]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libtls/tls_crypto.c
projects / thirdparty / strongswan.git / blob
? search:


04fc8201ac0fa95bb0ead7ded04f8e199cf813cc
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * Copyright (C) 2010-2014 Martin Willi
6 *
7 * Copyright (C) secunet Security Networks AG
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include "tls_crypto.h"
21 #include "tls_hkdf.h"
22
23 #include <utils/debug.h>
24 #include <plugins/plugin_feature.h>
25 #include <collections/hashtable.h>
26 #include <collections/array.h>
27
28 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
29 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
30 "TLS_NULL_WITH_NULL_NULL",
31 "TLS_RSA_WITH_NULL_MD5",
32 "TLS_RSA_WITH_NULL_SHA",
33 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
34 "TLS_RSA_WITH_RC4_128_MD5",
35 "TLS_RSA_WITH_RC4_128_SHA",
36 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
37 "TLS_RSA_WITH_IDEA_CBC_SHA",
38 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
39 "TLS_RSA_WITH_DES_CBC_SHA",
40 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
41 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
42 "TLS_DH_DSS_WITH_DES_CBC_SHA",
43 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
44 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
45 "TLS_DH_RSA_WITH_DES_CBC_SHA",
46 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
47 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
48 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
49 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
50 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
51 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
52 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
53 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
54 "TLS_DH_anon_WITH_RC4_128_MD5",
55 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
56 "TLS_DH_anon_WITH_DES_CBC_SHA",
57 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
58 ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
59 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
60 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
61 "TLS_KRB5_WITH_DES_CBC_SHA",
62 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
63 "TLS_KRB5_WITH_RC4_128_SHA",
64 "TLS_KRB5_WITH_IDEA_CBC_SHA",
65 "TLS_KRB5_WITH_DES_CBC_MD5",
66 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
67 "TLS_KRB5_WITH_RC4_128_MD5",
68 "TLS_KRB5_WITH_IDEA_CBC_MD5",
69 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
70 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
71 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
72 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
73 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
74 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
75 "TLS_PSK_WITH_NULL_SHA",
76 "TLS_DHE_PSK_WITH_NULL_SHA",
77 "TLS_RSA_PSK_WITH_NULL_SHA",
78 "TLS_RSA_WITH_AES_128_CBC_SHA",
79 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
80 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
81 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
82 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
83 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
84 "TLS_RSA_WITH_AES_256_CBC_SHA",
85 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
86 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
87 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
88 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
89 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
90 "TLS_RSA_WITH_NULL_SHA256",
91 "TLS_RSA_WITH_AES_128_CBC_SHA256",
92 "TLS_RSA_WITH_AES_256_CBC_SHA256",
93 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
94 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
95 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
96 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
97 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
98 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
99 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
100 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
101 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
102 ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
103 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
104 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
105 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
106 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
107 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
108 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
109 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
110 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
111 "TLS_DH_anon_WITH_AES_256_CBC_SHA256");
112 ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
113 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
114 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
115 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
116 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
117 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
118 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
119 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
120 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
121 "TLS_PSK_WITH_RC4_128_SHA",
122 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
123 "TLS_PSK_WITH_AES_128_CBC_SHA",
124 "TLS_PSK_WITH_AES_256_CBC_SHA",
125 "TLS_DHE_PSK_WITH_RC4_128_SHA",
126 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
127 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
128 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
129 "TLS_RSA_PSK_WITH_RC4_128_SHA",
130 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
131 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
132 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
133 "TLS_RSA_WITH_SEED_CBC_SHA",
134 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
135 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
136 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
137 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
138 "TLS_DH_anon_WITH_SEED_CBC_SHA",
139 "TLS_RSA_WITH_AES_128_GCM_SHA256",
140 "TLS_RSA_WITH_AES_256_GCM_SHA384",
141 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
142 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
143 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
144 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
145 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
146 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
147 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
148 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
149 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
150 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
151 "TLS_PSK_WITH_AES_128_GCM_SHA256",
152 "TLS_PSK_WITH_AES_256_GCM_SHA384",
153 "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
154 "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
155 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
156 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
157 "TLS_PSK_WITH_AES_128_CBC_SHA256",
158 "TLS_PSK_WITH_AES_256_CBC_SHA384",
159 "TLS_PSK_WITH_NULL_SHA256",
160 "TLS_PSK_WITH_NULL_SHA384",
161 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
162 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
163 "TLS_DHE_PSK_WITH_NULL_SHA256",
164 "TLS_DHE_PSK_WITH_NULL_SHA384",
165 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
166 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
167 "TLS_RSA_PSK_WITH_NULL_SHA256",
168 "TLS_RSA_PSK_WITH_NULL_SHA384",
169 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
170 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
171 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
176 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
177 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
181 ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
182 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
183 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
184 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
185 ENUM_NEXT(tls_cipher_suite_names, TLS_AES_128_GCM_SHA256,
186 TLS_AES_128_CCM_8_SHA256,
187 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
188 "TLS_AES_128_GCM_SHA256",
189 "TLS_AES_256_GCM_SHA384",
190 "TLS_CHACHA20_POLY1305_SHA256",
191 "TLS_AES_128_CCM_SHA256",
192 "TLS_AES_128_CCM_8_SHA256");
193 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
194 TLS_ECDHE_PSK_WITH_NULL_SHA384,
195 TLS_AES_128_CCM_8_SHA256,
196 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
197 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
198 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
199 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
200 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
201 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
202 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
203 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
204 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
205 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
206 "TLS_ECDH_RSA_WITH_NULL_SHA",
207 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
208 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
209 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
210 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
211 "TLS_ECDHE_RSA_WITH_NULL_SHA",
212 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
213 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
214 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
215 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
216 "TLS_ECDH_anon_WITH_NULL_SHA",
217 "TLS_ECDH_anon_WITH_RC4_128_SHA",
218 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
219 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
220 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
221 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
222 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
223 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
224 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
225 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
226 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
227 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
228 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
229 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
230 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
231 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
232 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
233 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
234 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
237 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
238 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
239 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
240 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
241 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
242 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
243 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
244 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
245 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
246 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
247 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
248 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
249 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
250 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
251 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
252 "TLS_ECDHE_PSK_WITH_NULL_SHA",
253 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
254 "TLS_ECDHE_PSK_WITH_NULL_SHA384");
255 ENUM_NEXT(tls_cipher_suite_names, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
257 TLS_ECDHE_PSK_WITH_NULL_SHA384,
258 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
259 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
260 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
261 ENUM_END(tls_cipher_suite_names, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
262
263
264 ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
265 "NONE",
266 "MD5",
267 "SHA1",
268 "SHA224",
269 "SHA256",
270 "SHA384",
271 "SHA512",
272 );
273
274 ENUM_BEGIN(tls_signature_scheme_names,
275 TLS_SIG_RSA_PKCS1_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
276 "RSA_PKCS1_SHA1");
277 ENUM_NEXT(tls_signature_scheme_names,
278 TLS_SIG_ECDSA_SHA1, TLS_SIG_ECDSA_SHA1, TLS_SIG_RSA_PKCS1_SHA1,
279 "ECDSA_SHA1");
280 ENUM_NEXT(tls_signature_scheme_names,
281 TLS_SIG_RSA_PKCS1_SHA224, TLS_SIG_ECDSA_SHA224, TLS_SIG_ECDSA_SHA1,
282 "RSA_PKCS1_SHA224",
283 "DSA_SHA224",
284 "ECDSA_SHA224");
285 ENUM_NEXT(tls_signature_scheme_names,
286 TLS_SIG_RSA_PKCS1_SHA256, TLS_SIG_ECDSA_SHA256, TLS_SIG_ECDSA_SHA224,
287 "RSA_PKCS1_SHA256",
288 "DSA_SHA256",
289 "ECDSA_SHA256");
290 ENUM_NEXT(tls_signature_scheme_names,
291 TLS_SIG_RSA_PKCS1_SHA384, TLS_SIG_ECDSA_SHA384, TLS_SIG_ECDSA_SHA256,
292 "RSA_PKCS1_SHA384",
293 "DSA_SHA384",
294 "ECDSA_SHA384");
295 ENUM_NEXT(tls_signature_scheme_names,
296 TLS_SIG_RSA_PKCS1_SHA512, TLS_SIG_ECDSA_SHA512, TLS_SIG_ECDSA_SHA384,
297 "RSA_PKCS1_SHA512",
298 "DSA_SHA512",
299 "ECDSA_SHA512");
300 ENUM_NEXT(tls_signature_scheme_names,
301 TLS_SIG_RSA_PSS_RSAE_SHA256, TLS_SIG_RSA_PSS_PSS_SHA512, TLS_SIG_ECDSA_SHA512,
302 "RSA_PSS_RSAE_SHA256",
303 "RSA_PSS_RSAE_SHA384",
304 "RSA_PSS_RSAE_SHA512",
305 "ED25519",
306 "ED448",
307 "RSA_PSS_PSS_SHA256",
308 "RSA_PSS_PSS_SHA384",
309 "RSA_PSS_PSS_SHA512",
310 );
311 ENUM_END(tls_signature_scheme_names, TLS_SIG_RSA_PSS_PSS_SHA512);
312
313 ENUM_BEGIN(tls_client_certificate_type_names,
314 TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
315 "RSA_SIGN",
316 "DSA_SIGN",
317 "RSA_FIXED_DH",
318 "DSS_FIXED_DH",
319 "RSA_EPHEMERAL_DH",
320 "DSS_EPHEMERAL_DH");
321 ENUM_NEXT(tls_client_certificate_type_names,
322 TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
323 "FORTEZZA_DMS");
324 ENUM_NEXT(tls_client_certificate_type_names,
325 TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
326 "ECDSA_SIGN",
327 "RSA_FIXED_ECDH",
328 "ECDSA_FIXED_ECDH");
329 ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
330
331 ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
332 "EXPLICIT_PRIME",
333 "EXPLICIT_CHAR2",
334 "NAMED_CURVE",
335 );
336
337 ENUM_BEGIN(tls_named_group_names, TLS_SECT163K1, TLS_SECP521R1,
338 "SECT163K1",
339 "SECT163R1",
340 "SECT163R2",
341 "SECT193R1",
342 "SECT193R2",
343 "SECT233K1",
344 "SECT233R1",
345 "SECT239K1",
346 "SECT283K1",
347 "SECT283R1",
348 "SECT409K1",
349 "SECT409R1",
350 "SECT571K1",
351 "SECT571R1",
352 "SECP160K1",
353 "SECP160R1",
354 "SECP160R2",
355 "SECP192K1",
356 "SECP192R1",
357 "SECP224K1",
358 "SECP224R1",
359 "SECP256K1",
360 "SECP256R1",
361 "SECP384R1",
362 "SECP521R1",
363 );
364 ENUM_NEXT(tls_named_group_names, TLS_CURVE25519, TLS_CURVE448, TLS_SECP521R1,
365 "CURVE25519",
366 "CURVE448",
367 );
368 ENUM_NEXT(tls_named_group_names, TLS_FFDHE2048, TLS_FFDHE8192, TLS_CURVE448,
369 "FFDHE2048",
370 "FFDHE3072",
371 "FFDHE4096",
372 "FFDHE6144",
373 "FFDHE8192",
374 );
375 ENUM_END(tls_named_group_names, TLS_FFDHE8192);
376
377 ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
378 "compressed",
379 "compressed y",
380 "uncompressed",
381 "uncompressed y",
382 "hybrid",
383 "hybrid y",
384 );
385
386 ENUM(tls_ec_point_format_names,
387 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
388 "uncompressed",
389 "ansiX962 compressed prime",
390 "ansiX962 compressed char2",
391 );
392
393 typedef struct private_tls_crypto_t private_tls_crypto_t;
394
395 /**
396 * Private data of an tls_crypto_t object.
