]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Added TLS EC curve type and name identifiers
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
CommitLineData
536dbc00
MW		 1/*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16#include "tls_crypto.h"
17
0f82a470 18#include <debug.h>
18010de2 19
4657b3a4
AS		 20ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
37d2d7e1 40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
4657b3a4
AS		 41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
37d2d7e1 62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
4657b3a4
AS		 63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
37d2d7e1 92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
4657b3a4
AS		 93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
37d2d7e1 105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
4657b3a4
AS		 106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
37d2d7e1 174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
4657b3a4
AS		 175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
37d2d7e1 178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
4657b3a4
AS		 179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
9dd2ca92
MW		 241ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249);
250
251ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255);
256
99dcaea9
MW		 257ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
691ca54d
MW		 275ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279);
280
281ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307);
308
99dcaea9 309
536dbc00
MW		 310typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312/**
313 * Private data of an tls_crypto_t object.
314 */
315struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
18010de2 321
dc9f34be
MW		 322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
18010de2
MW		 327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
84d67ead
MW		 347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
18010de2
MW		 352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
84543e6e
MW		 356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
51313a39
MW		 386
387 /**
a6444fcd 388 * EAP-[T]TLS MSK
51313a39
MW		 389 */
390 chunk_t msk;
a6444fcd
AS		 391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
536dbc00
MW		 396};
397
84543e6e
MW		 398typedef struct {
399 tls_cipher_suite_t suite;
400 hash_algorithm_t hash;
401 pseudo_random_function_t prf;
35d9c15d 402 diffie_hellman_group_t dh;
84543e6e
MW		 403 integrity_algorithm_t mac;
404 encryption_algorithm_t encr;
405 size_t encr_size;
406} suite_algs_t;
407
408/**
409 * Mapping suites to a set of algorithms
410 */
411static suite_algs_t suite_algs[] = {
ef0a8e58
MW		 412 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
413 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
414 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
415 },
416 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
417 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_3072_BIT,
418 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
419 },
420 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
421 HASH_SHA1, PRF_HMAC_SHA1, MODP_3072_BIT,
422 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
423 },
424 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
425 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_4096_BIT,
426 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
427 },
428 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
429 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
430 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
431 },
432 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
433 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_3072_BIT,
434 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
435 },
436 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
437 HASH_SHA1, PRF_HMAC_SHA1, MODP_3072_BIT,
438 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
439 },
440 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
