Merge branch 'tls-aead'
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * TLS version we offered in hello
84 */
85 tls_version_t hello_version;
86
87 /**
88 * Hello random data selected by client
89 */
90 char client_random[32];
91
92 /**
93 * Hello random data selected by server
94 */
95 char server_random[32];
96
97 /**
98 * Auth helper for peer authentication
99 */
100 auth_cfg_t *peer_auth;
101
102 /**
103 * Auth helper for server authentication
104 */
105 auth_cfg_t *server_auth;
106
107 /**
108 * Peer private key
109 */
110 private_key_t *private;
111
112 /**
113 * DHE exchange
114 */
115 diffie_hellman_t *dh;
116
117 /**
118 * Resuming a session?
119 */
120 bool resume;
121
122 /**
123 * TLS session identifier
124 */
125 chunk_t session;
126
127 /**
128 * List of server-supported hashsig algorithms
129 */
130 chunk_t hashsig;
131
132 /**
133 * List of server-supported client certificate types
134 */
135 chunk_t cert_types;
136 };
137
138 /**
139 * Process a server hello message
140 */
141 static status_t process_server_hello(private_tls_peer_t *this,
142 bio_reader_t *reader)
143 {
144 u_int8_t compression;
145 u_int16_t version, cipher;
146 chunk_t random, session, ext = chunk_empty;
147 tls_cipher_suite_t suite = 0;
148
149 this->crypto->append_handshake(this->crypto,
150 TLS_SERVER_HELLO, reader->peek(reader));
151
152 if (!reader->read_uint16(reader, &version) ||
153 !reader->read_data(reader, sizeof(this->server_random), &random) ||
154 !reader->read_data8(reader, &session) ||
155 !reader->read_uint16(reader, &cipher) ||
156 !reader->read_uint8(reader, &compression) ||
157 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
158 {
159 DBG1(DBG_TLS, "received invalid ServerHello");
160 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
161 return NEED_MORE;
162 }
163
164 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
165
166 if (!this->tls->set_version(this->tls, version))
167 {
168 DBG1(DBG_TLS, "negotiated version %N not supported",
169 tls_version_names, version);
170 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
171 return NEED_MORE;
172 }
173
174 if (chunk_equals(this->session, session))
175 {
176 suite = this->crypto->resume_session(this->crypto, session, this->server,
177 chunk_from_thing(this->client_random),
178 chunk_from_thing(this->server_random));
179 if (suite)
180 {
181 DBG1(DBG_TLS, "resumed %N using suite %N",
182 tls_version_names, version, tls_cipher_suite_names, suite);
183 this->resume = TRUE;
184 }
185 }
186 if (!suite)
187 {
188 suite = cipher;
189 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
190 {
191 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
192 tls_cipher_suite_names, suite);
193 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
194 return NEED_MORE;
195 }
196 DBG1(DBG_TLS, "negotiated %N using suite %N",
197 tls_version_names, version, tls_cipher_suite_names, suite);
198 free(this->session.ptr);
199 this->session = chunk_clone(session);
200 }
201 this->state = STATE_HELLO_RECEIVED;
202 return NEED_MORE;
203 }
204
205 /**
206 * Check if a server certificate is acceptable for the given server identity
207 */
208 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
209 {
210 identification_t *id;
211
212 if (cert->has_subject(cert, this->server))
213 {
214 return TRUE;
215 }
216 id = cert->get_subject(cert);
217 if (id->matches(id, this->server))
218 {
219 return TRUE;
220 }
221 if (cert->get_type(cert) == CERT_X509)
222 {
223 x509_t *x509 = (x509_t*)cert;
224 enumerator_t *enumerator;
225
226 enumerator = x509->create_subjectAltName_enumerator(x509);
227 while (enumerator->enumerate(enumerator, &id))
228 {
229 if (id->matches(id, this->server))
230 {
231 enumerator->destroy(enumerator);
232 return TRUE;
233 }
234 }
235 enumerator->destroy(enumerator);
236 }
237 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
238 return FALSE;
239 }
240
241 /**
242 * Process a Certificate message
243 */
244 static status_t process_certificate(private_tls_peer_t *this,
245 bio_reader_t *reader)
246 {
247 certificate_t *cert;
248 bio_reader_t *certs;
249 chunk_t data;
250 bool first = TRUE;
251
252 this->crypto->append_handshake(this->crypto,
253 TLS_CERTIFICATE, reader->peek(reader));
254
255 if (!reader->read_data24(reader, &data))
256 {
257 DBG1(DBG_TLS, "certificate message header invalid");
