tls-peer: Mutual authentication support for TLS 1.3
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010 Martin Willi
8 * Copyright (C) 2010 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_peer.h"
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25
26 #include <time.h>
27
28 typedef struct private_tls_peer_t private_tls_peer_t;
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_SENT,
33 STATE_HELLO_RECEIVED,
34 STATE_HELLO_DONE,
35 STATE_CERT_SENT,
36 STATE_CERT_RECEIVED,
37 STATE_KEY_EXCHANGE_RECEIVED,
38 STATE_CERTREQ_RECEIVED,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_VERIFY_SENT,
41 STATE_CIPHERSPEC_CHANGED_OUT,
42 STATE_FINISHED_SENT,
43 STATE_CIPHERSPEC_CHANGED_IN,
44 STATE_FINISHED_RECEIVED,
45 /* new states in TLS 1.3 */
46 STATE_HELLORETRYREQ_RECEIVED,
47 STATE_ENCRYPTED_EXTENSIONS_RECEIVED,
48 STATE_CERT_VERIFY_RECEIVED,
49 STATE_FINISHED_SENT_KEY_SWITCHED,
50 STATE_KEY_UPDATE_REQUESTED,
51 STATE_KEY_UPDATE_SENT,
52 STATE_CERT_VERIFY_SENT,
53 } peer_state_t;
54
55 /**
56 * Private data of an tls_peer_t object.
57 */
58 struct private_tls_peer_t {
59
60 /**
61 * Public tls_peer_t interface.
62 */
63 tls_peer_t public;
64
65 /**
66 * TLS stack
67 */
68 tls_t *tls;
69
70 /**
71 * TLS crypto context
72 */
73 tls_crypto_t *crypto;
74
75 /**
76 * TLS alert handler
77 */
78 tls_alert_t *alert;
79
80 /**
81 * Peer identity, NULL for no client authentication
82 */
83 identification_t *peer;
84
85 /**
86 * Server identity
87 */
88 identification_t *server;
89
90 /**
91 * State we are in
92 */
93 peer_state_t state;
94
95 /**
96 * TLS version we offered in hello
97 */
98 tls_version_t hello_version;
99
100 /**
101 * Hello random data selected by client
102 */
103 char client_random[32];
104
105 /**
106 * Hello random data selected by server
107 */
108 char server_random[32];
109
110 /**
111 * Auth helper for peer authentication
112 */
113 auth_cfg_t *peer_auth;
114
115 /**
116 * Auth helper for server authentication
117 */
118 auth_cfg_t *server_auth;
119
120 /**
121 * Peer private key
122 */
123 private_key_t *private;
124
125 /**
126 * DHE exchange
127 */
128 diffie_hellman_t *dh;
129
130 /**
131 * Requested DH group
132 */
133 tls_named_group_t requested_curve;
134
135 /**
136 * Cookie extension received in HelloRetryRequest
137 */
138 chunk_t cookie;
139
140 /**
141 * Resuming a session?
142 */
143 bool resume;
144
145 /**
146 * TLS session identifier
147 */
148 chunk_t session;
149
150 /**
151 * List of server-supported hashsig algorithms
152 */
153 chunk_t hashsig;
154
155 /**
156 * List of server-supported client certificate types
157 */
158 chunk_t cert_types;
159 };
160
161 /* Implemented in tls_server.c */
162 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
163 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
164
165 /**
166 * Verify the DH group/key type requested by the server is valid.
167 */
168 static bool verify_requested_key_type(private_tls_peer_t *this,
169 uint16_t key_type)
170 {
171 enumerator_t *enumerator;
172 diffie_hellman_group_t group, found = MODP_NONE;
173 tls_named_group_t curve;
174
175 enumerator = this->crypto->create_ec_enumerator(this->crypto);
176 while (enumerator->enumerate(enumerator, &group, &curve))
177 {
178 if (key_type == curve)
179 {
180 found = group;
181 break;
182 }
183 }
184 enumerator->destroy(enumerator);
185
186 if (found == MODP_NONE)
187 {
188 DBG1(DBG_TLS, "server requested key exchange we didn't propose");
189 return FALSE;
190 }
191 if (this->dh->get_dh_group(this->dh) == found)
192 {
193 DBG1(DBG_TLS, "server requested key exchange we already use");
194 return FALSE;
195 }
196 return TRUE;
197 }
198
199 /**
200 * Process a server hello message
201 */
202 static status_t process_server_hello(private_tls_peer_t *this,
203 bio_reader_t *reader)
204 {
205 uint8_t compression;
206 uint16_t version, cipher, key_type = 0;
207 bio_reader_t *extensions, *extension;
208 chunk_t msg, random, session, ext = chunk_empty, key_share = chunk_empty;
209 chunk_t cookie = chunk_empty;
210 tls_cipher_suite_t suite = 0;
211 bool is_retry_request;
212
213 msg = reader->peek(reader);
214 if (!reader->read_uint16(reader, &version) ||
215 !reader->read_data(reader, sizeof(this->server_random), &random) ||
216 !reader->read_data8(reader, &session) ||
217 !reader->read_uint16(reader, &cipher) ||
218 !reader->read_uint8(reader, &compression) ||
219 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
220 {
221 DBG1(DBG_TLS, "received invalid ServerHello");
222 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
223 return NEED_MORE;
224 }
225
226 is_retry_request = chunk_equals_const(random, tls_hello_retry_request_magic);
227
228 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
229
230 extensions = bio_reader_create(ext);
231 while (extensions->remaining(extensions))
232 {
233 uint16_t extension_type;
234 chunk_t extension_data;
235
236 if (!extensions->read_uint16(extensions, &extension_type) ||
237 !extensions->read_data16(extensions, &extension_data))
238 {
239 DBG1(DBG_TLS, "invalid extension in ServerHello");
240 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
241 extensions->destroy(extensions);
242 return NEED_MORE;
243 }
244 extension = bio_reader_create(extension_data);
245 switch (extension_type)
246 {
247 case TLS_EXT_SUPPORTED_VERSIONS:
248 if (!extension->read_uint16(extension, &version))
249 {
250 DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
251 extension_type);
252 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
253 extensions->destroy(extensions);
254 extension->destroy(extension);
255 return NEED_MORE;
256 }
257 break;
258 case TLS_EXT_KEY_SHARE:
259 if (!extension->read_uint16(extension, &key_type) ||
260 (!is_retry_request &&
261 !(extension->read_data16(extension, &key_share) &&
262 key_share.len)))
263 {
264 DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
265 extension_type);
266 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
267 extensions->destroy(extensions);
268 extension->destroy(extension);
269 return NEED_MORE;
270 }
271 break;
272 case TLS_EXT_COOKIE:
273 if (!extension->read_data16(extension, &cookie))
274 {
275 DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
276 extension_type);
277 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
278 extensions->destroy(extensions);
279 extension->destroy(extension);
280 return NEED_MORE;
281 }
282 default:
283 break;
284 }
285 extension->destroy(extension);
286 }
287 extensions->destroy(extensions);
288
289 if (!this->tls->set_version(this->tls, version, version))
290 {
291 DBG1(DBG_TLS, "negotiated version %N not supported",
