2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "tls_crypto.h"
20 ENUM_BEGIN(tls_cipher_suite_names
, TLS_NULL_WITH_NULL_NULL
,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names
, TLS_KRB5_WITH_DES_CBC_SHA
,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names
, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names
, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256
,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names
, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names
, TLS_ECDH_ECDSA_WITH_NULL_SHA
,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384
,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names
, TLS_ECDHE_PSK_WITH_NULL_SHA384
);
241 ENUM(tls_hash_algorithm_names
, TLS_HASH_NONE
, TLS_HASH_SHA512
,
251 ENUM(tls_signature_algorithm_names
, TLS_SIG_RSA
, TLS_SIG_ECDSA
,
257 ENUM_BEGIN(tls_client_certificate_type_names
,
258 TLS_RSA_SIGN
, TLS_DSS_EPHEMERAL_DH
,
265 ENUM_NEXT(tls_client_certificate_type_names
,
266 TLS_FORTEZZA_DMS
, TLS_FORTEZZA_DMS
, TLS_DSS_EPHEMERAL_DH
,
268 ENUM_NEXT(tls_client_certificate_type_names
,
269 TLS_ECDSA_SIGN
, TLS_ECDSA_FIXED_ECDH
, TLS_FORTEZZA_DMS
,
273 ENUM_END(tls_client_certificate_type_names
, TLS_ECDSA_FIXED_ECDH
);
275 ENUM(tls_ecc_curve_type_names
, TLS_ECC_EXPLICIT_PRIME
, TLS_ECC_NAMED_CURVE
,
281 ENUM(tls_named_curve_names
, TLS_SECT163K1
, TLS_SECP521R1
,
310 typedef struct private_tls_crypto_t private_tls_crypto_t
;
313 * Private data of an tls_crypto_t object.
315 struct private_tls_crypto_t
{
318 * Public tls_crypto_t interface.
325 tls_protection_t
*protection
;
328 * List of supported/acceptable cipher suites
330 tls_cipher_suite_t
*suites
;
333 * Number of supported suites
338 * Selected cipher suite
340 tls_cipher_suite_t suite
;
348 * All handshake data concatentated
353 * Connection state TLS PRF
358 * Signer instance for inbound traffic
363 * Signer instance for outbound traffic
365 signer_t
*signer_out
;
368 * Crypter instance for inbound traffic
370 crypter_t
*crypter_in
;
373 * Crypter instance for outbound traffic
375 crypter_t
*crypter_out
;
378 * IV for input decryption, if < TLSv1.2
383 * IV for output decryption, if < TLSv1.2
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
399 tls_cipher_suite_t suite
;
400 hash_algorithm_t hash
;
401 pseudo_random_function_t prf
;
402 diffie_hellman_group_t dh
;
403 integrity_algorithm_t mac
;
404 encryption_algorithm_t encr
;
409 * Mapping suites to a set of algorithms
411 static suite_algs_t suite_algs
[] = {
412 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA
,
413 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_2048_BIT
,
414 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
416 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
,
417 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_3072_BIT
,
418 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
420 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA
,
421 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_3072_BIT
,
422 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
424 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
,
425 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_4096_BIT
,
426 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32
428 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
,
429 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_2048_BIT
,
430 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16
432 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
433 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_3072_BIT
,
434 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16
436 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
,
437 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_3072_BIT
