99bc92ac016024bdfc7a00c83c6d410a235ee0ed
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * TLS version we offered in hello
84 */
85 tls_version_t hello_version;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Resuming a session?
119 */
120 bool resume;
121
122 /**
123 * TLS session identifier
124 */
125 chunk_t session;
126
127 /**
128 * List of server-supported hashsig algorithms
129 */
130 chunk_t hashsig;
131
132 /**
133 * List of server-supported client certificate types
134 */
135 chunk_t cert_types;
136 };
137
138 /**
139 * Process a server hello message
140 */
141 static status_t process_server_hello(private_tls_peer_t *this,
142 bio_reader_t *reader)
143 {
144 u_int8_t compression;
145 u_int16_t version, cipher;
146 chunk_t random, session, ext = chunk_empty;
147 tls_cipher_suite_t suite = 0;
148
149 this->crypto->append_handshake(this->crypto,
150 TLS_SERVER_HELLO, reader->peek(reader));
151
152 if (!reader->read_uint16(reader, &version) ||
153 !reader->read_data(reader, sizeof(this->server_random), &random) ||
154 !reader->read_data8(reader, &session) ||
155 !reader->read_uint16(reader, &cipher) ||
156 !reader->read_uint8(reader, &compression) ||
157 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
158 {
159 DBG1(DBG_TLS, "received invalid ServerHello");
160 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
161 return NEED_MORE;
162 }
163
164 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
165
166 if (!this->tls->set_version(this->tls, version))
167 {
168 DBG1(DBG_TLS, "negotiated version %N not supported",
169 tls_version_names, version);
170 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
171 return NEED_MORE;
172 }
173
174 if (chunk_equals(this->session, session))
175 {
176 suite = this->crypto->resume_session(this->crypto, session, this->server,
177 chunk_from_thing(this->client_random),
178 chunk_from_thing(this->server_random));
179 if (suite)
180 {
181 DBG1(DBG_TLS, "resumed %N using suite %N",
182 tls_version_names, version, tls_cipher_suite_names, suite);
183 this->resume = TRUE;
184 }
185 }
186 if (!suite)
187 {
188 suite = cipher;
189 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
190 {
191 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
192 tls_cipher_suite_names, suite);
193 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
194 return NEED_MORE;
195 }
196 DBG1(DBG_TLS, "negotiated %N using suite %N",
197 tls_version_names, version, tls_cipher_suite_names, suite);
198 free(this->session.ptr);
199 this->session = chunk_clone(session);
200 }
201 this->state = STATE_HELLO_RECEIVED;
202 return NEED_MORE;
203 }
204
205 /**
206 * Check if a server certificate is acceptable for the given server identity
207 */
208 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
209 {
210 identification_t *id;
211
212 if (cert->has_subject(cert, this->server))
213 {
214 return TRUE;
215 }
216 id = cert->get_subject(cert);
217 if (id->matches(id, this->server))
218 {
219 return TRUE;
220 }
221 if (cert->get_type(cert) == CERT_X509)
222 {
223 x509_t *x509 = (x509_t*)cert;
224 enumerator_t *enumerator;
225
226 enumerator = x509->create_subjectAltName_enumerator(x509);
227 while (enumerator->enumerate(enumerator, &id))
228 {
229 if (id->matches(id, this->server))
230 {
231 enumerator->destroy(enumerator);
232 return TRUE;
233 }
234 }
235 enumerator->destroy(enumerator);
236 }
237 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
238 return FALSE;
239 }
240
241 /**
242 * Process a Certificate message
243 */
244 static status_t process_certificate(private_tls_peer_t *this,
245 bio_reader_t *reader)
246 {
247 certificate_t *cert;
248 bio_reader_t *certs;
249 chunk_t data;
250 bool first = TRUE;
251
252 this->crypto->append_handshake(this->crypto,
253 TLS_CERTIFICATE, reader->peek(reader));
254
255 if (!reader->read_data24(reader, &data))
256 {
257 DBG1(DBG_TLS, "certificate message header invalid");
258 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
259 return NEED_MORE;
260 }
261 certs = bio_reader_create(data);
262 while (certs->remaining(certs))
263 {
264 if (!certs->read_data24(certs, &data))
265 {
266 DBG1(DBG_TLS, "certificate message invalid");
267 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
268 certs->destroy(certs);
269 return NEED_MORE;
270 }
271 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
