1bee436c4af0ccd7b719000a272f5a420d1a0933
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * TLS version we offered in hello
84 */
85 tls_version_t hello_version;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Resuming a session?
119 */
120 bool resume;
121
122 /**
123 * TLS session identifier
124 */
125 chunk_t session;
126
127 /**
128 * List of server-supported hashsig algorithms
129 */
130 chunk_t hashsig;
131
132 /**
133 * List of server-supported client certificate types
134 */
135 chunk_t cert_types;
136 };
137
138 /**
139 * Process a server hello message
140 */
141 static status_t process_server_hello(private_tls_peer_t *this,
142 bio_reader_t *reader)
143 {
144 u_int8_t compression;
145 u_int16_t version, cipher;
146 chunk_t random, session, ext = chunk_empty;
147 tls_cipher_suite_t suite = 0;
148
149 this->crypto->append_handshake(this->crypto,
150 TLS_SERVER_HELLO, reader->peek(reader));
151
152 if (!reader->read_uint16(reader, &version) ||
153 !reader->read_data(reader, sizeof(this->server_random), &random) ||
154 !reader->read_data8(reader, &session) ||
155 !reader->read_uint16(reader, &cipher) ||
156 !reader->read_uint8(reader, &compression) ||
157 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
158 {
159 DBG1(DBG_TLS, "received invalid ServerHello");
160 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
161 return NEED_MORE;
162 }
163
164 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
165
166 if (!this->tls->set_version(this->tls, version))
167 {
168 DBG1(DBG_TLS, "negotiated version %N not supported",
169 tls_version_names, version);
170 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
171 return NEED_MORE;
172 }
173
174 if (chunk_equals(this->session, session))
175 {
176 suite = this->crypto->resume_session(this->crypto, session, this->server,
177 chunk_from_thing(this->client_random),
178 chunk_from_thing(this->server_random));
179 if (suite)
180 {
181 DBG1(DBG_TLS, "resumed %N using suite %N",
182 tls_version_names, version, tls_cipher_suite_names, suite);
183 this->resume = TRUE;
184 }
185 }
186 if (!suite)
187 {
188 suite = cipher;
189 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
190 {
191 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
192 tls_cipher_suite_names, suite);
193 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
194 return NEED_MORE;
195 }
196 DBG1(DBG_TLS, "negotiated %N using suite %N",
197 tls_version_names, version, tls_cipher_suite_names, suite);
198 free(this->session.ptr);
199 this->session = chunk_clone(session);
200 }
201 this->state = STATE_HELLO_RECEIVED;
202 return NEED_MORE;
203 }
204
205 /**
206 * Check if a server certificate is acceptable for the given server identity
207 */
208 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
209 {
210 identification_t *id;
211
212 if (cert->has_subject(cert, this->server))
213 {
214 return TRUE;
215 }
216 id = cert->get_subject(cert);
217 if (id->matches(id, this->server))
218 {
219 return TRUE;
220 }
221 if (cert->get_type(cert) == CERT_X509)
222 {
223 x509_t *x509 = (x509_t*)cert;
224 enumerator_t *enumerator;
225
226 enumerator = x509->create_subjectAltName_enumerator(x509);
227 while (enumerator->enumerate(enumerator, &id))
228 {
229 if (id->matches(id, this->server))
230 {
231 enumerator->destroy(enumerator);
232 return TRUE;
233 }
234 }
235 enumerator->destroy(enumerator);
236 }
237 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
238 return FALSE;
239 }
240
241 /**
242 * Process a Certificate message
243 */
244 static status_t process_certificate(private_tls_peer_t *this,
245 bio_reader_t *reader)
246 {
247 certificate_t *cert;
248 bio_reader_t *certs;
249 chunk_t data;
250 bool first = TRUE;
251
252 this->crypto->append_handshake(this->crypto,
253 TLS_CERTIFICATE, reader->peek(reader));
254
255 if (!reader->read_data24(reader, &data))
256 {
257 DBG1(DBG_TLS, "certificate message header invalid");
258 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
259 return NEED_MORE;
260 }
261 certs = bio_reader_create(data);
262 while (certs->remaining(certs))
263 {
264 if (!certs->read_data24(certs, &data))
265 {
266 DBG1(DBG_TLS, "certificate message invalid");
267 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
268 certs->destroy(certs);
269 return NEED_MORE;
270 }
