Separated cipherspec checking and switching, allowing us to defer the second
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_COMPLETE,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * DHE exchange
109 */
110 diffie_hellman_t *dh;
111
112 /**
113 * List of server-supported hashsig algorithms
114 */
115 chunk_t hashsig;
116
117 /**
118 * List of server-supported client certificate types
119 */
120 chunk_t cert_types;
121 };
122
123 /**
124 * Process a server hello message
125 */
126 static status_t process_server_hello(private_tls_peer_t *this,
127 bio_reader_t *reader)
128 {
129 u_int8_t compression;
130 u_int16_t version, cipher;
131 chunk_t random, session, ext = chunk_empty;
132 tls_cipher_suite_t suite;
133
134 this->crypto->append_handshake(this->crypto,
135 TLS_SERVER_HELLO, reader->peek(reader));
136
137 if (!reader->read_uint16(reader, &version) ||
138 !reader->read_data(reader, sizeof(this->server_random), &random) ||
139 !reader->read_data8(reader, &session) ||
140 !reader->read_uint16(reader, &cipher) ||
141 !reader->read_uint8(reader, &compression) ||
142 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
143 {
144 DBG1(DBG_TLS, "received invalid ServerHello");
145 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
146 return NEED_MORE;
147 }
148
149 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
150
151 if (!this->tls->set_version(this->tls, version))
152 {
153 DBG1(DBG_TLS, "negotiated version %N not supported",
154 tls_version_names, version);
155 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
156 return NEED_MORE;
157 }
158 suite = cipher;
159 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
160 {
161 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
162 tls_cipher_suite_names, suite);
163 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
164 return NEED_MORE;
165 }
166 DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
167 tls_version_names, version, tls_cipher_suite_names, suite);
168 this->state = STATE_HELLO_RECEIVED;
169 return NEED_MORE;
170 }
171
172 /**
173 * Check if a server certificate is acceptable for the given server identity
174 */
175 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
176 {
177 identification_t *id;
178
179 if (cert->has_subject(cert, this->server))
180 {
181 return TRUE;
182 }
183 id = cert->get_subject(cert);
184 if (id->matches(id, this->server))
185 {
186 return TRUE;
187 }
188 if (cert->get_type(cert) == CERT_X509)
189 {
190 x509_t *x509 = (x509_t*)cert;
191 enumerator_t *enumerator;
192
193 enumerator = x509->create_subjectAltName_enumerator(x509);
194 while (enumerator->enumerate(enumerator, &id))
195 {
196 if (id->matches(id, this->server))
197 {
198 enumerator->destroy(enumerator);
199 return TRUE;
200 }
201 }
202 enumerator->destroy(enumerator);
203 }
204 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
205 return FALSE;
206 }
207
208 /**
209 * Process a Certificate message
210 */
211 static status_t process_certificate(private_tls_peer_t *this,
212 bio_reader_t *reader)
213 {
214 certificate_t *cert;
215 bio_reader_t *certs;
216 chunk_t data;
217 bool first = TRUE;
218
219 this->crypto->append_handshake(this->crypto,
220 TLS_CERTIFICATE, reader->peek(reader));
221
222 if (!reader->read_data24(reader, &data))
223 {
224 DBG1(DBG_TLS, "certificate message header invalid");
225 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
226 return NEED_MORE;
227 }
228 certs = bio_reader_create(data);
229 while (certs->remaining(certs))
230 {
231 if (!certs->read_data24(certs, &data))
232 {
233 DBG1(DBG_TLS, "certificate message invalid");
234 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
235 certs->destroy(certs);
236 return NEED_MORE;
237 }
238 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
239 BUILD_BLOB_ASN1_DER, data, BUILD_END);
240 if (cert)
241 {
242 if (first)
243 {
244 if (!check_certificate(this, cert))
245 {
246 cert->destroy(cert);
247 certs->destroy(certs);
248 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
249 return NEED_MORE;
