projects / strongswan.git / blob
? search:


b429da3004c1f5993e665638a8ffba8cf2393236
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * DHE exchange
109 */
110 diffie_hellman_t *dh;
111
112 /**
113 * Resuming a session?
114 */
115 bool resume;
116
117 /**
118 * TLS session identifier
119 */
120 chunk_t session;
121
122 /**
123 * List of server-supported hashsig algorithms
124 */
125 chunk_t hashsig;
126
127 /**
128 * List of server-supported client certificate types
129 */
130 chunk_t cert_types;
131 };
132
133 /**
134 * Process a server hello message
135 */
136 static status_t process_server_hello(private_tls_peer_t *this,
137 bio_reader_t *reader)
138 {
139 u_int8_t compression;
140 u_int16_t version, cipher;
141 chunk_t random, session, ext = chunk_empty;
142 tls_cipher_suite_t suite = 0;
143
144 this->crypto->append_handshake(this->crypto,
145 TLS_SERVER_HELLO, reader->peek(reader));
146
147 if (!reader->read_uint16(reader, &version) ||
148 !reader->read_data(reader, sizeof(this->server_random), &random) ||
149 !reader->read_data8(reader, &session) ||
150 !reader->read_uint16(reader, &cipher) ||
151 !reader->read_uint8(reader, &compression) ||
152 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
153 {
154 DBG1(DBG_TLS, "received invalid ServerHello");
155 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
156 return NEED_MORE;
157 }
158
159 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
160
161 if (!this->tls->set_version(this->tls, version))
162 {
163 DBG1(DBG_TLS, "negotiated version %N not supported",
164 tls_version_names, version);
165 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
166 return NEED_MORE;
167 }
168
169 if (chunk_equals(this->session, session))
170 {
171 suite = this->crypto->resume_session(this->crypto, session, this->server,
172 chunk_from_thing(this->client_random),
173 chunk_from_thing(this->server_random));
174 if (suite)
175 {
176 DBG1(DBG_TLS, "resumed %N using suite %N",
177 tls_version_names, version, tls_cipher_suite_names, suite);
178 this->resume = TRUE;
179 }
180 }
181 if (!suite)
182 {
183 suite = cipher;
184 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
185 {
186 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
187 tls_cipher_suite_names, suite);
188 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
189 return NEED_MORE;
190 }
191 DBG1(DBG_TLS, "negotiated %N using suite %N",
192 tls_version_names, version, tls_cipher_suite_names, suite);
193 free(this->session.ptr);
194 this->session = chunk_clone(session);
195 }
196 this->state = STATE_HELLO_RECEIVED;
197 return NEED_MORE;
198 }
199
200 /**
201 * Check if a server certificate is acceptable for the given server identity
202 */
203 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
204 {
205 identification_t *id;
206
207 if (cert->has_subject(cert, this->server))
208 {
209 return TRUE;
210 }
211 id = cert->get_subject(cert);
212 if (id->matches(id, this->server))
213 {
214 return TRUE;
215 }
216 if (cert->get_type(cert) == CERT_X509)
217 {
218 x509_t *x509 = (x509_t*)cert;
219 enumerator_t *enumerator;
220
221 enumerator = x509->create_subjectAltName_enumerator(x509);
222 while (enumerator->enumerate(enumerator, &id))
223 {
224 if (id->matches(id, this->server))
225 {
226 enumerator->destroy(enumerator);
227 return TRUE;
228 }
229 }
230 enumerator->destroy(enumerator);
231 }
232 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
233 return FALSE;
234 }
235
236 /**
237 * Process a Certificate message
238 */
239 static status_t process_certificate(private_tls_peer_t *this,
240 bio_reader_t *reader)
241 {
242 certificate_t *cert;
243 bio_reader_t *certs;
244 chunk_t data;
245 bool first = TRUE;
246
247 this->crypto->append_handshake(this->crypto,
248 TLS_CERTIFICATE, reader->peek(reader));
249
250 if (!reader->read_data24(reader, &data))
251 {
252 DBG1(DBG_TLS, "certificate message header invalid");
253 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
254 return NEED_MORE;
255 }
256 certs = bio_reader_create(data);
257 while (certs->remaining(certs))
258 {
259 if (!certs->read_data24(certs, &data))
260 {
261 DBG1(DBG_TLS, "certificate message invalid");
262 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
263 certs->destroy(certs);
264 return NEED_MORE;
265 }
