2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "tls_crypto.h"
18 #include <utils/debug.h>
19 #include <plugins/plugin_feature.h>
21 ENUM_BEGIN(tls_cipher_suite_names
, TLS_NULL_WITH_NULL_NULL
,
22 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
23 "TLS_NULL_WITH_NULL_NULL",
24 "TLS_RSA_WITH_NULL_MD5",
25 "TLS_RSA_WITH_NULL_SHA",
26 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
27 "TLS_RSA_WITH_RC4_128_MD5",
28 "TLS_RSA_WITH_RC4_128_SHA",
29 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
30 "TLS_RSA_WITH_IDEA_CBC_SHA",
31 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
32 "TLS_RSA_WITH_DES_CBC_SHA",
33 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
34 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
35 "TLS_DH_DSS_WITH_DES_CBC_SHA",
36 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
37 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
38 "TLS_DH_RSA_WITH_DES_CBC_SHA",
39 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
40 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
41 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
42 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
43 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
44 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
45 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
46 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
47 "TLS_DH_anon_WITH_RC4_128_MD5",
48 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
49 "TLS_DH_anon_WITH_DES_CBC_SHA",
50 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
51 ENUM_NEXT(tls_cipher_suite_names
, TLS_KRB5_WITH_DES_CBC_SHA
,
52 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
53 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
54 "TLS_KRB5_WITH_DES_CBC_SHA",
55 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
56 "TLS_KRB5_WITH_RC4_128_SHA",
57 "TLS_KRB5_WITH_IDEA_CBC_SHA",
58 "TLS_KRB5_WITH_DES_CBC_MD5",
59 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
60 "TLS_KRB5_WITH_RC4_128_MD5",
61 "TLS_KRB5_WITH_IDEA_CBC_MD5",
62 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
65 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
67 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
68 "TLS_PSK_WITH_NULL_SHA",
69 "TLS_DHE_PSK_WITH_NULL_SHA",
70 "TLS_RSA_PSK_WITH_NULL_SHA",
71 "TLS_RSA_WITH_AES_128_CBC_SHA",
72 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
73 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
75 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
76 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
77 "TLS_RSA_WITH_AES_256_CBC_SHA",
78 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
79 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
81 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
82 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
83 "TLS_RSA_WITH_NULL_SHA256",
84 "TLS_RSA_WITH_AES_128_CBC_SHA256",
85 "TLS_RSA_WITH_AES_256_CBC_SHA256",
86 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
87 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
88 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
89 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
94 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
95 ENUM_NEXT(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
96 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
97 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
98 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
104 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
105 ENUM_NEXT(tls_cipher_suite_names
, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
106 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
107 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
108 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
114 "TLS_PSK_WITH_RC4_128_SHA",
115 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
116 "TLS_PSK_WITH_AES_128_CBC_SHA",
117 "TLS_PSK_WITH_AES_256_CBC_SHA",
118 "TLS_DHE_PSK_WITH_RC4_128_SHA",
119 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
121 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
122 "TLS_RSA_PSK_WITH_RC4_128_SHA",
123 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
125 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
126 "TLS_RSA_WITH_SEED_CBC_SHA",
127 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
128 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
129 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
130 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
131 "TLS_DH_anon_WITH_SEED_CBC_SHA",
132 "TLS_RSA_WITH_AES_128_GCM_SHA256",
133 "TLS_RSA_WITH_AES_256_GCM_SHA384",
134 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
135 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
136 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
137 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
138 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
139 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
140 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
141 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
142 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
143 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
144 "TLS_PSK_WITH_AES_128_GCM_SHA256",
145 "TLS_PSK_WITH_AES_256_GCM_SHA384",
146 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
147 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
148 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
149 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
150 "TLS_PSK_WITH_AES_128_CBC_SHA256",
151 "TLS_PSK_WITH_AES_256_CBC_SHA384",
152 "TLS_PSK_WITH_NULL_SHA256",
153 "TLS_PSK_WITH_NULL_SHA384",
154 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
155 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
156 "TLS_DHE_PSK_WITH_NULL_SHA256",
157 "TLS_DHE_PSK_WITH_NULL_SHA384",
158 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
159 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
160 "TLS_RSA_PSK_WITH_NULL_SHA256",
161 "TLS_RSA_PSK_WITH_NULL_SHA384",
162 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
168 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
173 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
174 ENUM_NEXT(tls_cipher_suite_names
, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
175 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
176 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
177 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
178 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDH_ECDSA_WITH_NULL_SHA
,
179 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
180 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
181 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
182 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
183 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
185 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
186 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
187 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
188 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
190 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
191 "TLS_ECDH_RSA_WITH_NULL_SHA",
192 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
193 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
195 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
196 "TLS_ECDHE_RSA_WITH_NULL_SHA",
197 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
198 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDH_anon_WITH_NULL_SHA",
202 "TLS_ECDH_anon_WITH_RC4_128_SHA",
203 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
205 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
206 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
209 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
215 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
216 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
217 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
218 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
219 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
220 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
221 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
222 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
223 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
224 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
225 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
226 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
227 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
228 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
229 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
230 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
231 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
232 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
235 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
236 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
239 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
240 ENUM_END(tls_cipher_suite_names
, TLS_ECDHE_PSK_WITH_NULL_SHA384
);
242 ENUM(tls_hash_algorithm_names
, TLS_HASH_NONE
, TLS_HASH_SHA512
,
252 ENUM(tls_signature_algorithm_names
, TLS_SIG_RSA
, TLS_SIG_ECDSA
,
258 ENUM_BEGIN(tls_client_certificate_type_names
,
259 TLS_RSA_SIGN
, TLS_DSS_EPHEMERAL_DH
,
266 ENUM_NEXT(tls_client_certificate_type_names
,
267 TLS_FORTEZZA_DMS
, TLS_FORTEZZA_DMS
, TLS_DSS_EPHEMERAL_DH
,
269 ENUM_NEXT(tls_client_certificate_type_names
,
270 TLS_ECDSA_SIGN
, TLS_ECDSA_FIXED_ECDH
, TLS_FORTEZZA_DMS
,
274 ENUM_END(tls_client_certificate_type_names
, TLS_ECDSA_FIXED_ECDH
);
276 ENUM(tls_ecc_curve_type_names
, TLS_ECC_EXPLICIT_PRIME
, TLS_ECC_NAMED_CURVE
,
282 ENUM(tls_named_curve_names
, TLS_SECT163K1
, TLS_SECP521R1
,
310 ENUM(tls_ansi_point_format_names
, TLS_ANSI_COMPRESSED
, TLS_ANSI_HYBRID_Y
,
319 ENUM(tls_ec_point_format_names
,
320 TLS_EC_POINT_UNCOMPRESSED
, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2
,
322 "ansiX962 compressed prime",
323 "ansiX962 compressed char2",
326 typedef struct private_tls_crypto_t private_tls_crypto_t
;
329 * Private data of an tls_crypto_t object.