,
438 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32
440 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
441 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_4096_BIT
,
442 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32
444 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
,
445 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_2048_BIT
,
446 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
448 { TLS_RSA_WITH_AES_128_CBC_SHA
,
449 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_NONE
,
450 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 16
452 { TLS_RSA_WITH_AES_128_CBC_SHA256
,
453 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_NONE
,
454 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 16
456 { TLS_RSA_WITH_AES_256_CBC_SHA
,
457 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_NONE
,
458 AUTH_HMAC_SHA1_160
, ENCR_AES_CBC
, 32
460 { TLS_RSA_WITH_AES_256_CBC_SHA256
,
461 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_NONE
,
462 AUTH_HMAC_SHA2_256_256
, ENCR_AES_CBC
, 32
464 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
,
465 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_NONE
,
466 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 16
468 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
,
469 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_NONE
,
470 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 16
472 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
,
473 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_NONE
,
474 AUTH_HMAC_SHA1_160
, ENCR_CAMELLIA_CBC
, 32
476 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
,
477 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_NONE
,
478 AUTH_HMAC_SHA2_256_256
, ENCR_CAMELLIA_CBC
, 32
480 { TLS_RSA_WITH_3DES_EDE_CBC_SHA
,
481 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_NONE
,
482 AUTH_HMAC_SHA1_160
, ENCR_3DES
, 0
484 { TLS_RSA_WITH_NULL_SHA
,
485 HASH_SHA1
, PRF_HMAC_SHA1
, MODP_NONE
,
486 AUTH_HMAC_SHA1_160
, ENCR_NULL
, 0
488 { TLS_RSA_WITH_NULL_SHA256
,
489 HASH_SHA256
, PRF_HMAC_SHA2_256
, MODP_NONE
,
490 AUTH_HMAC_SHA2_256_256
, ENCR_NULL
, 0
492 { TLS_RSA_WITH_NULL_MD5
,
493 HASH_MD5
, PRF_HMAC_MD5
, MODP_NONE
,
494 AUTH_HMAC_MD5_128
, ENCR_NULL
, 0
499 * Look up algoritms by a suite
501 static suite_algs_t
*find_suite(tls_cipher_suite_t suite
)
505 for (i
= 0; i
< countof(suite_algs
); i
++)
507 if (suite_algs
[i
].suite
== suite
)
509 return &suite_algs
[i
];
516 * Filter a suite list using a transform enumerator
518 static void filter_suite(private_tls_crypto_t
*this,
519 suite_algs_t suites
[], int *count
, int offset
,
520 enumerator_t
*(*create_enumerator
)(crypto_factory_t
*))
522 suite_algs_t current
;
523 int i
, remaining
= 0;
524 enumerator_t
*enumerator
;
526 memset(¤t
, 0, sizeof(current
));
527 for (i
= 0; i
< *count
; i
++)
529 enumerator
= create_enumerator(lib
->crypto
);
530 while (enumerator
->enumerate(enumerator
, ((char*)¤t
) + offset
))
532 if ((suites
[i
].encr
== ENCR_NULL
||
533 !current
.encr
|| current
.encr
== suites
[i
].encr
) &&
534 (!current
.mac
|| current
.mac
== suites
[i
].mac
) &&
535 (!current
.prf
|| current
.prf
== suites
[i
].prf
) &&
536 (!current
.hash
|| current
.hash
== suites
[i
].hash
))
538 suites
[remaining
] = suites
[i
];
543 enumerator
->destroy(enumerator
);
549 * Purge NULL encryption cipher suites from list
551 static void filter_null_suites(private_tls_crypto_t
*this,
552 suite_algs_t suites
[], int *count
)
554 int i
, remaining
= 0;
556 for (i
= 0; i
< *count
; i
++)
558 if (suites
[i
].encr
!= ENCR_NULL
)
560 suites
[remaining
] = suites
[i
];
568 * Initialize the cipher suite list
570 static void build_cipher_suite_list(private_tls_crypto_t