258 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
259 return NEED_MORE;
260 }
261 certs = bio_reader_create(data);
262 while (certs->remaining(certs))
263 {
264 if (!certs->read_data24(certs, &data))
265 {
266 DBG1(DBG_TLS, "certificate message invalid");
267 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
268 certs->destroy(certs);
269 return NEED_MORE;
270 }
271 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
272 BUILD_BLOB_ASN1_DER, data, BUILD_END);
273 if (cert)
274 {
275 if (first)
276 {
277 if (!check_certificate(this, cert))
278 {
279 cert->destroy(cert);
280 certs->destroy(certs);
281 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
282 return NEED_MORE;
283 }
284 this->server_auth->add(this->server_auth,
285 AUTH_HELPER_SUBJECT_CERT, cert);
286 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
287 cert->get_subject(cert));
288 first = FALSE;
289 }
290 else
291 {
292 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
293 cert->get_subject(cert));
294 this->server_auth->add(this->server_auth,
295 AUTH_HELPER_IM_CERT, cert);
296 }
297 }
298 else
299 {
300 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
301 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
302 }
303 }
304 certs->destroy(certs);
305 this->state = STATE_CERT_RECEIVED;
306 return NEED_MORE;
307 }
308
309 /**
310 * Find a trusted public key to encrypt/verify key exchange data
311 */
312 static public_key_t *find_public_key(private_tls_peer_t *this)
313 {
314 public_key_t *public = NULL, *current;
315 certificate_t *cert;
316 enumerator_t *enumerator;
317 auth_cfg_t *auth;
318
319 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
320 if (cert)
321 {
322 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
323 KEY_ANY, cert->get_subject(cert), this->server_auth);
324 while (enumerator->enumerate(enumerator, &current, &auth))
325 {
326 public = current->get_ref(current);
327 break;
328 }
329 enumerator->destroy(enumerator);
330 }
331 return public;
332 }
333
334 /**
335 * Process a Key Exchange message using MODP Diffie Hellman
336 */
337 static status_t process_modp_key_exchange(private_tls_peer_t *this,
338 bio_reader_t *reader)
339 {
340 chunk_t prime, generator, pub, chunk;
341 public_key_t *public;
342
343 chunk = reader->peek(reader);
344 if (!reader->read_data16(reader, &prime) ||
345 !reader->read_data16(reader, &generator) ||
346 !reader->read_data16(reader, &pub))
347 {
348 DBG1(DBG_TLS, "received invalid Server Key Exchange");
349 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
350 return NEED_MORE;
351 }
352 public = find_public_key(this);
353 if (!public)
354 {
355 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
356 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
357 return NEED_MORE;
358 }
359
360 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
361 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
362 chunk_from_thing(this->server_random), chunk);
363 if (!this->crypto->verify(this->crypto, public, reader, chunk))
364 {
365 public->destroy(public);
366 free(chunk.ptr);
367 DBG1(DBG_TLS, "verifying DH parameters failed");
368 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
369 return NEED_MORE;
370 }
371 public->destroy(public);
372 free(chunk.ptr);
373
374 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
375 generator, prime);
376 if (!this->dh)
377 {
378 DBG1(DBG_TLS, "custom DH parameters not supported");
379 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
380 return NEED_MORE;
381 }
382 this->dh->set_other_public_value(this->dh, pub);
383
384 this->state = STATE_KEY_EXCHANGE_RECEIVED;
385 return NEED_MORE;
386 }
387
388 /**
389 * Get the EC group for a TLS named curve
390 */
391 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
392 tls_named_curve_t curve)
393 {
394 diffie_hellman_group_t group;
395 tls_named_curve_t current;
396 enumerator_t *enumerator;
397
398 enumerator = this->crypto->create_ec_enumerator(this->crypto);
399 while (enumerator->enumerate(enumerator, &group, &current))
400 {
401 if (current == curve)
402 {
403 enumerator->destroy(enumerator);
404 return group;
405 }
406 }
407 enumerator->destroy(enumerator);
408 return 0;
409 }
410
411 /**
412 * Process a Key Exchange message using EC Diffie Hellman
413 */
414 static status_t process_ec_key_exchange(private_tls_peer_t *this,
415 bio_reader_t *reader)
416 {
