libtls: As client, reject DH exchanges using primes smaller than 1024 bit
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * TLS version we offered in hello
84 */
85 tls_version_t hello_version;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Resuming a session?
119 */
120 bool resume;
121
122 /**
123 * TLS session identifier
124 */
125 chunk_t session;
126
127 /**
128 * List of server-supported hashsig algorithms
129 */
130 chunk_t hashsig;
131
132 /**
133 * List of server-supported client certificate types
134 */
135 chunk_t cert_types;
136 };
137
138 /**
139 * Process a server hello message
140 */
141 static status_t process_server_hello(private_tls_peer_t *this,
142 bio_reader_t *reader)
143 {
144 u_int8_t compression;
145 u_int16_t version, cipher;
146 chunk_t random, session, ext = chunk_empty;
147 tls_cipher_suite_t suite = 0;
148
149 this->crypto->append_handshake(this->crypto,
150 TLS_SERVER_HELLO, reader->peek(reader));
151
152 if (!reader->read_uint16(reader, &version) ||
153 !reader->read_data(reader, sizeof(this->server_random), &random) ||
154 !reader->read_data8(reader, &session) ||
155 !reader->read_uint16(reader, &cipher) ||
156 !reader->read_uint8(reader, &compression) ||
157 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
158 {
159 DBG1(DBG_TLS, "received invalid ServerHello");
160 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
161 return NEED_MORE;
162 }
163
164 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
165
166 if (!this->tls->set_version(this->tls, version))
167 {
168 DBG1(DBG_TLS, "negotiated version %N not supported",
169 tls_version_names, version);
170 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
171 return NEED_MORE;
172 }
173
174 if (chunk_equals(this->session, session))
175 {
176 suite = this->crypto->resume_session(this->crypto, session, this->server,
177 chunk_from_thing(this->client_random),
178 chunk_from_thing(this->server_random));
179 if (suite)
180 {
181 DBG1(DBG_TLS, "resumed %N using suite %N",
182 tls_version_names, version, tls_cipher_suite_names, suite);
183 this->resume = TRUE;
184 }
185 }
186 if (!suite)
187 {
188 suite = cipher;
189 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
190 {
191 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
192 tls_cipher_suite_names, suite);
193 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
194 return NEED_MORE;
195 }
196 DBG1(DBG_TLS, "negotiated %N using suite %N",
197 tls_version_names, version, tls_cipher_suite_names, suite);
198 free(this->session.ptr);
199 this->session = chunk_clone(session);
200 }
201 this->state = STATE_HELLO_RECEIVED;
202 return NEED_MORE;
203 }
204
205 /**
206 * Check if a server certificate is acceptable for the given server identity
207 */
208 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
209 {
210 identification_t *id;
211
212 if (cert->has_subject(cert, this->server))
213 {
214 return TRUE;
215 }
216 id = cert->get_subject(cert);
217 if (id->matches(id, this->server))
218 {
219 return TRUE;
220 }
221 if (cert->get_type(cert) == CERT_X509)
222 {
223 x509_t *x509 = (x509_t*)cert;
224 enumerator_t *enumerator;
225
226 enumerator = x509->create_subjectAltName_enumerator(x509);
227 while (enumerator->enumerate(enumerator, &id))
228 {
229 if (id->matches(id, this->server))
230 {
231 enumerator->destroy(enumerator);
232 return TRUE;
233 }
234 }
235 enumerator->destroy(enumerator);
236 }
237 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
238 return FALSE;
239 }
240
241 /**
242 * Process a Certificate message
243 */
244 static status_t process_certificate(private_tls_peer_t *this,
245 bio_reader_t *reader)
246 {
247 certificate_t *cert;
248 bio_reader_t *certs;
249 chunk_t data;
250 bool first = TRUE;
251
252 this->crypto->append_handshake(this->crypto,
253 TLS_CERTIFICATE, reader->peek(reader));
254
255 if (!reader->read_data24(reader, &data))
256 {