441 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_4096_BIT,
442 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
443 },
444 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
445 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
446 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
447 },
84543e6e 448 { TLS_RSA_WITH_AES_128_CBC_SHA,
35d9c15d 449 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
6e413d9c
MW		 450 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
451 },
452 { TLS_RSA_WITH_AES_128_CBC_SHA256,
35d9c15d 453 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
6e413d9c 454 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
84543e6e
MW		 455 },
456 { TLS_RSA_WITH_AES_256_CBC_SHA,
35d9c15d 457 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
6e413d9c 458 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
84543e6e 459 },
6e413d9c 460 { TLS_RSA_WITH_AES_256_CBC_SHA256,
35d9c15d 461 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
6e413d9c 462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
84543e6e 463 },
6e413d9c 464 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
35d9c15d 465 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
6e413d9c
MW		 466 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
467 },
468 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
35d9c15d 469 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
6e413d9c
MW		 470 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
471 },
472 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
35d9c15d 473 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
6e413d9c
MW		 474 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
475 },
476 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
35d9c15d 477 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
6e413d9c 478 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
84543e6e 479 },
2bf0e74c 480 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
35d9c15d 481 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
2bf0e74c
MW		 482 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
483 },
484 { TLS_RSA_WITH_NULL_SHA,
35d9c15d 485 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
2bf0e74c
MW		 486 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
487 },
488 { TLS_RSA_WITH_NULL_SHA256,
35d9c15d 489 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
2bf0e74c
MW		 490 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
491 },
492 { TLS_RSA_WITH_NULL_MD5,
35d9c15d 493 HASH_MD5, PRF_HMAC_MD5, MODP_NONE,
2bf0e74c
MW		 494 AUTH_HMAC_MD5_128, ENCR_NULL, 0
495 },
84543e6e
MW		 496};
497
498/**
499 * Look up algoritms by a suite
500 */
501static suite_algs_t *find_suite(tls_cipher_suite_t suite)
502{
503 int i;
504
505 for (i = 0; i < countof(suite_algs); i++)
506 {
507 if (suite_algs[i].suite == suite)
508 {
509 return &suite_algs[i];
510 }
511 }
512 return NULL;
513}
514
18010de2 515/**
a2bfc45b 516 * Filter a suite list using a transform enumerator
18010de2 517 */
a2bfc45b
MW		 518static void filter_suite(private_tls_crypto_t *this,
519 suite_algs_t suites[], int *count, int offset,
520 enumerator_t*(*create_enumerator)(crypto_factory_t*))
536dbc00 521{
a2bfc45b
MW		 522 suite_algs_t current;
523 int i, remaining = 0;
524 enumerator_t *enumerator;
536dbc00 525
a2bfc45b
MW		 526 memset(&current, 0, sizeof(current));
527 for (i = 0; i < *count; i++)
536dbc00 528 {
a2bfc45b
MW		 529 enumerator = create_enumerator(lib->crypto);
530 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
536dbc00 531 {
a2bfc45b
MW		 532 if ((suites[i].encr == ENCR_NULL ||
533 !current.encr || current.encr == suites[i].encr) &&
534 (!current.mac || current.mac == suites[i].mac) &&
535 (!current.prf || current.prf == suites[i].prf) &&
536 (!current.hash || current.hash == suites[i].hash))
536dbc00 537 {
a2bfc45b
MW		 538 suites[remaining] = suites[i];
539 remaining++;
540 break;
536dbc00
MW		 541 }
542 }
a2bfc45b 543 enumerator->destroy(enumerator);
536dbc00 544 }
a2bfc45b
MW		 545 *count = remaining;
546}
