]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add ECDHE enabled cipher suites, including ECDSA variants
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309
310 typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312 /**
313 * Private data of an tls_crypto_t object.
314 */
315 struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
321
322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
386
387 /**
388 * EAP-[T]TLS MSK
389 */
390 chunk_t msk;
391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
396 };
397
398 typedef struct {
399 tls_cipher_suite_t suite;
400 key_type_t key;
401 diffie_hellman_group_t dh;
402 hash_algorithm_t hash;
403 pseudo_random_function_t prf;
404 integrity_algorithm_t mac;
405 encryption_algorithm_t encr;
406 size_t encr_size;
407 } suite_algs_t;
408
409 /**
410 * Mapping suites to a set of algorithms
411 */
412 static suite_algs_t suite_algs[] = {
413 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
414 KEY_ECDSA, ECP_256_BIT,
415 HASH_SHA1, PRF_HMAC_SHA1,
416 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
417 },
418 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
419 KEY_ECDSA, ECP_256_BIT,
420 HASH_SHA256, PRF_HMAC_SHA2_256,
421 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
422 },
423 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
424 KEY_ECDSA, ECP_384_BIT,
425 HASH_SHA1, PRF_HMAC_SHA1,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
427 },
428 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
429 KEY_ECDSA, ECP_384_BIT,
430 HASH_SHA384, PRF_HMAC_SHA2_384,
431 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
432 },
433 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
434 KEY_ECDSA, ECP_256_BIT,
435 HASH_SHA1, PRF_HMAC_SHA1,
436 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
437 },
438 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
439 KEY_ECDSA, ECP_256_BIT,
440 HASH_SHA256, PRF_HMAC_SHA2_256,
441 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
442 },
443 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
444 KEY_ECDSA, ECP_384_BIT,
445 HASH_SHA1, PRF_HMAC_SHA1,
446 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
447 },
448 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
449 KEY_ECDSA, ECP_384_BIT,
450 HASH_SHA384, PRF_HMAC_SHA2_384,
451 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
452 },
453 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
454 KEY_RSA, MODP_2048_BIT,
455 HASH_SHA1, PRF_HMAC_SHA1,
456 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
457 },
458 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
459 KEY_RSA, MODP_3072_BIT,
460 HASH_SHA256, PRF_HMAC_SHA2_256,
461 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
462 },
463 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
464 KEY_RSA, MODP_3072_BIT,
465 HASH_SHA1, PRF_HMAC_SHA1,
466 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
467 },
468 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
469 KEY_RSA, MODP_4096_BIT,
470 HASH_SHA256, PRF_HMAC_SHA2_256,
471 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
472 },
473 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
474 KEY_RSA, MODP_2048_BIT,
475 HASH_SHA1, PRF_HMAC_SHA1,
476 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
477 },
478 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
479 KEY_RSA, MODP_3072_BIT,
480 HASH_SHA256, PRF_HMAC_SHA2_256,
481 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
482 },
483 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
484 KEY_RSA, MODP_3072_BIT,
485 HASH_SHA1, PRF_HMAC_SHA1,
486 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
487 },
488 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
489 KEY_RSA, MODP_4096_BIT,
490 HASH_SHA256, PRF_HMAC_SHA2_256,