250 }
251 this->server_auth->add(this->server_auth,
252 AUTH_HELPER_SUBJECT_CERT, cert);
253 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
254 cert->get_subject(cert));
255 first = FALSE;
256 }
257 else
258 {
259 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
260 cert->get_subject(cert));
261 this->server_auth->add(this->server_auth,
262 AUTH_HELPER_IM_CERT, cert);
263 }
264 }
265 else
266 {
267 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
268 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
269 }
270 }
271 certs->destroy(certs);
272 this->state = STATE_CERT_RECEIVED;
273 return NEED_MORE;
274 }
275
276 /**
277 * Find a trusted public key to encrypt/verify key exchange data
278 */
279 static public_key_t *find_public_key(private_tls_peer_t *this)
280 {
281 public_key_t *public = NULL, *current;
282 certificate_t *cert;
283 enumerator_t *enumerator;
284 auth_cfg_t *auth;
285
286 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
287 if (cert)
288 {
289 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
290 KEY_ANY, cert->get_subject(cert), this->server_auth);
291 while (enumerator->enumerate(enumerator, &current, &auth))
292 {
293 public = current->get_ref(current);
294 break;
295 }
296 enumerator->destroy(enumerator);
297 }
298 return public;
299 }
300
301 /**
302 * Process a Key Exchange message using MODP Diffie Hellman
303 */
304 static status_t process_modp_key_exchange(private_tls_peer_t *this,
305 bio_reader_t *reader)
306 {
307 chunk_t prime, generator, pub, chunk;
308 public_key_t *public;
309
310 chunk = reader->peek(reader);
311 if (!reader->read_data16(reader, &prime) ||
312 !reader->read_data16(reader, &generator) ||
313 !reader->read_data16(reader, &pub))
314 {
315 DBG1(DBG_TLS, "received invalid Server Key Exchange");
316 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
317 return NEED_MORE;
318 }
319 public = find_public_key(this);
320 if (!public)
321 {
322 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
323 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
324 return NEED_MORE;
325 }
326
327 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
328 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
329 chunk_from_thing(this->server_random), chunk);
330 if (!this->crypto->verify(this->crypto, public, reader, chunk))
331 {
332 public->destroy(public);
333 free(chunk.ptr);
334 DBG1(DBG_TLS, "verifying DH parameters failed");
335 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
336 return NEED_MORE;
337 }
338 public->destroy(public);
339 free(chunk.ptr);
340
341 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
342 generator, prime);
343 if (!this->dh)
344 {
345 DBG1(DBG_TLS, "custom DH parameters not supported");
346 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
347 return NEED_MORE;
348 }
349 this->dh->set_other_public_value(this->dh, pub);
350
351 this->state = STATE_KEY_EXCHANGE_RECEIVED;
352 return NEED_MORE;
353 }
354
355 /**
356 * Get the EC group for a TLS named curve
357 */
358 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
359 tls_named_curve_t curve)
360 {
361 diffie_hellman_group_t group;
362 tls_named_curve_t current;
363 enumerator_t *enumerator;
364
365 enumerator = this->crypto->create_ec_enumerator(this->crypto);
366 while (enumerator->enumerate(enumerator, &group, &current))
367 {
368 if (current == curve)
369 {
370 enumerator->destroy(enumerator);
371 return group;
372 }
373 }
374 enumerator->destroy(enumerator);
375 return 0;
376 }
377
378 /**
379 * Process a Key Exchange message using EC Diffie Hellman
380 */
381 static status_t process_ec_key_exchange(private_tls_peer_t *this,
382 bio_reader_t *reader)
383 {
384 diffie_hellman_group_t group;
385 public_key_t *public;
386 u_int8_t type;
387 u_int16_t curve;
388 chunk_t pub, chunk;
389
390 chunk = reader->peek(reader);
391 if (!reader->read_uint8(reader, &type))
392 {
393 DBG1(DBG_TLS, "received invalid Server Key Exchange");
394 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
395 return NEED_MORE;
