622df4035ce4fed7ef47ff1b79a541da3bbb4271
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * DHE exchange
109 */
110 diffie_hellman_t *dh;
111
112 /**
113 * Resuming a session?
114 */
115 bool resume;
116
117 /**
118 * TLS session identifier
119 */
120 chunk_t session;
121
122 /**
123 * List of server-supported hashsig algorithms
124 */
125 chunk_t hashsig;
126
127 /**
128 * List of server-supported client certificate types
129 */
130 chunk_t cert_types;
131 };
132
133 /**
134 * Process a server hello message
135 */
136 static status_t process_server_hello(private_tls_peer_t *this,
137 bio_reader_t *reader)
138 {
139 u_int8_t compression;
140 u_int16_t version, cipher;
141 chunk_t random, session, ext = chunk_empty;
142 tls_cipher_suite_t suite = 0;
143
144 this->crypto->append_handshake(this->crypto,
145 TLS_SERVER_HELLO, reader->peek(reader));
146
147 if (!reader->read_uint16(reader, &version) ||
148 !reader->read_data(reader, sizeof(this->server_random), &random) ||
149 !reader->read_data8(reader, &session) ||
150 !reader->read_uint16(reader, &cipher) ||
151 !reader->read_uint8(reader, &compression) ||
152 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
153 {
154 DBG1(DBG_TLS, "received invalid ServerHello");
155 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
156 return NEED_MORE;
157 }
158
159 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
160
161 if (!this->tls->set_version(this->tls, version))
162 {
163 DBG1(DBG_TLS, "negotiated version %N not supported",
164 tls_version_names, version);
165 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
166 return NEED_MORE;
167 }
168
169 if (chunk_equals(this->session, session))
170 {
171 suite = this->crypto->resume_session(this->crypto, session, this->server,
172 chunk_from_thing(this->client_random),
173 chunk_from_thing(this->server_random));
174 if (suite)
175 {
176 DBG1(DBG_TLS, "resumed %N using suite %N",
177 tls_version_names, version, tls_cipher_suite_names, suite);
178 this->resume = TRUE;
179 }
180 }
181 if (!suite)
182 {
183 suite = cipher;
184 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
185 {
186 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
187 tls_cipher_suite_names, suite);
188 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
189 return NEED_MORE;
190 }
191 DBG1(DBG_TLS, "negotiated %N using suite %N",
192 tls_version_names, version, tls_cipher_suite_names, suite);
193 free(this->session.ptr);
194 this->session = chunk_clone(session);
195 }
196 this->state = STATE_HELLO_RECEIVED;
197 return NEED_MORE;
198 }
199
200 /**
201 * Check if a server certificate is acceptable for the given server identity
202 */
203 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
204 {
205 identification_t *id;
206
207 if (cert->has_subject(cert, this->server))
208 {
209 return TRUE;
210 }
211 id = cert->get_subject(cert);
212 if (id->matches(id, this->server))
213 {
214 return TRUE;
215 }
216 if (cert->get_type(cert) == CERT_X509)
217 {
218 x509_t *x509 = (x509_t*)cert;
219 enumerator_t *enumerator;
220
221 enumerator = x509->create_subjectAltName_enumerator(x509);
222 while (enumerator->enumerate(enumerator, &id))
223 {
224 if (id->matches(id, this->server))
225 {
226 enumerator->destroy(enumerator);
227 return TRUE;
228 }
229 }
230 enumerator->destroy(enumerator);
231 }
232 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
233 return FALSE;
234 }
235
236 /**
237 * Process a Certificate message
238 */
239 static status_t process_certificate(private_tls_peer_t *this,
240 bio_reader_t *reader)
241 {
242 certificate_t *cert;
243 bio_reader_t *certs;
244 chunk_t data;
245 bool first = TRUE;
246
247 this->crypto->append_handshake(this->crypto,
248 TLS_CERTIFICATE, reader->peek(reader));
249
250 if (!reader->read_data24(reader, &data))
251 {
252 DBG1(DBG_TLS, "certificate message header invalid");
253 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
254 return NEED_MORE;
255 }
256 certs = bio_reader_create(data);
257 while (certs->remaining(certs))
258 {
259 if (!certs->read_data24(certs, &data))
260 {
261 DBG1(DBG_TLS, "certificate message invalid");
262 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
263 certs->destroy(certs);
