86b94ab85775cb6822c79cc109f94ee6813cba45
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * TLS version we offered in hello
84 */
85 tls_version_t hello_version;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Resuming a session?
119 */
120 bool resume;
121
122 /**
123 * TLS session identifier
124 */
125 chunk_t session;
126
127 /**
128 * List of server-supported hashsig algorithms
129 */
130 chunk_t hashsig;
131
132 /**
133 * List of server-supported client certificate types
134 */
135 chunk_t cert_types;
136 };
137
138 /**
139 * Process a server hello message
140 */
141 static status_t process_server_hello(private_tls_peer_t *this,
142 bio_reader_t *reader)
143 {
144 u_int8_t compression;
145 u_int16_t version, cipher;
146 chunk_t random, session, ext = chunk_empty;
147 tls_cipher_suite_t suite = 0;
148
149 this->crypto->append_handshake(this->crypto,
150 TLS_SERVER_HELLO, reader->peek(reader));
151
152 if (!reader->read_uint16(reader, &version) ||
153 !reader->read_data(reader, sizeof(this->server_random), &random) ||
154 !reader->read_data8(reader, &session) ||
155 !reader->read_uint16(reader, &cipher) ||
156 !reader->read_uint8(reader, &compression) ||
157 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
158 {
159 DBG1(DBG_TLS, "received invalid ServerHello");
160 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
161 return NEED_MORE;
162 }
163
164 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
165
166 if (!this->tls->set_version(this->tls, version))
167 {
168 DBG1(DBG_TLS, "negotiated version %N not supported",
169 tls_version_names, version);
170 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
171 return NEED_MORE;
172 }
173
174 if (chunk_equals(this->session, session))
175 {
176 suite = this->crypto->resume_session(this->crypto, session, this->server,
177 chunk_from_thing(this->client_random),
178 chunk_from_thing(this->server_random));
179 if (suite)
180 {
181 DBG1(DBG_TLS, "resumed %N using suite %N",
182 tls_version_names, version, tls_cipher_suite_names, suite);
183 this->resume = TRUE;
184 }
185 }
186 if (!suite)
187 {
188 suite = cipher;
189 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
190 {
191 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
192 tls_cipher_suite_names, suite);
193 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
194 return NEED_MORE;
195 }
196 DBG1(DBG_TLS, "negotiated %N using suite %N",
197 tls_version_names, version, tls_cipher_suite_names, suite);
198 free(this->session.ptr);
199 this->session = chunk_clone(session);
200 }
201 this->state = STATE_HELLO_RECEIVED;
202 return NEED_MORE;
203 }
204
205 /**
206 * Check if a server certificate is acceptable for the given server identity
207 */
208 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
209 {
210 identification_t *id;
211
212 if (cert->has_subject(cert, this->server))
213 {
214 return TRUE;
215 }
216 id = cert->get_subject(cert);
217 if (id->matches(id, this->server))
218 {
219 return TRUE;
220 }
221 if (cert->get_type(cert) == CERT_X509)
222 {
223 x509_t *x509 = (x509_t*)cert;
224 enumerator_t *enumerator;
225
226 enumerator = x509->create_subjectAltName_enumerator(x509);
227 while (enumerator->enumerate(enumerator, &id))
228 {
229 if (id->matches(id, this->server))
230 {
231 enumerator->destroy(enumerator);
232 return TRUE;
233 }
234 }
235 enumerator->destroy(enumerator);
236 }
237 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
238 return FALSE;
239 }
240
241 /**
242 * Process a Certificate message
243 */
244 static status_t process_certificate(private_tls_peer_t *this,
245 bio_reader_t *reader)
246 {
247 certificate_t *cert;
248 bio_reader_t *certs;
249 chunk_t data;
250 bool first = TRUE;
251
252 this->crypto->append_handshake(this->crypto,
253 TLS_CERTIFICATE, reader->peek(reader));
254
255 if (!reader->read_data24(reader, &data))
256 {
257 DBG1(DBG_TLS, "certificate message header invalid");
258 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
259 return NEED_MORE;
260 }
261 certs = bio_reader_create(data);
262 while (certs->remaining(certs))
263 {
264 if (!certs->read_data24(certs, &data))
265 {
266 DBG1(DBG_TLS, "certificate message invalid");
267 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
268 certs->destroy(certs);
269 return NEED_MORE;
270 }
271 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
272 BUILD_BLOB_ASN1_DER, data, BUILD_END);
273 if (cert)
274 {