271 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
272 BUILD_BLOB_ASN1_DER, data, BUILD_END);
273 if (cert)
274 {
275 if (first)
276 {
277 if (!check_certificate(this, cert))
278 {
279 cert->destroy(cert);
280 certs->destroy(certs);
281 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
282 return NEED_MORE;
283 }
284 this->server_auth->add(this->server_auth,
285 AUTH_HELPER_SUBJECT_CERT, cert);
286 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
287 cert->get_subject(cert));
288 first = FALSE;
289 }
290 else
291 {
292 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
293 cert->get_subject(cert));
294 this->server_auth->add(this->server_auth,
295 AUTH_HELPER_IM_CERT, cert);
296 }
297 }
298 else
299 {
300 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
301 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
302 }
303 }
304 certs->destroy(certs);
305 this->state = STATE_CERT_RECEIVED;
306 return NEED_MORE;
307 }
308
309 /**
310 * Find a trusted public key to encrypt/verify key exchange data
311 */
312 static public_key_t *find_public_key(private_tls_peer_t *this)
313 {
314 public_key_t *public = NULL, *current;
315 certificate_t *cert;
316 enumerator_t *enumerator;
317 auth_cfg_t *auth;
318
319 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
320 if (cert)
321 {
322 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
323 KEY_ANY, cert->get_subject(cert), this->server_auth);
324 while (enumerator->enumerate(enumerator, &current, &auth))
325 {
326 public = current->get_ref(current);
327 this->server_auth->merge(this->server_auth, auth, FALSE);
328 break;
329 }
330 enumerator->destroy(enumerator);
331 }
332 return public;
333 }
334
335 /**
336 * Process a Key Exchange message using MODP Diffie Hellman
337 */
338 static status_t process_modp_key_exchange(private_tls_peer_t *this,
339 bio_reader_t *reader)
340 {
341 chunk_t prime, generator, pub, chunk;
342 public_key_t *public;
343
344 chunk = reader->peek(reader);
345 if (!reader->read_data16(reader, &prime) ||
346 !reader->read_data16(reader, &generator) ||
347 !reader->read_data16(reader, &pub))
348 {
349 DBG1(DBG_TLS, "received invalid Server Key Exchange");
350 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
351 return NEED_MORE;
352 }
353 public = find_public_key(this);
354 if (!public)
355 {
356 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
357 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
358 return NEED_MORE;
359 }
360
361 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
362 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
363 chunk_from_thing(this->server_random), chunk);
364 if (!this->crypto->verify(this->crypto, public, reader, chunk))
365 {
366 public->destroy(public);
367 free(chunk.ptr);
368 DBG1(DBG_TLS, "verifying DH parameters failed");
369 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
370 return NEED_MORE;
371 }
372 public->destroy(public);
373 free(chunk.ptr);
374
375 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
376 generator, prime);
377 if (!this->dh)
378 {
379 DBG1(DBG_TLS, "custom DH parameters not supported");
380 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
381 return NEED_MORE;
382 }
383 this->dh->set_other_public_value(this->dh, pub);
384
385 this->state = STATE_KEY_EXCHANGE_RECEIVED;
386 return NEED_MORE;
387 }
388
389 /**
390 * Get the EC group for a TLS named curve
391 */
392 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
393 tls_named_curve_t curve)
394 {
395 diffie_hellman_group_t group;
396 tls_named_curve_t current;
397 enumerator_t *enumerator;
398
399 enumerator = this->crypto->create_ec_enumerator(this->crypto);
400 while (enumerator->enumerate(enumerator, &group, &current))
401 {
402 if (current == curve)
403 {
404 enumerator->destroy(enumerator);
405 return group;
406 }
407 }
408 enumerator->destroy(enumerator);
409 return 0;
410 }
411
412 /**
413 * Process a Key Exchange message using EC Diffie Hellman
414 */
415 static status_t process_ec_key_exchange(private_tls_peer_t *this,
416 bio_reader_t *reader)
417 {
418 diffie_hellman_group_t group;
419 public_key_t *public;
420 u_int8_t type;
421 u_int16_t curve;
422 chunk_t pub, chunk;
423
424 chunk = reader->peek(reader);
425 if (!reader->read_uint8(reader, &type))
426 {
427 DBG1(DBG_TLS, "received invalid Server Key Exchange");