266 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
267 BUILD_BLOB_ASN1_DER, data, BUILD_END);
268 if (cert)
269 {
270 if (first)
271 {
272 if (!check_certificate(this, cert))
273 {
274 cert->destroy(cert);
275 certs->destroy(certs);
276 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
277 return NEED_MORE;
278 }
279 this->server_auth->add(this->server_auth,
280 AUTH_HELPER_SUBJECT_CERT, cert);
281 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
282 cert->get_subject(cert));
283 first = FALSE;
284 }
285 else
286 {
287 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
288 cert->get_subject(cert));
289 this->server_auth->add(this->server_auth,
290 AUTH_HELPER_IM_CERT, cert);
291 }
292 }
293 else
294 {
295 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
296 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
297 }
298 }
299 certs->destroy(certs);
300 this->state = STATE_CERT_RECEIVED;
301 return NEED_MORE;
302 }
303
304 /**
305 * Find a trusted public key to encrypt/verify key exchange data
306 */
307 static public_key_t *find_public_key(private_tls_peer_t *this)
308 {
309 public_key_t *public = NULL, *current;
310 certificate_t *cert;
311 enumerator_t *enumerator;
312 auth_cfg_t *auth;
313
314 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
315 if (cert)
316 {
317 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
318 KEY_ANY, cert->get_subject(cert), this->server_auth);
319 while (enumerator->enumerate(enumerator, &current, &auth))
320 {
321 public = current->get_ref(current);
322 break;
323 }
324 enumerator->destroy(enumerator);
325 }
326 return public;
327 }
328
329 /**
330 * Process a Key Exchange message using MODP Diffie Hellman
331 */
332 static status_t process_modp_key_exchange(private_tls_peer_t *this,
333 bio_reader_t *reader)
334 {
335 chunk_t prime, generator, pub, chunk;
336 public_key_t *public;
337
338 chunk = reader->peek(reader);
339 if (!reader->read_data16(reader, &prime) ||
340 !reader->read_data16(reader, &generator) ||
341 !reader->read_data16(reader, &pub))
342 {
343 DBG1(DBG_TLS, "received invalid Server Key Exchange");
344 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
345 return NEED_MORE;
346 }
347 public = find_public_key(this);
348 if (!public)
349 {
350 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
351 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
352 return NEED_MORE;
353 }
354
355 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
356 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
357 chunk_from_thing(this->server_random), chunk);
358 if (!this->crypto->verify(this->crypto, public, reader, chunk))
359 {
360 public->destroy(public);
361 free(chunk.ptr);
362 DBG1(DBG_TLS, "verifying DH parameters failed");
363 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
364 return NEED_MORE;
365 }
366 public->destroy(public);
367 free(chunk.ptr);
368
369 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
370 generator, prime);
371 if (!this->dh)
372 {
373 DBG1(DBG_TLS, "custom DH parameters not supported");
374 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
375 return NEED_MORE;
376 }
377 this->dh->set_other_public_value(this->dh, pub);
378
379 this->state = STATE_KEY_EXCHANGE_RECEIVED;
380 return NEED_MORE;
381 }
382
383 /**
384 * Get the EC group for a TLS named curve
385 */
386 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
387 tls_named_curve_t curve)
388 {
389 diffie_hellman_group_t group;
390 tls_named_curve_t current;
391 enumerator_t *enumerator;
392
393 enumerator = this->crypto->create_ec_enumerator(this->crypto);
394 while (enumerator->enumerate(enumerator, &group, &current))
395 {
396 if (current == curve)
397 {
398 enumerator->destroy(enumerator);
399 return group;
400 }
401 }
402 enumerator->destroy(enumerator);
403 return 0;
404 }
405
406 /**
407 * Process a Key Exchange message using EC Diffie Hellman
408 */
409 static status_t process_ec_key_exchange(private_tls_peer_t *this,
410 bio_reader_t *reader)
411 {
412 diffie_hellman_group_t group;
413 public_key_t *public;
414 u_int8_t type;
415 u_int16_t curve;
416 chunk_t pub, chunk;
417
418 chunk = reader->peek(reader);
419 if (!reader->read_uint8(reader, &type))
420 {
421 DBG1(DBG_TLS, "received invalid Server Key Exchange");
422 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