491 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
492 },
493 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
494 KEY_RSA, MODP_2048_BIT,
495 HASH_SHA1, PRF_HMAC_SHA1,
496 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
497 },
498 { TLS_RSA_WITH_AES_128_CBC_SHA,
499 KEY_RSA, MODP_NONE,
500 HASH_SHA1, PRF_HMAC_SHA1,
501 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
502 },
503 { TLS_RSA_WITH_AES_128_CBC_SHA256,
504 KEY_RSA, MODP_NONE,
505 HASH_SHA256, PRF_HMAC_SHA2_256,
506 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
507 },
508 { TLS_RSA_WITH_AES_256_CBC_SHA,
509 KEY_RSA, MODP_NONE,
510 HASH_SHA1, PRF_HMAC_SHA1,
511 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
512 },
513 { TLS_RSA_WITH_AES_256_CBC_SHA256,
514 KEY_RSA, MODP_NONE,
515 HASH_SHA256, PRF_HMAC_SHA2_256,
516 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
517 },
518 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
519 KEY_RSA, MODP_NONE,
520 HASH_SHA1, PRF_HMAC_SHA1,
521 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
522 },
523 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
524 KEY_RSA, MODP_NONE,
525 HASH_SHA256, PRF_HMAC_SHA2_256,
526 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
527 },
528 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
529 KEY_RSA, MODP_NONE,
530 HASH_SHA1, PRF_HMAC_SHA1,
531 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
532 },
533 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
534 KEY_RSA, MODP_NONE,
535 HASH_SHA256, PRF_HMAC_SHA2_256,
536 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
537 },
538 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
539 KEY_ECDSA, ECP_256_BIT,
540 HASH_SHA1, PRF_HMAC_SHA1,
541 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
542 },
543 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
544 KEY_ECDSA, ECP_256_BIT,
545 HASH_SHA1, PRF_HMAC_SHA1,
546 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
547 },
548 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
549 KEY_RSA, MODP_NONE,
550 HASH_SHA1, PRF_HMAC_SHA1,
551 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
552 },
553 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
554 KEY_ECDSA, ECP_256_BIT,
555 HASH_SHA1, PRF_HMAC_SHA1,
556 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
557 },
558 { TLS_ECDHE_RSA_WITH_NULL_SHA,
559 KEY_ECDSA, ECP_256_BIT,
560 HASH_SHA1, PRF_HMAC_SHA1,
561 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
562 },
563 { TLS_RSA_WITH_NULL_SHA,
564 KEY_RSA, MODP_NONE,
565 HASH_SHA1, PRF_HMAC_SHA1,
566 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
567 },
568 { TLS_RSA_WITH_NULL_SHA256,
569 KEY_RSA, MODP_NONE,
570 HASH_SHA256, PRF_HMAC_SHA2_256,
571 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
572 },
573 { TLS_RSA_WITH_NULL_MD5,
574 KEY_RSA, MODP_NONE,
575 HASH_MD5, PRF_HMAC_MD5,
576 AUTH_HMAC_MD5_128, ENCR_NULL, 0
577 },
578 };
579
580 /**
581 * Look up algoritms by a suite
582 */
583 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
584 {
585 int i;
586
587 for (i = 0; i < countof(suite_algs); i++)
588 {
589 if (suite_algs[i].suite == suite)
590 {
591 return &suite_algs[i];
592 }
593 }
594 return NULL;
595 }
596
597 /**
598 * Filter a suite list using a transform enumerator
599 */
600 static void filter_suite(private_tls_crypto_t *this,
601 suite_algs_t suites[], int *count, int offset,
602 enumerator_t*(*create_enumerator)(crypto_factory_t*))
603 {
604 suite_algs_t current;
605 int i, remaining = 0;
606 enumerator_t *enumerator;
607
608 memset(&current, 0, sizeof(current));
609 for (i = 0; i < *count; i++)
610 {
611 enumerator = create_enumerator(lib->crypto);
612 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
613 {
614 if ((suites[i].encr == ENCR_NULL ||
