068dd3ae757b1903d6b4d0f68a3b72356c904e04
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * DHE exchange
109 */
110 diffie_hellman_t *dh;
111
112 /**
113 * Resuming a session?
114 */
115 bool resume;
116
117 /**
118 * TLS session identifier
119 */
120 chunk_t session;
121
122 /**
123 * List of server-supported hashsig algorithms
124 */
125 chunk_t hashsig;
126
127 /**
128 * List of server-supported client certificate types
129 */
130 chunk_t cert_types;
131 };
132
133 /**
134 * Process a server hello message
135 */
136 static status_t process_server_hello(private_tls_peer_t *this,
137 bio_reader_t *reader)
138 {
139 u_int8_t compression;
140 u_int16_t version, cipher;
141 chunk_t random, session, ext = chunk_empty;
142 tls_cipher_suite_t suite = 0;
143
144 this->crypto->append_handshake(this->crypto,
145 TLS_SERVER_HELLO, reader->peek(reader));
146
147 if (!reader->read_uint16(reader, &version) ||
148 !reader->read_data(reader, sizeof(this->server_random), &random) ||
149 !reader->read_data8(reader, &session) ||
150 !reader->read_uint16(reader, &cipher) ||
151 !reader->read_uint8(reader, &compression) ||
152 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
153 {
154 DBG1(DBG_TLS, "received invalid ServerHello");
155 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
156 return NEED_MORE;
157 }
158
159 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
160
161 if (!this->tls->set_version(this->tls, version))
162 {
163 DBG1(DBG_TLS, "negotiated version %N not supported",
164 tls_version_names, version);
165 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
166 return NEED_MORE;
167 }
168
169 if (chunk_equals(this->session, session))
170 {
171 suite = this->crypto->resume_session(this->crypto, session, this->server,
172 chunk_from_thing(this->client_random),
173 chunk_from_thing(this->server_random));
174 if (suite)
175 {
176 DBG1(DBG_TLS, "resumed %N using suite %N",
177 tls_version_names, version, tls_cipher_suite_names, suite);
178 this->resume = TRUE;
179 }
180 }
181 if (!suite)
182 {
183 suite = cipher;
184 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
185 {
186 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
187 tls_cipher_suite_names, suite);
188 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
189 return NEED_MORE;
190 }
191 DBG1(DBG_TLS, "negotiated %N using suite %N",
192 tls_version_names, version, tls_cipher_suite_names, suite);
193 free(this->session.ptr);
194 this->session = chunk_clone(session);
195 }
196 this->state = STATE_HELLO_RECEIVED;
197 return NEED_MORE;
198 }
199
200 /**
201 * Check if a server certificate is acceptable for the given server identity
202 */
203 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
204 {
205 identification_t *id;
206
207 if (cert->has_subject(cert, this->server))
208 {
209 return TRUE;
210 }
211 id = cert->get_subject(cert);
212 if (id->matches(id, this->server))
213 {
214 return TRUE;
215 }
216 if (cert->get_type(cert) == CERT_X509)
217 {
218 x509_t *x509 = (x509_t*)cert;
219 enumerator_t *enumerator;
220
221 enumerator = x509->create_subjectAltName_enumerator(x509);
222 while (enumerator->enumerate(enumerator, &id))
223 {
224 if (id->matches(id, this->server))
225 {
226 enumerator->destroy(enumerator);
227 return TRUE;
228 }
229 }
230 enumerator->destroy(enumerator);
231 }
232 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
233 return FALSE;
234 }
235
236 /**
237 * Process a Certificate message
238 */
239 static status_t process_certificate(private_tls_peer_t *this,
240 bio_reader_t *reader)
241 {
242 certificate_t *cert;
243 bio_reader_t *certs;
244 chunk_t data;
245 bool first = TRUE;
246
247 this->crypto->append_handshake(this->crypto,
248 TLS_CERTIFICATE, reader->peek(reader));
249
250 if (!reader->read_data24(reader, &data))
251 {
252 DBG1(DBG_TLS, "certificate message header invalid");
253 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
254 return NEED_MORE;
255 }
256 certs = bio_reader_create(data);
257 while (certs->remaining(certs))
258 {
259 if (!certs->read_data24(certs, &data))
260 {
261 DBG1(DBG_TLS, "certificate message invalid");
262 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
263 certs->destroy(certs);
