e9f967e842ca2bb9f150b2fba08a03e2364d889a
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 } peer_state_t;
41
42 /**
43 * Private data of an tls_peer_t object.
44 */
45 struct private_tls_peer_t {
46
47 /**
48 * Public tls_peer_t interface.
49 */
50 tls_peer_t public;
51
52 /**
53 * TLS stack
54 */
55 tls_t *tls;
56
57 /**
58 * TLS crypto context
59 */
60 tls_crypto_t *crypto;
61
62 /**
63 * TLS alert handler
64 */
65 tls_alert_t *alert;
66
67 /**
68 * Peer identity, NULL for no client authentication
69 */
70 identification_t *peer;
71
72 /**
73 * Server identity
74 */
75 identification_t *server;
76
77 /**
78 * State we are in
79 */
80 peer_state_t state;
81
82 /**
83 * Hello random data selected by client
84 */
85 char client_random[32];
86
87 /**
88 * Hello random data selected by server
89 */
90 char server_random[32];
91
92 /**
93 * Auth helper for peer authentication
94 */
95 auth_cfg_t *peer_auth;
96
97 /**
98 * Auth helper for server authentication
99 */
100 auth_cfg_t *server_auth;
101
102 /**
103 * Peer private key
104 */
105 private_key_t *private;
106
107 /**
108 * DHE exchange
109 */
110 diffie_hellman_t *dh;
111
112 /**
113 * Resuming a session?
114 */
115 bool resume;
116
117 /**
118 * TLS session identifier
119 */
120 chunk_t session;
121
122 /**
123 * List of server-supported hashsig algorithms
124 */
125 chunk_t hashsig;
126
127 /**
128 * List of server-supported client certificate types
129 */
130 chunk_t cert_types;
131 };
132
133 /**
134 * Process a server hello message
135 */
136 static status_t process_server_hello(private_tls_peer_t *this,
137 bio_reader_t *reader)
138 {
139 u_int8_t compression;
140 u_int16_t version, cipher;
141 chunk_t random, session, ext = chunk_empty;
142 tls_cipher_suite_t suite = 0;
143
144 this->crypto->append_handshake(this->crypto,
145 TLS_SERVER_HELLO, reader->peek(reader));
146
147 if (!reader->read_uint16(reader, &version) ||
148 !reader->read_data(reader, sizeof(this->server_random), &random) ||
149 !reader->read_data8(reader, &session) ||
150 !reader->read_uint16(reader, &cipher) ||
151 !reader->read_uint8(reader, &compression) ||
152 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
153 {
154 DBG1(DBG_TLS, "received invalid ServerHello");
155 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
156 return NEED_MORE;
157 }
158
159 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
160
161 if (!this->tls->set_version(this->tls, version))
162 {
163 DBG1(DBG_TLS, "negotiated version %N not supported",
164 tls_version_names, version);
165 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
166 return NEED_MORE;
167 }
168
169 if (chunk_equals(this->session, session))
170 {
171 suite = this->crypto->resume_session(this->crypto, session, this->server,
172 chunk_from_thing(this->client_random),
173 chunk_from_thing(this->server_random));
174 if (suite)
175 {
176 DBG1(DBG_TLS, "resumed %N using suite %N",
177 tls_version_names, version, tls_cipher_suite_names, suite);
178 this->resume = TRUE;
179 }
180 }
181 if (!suite)
182 {
183 suite = cipher;
184 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
185 {
186 DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
187 tls_cipher_suite_names, suite);
188 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
189 return NEED_MORE;
190 }
191 DBG1(DBG_TLS, "negotiated %N using suite %N",
192 tls_version_names, version, tls_cipher_suite_names, suite);
193 free(this->session.ptr);
194 this->session = chunk_clone(session);
195 }
196 this->state = STATE_HELLO_RECEIVED;
197 return NEED_MORE;
198 }
199
200 /**
201 * Check if a server certificate is acceptable for the given server identity
202 */
203 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
204 {
205 identification_t *id;
206
207 if (cert->has_subject(cert, this->server))
208 {
209 return TRUE;
210 }
211 id = cert->get_subject(cert);
212 if (id->matches(id, this->server))
213 {
214 return TRUE;
215 }
216 if (cert->get_type(cert) == CERT_X509)
217 {
218 x509_t *x509 = (x509_t*)cert;
219 enumerator_t *enumerator;
220
221 enumerator = x509->create_subjectAltName_enumerator(x509);
222 while (enumerator->enumerate(enumerator, &id))
223 {
224 if (id->matches(id, this->server))
225 {
226 enumerator->destroy(enumerator);
227 return TRUE;
228 }
229 }
230 enumerator->destroy(enumerator);
231 }