396 }
397 if (type != TLS_ECC_NAMED_CURVE)
398 {
399 DBG1(DBG_TLS, "ECDH curve type %N not supported",
400 tls_ecc_curve_type_names, type);
401 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
402 return NEED_MORE;
403 }
404 if (!reader->read_uint16(reader, &curve) ||
405 !reader->read_data8(reader, &pub) || pub.len == 0)
406 {
407 DBG1(DBG_TLS, "received invalid Server Key Exchange");
408 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
409 return NEED_MORE;
410 }
411
412 group = curve_to_ec_group(this, curve);
413 if (!group)
414 {
415 DBG1(DBG_TLS, "ECDH curve %N not supported",
416 tls_named_curve_names, curve);
417 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
418 return NEED_MORE;
419 }
420
421 public = find_public_key(this);
422 if (!public)
423 {
424 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
425 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
426 return NEED_MORE;
427 }
428
429 chunk.len = 4 + pub.len;
430 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
431 chunk_from_thing(this->server_random), chunk);
432 if (!this->crypto->verify(this->crypto, public, reader, chunk))
433 {
434 public->destroy(public);
435 free(chunk.ptr);
436 DBG1(DBG_TLS, "verifying DH parameters failed");
437 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
438 return NEED_MORE;
439 }
440 public->destroy(public);
441 free(chunk.ptr);
442
443 this->dh = lib->crypto->create_dh(lib->crypto, group);
444 if (!this->dh)
445 {
446 DBG1(DBG_TLS, "DH group %N not supported",
447 diffie_hellman_group_names, group);
448 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
449 return NEED_MORE;
450 }
451
452 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
453 {
454 DBG1(DBG_TLS, "DH point format '%N' not supported",
455 tls_ansi_point_format_names, pub.ptr[0]);
456 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
457 return NEED_MORE;
458 }
459 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
460
461 this->state = STATE_KEY_EXCHANGE_RECEIVED;
462 return NEED_MORE;
463 }
464
465 /**
466 * Process a Server Key Exchange
467 */
468 static status_t process_key_exchange(private_tls_peer_t *this,
469 bio_reader_t *reader)
470 {
471 diffie_hellman_group_t group;
472
473 this->crypto->append_handshake(this->crypto,
474 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
475
476 group = this->crypto->get_dh_group(this->crypto);
477 if (group == MODP_NONE)
478 {
479 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
480 "for current suite");
481 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
482 return NEED_MORE;
483 }
484 if (diffie_hellman_group_is_ec(group))
485 {
486 return process_ec_key_exchange(this, reader);
487 }
488 return process_modp_key_exchange(this, reader);
489 }
490
491 /**
492 * Process a Certificate Request message
493 */
494 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
495 {
496 chunk_t types, hashsig, data;
497 bio_reader_t *authorities;
498 identification_t *id;
499 certificate_t *cert;
500
501 if (!this->peer)
502 {
503 DBG1(DBG_TLS, "server requested a certificate, but client "
504 "authentication disabled");
505 }
506 this->crypto->append_handshake(this->crypto,
507 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
508
509 if (!reader->read_data8(reader, &types))
510 {
511 DBG1(DBG_TLS, "certreq message header invalid");
512 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
513 return NEED_MORE;
514 }
515 this->cert_types = chunk_clone(types);
516 if (this->tls->get_version(this->tls) >= TLS_1_2)
517 {
518 if (!reader->read_data16(reader, &hashsig))
519 {
520 DBG1(DBG_TLS, "certreq message invalid");
521 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
522 return NEED_MORE;
523 }
524 this->hashsig = chunk_clone(hashsig);
525 }
526 if (!reader->read_data16(reader, &data))
527 {
528 DBG1(DBG_TLS, "certreq message invalid");
529 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
530 return NEED_MORE;
531 }
532 authorities = bio_reader_create(data);
533 while (authorities->remaining(authorities))
