]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Select private key based on received cipher suites
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309
310 typedef struct private_tls_crypto_t private_tls_crypto_t;
311
312 /**
313 * Private data of an tls_crypto_t object.
314 */
315 struct private_tls_crypto_t {
316
317 /**
318 * Public tls_crypto_t interface.
319 */
320 tls_crypto_t public;
321
322 /**
323 * Protection layer
324 */
325 tls_protection_t *protection;
326
327 /**
328 * List of supported/acceptable cipher suites
329 */
330 tls_cipher_suite_t *suites;
331
332 /**
333 * Number of supported suites
334 */
335 int suite_count;
336
337 /**
338 * Selected cipher suite
339 */
340 tls_cipher_suite_t suite;
341
342 /**
343 * TLS context
344 */
345 tls_t *tls;
346
347 /**
348 * All handshake data concatentated
349 */
350 chunk_t handshake;
351
352 /**
353 * Connection state TLS PRF
354 */
355 tls_prf_t *prf;
356
357 /**
358 * Signer instance for inbound traffic
359 */
360 signer_t *signer_in;
361
362 /**
363 * Signer instance for outbound traffic
364 */
365 signer_t *signer_out;
366
367 /**
368 * Crypter instance for inbound traffic
369 */
370 crypter_t *crypter_in;
371
372 /**
373 * Crypter instance for outbound traffic
374 */
375 crypter_t *crypter_out;
376
377 /**
378 * IV for input decryption, if < TLSv1.2
379 */
380 chunk_t iv_in;
381
382 /**
383 * IV for output decryption, if < TLSv1.2
384 */
385 chunk_t iv_out;
386
387 /**
388 * EAP-[T]TLS MSK
389 */
390 chunk_t msk;
391
392 /**
393 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
394 */
395 char *msk_label;
396 };
397
398 typedef struct {
399 tls_cipher_suite_t suite;
400 key_type_t key;
401 diffie_hellman_group_t dh;
402 hash_algorithm_t hash;
403 pseudo_random_function_t prf;
404 integrity_algorithm_t mac;
405 encryption_algorithm_t encr;
406 size_t encr_size;
407 } suite_algs_t;
408
409 /**
410 * Mapping suites to a set of algorithms
411 */
412 static suite_algs_t suite_algs[] = {
413 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
414 KEY_RSA, MODP_2048_BIT,
415 HASH_SHA1, PRF_HMAC_SHA1,
416 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
417 },
418 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
419 KEY_RSA, MODP_3072_BIT,
420 HASH_SHA256, PRF_HMAC_SHA2_256,
421 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
422 },
423 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
424 KEY_RSA, MODP_3072_BIT,
425 HASH_SHA1, PRF_HMAC_SHA1,
426 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
427 },
428 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
429 KEY_RSA, MODP_4096_BIT,
430 HASH_SHA256, PRF_HMAC_SHA2_256,
431 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
432 },
433 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
434 KEY_RSA, MODP_2048_BIT,
435 HASH_SHA1, PRF_HMAC_SHA1,
436 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
437 },
438 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
439 KEY_RSA, MODP_3072_BIT,
440 HASH_SHA256, PRF_HMAC_SHA2_256,
441 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
442 },
443 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
444 KEY_RSA, MODP_3072_BIT,
445 HASH_SHA1, PRF_HMAC_SHA1,
446 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
447 },
448 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
449 KEY_RSA, MODP_4096_BIT,
450 HASH_SHA256, PRF_HMAC_SHA2_256,
451 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
452 },
453 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
454 KEY_RSA, MODP_2048_BIT,
455 HASH_SHA1, PRF_HMAC_SHA1,
456 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