272 BUILD_BLOB_ASN1_DER, data, BUILD_END);
273 if (cert)
274 {
275 if (first)
276 {
277 if (!check_certificate(this, cert))
278 {
279 cert->destroy(cert);
280 certs->destroy(certs);
281 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
282 return NEED_MORE;
283 }
284 this->server_auth->add(this->server_auth,
285 AUTH_HELPER_SUBJECT_CERT, cert);
286 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
287 cert->get_subject(cert));
288 first = FALSE;
289 }
290 else
291 {
292 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
293 cert->get_subject(cert));
294 this->server_auth->add(this->server_auth,
295 AUTH_HELPER_IM_CERT, cert);
296 }
297 }
298 else
299 {
300 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
301 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
302 }
303 }
304 certs->destroy(certs);
305 this->state = STATE_CERT_RECEIVED;
306 return NEED_MORE;
307 }
308
309 /**
310 * Find a trusted public key to encrypt/verify key exchange data
311 */
312 static public_key_t *find_public_key(private_tls_peer_t *this)
313 {
314 public_key_t *public = NULL, *current;
315 certificate_t *cert, *found;
316 enumerator_t *enumerator;
317 auth_cfg_t *auth;
318
319 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
320 if (cert)
321 {
322 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
323 KEY_ANY, cert->get_subject(cert), this->server_auth);
324 while (enumerator->enumerate(enumerator, &current, &auth))
325 {
326 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
327 if (found && cert->equals(cert, found))
328 {
329 public = current->get_ref(current);
330 this->server_auth->merge(this->server_auth, auth, FALSE);
331 break;
332 }
333 }
334 enumerator->destroy(enumerator);
335 }
336 return public;
337 }
338
339 /**
340 * Process a Key Exchange message using MODP Diffie Hellman
341 */
342 static status_t process_modp_key_exchange(private_tls_peer_t *this,
343 bio_reader_t *reader)
344 {
345 chunk_t prime, generator, pub, chunk;
346 public_key_t *public;
347
348 chunk = reader->peek(reader);
349 if (!reader->read_data16(reader, &prime) ||
350 !reader->read_data16(reader, &generator) ||
351 !reader->read_data16(reader, &pub))
352 {
353 DBG1(DBG_TLS, "received invalid Server Key Exchange");
354 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
355 return NEED_MORE;
356 }
357 public = find_public_key(this);
358 if (!public)
359 {
360 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
361 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
362 return NEED_MORE;
363 }
364
365 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
366 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
367 chunk_from_thing(this->server_random), chunk);
368 if (!this->crypto->verify(this->crypto, public, reader, chunk))
369 {
370 public->destroy(public);
371 free(chunk.ptr);
372 DBG1(DBG_TLS, "verifying DH parameters failed");
373 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
374 return NEED_MORE;
375 }
376 public->destroy(public);
377 free(chunk.ptr);
378
379 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
380 generator, prime);
381 if (!this->dh)
382 {
383 DBG1(DBG_TLS, "custom DH parameters not supported");
384 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
385 return NEED_MORE;
386 }
387 this->dh->set_other_public_value(this->dh, pub);
388
389 this->state = STATE_KEY_EXCHANGE_RECEIVED;
390 return NEED_MORE;
391 }
392
393 /**
394 * Get the EC group for a TLS named curve
395 */
396 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
397 tls_named_curve_t curve)
398 {
399 diffie_hellman_group_t group;
400 tls_named_curve_t current;
401 enumerator_t *enumerator;
402
403 enumerator = this->crypto->create_ec_enumerator(this->crypto);
404 while (enumerator->enumerate(enumerator, &group, &current))
405 {
406 if (current == curve)
407 {
408 enumerator->destroy(enumerator);
409 return group;
410 }
411 }
412 enumerator->destroy(enumerator);
413 return 0;
414 }
415
416 /**
417 * Process a Key Exchange message using EC Diffie Hellman
418 */
419 static status_t process_ec_key_exchange(private_tls_peer_t *this,
420 bio_reader_t *reader)
421 {
422 diffie_hellman_group_t group;
423 public_key_t *public;
424 u_int8_t type;
425 u_int16_t curve;
426 chunk_t pub, chunk;
427
428 chunk = reader->peek(reader);
429 if (!reader->read_uint8(reader, &type))
430 {