264 return NEED_MORE;
265 }
266 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
267 BUILD_BLOB_ASN1_DER, data, BUILD_END);
268 if (cert)
269 {
270 if (first)
271 {
272 if (!check_certificate(this, cert))
273 {
274 cert->destroy(cert);
275 certs->destroy(certs);
276 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
277 return NEED_MORE;
278 }
279 this->server_auth->add(this->server_auth,
280 AUTH_HELPER_SUBJECT_CERT, cert);
281 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
282 cert->get_subject(cert));
283 first = FALSE;
284 }
285 else
286 {
287 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
288 cert->get_subject(cert));
289 this->server_auth->add(this->server_auth,
290 AUTH_HELPER_IM_CERT, cert);
291 }
292 }
293 else
294 {
295 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
296 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
297 }
298 }
299 certs->destroy(certs);
300 this->state = STATE_CERT_RECEIVED;
301 return NEED_MORE;
302 }
303
304 /**
305 * Find a trusted public key to encrypt/verify key exchange data
306 */
307 static public_key_t *find_public_key(private_tls_peer_t *this)
308 {
309 public_key_t *public = NULL, *current;
310 certificate_t *cert;
311 enumerator_t *enumerator;
312 auth_cfg_t *auth;
313
314 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
315 if (cert)
316 {
317 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
318 KEY_ANY, cert->get_subject(cert), this->server_auth);
319 while (enumerator->enumerate(enumerator, &current, &auth))
320 {
321 public = current->get_ref(current);
322 break;
323 }
324 enumerator->destroy(enumerator);
325 }
326 return public;
327 }
328
329 /**
330 * Process a Key Exchange message using MODP Diffie Hellman
331 */
332 static status_t process_modp_key_exchange(private_tls_peer_t *this,
333 bio_reader_t *reader)
334 {
335 chunk_t prime, generator, pub, chunk;
336 public_key_t *public;
337
338 chunk = reader->peek(reader);
339 if (!reader->read_data16(reader, &prime) ||
340 !reader->read_data16(reader, &generator) ||
341 !reader->read_data16(reader, &pub))
342 {
343 DBG1(DBG_TLS, "received invalid Server Key Exchange");
344 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
345 return NEED_MORE;
346 }
347 public = find_public_key(this);
348 if (!public)
349 {
350 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
351 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
352 return NEED_MORE;
353 }
354
355 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
356 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
357 chunk_from_thing(this->server_random), chunk);
358 if (!this->crypto->verify(this->crypto, public, reader, chunk))
359 {
360 public->destroy(public);
361 free(chunk.ptr);
362 DBG1(DBG_TLS, "verifying DH parameters failed");
363 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
364 return NEED_MORE;
365 }
366 public->destroy(public);
367 free(chunk.ptr);
368
369 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
370 generator, prime);
371 if (!this->dh)
372 {
373 DBG1(DBG_TLS, "custom DH parameters not supported");
374 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
375 return NEED_MORE;
376 }
377 this->dh->set_other_public_value(this->dh, pub);
378
379 this->state = STATE_KEY_EXCHANGE_RECEIVED;
380 return NEED_MORE;
381 }
382
383 /**
384 * Get the EC group for a TLS named curve
385 */
386 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
387 tls_named_curve_t curve)
388 {
389 diffie_hellman_group_t group;
390 tls_named_curve_t current;
391 enumerator_t *enumerator;
392
393 enumerator = this->crypto->create_ec_enumerator(this->crypto);
394 while (enumerator->enumerate(enumerator, &group, &current))
395 {
396 if (current == curve)
397 {
398 enumerator->destroy(enumerator);
399 return group;
400 }
401 }
402 enumerator->destroy(enumerator);
403 return 0;
404 }
405
406 /**
407 * Process a Key Exchange message using EC Diffie Hellman
408 */
409 static status_t process_ec_key_exchange(private_tls_peer_t *this,
410 bio_reader_t *reader)
411 {
412 diffie_hellman_group_t group;
413 public_key_t *public;
414 u_int8_t type;
415 u_int16_t curve;
416 chunk_t pub, chunk;
417
418 chunk = reader->peek(reader);
