]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add ECDHE enabled cipher suites, including ECDSA variants
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
CommitLineData
536dbc00
MW		 1/*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16#include "tls_crypto.h"
17
0f82a470 18#include <debug.h>
18010de2 19
4657b3a4
AS		 20ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
37d2d7e1 40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
4657b3a4
AS		 41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
37d2d7e1 62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
4657b3a4
AS		 63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
37d2d7e1 92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
4657b3a4
AS		 93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
37d2d7e1 105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
4657b3a4
AS		 106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
37d2d7e1 174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
4657b3a4
AS		 175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
37d2d7e1 178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
4657b3a4
AS		 179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
9dd2ca92
MW		 241ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249);
250
251ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255);
256
99dcaea9
MW		 257ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
691ca54d
MW		 275ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279);
280
281ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307);
308
99dcaea9 309
536dbc00
MW		 310typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312/**
313 * Private data of an tls_crypto_t object.
314 */
315struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
18010de2 321
dc9f34be
MW		 322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
18010de2
MW		 327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
84d67ead
MW		 347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
18010de2
MW		 352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
84543e6e
MW		 356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
51313a39
MW		 386
387 /**
a6444fcd 388 * EAP-[T]TLS MSK
51313a39
MW		 389 */
390 chunk_t msk;
a6444fcd
AS		 391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
536dbc00
MW		 396};
397
84543e6e
MW		 398typedef struct {
399 tls_cipher_suite_t suite;
4cdade5a
MW		 400 key_type_t key;
401 diffie_hellman_group_t dh;
84543e6e
MW		 402 hash_algorithm_t hash;
403 pseudo_random_function_t prf;
404 integrity_algorithm_t mac;
405 encryption_algorithm_t encr;
406 size_t encr_size;
407} suite_algs_t;
408
409/**
410 * Mapping suites to a set of algorithms
411 */
412static suite_algs_t suite_algs[] = {
2066918d
MW		 413 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
414 KEY_ECDSA, ECP_256_BIT,
415 HASH_SHA1, PRF_HMAC_SHA1,
416 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
417 },
418 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
419 KEY_ECDSA, ECP_256_BIT,
420 HASH_SHA256, PRF_HMAC_SHA2_256,
421 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
422 },
423 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
424 KEY_ECDSA, ECP_384_BIT,
425 HASH_SHA1, PRF_HMAC_SHA1,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
427 },
428 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
429 KEY_ECDSA, ECP_384_BIT,
430 HASH_SHA384, PRF_HMAC_SHA2_384,
431 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
432 },
433 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
434 KEY_ECDSA, ECP_256_BIT,
435 HASH_SHA1, PRF_HMAC_SHA1,
436 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
437 },
438 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
439 KEY_ECDSA, ECP_256_BIT,
440 HASH_SHA256, PRF_HMAC_SHA2_256,
441 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
442 },
443 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
444 KEY_ECDSA, ECP_384_BIT,