615 !current.encr || current.encr == suites[i].encr) &&
616 (!current.mac || current.mac == suites[i].mac) &&
617 (!current.prf || current.prf == suites[i].prf) &&
618 (!current.hash || current.hash == suites[i].hash))
619 {
620 suites[remaining] = suites[i];
621 remaining++;
622 break;
623 }
624 }
625 enumerator->destroy(enumerator);
626 }
627 *count = remaining;
628 }
629
630 /**
631 * Purge NULL encryption cipher suites from list
632 */
633 static void filter_null_suites(private_tls_crypto_t *this,
634 suite_algs_t suites[], int *count)
635 {
636 int i, remaining = 0;
637
638 for (i = 0; i < *count; i++)
639 {
640 if (suites[i].encr != ENCR_NULL)
641 {
642 suites[remaining] = suites[i];
643 remaining++;
644 }
645 }
646 *count = remaining;
647 }
648
649 /**
650 * Initialize the cipher suite list
651 */
652 static void build_cipher_suite_list(private_tls_crypto_t *this,
653 bool require_encryption)
654 {
655 suite_algs_t suites[countof(suite_algs)];
656 int count = countof(suite_algs), i;
657
658 /* copy all suites */
659 for (i = 0; i < count; i++)
660 {
661 suites[i] = suite_algs[i];
662 }
663 if (require_encryption)
664 {
665 filter_null_suites(this, suites, &count);
666 }
667 /* filter suite list by each algorithm */
668 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
669 lib->crypto->create_crypter_enumerator);
670 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
671 lib->crypto->create_signer_enumerator);
672 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
673 lib->crypto->create_prf_enumerator);
674 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
675 lib->crypto->create_hasher_enumerator);
676
677 free(this->suites);
678 this->suite_count = count;
679 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
680
681 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
682 for (i = 0; i < count; i++)
683 {
684 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
685 this->suites[i] = suites[i].suite;
686 }
687 }
688
689 METHOD(tls_crypto_t, get_cipher_suites, int,
690 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
691 {
692 *suites = this->suites;
693 return this->suite_count;
694 }
695
696 /**
697 * Create crypto primitives
698 */
699 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
700 {
701 DESTROY_IF(this->prf);
702 if (this->tls->get_version(this->tls) < TLS_1_2)
703 {
704 this->prf = tls_prf_create_10();
705 }
706 else
707 {
708 this->prf = tls_prf_create_12(algs->prf);
709 }
710 if (!this->prf)
711 {
712 DBG1(DBG_TLS, "selected TLS PRF not supported");
713 return FALSE;
714 }
715
716 DESTROY_IF(this->signer_in);
717 DESTROY_IF(this->signer_out);
718 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
719 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
720 if (!this->signer_in || !this->signer_out)
721 {
722 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
723 integrity_algorithm_names, algs->mac);
724 return FALSE;
725 }
726
727 DESTROY_IF(this->crypter_in);
728 DESTROY_IF(this->crypter_out);
729 if (algs->encr == ENCR_NULL)
730 {
731 this->crypter_in = this->crypter_out = NULL;
732 }
733 else
734 {
735 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
736 algs->encr, algs->encr_size);
737 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
738 algs->encr, algs->encr_size);
739 if (!this->crypter_in || !this->crypter_out)
740 {
741 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
742 encryption_algorithm_names, algs->encr);
743 return FALSE;
744 }
745 }
746 return TRUE;
747 }
748
749 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
750 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
751 key_type_t key)
752 {
753 suite_algs_t *algs;
754 int i, j;
755
756 for (i = 0; i < this->suite_count; i++)
757 {
758 for (j = 0; j < count; j++)
759 {