292 tls_version_names, version);
293 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
294 return NEED_MORE;
295 }
296
297 if (this->tls->get_version_max(this->tls) < TLS_1_3)
298 {
299 if (chunk_equals(this->session, session))
300 {
301 suite = this->crypto->resume_session(this->crypto, session,
302 this->server, chunk_from_thing
303 (this->client_random),
304 chunk_from_thing
305 (this->server_random));
306 if (suite)
307 {
308 DBG1(DBG_TLS, "resumed %N using suite %N",
309 tls_version_names, version, tls_cipher_suite_names, suite);
310 this->resume = TRUE;
311 }
312 }
313 DESTROY_IF(this->dh);
314 this->dh = NULL;
315 }
316
317 if (!suite)
318 {
319 suite = cipher;
320 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
321 {
322 DBG1(DBG_TLS, "received TLS cipher suite %N unacceptable",
323 tls_cipher_suite_names, suite);
324 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
325 return NEED_MORE;
326 }
327 DBG1(DBG_TLS, "negotiated %N using suite %N",
328 tls_version_names, version, tls_cipher_suite_names, suite);
329 free(this->session.ptr);
330 this->session = chunk_clone(session);
331 }
332
333 if (is_retry_request)
334 {
335 if (!this->crypto->hash_handshake(this->crypto, NULL))
336 {
337 DBG1(DBG_TLS, "failed to hash handshake messages");
338 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
339 return NEED_MORE;
340 }
341 }
342 this->crypto->append_handshake(this->crypto, TLS_SERVER_HELLO, msg);
343
344 if (is_retry_request)
345 {
346 if (key_type)
347 {
348 DBG1(DBG_TLS, "server requests key exchange with %N",
349 tls_named_group_names, key_type);
350 }
351 else if (cookie.len)
352 {
353 DBG1(DBG_TLS, "server requests retry with cookie");
354 }
355 else
356 {
357 DBG1(DBG_TLS, "invalid retry request received");
358 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
359 return NEED_MORE;
360 }
361 if (this->requested_curve || this->cookie.len)
362 {
363 DBG1(DBG_TLS, "already replied to previous retry request");
364 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
365 return NEED_MORE;
366 }
367 if (key_type && !verify_requested_key_type(this, key_type))
368 {
369 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
370 return NEED_MORE;
371 }
372
373 DESTROY_IF(this->dh);
374 this->dh = NULL;
375 this->requested_curve = key_type;
376 this->cookie = chunk_clone(cookie);
377 this->state = STATE_INIT;
378 return NEED_MORE;
379 }
380
381 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
382 {
383 chunk_t shared_secret = chunk_empty;
384
385 if (key_share.len &&
386 key_type != TLS_CURVE25519 &&
387 key_type != TLS_CURVE448)
388 { /* classic format (see RFC 8446, section 4.2.8.2) */
389 if (key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
390 {
391 DBG1(DBG_TLS, "DH point format '%N' not supported",
392 tls_ansi_point_format_names, key_share.ptr[0]);
393 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
394 return NEED_MORE;
395 }
396 key_share = chunk_skip(key_share, 1);
397 }
398 if (!key_share.len ||
399 !this->dh->set_other_public_value(this->dh, key_share) ||
400 !this->dh->get_shared_secret(this->dh, &shared_secret) ||
401 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
402 {
403 DBG1(DBG_TLS, "DH key derivation failed");
404 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
405 chunk_clear(&shared_secret);
406 return NEED_MORE;
407 }
408 chunk_clear(&shared_secret);
409
410 this->crypto->change_cipher(this->crypto, TRUE);
411 this->crypto->change_cipher(this->crypto, FALSE);
412 }
413
414 this->state = STATE_HELLO_RECEIVED;
415 return NEED_MORE;
416 }
417
418 /**
419 * Process a server encrypted extensions message
420 */
421 static status_t process_encrypted_extensions(private_tls_peer_t *this,
422 bio_reader_t *reader)
423 {
424 chunk_t ext = chunk_empty;
425 uint16_t extension_type;
426
427 this->crypto->append_handshake(this->crypto, TLS_ENCRYPTED_EXTENSIONS,
428 reader->peek(reader));
429
430 if (!reader->read_data16(reader, &ext))
431 {
432 DBG1(DBG_TLS, "received invalid EncryptedExtensions");
433 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
434 return NEED_MORE;
435 }
436 if (ext.len)
437 {
438 bio_reader_t *extensions = bio_reader_create(ext);
439
440 while (extensions->remaining(extensions))
441 {
442 chunk_t extension_data = chunk_empty;
443
444 if (!extensions->read_uint16(extensions, &extension_type) ||
445 !extensions->read_data16(extensions, &extension_data))
446 {
447 DBG1(DBG_TLS, "invalid extension in EncryptedExtensions");
448 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
449 extensions->destroy(extensions);
450 return NEED_MORE;
451 }
452 switch (extension_type)
453 {
454 case TLS_EXT_SERVER_NAME:
455 case TLS_EXT_MAX_FRAGMENT_LENGTH:
456 case TLS_EXT_SUPPORTED_GROUPS:
457 case TLS_EXT_USE_SRTP:
458 case TLS_EXT_HEARTBEAT:
459 case TLS_EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION:
460 case TLS_SERVER_CERTIFICATE_TYPE:
461 /* not supported so far */
462 DBG2(DBG_TLS, "ignoring unsupported %N EncryptedExtension",
463 tls_extension_names, extension_type);
464 break;
465 default:
466 DBG1(DBG_TLS, "received forbidden EncryptedExtension (%d)",
467 extension_type);
468 this->alert->add(this->alert, TLS_FATAL,
469 TLS_ILLEGAL_PARAMETER);
470 extensions->destroy(extensions);
471 return NEED_MORE;
472 }
473 }
474 extensions->destroy(extensions);
475 }
476 this->state = STATE_ENCRYPTED_EXTENSIONS_RECEIVED;
477 return NEED_MORE;
478 }
479
480 /**
481 * Check if a server certificate is acceptable for the given server identity
482 */
483 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
484 {
485 identification_t *id;
486
487 if (cert->has_subject(cert, this->server))
488 {
489 return TRUE;
490 }
491 id = cert->get_subject(cert);
492 if (id->matches(id, this->server))
493 {
494 return TRUE;
495 }
496 if (cert->get_type(cert) == CERT_X509)
497 {
498 x509_t *x509 = (x509_t*)cert;
499 enumerator_t *enumerator;
500
501 enumerator = x509->create_subjectAltName_enumerator(x509);
502 while (enumerator->enumerate(enumerator, &id))
503 {
504 if (id->matches(id, this->server))
505 {
506 enumerator->destroy(enumerator);
507 return TRUE;
508 }
509 }
510 enumerator->destroy(enumerator);
511 }
512 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
513 return FALSE;
514 }
515
516 /**
517 * Process a Certificate message
518 */
519 static status_t process_certificate(private_tls_peer_t *this,
520 bio_reader_t *reader)
521 {
522 certificate_t *cert;
523 bio_reader_t *certs;
524 chunk_t data;
525 bool first = TRUE;
526
527 this->crypto->append_handshake(this->crypto,
528 TLS_CERTIFICATE, reader->peek(reader));
529