257 DBG1(DBG_TLS, "certificate message header invalid");
258 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
259 return NEED_MORE;
260 }
261 certs = bio_reader_create(data);
262 while (certs->remaining(certs))
263 {
264 if (!certs->read_data24(certs, &data))
265 {
266 DBG1(DBG_TLS, "certificate message invalid");
267 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
268 certs->destroy(certs);
269 return NEED_MORE;
270 }
271 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
272 BUILD_BLOB_ASN1_DER, data, BUILD_END);
273 if (cert)
274 {
275 if (first)
276 {
277 if (!check_certificate(this, cert))
278 {
279 cert->destroy(cert);
280 certs->destroy(certs);
281 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
282 return NEED_MORE;
283 }
284 this->server_auth->add(this->server_auth,
285 AUTH_HELPER_SUBJECT_CERT, cert);
286 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
287 cert->get_subject(cert));
288 first = FALSE;
289 }
290 else
291 {
292 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
293 cert->get_subject(cert));
294 this->server_auth->add(this->server_auth,
295 AUTH_HELPER_IM_CERT, cert);
296 }
297 }
298 else
299 {
300 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
301 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
302 }
303 }
304 certs->destroy(certs);
305 this->state = STATE_CERT_RECEIVED;
306 return NEED_MORE;
307 }
308
309 /**
310 * Find a trusted public key to encrypt/verify key exchange data
311 */
312 static public_key_t *find_public_key(private_tls_peer_t *this)
313 {
314 public_key_t *public = NULL, *current;
315 certificate_t *cert, *found;
316 enumerator_t *enumerator;
317 auth_cfg_t *auth;
318
319 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
320 if (cert)
321 {
322 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
323 KEY_ANY, cert->get_subject(cert), this->server_auth);
324 while (enumerator->enumerate(enumerator, &current, &auth))
325 {
326 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
327 if (found && cert->equals(cert, found))
328 {
329 public = current->get_ref(current);
330 this->server_auth->merge(this->server_auth, auth, FALSE);
331 break;
332 }
333 }
334 enumerator->destroy(enumerator);
335 }
336 return public;
337 }
338
339 /**
340 * Process a Key Exchange message using MODP Diffie Hellman
341 */
342 static status_t process_modp_key_exchange(private_tls_peer_t *this,
343 bio_reader_t *reader)
344 {
345 chunk_t prime, generator, pub, chunk;
346 public_key_t *public;
347
348 chunk = reader->peek(reader);
349 if (!reader->read_data16(reader, &prime) ||
350 !reader->read_data16(reader, &generator) ||
351 !reader->read_data16(reader, &pub))
352 {
353 DBG1(DBG_TLS, "received invalid Server Key Exchange");
354 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
355 return NEED_MORE;
356 }
357 /* reject (export) DH groups using primes smaller than 1024 bit */
358 if (prime.len < 1024 / 8)
359 {
360 DBG1(DBG_TLS, "short DH prime received (%zu bytes)", prime.len);
361 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
362 return NEED_MORE;
363 }
364 public = find_public_key(this);
365 if (!public)
366 {
367 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
368 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
369 return NEED_MORE;
370 }
371
372 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
373 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
374 chunk_from_thing(this->server_random), chunk);
375 if (!this->crypto->verify(this->crypto, public, reader, chunk))
376 {
377 public->destroy(public);
378 free(chunk.ptr);
379 DBG1(DBG_TLS, "verifying DH parameters failed");
380 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
381 return NEED_MORE;
382 }
383 public->destroy(public);
384 free(chunk.ptr);
385
386 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
387 generator, prime);
388 if (!this->dh)
389 {
390 DBG1(DBG_TLS, "custom DH parameters not supported");