*this,
571 bool require_encryption
)
573 suite_algs_t suites
[countof(suite_algs
)];
574 int count
= countof(suite_algs
), i
;
576 /* copy all suites */
577 for (i
= 0; i
< count
; i
++)
579 suites
[i
] = suite_algs
[i
];
581 if (require_encryption
)
583 filter_null_suites(this, suites
, &count
);
585 /* filter suite list by each algorithm */
586 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, encr
),
587 lib
->crypto
->create_crypter_enumerator
);
588 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, mac
),
589 lib
->crypto
->create_signer_enumerator
);
590 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, prf
),
591 lib
->crypto
->create_prf_enumerator
);
592 filter_suite(this, suites
, &count
, offsetof(suite_algs_t
, hash
),
593 lib
->crypto
->create_hasher_enumerator
);
596 this->suite_count
= count
;
597 this->suites
= malloc(sizeof(tls_cipher_suite_t
) * count
);
599 DBG2(DBG_TLS
, "%d supported TLS cipher suites:", count
);
600 for (i
= 0; i
< count
; i
++)
602 DBG2(DBG_TLS
, " %N", tls_cipher_suite_names
, suites
[i
].suite
);
603 this->suites
[i
] = suites
[i
].suite
;
607 METHOD(tls_crypto_t
, get_cipher_suites
, int,
608 private_tls_crypto_t
*this, tls_cipher_suite_t
**suites
)
610 *suites
= this->suites
;
611 return this->suite_count
;
615 * Create crypto primitives
617 static bool create_ciphers(private_tls_crypto_t
*this, tls_cipher_suite_t suite
)
621 algs
= find_suite(suite
);
624 DBG1(DBG_TLS
, "selected TLS suite not supported");
628 DESTROY_IF(this->prf
);
629 if (this->tls
->get_version(this->tls
) < TLS_1_2
)
631 this->prf
= tls_prf_create_10();
635 this->prf
= tls_prf_create_12(algs
->prf
);
639 DBG1(DBG_TLS
, "selected TLS PRF not supported");
643 DESTROY_IF(this->signer_in
);
644 DESTROY_IF(this->signer_out
);
645 this->signer_in
= lib
->crypto
->create_signer(lib
->crypto
, algs
->mac
);
646 this->signer_out
= lib
->crypto
->create_signer(lib
->crypto
, algs
->mac
);
647 if (!this->signer_in
|| !this->signer_out
)
649 DBG1(DBG_TLS
, "selected TLS MAC %N not supported",
650 integrity_algorithm_names
, algs
->mac
);
654 DESTROY_IF(this->crypter_in
);
655 DESTROY_IF(this->crypter_out
);
656 if (algs
->encr
== ENCR_NULL
)
658 this->crypter_in
= this->crypter_out
= NULL
;
662 this->crypter_in
= lib
->crypto
->create_crypter(lib
->crypto
,
663 algs
->encr
, algs
->encr_size
);
664 this->crypter_out
= lib
->crypto
->create_crypter(lib
->crypto
,
665 algs
->encr
, algs
->encr_size
);
666 if (!this->crypter_in
|| !this->crypter_out
)
668 DBG1(DBG_TLS
, "selected TLS crypter %N not supported",
669 encryption_algorithm_names
, algs
->encr
);
676 METHOD(tls_crypto_t
, select_cipher_suite
, tls_cipher_suite_t
,
677 private_tls_crypto_t
*this, tls_cipher_suite_t
*suites
, int count
)
681 for (i
= 0; i
< this->suite_count
; i
++)
683 for (j
= 0; j
< count
; j
++)
685 if (this->suites
[i
] == suites
[j
])
687 if (create_ciphers(this, this->suites
[i
]))
689 this->suite
= this->suites
[i
];
698 METHOD(tls_crypto_t
, get_dh_group
, diffie_hellman_group_t
,
699 private_tls_crypto_t
*this)
703 algs
= find_suite(this->suite
);
711 METHOD(tls_crypto_t
, get_signature_algorithms
, void,
712 private_tls_crypto_t
*this, tls_writer_t
*writer
)
714 tls_writer_t
*supported
;
715 enumerator_t
*enumerator
;
716 hash_algorithm_t alg
;
717 tls_hash_algorithm_t hash
;
719 supported
= tls_writer_create(32);
720 enumerator
= lib
->crypto
->create_hasher_enumerator(lib
->crypto
);
721 while (enumerator
->enumerate(enumerator
, &alg
))
729 hash
= TLS_HASH_SHA1
;
732 hash
= TLS_HASH_SHA224
;
735 hash
= TLS_HASH_SHA256
;
738 hash
= TLS_HASH_SHA384
;
741 hash
= TLS_HASH_SHA512
;
746 supported
->write_uint8(supported
, hash
);
747 supported
->write_uint8(supported