428 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
429 return NEED_MORE;
430 }
431 if (type != TLS_ECC_NAMED_CURVE)
432 {
433 DBG1(DBG_TLS, "ECDH curve type %N not supported",
434 tls_ecc_curve_type_names, type);
435 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
436 return NEED_MORE;
437 }
438 if (!reader->read_uint16(reader, &curve) ||
439 !reader->read_data8(reader, &pub) || pub.len == 0)
440 {
441 DBG1(DBG_TLS, "received invalid Server Key Exchange");
442 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
443 return NEED_MORE;
444 }
445
446 group = curve_to_ec_group(this, curve);
447 if (!group)
448 {
449 DBG1(DBG_TLS, "ECDH curve %N not supported",
450 tls_named_curve_names, curve);
451 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
452 return NEED_MORE;
453 }
454
455 public = find_public_key(this);
456 if (!public)
457 {
458 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
459 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
460 return NEED_MORE;
461 }
462
463 chunk.len = 4 + pub.len;
464 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
465 chunk_from_thing(this->server_random), chunk);
466 if (!this->crypto->verify(this->crypto, public, reader, chunk))
467 {
468 public->destroy(public);
469 free(chunk.ptr);
470 DBG1(DBG_TLS, "verifying DH parameters failed");
471 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
472 return NEED_MORE;
473 }
474 public->destroy(public);
475 free(chunk.ptr);
476
477 this->dh = lib->crypto->create_dh(lib->crypto, group);
478 if (!this->dh)
479 {
480 DBG1(DBG_TLS, "DH group %N not supported",
481 diffie_hellman_group_names, group);
482 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
483 return NEED_MORE;
484 }
485
486 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
487 {
488 DBG1(DBG_TLS, "DH point format '%N' not supported",
489 tls_ansi_point_format_names, pub.ptr[0]);
490 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
491 return NEED_MORE;
492 }
493 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
494
495 this->state = STATE_KEY_EXCHANGE_RECEIVED;
496 return NEED_MORE;
497 }
498
499 /**
500 * Process a Server Key Exchange
501 */
502 static status_t process_key_exchange(private_tls_peer_t *this,
503 bio_reader_t *reader)
504 {
505 diffie_hellman_group_t group;
506
507 this->crypto->append_handshake(this->crypto,
508 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
509
510 group = this->crypto->get_dh_group(this->crypto);
511 if (group == MODP_NONE)
512 {
513 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
514 "for current suite");
515 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
516 return NEED_MORE;
517 }
518 if (diffie_hellman_group_is_ec(group))
519 {
520 return process_ec_key_exchange(this, reader);
521 }
522 return process_modp_key_exchange(this, reader);
523 }
524
525 /**
526 * Process a Certificate Request message
527 */
528 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
529 {
530 chunk_t types, hashsig, data;
531 bio_reader_t *authorities;
532 identification_t *id;
533 certificate_t *cert;
534
535 if (!this->peer)
536 {
537 DBG1(DBG_TLS, "server requested a certificate, but client "
538 "authentication disabled");
539 }
540 this->crypto->append_handshake(this->crypto,
541 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
542
543 if (!reader->read_data8(reader, &types))
544 {
545 DBG1(DBG_TLS, "certreq message header invalid");
546 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
547 return NEED_MORE;
548 }
549 this->cert_types = chunk_clone(types);
550 if (this->tls->get_version(this->tls) >= TLS_1_2)
551 {
552 if (!reader->read_data16(reader, &hashsig))
553 {
554 DBG1(DBG_TLS, "certreq message invalid");
555 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
556 return NEED_MORE;
557 }
558 this->hashsig = chunk_clone(hashsig);
559 }
560 if (!reader->read_data16(reader, &data))
561 {
562 DBG1(DBG_TLS, "certreq message invalid");
563 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
564 return NEED_MORE;
565 }
566 authorities = bio_reader_create(data);
567 while (authorities->remaining(authorities))
568 {
569 if (!authorities->read_data16(authorities, &data))
570 {
571 DBG1(DBG_TLS, "certreq message invalid");
572 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
