96ce37447217b1b44059de30d69099756d91c7d3
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_peer.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20
21 #include <time.h>
22
23 typedef struct private_tls_peer_t private_tls_peer_t;
24
25 typedef enum {
26 STATE_INIT,
27 STATE_HELLO_SENT,
28 STATE_HELLO_RECEIVED,
29 STATE_HELLO_DONE,
30 STATE_CERT_SENT,
31 STATE_CERT_RECEIVED,
32 STATE_KEY_EXCHANGE_RECEIVED,
33 STATE_CERTREQ_RECEIVED,
34 STATE_KEY_EXCHANGE_SENT,
35 STATE_VERIFY_SENT,
36 STATE_CIPHERSPEC_CHANGED_OUT,
37 STATE_FINISHED_SENT,
38 STATE_CIPHERSPEC_CHANGED_IN,
39 STATE_FINISHED_RECEIVED,
40 /* new states in TLS 1.3 */
41 STATE_HELLORETRYREQ_RECEIVED,
42 STATE_ENCRYPTED_EXTENSIONS_RECEIVED,
43 STATE_CERT_VERIFY_RECEIVED,
44 STATE_FINISHED_SENT_KEY_SWITCHED,
45
46 } peer_state_t;
47
48 /**
49 * Private data of an tls_peer_t object.
50 */
51 struct private_tls_peer_t {
52
53 /**
54 * Public tls_peer_t interface.
55 */
56 tls_peer_t public;
57
58 /**
59 * TLS stack
60 */
61 tls_t *tls;
62
63 /**
64 * TLS crypto context
65 */
66 tls_crypto_t *crypto;
67
68 /**
69 * TLS alert handler
70 */
71 tls_alert_t *alert;
72
73 /**
74 * Peer identity, NULL for no client authentication
75 */
76 identification_t *peer;
77
78 /**
79 * Server identity
80 */
81 identification_t *server;
82
83 /**
84 * State we are in
85 */
86 peer_state_t state;
87
88 /**
89 * TLS version we offered in hello
90 */
91 tls_version_t hello_version;
92
93 /**
94 * Hello random data selected by client
95 */
96 char client_random[32];
97
98 /**
99 * Hello random data selected by server
100 */
101 char server_random[32];
102
103 /**
104 * Auth helper for peer authentication
105 */
106 auth_cfg_t *peer_auth;
107
108 /**
109 * Auth helper for server authentication
110 */
111 auth_cfg_t *server_auth;
112
113 /**
114 * Peer private key
115 */
116 private_key_t *private;
117
118 /**
119 * DHE exchange
120 */
121 diffie_hellman_t *dh;
122
123 /**
124 * Resuming a session?
125 */
126 bool resume;
127
128 /**
129 * TLS session identifier
130 */
131 chunk_t session;
132
133 /**
134 * List of server-supported hashsig algorithms
135 */
136 chunk_t hashsig;
137
138 /**
139 * List of server-supported client certificate types
140 */
141 chunk_t cert_types;
142 };
143
144 /**
145 * Process a server hello message
146 */
147 static status_t process_server_hello(private_tls_peer_t *this,
148 bio_reader_t *reader)
149 {
150 uint8_t compression;
151 uint16_t version, cipher;
152 chunk_t random, session, ext = chunk_empty, ext_key_share = chunk_empty;
153 tls_cipher_suite_t suite = 0;
154 int offset = 0;
155 uint16_t extension_type, extension_length;
156 uint16_t key_type, key_length;
157
158 this->crypto->append_handshake(this->crypto,
159 TLS_SERVER_HELLO, reader->peek(reader));
160
161 if (!reader->read_uint16(reader, &version) ||
162 !reader->read_data(reader, sizeof(this->server_random), &random) ||
163 !reader->read_data8(reader, &session) ||
164 !reader->read_uint16(reader, &cipher) ||
165 !reader->read_uint8(reader, &compression) ||
166 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
167 {
168 DBG1(DBG_TLS, "received invalid ServerHello");
169 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
170 return NEED_MORE;
171 }
172
173 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
174
175 bio_reader_t *extension_reader = bio_reader_create(ext);
176
177 /* parse extension to decide which tls version of the state machine we
178 * want to go
179 */
180 while (offset < ext.len)
181 {
182 chunk_t extension_payload = chunk_empty;
183
184 extension_reader->read_uint16(extension_reader, &extension_type);
185 extension_reader->read_uint16(extension_reader, &extension_length);
186 offset += extension_length + 4;
187
188 if (!extension_reader->read_data(extension_reader,
189 extension_length,
190 &extension_payload))
191 {
192 DBG2(DBG_TLS, "unable to read extension payload data");
193 }
194
195 bio_reader_t *ext_payload_reader = bio_reader_create(extension_payload);
196
197 switch (extension_type)
198 {
199 case TLS_EXT_SUPPORTED_VERSIONS:
200 ext_payload_reader->read_uint16(ext_payload_reader, &version);
201 break;
202
203 case TLS_EXT_KEY_SHARE:
204 ext_payload_reader->read_uint16(ext_payload_reader, &key_type);
205 ext_payload_reader->read_uint16(ext_payload_reader, &key_length);
206 if (!ext_payload_reader->read_data(ext_payload_reader,
207 key_length,
208 &ext_key_share))
209 {
210 DBG2(DBG_TLS, "no valid key share found in extension");
211 }
212 break;
213 default:
214 continue;
215 }
216 ext_payload_reader->destroy(ext_payload_reader);
217 }
218 extension_reader->destroy(extension_reader);
219
220 if (!this->tls->set_version(this->tls, version))
221 {
222 DBG1(DBG_TLS, "negotiated version %N not supported",
223 tls_version_names, version);
224 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
225 return NEED_MORE;
226 }
227
228 if (this->tls->get_version_max(this->tls) < TLS_1_3)
229 {
230 if (chunk_equals(this->session, session))
231 {
232 suite = this->crypto->resume_session(this->crypto, session,
233 this->server, chunk_from_thing
234 (this->client_random),
235 chunk_from_thing
236 (this->server_random));
237 if (suite)
238 {
239 DBG1(DBG_TLS, "resumed %N using suite %N",
240 tls_version_names, version, tls_cipher_suite_names, suite);
241 this->resume = TRUE;
242 }
243 }
244 DESTROY_IF(this->dh);
245 this->dh = NULL;
246 }
247 if (!suite)
248 {
249 suite = cipher;
250 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
251 {
252 DBG1(DBG_TLS, "received TLS cipher suite %N unacceptable",
253 tls_cipher_suite_names, suite);
254 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
255 return NEED_MORE;
256 }
257 DBG1(DBG_TLS, "negotiated %N using suite %N",
258 tls_version_names, version, tls_cipher_suite_names, suite);
