]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blob
? search:


e38bf83cfbc777714400c8fd25a6162fb2ee0cb7
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309
310 typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312 /**
313 * Private data of an tls_crypto_t object.
314 */
315 struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
321
322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
386
387 /**
388 * EAP-[T]TLS MSK
389 */
390 chunk_t msk;
391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
396 };
397
398 typedef struct {
399 tls_cipher_suite_t suite;
400 hash_algorithm_t hash;
401 pseudo_random_function_t prf;
402 diffie_hellman_group_t dh;
403 integrity_algorithm_t mac;
404 encryption_algorithm_t encr;
405 size_t encr_size;
406 } suite_algs_t;
407
408 /**
409 * Mapping suites to a set of algorithms
410 */
411 static suite_algs_t suite_algs[] = {
412 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
413 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
414 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
415 },
416 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
417 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_3072_BIT,
418 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
419 },
420 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
421 HASH_SHA1, PRF_HMAC_SHA1, MODP_3072_BIT,
422 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
423 },
424 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
425 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_4096_BIT,
426 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
427 },
428 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
429 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
430 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
431 },
432 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
433 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_3072_BIT,
434 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
435 },
436 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
437 HASH_SHA1, PRF_HMAC_SHA1, MODP_3072_BIT,
438 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
439 },
440 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
441 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_4096_BIT,
442 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
443 },
444 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
445 HASH_SHA1, PRF_HMAC_SHA1, MODP_2048_BIT,
446 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
447 },
448 { TLS_RSA_WITH_AES_128_CBC_SHA,
449 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
450 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
451 },
452 { TLS_RSA_WITH_AES_128_CBC_SHA256,
453 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
454 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
455 },
456 { TLS_RSA_WITH_AES_256_CBC_SHA,
457 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
458 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
459 },
460 { TLS_RSA_WITH_AES_256_CBC_SHA256,
461 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
462 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
463 },
464 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
465 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
466 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
467 },
468 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
469 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
470 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
471 },
472 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
473 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
474 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
475 },
476 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
477 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
478 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
479 },
480 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