534 {
535 if (!authorities->read_data16(authorities, &data))
536 {
537 DBG1(DBG_TLS, "certreq message invalid");
538 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
539 authorities->destroy(authorities);
540 return NEED_MORE;
541 }
542 if (this->peer)
543 {
544 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
545 cert = lib->credmgr->get_cert(lib->credmgr,
546 CERT_X509, KEY_ANY, id, TRUE);
547 if (cert)
548 {
549 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
550 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
551 }
552 else
553 {
554 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
555 }
556 id->destroy(id);
557 }
558 }
559 authorities->destroy(authorities);
560 this->state = STATE_CERTREQ_RECEIVED;
561 return NEED_MORE;
562 }
563
564 /**
565 * Process Hello Done message
566 */
567 static status_t process_hello_done(private_tls_peer_t *this,
568 bio_reader_t *reader)
569 {
570 this->crypto->append_handshake(this->crypto,
571 TLS_SERVER_HELLO_DONE, reader->peek(reader));
572 this->state = STATE_HELLO_DONE;
573 return NEED_MORE;
574 }
575
576 /**
577 * Process finished message
578 */
579 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
580 {
581 chunk_t received;
582 char buf[12];
583
584 if (!reader->read_data(reader, sizeof(buf), &received))
585 {
586 DBG1(DBG_TLS, "received server finished too short");
587 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
588 return NEED_MORE;
589 }
590 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
591 {
592 DBG1(DBG_TLS, "calculating server finished failed");
593 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
594 return NEED_MORE;
595 }
596 if (!chunk_equals(received, chunk_from_thing(buf)))
597 {
598 DBG1(DBG_TLS, "received server finished invalid");
599 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
600 return NEED_MORE;
601 }
602 this->state = STATE_COMPLETE;
603 this->crypto->derive_eap_msk(this->crypto,
604 chunk_from_thing(this->client_random),
605 chunk_from_thing(this->server_random));
606 return NEED_MORE;
607 }
608
609 METHOD(tls_handshake_t, process, status_t,
610 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
611 {
612 tls_handshake_type_t expected;
613
614 switch (this->state)
615 {
616 case STATE_HELLO_SENT:
617 if (type == TLS_SERVER_HELLO)
618 {
619 return process_server_hello(this, reader);
620 }
621 expected = TLS_SERVER_HELLO;
622 break;
623 case STATE_HELLO_RECEIVED:
624 if (type == TLS_CERTIFICATE)
625 {
626 return process_certificate(this, reader);
627 }
628 expected = TLS_CERTIFICATE;
629 break;
630 case STATE_CERT_RECEIVED:
631 if (type == TLS_SERVER_KEY_EXCHANGE)
632 {
633 return process_key_exchange(this, reader);
634 }
635 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
636 case STATE_KEY_EXCHANGE_RECEIVED:
637 if (type == TLS_CERTIFICATE_REQUEST)
638 {
639 return process_certreq(this, reader);
640 }
641 this->peer = NULL;
642 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
643 case STATE_CERTREQ_RECEIVED:
644 if (type == TLS_SERVER_HELLO_DONE)
645 {
646 return process_hello_done(this, reader);
647 }
648 expected = TLS_SERVER_HELLO_DONE;
649 break;
650 case STATE_CIPHERSPEC_CHANGED_IN:
651 if (type == TLS_FINISHED)
652 {
653 return process_finished(this, reader);
654 }
655 expected = TLS_FINISHED;
656 break;
657 default:
658 DBG1(DBG_TLS, "TLS %N not expected in current state",
659 tls_handshake_type_names, type);
660 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
661 return NEED_MORE;
662 }
663 DBG1(DBG_TLS, "TLS %N expected, but received %N",
664 tls_handshake_type_names, expected, tls_handshake_type_names, type);
665 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
666 return NEED_MORE;
667 }
668
669 /**
670 * Send a client hello
671 */
672 static status_t send_client_hello(private_tls_peer_t *this,
673 tls_handshake_type_t *type, bio_writer_t *writer)
674 {
675 tls_cipher_suite_t *suites;
676 bio_writer_t *extensions, *curves = NULL;
677 tls_version_t version;
678 tls_named_curve_t curve;
