Fixed key type of ECDHE_RSA groups
[strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309
310 typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312 /**
313 * Private data of an tls_crypto_t object.
314 */
315 struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
321
322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
386
387 /**
388 * EAP-[T]TLS MSK
389 */
390 chunk_t msk;
391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
396 };
397
398 typedef struct {
399 tls_cipher_suite_t suite;
400 key_type_t key;
401 diffie_hellman_group_t dh;
402 hash_algorithm_t hash;
403 pseudo_random_function_t prf;
404 integrity_algorithm_t mac;
405 encryption_algorithm_t encr;
406 size_t encr_size;
407 } suite_algs_t;
408
409 /**
410 * Mapping suites to a set of algorithms
411 */
412 static suite_algs_t suite_algs[] = {
413 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
414 KEY_ECDSA, ECP_256_BIT,
415 HASH_SHA1, PRF_HMAC_SHA1,
416 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
417 },
418 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
419 KEY_ECDSA, ECP_256_BIT,
420 HASH_SHA256, PRF_HMAC_SHA2_256,
421 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
422 },
423 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
424 KEY_ECDSA, ECP_384_BIT,
425 HASH_SHA1, PRF_HMAC_SHA1,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
427 },
428 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
429 KEY_ECDSA, ECP_384_BIT,
430 HASH_SHA384, PRF_HMAC_SHA2_384,
431 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
432 },
433 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
434 KEY_RSA, ECP_256_BIT,
435 HASH_SHA1, PRF_HMAC_SHA1,
436 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
437 },
438 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
439 KEY_RSA, ECP_256_BIT,
440 HASH_SHA256, PRF_HMAC_SHA2_256,
441 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
442 },
443 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
444 KEY_RSA, ECP_384_BIT,
445 HASH_SHA1, PRF_HMAC_SHA1,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
447 },
448 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
449 KEY_RSA, ECP_384_BIT,
450 HASH_SHA384, PRF_HMAC_SHA2_384,
451 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
452 },
453 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
454 KEY_RSA, MODP_2048_BIT,
455 HASH_SHA1, PRF_HMAC_SHA1,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
457 },
458 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
459 KEY_RSA, MODP_3072_BIT,
460 HASH_SHA256, PRF_HMAC_SHA2_256,
461 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
462 },
463 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
464 KEY_RSA, MODP_3072_BIT,
465 HASH_SHA1, PRF_HMAC_SHA1,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
467 },
468 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
469 KEY_RSA, MODP_4096_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
472 },
473 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
474 KEY_RSA, MODP_2048_BIT,
475 HASH_SHA1, PRF_HMAC_SHA1,
476 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
477 },
478 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
479 KEY_RSA, MODP_3072_BIT,
480 HASH_SHA256, PRF_HMAC_SHA2_256,
481 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
482 },
483 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
484 KEY_RSA, MODP_3072_BIT,
485 HASH_SHA1, PRF_HMAC_SHA1,
486 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
487 },
488 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
489 KEY_RSA, MODP_4096_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
492 },
493 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
494 KEY_RSA, MODP_2048_BIT,
495 HASH_SHA1, PRF_HMAC_SHA1,