275 if (first)
276 {
277 if (!check_certificate(this, cert))
278 {
279 cert->destroy(cert);
280 certs->destroy(certs);
281 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
282 return NEED_MORE;
283 }
284 this->server_auth->add(this->server_auth,
285 AUTH_HELPER_SUBJECT_CERT, cert);
286 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
287 cert->get_subject(cert));
288 first = FALSE;
289 }
290 else
291 {
292 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
293 cert->get_subject(cert));
294 this->server_auth->add(this->server_auth,
295 AUTH_HELPER_IM_CERT, cert);
296 }
297 }
298 else
299 {
300 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
301 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
302 }
303 }
304 certs->destroy(certs);
305 this->state = STATE_CERT_RECEIVED;
306 return NEED_MORE;
307 }
308
309 /**
310 * Find a trusted public key to encrypt/verify key exchange data
311 */
312 static public_key_t *find_public_key(private_tls_peer_t *this)
313 {
314 public_key_t *public = NULL, *current;
315 certificate_t *cert, *found;
316 enumerator_t *enumerator;
317 auth_cfg_t *auth;
318
319 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
320 if (cert)
321 {
322 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
323 KEY_ANY, cert->get_subject(cert), this->server_auth);
324 while (enumerator->enumerate(enumerator, &current, &auth))
325 {
326 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
327 if (found && cert->equals(cert, found))
328 {
329 public = current->get_ref(current);
330 this->server_auth->merge(this->server_auth, auth, FALSE);
331 break;
332 }
333 }
334 enumerator->destroy(enumerator);
335 }
336 return public;
337 }
338
339 /**
340 * Process a Key Exchange message using MODP Diffie Hellman
341 */
342 static status_t process_modp_key_exchange(private_tls_peer_t *this,
343 bio_reader_t *reader)
344 {
345 chunk_t prime, generator, pub, chunk;
346 public_key_t *public;
347
348 chunk = reader->peek(reader);
349 if (!reader->read_data16(reader, &prime) ||
350 !reader->read_data16(reader, &generator) ||
351 !reader->read_data16(reader, &pub))
352 {
353 DBG1(DBG_TLS, "received invalid Server Key Exchange");
354 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
355 return NEED_MORE;
356 }
357 public = find_public_key(this);
358 if (!public)
359 {
360 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
361 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
362 return NEED_MORE;
363 }
364
365 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
366 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
367 chunk_from_thing(this->server_random), chunk);
368 if (!this->crypto->verify(this->crypto, public, reader, chunk))
369 {
370 public->destroy(public);
371 free(chunk.ptr);
372 DBG1(DBG_TLS, "verifying DH parameters failed");
373 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
374 return NEED_MORE;
375 }
376 public->destroy(public);
377 free(chunk.ptr);
378
379 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
380 generator, prime);
381 if (!this->dh)
382 {
383 DBG1(DBG_TLS, "custom DH parameters not supported");
384 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
385 return NEED_MORE;
386 }
387 if (!this->dh->set_other_public_value(this->dh, pub))
388 {
389 DBG1(DBG_TLS, "applying DH public value failed");
390 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
391 return NEED_MORE;
392 }
393
394 this->state = STATE_KEY_EXCHANGE_RECEIVED;
395 return NEED_MORE;
396 }
397
398 /**
399 * Get the EC group for a TLS named curve
400 */
401 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
402 tls_named_curve_t curve)
403 {
404 diffie_hellman_group_t group;
405 tls_named_curve_t current;
406 enumerator_t *enumerator;
407
408 enumerator = this->crypto->create_ec_enumerator(this->crypto);
409 while (enumerator->enumerate(enumerator, &group, &current))
410 {
411 if (current == curve)
412 {
413 enumerator->destroy(enumerator);
414 return group;
415 }
416 }
417 enumerator->destroy(enumerator);
418 return 0;
419 }
420
421 /**
422 * Process a Key Exchange message using EC Diffie Hellman
423 */
424 static status_t process_ec_key_exchange(private_tls_peer_t *this,
425 bio_reader_t *reader)
426 {
427 diffie_hellman_group_t group;
428 public_key_t *public;
429 u_int8_t type;
430 u_int16_t curve;
431 chunk_t pub, chunk;
432
433 chunk = reader->peek(reader);
434 if (!reader->read_uint8(reader, &type))