547
96b2fbcc
MW		 548/**
549 * Purge NULL encryption cipher suites from list
550 */
551static void filter_null_suites(private_tls_crypto_t *this,
552 suite_algs_t suites[], int *count)
553{
554 int i, remaining = 0;
555
556 for (i = 0; i < *count; i++)
557 {
558 if (suites[i].encr != ENCR_NULL)
559 {
560 suites[remaining] = suites[i];
561 remaining++;
562 }
563 }
564 *count = remaining;
565}
566
a2bfc45b
MW		 567/**
568 * Initialize the cipher suite list
569 */
96b2fbcc
MW		 570static void build_cipher_suite_list(private_tls_crypto_t *this,
571 bool require_encryption)
a2bfc45b
MW		 572{
573 suite_algs_t suites[countof(suite_algs)];
574 int count = countof(suite_algs), i;
536dbc00 575
a2bfc45b 576 /* copy all suites */
536dbc00
MW		 577 for (i = 0; i < count; i++)
578 {
a2bfc45b 579 suites[i] = suite_algs[i];
18010de2 580 }
96b2fbcc
MW		 581 if (require_encryption)
582 {
583 filter_null_suites(this, suites, &count);
584 }
a2bfc45b
MW		 585 /* filter suite list by each algorithm */
586 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
587 lib->crypto->create_crypter_enumerator);
588 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
589 lib->crypto->create_signer_enumerator);
590 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
591 lib->crypto->create_prf_enumerator);
592 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
593 lib->crypto->create_hasher_enumerator);
594
56a1167b
AS		 595 free(this->suites);
596 this->suite_count = count;
597 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
598
3c19b346 599 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
a2bfc45b
MW		 600 for (i = 0; i < count; i++)
601 {
3c19b346 602 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
56a1167b 603 this->suites[i] = suites[i].suite;
a2bfc45b 604 }
18010de2
MW		 605}
606
607METHOD(tls_crypto_t, get_cipher_suites, int,
608 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
609{
610 *suites = this->suites;
611 return this->suite_count;
612}
613
84543e6e
MW		 614/**
615 * Create crypto primitives
616 */
617static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
618{
619 suite_algs_t *algs;
620
621 algs = find_suite(suite);
622 if (!algs)
623 {
3c19b346 624 DBG1(DBG_TLS, "selected TLS suite not supported");
84543e6e
MW		 625 return FALSE;
626 }
627
628 DESTROY_IF(this->prf);
629 if (this->tls->get_version(this->tls) < TLS_1_2)
630 {
631 this->prf = tls_prf_create_10();
632 }
633 else
634 {
635 this->prf = tls_prf_create_12(algs->prf);
636 }
637 if (!this->prf)
638 {
3c19b346 639 DBG1(DBG_TLS, "selected TLS PRF not supported");
84543e6e
MW		 640 return FALSE;
641 }
642
643 DESTROY_IF(this->signer_in);
644 DESTROY_IF(this->signer_out);
645 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
646 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
647 if (!this->signer_in || !this->signer_out)
648 {
3c19b346 649 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
84543e6e
MW		 650 integrity_algorithm_names, algs->mac);
651 return FALSE;
652 }
653
654 DESTROY_IF(this->crypter_in);
655 DESTROY_IF(this->crypter_out);
656 if (algs->encr == ENCR_NULL)
657 {
658 this->crypter_in = this->crypter_out = NULL;
659 }
660 else
661 {
662 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
663 algs->encr, algs->encr_size);
664 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
665 algs->encr, algs->encr_size);
666 if (!this->crypter_in || !this->crypter_out)
667 {
3c19b346 668 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
84543e6e
MW		 669 encryption_algorithm_names, algs->encr);
670 return FALSE;
671 }
672 }
673 return TRUE;
674}
675
18010de2
MW		 676METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
677 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
678{
679 int i, j;
680
681 for (i = 0; i < this->suite_count; i++)
682 {
683 for (j = 0; j < count; j++)
684 {
685 if (this->suites[i] == suites[j])
686 {
84543e6e
MW		 687 if (create_ciphers(this, this->suites[i]))
688 {
689 this->suite = this->suites[i];
690 return this->suite;
691 }
18010de2
MW		 692 }
693 }