259 free(this->session.ptr);
260 this->session = chunk_clone(session);
261 }
262
263 if (this->tls->get_version_max(this->tls) == TLS_1_3)
264 {
265 chunk_t shared_secret = chunk_empty;
266
267 if (!this->dh->set_other_public_value(this->dh, ext_key_share) ||
268 !this->dh->get_shared_secret(this->dh, &shared_secret) ||
269 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
270 {
271 DBG1(DBG_TLS, "DH key derivation failed");
272 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
273 chunk_clear(&shared_secret);
274 return NEED_MORE;
275 }
276 chunk_clear(&shared_secret);
277
278 this->crypto->change_cipher(this->crypto, TRUE);
279 this->crypto->change_cipher(this->crypto, FALSE);
280 }
281
282 this->state = STATE_HELLO_RECEIVED;
283 return NEED_MORE;
284 }
285
286 /**
287 * Process a server encrypted extensions message
288 */
289 static status_t process_encrypted_extensions(private_tls_peer_t *this,
290 bio_reader_t *reader)
291 {
292 uint16_t length;
293 chunk_t ext = chunk_empty;
294 int offset = 0;
295 uint16_t extension_type, extension_length;
296
297 this->crypto->append_handshake(this->crypto,
298 TLS_ENCRYPTED_EXTENSIONS, reader->peek(reader));
299
300
301 if (!reader->read_uint16(reader, &length) ||
302 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
303 {
304 DBG1(DBG_TLS, "received invalid EncryptedExtensions");
305 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
306 return NEED_MORE;
307 }
308 if (ext.len == 0)
309 {
310 this->state = STATE_ENCRYPTED_EXTENSIONS_RECEIVED;
311 return NEED_MORE;
312 }
313 else
314 {
315 bio_reader_t *extension_reader = bio_reader_create(ext);
316
317 while (offset < ext.len)
318 {
319 chunk_t extension_payload = chunk_empty;
320 extension_reader->read_uint16(extension_reader, &extension_type);
321 extension_reader->read_uint16(extension_reader, &extension_length);
322 offset += extension_length + 4;
323
324 if (!extension_reader->read_data(extension_reader,
325 extension_length,
326 &extension_payload))
327 {
328 DBG2(DBG_TLS, "unable to read extension payload data");
329 }
330 switch (extension_type)
331 {
332 /* fall through because not supported so far */
333 case TLS_EXT_SERVER_NAME:
334 case TLS_EXT_MAX_FRAGMENT_LENGTH:
335 case TLS_EXT_SUPPORTED_GROUPS:
336 case TLS_EXT_USE_SRTP:
337 case TLS_EXT_HEARTBEAT:
338 case TLS_EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION:
339 case TLS_SERVER_CERTIFICATE_TYPE:
340 this->state = STATE_ENCRYPTED_EXTENSIONS_RECEIVED;
341 extension_reader->destroy(extension_reader);
342 break;
343 default:
344 DBG1(DBG_TLS, "received forbidden EncryptedExtensions");
345 this->alert->add(this->alert, TLS_FATAL,
346 TLS_ILLEGAL_PARAMETER);
347 extension_reader->destroy(extension_reader);
348 return NEED_MORE;
349 }
350 }
351
352 }
353 return NEED_MORE;
354 }
355
356 /**
357 * Check if a server certificate is acceptable for the given server identity
358 */
359 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
360 {
361 identification_t *id;
362
363 if (cert->has_subject(cert, this->server))
364 {
365 return TRUE;
366 }
367 id = cert->get_subject(cert);
368 if (id->matches(id, this->server))
369 {
370 return TRUE;
371 }
372 if (cert->get_type(cert) == CERT_X509)
373 {
374 x509_t *x509 = (x509_t*)cert;
375 enumerator_t *enumerator;
376
377 enumerator = x509->create_subjectAltName_enumerator(x509);
378 while (enumerator->enumerate(enumerator, &id))
379 {
380 if (id->matches(id, this->server))
381 {
382 enumerator->destroy(enumerator);
383 return TRUE;
384 }
385 }
386 enumerator->destroy(enumerator);
387 }
388 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
389 return FALSE;
390 }
391
392 /**
393 * Process a Certificate message
394 */
395 static status_t process_certificate(private_tls_peer_t *this,
396 bio_reader_t *reader)
397 {
398 certificate_t *cert;
399 bio_reader_t *certs;
400 chunk_t data;
401 bool first = TRUE;
402
403 this->crypto->append_handshake(this->crypto,
404 TLS_CERTIFICATE, reader->peek(reader));
405
406 if (this->tls->get_version_max(this->tls) > TLS_1_2)
407 {
408 if (!reader->read_data8(reader, &data))
409 {
410 DBG1(DBG_TLS, "certificate request context invalid");
411 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
412 return NEED_MORE;
413 }
414 if (data.len > 0)
415 {
416 DBG1(DBG_TLS, "certificate request context available,"
417 "but CertificateRequest not received");
418 }
419 }
420 if (!reader->read_data24(reader, &data))
421 {
422 DBG1(DBG_TLS, "certificate message header invalid");
423 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
424 return NEED_MORE;
425 }
426 certs = bio_reader_create(data);
427 while (certs->remaining(certs))
428 {
429 if (!certs->read_data24(certs, &data))
430 {
431 DBG1(DBG_TLS, "certificate message invalid");
432 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
433 certs->destroy(certs);
434 return NEED_MORE;
435 }
436 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
437 BUILD_BLOB_ASN1_DER, data, BUILD_END);
438 if (cert)
439 {
440 if (first)
441 {
442 if (!check_certificate(this, cert))
443 {
444 cert->destroy(cert);
445 certs->destroy(certs);
446 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
447 return NEED_MORE;
448 }
449 this->server_auth->add(this->server_auth,
450 AUTH_HELPER_SUBJECT_CERT, cert);
451 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
452 cert->get_subject(cert));
453 first = FALSE;
454 }
455 else
456 {
457 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
458 cert->get_subject(cert));
459 this->server_auth->add(this->server_auth,
460 AUTH_HELPER_IM_CERT, cert);
461 }
462 }
463 else
464 {
465 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
466 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
467 }
468 if (this->tls->get_version_max(this->tls) > TLS_1_2)