264 return NEED_MORE;
265 }
266 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
267 BUILD_BLOB_ASN1_DER, data, BUILD_END);
268 if (cert)
269 {
270 if (first)
271 {
272 if (!check_certificate(this, cert))
273 {
274 cert->destroy(cert);
275 certs->destroy(certs);
276 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
277 return NEED_MORE;
278 }
279 this->server_auth->add(this->server_auth,
280 AUTH_HELPER_SUBJECT_CERT, cert);
281 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
282 cert->get_subject(cert));
283 first = FALSE;
284 }
285 else
286 {
287 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
288 cert->get_subject(cert));
289 this->server_auth->add(this->server_auth,
290 AUTH_HELPER_IM_CERT, cert);
291 }
292 }
293 else
294 {
295 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
296 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
297 }
298 }
299 certs->destroy(certs);
300 this->state = STATE_CERT_RECEIVED;
301 return NEED_MORE;
302 }
303
304 /**
305 * Find a trusted public key to encrypt/verify key exchange data
306 */
307 static public_key_t *find_public_key(private_tls_peer_t *this)
308 {
309 public_key_t *public = NULL, *current;
310 certificate_t *cert;
311 enumerator_t *enumerator;
312 auth_cfg_t *auth;
313
314 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
315 if (cert)
316 {
317 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
318 KEY_ANY, cert->get_subject(cert), this->server_auth);
319 while (enumerator->enumerate(enumerator, &current, &auth))
320 {
321 public = current->get_ref(current);
322 break;
323 }
324 enumerator->destroy(enumerator);
325 }
326 return public;
327 }
328
329 /**
330 * Process a Key Exchange message using MODP Diffie Hellman
331 */
332 static status_t process_modp_key_exchange(private_tls_peer_t *this,
333 bio_reader_t *reader)
334 {
335 chunk_t prime, generator, pub, chunk;
336 public_key_t *public;
337
338 chunk = reader->peek(reader);
339 if (!reader->read_data16(reader, &prime) ||
340 !reader->read_data16(reader, &generator) ||
341 !reader->read_data16(reader, &pub))
342 {
343 DBG1(DBG_TLS, "received invalid Server Key Exchange");
344 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
345 return NEED_MORE;
346 }
347 public = find_public_key(this);
348 if (!public)
349 {
350 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
351 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
352 return NEED_MORE;
353 }
354
355 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
356 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
357 chunk_from_thing(this->server_random), chunk);
358 if (!this->crypto->verify(this->crypto, public, reader, chunk))
359 {
360 public->destroy(public);
361 free(chunk.ptr);
362 DBG1(DBG_TLS, "verifying DH parameters failed");
363 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
364 return NEED_MORE;
365 }
366 public->destroy(public);
367 free(chunk.ptr);
368
369 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
370 generator, prime);
371 if (!this->dh)
372 {
373 DBG1(DBG_TLS, "custom DH parameters not supported");
374 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
375 return NEED_MORE;
376 }
377 this->dh->set_other_public_value(this->dh, pub);
378
379 this->state = STATE_KEY_EXCHANGE_RECEIVED;
380 return NEED_MORE;
381 }
382
383 /**
384 * Get the EC group for a TLS named curve
385 */
386 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
387 tls_named_curve_t curve)
388 {
389 diffie_hellman_group_t group;
390 tls_named_curve_t current;
391 enumerator_t *enumerator;
392
393 enumerator = this->crypto->create_ec_enumerator(this->crypto);
394 while (enumerator->enumerate(enumerator, &group, &current))
395 {
396 if (current == curve)
397 {
398 enumerator->destroy(enumerator);
399 return group;
400 }
401 }
402 enumerator->destroy(enumerator);
403 return 0;
404 }
405
406 /**
407 * Process a Key Exchange message using EC Diffie Hellman
408 */
409 static status_t process_ec_key_exchange(private_tls_peer_t *this,
410 bio_reader_t *reader)
411 {
412 diffie_hellman_group_t group;
413 public_key_t *public;
414 u_int8_t type;
415 u_int16_t curve;
416 chunk_t pub, chunk;
417
418 chunk = reader->peek(reader);