496 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
497 },
498 { TLS_RSA_WITH_AES_128_CBC_SHA,
499 KEY_RSA, MODP_NONE,
500 HASH_SHA1, PRF_HMAC_SHA1,
501 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
502 },
503 { TLS_RSA_WITH_AES_128_CBC_SHA256,
504 KEY_RSA, MODP_NONE,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
507 },
508 { TLS_RSA_WITH_AES_256_CBC_SHA,
509 KEY_RSA, MODP_NONE,
510 HASH_SHA1, PRF_HMAC_SHA1,
511 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
512 },
513 { TLS_RSA_WITH_AES_256_CBC_SHA256,
514 KEY_RSA, MODP_NONE,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
517 },
518 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
519 KEY_RSA, MODP_NONE,
520 HASH_SHA1, PRF_HMAC_SHA1,
521 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
522 },
523 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
524 KEY_RSA, MODP_NONE,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
527 },
528 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA1, PRF_HMAC_SHA1,
531 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
532 },
533 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
537 },
538 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
539 KEY_ECDSA, ECP_256_BIT,
540 HASH_SHA1, PRF_HMAC_SHA1,
541 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
542 },
543 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
544 KEY_ECDSA, ECP_256_BIT,
545 HASH_SHA1, PRF_HMAC_SHA1,
546 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
547 },
548 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA1, PRF_HMAC_SHA1,
551 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
552 },
553 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
554 KEY_ECDSA, ECP_256_BIT,
555 HASH_SHA1, PRF_HMAC_SHA1,
556 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
557 },
558 { TLS_ECDHE_RSA_WITH_NULL_SHA,
559 KEY_ECDSA, ECP_256_BIT,
560 HASH_SHA1, PRF_HMAC_SHA1,
561 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
562 },
563 { TLS_RSA_WITH_NULL_SHA,
564 KEY_RSA, MODP_NONE,
565 HASH_SHA1, PRF_HMAC_SHA1,
566 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
567 },
568 { TLS_RSA_WITH_NULL_SHA256,
569 KEY_RSA, MODP_NONE,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
572 },
573 { TLS_RSA_WITH_NULL_MD5,
574 KEY_RSA, MODP_NONE,
575 HASH_MD5, PRF_HMAC_MD5,
576 AUTH_HMAC_MD5_128, ENCR_NULL, 0
577 },
578 };
579
580 /**
581 * Look up algoritms by a suite
582 */
583 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
584 {
585 int i;
586
587 for (i = 0; i < countof(suite_algs); i++)
588 {
589 if (suite_algs[i].suite == suite)
590 {
591 return &suite_algs[i];
592 }
593 }
594 return NULL;
595 }
596
597 /**
598 * Filter a suite list using a transform enumerator
599 */
600 static void filter_suite(private_tls_crypto_t *this,
601 suite_algs_t suites[], int *count, int offset,
602 enumerator_t*(*create_enumerator)(crypto_factory_t*))
603 {
604 suite_algs_t current;
605 int i, remaining = 0;
606 enumerator_t *enumerator;
607
608 memset(&current, 0, sizeof(current));
609 for (i = 0; i < *count; i++)
610 {
611 enumerator = create_enumerator(lib->crypto);
612 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
613 {
614 if ((suites[i].encr == ENCR_NULL ||
615 !current.encr || current.encr == suites[i].encr) &&
616 (!current.mac || current.mac == suites[i].mac) &&
617 (!current.prf || current.prf == suites[i].prf) &&
618 (!current.hash || current.hash == suites[i].hash))
619 {
620 suites[remaining] = suites[i];
621 remaining++;
622 break;
623 }
624 }
625 enumerator->destroy(enumerator);
626 }
627 *count = remaining;
628 }
629
630 /**
631 * Purge NULL encryption cipher suites from list
632 */
633 static void filter_null_suites(private_tls_crypto_t *this,
634 suite_algs_t suites[], int *count)
635 {
636 int i, remaining = 0;
637