530 if (this->tls->get_version_max(this->tls) > TLS_1_2)
531 {
532 if (!reader->read_data8(reader, &data))
533 {
534 DBG1(DBG_TLS, "certificate request context invalid");
535 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
536 return NEED_MORE;
537 }
538 }
539
540 if (!reader->read_data24(reader, &data))
541 {
542 DBG1(DBG_TLS, "certificate message header invalid");
543 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
544 return NEED_MORE;
545 }
546 certs = bio_reader_create(data);
547 while (certs->remaining(certs))
548 {
549 if (!certs->read_data24(certs, &data))
550 {
551 DBG1(DBG_TLS, "certificate message invalid");
552 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
553 certs->destroy(certs);
554 return NEED_MORE;
555 }
556 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
557 BUILD_BLOB_ASN1_DER, data, BUILD_END);
558 if (cert)
559 {
560 if (first)
561 {
562 if (!check_certificate(this, cert))
563 {
564 cert->destroy(cert);
565 certs->destroy(certs);
566 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
567 return NEED_MORE;
568 }
569 this->server_auth->add(this->server_auth,
570 AUTH_HELPER_SUBJECT_CERT, cert);
571 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
572 cert->get_subject(cert));
573 first = FALSE;
574 }
575 else
576 {
577 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
578 cert->get_subject(cert));
579 this->server_auth->add(this->server_auth,
580 AUTH_HELPER_IM_CERT, cert);
581 }
582 }
583 else
584 {
585 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
586 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
587 }
588 if (this->tls->get_version_max(this->tls) > TLS_1_2)
589 {
590 if (!certs->read_data16(certs, &data))
591 {
592 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
593 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
594 return NEED_MORE;
595 }
596 }
597 }
598 certs->destroy(certs);
599 this->state = STATE_CERT_RECEIVED;
600 return NEED_MORE;
601 }
602
603 /**
604 * Process CertificateVerify message
605 */
606 static status_t process_cert_verify(private_tls_peer_t *this,
607 bio_reader_t *reader)
608 {
609 public_key_t *public;
610 chunk_t msg;
611
612 public = tls_find_public_key(this->server_auth);
613 if (!public)
614 {
615 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
616 this->server);
617 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
618 return NEED_MORE;
619 }
620
621 msg = reader->peek(reader);
622 if (!this->crypto->verify_handshake(this->crypto, public, reader))
623 {
624 public->destroy(public);
625 DBG1(DBG_TLS, "signature verification failed");
626 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
627 return NEED_MORE;
628 }
629 public->destroy(public);
630
631 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
632 this->state = STATE_CERT_VERIFY_RECEIVED;
633 return NEED_MORE;
634 }
635
636 /**
637 * Process a Key Exchange message using MODP Diffie Hellman
638 */
639 static status_t process_modp_key_exchange(private_tls_peer_t *this,
640 bio_reader_t *reader)
641 {
642 chunk_t prime, generator, pub, chunk;
643 public_key_t *public;
644
645 chunk = reader->peek(reader);
646 if (!reader->read_data16(reader, &prime) ||
647 !reader->read_data16(reader, &generator) ||
648 !reader->read_data16(reader, &pub))
649 {
650 DBG1(DBG_TLS, "received invalid Server Key Exchange");
651 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
652 return NEED_MORE;
653 }
654 /* reject (export) DH groups using primes smaller than 1024 bit */
655 if (prime.len < 1024 / 8)
656 {
657 DBG1(DBG_TLS, "short DH prime received (%zu bytes)", prime.len);
658 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
659 return NEED_MORE;
660 }
661 public = tls_find_public_key(this->server_auth);
662 if (!public)
663 {
664 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
665 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
666 return NEED_MORE;
667 }
668
669 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
670 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
671 chunk_from_thing(this->server_random), chunk);
672 if (!this->crypto->verify(this->crypto, public, reader, chunk))
673 {
674 public->destroy(public);
675 free(chunk.ptr);
676 DBG1(DBG_TLS, "verifying DH parameters failed");
677 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
678 return NEED_MORE;
679 }
680 public->destroy(public);
681 free(chunk.ptr);
682
683 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
684 generator, prime);
685 if (!this->dh)
686 {
687 DBG1(DBG_TLS, "custom DH parameters not supported");
688 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
689 return NEED_MORE;
690 }
691 if (!this->dh->set_other_public_value(this->dh, pub))
692 {
693 DBG1(DBG_TLS, "applying DH public value failed");
694 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
695 return NEED_MORE;
696 }
697
698 this->state = STATE_KEY_EXCHANGE_RECEIVED;
699 return NEED_MORE;
700 }
701
702 /**
703 * Get the EC group for a TLS named curve
704 */
705 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
706 tls_named_group_t curve)
707 {
708 diffie_hellman_group_t group;
709 tls_named_group_t current;
710 enumerator_t *enumerator;
711
712 enumerator = this->crypto->create_ec_enumerator(this->crypto);
713 while (enumerator->enumerate(enumerator, &group, &current))
714 {
715 if (current == curve)
716 {
717 enumerator->destroy(enumerator);
718 return group;
719 }
720 }
721 enumerator->destroy(enumerator);
722 return 0;
723 }
724
725 /**
726 * Process a Key Exchange message using EC Diffie Hellman
727 */
728 static status_t process_ec_key_exchange(private_tls_peer_t *this,
729 bio_reader_t *reader)
730 {
731 diffie_hellman_group_t group;
732 public_key_t *public;
733 uint8_t type;
734 uint16_t curve;
735 chunk_t pub, chunk;
736
737 chunk = reader->peek(reader);
738 if (!reader->read_uint8(reader, &type))
739 {
740 DBG1(DBG_TLS, "received invalid Server Key Exchange");
741 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
742 return NEED_MORE;
743 }
744 if (type != TLS_ECC_NAMED_CURVE)
745 {
746 DBG1(DBG_TLS, "ECDH curve type %N not supported",
747 tls_ecc_curve_type_names, type);
748 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
749 return NEED_MORE;
750 }
751 if (!reader->read_uint16(reader, &curve) ||
752 !reader->read_data8(reader, &pub) || pub.len == 0)
753 {
754 DBG1(DBG_TLS, "received invalid Server Key Exchange");
755 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
756 return NEED_MORE;
757 }
758
759 group = curve_to_ec_group(this, curve);
760 if (!group)
761 {
762 DBG1(DBG_TLS, "ECDH curve %N not supported",
763 tls_named_group_names, curve);