419 if (!reader->read_uint8(reader, &type))
420 {
421 DBG1(DBG_TLS, "received invalid Server Key Exchange");
422 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
423 return NEED_MORE;
424 }
425 if (type != TLS_ECC_NAMED_CURVE)
426 {
427 DBG1(DBG_TLS, "ECDH curve type %N not supported",
428 tls_ecc_curve_type_names, type);
429 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
430 return NEED_MORE;
431 }
432 if (!reader->read_uint16(reader, &curve) ||
433 !reader->read_data8(reader, &pub) || pub.len == 0)
434 {
435 DBG1(DBG_TLS, "received invalid Server Key Exchange");
436 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
437 return NEED_MORE;
438 }
439
440 group = curve_to_ec_group(this, curve);
441 if (!group)
442 {
443 DBG1(DBG_TLS, "ECDH curve %N not supported",
444 tls_named_curve_names, curve);
445 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
446 return NEED_MORE;
447 }
448
449 public = find_public_key(this);
450 if (!public)
451 {
452 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
453 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
454 return NEED_MORE;
455 }
456
457 chunk.len = 4 + pub.len;
458 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
459 chunk_from_thing(this->server_random), chunk);
460 if (!this->crypto->verify(this->crypto, public, reader, chunk))
461 {
462 public->destroy(public);
463 free(chunk.ptr);
464 DBG1(DBG_TLS, "verifying DH parameters failed");
465 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
466 return NEED_MORE;
467 }
468 public->destroy(public);
469 free(chunk.ptr);
470
471 this->dh = lib->crypto->create_dh(lib->crypto, group);
472 if (!this->dh)
473 {
474 DBG1(DBG_TLS, "DH group %N not supported",
475 diffie_hellman_group_names, group);
476 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
477 return NEED_MORE;
478 }
479
480 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
481 {
482 DBG1(DBG_TLS, "DH point format '%N' not supported",
483 tls_ansi_point_format_names, pub.ptr[0]);
484 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
485 return NEED_MORE;
486 }
487 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
488
489 this->state = STATE_KEY_EXCHANGE_RECEIVED;
490 return NEED_MORE;
491 }
492
493 /**
494 * Process a Server Key Exchange
495 */
496 static status_t process_key_exchange(private_tls_peer_t *this,
497 bio_reader_t *reader)
498 {
499 diffie_hellman_group_t group;
500
501 this->crypto->append_handshake(this->crypto,
502 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
503
504 group = this->crypto->get_dh_group(this->crypto);
505 if (group == MODP_NONE)
506 {
507 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
508 "for current suite");
509 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
510 return NEED_MORE;
511 }
512 if (diffie_hellman_group_is_ec(group))
513 {
514 return process_ec_key_exchange(this, reader);
515 }
516 return process_modp_key_exchange(this, reader);
517 }
518
519 /**
520 * Process a Certificate Request message
521 */
522 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
523 {
524 chunk_t types, hashsig, data;
525 bio_reader_t *authorities;
526 identification_t *id;
527 certificate_t *cert;
528
529 if (!this->peer)
530 {
531 DBG1(DBG_TLS, "server requested a certificate, but client "
532 "authentication disabled");
533 }
534 this->crypto->append_handshake(this->crypto,
535 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
536
537 if (!reader->read_data8(reader, &types))
538 {
539 DBG1(DBG_TLS, "certreq message header invalid");
540 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
541 return NEED_MORE;
542 }
543 this->cert_types = chunk_clone(types);
544 if (this->tls->get_version(this->tls) >= TLS_1_2)
545 {
546 if (!reader->read_data16(reader, &hashsig))
547 {
548 DBG1(DBG_TLS, "certreq message invalid");
549 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
550 return NEED_MORE;
551 }
552 this->hashsig = chunk_clone(hashsig);
553 }
554 if (!reader->read_data16(reader, &data))
555 {
556 DBG1(DBG_TLS, "certreq message invalid");
557 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
558 return NEED_MORE;
559 }
560 authorities = bio_reader_create(data);