397 */
398 struct private_tls_crypto_t {
399
400 /**
401 * Public tls_crypto_t interface.
402 */
403 tls_crypto_t public;
404
405 /**
406 * Protection layer
407 */
408 tls_protection_t *protection;
409
410 /**
411 * List of supported/acceptable cipher suites
412 */
413 tls_cipher_suite_t *suites;
414
415 /**
416 * Number of supported suites
417 */
418 int suite_count;
419
420 /**
421 * HKDF for TLS 1.3
422 */
423 tls_hkdf_t *hkdf;
424
425 /**
426 * Selected cipher suite
427 */
428 tls_cipher_suite_t suite;
429
430 /**
431 * RSA supported?
432 */
433 bool rsa;
434
435 /**
436 * ECDSA supported?
437 */
438 bool ecdsa;
439
440 /**
441 * TLS context
442 */
443 tls_t *tls;
444
445 /**
446 * TLS session cache
447 */
448 tls_cache_t *cache;
449
450 /**
451 * All handshake data concatenated
452 */
453 chunk_t handshake;
454
455 /**
456 * Connection state TLS PRF
457 */
458 tls_prf_t *prf;
459
460 /**
461 * AEAD transform for inbound traffic
462 */
463 tls_aead_t *aead_in;
464
465 /**
466 * AEAD transform for outbound traffic
467 */
468 tls_aead_t *aead_out;
469
470 /**
471 * EAP-[T]TLS MSK
472 */
473 chunk_t msk;
474
475 /**
476 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
477 */
478 char *msk_label;
479 };
480
481 typedef struct {
482 tls_cipher_suite_t suite;
483 key_type_t key;
484 key_exchange_method_t dh;
485 hash_algorithm_t hash;
486 pseudo_random_function_t prf;
487 integrity_algorithm_t mac;
488 encryption_algorithm_t encr;
489 size_t encr_size;
490 tls_version_t min_version;
491 tls_version_t max_version;
492 } suite_algs_t;
493
494 /**
495 * Mapping suites to a set of algorithms
496 *
497 * The order represents the descending preference of cipher suites and follows
498 * this rule set:
499 *
500 * 1. TLS 1.3 > Legacy TLS
501 * 2. AES > CAMELLIA > NULL
502 * 3. AES256 > AES128
503 * 4. GCM > CBC
504 * 5. ECDHE > DHE > NULL
505 * 6. ECDSA > RSA
506 * 7. SHA384 > SHA256 > SHA1
507 *
508 */
509 static suite_algs_t suite_algs[] = {
510 /* Cipher suites of TLS 1.3: key exchange and authentication
511 * delegated to extensions, therefore KEY_ANY, KE_NONE, PRF_UNDEFINED */
512 { TLS_AES_256_GCM_SHA384,
513 KEY_ANY, KE_NONE,
514 HASH_SHA384, PRF_UNDEFINED,
515 AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
516 TLS_1_3, TLS_1_3,
517 },
518 { TLS_AES_128_GCM_SHA256,
519 KEY_ANY, KE_NONE,
520 HASH_SHA256, PRF_UNDEFINED,
521 AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
522 TLS_1_3, TLS_1_3,
523 },
524 { TLS_CHACHA20_POLY1305_SHA256,
525 KEY_ANY, KE_NONE,
526 HASH_SHA256, PRF_UNDEFINED,
527 AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
528 TLS_1_3, TLS_1_3,
529 },
530 { TLS_AES_128_CCM_SHA256,
531 KEY_ANY, KE_NONE,
532 HASH_SHA256, PRF_UNDEFINED,
533 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
534 TLS_1_3, TLS_1_3,
535 },
536 { TLS_AES_128_CCM_8_SHA256,
537 KEY_ANY, KE_NONE,
538 HASH_SHA256, PRF_UNDEFINED,
539 AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
540 TLS_1_3, TLS_1_3,
541 },
542 /* Legacy TLS cipher suites */
543 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
544 KEY_ECDSA, ECP_384_BIT,
545 HASH_SHA384, PRF_HMAC_SHA2_384,
546 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
547 TLS_1_2, TLS_1_2,
548 },
549 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
550 KEY_ECDSA, ECP_384_BIT,
551 HASH_SHA384, PRF_HMAC_SHA2_384,
552 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
553 TLS_1_2, TLS_1_2,
554 },
555 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
556 KEY_ECDSA, ECP_384_BIT,
557 HASH_SHA256, PRF_HMAC_SHA2_256,
558 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
559 TLS_1_0, TLS_1_2,
560 },
561 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
562 KEY_ECDSA, ECP_256_BIT,
563 HASH_SHA256, PRF_HMAC_SHA2_256,
564 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
565 TLS_1_2, TLS_1_2,
566 },
567 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
568 KEY_ECDSA, ECP_256_BIT,
569 HASH_SHA256, PRF_HMAC_SHA2_256,
570 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
571 TLS_1_2, TLS_1_2,
572 },
573 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
574 KEY_ECDSA, ECP_256_BIT,
575 HASH_SHA256, PRF_HMAC_SHA2_256,
576 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
577 TLS_1_0, TLS_1_2,
578 },
579 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
580 KEY_RSA, ECP_384_BIT,
581 HASH_SHA384, PRF_HMAC_SHA2_384,
582 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
583 TLS_1_2, TLS_1_2,
584 },
585 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
586 KEY_RSA, ECP_384_BIT,
587 HASH_SHA384, PRF_HMAC_SHA2_384,
588 AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
589 TLS_1_2, TLS_1_2,
590 },
591 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
592 KEY_RSA, ECP_384_BIT,
593 HASH_SHA256, PRF_HMAC_SHA2_256,
594 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
595 TLS_1_0, TLS_1_2,
596 },
597 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
598 KEY_RSA, ECP_256_BIT,
599 HASH_SHA256, PRF_HMAC_SHA2_256,
600 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
601 TLS_1_2, TLS_1_2,
602 },
603 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
604 KEY_RSA, ECP_256_BIT,
605 HASH_SHA256, PRF_HMAC_SHA2_256,
606 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
607 TLS_1_2, TLS_1_2,
608 },
609 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
610 KEY_RSA, ECP_256_BIT,
611 HASH_SHA256, PRF_HMAC_SHA2_256,
612 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
613 TLS_1_0, TLS_1_2,
614 },
615 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
616 KEY_RSA, MODP_4096_BIT,
617 HASH_SHA384, PRF_HMAC_SHA2_384,
618 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
619 TLS_1_2, TLS_1_2,
620 },
621 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
622 KEY_RSA, MODP_4096_BIT,
623 HASH_SHA256, PRF_HMAC_SHA2_256,
624 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
625 TLS_1_2, TLS_1_2,
626 },
627 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
628 KEY_RSA, MODP_3072_BIT,
629 HASH_SHA256, PRF_HMAC_SHA2_256,
630 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
631 SSL_3_0, TLS_1_2,
632 },
633 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
634 KEY_RSA, MODP_4096_BIT,
635 HASH_SHA256, PRF_HMAC_SHA2_256,
636 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
637 TLS_1_2, TLS_1_2,
638 },
639 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
640 KEY_RSA, MODP_3072_BIT,
641 HASH_SHA256, PRF_HMAC_SHA2_256,
642 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
643 SSL_3_0, TLS_1_2,
644 },
645 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
646 KEY_RSA, MODP_3072_BIT,
647 HASH_SHA256, PRF_HMAC_SHA2_256,
648 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
649 TLS_1_2, TLS_1_2,
650 },
651 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
652 KEY_RSA, MODP_3072_BIT,
653 HASH_SHA256, PRF_HMAC_SHA2_256,
654 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
655 TLS_1_2, TLS_1_2,
656 },
657 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
658 KEY_RSA, MODP_2048_BIT,
659 HASH_SHA256,PRF_HMAC_SHA2_256,
660 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
661 SSL_3_0, TLS_1_2,
662 },
663 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
664 KEY_RSA, MODP_3072_BIT,
665 HASH_SHA256, PRF_HMAC_SHA2_256,
666 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
667 TLS_1_2, TLS_1_2,
668 },
669 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
670 KEY_RSA, MODP_2048_BIT,
671 HASH_SHA256, PRF_HMAC_SHA2_256,
672 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
673 SSL_3_0, TLS_1_2,
674 },
675 { TLS_RSA_WITH_AES_256_GCM_SHA384,
676 KEY_RSA, KE_NONE,
677 HASH_SHA384, PRF_HMAC_SHA2_384,
678 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
679 TLS_1_2, TLS_1_2,
680 },
681 { TLS_RSA_WITH_AES_256_CBC_SHA256,
682 KEY_RSA, KE_NONE,
683 HASH_SHA256, PRF_HMAC_SHA2_256,
684 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
685 TLS_1_2, TLS_1_2,
686 },
687 { TLS_RSA_WITH_AES_256_CBC_SHA,
688 KEY_RSA, KE_NONE,
689 HASH_SHA256, PRF_HMAC_SHA2_256,
690 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
691 SSL_3_0, TLS_1_2,
692 },
693 { TLS_RSA_WITH_AES_128_GCM_SHA256,
694 KEY_RSA, KE_NONE,
695 HASH_SHA256, PRF_HMAC_SHA2_256,
696 AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
697 TLS_1_2, TLS_1_2,
698 },
699 { TLS_RSA_WITH_AES_128_CBC_SHA256,
700 KEY_RSA, KE_NONE,
701 HASH_SHA256, PRF_HMAC_SHA2_256,
702 AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
703 TLS_1_2, TLS_1_2,
704 },
705 { TLS_RSA_WITH_AES_128_CBC_SHA,
706 KEY_RSA, KE_NONE,
707 HASH_SHA256, PRF_HMAC_SHA2_256,
708 AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
709 SSL_3_0, TLS_1_2,
710 },
711 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
712 KEY_RSA, KE_NONE,
713 HASH_SHA256, PRF_HMAC_SHA2_256,
714 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
715 TLS_1_2, TLS_1_2,
716 },
717 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
718 KEY_RSA, KE_NONE,
719 HASH_SHA256, PRF_HMAC_SHA2_256,
720 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
721 SSL_3_0, TLS_1_2,
722 },
723 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
724 KEY_RSA, KE_NONE,
725 HASH_SHA256, PRF_HMAC_SHA2_256,
726 AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
727 TLS_1_2, TLS_1_2,
728 },
729 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
730 KEY_RSA, KE_NONE,