638 for (i = 0; i < *count; i++)
639 {
640 if (suites[i].encr != ENCR_NULL)
641 {
642 suites[remaining] = suites[i];
643 remaining++;
644 }
645 }
646 *count = remaining;
647 }
648
649 /**
650 * Initialize the cipher suite list
651 */
652 static void build_cipher_suite_list(private_tls_crypto_t *this,
653 bool require_encryption)
654 {
655 suite_algs_t suites[countof(suite_algs)];
656 int count = countof(suite_algs), i;
657
658 /* copy all suites */
659 for (i = 0; i < count; i++)
660 {
661 suites[i] = suite_algs[i];
662 }
663 if (require_encryption)
664 {
665 filter_null_suites(this, suites, &count);
666 }
667 /* filter suite list by each algorithm */
668 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
669 lib->crypto->create_crypter_enumerator);
670 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
671 lib->crypto->create_signer_enumerator);
672 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
673 lib->crypto->create_prf_enumerator);
674 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
675 lib->crypto->create_hasher_enumerator);
676
677 free(this->suites);
678 this->suite_count = count;
679 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
680
681 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
682 for (i = 0; i < count; i++)
683 {
684 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
685 this->suites[i] = suites[i].suite;
686 }
687 }
688
689 METHOD(tls_crypto_t, get_cipher_suites, int,
690 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
691 {
692 *suites = this->suites;
693 return this->suite_count;
694 }
695
696 /**
697 * Create crypto primitives
698 */
699 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
700 {
701 DESTROY_IF(this->prf);
702 if (this->tls->get_version(this->tls) < TLS_1_2)
703 {
704 this->prf = tls_prf_create_10();
705 }
706 else
707 {
708 this->prf = tls_prf_create_12(algs->prf);
709 }
710 if (!this->prf)
711 {
712 DBG1(DBG_TLS, "selected TLS PRF not supported");
713 return FALSE;
714 }
715
716 DESTROY_IF(this->signer_in);
717 DESTROY_IF(this->signer_out);
718 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
719 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
720 if (!this->signer_in || !this->signer_out)
721 {
722 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
723 integrity_algorithm_names, algs->mac);
724 return FALSE;
725 }
726
727 DESTROY_IF(this->crypter_in);
728 DESTROY_IF(this->crypter_out);
729 if (algs->encr == ENCR_NULL)
730 {
731 this->crypter_in = this->crypter_out = NULL;
732 }
733 else
734 {
735 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
736 algs->encr, algs->encr_size);
737 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
738 algs->encr, algs->encr_size);
739 if (!this->crypter_in || !this->crypter_out)
740 {
741 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
742 encryption_algorithm_names, algs->encr);
743 return FALSE;
744 }
745 }
746 return TRUE;
747 }
748
749 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
750 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
751 key_type_t key)
752 {
753 suite_algs_t *algs;
754 int i, j;
755
756 for (i = 0; i < this->suite_count; i++)
757 {
758 for (j = 0; j < count; j++)
759 {
760 if (this->suites[i] == suites[j])
761 {
762 algs = find_suite(this->suites[i]);
763 if (algs)
764 {
765 if (key == KEY_ANY || key == algs->key)
766 {
767 if (create_ciphers(this, algs))
768 {
769 this->suite = this->suites[i];
770 return this->suite;
771 }
772 }
773 }
774 }
775 }
776 }
777 return 0;
778 }
779
780 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
781 private_tls_crypto_t *this)
782 {
783 suite_algs_t *algs;
784
785 algs = find_suite(this->suite);
786 if (algs)
787 {
788 return algs->dh;
789 }
790 return MODP_NONE;
791 }
792
793 METHOD(tls_crypto_t, get_signature_algorithms, void,
