tls-server: Share trusted public key search between client and server
[strongswan.git] / src / libtls / tls_peer.c
1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2020 Pascal Knecht
4 * Copyright (C) 2020 Méline Sieber
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * Copyright (C) 2010 Martin Willi
8 * Copyright (C) 2010 revosec AG
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include "tls_peer.h"
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25
26 #include <time.h>
27
28 typedef struct private_tls_peer_t private_tls_peer_t;
29
30 typedef enum {
31 STATE_INIT,
32 STATE_HELLO_SENT,
33 STATE_HELLO_RECEIVED,
34 STATE_HELLO_DONE,
35 STATE_CERT_SENT,
36 STATE_CERT_RECEIVED,
37 STATE_KEY_EXCHANGE_RECEIVED,
38 STATE_CERTREQ_RECEIVED,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_VERIFY_SENT,
41 STATE_CIPHERSPEC_CHANGED_OUT,
42 STATE_FINISHED_SENT,
43 STATE_CIPHERSPEC_CHANGED_IN,
44 STATE_FINISHED_RECEIVED,
45 /* new states in TLS 1.3 */
46 STATE_HELLORETRYREQ_RECEIVED,
47 STATE_ENCRYPTED_EXTENSIONS_RECEIVED,
48 STATE_CERT_VERIFY_RECEIVED,
49 STATE_FINISHED_SENT_KEY_SWITCHED,
50 STATE_KEY_UPDATE_REQUESTED,
51 STATE_KEY_UPDATE_SENT,
52 } peer_state_t;
53
54 /**
55 * Private data of an tls_peer_t object.
56 */
57 struct private_tls_peer_t {
58
59 /**
60 * Public tls_peer_t interface.
61 */
62 tls_peer_t public;
63
64 /**
65 * TLS stack
66 */
67 tls_t *tls;
68
69 /**
70 * TLS crypto context
71 */
72 tls_crypto_t *crypto;
73
74 /**
75 * TLS alert handler
76 */
77 tls_alert_t *alert;
78
79 /**
80 * Peer identity, NULL for no client authentication
81 */
82 identification_t *peer;
83
84 /**
85 * Server identity
86 */
87 identification_t *server;
88
89 /**
90 * State we are in
91 */
92 peer_state_t state;
93
94 /**
95 * TLS version we offered in hello
96 */
97 tls_version_t hello_version;
98
99 /**
100 * Hello random data selected by client
101 */
102 char client_random[32];
103
104 /**
105 * Hello random data selected by server
106 */
107 char server_random[32];
108
109 /**
110 * Auth helper for peer authentication
111 */
112 auth_cfg_t *peer_auth;
113
114 /**
115 * Auth helper for server authentication
116 */
117 auth_cfg_t *server_auth;
118
119 /**
120 * Peer private key
121 */
122 private_key_t *private;
123
124 /**
125 * DHE exchange
126 */
127 diffie_hellman_t *dh;
128
129 /**
130 * Requested DH group
131 */
132 tls_named_group_t requested_curve;
133
134 /**
135 * Cookie extension received in HelloRetryRequest
136 */
137 chunk_t cookie;
138
139 /**
140 * Resuming a session?
141 */
142 bool resume;
143
144 /**
145 * TLS session identifier
146 */
147 chunk_t session;
148
149 /**
150 * List of server-supported hashsig algorithms
151 */
152 chunk_t hashsig;
153
154 /**
155 * List of server-supported client certificate types
156 */
157 chunk_t cert_types;
158 };
159
160 /* Implemented in tls_server.c */
161 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
162 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
163
164 /**
165 * Verify the DH group/key type requested by the server is valid.