417 diffie_hellman_group_t group;
418 public_key_t *public;
419 u_int8_t type;
420 u_int16_t curve;
421 chunk_t pub, chunk;
422
423 chunk = reader->peek(reader);
424 if (!reader->read_uint8(reader, &type))
425 {
426 DBG1(DBG_TLS, "received invalid Server Key Exchange");
427 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
428 return NEED_MORE;
429 }
430 if (type != TLS_ECC_NAMED_CURVE)
431 {
432 DBG1(DBG_TLS, "ECDH curve type %N not supported",
433 tls_ecc_curve_type_names, type);
434 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
435 return NEED_MORE;
436 }
437 if (!reader->read_uint16(reader, &curve) ||
438 !reader->read_data8(reader, &pub) || pub.len == 0)
439 {
440 DBG1(DBG_TLS, "received invalid Server Key Exchange");
441 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
442 return NEED_MORE;
443 }
444
445 group = curve_to_ec_group(this, curve);
446 if (!group)
447 {
448 DBG1(DBG_TLS, "ECDH curve %N not supported",
449 tls_named_curve_names, curve);
450 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
451 return NEED_MORE;
452 }
453
454 public = find_public_key(this);
455 if (!public)
456 {
457 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
458 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
459 return NEED_MORE;
460 }
461
462 chunk.len = 4 + pub.len;
463 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
464 chunk_from_thing(this->server_random), chunk);
465 if (!this->crypto->verify(this->crypto, public, reader, chunk))
466 {
467 public->destroy(public);
468 free(chunk.ptr);
469 DBG1(DBG_TLS, "verifying DH parameters failed");
470 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
471 return NEED_MORE;
472 }
473 public->destroy(public);
474 free(chunk.ptr);
475
476 this->dh = lib->crypto->create_dh(lib->crypto, group);
477 if (!this->dh)
478 {
479 DBG1(DBG_TLS, "DH group %N not supported",
480 diffie_hellman_group_names, group);
481 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
482 return NEED_MORE;
483 }
484
485 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
486 {
487 DBG1(DBG_TLS, "DH point format '%N' not supported",
488 tls_ansi_point_format_names, pub.ptr[0]);
489 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
490 return NEED_MORE;
491 }
492 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
493
494 this->state = STATE_KEY_EXCHANGE_RECEIVED;
495 return NEED_MORE;
496 }
497
498 /**
499 * Process a Server Key Exchange
500 */
501 static status_t process_key_exchange(private_tls_peer_t *this,
502 bio_reader_t *reader)
503 {
504 diffie_hellman_group_t group;
505
506 this->crypto->append_handshake(this->crypto,
507 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
508
509 group = this->crypto->get_dh_group(this->crypto);
510 if (group == MODP_NONE)
511 {
512 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
513 "for current suite");
514 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
515 return NEED_MORE;
516 }
517 if (diffie_hellman_group_is_ec(group))
518 {
519 return process_ec_key_exchange(this, reader);
520 }
521 return process_modp_key_exchange(this, reader);
522 }
523
524 /**
525 * Process a Certificate Request message
526 */
527 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
528 {
529 chunk_t types, hashsig, data;
530 bio_reader_t *authorities;
531 identification_t *id;
532 certificate_t *cert;
533
534 if (!this->peer)
535 {
536 DBG1(DBG_TLS, "server requested a certificate, but client "
537 "authentication disabled");
538 }
539 this->crypto->append_handshake(this->crypto,
540 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
541
542 if (!reader->read_data8(reader, &types))
543 {
544 DBG1(DBG_TLS, "certreq message header invalid");
545 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
546 return NEED_MORE;
547 }
548 this->cert_types = chunk_clone(types);
549 if (this->tls->get_version(this->tls) >= TLS_1_2)
550 {
551 if (!reader->read_data16(reader, &hashsig))
552 {
553 DBG1(DBG_TLS, "certreq message invalid");
554 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
555 return NEED_MORE;
556 }
557 this->hashsig = chunk_clone(hashsig);
558 }
559 if (!reader->read_data16(reader, &data))
560 {
561 DBG1(DBG_TLS, "certreq message invalid");
562 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
563 return NEED_MORE;
564 }
565 authorities = bio_reader_create(data);