391 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
392 return NEED_MORE;
393 }
394 if (!this->dh->set_other_public_value(this->dh, pub))
395 {
396 DBG1(DBG_TLS, "applying DH public value failed");
397 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
398 return NEED_MORE;
399 }
400
401 this->state = STATE_KEY_EXCHANGE_RECEIVED;
402 return NEED_MORE;
403 }
404
405 /**
406 * Get the EC group for a TLS named curve
407 */
408 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
409 tls_named_curve_t curve)
410 {
411 diffie_hellman_group_t group;
412 tls_named_curve_t current;
413 enumerator_t *enumerator;
414
415 enumerator = this->crypto->create_ec_enumerator(this->crypto);
416 while (enumerator->enumerate(enumerator, &group, &current))
417 {
418 if (current == curve)
419 {
420 enumerator->destroy(enumerator);
421 return group;
422 }
423 }
424 enumerator->destroy(enumerator);
425 return 0;
426 }
427
428 /**
429 * Process a Key Exchange message using EC Diffie Hellman
430 */
431 static status_t process_ec_key_exchange(private_tls_peer_t *this,
432 bio_reader_t *reader)
433 {
434 diffie_hellman_group_t group;
435 public_key_t *public;
436 u_int8_t type;
437 u_int16_t curve;
438 chunk_t pub, chunk;
439
440 chunk = reader->peek(reader);
441 if (!reader->read_uint8(reader, &type))
442 {
443 DBG1(DBG_TLS, "received invalid Server Key Exchange");
444 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
445 return NEED_MORE;
446 }
447 if (type != TLS_ECC_NAMED_CURVE)
448 {
449 DBG1(DBG_TLS, "ECDH curve type %N not supported",
450 tls_ecc_curve_type_names, type);
451 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
452 return NEED_MORE;
453 }
454 if (!reader->read_uint16(reader, &curve) ||
455 !reader->read_data8(reader, &pub) || pub.len == 0)
456 {
457 DBG1(DBG_TLS, "received invalid Server Key Exchange");
458 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
459 return NEED_MORE;
460 }
461
462 group = curve_to_ec_group(this, curve);
463 if (!group)
464 {
465 DBG1(DBG_TLS, "ECDH curve %N not supported",
466 tls_named_curve_names, curve);
467 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
468 return NEED_MORE;
469 }
470
471 public = find_public_key(this);
472 if (!public)
473 {
474 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
475 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
476 return NEED_MORE;
477 }
478
479 chunk.len = 4 + pub.len;
480 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
481 chunk_from_thing(this->server_random), chunk);
482 if (!this->crypto->verify(this->crypto, public, reader, chunk))
483 {
484 public->destroy(public);
485 free(chunk.ptr);
486 DBG1(DBG_TLS, "verifying DH parameters failed");
487 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
488 return NEED_MORE;
489 }
490 public->destroy(public);
491 free(chunk.ptr);
492
493 this->dh = lib->crypto->create_dh(lib->crypto, group);
494 if (!this->dh)
495 {
496 DBG1(DBG_TLS, "DH group %N not supported",
497 diffie_hellman_group_names, group);
498 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
499 return NEED_MORE;
500 }
501
502 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
503 {
504 DBG1(DBG_TLS, "DH point format '%N' not supported",
505 tls_ansi_point_format_names, pub.ptr[0]);
506 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
507 return NEED_MORE;
508 }
509 if (!this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1)))
510 {
511 DBG1(DBG_TLS, "applying DH public value failed");
512 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
513 return NEED_MORE;
514 }
515
516 this->state = STATE_KEY_EXCHANGE_RECEIVED;
517 return NEED_MORE;
518 }
519
520 /**
521 * Process a Server Key Exchange
522 */
523 static status_t process_key_exchange(private_tls_peer_t *this,
524 bio_reader_t *reader)
525 {
526 diffie_hellman_group_t group;
527
528 this->crypto->append_handshake(this->crypto,