166 */
167 static bool verify_requested_key_type(private_tls_peer_t *this,
168 uint16_t key_type)
169 {
170 enumerator_t *enumerator;
171 diffie_hellman_group_t group, found = MODP_NONE;
172 tls_named_group_t curve;
173
174 enumerator = this->crypto->create_ec_enumerator(this->crypto);
175 while (enumerator->enumerate(enumerator, &group, &curve))
176 {
177 if (key_type == curve)
178 {
179 found = group;
180 break;
181 }
182 }
183 enumerator->destroy(enumerator);
184
185 if (found == MODP_NONE)
186 {
187 DBG1(DBG_TLS, "server requested key exchange we didn't propose");
188 return FALSE;
189 }
190 if (this->dh->get_dh_group(this->dh) == found)
191 {
192 DBG1(DBG_TLS, "server requested key exchange we already use");
193 return FALSE;
194 }
195 return TRUE;
196 }
197
198 /**
199 * Process a server hello message
200 */
201 static status_t process_server_hello(private_tls_peer_t *this,
202 bio_reader_t *reader)
203 {
204 uint8_t compression;
205 uint16_t version, cipher, key_type = 0;
206 bio_reader_t *extensions, *extension;
207 chunk_t msg, random, session, ext = chunk_empty, key_share = chunk_empty;
208 chunk_t cookie = chunk_empty;
209 tls_cipher_suite_t suite = 0;
210 bool is_retry_request;
211
212 msg = reader->peek(reader);
213 if (!reader->read_uint16(reader, &version) ||
214 !reader->read_data(reader, sizeof(this->server_random), &random) ||
215 !reader->read_data8(reader, &session) ||
216 !reader->read_uint16(reader, &cipher) ||
217 !reader->read_uint8(reader, &compression) ||
218 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
219 {
220 DBG1(DBG_TLS, "received invalid ServerHello");
221 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
222 return NEED_MORE;
223 }
224
225 is_retry_request = chunk_equals_const(random, tls_hello_retry_request_magic);
226
227 memcpy(this->server_random, random.ptr, sizeof(this->server_random));
228
229 extensions = bio_reader_create(ext);
230 while (extensions->remaining(extensions))
231 {
232 uint16_t extension_type;
233 chunk_t extension_data;
234
235 if (!extensions->read_uint16(extensions, &extension_type) ||
236 !extensions->read_data16(extensions, &extension_data))
237 {
238 DBG1(DBG_TLS, "invalid extension in ServerHello");
239 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
240 extensions->destroy(extensions);
241 return NEED_MORE;
242 }
243 extension = bio_reader_create(extension_data);
244 switch (extension_type)
245 {
246 case TLS_EXT_SUPPORTED_VERSIONS:
247 if (!extension->read_uint16(extension, &version))
248 {
249 DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
250 extension_type);
251 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
252 extensions->destroy(extensions);
253 extension->destroy(extension);
254 return NEED_MORE;
255 }
256 break;
257 case TLS_EXT_KEY_SHARE:
258 if (!extension->read_uint16(extension, &key_type) ||
259 (!is_retry_request &&
260 !(extension->read_data16(extension, &key_share) &&
261 key_share.len)))
262 {
263 DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
264 extension_type);
265 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
266 extensions->destroy(extensions);
267 extension->destroy(extension);
268 return NEED_MORE;
269 }
270 break;
271 case TLS_EXT_COOKIE:
272 if (!extension->read_data16(extension, &cookie))
273 {
274 DBG1(DBG_TLS, "invalid %N extension", tls_extension_names,
275 extension_type);
276 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
277 extensions->destroy(extensions);
278 extension->destroy(extension);
279 return NEED_MORE;
280 }
281 default:
282 break;
283 }
284 extension->destroy(extension);
285 }
286 extensions->destroy(extensions);
287
288 if (!this->tls->set_version(this->tls, version, version))
289 {
290 DBG1(DBG_TLS, "negotiated version %N not supported",
291 tls_version_names, version);
