]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fixed key type in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_crypto.h"
17
18 #include <debug.h>
19
20 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
21 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
22 "TLS_NULL_WITH_NULL_NULL",
23 "TLS_RSA_WITH_NULL_MD5",
24 "TLS_RSA_WITH_NULL_SHA",
25 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
26 "TLS_RSA_WITH_RC4_128_MD5",
27 "TLS_RSA_WITH_RC4_128_SHA",
28 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
29 "TLS_RSA_WITH_IDEA_CBC_SHA",
30 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
31 "TLS_RSA_WITH_DES_CBC_SHA",
32 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
33 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
34 "TLS_DH_DSS_WITH_DES_CBC_SHA",
35 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
36 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
37 "TLS_DH_RSA_WITH_DES_CBC_SHA",
38 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
39 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
40 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
41 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
42 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
43 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
44 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
45 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
46 "TLS_DH_anon_WITH_RC4_128_MD5",
47 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DH_anon_WITH_DES_CBC_SHA",
49 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
50 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
51 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
52 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
53 "TLS_KRB5_WITH_DES_CBC_SHA",
54 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
55 "TLS_KRB5_WITH_RC4_128_SHA",
56 "TLS_KRB5_WITH_IDEA_CBC_SHA",
57 "TLS_KRB5_WITH_DES_CBC_MD5",
58 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
59 "TLS_KRB5_WITH_RC4_128_MD5",
60 "TLS_KRB5_WITH_IDEA_CBC_MD5",
61 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
62 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
63 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
64 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
65 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
66 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
67 "TLS_PSK_WITH_NULL_SHA",
68 "TLS_DHE_PSK_WITH_NULL_SHA",
69 "TLS_RSA_PSK_WITH_NULL_SHA",
70 "TLS_RSA_WITH_AES_128_CBC_SHA",
71 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
72 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
73 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
74 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
75 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
76 "TLS_RSA_WITH_AES_256_CBC_SHA",
77 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
78 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
79 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
80 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
81 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
82 "TLS_RSA_WITH_NULL_SHA256",
83 "TLS_RSA_WITH_AES_128_CBC_SHA256 ",
84 "TLS_RSA_WITH_AES_256_CBC_SHA256",
85 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
86 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
87 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
88 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
89 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
90 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
91 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
92 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
93 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
94 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
95 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
96 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
97 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
98 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
99 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
100 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
101 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
102 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
104 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
105 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
107 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
108 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
109 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
110 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
111 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
112 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
113 "TLS_PSK_WITH_RC4_128_SHA",
114 "TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
115 "TLS_PSK_WITH_AES_128_CBC_SHA",
116 "TLS_PSK_WITH_AES_256_CBC_SHA",
117 "TLS_DHE_PSK_WITH_RC4_128_SHA",
118 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
119 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
120 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
121 "TLS_RSA_PSK_WITH_RC4_128_SHA",