, TLS_SIG_RSA
);
748 if (alg
!= HASH_MD5
&& alg
!= HASH_SHA224
)
750 supported
->write_uint8(supported
, hash
);
751 supported
->write_uint8(supported
, TLS_SIG_ECDSA
);
754 enumerator
->destroy(enumerator
);
756 writer
->write_data16(writer
, supported
->get_buf(supported
));
757 supported
->destroy(supported
);
760 METHOD(tls_crypto_t
, get_curves
, void,
761 private_tls_crypto_t
*this, tls_writer_t
*writer
)
763 u_int16_t curves
[] = {
764 htons(TLS_SECP256R1
),
765 htons(TLS_SECP384R1
),
766 htons(TLS_SECP521R1
),
767 htons(TLS_SECP192R1
),
768 htons(TLS_SECP224R1
),
770 writer
->write_data16(writer
, chunk_from_thing(curves
));
773 METHOD(tls_crypto_t
, set_protection
, void,
774 private_tls_crypto_t
*this, tls_protection_t
*protection
)
776 this->protection
= protection
;
779 METHOD(tls_crypto_t
, append_handshake
, void,
780 private_tls_crypto_t
*this, tls_handshake_type_t type
, chunk_t data
)
784 /* reconstruct handshake header */
785 header
= htonl(data
.len
| (type
<< 24));
786 this->handshake
= chunk_cat("mcc", this->handshake
,
787 chunk_from_thing(header
), data
);
791 * Create a hash using the suites HASH algorithm
793 static bool hash_data(private_tls_crypto_t
*this, chunk_t data
, chunk_t
*hash
)
795 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
800 alg
= find_suite(this->suite
);
805 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, alg
->hash
);
808 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, alg
->hash
);
811 hasher
->allocate_hash(hasher
, data
, hash
);
812 hasher
->destroy(hasher
);
816 hasher_t
*md5
, *sha1
;
817 char buf
[HASH_SIZE_MD5
+ HASH_SIZE_SHA1
];
819 md5
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
);
822 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_MD5
);
825 md5
->get_hash(md5
, data
, buf
);
827 sha1
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
830 DBG1(DBG_TLS
, "%N not supported", hash_algorithm_names
, HASH_SHA1
);
833 sha1
->get_hash(sha1
, data
, buf
+ HASH_SIZE_MD5
);
836 *hash
= chunk_clone(chunk_from_thing(buf
));
842 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
844 static signature_scheme_t
hashsig_to_scheme(key_type_t type
,
845 tls_hash_algorithm_t hash
, tls_signature_algorithm_t sig
)
857 return SIGN_RSA_EMSA_PKCS1_MD5
;
859 return SIGN_RSA_EMSA_PKCS1_SHA1
;
860 case TLS_HASH_SHA224
:
861 return SIGN_RSA_EMSA_PKCS1_SHA224
;
862 case TLS_HASH_SHA256
:
863 return SIGN_RSA_EMSA_PKCS1_SHA256
;
864 case TLS_HASH_SHA384
:
865 return SIGN_RSA_EMSA_PKCS1_SHA384
;
866 case TLS_HASH_SHA512
:
867 return SIGN_RSA_EMSA_PKCS1_SHA512
;
872 if (type
!= KEY_ECDSA
)
878 case TLS_HASH_SHA224
:
879 return SIGN_ECDSA_WITH_SHA1_DER
;
880 case TLS_HASH_SHA256
:
881 return SIGN_ECDSA_WITH_SHA256_DER
;
882 case TLS_HASH_SHA384
:
883 return SIGN_ECDSA_WITH_SHA384_DER
;
884 case TLS_HASH_SHA512
:
885 return SIGN_ECDSA_WITH_SHA512_DER
;
894 METHOD(tls_crypto_t
, sign
, bool,
895 private_tls_crypto_t
*this, private_key_t
*key
, tls_writer_t
*writer
,
896 chunk_t data
, chunk_t hashsig
)
898 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
900 signature_scheme_t scheme
;
901 tls_reader_t
*reader
;
907 { /* fallback if none given */
908 hashsig
= chunk_from_chars(
909 TLS_HASH_SHA1
, TLS_SIG_RSA
, TLS_HASH_SHA1
, TLS_SIG_ECDSA
);
911 reader
= tls_reader_create(hashsig
);
912 while (reader
->remaining(reader
) >= 2)
914 if (reader
->read_uint8(reader
, &hash
) &&
915 reader
->read_uint8(reader
, &alg
))
917 scheme
= hashsig_to_scheme(key
->get_type(key
), hash
, alg
);
918 if (scheme
!= SIGN_UNKNOWN
&&
919 key
->sign(key
, scheme
, data
, &sig
))
926 reader
->destroy(reader
);
929 DBG1(DBG_TLS
, "none of the proposed hash/sig algorithms supported");
932 DBG2(DBG_TLS
, "created signature with %N/%N",