331 struct private_tls_crypto_t
{
334 * Public tls_crypto_t interface.
341 tls_protection_t
*protection
;
344 * List of supported/acceptable cipher suites
346 tls_cipher_suite_t
*suites
;
349 * Number of supported suites
354 * Selected cipher suite
356 tls_cipher_suite_t suite
;
379 * All handshake data concatentated
384 * Connection state TLS PRF
389 * AEAD transform for inbound traffic
394 * AEAD transform for outbound traffic
396 tls_aead_t
*aead_out
;
404 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
410 tls_cipher_suite_t suite
;
412 diffie_hellman_group_t dh
;
413 hash_algorithm_t hash
;
414 pseudo_random_function_t prf
;
415 integrity_algorithm_t mac
;
416 encryption_algorithm_t encr
;
421 * Mapping suites to a set of algorithms
423 static suite_algs_t suite_algs
[] = {
424 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
,
425 KEY_ECDSA
, ECP_256_BIT
,
426 HASH_SHA256
, PRF_HMAC_SHA2_256
,
427 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
429 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
,
430 KEY_ECDSA
, ECP_256_BIT
,
431 HASH_SHA256
, PRF_HMAC_SHA2_256
,
432 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
434 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
,
435 KEY_ECDSA
, ECP_384_BIT
,
436 HASH_SHA256
, PRF_HMAC_SHA2_256
,
437 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
439 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
,
440 KEY_ECDSA
, ECP_384_BIT
,
441 HASH_SHA384
, PRF_HMAC_SHA2_384
,
442 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32
444 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,
445 KEY_ECDSA
, ECP_256_BIT
,
446 HASH_SHA256
, PRF_HMAC_SHA2_256
,
447 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16
449 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
,
450 KEY_ECDSA
, ECP_384_BIT
,
451 HASH_SHA384
, PRF_HMAC_SHA2_384
,
452 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32
454 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
,
455 KEY_RSA
, ECP_256_BIT
,
456 HASH_SHA256
, PRF_HMAC_SHA2_256
,
457 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
459 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
,
460 KEY_RSA
, ECP_256_BIT
,
461 HASH_SHA256
, PRF_HMAC_SHA2_256
,
462 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
464 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
,
465 KEY_RSA
, ECP_384_BIT
,
466 HASH_SHA256
, PRF_HMAC_SHA2_256
,
467 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
469 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
,
470 KEY_RSA
, ECP_384_BIT
,
471 HASH_SHA384
, PRF_HMAC_SHA2_384
,
472 AUTH_HMAC_SHA2_384_384
, ENCR_AES_CBC
, 32
474 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
,
475 KEY_RSA
, ECP_256_BIT
,
476 HASH_SHA256
, PRF_HMAC_SHA2_256
,
477 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16
479 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
,
480 KEY_RSA
, ECP_384_BIT
,
481 HASH_SHA384
, PRF_HMAC_SHA2_384
,
482 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32
484 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA
,
485 KEY_RSA
, MODP_2048_BIT
,
486 HASH_SHA256
,PRF_HMAC_SHA2_256
,
487 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
489 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
490 KEY_RSA
, MODP_3072_BIT
,
491 HASH_SHA256
, PRF_HMAC_SHA2_256
,
492 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
494 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA
,
495 KEY_RSA
, MODP_3072_BIT
,
496 HASH_SHA256
, PRF_HMAC_SHA2_256
,
497 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
499 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
,
500 KEY_RSA
, MODP_4096_BIT
,
501 HASH_SHA256
, PRF_HMAC_SHA2_256
,
502 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32
504 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
,
505 KEY_RSA
, MODP_3072_BIT
,
506 HASH_SHA256
, PRF_HMAC_SHA2_256
,
507 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16
509 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
,
510 KEY_RSA
, MODP_4096_BIT
,
511 HASH_SHA384
, PRF_HMAC_SHA2_384
,
512 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32
514 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
,
515 KEY_RSA
, MODP_2048_BIT
,
516 HASH_SHA256
, PRF_HMAC_SHA2_256
,
517 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16
519 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
520 KEY_RSA
, MODP_3072_BIT
,
521 HASH_SHA256
, PRF_HMAC_SHA2_256
,
522 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16
524 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
,
525 KEY_RSA
, MODP_3072_BIT
,
526 HASH_SHA256
, PRF_HMAC_SHA2_256
,
527 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32
529 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
530 KEY_RSA
, MODP_4096_BIT
,
531 HASH_SHA256
, PRF_HMAC_SHA2_256
,
532 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32
534 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
,
535 KEY_RSA