457 },
458 { TLS_RSA_WITH_AES_128_CBC_SHA,
459 KEY_RSA, MODP_NONE,
460 HASH_SHA1, PRF_HMAC_SHA1,
461 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
462 },
463 { TLS_RSA_WITH_AES_128_CBC_SHA256,
464 KEY_RSA, MODP_NONE,
465 HASH_SHA256, PRF_HMAC_SHA2_256,
466 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
467 },
468 { TLS_RSA_WITH_AES_256_CBC_SHA,
469 KEY_RSA, MODP_NONE,
470 HASH_SHA1, PRF_HMAC_SHA1,
471 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
472 },
473 { TLS_RSA_WITH_AES_256_CBC_SHA256,
474 KEY_RSA, MODP_NONE,
475 HASH_SHA256, PRF_HMAC_SHA2_256,
476 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
477 },
478 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
479 KEY_RSA, MODP_NONE,
480 HASH_SHA1, PRF_HMAC_SHA1,
481 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
482 },
483 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
484 KEY_RSA, MODP_NONE,
485 HASH_SHA256, PRF_HMAC_SHA2_256,
486 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
487 },
488 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
489 KEY_RSA, MODP_NONE,
490 HASH_SHA1, PRF_HMAC_SHA1,
491 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
492 },
493 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
494 KEY_RSA, MODP_NONE,
495 HASH_SHA256, PRF_HMAC_SHA2_256,
496 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
497 },
498 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
499 KEY_RSA, MODP_NONE,
500 HASH_SHA1, PRF_HMAC_SHA1,
501 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
502 },
503 { TLS_RSA_WITH_NULL_SHA,
504 KEY_RSA, MODP_NONE,
505 HASH_SHA1, PRF_HMAC_SHA1,
506 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
507 },
508 { TLS_RSA_WITH_NULL_SHA256,
509 KEY_RSA, MODP_NONE,
510 HASH_SHA256, PRF_HMAC_SHA2_256,
511 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
512 },
513 { TLS_RSA_WITH_NULL_MD5,
514 KEY_RSA, MODP_NONE,
515 HASH_MD5, PRF_HMAC_MD5,
516 AUTH_HMAC_MD5_128, ENCR_NULL, 0
517 },
518 };
519
520 /**
521 * Look up algoritms by a suite
522 */
523 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
524 {
525 int i;
526
527 for (i = 0; i < countof(suite_algs); i++)
528 {
529 if (suite_algs[i].suite == suite)
530 {
531 return &suite_algs[i];
532 }
533 }
534 return NULL;
535 }
536
537 /**
538 * Filter a suite list using a transform enumerator
539 */
540 static void filter_suite(private_tls_crypto_t *this,
541 suite_algs_t suites[], int *count, int offset,
542 enumerator_t*(*create_enumerator)(crypto_factory_t*))
543 {
544 suite_algs_t current;
545 int i, remaining = 0;
546 enumerator_t *enumerator;
547
548 memset(&current, 0, sizeof(current));
549 for (i = 0; i < *count; i++)
550 {
551 enumerator = create_enumerator(lib->crypto);
552 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
553 {
554 if ((suites[i].encr == ENCR_NULL ||
555 !current.encr || current.encr == suites[i].encr) &&
556 (!current.mac || current.mac == suites[i].mac) &&
557 (!current.prf || current.prf == suites[i].prf) &&
558 (!current.hash || current.hash == suites[i].hash))
559 {
560 suites[remaining] = suites[i];
561 remaining++;
562 break;
563 }
564 }
565 enumerator->destroy(enumerator);
566 }
567 *count = remaining;
568 }
569
570 /**
571 * Purge NULL encryption cipher suites from list
572 */
573 static void filter_null_suites(private_tls_crypto_t *this,
574 suite_algs_t suites[], int *count)
575 {
576 int i, remaining = 0;
577
578 for (i = 0; i < *count; i++)
579 {
580 if (suites[i].encr != ENCR_NULL)
581 {
582 suites[remaining] = suites[i];
583 remaining++;
584 }
585 }
586 *count = remaining;
587 }
588
589 /**