232 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
233 return FALSE;
234 }
235
236 /**
237 * Process a Certificate message
238 */
239 static status_t process_certificate(private_tls_peer_t *this,
240 bio_reader_t *reader)
241 {
242 certificate_t *cert;
243 bio_reader_t *certs;
244 chunk_t data;
245 bool first = TRUE;
246
247 this->crypto->append_handshake(this->crypto,
248 TLS_CERTIFICATE, reader->peek(reader));
249
250 if (!reader->read_data24(reader, &data))
251 {
252 DBG1(DBG_TLS, "certificate message header invalid");
253 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
254 return NEED_MORE;
255 }
256 certs = bio_reader_create(data);
257 while (certs->remaining(certs))
258 {
259 if (!certs->read_data24(certs, &data))
260 {
261 DBG1(DBG_TLS, "certificate message invalid");
262 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
263 certs->destroy(certs);
264 return NEED_MORE;
265 }
266 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
267 BUILD_BLOB_ASN1_DER, data, BUILD_END);
268 if (cert)
269 {
270 if (first)
271 {
272 if (!check_certificate(this, cert))
273 {
274 cert->destroy(cert);
275 certs->destroy(certs);
276 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
277 return NEED_MORE;
278 }
279 this->server_auth->add(this->server_auth,
280 AUTH_HELPER_SUBJECT_CERT, cert);
281 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
282 cert->get_subject(cert));
283 first = FALSE;
284 }
285 else
286 {
287 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
288 cert->get_subject(cert));
289 this->server_auth->add(this->server_auth,
290 AUTH_HELPER_IM_CERT, cert);
291 }
292 }
293 else
294 {
295 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
296 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
297 }
298 }
299 certs->destroy(certs);
300 this->state = STATE_CERT_RECEIVED;
301 return NEED_MORE;
302 }
303
304 /**
305 * Find a trusted public key to encrypt/verify key exchange data
306 */
307 static public_key_t *find_public_key(private_tls_peer_t *this)
308 {
309 public_key_t *public = NULL, *current;
310 certificate_t *cert;
311 enumerator_t *enumerator;
312 auth_cfg_t *auth;
313
314 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
315 if (cert)
316 {
317 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
318 KEY_ANY, cert->get_subject(cert), this->server_auth);
319 while (enumerator->enumerate(enumerator, &current, &auth))
320 {
321 public = current->get_ref(current);
322 break;
323 }
324 enumerator->destroy(enumerator);
325 }
326 return public;
327 }
328
329 /**
330 * Process a Key Exchange message using MODP Diffie Hellman
331 */
332 static status_t process_modp_key_exchange(private_tls_peer_t *this,
333 bio_reader_t *reader)
334 {
335 chunk_t prime, generator, pub, chunk;
336 public_key_t *public;
337
338 chunk = reader->peek(reader);
339 if (!reader->read_data16(reader, &prime) ||
340 !reader->read_data16(reader, &generator) ||
341 !reader->read_data16(reader, &pub))
342 {
343 DBG1(DBG_TLS, "received invalid Server Key Exchange");
344 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
345 return NEED_MORE;
346 }
347 public = find_public_key(this);
348 if (!public)
349 {
350 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
351 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
352 return NEED_MORE;
353 }
354
355 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
356 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
357 chunk_from_thing(this->server_random), chunk);
358 if (!this->crypto->verify(this->crypto, public, reader, chunk))
359 {
360 public->destroy(public);
361 free(chunk.ptr);
362 DBG1(DBG_TLS, "verifying DH parameters failed");
363 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
364 return NEED_MORE;
365 }
366 public->destroy(public);
367 free(chunk.ptr);
368
369 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
370 generator, prime);
371 if (!this->dh)
372 {
373 DBG1(DBG_TLS, "custom DH parameters not supported");
374 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
375 return NEED_MORE;
376 }
377 this->dh->set_other_public_value(this->dh, pub);
378
379 this->state = STATE_KEY_EXCHANGE_RECEIVED;
380 return NEED_MORE;
381 }
382
383 /**
384 * Get the EC group for a TLS named curve
385 */
386 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
387 tls_named_curve_t curve)
388 {
389 diffie_hellman_group_t group;