445 HASH_SHA1, PRF_HMAC_SHA1,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
447 },
448 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
449 KEY_ECDSA, ECP_384_BIT,
450 HASH_SHA384, PRF_HMAC_SHA2_384,
451 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
452 },
ef0a8e58 453 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
4cdade5a
MW		 454 KEY_RSA, MODP_2048_BIT,
455 HASH_SHA1, PRF_HMAC_SHA1,
ef0a8e58
MW		 456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
457 },
458 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
4cdade5a
MW		 459 KEY_RSA, MODP_3072_BIT,
460 HASH_SHA256, PRF_HMAC_SHA2_256,
ef0a8e58
MW		 461 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
462 },
463 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
4cdade5a
MW		 464 KEY_RSA, MODP_3072_BIT,
465 HASH_SHA1, PRF_HMAC_SHA1,
ef0a8e58
MW		 466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
467 },
468 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
4cdade5a
MW		 469 KEY_RSA, MODP_4096_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
ef0a8e58
MW		 471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
472 },
473 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
4cdade5a
MW		 474 KEY_RSA, MODP_2048_BIT,
475 HASH_SHA1, PRF_HMAC_SHA1,
ef0a8e58
MW		 476 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
477 },
478 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
4cdade5a
MW		 479 KEY_RSA, MODP_3072_BIT,
480 HASH_SHA256, PRF_HMAC_SHA2_256,
ef0a8e58
MW		 481 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
482 },
483 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
4cdade5a
MW		 484 KEY_RSA, MODP_3072_BIT,
485 HASH_SHA1, PRF_HMAC_SHA1,
ef0a8e58
MW		 486 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
487 },
488 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
4cdade5a
MW		 489 KEY_RSA, MODP_4096_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
ef0a8e58
MW		 491 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
492 },
493 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
4cdade5a
MW		 494 KEY_RSA, MODP_2048_BIT,
495 HASH_SHA1, PRF_HMAC_SHA1,
ef0a8e58
MW		 496 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
497 },
84543e6e 498 { TLS_RSA_WITH_AES_128_CBC_SHA,
4cdade5a
MW		 499 KEY_RSA, MODP_NONE,
500 HASH_SHA1, PRF_HMAC_SHA1,
6e413d9c
MW		 501 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
502 },
503 { TLS_RSA_WITH_AES_128_CBC_SHA256,
4cdade5a
MW		 504 KEY_RSA, MODP_NONE,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
6e413d9c 506 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
84543e6e
MW		 507 },
508 { TLS_RSA_WITH_AES_256_CBC_SHA,
4cdade5a
MW		 509 KEY_RSA, MODP_NONE,
510 HASH_SHA1, PRF_HMAC_SHA1,
6e413d9c 511 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
84543e6e 512 },
6e413d9c 513 { TLS_RSA_WITH_AES_256_CBC_SHA256,
4cdade5a
MW		 514 KEY_RSA, MODP_NONE,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
6e413d9c 516 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
84543e6e 517 },
6e413d9c 518 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
4cdade5a
MW		 519 KEY_RSA, MODP_NONE,
520 HASH_SHA1, PRF_HMAC_SHA1,
6e413d9c
MW		 521 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
522 },
523 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
4cdade5a
MW		 524 KEY_RSA, MODP_NONE,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
6e413d9c
MW		 526 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
527 },
528 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
4cdade5a
MW		 529 KEY_RSA, MODP_NONE,
530 HASH_SHA1, PRF_HMAC_SHA1,
6e413d9c
MW		 531 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
532 },
533 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
4cdade5a
MW		 534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
6e413d9c 536 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
84543e6e 537 },
2066918d
MW		 538 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