529 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
530
531 group = this->crypto->get_dh_group(this->crypto);
532 if (group == MODP_NONE)
533 {
534 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
535 "for current suite");
536 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
537 return NEED_MORE;
538 }
539 if (diffie_hellman_group_is_ec(group))
540 {
541 return process_ec_key_exchange(this, reader);
542 }
543 return process_modp_key_exchange(this, reader);
544 }
545
546 /**
547 * Process a Certificate Request message
548 */
549 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
550 {
551 chunk_t types, hashsig, data;
552 bio_reader_t *authorities;
553 identification_t *id;
554 certificate_t *cert;
555
556 if (!this->peer)
557 {
558 DBG1(DBG_TLS, "server requested a certificate, but client "
559 "authentication disabled");
560 }
561 this->crypto->append_handshake(this->crypto,
562 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
563
564 if (!reader->read_data8(reader, &types))
565 {
566 DBG1(DBG_TLS, "certreq message header invalid");
567 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
568 return NEED_MORE;
569 }
570 this->cert_types = chunk_clone(types);
571 if (this->tls->get_version(this->tls) >= TLS_1_2)
572 {
573 if (!reader->read_data16(reader, &hashsig))
574 {
575 DBG1(DBG_TLS, "certreq message invalid");
576 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
577 return NEED_MORE;
578 }
579 this->hashsig = chunk_clone(hashsig);
580 }
581 if (!reader->read_data16(reader, &data))
582 {
583 DBG1(DBG_TLS, "certreq message invalid");
584 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
585 return NEED_MORE;
586 }
587 authorities = bio_reader_create(data);
588 while (authorities->remaining(authorities))
589 {
590 if (!authorities->read_data16(authorities, &data))
591 {
592 DBG1(DBG_TLS, "certreq message invalid");
593 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
594 authorities->destroy(authorities);
595 return NEED_MORE;
596 }
597 if (this->peer)
598 {
599 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
600 cert = lib->credmgr->get_cert(lib->credmgr,
601 CERT_X509, KEY_ANY, id, TRUE);
602 if (cert)
603 {
604 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
605 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
606 }
607 else
608 {
609 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
610 }
611 id->destroy(id);
612 }
613 }
614 authorities->destroy(authorities);
615 this->state = STATE_CERTREQ_RECEIVED;
616 return NEED_MORE;
617 }
618
619 /**
620 * Process Hello Done message
621 */
622 static status_t process_hello_done(private_tls_peer_t *this,
623 bio_reader_t *reader)
624 {
625 this->crypto->append_handshake(this->crypto,
626 TLS_SERVER_HELLO_DONE, reader->peek(reader));
627 this->state = STATE_HELLO_DONE;
628 return NEED_MORE;
629 }
630
631 /**
632 * Process finished message
633 */
634 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
635 {
636 chunk_t received;
637 char buf[12];
638
639 if (!reader->read_data(reader, sizeof(buf), &received))
640 {
641 DBG1(DBG_TLS, "received server finished too short");
642 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
643 return NEED_MORE;
644 }
645 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
646 {
647 DBG1(DBG_TLS, "calculating server finished failed");
648 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
649 return NEED_MORE;
650 }
651 if (!chunk_equals_const(received, chunk_from_thing(buf)))
652 {
653 DBG1(DBG_TLS, "received server finished invalid");
654 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
655 return NEED_MORE;
656 }
657 this->state = STATE_FINISHED_RECEIVED;
658 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
659
660 return NEED_MORE;
661 }
662
663 METHOD(tls_handshake_t, process, status_t,
664 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
665 {