122 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_SEED_CBC_SHA",
126 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
127 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
128 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
129 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
130 "TLS_DH_anon_WITH_SEED_CBC_SHA",
131 "TLS_RSA_WITH_AES_128_GCM_SHA256",
132 "TLS_RSA_WITH_AES_256_GCM_SHA384",
133 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
134 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
135 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
136 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
137 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
138 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
139 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
140 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
141 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
142 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
143 "TLS_PSK_WITH_AES_128_GCM_SHA256",
144 "TLS_PSK_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
149 "TLS_PSK_WITH_AES_128_CBC_SHA256",
150 "TLS_PSK_WITH_AES_256_CBC_SHA384",
151 "TLS_PSK_WITH_NULL_SHA256",
152 "TLS_PSK_WITH_NULL_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
155 "TLS_DHE_PSK_WITH_NULL_SHA256",
156 "TLS_DHE_PSK_WITH_NULL_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_RSA_PSK_WITH_NULL_SHA256",
160 "TLS_RSA_PSK_WITH_NULL_SHA384",
161 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
162 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
163 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
164 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
165 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
166 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
167 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
168 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
169 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
171 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
172 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
173 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
174 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
175 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
176 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
177 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
178 TLS_ECDHE_PSK_WITH_NULL_SHA384,
179 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
180 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
181 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
182 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
183 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
184 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
185 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
186 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
187 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
188 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
190 "TLS_ECDH_RSA_WITH_NULL_SHA",
191 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
192 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
193 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
195 "TLS_ECDHE_RSA_WITH_NULL_SHA",
196 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
197 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
198 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
200 "TLS_ECDH_anon_WITH_NULL_SHA",
201 "TLS_ECDH_anon_WITH_RC4_128_SHA",
202 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
203 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
204 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
205 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
206 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
207 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
208 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
209 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
211 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
212 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
213 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
214 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
215 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
216 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
217 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
218 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
223 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
224 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
225 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
226 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
239 ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
240
241 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
242 "NONE",
243 "MD5",
244 "SHA1",
245 "SHA224",
246 "SHA256",
247 "SHA384",
248 "SHA512",
249 );
250
251 ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
252 "RSA",
253 "DSA",
254 "ECDSA",
255 );
256
257 ENUM_BEGIN(tls_client_certificate_type_names,
258 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
259 "RSA_SIGN",
260 "DSA_SIGN",
261 "RSA_FIXED_DH",
262 "DSS_FIXED_DH",