539 KEY_ECDSA, ECP_256_BIT,
540 HASH_SHA1, PRF_HMAC_SHA1,
541 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
542 },
543 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
544 KEY_ECDSA, ECP_256_BIT,
545 HASH_SHA1, PRF_HMAC_SHA1,
546 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
547 },
2bf0e74c 548 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
4cdade5a
MW		 549 KEY_RSA, MODP_NONE,
550 HASH_SHA1, PRF_HMAC_SHA1,
2bf0e74c
MW		 551 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
552 },
2066918d
MW		 553 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
554 KEY_ECDSA, ECP_256_BIT,
555 HASH_SHA1, PRF_HMAC_SHA1,
556 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
557 },
558 { TLS_ECDHE_RSA_WITH_NULL_SHA,
559 KEY_ECDSA, ECP_256_BIT,
560 HASH_SHA1, PRF_HMAC_SHA1,
561 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
562 },
2bf0e74c 563 { TLS_RSA_WITH_NULL_SHA,
4cdade5a
MW		 564 KEY_RSA, MODP_NONE,
565 HASH_SHA1, PRF_HMAC_SHA1,
2bf0e74c
MW		 566 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
567 },
568 { TLS_RSA_WITH_NULL_SHA256,
4cdade5a
MW		 569 KEY_RSA, MODP_NONE,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
2bf0e74c
MW		 571 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
572 },
573 { TLS_RSA_WITH_NULL_MD5,
4cdade5a
MW		 574 KEY_RSA, MODP_NONE,
575 HASH_MD5, PRF_HMAC_MD5,
2bf0e74c
MW		 576 AUTH_HMAC_MD5_128, ENCR_NULL, 0
577 },
84543e6e
MW		 578};
579
580/**
581 * Look up algoritms by a suite
582 */
583static suite_algs_t *find_suite(tls_cipher_suite_t suite)
584{
585 int i;
586
587 for (i = 0; i < countof(suite_algs); i++)
588 {
589 if (suite_algs[i].suite == suite)
590 {
591 return &suite_algs[i];
592 }
593 }
594 return NULL;
595}
596
18010de2 597/**
a2bfc45b 598 * Filter a suite list using a transform enumerator
18010de2 599 */
a2bfc45b
MW		 600static void filter_suite(private_tls_crypto_t *this,
601 suite_algs_t suites[], int *count, int offset,
602 enumerator_t*(*create_enumerator)(crypto_factory_t*))
536dbc00 603{
a2bfc45b
MW		 604 suite_algs_t current;
605 int i, remaining = 0;
606 enumerator_t *enumerator;
536dbc00 607
a2bfc45b
MW		 608 memset(&current, 0, sizeof(current));
609 for (i = 0; i < *count; i++)
536dbc00 610 {
a2bfc45b
MW		 611 enumerator = create_enumerator(lib->crypto);
612 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
536dbc00 613 {
a2bfc45b
MW		 614 if ((suites[i].encr == ENCR_NULL ||
615 !current.encr || current.encr == suites[i].encr) &&
616 (!current.mac || current.mac == suites[i].mac) &&
617 (!current.prf || current.prf == suites[i].prf) &&
618 (!current.hash || current.hash == suites[i].hash))
536dbc00 619 {
a2bfc45b
MW		 620 suites[remaining] = suites[i];
621 remaining++;
622 break;
536dbc00
MW		 623 }
624 }
a2bfc45b 625 enumerator->destroy(enumerator);
536dbc00 626 }
a2bfc45b
MW		 627 *count = remaining;
628}
629
96b2fbcc
MW		 630/**
631 * Purge NULL encryption cipher suites from list
632 */
633static void filter_null_suites(private_tls_crypto_t *this,
634 suite_algs_t suites[], int *count)
635{
636 int i, remaining = 0;
637
638 for (i = 0; i < *count; i++)
639 {
640 if (suites[i].encr != ENCR_NULL)
641 {
642 suites[remaining] = suites[i];
643 remaining++;
644 }
645 }
646 *count = remaining;
647}
648
a2bfc45b
MW		 649/**
650 * Initialize the cipher suite list
651 */
96b2fbcc
MW		 652static void build_cipher_suite_list(private_tls_crypto_t *this,
653 bool require_encryption)
a2bfc45b
MW		 654{
655 suite_algs_t suites[countof(suite_algs)];
656 int count = countof(suite_algs), i;
536dbc00 657
a2bfc45b 658 /* copy all suites */
536dbc00
MW		 659 for (i = 0; i < count; i++)
660 {
a2bfc45b 661 suites[i] = suite_algs[i];
18010de2 662 }
96b2fbcc
MW		 663 if (require_encryption)
664 {
665 filter_null_suites(this, suites, &count);
666 }
a2bfc45b
MW		 667 /* filter suite list by each algorithm */
668 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
669 lib->crypto->create_crypter_enumerator);