694 }
695 return 0;
696}
697
35d9c15d
MW		 698METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
699 private_tls_crypto_t *this)
700{
701 suite_algs_t *algs;
702
703 algs = find_suite(this->suite);
704 if (algs)
705 {
706 return algs->dh;
707 }
708 return MODP_NONE;
709}
710
d29a82a9
MW		 711METHOD(tls_crypto_t, get_signature_algorithms, void,
712 private_tls_crypto_t *this, tls_writer_t *writer)
713{
714 tls_writer_t *supported;
715 enumerator_t *enumerator;
716 hash_algorithm_t alg;
717 tls_hash_algorithm_t hash;
718
719 supported = tls_writer_create(32);
720 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
721 while (enumerator->enumerate(enumerator, &alg))
722 {
723 switch (alg)
724 {
725 case HASH_MD5:
726 hash = TLS_HASH_MD5;
727 break;
728 case HASH_SHA1:
729 hash = TLS_HASH_SHA1;
730 break;
731 case HASH_SHA224:
732 hash = TLS_HASH_SHA224;
733 break;
734 case HASH_SHA256:
735 hash = TLS_HASH_SHA256;
736 break;
737 case HASH_SHA384:
738 hash = TLS_HASH_SHA384;
739 break;
740 case HASH_SHA512:
741 hash = TLS_HASH_SHA512;
742 break;
743 default:
744 continue;
745 }
746 supported->write_uint8(supported, hash);
747 supported->write_uint8(supported, TLS_SIG_RSA);
748 if (alg != HASH_MD5 && alg != HASH_SHA224)
749 {
750 supported->write_uint8(supported, hash);
751 supported->write_uint8(supported, TLS_SIG_ECDSA);
752 }
753 }
754 enumerator->destroy(enumerator);
755
756 writer->write_data16(writer, supported->get_buf(supported));
757 supported->destroy(supported);
758}
759
dc9f34be
MW		 760METHOD(tls_crypto_t, set_protection, void,
761 private_tls_crypto_t *this, tls_protection_t *protection)
762{
763 this->protection = protection;
764}
765
84d67ead
MW		 766METHOD(tls_crypto_t, append_handshake, void,
767 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
768{
769 u_int32_t header;
770
771 /* reconstruct handshake header */
772 header = htonl(data.len | (type << 24));
773 this->handshake = chunk_cat("mcc", this->handshake,
774 chunk_from_thing(header), data);
775}
776
777/**
d29a82a9 778 * Create a hash using the suites HASH algorithm
84d67ead 779 */
d29a82a9 780static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
84d67ead
MW		 781{
782 if (this->tls->get_version(this->tls) >= TLS_1_2)
783 {
784 hasher_t *hasher;
785 suite_algs_t *alg;
786
787 alg = find_suite(this->suite);
788 if (!alg)
789 {
790 return FALSE;
791 }
792 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
793 if (!hasher)
794 {
3c19b346 795 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
84d67ead
MW		 796 return FALSE;
797 }
d29a82a9 798 hasher->allocate_hash(hasher, data, hash);
84d67ead
MW		 799 hasher->destroy(hasher);
800 }
801 else
802 {
803 hasher_t *md5, *sha1;
804 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
805
806 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
807 if (!md5)
808 {
3c19b346 809 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
84d67ead
MW		 810 return FALSE;
811 }
d29a82a9 812 md5->get_hash(md5, data, buf);
84d67ead
MW		 813 md5->destroy(md5);
814 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
815 if (!sha1)
816 {
3c19b346 817 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
84d67ead
MW		 818 return FALSE;
819 }
d29a82a9 820 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
84d67ead
MW		 821 sha1->destroy(sha1);
822
823 *hash = chunk_clone(chunk_from_thing(buf));
824 }
825 return TRUE;
826}
827
dbb7c030
MW		 828/**
829 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
830 */
831static signature_scheme_t hashsig_to_scheme(key_type_t type,
832 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
84d67ead 833{
dbb7c030
MW		 834 switch (sig)
835 {
836 case TLS_SIG_RSA:
837 if (type != KEY_RSA)
838 {
839 return SIGN_UNKNOWN;
840 }
841 switch (hash)
842 {
843 case TLS_HASH_MD5:
844 return SIGN_RSA_EMSA_PKCS1_MD5;
845 case TLS_HASH_SHA1:
846 return SIGN_RSA_EMSA_PKCS1_SHA1;
847 case TLS_HASH_SHA224:
848 return SIGN_RSA_EMSA_PKCS1_SHA224;
849 case TLS_HASH_SHA256:
850 return SIGN_RSA_EMSA_PKCS1_SHA256;
851 case TLS_HASH_SHA384:
852 return SIGN_RSA_EMSA_PKCS1_SHA384;
853 case TLS_HASH_SHA512:
854 return SIGN_RSA_EMSA_PKCS1_SHA512;
855 default:
856 return SIGN_UNKNOWN;
857 }
858 case TLS_SIG_ECDSA:
859 if (type != KEY_ECDSA)
860 {
861 return SIGN_UNKNOWN;
862 }
863 switch (hash)
864 {
865 case TLS_HASH_SHA224:
866 return SIGN_ECDSA_WITH_SHA1_DER;
867 case TLS_HASH_SHA256:
868 return SIGN_ECDSA_WITH_SHA256_DER;
869 case TLS_HASH_SHA384:
870 return SIGN_ECDSA_WITH_SHA384_DER;
871 case TLS_HASH_SHA512:
872 return SIGN_ECDSA_WITH_SHA512_DER;
873 default:
874 return SIGN_UNKNOWN;
875 }
876 default:
877 return SIGN_UNKNOWN;
878 }
879}
400df4ca 880
d29a82a9 881METHOD(tls_crypto_t, sign, bool,
dbb7c030 882 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
d29a82a9 883 chunk_t data, chunk_t hashsig)
dbb7c030 884{
84d67ead
MW		 885 if (this->tls->get_version(this->tls) >= TLS_1_2)
886 {
dbb7c030
MW		 887 signature_scheme_t scheme;
888 tls_reader_t *reader;
889 u_int8_t hash, alg;
890 chunk_t sig;
891 bool done = FALSE;
892
d29a82a9
MW		 893 if (!hashsig.len)
894 { /* fallback if none given */
895 hashsig = chunk_from_chars(
896 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
897 }
dbb7c030
MW		 898 reader = tls_reader_create(hashsig);
899 while (reader->remaining(reader) >= 2)
400df4ca 900 {
dbb7c030
MW		 901 if (reader->read_uint8(reader, &hash) &&
902 reader->read_uint8(reader, &alg))
903 {
904 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
905 if (scheme != SIGN_UNKNOWN &&
d29a82a9 906 key->sign(key, scheme, data, &sig))
dbb7c030
MW		 907 {
908 done = TRUE;
909 break;
910 }
911 }
912 }
913 reader->destroy(reader);
914 if (!done)
915 {
916 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
400df4ca
MW		 917 return FALSE;
918 }
d29a82a9 919 DBG2(DBG_TLS, "created signature with %N/%N",
dbb7c030
MW		 920 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
921 writer->write_uint8(writer, hash);
922 writer->write_uint8(writer, alg);
400df4ca
MW		 923 writer->write_data16(writer, sig);
924 free(sig.ptr);
925 }
926 else
927 {
dbb7c030 928 chunk_t sig, hash;
d29a82a9 929 bool done;
dbb7c030
MW		 930
931 switch (key->get_type(key))
400df4ca 932 {
dbb7c030 933 case KEY_RSA:
d29a82a9 934 if (!hash_data(this, data, &hash))
dbb7c030
MW		 935 {
936 return FALSE;
937 }
d29a82a9
MW		 938 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
939 free(hash.ptr);
940 if (!done)
dbb7c030 941 {
dbb7c030
MW		 942 return FALSE;
943 }
d29a82a9 944 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
dbb7c030
MW		 945 break;
946 case KEY_ECDSA:
d29a82a9 947 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
dbb7c030
MW		 948 {
949 return FALSE;
950 }
d29a82a9 951 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
dbb7c030
MW		 952 break;
953 default:
954 return FALSE;
400df4ca
MW		 955 }
956 writer->write_data16(writer, sig);
400df4ca
MW		 957 free(sig.ptr);
958 }
959 return TRUE;
960}
961
d29a82a9
MW		 962METHOD(tls_crypto_t, verify, bool,
963 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
964 chunk_t data)
400df4ca
MW		 965{
966 if (this->tls->get_version(this->tls) >= TLS_1_2)
967 {
dbb7c030 968 signature_scheme_t scheme = SIGN_UNKNOWN;
400df4ca
MW		 969 u_int8_t hash, alg;
970 chunk_t sig;
84d67ead 971
400df4ca
MW		 972 if (!reader->read_uint8(reader, &hash) ||
973 !reader->read_uint8(reader, &alg) ||
974 !reader->read_data16(reader, &sig))
975 {
d29a82a9 976 DBG1(DBG_TLS, "received invalid signature");
400df4ca
MW		 977 return FALSE;
978 }
dbb7c030
MW		 979 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
980 if (scheme == SIGN_UNKNOWN)
84d67ead 981 {
d29a82a9 982 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
dbb7c030
MW		 983 tls_hash_algorithm_names, hash,
984 tls_signature_algorithm_names, alg);
84d67ead
MW		 985 return FALSE;
986 }
d29a82a9 987 if (!key->verify(key, scheme, data, sig))
dbb7c030
MW		 988 {
989 return FALSE;
990 }
d29a82a9 991 DBG2(DBG_TLS, "verified signature with %N/%N",
dbb7c030 992 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
84d67ead
MW		 993 }
994 else
