2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "tls_crypto.h"
20 ENUM_BEGIN(tls_cipher_suite_names
, TLS_NULL_WITH_NULL_NULL
,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names
, TLS_KRB5_WITH_DES_CBC_SHA
,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names
, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names
, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDH_ECDSA_WITH_NULL_SHA
,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names
, TLS_ECDHE_PSK_WITH_NULL_SHA384
);
241 typedef struct private_tls_crypto_t private_tls_crypto_t
;
244 * Private data of an tls_crypto_t object.
246 struct private_tls_crypto_t
{
249 * Public tls_crypto_t interface.
256 tls_protection_t
*protection
;
259 * List of supported/acceptable cipher suites
261 tls_cipher_suite_t
*suites
;
264 * Number of supported suites
269 * Selected cipher suite
271 tls_cipher_suite_t suite
;
279 * All handshake data concatentated
284 * Connection state TLS PRF
289 * Signer instance for inbound traffic
294 * Signer instance for outbound traffic
296 signer_t
*signer_out
;
299 * Crypter instance for inbound traffic
301 crypter_t
*crypter_in
;
304 * Crypter instance for outbound traffic
306 crypter_t
*crypter_out
;
309 * IV for input decryption, if < TLSv1.2
314 * IV for output decryption, if < TLSv1.2
324 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
330 tls_cipher_suite_t suite
;
331 hash_algorithm_t hash
;
332 pseudo_random_function_t prf
;
333 integrity_algorithm_t mac
;
334 encryption_algorithm_t encr
;
339 * Mapping suites to a set of algorithms
341 static suite_algs_t suite_algs
[] = {
342 { TLS_RSA_WITH_NULL_MD5
,
348 { TLS_RSA_WITH_NULL_SHA
,
354 { TLS_RSA_WITH_NULL_SHA256
,
357 AUTH_HMAC_SHA2_256_256
,
360 { TLS_RSA_WITH_AES_128_CBC_SHA
,
366 { TLS_RSA_WITH_AES_256_CBC_SHA
,
372 { TLS_RSA_WITH_3DES_EDE_CBC_SHA
,
378 { TLS_RSA_WITH_AES_128_CBC_SHA256
,
381 AUTH_HMAC_SHA2_256_256
,
387 * Look up algoritms by a suite
389 static suite_algs_t
*find_suite(tls_cipher_suite_t suite
)
393 for (i
= 0; i
< countof(suite_algs
); i
++)
395 if (suite_algs
[i
].suite
== suite
)
397 return &suite_algs
[i
];
404 * Initialize the cipher suite list
406 static void build_cipher_suite_list(private_tls_crypto_t
*this)
408 encryption_algorithm_t encr
;
409 integrity_algorithm_t mac
;
410 enumerator_t
*encrs
, *macs
;
411 tls_cipher_suite_t supported
[64], unique
[64];
414 /* we assume that we support RSA, but no DHE yet */
415 macs
= lib
->crypto
->create_signer_enumerator(lib
->crypto
);
416 while (macs
->enumerate(macs
, &mac
))
420 case AUTH_HMAC_SHA1_160
:
421 supported
[count
++] = TLS_RSA_WITH_NULL_SHA
;
423 case AUTH_HMAC_SHA2_256_256
:
424 supported
[count
++] = TLS_RSA_WITH_NULL_SHA256
;
426 case AUTH_HMAC_MD5_128
:
427 supported
[count
++] = TLS_RSA_WITH_NULL_MD5
;
432 encrs
= lib
->crypto
->create_crypter_enumerator(lib
->crypto
);
433 while (encrs
->enumerate(encrs
, &encr
))
440 case AUTH_HMAC_SHA1_160
:
441 supported
[count
++] = TLS_RSA_WITH_AES_128_CBC_SHA
;
442 supported
[count
++] = TLS_RSA_WITH_AES_256_CBC_SHA
;
444 case AUTH_HMAC_SHA2_256_256
:
445 supported
[count
++] = TLS_RSA_WITH_AES_128_CBC_SHA256
;
446 supported
[count
++] = TLS_RSA_WITH_AES_256_CBC_SHA256
;
455 case AUTH_HMAC_SHA1_160