419 if (!reader->read_uint8(reader, &type))
420 {
421 DBG1(DBG_TLS, "received invalid Server Key Exchange");
422 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
423 return NEED_MORE;
424 }
425 if (type != TLS_ECC_NAMED_CURVE)
426 {
427 DBG1(DBG_TLS, "ECDH curve type %N not supported",
428 tls_ecc_curve_type_names, type);
429 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
430 return NEED_MORE;
431 }
432 if (!reader->read_uint16(reader, &curve) ||
433 !reader->read_data8(reader, &pub) || pub.len == 0)
434 {
435 DBG1(DBG_TLS, "received invalid Server Key Exchange");
436 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
437 return NEED_MORE;
438 }
439
440 group = curve_to_ec_group(this, curve);
441 if (!group)
442 {
443 DBG1(DBG_TLS, "ECDH curve %N not supported",
444 tls_named_curve_names, curve);
445 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
446 return NEED_MORE;
447 }
448
449 public = find_public_key(this);
450 if (!public)
451 {
452 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
453 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
454 return NEED_MORE;
455 }
456
457 chunk.len = 4 + pub.len;
458 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
459 chunk_from_thing(this->server_random), chunk);
460 if (!this->crypto->verify(this->crypto, public, reader, chunk))
461 {
462 public->destroy(public);
463 free(chunk.ptr);
464 DBG1(DBG_TLS, "verifying DH parameters failed");
465 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
466 return NEED_MORE;
467 }
468 public->destroy(public);
469 free(chunk.ptr);
470
471 this->dh = lib->crypto->create_dh(lib->crypto, group);
472 if (!this->dh)
473 {
474 DBG1(DBG_TLS, "DH group %N not supported",
475 diffie_hellman_group_names, group);
476 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
477 return NEED_MORE;
478 }
479
480 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
481 {
482 DBG1(DBG_TLS, "DH point format '%N' not supported",
483 tls_ansi_point_format_names, pub.ptr[0]);
484 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
485 return NEED_MORE;
486 }
487 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
488
489 this->state = STATE_KEY_EXCHANGE_RECEIVED;
490 return NEED_MORE;
491 }
492
493 /**
494 * Process a Server Key Exchange
495 */
496 static status_t process_key_exchange(private_tls_peer_t *this,
497 bio_reader_t *reader)
498 {
499 diffie_hellman_group_t group;
500
501 this->crypto->append_handshake(this->crypto,
502 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
503
504 group = this->crypto->get_dh_group(this->crypto);
505 if (group == MODP_NONE)
506 {
507 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
508 "for current suite");
509 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
510 return NEED_MORE;
511 }
512 if (diffie_hellman_group_is_ec(group))
513 {
514 return process_ec_key_exchange(this, reader);
515 }
516 return process_modp_key_exchange(this, reader);
517 }
518
519 /**
520 * Process a Certificate Request message
521 */
522 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
523 {
524 chunk_t types, hashsig, data;
525 bio_reader_t *authorities;
526 identification_t *id;
527 certificate_t *cert;
528
529 if (!this->peer)
530 {
531 DBG1(DBG_TLS, "server requested a certificate, but client "
532 "authentication disabled");
533 }
534 this->crypto->append_handshake(this->crypto,
535 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
536
537 if (!reader->read_data8(reader, &types))
538 {
539 DBG1(DBG_TLS, "certreq message header invalid");
540 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
541 return NEED_MORE;
542 }
543 this->cert_types = chunk_clone(types);
544 if (this->tls->get_version(this->tls) >= TLS_1_2)
545 {
546 if (!reader->read_data16(reader, &hashsig))
547 {
548 DBG1(DBG_TLS, "certreq message invalid");
549 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
550 return NEED_MORE;
551 }
552 this->hashsig = chunk_clone(hashsig);
553 }
554 if (!reader->read_data16(reader, &data))
555 {
556 DBG1(DBG_TLS, "certreq message invalid");
557 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
558 return NEED_MORE;
559 }
560 authorities = bio_reader_create(data);
561 while (authorities->remaining(authorities))