431 DBG1(DBG_TLS, "received invalid Server Key Exchange");
432 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
433 return NEED_MORE;
434 }
435 if (type != TLS_ECC_NAMED_CURVE)
436 {
437 DBG1(DBG_TLS, "ECDH curve type %N not supported",
438 tls_ecc_curve_type_names, type);
439 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
440 return NEED_MORE;
441 }
442 if (!reader->read_uint16(reader, &curve) ||
443 !reader->read_data8(reader, &pub) || pub.len == 0)
444 {
445 DBG1(DBG_TLS, "received invalid Server Key Exchange");
446 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
447 return NEED_MORE;
448 }
449
450 group = curve_to_ec_group(this, curve);
451 if (!group)
452 {
453 DBG1(DBG_TLS, "ECDH curve %N not supported",
454 tls_named_curve_names, curve);
455 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
456 return NEED_MORE;
457 }
458
459 public = find_public_key(this);
460 if (!public)
461 {
462 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
463 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
464 return NEED_MORE;
465 }
466
467 chunk.len = 4 + pub.len;
468 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
469 chunk_from_thing(this->server_random), chunk);
470 if (!this->crypto->verify(this->crypto, public, reader, chunk))
471 {
472 public->destroy(public);
473 free(chunk.ptr);
474 DBG1(DBG_TLS, "verifying DH parameters failed");
475 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
476 return NEED_MORE;
477 }
478 public->destroy(public);
479 free(chunk.ptr);
480
481 this->dh = lib->crypto->create_dh(lib->crypto, group);
482 if (!this->dh)
483 {
484 DBG1(DBG_TLS, "DH group %N not supported",
485 diffie_hellman_group_names, group);
486 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
487 return NEED_MORE;
488 }
489
490 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
491 {
492 DBG1(DBG_TLS, "DH point format '%N' not supported",
493 tls_ansi_point_format_names, pub.ptr[0]);
494 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
495 return NEED_MORE;
496 }
497 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
498
499 this->state = STATE_KEY_EXCHANGE_RECEIVED;
500 return NEED_MORE;
501 }
502
503 /**
504 * Process a Server Key Exchange
505 */
506 static status_t process_key_exchange(private_tls_peer_t *this,
507 bio_reader_t *reader)
508 {
509 diffie_hellman_group_t group;
510
511 this->crypto->append_handshake(this->crypto,
512 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
513
514 group = this->crypto->get_dh_group(this->crypto);
515 if (group == MODP_NONE)
516 {
517 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
518 "for current suite");
519 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
520 return NEED_MORE;
521 }
522 if (diffie_hellman_group_is_ec(group))
523 {
524 return process_ec_key_exchange(this, reader);
525 }
526 return process_modp_key_exchange(this, reader);
527 }
528
529 /**
530 * Process a Certificate Request message
531 */
532 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
533 {
534 chunk_t types, hashsig, data;
535 bio_reader_t *authorities;
536 identification_t *id;
537 certificate_t *cert;
538
539 if (!this->peer)
540 {
541 DBG1(DBG_TLS, "server requested a certificate, but client "
542 "authentication disabled");
543 }
544 this->crypto->append_handshake(this->crypto,
545 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
546
547 if (!reader->read_data8(reader, &types))
548 {
549 DBG1(DBG_TLS, "certreq message header invalid");
550 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
551 return NEED_MORE;
552 }
553 this->cert_types = chunk_clone(types);
554 if (this->tls->get_version(this->tls) >= TLS_1_2)
555 {
556 if (!reader->read_data16(reader, &hashsig))
557 {
558 DBG1(DBG_TLS, "certreq message invalid");
559 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
560 return NEED_MORE;
561 }
562 this->hashsig = chunk_clone(hashsig);
563 }
564 if (!reader->read_data16(reader, &data))
565 {
566 DBG1(DBG_TLS, "certreq message invalid");
567 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
568 return NEED_MORE;
569 }
570 authorities = bio_reader_create(data);
571 while (authorities->remaining(authorities))
572 {
573 if (!authorities->read_data16(authorities, &data))
574 {
575 DBG1(DBG_TLS, "certreq message invalid");
576 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