:
456 supported
[count
++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA
;
466 encrs
->destroy(encrs
);
470 /* remove duplicates */
471 this->suite_count
= 0;
472 for (i
= 0; i
< count
; i
++)
476 for (j
= 0; j
< this->suite_count
; j
++)
478 if (supported
[i
] == unique
[j
])
486 unique
[this->suite_count
++] = supported
[i
];
490 this->suites
= malloc(sizeof(tls_cipher_suite_t
) * this->suite_count
);
491 memcpy(this->suites
, unique
, sizeof(tls_cipher_suite_t
) * this->suite_count
);
494 METHOD(tls_crypto_t
, get_cipher_suites
, int,
495 private_tls_crypto_t
*this, tls_cipher_suite_t
**suites
)
497 *suites
= this->suites
;
498 return this->suite_count
;
502 * Create crypto primitives
504 static bool create_ciphers(private_tls_crypto_t
*this, tls_cipher_suite_t suite
)
508 algs
= find_suite(suite
);
511 DBG1(DBG_IKE
, "selected TLS suite not supported");
515 DESTROY_IF(this->prf
);
516 if (this->tls
->get_version(this->tls
) < TLS_1_2
)
518 this->prf
= tls_prf_create_10();
522 this->prf
= tls_prf_create_12(algs
->prf
);
526 DBG1(DBG_IKE
, "selected TLS PRF not supported");
530 DESTROY_IF(this->signer_in
);
531 DESTROY_IF(this->signer_out
);
532 this->signer_in
= lib
->crypto
->create_signer(lib
->crypto
, algs
->mac
);
533 this->signer_out
= lib
->crypto
->create_signer(lib
->crypto
, algs
->mac
);
534 if (!this->signer_in
|| !this->signer_out
)
536 DBG1(DBG_IKE
, "selected TLS MAC %N not supported",
537 integrity_algorithm_names
, algs
->mac
);
541 DESTROY_IF(this->crypter_in
);
542 DESTROY_IF(this->crypter_out
);
543 if (algs
->encr
== ENCR_NULL
)
545 this->crypter_in
= this->crypter_out
= NULL
;
549 this->crypter_in
= lib
->crypto
->create_crypter(lib
->crypto
,
550 algs
->encr
, algs
->encr_size
);
551 this->crypter_out
= lib
->crypto
->create_crypter(lib
->crypto
,
552 algs
->encr
, algs
->encr_size
);
553 if (!this->crypter_in
|| !this->crypter_out
)
555 DBG1(DBG_IKE
, "selected TLS crypter %N not supported",
556 encryption_algorithm_names
, algs
->encr
);
563 METHOD(tls_crypto_t
, select_cipher_suite
, tls_cipher_suite_t
,
564 private_tls_crypto_t
*this, tls_cipher_suite_t
*suites
, int count
)
568 for (i
= 0; i
< this->suite_count
; i
++)
570 for (j
= 0; j
< count
; j
++)
572 if (this->suites
[i
] == suites
[j
])
574 if (create_ciphers(this, this->suites
[i
]))
576 this->suite
= this->suites
[i
];
585 METHOD(tls_crypto_t
, set_protection
, void,
586 private_tls_crypto_t
*this, tls_protection_t
*protection
)
588 this->protection
= protection
;
591 METHOD(tls_crypto_t
, append_handshake
, void,
592 private_tls_crypto_t
*this, tls_handshake_type_t type
, chunk_t data
)
596 /* reconstruct handshake header */
597 header
= htonl(data
.len
| (type
<< 24));
598 this->handshake
= chunk_cat("mcc", this->handshake
,
599 chunk_from_thing(header
), data
);
603 * Create a hash of the stored handshake data
605 static bool hash_handshake(private_tls_crypto_t
*this, chunk_t
*hash
)
607 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
612 alg
= find_suite(this->suite
);
617 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, alg
->hash
);
620 DBG1(DBG_IKE
, "%N not supported", hash_algorithm_names
, alg
->hash
);
623 hasher
->allocate_hash(hasher
, this->handshake