292 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
293 return NEED_MORE;
294 }
295
296 if (this->tls->get_version_max(this->tls) < TLS_1_3)
297 {
298 if (chunk_equals(this->session, session))
299 {
300 suite = this->crypto->resume_session(this->crypto, session,
301 this->server, chunk_from_thing
302 (this->client_random),
303 chunk_from_thing
304 (this->server_random));
305 if (suite)
306 {
307 DBG1(DBG_TLS, "resumed %N using suite %N",
308 tls_version_names, version, tls_cipher_suite_names, suite);
309 this->resume = TRUE;
310 }
311 }
312 DESTROY_IF(this->dh);
313 this->dh = NULL;
314 }
315
316 if (!suite)
317 {
318 suite = cipher;
319 if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
320 {
321 DBG1(DBG_TLS, "received TLS cipher suite %N unacceptable",
322 tls_cipher_suite_names, suite);
323 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
324 return NEED_MORE;
325 }
326 DBG1(DBG_TLS, "negotiated %N using suite %N",
327 tls_version_names, version, tls_cipher_suite_names, suite);
328 free(this->session.ptr);
329 this->session = chunk_clone(session);
330 }
331
332 if (is_retry_request)
333 {
334 if (!this->crypto->hash_handshake(this->crypto, NULL))
335 {
336 DBG1(DBG_TLS, "failed to hash handshake messages");
337 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
338 return NEED_MORE;
339 }
340 }
341 this->crypto->append_handshake(this->crypto, TLS_SERVER_HELLO, msg);
342
343 if (is_retry_request)
344 {
345 if (key_type)
346 {
347 DBG1(DBG_TLS, "server requests key exchange with %N",
348 tls_named_group_names, key_type);
349 }
350 else if (cookie.len)
351 {
352 DBG1(DBG_TLS, "server requests retry with cookie");
353 }
354 else
355 {
356 DBG1(DBG_TLS, "invalid retry request received");
357 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
358 return NEED_MORE;
359 }
360 if (this->requested_curve || this->cookie.len)
361 {
362 DBG1(DBG_TLS, "already replied to previous retry request");
363 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
364 return NEED_MORE;
365 }
366 if (key_type && !verify_requested_key_type(this, key_type))
367 {
368 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
369 return NEED_MORE;
370 }
371
372 DESTROY_IF(this->dh);
373 this->dh = NULL;
374 this->requested_curve = key_type;
375 this->cookie = chunk_clone(cookie);
376 this->state = STATE_INIT;
377 return NEED_MORE;
378 }
379
380 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
381 {
382 chunk_t shared_secret = chunk_empty;
383
384 if (key_share.len &&
385 key_type != TLS_CURVE25519 &&
386 key_type != TLS_CURVE448)
387 { /* classic format (see RFC 8446, section 4.2.8.2) */
388 if (key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
389 {
390 DBG1(DBG_TLS, "DH point format '%N' not supported",
391 tls_ansi_point_format_names, key_share.ptr[0]);
392 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
393 return NEED_MORE;
394 }
395 key_share = chunk_skip(key_share, 1);
396 }
397 if (!key_share.len ||
398 !this->dh->set_other_public_value(this->dh, key_share) ||
399 !this->dh->get_shared_secret(this->dh, &shared_secret) ||
400 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
401 {
402 DBG1(DBG_TLS, "DH key derivation failed");
403 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
404 chunk_clear(&shared_secret);
405 return NEED_MORE;
406 }
407 chunk_clear(&shared_secret);
408
409 this->crypto->change_cipher(this->crypto, TRUE);
410 this->crypto->change_cipher(this->crypto, FALSE);
411 }
412
413 this->state = STATE_HELLO_RECEIVED;
414 return NEED_MORE;
415 }
416
417 /**
418 * Process a server encrypted extensions message
419 */
420 static status_t process_encrypted_extensions(private_tls_peer_t *this,
421 bio_reader_t *reader)
422 {
423 chunk_t ext = chunk_empty;
424 uint16_t extension_type;
425