670 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
671 lib->crypto->create_signer_enumerator);
672 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
673 lib->crypto->create_prf_enumerator);
674 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
675 lib->crypto->create_hasher_enumerator);
676
56a1167b
AS		 677 free(this->suites);
678 this->suite_count = count;
679 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
680
3c19b346 681 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
a2bfc45b
MW		 682 for (i = 0; i < count; i++)
683 {
3c19b346 684 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
56a1167b 685 this->suites[i] = suites[i].suite;
a2bfc45b 686 }
18010de2
MW		 687}
688
689METHOD(tls_crypto_t, get_cipher_suites, int,
690 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
691{
692 *suites = this->suites;
693 return this->suite_count;
694}
695
84543e6e
MW		 696/**
697 * Create crypto primitives
698 */
4cdade5a 699static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
84543e6e 700{
84543e6e
MW		 701 DESTROY_IF(this->prf);
702 if (this->tls->get_version(this->tls) < TLS_1_2)
703 {
704 this->prf = tls_prf_create_10();
705 }
706 else
707 {
708 this->prf = tls_prf_create_12(algs->prf);
709 }
710 if (!this->prf)
711 {
3c19b346 712 DBG1(DBG_TLS, "selected TLS PRF not supported");
84543e6e
MW		 713 return FALSE;
714 }
715
716 DESTROY_IF(this->signer_in);
717 DESTROY_IF(this->signer_out);
718 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
719 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
720 if (!this->signer_in || !this->signer_out)
721 {
3c19b346 722 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
84543e6e
MW		 723 integrity_algorithm_names, algs->mac);
724 return FALSE;
725 }
726
727 DESTROY_IF(this->crypter_in);
728 DESTROY_IF(this->crypter_out);
729 if (algs->encr == ENCR_NULL)
730 {
731 this->crypter_in = this->crypter_out = NULL;
732 }
733 else
734 {
735 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
736 algs->encr, algs->encr_size);
737 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
738 algs->encr, algs->encr_size);
739 if (!this->crypter_in || !this->crypter_out)
740 {
3c19b346 741 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
84543e6e
MW		 742 encryption_algorithm_names, algs->encr);
743 return FALSE;
744 }
745 }
746 return TRUE;
747}
748
18010de2 749METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
4cdade5a
MW		 750 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
751 key_type_t key)
18010de2 752{
4cdade5a 753 suite_algs_t *algs;
18010de2
MW		 754 int i, j;
755
756 for (i = 0; i < this->suite_count; i++)
757 {
758 for (j = 0; j < count; j++)
759 {
760 if (this->suites[i] == suites[j])
761 {
4cdade5a
MW		 762 algs = find_suite(this->suites[i]);
763 if (algs)
84543e6e 764 {
4cdade5a
MW		 765 if (key == KEY_ANY || key == algs->key)
766 {
767 if (create_ciphers(this, algs))
768 {
769 this->suite = this->suites[i];
770 return this->suite;
771 }
772 }
84543e6e 773 }
18010de2
MW		 774 }
775 }
776 }
777 return 0;
778}
779
35d9c15d
MW		 780METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
781 private_tls_crypto_t *this)
782{
783 suite_algs_t *algs;
784
785 algs = find_suite(this->suite);
786 if (algs)
787 {
788 return algs->dh;
789 }
790 return MODP_NONE;
791}
792
d29a82a9
MW		 793METHOD(tls_crypto_t, get_signature_algorithms, void,
794 private_tls_crypto_t *this, tls_writer_t *writer)
795{
796 tls_writer_t *supported;
797 enumerator_t *enumerator;
798 hash_algorithm_t alg;
799 tls_hash_algorithm_t hash;
800
801 supported = tls_writer_create(32);
802 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
803 while (enumerator->enumerate(enumerator, &alg))
804 {
805 switch (alg)
806 {
807 case HASH_MD5:
808 hash = TLS_HASH_MD5;
809 break;
810 case HASH_SHA1:
811 hash = TLS_HASH_SHA1;
812 break;
813 case HASH_SHA224:
814 hash = TLS_HASH_SHA224;
815 break;
816 case HASH_SHA256:
817 hash = TLS_HASH_SHA256;
818 break;
819 case HASH_SHA384:
820 hash = TLS_HASH_SHA384;
821 break;
822 case HASH_SHA512:
823 hash = TLS_HASH_SHA512;
824 break;
825 default:
826 continue;
827 }
828 supported->write_uint8(supported, hash);
829 supported->write_uint8(supported, TLS_SIG_RSA);
830 if (alg != HASH_MD5 && alg != HASH_SHA224)
831 {
832 supported->write_uint8(supported, hash);
833 supported->write_uint8(supported, TLS_SIG_ECDSA);
834 }
835 }
836 enumerator->destroy(enumerator);
837
838 writer->write_data16(writer, supported->get_buf(supported));
839 supported->destroy(supported);
840}
841
37a59a8f
MW		 842METHOD(tls_crypto_t, get_curves, void,
843 private_tls_crypto_t *this, tls_writer_t *writer)
844{
845 u_int16_t curves[] = {
846 htons(TLS_SECP256R1),
847 htons(TLS_SECP384R1),
848 htons(TLS_SECP521R1),
849 htons(TLS_SECP192R1),
850 htons(TLS_SECP224R1),
851 };
852 writer->write_data16(writer, chunk_from_thing(curves));
853}
854
dc9f34be
MW		 855METHOD(tls_crypto_t, set_protection, void,
856 private_tls_crypto_t *this, tls_protection_t *protection)
857{
858 this->protection = protection;
859}
860
84d67ead
MW		 861METHOD(tls_crypto_t, append_handshake, void,
862 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
863{
864 u_int32_t header;
865
866 /* reconstruct handshake header */
867 header = htonl(data.len | (type << 24));
868 this->handshake = chunk_cat("mcc", this->handshake,
869 chunk_from_thing(header), data);
870}
871
872/**
d29a82a9 873 * Create a hash using the suites HASH algorithm
84d67ead 874 */
d29a82a9 875static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
84d67ead
MW		 876{
877 if (this->tls->get_version(this->tls) >= TLS_1_2)
878 {
879 hasher_t *hasher;
880 suite_algs_t *alg;
881
882 alg = find_suite(this->suite);
883 if (!alg)
884 {
885 return FALSE;
886 }
887 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
888 if (!hasher)
889 {
3c19b346 890 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
84d67ead
MW		 891 return FALSE;
892 }
d29a82a9 893 hasher->allocate_hash(hasher, data, hash);
84d67ead
MW		 894 hasher->destroy(hasher);
895 }
896 else
897 {
898 hasher_t *md5, *sha1;
899 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
900
901 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
902 if (!md5)
903 {
3c19b346 904 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
84d67ead
MW		 905 return FALSE;
906 }
d29a82a9 907 md5->get_hash(md5, data, buf);
84d67ead
MW		 908 md5->destroy(md5);
909 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
910 if (!sha1)
911 {
3c19b346 912 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
84d67ead
MW		 913 return FALSE;
914 }
d29a82a9 915 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
84d67ead
MW		 916 sha1->destroy(sha1);
917
918 *hash = chunk_clone(chunk_from_thing(buf));
919 }
920 return TRUE;
921}
922
dbb7c030
MW		 923/**
924 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
925 */
926static signature_scheme_t hashsig_to_scheme(key_type_t type,
927 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
84d67ead 928{
dbb7c030
MW		 929 switch (sig)
930 {
931 case TLS_SIG_RSA:
932 if (type != KEY_RSA)
933 {
934 return SIGN_UNKNOWN;
935 }
936 switch (hash)
937 {
938 case TLS_HASH_MD5:
939 return SIGN_RSA_EMSA_PKCS1_MD5;
940 case TLS_HASH_SHA1:
941 return SIGN_RSA_EMSA_PKCS1_SHA1;
942 case TLS_HASH_SHA224:
943 return SIGN_RSA_EMSA_PKCS1_SHA224;
944 case TLS_HASH_SHA256:
945 return SIGN_RSA_EMSA_PKCS1_SHA256;
946 case TLS_HASH_SHA384:
947 return SIGN_RSA_EMSA_PKCS1_SHA384;
948 case TLS_HASH_SHA512:
949 return SIGN_RSA_EMSA_PKCS1_SHA512;
950 default:
951 return SIGN_UNKNOWN;
952 }
953 case TLS_SIG_ECDSA:
954 if (type != KEY_ECDSA)
955 {
956 return SIGN_UNKNOWN;
957 }
958 switch (hash)
959 {
960 case TLS_HASH_SHA224:
961 return SIGN_ECDSA_WITH_SHA1_DER;
962 case TLS_HASH_SHA256:
963 return SIGN_ECDSA_WITH_SHA256_DER;
964 case TLS_HASH_SHA384:
965 return SIGN_ECDSA_WITH_SHA384_DER;