, MODP_2048_BIT
,
536 HASH_SHA256
, PRF_HMAC_SHA2_256
,
537 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
539 { TLS_RSA_WITH_AES_128_CBC_SHA
,
541 HASH_SHA256
, PRF_HMAC_SHA2_256
,
542 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
544 { TLS_RSA_WITH_AES_128_CBC_SHA256
,
546 HASH_SHA256
, PRF_HMAC_SHA2_256
,
547 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
549 { TLS_RSA_WITH_AES_256_CBC_SHA
,
551 HASH_SHA256
, PRF_HMAC_SHA2_256
,
552 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
554 { TLS_RSA_WITH_AES_256_CBC_SHA256
,
556 HASH_SHA256
, PRF_HMAC_SHA2_256
,
557 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32
559 { TLS_RSA_WITH_AES_128_GCM_SHA256
,
561 HASH_SHA256
, PRF_HMAC_SHA2_256
,
562 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 16
564 { TLS_RSA_WITH_AES_256_GCM_SHA384
,
566 HASH_SHA384
, PRF_HMAC_SHA2_384
,
567 AUTH_UNDEFINED
, ENCR_AES_GCM_ICV16
, 32
569 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
,
571 HASH_SHA256
, PRF_HMAC_SHA2_256
,
572 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16
574 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
576 HASH_SHA256
, PRF_HMAC_SHA2_256
,
577 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16
579 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
581 HASH_SHA256
, PRF_HMAC_SHA2_256
,
582 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32
584 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
586 HASH_SHA256
, PRF_HMAC_SHA2_256
,
587 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32
589 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
,
590 KEY_ECDSA
, ECP_256_BIT
,
591 HASH_SHA256
, PRF_HMAC_SHA2_256
,
592 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
594 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
,
595 KEY_RSA
, ECP_256_BIT
,
596 HASH_SHA256
, PRF_HMAC_SHA2_256
,
597 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
599 { TLS_RSA_WITH_3DES_EDE_CBC_SHA
,
601 HASH_SHA256
, PRF_HMAC_SHA2_256
,
602 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
604 { TLS_ECDHE_ECDSA_WITH_NULL_SHA
,
605 KEY_ECDSA
, ECP_256_BIT
,
606 HASH_SHA256
, PRF_HMAC_SHA2_256
,
607 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
609 { TLS_ECDHE_RSA_WITH_NULL_SHA
,
610 KEY_ECDSA
, ECP_256_BIT
,
611 HASH_SHA256
, PRF_HMAC_SHA2_256
,
612 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
614 { TLS_RSA_WITH_NULL_SHA
,
616 HASH_SHA256
, PRF_HMAC_SHA2_256
,
617 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
619 { TLS_RSA_WITH_NULL_SHA256
,
621 HASH_SHA256
, PRF_HMAC_SHA2_256
,
622 AUTH_HMAC_SHA2_256_256
, ENCR_NULL
, 0
624 { TLS_RSA_WITH_NULL_MD5
,
626 HASH_SHA256
, PRF_HMAC_SHA2_256
,
627 AUTH_HMAC_MD5_128
, ENCR_NULL
, 0
632 * Look up algorithms by a suite
634 static suite_algs_t
*find_suite(tls_cipher_suite_t suite
)
638 for (i
= 0; i
< countof(suite_algs
); i
++)
640 if (suite_algs
[i
].suite
== suite
)
642 return &suite_algs
[i
];
649 * Filter a suite list using a transform enumerator
651 static void filter_suite(suite_algs_t suites
[], int *count
, int offset
,
652 enumerator_t
*(*create_enumerator
)(crypto_factory_t
*))
654 const char *plugin_name
;
655 suite_algs_t current
;
656 int *current_alg
, i
, remaining
= 0;
657 enumerator_t
*enumerator
;
659 memset(¤t
, 0, sizeof(current
));
660 current_alg
= (int*)((char*)¤t
+ offset
);
662 for (i
= 0; i
< *count
; i
++)
664 if (create_enumerator
== lib
->crypto
->create_crypter_enumerator
&&
665 encryption_algorithm_is_aead(suites
[i
].encr
))
666 { /* filtering crypters, but current suite uses an AEAD, apply */
667 suites
[remaining
] = suites
[i
];
671 if (create_enumerator
== lib
->crypto
->create_aead_enumerator
&&
672 !encryption_algorithm_is_aead(suites
[i
].encr
))
673 { /* filtering AEADs, but current suite doesn't use one, apply */
674 suites
[remaining
] = suites
[i
];
678 enumerator
= create_enumerator(lib
->crypto
);
679 while (enumerator
->enumerate(enumerator
, current_alg
, &plugin_name
))
681 if (current
.encr
&& current
.encr
!= suites
[i
].encr
)
683 if (suites
[i
].encr
!= ENCR_NULL
)
684 { /* skip, ENCR does not match nor is NULL */
688 if (current
.mac
&& current
.mac
!= suites
[i
].mac
)
690 if (suites
[i
].mac
!= AUTH_UNDEFINED
)
691 { /* skip, MAC does not match nor is it undefined */
695 if (current
.prf
&& current
.prf
!= suites
[i
].prf
)
696 { /* skip, PRF does not match */
699 if (current
.hash
&& current
.hash
!= suites
[i
].hash
)
700 { /* skip, hash does not match */
703 if (current
.dh
&& current
.dh
!= suites
[i
].dh
)
705 if (suites
[i
].dh
!= MODP_NONE
)
706 { /* skip DH group, does not match nor NONE */
710 /* suite supported, apply */
711 suites
[remaining
] = suites
[i
];
715 enumerator
->destroy(enumerator
);
721 * Purge NULL encryption cipher suites from list
723 static void filter_null_suites(suite_algs_t suites
[], int *count
)
725 int i
, remaining
= 0;
727 for (i
= 0; i
< *count
; i
++)
729 if (suites
[i
].encr
!= ENCR_NULL