426 this->crypto->append_handshake(this->crypto, TLS_ENCRYPTED_EXTENSIONS,
427 reader->peek(reader));
428
429 if (!reader->read_data16(reader, &ext))
430 {
431 DBG1(DBG_TLS, "received invalid EncryptedExtensions");
432 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
433 return NEED_MORE;
434 }
435 if (ext.len)
436 {
437 bio_reader_t *extensions = bio_reader_create(ext);
438
439 while (extensions->remaining(extensions))
440 {
441 chunk_t extension_data = chunk_empty;
442
443 if (!extensions->read_uint16(extensions, &extension_type) ||
444 !extensions->read_data16(extensions, &extension_data))
445 {
446 DBG1(DBG_TLS, "invalid extension in EncryptedExtensions");
447 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
448 extensions->destroy(extensions);
449 return NEED_MORE;
450 }
451 switch (extension_type)
452 {
453 case TLS_EXT_SERVER_NAME:
454 case TLS_EXT_MAX_FRAGMENT_LENGTH:
455 case TLS_EXT_SUPPORTED_GROUPS:
456 case TLS_EXT_USE_SRTP:
457 case TLS_EXT_HEARTBEAT:
458 case TLS_EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION:
459 case TLS_SERVER_CERTIFICATE_TYPE:
460 /* not supported so far */
461 DBG2(DBG_TLS, "ignoring unsupported %N EncryptedExtension",
462 tls_extension_names, extension_type);
463 break;
464 default:
465 DBG1(DBG_TLS, "received forbidden EncryptedExtension (%d)",
466 extension_type);
467 this->alert->add(this->alert, TLS_FATAL,
468 TLS_ILLEGAL_PARAMETER);
469 extensions->destroy(extensions);
470 return NEED_MORE;
471 }
472 }
473 extensions->destroy(extensions);
474 }
475 this->state = STATE_ENCRYPTED_EXTENSIONS_RECEIVED;
476 return NEED_MORE;
477 }
478
479 /**
480 * Check if a server certificate is acceptable for the given server identity
481 */
482 static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
483 {
484 identification_t *id;
485
486 if (cert->has_subject(cert, this->server))
487 {
488 return TRUE;
489 }
490 id = cert->get_subject(cert);
491 if (id->matches(id, this->server))
492 {
493 return TRUE;
494 }
495 if (cert->get_type(cert) == CERT_X509)
496 {
497 x509_t *x509 = (x509_t*)cert;
498 enumerator_t *enumerator;
499
500 enumerator = x509->create_subjectAltName_enumerator(x509);
501 while (enumerator->enumerate(enumerator, &id))
502 {
503 if (id->matches(id, this->server))
504 {
505 enumerator->destroy(enumerator);
506 return TRUE;
507 }
508 }
509 enumerator->destroy(enumerator);
510 }
511 DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
512 return FALSE;
513 }
514
515 /**
516 * Process a Certificate message
517 */
518 static status_t process_certificate(private_tls_peer_t *this,
519 bio_reader_t *reader)
520 {
521 certificate_t *cert;
522 bio_reader_t *certs;
523 chunk_t data;
524 bool first = TRUE;
525
526 this->crypto->append_handshake(this->crypto,
527 TLS_CERTIFICATE, reader->peek(reader));
528
529 if (this->tls->get_version_max(this->tls) > TLS_1_2)
530 {
531 if (!reader->read_data8(reader, &data))
532 {
533 DBG1(DBG_TLS, "certificate request context invalid");
534 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
535 return NEED_MORE;
536 }
537 }
538
539 if (!reader->read_data24(reader, &data))
540 {
541 DBG1(DBG_TLS, "certificate message header invalid");
542 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
543 return NEED_MORE;
544 }
545 certs = bio_reader_create(data);
546 while (certs->remaining(certs))
547 {
548 if (!certs->read_data24(certs, &data))
549 {
550 DBG1(DBG_TLS, "certificate message invalid");
551 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
552 certs->destroy(certs);
553 return NEED_MORE;
554 }
555 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
556 BUILD_BLOB_ASN1_DER, data, BUILD_END);
557 if (cert)
558 {
559 if (first)
560 {
561 if (!check_certificate(this, cert))
562 {
563 cert->destroy(cert);
564 certs->destroy(certs);