679 enumerator_t *enumerator;
680 int count, i;
681 rng_t *rng;
682
683 htoun32(&this->client_random, time(NULL));
684 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
685 if (!rng)
686 {
687 DBG1(DBG_TLS, "no suitable RNG found to generate client random");
688 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
689 return NEED_MORE;
690 }
691 rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4);
692 rng->destroy(rng);
693
694 /* TLS version */
695 version = this->tls->get_version(this->tls);
696 writer->write_uint16(writer, version);
697 writer->write_data(writer, chunk_from_thing(this->client_random));
698
699 /* session identifier => none */
700 writer->write_data8(writer, chunk_empty);
701
702 /* add TLS cipher suites */
703 count = this->crypto->get_cipher_suites(this->crypto, &suites);
704 writer->write_uint16(writer, count * 2);
705 for (i = 0; i < count; i++)
706 {
707 writer->write_uint16(writer, suites[i]);
708 }
709
710 /* NULL compression only */
711 writer->write_uint8(writer, 1);
712 writer->write_uint8(writer, 0);
713
714 extensions = bio_writer_create(32);
715
716 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
717 this->crypto->get_signature_algorithms(this->crypto, extensions);
718
719 /* add supported Elliptic Curves, if any */
720 enumerator = this->crypto->create_ec_enumerator(this->crypto);
721 while (enumerator->enumerate(enumerator, NULL, &curve))
722 {
723 if (!curves)
724 {
725 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
726 curves = bio_writer_create(16);
727 }
728 curves->write_uint16(curves, curve);
729 }
730 enumerator->destroy(enumerator);
731 if (curves)
732 {
733 extensions->write_data16(extensions, curves->get_buf(curves));
734 curves->destroy(curves);
735
736 /* if we support curves, add point format extension */
737 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
738 extensions->write_uint16(extensions, 2);
739 extensions->write_uint8(extensions, 1);
740 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
741 }
742 if (this->server->get_type(this->server) == ID_FQDN)
743 {
744 bio_writer_t *names;
745
746 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
747
748 names = bio_writer_create(8);
749 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
750 names->write_data16(names, this->server->get_encoding(this->server));
751 names->wrap16(names);
752 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
753 extensions->write_data16(extensions, names->get_buf(names));
754 names->destroy(names);
755 }
756
757 writer->write_data16(writer, extensions->get_buf(extensions));
758 extensions->destroy(extensions);
759
760 *type = TLS_CLIENT_HELLO;
761 this->state = STATE_HELLO_SENT;
762 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
763 return NEED_MORE;
764 }
765
766 /**
767 * Find a private key suitable to sign Certificate Verify
768 */
769 static private_key_t *find_private_key(private_tls_peer_t *this)
770 {
771 private_key_t *key = NULL;
772 bio_reader_t *reader;
773 key_type_t type;
774 u_int8_t cert;
775
776 if (!this->peer)
777 {
778 return NULL;
779 }
780 reader = bio_reader_create(this->cert_types);
781 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
782 {
783 switch (cert)
784 {
785 case TLS_RSA_SIGN:
786 type = KEY_RSA;
787 break;
788 case TLS_ECDSA_SIGN:
789 type = KEY_ECDSA;
790 break;
791 default:
792 continue;
793 }
794 key = lib->credmgr->get_private(lib->credmgr, type,
795 this->peer, this->peer_auth);
796 if (key)
797 {
798 break;
799 }
800 }
801 reader->destroy(reader);
802 return key;
803 }
804
805 /**
806 * Send Certificate
807 */
808 static status_t send_certificate(private_tls_peer_t *this,
809 tls_handshake_type_t *type, bio_writer_t *writer)
810 {
811 enumerator_t *enumerator;
812 certificate_t *cert;
813 auth_rule_t rule;
814 bio_writer_t *certs;
815 chunk_t data;
816
817 this->private = find_private_key(this);
818 if (!this->private)
819 {
820 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
821 "skipping client authentication", this->peer);