423 return NEED_MORE;
424 }
425 if (type != TLS_ECC_NAMED_CURVE)
426 {
427 DBG1(DBG_TLS, "ECDH curve type %N not supported",
428 tls_ecc_curve_type_names, type);
429 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
430 return NEED_MORE;
431 }
432 if (!reader->read_uint16(reader, &curve) ||
433 !reader->read_data8(reader, &pub) || pub.len == 0)
434 {
435 DBG1(DBG_TLS, "received invalid Server Key Exchange");
436 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
437 return NEED_MORE;
438 }
439
440 group = curve_to_ec_group(this, curve);
441 if (!group)
442 {
443 DBG1(DBG_TLS, "ECDH curve %N not supported",
444 tls_named_curve_names, curve);
445 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
446 return NEED_MORE;
447 }
448
449 public = find_public_key(this);
450 if (!public)
451 {
452 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
453 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
454 return NEED_MORE;
455 }
456
457 chunk.len = 4 + pub.len;
458 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
459 chunk_from_thing(this->server_random), chunk);
460 if (!this->crypto->verify(this->crypto, public, reader, chunk))
461 {
462 public->destroy(public);
463 free(chunk.ptr);
464 DBG1(DBG_TLS, "verifying DH parameters failed");
465 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
466 return NEED_MORE;
467 }
468 public->destroy(public);
469 free(chunk.ptr);
470
471 this->dh = lib->crypto->create_dh(lib->crypto, group);
472 if (!this->dh)
473 {
474 DBG1(DBG_TLS, "DH group %N not supported",
475 diffie_hellman_group_names, group);
476 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
477 return NEED_MORE;
478 }
479
480 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
481 {
482 DBG1(DBG_TLS, "DH point format '%N' not supported",
483 tls_ansi_point_format_names, pub.ptr[0]);
484 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
485 return NEED_MORE;
486 }
487 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
488
489 this->state = STATE_KEY_EXCHANGE_RECEIVED;
490 return NEED_MORE;
491 }
492
493 /**
494 * Process a Server Key Exchange
495 */
496 static status_t process_key_exchange(private_tls_peer_t *this,
497 bio_reader_t *reader)
498 {
499 diffie_hellman_group_t group;
500
501 this->crypto->append_handshake(this->crypto,
502 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
503
504 group = this->crypto->get_dh_group(this->crypto);
505 if (group == MODP_NONE)
506 {
507 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
508 "for current suite");
509 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
510 return NEED_MORE;
511 }
512 if (diffie_hellman_group_is_ec(group))
513 {
514 return process_ec_key_exchange(this, reader);
515 }
516 return process_modp_key_exchange(this, reader);
517 }
518
519 /**
520 * Process a Certificate Request message
521 */
522 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
523 {
524 chunk_t types, hashsig, data;
525 bio_reader_t *authorities;
526 identification_t *id;
527 certificate_t *cert;
528
529 if (!this->peer)
530 {
531 DBG1(DBG_TLS, "server requested a certificate, but client "
532 "authentication disabled");
533 }
534 this->crypto->append_handshake(this->crypto,
535 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
536
537 if (!reader->read_data8(reader, &types))
538 {
539 DBG1(DBG_TLS, "certreq message header invalid");
540 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
541 return NEED_MORE;
542 }
543 this->cert_types = chunk_clone(types);
544 if (this->tls->get_version(this->tls) >= TLS_1_2)
545 {
546 if (!reader->read_data16(reader, &hashsig))
547 {
548 DBG1(DBG_TLS, "certreq message invalid");
549 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
550 return NEED_MORE;
551 }
552 this->hashsig = chunk_clone(hashsig);
553 }
554 if (!reader->read_data16(reader, &data))
555 {
556 DBG1(DBG_TLS, "certreq message invalid");
557 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
558 return NEED_MORE;
559 }
560 authorities = bio_reader_create(data);
561 while (authorities->remaining(authorities))
562 {
563 if (!authorities->read_data16(authorities, &data))
564 {
565 DBG1(DBG_TLS, "certreq message invalid");
566 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
567 authorities->destroy(authorities);