469 {
470 if (!certs->read_data16(certs, &data))
471 {
472 DBG1(DBG_TLS, "reading extension field of certificate failed",
473 &data);
474 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
475 return NEED_MORE;
476 }
477 break;
478 }
479 }
480 certs->destroy(certs);
481 this->state = STATE_CERT_RECEIVED;
482 return NEED_MORE;
483 }
484
485 /**
486 * Process Certificate verify
487 */
488 static status_t process_cert_verify(private_tls_peer_t *this,
489 bio_reader_t *reader)
490 {
491 enumerator_t *enumerator;
492 public_key_t *public;
493 auth_cfg_t *auth;
494 bio_reader_t *sig;
495 bool verified = FALSE;
496
497 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
498 KEY_ANY, this->server,
499 this->server_auth, TRUE);
500 while (enumerator->enumerate(enumerator, &public, &auth))
501 {
502 sig = bio_reader_create(reader->peek(reader));
503 verified = this->crypto->verify_handshake(this->crypto, public, sig);
504 sig->destroy(sig);
505 if (verified)
506 {
507 this->server_auth->merge(this->server_auth, auth, FALSE);
508 break;
509 }
510 DBG1(DBG_TLS, "signature verification failed, trying another key");
511 }
512 enumerator->destroy(enumerator);
513
514 if (!verified)
515 {
516 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
517 this->server);
518 this->server->destroy(this->server);
519 this->peer = NULL;
520 this->state = STATE_KEY_EXCHANGE_RECEIVED;
521 }
522 else
523 {
524 this->state = STATE_CERT_VERIFY_RECEIVED;
525 }
526 this->crypto->append_handshake(this->crypto,
527 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
528 return NEED_MORE;
529 }
530
531 /**
532 * Find a trusted public key to encrypt/verify key exchange data
533 */
534 static public_key_t *find_public_key(private_tls_peer_t *this)
535 {
536 public_key_t *public = NULL, *current;
537 certificate_t *cert, *found;
538 enumerator_t *enumerator;
539 auth_cfg_t *auth;
540
541 cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
542 if (cert)
543 {
544 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
545 KEY_ANY, cert->get_subject(cert),
546 this->server_auth, TRUE);
547 while (enumerator->enumerate(enumerator, &current, &auth))
548 {
549 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
550 if (found && cert->equals(cert, found))
551 {
552 public = current->get_ref(current);
553 this->server_auth->merge(this->server_auth, auth, FALSE);
554 break;
555 }
556 }
557 enumerator->destroy(enumerator);
558 }
559 return public;
560 }
561
562 /**
563 * Process a Key Exchange message using MODP Diffie Hellman
564 */
565 static status_t process_modp_key_exchange(private_tls_peer_t *this,
566 bio_reader_t *reader)
567 {
568 chunk_t prime, generator, pub, chunk;
569 public_key_t *public;
570
571 chunk = reader->peek(reader);
572 if (!reader->read_data16(reader, &prime) ||
573 !reader->read_data16(reader, &generator) ||
574 !reader->read_data16(reader, &pub))
575 {
576 DBG1(DBG_TLS, "received invalid Server Key Exchange");
577 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
578 return NEED_MORE;
579 }
580 /* reject (export) DH groups using primes smaller than 1024 bit */
581 if (prime.len < 1024 / 8)
582 {
583 DBG1(DBG_TLS, "short DH prime received (%zu bytes)", prime.len);
584 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
585 return NEED_MORE;
586 }
587 public = find_public_key(this);
588 if (!public)
589 {
590 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
591 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
592 return NEED_MORE;
593 }
594
595 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
596 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
597 chunk_from_thing(this->server_random), chunk);
598 if (!this->crypto->verify(this->crypto, public, reader, chunk))
599 {
600 public->destroy(public);
601 free(chunk.ptr);
602 DBG1(DBG_TLS, "verifying DH parameters failed");
603 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
604 return NEED_MORE;
605 }
606 public->destroy(public);
607 free(chunk.ptr);
608
609 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
610 generator, prime);
611 if (!this->dh)
612 {
613 DBG1(DBG_TLS, "custom DH parameters not supported");
614 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
615 return NEED_MORE;
616 }
617 if (!this->dh->set_other_public_value(this->dh, pub))
618 {
619 DBG1(DBG_TLS, "applying DH public value failed");
620 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
621 return NEED_MORE;
622 }
623
624 this->state = STATE_KEY_EXCHANGE_RECEIVED;
625 return NEED_MORE;
626 }
627
628 /**
629 * Get the EC group for a TLS named curve
630 */
631 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
632 tls_named_group_t curve)
633 {
634 diffie_hellman_group_t group;
635 tls_named_group_t current;
636 enumerator_t *enumerator;
637
638 enumerator = this->crypto->create_ec_enumerator(this->crypto);
639 while (enumerator->enumerate(enumerator, &group, &current))
640 {
641 if (current == curve)
642 {
643 enumerator->destroy(enumerator);
644 return group;
645 }
646 }
647 enumerator->destroy(enumerator);
648 return 0;
649 }
650
651 /**
652 * Process a Key Exchange message using EC Diffie Hellman
653 */
654 static status_t process_ec_key_exchange(private_tls_peer_t *this,
655 bio_reader_t *reader)
656 {
657 diffie_hellman_group_t group;
658 public_key_t *public;
659 uint8_t type;
660 uint16_t curve;
661 chunk_t pub, chunk;
662
663 chunk = reader->peek(reader);
664 if (!reader->read_uint8(reader, &type))
665 {
666 DBG1(DBG_TLS, "received invalid Server Key Exchange");
667 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
668 return NEED_MORE;
669 }
670 if (type != TLS_ECC_NAMED_CURVE)
671 {
672 DBG1(DBG_TLS, "ECDH curve type %N not supported",
673 tls_ecc_curve_type_names, type);