263 "RSA_EPHEMERAL_DH",
264 "DSS_EPHEMERAL_DH");
265 ENUM_NEXT(tls_client_certificate_type_names,
266 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
267 "FORTEZZA_DMS");
268 ENUM_NEXT(tls_client_certificate_type_names,
269 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
270 "ECDSA_SIGN",
271 "RSA_FIXED_ECDH",
272 "ECDSA_FIXED_ECDH");
273 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
274
275 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
276 "EXPLICIT_PRIME",
277 "EXPLICIT_CHAR2",
278 "NAMED_CURVE",
279 );
280
281 ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
282 "SECT163K1",
283 "SECT163R1",
284 "SECT163R2",
285 "SECT193R1",
286 "SECT193R2",
287 "SECT233K1",
288 "SECT233R1",
289 "SECT239K1",
290 "SECT283K1",
291 "SECT283R1",
292 "SECT409K1",
293 "SECT409R1",
294 "SECT571K1",
295 "SECT571R1",
296 "SECP160K1",
297 "SECP160R1",
298 "SECP160R2",
299 "SECP192K1",
300 "SECP192R1",
301 "SECP224K1",
302 "SECP224R1",
303 "SECP256K1",
304 "SECP256R1",
305 "SECP384R1",
306 "SECP521R1",
307 );
308
309 ENUM(tls_ecp_format_names, TLS_ECP_COMPRESSED, TLS_ECP_HYBRID_Y,
310 "compressed",
311 "compressed y",
312 "uncompressed",
313 "uncompressed y",
314 "hybrid",
315 "hybrid y",
316 );
317
318 typedef struct private_tls_crypto_t private_tls_crypto_t;
319
320 /**
321 * Private data of an tls_crypto_t object.
322 */
323 struct private_tls_crypto_t {
324
325 /**
326 * Public tls_crypto_t interface.
327 */
328 tls_crypto_t public;
329
330 /**
331 * Protection layer
332 */
333 tls_protection_t *protection;
334
335 /**
336 * List of supported/acceptable cipher suites
337 */
338 tls_cipher_suite_t *suites;
339
340 /**
341 * Number of supported suites
342 */
343 int suite_count;
344
345 /**
346 * Selected cipher suite
347 */
348 tls_cipher_suite_t suite;
349
350 /**
351 * RSA supported?
352 */
353 bool rsa;
354
355 /**
356 * ECDSA supported?
357 */
358 bool ecdsa;
359
360 /**
361 * TLS context
362 */
363 tls_t *tls;
364
365 /**
366 * All handshake data concatentated
367 */
368 chunk_t handshake;
369
370 /**
371 * Connection state TLS PRF
372 */
373 tls_prf_t *prf;
374
375 /**
376 * Signer instance for inbound traffic
377 */
378 signer_t *signer_in;
379
380 /**
381 * Signer instance for outbound traffic
382 */
383 signer_t *signer_out;
384
385 /**
386 * Crypter instance for inbound traffic
387 */
388 crypter_t *crypter_in;
389
390 /**
391 * Crypter instance for outbound traffic
392 */
393 crypter_t *crypter_out;
394
395 /**
396 * IV for input decryption, if < TLSv1.2
397 */
398 chunk_t iv_in;
399
400 /**
401 * IV for output decryption, if < TLSv1.2
402 */
403 chunk_t iv_out;
404
405 /**
406 * EAP-[T]TLS MSK
407 */
408 chunk_t msk;
409
410 /**
411 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
412 */
413 char *msk_label;
414 };
415
416 typedef struct {
417 tls_cipher_suite_t suite;
418 key_type_t key;
419 diffie_hellman_group_t dh;
420 hash_algorithm_t hash;
421 pseudo_random_function_t prf;
422 integrity_algorithm_t mac;
423 encryption_algorithm_t encr;
424 size_t encr_size;
425 } suite_algs_t;
426
427 /**
428 * Mapping suites to a set of algorithms
429 */
430 static suite_algs_t suite_algs[] = {
431 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
432 KEY_ECDSA, ECP_256_BIT,
433 HASH_SHA1, PRF_HMAC_SHA1,
434 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
435 },
436 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
437 KEY_ECDSA, ECP_256_BIT,
438 HASH_SHA256, PRF_HMAC_SHA2_256,
439 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
440 },
441 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
442 KEY_ECDSA, ECP_384_BIT,
443 HASH_SHA1, PRF_HMAC_SHA1,
444 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
445 },
446 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
447 KEY_ECDSA, ECP_384_BIT,
448 HASH_SHA384, PRF_HMAC_SHA2_384,
449 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
450 },
451 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
452 KEY_RSA, ECP_256_BIT,
453 HASH_SHA1, PRF_HMAC_SHA1,
454 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
455 },
456 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
457 KEY_RSA, ECP_256_BIT,
458 HASH_SHA256, PRF_HMAC_SHA2_256,
459 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
460 },
461 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
462 KEY_RSA, ECP_384_BIT,
463 HASH_SHA1, PRF_HMAC_SHA1,
464 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
465 },
466 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
467 KEY_RSA, ECP_384_BIT,
468 HASH_SHA384, PRF_HMAC_SHA2_384,
469 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
470 },
471 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
472 KEY_RSA, MODP_2048_BIT,
473 HASH_SHA1, PRF_HMAC_SHA1,
474 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
475 },
476 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
477 KEY_RSA, MODP_3072_BIT,
478 HASH_SHA256, PRF_HMAC_SHA2_256,
479 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
480 },
481 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
482 KEY_RSA, MODP_3072_BIT,
483 HASH_SHA1, PRF_HMAC_SHA1,
484 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