565 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
566 return NEED_MORE;
567 }
568 this->server_auth->add(this->server_auth,
569 AUTH_HELPER_SUBJECT_CERT, cert);
570 DBG1(DBG_TLS, "received TLS server certificate '%Y'",
571 cert->get_subject(cert));
572 first = FALSE;
573 }
574 else
575 {
576 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
577 cert->get_subject(cert));
578 this->server_auth->add(this->server_auth,
579 AUTH_HELPER_IM_CERT, cert);
580 }
581 }
582 else
583 {
584 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
585 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
586 }
587 if (this->tls->get_version_max(this->tls) > TLS_1_2)
588 {
589 if (!certs->read_data16(certs, &data))
590 {
591 DBG1(DBG_TLS, "failed to read extensions of CertificateEntry");
592 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
593 return NEED_MORE;
594 }
595 }
596 }
597 certs->destroy(certs);
598 this->state = STATE_CERT_RECEIVED;
599 return NEED_MORE;
600 }
601
602 /**
603 * Process CertificateVerify message
604 */
605 static status_t process_cert_verify(private_tls_peer_t *this,
606 bio_reader_t *reader)
607 {
608 public_key_t *public;
609 chunk_t msg;
610
611 public = tls_find_public_key(this->server_auth);
612 if (!public)
613 {
614 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
615 this->server);
616 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
617 return NEED_MORE;
618 }
619
620 msg = reader->peek(reader);
621 if (!this->crypto->verify_handshake(this->crypto, public, reader))
622 {
623 public->destroy(public);
624 DBG1(DBG_TLS, "signature verification failed");
625 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
626 return NEED_MORE;
627 }
628 public->destroy(public);
629
630 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY, msg);
631 this->state = STATE_CERT_VERIFY_RECEIVED;
632 return NEED_MORE;
633 }
634
635 /**
636 * Process a Key Exchange message using MODP Diffie Hellman
637 */
638 static status_t process_modp_key_exchange(private_tls_peer_t *this,
639 bio_reader_t *reader)
640 {
641 chunk_t prime, generator, pub, chunk;
642 public_key_t *public;
643
644 chunk = reader->peek(reader);
645 if (!reader->read_data16(reader, &prime) ||
646 !reader->read_data16(reader, &generator) ||
647 !reader->read_data16(reader, &pub))
648 {
649 DBG1(DBG_TLS, "received invalid Server Key Exchange");
650 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
651 return NEED_MORE;
652 }
653 /* reject (export) DH groups using primes smaller than 1024 bit */
654 if (prime.len < 1024 / 8)
655 {
656 DBG1(DBG_TLS, "short DH prime received (%zu bytes)", prime.len);
657 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
658 return NEED_MORE;
659 }
660 public = tls_find_public_key(this->server_auth);
661 if (!public)
662 {
663 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
664 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
665 return NEED_MORE;
666 }
667
668 chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
669 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
670 chunk_from_thing(this->server_random), chunk);
671 if (!this->crypto->verify(this->crypto, public, reader, chunk))
672 {
673 public->destroy(public);
674 free(chunk.ptr);
675 DBG1(DBG_TLS, "verifying DH parameters failed");
676 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
677 return NEED_MORE;
678 }
679 public->destroy(public);
680 free(chunk.ptr);
681
682 this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
683 generator, prime);
684 if (!this->dh)
685 {
686 DBG1(DBG_TLS, "custom DH parameters not supported");
687 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
688 return NEED_MORE;
689 }
690 if (!this->dh->set_other_public_value(this->dh, pub))
691 {
692 DBG1(DBG_TLS, "applying DH public value failed");