764 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
765 return NEED_MORE;
766 }
767
768 public = tls_find_public_key(this->server_auth);
769 if (!public)
770 {
771 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
772 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
773 return NEED_MORE;
774 }
775
776 chunk.len = 4 + pub.len;
777 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
778 chunk_from_thing(this->server_random), chunk);
779 if (!this->crypto->verify(this->crypto, public, reader, chunk))
780 {
781 public->destroy(public);
782 free(chunk.ptr);
783 DBG1(DBG_TLS, "verifying DH parameters failed");
784 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
785 return NEED_MORE;
786 }
787 public->destroy(public);
788 free(chunk.ptr);
789
790 this->dh = lib->crypto->create_dh(lib->crypto, group);
791 if (!this->dh)
792 {
793 DBG1(DBG_TLS, "DH group %N not supported",
794 diffie_hellman_group_names, group);
795 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
796 return NEED_MORE;
797 }
798
799 if (group != CURVE_25519 &&
800 group != CURVE_448)
801 { /* classic ECPoint format (see RFC 8422, section 5.4.1) */
802 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
803 {
804 DBG1(DBG_TLS, "DH point format '%N' not supported",
805 tls_ansi_point_format_names, pub.ptr[0]);
806 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
807 return NEED_MORE;
808 }
809 pub = chunk_skip(pub, 1);
810 }
811
812 if (!this->dh->set_other_public_value(this->dh, pub))
813 {
814 DBG1(DBG_TLS, "applying DH public value failed");
815 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
816 return NEED_MORE;
817 }
818
819 this->state = STATE_KEY_EXCHANGE_RECEIVED;
820 return NEED_MORE;
821 }
822
823 /**
824 * Process a Server Key Exchange
825 */
826 static status_t process_key_exchange(private_tls_peer_t *this,
827 bio_reader_t *reader)
828 {
829 diffie_hellman_group_t group;
830
831 this->crypto->append_handshake(this->crypto,
832 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
833
834 group = this->crypto->get_dh_group(this->crypto);
835 if (group == MODP_NONE)
836 {
837 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
838 "for current suite");
839 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
840 return NEED_MORE;
841 }
842 if (diffie_hellman_group_is_ec(group))
843 {
844 return process_ec_key_exchange(this, reader);
845 }
846 return process_modp_key_exchange(this, reader);
847 }
848
849 /**
850 * Read all available certificate authorities from the given reader
851 */
852 static bool read_certificate_authorities(private_tls_peer_t *this,
853 bio_reader_t *reader)
854 {
855 chunk_t data;
856 bio_reader_t *authorities;
857 identification_t *id;
858 certificate_t *cert;
859
860 if (!reader->read_data16(reader, &data))
861 {
862 return FALSE;
863 }
864 authorities = bio_reader_create(data);
865 while (authorities->remaining(authorities))
866 {
867 if (!authorities->read_data16(authorities, &data))
868 {
869 authorities->destroy(authorities);
870 return FALSE;
871 }
872 if (this->peer)
873 {
874 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
875 cert = lib->credmgr->get_cert(lib->credmgr,
876 CERT_X509, KEY_ANY, id, TRUE);
877 if (cert)
878 {
879 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
880 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
881 }
882 else
883 {
884 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
885 }
886 id->destroy(id);
887 }
888 }
889 authorities->destroy(authorities);
890 return TRUE;
891 }
892
893 /**
894 * Process a Certificate Request message
895 */
896 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
897 {
898 chunk_t types, hashsig, context, ext;
899 bio_reader_t *extensions, *extension;
900
901 if (!this->peer)
902 {
903 DBG1(DBG_TLS, "server requested a certificate, but client "
904 "authentication disabled");
905 }
906 this->crypto->append_handshake(this->crypto,
907 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
908
909 if (this->tls->get_version_max(this->tls) < TLS_1_3)
910 {
911 if (!reader->read_data8(reader, &types))
912 {
913 DBG1(DBG_TLS, "certreq message header invalid");
914 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
915 return NEED_MORE;
916 }
917 this->cert_types = chunk_clone(types);
918 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
919 {
920 if (!reader->read_data16(reader, &hashsig))
921 {
922 DBG1(DBG_TLS, "certreq message invalid");
923 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
924 return NEED_MORE;
925 }
926 this->hashsig = chunk_clone(hashsig);
927 }
928
929 if (!read_certificate_authorities(this, reader))
930 {
931 DBG1(DBG_TLS, "certreq message invalid");
932 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
933 return NEED_MORE;
934 }
935 }
936 else
937 {
938 /* certificate request context as described in RFC 8446, section 4.3.2 */
939 reader->read_data8(reader, &context);
940
941 reader->read_data16(reader, &ext);
942 extensions = bio_reader_create(ext);
943 while (extensions->remaining(extensions))
944 {
945 uint16_t extension_type;
946 chunk_t extension_data;
947
948 if (!extensions->read_uint16(extensions, &extension_type) ||
949 !extensions->read_data16(extensions, &extension_data))
950 {
951 DBG1(DBG_TLS, "invalid extension in CertificateRequest");
952 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
953 extensions->destroy(extensions);
954 return NEED_MORE;
955 }
956 extension = bio_reader_create(extension_data);
957 switch (extension_type)
958 {
959 case TLS_EXT_SIGNATURE_ALGORITHMS:
960 if (!extension->read_data16(extension, &extension_data))
961 {
962 DBG1(DBG_TLS, "invalid %N extension",
963 tls_extension_names, extension_type);
964 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
965 extension->destroy(extension);
966 extensions->destroy(extensions);
967 return NEED_MORE;
968 }
969 chunk_free(&this->hashsig);
970 this->hashsig = chunk_clone(extension_data);
971 break;
972 case TLS_EXT_CERTIFICATE_AUTHORITIES:
973 if (!read_certificate_authorities(this, extension))
974 {
975 DBG1(DBG_TLS, "certificate request message invalid");
976 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
977 extension->destroy(extension);
978 extensions->destroy(extensions);
979 return NEED_MORE;
980 }
981 break;
982 default:
983 break;
984 }
985 extension->destroy(extension);
986 }
987 extensions->destroy(extensions);
988 }
989 this->state = STATE_CERTREQ_RECEIVED;
990 return NEED_MORE;
991 }
992
993 /**
994 * Process Hello Done message
995 */
996 static status_t process_hello_done(private_tls_peer_t *this,
997 bio_reader_t *reader)
998 {
999 this->crypto->append_handshake(this->crypto,