573 authorities->destroy(authorities);
574 return NEED_MORE;
575 }
576 if (this->peer)
577 {
578 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
579 cert = lib->credmgr->get_cert(lib->credmgr,
580 CERT_X509, KEY_ANY, id, TRUE);
581 if (cert)
582 {
583 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
584 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
585 }
586 else
587 {
588 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
589 }
590 id->destroy(id);
591 }
592 }
593 authorities->destroy(authorities);
594 this->state = STATE_CERTREQ_RECEIVED;
595 return NEED_MORE;
596 }
597
598 /**
599 * Process Hello Done message
600 */
601 static status_t process_hello_done(private_tls_peer_t *this,
602 bio_reader_t *reader)
603 {
604 this->crypto->append_handshake(this->crypto,
605 TLS_SERVER_HELLO_DONE, reader->peek(reader));
606 this->state = STATE_HELLO_DONE;
607 return NEED_MORE;
608 }
609
610 /**
611 * Process finished message
612 */
613 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
614 {
615 chunk_t received;
616 char buf[12];
617
618 if (!reader->read_data(reader, sizeof(buf), &received))
619 {
620 DBG1(DBG_TLS, "received server finished too short");
621 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
622 return NEED_MORE;
623 }
624 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
625 {
626 DBG1(DBG_TLS, "calculating server finished failed");
627 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
628 return NEED_MORE;
629 }
630 if (!chunk_equals(received, chunk_from_thing(buf)))
631 {
632 DBG1(DBG_TLS, "received server finished invalid");
633 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
634 return NEED_MORE;
635 }
636 this->state = STATE_FINISHED_RECEIVED;
637 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
638
639 return NEED_MORE;
640 }
641
642 METHOD(tls_handshake_t, process, status_t,
643 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
644 {
645 tls_handshake_type_t expected;
646
647 switch (this->state)
648 {
649 case STATE_HELLO_SENT:
650 if (type == TLS_SERVER_HELLO)
651 {
652 return process_server_hello(this, reader);
653 }
654 expected = TLS_SERVER_HELLO;
655 break;
656 case STATE_HELLO_RECEIVED:
657 if (type == TLS_CERTIFICATE)
658 {
659 return process_certificate(this, reader);
660 }
661 expected = TLS_CERTIFICATE;
662 break;
663 case STATE_CERT_RECEIVED:
664 if (type == TLS_SERVER_KEY_EXCHANGE)
665 {
666 return process_key_exchange(this, reader);
667 }
668 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
669 case STATE_KEY_EXCHANGE_RECEIVED:
670 if (type == TLS_CERTIFICATE_REQUEST)
671 {
672 return process_certreq(this, reader);
673 }
674 /* no cert request, server does not want to authenticate us */
675 DESTROY_IF(this->peer);
676 this->peer = NULL;
677 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
678 case STATE_CERTREQ_RECEIVED:
679 if (type == TLS_SERVER_HELLO_DONE)
680 {
681 return process_hello_done(this, reader);
682 }
683 expected = TLS_SERVER_HELLO_DONE;
684 break;
685 case STATE_CIPHERSPEC_CHANGED_IN:
686 if (type == TLS_FINISHED)
687 {
688 return process_finished(this, reader);
689 }
690 expected = TLS_FINISHED;
691 break;
692 default:
693 DBG1(DBG_TLS, "TLS %N not expected in current state",
694 tls_handshake_type_names, type);
695 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
696 return NEED_MORE;
697 }
698 DBG1(DBG_TLS, "TLS %N expected, but received %N",
699 tls_handshake_type_names, expected, tls_handshake_type_names, type);
700 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
701 return NEED_MORE;
702 }
703
704 /**
705 * Send a client hello
706 */
707 static status_t send_client_hello(private_tls_peer_t *this,
708 tls_handshake_type_t *type, bio_writer_t *writer)
709 {
710 tls_cipher_suite_t *suites;
711 bio_writer_t *extensions, *curves = NULL;
712 tls_version_t version;
713 tls_named_curve_t curve;
714 enumerator_t *enumerator;
715 int count, i;
716 rng_t *rng;
717
718 htoun32(&this->client_random, time(NULL));
719 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
720 if (!rng ||
721 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
722 this->client_random + 4))
723 {
724 DBG1(DBG_TLS, "failed to generate client random");
725 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
726 DESTROY_IF(rng);
727 return NEED_MORE;
728 }