666 tls_handshake_type_t expected;
667
668 switch (this->state)
669 {
670 case STATE_HELLO_SENT:
671 if (type == TLS_SERVER_HELLO)
672 {
673 return process_server_hello(this, reader);
674 }
675 expected = TLS_SERVER_HELLO;
676 break;
677 case STATE_HELLO_RECEIVED:
678 if (type == TLS_CERTIFICATE)
679 {
680 return process_certificate(this, reader);
681 }
682 expected = TLS_CERTIFICATE;
683 break;
684 case STATE_CERT_RECEIVED:
685 if (type == TLS_SERVER_KEY_EXCHANGE)
686 {
687 return process_key_exchange(this, reader);
688 }
689 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
690 case STATE_KEY_EXCHANGE_RECEIVED:
691 if (type == TLS_CERTIFICATE_REQUEST)
692 {
693 return process_certreq(this, reader);
694 }
695 /* no cert request, server does not want to authenticate us */
696 DESTROY_IF(this->peer);
697 this->peer = NULL;
698 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
699 case STATE_CERTREQ_RECEIVED:
700 if (type == TLS_SERVER_HELLO_DONE)
701 {
702 return process_hello_done(this, reader);
703 }
704 expected = TLS_SERVER_HELLO_DONE;
705 break;
706 case STATE_CIPHERSPEC_CHANGED_IN:
707 if (type == TLS_FINISHED)
708 {
709 return process_finished(this, reader);
710 }
711 expected = TLS_FINISHED;
712 break;
713 default:
714 DBG1(DBG_TLS, "TLS %N not expected in current state",
715 tls_handshake_type_names, type);
716 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
717 return NEED_MORE;
718 }
719 DBG1(DBG_TLS, "TLS %N expected, but received %N",
720 tls_handshake_type_names, expected, tls_handshake_type_names, type);
721 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
722 return NEED_MORE;
723 }
724
725 /**
726 * Send a client hello
727 */
728 static status_t send_client_hello(private_tls_peer_t *this,
729 tls_handshake_type_t *type, bio_writer_t *writer)
730 {
731 tls_cipher_suite_t *suites;
732 bio_writer_t *extensions, *curves = NULL;
733 tls_version_t version;
734 tls_named_curve_t curve;
735 enumerator_t *enumerator;
736 int count, i;
737 rng_t *rng;
738
739 htoun32(&this->client_random, time(NULL));
740 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
741 if (!rng ||
742 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
743 this->client_random + 4))
744 {
745 DBG1(DBG_TLS, "failed to generate client random");
746 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
747 DESTROY_IF(rng);
748 return NEED_MORE;
749 }
750 rng->destroy(rng);
751
752 /* TLS version */
753 version = this->tls->get_version(this->tls);
754 this->hello_version = version;
755 writer->write_uint16(writer, version);
756 writer->write_data(writer, chunk_from_thing(this->client_random));
757
758 /* session identifier */
759 this->session = this->crypto->get_session(this->crypto, this->server);
760 writer->write_data8(writer, this->session);
761
762 /* add TLS cipher suites */
763 count = this->crypto->get_cipher_suites(this->crypto, &suites);
764 writer->write_uint16(writer, count * 2);
765 for (i = 0; i < count; i++)
766 {
767 writer->write_uint16(writer, suites[i]);
768 }
769
770 /* NULL compression only */
771 writer->write_uint8(writer, 1);
772 writer->write_uint8(writer, 0);
773
774 extensions = bio_writer_create(32);
775
776 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
777 this->crypto->get_signature_algorithms(this->crypto, extensions);
778
779 /* add supported Elliptic Curves, if any */
780 enumerator = this->crypto->create_ec_enumerator(this->crypto);
781 while (enumerator->enumerate(enumerator, NULL, &curve))
782 {
783 if (!curves)
784 {
785 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
786 curves = bio_writer_create(16);
787 }
788 curves->write_uint16(curves, curve);
789 }
790 enumerator->destroy(enumerator);
791 if (curves)
792 {
793 curves->wrap16(curves);
794 extensions->write_data16(extensions, curves->get_buf(curves));
795 curves->destroy(curves);
796
797 /* if we support curves, add point format extension */