822 this->peer = NULL;
823 }
824
825 /* generate certificate payload */
826 certs = bio_writer_create(256);
827 if (this->peer)
828 {
829 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
830 if (cert)
831 {
832 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
833 {
834 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
835 cert->get_subject(cert));
836 certs->write_data24(certs, data);
837 free(data.ptr);
838 }
839 }
840 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
841 while (enumerator->enumerate(enumerator, &rule, &cert))
842 {
843 if (rule == AUTH_RULE_IM_CERT)
844 {
845 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
846 {
847 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
848 cert->get_subject(cert));
849 certs->write_data24(certs, data);
850 free(data.ptr);
851 }
852 }
853 }
854 enumerator->destroy(enumerator);
855 }
856
857 writer->write_data24(writer, certs->get_buf(certs));
858 certs->destroy(certs);
859
860 *type = TLS_CERTIFICATE;
861 this->state = STATE_CERT_SENT;
862 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
863 return NEED_MORE;
864 }
865
866 /**
867 * Send client key exchange, using premaster encryption
868 */
869 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
870 tls_handshake_type_t *type, bio_writer_t *writer)
871 {
872 public_key_t *public;
873 rng_t *rng;
874 char premaster[48];
875 chunk_t encrypted;
876
877 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
878 if (!rng)
879 {
880 DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
881 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
882 return NEED_MORE;
883 }
884 rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
885 rng->destroy(rng);
886 htoun16(premaster, TLS_1_2);
887
888 this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
889 chunk_from_thing(this->client_random),
890 chunk_from_thing(this->server_random));
891
892 public = find_public_key(this);
893 if (!public)
894 {
895 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
896 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
897 return NEED_MORE;
898 }
899 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
900 chunk_from_thing(premaster), &encrypted))
901 {
902 public->destroy(public);
903 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
904 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
905 return NEED_MORE;
906 }
907 public->destroy(public);
908
909 writer->write_data16(writer, encrypted);
910 free(encrypted.ptr);
911
912 *type = TLS_CLIENT_KEY_EXCHANGE;
913 this->state = STATE_KEY_EXCHANGE_SENT;
914 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
915 return NEED_MORE;
916 }
917
918 /**
919 * Send client key exchange, using DHE exchange
920 */
921 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
922 tls_handshake_type_t *type, bio_writer_t *writer)
923 {
924 chunk_t premaster, pub;
925
926 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
927 {
928 DBG1(DBG_TLS, "calculating premaster from DH failed");
929 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
930 return NEED_MORE;
931 }
932 this->crypto->derive_secrets(this->crypto, premaster,
933 chunk_from_thing(this->client_random),
934 chunk_from_thing(this->server_random));
935 chunk_clear(&premaster);
936
937 this->dh->get_my_public_value(this->dh, &pub);
938 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
939 {
940 writer->write_data16(writer, pub);
941 }
942 else
943 { /* ECP uses 8bit length header only, but a point format */
944 writer->write_uint8(writer, pub.len + 1);
945 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
946 writer->write_data(writer, pub);
947 }
948 free(pub.ptr);
949
950 *type = TLS_CLIENT_KEY_EXCHANGE;
951 this->state = STATE_KEY_EXCHANGE_SENT;
952 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
953 return NEED_MORE;
954 }
955
956 /**
957 * Send client key exchange, depending on suite
958 */
959 static status_t send_key_exchange(private_tls_peer_t *this,
960 tls_handshake_type_t *type, bio_writer_t *writer)
961 {