, hash
);
624 hasher
->destroy(hasher
);
628 hasher_t
*md5
, *sha1
;
629 char buf
[HASH_SIZE_MD5
+ HASH_SIZE_SHA1
];
631 md5
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
);
634 DBG1(DBG_IKE
, "%N not supported", hash_algorithm_names
, HASH_MD5
);
637 md5
->get_hash(md5
, this->handshake
, buf
);
639 sha1
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
642 DBG1(DBG_IKE
, "%N not supported", hash_algorithm_names
, HASH_SHA1
);
645 sha1
->get_hash(sha1
, this->handshake
, buf
+ HASH_SIZE_MD5
);
648 *hash
= chunk_clone(chunk_from_thing(buf
));
653 METHOD(tls_crypto_t
, sign_handshake
, bool,
654 private_tls_crypto_t
*this, private_key_t
*key
, tls_writer_t
*writer
)
658 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
660 /* TODO: use supported algorithms instead of fixed SHA1/RSA */
661 if (!key
->sign(key
, SIGN_RSA_EMSA_PKCS1_SHA1
, this->handshake
, &sig
))
665 writer
->write_uint8(writer
, 2);
666 writer
->write_uint8(writer
, 1);
667 writer
->write_data16(writer
, sig
);
672 if (!hash_handshake(this, &hash
))
676 if (!key
->sign(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, &sig
))
681 writer
->write_data16(writer
, sig
);
688 METHOD(tls_crypto_t
, verify_handshake
, bool,
689 private_tls_crypto_t
*this, public_key_t
*key
, tls_reader_t
*reader
)
691 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
696 if (!reader
->read_uint8(reader
, &hash
) ||
697 !reader
->read_uint8(reader
, &alg
) ||
698 !reader
->read_data16(reader
, &sig
))
700 DBG1(DBG_IKE
, "received invalid Certificate Verify");
703 /* TODO: map received hash/sig alg to signature scheme */
704 if (hash
!= 2 || alg
!= 1 ||
705 !key
->verify(key
, SIGN_RSA_EMSA_PKCS1_SHA1
, this->handshake
, sig
))
714 if (!reader
->read_data16(reader
, &sig
))
716 DBG1(DBG_IKE
, "received invalid Certificate Verify");
719 if (!hash_handshake(this, &hash
))
723 if (!key
->verify(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, sig
))
733 METHOD(tls_crypto_t
, calculate_finished
, bool,
734 private_tls_crypto_t
*this, char *label
, char out
[12])
742 if (!hash_handshake(this, &seed
))
746 this->prf
->get_bytes(this->prf
, label
, seed
, 12, out
);
751 METHOD(tls_crypto_t
, derive_secrets
, void,
752 private_tls_crypto_t
*this, chunk_t premaster
,
753 chunk_t client_random
, chunk_t server_random
)
756 chunk_t seed
, block
, client_write
, server_write
;
757 int mks
, eks
= 0, ivs
= 0;
759 /* derive master secret */
760 seed
= chunk_cata("cc", client_random
, server_random
);
761 this->prf
->set_key(this->prf
, premaster
);
762 this->prf
->get_bytes(this->prf
, "master secret", seed
,
763 sizeof(master
), master
);
765 this->prf
->set_key(this->prf
, chunk_from_thing(master
));
766 memset(master
, 0, sizeof(master
));
768 /* derive key block for key expansion */
769 mks
= this->signer_out
->get_key_size(this->signer_out
);
770 if (this->crypter_out
)
772 eks
= this->crypter_out
->get_key_size(this->crypter_out
);
773 if (this->tls
->get_version(this->tls
) < TLS_1_1
)
775 ivs
= this->crypter_out
->get_block_size(this->crypter_out
);
778 seed
= chunk_cata("cc", server_random
, client_random
);
779 block
= chunk_alloca((mks
+ eks
+ ivs
) * 2);
780 this->prf
->get_bytes(this->prf
, "key expansion", seed
, block