794 private_tls_crypto_t *this, tls_writer_t *writer)
795 {
796 tls_writer_t *supported;
797 enumerator_t *enumerator;
798 hash_algorithm_t alg;
799 tls_hash_algorithm_t hash;
800
801 supported = tls_writer_create(32);
802 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
803 while (enumerator->enumerate(enumerator, &alg))
804 {
805 switch (alg)
806 {
807 case HASH_MD5:
808 hash = TLS_HASH_MD5;
809 break;
810 case HASH_SHA1:
811 hash = TLS_HASH_SHA1;
812 break;
813 case HASH_SHA224:
814 hash = TLS_HASH_SHA224;
815 break;
816 case HASH_SHA256:
817 hash = TLS_HASH_SHA256;
818 break;
819 case HASH_SHA384:
820 hash = TLS_HASH_SHA384;
821 break;
822 case HASH_SHA512:
823 hash = TLS_HASH_SHA512;
824 break;
825 default:
826 continue;
827 }
828 supported->write_uint8(supported, hash);
829 supported->write_uint8(supported, TLS_SIG_RSA);
830 if (alg != HASH_MD5 && alg != HASH_SHA224)
831 {
832 supported->write_uint8(supported, hash);
833 supported->write_uint8(supported, TLS_SIG_ECDSA);
834 }
835 }
836 enumerator->destroy(enumerator);
837
838 writer->write_data16(writer, supported->get_buf(supported));
839 supported->destroy(supported);
840 }
841
842 /**
843 * Mapping groups to TLS named curves
844 */
845 static struct {
846 diffie_hellman_group_t group;
847 tls_named_curve_t curve;
848 } curves[] = {
849 { ECP_256_BIT, TLS_SECP256R1},
850 { ECP_384_BIT, TLS_SECP384R1},
851 { ECP_521_BIT, TLS_SECP521R1},
852 { ECP_224_BIT, TLS_SECP224R1},
853 { ECP_192_BIT, TLS_SECP192R1},
854 };
855
856 /**
857 * Filter EC groups, add TLS curve
858 */
859 static bool group_filter(void *null,
860 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
861 void* dummy1, tls_named_curve_t *curve)
862 {
863 int i;
864
865 for (i = 0; i < countof(curves); i++)
866 {
867 if (curves[i].group == *in)
868 {
869 if (out)
870 {
871 *out = curves[i].group;
872 }
873 if (curve)
874 {
875 *curve = curves[i].curve;
876 }
877 return TRUE;
878 }
879 }
880 return FALSE;
881 }
882
883 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
884 private_tls_crypto_t *this)
885 {
886 return enumerator_create_filter(
887 lib->crypto->create_dh_enumerator(lib->crypto),
888 (void*)group_filter, NULL, NULL);
889 }
890
891 METHOD(tls_crypto_t, set_protection, void,
892 private_tls_crypto_t *this, tls_protection_t *protection)
893 {
894 this->protection = protection;
895 }
896
897 METHOD(tls_crypto_t, append_handshake, void,
898 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
899 {
900 u_int32_t header;
901
902 /* reconstruct handshake header */
903 header = htonl(data.len | (type << 24));
904 this->handshake = chunk_cat("mcc", this->handshake,
905 chunk_from_thing(header), data);
906 }
907
908 /**
909 * Create a hash using the suites HASH algorithm
910 */
911 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
912 {
913 if (this->tls->get_version(this->tls) >= TLS_1_2)
914 {
915 hasher_t *hasher;
916 suite_algs_t *alg;
917
918 alg = find_suite(this->suite);
919 if (!alg)
920 {
921 return FALSE;
922 }
923 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
924 if (!hasher)
925 {
926 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
927 return FALSE;
928 }
929 hasher->allocate_hash(hasher, data, hash);
930 hasher->destroy(hasher);
931 }
932 else
933 {
934 hasher_t *md5, *sha1;
935 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
936
937 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
938 if (!md5)
939 {
940 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
941 return FALSE;
942 }
943 md5->get_hash(md5, data, buf);
944 md5->destroy(md5);
945 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
946 if (!sha1)
947 {
948 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
949 return FALSE;
950 }
951 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