481 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
482 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
483 },
484 { TLS_RSA_WITH_NULL_SHA,
485 HASH_SHA1, PRF_HMAC_SHA1, MODP_NONE,
486 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
487 },
488 { TLS_RSA_WITH_NULL_SHA256,
489 HASH_SHA256, PRF_HMAC_SHA2_256, MODP_NONE,
490 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
491 },
492 { TLS_RSA_WITH_NULL_MD5,
493 HASH_MD5, PRF_HMAC_MD5, MODP_NONE,
494 AUTH_HMAC_MD5_128, ENCR_NULL, 0
495 },
496 };
497
498 /**
499 * Look up algoritms by a suite
500 */
501 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
502 {
503 int i;
504
505 for (i = 0; i < countof(suite_algs); i++)
506 {
507 if (suite_algs[i].suite == suite)
508 {
509 return &suite_algs[i];
510 }
511 }
512 return NULL;
513 }
514
515 /**
516 * Filter a suite list using a transform enumerator
517 */
518 static void filter_suite(private_tls_crypto_t *this,
519 suite_algs_t suites[], int *count, int offset,
520 enumerator_t*(*create_enumerator)(crypto_factory_t*))
521 {
522 suite_algs_t current;
523 int i, remaining = 0;
524 enumerator_t *enumerator;
525
526 memset(&current, 0, sizeof(current));
527 for (i = 0; i < *count; i++)
528 {
529 enumerator = create_enumerator(lib->crypto);
530 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
531 {
532 if ((suites[i].encr == ENCR_NULL ||
533 !current.encr || current.encr == suites[i].encr) &&
534 (!current.mac || current.mac == suites[i].mac) &&
535 (!current.prf || current.prf == suites[i].prf) &&
536 (!current.hash || current.hash == suites[i].hash))
537 {
538 suites[remaining] = suites[i];
539 remaining++;
540 break;
541 }
542 }
543 enumerator->destroy(enumerator);
544 }
545 *count = remaining;
546 }
547
548 /**
549 * Purge NULL encryption cipher suites from list
550 */
551 static void filter_null_suites(private_tls_crypto_t *this,
552 suite_algs_t suites[], int *count)
553 {
554 int i, remaining = 0;
555
556 for (i = 0; i < *count; i++)
557 {
558 if (suites[i].encr != ENCR_NULL)
559 {
560 suites[remaining] = suites[i];
561 remaining++;
562 }
563 }
564 *count = remaining;
565 }
566
567 /**
568 * Initialize the cipher suite list
569 */
570 static void build_cipher_suite_list(private_tls_crypto_t *this,
571 bool require_encryption)
572 {
573 suite_algs_t suites[countof(suite_algs)];
574 int count = countof(suite_algs), i;
575
576 /* copy all suites */
577 for (i = 0; i < count; i++)
578 {
579 suites[i] = suite_algs[i];
580 }
581 if (require_encryption)
582 {
583 filter_null_suites(this, suites, &count);
584 }
585 /* filter suite list by each algorithm */
586 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
587 lib->crypto->create_crypter_enumerator);
588 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
589 lib->crypto->create_signer_enumerator);
590 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
591 lib->crypto->create_prf_enumerator);
592 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
593 lib->crypto->create_hasher_enumerator);
594
595 free(this->suites);
596 this->suite_count = count;
597 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
598
599 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
600 for (i = 0; i < count; i++)
601 {
602 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
603 this->suites[i] = suites[i].suite;
604 }
605 }
606
607 METHOD(tls_crypto_t, get_cipher_suites, int,
608 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
609 {
610 *suites = this->suites;
611 return this->suite_count;
612 }
613
614 /**
615 * Create crypto primitives
616 */
617 static bool create_ciphers(private_tls_crypto_t *this, tls_cipher_suite_t suite)
618 {
619 suite_algs_t *algs;
620
621 algs = find_suite(suite);
622 if (!algs)
623 {
624 DBG1(DBG_TLS, "selected TLS suite not supported");
625 return FALSE;
626 }
627
628 DESTROY_IF(this->prf);
629 if (this->tls->get_version(this->tls) < TLS_1_2)
630 {
631 this->prf = tls_prf_create_10();
632 }
633 else
634 {