729 rng->destroy(rng);
730
731 /* TLS version */
732 version = this->tls->get_version(this->tls);
733 this->hello_version = version;
734 writer->write_uint16(writer, version);
735 writer->write_data(writer, chunk_from_thing(this->client_random));
736
737 /* session identifier */
738 this->session = this->crypto->get_session(this->crypto, this->server);
739 writer->write_data8(writer, this->session);
740
741 /* add TLS cipher suites */
742 count = this->crypto->get_cipher_suites(this->crypto, &suites);
743 writer->write_uint16(writer, count * 2);
744 for (i = 0; i < count; i++)
745 {
746 writer->write_uint16(writer, suites[i]);
747 }
748
749 /* NULL compression only */
750 writer->write_uint8(writer, 1);
751 writer->write_uint8(writer, 0);
752
753 extensions = bio_writer_create(32);
754
755 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
756 this->crypto->get_signature_algorithms(this->crypto, extensions);
757
758 /* add supported Elliptic Curves, if any */
759 enumerator = this->crypto->create_ec_enumerator(this->crypto);
760 while (enumerator->enumerate(enumerator, NULL, &curve))
761 {
762 if (!curves)
763 {
764 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
765 curves = bio_writer_create(16);
766 }
767 curves->write_uint16(curves, curve);
768 }
769 enumerator->destroy(enumerator);
770 if (curves)
771 {
772 curves->wrap16(curves);
773 extensions->write_data16(extensions, curves->get_buf(curves));
774 curves->destroy(curves);
775
776 /* if we support curves, add point format extension */
777 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
778 extensions->write_uint16(extensions, 2);
779 extensions->write_uint8(extensions, 1);
780 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
781 }
782 if (this->server->get_type(this->server) == ID_FQDN)
783 {
784 bio_writer_t *names;
785
786 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
787
788 names = bio_writer_create(8);
789 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
790 names->write_data16(names, this->server->get_encoding(this->server));
791 names->wrap16(names);
792 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
793 extensions->write_data16(extensions, names->get_buf(names));
794 names->destroy(names);
795 }
796
797 writer->write_data16(writer, extensions->get_buf(extensions));
798 extensions->destroy(extensions);
799
800 *type = TLS_CLIENT_HELLO;
801 this->state = STATE_HELLO_SENT;
802 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
803 return NEED_MORE;
804 }
805
806 /**
807 * Find a private key suitable to sign Certificate Verify
808 */
809 static private_key_t *find_private_key(private_tls_peer_t *this)
810 {
811 private_key_t *key = NULL;
812 bio_reader_t *reader;
813 key_type_t type;
814 u_int8_t cert;
815
816 if (!this->peer)
817 {
818 return NULL;
819 }
820 reader = bio_reader_create(this->cert_types);
821 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
822 {
823 switch (cert)
824 {
825 case TLS_RSA_SIGN:
826 type = KEY_RSA;
827 break;
828 case TLS_ECDSA_SIGN:
829 type = KEY_ECDSA;
830 break;
831 default:
832 continue;
833 }
834 key = lib->credmgr->get_private(lib->credmgr, type,
835 this->peer, this->peer_auth);
836 if (key)
837 {
838 break;
839 }
840 }
841 reader->destroy(reader);
842 return key;
843 }
844
845 /**
846 * Send Certificate
847 */
848 static status_t send_certificate(private_tls_peer_t *this,
849 tls_handshake_type_t *type, bio_writer_t *writer)
850 {
851 enumerator_t *enumerator;
852 certificate_t *cert;
853 auth_rule_t rule;
854 bio_writer_t *certs;
855 chunk_t data;
856
857 this->private = find_private_key(this);
858 if (!this->private)
859 {
860 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
861 "skipping client authentication", this->peer);
862 this->peer->destroy(this->peer);
863 this->peer = NULL;
864 }
865
866 /* generate certificate payload */
867 certs = bio_writer_create(256);
868 if (this->peer)
869 {
870 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
871 if (cert)
872 {
873 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
874 {
875 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
876 cert->get_subject(cert));
877 certs->write_data24(certs, data);
878 free(data.ptr);
879 }
880 }
881 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
882 while (enumerator->enumerate(enumerator, &rule, &cert))