577 authorities->destroy(authorities);
578 return NEED_MORE;
579 }
580 if (this->peer)
581 {
582 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
583 cert = lib->credmgr->get_cert(lib->credmgr,
584 CERT_X509, KEY_ANY, id, TRUE);
585 if (cert)
586 {
587 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
588 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
589 }
590 else
591 {
592 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
593 }
594 id->destroy(id);
595 }
596 }
597 authorities->destroy(authorities);
598 this->state = STATE_CERTREQ_RECEIVED;
599 return NEED_MORE;
600 }
601
602 /**
603 * Process Hello Done message
604 */
605 static status_t process_hello_done(private_tls_peer_t *this,
606 bio_reader_t *reader)
607 {
608 this->crypto->append_handshake(this->crypto,
609 TLS_SERVER_HELLO_DONE, reader->peek(reader));
610 this->state = STATE_HELLO_DONE;
611 return NEED_MORE;
612 }
613
614 /**
615 * Process finished message
616 */
617 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
618 {
619 chunk_t received;
620 char buf[12];
621
622 if (!reader->read_data(reader, sizeof(buf), &received))
623 {
624 DBG1(DBG_TLS, "received server finished too short");
625 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
626 return NEED_MORE;
627 }
628 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
629 {
630 DBG1(DBG_TLS, "calculating server finished failed");
631 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
632 return NEED_MORE;
633 }
634 if (!chunk_equals(received, chunk_from_thing(buf)))
635 {
636 DBG1(DBG_TLS, "received server finished invalid");
637 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
638 return NEED_MORE;
639 }
640 this->state = STATE_FINISHED_RECEIVED;
641 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
642
643 return NEED_MORE;
644 }
645
646 METHOD(tls_handshake_t, process, status_t,
647 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
648 {
649 tls_handshake_type_t expected;
650
651 switch (this->state)
652 {
653 case STATE_HELLO_SENT:
654 if (type == TLS_SERVER_HELLO)
655 {
656 return process_server_hello(this, reader);
657 }
658 expected = TLS_SERVER_HELLO;
659 break;
660 case STATE_HELLO_RECEIVED:
661 if (type == TLS_CERTIFICATE)
662 {
663 return process_certificate(this, reader);
664 }
665 expected = TLS_CERTIFICATE;
666 break;
667 case STATE_CERT_RECEIVED:
668 if (type == TLS_SERVER_KEY_EXCHANGE)
669 {
670 return process_key_exchange(this, reader);
671 }
672 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
673 case STATE_KEY_EXCHANGE_RECEIVED:
674 if (type == TLS_CERTIFICATE_REQUEST)
675 {
676 return process_certreq(this, reader);
677 }
678 /* no cert request, server does not want to authenticate us */
679 DESTROY_IF(this->peer);
680 this->peer = NULL;
681 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
682 case STATE_CERTREQ_RECEIVED:
683 if (type == TLS_SERVER_HELLO_DONE)
684 {
685 return process_hello_done(this, reader);
686 }
687 expected = TLS_SERVER_HELLO_DONE;
688 break;
689 case STATE_CIPHERSPEC_CHANGED_IN:
690 if (type == TLS_FINISHED)
691 {
692 return process_finished(this, reader);
693 }
694 expected = TLS_FINISHED;
695 break;
696 default:
697 DBG1(DBG_TLS, "TLS %N not expected in current state",
698 tls_handshake_type_names, type);
699 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
700 return NEED_MORE;
701 }
702 DBG1(DBG_TLS, "TLS %N expected, but received %N",
703 tls_handshake_type_names, expected, tls_handshake_type_names, type);
704 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
705 return NEED_MORE;
706 }
707
708 /**
709 * Send a client hello
710 */
711 static status_t send_client_hello(private_tls_peer_t *this,
712 tls_handshake_type_t *type, bio_writer_t *writer)
713 {
714 tls_cipher_suite_t *suites;
715 bio_writer_t *extensions, *curves = NULL;
716 tls_version_t version;
717 tls_named_curve_t curve;
718 enumerator_t *enumerator;
719 int count, i;
720 rng_t *rng;
721
722 htoun32(&this->client_random, time(NULL));
723 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
724 if (!rng ||
725 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
726 this->client_random + 4))
727 {
728 DBG1(DBG_TLS, "failed to generate client random");
729 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
730 DESTROY_IF(rng);
731 return NEED_MORE;
732 }
733 rng->destroy(rng);
734
735 /* TLS version */