635 this->prf = tls_prf_create_12(algs->prf);
636 }
637 if (!this->prf)
638 {
639 DBG1(DBG_TLS, "selected TLS PRF not supported");
640 return FALSE;
641 }
642
643 DESTROY_IF(this->signer_in);
644 DESTROY_IF(this->signer_out);
645 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
646 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
647 if (!this->signer_in || !this->signer_out)
648 {
649 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
650 integrity_algorithm_names, algs->mac);
651 return FALSE;
652 }
653
654 DESTROY_IF(this->crypter_in);
655 DESTROY_IF(this->crypter_out);
656 if (algs->encr == ENCR_NULL)
657 {
658 this->crypter_in = this->crypter_out = NULL;
659 }
660 else
661 {
662 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
663 algs->encr, algs->encr_size);
664 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
665 algs->encr, algs->encr_size);
666 if (!this->crypter_in || !this->crypter_out)
667 {
668 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
669 encryption_algorithm_names, algs->encr);
670 return FALSE;
671 }
672 }
673 return TRUE;
674 }
675
676 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
677 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count)
678 {
679 int i, j;
680
681 for (i = 0; i < this->suite_count; i++)
682 {
683 for (j = 0; j < count; j++)
684 {
685 if (this->suites[i] == suites[j])
686 {
687 if (create_ciphers(this, this->suites[i]))
688 {
689 this->suite = this->suites[i];
690 return this->suite;
691 }
692 }
693 }
694 }
695 return 0;
696 }
697
698 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
699 private_tls_crypto_t *this)
700 {
701 suite_algs_t *algs;
702
703 algs = find_suite(this->suite);
704 if (algs)
705 {
706 return algs->dh;
707 }
708 return MODP_NONE;
709 }
710
711 METHOD(tls_crypto_t, get_signature_algorithms, void,
712 private_tls_crypto_t *this, tls_writer_t *writer)
713 {
714 tls_writer_t *supported;
715 enumerator_t *enumerator;
716 hash_algorithm_t alg;
717 tls_hash_algorithm_t hash;
718
719 supported = tls_writer_create(32);
720 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
721 while (enumerator->enumerate(enumerator, &alg))
722 {
723 switch (alg)
724 {
725 case HASH_MD5:
726 hash = TLS_HASH_MD5;
727 break;
728 case HASH_SHA1:
729 hash = TLS_HASH_SHA1;
730 break;
731 case HASH_SHA224:
732 hash = TLS_HASH_SHA224;
733 break;
734 case HASH_SHA256:
735 hash = TLS_HASH_SHA256;
736 break;
737 case HASH_SHA384:
738 hash = TLS_HASH_SHA384;
739 break;
740 case HASH_SHA512:
741 hash = TLS_HASH_SHA512;
742 break;
743 default:
744 continue;
745 }
746 supported->write_uint8(supported, hash);
747 supported->write_uint8(supported, TLS_SIG_RSA);
748 if (alg != HASH_MD5 && alg != HASH_SHA224)
749 {
750 supported->write_uint8(supported, hash);
751 supported->write_uint8(supported, TLS_SIG_ECDSA);
752 }
753 }
754 enumerator->destroy(enumerator);
755
756 writer->write_data16(writer, supported->get_buf(supported));
757 supported->destroy(supported);
758 }
759
760 METHOD(tls_crypto_t, set_protection, void,
761 private_tls_crypto_t *this, tls_protection_t *protection)
762 {
763 this->protection = protection;
764 }
765
766 METHOD(tls_crypto_t, append_handshake, void,
767 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
768 {
769 u_int32_t header;
770
771 /* reconstruct handshake header */
772 header = htonl(data.len | (type << 24));
773 this->handshake = chunk_cat("mcc", this->handshake,
774 chunk_from_thing(header), data);
775 }
776
777 /**
778 * Create a hash using the suites HASH algorithm
779 */
780 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
781 {
782 if (this->tls->get_version(this->tls) >= TLS_1_2)
783 {
784 hasher_t *hasher;
785 suite_algs_t *alg;
786
787 alg = find_suite(this->suite);
788 if (!alg)
789 {
790 return FALSE;
791 }
792 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
793 if (!hasher)
794 {
795 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
796 return FALSE;
797 }
798 hasher->allocate_hash(hasher, data, hash);