566 while (authorities->remaining(authorities))
567 {
568 if (!authorities->read_data16(authorities, &data))
569 {
570 DBG1(DBG_TLS, "certreq message invalid");
571 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
572 authorities->destroy(authorities);
573 return NEED_MORE;
574 }
575 if (this->peer)
576 {
577 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
578 cert = lib->credmgr->get_cert(lib->credmgr,
579 CERT_X509, KEY_ANY, id, TRUE);
580 if (cert)
581 {
582 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
583 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
584 }
585 else
586 {
587 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
588 }
589 id->destroy(id);
590 }
591 }
592 authorities->destroy(authorities);
593 this->state = STATE_CERTREQ_RECEIVED;
594 return NEED_MORE;
595 }
596
597 /**
598 * Process Hello Done message
599 */
600 static status_t process_hello_done(private_tls_peer_t *this,
601 bio_reader_t *reader)
602 {
603 this->crypto->append_handshake(this->crypto,
604 TLS_SERVER_HELLO_DONE, reader->peek(reader));
605 this->state = STATE_HELLO_DONE;
606 return NEED_MORE;
607 }
608
609 /**
610 * Process finished message
611 */
612 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
613 {
614 chunk_t received;
615 char buf[12];
616
617 if (!reader->read_data(reader, sizeof(buf), &received))
618 {
619 DBG1(DBG_TLS, "received server finished too short");
620 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
621 return NEED_MORE;
622 }
623 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
624 {
625 DBG1(DBG_TLS, "calculating server finished failed");
626 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
627 return NEED_MORE;
628 }
629 if (!chunk_equals(received, chunk_from_thing(buf)))
630 {
631 DBG1(DBG_TLS, "received server finished invalid");
632 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
633 return NEED_MORE;
634 }
635 this->state = STATE_FINISHED_RECEIVED;
636 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
637
638 return NEED_MORE;
639 }
640
641 METHOD(tls_handshake_t, process, status_t,
642 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
643 {
644 tls_handshake_type_t expected;
645
646 switch (this->state)
647 {
648 case STATE_HELLO_SENT:
649 if (type == TLS_SERVER_HELLO)
650 {
651 return process_server_hello(this, reader);
652 }
653 expected = TLS_SERVER_HELLO;
654 break;
655 case STATE_HELLO_RECEIVED:
656 if (type == TLS_CERTIFICATE)
657 {
658 return process_certificate(this, reader);
659 }
660 expected = TLS_CERTIFICATE;
661 break;
662 case STATE_CERT_RECEIVED:
663 if (type == TLS_SERVER_KEY_EXCHANGE)
664 {
665 return process_key_exchange(this, reader);
666 }
667 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
668 case STATE_KEY_EXCHANGE_RECEIVED:
669 if (type == TLS_CERTIFICATE_REQUEST)
670 {
671 return process_certreq(this, reader);
672 }
673 /* no cert request, server does not want to authenticate us */
674 DESTROY_IF(this->peer);
675 this->peer = NULL;
676 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
677 case STATE_CERTREQ_RECEIVED:
678 if (type == TLS_SERVER_HELLO_DONE)
679 {
680 return process_hello_done(this, reader);
681 }
682 expected = TLS_SERVER_HELLO_DONE;
683 break;
684 case STATE_CIPHERSPEC_CHANGED_IN:
685 if (type == TLS_FINISHED)
686 {
687 return process_finished(this, reader);
688 }
689 expected = TLS_FINISHED;
690 break;
691 default:
692 DBG1(DBG_TLS, "TLS %N not expected in current state",
693 tls_handshake_type_names, type);
694 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
695 return NEED_MORE;
696 }
697 DBG1(DBG_TLS, "TLS %N expected, but received %N",
698 tls_handshake_type_names, expected, tls_handshake_type_names, type);
699 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
700 return NEED_MORE;
701 }
702
703 /**
704 * Send a client hello
705 */
706 static status_t send_client_hello(private_tls_peer_t *this,
707 tls_handshake_type_t *type, bio_writer_t *writer)
708 {
709 tls_cipher_suite_t *suites;
710 bio_writer_t *extensions, *curves = NULL;
711 tls_version_t version;
712 tls_named_curve_t curve;
713 enumerator_t *enumerator;
714 int count, i;
715 rng_t *rng;
716
717 htoun32(&this->client_random, time(NULL));
718 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
719 if (!rng ||
720 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
721 this->client_random + 4))
722 {