390 tls_named_curve_t current;
391 enumerator_t *enumerator;
392
393 enumerator = this->crypto->create_ec_enumerator(this->crypto);
394 while (enumerator->enumerate(enumerator, &group, &current))
395 {
396 if (current == curve)
397 {
398 enumerator->destroy(enumerator);
399 return group;
400 }
401 }
402 enumerator->destroy(enumerator);
403 return 0;
404 }
405
406 /**
407 * Process a Key Exchange message using EC Diffie Hellman
408 */
409 static status_t process_ec_key_exchange(private_tls_peer_t *this,
410 bio_reader_t *reader)
411 {
412 diffie_hellman_group_t group;
413 public_key_t *public;
414 u_int8_t type;
415 u_int16_t curve;
416 chunk_t pub, chunk;
417
418 chunk = reader->peek(reader);
419 if (!reader->read_uint8(reader, &type))
420 {
421 DBG1(DBG_TLS, "received invalid Server Key Exchange");
422 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
423 return NEED_MORE;
424 }
425 if (type != TLS_ECC_NAMED_CURVE)
426 {
427 DBG1(DBG_TLS, "ECDH curve type %N not supported",
428 tls_ecc_curve_type_names, type);
429 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
430 return NEED_MORE;
431 }
432 if (!reader->read_uint16(reader, &curve) ||
433 !reader->read_data8(reader, &pub) || pub.len == 0)
434 {
435 DBG1(DBG_TLS, "received invalid Server Key Exchange");
436 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
437 return NEED_MORE;
438 }
439
440 group = curve_to_ec_group(this, curve);
441 if (!group)
442 {
443 DBG1(DBG_TLS, "ECDH curve %N not supported",
444 tls_named_curve_names, curve);
445 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
446 return NEED_MORE;
447 }
448
449 public = find_public_key(this);
450 if (!public)
451 {
452 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
453 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
454 return NEED_MORE;
455 }
456
457 chunk.len = 4 + pub.len;
458 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
459 chunk_from_thing(this->server_random), chunk);
460 if (!this->crypto->verify(this->crypto, public, reader, chunk))
461 {
462 public->destroy(public);
463 free(chunk.ptr);
464 DBG1(DBG_TLS, "verifying DH parameters failed");
465 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
466 return NEED_MORE;
467 }
468 public->destroy(public);
469 free(chunk.ptr);
470
471 this->dh = lib->crypto->create_dh(lib->crypto, group);
472 if (!this->dh)
473 {
474 DBG1(DBG_TLS, "DH group %N not supported",
475 diffie_hellman_group_names, group);
476 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
477 return NEED_MORE;
478 }
479
480 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
481 {
482 DBG1(DBG_TLS, "DH point format '%N' not supported",
483 tls_ansi_point_format_names, pub.ptr[0]);
484 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
485 return NEED_MORE;
486 }
487 this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
488
489 this->state = STATE_KEY_EXCHANGE_RECEIVED;
490 return NEED_MORE;
491 }
492
493 /**
494 * Process a Server Key Exchange
495 */
496 static status_t process_key_exchange(private_tls_peer_t *this,
497 bio_reader_t *reader)
498 {
499 diffie_hellman_group_t group;
500
501 this->crypto->append_handshake(this->crypto,
502 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
503
504 group = this->crypto->get_dh_group(this->crypto);
505 if (group == MODP_NONE)
506 {
507 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
508 "for current suite");
509 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
510 return NEED_MORE;
511 }
512 if (diffie_hellman_group_is_ec(group))
513 {
514 return process_ec_key_exchange(this, reader);
515 }
516 return process_modp_key_exchange(this, reader);
517 }
518
519 /**
520 * Process a Certificate Request message
521 */
522 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
523 {
524 chunk_t types, hashsig, data;
525 bio_reader_t *authorities;
526 identification_t *id;
527 certificate_t *cert;
528
529 if (!this->peer)
530 {
531 DBG1(DBG_TLS, "server requested a certificate, but client "
532 "authentication disabled");
533 }
534 this->crypto->append_handshake(this->crypto,
535 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
536
537 if (!reader->read_data8(reader, &types))
538 {
539 DBG1(DBG_TLS, "certreq message header invalid");
540 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
541 return NEED_MORE;
542 }