731 HASH_SHA256, PRF_HMAC_SHA2_256,
732 AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
733 SSL_3_0, TLS_1_2,
734 },
735 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,
736 KEY_ECDSA, ECP_256_BIT,
737 HASH_SHA256, PRF_HMAC_SHA2_256,
738 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
739 TLS_1_0, TLS_1_2,
740 },
741 { TLS_ECDHE_RSA_WITH_NULL_SHA,
742 KEY_ECDSA, ECP_256_BIT,
743 HASH_SHA256, PRF_HMAC_SHA2_256,
744 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
745 TLS_1_0, TLS_1_2,
746 },
747 { TLS_RSA_WITH_NULL_SHA256,
748 KEY_RSA, KE_NONE,
749 HASH_SHA256, PRF_HMAC_SHA2_256,
750 AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
751 TLS_1_2, TLS_1_2,
752 },
753 { TLS_RSA_WITH_NULL_SHA,
754 KEY_RSA, KE_NONE,
755 HASH_SHA256, PRF_HMAC_SHA2_256,
756 AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
757 SSL_3_0, TLS_1_2,
758 },
759 };
760
761 /**
762 * Look up algorithms by a suite
763 */
764 static suite_algs_t *find_suite(tls_cipher_suite_t suite)
765 {
766 int i;
767
768 for (i = 0; i < countof(suite_algs); i++)
769 {
770 if (suite_algs[i].suite == suite)
771 {
772 return &suite_algs[i];
773 }
774 }
775 return NULL;
776 }
777
778 /**
779 * Filter a suite list using a transform enumerator
780 */
781 static void filter_suite(suite_algs_t suites[], int *count, int offset,
782 enumerator_t*(*create_enumerator)(crypto_factory_t*))
783 {
784 const char *plugin_name;
785 suite_algs_t current;
786 int *current_alg, i, remaining = 0;
787 enumerator_t *enumerator;
788
789 memset(&current, 0, sizeof(current));
790 current_alg = (int*)((char*)&current + offset);
791
792 for (i = 0; i < *count; i++)
793 {
794 if (create_enumerator == lib->crypto->create_crypter_enumerator &&
795 encryption_algorithm_is_aead(suites[i].encr))
796 { /* filtering crypters, but current suite uses an AEAD, apply */
797 suites[remaining] = suites[i];
798 remaining++;
799 continue;
800 }
801 if (create_enumerator == lib->crypto->create_aead_enumerator &&
802 !encryption_algorithm_is_aead(suites[i].encr))
803 { /* filtering AEADs, but current suite doesn't use one, apply */
804 suites[remaining] = suites[i];
805 remaining++;
806 continue;
807 }
808 enumerator = create_enumerator(lib->crypto);
809 while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
810 {
811 if (current.encr && current.encr != suites[i].encr)
812 {
813 if (suites[i].encr != ENCR_NULL)
814 { /* skip, ENCR does not match nor is NULL */
815 continue;
816 }
817 }
818 if (current.mac && current.mac != suites[i].mac)
819 {
820 if (suites[i].mac != AUTH_UNDEFINED)
821 { /* skip, MAC does not match nor is it undefined */
822 continue;
823 }
824 }
825 if (current.prf && current.prf != suites[i].prf)
826 {
827 if (suites[i].prf != PRF_UNDEFINED)
828 {
829 /* skip, PRF does not match nor is it undefined */
830 continue;
831 }
832 }
833 if (current.hash && current.hash != suites[i].hash)
834 { /* skip, hash does not match */
835 continue;
836 }
837 if (current.dh && current.dh != suites[i].dh)
838 {
839 if (suites[i].dh != KE_NONE &&
840 !(key_exchange_is_ecdh(current.dh) &&
841 key_exchange_is_ecdh(suites[i].dh)))
842 { /* skip DH group, does not match nor NONE nor both ECDH */
843 continue;
844 }
845 }
846 /* suite supported, apply */
847 suites[remaining] = suites[i];
848 remaining++;
849 break;
850 }
851 enumerator->destroy(enumerator);
852 }
853 *count = remaining;
854 }
855
856 /**
857 * Purge NULL encryption cipher suites from list
858 */
859 static void filter_null_suites(suite_algs_t suites[], int *count)
860 {
861 int i, remaining = 0;
862
863 for (i = 0; i < *count; i++)
864 {
865 if (suites[i].encr != ENCR_NULL)
866 {
867 suites[remaining] = suites[i];
868 remaining++;
869 }
870 }
871 *count = remaining;
872 }
873
874 /**
875 * Purge suites using a given key type
876 */
877 static void filter_key_suites(private_tls_crypto_t *this,
878 suite_algs_t suites[], int *count, key_type_t key)
879 {
880 int i, remaining = 0;
881
882 DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
883 for (i = 0; i < *count; i++)
884 {
885 if (suites[i].key != key)
886 {
887 suites[remaining] = suites[i];
888 remaining++;
889 }
890 }
891 *count = remaining;
892 }
893
894 /**
895 * Filter suites by key exchange user config
896 */
897 static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
898 suite_algs_t suites[], int *count)
899 {
900 enumerator_t *enumerator;
901 int i, remaining = 0;
902 char *token, *config;
903
904 config = lib->settings->get_str(lib->settings, "%s.tls.key_exchange", NULL,
905 lib->ns);
906 if (config)
907 {
908 for (i = 0; i < *count; i++)
909 {
910 enumerator = enumerator_create_token(config, ",", " ");
911 while (enumerator->enumerate(enumerator, &token))
912 {
913 if (strcaseeq(token, "ecdhe-ecdsa") &&
914 key_exchange_is_ecdh(suites[i].dh) &&
915 suites[i].key == KEY_ECDSA)
916 {
917 suites[remaining++] = suites[i];
918 break;
919 }
920 if (strcaseeq(token, "ecdhe-rsa") &&
921 key_exchange_is_ecdh(suites[i].dh) &&
922 suites[i].key == KEY_RSA)
923 {
924 suites[remaining++] = suites[i];
925 break;
926 }
927 if (strcaseeq(token, "dhe-rsa") &&
928 !key_exchange_is_ecdh(suites[i].dh) &&
929 suites[i].dh != KE_NONE &&
930 suites[i].key == KEY_RSA)
931 {
932 suites[remaining++] = suites[i];
933 break;
934 }
935 if (strcaseeq(token, "rsa") &&
936 suites[i].dh == KE_NONE &&
937 suites[i].key == KEY_RSA)
938 {
939 suites[remaining++] = suites[i];
940 break;
941 }
942 }
943 enumerator->destroy(enumerator);
944 }
945 *count = remaining;
946 }
947 }
948
949 /**
950 * Filter suites by cipher user config
951 */
952 static void filter_cipher_config_suites(private_tls_crypto_t *this,
953 suite_algs_t suites[], int *count)
954 {
955 enumerator_t *enumerator;
956 int i, remaining = 0;
957 char *token, *config;
958
959 config = lib->settings->get_str(lib->settings, "%s.tls.cipher", NULL,
960 lib->ns);
961 if (config)
962 {
963 for (i = 0; i < *count; i++)
964 {
965 enumerator = enumerator_create_token(config, ",", " ");
966 while (enumerator->enumerate(enumerator, &token))
967 {
968 const proposal_token_t *tok;
969
970 tok = lib->proposal->get_token(lib->proposal, token);
971 if (tok != NULL && tok->type == ENCRYPTION_ALGORITHM &&
972 suites[i].encr == tok->algorithm &&
973 (!tok->keysize || suites[i].encr_size == tok->keysize / 8))
974 {
975 suites[remaining++] = suites[i];
976 break;
977 }
978 }
979 enumerator->destroy(enumerator);
980 }
981 *count = remaining;
982 }
983 }
984
985 /**
986 * Filter suites by mac user config
987 */
988 static void filter_mac_config_suites(private_tls_crypto_t *this,
989 suite_algs_t suites[], int *count)
990 {
991 enumerator_t *enumerator;
992 int i, remaining = 0;
993 char *token, *config;
994
995 config = lib->settings->get_str(lib->settings, "%s.tls.mac", NULL,
996 lib->ns);
997 if (config)
998 {
999 for (i = 0; i < *count; i++)
1000 {
1001 enumerator = enumerator_create_token(config, ",", " ");
1002 while (enumerator->enumerate(enumerator, &token))
1003 {
1004 if (strcaseeq(token, "sha1") &&
1005 suites[i].mac == AUTH_HMAC_SHA1_160)
1006 {
1007 suites[remaining++] = suites[i];
1008 break;
1009 }
1010 if (strcaseeq(token, "sha256") &&
1011 suites[i].mac == AUTH_HMAC_SHA2_256_256)
1012 {
1013 suites[remaining++] = suites[i];
1014 break;
1015 }
1016 if (strcaseeq(token, "sha384") &&
1017 suites[i].mac == AUTH_HMAC_SHA2_384_384)
1018 {
1019 suites[remaining++] = suites[i];
1020 break;
1021 }
1022 }
1023 enumerator->destroy(enumerator);
1024 }
1025 *count = remaining;
1026 }
1027 }
1028
1029 /**
1030 * Filter for specific suites specified in strongswan.conf
1031 */
1032 static void filter_specific_config_suites(private_tls_crypto_t *this,
1033 suite_algs_t suites[], int *count)
1034 {
1035 enumerator_t *enumerator;
1036 int i, remaining = 0, suite;
1037 char *token, *config;
1038
1039 config = lib->settings->get_str(lib->settings, "%s.tls.suites", NULL,
1040 lib->ns);
1041 if (config)
1042 {
1043 for (i = 0; i < *count; i++)
1044 {
1045 enumerator = enumerator_create_token(config, ",", " ");
1046 while (enumerator->enumerate(enumerator, &token))
1047 {
1048 if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
1049 suite == suites[i].suite)
1050 {
1051 suites[remaining++] = suites[i];
1052 break;
1053 }
1054 }
1055 enumerator->destroy(enumerator);
1056 }
1057 *count = remaining;
1058 }
1059 }
1060
1061 /**
1062 * Filter key exchange curves by curve user config
1063 */
1064 static bool filter_curve_config(tls_named_group_t curve)
1065 {
1066 enumerator_t *enumerator;
1067 char *token, *config;
1068
1069 config = lib->settings->get_str(lib->settings, "%s.tls.ke_group", NULL,
1070 lib->ns);
1071 if (config)
1072 {
1073 enumerator = enumerator_create_token(config, ",", " ");
1074 while (enumerator->enumerate(enumerator, &token))
1075 {
1076 const proposal_token_t *tok;
1077
1078 tok = lib->proposal->get_token(lib->proposal, token);
1079 if (tok != NULL && tok->type == KEY_EXCHANGE_METHOD &&
1080 curve == tls_ec_group_to_curve(tok->algorithm))
1081 {
1082 enumerator->destroy(enumerator);
1083 return TRUE;
1084 }
1085 }
1086 enumerator->destroy(enumerator);
1087 }
1088 return !config;
1089 }
1090
1091 /**
1092 * Filter out unsupported suites on given suite array
1093 */
1094 static void filter_unsupported_suites(suite_algs_t suites[], int *count)
1095 {
1096 /* filter suite list by each algorithm */