568 return NEED_MORE;
569 }
570 if (this->peer)
571 {
572 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
573 cert = lib->credmgr->get_cert(lib->credmgr,
574 CERT_X509, KEY_ANY, id, TRUE);
575 if (cert)
576 {
577 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
578 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
579 }
580 else
581 {
582 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
583 }
584 id->destroy(id);
585 }
586 }
587 authorities->destroy(authorities);
588 this->state = STATE_CERTREQ_RECEIVED;
589 return NEED_MORE;
590 }
591
592 /**
593 * Process Hello Done message
594 */
595 static status_t process_hello_done(private_tls_peer_t *this,
596 bio_reader_t *reader)
597 {
598 this->crypto->append_handshake(this->crypto,
599 TLS_SERVER_HELLO_DONE, reader->peek(reader));
600 this->state = STATE_HELLO_DONE;
601 return NEED_MORE;
602 }
603
604 /**
605 * Process finished message
606 */
607 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
608 {
609 chunk_t received;
610 char buf[12];
611
612 if (!reader->read_data(reader, sizeof(buf), &received))
613 {
614 DBG1(DBG_TLS, "received server finished too short");
615 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
616 return NEED_MORE;
617 }
618 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
619 {
620 DBG1(DBG_TLS, "calculating server finished failed");
621 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
622 return NEED_MORE;
623 }
624 if (!chunk_equals(received, chunk_from_thing(buf)))
625 {
626 DBG1(DBG_TLS, "received server finished invalid");
627 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
628 return NEED_MORE;
629 }
630 this->state = STATE_FINISHED_RECEIVED;
631 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
632
633 return NEED_MORE;
634 }
635
636 METHOD(tls_handshake_t, process, status_t,
637 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
638 {
639 tls_handshake_type_t expected;
640
641 switch (this->state)
642 {
643 case STATE_HELLO_SENT:
644 if (type == TLS_SERVER_HELLO)
645 {
646 return process_server_hello(this, reader);
647 }
648 expected = TLS_SERVER_HELLO;
649 break;
650 case STATE_HELLO_RECEIVED:
651 if (type == TLS_CERTIFICATE)
652 {
653 return process_certificate(this, reader);
654 }
655 expected = TLS_CERTIFICATE;
656 break;
657 case STATE_CERT_RECEIVED:
658 if (type == TLS_SERVER_KEY_EXCHANGE)
659 {
660 return process_key_exchange(this, reader);
661 }
662 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
663 case STATE_KEY_EXCHANGE_RECEIVED:
664 if (type == TLS_CERTIFICATE_REQUEST)
665 {
666 return process_certreq(this, reader);
667 }
668 /* no cert request, server does not want to authenticate us */
669 DESTROY_IF(this->peer);
670 this->peer = NULL;
671 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
672 case STATE_CERTREQ_RECEIVED:
673 if (type == TLS_SERVER_HELLO_DONE)
674 {
675 return process_hello_done(this, reader);
676 }
677 expected = TLS_SERVER_HELLO_DONE;
678 break;
679 case STATE_CIPHERSPEC_CHANGED_IN:
680 if (type == TLS_FINISHED)
681 {
682 return process_finished(this, reader);
683 }
684 expected = TLS_FINISHED;
685 break;
686 default:
687 DBG1(DBG_TLS, "TLS %N not expected in current state",
688 tls_handshake_type_names, type);
689 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
690 return NEED_MORE;
691 }
692 DBG1(DBG_TLS, "TLS %N expected, but received %N",
693 tls_handshake_type_names, expected, tls_handshake_type_names, type);
694 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
695 return NEED_MORE;
696 }
697
698 /**
699 * Send a client hello
700 */
701 static status_t send_client_hello(private_tls_peer_t *this,
702 tls_handshake_type_t *type, bio_writer_t *writer)
703 {
704 tls_cipher_suite_t *suites;
705 bio_writer_t *extensions, *curves = NULL;
706 tls_version_t version;
707 tls_named_curve_t curve;
708 enumerator_t *enumerator;
709 int count, i;
710 rng_t *rng;
711
712 htoun32(&this->client_random, time(NULL));
713 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
714 if (!rng ||
715 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
716 this->client_random + 4))
717 {
718 DBG1(DBG_TLS, "failed to generate client random");
719 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
720 DESTROY_IF(rng);
721 return NEED_MORE;
722 }
723 rng->destroy(rng);