966 case TLS_HASH_SHA512:
967 return SIGN_ECDSA_WITH_SHA512_DER;
968 default:
969 return SIGN_UNKNOWN;
970 }
971 default:
972 return SIGN_UNKNOWN;
973 }
974}
400df4ca 975
d29a82a9 976METHOD(tls_crypto_t, sign, bool,
dbb7c030 977 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
d29a82a9 978 chunk_t data, chunk_t hashsig)
dbb7c030 979{
84d67ead
MW		 980 if (this->tls->get_version(this->tls) >= TLS_1_2)
981 {
dbb7c030
MW		 982 signature_scheme_t scheme;
983 tls_reader_t *reader;
984 u_int8_t hash, alg;
985 chunk_t sig;
986 bool done = FALSE;
987
d29a82a9
MW		 988 if (!hashsig.len)
989 { /* fallback if none given */
990 hashsig = chunk_from_chars(
991 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
992 }
dbb7c030
MW		 993 reader = tls_reader_create(hashsig);
994 while (reader->remaining(reader) >= 2)
400df4ca 995 {
dbb7c030
MW		 996 if (reader->read_uint8(reader, &hash) &&
997 reader->read_uint8(reader, &alg))
998 {
999 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1000 if (scheme != SIGN_UNKNOWN &&
d29a82a9 1001 key->sign(key, scheme, data, &sig))
dbb7c030
MW		 1002 {
1003 done = TRUE;
1004 break;
1005 }
1006 }
1007 }
1008 reader->destroy(reader);
1009 if (!done)
1010 {
1011 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
400df4ca
MW		 1012 return FALSE;
1013 }
d29a82a9 1014 DBG2(DBG_TLS, "created signature with %N/%N",
dbb7c030
MW		 1015 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1016 writer->write_uint8(writer, hash);
1017 writer->write_uint8(writer, alg);
400df4ca
MW		 1018 writer->write_data16(writer, sig);
1019 free(sig.ptr);
1020 }
1021 else
1022 {
dbb7c030 1023 chunk_t sig, hash;
d29a82a9 1024 bool done;
dbb7c030
MW		 1025
1026 switch (key->get_type(key))
400df4ca 1027 {
dbb7c030 1028 case KEY_RSA:
d29a82a9 1029 if (!hash_data(this, data, &hash))
dbb7c030
MW		 1030 {
1031 return FALSE;
1032 }
d29a82a9
MW		 1033 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1034 free(hash.ptr);
1035 if (!done)
dbb7c030 1036 {
dbb7c030
MW		 1037 return FALSE;
1038 }
d29a82a9 1039 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
dbb7c030
MW		 1040 break;
1041 case KEY_ECDSA:
d29a82a9 1042 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
dbb7c030
MW		 1043 {
1044 return FALSE;
1045 }
d29a82a9 1046 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
dbb7c030
MW		 1047 break;
1048 default:
1049 return FALSE;
400df4ca
MW		 1050 }
1051 writer->write_data16(writer, sig);
400df4ca
MW		 1052 free(sig.ptr);
1053 }
1054 return TRUE;
1055}
1056
d29a82a9
MW		 1057METHOD(tls_crypto_t, verify, bool,
1058 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1059 chunk_t data)
400df4ca
MW		 1060{
1061 if (this->tls->get_version(this->tls) >= TLS_1_2)
1062 {
dbb7c030 1063 signature_scheme_t scheme = SIGN_UNKNOWN;
400df4ca
MW		 1064 u_int8_t hash, alg;
1065 chunk_t sig;
84d67ead 1066
400df4ca
MW		 1067 if (!reader->read_uint8(reader, &hash) ||
1068 !reader->read_uint8(reader, &alg) ||
1069 !reader->read_data16(reader, &sig))
1070 {
d29a82a9 1071 DBG1(DBG_TLS, "received invalid signature");
400df4ca
MW		 1072 return FALSE;
1073 }
dbb7c030
MW		 1074 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1075 if (scheme == SIGN_UNKNOWN)
84d67ead 1076 {
d29a82a9 1077 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
dbb7c030
MW		 1078 tls_hash_algorithm_names, hash,
1079 tls_signature_algorithm_names, alg);
84d67ead
MW		 1080 return FALSE;
1081 }
d29a82a9 1082 if (!key->verify(key, scheme, data, sig))
dbb7c030
MW		 1083 {
1084 return FALSE;
1085 }
d29a82a9 1086 DBG2(DBG_TLS, "verified signature with %N/%N",
dbb7c030 1087 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
84d67ead
MW		 1088 }
1089 else
1090 {
400df4ca 1091 chunk_t sig, hash;
d29a82a9 1092 bool done;
84d67ead 1093
400df4ca
MW		 1094 if (!reader->read_data16(reader, &sig))
1095 {
d29a82a9 1096 DBG1(DBG_TLS, "received invalid signature");
400df4ca
MW		 1097 return FALSE;
1098 }