933 tls_hash_algorithm_names
, hash
, tls_signature_algorithm_names
, alg
);
934 writer
->write_uint8(writer
, hash
);
935 writer
->write_uint8(writer
, alg
);
936 writer
->write_data16(writer
, sig
);
944 switch (key
->get_type(key
))
947 if (!hash_data(this, data
, &hash
))
951 done
= key
->sign(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, &sig
);
957 DBG2(DBG_TLS
, "created signature with MD5+SHA1/RSA");
960 if (!key
->sign(key
, SIGN_ECDSA_WITH_SHA1_DER
, data
, &sig
))
964 DBG2(DBG_TLS
, "created signature with SHA1/ECDSA");
969 writer
->write_data16(writer
, sig
);
975 METHOD(tls_crypto_t
, verify
, bool,
976 private_tls_crypto_t
*this, public_key_t
*key
, tls_reader_t
*reader
,
979 if (this->tls
->get_version(this->tls
) >= TLS_1_2
)
981 signature_scheme_t scheme
= SIGN_UNKNOWN
;
985 if (!reader
->read_uint8(reader
, &hash
) ||
986 !reader
->read_uint8(reader
, &alg
) ||
987 !reader
->read_data16(reader
, &sig
))
989 DBG1(DBG_TLS
, "received invalid signature");
992 scheme
= hashsig_to_scheme(key
->get_type(key
), hash
, alg
);
993 if (scheme
== SIGN_UNKNOWN
)
995 DBG1(DBG_TLS
, "signature algorithms %N/%N not supported",
996 tls_hash_algorithm_names
, hash
,
997 tls_signature_algorithm_names
, alg
);
1000 if (!key
->verify(key
, scheme
, data
, sig
))
1004 DBG2(DBG_TLS
, "verified signature with %N/%N",
1005 tls_hash_algorithm_names
, hash
, tls_signature_algorithm_names
, alg
);
1012 if (!reader
->read_data16(reader
, &sig
))
1014 DBG1(DBG_TLS
, "received invalid signature");
1017 switch (key
->get_type(key
))
1020 if (!hash_data(this, data
, &hash
))
1024 done
= key
->verify(key
, SIGN_RSA_EMSA_PKCS1_NULL
, hash
, sig
);
1030 DBG2(DBG_TLS
, "verified signature data with MD5+SHA1/RSA");
1033 if (!key
->verify(key
, SIGN_ECDSA_WITH_SHA1_DER
, data
, sig
))
1037 DBG2(DBG_TLS
, "verified signature with SHA1/ECDSA");
1046 METHOD(tls_crypto_t
, sign_handshake
, bool,
1047 private_tls_crypto_t
*this, private_key_t
*key
, tls_writer_t
*writer
,
1050 return sign(this, key
, writer
, this->handshake
, hashsig
);
1053 METHOD(tls_crypto_t
, verify_handshake
, bool,
1054 private_tls_crypto_t
*this, public_key_t
*key
, tls_reader_t
*reader
)
1056 return verify(this, key
, reader
, this->handshake
);
1059 METHOD(tls_crypto_t
, calculate_finished
, bool,
1060 private_tls_crypto_t
*this, char *label
, char out
[12])
1068 if (!hash_data(this, this->handshake
, &seed
))
1072 this->prf
->get_bytes(this->prf
, label
, seed
, 12, out
);
1077 METHOD(tls_crypto_t
, derive_secrets
, void,
1078 private_tls_crypto_t
*this, chunk_t premaster
,
1079 chunk_t client_random
, chunk_t server_random
)
1082 chunk_t seed
, block
, client_write
, server_write
;
1083 int mks
, eks
= 0, ivs
= 0;
1085 /* derive master secret */
1086 seed
= chunk_cata("cc", client_random
, server_random
);
1087 this->prf
->set_key(this->prf
, premaster
);
1088 this->prf
->get_bytes(this->prf
, "master secret", seed
,
1089 sizeof(master
), master
);
1091 this->prf
->set_key(this->prf
, chunk_from_thing(master
));
1092 memset(master
, 0, sizeof(master
));
1094 /* derive key block for key expansion */
1095 mks
= this->signer_out
->get_key_size(this->signer_out
);
1096 if (this->crypter_out
)
1098 eks
= this->crypter_out
->get_key_size(this->crypter_out
);
1099 if (this->tls
->get_version(this->tls
) < TLS_1_1
)
1101 ivs
= this->crypter_out
->get_iv_size(this->crypter_out
);
1104 seed
= chunk_cata("cc", server_random
, client_random
);
1105 block
= chunk_alloca((mks
+ eks
+ ivs
) * 2);
1106 this->prf
->get_bytes(this->prf
, "key expansion", seed
, block
.len
, block
.ptr
);
1109 client_write
= chunk_create(block
.ptr
, mks
);
1110 block
= chunk_skip(block
, mks
);
1111 server_write
= chunk_create(block
.ptr
, mks
);
1112 block
= chunk_skip(block