590 * Initialize the cipher suite list
591 */
592 static void build_cipher_suite_list(private_tls_crypto_t *this,
593 bool require_encryption)
594 {
595 suite_algs_t suites[countof(suite_algs)];
596 int count = countof(suite_algs), i;
597
598 /* copy all suites */
599 for (i = 0; i < count; i++)
600 {
601 suites[i] = suite_algs[i];
602 }
603 if (require_encryption)
604 {
605 filter_null_suites(this, suites, &count);
606 }
607 /* filter suite list by each algorithm */
608 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
609 lib->crypto->create_crypter_enumerator);
610 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
611 lib->crypto->create_signer_enumerator);
612 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
613 lib->crypto->create_prf_enumerator);
614 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
615 lib->crypto->create_hasher_enumerator);
616
617 free(this->suites);
618 this->suite_count = count;
619 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
620
621 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
622 for (i = 0; i < count; i++)
623 {
624 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
625 this->suites[i] = suites[i].suite;
626 }
627 }
628
629 METHOD(tls_crypto_t, get_cipher_suites, int,
630 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
631 {
632 *suites = this->suites;
633 return this->suite_count;
634 }
635
636 /**
637 * Create crypto primitives
638 */
639 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
640 {
641 DESTROY_IF(this->prf);
642 if (this->tls->get_version(this->tls) < TLS_1_2)
643 {
644 this->prf = tls_prf_create_10();
645 }
646 else
647 {
648 this->prf = tls_prf_create_12(algs->prf);
649 }
650 if (!this->prf)
651 {
652 DBG1(DBG_TLS, "selected TLS PRF not supported");
653 return FALSE;
654 }
655
656 DESTROY_IF(this->signer_in);
657 DESTROY_IF(this->signer_out);
658 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
659 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
660 if (!this->signer_in || !this->signer_out)
661 {
662 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
663 integrity_algorithm_names, algs->mac);
664 return FALSE;
665 }
666
667 DESTROY_IF(this->crypter_in);
668 DESTROY_IF(this->crypter_out);
669 if (algs->encr == ENCR_NULL)
670 {
671 this->crypter_in = this->crypter_out = NULL;
672 }
673 else
674 {
675 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
676 algs->encr, algs->encr_size);
677 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
678 algs->encr, algs->encr_size);
679 if (!this->crypter_in || !this->crypter_out)
680 {
681 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
682 encryption_algorithm_names, algs->encr);
683 return FALSE;
684 }
685 }
686 return TRUE;
687 }
688
689 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
690 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
691 key_type_t key)
692 {
693 suite_algs_t *algs;
694 int i, j;
695
696 for (i = 0; i < this->suite_count; i++)
697 {
698 for (j = 0; j < count; j++)
699 {
700 if (this->suites[i] == suites[j])
701 {
702 algs = find_suite(this->suites[i]);
703 if (algs)
704 {
705 if (key == KEY_ANY || key == algs->key)
706 {
707 if (create_ciphers(this, algs))
708 {
709 this->suite = this->suites[i];
710 return this->suite;
711 }
712 }
713 }
714 }
715 }
716 }
717 return 0;
718 }
719
720 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
721 private_tls_crypto_t *this)
722 {
723 suite_algs_t *algs;
724
725 algs = find_suite(this->suite);
726 if (algs)
727 {
728 return algs->dh;
729 }
730 return MODP_NONE;
731 }
732
733 METHOD(tls_crypto_t, get_signature_algorithms, void,