543 this->cert_types = chunk_clone(types);
544 if (this->tls->get_version(this->tls) >= TLS_1_2)
545 {
546 if (!reader->read_data16(reader, &hashsig))
547 {
548 DBG1(DBG_TLS, "certreq message invalid");
549 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
550 return NEED_MORE;
551 }
552 this->hashsig = chunk_clone(hashsig);
553 }
554 if (!reader->read_data16(reader, &data))
555 {
556 DBG1(DBG_TLS, "certreq message invalid");
557 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
558 return NEED_MORE;
559 }
560 authorities = bio_reader_create(data);
561 while (authorities->remaining(authorities))
562 {
563 if (!authorities->read_data16(authorities, &data))
564 {
565 DBG1(DBG_TLS, "certreq message invalid");
566 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
567 authorities->destroy(authorities);
568 return NEED_MORE;
569 }
570 if (this->peer)
571 {
572 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
573 cert = lib->credmgr->get_cert(lib->credmgr,
574 CERT_X509, KEY_ANY, id, TRUE);
575 if (cert)
576 {
577 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
578 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
579 }
580 else
581 {
582 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
583 }
584 id->destroy(id);
585 }
586 }
587 authorities->destroy(authorities);
588 this->state = STATE_CERTREQ_RECEIVED;
589 return NEED_MORE;
590 }
591
592 /**
593 * Process Hello Done message
594 */
595 static status_t process_hello_done(private_tls_peer_t *this,
596 bio_reader_t *reader)
597 {
598 this->crypto->append_handshake(this->crypto,
599 TLS_SERVER_HELLO_DONE, reader->peek(reader));
600 this->state = STATE_HELLO_DONE;
601 return NEED_MORE;
602 }
603
604 /**
605 * Process finished message
606 */
607 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
608 {
609 chunk_t received;
610 char buf[12];
611
612 if (!reader->read_data(reader, sizeof(buf), &received))
613 {
614 DBG1(DBG_TLS, "received server finished too short");
615 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
616 return NEED_MORE;
617 }
618 if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
619 {
620 DBG1(DBG_TLS, "calculating server finished failed");
621 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
622 return NEED_MORE;
623 }
624 if (!chunk_equals(received, chunk_from_thing(buf)))
625 {
626 DBG1(DBG_TLS, "received server finished invalid");
627 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
628 return NEED_MORE;
629 }
630 this->state = STATE_FINISHED_RECEIVED;
631 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
632
633 return NEED_MORE;
634 }
635
636 METHOD(tls_handshake_t, process, status_t,
637 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
638 {
639 tls_handshake_type_t expected;
640
641 switch (this->state)
642 {
643 case STATE_HELLO_SENT:
644 if (type == TLS_SERVER_HELLO)
645 {
646 return process_server_hello(this, reader);
647 }
648 expected = TLS_SERVER_HELLO;
649 break;
650 case STATE_HELLO_RECEIVED:
651 if (type == TLS_CERTIFICATE)
652 {
653 return process_certificate(this, reader);
654 }
655 expected = TLS_CERTIFICATE;
656 break;
657 case STATE_CERT_RECEIVED:
658 if (type == TLS_SERVER_KEY_EXCHANGE)
659 {
660 return process_key_exchange(this, reader);
661 }
662 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
663 case STATE_KEY_EXCHANGE_RECEIVED:
664 if (type == TLS_CERTIFICATE_REQUEST)
665 {
666 return process_certreq(this, reader);
667 }
668 this->peer = NULL;
669 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
670 case STATE_CERTREQ_RECEIVED:
671 if (type == TLS_SERVER_HELLO_DONE)
672 {
673 return process_hello_done(this, reader);
674 }
675 expected = TLS_SERVER_HELLO_DONE;
676 break;
677 case STATE_CIPHERSPEC_CHANGED_IN:
678 if (type == TLS_FINISHED)
679 {
680 return process_finished(this, reader);
681 }
682 expected = TLS_FINISHED;
683 break;
684 default:
685 DBG1(DBG_TLS, "TLS %N not expected in current state",
686 tls_handshake_type_names, type);
687 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
688 return NEED_MORE;
689 }
690 DBG1(DBG_TLS, "TLS %N expected, but received %N",
691 tls_handshake_type_names, expected, tls_handshake_type_names, type);
692 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
693 return NEED_MORE;
694 }
695
696 /**
697 * Send a client hello
698 */
699 static status_t send_client_hello(private_tls_peer_t *this,