723 DBG1(DBG_TLS, "failed to generate client random");
724 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
725 DESTROY_IF(rng);
726 return NEED_MORE;
727 }
728 rng->destroy(rng);
729
730 /* TLS version */
731 version = this->tls->get_version(this->tls);
732 this->hello_version = version;
733 writer->write_uint16(writer, version);
734 writer->write_data(writer, chunk_from_thing(this->client_random));
735
736 /* session identifier */
737 this->session = this->crypto->get_session(this->crypto, this->server);
738 writer->write_data8(writer, this->session);
739
740 /* add TLS cipher suites */
741 count = this->crypto->get_cipher_suites(this->crypto, &suites);
742 writer->write_uint16(writer, count * 2);
743 for (i = 0; i < count; i++)
744 {
745 writer->write_uint16(writer, suites[i]);
746 }
747
748 /* NULL compression only */
749 writer->write_uint8(writer, 1);
750 writer->write_uint8(writer, 0);
751
752 extensions = bio_writer_create(32);
753
754 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
755 this->crypto->get_signature_algorithms(this->crypto, extensions);
756
757 /* add supported Elliptic Curves, if any */
758 enumerator = this->crypto->create_ec_enumerator(this->crypto);
759 while (enumerator->enumerate(enumerator, NULL, &curve))
760 {
761 if (!curves)
762 {
763 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
764 curves = bio_writer_create(16);
765 }
766 curves->write_uint16(curves, curve);
767 }
768 enumerator->destroy(enumerator);
769 if (curves)
770 {
771 curves->wrap16(curves);
772 extensions->write_data16(extensions, curves->get_buf(curves));
773 curves->destroy(curves);
774
775 /* if we support curves, add point format extension */
776 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
777 extensions->write_uint16(extensions, 2);
778 extensions->write_uint8(extensions, 1);
779 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
780 }
781 if (this->server->get_type(this->server) == ID_FQDN)
782 {
783 bio_writer_t *names;
784
785 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
786
787 names = bio_writer_create(8);
788 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
789 names->write_data16(names, this->server->get_encoding(this->server));
790 names->wrap16(names);
791 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
792 extensions->write_data16(extensions, names->get_buf(names));
793 names->destroy(names);
794 }
795
796 writer->write_data16(writer, extensions->get_buf(extensions));
797 extensions->destroy(extensions);
798
799 *type = TLS_CLIENT_HELLO;
800 this->state = STATE_HELLO_SENT;
801 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
802 return NEED_MORE;
803 }
804
805 /**
806 * Find a private key suitable to sign Certificate Verify
807 */
808 static private_key_t *find_private_key(private_tls_peer_t *this)
809 {
810 private_key_t *key = NULL;
811 bio_reader_t *reader;
812 key_type_t type;
813 u_int8_t cert;
814
815 if (!this->peer)
816 {
817 return NULL;
818 }
819 reader = bio_reader_create(this->cert_types);
820 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
821 {
822 switch (cert)
823 {
824 case TLS_RSA_SIGN:
825 type = KEY_RSA;
826 break;
827 case TLS_ECDSA_SIGN:
828 type = KEY_ECDSA;
829 break;
830 default:
831 continue;
832 }
833 key = lib->credmgr->get_private(lib->credmgr, type,
834 this->peer, this->peer_auth);
835 if (key)
836 {
837 break;
838 }
839 }
840 reader->destroy(reader);
841 return key;
842 }
843
844 /**
845 * Send Certificate
846 */
847 static status_t send_certificate(private_tls_peer_t *this,
848 tls_handshake_type_t *type, bio_writer_t *writer)
849 {
850 enumerator_t *enumerator;
851 certificate_t *cert;
852 auth_rule_t rule;
853 bio_writer_t *certs;
854 chunk_t data;
855
856 this->private = find_private_key(this);
857 if (!this->private)
858 {
859 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
860 "skipping client authentication", this->peer);
861 this->peer->destroy(this->peer);
862 this->peer = NULL;
863 }
864
865 /* generate certificate payload */
866 certs = bio_writer_create(256);
867 if (this->peer)
868 {
869 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
870 if (cert)
871 {
872 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
873 {
874 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
875 cert->get_subject(cert));
876 certs->write_data24(certs, data);
877 free(data.ptr);
878 }