435 {
436 DBG1(DBG_TLS, "received invalid Server Key Exchange");
437 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
438 return NEED_MORE;
439 }
440 if (type != TLS_ECC_NAMED_CURVE)
441 {
442 DBG1(DBG_TLS, "ECDH curve type %N not supported",
443 tls_ecc_curve_type_names, type);
444 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
445 return NEED_MORE;
446 }
447 if (!reader->read_uint16(reader, &curve) ||
448 !reader->read_data8(reader, &pub) || pub.len == 0)
449 {
450 DBG1(DBG_TLS, "received invalid Server Key Exchange");
451 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
452 return NEED_MORE;
453 }
454
455 group = curve_to_ec_group(this, curve);
456 if (!group)
457 {
458 DBG1(DBG_TLS, "ECDH curve %N not supported",
459 tls_named_curve_names, curve);
460 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
461 return NEED_MORE;
462 }
463
464 public = find_public_key(this);
465 if (!public)
466 {
467 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
468 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
469 return NEED_MORE;
470 }
471
472 chunk.len = 4 + pub.len;
473 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
474 chunk_from_thing(this->server_random), chunk);
475 if (!this->crypto->verify(this->crypto, public, reader, chunk))
476 {
477 public->destroy(public);
478 free(chunk.ptr);
479 DBG1(DBG_TLS, "verifying DH parameters failed");
480 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
481 return NEED_MORE;
482 }
483 public->destroy(public);
484 free(chunk.ptr);
485
486 this->dh = lib->crypto->create_dh(lib->crypto, group);
487 if (!this->dh)
488 {
489 DBG1(DBG_TLS, "DH group %N not supported",
490 diffie_hellman_group_names, group);
491 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
492 return NEED_MORE;
493 }
494
495 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
496 {
497 DBG1(DBG_TLS, "DH point format '%N' not supported",
498 tls_ansi_point_format_names, pub.ptr[0]);
499 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
500 return NEED_MORE;
501 }
502 if (!this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1)))
503 {
504 DBG1(DBG_TLS, "applying DH public value failed");
505 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
506 return NEED_MORE;
507 }
508
509 this->state = STATE_KEY_EXCHANGE_RECEIVED;
510 return NEED_MORE;
511 }
512
513 /**
514 * Process a Server Key Exchange
515 */
516 static status_t process_key_exchange(private_tls_peer_t *this,
517 bio_reader_t *reader)
518 {
519 diffie_hellman_group_t group;
520
521 this->crypto->append_handshake(this->crypto,
522 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
523
524 group = this->crypto->get_dh_group(this->crypto);
525 if (group == MODP_NONE)
526 {
527 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
528 "for current suite");
529 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
530 return NEED_MORE;
531 }
532 if (diffie_hellman_group_is_ec(group))
533 {
534 return process_ec_key_exchange(this, reader);
535 }
536 return process_modp_key_exchange(this, reader);
537 }
538
539 /**
540 * Process a Certificate Request message
541 */
542 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
543 {
544 chunk_t types, hashsig, data;
545 bio_reader_t *authorities;
546 identification_t *id;
547 certificate_t *cert;
548
549 if (!this->peer)
550 {
551 DBG1(DBG_TLS, "server requested a certificate, but client "
552 "authentication disabled");
553 }
554 this->crypto->append_handshake(this->crypto,
555 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
556
557 if (!reader->read_data8(reader, &types))
558 {
559 DBG1(DBG_TLS, "certreq message header invalid");
560 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
561 return NEED_MORE;
562 }
563 this->cert_types = chunk_clone(types);
564 if (this->tls->get_version(this->tls) >= TLS_1_2)
565 {
566 if (!reader->read_data16(reader, &hashsig))
567 {
568 DBG1(DBG_TLS, "certreq message invalid");
569 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
570 return NEED_MORE;
571 }
572 this->hashsig = chunk_clone(hashsig);
573 }
574 if (!reader->read_data16(reader, &data))
575 {
576 DBG1(DBG_TLS, "certreq message invalid");
577 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
578 return NEED_MORE;
579 }
580 authorities = bio_reader_create(data);
581 while (authorities->remaining(authorities))
582 {
583 if (!authorities->read_data16(authorities, &data))