700 tls_handshake_type_t *type, bio_writer_t *writer)
701 {
702 tls_cipher_suite_t *suites;
703 bio_writer_t *extensions, *curves = NULL;
704 tls_version_t version;
705 tls_named_curve_t curve;
706 enumerator_t *enumerator;
707 int count, i;
708 rng_t *rng;
709
710 htoun32(&this->client_random, time(NULL));
711 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
712 if (!rng ||
713 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
714 this->client_random + 4))
715 {
716 DBG1(DBG_TLS, "failed to generate client random");
717 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
718 DESTROY_IF(rng);
719 return NEED_MORE;
720 }
721 rng->destroy(rng);
722
723 /* TLS version */
724 version = this->tls->get_version(this->tls);
725 writer->write_uint16(writer, version);
726 writer->write_data(writer, chunk_from_thing(this->client_random));
727
728 /* session identifier */
729 this->session = this->crypto->get_session(this->crypto, this->server);
730 writer->write_data8(writer, this->session);
731
732 /* add TLS cipher suites */
733 count = this->crypto->get_cipher_suites(this->crypto, &suites);
734 writer->write_uint16(writer, count * 2);
735 for (i = 0; i < count; i++)
736 {
737 writer->write_uint16(writer, suites[i]);
738 }
739
740 /* NULL compression only */
741 writer->write_uint8(writer, 1);
742 writer->write_uint8(writer, 0);
743
744 extensions = bio_writer_create(32);
745
746 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
747 this->crypto->get_signature_algorithms(this->crypto, extensions);
748
749 /* add supported Elliptic Curves, if any */
750 enumerator = this->crypto->create_ec_enumerator(this->crypto);
751 while (enumerator->enumerate(enumerator, NULL, &curve))
752 {
753 if (!curves)
754 {
755 extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
756 curves = bio_writer_create(16);
757 }
758 curves->write_uint16(curves, curve);
759 }
760 enumerator->destroy(enumerator);
761 if (curves)
762 {
763 extensions->write_data16(extensions, curves->get_buf(curves));
764 curves->destroy(curves);
765
766 /* if we support curves, add point format extension */
767 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
768 extensions->write_uint16(extensions, 2);
769 extensions->write_uint8(extensions, 1);
770 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
771 }
772 if (this->server->get_type(this->server) == ID_FQDN)
773 {
774 bio_writer_t *names;
775
776 DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
777
778 names = bio_writer_create(8);
779 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
780 names->write_data16(names, this->server->get_encoding(this->server));
781 names->wrap16(names);
782 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
783 extensions->write_data16(extensions, names->get_buf(names));
784 names->destroy(names);
785 }
786
787 writer->write_data16(writer, extensions->get_buf(extensions));
788 extensions->destroy(extensions);
789
790 *type = TLS_CLIENT_HELLO;
791 this->state = STATE_HELLO_SENT;
792 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
793 return NEED_MORE;
794 }
795
796 /**
797 * Find a private key suitable to sign Certificate Verify
798 */
799 static private_key_t *find_private_key(private_tls_peer_t *this)
800 {
801 private_key_t *key = NULL;
802 bio_reader_t *reader;
803 key_type_t type;
804 u_int8_t cert;
805
806 if (!this->peer)
807 {
808 return NULL;
809 }
810 reader = bio_reader_create(this->cert_types);
811 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
812 {
813 switch (cert)
814 {
815 case TLS_RSA_SIGN:
816 type = KEY_RSA;
817 break;
818 case TLS_ECDSA_SIGN:
819 type = KEY_ECDSA;
820 break;
821 default:
822 continue;
823 }
824 key = lib->credmgr->get_private(lib->credmgr, type,
825 this->peer, this->peer_auth);
826 if (key)
827 {
828 break;
829 }
830 }
831 reader->destroy(reader);
832 return key;
833 }
834
835 /**
836 * Send Certificate
837 */
838 static status_t send_certificate(private_tls_peer_t *this,
839 tls_handshake_type_t *type, bio_writer_t *writer)
840 {
841 enumerator_t *enumerator;
842 certificate_t *cert;
843 auth_rule_t rule;
844 bio_writer_t *certs;
845 chunk_t data;
846
847 this->private = find_private_key(this);
848 if (!this->private)
849 {
850 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
851 "skipping client authentication", this->peer);