485 },
486 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
487 KEY_RSA, MODP_4096_BIT,
488 HASH_SHA256, PRF_HMAC_SHA2_256,
489 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
490 },
491 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
492 KEY_RSA, MODP_2048_BIT,
493 HASH_SHA1, PRF_HMAC_SHA1,
494 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
495 },
496 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
497 KEY_RSA, MODP_3072_BIT,
498 HASH_SHA256, PRF_HMAC_SHA2_256,
499 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
500 },
501 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
502 KEY_RSA, MODP_3072_BIT,
503 HASH_SHA1, PRF_HMAC_SHA1,
504 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
505 },
506 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
507 KEY_RSA, MODP_4096_BIT,
508 HASH_SHA256, PRF_HMAC_SHA2_256,
509 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
510 },
511 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
512 KEY_RSA, MODP_2048_BIT,
513 HASH_SHA1, PRF_HMAC_SHA1,
514 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
515 },
516 { TLS_RSA_WITH_AES_128_CBC_SHA,
517 KEY_RSA, MODP_NONE,
518 HASH_SHA1, PRF_HMAC_SHA1,
519 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
520 },
521 { TLS_RSA_WITH_AES_128_CBC_SHA256,
522 KEY_RSA, MODP_NONE,
523 HASH_SHA256, PRF_HMAC_SHA2_256,
524 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
525 },
526 { TLS_RSA_WITH_AES_256_CBC_SHA,
527 KEY_RSA, MODP_NONE,
528 HASH_SHA1, PRF_HMAC_SHA1,
529 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
530 },
531 { TLS_RSA_WITH_AES_256_CBC_SHA256,
532 KEY_RSA, MODP_NONE,
533 HASH_SHA256, PRF_HMAC_SHA2_256,
534 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
535 },
536 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
537 KEY_RSA, MODP_NONE,
538 HASH_SHA1, PRF_HMAC_SHA1,
539 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
540 },
541 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
542 KEY_RSA, MODP_NONE,
543 HASH_SHA256, PRF_HMAC_SHA2_256,
544 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
545 },
546 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
547 KEY_RSA, MODP_NONE,
548 HASH_SHA1, PRF_HMAC_SHA1,
549 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
550 },
551 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
552 KEY_RSA, MODP_NONE,
553 HASH_SHA256, PRF_HMAC_SHA2_256,
554 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
555 },
556 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
557 KEY_ECDSA, ECP_256_BIT,
558 HASH_SHA1, PRF_HMAC_SHA1,
559 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
560 },
561 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
562 KEY_RSA, ECP_256_BIT,
563 HASH_SHA1, PRF_HMAC_SHA1,
564 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
565 },
566 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
567 KEY_RSA, MODP_NONE,
568 HASH_SHA1, PRF_HMAC_SHA1,
569 AUTH_HMAC_SHA1_160, ENCR_3DES, 0
570 },
571 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
572 KEY_ECDSA, ECP_256_BIT,
573 HASH_SHA1, PRF_HMAC_SHA1,
574 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
575 },
576 { TLS_ECDHE_RSA_WITH_NULL_SHA,
577 KEY_ECDSA, ECP_256_BIT,
578 HASH_SHA1, PRF_HMAC_SHA1,
579 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
580 },
581 { TLS_RSA_WITH_NULL_SHA,
582 KEY_RSA, MODP_NONE,
583 HASH_SHA1, PRF_HMAC_SHA1,
584 AUTH_HMAC_SHA1_160, ENCR_NULL, 0
585 },
586 { TLS_RSA_WITH_NULL_SHA256,
587 KEY_RSA, MODP_NONE,
588 HASH_SHA256, PRF_HMAC_SHA2_256,
589 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
590 },
591 { TLS_RSA_WITH_NULL_MD5,
592 KEY_RSA, MODP_NONE,
593 HASH_MD5, PRF_HMAC_MD5,
594 AUTH_HMAC_MD5_128, ENCR_NULL, 0
595 },
596 };
597
598 /**
599 * Look up algoritms by a suite
600 */
601 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
602 {
603 int i;
604
605 for (i = 0; i < countof(suite_algs); i++)
606 {
607 if (suite_algs[i].suite == suite)
608 {
609 return &suite_algs[i];
610 }
611 }
612 return NULL;
613 }
614
615 /**
616 * Filter a suite list using a transform enumerator
617 */
618 static void filter_suite(private_tls_crypto_t *this,
619 suite_algs_t suites[], int *count, int offset,
620 enumerator_t*(*create_enumerator)(crypto_factory_t*))
621 {
622 suite_algs_t current;
623 int i, remaining = 0;
624 enumerator_t *enumerator;
625
626 memset(&current, 0, sizeof(current));
627 for (i = 0; i < *count; i++)
628 {
629 enumerator = create_enumerator(lib->crypto);
630 while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
631 {
632 if ((suites[i].encr == ENCR_NULL ||
633 !current.encr || current.encr == suites[i].encr) &&
634 (!current.mac || current.mac == suites[i].mac) &&
635 (!current.prf || current.prf == suites[i].prf) &&
636 (!current.hash || current.hash == suites[i].hash) &&
637 (suites[i].dh == MODP_NONE ||
638 !current.dh || current.dh == suites[i].dh))
639 {
640 suites[remaining] = suites[i];
641 remaining++;
642 break;
643 }
644 }
645 enumerator->destroy(enumerator);
646 }
647 *count = remaining;
648 }
649
650 /**
651 * Purge NULL encryption cipher suites from list
652 */
653 static void filter_null_suites(private_tls_crypto_t *this,