674 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
675 return NEED_MORE;
676 }
677 if (!reader->read_uint16(reader, &curve) ||
678 !reader->read_data8(reader, &pub) || pub.len == 0)
679 {
680 DBG1(DBG_TLS, "received invalid Server Key Exchange");
681 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
682 return NEED_MORE;
683 }
684
685 group = curve_to_ec_group(this, curve);
686 if (!group)
687 {
688 DBG1(DBG_TLS, "ECDH curve %N not supported",
689 tls_named_group_names, curve);
690 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
691 return NEED_MORE;
692 }
693
694 public = find_public_key(this);
695 if (!public)
696 {
697 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
698 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
699 return NEED_MORE;
700 }
701
702 chunk.len = 4 + pub.len;
703 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
704 chunk_from_thing(this->server_random), chunk);
705 if (!this->crypto->verify(this->crypto, public, reader, chunk))
706 {
707 public->destroy(public);
708 free(chunk.ptr);
709 DBG1(DBG_TLS, "verifying DH parameters failed");
710 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
711 return NEED_MORE;
712 }
713 public->destroy(public);
714 free(chunk.ptr);
715
716 this->dh = lib->crypto->create_dh(lib->crypto, group);
717 if (!this->dh)
718 {
719 DBG1(DBG_TLS, "DH group %N not supported",
720 diffie_hellman_group_names, group);
721 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
722 return NEED_MORE;
723 }
724
725 if (group != CURVE_25519 &&
726 group != CURVE_448)
727 { /* classic ECPoint format (see RFC 8422, section 5.4.1) */
728 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
729 {
730 DBG1(DBG_TLS, "DH point format '%N' not supported",
731 tls_ansi_point_format_names, pub.ptr[0]);
732 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
733 return NEED_MORE;
734 }
735 pub = chunk_skip(pub, 1);
736 }
737
738 if (!this->dh->set_other_public_value(this->dh, pub))
739 {
740 DBG1(DBG_TLS, "applying DH public value failed");
741 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
742 return NEED_MORE;
743 }
744
745 this->state = STATE_KEY_EXCHANGE_RECEIVED;
746 return NEED_MORE;
747 }
748
749 /**
750 * Process a Server Key Exchange
751 */
752 static status_t process_key_exchange(private_tls_peer_t *this,
753 bio_reader_t *reader)
754 {
755 diffie_hellman_group_t group;
756
757 this->crypto->append_handshake(this->crypto,
758 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
759
760 group = this->crypto->get_dh_group(this->crypto);
761 if (group == MODP_NONE)
762 {
763 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
764 "for current suite");
765 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
766 return NEED_MORE;
767 }
768 if (diffie_hellman_group_is_ec(group))
769 {
770 return process_ec_key_exchange(this, reader);
771 }
772 return process_modp_key_exchange(this, reader);
773 }
774
775 /**
776 * Process a Certificate Request message
777 */
778 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
779 {
780 chunk_t types, hashsig, data;
781 bio_reader_t *authorities;
782 identification_t *id;
783 certificate_t *cert;
784
785 if (!this->peer)
786 {
787 DBG1(DBG_TLS, "server requested a certificate, but client "
788 "authentication disabled");
789 }
790 this->crypto->append_handshake(this->crypto,
791 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
792
793 if (!reader->read_data8(reader, &types))
794 {
795 DBG1(DBG_TLS, "certreq message header invalid");
796 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
797 return NEED_MORE;
798 }
799 this->cert_types = chunk_clone(types);
800 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
801 {
802 if (!reader->read_data16(reader, &hashsig))
803 {
804 DBG1(DBG_TLS, "certreq message invalid");
805 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
806 return NEED_MORE;
807 }
808 this->hashsig = chunk_clone(hashsig);
809 }
810 if (!reader->read_data16(reader, &data))
811 {
812 DBG1(DBG_TLS, "certreq message invalid");
813 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
814 return NEED_MORE;
815 }
816 authorities = bio_reader_create(data);
817 while (authorities->remaining(authorities))
818 {
819 if (!authorities->read_data16(authorities, &data))
820 {
821 DBG1(DBG_TLS, "certreq message invalid");
822 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
823 authorities->destroy(authorities);
824 return NEED_MORE;
825 }
826 if (this->peer)
827 {
828 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
829 cert = lib->credmgr->get_cert(lib->credmgr,
830 CERT_X509, KEY_ANY, id, TRUE);
831 if (cert)
832 {
833 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
834 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
835 }
836 else
837 {
838 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
839 }
840 id->destroy(id);
841 }
842 }
843 authorities->destroy(authorities);
844 this->state = STATE_CERTREQ_RECEIVED;
845 return NEED_MORE;
846 }
847
848 /**
849 * Process Hello Done message
850 */
851 static status_t process_hello_done(private_tls_peer_t *this,
852 bio_reader_t *reader)
853 {
854 this->crypto->append_handshake(this->crypto,
855 TLS_SERVER_HELLO_DONE, reader->peek(reader));
856 this->state = STATE_HELLO_DONE;
857 return NEED_MORE;
858 }
859
860 /**
861 * Process finished message
862 */
863 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
864 {
865 chunk_t received, verify_data;
866 char buf[12];
867 uint32_t hash_length;
868
869 if (this->tls->get_version_max(this->tls) < TLS_1_3)
870 {
871 if (!reader->read_data(reader, sizeof(buf), &received))
872 {
873 DBG1(DBG_TLS, "received server finished too short");
874 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
875 return NEED_MORE;
876 }