852 this->peer = NULL;
853 }
854
855 /* generate certificate payload */
856 certs = bio_writer_create(256);
857 if (this->peer)
858 {
859 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
860 if (cert)
861 {
862 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
863 {
864 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
865 cert->get_subject(cert));
866 certs->write_data24(certs, data);
867 free(data.ptr);
868 }
869 }
870 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
871 while (enumerator->enumerate(enumerator, &rule, &cert))
872 {
873 if (rule == AUTH_RULE_IM_CERT)
874 {
875 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
876 {
877 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
878 cert->get_subject(cert));
879 certs->write_data24(certs, data);
880 free(data.ptr);
881 }
882 }
883 }
884 enumerator->destroy(enumerator);
885 }
886
887 writer->write_data24(writer, certs->get_buf(certs));
888 certs->destroy(certs);
889
890 *type = TLS_CERTIFICATE;
891 this->state = STATE_CERT_SENT;
892 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
893 return NEED_MORE;
894 }
895
896 /**
897 * Send client key exchange, using premaster encryption
898 */
899 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
900 tls_handshake_type_t *type, bio_writer_t *writer)
901 {
902 public_key_t *public;
903 rng_t *rng;
904 char premaster[48];
905 chunk_t encrypted;
906
907 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
908 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
909 {
910 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
911 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
912 DESTROY_IF(rng);
913 return NEED_MORE;
914 }
915 rng->destroy(rng);
916 htoun16(premaster, TLS_1_2);
917
918 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
919 this->session, this->server,
920 chunk_from_thing(this->client_random),
921 chunk_from_thing(this->server_random)))
922 {
923 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
924 return NEED_MORE;
925 }
926
927 public = find_public_key(this);
928 if (!public)
929 {
930 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
931 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
932 return NEED_MORE;
933 }
934 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
935 chunk_from_thing(premaster), &encrypted))
936 {
937 public->destroy(public);
938 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
939 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
940 return NEED_MORE;
941 }
942 public->destroy(public);
943
944 writer->write_data16(writer, encrypted);
945 free(encrypted.ptr);
946
947 *type = TLS_CLIENT_KEY_EXCHANGE;
948 this->state = STATE_KEY_EXCHANGE_SENT;
949 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
950 return NEED_MORE;
951 }
952
953 /**
954 * Send client key exchange, using DHE exchange
955 */
956 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
957 tls_handshake_type_t *type, bio_writer_t *writer)
958 {
959 chunk_t premaster, pub;
960
961 if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
962 {
963 DBG1(DBG_TLS, "calculating premaster from DH failed");
964 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
965 return NEED_MORE;
966 }
967 if (!this->crypto->derive_secrets(this->crypto, premaster,
968 this->session, this->server,
969 chunk_from_thing(this->client_random),
970 chunk_from_thing(this->server_random)))
971 {
972 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
973 chunk_clear(&premaster);
974 return NEED_MORE;
975 }
976 chunk_clear(&premaster);
977
978 this->dh->get_my_public_value(this->dh, &pub);
979 if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
980 {
981 writer->write_data16(writer, pub);
982 }
983 else
984 { /* ECP uses 8bit length header only, but a point format */
985 writer->write_uint8(writer, pub.len + 1);
986 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
987 writer->write_data(writer, pub);
988 }
989 free(pub.ptr);
990
991 *type = TLS_CLIENT_KEY_EXCHANGE;
992 this->state = STATE_KEY_EXCHANGE_SENT;
993 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
994 return NEED_MORE;
995 }
996
997 /**
998 * Send client key exchange, depending on suite
999 */
1000 static status_t send_key_exchange(private_tls_peer_t *this,
1001 tls_handshake_type_t *type, bio_writer_t *writer)
1002 {
1003 if (this->dh)
1004 {