736 version = this->tls->get_version(this->tls);
737 this->hello_version = version;
738 writer->write_uint16(writer, version);
739 writer->write_data(writer, chunk_from_thing(this->client_random));
740
741 /* session identifier */
742 this->session = this->crypto->get_session(this->crypto, this->server);
743 writer->write_data8(writer, this->session);
744
745 /* add TLS cipher suites */
746 count = this->crypto->get_cipher_suites(this->crypto, &suites);
747 writer->write_uint16(writer, count * 2);
748 for (i = 0; i < count; i++)
749 {
750 writer->write_uint16(writer, suites[i]);
751 }
752
753 /* NULL compression only */
754 writer->write_uint8(writer, 1);
755 writer->write_uint8(writer, 0);
756
757 extensions = bio_writer_create(32);
758
759 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
760 this->crypto->get_signature_algorithms(this->crypto, extensions);
761
762 /* add supported Elliptic Curves, if any */
763 enumerator = this->crypto->create_ec_enumerator(this->crypto);
764 while (enumerator->enumerate(enumerator, NULL, &curve))
765 {
766 if (!curves)
767 {
768 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
769 curves = bio_writer_create(16);
770 }
771 curves->write_uint16(curves, curve);
772 }
773 enumerator->destroy(enumerator);
774 if (curves)
775 {
776 curves->wrap16(curves);
777 extensions->write_data16(extensions, curves->get_buf(curves));
778 curves->destroy(curves);
779
780 /* if we support curves, add point format extension */
781 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
782 extensions->write_uint16(extensions, 2);
783 extensions->write_uint8(extensions, 1);
784 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
785 }
786 if (this->server->get_type(this->server) == ID_FQDN)
787 {
788 bio_writer_t *names;
789
790 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
791
792 names = bio_writer_create(8);
793 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
794 names->write_data16(names, this->server->get_encoding(this->server));
795 names->wrap16(names);
796 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
797 extensions->write_data16(extensions, names->get_buf(names));
798 names->destroy(names);
799 }
800
801 writer->write_data16(writer, extensions->get_buf(extensions));
802 extensions->destroy(extensions);
803
804 *type = TLS_CLIENT_HELLO;
805 this->state = STATE_HELLO_SENT;
806 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
807 return NEED_MORE;
808 }
809
810 /**
811 * Find a private key suitable to sign Certificate Verify
812 */
813 static private_key_t *find_private_key(private_tls_peer_t *this)
814 {
815 private_key_t *key = NULL;
816 bio_reader_t *reader;
817 key_type_t type;
818 u_int8_t cert;
819
820 if (!this->peer)
821 {
822 return NULL;
823 }
824 reader = bio_reader_create(this->cert_types);
825 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
826 {
827 switch (cert)
828 {
829 case TLS_RSA_SIGN:
830 type = KEY_RSA;
831 break;
832 case TLS_ECDSA_SIGN:
833 type = KEY_ECDSA;
834 break;
835 default:
836 continue;
837 }
838 key = lib->credmgr->get_private(lib->credmgr, type,
839 this->peer, this->peer_auth);
840 if (key)
841 {
842 break;
843 }
844 }
845 reader->destroy(reader);
846 return key;
847 }
848
849 /**
850 * Send Certificate
851 */
852 static status_t send_certificate(private_tls_peer_t *this,
853 tls_handshake_type_t *type, bio_writer_t *writer)
854 {
855 enumerator_t *enumerator;
856 certificate_t *cert;
857 auth_rule_t rule;
858 bio_writer_t *certs;
859 chunk_t data;
860
861 this->private = find_private_key(this);
862 if (!this->private)
863 {
864 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
865 "skipping client authentication", this->peer);
866 this->peer->destroy(this->peer);
867 this->peer = NULL;
868 }
869
870 /* generate certificate payload */
871 certs = bio_writer_create(256);
872 if (this->peer)
873 {
874 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
875 if (cert)
876 {
877 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
878 {
879 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
880 cert->get_subject(cert));
881 certs->write_data24(certs, data);
882 free(data.ptr);
883 }
884 }
885 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
886 while (enumerator->enumerate(enumerator, &rule, &cert))
887 {
888 if (rule == AUTH_RULE_IM_CERT)
889 {