562 {
563 if (!authorities->read_data16(authorities, &data))
564 {
565 DBG1(DBG_TLS, "certreq message invalid");
566 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
567 authorities->destroy(authorities);
568 return NEED_MORE;
569 }
570 if (this->peer)
571 {
572 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
573 cert = lib->credmgr->get_cert(lib->credmgr,
574 CERT_X509, KEY_ANY, id, TRUE);
575 if (cert)
576 {
577 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
578 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
579 }
580 else
581 {
582 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
583 }
584 id->destroy(id);
585 }
586 }
587 authorities->destroy(authorities);
588 this->state = STATE_CERTREQ_RECEIVED;
589 return NEED_MORE;
590 }
591
592 /**
593 * Process Hello Done message
594 */
595 static status_t process_hello_done(private_tls_peer_t *this,
596 bio_reader_t *reader)
597 {
598 this->crypto->append_handshake(this->crypto,
599 TLS_SERVER_HELLO_DONE, reader->peek(reader));
600 this->state = STATE_HELLO_DONE;
601 return NEED_MORE;
602 }
603
604 /**
605 * Process finished message
606 */
607 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
608 {
609 chunk_t received;
610 char buf[12];
611
612 if (!reader->read_data(reader, sizeof(buf), &received))
613 {
614 DBG1(DBG_TLS, "received server finished too short");
615 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
616 return NEED_MORE;
617 }
618 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
619 {
620 DBG1(DBG_TLS, "calculating server finished failed");
621 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
622 return NEED_MORE;
623 }
624 if (!chunk_equals(received, chunk_from_thing(buf)))
625 {
626 DBG1(DBG_TLS, "received server finished invalid");
627 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
628 return NEED_MORE;
629 }
630 this->state = STATE_FINISHED_RECEIVED;
631 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
632
633 return NEED_MORE;
634 }
635
636 METHOD(tls_handshake_t, process, status_t,
637 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
638 {
639 tls_handshake_type_t expected;
640
641 switch (this->state)
642 {
643 case STATE_HELLO_SENT:
644 if (type == TLS_SERVER_HELLO)
645 {
646 return process_server_hello(this, reader);
647 }
648 expected = TLS_SERVER_HELLO;
649 break;
650 case STATE_HELLO_RECEIVED:
651 if (type == TLS_CERTIFICATE)
652 {
653 return process_certificate(this, reader);
654 }
655 expected = TLS_CERTIFICATE;
656 break;
657 case STATE_CERT_RECEIVED:
658 if (type == TLS_SERVER_KEY_EXCHANGE)
659 {
660 return process_key_exchange(this, reader);
661 }
662 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
663 case STATE_KEY_EXCHANGE_RECEIVED:
664 if (type == TLS_CERTIFICATE_REQUEST)
665 {
666 return process_certreq(this, reader);
667 }
668 this->peer = NULL;
669 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
670 case STATE_CERTREQ_RECEIVED:
671 if (type == TLS_SERVER_HELLO_DONE)
672 {
673 return process_hello_done(this, reader);
674 }
675 expected = TLS_SERVER_HELLO_DONE;
676 break;
677 case STATE_CIPHERSPEC_CHANGED_IN:
678 if (type == TLS_FINISHED)
679 {
680 return process_finished(this, reader);
681 }
682 expected = TLS_FINISHED;
683 break;
684 default:
685 DBG1(DBG_TLS, "TLS %N not expected in current state",
686 tls_handshake_type_names, type);
687 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
688 return NEED_MORE;
689 }
690 DBG1(DBG_TLS, "TLS %N expected, but received %N",
691 tls_handshake_type_names, expected, tls_handshake_type_names, type);
692 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
693 return NEED_MORE;
694 }
695
696 /**
697 * Send a client hello
698 */
699 static status_t send_client_hello(private_tls_peer_t *this,
700 tls_handshake_type_t *type, bio_writer_t *writer)
701 {
702 tls_cipher_suite_t *suites;
703 bio_writer_t *extensions, *curves = NULL;
704 tls_version_t version;
705 tls_named_curve_t curve;
706 enumerator_t *enumerator;
707 int count, i;
708 rng_t *rng;
709
710 htoun32(&this->client_random, time(NULL));
711 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
712 if (!rng ||
713 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