724
725 /* TLS version */
726 version = this->tls->get_version(this->tls);
727 writer->write_uint16(writer, version);
728 writer->write_data(writer, chunk_from_thing(this->client_random));
729
730 /* session identifier */
731 this->session = this->crypto->get_session(this->crypto, this->server);
732 writer->write_data8(writer, this->session);
733
734 /* add TLS cipher suites */
735 count = this->crypto->get_cipher_suites(this->crypto, &suites);
736 writer->write_uint16(writer, count * 2);
737 for (i = 0; i < count; i++)
738 {
739 writer->write_uint16(writer, suites[i]);
740 }
741
742 /* NULL compression only */
743 writer->write_uint8(writer, 1);
744 writer->write_uint8(writer, 0);
745
746 extensions = bio_writer_create(32);
747
748 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
749 this->crypto->get_signature_algorithms(this->crypto, extensions);
750
751 /* add supported Elliptic Curves, if any */
752 enumerator = this->crypto->create_ec_enumerator(this->crypto);
753 while (enumerator->enumerate(enumerator, NULL, &curve))
754 {
755 if (!curves)
756 {
757 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
758 curves = bio_writer_create(16);
759 }
760 curves->write_uint16(curves, curve);
761 }
762 enumerator->destroy(enumerator);
763 if (curves)
764 {
765 curves->wrap16(curves);
766 extensions->write_data16(extensions, curves->get_buf(curves));
767 curves->destroy(curves);
768
769 /* if we support curves, add point format extension */
770 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
771 extensions->write_uint16(extensions, 2);
772 extensions->write_uint8(extensions, 1);
773 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
774 }
775 if (this->server->get_type(this->server) == ID_FQDN)
776 {
777 bio_writer_t *names;
778
779 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
780
781 names = bio_writer_create(8);
782 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
783 names->write_data16(names, this->server->get_encoding(this->server));
784 names->wrap16(names);
785 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
786 extensions->write_data16(extensions, names->get_buf(names));
787 names->destroy(names);
788 }
789
790 writer->write_data16(writer, extensions->get_buf(extensions));
791 extensions->destroy(extensions);
792
793 *type = TLS_CLIENT_HELLO;
794 this->state = STATE_HELLO_SENT;
795 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
796 return NEED_MORE;
797 }
798
799 /**
800 * Find a private key suitable to sign Certificate Verify
801 */
802 static private_key_t *find_private_key(private_tls_peer_t *this)
803 {
804 private_key_t *key = NULL;
805 bio_reader_t *reader;
806 key_type_t type;
807 u_int8_t cert;
808
809 if (!this->peer)
810 {
811 return NULL;
812 }
813 reader = bio_reader_create(this->cert_types);
814 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
815 {
816 switch (cert)
817 {
818 case TLS_RSA_SIGN:
819 type = KEY_RSA;
820 break;
821 case TLS_ECDSA_SIGN:
822 type = KEY_ECDSA;
823 break;
824 default:
825 continue;
826 }
827 key = lib->credmgr->get_private(lib->credmgr, type,
828 this->peer, this->peer_auth);
829 if (key)
830 {
831 break;
832 }
833 }
834 reader->destroy(reader);
835 return key;
836 }
837
838 /**
839 * Send Certificate
840 */
841 static status_t send_certificate(private_tls_peer_t *this,
842 tls_handshake_type_t *type, bio_writer_t *writer)
843 {
844 enumerator_t *enumerator;
845 certificate_t *cert;
846 auth_rule_t rule;
847 bio_writer_t *certs;
848 chunk_t data;
849
850 this->private = find_private_key(this);
851 if (!this->private)
852 {
853 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
854 "skipping client authentication", this->peer);
855 this->peer->destroy(this->peer);
856 this->peer = NULL;
857 }
858
859 /* generate certificate payload */
860 certs = bio_writer_create(256);
861 if (this->peer)
862 {
863 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
864 if (cert)
865 {
866 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
867 {
868 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
869 cert->get_subject(cert));
870 certs->write_data24(certs, data);
871 free(data.ptr);
872 }
873 }
874 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
875 while (enumerator->enumerate(enumerator, &rule, &cert))
876 {