561 while (authorities->remaining(authorities))
562 {
563 if (!authorities->read_data16(authorities, &data))
564 {
565 DBG1(DBG_TLS, "certreq message invalid");
566 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
567 authorities->destroy(authorities);
568 return NEED_MORE;
569 }
570 if (this->peer)
571 {
572 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
573 cert = lib->credmgr->get_cert(lib->credmgr,
574 CERT_X509, KEY_ANY, id, TRUE);
575 if (cert)
576 {
577 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
578 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
579 }
580 else
581 {
582 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
583 }
584 id->destroy(id);
585 }
586 }
587 authorities->destroy(authorities);
588 this->state = STATE_CERTREQ_RECEIVED;
589 return NEED_MORE;
590 }
591
592 /**
593 * Process Hello Done message
594 */
595 static status_t process_hello_done(private_tls_peer_t *this,
596 bio_reader_t *reader)
597 {
598 this->crypto->append_handshake(this->crypto,
599 TLS_SERVER_HELLO_DONE, reader->peek(reader));
600 this->state = STATE_HELLO_DONE;
601 return NEED_MORE;
602 }
603
604 /**
605 * Process finished message
606 */
607 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
608 {
609 chunk_t received;
610 char buf[12];
611
612 if (!reader->read_data(reader, sizeof(buf), &received))
613 {
614 DBG1(DBG_TLS, "received server finished too short");
615 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
616 return NEED_MORE;
617 }
618 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
619 {
620 DBG1(DBG_TLS, "calculating server finished failed");
621 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
622 return NEED_MORE;
623 }
624 if (!chunk_equals(received, chunk_from_thing(buf)))
625 {
626 DBG1(DBG_TLS, "received server finished invalid");
627 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
628 return NEED_MORE;
629 }
630 this->state = STATE_FINISHED_RECEIVED;
631 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
632
633 return NEED_MORE;
634 }
635
636 METHOD(tls_handshake_t, process, status_t,
637 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
638 {
639 tls_handshake_type_t expected;
640
641 switch (this->state)
642 {
643 case STATE_HELLO_SENT:
644 if (type == TLS_SERVER_HELLO)
645 {
646 return process_server_hello(this, reader);
647 }
648 expected = TLS_SERVER_HELLO;
649 break;
650 case STATE_HELLO_RECEIVED:
651 if (type == TLS_CERTIFICATE)
652 {
653 return process_certificate(this, reader);
654 }
655 expected = TLS_CERTIFICATE;
656 break;
657 case STATE_CERT_RECEIVED:
658 if (type == TLS_SERVER_KEY_EXCHANGE)
659 {
660 return process_key_exchange(this, reader);
661 }
662 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
663 case STATE_KEY_EXCHANGE_RECEIVED:
664 if (type == TLS_CERTIFICATE_REQUEST)
665 {
666 return process_certreq(this, reader);
667 }
668 this->peer = NULL;
669 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
670 case STATE_CERTREQ_RECEIVED:
671 if (type == TLS_SERVER_HELLO_DONE)
672 {
673 return process_hello_done(this, reader);
674 }
675 expected = TLS_SERVER_HELLO_DONE;
676 break;
677 case STATE_CIPHERSPEC_CHANGED_IN:
678 if (type == TLS_FINISHED)
679 {
680 return process_finished(this, reader);
681 }
682 expected = TLS_FINISHED;
683 break;
684 default:
685 DBG1(DBG_TLS, "TLS %N not expected in current state",
686 tls_handshake_type_names, type);
687 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
688 return NEED_MORE;
689 }
690 DBG1(DBG_TLS, "TLS %N expected, but received %N",
691 tls_handshake_type_names, expected, tls_handshake_type_names, type);
692 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
693 return NEED_MORE;
694 }
695
696 /**
697 * Send a client hello
698 */
699 static status_t send_client_hello(private_tls_peer_t *this,
700 tls_handshake_type_t *type, bio_writer_t *writer)
701 {
702 tls_cipher_suite_t *suites;
703 bio_writer_t *extensions, *curves = NULL;
704 tls_version_t version;
705 tls_named_curve_t curve;
706 enumerator_t *enumerator;
707 int count, i;
708 rng_t *rng;
709
710 htoun32(&this->client_random, time(NULL));
711 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
712 if (!rng)