714 this->client_random + 4))
715 {
716 DBG1(DBG_TLS, "failed to generate client random");
717 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
718 DESTROY_IF(rng);
719 return NEED_MORE;
720 }
721 rng->destroy(rng);
722
723 /* TLS version */
724 version = this->tls->get_version(this->tls);
725 writer->write_uint16(writer, version);
726 writer->write_data(writer, chunk_from_thing(this->client_random));
727
728 /* session identifier */
729 this->session = this->crypto->get_session(this->crypto, this->server);
730 writer->write_data8(writer, this->session);
731
732 /* add TLS cipher suites */
733 count = this->crypto->get_cipher_suites(this->crypto, &suites);
734 writer->write_uint16(writer, count * 2);
735 for (i = 0; i < count; i++)
736 {
737 writer->write_uint16(writer, suites[i]);
738 }
739
740 /* NULL compression only */
741 writer->write_uint8(writer, 1);
742 writer->write_uint8(writer, 0);
743
744 extensions = bio_writer_create(32);
745
746 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
747 this->crypto->get_signature_algorithms(this->crypto, extensions);
748
749 /* add supported Elliptic Curves, if any */
750 enumerator = this->crypto->create_ec_enumerator(this->crypto);
751 while (enumerator->enumerate(enumerator, NULL, &curve))
752 {
753 if (!curves)
754 {
755 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
756 curves = bio_writer_create(16);
757 }
758 curves->write_uint16(curves, curve);
759 }
760 enumerator->destroy(enumerator);
761 if (curves)
762 {
763 curves->wrap16(curves);
764 extensions->write_data16(extensions, curves->get_buf(curves));
765 curves->destroy(curves);
766
767 /* if we support curves, add point format extension */
768 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
769 extensions->write_uint16(extensions, 2);
770 extensions->write_uint8(extensions, 1);
771 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
772 }
773 if (this->server->get_type(this->server) == ID_FQDN)
774 {
775 bio_writer_t *names;
776
777 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
778
779 names = bio_writer_create(8);
780 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
781 names->write_data16(names, this->server->get_encoding(this->server));
782 names->wrap16(names);
783 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
784 extensions->write_data16(extensions, names->get_buf(names));
785 names->destroy(names);
786 }
787
788 writer->write_data16(writer, extensions->get_buf(extensions));
789 extensions->destroy(extensions);
790
791 *type = TLS_CLIENT_HELLO;
792 this->state = STATE_HELLO_SENT;
793 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
794 return NEED_MORE;
795 }
796
797 /**
798 * Find a private key suitable to sign Certificate Verify
799 */
800 static private_key_t *find_private_key(private_tls_peer_t *this)
801 {
802 private_key_t *key = NULL;
803 bio_reader_t *reader;
804 key_type_t type;
805 u_int8_t cert;
806
807 if (!this->peer)
808 {
809 return NULL;
810 }
811 reader = bio_reader_create(this->cert_types);
812 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
813 {
814 switch (cert)
815 {
816 case TLS_RSA_SIGN:
817 type = KEY_RSA;
818 break;
819 case TLS_ECDSA_SIGN:
820 type = KEY_ECDSA;
821 break;
822 default:
823 continue;
824 }
825 key = lib->credmgr->get_private(lib->credmgr, type,
826 this->peer, this->peer_auth);
827 if (key)
828 {
829 break;
830 }
831 }
832 reader->destroy(reader);
833 return key;
834 }
835
836 /**
837 * Send Certificate
838 */
839 static status_t send_certificate(private_tls_peer_t *this,
840 tls_handshake_type_t *type, bio_writer_t *writer)
841 {
842 enumerator_t *enumerator;
843 certificate_t *cert;
844 auth_rule_t rule;
845 bio_writer_t *certs;
846 chunk_t data;
847
848 this->private = find_private_key(this);
849 if (!this->private)
850 {
851 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
852 "skipping client authentication", this->peer);
853 this->peer = NULL;
854 }
855
856 /* generate certificate payload */
857 certs = bio_writer_create(256);
858 if (this->peer)
859 {
860 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
861 if (cert)
862 {
863 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
864 {