, mks
);
1113 if (this->tls
->is_server(this->tls
))
1115 this->signer_in
->set_key(this->signer_in
, client_write
);
1116 this->signer_out
->set_key(this->signer_out
, server_write
);
1120 this->signer_out
->set_key(this->signer_out
, client_write
);
1121 this->signer_in
->set_key(this->signer_in
, server_write
);
1124 /* crypter keys, and IVs if < TLSv1.2 */
1125 if (this->crypter_out
&& this->crypter_in
)
1127 client_write
= chunk_create(block
.ptr
, eks
);
1128 block
= chunk_skip(block
, eks
);
1129 server_write
= chunk_create(block
.ptr
, eks
);
1130 block
= chunk_skip(block
, eks
);
1132 if (this->tls
->is_server(this->tls
))
1134 this->crypter_in
->set_key(this->crypter_in
, client_write
);
1135 this->crypter_out
->set_key(this->crypter_out
, server_write
);
1139 this->crypter_out
->set_key(this->crypter_out
, client_write
);
1140 this->crypter_in
->set_key(this->crypter_in
, server_write
);
1144 client_write
= chunk_create(block
.ptr
, ivs
);
1145 block
= chunk_skip(block
, ivs
);
1146 server_write
= chunk_create(block
.ptr
, ivs
);
1147 block
= chunk_skip(block
, ivs
);
1149 if (this->tls
->is_server(this->tls
))
1151 this->iv_in
= chunk_clone(client_write
);
1152 this->iv_out
= chunk_clone(server_write
);
1156 this->iv_out
= chunk_clone(client_write
);
1157 this->iv_in
= chunk_clone(server_write
);
1163 METHOD(tls_crypto_t
, change_cipher
, void,
1164 private_tls_crypto_t
*this, bool inbound
)
1166 if (this->protection
)
1170 this->protection
->set_cipher(this->protection
, TRUE
,
1171 this->signer_in
, this->crypter_in
, this->iv_in
);
1175 this->protection
->set_cipher(this->protection
, FALSE
,
1176 this->signer_out
, this->crypter_out
, this->iv_out
);
1181 METHOD(tls_crypto_t
, derive_eap_msk
, void,
1182 private_tls_crypto_t
*this, chunk_t client_random
, chunk_t server_random
)
1184 if (this->msk_label
)
1188 seed
= chunk_cata("cc", client_random
, server_random
);
1189 free(this->msk
.ptr
);
1190 this->msk
= chunk_alloc(64);
1191 this->prf
->get_bytes(this->prf
, this->msk_label
, seed
,
1192 this->msk
.len
, this->msk
.ptr
);
1196 METHOD(tls_crypto_t
, get_eap_msk
, chunk_t
,
1197 private_tls_crypto_t
*this)
1202 METHOD(tls_crypto_t
, destroy
, void,
1203 private_tls_crypto_t
*this)
1205 DESTROY_IF(this->signer_in
);
1206 DESTROY_IF(this->signer_out
);
1207 DESTROY_IF(this->crypter_in
);
1208 DESTROY_IF(this->crypter_out
);
1209 free(this->iv_in
.ptr
);
1210 free(this->iv_out
.ptr
);
1211 free(this->handshake
.ptr
);
1212 free(this->msk
.ptr
);
1213 DESTROY_IF(this->prf
);
1221 tls_crypto_t
*tls_crypto_create(tls_t
*tls
)
1223 private_tls_crypto_t
*this;
1227 .get_cipher_suites
= _get_cipher_suites
,
1228 .select_cipher_suite
= _select_cipher_suite
,
1229 .get_dh_group
= _get_dh_group
,
1230 .get_signature_algorithms
= _get_signature_algorithms
,
1231 .get_curves
= _get_curves
,
1232 .set_protection
= _set_protection
,
1233 .append_handshake
= _append_handshake
,
1236 .sign_handshake
= _sign_handshake
,
1237 .verify_handshake
= _verify_handshake
,
1238 .calculate_finished
= _calculate_finished
,
1239 .derive_secrets
= _derive_secrets
,
1240 .change_cipher
= _change_cipher
,
1241 .derive_eap_msk
= _derive_eap_msk
,
1242 .get_eap_msk
= _get_eap_msk
,
1243 .destroy
= _destroy
,
1248 switch (tls
->get_purpose(tls
))
1250 case TLS_PURPOSE_EAP_TLS
:
1251 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1252 this->msk_label
= "client EAP encryption";
1253 build_cipher_suite_list(this, FALSE
);
1255 case TLS_PURPOSE_EAP_TTLS
:
1256 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1257 this->msk_label
= "ttls keying material";
1258 build_cipher_suite_list(this, TRUE
);
1260 case TLS_PURPOSE_GENERIC
:
1261 build_cipher_suite_list(this, TRUE
);
1264 return &this->public;