1000 TLS_SERVER_HELLO_DONE, reader->peek(reader));
1001 this->state = STATE_HELLO_DONE;
1002 return NEED_MORE;
1003 }
1004
1005 /**
1006 * Process finished message
1007 */
1008 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
1009 {
1010 chunk_t received, verify_data;
1011 u_char buf[12];
1012
1013 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1014 {
1015 if (!reader->read_data(reader, sizeof(buf), &received))
1016 {
1017 DBG1(DBG_TLS, "received server finished too short");
1018 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1019 return NEED_MORE;
1020 }
1021 if (!this->crypto->calculate_finished_legacy(this->crypto,
1022 "server finished", buf))
1023 {
1024 DBG1(DBG_TLS, "calculating server finished failed");
1025 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1026 return NEED_MORE;
1027 }
1028 verify_data = chunk_from_thing(buf);
1029 }
1030 else
1031 {
1032 received = reader->peek(reader);
1033 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1034 {
1035 DBG1(DBG_TLS, "calculating server finished failed");
1036 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1037 return NEED_MORE;
1038 }
1039 }
1040
1041 if (!chunk_equals_const(received, verify_data))
1042 {
1043 DBG1(DBG_TLS, "received server finished invalid");
1044 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
1045 return NEED_MORE;
1046 }
1047
1048 if (verify_data.ptr != buf)
1049 {
1050 chunk_free(&verify_data);
1051 }
1052
1053 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
1054 this->state = STATE_FINISHED_RECEIVED;
1055 return NEED_MORE;
1056 }
1057
1058 /**
1059 * Process NewSessionTicket message
1060 */
1061 static status_t process_new_session_ticket(private_tls_peer_t *this,
1062 bio_reader_t *reader)
1063 {
1064 uint32_t ticket_lifetime, ticket_age_add;
1065 chunk_t ticket_nonce, ticket, extensions;
1066
1067 if (!reader->read_uint32(reader, &ticket_lifetime) ||
1068 !reader->read_uint32(reader, &ticket_age_add) ||
1069 !reader->read_data8(reader, &ticket_nonce) ||
1070 !reader->read_data16(reader, &ticket) ||
1071 !reader->read_data16(reader, &extensions))
1072 {
1073 DBG1(DBG_TLS, "received invalid NewSessionTicket");
1074 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1075 return NEED_MORE;
1076 }
1077 return NEED_MORE;
1078 }
1079
1080 /**
1081 * Process KeyUpdate message
1082 */
1083 static status_t process_key_update(private_tls_peer_t *this,
1084 bio_reader_t *reader)
1085 {
1086 uint8_t update_requested;
1087
1088 if (!reader->read_uint8(reader, &update_requested) ||
1089 update_requested > 1)
1090 {
1091 DBG1(DBG_TLS, "received invalid KeyUpdate");
1092 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1093 return NEED_MORE;
1094 }
1095
1096 if (!this->crypto->update_app_keys(this->crypto, TRUE))
1097 {
1098 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1099 return NEED_MORE;
1100 }
1101 this->crypto->change_cipher(this->crypto, TRUE);
1102
1103 if (update_requested)
1104 {
1105 DBG1(DBG_TLS, "server requested KeyUpdate");
1106 this->state = STATE_KEY_UPDATE_REQUESTED;
1107 }
1108 return NEED_MORE;
1109 }
1110
1111 METHOD(tls_handshake_t, process, status_t,
1112 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1113 {
1114 tls_handshake_type_t expected;
1115
1116 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1117 {
1118 switch (this->state)
1119 {
1120 case STATE_HELLO_SENT:
1121 if (type == TLS_SERVER_HELLO)
1122 {
1123 return process_server_hello(this, reader);
1124 }
1125 expected = TLS_SERVER_HELLO;
1126 break;
1127 case STATE_HELLO_RECEIVED:
1128 if (type == TLS_CERTIFICATE)
1129 {
1130 return process_certificate(this, reader);
1131 }
1132 expected = TLS_CERTIFICATE;
1133 break;
1134 case STATE_CERT_RECEIVED:
1135 if (type == TLS_SERVER_KEY_EXCHANGE)
1136 {
1137 return process_key_exchange(this, reader);
1138 }
1139 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
1140 case STATE_KEY_EXCHANGE_RECEIVED:
1141 if (type == TLS_CERTIFICATE_REQUEST)
1142 {
1143 return process_certreq(this, reader);
1144 }
1145 /* no cert request, server does not want to authenticate us */
1146 DESTROY_IF(this->peer);
1147 this->peer = NULL;
1148 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
1149 case STATE_CERTREQ_RECEIVED:
1150 if (type == TLS_SERVER_HELLO_DONE)
1151 {
1152 return process_hello_done(this, reader);
1153 }
1154 expected = TLS_SERVER_HELLO_DONE;
1155 break;
1156 case STATE_CIPHERSPEC_CHANGED_IN:
1157 if (type == TLS_FINISHED)
1158 {
1159 return process_finished(this, reader);
1160 }
1161 expected = TLS_FINISHED;
1162 break;
1163 default:
1164 DBG1(DBG_TLS, "TLS %N not expected in current state",
1165 tls_handshake_type_names, type);
1166 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1167 return NEED_MORE;
1168 }
1169 }
1170 else
1171 {
1172 switch (this->state)
1173 {
1174 case STATE_HELLO_SENT:
1175 if (type == TLS_SERVER_HELLO)
1176 {
1177 return process_server_hello(this, reader);
1178 }
1179 expected = TLS_SERVER_HELLO;
1180 break;
1181 case STATE_CIPHERSPEC_CHANGED_IN:
1182 case STATE_HELLO_RECEIVED:
1183 if (type == TLS_ENCRYPTED_EXTENSIONS)
1184 {
1185 return process_encrypted_extensions(this, reader);
1186 }
1187 expected = TLS_ENCRYPTED_EXTENSIONS;
1188 break;
1189 case STATE_ENCRYPTED_EXTENSIONS_RECEIVED:
1190 if (type == TLS_CERTIFICATE_REQUEST)
1191 {
1192 return process_certreq(this, reader);
1193 }
1194 /* no cert request, server does not want to authenticate us */
1195 DESTROY_IF(this->peer);
1196 this->peer = NULL;
1197 /* otherwise fall through to next state */
1198 case STATE_CERTREQ_RECEIVED:
1199 if (type == TLS_CERTIFICATE)
1200 {
1201 return process_certificate(this, reader);
1202 }
1203 expected = TLS_CERTIFICATE;
1204 break;
1205 case STATE_CERT_RECEIVED:
1206 if (type == TLS_CERTIFICATE_VERIFY)
1207 {
1208 return process_cert_verify(this, reader);
1209 }
1210 expected = TLS_CERTIFICATE_VERIFY;
1211 break;
1212 case STATE_CERT_VERIFY_RECEIVED:
1213 if (type == TLS_FINISHED)
1214 {
1215 return process_finished(this, reader);
1216 }
1217 expected = TLS_FINISHED;
1218 break;
1219 case STATE_FINISHED_RECEIVED:
1220 return NEED_MORE;
1221 case STATE_FINISHED_SENT_KEY_SWITCHED:
1222 if (type == TLS_NEW_SESSION_TICKET)
1223 {
1224 return process_new_session_ticket(this, reader);
1225 }
1226 if (type == TLS_KEY_UPDATE)
1227 {
1228 return process_key_update(this, reader);
1229 }
1230 expected = TLS_NEW_SESSION_TICKET;
1231 break;
1232 default:
1233 DBG1(DBG_TLS, "TLS %N not expected in current state",
1234 tls_handshake_type_names, type);
1235 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1236 return NEED_MORE;
1237 }
1238 }