584 {
585 DBG1(DBG_TLS, "certreq message invalid");
586 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
587 authorities->destroy(authorities);
588 return NEED_MORE;
589 }
590 if (this->peer)
591 {
592 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
593 cert = lib->credmgr->get_cert(lib->credmgr,
594 CERT_X509, KEY_ANY, id, TRUE);
595 if (cert)
596 {
597 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
598 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
599 }
600 else
601 {
602 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
603 }
604 id->destroy(id);
605 }
606 }
607 authorities->destroy(authorities);
608 this->state = STATE_CERTREQ_RECEIVED;
609 return NEED_MORE;
610 }
611
612 /**
613 * Process Hello Done message
614 */
615 static status_t process_hello_done(private_tls_peer_t *this,
616 bio_reader_t *reader)
617 {
618 this->crypto->append_handshake(this->crypto,
619 TLS_SERVER_HELLO_DONE, reader->peek(reader));
620 this->state = STATE_HELLO_DONE;
621 return NEED_MORE;
622 }
623
624 /**
625 * Process finished message
626 */
627 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
628 {
629 chunk_t received;
630 char buf[12];
631
632 if (!reader->read_data(reader, sizeof(buf), &received))
633 {
634 DBG1(DBG_TLS, "received server finished too short");
635 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
636 return NEED_MORE;
637 }
638 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
639 {
640 DBG1(DBG_TLS, "calculating server finished failed");
641 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
642 return NEED_MORE;
643 }
644 if (!chunk_equals_const(received, chunk_from_thing(buf)))
645 {
646 DBG1(DBG_TLS, "received server finished invalid");
647 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
648 return NEED_MORE;
649 }
650 this->state = STATE_FINISHED_RECEIVED;
651 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
652
653 return NEED_MORE;
654 }
655
656 METHOD(tls_handshake_t, process, status_t,
657 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
658 {
659 tls_handshake_type_t expected;
660
661 switch (this->state)
662 {
663 case STATE_HELLO_SENT:
664 if (type == TLS_SERVER_HELLO)
665 {
666 return process_server_hello(this, reader);
667 }
668 expected = TLS_SERVER_HELLO;
669 break;
670 case STATE_HELLO_RECEIVED:
671 if (type == TLS_CERTIFICATE)
672 {
673 return process_certificate(this, reader);
674 }
675 expected = TLS_CERTIFICATE;
676 break;
677 case STATE_CERT_RECEIVED:
678 if (type == TLS_SERVER_KEY_EXCHANGE)
679 {
680 return process_key_exchange(this, reader);
681 }
682 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
683 case STATE_KEY_EXCHANGE_RECEIVED:
684 if (type == TLS_CERTIFICATE_REQUEST)
685 {
686 return process_certreq(this, reader);
687 }
688 /* no cert request, server does not want to authenticate us */
689 DESTROY_IF(this->peer);
690 this->peer = NULL;
691 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
692 case STATE_CERTREQ_RECEIVED:
693 if (type == TLS_SERVER_HELLO_DONE)
694 {
695 return process_hello_done(this, reader);
696 }
697 expected = TLS_SERVER_HELLO_DONE;
698 break;
699 case STATE_CIPHERSPEC_CHANGED_IN:
700 if (type == TLS_FINISHED)
701 {
702 return process_finished(this, reader);
703 }
704 expected = TLS_FINISHED;
705 break;
706 default:
707 DBG1(DBG_TLS, "TLS %N not expected in current state",
708 tls_handshake_type_names, type);
709 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
710 return NEED_MORE;
711 }
712 DBG1(DBG_TLS, "TLS %N expected, but received %N",
713 tls_handshake_type_names, expected, tls_handshake_type_names, type);
714 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
715 return NEED_MORE;
716 }
717
718 /**
719 * Send a client hello
720 */
721 static status_t send_client_hello(private_tls_peer_t *this,
722 tls_handshake_type_t *type, bio_writer_t *writer)
723 {
724 tls_cipher_suite_t *suites;
725 bio_writer_t *extensions, *curves = NULL;
726 tls_version_t version;
727 tls_named_curve_t curve;
728 enumerator_t *enumerator;
729 int count, i;
730 rng_t *rng;
731
732 htoun32(&this->client_random, time(NULL));
733 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
734 if (!rng ||
735 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
736 this->client_random + 4))
737 {
738 DBG1(DBG_TLS, "failed to generate client random");
739 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
740 DESTROY_IF(rng);