879 }
880 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
881 while (enumerator->enumerate(enumerator, &rule, &cert))
882 {
883 if (rule == AUTH_RULE_IM_CERT)
884 {
885 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
886 {
887 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
888 cert->get_subject(cert));
889 certs->write_data24(certs, data);
890 free(data.ptr);
891 }
892 }
893 }
894 enumerator->destroy(enumerator);
895 }
896
897 writer->write_data24(writer, certs->get_buf(certs));
898 certs->destroy(certs);
899
900 *type = TLS_CERTIFICATE;
901 this->state = STATE_CERT_SENT;
902 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
903 return NEED_MORE;
904 }
905
906 /**
907 * Send client key exchange, using premaster encryption
908 */
909 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
910 tls_handshake_type_t *type, bio_writer_t *writer)
911 {
912 public_key_t *public;
913 rng_t *rng;
914 char premaster[48];
915 chunk_t encrypted;
916
917 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
918 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
919 {
920 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
921 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
922 DESTROY_IF(rng);
923 return NEED_MORE;
924 }
925 rng->destroy(rng);
926 htoun16(premaster, this->hello_version);
927
928 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
929 this->session, this->server,
930 chunk_from_thing(this->client_random),
931 chunk_from_thing(this->server_random)))
932 {
933 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
934 return NEED_MORE;
935 }
936
937 public = find_public_key(this);
938 if (!public)
939 {
940 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
941 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
942 return NEED_MORE;
943 }
944 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
945 chunk_from_thing(premaster), &encrypted))
946 {
947 public->destroy(public);
948 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
949 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
950 return NEED_MORE;
951 }
952 public->destroy(public);
953
954 writer->write_data16(writer, encrypted);
955 free(encrypted.ptr);
956
957 *type = TLS_CLIENT_KEY_EXCHANGE;
958 this->state = STATE_KEY_EXCHANGE_SENT;
959 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
960 return NEED_MORE;
961 }
962
963 /**
964 * Send client key exchange, using DHE exchange
965 */
966 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
967 tls_handshake_type_t *type, bio_writer_t *writer)
968 {
969 chunk_t premaster, pub;
970
971 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
972 {
973 DBG1(DBG_TLS, "calculating premaster from DH failed");
974 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
975 return NEED_MORE;
976 }
977 if (!this->crypto->derive_secrets(this->crypto, premaster,
978 this->session, this->server,
979 chunk_from_thing(this->client_random),
980 chunk_from_thing(this->server_random)))
981 {
982 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
983 chunk_clear(&premaster);
984 return NEED_MORE;
985 }
986 chunk_clear(&premaster);
987
988 this->dh->get_my_public_value(this->dh, &pub);
989 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
990 {
991 writer->write_data16(writer, pub);
992 }
993 else
994 { /* ECP uses 8bit length header only, but a point format */
995 writer->write_uint8(writer, pub.len + 1);
996 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
997 writer->write_data(writer, pub);
998 }
999 free(pub.ptr);
1000
1001 *type = TLS_CLIENT_KEY_EXCHANGE;
1002 this->state = STATE_KEY_EXCHANGE_SENT;
1003 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1004 return NEED_MORE;
1005 }
1006
1007 /**
1008 * Send client key exchange, depending on suite
1009 */
1010 static status_t send_key_exchange(private_tls_peer_t *this,
1011 tls_handshake_type_t *type, bio_writer_t *writer)
1012 {
1013 if (this->dh)
1014 {
1015 return send_key_exchange_dhe(this, type, writer);
1016 }
1017 return send_key_exchange_encrypt(this, type, writer);
1018 }
1019
1020 /**
1021 * Send certificate verify
1022 */
1023 static status_t send_certificate_verify(private_tls_peer_t *this,
1024 tls_handshake_type_t *type, bio_writer_t *writer)
1025 {
1026 if (!this->private ||
1027 !this->crypto->sign_handshake(this->crypto, this->private,
1028 writer, this->hashsig))