1239 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1240 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1241 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1242 return NEED_MORE;
1243 }
1244
1245 /**
1246 * Send a client hello
1247 */
1248 static status_t send_client_hello(private_tls_peer_t *this,
1249 tls_handshake_type_t *type,
1250 bio_writer_t *writer)
1251 {
1252 tls_cipher_suite_t *suites;
1253 bio_writer_t *extensions, *curves = NULL, *versions, *key_share, *signatures;
1254 tls_version_t version_max, version_min;
1255 diffie_hellman_group_t group;
1256 tls_named_group_t curve;
1257 enumerator_t *enumerator;
1258 int count, i, v;
1259 rng_t *rng;
1260
1261 htoun32(&this->client_random, time(NULL));
1262 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1263 if (!rng ||
1264 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
1265 this->client_random + 4))
1266 {
1267 DBG1(DBG_TLS, "failed to generate client random");
1268 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1269 DESTROY_IF(rng);
1270 return NEED_MORE;
1271 }
1272 rng->destroy(rng);
1273
1274 /* determine supported suites before the versions as they might change */
1275 count = this->crypto->get_cipher_suites(this->crypto, &suites);
1276
1277 /* TLS version_max in handshake protocol */
1278 version_max = this->tls->get_version_max(this->tls);
1279 version_min = this->tls->get_version_min(this->tls);
1280 if (version_max < TLS_1_3)
1281 {
1282 this->hello_version = version_max;
1283 }
1284 else
1285 {
1286 this->hello_version = TLS_1_2;
1287 }
1288 writer->write_uint16(writer, this->hello_version);
1289 writer->write_data(writer, chunk_from_thing(this->client_random));
1290
1291 /* session identifier */
1292 this->session = this->crypto->get_session(this->crypto, this->server);
1293 writer->write_data8(writer, this->session);
1294
1295 /* add TLS cipher suites */
1296 if (count <= 0)
1297 {
1298 DBG1(DBG_TLS, "no supported TLS cipher suite available");
1299 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1300 return NEED_MORE;
1301 }
1302 writer->write_uint16(writer, count * 2);
1303 for (i = 0; i < count; i++)
1304 {
1305 writer->write_uint16(writer, suites[i]);
1306 }
1307
1308 /* NULL compression only */
1309 writer->write_uint8(writer, 1);
1310 writer->write_uint8(writer, 0);
1311
1312 extensions = bio_writer_create(32);
1313
1314 if (this->server->get_type(this->server) == ID_FQDN)
1315 {
1316 bio_writer_t *names;
1317
1318 DBG2(DBG_TLS, "sending extension: Server Name Indication for '%Y'",
1319 this->server);
1320 names = bio_writer_create(8);
1321 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
1322 names->write_data16(names, this->server->get_encoding(this->server));
1323 names->wrap16(names);
1324 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
1325 extensions->write_data16(extensions, names->get_buf(names));
1326 names->destroy(names);
1327 }
1328
1329 DBG2(DBG_TLS, "sending extension: %N",
1330 tls_extension_names, TLS_EXT_SUPPORTED_GROUPS);
1331 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1332 while (enumerator->enumerate(enumerator, &group, &curve))
1333 {
1334 if (this->requested_curve && this->requested_curve != curve)
1335 {
1336 continue;
1337 }
1338 if (!curves)
1339 {
1340 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_GROUPS);
1341 curves = bio_writer_create(16);
1342 }
1343 if (!this->dh)
1344 {
1345 this->dh = lib->crypto->create_dh(lib->crypto, group);
1346 if (!this->dh)
1347 {
1348 continue;
1349 }
1350 }
1351 curves->write_uint16(curves, curve);
1352 }
1353 enumerator->destroy(enumerator);
1354 if (curves)
1355 {
1356 curves->wrap16(curves);
1357 extensions->write_data16(extensions, curves->get_buf(curves));
1358 curves->destroy(curves);
1359
1360 /* if we support curves, add point format extension */
1361 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
1362 extensions->write_uint16(extensions, 2);
1363 extensions->write_uint8(extensions, 1);
1364 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
1365 }
1366
1367 if (version_max >= TLS_1_3)
1368 {
1369 DBG2(DBG_TLS, "sending extension: %N",
1370 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1371 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1372 versions = bio_writer_create(0);
1373 for (v = version_max; v >= version_min; v--)
1374 {
1375 versions->write_uint16(versions, v);
1376 }
1377 versions->wrap8(versions);
1378 extensions->write_data16(extensions, versions->get_buf(versions));
1379 versions->destroy(versions);
1380 }
1381
1382 if (this->cookie.len)
1383 {
1384 DBG2(DBG_TLS, "sending extension: %N",
1385 tls_extension_names, TLS_EXT_COOKIE);
1386 extensions->write_uint16(extensions, TLS_EXT_COOKIE);
1387 extensions->write_uint16(extensions, this->cookie.len + 2);
1388 extensions->write_data16(extensions, this->cookie);
1389 chunk_free(&this->cookie);
1390 }
1391
1392 DBG2(DBG_TLS, "sending extension: %N",
1393 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1394 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1395 signatures = bio_writer_create(32);
1396 this->crypto->get_signature_algorithms(this->crypto, signatures, FALSE);
1397 extensions->write_data16(extensions, signatures->get_buf(signatures));
1398 signatures->destroy(signatures);
1399
1400 DBG2(DBG_TLS, "sending extension: %N",
1401 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
1402 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
1403 signatures = bio_writer_create(32);
1404 this->crypto->get_signature_algorithms(this->crypto, signatures, TRUE);
1405 extensions->write_data16(extensions, signatures->get_buf(signatures));
1406 signatures->destroy(signatures);
1407
1408 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1409 {
1410 DBG2(DBG_TLS, "sending extension: %N",
1411 tls_extension_names, TLS_EXT_KEY_SHARE);
1412 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1413 if (!tls_write_key_share(&key_share, this->dh))
1414 {
1415 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1416 extensions->destroy(extensions);
1417 return NEED_MORE;
1418 }
1419 key_share->wrap16(key_share);
1420 extensions->write_data16(extensions, key_share->get_buf(key_share));
1421 key_share->destroy(key_share);
1422 }
1423
1424 writer->write_data16(writer, extensions->get_buf(extensions));
1425 extensions->destroy(extensions);
1426
1427 *type = TLS_CLIENT_HELLO;
1428 this->state = STATE_HELLO_SENT;
1429 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1430 return NEED_MORE;
1431 }
1432
1433 /**
1434 * Convert certificate types to signature schemes so TLS version <= 1.1 can use
1435 * the same private key enumeration as newer TLS versions.