)
731 suites
[remaining
] = suites
[i
];
739 * Purge suites using a given key type
741 static void filter_key_suites(private_tls_crypto_t
*this,
742 suite_algs_t suites
[], int *count
, key_type_t key
)
744 int i
, remaining
= 0;
746 DBG2(DBG_TLS
, "disabling %N suites, no backend found", key_type_names
, key
);
747 for (i
= 0; i
< *count
; i
++)
749 if (suites
[i
].key
!= key
)
751 suites
[remaining
] = suites
[i
];
759 * Filter suites by key exchange user config
761 static void filter_key_exchange_config_suites(private_tls_crypto_t
*this,
762 suite_algs_t suites
[], int *count
)
764 enumerator_t
*enumerator
;
765 int i
, remaining
= 0;
766 char *token
, *config
;
768 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.key_exchange", NULL
,
772 for (i
= 0; i
< *count
; i
++)
774 enumerator
= enumerator_create_token(config
, ",", " ");
775 while (enumerator
->enumerate(enumerator
, &token
))
777 if (strcaseeq(token
, "ecdhe-ecdsa") &&
778 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
779 suites
[i
].key
== KEY_ECDSA
)
781 suites
[remaining
++] = suites
[i
];
784 if (strcaseeq(token
, "ecdhe-rsa") &&
785 diffie_hellman_group_is_ec(suites
[i
].dh
) &&
786 suites
[i
].key
== KEY_RSA
)
788 suites
[remaining
++] = suites
[i
];
791 if (strcaseeq(token
, "dhe-rsa") &&
792 !diffie_hellman_group_is_ec(suites
[i
].dh
) &&
793 suites
[i
].dh
!= MODP_NONE
&&
794 suites
[i
].key
== KEY_RSA
)
796 suites
[remaining
++] = suites
[i
];
799 if (strcaseeq(token
, "rsa") &&
800 suites
[i
].dh
== MODP_NONE
&&
801 suites
[i
].key
== KEY_RSA
)
803 suites
[remaining
++] = suites
[i
];
807 enumerator
->destroy(enumerator
);
814 * Filter suites by cipher user config
816 static void filter_cipher_config_suites(private_tls_crypto_t
*this,
817 suite_algs_t suites
[], int *count
)
819 enumerator_t
*enumerator
;
820 int i
, remaining
= 0;
821 char *token
, *config
;
823 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.cipher", NULL
,
827 for (i
= 0; i
< *count
; i
++)
829 enumerator
= enumerator_create_token(config
, ",", " ");
830 while (enumerator
->enumerate(enumerator
, &token
))
832 if (strcaseeq(token
, "aes128") &&
833 suites
[i
].encr
== ENCR_AES_CBC
&&
834 suites
[i
].encr_size
== 16)
836 suites
[remaining
++] = suites
[i
];
839 if (strcaseeq(token
, "aes256") &&
840 suites
[i
].encr
== ENCR_AES_CBC
&&
841 suites
[i
].encr_size
== 32)
843 suites
[remaining
++] = suites
[i
];
846 if (strcaseeq(token
, "aes128gcm") &&
847 suites
[i
].encr
== ENCR_AES_GCM_ICV16
&&
848 suites
[i
].encr_size
== 16)
850 suites
[remaining
++] = suites
[i
];
853 if (strcaseeq(token
, "aes256gcm") &&
854 suites
[i
].encr
== ENCR_AES_GCM_ICV16
&&
855 suites
[i
].encr_size
== 32)
857 suites
[remaining
++] = suites
[i
];
860 if (strcaseeq(token
, "camellia128") &&
861 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
862 suites
[i
].encr_size
== 16)
864 suites
[remaining
++] = suites
[i
];
867 if (strcaseeq(token
, "camellia256") &&
868 suites
[i
].encr
== ENCR_CAMELLIA_CBC
&&
869 suites
[i
].encr_size
== 32)
871 suites
[remaining
++] = suites
[i
];
874 if (strcaseeq(token
, "3des") &&
875 suites
[i
].encr
== ENCR_3DES
)
877 suites
[remaining
++] = suites
[i
];
880 if (strcaseeq(token
, "null") &&
881 suites
[i
].encr
== ENCR_NULL
)
883 suites
[remaining
++] = suites
[i
];
887 enumerator
->destroy(enumerator
);
894 * Filter suites by mac user config
896 static void filter_mac_config_suites(private_tls_crypto_t
*this,
897 suite_algs_t suites
[], int *count
)
899 enumerator_t
*enumerator
;
900 int i
, remaining
= 0;
901 char *token
, *config
;
903 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.mac", NULL
,
907 for (i
= 0; i
< *count
; i
++)
909 enumerator
= enumerator_create_token(config
, ",", " ");
910 while (enumerator
->enumerate(enumerator
, &token
))
912 if (strcaseeq(token
, "md5") &&
913 suites
[i
].mac
== AUTH_HMAC_MD5_128
)
915 suites
[remaining
++] = suites
[i
];
918 if (strcaseeq(token
, "sha1") &&
919 suites
[i
].mac
== AUTH_HMAC_SHA1_160
)
921 suites
[remaining
++] = suites
[i
];
924 if (strcaseeq(token
, "sha256") &&
925 suites
[i
].mac
== AUTH_HMAC_SHA2_256_256
)
927 suites
[remaining
++] = suites
[i
];
930 if (strcaseeq(token
, "sha384") &&
931 suites
[i
].mac
== AUTH_HMAC_SHA2_384_384
)
933 suites
[remaining
++] = suites
[i
];
937 enumerator
->destroy(enumerator
);
944 * Filter for specific suites specified in strongswan.conf
946 static void filter_specific_config_suites(private_tls_crypto_t
*this,
947 suite_algs_t suites
[], int *count
)
949 enumerator_t
*enumerator
;
950 int i
, remaining
= 0, suite
;
951 char *token
, *config
;
953 config
= lib
->settings
->get_str(lib
->settings
, "%s.tls.suites", NULL
,
957 for (i
= 0; i
< *count
; i
++)
959 enumerator
= enumerator_create_token(config
, ",", " ");
960 while (enumerator
->enumerate(enumerator
, &token
))
962 if (enum_from_name(tls_cipher_suite_names
, token
, &suite
) &&
963 suite
== suites
[i
].suite
)
965 suites
