 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
1687 }
1688 else
1689 {
1690 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
1691 }
1692 }
1693 }
1694
1695 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1696 private_tls_crypto_t *this)
1697 {
1698 return this->msk;
1699 }
1700
1701 METHOD(tls_crypto_t, destroy, void,
1702 private_tls_crypto_t *this)
1703 {
1704 destroy_aeads(this);
1705 free(this->handshake.ptr);
1706 free(this->msk.ptr);
1707 DESTROY_IF(this->prf);
1708 free(this->suites);
1709 free(this);
1710 }
1711
1712 /**
1713 * See header
1714 */
1715 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
1716 {
1717 private_tls_crypto_t *this;
1718 enumerator_t *enumerator;
1719 credential_type_t type;
1720 int subtype;
1721
1722 INIT(this,
1723 .public = {
1724 .get_cipher_suites = _get_cipher_suites,
1725 .select_cipher_suite = _select_cipher_suite,
1726 .get_dh_group = _get_dh_group,
1727 .get_signature_algorithms = _get_signature_algorithms,
1728 .create_ec_enumerator = _create_ec_enumerator,
1729 .set_protection = _set_protection,
1730 .append_handshake = _append_handshake,
1731 .sign = _sign,
1732 .verify = _verify,
1733 .sign_handshake = _sign_handshake,
1734 .verify_handshake = _verify_handshake,
1735 .calculate_finished = _calculate_finished,
1736 .derive_secrets = _derive_secrets,
1737 .resume_session = _resume_session,
1738 .get_session = _get_session,
1739 .change_cipher = _change_cipher,
1740 .get_eap_msk = _get_eap_msk,
1741 .destroy = _destroy,
1742 },
1743 .tls = tls,
1744 .cache = cache,
1745 );
1746
1747 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1748 while (enumerator->enumerate(enumerator, &type, &subtype))
1749 {
1750 if (type == CRED_PUBLIC_KEY)
1751 {
1752 switch (subtype)
1753 {
1754 case KEY_RSA:
1755 this->rsa = TRUE;
1756 break;
1757 case KEY_ECDSA:
1758 this->ecdsa = TRUE;
1759 break;
1760 default:
1761 break;
1762 }
1763 }
1764 }
1765 enumerator->destroy(enumerator);
1766
1767 switch (tls->get_purpose(tls))
1768 {
1769 case TLS_PURPOSE_EAP_TLS:
1770 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1771 this->msk_label = "client EAP encryption";
1772 build_cipher_suite_list(this, FALSE);
1773 break;
1774 case TLS_PURPOSE_EAP_PEAP:
1775 this->msk_label = "client EAP encryption";
1776 build_cipher_suite_list(this, TRUE);
1777 break;
1778 case TLS_PURPOSE_EAP_TTLS:
1779 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1780 this->msk_label = "ttls keying material";
1781 build_cipher_suite_list(this, TRUE);
1782 break;
1783 case TLS_PURPOSE_GENERIC:
1784 build_cipher_suite_list(this, TRUE);
1785 break;
1786 default:
1787 break;
1788 }
1789 return &this->public;
1790 }