654 suite_algs_t suites[], int *count)
655 {
656 int i, remaining = 0;
657
658 for (i = 0; i < *count; i++)
659 {
660 if (suites[i].encr != ENCR_NULL)
661 {
662 suites[remaining] = suites[i];
663 remaining++;
664 }
665 }
666 *count = remaining;
667 }
668
669 /**
670 * Purge suites using a given key type
671 */
672 static void filter_key_suites(private_tls_crypto_t *this,
673 suite_algs_t suites[], int *count, key_type_t key)
674 {
675 int i, remaining = 0;
676
677 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
678 for (i = 0; i < *count; i++)
679 {
680 if (suites[i].key != key)
681 {
682 suites[remaining] = suites[i];
683 remaining++;
684 }
685 }
686 *count = remaining;
687 }
688
689 /**
690 * Initialize the cipher suite list
691 */
692 static void build_cipher_suite_list(private_tls_crypto_t *this,
693 bool require_encryption)
694 {
695 suite_algs_t suites[countof(suite_algs)];
696 int count = countof(suite_algs), i;
697
698 /* copy all suites */
699 for (i = 0; i < count; i++)
700 {
701 suites[i] = suite_algs[i];
702 }
703 if (require_encryption)
704 {
705 filter_null_suites(this, suites, &count);
706 }
707 if (!this->rsa)
708 {
709 filter_key_suites(this, suites, &count, KEY_RSA);
710 }
711 if (!this->ecdsa)
712 {
713 filter_key_suites(this, suites, &count, KEY_ECDSA);
714 }
715
716 /* filter suite list by each algorithm */
717 filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
718 lib->crypto->create_crypter_enumerator);
719 filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
720 lib->crypto->create_signer_enumerator);
721 filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
722 lib->crypto->create_prf_enumerator);
723 filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
724 lib->crypto->create_hasher_enumerator);
725 filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
726 lib->crypto->create_dh_enumerator);
727
728 free(this->suites);
729 this->suite_count = count;
730 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
731
732 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
733 for (i = 0; i < count; i++)
734 {
735 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
736 this->suites[i] = suites[i].suite;
737 }
738 }
739
740 METHOD(tls_crypto_t, get_cipher_suites, int,
741 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
742 {
743 *suites = this->suites;
744 return this->suite_count;
745 }
746
747 /**
748 * Create crypto primitives
749 */
750 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
751 {
752 DESTROY_IF(this->prf);
753 if (this->tls->get_version(this->tls) < TLS_1_2)
754 {
755 this->prf = tls_prf_create_10();
756 }
757 else
758 {
759 this->prf = tls_prf_create_12(algs->prf);
760 }
761 if (!this->prf)
762 {
763 DBG1(DBG_TLS, "selected TLS PRF not supported");
764 return FALSE;
765 }
766
767 DESTROY_IF(this->signer_in);
768 DESTROY_IF(this->signer_out);
769 this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
770 this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
771 if (!this->signer_in || !this->signer_out)
772 {
773 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
774 integrity_algorithm_names, algs->mac);
775 return FALSE;
776 }
777
778 DESTROY_IF(this->crypter_in);
779 DESTROY_IF(this->crypter_out);
780 if (algs->encr == ENCR_NULL)
781 {
782 this->crypter_in = this->crypter_out = NULL;
783 }
784 else
785 {
786 this->crypter_in = lib->crypto->create_crypter(lib->crypto,
787 algs->encr, algs->encr_size);
788 this->crypter_out = lib->crypto->create_crypter(lib->crypto,
789 algs->encr, algs->encr_size);
790 if (!this->crypter_in || !this->crypter_out)
791 {
792 DBG1(DBG_TLS, "selected TLS crypter %N not supported",
793 encryption_algorithm_names, algs->encr);
794 return FALSE;
795 }
796 }
797 return TRUE;
798 }
799
800 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
801 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
802 key_type_t key)
803 {
804 suite_algs_t *algs;
805 int i, j;
806
807 for (i = 0; i < this->suite_count; i++)
808 {
809 for (j = 0; j < count; j++)
810 {
811 if (this->suites[i] == suites[j])
812 {
813 algs = find_suite(this->suites[i]);
814 if (algs)
815 {
816 if (key == KEY_ANY || key == algs->key)
817 {
818 if (create_ciphers(this, algs))
819 {
820 this->suite = this->suites[i];
821 return this->suite;
822 }
823 }
824 }
825 }
826 }
827 }
828 return 0;
829 }
830
831 METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
832 private_tls_crypto_t *this)
833 {
834 suite_algs_t *algs;
835
836 algs = find_suite(this->suite);
837 if (algs)
838 {
839 return algs->dh;
840 }
841 return MODP_NONE;
842 }
843
844 METHOD(tls_crypto_t, get_signature_algorithms, void,
845 private_tls_crypto_t *this, tls_writer_t *writer)
846 {
847 tls_writer_t *supported;
848 enumerator_t *enumerator;
849 hash_algorithm_t alg;
850 tls_hash_algorithm_t hash;
851
852 supported = tls_writer_create(32);
853 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
854 while (enumerator->enumerate(enumerator, &alg))
855 {
856 switch (alg)
857 {
858 case HASH_MD5:
859 hash = TLS_HASH_MD5;
860 break;
861 case HASH_SHA1:
862 hash = TLS_HASH_SHA1;
863 break;
864 case HASH_SHA224:
865 hash = TLS_HASH_SHA224;
866 break;
867 case HASH_SHA256:
868 hash = TLS_HASH_SHA256;
869 break;
870 case HASH_SHA384:
871 hash = TLS_HASH_SHA384;
872 break;
873 case HASH_SHA512:
874 hash = TLS_HASH_SHA512;
875 break;
876 default:
877 continue;
878 }
879 if (this->rsa)
880 {
881 supported->write_uint8(supported, hash);
882 supported->write_uint8(supported, TLS_SIG_RSA);
883 }
884 if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
885 { /* currently we have no signature scheme for MD5/SHA224 */
886 supported->write_uint8(supported, hash);
887 supported->write_uint8(supported, TLS_SIG_ECDSA);
888 }
889 }
890 enumerator->destroy(enumerator);
891
892 writer->write_data16(writer, supported->get_buf(supported));
893 supported->destroy(supported);
894 }
895
896 /**
897 * Mapping groups to TLS named curves
898 */
899 static struct {
900 diffie_hellman_group_t group;
901 tls_named_curve_t curve;
902 } curves[] = {
903 { ECP_256_BIT, TLS_SECP256R1},
904 { ECP_384_BIT, TLS_SECP384R1},
905 { ECP_521_BIT, TLS_SECP521R1},
906 { ECP_224_BIT, TLS_SECP224R1},
907 { ECP_192_BIT, TLS_SECP192R1},
908 };
909
910 /**
911 * Filter EC groups, add TLS curve
912 */
913 static bool group_filter(void *null,
914 diffie_hellman_group_t *in, diffie_hellman_group_t *out,
915 void* dummy1, tls_named_curve_t *curve)
916 {
917 int i;
918
919 for (i = 0; i < countof(curves); i++)
920 {
921 if (curves[i].group == *in)
922 {
923 if (out)
924 {
925 *out = curves[i].group;
926 }
927 if (curve)
928 {
929 *curve = curves[i].curve;
930 }
931 return TRUE;
932 }
933 }
934 return FALSE;
935 }
936
937 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
938 private_tls_crypto_t *this)
939 {
940 return enumerator_create_filter(
941 lib->crypto->create_dh_enumerator(lib->crypto),
942 (void*)group_filter, NULL, NULL);
943 }
944
945 METHOD(tls_crypto_t, set_protection, void,
946 private_tls_crypto_t *this, tls_protection_t *protection)
947 {
948 this->protection = protection;
949 }
950
951 METHOD(tls_crypto_t, append_handshake, void,
952 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
953 {
954 u_int32_t header;
955
956 /* reconstruct handshake header */
957 header = htonl(data.len | (type << 24));
958 this->handshake = chunk_cat("mcc", this->handshake,
959 chunk_from_thing(header), data);
960 }
961
962 /**
963 * Create a hash using the suites HASH algorithm
964 */
965 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
966 {
967 if (this->tls->get_version(this->tls) >= TLS_1_2)
968 {
969 hasher_t *hasher;
970 suite_algs_t *alg;
971
972 alg = find_suite(this->suite);
973 if (!alg)
974 {
975 return FALSE;
976 }
977 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
978 if (!hasher)
979 {
980 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
981 return FALSE;
982 }
983 hasher->allocate_hash(hasher, data, hash);
984 hasher->destroy(hasher);
985 }
986 else
987 {
988 hasher_t *md5, *sha1;
989 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
990
991 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
992 if (!md5)
993 {
994 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
995 return FALSE;
996 }
997 md5->get_hash(md5, data, buf);
998 md5->destroy(md5);
999 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1000 if (!sha1)
1001 {
1002 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1003 return FALSE;
1004 }
1005 sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
1006 sha1->destroy(sha1);
1007
1008 *hash = chunk_clone(chunk_from_thing(buf));
1009 }
1010 return TRUE;
1011 }
1012
1013 /**
1014 * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
1015 */
1016 static signature_scheme_t hashsig_to_scheme(key_type_t type,
1017 tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
1018 {
1019 switch (sig)
1020 {
1021 case TLS_SIG_RSA:
1022 if (type != KEY_RSA)
1023 {
1024 return SIGN_UNKNOWN;
1025 }
1026 switch (hash)
1027 {
1028 case TLS_HASH_MD5:
1029 return SIGN_RSA_EMSA_PKCS1_MD5;
1030 case TLS_HASH_SHA1:
1031 return SIGN_RSA_EMSA_PKCS1_SHA1;
1032 case TLS_HASH_SHA224:
1033 return SIGN_RSA_EMSA_PKCS1_SHA224;
1034 case TLS_HASH_SHA256:
1035 return SIGN_RSA_EMSA_PKCS1_SHA256;
1036 case TLS_HASH_SHA384:
1037 return SIGN_RSA_EMSA_PKCS1_SHA384;
1038 case TLS_HASH_SHA512:
1039 return SIGN_RSA_EMSA_PKCS1_SHA512;
1040 default:
1041 return SIGN_UNKNOWN;
1042 }
1043 case TLS_SIG_ECDSA:
1044 if (type != KEY_ECDSA)
1045 {
1046 return SIGN_UNKNOWN;
1047 }
1048 switch (hash)
1049 {
1050 case TLS_HASH_SHA224:
1051 return SIGN_ECDSA_WITH_SHA1_DER;
1052 case TLS_HASH_SHA256:
1053 return SIGN_ECDSA_WITH_SHA256_DER;
1054 case TLS_HASH_SHA384:
1055 return SIGN_ECDSA_WITH_SHA384_DER;
1056 case TLS_HASH_SHA512:
1057 return SIGN_ECDSA_WITH_SHA512_DER;
1058 default:
1059 return SIGN_UNKNOWN;
1060 }
1061 default:
1062 return SIGN_UNKNOWN;
1063 }
1064 }
1065
1066 METHOD(tls_crypto_t, sign, bool,
1067 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1068 chunk_t data, chunk_t hashsig)
1069 {
1070 if (this->tls->get_version(this->tls) >= TLS_1_2)
1071 {
1072 signature_scheme_t scheme;
1073 tls_reader_t *reader;
1074 u_int8_t hash, alg;
1075 chunk_t sig;
1076 bool done = FALSE;
1077
1078 if (!hashsig.len)