798 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
799 extensions->write_uint16(extensions, 2);
800 extensions->write_uint8(extensions, 1);
801 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
802 }
803 if (this->server->get_type(this->server) == ID_FQDN)
804 {
805 bio_writer_t *names;
806
807 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
808
809 names = bio_writer_create(8);
810 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
811 names->write_data16(names, this->server->get_encoding(this->server));
812 names->wrap16(names);
813 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
814 extensions->write_data16(extensions, names->get_buf(names));
815 names->destroy(names);
816 }
817
818 writer->write_data16(writer, extensions->get_buf(extensions));
819 extensions->destroy(extensions);
820
821 *type = TLS_CLIENT_HELLO;
822 this->state = STATE_HELLO_SENT;
823 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
824 return NEED_MORE;
825 }
826
827 /**
828 * Find a private key suitable to sign Certificate Verify
829 */
830 static private_key_t *find_private_key(private_tls_peer_t *this)
831 {
832 private_key_t *key = NULL;
833 bio_reader_t *reader;
834 key_type_t type;
835 u_int8_t cert;
836
837 if (!this->peer)
838 {
839 return NULL;
840 }
841 reader = bio_reader_create(this->cert_types);
842 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
843 {
844 switch (cert)
845 {
846 case TLS_RSA_SIGN:
847 type = KEY_RSA;
848 break;
849 case TLS_ECDSA_SIGN:
850 type = KEY_ECDSA;
851 break;
852 default:
853 continue;
854 }
855 key = lib->credmgr->get_private(lib->credmgr, type,
856 this->peer, this->peer_auth);
857 if (key)
858 {
859 break;
860 }
861 }
862 reader->destroy(reader);
863 return key;
864 }
865
866 /**
867 * Send Certificate
868 */
869 static status_t send_certificate(private_tls_peer_t *this,
870 tls_handshake_type_t *type, bio_writer_t *writer)
871 {
872 enumerator_t *enumerator;
873 certificate_t *cert;
874 auth_rule_t rule;
875 bio_writer_t *certs;
876 chunk_t data;
877
878 this->private = find_private_key(this);
879 if (!this->private)
880 {
881 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
882 "skipping client authentication", this->peer);
883 this->peer->destroy(this->peer);
884 this->peer = NULL;
885 }
886
887 /* generate certificate payload */
888 certs = bio_writer_create(256);
889 if (this->peer)
890 {
891 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
892 if (cert)
893 {
894 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
895 {
896 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
897 cert->get_subject(cert));
898 certs->write_data24(certs, data);
899 free(data.ptr);
900 }
901 }
902 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
903 while (enumerator->enumerate(enumerator, &rule, &cert))
904 {
905 if (rule == AUTH_RULE_IM_CERT)
906 {
907 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
908 {
909 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
910 cert->get_subject(cert));
911 certs->write_data24(certs, data);
912 free(data.ptr);
913 }
914 }
915 }
916 enumerator->destroy(enumerator);
917 }
918
919 writer->write_data24(writer, certs->get_buf(certs));
920 certs->destroy(certs);
921
922 *type = TLS_CERTIFICATE;
923 this->state = STATE_CERT_SENT;
924 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
925 return NEED_MORE;
926 }
927
928 /**
929 * Send client key exchange, using premaster encryption
930 */
931 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
932 tls_handshake_type_t *type, bio_writer_t *writer)
933 {
934 public_key_t *public;
935 rng_t *rng;
936 char premaster[48];
937 chunk_t encrypted;
938
939 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
940 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
941 {
942 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
943 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