693 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
694 return NEED_MORE;
695 }
696
697 this->state = STATE_KEY_EXCHANGE_RECEIVED;
698 return NEED_MORE;
699 }
700
701 /**
702 * Get the EC group for a TLS named curve
703 */
704 static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
705 tls_named_group_t curve)
706 {
707 diffie_hellman_group_t group;
708 tls_named_group_t current;
709 enumerator_t *enumerator;
710
711 enumerator = this->crypto->create_ec_enumerator(this->crypto);
712 while (enumerator->enumerate(enumerator, &group, &current))
713 {
714 if (current == curve)
715 {
716 enumerator->destroy(enumerator);
717 return group;
718 }
719 }
720 enumerator->destroy(enumerator);
721 return 0;
722 }
723
724 /**
725 * Process a Key Exchange message using EC Diffie Hellman
726 */
727 static status_t process_ec_key_exchange(private_tls_peer_t *this,
728 bio_reader_t *reader)
729 {
730 diffie_hellman_group_t group;
731 public_key_t *public;
732 uint8_t type;
733 uint16_t curve;
734 chunk_t pub, chunk;
735
736 chunk = reader->peek(reader);
737 if (!reader->read_uint8(reader, &type))
738 {
739 DBG1(DBG_TLS, "received invalid Server Key Exchange");
740 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
741 return NEED_MORE;
742 }
743 if (type != TLS_ECC_NAMED_CURVE)
744 {
745 DBG1(DBG_TLS, "ECDH curve type %N not supported",
746 tls_ecc_curve_type_names, type);
747 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
748 return NEED_MORE;
749 }
750 if (!reader->read_uint16(reader, &curve) ||
751 !reader->read_data8(reader, &pub) || pub.len == 0)
752 {
753 DBG1(DBG_TLS, "received invalid Server Key Exchange");
754 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
755 return NEED_MORE;
756 }
757
758 group = curve_to_ec_group(this, curve);
759 if (!group)
760 {
761 DBG1(DBG_TLS, "ECDH curve %N not supported",
762 tls_named_group_names, curve);
763 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
764 return NEED_MORE;
765 }
766
767 public = tls_find_public_key(this->server_auth);
768 if (!public)
769 {
770 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
771 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
772 return NEED_MORE;
773 }
774
775 chunk.len = 4 + pub.len;
776 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
777 chunk_from_thing(this->server_random), chunk);
778 if (!this->crypto->verify(this->crypto, public, reader, chunk))
779 {
780 public->destroy(public);
781 free(chunk.ptr);
782 DBG1(DBG_TLS, "verifying DH parameters failed");
783 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
784 return NEED_MORE;
785 }
786 public->destroy(public);
787 free(chunk.ptr);
788
789 this->dh = lib->crypto->create_dh(lib->crypto, group);
790 if (!this->dh)
791 {
792 DBG1(DBG_TLS, "DH group %N not supported",
793 diffie_hellman_group_names, group);
794 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
795 return NEED_MORE;
796 }
797
798 if (group != CURVE_25519 &&
799 group != CURVE_448)
800 { /* classic ECPoint format (see RFC 8422, section 5.4.1) */
801 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
802 {
803 DBG1(DBG_TLS, "DH point format '%N' not supported",
804 tls_ansi_point_format_names, pub.ptr[0]);
805 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
806 return NEED_MORE;
807 }
808 pub = chunk_skip(pub, 1);
809 }
810
811 if (!this->dh->set_other_public_value(this->dh, pub))
812 {
813 DBG1(DBG_TLS, "applying DH public value failed");
814 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
815 return NEED_MORE;
816 }
817
818 this->state = STATE_KEY_EXCHANGE_RECEIVED;
819 return NEED_MORE;
820 }
821
822 /**
823 * Process a Server Key Exchange
824 */
825 static status_t process_key_exchange(private_tls_peer_t *this,
826 bio_reader_t *reader)
827 {
828 diffie_hellman_group_t group;