1005 return send_key_exchange_dhe(this, type, writer);
1006 }
1007 return send_key_exchange_encrypt(this, type, writer);
1008 }
1009
1010 /**
1011 * Send certificate verify
1012 */
1013 static status_t send_certificate_verify(private_tls_peer_t *this,
1014 tls_handshake_type_t *type, bio_writer_t *writer)
1015 {
1016 if (!this->private ||
1017 !this->crypto->sign_handshake(this->crypto, this->private,
1018 writer, this->hashsig))
1019 {
1020 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1021 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1022 return NEED_MORE;
1023 }
1024
1025 *type = TLS_CERTIFICATE_VERIFY;
1026 this->state = STATE_VERIFY_SENT;
1027 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1028 return NEED_MORE;
1029 }
1030
1031 /**
1032 * Send Finished
1033 */
1034 static status_t send_finished(private_tls_peer_t *this,
1035 tls_handshake_type_t *type, bio_writer_t *writer)
1036 {
1037 char buf[12];
1038
1039 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1040 {
1041 DBG1(DBG_TLS, "calculating client finished data failed");
1042 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1043 return NEED_MORE;
1044 }
1045
1046 writer->write_data(writer, chunk_from_thing(buf));
1047
1048 *type = TLS_FINISHED;
1049 this->state = STATE_FINISHED_SENT;
1050 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1051 return NEED_MORE;
1052 }
1053
1054 METHOD(tls_handshake_t, build, status_t,
1055 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1056 {
1057 switch (this->state)
1058 {
1059 case STATE_INIT:
1060 return send_client_hello(this, type, writer);
1061 case STATE_HELLO_DONE:
1062 if (this->peer)
1063 {
1064 return send_certificate(this, type, writer);
1065 }
1066 /* otherwise fall through to next state */
1067 case STATE_CERT_SENT:
1068 return send_key_exchange(this, type, writer);
1069 case STATE_KEY_EXCHANGE_SENT:
1070 if (this->peer)
1071 {
1072 return send_certificate_verify(this, type, writer);
1073 }
1074 else
1075 {
1076 return INVALID_STATE;
1077 }
1078 case STATE_CIPHERSPEC_CHANGED_OUT:
1079 return send_finished(this, type, writer);
1080 default:
1081 return INVALID_STATE;
1082 }
1083 }
1084
1085 METHOD(tls_handshake_t, cipherspec_changed, bool,
1086 private_tls_peer_t *this, bool inbound)
1087 {
1088 if (inbound)
1089 {
1090 if (this->resume)
1091 {
1092 return this->state == STATE_HELLO_RECEIVED;
1093 }
1094 return this->state == STATE_FINISHED_SENT;
1095 }
1096 else
1097 {
1098 if (this->resume)
1099 {
1100 return this->state == STATE_FINISHED_RECEIVED;
1101 }
1102 if (this->peer)
1103 {
1104 return this->state == STATE_VERIFY_SENT;
1105 }
1106 return this->state == STATE_KEY_EXCHANGE_SENT;
1107 }
1108 }
1109
1110 METHOD(tls_handshake_t, change_cipherspec, void,
1111 private_tls_peer_t *this, bool inbound)
1112 {
1113 this->crypto->change_cipher(this->crypto, inbound);
1114 if (inbound)
1115 {
1116 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1117 }
1118 else
1119 {
1120 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1121 }
1122 }
1123
1124 METHOD(tls_handshake_t, finished, bool,
1125 private_tls_peer_t *this)
1126 {
1127 if (this->resume)
1128 {
1129 return this->state == STATE_FINISHED_SENT;
1130 }
1131 return this->state == STATE_FINISHED_RECEIVED;
1132 }
1133
1134 METHOD(tls_handshake_t, destroy, void,
1135 private_tls_peer_t *this)
1136 {
1137 DESTROY_IF(this->private);
1138 DESTROY_IF(this->dh);
1139 this->peer_auth->destroy(this->peer_auth);
1140 this->server_auth->destroy(this->server_auth);
1141 free(this->hashsig.ptr);
1142 free(this->cert_types.ptr);
1143 free(this->session.ptr);
1144 free(this);
1145 }
1146
1147 /**
1148 * See header
1149 */
1150 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1151 identification_t *peer, identification_t *server)
1152 {
1153 private_tls_peer_t *this;
1154
1155 INIT(this,
1156 .public = {
1157 .handshake = {
1158 .process = _process,
1159 .build = _build,
1160 .cipherspec_changed = _cipherspec_changed,
1161 .change_cipherspec = _change_cipherspec,
1162 .finished = _finished,
1163 .destroy = _destroy,
1164 },
1165 },
1166 .state = STATE_INIT,
1167 .tls = tls,
1168 .crypto = crypto,
1169 .alert = alert,
1170 .peer = peer,
1171 .server = server,
1172 .peer_auth = auth_cfg_create(),
1173 .server_auth = auth_cfg_create(),
1174 );
1175
1176 return &this->public;
1177 }