713 {
714 DBG1(DBG_TLS, "no suitable RNG found to generate client random");
715 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
716 return NEED_MORE;
717 }
718 rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4);
719 rng->destroy(rng);
720
721 /* TLS version */
722 version = this->tls->get_version(this->tls);
723 writer->write_uint16(writer, version);
724 writer->write_data(writer, chunk_from_thing(this->client_random));
725
726 /* session identifier */
727 this->session = this->crypto->get_session(this->crypto, this->server);
728 writer->write_data8(writer, this->session);
729
730 /* add TLS cipher suites */
731 count = this->crypto->get_cipher_suites(this->crypto, &suites);
732 writer->write_uint16(writer, count * 2);
733 for (i = 0; i < count; i++)
734 {
735 writer->write_uint16(writer, suites[i]);
736 }
737
738 /* NULL compression only */
739 writer->write_uint8(writer, 1);
740 writer->write_uint8(writer, 0);
741
742 extensions = bio_writer_create(32);
743
744 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
745 this->crypto->get_signature_algorithms(this->crypto, extensions);
746
747 /* add supported Elliptic Curves, if any */
748 enumerator = this->crypto->create_ec_enumerator(this->crypto);
749 while (enumerator->enumerate(enumerator, NULL, &curve))
750 {
751 if (!curves)
752 {
753 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
754 curves = bio_writer_create(16);
755 }
756 curves->write_uint16(curves, curve);
757 }
758 enumerator->destroy(enumerator);
759 if (curves)
760 {
761 extensions->write_data16(extensions, curves->get_buf(curves));
762 curves->destroy(curves);
763
764 /* if we support curves, add point format extension */
765 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
766 extensions->write_uint16(extensions, 2);
767 extensions->write_uint8(extensions, 1);
768 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
769 }
770 if (this->server->get_type(this->server) == ID_FQDN)
771 {
772 bio_writer_t *names;
773
774 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
775
776 names = bio_writer_create(8);
777 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
778 names->write_data16(names, this->server->get_encoding(this->server));
779 names->wrap16(names);
780 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
781 extensions->write_data16(extensions, names->get_buf(names));
782 names->destroy(names);
783 }
784
785 writer->write_data16(writer, extensions->get_buf(extensions));
786 extensions->destroy(extensions);
787
788 *type = TLS_CLIENT_HELLO;
789 this->state = STATE_HELLO_SENT;
790 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
791 return NEED_MORE;
792 }
793
794 /**
795 * Find a private key suitable to sign Certificate Verify
796 */
797 static private_key_t *find_private_key(private_tls_peer_t *this)
798 {
799 private_key_t *key = NULL;
800 bio_reader_t *reader;
801 key_type_t type;
802 u_int8_t cert;
803
804 if (!this->peer)
805 {
806 return NULL;
807 }
808 reader = bio_reader_create(this->cert_types);
809 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
810 {
811 switch (cert)
812 {
813 case TLS_RSA_SIGN:
814 type = KEY_RSA;
815 break;
816 case TLS_ECDSA_SIGN:
817 type = KEY_ECDSA;
818 break;
819 default:
820 continue;
821 }
822 key = lib->credmgr->get_private(lib->credmgr, type,
823 this->peer, this->peer_auth);
824 if (key)
825 {
826 break;
827 }
828 }
829 reader->destroy(reader);
830 return key;
831 }
832
833 /**
834 * Send Certificate
835 */
836 static status_t send_certificate(private_tls_peer_t *this,
837 tls_handshake_type_t *type, bio_writer_t *writer)
838 {
839 enumerator_t *enumerator;
840 certificate_t *cert;
841 auth_rule_t rule;
842 bio_writer_t *certs;
843 chunk_t data;
844
845 this->private = find_private_key(this);
846 if (!this->private)
847 {
848 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
849 "skipping client authentication", this->peer);
850 this->peer = NULL;
851 }
852
853 /* generate certificate payload */
854 certs = bio_writer_create(256);
855 if (this->peer)
856 {
857 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
858 if (cert)
859 {
860 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
861 {