dbb7c030 1099 switch (key->get_type(key))
84d67ead 1100 {
dbb7c030 1101 case KEY_RSA:
d29a82a9 1102 if (!hash_data(this, data, &hash))
dbb7c030
MW		 1103 {
1104 return FALSE;
1105 }
d29a82a9
MW		 1106 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1107 free(hash.ptr);
1108 if (!done)
dbb7c030 1109 {
dbb7c030
MW		 1110 return FALSE;
1111 }
d29a82a9 1112 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
dbb7c030
MW		 1113 break;
1114 case KEY_ECDSA:
d29a82a9 1115 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
dbb7c030 1116 {
dbb7c030
MW		 1117 return FALSE;
1118 }
d29a82a9 1119 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
dbb7c030
MW		 1120 break;
1121 default:
1122 return FALSE;
84d67ead 1123 }
84d67ead
MW		 1124 }
1125 return TRUE;
1126}
1127
d29a82a9
MW		 1128METHOD(tls_crypto_t, sign_handshake, bool,
1129 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1130 chunk_t hashsig)
1131{
1132 return sign(this, key, writer, this->handshake, hashsig);
1133}
1134
1135METHOD(tls_crypto_t, verify_handshake, bool,
1136 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1137{
1138 return verify(this, key, reader, this->handshake);
1139}
1140
84d67ead
MW		 1141METHOD(tls_crypto_t, calculate_finished, bool,
1142 private_tls_crypto_t *this, char *label, char out[12])
1143{
1144 chunk_t seed;
1145
1146 if (!this->prf)
1147 {
1148 return FALSE;
1149 }
d29a82a9 1150 if (!hash_data(this, this->handshake, &seed))
84d67ead
MW		 1151 {
1152 return FALSE;
1153 }
1154 this->prf->get_bytes(this->prf, label, seed, 12, out);
1155 free(seed.ptr);
1156 return TRUE;
1157}
1158
1159METHOD(tls_crypto_t, derive_secrets, void,
18010de2
MW		 1160 private_tls_crypto_t *this, chunk_t premaster,
1161 chunk_t client_random, chunk_t server_random)
1162{
84543e6e
MW		 1163 char master[48];
1164 chunk_t seed, block, client_write, server_write;
1165 int mks, eks = 0, ivs = 0;
1166
1167 /* derive master secret */
1168 seed = chunk_cata("cc", client_random, server_random);
1169 this->prf->set_key(this->prf, premaster);
1170 this->prf->get_bytes(this->prf, "master secret", seed,
1171 sizeof(master), master);
1172
1173 this->prf->set_key(this->prf, chunk_from_thing(master));
1174 memset(master, 0, sizeof(master));
1175
1176 /* derive key block for key expansion */
1177 mks = this->signer_out->get_key_size(this->signer_out);
1178 if (this->crypter_out)
18010de2 1179 {
84543e6e 1180 eks = this->crypter_out->get_key_size(this->crypter_out);
f139b578 1181 if (this->tls->get_version(this->tls) < TLS_1_1)
18010de2 1182 {
3102d866 1183 ivs = this->crypter_out->get_iv_size(this->crypter_out);
84543e6e
MW		 1184 }
1185 }
1186 seed = chunk_cata("cc", server_random, client_random);
1187 block = chunk_alloca((mks + eks + ivs) * 2);
1188 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1189
1190 /* signer keys */
1191 client_write = chunk_create(block.ptr, mks);
1192 block = chunk_skip(block, mks);
1193 server_write = chunk_create(block.ptr, mks);
1194 block = chunk_skip(block, mks);
1195 if (this->tls->is_server(this->tls))
1196 {
1197 this->signer_in->set_key(this->signer_in, client_write);
1198 this->signer_out->set_key(this->signer_out, server_write);
1199 }
1200 else
1201 {
1202 this->signer_out->set_key(this->signer_out, client_write);
1203 this->signer_in->set_key(this->signer_in, server_write);
1204 }
1205
1206 /* crypter keys, and IVs if < TLSv1.2 */
1207 if (this->crypter_out && this->crypter_in)
1208 {
1209 client_write = chunk_create(block.ptr, eks);
1210 block = chunk_skip(block, eks);
1211 server_write = chunk_create(block.ptr, eks);
1212 block = chunk_skip(block, eks);
1213
1214 if (this->tls->is_server(this->tls))
1215 {
1216 this->crypter_in->set_key(this->crypter_in, client_write);
1217 this->crypter_out->set_key(this->crypter_out, server_write);
18010de2
MW		 1218 }
1219 else
1220 {
84543e6e
MW		 1221 this->crypter_out->set_key(this->crypter_out, client_write);