1097 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1098 lib->crypto->create_aead_enumerator);
1099 filter_suite(suites, count, offsetof(suite_algs_t, prf),
1100 lib->crypto->create_prf_enumerator);
1101 filter_suite(suites, count, offsetof(suite_algs_t, encr),
1102 lib->crypto->create_crypter_enumerator);
1103 filter_suite(suites, count, offsetof(suite_algs_t, mac),
1104 lib->crypto->create_signer_enumerator);
1105 filter_suite(suites, count, offsetof(suite_algs_t, hash),
1106 lib->crypto->create_hasher_enumerator);
1107 filter_suite(suites, count, offsetof(suite_algs_t, dh),
1108 lib->crypto->create_ke_enumerator);
1109 }
1110
1111 /**
1112 * Initialize the cipher suite list
1113 */
1114 static void build_cipher_suite_list(private_tls_crypto_t *this)
1115 {
1116 suite_algs_t suites[countof(suite_algs)] = {};
1117 tls_version_t min_version, max_version, new_min_version, new_max_version;
1118 bool require_encryption = TRUE;
1119 int count = 0, i;
1120
1121 switch (this->tls->get_purpose(this->tls))
1122 {
1123 case TLS_PURPOSE_EAP_TLS:
1124 require_encryption = FALSE;
1125 break;
1126 case TLS_PURPOSE_GENERIC:
1127 if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL)
1128 {
1129 require_encryption = FALSE;
1130 }
1131 break;
1132 default:
1133 break;
1134 }
1135
1136 min_version = this->tls->get_version_min(this->tls);
1137 max_version = this->tls->get_version_max(this->tls);
1138
1139 /* copy all suites appropriate for the current min/max versions */
1140 for (i = 0; i < countof(suite_algs); i++)
1141 {
1142 if (suite_algs[i].min_version <= max_version &&
1143 suite_algs[i].max_version >= min_version)
1144 {
1145 suites[count++] = suite_algs[i];
1146 }
1147 }
1148
1149 if (require_encryption)
1150 {
1151 filter_null_suites(suites, &count);
1152 }
1153 if (!this->rsa)
1154 {
1155 filter_key_suites(this, suites, &count, KEY_RSA);
1156 }
1157 if (!this->ecdsa)
1158 {
1159 filter_key_suites(this, suites, &count, KEY_ECDSA);
1160 }
1161
1162 filter_unsupported_suites(suites, &count);
1163
1164 /* filter suites with strongswan.conf options */
1165 filter_key_exchange_config_suites(this, suites, &count);
1166 filter_cipher_config_suites(this, suites, &count);
1167 filter_mac_config_suites(this, suites, &count);
1168 filter_specific_config_suites(this, suites, &count);
1169
1170 free(this->suites);
1171 this->suite_count = count;
1172 this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
1173
1174 DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
1175 new_min_version = max_version;
1176 new_max_version = min_version;
1177 for (i = 0; i < count; i++)
1178 {
1179 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
1180 this->suites[i] = suites[i].suite;
1181
1182 /* set TLS min/max versions appropriate to the final cipher suites */
1183 new_max_version = max(new_max_version, suites[i].max_version);
1184 new_min_version = min(new_min_version, suites[i].min_version);
1185 }
1186 new_max_version = min(new_max_version, max_version);
1187 new_min_version = max(new_min_version, min_version);
1188
1189 if ((min_version != new_min_version || max_version != new_max_version) &&
1190 this->tls->set_version(this->tls, new_min_version, new_max_version))
1191 {
1192 DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
1193 tls_numeric_version_names, new_min_version,
1194 tls_numeric_version_names, new_max_version);
1195 }
1196 }
1197
1198 METHOD(tls_crypto_t, get_cipher_suites, int,
1199 private_tls_crypto_t *this, tls_cipher_suite_t **suites)
1200 {
1201 if (!this->suites)
1202 {
1203 build_cipher_suite_list(this);
1204 }
1205 if (suites)
1206 {
1207 *suites = this->suites;
1208 }
1209 return this->suite_count;
1210 }
1211
1212 /**
1213 * Create NULL encryption transforms
1214 */
1215 static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
1216 {
1217 this->aead_in = tls_aead_create_null(algs->mac);
1218 this->aead_out = tls_aead_create_null(algs->mac);
1219 if (!this->aead_in || !this->aead_out)
1220 {
1221 DBG1(DBG_TLS, "selected TLS MAC %N not supported",
1222 integrity_algorithm_names, algs->mac);
1223 return FALSE;
1224 }
1225 return TRUE;
1226 }
1227
1228 /**
1229 * Create traditional transforms
1230 */
1231 static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
1232 {
1233 if (this->tls->get_version_max(this->tls) < TLS_1_1)
1234 {
1235 this->aead_in = tls_aead_create_implicit(algs->mac,
1236 algs->encr, algs->encr_size);
1237 this->aead_out = tls_aead_create_implicit(algs->mac,
1238 algs->encr, algs->encr_size);
1239 }
1240 else
1241 {
1242 this->aead_in = tls_aead_create_explicit(algs->mac,
1243 algs->encr, algs->encr_size);
1244 this->aead_out = tls_aead_create_explicit(algs->mac,
1245 algs->encr, algs->encr_size);
1246 }
1247 if (!this->aead_in || !this->aead_out)
1248 {
1249 DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
1250 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
1251 integrity_algorithm_names, algs->mac);
1252 return FALSE;
1253 }
1254 return TRUE;
1255 }
1256
1257 /**
1258 * Create AEAD transforms
1259 */
1260 static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
1261 {
1262 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1263 {
1264 this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
1265 this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
1266 }
1267 else
1268 {
1269 this->aead_in = tls_aead_create_seq(algs->encr, algs->encr_size);
1270 this->aead_out = tls_aead_create_seq(algs->encr, algs->encr_size);
1271 }
1272 if (!this->aead_in || !this->aead_out)
1273 {
1274 DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
1275 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
1276 return FALSE;
1277 }
1278 return TRUE;
1279 }
1280
1281 /**
1282 * Clean up and unset AEAD transforms
1283 */
1284 static void destroy_aeads(private_tls_crypto_t *this)
1285 {
1286 DESTROY_IF(this->aead_in);
1287 DESTROY_IF(this->aead_out);
1288 this->aead_in = this->aead_out = NULL;
1289 }
1290
1291 /**
1292 * Create crypto primitives
1293 */
1294 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
1295 {
1296 destroy_aeads(this);
1297 DESTROY_IF(this->hkdf);
1298 DESTROY_IF(this->prf);
1299 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1300 {
1301 if (this->tls->get_version_max(this->tls) < TLS_1_2)
1302 {
1303 this->prf = tls_prf_create_10();
1304 }
1305 else
1306 {
1307 this->prf = tls_prf_create_12(algs->prf);
1308 }
1309 if (!this->prf)
1310 {
1311 DBG1(DBG_TLS, "selected TLS PRF not supported");
1312 return FALSE;
1313 }
1314 }
1315 else
1316 {
1317 this->hkdf = tls_hkdf_create(algs->hash, chunk_empty);
1318 if (!this->hkdf)
1319 {
1320 DBG1(DBG_TLS, "TLS HKDF creation unsuccessful");
1321 return FALSE;
1322 }
1323 }
1324 if (algs->encr == ENCR_NULL)
1325 {
1326 if (create_null(this, algs))
1327 {
1328 return TRUE;
1329 }
1330 }
1331 else if (encryption_algorithm_is_aead(algs->encr))
1332 {
1333 if (create_aead(this, algs))
1334 {
1335 return TRUE;
1336 }
1337 }
1338 else
1339 {
1340 if (create_traditional(this, algs))
1341 {
1342 return TRUE;
1343 }
1344 }
1345 destroy_aeads(this);
1346 return FALSE;
1347 }
1348
1349 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
1350 private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
1351 key_type_t key)
1352 {
1353 suite_algs_t *algs;
1354 int i, j;
1355
1356 for (i = 0; i < this->suite_count; i++)
1357 {
1358 for (j = 0; j < count; j++)
1359 {
1360 if (this->suites[i] == suites[j])
1361 {
1362 algs = find_suite(this->suites[i]);
1363 if (algs)
1364 {
1365 if (key == KEY_ANY || key == algs->key ||
1366 (algs->key == KEY_ECDSA && key == KEY_ED25519) ||
1367 (algs->key == KEY_ECDSA && key == KEY_ED448))
1368 {
1369 if (create_ciphers(this, algs))
1370 {
1371 this->suite = this->suites[i];
1372 return this->suite;
1373 }
1374 }
1375 }
1376 }
1377 }
1378 }
1379 return 0;
1380 }
1381
1382 /**
1383 * Parameters for RSA/PSS signature schemes
1384 */
1385 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
1386 .hash = HASH_SHA##bits, \
1387 .mgf1_hash = HASH_SHA##bits, \
1388 .salt_len = HASH_SIZE_SHA##bits, \
1389 }
1390
1391 PSS_PARAMS(256);
1392 PSS_PARAMS(384);
1393 PSS_PARAMS(512);
1394
1395 typedef struct {
1396 tls_signature_scheme_t sig;
1397 signature_params_t params;
1398 /* min/max versions for use in CertificateVerify */
1399 tls_version_t min_version;
1400 tls_version_t max_version;
1401 } scheme_algs_t;
1402
1403 /**
1404 * Map TLS signature schemes, ordered by preference
1405 */
1406 static scheme_algs_t schemes[] = {
1407 { TLS_SIG_ECDSA_SHA256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER },
1408 TLS_1_0, TLS_1_3 },
1409 { TLS_SIG_ECDSA_SHA384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER },
1410 TLS_1_0, TLS_1_3 },
1411 { TLS_SIG_ECDSA_SHA512, { .scheme = SIGN_ECDSA_WITH_SHA512_DER },
1412 TLS_1_0, TLS_1_3 },
1413 { TLS_SIG_ED25519, { .scheme = SIGN_ED25519 },
1414 TLS_1_0, TLS_1_3 },
1415 { TLS_SIG_ED448, { .scheme = SIGN_ED448 },
1416 TLS_1_0, TLS_1_3 },
1417 { TLS_SIG_RSA_PSS_RSAE_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1418 TLS_1_2, TLS_1_3 },
1419 { TLS_SIG_RSA_PSS_RSAE_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1420 TLS_1_2, TLS_1_3 },
1421 { TLS_SIG_RSA_PSS_RSAE_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1422 TLS_1_2, TLS_1_3 },
1423 /* the parameters for the next three should actually be taken from the