877 if (rule == AUTH_RULE_IM_CERT)
878 {
879 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
880 {
881 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
882 cert->get_subject(cert));
883 certs->write_data24(certs, data);
884 free(data.ptr);
885 }
886 }
887 }
888 enumerator->destroy(enumerator);
889 }
890
891 writer->write_data24(writer, certs->get_buf(certs));
892 certs->destroy(certs);
893
894 *type = TLS_CERTIFICATE;
895 this->state = STATE_CERT_SENT;
896 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
897 return NEED_MORE;
898 }
899
900 /**
901 * Send client key exchange, using premaster encryption
902 */
903 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
904 tls_handshake_type_t *type, bio_writer_t *writer)
905 {
906 public_key_t *public;
907 rng_t *rng;
908 char premaster[48];
909 chunk_t encrypted;
910
911 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
912 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
913 {
914 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
915 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
916 DESTROY_IF(rng);
917 return NEED_MORE;
918 }
919 rng->destroy(rng);
920 htoun16(premaster, TLS_1_2);
921
922 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
923 this->session, this->server,
924 chunk_from_thing(this->client_random),
925 chunk_from_thing(this->server_random)))
926 {
927 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
928 return NEED_MORE;
929 }
930
931 public = find_public_key(this);
932 if (!public)
933 {
934 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
935 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
936 return NEED_MORE;
937 }
938 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
939 chunk_from_thing(premaster), &encrypted))
940 {
941 public->destroy(public);
942 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
943 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
944 return NEED_MORE;
945 }
946 public->destroy(public);
947
948 writer->write_data16(writer, encrypted);
949 free(encrypted.ptr);
950
951 *type = TLS_CLIENT_KEY_EXCHANGE;
952 this->state = STATE_KEY_EXCHANGE_SENT;
953 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
954 return NEED_MORE;
955 }
956
957 /**
958 * Send client key exchange, using DHE exchange
959 */
960 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
961 tls_handshake_type_t *type, bio_writer_t *writer)
962 {
963 chunk_t premaster, pub;
964
965 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
966 {
967 DBG1(DBG_TLS, "calculating premaster from DH failed");
968 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
969 return NEED_MORE;
970 }
971 if (!this->crypto->derive_secrets(this->crypto, premaster,
972 this->session, this->server,
973 chunk_from_thing(this->client_random),
974 chunk_from_thing(this->server_random)))
975 {
976 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
977 chunk_clear(&premaster);
978 return NEED_MORE;
979 }
980 chunk_clear(&premaster);
981
982 this->dh->get_my_public_value(this->dh, &pub);
983 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
984 {
985 writer->write_data16(writer, pub);
986 }
987 else
988 { /* ECP uses 8bit length header only, but a point format */
989 writer->write_uint8(writer, pub.len + 1);
990 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
991 writer->write_data(writer, pub);
992 }
993 free(pub.ptr);
994
995 *type = TLS_CLIENT_KEY_EXCHANGE;
996 this->state = STATE_KEY_EXCHANGE_SENT;
997 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
998 return NEED_MORE;
999 }
1000
1001 /**
1002 * Send client key exchange, depending on suite
1003 */
1004 static status_t send_key_exchange(private_tls_peer_t *this,
1005 tls_handshake_type_t *type, bio_writer_t *writer)
1006 {
1007 if (this->dh)
1008 {
1009 return send_key_exchange_dhe(this, type, writer);
1010 }
1011 return send_key_exchange_encrypt(this, type, writer);
1012 }
1013
1014 /**
1015 * Send certificate verify
1016 */
1017 static status_t send_certificate_verify(private_tls_peer_t *this,
1018 tls_handshake_type_t *type, bio_writer_t *writer)
1019 {
1020 if (!this->private ||
1021 !this->crypto->sign_handshake(this->crypto, this->private,
1022 writer, this->hashsig))
1023 {
1024 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1025 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1026 return NEED_MORE;