865 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
866 cert->get_subject(cert));
867 certs->write_data24(certs, data);
868 free(data.ptr);
869 }
870 }
871 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
872 while (enumerator->enumerate(enumerator, &rule, &cert))
873 {
874 if (rule == AUTH_RULE_IM_CERT)
875 {
876 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
877 {
878 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
879 cert->get_subject(cert));
880 certs->write_data24(certs, data);
881 free(data.ptr);
882 }
883 }
884 }
885 enumerator->destroy(enumerator);
886 }
887
888 writer->write_data24(writer, certs->get_buf(certs));
889 certs->destroy(certs);
890
891 *type = TLS_CERTIFICATE;
892 this->state = STATE_CERT_SENT;
893 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
894 return NEED_MORE;
895 }
896
897 /**
898 * Send client key exchange, using premaster encryption
899 */
900 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
901 tls_handshake_type_t *type, bio_writer_t *writer)
902 {
903 public_key_t *public;
904 rng_t *rng;
905 char premaster[48];
906 chunk_t encrypted;
907
908 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
909 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
910 {
911 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
912 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
913 DESTROY_IF(rng);
914 return NEED_MORE;
915 }
916 rng->destroy(rng);
917 htoun16(premaster, TLS_1_2);
918
919 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
920 this->session, this->server,
921 chunk_from_thing(this->client_random),
922 chunk_from_thing(this->server_random)))
923 {
924 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
925 return NEED_MORE;
926 }
927
928 public = find_public_key(this);
929 if (!public)
930 {
931 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
932 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
933 return NEED_MORE;
934 }
935 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
936 chunk_from_thing(premaster), &encrypted))
937 {
938 public->destroy(public);
939 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
940 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
941 return NEED_MORE;
942 }
943 public->destroy(public);
944
945 writer->write_data16(writer, encrypted);
946 free(encrypted.ptr);
947
948 *type = TLS_CLIENT_KEY_EXCHANGE;
949 this->state = STATE_KEY_EXCHANGE_SENT;
950 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
951 return NEED_MORE;
952 }
953
954 /**
955 * Send client key exchange, using DHE exchange
956 */
957 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
958 tls_handshake_type_t *type, bio_writer_t *writer)
959 {
960 chunk_t premaster, pub;
961
962 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
963 {
964 DBG1(DBG_TLS, "calculating premaster from DH failed");
965 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
966 return NEED_MORE;
967 }
968 if (!this->crypto->derive_secrets(this->crypto, premaster,
969 this->session, this->server,
970 chunk_from_thing(this->client_random),
971 chunk_from_thing(this->server_random)))
972 {
973 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
974 chunk_clear(&premaster);
975 return NEED_MORE;
976 }
977 chunk_clear(&premaster);
978
979 this->dh->get_my_public_value(this->dh, &pub);
980 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
981 {
982 writer->write_data16(writer, pub);
983 }
984 else
985 { /* ECP uses 8bit length header only, but a point format */
986 writer->write_uint8(writer, pub.len + 1);
987 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
988 writer->write_data(writer, pub);
989 }
990 free(pub.ptr);
991
992 *type = TLS_CLIENT_KEY_EXCHANGE;
993 this->state = STATE_KEY_EXCHANGE_SENT;
994 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
995 return NEED_MORE;
996 }
997
998 /**
999 * Send client key exchange, depending on suite
1000 */
1001 static status_t send_key_exchange(private_tls_peer_t *this,
1002 tls_handshake_type_t *type, bio_writer_t *writer)
1003 {
1004 if (this->dh)
1005 {
1006 return send_key_exchange_dhe(this, type, writer);
1007 }
1008 return send_key_exchange_encrypt(this, type, writer);
1009 }
1010
1011 /**