734 private_tls_crypto_t *this, tls_writer_t *writer)
735 {
736 tls_writer_t *supported;
737 enumerator_t *enumerator;
738 hash_algorithm_t alg;
739 tls_hash_algorithm_t hash;
740
741 supported = tls_writer_create(32);
742 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
743 while (enumerator->enumerate(enumerator, &alg))
744 {
745 switch (alg)
746 {
747 case HASH_MD5:
748 hash = TLS_HASH_MD5;
749 break;
750 case HASH_SHA1:
751 hash = TLS_HASH_SHA1;
752 break;
753 case HASH_SHA224:
754 hash = TLS_HASH_SHA224;
755 break;
756 case HASH_SHA256:
757 hash = TLS_HASH_SHA256;
758 break;
759 case HASH_SHA384:
760 hash = TLS_HASH_SHA384;
761 break;
762 case HASH_SHA512:
763 hash = TLS_HASH_SHA512;
764 break;
765 default:
766 continue;
767 }
768 supported->write_uint8(supported, hash);
769 supported->write_uint8(supported, TLS_SIG_RSA);
770 if (alg != HASH_MD5 && alg != HASH_SHA224)
771 {
772 supported->write_uint8(supported, hash);
773 supported->write_uint8(supported, TLS_SIG_ECDSA);
774 }
775 }
776 enumerator->destroy(enumerator);
777
778 writer->write_data16(writer, supported->get_buf(supported));
779 supported->destroy(supported);
780 }
781
782 METHOD(tls_crypto_t, get_curves, void,
783 private_tls_crypto_t *this, tls_writer_t *writer)
784 {
785 u_int16_t curves[] = {
786 htons(TLS_SECP256R1),
787 htons(TLS_SECP384R1),
788 htons(TLS_SECP521R1),
789 htons(TLS_SECP192R1),
790 htons(TLS_SECP224R1),
791 };
792 writer->write_data16(writer, chunk_from_thing(curves));
793 }
794
795 METHOD(tls_crypto_t, set_protection, void,
796 private_tls_crypto_t *this, tls_protection_t *protection)
797 {
798 this->protection = protection;
799 }
800
801 METHOD(tls_crypto_t, append_handshake, void,
802 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
803 {
804 u_int32_t header;
805
806 /* reconstruct handshake header */
807 header = htonl(data.len | (type << 24));
808 this->handshake = chunk_cat("mcc", this->handshake,
809 chunk_from_thing(header), data);
810 }
811
812 /**
813 * Create a hash using the suites HASH algorithm
814 */
815 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
816 {
817 if (this->tls->get_version(this->tls) >= TLS_1_2)
818 {
819 hasher_t *hasher;
820 suite_algs_t *alg;
821
822 alg = find_suite(this->suite);
823 if (!alg)
824 {
825 return FALSE;
826 }
827 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
828 if (!hasher)
829 {
830 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
831 return FALSE;
832 }
833 hasher->allocate_hash(hasher, data, hash);
834 hasher->destroy(hasher);
835 }
836 else
837 {
838 hasher_t *md5, *sha1;
839 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
840
841 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
842 if (!md5)
843 {
844 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
845 return FALSE;
846 }
847 md5->get_hash(md5, data, buf);
848 md5->destroy(md5);
849 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
850 if (!sha1)
851 {
852 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
853 return FALSE;
854 }
855 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
856 sha1->destroy(sha1);
857
858 *hash = chunk_clone(chunk_from_thing(buf));
859 }
860 return TRUE;
861 }
862
863 /**
864 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
865 */
866 static signature_scheme_t hashsig_to_scheme(key_type_t type,
867 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
868 {
869 switch (sig)
870 {
871 case TLS_SIG_RSA:
872 if (type != KEY_RSA)
873 {
874 return SIGN_UNKNOWN;
875 }
876 switch (hash)
877 {
878 case TLS_HASH_MD5:
879 return SIGN_RSA_EMSA_PKCS1_MD5;
880 case TLS_HASH_SHA1:
881 return SIGN_RSA_EMSA_PKCS1_SHA1;
882 case TLS_HASH_SHA224:
883 return SIGN_RSA_EMSA_PKCS1_SHA224;
884 case TLS_HASH_SHA256:
885 return SIGN_RSA_EMSA_PKCS1_SHA256;
886 case TLS_HASH_SHA384:
887 return SIGN_RSA_EMSA_PKCS1_SHA384;
888 case TLS_HASH_SHA512:
889 return SIGN_RSA_EMSA_PKCS1_SHA512;
890 default:
891 return SIGN_UNKNOWN;
892 }
893 case TLS_SIG_ECDSA:
894 if (type != KEY_ECDSA)
895 {
896 return SIGN_UNKNOWN;
897 }
898 switch (hash)
899 {
900 case TLS_HASH_SHA224:
901 return SIGN_ECDSA_WITH_SHA1_DER;
902 case TLS_HASH_SHA256:
903 return SIGN_ECDSA_WITH_SHA256_DER;
904 case TLS_HASH_SHA384:
905 return SIGN_ECDSA_WITH_SHA384_DER;
906 case TLS_HASH_SHA512:
907 return SIGN_ECDSA_WITH_SHA512_DER;
908 default:
909 return SIGN_UNKNOWN;
910 }
911 default:
912 return SIGN_UNKNOWN;
913 }
914 }
915
916 METHOD(tls_crypto_t, sign, bool,
917 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
918 chunk_t data, chunk_t hashsig)
919 {
920 if (this->tls->get_version(this->tls) >= TLS_1_2)
921 {
922 signature_scheme_t scheme;
923 tls_reader_t *reader;
924 u_int8_t hash, alg;
925 chunk_t sig;
926 bool done = FALSE;
927
928 if (!hashsig.len)
929 { /* fallback if none given */
930 hashsig = chunk_from_chars(
931 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
932 }
933 reader = tls_reader_create(hashsig);
934 while (reader->remaining(reader) >= 2)
935 {
936 if (reader->read_uint8(reader, &hash) &&
937 reader->read_uint8(reader, &alg))
938 {
939 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
940 if (scheme != SIGN_UNKNOWN &&
941 key->sign(key, scheme, data, &sig))
942 {
943 done = TRUE;
944 break;
945 }
946 }
947 }
948 reader->destroy(reader);
949 if (!done)
950 {
951 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
952 return FALSE;
953 }
954 DBG2(DBG_TLS, "created signature with %N/%N",
955 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
956 writer->write_uint8(writer, hash);
957 writer->write_uint8(writer, alg);
958 writer->write_data16(writer, sig);
959 free(sig.ptr);
960 }
961 else
962 {
963 chunk_t sig, hash;
964 bool done;
965
966 switch (key->get_type(key))
967 {
968 case KEY_RSA:
969 if (!hash_data(this, data, &hash))
970 {
971 return FALSE;
972 }
973 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
974 free(hash.ptr);
975 if (!done)
976 {
977 return FALSE;
978 }
979 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
980 break;
981 case KEY_ECDSA:
982 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
983 {
984 return FALSE;
985 }
986 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
987 break;
988 default:
989 return FALSE;
990 }
991 writer->write_data16(writer, sig);
992 free(sig.ptr);
993 }
994 return TRUE;
995 }
996
997 METHOD(tls_crypto_t, verify, bool,
998 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
999 chunk_t data)
1000 {
1001 if (this->tls->get_version(this->tls) >= TLS_1_2)
1002 {
1003 signature_scheme_t scheme = SIGN_UNKNOWN;
1004 u_int8_t hash, alg;
1005 chunk_t sig;
1006
1007 if (!reader->read_uint8(reader, &hash) ||
1008 !reader->read_uint8(reader, &alg) ||
1009 !reader->read_data16(reader, &sig))
1010 {
1011 DBG1(DBG_TLS, "received invalid signature");
1012 return FALSE;
1013 }
1014 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1015 if (scheme == SIGN_UNKNOWN)
1016 {
1017 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1018 tls_hash_algorithm_names, hash,
1019 tls_signature_algorithm_names, alg);
1020 return FALSE;
1021 }
1022 if (!key->verify(key, scheme, data, sig))
1023 {
1024 return FALSE;
1025 }
1026 DBG2(DBG_TLS, "verified signature with %N/%N",
1027 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1028 }