862 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
863 cert->get_subject(cert));
864 certs->write_data24(certs, data);
865 free(data.ptr);
866 }
867 }
868 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
869 while (enumerator->enumerate(enumerator, &rule, &cert))
870 {
871 if (rule == AUTH_RULE_IM_CERT)
872 {
873 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
874 {
875 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
876 cert->get_subject(cert));
877 certs->write_data24(certs, data);
878 free(data.ptr);
879 }
880 }
881 }
882 enumerator->destroy(enumerator);
883 }
884
885 writer->write_data24(writer, certs->get_buf(certs));
886 certs->destroy(certs);
887
888 *type = TLS_CERTIFICATE;
889 this->state = STATE_CERT_SENT;
890 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
891 return NEED_MORE;
892 }
893
894 /**
895 * Send client key exchange, using premaster encryption
896 */
897 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
898 tls_handshake_type_t *type, bio_writer_t *writer)
899 {
900 public_key_t *public;
901 rng_t *rng;
902 char premaster[48];
903 chunk_t encrypted;
904
905 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
906 if (!rng)
907 {
908 DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
909 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
910 return NEED_MORE;
911 }
912 rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
913 rng->destroy(rng);
914 htoun16(premaster, TLS_1_2);
915
916 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
917 this->session, this->server,
918 chunk_from_thing(this->client_random),
919 chunk_from_thing(this->server_random)))
920 {
921 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
922 return NEED_MORE;
923 }
924
925 public = find_public_key(this);
926 if (!public)
927 {
928 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
929 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
930 return NEED_MORE;
931 }
932 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
933 chunk_from_thing(premaster), &encrypted))
934 {
935 public->destroy(public);
936 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
937 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
938 return NEED_MORE;
939 }
940 public->destroy(public);
941
942 writer->write_data16(writer, encrypted);
943 free(encrypted.ptr);
944
945 *type = TLS_CLIENT_KEY_EXCHANGE;
946 this->state = STATE_KEY_EXCHANGE_SENT;
947 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
948 return NEED_MORE;
949 }
950
951 /**
952 * Send client key exchange, using DHE exchange
953 */
954 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
955 tls_handshake_type_t *type, bio_writer_t *writer)
956 {
957 chunk_t premaster, pub;
958
959 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
960 {
961 DBG1(DBG_TLS, "calculating premaster from DH failed");
962 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
963 return NEED_MORE;
964 }
965 if (!this->crypto->derive_secrets(this->crypto, premaster,
966 this->session, this->server,
967 chunk_from_thing(this->client_random),
968 chunk_from_thing(this->server_random)))
969 {
970 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
971 chunk_clear(&premaster);
972 return NEED_MORE;
973 }
974 chunk_clear(&premaster);
975
976 this->dh->get_my_public_value(this->dh, &pub);
977 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
978 {
979 writer->write_data16(writer, pub);
980 }
981 else
982 { /* ECP uses 8bit length header only, but a point format */
983 writer->write_uint8(writer, pub.len + 1);
984 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
985 writer->write_data(writer, pub);
986 }
987 free(pub.ptr);
988
989 *type = TLS_CLIENT_KEY_EXCHANGE;
990 this->state = STATE_KEY_EXCHANGE_SENT;
991 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
992 return NEED_MORE;
993 }
994
995 /**
996 * Send client key exchange, depending on suite
997 */
998 static status_t send_key_exchange(private_tls_peer_t *this,
999 tls_handshake_type_t *type, bio_writer_t *writer)
1000 {
1001 if (this->dh)
1002 {
1003 return send_key_exchange_dhe(this, type, writer);
1004 }
1005 return send_key_exchange_encrypt(this, type, writer);
1006 }
1007
1008 /**