962 if (this->dh)
963 {
964 return send_key_exchange_dhe(this, type, writer);
965 }
966 return send_key_exchange_encrypt(this, type, writer);
967 }
968
969 /**
970 * Send certificate verify
971 */
972 static status_t send_certificate_verify(private_tls_peer_t *this,
973 tls_handshake_type_t *type, bio_writer_t *writer)
974 {
975 if (!this->private ||
976 !this->crypto->sign_handshake(this->crypto, this->private,
977 writer, this->hashsig))
978 {
979 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
980 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
981 return NEED_MORE;
982 }
983
984 *type = TLS_CERTIFICATE_VERIFY;
985 this->state = STATE_VERIFY_SENT;
986 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
987 return NEED_MORE;
988 }
989
990 /**
991 * Send Finished
992 */
993 static status_t send_finished(private_tls_peer_t *this,
994 tls_handshake_type_t *type, bio_writer_t *writer)
995 {
996 char buf[12];
997
998 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
999 {
1000 DBG1(DBG_TLS, "calculating client finished data failed");
1001 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1002 return NEED_MORE;
1003 }
1004
1005 writer->write_data(writer, chunk_from_thing(buf));
1006
1007 *type = TLS_FINISHED;
1008 this->state = STATE_FINISHED_SENT;
1009 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1010 return NEED_MORE;
1011 }
1012
1013 METHOD(tls_handshake_t, build, status_t,
1014 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1015 {
1016 switch (this->state)
1017 {
1018 case STATE_INIT:
1019 return send_client_hello(this, type, writer);
1020 case STATE_HELLO_DONE:
1021 if (this->peer)
1022 {
1023 return send_certificate(this, type, writer);
1024 }
1025 /* otherwise fall through to next state */
1026 case STATE_CERT_SENT:
1027 return send_key_exchange(this, type, writer);
1028 case STATE_KEY_EXCHANGE_SENT:
1029 if (this->peer)
1030 {
1031 return send_certificate_verify(this, type, writer);
1032 }
1033 else
1034 {
1035 return INVALID_STATE;
1036 }
1037 case STATE_CIPHERSPEC_CHANGED_OUT:
1038 return send_finished(this, type, writer);
1039 default:
1040 return INVALID_STATE;
1041 }
1042 }
1043
1044 METHOD(tls_handshake_t, cipherspec_changed, bool,
1045 private_tls_peer_t *this, bool inbound)
1046 {
1047 if (inbound)
1048 {
1049 return this->state == STATE_FINISHED_SENT;
1050 }
1051 else
1052 {
1053 if (this->peer)
1054 {
1055 return this->state == STATE_VERIFY_SENT;
1056 }
1057 return this->state == STATE_KEY_EXCHANGE_SENT;
1058 }
1059 }
1060
1061 METHOD(tls_handshake_t, change_cipherspec, void,
1062 private_tls_peer_t *this, bool inbound)
1063 {
1064 this->crypto->change_cipher(this->crypto, inbound);
1065 if (inbound)
1066 {
1067 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1068 }
1069 else
1070 {
1071 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1072 }
1073 }
1074
1075 METHOD(tls_handshake_t, finished, bool,
1076 private_tls_peer_t *this)
1077 {
1078 return this->state == STATE_COMPLETE;
1079 }
1080
1081 METHOD(tls_handshake_t, destroy, void,
1082 private_tls_peer_t *this)
1083 {
1084 DESTROY_IF(this->private);
1085 DESTROY_IF(this->dh);
1086 this->peer_auth->destroy(this->peer_auth);
1087 this->server_auth->destroy(this->server_auth);
1088 free(this->hashsig.ptr);
1089 free(this->cert_types.ptr);
1090 free(this);
1091 }
1092
1093 /**
1094 * See header
1095 */
1096 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1097 identification_t *peer, identification_t *server)
1098 {
1099 private_tls_peer_t *this;
1100
1101 INIT(this,
1102 .public = {
1103 .handshake = {
1104 .process = _process,
1105 .build = _build,
1106 .cipherspec_changed = _cipherspec_changed,
1107 .change_cipherspec = _change_cipherspec,
1108 .finished = _finished,
1109 .destroy = _destroy,
1110 },
1111 },
1112 .state = STATE_INIT,
1113 .tls = tls,
1114 .crypto = crypto,
1115 .alert = alert,
1116 .peer = peer,
1117 .server = server,
1118 .peer_auth = auth_cfg_create(),
1119 .server_auth = auth_cfg_create(),
1120 );
1121
1122 return &this->public;
1123 }