1029 else
1030 {
1031 chunk_t sig, hash;
1032 bool done;
1033
1034 if (!reader->read_data16(reader, &sig))
1035 {
1036 DBG1(DBG_TLS, "received invalid signature");
1037 return FALSE;
1038 }
1039 switch (key->get_type(key))
1040 {
1041 case KEY_RSA:
1042 if (!hash_data(this, data, &hash))
1043 {
1044 return FALSE;
1045 }
1046 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1047 free(hash.ptr);
1048 if (!done)
1049 {
1050 return FALSE;
1051 }
1052 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1053 break;
1054 case KEY_ECDSA:
1055 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1056 {
1057 return FALSE;
1058 }
1059 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1060 break;
1061 default:
1062 return FALSE;
1063 }
1064 }
1065 return TRUE;
1066 }
1067
1068 METHOD(tls_crypto_t, sign_handshake, bool,
1069 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1070 chunk_t hashsig)
1071 {
1072 return sign(this, key, writer, this->handshake, hashsig);
1073 }
1074
1075 METHOD(tls_crypto_t, verify_handshake, bool,
1076 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1077 {
1078 return verify(this, key, reader, this->handshake);
1079 }
1080
1081 METHOD(tls_crypto_t, calculate_finished, bool,
1082 private_tls_crypto_t *this, char *label, char out[12])
1083 {
1084 chunk_t seed;
1085
1086 if (!this->prf)
1087 {
1088 return FALSE;
1089 }
1090 if (!hash_data(this, this->handshake, &seed))
1091 {
1092 return FALSE;
1093 }
1094 this->prf->get_bytes(this->prf, label, seed, 12, out);
1095 free(seed.ptr);
1096 return TRUE;
1097 }
1098
1099 METHOD(tls_crypto_t, derive_secrets, void,
1100 private_tls_crypto_t *this, chunk_t premaster,
1101 chunk_t client_random, chunk_t server_random)
1102 {
1103 char master[48];
1104 chunk_t seed, block, client_write, server_write;
1105 int mks, eks = 0, ivs = 0;
1106
1107 /* derive master secret */
1108 seed = chunk_cata("cc", client_random, server_random);
1109 this->prf->set_key(this->prf, premaster);
1110 this->prf->get_bytes(this->prf, "master secret", seed,
1111 sizeof(master), master);
1112
1113 this->prf->set_key(this->prf, chunk_from_thing(master));
1114 memset(master, 0, sizeof(master));
1115
1116 /* derive key block for key expansion */
1117 mks = this->signer_out->get_key_size(this->signer_out);
1118 if (this->crypter_out)
1119 {
1120 eks = this->crypter_out->get_key_size(this->crypter_out);
1121 if (this->tls->get_version(this->tls) < TLS_1_1)
1122 {
1123 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1124 }
1125 }
1126 seed = chunk_cata("cc", server_random, client_random);
1127 block = chunk_alloca((mks + eks + ivs) * 2);
1128 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1129
1130 /* signer keys */
1131 client_write = chunk_create(block.ptr, mks);
1132 block = chunk_skip(block, mks);
1133 server_write = chunk_create(block.ptr, mks);
1134 block = chunk_skip(block, mks);
1135 if (this->tls->is_server(this->tls))
1136 {
1137 this->signer_in->set_key(this->signer_in, client_write);
1138 this->signer_out->set_key(this->signer_out, server_write);
1139 }
1140 else
1141 {
1142 this->signer_out->set_key(this->signer_out, client_write);
1143 this->signer_in->set_key(this->signer_in, server_write);
1144 }
1145
1146 /* crypter keys, and IVs if < TLSv1.2 */
1147 if (this->crypter_out && this->crypter_in)
1148 {
1149 client_write = chunk_create(block.ptr, eks);
1150 block = chunk_skip(block, eks);
1151 server_write = chunk_create(block.ptr, eks);
1152 block = chunk_skip(block, eks);
1153
1154 if (this->tls->is_server(this->tls))
1155 {
1156 this->crypter_in->set_key(this->crypter_in, client_write);