877 if (!this->crypto->calculate_finished(this->crypto, "server finished",
878 buf))
879 {
880 DBG1(DBG_TLS, "calculating server finished failed");
881 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
882 return NEED_MORE;
883 }
884 if (!chunk_equals_const(received, chunk_from_thing(buf)))
885 {
886 DBG1(DBG_TLS, "received server finished invalid");
887 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
888 return NEED_MORE;
889 }
890 }
891 else
892 {
893 hash_length = reader->remaining(reader);
894 if (!reader->read_data(reader, hash_length, &received))
895 {
896 DBG1(DBG_TLS, "received server finished too short");
897 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
898 return NEED_MORE;
899 }
900 if (!this->crypto->calculate_finished_tls13(this->crypto, true,
901 &verify_data))
902 {
903 DBG1(DBG_TLS, "calculating server finished failed");
904 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
905 return NEED_MORE;
906 }
907 if (!chunk_equals(received, verify_data))
908 {
909 DBG1(DBG_TLS, "received server finished invalid");
910 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
911 return NEED_MORE;
912 }
913 }
914 this->state = STATE_FINISHED_RECEIVED;
915 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
916
917 return NEED_MORE;
918 }
919
920 /**
921 * Process New Session Ticket message
922 */
923 static status_t process_new_session_ticket(private_tls_peer_t *this,
924 bio_reader_t *reader)
925 {
926 uint32_t ticket_lifetime, ticket_age_add;
927 chunk_t ticket_nonce, ticket, extensions;
928
929 if (!reader->read_uint32(reader, &ticket_lifetime) ||
930 !reader->read_uint32(reader, &ticket_age_add) ||
931 !reader->read_data8(reader, &ticket_nonce) ||
932 !reader->read_data16(reader, &ticket) ||
933 !reader->read_data16(reader, &extensions))
934 {
935 DBG1(DBG_TLS, "received invalid NewSessionTicket");
936 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
937 return NEED_MORE;
938 }
939 return NEED_MORE;
940 }
941
942 METHOD(tls_handshake_t, process, status_t,
943 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
944 {
945 tls_handshake_type_t expected;
946
947 if (this->tls->get_version_max(this->tls) < TLS_1_3)
948 {
949 switch (this->state)
950 {
951 case STATE_HELLO_SENT:
952 if (type == TLS_SERVER_HELLO)
953 {
954 return process_server_hello(this, reader);
955 }
956 expected = TLS_SERVER_HELLO;
957 break;
958 case STATE_HELLO_RECEIVED:
959 if (type == TLS_CERTIFICATE)
960 {
961 return process_certificate(this, reader);
962 }
963 expected = TLS_CERTIFICATE;
964 break;
965 case STATE_CERT_RECEIVED:
966 if (type == TLS_SERVER_KEY_EXCHANGE)
967 {
968 return process_key_exchange(this, reader);
969 }
970 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
971 case STATE_KEY_EXCHANGE_RECEIVED:
972 if (type == TLS_CERTIFICATE_REQUEST)
973 {
974 return process_certreq(this, reader);
975 }
976 /* no cert request, server does not want to authenticate us */
977 DESTROY_IF(this->peer);
978 this->peer = NULL;
979 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
980 case STATE_CERTREQ_RECEIVED:
981 if (type == TLS_SERVER_HELLO_DONE)
982 {
983 return process_hello_done(this, reader);
984 }
985 expected = TLS_SERVER_HELLO_DONE;
986 break;
987 case STATE_CIPHERSPEC_CHANGED_IN:
988 if (type == TLS_FINISHED)
989 {
990 return process_finished(this, reader);
991 }
992 expected = TLS_FINISHED;
993 break;
994 default:
995 DBG1(DBG_TLS, "TLS %N not expected in current state",
996 tls_handshake_type_names, type);
997 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
998 return NEED_MORE;
999 }
1000 }
1001 else
1002 {
1003 switch (this->state)
1004 {
1005 case STATE_HELLO_SENT:
1006 if (type == TLS_SERVER_HELLO)
1007 {
1008 return process_server_hello(this, reader);
1009 }
1010 expected = TLS_SERVER_HELLO;
1011 break;
1012 case STATE_CIPHERSPEC_CHANGED_IN:
1013 case STATE_HELLO_RECEIVED:
1014 if (type == TLS_ENCRYPTED_EXTENSIONS)
1015 {
1016 return process_encrypted_extensions(this, reader);
1017 }
1018 expected = TLS_ENCRYPTED_EXTENSIONS;
1019 break;
1020 case STATE_ENCRYPTED_EXTENSIONS_RECEIVED:
1021 if (type == TLS_CERTIFICATE)
1022 {
1023 return process_certificate(this, reader);
1024 }
1025 expected = TLS_CERTIFICATE;
1026 break;
1027 case STATE_CERT_RECEIVED:
1028 if (type == TLS_CERTIFICATE_VERIFY)
1029 {
1030 return process_cert_verify(this, reader);
1031 }
1032 expected = TLS_CERTIFICATE_VERIFY;
1033 break;
1034 case STATE_CERT_VERIFY_RECEIVED:
1035 if (type == TLS_FINISHED)
1036 {
1037 return process_finished(this, reader);
1038 }
1039 expected = TLS_FINISHED;
1040 break;
1041 case STATE_FINISHED_RECEIVED:
1042 return NEED_MORE;
1043 case STATE_FINISHED_SENT_KEY_SWITCHED:
1044 if (type == TLS_NEW_SESSION_TICKET)
1045 {
1046 return process_new_session_ticket(this, reader);
1047 }
1048 expected = TLS_NEW_SESSION_TICKET;
1049 break;
1050 default:
1051 DBG1(DBG_TLS, "TLS %N not expected in current state",
1052 tls_handshake_type_names, type);
1053 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1054 return NEED_MORE;
1055 }
1056 }
1057 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1058 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1059 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1060 return NEED_MORE;
1061 }
1062
1063 /**
1064 * Send a client hello
1065 */
1066 static status_t send_client_hello(private_tls_peer_t *this,
1067 tls_handshake_type_t *type, bio_writer_t *writer)
1068 {
1069 tls_cipher_suite_t *suites;
1070 bio_writer_t *extensions, *curves = NULL;
1071 tls_version_t version_max, version_min;
1072 tls_named_group_t curve;
1073 enumerator_t *enumerator;
1074 int count, i, v;
1075 rng_t *rng;
1076 chunk_t pub;
1077 uint8_t nof_tls_versions;
1078
1079 htoun32(&this->client_random, time(NULL));
1080 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1081 if (!rng ||