952 sha1->destroy(sha1);
953
954 *hash = chunk_clone(chunk_from_thing(buf));
955 }
956 return TRUE;
957 }
958
959 /**
960 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
961 */
962 static signature_scheme_t hashsig_to_scheme(key_type_t type,
963 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
964 {
965 switch (sig)
966 {
967 case TLS_SIG_RSA:
968 if (type != KEY_RSA)
969 {
970 return SIGN_UNKNOWN;
971 }
972 switch (hash)
973 {
974 case TLS_HASH_MD5:
975 return SIGN_RSA_EMSA_PKCS1_MD5;
976 case TLS_HASH_SHA1:
977 return SIGN_RSA_EMSA_PKCS1_SHA1;
978 case TLS_HASH_SHA224:
979 return SIGN_RSA_EMSA_PKCS1_SHA224;
980 case TLS_HASH_SHA256:
981 return SIGN_RSA_EMSA_PKCS1_SHA256;
982 case TLS_HASH_SHA384:
983 return SIGN_RSA_EMSA_PKCS1_SHA384;
984 case TLS_HASH_SHA512:
985 return SIGN_RSA_EMSA_PKCS1_SHA512;
986 default:
987 return SIGN_UNKNOWN;
988 }
989 case TLS_SIG_ECDSA:
990 if (type != KEY_ECDSA)
991 {
992 return SIGN_UNKNOWN;
993 }
994 switch (hash)
995 {
996 case TLS_HASH_SHA224:
997 return SIGN_ECDSA_WITH_SHA1_DER;
998 case TLS_HASH_SHA256:
999 return SIGN_ECDSA_WITH_SHA256_DER;
1000 case TLS_HASH_SHA384:
1001 return SIGN_ECDSA_WITH_SHA384_DER;
1002 case TLS_HASH_SHA512:
1003 return SIGN_ECDSA_WITH_SHA512_DER;
1004 default:
1005 return SIGN_UNKNOWN;
1006 }
1007 default:
1008 return SIGN_UNKNOWN;
1009 }
1010 }
1011
1012 METHOD(tls_crypto_t, sign, bool,
1013 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1014 chunk_t data, chunk_t hashsig)
1015 {
1016 if (this->tls->get_version(this->tls) >= TLS_1_2)
1017 {
1018 signature_scheme_t scheme;
1019 tls_reader_t *reader;
1020 u_int8_t hash, alg;
1021 chunk_t sig;
1022 bool done = FALSE;
1023
1024 if (!hashsig.len)
1025 { /* fallback if none given */
1026 hashsig = chunk_from_chars(
1027 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1028 }
1029 reader = tls_reader_create(hashsig);
1030 while (reader->remaining(reader) >= 2)
1031 {
1032 if (reader->read_uint8(reader, &hash) &&
1033 reader->read_uint8(reader, &alg))
1034 {
1035 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1036 if (scheme != SIGN_UNKNOWN &&
1037 key->sign(key, scheme, data, &sig))
1038 {
1039 done = TRUE;
1040 break;
1041 }
1042 }
1043 }
1044 reader->destroy(reader);
1045 if (!done)
1046 {
1047 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1048 return FALSE;
1049 }
1050 DBG2(DBG_TLS, "created signature with %N/%N",
1051 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1052 writer->write_uint8(writer, hash);
1053 writer->write_uint8(writer, alg);
1054 writer->write_data16(writer, sig);
1055 free(sig.ptr);
1056 }
1057 else
1058 {
1059 chunk_t sig, hash;
1060 bool done;
1061
1062 switch (key->get_type(key))
1063 {
1064 case KEY_RSA:
1065 if (!hash_data(this, data, &hash))
1066 {
1067 return FALSE;
1068 }
1069 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1070 free(hash.ptr);
1071 if (!done)
1072 {
1073 return FALSE;
1074 }
1075 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1076 break;
1077 case KEY_ECDSA:
1078 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1079 {
1080 return FALSE;
1081 }
1082 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1083 break;
1084 default:
1085 return FALSE;
1086 }
1087 writer->write_data16(writer, sig);
1088 free(sig.ptr);
1089 }
1090 return TRUE;
1091 }
1092
1093 METHOD(tls_crypto_t, verify, bool,
1094 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1095 chunk_t data)
1096 {
1097 if (this->tls->get_version(this->tls) >= TLS_1_2)
1098 {
1099 signature_scheme_t scheme = SIGN_UNKNOWN;
1100 u_int8_t hash, alg;
1101 chunk_t sig;
1102
1103 if (!reader->read_uint8(reader, &hash) ||
1104 !reader->read_uint8(reader, &alg) ||
1105 !reader->read_data16(reader, &sig))
1106 {
1107 DBG1(DBG_TLS, "received invalid signature");
1108 return FALSE;
1109 }