890 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
891 {
892 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
893 cert->get_subject(cert));
894 certs->write_data24(certs, data);
895 free(data.ptr);
896 }
897 }
898 }
899 enumerator->destroy(enumerator);
900 }
901
902 writer->write_data24(writer, certs->get_buf(certs));
903 certs->destroy(certs);
904
905 *type = TLS_CERTIFICATE;
906 this->state = STATE_CERT_SENT;
907 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
908 return NEED_MORE;
909 }
910
911 /**
912 * Send client key exchange, using premaster encryption
913 */
914 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
915 tls_handshake_type_t *type, bio_writer_t *writer)
916 {
917 public_key_t *public;
918 rng_t *rng;
919 char premaster[48];
920 chunk_t encrypted;
921
922 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
923 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
924 {
925 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
926 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
927 DESTROY_IF(rng);
928 return NEED_MORE;
929 }
930 rng->destroy(rng);
931 htoun16(premaster, this->hello_version);
932
933 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
934 this->session, this->server,
935 chunk_from_thing(this->client_random),
936 chunk_from_thing(this->server_random)))
937 {
938 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
939 return NEED_MORE;
940 }
941
942 public = find_public_key(this);
943 if (!public)
944 {
945 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
946 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
947 return NEED_MORE;
948 }
949 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
950 chunk_from_thing(premaster), &encrypted))
951 {
952 public->destroy(public);
953 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
954 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
955 return NEED_MORE;
956 }
957 public->destroy(public);
958
959 writer->write_data16(writer, encrypted);
960 free(encrypted.ptr);
961
962 *type = TLS_CLIENT_KEY_EXCHANGE;
963 this->state = STATE_KEY_EXCHANGE_SENT;
964 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
965 return NEED_MORE;
966 }
967
968 /**
969 * Send client key exchange, using DHE exchange
970 */
971 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
972 tls_handshake_type_t *type, bio_writer_t *writer)
973 {
974 chunk_t premaster, pub;
975
976 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
977 {
978 DBG1(DBG_TLS, "calculating premaster from DH failed");
979 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
980 return NEED_MORE;
981 }
982 if (!this->crypto->derive_secrets(this->crypto, premaster,
983 this->session, this->server,
984 chunk_from_thing(this->client_random),
985 chunk_from_thing(this->server_random)))
986 {
987 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
988 chunk_clear(&premaster);
989 return NEED_MORE;
990 }
991 chunk_clear(&premaster);
992
993 this->dh->get_my_public_value(this->dh, &pub);
994 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
995 {
996 writer->write_data16(writer, pub);
997 }
998 else
999 { /* ECP uses 8bit length header only, but a point format */
1000 writer->write_uint8(writer, pub.len + 1);
1001 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1002 writer->write_data(writer, pub);
1003 }
1004 free(pub.ptr);
1005
1006 *type = TLS_CLIENT_KEY_EXCHANGE;
1007 this->state = STATE_KEY_EXCHANGE_SENT;
1008 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1009 return NEED_MORE;
1010 }
1011
1012 /**
1013 * Send client key exchange, depending on suite
1014 */
1015 static status_t send_key_exchange(private_tls_peer_t *this,
1016 tls_handshake_type_t *type, bio_writer_t *writer)
1017 {
1018 if (this->dh)
1019 {
1020 return send_key_exchange_dhe(this, type, writer);
1021 }
1022 return send_key_exchange_encrypt(this, type, writer);
1023 }
1024
1025 /**
1026 * Send certificate verify
1027 */
1028 static status_t send_certificate_verify(private_tls_peer_t *this,
1029 tls_handshake_type_t *type, bio_writer_t *writer)
1030 {
1031 if (!this->private ||
1032 !this->crypto->sign_handshake(this->crypto, this->private,
1033 writer, this->hashsig))
1034 {
1035 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1036 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1037 return NEED_MORE;
1038 }
1039
1040 *type = TLS_CERTIFICATE_VERIFY;