1027 }
1028
1029 *type = TLS_CERTIFICATE_VERIFY;
1030 this->state = STATE_VERIFY_SENT;
1031 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1032 return NEED_MORE;
1033 }
1034
1035 /**
1036 * Send Finished
1037 */
1038 static status_t send_finished(private_tls_peer_t *this,
1039 tls_handshake_type_t *type, bio_writer_t *writer)
1040 {
1041 char buf[12];
1042
1043 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1044 {
1045 DBG1(DBG_TLS, "calculating client finished data failed");
1046 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1047 return NEED_MORE;
1048 }
1049
1050 writer->write_data(writer, chunk_from_thing(buf));
1051
1052 *type = TLS_FINISHED;
1053 this->state = STATE_FINISHED_SENT;
1054 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1055 return NEED_MORE;
1056 }
1057
1058 METHOD(tls_handshake_t, build, status_t,
1059 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1060 {
1061 switch (this->state)
1062 {
1063 case STATE_INIT:
1064 return send_client_hello(this, type, writer);
1065 case STATE_HELLO_DONE:
1066 if (this->peer)
1067 {
1068 return send_certificate(this, type, writer);
1069 }
1070 /* otherwise fall through to next state */
1071 case STATE_CERT_SENT:
1072 return send_key_exchange(this, type, writer);
1073 case STATE_KEY_EXCHANGE_SENT:
1074 if (this->peer)
1075 {
1076 return send_certificate_verify(this, type, writer);
1077 }
1078 else
1079 {
1080 return INVALID_STATE;
1081 }
1082 case STATE_CIPHERSPEC_CHANGED_OUT:
1083 return send_finished(this, type, writer);
1084 default:
1085 return INVALID_STATE;
1086 }
1087 }
1088
1089 METHOD(tls_handshake_t, cipherspec_changed, bool,
1090 private_tls_peer_t *this, bool inbound)
1091 {
1092 if (inbound)
1093 {
1094 if (this->resume)
1095 {
1096 return this->state == STATE_HELLO_RECEIVED;
1097 }
1098 return this->state == STATE_FINISHED_SENT;
1099 }
1100 else
1101 {
1102 if (this->resume)
1103 {
1104 return this->state == STATE_FINISHED_RECEIVED;
1105 }
1106 if (this->peer)
1107 {
1108 return this->state == STATE_VERIFY_SENT;
1109 }
1110 return this->state == STATE_KEY_EXCHANGE_SENT;
1111 }
1112 }
1113
1114 METHOD(tls_handshake_t, change_cipherspec, void,
1115 private_tls_peer_t *this, bool inbound)
1116 {
1117 this->crypto->change_cipher(this->crypto, inbound);
1118 if (inbound)
1119 {
1120 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1121 }
1122 else
1123 {
1124 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1125 }
1126 }
1127
1128 METHOD(tls_handshake_t, finished, bool,
1129 private_tls_peer_t *this)
1130 {
1131 if (this->resume)
1132 {
1133 return this->state == STATE_FINISHED_SENT;
1134 }
1135 return this->state == STATE_FINISHED_RECEIVED;
1136 }
1137
1138 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1139 private_tls_peer_t *this)
1140 {
1141 return this->peer;
1142 }
1143
1144 METHOD(tls_handshake_t, get_server_id, identification_t*,
1145 private_tls_peer_t *this)
1146 {
1147 return this->server;
1148 }
1149
1150 METHOD(tls_handshake_t, destroy, void,
1151 private_tls_peer_t *this)
1152 {
1153 DESTROY_IF(this->private);
1154 DESTROY_IF(this->dh);
1155 DESTROY_IF(this->peer);
1156 this->server->destroy(this->server);
1157 this->peer_auth->destroy(this->peer_auth);
1158 this->server_auth->destroy(this->server_auth);
1159 free(this->hashsig.ptr);
1160 free(this->cert_types.ptr);
1161 free(this->session.ptr);
1162 free(this);
1163 }
1164
1165 /**
1166 * See header
1167 */
1168 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1169 identification_t *peer, identification_t *server)
1170 {
1171 private_tls_peer_t *this;
1172
1173 INIT(this,
1174 .public = {
1175 .handshake = {
1176 .process = _process,
1177 .build = _build,
1178 .cipherspec_changed = _cipherspec_changed,
1179 .change_cipherspec = _change_cipherspec,
1180 .finished = _finished,
1181 .get_peer_id = _get_peer_id,
1182 .get_server_id = _get_server_id,
1183 .destroy = _destroy,
1184 },
1185 },
1186 .state = STATE_INIT,
1187 .tls = tls,
1188 .crypto = crypto,
1189 .alert = alert,
1190 .peer = peer ? peer->clone(peer) : NULL,
1191 .server = server->clone(server),
1192 .peer_auth = auth_cfg_create(),
1193 .server_auth = auth_cfg_create(),
1194 );
1195
1196 return &this->public;
1197 }
strongSwan - IPsec VPN