1082 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
1083 this->client_random + 4))
1084 {
1085 DBG1(DBG_TLS, "failed to generate client random");
1086 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1087 DESTROY_IF(rng);
1088 return NEED_MORE;
1089 }
1090 rng->destroy(rng);
1091
1092 /* client key generation */
1093 this->dh = lib->crypto->create_dh(lib->crypto, CURVE_25519);
1094
1095 /* TLS version_max in handshake protocol */
1096 version_max = this->tls->get_version_max(this->tls);
1097 version_min = this->tls->get_version_min(this->tls);
1098 if (version_max < TLS_1_3)
1099 {
1100 this->hello_version = version_max;
1101 }
1102 else
1103 {
1104 this->hello_version = TLS_1_2;
1105 }
1106 writer->write_uint16(writer, this->hello_version);
1107 writer->write_data(writer, chunk_from_thing(this->client_random));
1108
1109 /* session identifier */
1110 this->session = this->crypto->get_session(this->crypto, this->server);
1111 writer->write_data8(writer, this->session);
1112
1113 /* add TLS cipher suites */
1114 count = this->crypto->get_cipher_suites(this->crypto, &suites);
1115 writer->write_uint16(writer, count * 2);
1116 for (i = 0; i < count; i++)
1117 {
1118 writer->write_uint16(writer, suites[i]);
1119 }
1120
1121 /* NULL compression only */
1122 writer->write_uint8(writer, 1);
1123 writer->write_uint8(writer, 0);
1124
1125 extensions = bio_writer_create(32);
1126
1127 if (this->server->get_type(this->server) == ID_FQDN)
1128 {
1129 bio_writer_t *names;
1130
1131 DBG2(DBG_TLS, "sending extension: Server Name Indication for '%Y'",
1132 this->server);
1133 names = bio_writer_create(8);
1134 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
1135 names->write_data16(names, this->server->get_encoding(this->server));
1136 names->wrap16(names);
1137 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
1138 extensions->write_data16(extensions, names->get_buf(names));
1139 names->destroy(names);
1140 }
1141
1142 DBG2(DBG_TLS, "sending extension: %N",
1143 tls_extension_names, TLS_EXT_SUPPORTED_GROUPS);
1144 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1145 while (enumerator->enumerate(enumerator, NULL, &curve))
1146 {
1147 if (!curves)
1148 {
1149 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_GROUPS);
1150 curves = bio_writer_create(16);
1151 }
1152 curves->write_uint16(curves, curve);
1153 }
1154 enumerator->destroy(enumerator);
1155 if (curves)
1156 {
1157 if (version_max == TLS_1_3)
1158 {
1159 curves->write_uint16(curves, TLS_CURVE25519);
1160 }
1161 curves->wrap16(curves);
1162 extensions->write_data16(extensions, curves->get_buf(curves));
1163 curves->destroy(curves);
1164
1165 /* if we support curves, add point format extension */
1166 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
1167 extensions->write_uint16(extensions, 2);
1168 extensions->write_uint8(extensions, 1);
1169 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
1170 }
1171
1172 DBG2(DBG_TLS, "sending extension: %N",
1173 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1174 nof_tls_versions = (version_max - version_min + 1)*2;
1175 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1176 extensions->write_uint16(extensions, nof_tls_versions+1);
1177 extensions->write_uint8(extensions, nof_tls_versions);
1178 for (v = version_max; v >= version_min; v--)
1179 {
1180 extensions->write_uint16(extensions, v);
1181 nof_tls_versions += 2;
1182 }
1183
1184 DBG2(DBG_TLS, "sending extension: %N",
1185 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1186 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1187 this->crypto->get_signature_algorithms(this->crypto, extensions);
1188
1189 DBG2(DBG_TLS, "sending extension: %N",
1190 tls_extension_names, TLS_EXT_KEY_SHARE);
1191 if (!this->dh->get_my_public_value(this->dh, &pub))
1192 {
1193 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1194 return NEED_MORE;
1195 }
1196 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1197 extensions->write_uint16(extensions, pub.len+6);
1198 extensions->write_uint16(extensions, pub.len+4);
1199 extensions->write_uint16(extensions, TLS_CURVE25519);
1200 extensions->write_uint16(extensions, pub.len);
1201 extensions->write_data(extensions, pub);
1202 free(pub.ptr);
1203
1204 writer->write_data16(writer, extensions->get_buf(extensions));
1205 extensions->destroy(extensions);
1206
1207 *type = TLS_CLIENT_HELLO;
1208 this->state = STATE_HELLO_SENT;
1209 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1210 return NEED_MORE;
1211 }
1212
1213 /**
1214 * Find a private key suitable to sign Certificate Verify
1215 */
1216 static private_key_t *find_private_key(private_tls_peer_t *this)
1217 {
1218 private_key_t *key = NULL;
1219 bio_reader_t *reader;
1220 key_type_t type;
1221 uint8_t cert;
1222
1223 if (!this->peer)
1224 {
1225 return NULL;
1226 }
1227 reader = bio_reader_create(this->cert_types);
1228 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
1229 {
1230 switch (cert)
1231 {
1232 case TLS_RSA_SIGN:
1233 type = KEY_RSA;
1234 break;
1235 case TLS_ECDSA_SIGN:
1236 type = KEY_ECDSA;
1237 break;
1238 default:
1239 continue;
1240 }
1241 key = lib->credmgr->get_private(lib->credmgr, type,
1242 this->peer, this->peer_auth);
1243 if (key)
1244 {
1245 break;
1246 }
1247 }
1248 reader->destroy(reader);
1249 return key;
1250 }
1251
1252 /**
1253 * Send Certificate
1254 */
1255 static status_t send_certificate(private_tls_peer_t *this,
1256 tls_handshake_type_t *type, bio_writer_t *writer)
1257 {
1258 enumerator_t *enumerator;
1259 certificate_t *cert;
1260 auth_rule_t rule;
1261 bio_writer_t *certs;
1262 chunk_t data;
1263
1264 this->private = find_private_key(this);
1265 if (!this->private)
1266 {
1267 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