1436 */
1437 static void convert_cert_types(private_tls_peer_t *this)
1438 {
1439 bio_reader_t *reader;
1440 bio_writer_t *writer;
1441 uint8_t type;
1442
1443 reader = bio_reader_create(this->cert_types);
1444 writer = bio_writer_create(0);
1445 while (reader->remaining(reader) && reader->read_uint8(reader, &type))
1446 {
1447 /* each certificate type is mapped to one signature scheme, which is not
1448 * ideal but serves our needs in legacy TLS versions */
1449 switch (type)
1450 {
1451 case TLS_RSA_SIGN:
1452 writer->write_uint16(writer, TLS_SIG_RSA_PKCS1_SHA256);
1453 break;
1454 case TLS_ECDSA_SIGN:
1455 writer->write_uint16(writer, TLS_SIG_ECDSA_SHA256);
1456 break;
1457 default:
1458 continue;
1459 }
1460 }
1461 reader->destroy(reader);
1462 this->hashsig = writer->extract_buf(writer);
1463 writer->destroy(writer);
1464 }
1465
1466 /**
1467 * Send Certificate
1468 */
1469 static status_t send_certificate(private_tls_peer_t *this,
1470 tls_handshake_type_t *type, bio_writer_t *writer)
1471 {
1472 enumerator_t *enumerator;
1473 certificate_t *cert;
1474 auth_rule_t rule;
1475 bio_writer_t *certs;
1476 private_key_t *key;
1477 auth_cfg_t *auth;
1478 chunk_t data;
1479 tls_version_t version_min, version_max;
1480
1481 version_min = this->tls->get_version_min(this->tls);
1482 version_max = this->tls->get_version_max(this->tls);
1483 if (!this->hashsig.len)
1484 {
1485 convert_cert_types(this);
1486 }
1487 enumerator = tls_create_private_key_enumerator(version_min, version_max,
1488 this->hashsig, this->peer);
1489 if (!enumerator || !enumerator->enumerate(enumerator, &key, &auth))
1490 {
1491 if (!enumerator)
1492 {
1493 DBG1(DBG_TLS, "no common signature algorithms found");
1494 }
1495 else
1496 {
1497 DBG1(DBG_TLS, "no usable TLS client certificate found for '%Y'",
1498 this->peer);
1499 }
1500 this->peer->destroy(this->peer);
1501 this->peer = NULL;
1502 }
1503 else
1504 {
1505 this->private = key->get_ref(key);
1506 this->peer_auth->merge(this->peer_auth, auth, FALSE);
1507 }
1508 DESTROY_IF(enumerator);
1509
1510 /* certificate request context as described in RFC 8446, section 4.4.2 */
1511 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1512 {
1513 writer->write_uint8(writer, 0);
1514 }
1515
1516 /* generate certificate payload */
1517 certs = bio_writer_create(256);
1518 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
1519 if (cert)
1520 {
1521 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1522 {
1523 DBG1(DBG_TLS, "sending TLS client certificate '%Y'",
1524 cert->get_subject(cert));
1525 certs->write_data24(certs, data);
1526 free(data.ptr);
1527 }
1528 /* extensions see RFC 8446, section 4.4.2 */
1529 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1530 {
1531 certs->write_uint16(certs, 0);
1532 }
1533 }
1534 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
1535 while (enumerator->enumerate(enumerator, &rule, &cert))
1536 {
1537 if (rule == AUTH_RULE_IM_CERT)
1538 {
1539 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1540 {
1541 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1542 cert->get_subject(cert));
1543 certs->write_data24(certs, data);
1544 free(data.ptr);
1545 }
1546 }
1547 }
1548 enumerator->destroy(enumerator);
1549
1550 writer->write_data24(writer, certs->get_buf(certs));
1551 certs->destroy(certs);
1552
1553 *type = TLS_CERTIFICATE;
1554 this->state = STATE_CERT_SENT;
1555 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1556 return NEED_MORE;
1557 }
1558
1559 /**
1560 * Send client key exchange, using premaster encryption
1561 */
1562 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
1563 tls_handshake_type_t *type, bio_writer_t *writer)
1564 {
1565 public_key_t *public;
1566 rng_t *rng;
1567 char premaster[48];
1568 chunk_t encrypted;
1569
1570 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
1571 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
1572 {
1573 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
1574 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1575 DESTROY_IF(rng);
1576 return NEED_MORE;
1577 }
1578 rng->destroy(rng);
1579 htoun16(premaster, this->hello_version);
1580
1581 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
1582 this->session, this->server,
1583 chunk_from_thing(this->client_random),
1584 chunk_from_thing(this->server_random)))
1585 {
1586 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1587 return NEED_MORE;
1588 }
1589
1590 public = tls_find_public_key(this->server_auth);
1591 if (!public)
1592 {
1593 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
1594 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
1595 return NEED_MORE;
1596 }
1597 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
1598 chunk_from_thing(premaster), &encrypted))
1599 {
1600 public->destroy(public);
1601 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
1602 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
1603 return NEED_MORE;
1604 }
1605 public->destroy(public);
1606
1607 writer->write_data16(writer, encrypted);
1608 free(encrypted.ptr);
1609
1610 *type = TLS_CLIENT_KEY_EXCHANGE;
1611 this->state = STATE_KEY_EXCHANGE_SENT;
1612 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1613 return NEED_MORE;
1614 }
1615
1616 /**
1617 * Send client key exchange, using DHE exchange
1618 */
1619 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
1620 tls_handshake_type_t *type, bio_writer_t *writer)
1621 {
1622 chunk_t premaster, pub;
1623
1624 if (!this->dh->get_shared_secret(this->dh, &premaster))
1625 {
1626 DBG1(DBG_TLS, "calculating premaster from DH failed");
1627 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1628 return NEED_MORE;
1629 }
1630 if (!this->crypto->derive_secrets(this->crypto, premaster,
1631 this->session, this->server,
1632 chunk_from_thing(this->client_random),
1633 chunk_from_thing(this->server_random)))
1634 {
1635 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1636 chunk_clear(&premaster);
1637 return NEED_MORE;
1638 }
1639 chunk_clear(&premaster);
1640
1641 if (!this->dh->get_my_public_value(this->dh, &pub))
1642 {
1643 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1644 return NEED_MORE;
1645 }
1646 switch (this->dh->get_dh_group(this->dh))
1647 {
1648 case MODP_CUSTOM:
1649 writer->write_data16(writer, pub);
1650 break;
1651 case CURVE_25519:
1652 case CURVE_448:
1653 /* ECPoint uses an 8-bit length header only */
1654 writer->write_data8(writer, pub);
1655 break;
1656 default:
1657 /* classic ECPoint format (see RFC 8422, section 5.4.1) */
1658 writer->write_uint8(writer, pub.len + 1);
1659 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1660 writer->write_data(writer, pub);
1661 break;
1662 }
1663 free(pub.ptr);
1664
1665 *type = TLS_CLIENT_KEY_EXCHANGE;
1666 this->state = STATE_KEY_EXCHANGE_SENT;
1667 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1668 return NEED_MORE;
1669 }
1670
1671 /**
1672 * Send client key exchange, depending on suite
1673 */
1674 static status_t send_key_exchange(private_tls_peer_t *this,
1675 tls_handshake_type_t *type, bio_writer_t *writer)
1676 {
1677 if (this->dh)
1678 {
1679 return send_key_exchange_dhe(this, type, writer);
1680 }
1681 return send_key_exchange_encrypt(this, type, writer);
1682 }
1683
1684 /**
1685 * Send certificate verify
1686 */
1687 static status_t send_certificate_verify(private_tls_peer_t *this,
1688 tls_handshake_type_t *type,
1689 bio_writer_t *writer)
1690 {
1691 if (!this->private ||
1692 !this->crypto->sign_handshake(this->crypto, this->private,
1693 writer, this->hashsig))
1694 {
1695 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1696 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1697 return NEED_MORE;
1698 }
1699
1700 *type = TLS_CERTIFICATE_VERIFY;