1110 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1111 if (scheme == SIGN_UNKNOWN)
1112 {
1113 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1114 tls_hash_algorithm_names, hash,
1115 tls_signature_algorithm_names, alg);
1116 return FALSE;
1117 }
1118 if (!key->verify(key, scheme, data, sig))
1119 {
1120 return FALSE;
1121 }
1122 DBG2(DBG_TLS, "verified signature with %N/%N",
1123 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1124 }
1125 else
1126 {
1127 chunk_t sig, hash;
1128 bool done;
1129
1130 if (!reader->read_data16(reader, &sig))
1131 {
1132 DBG1(DBG_TLS, "received invalid signature");
1133 return FALSE;
1134 }
1135 switch (key->get_type(key))
1136 {
1137 case KEY_RSA:
1138 if (!hash_data(this, data, &hash))
1139 {
1140 return FALSE;
1141 }
1142 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1143 free(hash.ptr);
1144 if (!done)
1145 {
1146 return FALSE;
1147 }
1148 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1149 break;
1150 case KEY_ECDSA:
1151 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1152 {
1153 return FALSE;
1154 }
1155 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1156 break;
1157 default:
1158 return FALSE;
1159 }
1160 }
1161 return TRUE;
1162 }
1163
1164 METHOD(tls_crypto_t, sign_handshake, bool,
1165 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1166 chunk_t hashsig)
1167 {
1168 return sign(this, key, writer, this->handshake, hashsig);
1169 }
1170
1171 METHOD(tls_crypto_t, verify_handshake, bool,
1172 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1173 {
1174 return verify(this, key, reader, this->handshake);
1175 }
1176
1177 METHOD(tls_crypto_t, calculate_finished, bool,
1178 private_tls_crypto_t *this, char *label, char out[12])
1179 {
1180 chunk_t seed;
1181
1182 if (!this->prf)
1183 {
1184 return FALSE;
1185 }
1186 if (!hash_data(this, this->handshake, &seed))
1187 {
1188 return FALSE;
1189 }
1190 this->prf->get_bytes(this->prf, label, seed, 12, out);
1191 free(seed.ptr);
1192 return TRUE;
1193 }
1194
1195 METHOD(tls_crypto_t, derive_secrets, void,
1196 private_tls_crypto_t *this, chunk_t premaster,
1197 chunk_t client_random, chunk_t server_random)
1198 {
1199 char master[48];
1200 chunk_t seed, block, client_write, server_write;
1201 int mks, eks = 0, ivs = 0;
1202
1203 /* derive master secret */
1204 seed = chunk_cata("cc", client_random, server_random);
1205 this->prf->set_key(this->prf, premaster);
1206 this->prf->get_bytes(this->prf, "master secret", seed,
1207 sizeof(master), master);
1208
1209 this->prf->set_key(this->prf, chunk_from_thing(master));
1210 memset(master, 0, sizeof(master));
1211
1212 /* derive key block for key expansion */
1213 mks = this->signer_out->get_key_size(this->signer_out);
1214 if (this->crypter_out)
1215 {
1216 eks = this->crypter_out->get_key_size(this->crypter_out);
1217 if (this->tls->get_version(this->tls) < TLS_1_1)
1218 {
1219 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1220 }
1221 }
1222 seed = chunk_cata("cc", server_random, client_random);
1223 block = chunk_alloca((mks + eks + ivs) * 2);
1224 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1225
1226 /* signer keys */
1227 client_write = chunk_create(block.ptr, mks);
1228 block = chunk_skip(block, mks);
1229 server_write = chunk_create(block.ptr, mks);
1230 block = chunk_skip(block, mks);
1231 if (this->tls->is_server(this->tls))
1232 {
1233 this->signer_in->set_key(this->signer_in, client_write);
1234 this->signer_out->set_key(this->signer_out, server_write);
1235 }
1236 else
1237 {
1238 this->signer_out->set_key(this->signer_out, client_write);
1239 this->signer_in->set_key(this->signer_in, server_write);
1240 }
1241
1242 /* crypter keys, and IVs if < TLSv1.2 */
1243 if (this->crypter_out && this->crypter_in)
1244 {
1245 client_write = chunk_create(block.ptr, eks);