1009 * Send certificate verify
1010 */
1011 static status_t send_certificate_verify(private_tls_peer_t *this,
1012 tls_handshake_type_t *type, bio_writer_t *writer)
1013 {
1014 if (!this->private ||
1015 !this->crypto->sign_handshake(this->crypto, this->private,
1016 writer, this->hashsig))
1017 {
1018 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1019 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1020 return NEED_MORE;
1021 }
1022
1023 *type = TLS_CERTIFICATE_VERIFY;
1024 this->state = STATE_VERIFY_SENT;
1025 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1026 return NEED_MORE;
1027 }
1028
1029 /**
1030 * Send Finished
1031 */
1032 static status_t send_finished(private_tls_peer_t *this,
1033 tls_handshake_type_t *type, bio_writer_t *writer)
1034 {
1035 char buf[12];
1036
1037 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1038 {
1039 DBG1(DBG_TLS, "calculating client finished data failed");
1040 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1041 return NEED_MORE;
1042 }
1043
1044 writer->write_data(writer, chunk_from_thing(buf));
1045
1046 *type = TLS_FINISHED;
1047 this->state = STATE_FINISHED_SENT;
1048 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1049 return NEED_MORE;
1050 }
1051
1052 METHOD(tls_handshake_t, build, status_t,
1053 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1054 {
1055 switch (this->state)
1056 {
1057 case STATE_INIT:
1058 return send_client_hello(this, type, writer);
1059 case STATE_HELLO_DONE:
1060 if (this->peer)
1061 {
1062 return send_certificate(this, type, writer);
1063 }
1064 /* otherwise fall through to next state */
1065 case STATE_CERT_SENT:
1066 return send_key_exchange(this, type, writer);
1067 case STATE_KEY_EXCHANGE_SENT:
1068 if (this->peer)
1069 {
1070 return send_certificate_verify(this, type, writer);
1071 }
1072 else
1073 {
1074 return INVALID_STATE;
1075 }
1076 case STATE_CIPHERSPEC_CHANGED_OUT:
1077 return send_finished(this, type, writer);
1078 default:
1079 return INVALID_STATE;
1080 }
1081 }
1082
1083 METHOD(tls_handshake_t, cipherspec_changed, bool,
1084 private_tls_peer_t *this, bool inbound)
1085 {
1086 if (inbound)
1087 {
1088 if (this->resume)
1089 {
1090 return this->state == STATE_HELLO_RECEIVED;
1091 }
1092 return this->state == STATE_FINISHED_SENT;
1093 }
1094 else
1095 {
1096 if (this->resume)
1097 {
1098 return this->state == STATE_FINISHED_RECEIVED;
1099 }
1100 if (this->peer)
1101 {
1102 return this->state == STATE_VERIFY_SENT;
1103 }
1104 return this->state == STATE_KEY_EXCHANGE_SENT;
1105 }
1106 }
1107
1108 METHOD(tls_handshake_t, change_cipherspec, void,
1109 private_tls_peer_t *this, bool inbound)
1110 {
1111 this->crypto->change_cipher(this->crypto, inbound);
1112 if (inbound)
1113 {
1114 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1115 }
1116 else
1117 {
1118 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1119 }
1120 }
1121
1122 METHOD(tls_handshake_t, finished, bool,
1123 private_tls_peer_t *this)
1124 {
1125 if (this->resume)
1126 {
1127 return this->state == STATE_FINISHED_SENT;
1128 }
1129 return this->state == STATE_FINISHED_RECEIVED;
1130 }
1131
1132 METHOD(tls_handshake_t, destroy, void,
1133 private_tls_peer_t *this)
1134 {
1135 DESTROY_IF(this->private);
1136 DESTROY_IF(this->dh);
1137 this->peer_auth->destroy(this->peer_auth);
1138 this->server_auth->destroy(this->server_auth);
1139 free(this->hashsig.ptr);
1140 free(this->cert_types.ptr);
1141 free(this->session.ptr);
1142 free(this);
1143 }
1144
1145 /**
1146 * See header
1147 */
1148 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1149 identification_t *peer, identification_t *server)
1150 {
1151 private_tls_peer_t *this;
1152
1153 INIT(this,
1154 .public = {
1155 .handshake = {
1156 .process = _process,
1157 .build = _build,
1158 .cipherspec_changed = _cipherspec_changed,
1159 .change_cipherspec = _change_cipherspec,
1160 .finished = _finished,
1161 .destroy = _destroy,
1162 },
1163 },
1164 .state = STATE_INIT,
1165 .tls = tls,
1166 .crypto = crypto,
1167 .alert = alert,
1168 .peer = peer,
1169 .server = server,
1170 .peer_auth = auth_cfg_create(),
1171 .server_auth = auth_cfg_create(),
1172 );
1173
1174 return &this->public;
1175 }