1029 {
1030 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1031 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1032 return NEED_MORE;
1033 }
1034
1035 *type = TLS_CERTIFICATE_VERIFY;
1036 this->state = STATE_VERIFY_SENT;
1037 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1038 return NEED_MORE;
1039 }
1040
1041 /**
1042 * Send Finished
1043 */
1044 static status_t send_finished(private_tls_peer_t *this,
1045 tls_handshake_type_t *type, bio_writer_t *writer)
1046 {
1047 char buf[12];
1048
1049 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1050 {
1051 DBG1(DBG_TLS, "calculating client finished data failed");
1052 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1053 return NEED_MORE;
1054 }
1055
1056 writer->write_data(writer, chunk_from_thing(buf));
1057
1058 *type = TLS_FINISHED;
1059 this->state = STATE_FINISHED_SENT;
1060 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1061 return NEED_MORE;
1062 }
1063
1064 METHOD(tls_handshake_t, build, status_t,
1065 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1066 {
1067 switch (this->state)
1068 {
1069 case STATE_INIT:
1070 return send_client_hello(this, type, writer);
1071 case STATE_HELLO_DONE:
1072 if (this->peer)
1073 {
1074 return send_certificate(this, type, writer);
1075 }
1076 /* otherwise fall through to next state */
1077 case STATE_CERT_SENT:
1078 return send_key_exchange(this, type, writer);
1079 case STATE_KEY_EXCHANGE_SENT:
1080 if (this->peer)
1081 {
1082 return send_certificate_verify(this, type, writer);
1083 }
1084 else
1085 {
1086 return INVALID_STATE;
1087 }
1088 case STATE_CIPHERSPEC_CHANGED_OUT:
1089 return send_finished(this, type, writer);
1090 default:
1091 return INVALID_STATE;
1092 }
1093 }
1094
1095 METHOD(tls_handshake_t, cipherspec_changed, bool,
1096 private_tls_peer_t *this, bool inbound)
1097 {
1098 if (inbound)
1099 {
1100 if (this->resume)
1101 {
1102 return this->state == STATE_HELLO_RECEIVED;
1103 }
1104 return this->state == STATE_FINISHED_SENT;
1105 }
1106 else
1107 {
1108 if (this->resume)
1109 {
1110 return this->state == STATE_FINISHED_RECEIVED;
1111 }
1112 if (this->peer)
1113 {
1114 return this->state == STATE_VERIFY_SENT;
1115 }
1116 return this->state == STATE_KEY_EXCHANGE_SENT;
1117 }
1118 }
1119
1120 METHOD(tls_handshake_t, change_cipherspec, void,
1121 private_tls_peer_t *this, bool inbound)
1122 {
1123 this->crypto->change_cipher(this->crypto, inbound);
1124 if (inbound)
1125 {
1126 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1127 }
1128 else
1129 {
1130 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1131 }
1132 }
1133
1134 METHOD(tls_handshake_t, finished, bool,
1135 private_tls_peer_t *this)
1136 {
1137 if (this->resume)
1138 {
1139 return this->state == STATE_FINISHED_SENT;
1140 }
1141 return this->state == STATE_FINISHED_RECEIVED;
1142 }
1143
1144 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1145 private_tls_peer_t *this)
1146 {
1147 return this->peer;
1148 }
1149
1150 METHOD(tls_handshake_t, get_server_id, identification_t*,
1151 private_tls_peer_t *this)
1152 {
1153 return this->server;
1154 }
1155
1156 METHOD(tls_handshake_t, destroy, void,
1157 private_tls_peer_t *this)
1158 {
1159 DESTROY_IF(this->private);
1160 DESTROY_IF(this->dh);
1161 DESTROY_IF(this->peer);
1162 this->server->destroy(this->server);
1163 this->peer_auth->destroy(this->peer_auth);
1164 this->server_auth->destroy(this->server_auth);
1165 free(this->hashsig.ptr);
1166 free(this->cert_types.ptr);
1167 free(this->session.ptr);
1168 free(this);
1169 }
1170
1171 /**
1172 * See header
1173 */
1174 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1175 identification_t *peer, identification_t *server)
1176 {
1177 private_tls_peer_t *this;
1178
1179 INIT(this,
1180 .public = {
1181 .handshake = {
1182 .process = _process,
1183 .build = _build,
1184 .cipherspec_changed = _cipherspec_changed,
1185 .change_cipherspec = _change_cipherspec,
1186 .finished = _finished,
1187 .get_peer_id = _get_peer_id,
1188 .get_server_id = _get_server_id,
1189 .destroy = _destroy,
1190 },
1191 },
1192 .state = STATE_INIT,
1193 .tls = tls,
1194 .crypto = crypto,
1195 .alert = alert,
1196 .peer = peer ? peer->clone(peer) : NULL,
1197 .server = server->clone(server),
1198 .peer_auth = auth_cfg_create(),
1199 .server_auth = auth_cfg_create(),
1200 );
1201
1202 return &this->public;
1203 }