799 hasher->destroy(hasher);
800 }
801 else
802 {
803 hasher_t *md5, *sha1;
804 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
805
806 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
807 if (!md5)
808 {
809 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
810 return FALSE;
811 }
812 md5->get_hash(md5, data, buf);
813 md5->destroy(md5);
814 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
815 if (!sha1)
816 {
817 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
818 return FALSE;
819 }
820 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
821 sha1->destroy(sha1);
822
823 *hash = chunk_clone(chunk_from_thing(buf));
824 }
825 return TRUE;
826 }
827
828 /**
829 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
830 */
831 static signature_scheme_t hashsig_to_scheme(key_type_t type,
832 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
833 {
834 switch (sig)
835 {
836 case TLS_SIG_RSA:
837 if (type != KEY_RSA)
838 {
839 return SIGN_UNKNOWN;
840 }
841 switch (hash)
842 {
843 case TLS_HASH_MD5:
844 return SIGN_RSA_EMSA_PKCS1_MD5;
845 case TLS_HASH_SHA1:
846 return SIGN_RSA_EMSA_PKCS1_SHA1;
847 case TLS_HASH_SHA224:
848 return SIGN_RSA_EMSA_PKCS1_SHA224;
849 case TLS_HASH_SHA256:
850 return SIGN_RSA_EMSA_PKCS1_SHA256;
851 case TLS_HASH_SHA384:
852 return SIGN_RSA_EMSA_PKCS1_SHA384;
853 case TLS_HASH_SHA512:
854 return SIGN_RSA_EMSA_PKCS1_SHA512;
855 default:
856 return SIGN_UNKNOWN;
857 }
858 case TLS_SIG_ECDSA:
859 if (type != KEY_ECDSA)
860 {
861 return SIGN_UNKNOWN;
862 }
863 switch (hash)
864 {
865 case TLS_HASH_SHA224:
866 return SIGN_ECDSA_WITH_SHA1_DER;
867 case TLS_HASH_SHA256:
868 return SIGN_ECDSA_WITH_SHA256_DER;
869 case TLS_HASH_SHA384:
870 return SIGN_ECDSA_WITH_SHA384_DER;
871 case TLS_HASH_SHA512:
872 return SIGN_ECDSA_WITH_SHA512_DER;
873 default:
874 return SIGN_UNKNOWN;
875 }
876 default:
877 return SIGN_UNKNOWN;
878 }
879 }
880
881 METHOD(tls_crypto_t, sign, bool,
882 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
883 chunk_t data, chunk_t hashsig)
884 {
885 if (this->tls->get_version(this->tls) >= TLS_1_2)
886 {
887 signature_scheme_t scheme;
888 tls_reader_t *reader;
889 u_int8_t hash, alg;
890 chunk_t sig;
891 bool done = FALSE;
892
893 if (!hashsig.len)
894 { /* fallback if none given */
895 hashsig = chunk_from_chars(
896 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
897 }
898 reader = tls_reader_create(hashsig);
899 while (reader->remaining(reader) >= 2)
900 {
901 if (reader->read_uint8(reader, &hash) &&
902 reader->read_uint8(reader, &alg))
903 {
904 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
905 if (scheme != SIGN_UNKNOWN &&
906 key->sign(key, scheme, data, &sig))
907 {
908 done = TRUE;
909 break;
910 }
911 }
912 }
913 reader->destroy(reader);
914 if (!done)
915 {
916 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
917 return FALSE;
918 }
919 DBG2(DBG_TLS, "created signature with %N/%N",
920 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
921 writer->write_uint8(writer, hash);
922 writer->write_uint8(writer, alg);
923 writer->write_data16(writer, sig);
924 free(sig.ptr);
925 }
926 else
927 {
928 chunk_t sig, hash;
929 bool done;
930
931 switch (key->get_type(key))
932 {
933 case KEY_RSA:
934 if (!hash_data(this, data, &hash))
935 {
936 return FALSE;
937 }
938 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
939 free(hash.ptr);
940 if (!done)
941 {
942 return FALSE;
943 }
944 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
945 break;
946 case KEY_ECDSA:
947 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
948 {
949 return FALSE;
950 }
951 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
952 break;
953 default:
954 return FALSE;
955 }
956 writer->write_data16(writer, sig);
957 free(sig.ptr);
958 }
959 return TRUE;
960 }
961
962 METHOD(tls_crypto_t, verify, bool,
963 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
964 chunk_t data)
965 {
966 if (this->tls->get_version(this->tls) >= TLS_1_2)