[remaining
++] = suites
[i
];
969 enumerator
->destroy(enumerator
);
976 * Filter out unsupported suites on given suite array
978 static void filter_unsupported_suites(suite_algs_t suites
[], int *count
)
980 /* filter suite list by each algorithm */
981 filter_suite(suites
, count
, offsetof(suite_algs_t
, encr
),
982 lib
->crypto
->create_crypter_enumerator
);
983 filter_suite(suites
, count
, offsetof(suite_algs_t
, encr
),
984 lib
->crypto
->create_aead_enumerator
);
985 filter_suite(suites
, count
, offsetof(suite_algs_t
, mac
),
986 lib
->crypto
->create_signer_enumerator
);
987 filter_suite(suites
, count
, offsetof(suite_algs_t
, prf
),
988 lib
->crypto
->create_prf_enumerator
);
989 filter_suite(suites
, count
, offsetof(suite_algs_t
, hash
),
990 lib
->crypto
->create_hasher_enumerator
);
991 filter_suite(suites
, count
, offsetof(suite_algs_t
, dh
),
992 lib
->crypto
->create_dh_enumerator
);
996 * Initialize the cipher suite list
998 static void build_cipher_suite_list(private_tls_crypto_t
*this,
999 bool require_encryption
)
1001 suite_algs_t suites
[countof(suite_algs
)];
1002 int count
= countof(suite_algs
), i
;
1004 /* copy all suites */
1005 for (i
= 0; i
< count
; i
++)
1007 suites
[i
] = suite_algs
[i
];
1010 if (require_encryption
)
1012 filter_null_suites(suites
, &count
);
1016 filter_key_suites(this, suites
, &count
, KEY_RSA
);
1020 filter_key_suites(this, suites
, &count
, KEY_ECDSA
);
1023 filter_unsupported_suites(suites
, &count
);
1025 /* filter suites with strongswan.conf options */
1026 filter_key_exchange_config_suites(this, suites
, &count
);
1027 filter_cipher_config_suites(this, suites
, &count
);
1028 filter_mac_config_suites(this, suites
, &count
);
1029 filter_specific_config_suites(this, suites
, &count
);
1032 this->suite_count
= count
;
1033 this->suites
= malloc(sizeof(tls_cipher_suite_t
) * count
);
1035 DBG2(DBG_TLS
, "%d supported TLS cipher suites:", count
);
1036 for (i
= 0; i
< count
; i
++)
1038 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
].suite
);
1039 this->suites
[i
] = suites
[i
].suite
;
1043 METHOD(tls_crypto_t
, get_cipher_suites
, int,
1044 private_tls_crypto_t
*this, tls_cipher_suite_t
**suites
)
1046 *suites
= this->suites
;
1047 return this->suite_count
;
1051 * Create NULL encryption transforms
1053 static bool create_null(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1055 this->aead_in
= tls_aead_create_null(algs
->mac
);
1056 this->aead_out
= tls_aead_create_null(algs
->mac
);
1057 if (!this->aead_in
|| !this->aead_out
)
1059 DBG1(DBG_TLS
, "selected TLS MAC %N not supported",
1060 integrity_algorithm_names
, algs
->mac
);
1067 * Create traditional transforms
1069 static bool create_traditional(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1071 if (this->tls
->get_version(this->tls
) < TLS_1_1
)
1073 this->aead_in
= tls_aead_create_implicit(algs
->mac
,
1074 algs
->encr
, algs
->encr_size
);
1075 this->aead_out
= tls_aead_create_implicit(algs
->mac
,
1076 algs
->encr
, algs
->encr_size
);
1080 this->aead_in
= tls_aead_create_explicit(algs
->mac
,
1081 algs
->encr
, algs
->encr_size
);
1082 this->aead_out
= tls_aead_create_explicit(algs
->mac
,
1083 algs
->encr
, algs
->encr_size
);
1085 if (!this->aead_in
|| !this->aead_out
)
1087 DBG1(DBG_TLS
, "selected TLS transforms %N-%u-%N not supported",
1088 encryption_algorithm_names
, algs
->encr
, algs
->encr_size
* 8,
1089 integrity_algorithm_names
, algs
->mac
);
1096 * Create AEAD transforms
1098 static bool create_aead(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1100 this->aead_in
= tls_aead_create_aead(algs
->encr
, algs
->encr_size
);
1101 this->aead_out
= tls_aead_create_aead(algs
->encr
, algs
->encr_size
);
1102 if (!this->aead_in
|| !this->aead_out
)
1104 DBG1(DBG_TLS
, "selected TLS transforms %N-%u not supported",
1105 encryption_algorithm_names
, algs
->encr
, algs
->encr_size
* 8);
1112 * Clean up and unset AEAD transforms
1114 static void destroy_aeads(private_tls_crypto_t
*this)
1116 DESTROY_IF(this->aead_in
);
1117 DESTROY_IF(this->aead_out
);
1118 this->aead_in
= this->aead_out
= NULL
;
1122 * Create crypto primitives
1124 static bool create_ciphers(private_tls_crypto_t
*this, suite_algs_t
*algs
)
1126 destroy_aeads(this);
1127 DESTROY_IF(this->prf
);
1128 if (this->tls
->get_version(this->tls
) < TLS_1_2
)
1130 this->prf
= tls_prf_create_10();
1134 this->prf
= tls_prf_create_12(algs
->prf
);
1138 DBG1(DBG_TLS
, "selected TLS PRF not supported");
1141 if (algs
->encr
== ENCR_NULL
)
1143 if (create_null(this, algs
))
1148 else if (encryption_algorithm_is_aead(algs
->encr
))
1150 if (create_aead(this, algs
))
1157 if (create_traditional(this, algs
))
1162 destroy_aeads(this);
1166 METHOD(tls_crypto_t
, select_cipher_suite
, tls_cipher_suite_t
,
1167 private_tls_crypto_t
*this, tls_cipher_suite_t
*suites
, int count
,
1173 for (i
= 0; i
< this->suite_count
; i
++)
1175 for (j
= 0; j
< count
; j
++)
1177 if (this->suites