741 return NEED_MORE;
742 }
743 rng->destroy(rng);
744
745 /* TLS version */
746 version = this->tls->get_version(this->tls);
747 this->hello_version = version;
748 writer->write_uint16(writer, version);
749 writer->write_data(writer, chunk_from_thing(this->client_random));
750
751 /* session identifier */
752 this->session = this->crypto->get_session(this->crypto, this->server);
753 writer->write_data8(writer, this->session);
754
755 /* add TLS cipher suites */
756 count = this->crypto->get_cipher_suites(this->crypto, &suites);
757 writer->write_uint16(writer, count * 2);
758 for (i = 0; i < count; i++)
759 {
760 writer->write_uint16(writer, suites[i]);
761 }
762
763 /* NULL compression only */
764 writer->write_uint8(writer, 1);
765 writer->write_uint8(writer, 0);
766
767 extensions = bio_writer_create(32);
768
769 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
770 this->crypto->get_signature_algorithms(this->crypto, extensions);
771
772 /* add supported Elliptic Curves, if any */
773 enumerator = this->crypto->create_ec_enumerator(this->crypto);
774 while (enumerator->enumerate(enumerator, NULL, &curve))
775 {
776 if (!curves)
777 {
778 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
779 curves = bio_writer_create(16);
780 }
781 curves->write_uint16(curves, curve);
782 }
783 enumerator->destroy(enumerator);
784 if (curves)
785 {
786 curves->wrap16(curves);
787 extensions->write_data16(extensions, curves->get_buf(curves));
788 curves->destroy(curves);
789
790 /* if we support curves, add point format extension */
791 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
792 extensions->write_uint16(extensions, 2);
793 extensions->write_uint8(extensions, 1);
794 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
795 }
796 if (this->server->get_type(this->server) == ID_FQDN)
797 {
798 bio_writer_t *names;
799
800 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
801
802 names = bio_writer_create(8);
803 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
804 names->write_data16(names, this->server->get_encoding(this->server));
805 names->wrap16(names);
806 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
807 extensions->write_data16(extensions, names->get_buf(names));
808 names->destroy(names);
809 }
810
811 writer->write_data16(writer, extensions->get_buf(extensions));
812 extensions->destroy(extensions);
813
814 *type = TLS_CLIENT_HELLO;
815 this->state = STATE_HELLO_SENT;
816 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
817 return NEED_MORE;
818 }
819
820 /**
821 * Find a private key suitable to sign Certificate Verify
822 */
823 static private_key_t *find_private_key(private_tls_peer_t *this)
824 {
825 private_key_t *key = NULL;
826 bio_reader_t *reader;
827 key_type_t type;
828 u_int8_t cert;
829
830 if (!this->peer)
831 {
832 return NULL;
833 }
834 reader = bio_reader_create(this->cert_types);
835 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
836 {
837 switch (cert)
838 {
839 case TLS_RSA_SIGN:
840 type = KEY_RSA;
841 break;
842 case TLS_ECDSA_SIGN:
843 type = KEY_ECDSA;
844 break;
845 default:
846 continue;
847 }
848 key = lib->credmgr->get_private(lib->credmgr, type,
849 this->peer, this->peer_auth);
850 if (key)
851 {
852 break;
853 }
854 }
855 reader->destroy(reader);
856 return key;
857 }
858
859 /**
860 * Send Certificate
861 */
862 static status_t send_certificate(private_tls_peer_t *this,
863 tls_handshake_type_t *type, bio_writer_t *writer)
864 {
865 enumerator_t *enumerator;
866 certificate_t *cert;
867 auth_rule_t rule;
868 bio_writer_t *certs;
869 chunk_t data;
870
871 this->private = find_private_key(this);
872 if (!this->private)
873 {
874 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
875 "skipping client authentication", this->peer);
876 this->peer->destroy(this->peer);
877 this->peer = NULL;
878 }
879
880 /* generate certificate payload */
881 certs = bio_writer_create(256);
882 if (this->peer)
883 {
884 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
885 if (cert)
886 {
887 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
888 {
889 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
890 cert->get_subject(cert));
891 certs->write_data24(certs, data);
892 free(data.ptr);
893 }
894 }
895 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
896 while (enumerator->enumerate(enumerator, &rule, &cert))
897 {
898 if (rule == AUTH_RULE_IM_CERT)
899 {