967 {
968 signature_scheme_t scheme = SIGN_UNKNOWN;
969 u_int8_t hash, alg;
970 chunk_t sig;
971
972 if (!reader->read_uint8(reader, &hash) ||
973 !reader->read_uint8(reader, &alg) ||
974 !reader->read_data16(reader, &sig))
975 {
976 DBG1(DBG_TLS, "received invalid signature");
977 return FALSE;
978 }
979 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
980 if (scheme == SIGN_UNKNOWN)
981 {
982 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
983 tls_hash_algorithm_names, hash,
984 tls_signature_algorithm_names, alg);
985 return FALSE;
986 }
987 if (!key->verify(key, scheme, data, sig))
988 {
989 return FALSE;
990 }
991 DBG2(DBG_TLS, "verified signature with %N/%N",
992 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
993 }
994 else
995 {
996 chunk_t sig, hash;
997 bool done;
998
999 if (!reader->read_data16(reader, &sig))
1000 {
1001 DBG1(DBG_TLS, "received invalid signature");
1002 return FALSE;
1003 }
1004 switch (key->get_type(key))
1005 {
1006 case KEY_RSA:
1007 if (!hash_data(this, data, &hash))
1008 {
1009 return FALSE;
1010 }
1011 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1012 free(hash.ptr);
1013 if (!done)
1014 {
1015 return FALSE;
1016 }
1017 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1018 break;
1019 case KEY_ECDSA:
1020 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1021 {
1022 return FALSE;
1023 }
1024 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1025 break;
1026 default:
1027 return FALSE;
1028 }
1029 }
1030 return TRUE;
1031 }
1032
1033 METHOD(tls_crypto_t, sign_handshake, bool,
1034 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1035 chunk_t hashsig)
1036 {
1037 return sign(this, key, writer, this->handshake, hashsig);
1038 }
1039
1040 METHOD(tls_crypto_t, verify_handshake, bool,
1041 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1042 {
1043 return verify(this, key, reader, this->handshake);
1044 }
1045
1046 METHOD(tls_crypto_t, calculate_finished, bool,
1047 private_tls_crypto_t *this, char *label, char out[12])
1048 {
1049 chunk_t seed;
1050
1051 if (!this->prf)
1052 {
1053 return FALSE;
1054 }
1055 if (!hash_data(this, this->handshake, &seed))
1056 {
1057 return FALSE;
1058 }
1059 this->prf->get_bytes(this->prf, label, seed, 12, out);
1060 free(seed.ptr);
1061 return TRUE;
1062 }
1063
1064 METHOD(tls_crypto_t, derive_secrets, void,
1065 private_tls_crypto_t *this, chunk_t premaster,
1066 chunk_t client_random, chunk_t server_random)
1067 {
1068 char master[48];
1069 chunk_t seed, block, client_write, server_write;
1070 int mks, eks = 0, ivs = 0;
1071
1072 /* derive master secret */
1073 seed = chunk_cata("cc", client_random, server_random);
1074 this->prf->set_key(this->prf, premaster);
1075 this->prf->get_bytes(this->prf, "master secret", seed,
1076 sizeof(master), master);
1077
1078 this->prf->set_key(this->prf, chunk_from_thing(master));
1079 memset(master, 0, sizeof(master));
1080
1081 /* derive key block for key expansion */
1082 mks = this->signer_out->get_key_size(this->signer_out);
1083 if (this->crypter_out)
1084 {
1085 eks = this->crypter_out->get_key_size(this->crypter_out);
1086 if (this->tls->get_version(this->tls) < TLS_1_1)
1087 {
1088 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1089 }
1090 }
1091 seed = chunk_cata("cc", server_random, client_random);
1092 block = chunk_alloca((mks + eks + ivs) * 2);
1093 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1094
1095 /* signer keys */
1096 client_write = chunk_create(block.ptr, mks);
1097 block = chunk_skip(block, mks);
1098 server_write = chunk_create(block.ptr, mks);
1099 block = chunk_skip(block, mks);
1100 if (this->tls->is_server(this->tls))
1101 {
1102 this->signer_in->set_key(this->signer_in, client_write);
1103 this->signer_out->set_key(this->signer_out, server_write);
1104 }
1105 else
1106 {
1107 this->signer_out->set_key(this->signer_out, client_write);
1108 this->signer_in->set_key(this->signer_in, server_write);