760 if (this->suites[i] == suites[j])
761 {
762 algs = find_suite(this->suites[i]);
763 if (algs)
764 {
765 if (key == KEY_ANY || key == algs->key)
766 {
767 if (create_ciphers(this, algs))
768 {
769 this->suite = this->suites[i];
770 return this->suite;
771 }
772 }
773 }
774 }
775 }
776 }
777 return 0;
778 }
779
780 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
781 private_tls_crypto_t *this)
782 {
783 suite_algs_t *algs;
784
785 algs = find_suite(this->suite);
786 if (algs)
787 {
788 return algs->dh;
789 }
790 return MODP_NONE;
791 }
792
793 METHOD(tls_crypto_t, get_signature_algorithms, void,
794 private_tls_crypto_t *this, tls_writer_t *writer)
795 {
796 tls_writer_t *supported;
797 enumerator_t *enumerator;
798 hash_algorithm_t alg;
799 tls_hash_algorithm_t hash;
800
801 supported = tls_writer_create(32);
802 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
803 while (enumerator->enumerate(enumerator, &alg))
804 {
805 switch (alg)
806 {
807 case HASH_MD5:
808 hash = TLS_HASH_MD5;
809 break;
810 case HASH_SHA1:
811 hash = TLS_HASH_SHA1;
812 break;
813 case HASH_SHA224:
814 hash = TLS_HASH_SHA224;
815 break;
816 case HASH_SHA256:
817 hash = TLS_HASH_SHA256;
818 break;
819 case HASH_SHA384:
820 hash = TLS_HASH_SHA384;
821 break;
822 case HASH_SHA512:
823 hash = TLS_HASH_SHA512;
824 break;
825 default:
826 continue;
827 }
828 supported->write_uint8(supported, hash);
829 supported->write_uint8(supported, TLS_SIG_RSA);
830 if (alg != HASH_MD5 && alg != HASH_SHA224)
831 {
832 supported->write_uint8(supported, hash);
833 supported->write_uint8(supported, TLS_SIG_ECDSA);
834 }
835 }
836 enumerator->destroy(enumerator);
837
838 writer->write_data16(writer, supported->get_buf(supported));
839 supported->destroy(supported);
840 }
841
842 METHOD(tls_crypto_t, get_curves, void,
843 private_tls_crypto_t *this, tls_writer_t *writer)
844 {
845 u_int16_t curves[] = {
846 htons(TLS_SECP256R1),
847 htons(TLS_SECP384R1),
848 htons(TLS_SECP521R1),
849 htons(TLS_SECP192R1),
850 htons(TLS_SECP224R1),
851 };
852 writer->write_data16(writer, chunk_from_thing(curves));
853 }
854
855 METHOD(tls_crypto_t, set_protection, void,
856 private_tls_crypto_t *this, tls_protection_t *protection)
857 {
858 this->protection = protection;
859 }
860
861 METHOD(tls_crypto_t, append_handshake, void,
862 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
863 {
864 u_int32_t header;
865
866 /* reconstruct handshake header */
867 header = htonl(data.len | (type << 24));
868 this->handshake = chunk_cat("mcc", this->handshake,
869 chunk_from_thing(header), data);
870 }
871
872 /**
873 * Create a hash using the suites HASH algorithm
874 */
875 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
876 {
877 if (this->tls->get_version(this->tls) >= TLS_1_2)
878 {
879 hasher_t *hasher;
880 suite_algs_t *alg;
881
882 alg = find_suite(this->suite);
883 if (!alg)
884 {
885 return FALSE;
886 }
887 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
888 if (!hasher)
889 {
890 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
891 return FALSE;
892 }
893 hasher->allocate_hash(hasher, data, hash);
894 hasher->destroy(hasher);
895 }
896 else
897 {
898 hasher_t *md5, *sha1;
899 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
900
901 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
902 if (!md5)
903 {
904 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
905 return FALSE;
906 }
907 md5->get_hash(md5, data, buf);
908 md5->destroy(md5);
909 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
910 if (!sha1)
911 {
912 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
913 return FALSE;
914 }
915 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
916 sha1->destroy(sha1);
917
918 *hash = chunk_clone(chunk_from_thing(buf));
919 }
920 return TRUE;