900 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
901 {
902 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
903 cert->get_subject(cert));
904 certs->write_data24(certs, data);
905 free(data.ptr);
906 }
907 }
908 }
909 enumerator->destroy(enumerator);
910 }
911
912 writer->write_data24(writer, certs->get_buf(certs));
913 certs->destroy(certs);
914
915 *type = TLS_CERTIFICATE;
916 this->state = STATE_CERT_SENT;
917 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
918 return NEED_MORE;
919 }
920
921 /**
922 * Send client key exchange, using premaster encryption
923 */
924 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
925 tls_handshake_type_t *type, bio_writer_t *writer)
926 {
927 public_key_t *public;
928 rng_t *rng;
929 char premaster[48];
930 chunk_t encrypted;
931
932 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
933 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
934 {
935 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
936 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
937 DESTROY_IF(rng);
938 return NEED_MORE;
939 }
940 rng->destroy(rng);
941 htoun16(premaster, this->hello_version);
942
943 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
944 this->session, this->server,
945 chunk_from_thing(this->client_random),
946 chunk_from_thing(this->server_random)))
947 {
948 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
949 return NEED_MORE;
950 }
951
952 public = find_public_key(this);
953 if (!public)
954 {
955 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
956 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
957 return NEED_MORE;
958 }
959 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
960 chunk_from_thing(premaster), &encrypted))
961 {
962 public->destroy(public);
963 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
964 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
965 return NEED_MORE;
966 }
967 public->destroy(public);
968
969 writer->write_data16(writer, encrypted);
970 free(encrypted.ptr);
971
972 *type = TLS_CLIENT_KEY_EXCHANGE;
973 this->state = STATE_KEY_EXCHANGE_SENT;
974 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
975 return NEED_MORE;
976 }
977
978 /**
979 * Send client key exchange, using DHE exchange
980 */
981 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
982 tls_handshake_type_t *type, bio_writer_t *writer)
983 {
984 chunk_t premaster, pub;
985
986 if (!this->dh->get_shared_secret(this->dh, &premaster))
987 {
988 DBG1(DBG_TLS, "calculating premaster from DH failed");
989 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
990 return NEED_MORE;
991 }
992 if (!this->crypto->derive_secrets(this->crypto, premaster,
993 this->session, this->server,
994 chunk_from_thing(this->client_random),
995 chunk_from_thing(this->server_random)))
996 {
997 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
998 chunk_clear(&premaster);
999 return NEED_MORE;
1000 }
1001 chunk_clear(&premaster);
1002
1003 if (!this->dh->get_my_public_value(this->dh, &pub))
1004 {
1005 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1006 return NEED_MORE;
1007 }
1008 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
1009 {
1010 writer->write_data16(writer, pub);
1011 }
1012 else
1013 { /* ECP uses 8bit length header only, but a point format */
1014 writer->write_uint8(writer, pub.len + 1);
1015 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1016 writer->write_data(writer, pub);
1017 }
1018 free(pub.ptr);
1019
1020 *type = TLS_CLIENT_KEY_EXCHANGE;
1021 this->state = STATE_KEY_EXCHANGE_SENT;
1022 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1023 return NEED_MORE;
1024 }
1025
1026 /**
1027 * Send client key exchange, depending on suite
1028 */
1029 static status_t send_key_exchange(private_tls_peer_t *this,
1030 tls_handshake_type_t *type, bio_writer_t *writer)
1031 {
1032 if (this->dh)
1033 {
1034 return send_key_exchange_dhe(this, type, writer);
1035 }
1036 return send_key_exchange_encrypt(this, type, writer);
1037 }
1038
1039 /**
1040 * Send certificate verify
1041 */
1042 static status_t send_certificate_verify(private_tls_peer_t *this,
1043 tls_handshake_type_t *type, bio_writer_t *writer)
1044 {
1045 if (!this->private ||
1046 !this->crypto->sign_handshake(this->crypto, this->private,
1047 writer, this->hashsig))
1048 {
1049 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1050 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1051 return NEED_MORE;