995 {
400df4ca 996 chunk_t sig, hash;
d29a82a9 997 bool done;
84d67ead 998
400df4ca
MW		 999 if (!reader->read_data16(reader, &sig))
1000 {
d29a82a9 1001 DBG1(DBG_TLS, "received invalid signature");
400df4ca
MW		 1002 return FALSE;
1003 }
dbb7c030 1004 switch (key->get_type(key))
84d67ead 1005 {
dbb7c030 1006 case KEY_RSA:
d29a82a9 1007 if (!hash_data(this, data, &hash))
dbb7c030
MW		 1008 {
1009 return FALSE;
1010 }
d29a82a9
MW		 1011 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1012 free(hash.ptr);
1013 if (!done)
dbb7c030 1014 {
dbb7c030
MW		 1015 return FALSE;
1016 }
d29a82a9 1017 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
dbb7c030
MW		 1018 break;
1019 case KEY_ECDSA:
d29a82a9 1020 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
dbb7c030 1021 {
dbb7c030
MW		 1022 return FALSE;
1023 }
d29a82a9 1024 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
dbb7c030
MW		 1025 break;
1026 default:
1027 return FALSE;
84d67ead 1028 }
84d67ead
MW		 1029 }
1030 return TRUE;
1031}
1032
d29a82a9
MW		 1033METHOD(tls_crypto_t, sign_handshake, bool,
1034 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1035 chunk_t hashsig)
1036{
1037 return sign(this, key, writer, this->handshake, hashsig);
1038}
1039
1040METHOD(tls_crypto_t, verify_handshake, bool,
1041 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1042{
1043 return verify(this, key, reader, this->handshake);
1044}
1045
84d67ead
MW		 1046METHOD(tls_crypto_t, calculate_finished, bool,
1047 private_tls_crypto_t *this, char *label, char out[12])
1048{
1049 chunk_t seed;
1050
1051 if (!this->prf)
1052 {
1053 return FALSE;
1054 }
d29a82a9 1055 if (!hash_data(this, this->handshake, &seed))
84d67ead
MW		 1056 {
1057 return FALSE;
1058 }
1059 this->prf->get_bytes(this->prf, label, seed, 12, out);
1060 free(seed.ptr);
1061 return TRUE;
1062}
1063
1064METHOD(tls_crypto_t, derive_secrets, void,
18010de2
MW		 1065 private_tls_crypto_t *this, chunk_t premaster,
1066 chunk_t client_random, chunk_t server_random)
1067{
84543e6e
MW		 1068 char master[48];
1069 chunk_t seed, block, client_write, server_write;
1070 int mks, eks = 0, ivs = 0;
1071
1072 /* derive master secret */
1073 seed = chunk_cata("cc", client_random, server_random);
1074 this->prf->set_key(this->prf, premaster);
1075 this->prf->get_bytes(this->prf, "master secret", seed,
1076 sizeof(master), master);
1077
1078 this->prf->set_key(this->prf, chunk_from_thing(master));
1079 memset(master, 0, sizeof(master));
1080
1081 /* derive key block for key expansion */
1082 mks = this->signer_out->get_key_size(this->signer_out);
1083 if (this->crypter_out)
18010de2 1084 {
84543e6e 1085 eks = this->crypter_out->get_key_size(this->crypter_out);
f139b578 1086 if (this->tls->get_version(this->tls) < TLS_1_1)
18010de2 1087 {
3102d866 1088 ivs = this->crypter_out->get_iv_size(this->crypter_out);
84543e6e
MW		 1089 }
1090 }
1091 seed = chunk_cata("cc", server_random, client_random);
1092 block = chunk_alloca((mks + eks + ivs) * 2);
1093 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1094
1095 /* signer keys */
1096 client_write = chunk_create(block.ptr, mks);
1097 block = chunk_skip(block, mks);
1098 server_write = chunk_create(block.ptr, mks);
1099 block = chunk_skip(block, mks);
1100 if (this->tls->is_server(this->tls))
1101 {
1102 this->signer_in->set_key(this->signer_in, client_write);
1103 this->signer_out->set_key(this->signer_out, server_write);
1104 }
1105 else
1106 {
1107 this->signer_out->set_key(this->signer_out, client_write);
1108 this->signer_in->set_key(this->signer_in, server_write);
1109 }
1110
1111 /* crypter keys, and IVs if < TLSv1.2 */
1112 if (this->crypter_out && this->crypter_in)
1113 {
1114 client_write = chunk_create(block.ptr, eks);
1115 block = chunk_skip(block, eks);
1116 server_write = chunk_create(block.ptr, eks);
1117 block = chunk_skip(block, eks);
1118
1119 if (this->tls->is_server(this->tls))
1120 {
1121 this->crypter_in->set_key(this->crypter_in, client_write);
1122 this->crypter_out->set_key(this->crypter_out, server_write);