944 DESTROY_IF(rng);
945 return NEED_MORE;
946 }
947 rng->destroy(rng);
948 htoun16(premaster, this->hello_version);
949
950 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
951 this->session, this->server,
952 chunk_from_thing(this->client_random),
953 chunk_from_thing(this->server_random)))
954 {
955 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
956 return NEED_MORE;
957 }
958
959 public = find_public_key(this);
960 if (!public)
961 {
962 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
963 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
964 return NEED_MORE;
965 }
966 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
967 chunk_from_thing(premaster), &encrypted))
968 {
969 public->destroy(public);
970 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
971 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
972 return NEED_MORE;
973 }
974 public->destroy(public);
975
976 writer->write_data16(writer, encrypted);
977 free(encrypted.ptr);
978
979 *type = TLS_CLIENT_KEY_EXCHANGE;
980 this->state = STATE_KEY_EXCHANGE_SENT;
981 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
982 return NEED_MORE;
983 }
984
985 /**
986 * Send client key exchange, using DHE exchange
987 */
988 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
989 tls_handshake_type_t *type, bio_writer_t *writer)
990 {
991 chunk_t premaster, pub;
992
993 if (!this->dh->get_shared_secret(this->dh, &premaster))
994 {
995 DBG1(DBG_TLS, "calculating premaster from DH failed");
996 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
997 return NEED_MORE;
998 }
999 if (!this->crypto->derive_secrets(this->crypto, premaster,
1000 this->session, this->server,
1001 chunk_from_thing(this->client_random),
1002 chunk_from_thing(this->server_random)))
1003 {
1004 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1005 chunk_clear(&premaster);
1006 return NEED_MORE;
1007 }
1008 chunk_clear(&premaster);
1009
1010 if (!this->dh->get_my_public_value(this->dh, &pub))
1011 {
1012 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1013 return NEED_MORE;
1014 }
1015 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
1016 {
1017 writer->write_data16(writer, pub);
1018 }
1019 else
1020 { /* ECP uses 8bit length header only, but a point format */
1021 writer->write_uint8(writer, pub.len + 1);
1022 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1023 writer->write_data(writer, pub);
1024 }
1025 free(pub.ptr);
1026
1027 *type = TLS_CLIENT_KEY_EXCHANGE;
1028 this->state = STATE_KEY_EXCHANGE_SENT;
1029 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1030 return NEED_MORE;
1031 }
1032
1033 /**
1034 * Send client key exchange, depending on suite
1035 */
1036 static status_t send_key_exchange(private_tls_peer_t *this,
1037 tls_handshake_type_t *type, bio_writer_t *writer)
1038 {
1039 if (this->dh)
1040 {
1041 return send_key_exchange_dhe(this, type, writer);
1042 }
1043 return send_key_exchange_encrypt(this, type, writer);
1044 }
1045
1046 /**
1047 * Send certificate verify
1048 */
1049 static status_t send_certificate_verify(private_tls_peer_t *this,
1050 tls_handshake_type_t *type, bio_writer_t *writer)
1051 {
1052 if (!this->private ||
1053 !this->crypto->sign_handshake(this->crypto, this->private,
1054 writer, this->hashsig))
1055 {
1056 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1057 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1058 return NEED_MORE;
1059 }
1060
1061 *type = TLS_CERTIFICATE_VERIFY;
1062 this->state = STATE_VERIFY_SENT;
1063 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1064 return NEED_MORE;
1065 }
1066
1067 /**
1068 * Send Finished
1069 */
1070 static status_t send_finished(private_tls_peer_t *this,
1071 tls_handshake_type_t *type, bio_writer_t *writer)
1072 {
1073 char buf[12];
1074
1075 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1076 {
1077 DBG1(DBG_TLS, "calculating client finished data failed");