1041 this->state = STATE_VERIFY_SENT;
1042 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1043 return NEED_MORE;
1044 }
1045
1046 /**
1047 * Send Finished
1048 */
1049 static status_t send_finished(private_tls_peer_t *this,
1050 tls_handshake_type_t *type, bio_writer_t *writer)
1051 {
1052 char buf[12];
1053
1054 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1055 {
1056 DBG1(DBG_TLS, "calculating client finished data failed");
1057 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1058 return NEED_MORE;
1059 }
1060
1061 writer->write_data(writer, chunk_from_thing(buf));
1062
1063 *type = TLS_FINISHED;
1064 this->state = STATE_FINISHED_SENT;
1065 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1066 return NEED_MORE;
1067 }
1068
1069 METHOD(tls_handshake_t, build, status_t,
1070 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1071 {
1072 switch (this->state)
1073 {
1074 case STATE_INIT:
1075 return send_client_hello(this, type, writer);
1076 case STATE_HELLO_DONE:
1077 if (this->peer)
1078 {
1079 return send_certificate(this, type, writer);
1080 }
1081 /* otherwise fall through to next state */
1082 case STATE_CERT_SENT:
1083 return send_key_exchange(this, type, writer);
1084 case STATE_KEY_EXCHANGE_SENT:
1085 if (this->peer)
1086 {
1087 return send_certificate_verify(this, type, writer);
1088 }
1089 else
1090 {
1091 return INVALID_STATE;
1092 }
1093 case STATE_CIPHERSPEC_CHANGED_OUT:
1094 return send_finished(this, type, writer);
1095 default:
1096 return INVALID_STATE;
1097 }
1098 }
1099
1100 METHOD(tls_handshake_t, cipherspec_changed, bool,
1101 private_tls_peer_t *this, bool inbound)
1102 {
1103 if (inbound)
1104 {
1105 if (this->resume)
1106 {
1107 return this->state == STATE_HELLO_RECEIVED;
1108 }
1109 return this->state == STATE_FINISHED_SENT;
1110 }
1111 else
1112 {
1113 if (this->resume)
1114 {
1115 return this->state == STATE_FINISHED_RECEIVED;
1116 }
1117 if (this->peer)
1118 {
1119 return this->state == STATE_VERIFY_SENT;
1120 }
1121 return this->state == STATE_KEY_EXCHANGE_SENT;
1122 }
1123 }
1124
1125 METHOD(tls_handshake_t, change_cipherspec, void,
1126 private_tls_peer_t *this, bool inbound)
1127 {
1128 this->crypto->change_cipher(this->crypto, inbound);
1129 if (inbound)
1130 {
1131 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1132 }
1133 else
1134 {
1135 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1136 }
1137 }
1138
1139 METHOD(tls_handshake_t, finished, bool,
1140 private_tls_peer_t *this)
1141 {
1142 if (this->resume)
1143 {
1144 return this->state == STATE_FINISHED_SENT;
1145 }
1146 return this->state == STATE_FINISHED_RECEIVED;
1147 }
1148
1149 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1150 private_tls_peer_t *this)
1151 {
1152 return this->peer;
1153 }
1154
1155 METHOD(tls_handshake_t, get_server_id, identification_t*,
1156 private_tls_peer_t *this)
1157 {
1158 return this->server;
1159 }
1160
1161 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1162 private_tls_peer_t *this)
1163 {
1164 return this->server_auth;
1165 }
1166
1167 METHOD(tls_handshake_t, destroy, void,
1168 private_tls_peer_t *this)
1169 {
1170 DESTROY_IF(this->private);
1171 DESTROY_IF(this->dh);
1172 DESTROY_IF(this->peer);
1173 this->server->destroy(this->server);
1174 this->peer_auth->destroy(this->peer_auth);
1175 this->server_auth->destroy(this->server_auth);
1176 free(this->hashsig.ptr);
1177 free(this->cert_types.ptr);
1178 free(this->session.ptr);
1179 free(this);
1180 }
1181
1182 /**
1183 * See header
1184 */
1185 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1186 identification_t *peer, identification_t *server)
1187 {
1188 private_tls_peer_t *this;
1189
1190 INIT(this,
1191 .public = {
1192 .handshake = {
1193 .process = _process,
1194 .build = _build,
1195 .cipherspec_changed = _cipherspec_changed,
1196 .change_cipherspec = _change_cipherspec,
1197 .finished = _finished,
1198 .get_peer_id = _get_peer_id,
1199 .get_server_id = _get_server_id,
1200 .get_auth = _get_auth,
1201 .destroy = _destroy,
1202 },
1203 },
1204 .state = STATE_INIT,
1205 .tls = tls,
1206 .crypto = crypto,
1207 .alert = alert,
1208 .peer = peer ? peer->clone(peer) : NULL,
1209 .server = server->clone(server),
1210 .peer_auth = auth_cfg_create(),
1211 .server_auth = auth_cfg_create(),
1212 );
1213
1214 return &this->public;
1215 }