1109 }
1110
1111 /* crypter keys, and IVs if < TLSv1.2 */
1112 if (this->crypter_out && this->crypter_in)
1113 {
1114 client_write = chunk_create(block.ptr, eks);
1115 block = chunk_skip(block, eks);
1116 server_write = chunk_create(block.ptr, eks);
1117 block = chunk_skip(block, eks);
1118
1119 if (this->tls->is_server(this->tls))
1120 {
1121 this->crypter_in->set_key(this->crypter_in, client_write);
1122 this->crypter_out->set_key(this->crypter_out, server_write);
1123 }
1124 else
1125 {
1126 this->crypter_out->set_key(this->crypter_out, client_write);
1127 this->crypter_in->set_key(this->crypter_in, server_write);
1128 }
1129 if (ivs)
1130 {
1131 client_write = chunk_create(block.ptr, ivs);
1132 block = chunk_skip(block, ivs);
1133 server_write = chunk_create(block.ptr, ivs);
1134 block = chunk_skip(block, ivs);
1135
1136 if (this->tls->is_server(this->tls))
1137 {
1138 this->iv_in = chunk_clone(client_write);
1139 this->iv_out = chunk_clone(server_write);
1140 }
1141 else
1142 {
1143 this->iv_out = chunk_clone(client_write);
1144 this->iv_in = chunk_clone(server_write);
1145 }
1146 }
1147 }
1148 }
1149
1150 METHOD(tls_crypto_t, change_cipher, void,
1151 private_tls_crypto_t *this, bool inbound)
1152 {
1153 if (this->protection)
1154 {
1155 if (inbound)
1156 {
1157 this->protection->set_cipher(this->protection, TRUE,
1158 this->signer_in, this->crypter_in, this->iv_in);
1159 }
1160 else
1161 {
1162 this->protection->set_cipher(this->protection, FALSE,
1163 this->signer_out, this->crypter_out, this->iv_out);
1164 }
1165 }
1166 }
1167
1168 METHOD(tls_crypto_t, derive_eap_msk, void,
1169 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1170 {
1171 if (this->msk_label)
1172 {
1173 chunk_t seed;
1174
1175 seed = chunk_cata("cc", client_random, server_random);
1176 free(this->msk.ptr);
1177 this->msk = chunk_alloc(64);
1178 this->prf->get_bytes(this->prf, this->msk_label, seed,
1179 this->msk.len, this->msk.ptr);
1180 }
1181 }
1182
1183 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1184 private_tls_crypto_t *this)
1185 {
1186 return this->msk;
1187 }
1188
1189 METHOD(tls_crypto_t, destroy, void,
1190 private_tls_crypto_t *this)
1191 {
1192 DESTROY_IF(this->signer_in);
1193 DESTROY_IF(this->signer_out);
1194 DESTROY_IF(this->crypter_in);
1195 DESTROY_IF(this->crypter_out);
1196 free(this->iv_in.ptr);
1197 free(this->iv_out.ptr);
1198 free(this->handshake.ptr);
1199 free(this->msk.ptr);
1200 DESTROY_IF(this->prf);
1201 free(this->suites);
1202 free(this);
1203 }
1204
1205 /**
1206 * See header
1207 */
1208 tls_crypto_t *tls_crypto_create(tls_t *tls)
1209 {
1210 private_tls_crypto_t *this;
1211
1212 INIT(this,
1213 .public = {
1214 .get_cipher_suites = _get_cipher_suites,
1215 .select_cipher_suite = _select_cipher_suite,
1216 .get_dh_group = _get_dh_group,
1217 .get_signature_algorithms = _get_signature_algorithms,
1218 .set_protection = _set_protection,
1219 .append_handshake = _append_handshake,
1220 .sign = _sign,
1221 .verify = _verify,
1222 .sign_handshake = _sign_handshake,
1223 .verify_handshake = _verify_handshake,
1224 .calculate_finished = _calculate_finished,
1225 .derive_secrets = _derive_secrets,
1226 .change_cipher = _change_cipher,
1227 .derive_eap_msk = _derive_eap_msk,
1228 .get_eap_msk = _get_eap_msk,
1229 .destroy = _destroy,
1230 },
1231 .tls = tls,
1232 );
1233
1234 switch (tls->get_purpose(tls))
1235 {
1236 case TLS_PURPOSE_EAP_TLS:
1237 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1238 this->msk_label = "client EAP encryption";
1239 build_cipher_suite_list(this, FALSE);
1240 break;
1241 case TLS_PURPOSE_EAP_TTLS:
1242 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1243 this->msk_label = "ttls keying material";
1244 build_cipher_suite_list(this, TRUE);
1245 break;
1246 case TLS_PURPOSE_GENERIC:
1247 build_cipher_suite_list(this, TRUE);
1248 break;
1249 }
1250 return &this->public;
1251 }
Unnamed repository; edit this file 'description' to name the repository.