1222 this->crypter_in->set_key(this->crypter_in, server_write);
1223 }
1224 if (ivs)
1225 {
1226 client_write = chunk_create(block.ptr, ivs);
1227 block = chunk_skip(block, ivs);
1228 server_write = chunk_create(block.ptr, ivs);
1229 block = chunk_skip(block, ivs);
1230
1231 if (this->tls->is_server(this->tls))
18010de2 1232 {
84543e6e
MW		 1233 this->iv_in = chunk_clone(client_write);
1234 this->iv_out = chunk_clone(server_write);
1235 }
1236 else
1237 {
1238 this->iv_out = chunk_clone(client_write);
1239 this->iv_in = chunk_clone(server_write);
18010de2 1240 }
536dbc00
MW		 1241 }
1242 }
84543e6e 1243}
18010de2 1244
84543e6e
MW		 1245METHOD(tls_crypto_t, change_cipher, void,
1246 private_tls_crypto_t *this, bool inbound)
1247{
dc9f34be 1248 if (this->protection)
84543e6e 1249 {
dc9f34be
MW		 1250 if (inbound)
1251 {
1252 this->protection->set_cipher(this->protection, TRUE,
1253 this->signer_in, this->crypter_in, this->iv_in);
1254 }
1255 else
1256 {
1257 this->protection->set_cipher(this->protection, FALSE,
1258 this->signer_out, this->crypter_out, this->iv_out);
1259 }
18010de2 1260 }
536dbc00
MW		 1261}
1262
84d67ead
MW		 1263METHOD(tls_crypto_t, derive_eap_msk, void,
1264 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
18010de2 1265{
bda7d9d9
MW		 1266 if (this->msk_label)
1267 {
1268 chunk_t seed;
84d67ead 1269
bda7d9d9
MW		 1270 seed = chunk_cata("cc", client_random, server_random);
1271 free(this->msk.ptr);
1272 this->msk = chunk_alloc(64);
1273 this->prf->get_bytes(this->prf, this->msk_label, seed,
1274 this->msk.len, this->msk.ptr);
1275 }
18010de2 1276}
536dbc00 1277
51313a39
MW		 1278METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1279 private_tls_crypto_t *this)
1280{
1281 return this->msk;
1282}
1283
536dbc00
MW		 1284METHOD(tls_crypto_t, destroy, void,
1285 private_tls_crypto_t *this)
1286{
84543e6e
MW		 1287 DESTROY_IF(this->signer_in);
1288 DESTROY_IF(this->signer_out);
1289 DESTROY_IF(this->crypter_in);
1290 DESTROY_IF(this->crypter_out);
1291 free(this->iv_in.ptr);
1292 free(this->iv_out.ptr);
84d67ead 1293 free(this->handshake.ptr);
51313a39 1294 free(this->msk.ptr);
18010de2 1295 DESTROY_IF(this->prf);
84543e6e 1296 free(this->suites);
536dbc00
MW		 1297 free(this);
1298}
1299
1300/**
1301 * See header
1302 */
96b2fbcc 1303tls_crypto_t *tls_crypto_create(tls_t *tls)
536dbc00
MW		 1304{
1305 private_tls_crypto_t *this;
1306
1307 INIT(this,
1308 .public = {
1309 .get_cipher_suites = _get_cipher_suites,
18010de2 1310 .select_cipher_suite = _select_cipher_suite,
35d9c15d 1311 .get_dh_group = _get_dh_group,
d29a82a9 1312 .get_signature_algorithms = _get_signature_algorithms,
37a59a8f 1313 .get_curves = _get_curves,
dc9f34be 1314 .set_protection = _set_protection,
84d67ead 1315 .append_handshake = _append_handshake,
d29a82a9
MW		 1316 .sign = _sign,
1317 .verify = _verify,
84d67ead 1318 .sign_handshake = _sign_handshake,
400df4ca 1319 .verify_handshake = _verify_handshake,
84d67ead
MW		 1320 .calculate_finished = _calculate_finished,
1321 .derive_secrets = _derive_secrets,
84543e6e 1322 .change_cipher = _change_cipher,
84d67ead 1323 .derive_eap_msk = _derive_eap_msk,
51313a39 1324 .get_eap_msk = _get_eap_msk,
536dbc00
MW		 1325 .destroy = _destroy,
1326 },
18010de2 1327 .tls = tls,
536dbc00
MW		 1328 );
1329
96b2fbcc
MW		 1330 switch (tls->get_purpose(tls))
1331 {
1332 case TLS_PURPOSE_EAP_TLS:
1333 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1334 this->msk_label = "client EAP encryption";
1335 build_cipher_suite_list(this, FALSE);
1336 break;
1337 case TLS_PURPOSE_EAP_TTLS:
1338 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1339 this->msk_label = "ttls keying material";
1340 build_cipher_suite_list(this, TRUE);
1341 break;
bda7d9d9 1342 case TLS_PURPOSE_GENERIC:
bda7d9d9
MW		 1343 build_cipher_suite_list(this, TRUE);
1344 break;
96b2fbcc 1345 }
536dbc00
MW		 1346 return &this->public;
1347}
Unnamed repository; edit this file 'description' to name the repository.