1246 block = chunk_skip(block, eks);
1247 server_write = chunk_create(block.ptr, eks);
1248 block = chunk_skip(block, eks);
1249
1250 if (this->tls->is_server(this->tls))
1251 {
1252 this->crypter_in->set_key(this->crypter_in, client_write);
1253 this->crypter_out->set_key(this->crypter_out, server_write);
1254 }
1255 else
1256 {
1257 this->crypter_out->set_key(this->crypter_out, client_write);
1258 this->crypter_in->set_key(this->crypter_in, server_write);
1259 }
1260 if (ivs)
1261 {
1262 client_write = chunk_create(block.ptr, ivs);
1263 block = chunk_skip(block, ivs);
1264 server_write = chunk_create(block.ptr, ivs);
1265 block = chunk_skip(block, ivs);
1266
1267 if (this->tls->is_server(this->tls))
1268 {
1269 this->iv_in = chunk_clone(client_write);
1270 this->iv_out = chunk_clone(server_write);
1271 }
1272 else
1273 {
1274 this->iv_out = chunk_clone(client_write);
1275 this->iv_in = chunk_clone(server_write);
1276 }
1277 }
1278 }
1279 }
1280
1281 METHOD(tls_crypto_t, change_cipher, void,
1282 private_tls_crypto_t *this, bool inbound)
1283 {
1284 if (this->protection)
1285 {
1286 if (inbound)
1287 {
1288 this->protection->set_cipher(this->protection, TRUE,
1289 this->signer_in, this->crypter_in, this->iv_in);
1290 }
1291 else
1292 {
1293 this->protection->set_cipher(this->protection, FALSE,
1294 this->signer_out, this->crypter_out, this->iv_out);
1295 }
1296 }
1297 }
1298
1299 METHOD(tls_crypto_t, derive_eap_msk, void,
1300 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1301 {
1302 if (this->msk_label)
1303 {
1304 chunk_t seed;
1305
1306 seed = chunk_cata("cc", client_random, server_random);
1307 free(this->msk.ptr);
1308 this->msk = chunk_alloc(64);
1309 this->prf->get_bytes(this->prf, this->msk_label, seed,
1310 this->msk.len, this->msk.ptr);
1311 }
1312 }
1313
1314 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1315 private_tls_crypto_t *this)
1316 {
1317 return this->msk;
1318 }
1319
1320 METHOD(tls_crypto_t, destroy, void,
1321 private_tls_crypto_t *this)
1322 {
1323 DESTROY_IF(this->signer_in);
1324 DESTROY_IF(this->signer_out);
1325 DESTROY_IF(this->crypter_in);
1326 DESTROY_IF(this->crypter_out);
1327 free(this->iv_in.ptr);
1328 free(this->iv_out.ptr);
1329 free(this->handshake.ptr);
1330 free(this->msk.ptr);
1331 DESTROY_IF(this->prf);
1332 free(this->suites);
1333 free(this);
1334 }
1335
1336 /**
1337 * See header
1338 */
1339 tls_crypto_t *tls_crypto_create(tls_t *tls)
1340 {
1341 private_tls_crypto_t *this;
1342
1343 INIT(this,
1344 .public = {
1345 .get_cipher_suites = _get_cipher_suites,
1346 .select_cipher_suite = _select_cipher_suite,
1347 .get_dh_group = _get_dh_group,
1348 .get_signature_algorithms = _get_signature_algorithms,
1349 .create_ec_enumerator = _create_ec_enumerator,
1350 .set_protection = _set_protection,
1351 .append_handshake = _append_handshake,
1352 .sign = _sign,
1353 .verify = _verify,
1354 .sign_handshake = _sign_handshake,
1355 .verify_handshake = _verify_handshake,
1356 .calculate_finished = _calculate_finished,
1357 .derive_secrets = _derive_secrets,
1358 .change_cipher = _change_cipher,
1359 .derive_eap_msk = _derive_eap_msk,
1360 .get_eap_msk = _get_eap_msk,
1361 .destroy = _destroy,
1362 },
1363 .tls = tls,
1364 );
1365
1366 switch (tls->get_purpose(tls))
1367 {
1368 case TLS_PURPOSE_EAP_TLS:
1369 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1370 this->msk_label = "client EAP encryption";
1371 build_cipher_suite_list(this, FALSE);
1372 break;
1373 case TLS_PURPOSE_EAP_TTLS:
1374 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1375 this->msk_label = "ttls keying material";
1376 build_cipher_suite_list(this, TRUE);
1377 break;
1378 case TLS_PURPOSE_GENERIC:
1379 build_cipher_suite_list(this, TRUE);
1380 break;
1381 }
1382 return &this->public;
1383 }