921 }
922
923 /**
924 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
925 */
926 static signature_scheme_t hashsig_to_scheme(key_type_t type,
927 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
928 {
929 switch (sig)
930 {
931 case TLS_SIG_RSA:
932 if (type != KEY_RSA)
933 {
934 return SIGN_UNKNOWN;
935 }
936 switch (hash)
937 {
938 case TLS_HASH_MD5:
939 return SIGN_RSA_EMSA_PKCS1_MD5;
940 case TLS_HASH_SHA1:
941 return SIGN_RSA_EMSA_PKCS1_SHA1;
942 case TLS_HASH_SHA224:
943 return SIGN_RSA_EMSA_PKCS1_SHA224;
944 case TLS_HASH_SHA256:
945 return SIGN_RSA_EMSA_PKCS1_SHA256;
946 case TLS_HASH_SHA384:
947 return SIGN_RSA_EMSA_PKCS1_SHA384;
948 case TLS_HASH_SHA512:
949 return SIGN_RSA_EMSA_PKCS1_SHA512;
950 default:
951 return SIGN_UNKNOWN;
952 }
953 case TLS_SIG_ECDSA:
954 if (type != KEY_ECDSA)
955 {
956 return SIGN_UNKNOWN;
957 }
958 switch (hash)
959 {
960 case TLS_HASH_SHA224:
961 return SIGN_ECDSA_WITH_SHA1_DER;
962 case TLS_HASH_SHA256:
963 return SIGN_ECDSA_WITH_SHA256_DER;
964 case TLS_HASH_SHA384:
965 return SIGN_ECDSA_WITH_SHA384_DER;
966 case TLS_HASH_SHA512:
967 return SIGN_ECDSA_WITH_SHA512_DER;
968 default:
969 return SIGN_UNKNOWN;
970 }
971 default:
972 return SIGN_UNKNOWN;
973 }
974 }
975
976 METHOD(tls_crypto_t, sign, bool,
977 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
978 chunk_t data, chunk_t hashsig)
979 {
980 if (this->tls->get_version(this->tls) >= TLS_1_2)
981 {
982 signature_scheme_t scheme;
983 tls_reader_t *reader;
984 u_int8_t hash, alg;
985 chunk_t sig;
986 bool done = FALSE;
987
988 if (!hashsig.len)
989 { /* fallback if none given */
990 hashsig = chunk_from_chars(
991 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
992 }
993 reader = tls_reader_create(hashsig);
994 while (reader->remaining(reader) >= 2)
995 {
996 if (reader->read_uint8(reader, &hash) &&
997 reader->read_uint8(reader, &alg))
998 {
999 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1000 if (scheme != SIGN_UNKNOWN &&
1001 key->sign(key, scheme, data, &sig))
1002 {
1003 done = TRUE;
1004 break;
1005 }
1006 }
1007 }
1008 reader->destroy(reader);
1009 if (!done)
1010 {
1011 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1012 return FALSE;
1013 }
1014 DBG2(DBG_TLS, "created signature with %N/%N",
1015 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1016 writer->write_uint8(writer, hash);
1017 writer->write_uint8(writer, alg);
1018 writer->write_data16(writer, sig);
1019 free(sig.ptr);
1020 }
1021 else
1022 {
1023 chunk_t sig, hash;
1024 bool done;
1025
1026 switch (key->get_type(key))
1027 {
1028 case KEY_RSA:
1029 if (!hash_data(this, data, &hash))
1030 {
1031 return FALSE;
1032 }
1033 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1034 free(hash.ptr);
1035 if (!done)
1036 {
1037 return FALSE;
1038 }
1039 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1040 break;
1041 case KEY_ECDSA:
1042 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1043 {
1044 return FALSE;
1045 }
1046 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1047 break;
1048 default:
1049 return FALSE;
1050 }
1051 writer->write_data16(writer, sig);
1052 free(sig.ptr);
1053 }
1054 return TRUE;
1055 }
1056
1057 METHOD(tls_crypto_t, verify, bool,
1058 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1059 chunk_t data)
1060 {
1061 if (this->tls->get_version(this->tls) >= TLS_1_2)
1062 {
1063 signature_scheme_t scheme = SIGN_UNKNOWN;
1064 u_int8_t hash, alg;
1065 chunk_t sig;
1066
1067 if (!reader->read_uint8(reader, &hash) ||
1068 !reader->read_uint8(reader, &alg) ||
1069 !reader->read_data16(reader, &sig))
1070 {
1071 DBG1(DBG_TLS, "received invalid signature");
1072 return FALSE;
1073 }
1074 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1075 if (scheme == SIGN_UNKNOWN)
1076 {