[i
] == suites
[j
])
1179 algs
= find_suite(this->suites
[i
]);
1182 if (key
== KEY_ANY
|| key
== algs
->key
)
1184 if (create_ciphers(this, algs
))
1186 this->suite
= this->suites
[i
];
1197 METHOD(tls_crypto_t
, get_dh_group
, diffie_hellman_group_t
,
1198 private_tls_crypto_t
*this)
1202 algs
= find_suite(this->suite
);
1211 * Map signature schemes to TLS key types and hashes, ordered by preference
1214 tls_signature_algorithm_t sig
;
1215 tls_hash_algorithm_t hash
;
1216 signature_scheme_t scheme
;
1218 { TLS_SIG_ECDSA
, TLS_HASH_SHA256
, SIGN_ECDSA_WITH_SHA256_DER
},
1219 { TLS_SIG_ECDSA
, TLS_HASH_SHA384
, SIGN_ECDSA_WITH_SHA384_DER
},
1220 { TLS_SIG_ECDSA
, TLS_HASH_SHA512
, SIGN_ECDSA_WITH_SHA512_DER
},
1221 { TLS_SIG_ECDSA
, TLS_HASH_SHA1
, SIGN_ECDSA_WITH_SHA1_DER
},
1222 { TLS_SIG_RSA
, TLS_HASH_SHA256
, SIGN_RSA_EMSA_PKCS1_SHA2_256
},
1223 { TLS_SIG_RSA
, TLS_HASH_SHA384
, SIGN_RSA_EMSA_PKCS1_SHA2_384
},
1224 { TLS_SIG_RSA
, TLS_HASH_SHA512
, SIGN_RSA_EMSA_PKCS1_SHA2_512
},
1225 { TLS_SIG_RSA
, TLS_HASH_SHA224
, SIGN_RSA_EMSA_PKCS1_SHA2_224
},
1226 { TLS_SIG_RSA
, TLS_HASH_SHA1
, SIGN_RSA_EMSA_PKCS1_SHA1
},
1227 { TLS_SIG_RSA
, TLS_HASH_MD5
, SIGN_RSA_EMSA_PKCS1_MD5
},
1230 METHOD(tls_crypto_t
, get_signature_algorithms
, void,
1231 private_tls_crypto_t
*this, bio_writer_t
*writer
)
1233 bio_writer_t
*supported
;
1236 supported
= bio_writer_create(32);
1238 for (i
= 0; i
< countof(schemes
); i
++)
1240 if (schemes
[i
].sig
== TLS_SIG_RSA
&& !this->rsa
)
1244 if (schemes
[i
].sig
== TLS_SIG_ECDSA
&& !this->ecdsa
)
1248 if (!lib
->plugins
->has_feature(lib
->plugins
,
1249 PLUGIN_PROVIDE(PUBKEY_VERIFY
, schemes
[i
].scheme
)))
1253 supported
->write_uint8(supported
, schemes
[i
].hash
);
1254 supported
->write_uint8(supported
, schemes
[i
].sig
);
1257 supported
->wrap16(supported
);
1258 writer
->write_data16(writer
, supported
->get_buf(supported
));
1259 supported
->destroy(supported
);
1263 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1265 static signature_scheme_t
hashsig_to_scheme(key_type_t type
,
1266 tls_hash_algorithm_t hash
,
1267 tls_signature_algorithm_t sig
)
1271 if ((sig
== TLS_SIG_RSA
&& type
== KEY_RSA
) ||
1272 (sig
== TLS_SIG_ECDSA
&& type
== KEY_ECDSA
))
1274 for (i
= 0; i
< countof(schemes
); i
++)
1276 if (schemes
[i
].sig
== sig
&& schemes
[i
].hash
== hash
)
1278 return schemes
[i
].scheme
;
1282 return SIGN_UNKNOWN
;
1286 * Mapping groups to TLS named curves
1289 diffie_hellman_group_t group
;
1290 tls_named_curve_t curve
;
1292 { ECP_256_BIT
, TLS_SECP256R1
},
1293 { ECP_384_BIT
, TLS_SECP384R1
},
1294 { ECP_521_BIT
, TLS_SECP521R1
},
1295 { ECP_224_BIT
, TLS_SECP224R1
},
1296 { ECP_192_BIT
, TLS_SECP192R1
},
1299 CALLBACK(group_filter
, bool,
1300 void *null
, enumerator_t
*orig
, va_list args
)
1302 diffie_hellman_group_t group
, *out
;
1303 tls_named_curve_t
*curve
;
1307 VA_ARGS_VGET(args
, out
, curve
);
1309 while (orig
->enumerate(orig
, &group
, &plugin
))
1311 for (i
= 0; i
< countof(curves
); i
++)
1313 if (curves
[i
].group
== group
)
1317 *out
= curves
[i
].group
;
1321 *curve
= curves
[i
].curve
;
1330 METHOD(tls_crypto_t
, create_ec_enumerator
, enumerator_t
*,
1331 private_tls_crypto_t
*this)
1333 return enumerator_create_filter(
1334 lib
->crypto
->create_dh_enumerator(lib
->crypto
),
1335 group_filter
, NULL
, NULL
);
1338 METHOD(tls_crypto_t
, set_protection
, void,
1339 private_tls_crypto_t
*this, tls_protection_t
*protection
)
1341 this->protection
= protection
;
1344 METHOD(tls_crypto_t
, append_handshake
, void,
1345 private_tls_crypto_t
*this, tls_handshake_type_t type
, chunk_t data
)
1349 /* reconstruct handshake header */
1350 header
= htonl(data
.len
| (type
<< 24));
1351 this->handshake
= chunk_cat("mcc", this->handshake
,
1352 chunk_from_thing(header
), data
);
1356 * Create a hash using the suites HASH algorithm
1358 static bool hash_data(private_tls_crypto_t
*this, chunk_t data
, chunk_t
*hash
)
1360 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
1365 alg
= find_suite(this->suite
);
1370 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, alg
->hash
);
1371 if (!hasher
|| !hasher
->allocate_hash(hasher
, data
, hash
))
1373 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, alg
->hash
);
1377 hasher
->destroy(hasher
);
1381 hasher_t
*md5
, *sha1
;
1382 char buf
[HASH_SIZE_MD5
+ HASH_SIZE_SHA1
];
1384 md5
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
);
1385 if (!md5
|| !md5
->get_hash(md5
, data
, buf
))
1387 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_MD5
);
1392 sha1
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1393 if (!sha1
|| !sha1
->get_hash(sha1
, data
, buf
+ HASH_SIZE_MD5
))
1395 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_SHA1
);
1399 sha1
->destroy(sha1
);
1401 *hash
= chunk_clone(chunk_from_thing(buf
));
1406 METHOD(tls_crypto_t
, sign
, bool,
1407 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1408 chunk_t data