1268 "skipping client authentication", this->peer);
1269 this->peer->destroy(this->peer);
1270 this->peer = NULL;
1271 }
1272
1273 /* generate certificate payload */
1274 certs = bio_writer_create(256);
1275 if (this->peer)
1276 {
1277 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
1278 if (cert)
1279 {
1280 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1281 {
1282 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
1283 cert->get_subject(cert));
1284 certs->write_data24(certs, data);
1285 free(data.ptr);
1286 }
1287 }
1288 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
1289 while (enumerator->enumerate(enumerator, &rule, &cert))
1290 {
1291 if (rule == AUTH_RULE_IM_CERT)
1292 {
1293 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1294 {
1295 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1296 cert->get_subject(cert));
1297 certs->write_data24(certs, data);
1298 free(data.ptr);
1299 }
1300 }
1301 }
1302 enumerator->destroy(enumerator);
1303 }
1304
1305 writer->write_data24(writer, certs->get_buf(certs));
1306 certs->destroy(certs);
1307
1308 *type = TLS_CERTIFICATE;
1309 this->state = STATE_CERT_SENT;
1310 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1311 return NEED_MORE;
1312 }
1313
1314 /**
1315 * Send client key exchange, using premaster encryption
1316 */
1317 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
1318 tls_handshake_type_t *type, bio_writer_t *writer)
1319 {
1320 public_key_t *public;
1321 rng_t *rng;
1322 char premaster[48];
1323 chunk_t encrypted;
1324
1325 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
1326 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
1327 {
1328 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
1329 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1330 DESTROY_IF(rng);
1331 return NEED_MORE;
1332 }
1333 rng->destroy(rng);
1334 htoun16(premaster, this->hello_version);
1335
1336 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
1337 this->session, this->server,
1338 chunk_from_thing(this->client_random),
1339 chunk_from_thing(this->server_random)))
1340 {
1341 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1342 return NEED_MORE;
1343 }
1344
1345 public = find_public_key(this);
1346 if (!public)
1347 {
1348 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
1349 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
1350 return NEED_MORE;
1351 }
1352 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
1353 chunk_from_thing(premaster), &encrypted))
1354 {
1355 public->destroy(public);
1356 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
1357 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
1358 return NEED_MORE;
1359 }
1360 public->destroy(public);
1361
1362 writer->write_data16(writer, encrypted);
1363 free(encrypted.ptr);
1364
1365 *type = TLS_CLIENT_KEY_EXCHANGE;
1366 this->state = STATE_KEY_EXCHANGE_SENT;
1367 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1368 return NEED_MORE;
1369 }
1370
1371 /**
1372 * Send client key exchange, using DHE exchange
1373 */
1374 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
1375 tls_handshake_type_t *type, bio_writer_t *writer)
1376 {
1377 chunk_t premaster, pub;
1378
1379 if (!this->dh->get_shared_secret(this->dh, &premaster))
1380 {
1381 DBG1(DBG_TLS, "calculating premaster from DH failed");
1382 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1383 return NEED_MORE;
1384 }
1385 if (!this->crypto->derive_secrets(this->crypto, premaster,
1386 this->session, this->server,
1387 chunk_from_thing(this->client_random),
1388 chunk_from_thing(this->server_random)))
1389 {
1390 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1391 chunk_clear(&premaster);
1392 return NEED_MORE;
1393 }
1394 chunk_clear(&premaster);
1395
1396 if (!this->dh->get_my_public_value(this->dh, &pub))
1397 {
1398 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1399 return NEED_MORE;
1400 }
1401 switch (this->dh->get_dh_group(this->dh))
1402 {
1403 case MODP_CUSTOM:
1404 writer->write_data16(writer, pub);
1405 break;
1406 case CURVE_25519:
1407 case CURVE_448:
1408 /* ECPoint uses an 8-bit length header only */
1409 writer->write_data8(writer, pub);
1410 break;
1411 default:
1412 /* classic ECPoint format (see RFC 8422, section 5.4.1) */
1413 writer->write_uint8(writer, pub.len + 1);
1414 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1415 writer->write_data(writer, pub);
1416 break;
1417 }
1418 free(pub.ptr);
1419
1420 *type = TLS_CLIENT_KEY_EXCHANGE;
1421 this->state = STATE_KEY_EXCHANGE_SENT;
1422 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1423 return NEED_MORE;
1424 }
1425
1426 /**
1427 * Send client key exchange, depending on suite
1428 */
1429 static status_t send_key_exchange(private_tls_peer_t *this,
1430 tls_handshake_type_t *type, bio_writer_t *writer)
1431 {
1432 if (this->dh)
1433 {
1434 return send_key_exchange_dhe(this, type, writer);
1435 }
1436 return send_key_exchange_encrypt(this, type, writer);
1437 }
1438
1439 /**
1440 * Send certificate verify
1441 */
1442 static status_t send_certificate_verify(private_tls_peer_t *this,
1443 tls_handshake_type_t *type, bio_writer_t *writer)
1444 {
1445 if (!this->private ||
1446 !this->crypto->sign_handshake(this->crypto, this->private,
1447 writer, this->hashsig))
1448 {
1449 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1450 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1451 return NEED_MORE;
1452 }
1453
1454 *type = TLS_CERTIFICATE_VERIFY;
1455 this->state = STATE_VERIFY_SENT;
1456 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1457 return NEED_MORE;
1458 }
1459
1460 /**
1461 * Send Finished
1462 */
1463 static status_t send_finished(private_tls_peer_t *this,
1464 tls_handshake_type_t *type, bio_writer_t *writer)
1465 {