1077 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1078 tls_hash_algorithm_names, hash,
1079 tls_signature_algorithm_names, alg);
1080 return FALSE;
1081 }
1082 if (!key->verify(key, scheme, data, sig))
1083 {
1084 return FALSE;
1085 }
1086 DBG2(DBG_TLS, "verified signature with %N/%N",
1087 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1088 }
1089 else
1090 {
1091 chunk_t sig, hash;
1092 bool done;
1093
1094 if (!reader->read_data16(reader, &sig))
1095 {
1096 DBG1(DBG_TLS, "received invalid signature");
1097 return FALSE;
1098 }
1099 switch (key->get_type(key))
1100 {
1101 case KEY_RSA:
1102 if (!hash_data(this, data, &hash))
1103 {
1104 return FALSE;
1105 }
1106 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1107 free(hash.ptr);
1108 if (!done)
1109 {
1110 return FALSE;
1111 }
1112 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1113 break;
1114 case KEY_ECDSA:
1115 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1116 {
1117 return FALSE;
1118 }
1119 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1120 break;
1121 default:
1122 return FALSE;
1123 }
1124 }
1125 return TRUE;
1126 }
1127
1128 METHOD(tls_crypto_t, sign_handshake, bool,
1129 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1130 chunk_t hashsig)
1131 {
1132 return sign(this, key, writer, this->handshake, hashsig);
1133 }
1134
1135 METHOD(tls_crypto_t, verify_handshake, bool,
1136 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1137 {
1138 return verify(this, key, reader, this->handshake);
1139 }
1140
1141 METHOD(tls_crypto_t, calculate_finished, bool,
1142 private_tls_crypto_t *this, char *label, char out[12])
1143 {
1144 chunk_t seed;
1145
1146 if (!this->prf)
1147 {
1148 return FALSE;
1149 }
1150 if (!hash_data(this, this->handshake, &seed))
1151 {
1152 return FALSE;
1153 }
1154 this->prf->get_bytes(this->prf, label, seed, 12, out);
1155 free(seed.ptr);
1156 return TRUE;
1157 }
1158
1159 METHOD(tls_crypto_t, derive_secrets, void,
1160 private_tls_crypto_t *this, chunk_t premaster,
1161 chunk_t client_random, chunk_t server_random)
1162 {
1163 char master[48];
1164 chunk_t seed, block, client_write, server_write;
1165 int mks, eks = 0, ivs = 0;
1166
1167 /* derive master secret */
1168 seed = chunk_cata("cc", client_random, server_random);
1169 this->prf->set_key(this->prf, premaster);
1170 this->prf->get_bytes(this->prf, "master secret", seed,
1171 sizeof(master), master);
1172
1173 this->prf->set_key(this->prf, chunk_from_thing(master));
1174 memset(master, 0, sizeof(master));
1175
1176 /* derive key block for key expansion */
1177 mks = this->signer_out->get_key_size(this->signer_out);
1178 if (this->crypter_out)
1179 {
1180 eks = this->crypter_out->get_key_size(this->crypter_out);
1181 if (this->tls->get_version(this->tls) < TLS_1_1)
1182 {
1183 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1184 }
1185 }
1186 seed = chunk_cata("cc", server_random, client_random);
1187 block = chunk_alloca((mks + eks + ivs) * 2);
1188 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1189
1190 /* signer keys */
1191 client_write = chunk_create(block.ptr, mks);
1192 block = chunk_skip(block, mks);
1193 server_write = chunk_create(block.ptr, mks);
1194 block = chunk_skip(block, mks);
1195 if (this->tls->is_server(this->tls))
1196 {
1197 this->signer_in->set_key(this->signer_in, client_write);
1198 this->signer_out->set_key(this->signer_out, server_write);
1199 }
1200 else
1201 {
1202 this->signer_out->set_key(this->signer_out, client_write);
1203 this->signer_in->set_key(this->signer_in, server_write);
1204 }
1205
1206 /* crypter keys, and IVs if < TLSv1.2 */
1207 if (this->crypter_out && this->crypter_in)
1208 {
1209 client_write = chunk_create(block.ptr, eks);
1210 block = chunk_skip(block, eks);