.len
, block
.ptr
);
783 client_write
= chunk_create(block
.ptr
, mks
);
784 block
= chunk_skip(block
, mks
);
785 server_write
= chunk_create(block
.ptr
, mks
);
786 block
= chunk_skip(block
, mks
);
787 if (this->tls
->is_server(this->tls
))
789 this->signer_in
->set_key(this->signer_in
, client_write
);
790 this->signer_out
->set_key(this->signer_out
, server_write
);
794 this->signer_out
->set_key(this->signer_out
, client_write
);
795 this->signer_in
->set_key(this->signer_in
, server_write
);
798 /* crypter keys, and IVs if < TLSv1.2 */
799 if (this->crypter_out
&& this->crypter_in
)
801 client_write
= chunk_create(block
.ptr
, eks
);
802 block
= chunk_skip(block
, eks
);
803 server_write
= chunk_create(block
.ptr
, eks
);
804 block
= chunk_skip(block
, eks
);
806 if (this->tls
->is_server(this->tls
))
808 this->crypter_in
->set_key(this->crypter_in
, client_write
);
809 this->crypter_out
->set_key(this->crypter_out
, server_write
);
813 this->crypter_out
->set_key(this->crypter_out
, client_write
);
814 this->crypter_in
->set_key(this->crypter_in
, server_write
);
818 client_write
= chunk_create(block
.ptr
, ivs
);
819 block
= chunk_skip(block
, ivs
);
820 server_write
= chunk_create(block
.ptr
, ivs
);
821 block
= chunk_skip(block
, ivs
);
823 if (this->tls
->is_server(this->tls
))
825 this->iv_in
= chunk_clone(client_write
);
826 this->iv_out
= chunk_clone(server_write
);
830 this->iv_out
= chunk_clone(client_write
);
831 this->iv_in
= chunk_clone(server_write
);
837 METHOD(tls_crypto_t
, change_cipher
, void,
838 private_tls_crypto_t
*this, bool inbound
)
840 if (this->protection
)
844 this->protection
->set_cipher(this->protection
, TRUE
,
845 this->signer_in
, this->crypter_in
, this->iv_in
);
849 this->protection
->set_cipher(this->protection
, FALSE
,
850 this->signer_out
, this->crypter_out
, this->iv_out
);
855 METHOD(tls_crypto_t
, derive_eap_msk
, void,
856 private_tls_crypto_t
*this, chunk_t client_random
, chunk_t server_random
)
860 seed
= chunk_cata("cc", client_random
, server_random
);
862 this->msk
= chunk_alloc(64);
863 this->prf
->get_bytes(this->prf
, this->msk_label
, seed
,
864 this->msk
.len
, this->msk
.ptr
);
867 METHOD(tls_crypto_t
, get_eap_msk
, chunk_t
,
868 private_tls_crypto_t
*this)
873 METHOD(tls_crypto_t
, destroy
, void,
874 private_tls_crypto_t
*this)
876 DESTROY_IF(this->signer_in
);
877 DESTROY_IF(this->signer_out
);
878 DESTROY_IF(this->crypter_in
);
879 DESTROY_IF(this->crypter_out
);
880 free(this->iv_in
.ptr
);
881 free(this->iv_out
.ptr
);
882 free(this->handshake
.ptr
);
884 DESTROY_IF(this->prf
);
892 tls_crypto_t
*tls_crypto_create(tls_t
*tls
, char *msk_label
)
894 private_tls_crypto_t
*this;
898 .get_cipher_suites
= _get_cipher_suites
,
899 .select_cipher_suite
= _select_cipher_suite
,
900 .set_protection
= _set_protection
,
901 .append_handshake
= _append_handshake
,
902 .sign_handshake
= _sign_handshake
,
903 .verify_handshake
= _verify_handshake
,
904 .calculate_finished
= _calculate_finished
,
905 .derive_secrets
= _derive_secrets
,
906 .change_cipher
= _change_cipher
,
907 .derive_eap_msk
= _derive_eap_msk
,
908 .get_eap_msk
= _get_eap_msk
,
912 .msk_label
= msk_label
915 build_cipher_suite_list(this);
917 return &this->public;