1052 }
1053
1054 *type = TLS_CERTIFICATE_VERIFY;
1055 this->state = STATE_VERIFY_SENT;
1056 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1057 return NEED_MORE;
1058 }
1059
1060 /**
1061 * Send Finished
1062 */
1063 static status_t send_finished(private_tls_peer_t *this,
1064 tls_handshake_type_t *type, bio_writer_t *writer)
1065 {
1066 char buf[12];
1067
1068 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1069 {
1070 DBG1(DBG_TLS, "calculating client finished data failed");
1071 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1072 return NEED_MORE;
1073 }
1074
1075 writer->write_data(writer, chunk_from_thing(buf));
1076
1077 *type = TLS_FINISHED;
1078 this->state = STATE_FINISHED_SENT;
1079 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1080 return NEED_MORE;
1081 }
1082
1083 METHOD(tls_handshake_t, build, status_t,
1084 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1085 {
1086 switch (this->state)
1087 {
1088 case STATE_INIT:
1089 return send_client_hello(this, type, writer);
1090 case STATE_HELLO_DONE:
1091 if (this->peer)
1092 {
1093 return send_certificate(this, type, writer);
1094 }
1095 /* otherwise fall through to next state */
1096 case STATE_CERT_SENT:
1097 return send_key_exchange(this, type, writer);
1098 case STATE_KEY_EXCHANGE_SENT:
1099 if (this->peer)
1100 {
1101 return send_certificate_verify(this, type, writer);
1102 }
1103 else
1104 {
1105 return INVALID_STATE;
1106 }
1107 case STATE_CIPHERSPEC_CHANGED_OUT:
1108 return send_finished(this, type, writer);
1109 default:
1110 return INVALID_STATE;
1111 }
1112 }
1113
1114 METHOD(tls_handshake_t, cipherspec_changed, bool,
1115 private_tls_peer_t *this, bool inbound)
1116 {
1117 if (inbound)
1118 {
1119 if (this->resume)
1120 {
1121 return this->state == STATE_HELLO_RECEIVED;
1122 }
1123 return this->state == STATE_FINISHED_SENT;
1124 }
1125 else
1126 {
1127 if (this->resume)
1128 {
1129 return this->state == STATE_FINISHED_RECEIVED;
1130 }
1131 if (this->peer)
1132 {
1133 return this->state == STATE_VERIFY_SENT;
1134 }
1135 return this->state == STATE_KEY_EXCHANGE_SENT;
1136 }
1137 }
1138
1139 METHOD(tls_handshake_t, change_cipherspec, void,
1140 private_tls_peer_t *this, bool inbound)
1141 {
1142 this->crypto->change_cipher(this->crypto, inbound);
1143 if (inbound)
1144 {
1145 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1146 }
1147 else
1148 {
1149 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1150 }
1151 }
1152
1153 METHOD(tls_handshake_t, finished, bool,
1154 private_tls_peer_t *this)
1155 {
1156 if (this->resume)
1157 {
1158 return this->state == STATE_FINISHED_SENT;
1159 }
1160 return this->state == STATE_FINISHED_RECEIVED;
1161 }
1162
1163 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1164 private_tls_peer_t *this)
1165 {
1166 return this->peer;
1167 }
1168
1169 METHOD(tls_handshake_t, get_server_id, identification_t*,
1170 private_tls_peer_t *this)
1171 {
1172 return this->server;
1173 }
1174
1175 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1176 private_tls_peer_t *this)
1177 {
1178 return this->server_auth;
1179 }
1180
1181 METHOD(tls_handshake_t, destroy, void,
1182 private_tls_peer_t *this)
1183 {
1184 DESTROY_IF(this->private);
1185 DESTROY_IF(this->dh);
1186 DESTROY_IF(this->peer);
1187 this->server->destroy(this->server);
1188 this->peer_auth->destroy(this->peer_auth);
1189 this->server_auth->destroy(this->server_auth);
1190 free(this->hashsig.ptr);
1191 free(this->cert_types.ptr);
1192 free(this->session.ptr);
1193 free(this);
1194 }
1195
1196 /**
1197 * See header
1198 */
1199 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1200 identification_t *peer, identification_t *server)
1201 {
1202 private_tls_peer_t *this;
1203
1204 INIT(this,
1205 .public = {
1206 .handshake = {
1207 .process = _process,
1208 .build = _build,
1209 .cipherspec_changed = _cipherspec_changed,
1210 .change_cipherspec = _change_cipherspec,
1211 .finished = _finished,
1212 .get_peer_id = _get_peer_id,
1213 .get_server_id = _get_server_id,
1214 .get_auth = _get_auth,
1215 .destroy = _destroy,
1216 },
1217 },
1218 .state = STATE_INIT,
1219 .tls = tls,
1220 .crypto = crypto,
1221 .alert = alert,
1222 .peer = peer ? peer->clone(peer) : NULL,
1223 .server = server->clone(server),
1224 .peer_auth = auth_cfg_create(),
1225 .server_auth = auth_cfg_create(),
1226 );
1227
1228 return &this->public;
1229 }