1079 { /* fallback if none given */
1080 hashsig = chunk_from_chars(
1081 TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
1082 }
1083 reader = tls_reader_create(hashsig);
1084 while (reader->remaining(reader) >= 2)
1085 {
1086 if (reader->read_uint8(reader, &hash) &&
1087 reader->read_uint8(reader, &alg))
1088 {
1089 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1090 if (scheme != SIGN_UNKNOWN &&
1091 key->sign(key, scheme, data, &sig))
1092 {
1093 done = TRUE;
1094 break;
1095 }
1096 }
1097 }
1098 reader->destroy(reader);
1099 if (!done)
1100 {
1101 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1102 return FALSE;
1103 }
1104 DBG2(DBG_TLS, "created signature with %N/%N",
1105 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1106 writer->write_uint8(writer, hash);
1107 writer->write_uint8(writer, alg);
1108 writer->write_data16(writer, sig);
1109 free(sig.ptr);
1110 }
1111 else
1112 {
1113 chunk_t sig, hash;
1114 bool done;
1115
1116 switch (key->get_type(key))
1117 {
1118 case KEY_RSA:
1119 if (!hash_data(this, data, &hash))
1120 {
1121 return FALSE;
1122 }
1123 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
1124 free(hash.ptr);
1125 if (!done)
1126 {
1127 return FALSE;
1128 }
1129 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1130 break;
1131 case KEY_ECDSA:
1132 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
1133 {
1134 return FALSE;
1135 }
1136 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1137 break;
1138 default:
1139 return FALSE;
1140 }
1141 writer->write_data16(writer, sig);
1142 free(sig.ptr);
1143 }
1144 return TRUE;
1145 }
1146
1147 METHOD(tls_crypto_t, verify, bool,
1148 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
1149 chunk_t data)
1150 {
1151 if (this->tls->get_version(this->tls) >= TLS_1_2)
1152 {
1153 signature_scheme_t scheme = SIGN_UNKNOWN;
1154 u_int8_t hash, alg;
1155 chunk_t sig;
1156
1157 if (!reader->read_uint8(reader, &hash) ||
1158 !reader->read_uint8(reader, &alg) ||
1159 !reader->read_data16(reader, &sig))
1160 {
1161 DBG1(DBG_TLS, "received invalid signature");
1162 return FALSE;
1163 }
1164 scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
1165 if (scheme == SIGN_UNKNOWN)
1166 {
1167 DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
1168 tls_hash_algorithm_names, hash,
1169 tls_signature_algorithm_names, alg);
1170 return FALSE;
1171 }
1172 if (!key->verify(key, scheme, data, sig))
1173 {
1174 return FALSE;
1175 }
1176 DBG2(DBG_TLS, "verified signature with %N/%N",
1177 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
1178 }
1179 else
1180 {
1181 chunk_t sig, hash;
1182 bool done;
1183
1184 if (!reader->read_data16(reader, &sig))
1185 {
1186 DBG1(DBG_TLS, "received invalid signature");
1187 return FALSE;
1188 }
1189 switch (key->get_type(key))
1190 {
1191 case KEY_RSA:
1192 if (!hash_data(this, data, &hash))
1193 {
1194 return FALSE;
1195 }
1196 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
1197 free(hash.ptr);
1198 if (!done)
1199 {
1200 return FALSE;
1201 }
1202 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
1203 break;
1204 case KEY_ECDSA:
1205 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
1206 {
1207 return FALSE;
1208 }
1209 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
1210 break;
1211 default:
1212 return FALSE;
1213 }
1214 }
1215 return TRUE;
1216 }
1217
1218 METHOD(tls_crypto_t, sign_handshake, bool,
1219 private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
1220 chunk_t hashsig)
1221 {
1222 return sign(this, key, writer, this->handshake, hashsig);
1223 }
1224
1225 METHOD(tls_crypto_t, verify_handshake, bool,
1226 private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
1227 {
1228 return verify(this, key, reader, this->handshake);
1229 }
1230
1231 METHOD(tls_crypto_t, calculate_finished, bool,
1232 private_tls_crypto_t *this, char *label, char out[12])
1233 {
1234 chunk_t seed;
1235
1236 if (!this->prf)
1237 {
1238 return FALSE;
1239 }
1240 if (!hash_data(this, this->handshake, &seed))
1241 {
1242 return FALSE;
1243 }
1244 this->prf->get_bytes(this->prf, label, seed, 12, out);
1245 free(seed.ptr);
1246 return TRUE;
1247 }
1248
1249 METHOD(tls_crypto_t, derive_secrets, void,
1250 private_tls_crypto_t *this, chunk_t premaster,
1251 chunk_t client_random, chunk_t server_random)
1252 {
1253 char master[48];
1254 chunk_t seed, block, client_write, server_write;
1255 int mks, eks = 0, ivs = 0;
1256
1257 /* derive master secret */
1258 seed = chunk_cata("cc", client_random, server_random);
1259 this->prf->set_key(this->prf, premaster);
1260 this->prf->get_bytes(this->prf, "master secret", seed,
1261 sizeof(master), master);
1262
1263 this->prf->set_key(this->prf, chunk_from_thing(master));
1264 memset(master, 0, sizeof(master));
1265
1266 /* derive key block for key expansion */
1267 mks = this->signer_out->get_key_size(this->signer_out);
1268 if (this->crypter_out)
1269 {
1270 eks = this->crypter_out->get_key_size(this->crypter_out);
1271 if (this->tls->get_version(this->tls) < TLS_1_1)
1272 {
1273 ivs = this->crypter_out->get_iv_size(this->crypter_out);
1274 }
1275 }
1276 seed = chunk_cata("cc", server_random, client_random);