1424 * public key, we currently don't have an API for that, so assume defaults */
1425 { TLS_SIG_RSA_PSS_PSS_SHA256, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, },
1426 TLS_1_2, TLS_1_3 },
1427 { TLS_SIG_RSA_PSS_PSS_SHA384, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, },
1428 TLS_1_2, TLS_1_3 },
1429 { TLS_SIG_RSA_PSS_PSS_SHA512, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, },
1430 TLS_1_2, TLS_1_3 },
1431 { TLS_SIG_RSA_PKCS1_SHA256, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
1432 TLS_1_0, TLS_1_2 },
1433 { TLS_SIG_RSA_PKCS1_SHA384, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 },
1434 TLS_1_0, TLS_1_2 },
1435 { TLS_SIG_RSA_PKCS1_SHA512, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
1436 TLS_1_0, TLS_1_2 },
1437 };
1438
1439 /**
1440 * Filter signature scheme config
1441 */
1442 static bool filter_signature_scheme_config(tls_signature_scheme_t signature)
1443 {
1444 enumerator_t *enumerator;
1445 char *token, *config;
1446
1447 config = lib->settings->get_str(lib->settings, "%s.tls.signature", NULL,
1448 lib->ns);
1449 if (config)
1450 {
1451 enumerator = enumerator_create_token(config, ",", " ");
1452 while (enumerator->enumerate(enumerator, &token))
1453 {
1454 tls_signature_scheme_t sig;
1455
1456 if (enum_from_name(tls_signature_scheme_names, token, &sig) &&
1457 sig == signature)
1458 {
1459 enumerator->destroy(enumerator);
1460 return TRUE;
1461 }
1462 }
1463 enumerator->destroy(enumerator);
1464 }
1465 return !config;
1466 }
1467
1468 METHOD(tls_crypto_t, get_signature_algorithms, void,
1469 private_tls_crypto_t *this, bio_writer_t *writer, bool cert)
1470 {
1471 bio_writer_t *supported;
1472 tls_version_t min_version, max_version;
1473 int i;
1474
1475 supported = bio_writer_create(32);
1476
1477 if (!cert)
1478 {
1479 min_version = this->tls->get_version_min(this->tls);
1480 max_version = this->tls->get_version_max(this->tls);
1481 }
1482
1483 for (i = 0; i < countof(schemes); i++)
1484 {
1485 if ((cert || (schemes[i].min_version <= max_version &&
1486 schemes[i].max_version >= min_version)) &&
1487 lib->plugins->has_feature(lib->plugins,
1488 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)) &&
1489 filter_signature_scheme_config(schemes[i].sig))
1490 {
1491 supported->write_uint16(supported, schemes[i].sig);
1492 }
1493 }
1494
1495 writer->write_data16(writer, supported->get_buf(supported));
1496 supported->destroy(supported);
1497 }
1498
1499 /**
1500 * Get the signature parameters from a TLS signature scheme
1501 */
1502 static signature_params_t *params_for_scheme(tls_signature_scheme_t sig,
1503 bool sign)
1504 {
1505 int i;
1506
1507 for (i = 0; i < countof(schemes); i++)
1508 {
1509 /* strongSwan supports only RSA_PSS_RSAE schemes for signing but can
1510 * verify public keys in rsaEncryption as well as rsassaPss encoding. */
1511 if (sign && (sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
1512 sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
1513 sig == TLS_SIG_RSA_PSS_PSS_SHA512))
1514 {
1515 continue;
1516 }
1517 if (schemes[i].sig == sig)
1518 {
1519 return &schemes[i].params;
1520 }
1521 }
1522 return NULL;
1523 }
1524
1525 /**
1526 * Mapping groups to TLS named curves
1527 */
1528 static struct {
1529 key_exchange_method_t group;
1530 tls_named_group_t curve;
1531 } curves[] = {
1532 { ECP_256_BIT, TLS_SECP256R1},
1533 { ECP_384_BIT, TLS_SECP384R1},
1534 { ECP_521_BIT, TLS_SECP521R1},
1535 { ECP_224_BIT, TLS_SECP224R1},
1536 { ECP_192_BIT, TLS_SECP192R1},
1537 { CURVE_25519, TLS_CURVE25519},
1538 { CURVE_448, TLS_CURVE448},
1539 };
1540
1541 CALLBACK(group_filter, bool,
1542 void *null, enumerator_t *orig, va_list args)
1543 {
1544 key_exchange_method_t group, *group_out;
1545 tls_named_group_t curve, *curve_out;
1546 char *plugin;
1547
1548 VA_ARGS_VGET(args, group_out, curve_out);
1549
1550 while (orig->enumerate(orig, &group, &plugin))
1551 {
1552 curve = tls_ec_group_to_curve(group);
1553 if (curve)
1554 {
1555 if (group_out)
1556 {
1557 *group_out = group;
1558 }
1559 if (curve_out)
1560 {
1561 *curve_out = curve;
1562 }
1563 return TRUE;
1564 }
1565 }
1566 return FALSE;
1567 }
1568
1569 CALLBACK(config_filter, bool,
1570 void *null, enumerator_t *orig, va_list args)
1571 {
1572 key_exchange_method_t group, *group_out;
1573 tls_named_group_t curve, *curve_out;
1574
1575 VA_ARGS_VGET(args, group_out, curve_out);
1576
1577 while (orig->enumerate(orig, &group, &curve))
1578 {
1579 if (filter_curve_config(curve))
1580
1581 {
1582 if (group_out)
1583 {
1584 *group_out = group;
1585 }
1586 if (curve_out)
1587 {
1588 *curve_out = curve;
1589 }
1590 return TRUE;
1591 }
1592 }
1593 return FALSE;
1594 }
1595
1596 METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
1597 private_tls_crypto_t *this)
1598 {
1599 return enumerator_create_filter(
1600 enumerator_create_filter(
1601 lib->crypto->create_ke_enumerator(lib->crypto),
1602 group_filter, NULL, NULL),
1603 config_filter, NULL, NULL);
1604 }
1605
1606 /**
1607 * Check if the given ECDH group is supported or return the first one we
1608 * actually do support.
1609 */
1610 static key_exchange_method_t supported_ec_group(private_tls_crypto_t *this,
1611 key_exchange_method_t orig)
1612 {
1613 key_exchange_method_t current, first = KE_NONE;
1614 enumerator_t *enumerator;
1615
1616 enumerator = create_ec_enumerator(this);
1617 while (enumerator->enumerate(enumerator, &current, NULL))
1618 {
1619 if (current == orig)
1620 {
1621 enumerator->destroy(enumerator);
1622 return orig;
1623 }
1624 else if (first == KE_NONE)
1625 {
1626 first = current;
1627 }
1628 }
1629 enumerator->destroy(enumerator);
1630 return first;
1631 }
1632
1633 METHOD(tls_crypto_t, get_dh_group, key_exchange_method_t,
1634 private_tls_crypto_t *this)
1635 {
1636 suite_algs_t *algs;
1637
1638 algs = find_suite(this->suite);
1639 if (algs)
1640 {
1641 if (key_exchange_is_ecdh(algs->dh))
1642 {
1643 return supported_ec_group(this, algs->dh);
1644 }
1645 return algs->dh;
1646 }
1647 return KE_NONE;
1648 }
1649
1650 METHOD(tls_crypto_t, set_protection, void,
1651 private_tls_crypto_t *this, tls_protection_t *protection)
1652 {
1653 this->protection = protection;
1654 }
1655
1656 METHOD(tls_crypto_t, append_handshake, void,
1657 private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
1658 {
1659 uint32_t header;
1660
1661 /* reconstruct handshake header */
1662 header = htonl(data.len | (type << 24));
1663 this->handshake = chunk_cat("mcc", this->handshake,
1664 chunk_from_thing(header), data);
1665 }
1666
1667 /**
1668 * Create a hash using the suites HASH algorithm
1669 */
1670 static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
1671 {
1672 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1673 {
1674 hasher_t *hasher;
1675 suite_algs_t *alg;
1676
1677 alg = find_suite(this->suite);
1678 if (!alg)
1679 {
1680 return FALSE;
1681 }
1682 hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
1683 if (!hasher || !hasher->allocate_hash(hasher, data, hash))
1684 {
1685 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
1686 DESTROY_IF(hasher);
1687 return FALSE;
1688 }
1689 hasher->destroy(hasher);
1690 }
1691 else
1692 {
1693 hasher_t *md5, *sha1;
1694 char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
1695
1696 md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
1697 if (!md5 || !md5->get_hash(md5, data, buf))
1698 {
1699 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
1700 DESTROY_IF(md5);
1701 return FALSE;
1702 }
1703 md5->destroy(md5);
1704 sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1705 if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
1706 {
1707 DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
1708 DESTROY_IF(sha1);
1709 return FALSE;
1710 }
1711 sha1->destroy(sha1);
1712
1713 *hash = chunk_clone(chunk_from_thing(buf));
1714 }
1715 return TRUE;
1716 }
1717
1718 METHOD(tls_crypto_t, hash_handshake, bool,
1719 private_tls_crypto_t *this, chunk_t *out)
1720 {
1721 chunk_t hash;
1722
1723 if (!hash_data(this, this->handshake, &hash))
1724 {
1725 return FALSE;
1726 }
1727
1728 chunk_free(&this->handshake);
1729 append_handshake(this, TLS_MESSAGE_HASH, hash);
1730
1731 if (out)
1732 {
1733 *out = hash;
1734 }
1735 else
1736 {
1737 free(hash.ptr);
1738 }
1739 return TRUE;
1740 }
1741
1742 /**
1743 * TLS 1.3 static part of the data the server signs (64 spaces followed by the
1744 * context string "TLS 1.3, server CertificateVerify" and a 0 byte).
1745 */
1746 static chunk_t tls13_sig_data_server = chunk_from_chars(
1747 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1748 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1749 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1750 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1751 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1752 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1753 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1754 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1755 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1756 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20,
1757 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1758 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1759 0x79, 0x00,
1760 );
1761
1762 /**
1763 * TLS 1.3 static part of the data the peer signs (64 spaces followed by the
1764 * context string "TLS 1.3, client CertificateVerify" and a 0 byte).