1157 this->crypter_out->set_key(this->crypter_out, server_write);
1158 }
1159 else
1160 {
1161 this->crypter_out->set_key(this->crypter_out, client_write);
1162 this->crypter_in->set_key(this->crypter_in, server_write);
1163 }
1164 if (ivs)
1165 {
1166 client_write = chunk_create(block.ptr, ivs);
1167 block = chunk_skip(block, ivs);
1168 server_write = chunk_create(block.ptr, ivs);
1169 block = chunk_skip(block, ivs);
1170
1171 if (this->tls->is_server(this->tls))
1172 {
1173 this->iv_in = chunk_clone(client_write);
1174 this->iv_out = chunk_clone(server_write);
1175 }
1176 else
1177 {
1178 this->iv_out = chunk_clone(client_write);
1179 this->iv_in = chunk_clone(server_write);
1180 }
1181 }
1182 }
1183 }
1184
1185 METHOD(tls_crypto_t, change_cipher, void,
1186 private_tls_crypto_t *this, bool inbound)
1187 {
1188 if (this->protection)
1189 {
1190 if (inbound)
1191 {
1192 this->protection->set_cipher(this->protection, TRUE,
1193 this->signer_in, this->crypter_in, this->iv_in);
1194 }
1195 else
1196 {
1197 this->protection->set_cipher(this->protection, FALSE,
1198 this->signer_out, this->crypter_out, this->iv_out);
1199 }
1200 }
1201 }
1202
1203 METHOD(tls_crypto_t, derive_eap_msk, void,
1204 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1205 {
1206 if (this->msk_label)
1207 {
1208 chunk_t seed;
1209
1210 seed = chunk_cata("cc", client_random, server_random);
1211 free(this->msk.ptr);
1212 this->msk = chunk_alloc(64);
1213 this->prf->get_bytes(this->prf, this->msk_label, seed,
1214 this->msk.len, this->msk.ptr);
1215 }
1216 }
1217
1218 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1219 private_tls_crypto_t *this)
1220 {
1221 return this->msk;
1222 }
1223
1224 METHOD(tls_crypto_t, destroy, void,
1225 private_tls_crypto_t *this)
1226 {
1227 DESTROY_IF(this->signer_in);
1228 DESTROY_IF(this->signer_out);
1229 DESTROY_IF(this->crypter_in);
1230 DESTROY_IF(this->crypter_out);
1231 free(this->iv_in.ptr);
1232 free(this->iv_out.ptr);
1233 free(this->handshake.ptr);
1234 free(this->msk.ptr);
1235 DESTROY_IF(this->prf);
1236 free(this->suites);
1237 free(this);
1238 }
1239
1240 /**
1241 * See header
1242 */
1243 tls_crypto_t *tls_crypto_create(tls_t *tls)
1244 {
1245 private_tls_crypto_t *this;
1246
1247 INIT(this,
1248 .public = {
1249 .get_cipher_suites = _get_cipher_suites,
1250 .select_cipher_suite = _select_cipher_suite,
1251 .get_dh_group = _get_dh_group,
1252 .get_signature_algorithms = _get_signature_algorithms,
1253 .get_curves = _get_curves,
1254 .set_protection = _set_protection,
1255 .append_handshake = _append_handshake,
1256 .sign = _sign,
1257 .verify = _verify,
1258 .sign_handshake = _sign_handshake,
1259 .verify_handshake = _verify_handshake,
1260 .calculate_finished = _calculate_finished,
1261 .derive_secrets = _derive_secrets,
1262 .change_cipher = _change_cipher,
1263 .derive_eap_msk = _derive_eap_msk,
1264 .get_eap_msk = _get_eap_msk,
1265 .destroy = _destroy,
1266 },
1267 .tls = tls,
1268 );
1269
1270 switch (tls->get_purpose(tls))
1271 {
1272 case TLS_PURPOSE_EAP_TLS:
1273 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1274 this->msk_label = "client EAP encryption";
1275 build_cipher_suite_list(this, FALSE);
1276 break;
1277 case TLS_PURPOSE_EAP_TTLS:
1278 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1279 this->msk_label = "ttls keying material";
1280 build_cipher_suite_list(this, TRUE);
1281 break;
1282 case TLS_PURPOSE_GENERIC:
1283 build_cipher_suite_list(this, TRUE);
1284 break;
1285 }
1286 return &this->public;
1287 }
Unnamed repository; edit this file 'description' to name the repository.