883 {
884 if (rule == AUTH_RULE_IM_CERT)
885 {
886 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
887 {
888 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
889 cert->get_subject(cert));
890 certs->write_data24(certs, data);
891 free(data.ptr);
892 }
893 }
894 }
895 enumerator->destroy(enumerator);
896 }
897
898 writer->write_data24(writer, certs->get_buf(certs));
899 certs->destroy(certs);
900
901 *type = TLS_CERTIFICATE;
902 this->state = STATE_CERT_SENT;
903 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
904 return NEED_MORE;
905 }
906
907 /**
908 * Send client key exchange, using premaster encryption
909 */
910 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
911 tls_handshake_type_t *type, bio_writer_t *writer)
912 {
913 public_key_t *public;
914 rng_t *rng;
915 char premaster[48];
916 chunk_t encrypted;
917
918 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
919 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
920 {
921 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
922 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
923 DESTROY_IF(rng);
924 return NEED_MORE;
925 }
926 rng->destroy(rng);
927 htoun16(premaster, this->hello_version);
928
929 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
930 this->session, this->server,
931 chunk_from_thing(this->client_random),
932 chunk_from_thing(this->server_random)))
933 {
934 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
935 return NEED_MORE;
936 }
937
938 public = find_public_key(this);
939 if (!public)
940 {
941 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
942 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
943 return NEED_MORE;
944 }
945 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
946 chunk_from_thing(premaster), &encrypted))
947 {
948 public->destroy(public);
949 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
950 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
951 return NEED_MORE;
952 }
953 public->destroy(public);
954
955 writer->write_data16(writer, encrypted);
956 free(encrypted.ptr);
957
958 *type = TLS_CLIENT_KEY_EXCHANGE;
959 this->state = STATE_KEY_EXCHANGE_SENT;
960 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
961 return NEED_MORE;
962 }
963
964 /**
965 * Send client key exchange, using DHE exchange
966 */
967 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
968 tls_handshake_type_t *type, bio_writer_t *writer)
969 {
970 chunk_t premaster, pub;
971
972 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
973 {
974 DBG1(DBG_TLS, "calculating premaster from DH failed");
975 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
976 return NEED_MORE;
977 }
978 if (!this->crypto->derive_secrets(this->crypto, premaster,
979 this->session, this->server,
980 chunk_from_thing(this->client_random),
981 chunk_from_thing(this->server_random)))
982 {
983 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
984 chunk_clear(&premaster);
985 return NEED_MORE;
986 }
987 chunk_clear(&premaster);
988
989 this->dh->get_my_public_value(this->dh, &pub);
990 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
991 {
992 writer->write_data16(writer, pub);
993 }
994 else
995 { /* ECP uses 8bit length header only, but a point format */
996 writer->write_uint8(writer, pub.len + 1);
997 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
998 writer->write_data(writer, pub);
999 }
1000 free(pub.ptr);
1001
1002 *type = TLS_CLIENT_KEY_EXCHANGE;
1003 this->state = STATE_KEY_EXCHANGE_SENT;
1004 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1005 return NEED_MORE;
1006 }
1007
1008 /**
1009 * Send client key exchange, depending on suite
1010 */
1011 static status_t send_key_exchange(private_tls_peer_t *this,
1012 tls_handshake_type_t *type, bio_writer_t *writer)
1013 {
1014 if (this->dh)
1015 {
1016 return send_key_exchange_dhe(this, type, writer);
1017 }
1018 return send_key_exchange_encrypt(this, type, writer);
1019 }
1020
1021 /**
1022 * Send certificate verify
1023 */
1024 static status_t send_certificate_verify(private_tls_peer_t *this,
1025 tls_handshake_type_t *type, bio_writer_t *writer)
1026 {
1027 if (!this->private ||
1028 !this->crypto->sign_handshake(this->crypto, this->private,
1029 writer, this->hashsig))
1030 {