1765 */
1766 static chunk_t tls13_sig_data_client = chunk_from_chars(
1767 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1768 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1769 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1770 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1771 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1772 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1773 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1774 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
1775 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c,
1776 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,
1777 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
1778 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66,
1779 0x79, 0x00,
1780 );
1781
1782 METHOD(tls_crypto_t, sign, bool,
1783 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
1784 chunk_t data, chunk_t hashsig)
1785 {
1786 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1787 {
1788 /* fallback to SHA1/RSA and SHA1/ECDSA */
1789 const chunk_t hashsig_def = chunk_from_chars(0x02, 0x01, 0x02, 0x03);
1790 signature_params_t *params;
1791 key_type_t type;
1792 uint16_t scheme = 0, hashsig_scheme;
1793 bio_reader_t *reader;
1794 chunk_t sig;
1795 bool done = FALSE;
1796
1797
1798 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1799 {
1800 chunk_t transcript_hash;
1801
1802 if (!hash_data(this, data, &transcript_hash))
1803 {
1804 DBG1(DBG_TLS, "unable to create transcript hash");
1805 return FALSE;
1806 }
1807 if (this->tls->is_server(this->tls))
1808 {
1809 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1810 }
1811 else
1812 {
1813 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1814 }
1815 }
1816
1817 if (!hashsig.len)
1818 { /* fallback if none given */
1819 hashsig = hashsig_def;
1820 }
1821
1822 /* Determine TLS signature scheme if unique */
1823 type = key->get_type(key);
1824 switch (type)
1825 {
1826 case KEY_ED448:
1827 scheme = TLS_SIG_ED448;
1828 break;
1829 case KEY_ED25519:
1830 scheme = TLS_SIG_ED25519;
1831 break;
1832 case KEY_ECDSA:
1833 switch (key->get_keysize(key))
1834 {
1835 case 256:
1836 scheme = TLS_SIG_ECDSA_SHA256;
1837 break;
1838 case 384:
1839 scheme = TLS_SIG_ECDSA_SHA384;
1840 break;
1841 case 521:
1842 scheme = TLS_SIG_ECDSA_SHA512;
1843 break;
1844 default:
1845 DBG1(DBG_TLS, "%d bit ECDSA private key size not supported",
1846 key->get_keysize(key));
1847 return FALSE;
1848 }
1849 break;
1850 case KEY_RSA:
1851 /* Several TLS signature schemes possible, select later on */
1852 break;
1853 default:
1854 DBG1(DBG_TLS, "%N private key type not supported",
1855 key_type_names, type);
1856 return FALSE;
1857 }
1858
1859 reader = bio_reader_create(hashsig);
1860 while (reader->remaining(reader) >= 2)
1861 {
1862 if (reader->read_uint16(reader, &hashsig_scheme))
1863 {
1864 params = params_for_scheme(hashsig_scheme, TRUE);
1865
1866 /**
1867 * All key types except RSA have a single fixed signature scheme
1868 * RSA signature schemes are tried until sign() is successful
1869 */
1870 if (params && (scheme == hashsig_scheme ||
1871 (!scheme &&
1872 type == key_type_from_signature_scheme(params->scheme))))
1873 {
1874 if (key->sign(key, params->scheme, params->params, data, &sig))
1875 {
1876 done = TRUE;
1877 scheme = hashsig_scheme;
1878 break;
1879 }
1880 }
1881 }
1882 }
1883 reader->destroy(reader);
1884 if (!done)
1885 {
1886 DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
1887 return FALSE;
1888 }
1889 DBG1(DBG_TLS, "created signature with %N", tls_signature_scheme_names,
1890 scheme);
1891 writer->write_uint16(writer, scheme);
1892 writer->write_data16(writer, sig);
1893 free(sig.ptr);
1894 }
1895 else
1896 {
1897 chunk_t sig, hash;
1898 bool done;
1899
1900 switch (key->get_type(key))
1901 {
1902 case KEY_RSA:
1903 if (!hash_data(this, data, &hash))
1904 {
1905 return FALSE;
1906 }
1907 done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
1908 &sig);
1909 free(hash.ptr);
1910 if (!done)
1911 {
1912 return FALSE;
1913 }
1914 DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
1915 break;
1916 case KEY_ECDSA:
1917 if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig))
1918 {
1919 return FALSE;
1920 }
1921 DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
1922 break;
1923 case KEY_ED25519:
1924 if (!key->sign(key, SIGN_ED25519, NULL, data, &sig))
1925 {
1926 return FALSE;
1927 }
1928 DBG2(DBG_TLS, "created signature with Ed25519");
1929 break;
1930 case KEY_ED448:
1931 if (!key->sign(key, SIGN_ED448, NULL, data, &sig))
1932 {
1933 return FALSE;
1934 }
1935 DBG2(DBG_TLS, "created signature with Ed448");
1936 break;
1937 default:
1938 return FALSE;
1939 }
1940 writer->write_data16(writer, sig);
1941 free(sig.ptr);
1942 }
1943 return TRUE;
1944 }
1945
1946 METHOD(tls_crypto_t, verify, bool,
1947 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader,
1948 chunk_t data)
1949 {
1950 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1951 {
1952 signature_params_t *params;
1953 uint16_t scheme;
1954 chunk_t sig;
1955
1956 if (!reader->read_uint16(reader, &scheme) ||
1957 !reader->read_data16(reader, &sig))
1958 {
1959 DBG1(DBG_TLS, "received invalid signature");
1960 return FALSE;
1961 }
1962 params = params_for_scheme(scheme, FALSE);
1963 if (!params)
1964 {
1965 DBG1(DBG_TLS, "signature algorithms %N not supported",
1966 tls_signature_scheme_names, scheme);
1967 return FALSE;
1968 }
1969 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1970 {
1971 chunk_t transcript_hash;
1972
1973 if (!hash_data(this, data, &transcript_hash))
1974 {
1975 DBG1(DBG_TLS, "Unable to create transcript hash");
1976 return FALSE;
1977 }
1978
1979 if (this->tls->is_server(this->tls))
1980 {
1981 data = chunk_cata("cm", tls13_sig_data_client, transcript_hash);
1982 }
1983 else
1984 {
1985 data = chunk_cata("cm", tls13_sig_data_server, transcript_hash);
1986 }
1987 }
1988 if (!key->verify(key, params->scheme, params->params, data, sig))
1989 {
1990 DBG1(DBG_TLS, "signature verification with %N failed",
1991 tls_signature_scheme_names, scheme);
1992 return FALSE;
1993 }
1994 DBG2(DBG_TLS, "verified signature with %N",
1995 tls_signature_scheme_names, scheme);
1996 }
1997 else
1998 {
1999 chunk_t sig, hash;
2000 bool done;
2001
2002 if (!reader->read_data16(reader, &sig))
2003 {
2004 DBG1(DBG_TLS, "received invalid signature");
2005 return FALSE;
2006 }
2007 switch (key->get_type(key))
2008 {
2009 case KEY_RSA:
2010 if (!hash_data(this, data, &hash))
2011 {
2012 return FALSE;
2013 }
2014 done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash,
2015 sig);
2016 free(hash.ptr);
2017 if (!done)
2018 {
2019 return FALSE;
2020 }
2021 DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
2022 break;
2023 case KEY_ECDSA:
2024 if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data,
2025 sig))
2026 {
2027 return FALSE;
2028 }
2029 DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
2030 break;
2031 case KEY_ED25519:
2032 if (!key->verify(key, SIGN_ED25519, NULL, data, sig))
2033 {
2034 return FALSE;
2035 }
2036 DBG2(DBG_TLS, "verified signature with Ed25519");
2037 break;
2038 case KEY_ED448:
2039 if (!key->verify(key, SIGN_ED448, NULL, data, sig))
2040 {
2041 return FALSE;
2042 }
2043 DBG2(DBG_TLS, "verified signature with Ed448");
2044 break;
2045 default:
2046 return FALSE;
2047 }
2048 }
2049 return TRUE;
2050 }
2051
2052 METHOD(tls_crypto_t, sign_handshake, bool,
2053 private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
2054 chunk_t hashsig)
2055 {
2056 return sign(this, key, writer, this->handshake, hashsig);
2057 }
2058
2059 METHOD(tls_crypto_t, verify_handshake, bool,
2060 private_tls_crypto_t *this, public_key_t *key, bio_reader_t *reader)
2061 {
2062 return verify(this, key, reader, this->handshake);
2063 }
2064
2065 METHOD(tls_crypto_t, calculate_finished_legacy, bool,
2066 private_tls_crypto_t *this, char *label, char out[12])
2067 {
2068 chunk_t seed;
2069
2070 if (!this->prf)
2071 {
2072 return FALSE;
2073 }
2074 if (!hash_data(this, this->handshake, &seed))
2075 {
2076 return FALSE;
2077 }
2078 if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
2079 {
2080 free(seed.ptr);
2081 return FALSE;
2082 }
2083 free(seed.ptr);
2084 return TRUE;
2085 }
2086
2087 METHOD(tls_crypto_t, calculate_finished, bool,
2088 private_tls_crypto_t *this, bool server, chunk_t *out)
2089 {
2090 chunk_t finished_key, finished_hash;
2091
2092 if (!this->hkdf)
2093 {
2094 return FALSE;
2095 }
2096 if (!hash_data(this, this->handshake, &finished_hash))
2097 {
2098 DBG1(DBG_TLS, "creating hash of handshake failed");
2099 return FALSE;
2100 }
2101 if (!this->hkdf->derive_finished(this->hkdf, server, &finished_key))
2102 {
2103 DBG1(DBG_TLS, "generating finished key failed");
2104 chunk_clear(&finished_hash);
2105 return FALSE;
2106 }
2107 if (!this->hkdf->allocate_bytes(this->hkdf, finished_key, finished_hash, out))
2108 {
2109 DBG1(DBG_TLS, "generating finished HMAC failed");
2110 chunk_clear(&finished_key);
2111 chunk_clear(&finished_hash);
2112 return FALSE;
2113 }
2114 chunk_clear(&finished_key);
2115 chunk_clear(&finished_hash);
2116 return TRUE;
2117 }
2118
2119 /**
2120 * Derive master secret from premaster, optionally save session
2121 */
2122 static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
2123 chunk_t session, identification_t *id,
2124 chunk_t client_random, chunk_t server_random)
2125 {
2126 char master[48];
2127 chunk_t seed;
2128
2129 /* derive master secret */
2130 seed = chunk_cata("cc", client_random, server_random);
2131
2132 if (!this->prf->set_key(this->prf, premaster) ||
2133 !this->prf->get_bytes(this->prf, "master secret", seed,
2134 sizeof(master), master) ||
2135 !this->prf->set_key(this->prf, chunk_from_thing(master)))
2136 {
2137 return FALSE;
2138 }
2139
2140 if (this->cache && session.len)
2141 {
2142 this->cache->create(this->cache, session, id, chunk_from_thing(master),
2143 this->suite);
2144 }
2145 memwipe(master, sizeof(master));
2146 return TRUE;
2147 }
2148
2149 /**
2150 * Expand key material from master secret
2151 */
2152 static bool expand_keys(private_tls_crypto_t *this,
2153 chunk_t client_random, chunk_t server_random)
2154 {
2155 chunk_t seed, block;
2156 chunk_t cw_mac, cw, cw_iv;
2157 chunk_t sw_mac, sw, sw_iv;
2158 int mklen, eklen, ivlen;
2159
2160 if (!this->aead_in || !this->aead_out)
2161 {
2162 return FALSE;
2163 }
2164
2165 /* derive key block for key expansion */
2166 mklen = this->aead_in->get_mac_key_size(this->aead_in);
2167 eklen = this->aead_in->get_encr_key_size(this->aead_in);
2168 ivlen = this->aead_in->get_iv_size(this->aead_in);
2169 seed = chunk_cata("cc", server_random, client_random);
2170 block = chunk_alloca((mklen + eklen + ivlen) * 2);
2171 if (!this->prf->get_bytes(this->prf, "key expansion", seed,
2172 block.len, block.ptr))
2173 {
2174 return FALSE;
2175 }
2176
2177 /* client/server write signer keys */
2178 cw_mac = chunk_create(block.ptr, mklen);
2179 block = chunk_skip(block, mklen);
2180 sw_mac = chunk_create(block.ptr, mklen);
2181 block = chunk_skip(block, mklen);
2182
2183 /* client/server write encryption keys */
2184 cw = chunk_create(block.ptr, eklen);
2185 block = chunk_skip(block, eklen);
2186 sw = chunk_create(block.ptr, eklen);
2187 block = chunk_skip(block, eklen);
2188
2189 /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
2190 cw_iv = chunk_create(block.ptr, ivlen);
2191 block = chunk_skip(block, ivlen);
2192 sw_iv = chunk_create(block.ptr, ivlen);
2193 block = chunk_skip(block, ivlen);
2194
2195 if (this->tls->is_server(this->tls))
2196 {
2197 if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
2198 !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
2199 {
2200 return FALSE;
2201 }
2202 }
2203 else
2204 {
2205 if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
2206 !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
2207 {
2208 return FALSE;
2209 }
2210 }
2211
2212 /* EAP-MSK */
2213 if (this->msk_label)
2214 {
2215 seed = chunk_cata("cc", client_random, server_random);
2216 this->msk = chunk_alloc(64);
2217 if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
2218 this->msk.len, this->msk.ptr))
2219 {
2220 return FALSE;
2221 }
2222 }
2223 return TRUE;
2224 }
2225
2226 METHOD(tls_crypto_t, derive_secrets, bool,
2227 private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
2228 identification_t *id, chunk_t client_random, chunk_t server_random)
2229 {
2230 return derive_master(this, premaster, session, id,
2231 client_random, server_random) &&
2232 expand_keys(this, client_random, server_random);
2233 }
2234
2235 /**
2236 * Derive and configure the client/server key/IV on an AEAD using a given label.