1277 block = chunk_alloca((mks + eks + ivs) * 2);
1278 this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
1279
1280 /* signer keys */
1281 client_write = chunk_create(block.ptr, mks);
1282 block = chunk_skip(block, mks);
1283 server_write = chunk_create(block.ptr, mks);
1284 block = chunk_skip(block, mks);
1285 if (this->tls->is_server(this->tls))
1286 {
1287 this->signer_in->set_key(this->signer_in, client_write);
1288 this->signer_out->set_key(this->signer_out, server_write);
1289 }
1290 else
1291 {
1292 this->signer_out->set_key(this->signer_out, client_write);
1293 this->signer_in->set_key(this->signer_in, server_write);
1294 }
1295
1296 /* crypter keys, and IVs if < TLSv1.2 */
1297 if (this->crypter_out && this->crypter_in)
1298 {
1299 client_write = chunk_create(block.ptr, eks);
1300 block = chunk_skip(block, eks);
1301 server_write = chunk_create(block.ptr, eks);
1302 block = chunk_skip(block, eks);
1303
1304 if (this->tls->is_server(this->tls))
1305 {
1306 this->crypter_in->set_key(this->crypter_in, client_write);
1307 this->crypter_out->set_key(this->crypter_out, server_write);
1308 }
1309 else
1310 {
1311 this->crypter_out->set_key(this->crypter_out, client_write);
1312 this->crypter_in->set_key(this->crypter_in, server_write);
1313 }
1314 if (ivs)
1315 {
1316 client_write = chunk_create(block.ptr, ivs);
1317 block = chunk_skip(block, ivs);
1318 server_write = chunk_create(block.ptr, ivs);
1319 block = chunk_skip(block, ivs);
1320
1321 if (this->tls->is_server(this->tls))
1322 {
1323 this->iv_in = chunk_clone(client_write);
1324 this->iv_out = chunk_clone(server_write);
1325 }
1326 else
1327 {
1328 this->iv_out = chunk_clone(client_write);
1329 this->iv_in = chunk_clone(server_write);
1330 }
1331 }
1332 }
1333 }
1334
1335 METHOD(tls_crypto_t, change_cipher, void,
1336 private_tls_crypto_t *this, bool inbound)
1337 {
1338 if (this->protection)
1339 {
1340 if (inbound)
1341 {
1342 this->protection->set_cipher(this->protection, TRUE,
1343 this->signer_in, this->crypter_in, this->iv_in);
1344 }
1345 else
1346 {
1347 this->protection->set_cipher(this->protection, FALSE,
1348 this->signer_out, this->crypter_out, this->iv_out);
1349 }
1350 }
1351 }
1352
1353 METHOD(tls_crypto_t, derive_eap_msk, void,
1354 private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
1355 {
1356 if (this->msk_label)
1357 {
1358 chunk_t seed;
1359
1360 seed = chunk_cata("cc", client_random, server_random);
1361 free(this->msk.ptr);
1362 this->msk = chunk_alloc(64);
1363 this->prf->get_bytes(this->prf, this->msk_label, seed,
1364 this->msk.len, this->msk.ptr);
1365 }
1366 }
1367
1368 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
1369 private_tls_crypto_t *this)
1370 {
1371 return this->msk;
1372 }
1373
1374 METHOD(tls_crypto_t, destroy, void,
1375 private_tls_crypto_t *this)
1376 {
1377 DESTROY_IF(this->signer_in);
1378 DESTROY_IF(this->signer_out);
1379 DESTROY_IF(this->crypter_in);
1380 DESTROY_IF(this->crypter_out);
1381 free(this->iv_in.ptr);
1382 free(this->iv_out.ptr);
1383 free(this->handshake.ptr);
1384 free(this->msk.ptr);
1385 DESTROY_IF(this->prf);
1386 free(this->suites);
1387 free(this);
1388 }
1389
1390 /**
1391 * See header
1392 */
1393 tls_crypto_t *tls_crypto_create(tls_t *tls)
1394 {
1395 private_tls_crypto_t *this;
1396 enumerator_t *enumerator;
1397 credential_type_t type;
1398 int subtype;
1399
1400 INIT(this,
1401 .public = {
1402 .get_cipher_suites = _get_cipher_suites,
1403 .select_cipher_suite = _select_cipher_suite,
1404 .get_dh_group = _get_dh_group,
1405 .get_signature_algorithms = _get_signature_algorithms,
1406 .create_ec_enumerator = _create_ec_enumerator,
1407 .set_protection = _set_protection,
1408 .append_handshake = _append_handshake,
1409 .sign = _sign,
1410 .verify = _verify,
1411 .sign_handshake = _sign_handshake,
1412 .verify_handshake = _verify_handshake,
1413 .calculate_finished = _calculate_finished,
1414 .derive_secrets = _derive_secrets,
1415 .change_cipher = _change_cipher,
1416 .derive_eap_msk = _derive_eap_msk,
1417 .get_eap_msk = _get_eap_msk,
1418 .destroy = _destroy,
1419 },
1420 .tls = tls,
1421 );
1422
1423 enumerator = lib->creds->create_builder_enumerator(lib->creds);
1424 while (enumerator->enumerate(enumerator, &type, &subtype))
1425 {
1426 if (type == CRED_PUBLIC_KEY)
1427 {
1428 switch (subtype)
1429 {
1430 case KEY_RSA:
1431 this->rsa = TRUE;
1432 break;
1433 case KEY_ECDSA:
1434 this->ecdsa = TRUE;
1435 break;
1436 default:
1437 break;
1438 }
1439 }
1440 }
1441 enumerator->destroy(enumerator);
1442
1443 switch (tls->get_purpose(tls))
1444 {
1445 case TLS_PURPOSE_EAP_TLS:
1446 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
1447 this->msk_label = "client EAP encryption";
1448 build_cipher_suite_list(this, FALSE);
1449 break;
1450 case TLS_PURPOSE_EAP_TTLS:
1451 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
1452 this->msk_label = "ttls keying material";
1453 build_cipher_suite_list(this, TRUE);
1454 break;
1455 case TLS_PURPOSE_GENERIC:
1456 build_cipher_suite_list(this, TRUE);
1457 break;
1458 }
1459 return &this->public;
1460 }
Unnamed repository; edit this file 'description' to name the repository.