1031 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1032 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1033 return NEED_MORE;
1034 }
1035
1036 *type = TLS_CERTIFICATE_VERIFY;
1037 this->state = STATE_VERIFY_SENT;
1038 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1039 return NEED_MORE;
1040 }
1041
1042 /**
1043 * Send Finished
1044 */
1045 static status_t send_finished(private_tls_peer_t *this,
1046 tls_handshake_type_t *type, bio_writer_t *writer)
1047 {
1048 char buf[12];
1049
1050 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1051 {
1052 DBG1(DBG_TLS, "calculating client finished data failed");
1053 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1054 return NEED_MORE;
1055 }
1056
1057 writer->write_data(writer, chunk_from_thing(buf));
1058
1059 *type = TLS_FINISHED;
1060 this->state = STATE_FINISHED_SENT;
1061 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1062 return NEED_MORE;
1063 }
1064
1065 METHOD(tls_handshake_t, build, status_t,
1066 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1067 {
1068 switch (this->state)
1069 {
1070 case STATE_INIT:
1071 return send_client_hello(this, type, writer);
1072 case STATE_HELLO_DONE:
1073 if (this->peer)
1074 {
1075 return send_certificate(this, type, writer);
1076 }
1077 /* otherwise fall through to next state */
1078 case STATE_CERT_SENT:
1079 return send_key_exchange(this, type, writer);
1080 case STATE_KEY_EXCHANGE_SENT:
1081 if (this->peer)
1082 {
1083 return send_certificate_verify(this, type, writer);
1084 }
1085 else
1086 {
1087 return INVALID_STATE;
1088 }
1089 case STATE_CIPHERSPEC_CHANGED_OUT:
1090 return send_finished(this, type, writer);
1091 default:
1092 return INVALID_STATE;
1093 }
1094 }
1095
1096 METHOD(tls_handshake_t, cipherspec_changed, bool,
1097 private_tls_peer_t *this, bool inbound)
1098 {
1099 if (inbound)
1100 {
1101 if (this->resume)
1102 {
1103 return this->state == STATE_HELLO_RECEIVED;
1104 }
1105 return this->state == STATE_FINISHED_SENT;
1106 }
1107 else
1108 {
1109 if (this->resume)
1110 {
1111 return this->state == STATE_FINISHED_RECEIVED;
1112 }
1113 if (this->peer)
1114 {
1115 return this->state == STATE_VERIFY_SENT;
1116 }
1117 return this->state == STATE_KEY_EXCHANGE_SENT;
1118 }
1119 }
1120
1121 METHOD(tls_handshake_t, change_cipherspec, void,
1122 private_tls_peer_t *this, bool inbound)
1123 {
1124 this->crypto->change_cipher(this->crypto, inbound);
1125 if (inbound)
1126 {
1127 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1128 }
1129 else
1130 {
1131 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1132 }
1133 }
1134
1135 METHOD(tls_handshake_t, finished, bool,
1136 private_tls_peer_t *this)
1137 {
1138 if (this->resume)
1139 {
1140 return this->state == STATE_FINISHED_SENT;
1141 }
1142 return this->state == STATE_FINISHED_RECEIVED;
1143 }
1144
1145 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1146 private_tls_peer_t *this)
1147 {
1148 return this->peer;
1149 }
1150
1151 METHOD(tls_handshake_t, get_server_id, identification_t*,
1152 private_tls_peer_t *this)
1153 {
1154 return this->server;
1155 }
1156
1157 METHOD(tls_handshake_t, destroy, void,
1158 private_tls_peer_t *this)
1159 {
1160 DESTROY_IF(this->private);
1161 DESTROY_IF(this->dh);
1162 DESTROY_IF(this->peer);
1163 this->server->destroy(this->server);
1164 this->peer_auth->destroy(this->peer_auth);
1165 this->server_auth->destroy(this->server_auth);
1166 free(this->hashsig.ptr);
1167 free(this->cert_types.ptr);
1168 free(this->session.ptr);
1169 free(this);
1170 }
1171
1172 /**
1173 * See header
1174 */
1175 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1176 identification_t *peer, identification_t *server)
1177 {
1178 private_tls_peer_t *this;
1179
1180 INIT(this,
1181 .public = {
1182 .handshake = {
1183 .process = _process,
1184 .build = _build,
1185 .cipherspec_changed = _cipherspec_changed,
1186 .change_cipherspec = _change_cipherspec,
1187 .finished = _finished,
1188 .get_peer_id = _get_peer_id,
1189 .get_server_id = _get_server_id,
1190 .destroy = _destroy,
1191 },
1192 },
1193 .state = STATE_INIT,
1194 .tls = tls,
1195 .crypto = crypto,
1196 .alert = alert,
1197 .peer = peer ? peer->clone(peer) : NULL,
1198 .server = server->clone(server),
1199 .peer_auth = auth_cfg_create(),
1200 .server_auth = auth_cfg_create(),
1201 );
1202
1203 return &this->public;
1204 }