, chunk_t hashsig
)
1410 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
1412 signature_scheme_t scheme
;
1413 bio_reader_t
*reader
;
1419 { /* fallback if none given */
1420 hashsig
= chunk_from_chars(
1421 TLS_HASH_SHA1
, TLS_SIG_RSA
, TLS_HASH_SHA1
, TLS_SIG_ECDSA
);
1423 reader
= bio_reader_create(hashsig
);
1424 while (reader
->remaining(reader
) >= 2)
1426 if (reader
->read_uint8(reader
, &hash
) &&
1427 reader
->read_uint8(reader
, &alg
))
1429 scheme
= hashsig_to_scheme(key
->get_type(key
), hash
, alg
);
1430 if (scheme
!= SIGN_UNKNOWN
&&
1431 key
->sign(key
, scheme
, data
, &sig
))
1438 reader
->destroy(reader
);
1441 DBG1(DBG_TLS
, "none of the proposed hash/sig algorithms supported");
1444 DBG2(DBG_TLS
, "created signature with %N/%N",
1445 tls_hash_algorithm_names
, hash
, tls_signature_algorithm_names
, alg
);
1446 writer
->write_uint8(writer
, hash
);
1447 writer
->write_uint8(writer
, alg
);
1448 writer
->write_data16(writer
, sig
);
1456 switch (key
->get_type(key
))
1459 if (!hash_data(this, data
, &hash
))
1463 done
= key
->sign(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, &sig
);
1469 DBG2(DBG_TLS
, "created signature with MD5+SHA1/RSA");
1472 if (!key
->sign(key
, SIGN_ECDSA_WITH_SHA1_DER
, data
, &sig
))
1476 DBG2(DBG_TLS
, "created signature with SHA1/ECDSA");
1481 writer
->write_data16(writer
, sig
);
1487 METHOD(tls_crypto_t
, verify
, bool,
1488 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
,
1491 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
1493 signature_scheme_t scheme
= SIGN_UNKNOWN
;
1497 if (!reader
->read_uint8(reader
, &hash
) ||
1498 !reader
->read_uint8(reader
, &alg
) ||
1499 !reader
->read_data16(reader
, &sig
))
1501 DBG1(DBG_TLS
, "received invalid signature");
1504 scheme
= hashsig_to_scheme(key
->get_type(key
), hash
, alg
);
1505 if (scheme
== SIGN_UNKNOWN
)
1507 DBG1(DBG_TLS
, "signature algorithms %N/%N not supported",
1508 tls_hash_algorithm_names
, hash
,
1509 tls_signature_algorithm_names
, alg
);
1512 if (!key
->verify(key
, scheme
, NULL
, data
, sig
))
1516 DBG2(DBG_TLS
, "verified signature with %N/%N",
1517 tls_hash_algorithm_names
, hash
, tls_signature_algorithm_names
, alg
);
1524 if (!reader
->read_data16(reader
, &sig
))
1526 DBG1(DBG_TLS
, "received invalid signature");
1529 switch (key
->get_type(key
))
1532 if (!hash_data(this, data
, &hash
))
1536 done
= key
->verify(key
, SIGN_RSA_EMSA_PKCS1_NULL
, NULL
, hash
,
1543 DBG2(DBG_TLS
, "verified signature data with MD5+SHA1/RSA");
1546 if (!key
->verify(key
, SIGN_ECDSA_WITH_SHA1_DER
, NULL
, data
,
1551 DBG2(DBG_TLS
, "verified signature with SHA1/ECDSA");
1560 METHOD(tls_crypto_t
, sign_handshake
, bool,
1561 private_tls_crypto_t
*this, private_key_t
*key
, bio_writer_t
*writer
,
1564 return sign(this, key
, writer
, this->handshake
, hashsig
);
1567 METHOD(tls_crypto_t
, verify_handshake
, bool,
1568 private_tls_crypto_t
*this, public_key_t
*key
, bio_reader_t
*reader
)
1570 return verify(this, key
, reader
, this->handshake
);
1573 METHOD(tls_crypto_t
, calculate_finished
, bool,
1574 private_tls_crypto_t
*this, char *label
, char out
[12])
1582 if (!hash_data(this, this->handshake
, &seed
))
1586 if (!this->prf
->get_bytes(this->prf
, label
, seed
, 12, out
))
1596 * Derive master secret from premaster, optionally save session
1598 static bool derive_master(private_tls_crypto_t
*this, chunk_t premaster
,
1599 chunk_t session
, identification_t
*id
,
1600 chunk_t client_random
, chunk_t server_random
)
1605 /* derive master secret */
1606 seed
= chunk_cata("cc", client_random
, server_random
);
1608 if (!this->prf
->set_key(this->prf
, premaster
) ||
1609 !this->prf
->get_bytes(this->prf
, "master secret", seed
,
1610 sizeof(master
), master
) ||
1611 !this->prf
->set_key(this->prf
, chunk_from_thing(master
)))
1616 if (this->cache
&& session
.len
)
1618 this->cache
->create(this->cache
, session
, id
, chunk_from_thing(master
),
1621 memwipe(master
, sizeof(master
));
1626 * Expand key material from master secret
1628 static bool expand_keys(private_tls_crypto_t
*this,
1629 chunk_t client_random
, chunk_t server_random
)
1631 chunk_t seed
, block
;
1632 chunk_t cw_mac
, cw
, cw_iv
;
1633 chunk_t sw_mac
, sw
, sw_iv
;
1634 int mklen
, eklen
, ivlen
;
1636 if (!this->aead_in
|| !this->aead_out
)
1641 /* derive key block for key expansion */
1642 mklen
= this->aead_in
->get_mac_key_size(this->aead_in
);
1643 eklen
= this->aead_in
->get_encr_key_size(this->aead_in
);
1644 ivlen
= this->aead_in
->get_iv_size(this->aead_in
);
1645 seed
= chunk_cata("cc", server_random
, client_random
);
1646 block
= chunk_alloca((mklen
+ eklen
+ ivlen
) * 2);
1647 if (!this->prf
->get_bytes(this->prf
, "key expansion", seed
,
1648 block
.len
, block
.ptr
))
1653 /* client/server write signer keys */
1654 cw_mac
= chunk_create(block
.ptr
, mklen
);
1655 block
= chunk_skip(block
, mklen
);
1656 sw_mac
= chunk_create(block
.ptr
, mklen
);