1012 * Send certificate verify
1013 */
1014 static status_t send_certificate_verify(private_tls_peer_t *this,
1015 tls_handshake_type_t *type, bio_writer_t *writer)
1016 {
1017 if (!this->private ||
1018 !this->crypto->sign_handshake(this->crypto, this->private,
1019 writer, this->hashsig))
1020 {
1021 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1022 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1023 return NEED_MORE;
1024 }
1025
1026 *type = TLS_CERTIFICATE_VERIFY;
1027 this->state = STATE_VERIFY_SENT;
1028 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1029 return NEED_MORE;
1030 }
1031
1032 /**
1033 * Send Finished
1034 */
1035 static status_t send_finished(private_tls_peer_t *this,
1036 tls_handshake_type_t *type, bio_writer_t *writer)
1037 {
1038 char buf[12];
1039
1040 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1041 {
1042 DBG1(DBG_TLS, "calculating client finished data failed");
1043 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1044 return NEED_MORE;
1045 }
1046
1047 writer->write_data(writer, chunk_from_thing(buf));
1048
1049 *type = TLS_FINISHED;
1050 this->state = STATE_FINISHED_SENT;
1051 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1052 return NEED_MORE;
1053 }
1054
1055 METHOD(tls_handshake_t, build, status_t,
1056 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1057 {
1058 switch (this->state)
1059 {
1060 case STATE_INIT:
1061 return send_client_hello(this, type, writer);
1062 case STATE_HELLO_DONE:
1063 if (this->peer)
1064 {
1065 return send_certificate(this, type, writer);
1066 }
1067 /* otherwise fall through to next state */
1068 case STATE_CERT_SENT:
1069 return send_key_exchange(this, type, writer);
1070 case STATE_KEY_EXCHANGE_SENT:
1071 if (this->peer)
1072 {
1073 return send_certificate_verify(this, type, writer);
1074 }
1075 else
1076 {
1077 return INVALID_STATE;
1078 }
1079 case STATE_CIPHERSPEC_CHANGED_OUT:
1080 return send_finished(this, type, writer);
1081 default:
1082 return INVALID_STATE;
1083 }
1084 }
1085
1086 METHOD(tls_handshake_t, cipherspec_changed, bool,
1087 private_tls_peer_t *this, bool inbound)
1088 {
1089 if (inbound)
1090 {
1091 if (this->resume)
1092 {
1093 return this->state == STATE_HELLO_RECEIVED;
1094 }
1095 return this->state == STATE_FINISHED_SENT;
1096 }
1097 else
1098 {
1099 if (this->resume)
1100 {
1101 return this->state == STATE_FINISHED_RECEIVED;
1102 }
1103 if (this->peer)
1104 {
1105 return this->state == STATE_VERIFY_SENT;
1106 }
1107 return this->state == STATE_KEY_EXCHANGE_SENT;
1108 }
1109 }
1110
1111 METHOD(tls_handshake_t, change_cipherspec, void,
1112 private_tls_peer_t *this, bool inbound)
1113 {
1114 this->crypto->change_cipher(this->crypto, inbound);
1115 if (inbound)
1116 {
1117 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1118 }
1119 else
1120 {
1121 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1122 }
1123 }
1124
1125 METHOD(tls_handshake_t, finished, bool,
1126 private_tls_peer_t *this)
1127 {
1128 if (this->resume)
1129 {
1130 return this->state == STATE_FINISHED_SENT;
1131 }
1132 return this->state == STATE_FINISHED_RECEIVED;
1133 }
1134
1135 METHOD(tls_handshake_t, destroy, void,
1136 private_tls_peer_t *this)
1137 {
1138 DESTROY_IF(this->private);
1139 DESTROY_IF(this->dh);
1140 this->peer_auth->destroy(this->peer_auth);
1141 this->server_auth->destroy(this->server_auth);
1142 free(this->hashsig.ptr);
1143 free(this->cert_types.ptr);
1144 free(this->session.ptr);
1145 free(this);
1146 }
1147
1148 /**
1149 * See header
1150 */
1151 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1152 identification_t *peer, identification_t *server)
1153 {
1154 private_tls_peer_t *this;
1155
1156 INIT(this,
1157 .public = {
1158 .handshake = {
1159 .process = _process,
1160 .build = _build,
1161 .cipherspec_changed = _cipherspec_changed,
1162 .change_cipherspec = _change_cipherspec,
1163 .finished = _finished,
1164 .destroy = _destroy,
1165 },
1166 },
1167 .state = STATE_INIT,
1168 .tls = tls,
1169 .crypto = crypto,
1170 .alert = alert,
1171 .peer = peer,
1172 .server = server,
1173 .peer_auth = auth_cfg_create(),
1174 .server_auth = auth_cfg_create(),
1175 );
1176
1177 return &this->public;
1178 }