2237 */
2238 static bool derive_labeled_key(private_tls_crypto_t *this, bool server,
2239 tls_hkdf_label_t label, tls_aead_t *aead)
2240 {
2241 chunk_t key = chunk_empty, iv = chunk_empty;
2242 bool success = FALSE;
2243
2244 if (!this->hkdf->generate_secret(this->hkdf, label, this->handshake,
2245 NULL) ||
2246 !this->hkdf->derive_key(this->hkdf, server,
2247 aead->get_encr_key_size(aead), &key) ||
2248 !this->hkdf->derive_iv(this->hkdf, server,
2249 aead->get_iv_size(aead), &iv))
2250 {
2251 DBG1(DBG_TLS, "deriving key material failed");
2252 goto out;
2253 }
2254
2255 if (!aead->set_keys(aead, chunk_empty, key, iv))
2256 {
2257 DBG1(DBG_TLS, "setting AEAD key material failed");
2258 goto out;
2259 }
2260 success = TRUE;
2261
2262 out:
2263 chunk_clear(&key);
2264 chunk_clear(&iv);
2265 return success;
2266 }
2267
2268 /**
2269 * Derive and configure the keys/IVs using the given labels.
2270 */
2271 static bool derive_labeled_keys(private_tls_crypto_t *this,
2272 tls_hkdf_label_t client_label,
2273 tls_hkdf_label_t server_label)
2274 {
2275 tls_aead_t *aead_c, *aead_s;
2276 suite_algs_t *algs;
2277
2278 algs = find_suite(this->suite);
2279 destroy_aeads(this);
2280 if (!create_aead(this, algs))
2281 {
2282 return FALSE;
2283 }
2284 aead_c = this->aead_out;
2285 aead_s = this->aead_in;
2286 if (this->tls->is_server(this->tls))
2287 {
2288 aead_c = this->aead_in;
2289 aead_s = this->aead_out;
2290 }
2291 return derive_labeled_key(this, FALSE, client_label, aead_c) &&
2292 derive_labeled_key(this, TRUE, server_label, aead_s);
2293 }
2294
2295 METHOD(tls_crypto_t, derive_handshake_keys, bool,
2296 private_tls_crypto_t *this, chunk_t shared_secret)
2297 {
2298 this->hkdf->set_shared_secret(this->hkdf, shared_secret);
2299 return derive_labeled_keys(this, TLS_HKDF_C_HS_TRAFFIC,
2300 TLS_HKDF_S_HS_TRAFFIC);
2301 }
2302
2303 METHOD(tls_crypto_t, derive_app_keys, bool,
2304 private_tls_crypto_t *this)
2305 {
2306 if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
2307 TLS_HKDF_S_AP_TRAFFIC))
2308 {
2309 return FALSE;
2310 }
2311
2312 /* EAP-MSK */
2313 if (this->msk_label)
2314 {
2315 uint8_t type;
2316
2317 switch (this->tls->get_purpose(this->tls))
2318 {
2319 case TLS_PURPOSE_EAP_TLS:
2320 type = EAP_TLS;
2321 break;
2322 case TLS_PURPOSE_EAP_PEAP:
2323 type = EAP_PEAP;
2324 break;
2325 case TLS_PURPOSE_EAP_TTLS:
2326 type = EAP_TTLS;
2327 break;
2328 default:
2329 return FALSE;
2330 }
2331 /* because the length is encoded when expanding key material, we
2332 * request MSK and EMSK even if we don't use the latter */
2333 if (!this->hkdf->export(this->hkdf, "EXPORTER_EAP_TLS_Key_Material",
2334 chunk_from_thing(type), this->handshake, 128,
2335 &this->msk))
2336 {
2337 return FALSE;
2338 }
2339 this->msk.len = 64;
2340 }
2341 return TRUE;
2342 }
2343
2344 METHOD(tls_crypto_t, update_app_keys, bool,
2345 private_tls_crypto_t *this, bool inbound)
2346 {
2347 suite_algs_t *algs;
2348 tls_hkdf_label_t label = TLS_HKDF_UPD_C_TRAFFIC;
2349
2350 algs = find_suite(this->suite);
2351 destroy_aeads(this);
2352 if (!create_aead(this, algs))
2353 {
2354 return FALSE;
2355 }
2356 if (this->tls->is_server(this->tls) != inbound)
2357 {
2358 label = TLS_HKDF_UPD_S_TRAFFIC;
2359 }
2360 return derive_labeled_key(this, label == TLS_HKDF_UPD_S_TRAFFIC, label,
2361 inbound ? this->aead_in : this->aead_out);
2362 }
2363
2364 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
2365 private_tls_crypto_t *this, chunk_t session, identification_t *id,
2366 chunk_t client_random, chunk_t server_random)
2367 {
2368 chunk_t master;
2369
2370 if (this->cache && session.len)
2371 {
2372 this->suite = this->cache->lookup(this->cache, session, id, &master);
2373 if (this->suite)
2374 {
2375 this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
2376 if (this->suite)
2377 {
2378 if (!this->prf->set_key(this->prf, master) ||
2379 !expand_keys(this, client_random, server_random))
2380 {
2381 this->suite = 0;
2382 }
2383 }
2384 chunk_clear(&master);
2385 }
2386 return this->suite;
2387 }
2388 return 0;
2389 }
2390
2391 METHOD(tls_crypto_t, get_session, chunk_t,
2392 private_tls_crypto_t *this, identification_t *server)
2393 {
2394 if (this->cache)
2395 {
2396 return this->cache->check(this->cache, server);
2397 }
2398 return chunk_empty;
2399 }
2400
2401 METHOD(tls_crypto_t, change_cipher, void,
2402 private_tls_crypto_t *this, bool inbound)
2403 {
2404 if (this->protection)
2405 {
2406 if (inbound)
2407 {
2408 this->protection->set_cipher(this->protection, TRUE, this->aead_in);
2409 this->aead_in = NULL;
2410 }
2411 else
2412 {
2413 this->protection->set_cipher(this->protection, FALSE, this->aead_out);
2414 this->aead_out = NULL;
2415 }
2416 }
2417 }
2418
2419 METHOD(tls_crypto_t, get_eap_msk, chunk_t,
2420 private_tls_crypto_t *this)
2421 {
2422 return this->msk;
2423 }
2424
2425 METHOD(tls_crypto_t, destroy, void,
2426 private_tls_crypto_t *this)
2427 {
2428 destroy_aeads(this);
2429 free(this->handshake.ptr);
2430 free(this->msk.ptr);
2431 DESTROY_IF(this->prf);
2432 DESTROY_IF(this->hkdf);
2433 free(this->suites);
2434 free(this);
2435 }
2436
2437 /**
2438 * See header
2439 */
2440 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
2441 {
2442 private_tls_crypto_t *this;
2443 enumerator_t *enumerator;
2444 credential_type_t type;
2445 int subtype;
2446
2447 INIT(this,
2448 .public = {
2449 .get_cipher_suites = _get_cipher_suites,
2450 .select_cipher_suite = _select_cipher_suite,
2451 .get_dh_group = _get_dh_group,
2452 .get_signature_algorithms = _get_signature_algorithms,
2453 .create_ec_enumerator = _create_ec_enumerator,
2454 .set_protection = _set_protection,
2455 .append_handshake = _append_handshake,
2456 .hash_handshake = _hash_handshake,
2457 .sign = _sign,
2458 .verify = _verify,
2459 .sign_handshake = _sign_handshake,
2460 .verify_handshake = _verify_handshake,
2461 .calculate_finished_legacy = _calculate_finished_legacy,
2462 .calculate_finished = _calculate_finished,
2463 .derive_secrets = _derive_secrets,
2464 .derive_handshake_keys = _derive_handshake_keys,
2465 .derive_app_keys = _derive_app_keys,
2466 .update_app_keys = _update_app_keys,
2467 .resume_session = _resume_session,
2468 .get_session = _get_session,
2469 .change_cipher = _change_cipher,
2470 .get_eap_msk = _get_eap_msk,
2471 .destroy = _destroy,
2472 },
2473 .tls = tls,
2474 .cache = cache,
2475 );
2476
2477 /* FIXME: EDDSA keys are currently treated like ECDSA keys. A cleaner
2478 * separation would be welcome. */
2479 enumerator = lib->creds->create_builder_enumerator(lib->creds);
2480 while (enumerator->enumerate(enumerator, &type, &subtype))
2481 {
2482 if (type == CRED_PUBLIC_KEY)
2483 {
2484 switch (subtype)
2485 {
2486 case KEY_RSA:
2487 this->rsa = TRUE;
2488 break;
2489 case KEY_ECDSA:
2490 case KEY_ED25519:
2491 case KEY_ED448:
2492 this->ecdsa = TRUE;
2493 break;
2494 default:
2495 break;
2496 }
2497 }
2498 }
2499 enumerator->destroy(enumerator);
2500
2501 switch (tls->get_purpose(tls))
2502 {
2503 case TLS_PURPOSE_EAP_TLS:
2504 /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
2505 this->msk_label = "client EAP encryption";
2506 break;
2507 case TLS_PURPOSE_EAP_PEAP:
2508 this->msk_label = "client EAP encryption";
2509 break;
2510 case TLS_PURPOSE_EAP_TTLS:
2511 /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
2512 this->msk_label = "ttls keying material";
2513 break;
2514 default:
2515 break;
2516 }
2517 return &this->public;
2518 }
2519
2520 /**
2521 * See header.