1466 chunk_t verify_data;
1467
1468 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1469 {
1470 char buf[12];
1471
1472 if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
1473 {
1474 DBG1(DBG_TLS, "calculating client finished data failed");
1475 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1476 return NEED_MORE;
1477 }
1478
1479 writer->write_data(writer, chunk_from_thing(buf));
1480 }
1481 else
1482 {
1483 if (!this->crypto->calculate_finished_tls13(this->crypto, false,
1484 &verify_data))
1485 {
1486 DBG1(DBG_TLS, "calculating client finished data failed");
1487 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1488 return NEED_MORE;
1489 }
1490
1491 writer->write_data(writer, verify_data);
1492 }
1493
1494 *type = TLS_FINISHED;
1495 this->state = STATE_FINISHED_SENT;
1496 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1497 return NEED_MORE;
1498 }
1499
1500 METHOD(tls_handshake_t, build, status_t,
1501 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1502 {
1503 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1504 {
1505 switch (this->state)
1506 {
1507 case STATE_INIT:
1508 return send_client_hello(this, type, writer);
1509 case STATE_HELLO_DONE:
1510 if (this->peer)
1511 {
1512 return send_certificate(this, type, writer);
1513 }
1514 /* otherwise fall through to next state */
1515 case STATE_CERT_SENT:
1516 return send_key_exchange(this, type, writer);
1517 case STATE_KEY_EXCHANGE_SENT:
1518 if (this->peer)
1519 {
1520 return send_certificate_verify(this, type, writer);
1521 }
1522 else
1523 {
1524 return INVALID_STATE;
1525 }
1526 case STATE_CIPHERSPEC_CHANGED_OUT:
1527 return send_finished(this, type, writer);
1528 default:
1529 return INVALID_STATE;
1530 }
1531 }
1532 else
1533 {
1534 switch (this->state)
1535 {
1536 case STATE_INIT:
1537 return send_client_hello(this, type, writer);
1538 case STATE_HELLO_DONE:
1539 case STATE_CIPHERSPEC_CHANGED_OUT:
1540 case STATE_FINISHED_RECEIVED:
1541 return send_finished(this, type, writer);
1542 case STATE_FINISHED_SENT:
1543 if (!this->crypto->derive_app_keys(this->crypto))
1544 {
1545 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1546 return NEED_MORE;
1547 }
1548 this->crypto->change_cipher(this->crypto, TRUE);
1549 this->crypto->change_cipher(this->crypto, FALSE);
1550 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1551 return SUCCESS;
1552 case STATE_FINISHED_SENT_KEY_SWITCHED:
1553 return SUCCESS;
1554 default:
1555 return INVALID_STATE;
1556 }
1557 }
1558
1559 }
1560
1561 METHOD(tls_handshake_t, cipherspec_changed, bool,
1562 private_tls_peer_t *this, bool inbound)
1563 {
1564 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1565 {
1566 if (inbound)
1567 {
1568 if (this->resume)
1569 {
1570 return this->state == STATE_HELLO_RECEIVED;
1571 }
1572 return this->state == STATE_FINISHED_SENT;
1573 }
1574 else
1575 {
1576 if (this->resume)
1577 {
1578 return this->state == STATE_FINISHED_RECEIVED;
1579 }
1580 if (this->peer)
1581 {
1582 return this->state == STATE_VERIFY_SENT;
1583 }
1584 return this->state == STATE_KEY_EXCHANGE_SENT;
1585
1586 }
1587 }
1588 else
1589 {
1590 if (inbound)
1591 {
1592 return this->state == STATE_HELLO_RECEIVED;
1593 }
1594 else
1595 {
1596 return FALSE;
1597 }
1598 }
1599
1600 }
1601
1602 METHOD(tls_handshake_t, change_cipherspec, void,
1603 private_tls_peer_t *this, bool inbound)
1604 {
1605 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1606 {
1607 this->crypto->change_cipher(this->crypto, inbound);
1608 }
1609
1610 if (inbound)
1611 {
1612 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1613 }
1614 else
1615 {
1616 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1617 }
1618 }
1619
1620 METHOD(tls_handshake_t, finished, bool,
1621 private_tls_peer_t *this)
1622 {
1623 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1624 {
1625 if (this->resume)
1626 {
1627 return this->state == STATE_FINISHED_SENT;
1628 }
1629 return this->state == STATE_FINISHED_RECEIVED;
1630 }
1631 else
1632 {
1633 return this->state == STATE_FINISHED_SENT_KEY_SWITCHED;
1634 }
1635 }
1636
1637 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1638 private_tls_peer_t *this)
1639 {
1640 return this->peer;
1641 }
1642
1643 METHOD(tls_handshake_t, get_server_id, identification_t*,
1644 private_tls_peer_t *this)
1645 {
1646 return this->server;
1647 }
1648
1649 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1650 private_tls_peer_t *this)
1651 {
1652 return this->server_auth;
1653 }
1654
1655 METHOD(tls_handshake_t, destroy, void,
1656 private_tls_peer_t *this)
1657 {
1658 DESTROY_IF(this->private);
1659 DESTROY_IF(this->dh);
1660 DESTROY_IF(this->peer);
1661 this->server->destroy(this->server);
1662 this->peer_auth->destroy(this->peer_auth);
1663 this->server_auth->destroy(this->server_auth);
1664 free(this->hashsig.ptr);
1665 free(this->cert_types.ptr);
1666 free(this->session.ptr);
1667 free(this);
1668 }
1669
1670 /**
1671 * See header
1672 */
1673 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1674 identification_t *peer, identification_t *server)
1675 {
1676 private_tls_peer_t *this;
1677
1678 INIT(this,
1679 .public = {
1680 .handshake = {
1681 .process = _process,
1682 .build = _build,
1683 .cipherspec_changed = _cipherspec_changed,
1684 .change_cipherspec = _change_cipherspec,
1685 .finished = _finished,
1686 .get_peer_id = _get_peer_id,
1687 .get_server_id = _get_server_id,
1688 .get_auth = _get_auth,
1689 .destroy = _destroy,
1690 },
1691 },
1692 .state = STATE_INIT,
1693 .tls = tls,
1694 .crypto = crypto,
1695 .alert = alert,
1696 .peer = peer ? peer->clone(peer) : NULL,
1697 .server = server->clone(server),
1698 .peer_auth = auth_cfg_create(),
1699 .server_auth = auth_cfg_create(),
1700 );
1701
1702 return &this->public;
1703 }