1078 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1079 return NEED_MORE;
1080 }
1081
1082 writer->write_data(writer, chunk_from_thing(buf));
1083
1084 *type = TLS_FINISHED;
1085 this->state = STATE_FINISHED_SENT;
1086 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1087 return NEED_MORE;
1088 }
1089
1090 METHOD(tls_handshake_t, build, status_t,
1091 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1092 {
1093 switch (this->state)
1094 {
1095 case STATE_INIT:
1096 return send_client_hello(this, type, writer);
1097 case STATE_HELLO_DONE:
1098 if (this->peer)
1099 {
1100 return send_certificate(this, type, writer);
1101 }
1102 /* otherwise fall through to next state */
1103 case STATE_CERT_SENT:
1104 return send_key_exchange(this, type, writer);
1105 case STATE_KEY_EXCHANGE_SENT:
1106 if (this->peer)
1107 {
1108 return send_certificate_verify(this, type, writer);
1109 }
1110 else
1111 {
1112 return INVALID_STATE;
1113 }
1114 case STATE_CIPHERSPEC_CHANGED_OUT:
1115 return send_finished(this, type, writer);
1116 default:
1117 return INVALID_STATE;
1118 }
1119 }
1120
1121 METHOD(tls_handshake_t, cipherspec_changed, bool,
1122 private_tls_peer_t *this, bool inbound)
1123 {
1124 if (inbound)
1125 {
1126 if (this->resume)
1127 {
1128 return this->state == STATE_HELLO_RECEIVED;
1129 }
1130 return this->state == STATE_FINISHED_SENT;
1131 }
1132 else
1133 {
1134 if (this->resume)
1135 {
1136 return this->state == STATE_FINISHED_RECEIVED;
1137 }
1138 if (this->peer)
1139 {
1140 return this->state == STATE_VERIFY_SENT;
1141 }
1142 return this->state == STATE_KEY_EXCHANGE_SENT;
1143 }
1144 }
1145
1146 METHOD(tls_handshake_t, change_cipherspec, void,
1147 private_tls_peer_t *this, bool inbound)
1148 {
1149 this->crypto->change_cipher(this->crypto, inbound);
1150 if (inbound)
1151 {
1152 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1153 }
1154 else
1155 {
1156 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1157 }
1158 }
1159
1160 METHOD(tls_handshake_t, finished, bool,
1161 private_tls_peer_t *this)
1162 {
1163 if (this->resume)
1164 {
1165 return this->state == STATE_FINISHED_SENT;
1166 }
1167 return this->state == STATE_FINISHED_RECEIVED;
1168 }
1169
1170 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1171 private_tls_peer_t *this)
1172 {
1173 return this->peer;
1174 }
1175
1176 METHOD(tls_handshake_t, get_server_id, identification_t*,
1177 private_tls_peer_t *this)
1178 {
1179 return this->server;
1180 }
1181
1182 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1183 private_tls_peer_t *this)
1184 {
1185 return this->server_auth;
1186 }
1187
1188 METHOD(tls_handshake_t, destroy, void,
1189 private_tls_peer_t *this)
1190 {
1191 DESTROY_IF(this->private);
1192 DESTROY_IF(this->dh);
1193 DESTROY_IF(this->peer);
1194 this->server->destroy(this->server);
1195 this->peer_auth->destroy(this->peer_auth);
1196 this->server_auth->destroy(this->server_auth);
1197 free(this->hashsig.ptr);
1198 free(this->cert_types.ptr);
1199 free(this->session.ptr);
1200 free(this);
1201 }
1202
1203 /**
1204 * See header
1205 */
1206 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1207 identification_t *peer, identification_t *server)
1208 {
1209 private_tls_peer_t *this;
1210
1211 INIT(this,
1212 .public = {
1213 .handshake = {
1214 .process = _process,
1215 .build = _build,
1216 .cipherspec_changed = _cipherspec_changed,
1217 .change_cipherspec = _change_cipherspec,
1218 .finished = _finished,
1219 .get_peer_id = _get_peer_id,
1220 .get_server_id = _get_server_id,
1221 .get_auth = _get_auth,
1222 .destroy = _destroy,
1223 },
1224 },
1225 .state = STATE_INIT,
1226 .tls = tls,
1227 .crypto = crypto,
1228 .alert = alert,
1229 .peer = peer ? peer->clone(peer) : NULL,
1230 .server = server->clone(server),
1231 .peer_auth = auth_cfg_create(),
1232 .server_auth = auth_cfg_create(),
1233 );
1234
1235 return &this->public;
1236 }