1701 this->state = STATE_VERIFY_SENT;
1702 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1703 return NEED_MORE;
1704 }
1705
1706 /**
1707 * Send Finished
1708 */
1709 static status_t send_finished(private_tls_peer_t *this,
1710 tls_handshake_type_t *type, bio_writer_t *writer)
1711 {
1712 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1713 {
1714 char buf[12];
1715
1716 if (!this->crypto->calculate_finished_legacy(this->crypto,
1717 "client finished", buf))
1718 {
1719 DBG1(DBG_TLS, "calculating client finished data failed");
1720 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1721 return NEED_MORE;
1722 }
1723
1724 writer->write_data(writer, chunk_from_thing(buf));
1725 }
1726 else
1727 {
1728 chunk_t verify_data;
1729
1730 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
1731 {
1732 DBG1(DBG_TLS, "calculating client finished data failed");
1733 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1734 return NEED_MORE;
1735 }
1736
1737 writer->write_data(writer, verify_data);
1738 chunk_free(&verify_data);
1739 }
1740
1741 *type = TLS_FINISHED;
1742 this->state = STATE_FINISHED_SENT;
1743 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1744 return NEED_MORE;
1745 }
1746
1747 /**
1748 * Send KeyUpdate message
1749 */
1750 static status_t send_key_update(private_tls_peer_t *this,
1751 tls_handshake_type_t *type, bio_writer_t *writer)
1752 {
1753 *type = TLS_KEY_UPDATE;
1754
1755 /* we currently only send this as reply, so we never request an update */
1756 writer->write_uint8(writer, 0);
1757
1758 this->state = STATE_KEY_UPDATE_SENT;
1759 return NEED_MORE;
1760 }
1761
1762 METHOD(tls_handshake_t, build, status_t,
1763 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1764 {
1765 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1766 {
1767 switch (this->state)
1768 {
1769 case STATE_INIT:
1770 return send_client_hello(this, type, writer);
1771 case STATE_HELLO_DONE:
1772 if (this->peer)
1773 {
1774 return send_certificate(this, type, writer);
1775 }
1776 /* otherwise fall through to next state */
1777 case STATE_CERT_SENT:
1778 return send_key_exchange(this, type, writer);
1779 case STATE_KEY_EXCHANGE_SENT:
1780 if (this->peer)
1781 {
1782 return send_certificate_verify(this, type, writer);
1783 }
1784 else
1785 {
1786 return INVALID_STATE;
1787 }
1788 case STATE_CIPHERSPEC_CHANGED_OUT:
1789 return send_finished(this, type, writer);
1790 default:
1791 return INVALID_STATE;
1792 }
1793 }
1794 else
1795 {
1796 switch (this->state)
1797 {
1798 case STATE_INIT:
1799 return send_client_hello(this, type, writer);
1800 case STATE_HELLO_DONE:
1801 case STATE_CIPHERSPEC_CHANGED_OUT:
1802 case STATE_FINISHED_RECEIVED:
1803 if (!this->crypto->derive_app_keys(this->crypto))
1804 {
1805 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1806 return NEED_MORE;
1807 }
1808 this->crypto->change_cipher(this->crypto, TRUE);
1809 if (this->peer)
1810 {
1811 return send_certificate(this, type, writer);
1812 }
1813 /* otherwise fall through to next state */
1814 case STATE_CERT_SENT:
1815 if (this->peer)
1816 {
1817 return send_certificate_verify(this, type, writer);
1818 }
1819 /* otherwise fall through to next state */
1820 case STATE_VERIFY_SENT:
1821 return send_finished(this, type, writer);
1822 case STATE_FINISHED_SENT:
1823 this->crypto->change_cipher(this->crypto, FALSE);
1824 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1825 return INVALID_STATE;
1826 case STATE_KEY_UPDATE_REQUESTED:
1827 return send_key_update(this, type, writer);
1828 case STATE_KEY_UPDATE_SENT:
1829 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1830 {
1831 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1832 return NEED_MORE;
1833 }
1834 this->crypto->change_cipher(this->crypto, FALSE);
1835 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1836 return INVALID_STATE;
1837 default:
1838 return INVALID_STATE;
1839 }
1840 }
1841 }
1842
1843 /**
1844 * Check if we are currently retrying to connect to the server.
1845 */
1846 static bool retrying(private_tls_peer_t *this)
1847 {
1848 return this->state == STATE_INIT && (this->requested_curve || this->cookie.len);
1849 }
1850
1851 METHOD(tls_handshake_t, cipherspec_changed, bool,
1852 private_tls_peer_t *this, bool inbound)
1853 {
1854 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1855 {
1856 if (inbound)
1857 {
1858 if (this->resume)
1859 {
1860 return this->state == STATE_HELLO_RECEIVED;
1861 }
1862 return this->state == STATE_FINISHED_SENT;
1863 }
1864 else
1865 {
1866 if (this->resume)
1867 {
1868 return this->state == STATE_FINISHED_RECEIVED;
1869 }
1870 if (this->peer)
1871 {
1872 return this->state == STATE_VERIFY_SENT;
1873 }
1874 return this->state == STATE_KEY_EXCHANGE_SENT;
1875
1876 }
1877 }
1878 else
1879 {
1880 if (inbound)
1881 { /* accept ChangeCipherSpec after ServerHello or HelloRetryRequest */
1882 return this->state == STATE_HELLO_RECEIVED || retrying(this);
1883 }
1884 else
1885 {
1886 return FALSE;
1887 }
1888 }
1889 }
1890
1891 METHOD(tls_handshake_t, change_cipherspec, void,
1892 private_tls_peer_t *this, bool inbound)
1893 {
1894 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1895 {
1896 this->crypto->change_cipher(this->crypto, inbound);
1897 }
1898
1899 if (retrying(this))
1900 { /* servers might send a ChangeCipherSpec after a HelloRetryRequest,
1901 * which should not cause any state changes */
1902 return;
1903 }
1904
1905 if (inbound)
1906 {
1907 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1908 }
1909 else
1910 {
1911 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1912 }
1913 }
1914
1915 METHOD(tls_handshake_t, finished, bool,
1916 private_tls_peer_t *this)
1917 {
1918 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1919 {
1920 if (this->resume)
1921 {
1922 return this->state == STATE_FINISHED_SENT;
1923 }
1924 return this->state == STATE_FINISHED_RECEIVED;
1925 }
1926 else
1927 {
1928 return this->state == STATE_FINISHED_SENT_KEY_SWITCHED;
1929 }
1930 }
1931
1932 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1933 private_tls_peer_t *this)
1934 {
1935 return this->peer;
1936 }
1937
1938 METHOD(tls_handshake_t, get_server_id, identification_t*,
1939 private_tls_peer_t *this)
1940 {
1941 return this->server;
1942 }
1943
1944 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1945 private_tls_peer_t *this)
1946 {
1947 return this->server_auth;
1948 }
1949
1950 METHOD(tls_handshake_t, destroy, void,
1951 private_tls_peer_t *this)
1952 {
1953 DESTROY_IF(this->private);
1954 DESTROY_IF(this->dh);
1955 DESTROY_IF(this->peer);
1956 this->server->destroy(this->server);
1957 this->peer_auth->destroy(this->peer_auth);
1958 this->server_auth->destroy(this->server_auth);
1959 free(this->hashsig.ptr);
1960 free(this->cert_types.ptr);
1961 free(this->session.ptr);
1962 free(this->cookie.ptr);
1963 free(this);
1964 }
1965
1966 /**
1967 * See header
1968 */
1969 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1970 identification_t *peer, identification_t *server)
1971 {
1972 private_tls_peer_t *this;
1973
1974 INIT(this,
1975 .public = {
1976 .handshake = {
1977 .process = _process,
1978 .build = _build,
1979 .cipherspec_changed = _cipherspec_changed,
1980 .change_cipherspec = _change_cipherspec,
1981 .finished = _finished,
1982 .get_peer_id = _get_peer_id,
1983 .get_server_id = _get_server_id,
1984 .get_auth = _get_auth,
1985 .destroy = _destroy,
1986 },
1987 },
1988 .state = STATE_INIT,
1989 .tls = tls,
1990 .crypto = crypto,
1991 .alert = alert,
1992 .peer = peer ? peer->clone(peer) : NULL,
1993 .server = server->clone(server),
1994 .peer_auth = auth_cfg_create(),
1995 .server_auth = auth_cfg_create(),
1996 );
1997
1998 return &this->public;
1999 }