1657 block
= chunk_skip(block
, mklen
);
1659 /* client/server write encryption keys */
1660 cw
= chunk_create(block
.ptr
, eklen
);
1661 block
= chunk_skip(block
, eklen
);
1662 sw
= chunk_create(block
.ptr
, eklen
);
1663 block
= chunk_skip(block
, eklen
);
1665 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
1666 cw_iv
= chunk_create(block
.ptr
, ivlen
);
1667 block
= chunk_skip(block
, ivlen
);
1668 sw_iv
= chunk_create(block
.ptr
, ivlen
);
1669 block
= chunk_skip(block
, ivlen
);
1671 if (this->tls
->is_server(this->tls
))
1673 if (!this->aead_in
->set_keys(this->aead_in
, cw_mac
, cw
, cw_iv
) ||
1674 !this->aead_out
->set_keys(this->aead_out
, sw_mac
, sw
, sw_iv
))
1681 if (!this->aead_out
->set_keys(this->aead_out
, cw_mac
, cw
, cw_iv
) ||
1682 !this->aead_in
->set_keys(this->aead_in
, sw_mac
, sw
, sw_iv
))
1689 if (this->msk_label
)
1691 seed
= chunk_cata("cc", client_random
, server_random
);
1692 this->msk
= chunk_alloc(64);
1693 if (!this->prf
->get_bytes(this->prf
, this->msk_label
, seed
,
1694 this->msk
.len
, this->msk
.ptr
))
1702 METHOD(tls_crypto_t
, derive_secrets
, bool,
1703 private_tls_crypto_t
*this, chunk_t premaster
, chunk_t session
,
1704 identification_t
*id
, chunk_t client_random
, chunk_t server_random
)
1706 return derive_master(this, premaster
, session
, id
,
1707 client_random
, server_random
) &&
1708 expand_keys(this, client_random
, server_random
);
1711 METHOD(tls_crypto_t
, resume_session
, tls_cipher_suite_t
,
1712 private_tls_crypto_t
*this, chunk_t session
, identification_t
*id
,
1713 chunk_t client_random
, chunk_t server_random
)
1717 if (this->cache
&& session
.len
)
1719 this->suite
= this->cache
->lookup(this->cache
, session
, id
, &master
);
1722 this->suite
= select_cipher_suite(this, &this->suite
, 1, KEY_ANY
);
1725 if (!this->prf
->set_key(this->prf
, master
) ||
1726 !expand_keys(this, client_random
, server_random
))
1731 chunk_clear(&master
);
1738 METHOD(tls_crypto_t
, get_session
, chunk_t
,
1739 private_tls_crypto_t
*this, identification_t
*server
)
1743 return this->cache
->check(this->cache
, server
);
1748 METHOD(tls_crypto_t
, change_cipher
, void,
1749 private_tls_crypto_t
*this, bool inbound
)
1751 if (this->protection
)
1755 this->protection
->set_cipher(this->protection
, TRUE
, this->aead_in
);
1759 this->protection
->set_cipher(this->protection
, FALSE
, this->aead_out
);
1764 METHOD(tls_crypto_t
, get_eap_msk
, chunk_t
,
1765 private_tls_crypto_t
*this)
1770 METHOD(tls_crypto_t
, destroy
, void,
1771 private_tls_crypto_t
*this)
1773 destroy_aeads(this);
1774 free(this->handshake
.ptr
);
1775 free(this->msk
.ptr
);
1776 DESTROY_IF(this->prf
);
1784 tls_crypto_t
*tls_crypto_create(tls_t
*tls
, tls_cache_t
*cache
)
1786 private_tls_crypto_t
*this;
1787 enumerator_t
*enumerator
;
1788 credential_type_t type
;
1793 .get_cipher_suites
= _get_cipher_suites
,
1794 .select_cipher_suite
= _select_cipher_suite
,
1795 .get_dh_group
= _get_dh_group
,
1796 .get_signature_algorithms
= _get_signature_algorithms
,
1797 .create_ec_enumerator
= _create_ec_enumerator
,
1798 .set_protection
= _set_protection
,
1799 .append_handshake
= _append_handshake
,
1802 .sign_handshake
= _sign_handshake
,
1803 .verify_handshake
= _verify_handshake
,
1804 .calculate_finished
= _calculate_finished
,
1805 .derive_secrets
= _derive_secrets
,
1806 .resume_session
= _resume_session
,
1807 .get_session
= _get_session
,
1808 .change_cipher
= _change_cipher
,
1809 .get_eap_msk
= _get_eap_msk
,
1810 .destroy
= _destroy
,
1816 enumerator
= lib
->creds
->create_builder_enumerator(lib
->creds
);
1817 while (enumerator
->enumerate(enumerator
, &type
, &subtype
))
1819 if (type
== CRED_PUBLIC_KEY
)
1834 enumerator
->destroy(enumerator
);
1836 switch (tls
->get_purpose(tls
))
1838 case TLS_PURPOSE_EAP_TLS
:
1839 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1840 this->msk_label
= "client EAP encryption";
1841 build_cipher_suite_list(this, FALSE
);
1843 case TLS_PURPOSE_EAP_PEAP
:
1844 this->msk_label
= "client EAP encryption";
1845 build_cipher_suite_list(this, TRUE
);
1847 case TLS_PURPOSE_EAP_TTLS
:
1848 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1849 this->msk_label
= "ttls keying material";
1850 build_cipher_suite_list(this, TRUE
);
1852 case TLS_PURPOSE_GENERIC
:
1853 build_cipher_suite_list(this, TRUE
);
1855 case TLS_PURPOSE_GENERIC_NULLOK
:
1856 build_cipher_suite_list(this, FALSE
);
1861 return &this->public;
1867 int tls_crypto_get_supported_suites(bool null
, tls_cipher_suite_t
**out
)
1869 suite_algs_t suites
[countof(suite_algs
)];
1870 int count
= countof(suite_algs
), i
;
1872 /* initialize copy of suite list */
1873 for (i
= 0; i
< count
; i
++)
1875 suites
[i
] = suite_algs
[i
];
1878 filter_unsupported_suites(suites
, &count
);
1882 filter_null_suites(suites
, &count
);
1887 *out
= calloc(count
, sizeof(tls_cipher_suite_t
));
1888 for (i
= 0; i
< count
; i
++)
1890 (*out
)[i
] = suites
[i
].suite
;