1211 server_write = chunk_create(block.ptr, eks);
1212 block = chunk_skip(block, eks);
1213
1214 if (this->tls->is_server(this->tls))
1215 {
1216 this->crypter_in->set_key(this->crypter_in, client_write);
1217 this->crypter_out->set_key(this->crypter_out, server_write);
1218 }
1219 else
1220 {
1221 this->crypter_out->set_key(this->crypter_out, client_write);
1222 this->crypter_in->set_key(this->crypter_in, server_write);
1223 }
1224 if (ivs)
1225 {
1226 client_write = chunk_create(block.ptr, ivs);
1227 block = chunk_skip(block, ivs);
1228 server_write = chunk_create(block.ptr, ivs);
1229 block = chunk_skip(block, ivs);
1230
1231 if (this->tls->is_server(this->tls))
1232 {
1233 this->iv_in = chunk_clone(client_write);
1234 this->iv_out = chunk_clone(server_write);
1235 }
1236 else
1237 {
1238 this->iv_out = chunk_clone(client_write);
1239 this->iv_in = chunk_clone(server_write);
1240 }
1241 }
1242 }
1243 }
1244
1245 METHOD(tls_crypto_t, change_cipher, void,
1246 private_tls_crypto_t *this, bool inbound)
1247 {
1248 if (this->protection)
1249 {
1250 if (inbound)
1251 {
1252 this->protection->set_cipher(this->protection, TRUE,
1253 this->signer_in, this->crypter_in, this->iv_in);
1254 }
1255 else
1256 {
1257 this->protection->set_cipher(this->protection, FALSE,
1258 this->signer_out, this->crypter_out, this->iv_out);
1259 }
1260 }
1261 }
1262
1263 METHOD(tls_crypto_t, derive_eap_msk, void,
1264 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1265 {
1266 if (this->msk_label)
1267 {
1268 chunk_t seed;
1269
1270 seed = chunk_cata("cc", client_random, server_random);
1271 free(this->msk.ptr);
1272 this->msk = chunk_alloc(64);
1273 this->prf->get_bytes(this->prf, this->msk_label, seed,
1274 this->msk.len, this->msk.ptr);
1275 }
1276 }
1277
1278 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1279 private_tls_crypto_t *this)
1280 {
1281 return this->msk;
1282 }
1283
1284 METHOD(tls_crypto_t, destroy, void,
1285 private_tls_crypto_t *this)
1286 {
1287 DESTROY_IF(this->signer_in);
1288 DESTROY_IF(this->signer_out);
1289 DESTROY_IF(this->crypter_in);
1290 DESTROY_IF(this->crypter_out);
1291 free(this->iv_in.ptr);
1292 free(this->iv_out.ptr);
1293 free(this->handshake.ptr);
1294 free(this->msk.ptr);
1295 DESTROY_IF(this->prf);
1296 free(this->suites);
1297 free(this);
1298 }
1299
1300 /**
1301 * See header
1302 */
1303 tls_crypto_t *tls_crypto_create(tls_t *tls)
1304 {
1305 private_tls_crypto_t *this;
1306
1307 INIT(this,
1308 .public = {
1309 .get_cipher_suites = _get_cipher_suites,
1310 .select_cipher_suite = _select_cipher_suite,
1311 .get_dh_group = _get_dh_group,
1312 .get_signature_algorithms = _get_signature_algorithms,
1313 .get_curves = _get_curves,
1314 .set_protection = _set_protection,
1315 .append_handshake = _append_handshake,
1316 .sign = _sign,
1317 .verify = _verify,
1318 .sign_handshake = _sign_handshake,
1319 .verify_handshake = _verify_handshake,
1320 .calculate_finished = _calculate_finished,
1321 .derive_secrets = _derive_secrets,
1322 .change_cipher = _change_cipher,
1323 .derive_eap_msk = _derive_eap_msk,
1324 .get_eap_msk = _get_eap_msk,
1325 .destroy = _destroy,
1326 },
1327 .tls = tls,
1328 );
1329
1330 switch (tls->get_purpose(tls))
1331 {
1332 case TLS_PURPOSE_EAP_TLS:
1333 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1334 this->msk_label = "client EAP encryption";
1335 build_cipher_suite_list(this, FALSE);
1336 break;
1337 case TLS_PURPOSE_EAP_TTLS:
1338 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1339 this->msk_label = "ttls keying material";
1340 build_cipher_suite_list(this, TRUE);
1341 break;
1342 case TLS_PURPOSE_GENERIC:
1343 build_cipher_suite_list(this, TRUE);
1344 break;
1345 }
1346 return &this->public;
1347 }
Unnamed repository; edit this file 'description' to name the repository.