18010de2
MW		 1123 }
1124 else
1125 {
84543e6e
MW		 1126 this->crypter_out->set_key(this->crypter_out, client_write);
1127 this->crypter_in->set_key(this->crypter_in, server_write);
1128 }
1129 if (ivs)
1130 {
1131 client_write = chunk_create(block.ptr, ivs);
1132 block = chunk_skip(block, ivs);
1133 server_write = chunk_create(block.ptr, ivs);
1134 block = chunk_skip(block, ivs);
1135
1136 if (this->tls->is_server(this->tls))
18010de2 1137 {
84543e6e
MW		 1138 this->iv_in = chunk_clone(client_write);
1139 this->iv_out = chunk_clone(server_write);
1140 }
1141 else
1142 {
1143 this->iv_out = chunk_clone(client_write);
1144 this->iv_in = chunk_clone(server_write);
18010de2 1145 }
536dbc00
MW		 1146 }
1147 }
84543e6e 1148}
18010de2 1149
84543e6e
MW		 1150METHOD(tls_crypto_t, change_cipher, void,
1151 private_tls_crypto_t *this, bool inbound)
1152{
dc9f34be 1153 if (this->protection)
84543e6e 1154 {
dc9f34be
MW		 1155 if (inbound)
1156 {
1157 this->protection->set_cipher(this->protection, TRUE,
1158 this->signer_in, this->crypter_in, this->iv_in);
1159 }
1160 else
1161 {
1162 this->protection->set_cipher(this->protection, FALSE,
1163 this->signer_out, this->crypter_out, this->iv_out);
1164 }
18010de2 1165 }
536dbc00
MW		 1166}
1167
84d67ead
MW		 1168METHOD(tls_crypto_t, derive_eap_msk, void,
1169 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
18010de2 1170{
bda7d9d9
MW		 1171 if (this->msk_label)
1172 {
1173 chunk_t seed;
84d67ead 1174
bda7d9d9
MW		 1175 seed = chunk_cata("cc", client_random, server_random);
1176 free(this->msk.ptr);
1177 this->msk = chunk_alloc(64);
1178 this->prf->get_bytes(this->prf, this->msk_label, seed,
1179 this->msk.len, this->msk.ptr);
1180 }
18010de2 1181}
536dbc00 1182
51313a39
MW		 1183METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1184 private_tls_crypto_t *this)
1185{
1186 return this->msk;
1187}
1188
536dbc00
MW		 1189METHOD(tls_crypto_t, destroy, void,
1190 private_tls_crypto_t *this)
1191{
84543e6e
MW		 1192 DESTROY_IF(this->signer_in);
1193 DESTROY_IF(this->signer_out);
1194 DESTROY_IF(this->crypter_in);
1195 DESTROY_IF(this->crypter_out);
1196 free(this->iv_in.ptr);
1197 free(this->iv_out.ptr);
84d67ead 1198 free(this->handshake.ptr);
51313a39 1199 free(this->msk.ptr);
18010de2 1200 DESTROY_IF(this->prf);
84543e6e 1201 free(this->suites);
536dbc00
MW		 1202 free(this);
1203}
1204
1205/**
1206 * See header
1207 */
96b2fbcc 1208tls_crypto_t *tls_crypto_create(tls_t *tls)
536dbc00
MW		 1209{
1210 private_tls_crypto_t *this;
1211
1212 INIT(this,
1213 .public = {
1214 .get_cipher_suites = _get_cipher_suites,
18010de2 1215 .select_cipher_suite = _select_cipher_suite,
35d9c15d 1216 .get_dh_group = _get_dh_group,
d29a82a9 1217 .get_signature_algorithms = _get_signature_algorithms,
dc9f34be 1218 .set_protection = _set_protection,
84d67ead 1219 .append_handshake = _append_handshake,
d29a82a9
MW		 1220 .sign = _sign,
1221 .verify = _verify,
84d67ead 1222 .sign_handshake = _sign_handshake,
400df4ca 1223 .verify_handshake = _verify_handshake,
84d67ead
MW		 1224 .calculate_finished = _calculate_finished,
1225 .derive_secrets = _derive_secrets,
84543e6e 1226 .change_cipher = _change_cipher,
84d67ead 1227 .derive_eap_msk = _derive_eap_msk,
51313a39 1228 .get_eap_msk = _get_eap_msk,
536dbc00
MW		 1229 .destroy = _destroy,
1230 },
18010de2 1231 .tls = tls,
536dbc00
MW		 1232 );
1233
96b2fbcc
MW		 1234 switch (tls->get_purpose(tls))
1235 {
1236 case TLS_PURPOSE_EAP_TLS:
1237 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1238 this->msk_label = "client EAP encryption";
1239 build_cipher_suite_list(this, FALSE);
1240 break;
1241 case TLS_PURPOSE_EAP_TTLS:
1242 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1243 this->msk_label = "ttls keying material";
1244 build_cipher_suite_list(this, TRUE);
1245 break;
bda7d9d9 1246 case TLS_PURPOSE_GENERIC:
bda7d9d9
MW		 1247 build_cipher_suite_list(this, TRUE);
1248 break;
96b2fbcc 1249 }
536dbc00
MW		 1250 return &this->public;
1251}
Unnamed repository; edit this file 'description' to name the repository.