2522 */
2523 int tls_crypto_get_supported_suites(bool null, tls_version_t version,
2524 tls_cipher_suite_t **out)
2525 {
2526 suite_algs_t suites[countof(suite_algs)] = {};
2527 int count = 0, i;
2528
2529 /* initialize copy of suite list */
2530 for (i = 0; i < countof(suite_algs); i++)
2531 {
2532 if (suite_algs[i].min_version <= version &&
2533 suite_algs[i].max_version >= version)
2534 {
2535 suites[count++] = suite_algs[i];
2536 }
2537 }
2538
2539 filter_unsupported_suites(suites, &count);
2540
2541 if (!null)
2542 {
2543 filter_null_suites(suites, &count);
2544 }
2545
2546 if (out)
2547 {
2548 *out = calloc(count, sizeof(tls_cipher_suite_t));
2549 for (i = 0; i < count; i++)
2550 {
2551 (*out)[i] = suites[i].suite;
2552 }
2553 }
2554 return count;
2555 }
2556
2557 /**
2558 * See header.
2559 */
2560 int tls_crypto_get_supported_groups(key_exchange_method_t **out)
2561 {
2562 enumerator_t *enumerator;
2563 key_exchange_method_t groups[countof(curves)];
2564 key_exchange_method_t group;
2565 tls_named_group_t curve;
2566 int count = 0, i;
2567
2568 enumerator = enumerator_create_filter(
2569 lib->crypto->create_ke_enumerator(lib->crypto),
2570 group_filter, NULL, NULL);
2571
2572 while (enumerator->enumerate(enumerator, &group, &curve))
2573 {
2574 groups[count++] = group;
2575 }
2576 enumerator->destroy(enumerator);
2577
2578 if (out)
2579 {
2580 *out = calloc(count, sizeof(key_exchange_method_t));
2581 for (i = 0; i < count; i++)
2582 {
2583 (*out)[i] = groups[i];
2584 }
2585 }
2586 return count;
2587 }
2588
2589 /**
2590 * See header.
2591 */
2592 int tls_crypto_get_supported_signatures(tls_version_t version,
2593 tls_signature_scheme_t **out)
2594 {
2595 scheme_algs_t sigs[countof(schemes)];
2596 int count = 0, i;
2597
2598 /* initialize copy of signature scheme list */
2599 for (i = 0; i < countof(schemes); i++)
2600 {
2601 /* only RSA_PSS_RSAE schemes supported for signing and verifying */
2602 if (schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA256 ||
2603 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA384 ||
2604 schemes[i].sig == TLS_SIG_RSA_PSS_PSS_SHA512)
2605 {
2606 continue;
2607 }
2608 if (schemes[i].min_version <= version &&
2609 schemes[i].max_version >= version &&
2610 lib->plugins->has_feature(lib->plugins,
2611 PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].params.scheme)))
2612 {
2613 sigs[count++] = schemes[i];
2614 }
2615 }
2616
2617 if (out)
2618 {
2619 *out = calloc(count, sizeof(tls_signature_scheme_t));
2620 for (i = 0; i < count; i++)
2621 {
2622 (*out)[i] = sigs[i].sig;
2623 }
2624 }
2625 return count;
2626 }
2627
2628 /**
2629 * See header.
2630 */
2631 tls_named_group_t tls_ec_group_to_curve(key_exchange_method_t group)
2632 {
2633 int i;
2634
2635 for (i = 0; i < countof(curves); i++)
2636 {
2637 if (curves[i].group == group)
2638 {
2639 return curves[i].curve;
2640 }
2641 }
2642 return 0;
2643 }
2644
2645 /**
2646 * See header.
2647 */
2648 key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig)
2649 {
2650 int i;
2651
2652 for (i = 0; i < countof(schemes); i++)
2653 {
2654 if (schemes[i].sig == sig)
2655 {
2656 return key_type_from_signature_scheme(schemes[i].params.scheme);
2657 }
2658 }
2659 return 0;
2660 }
2661
2662 /**
2663 * Hashtable hash function
2664 */
2665 static u_int hash_key_type(key_type_t *type)
2666 {
2667 return chunk_hash(chunk_from_thing(*type));
2668 }
2669
2670 /**
2671 * Hashtable equals function
2672 */
2673 static bool equals_key_type(key_type_t *key1, key_type_t *key2)
2674 {
2675 return *key1 == *key2;
2676 }
2677
2678 CALLBACK(filter_key_types, bool,
2679 void *data, enumerator_t *orig, va_list args)
2680 {
2681 key_type_t *key_type, *out;
2682
2683 VA_ARGS_VGET(args, out);
2684
2685 if (orig->enumerate(orig, NULL, &key_type))
2686 {
2687 *out = *key_type;
2688 return TRUE;
2689 }
2690 return FALSE;
2691 }
2692
2693 CALLBACK(destroy_key_types, void,
2694 hashtable_t *ht)
2695 {
2696 ht->destroy_function(ht, (void*)free);
2697 }
2698
2699 /**
2700 * Create an enumerator over supported key types within a specific TLS range
2701 */
2702 static enumerator_t *get_supported_key_types(tls_version_t min_version,
2703 tls_version_t max_version)
2704 {
2705 hashtable_t *ht;
2706 key_type_t *type, lookup;
2707 int i;
2708
2709 ht = hashtable_create((hashtable_hash_t)hash_key_type,
2710 (hashtable_equals_t)equals_key_type, 4);
2711 for (i = 0; i < countof(schemes); i++)
2712 {
2713 if (schemes[i].min_version <= max_version &&
2714 schemes[i].max_version >= min_version)
2715 {
2716 lookup = key_type_from_signature_scheme(schemes[i].params.scheme);
2717 if (!ht->get(ht, &lookup))
2718 {
2719 type = malloc_thing(key_type_t);
2720 *type = lookup;
2721 ht->put(ht, type, type);
2722 }
2723 }
2724 }
2725 return enumerator_create_filter(ht->create_enumerator(ht),
2726 filter_key_types, ht, destroy_key_types);
2727 }
2728
2729 /**
2730 * Create an array of an intersection of server and peer supported key types
2731 */
2732 static array_t *create_common_key_types(enumerator_t *enumerator, chunk_t hashsig)
2733 {
2734 array_t *key_types;
2735 key_type_t v, lookup;
2736 uint16_t sig_scheme;
2737
2738 key_types = array_create(sizeof(key_type_t), 8);
2739 while (enumerator->enumerate(enumerator, &v))
2740 {
2741 bio_reader_t *reader;
2742
2743 reader = bio_reader_create(hashsig);
2744 while (reader->remaining(reader) &&
2745 reader->read_uint16(reader, &sig_scheme))
2746 {
2747 lookup = tls_signature_scheme_to_key_type(sig_scheme);
2748 if (v == lookup)
2749 {
2750 array_insert(key_types, ARRAY_TAIL, &lookup);
2751 break;
2752 }
2753 }
2754 reader->destroy(reader);
2755 }
2756 return key_types;
2757 }
2758
2759 typedef struct {
2760 enumerator_t public;
2761 array_t *key_types;
2762 identification_t *peer;
2763 private_key_t *key;
2764 auth_cfg_t *auth;
2765 } private_key_enumerator_t;
2766
2767 METHOD(enumerator_t, private_key_enumerate, bool,
2768 private_key_enumerator_t *this, va_list args)
2769 {
2770 key_type_t type;
2771 auth_cfg_t **auth_out;
2772 private_key_t **key_out;
2773
2774 VA_ARGS_VGET(args, key_out, auth_out);
2775
2776 DESTROY_IF(this->key);
2777 DESTROY_IF(this->auth);
2778 this->auth = auth_cfg_create();
2779
2780 while (array_remove(this->key_types, ARRAY_HEAD, &type))
2781 {
2782 this->key = lib->credmgr->get_private(lib->credmgr, type, this->peer,
2783 this->auth);
2784 if (this->key)
2785 {
2786 *key_out = this->key;
2787 if (auth_out)
2788 {
2789 *auth_out = this->auth;
2790 }
2791 return TRUE;
2792 }
2793 }
2794 return FALSE;
2795 }
2796
2797 METHOD(enumerator_t, private_key_destroy, void,
2798 private_key_enumerator_t *this)
2799 {
2800 DESTROY_IF(this->key);
2801 DESTROY_IF(this->auth);
2802 array_destroy(this->key_types);
2803 free(this);
2804 }
2805
2806 /**
2807 * See header.
2808 */
2809 enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
2810 tls_version_t max_version,
2811 chunk_t hashsig,
2812 identification_t *peer)
2813 {
2814 private_key_enumerator_t *enumerator;
2815 enumerator_t *key_types;
2816
2817 key_types = get_supported_key_types(min_version, max_version);
2818
2819 INIT(enumerator,
2820 .public = {
2821 .enumerate = enumerator_enumerate_default,
2822 .venumerate = _private_key_enumerate,
2823 .destroy = _private_key_destroy,
2824 },
2825 .key_types = create_common_key_types(key_types, hashsig),
2826 .peer = peer,
2827 );
2828 key_types->destroy(key_types);
2829
2830 if (!array_count(enumerator->key_types))
2831 {
2832 private_key_destroy(enumerator);
2833 return NULL;
2834 }
2835 return &enumerator->public;
2836 }
Unnamed repository; edit this file 'description' to name the repository.