829
830 this->crypto->append_handshake(this->crypto,
831 TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
832
833 group = this->crypto->get_dh_group(this->crypto);
834 if (group == MODP_NONE)
835 {
836 DBG1(DBG_TLS, "received Server Key Exchange, but not required "
837 "for current suite");
838 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
839 return NEED_MORE;
840 }
841 if (diffie_hellman_group_is_ec(group))
842 {
843 return process_ec_key_exchange(this, reader);
844 }
845 return process_modp_key_exchange(this, reader);
846 }
847
848 /**
849 * Process a Certificate Request message
850 */
851 static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
852 {
853 chunk_t types, hashsig, data;
854 bio_reader_t *authorities;
855 identification_t *id;
856 certificate_t *cert;
857
858 if (!this->peer)
859 {
860 DBG1(DBG_TLS, "server requested a certificate, but client "
861 "authentication disabled");
862 }
863 this->crypto->append_handshake(this->crypto,
864 TLS_CERTIFICATE_REQUEST, reader->peek(reader));
865
866 if (!reader->read_data8(reader, &types))
867 {
868 DBG1(DBG_TLS, "certreq message header invalid");
869 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
870 return NEED_MORE;
871 }
872 this->cert_types = chunk_clone(types);
873 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
874 {
875 if (!reader->read_data16(reader, &hashsig))
876 {
877 DBG1(DBG_TLS, "certreq message invalid");
878 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
879 return NEED_MORE;
880 }
881 this->hashsig = chunk_clone(hashsig);
882 }
883 if (!reader->read_data16(reader, &data))
884 {
885 DBG1(DBG_TLS, "certreq message invalid");
886 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
887 return NEED_MORE;
888 }
889 authorities = bio_reader_create(data);
890 while (authorities->remaining(authorities))
891 {
892 if (!authorities->read_data16(authorities, &data))
893 {
894 DBG1(DBG_TLS, "certreq message invalid");
895 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
896 authorities->destroy(authorities);
897 return NEED_MORE;
898 }
899 if (this->peer)
900 {
901 id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
902 cert = lib->credmgr->get_cert(lib->credmgr,
903 CERT_X509, KEY_ANY, id, TRUE);
904 if (cert)
905 {
906 DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
907 this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
908 }
909 else
910 {
911 DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
912 }
913 id->destroy(id);
914 }
915 }
916 authorities->destroy(authorities);
917 this->state = STATE_CERTREQ_RECEIVED;
918 return NEED_MORE;
919 }
920
921 /**
922 * Process Hello Done message
923 */
924 static status_t process_hello_done(private_tls_peer_t *this,
925 bio_reader_t *reader)
926 {
927 this->crypto->append_handshake(this->crypto,
928 TLS_SERVER_HELLO_DONE, reader->peek(reader));
929 this->state = STATE_HELLO_DONE;
930 return NEED_MORE;
931 }
932
933 /**
934 * Process finished message
935 */
936 static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
937 {
938 chunk_t received, verify_data;
939 u_char buf[12];
940
941 if (this->tls->get_version_max(this->tls) < TLS_1_3)
942 {
943 if (!reader->read_data(reader, sizeof(buf), &received))
944 {
945 DBG1(DBG_TLS, "received server finished too short");
946 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
947 return NEED_MORE;
948 }
949 if (!this->crypto->calculate_finished_legacy(this->crypto,
950 "server finished", buf))
951 {
952 DBG1(DBG_TLS, "calculating server finished failed");
953 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
954 return NEED_MORE;
955 }
956 verify_data = chunk_from_thing(buf);
957 }
958 else
959 {
960 received = reader->peek(reader);
961 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
962 {
963 DBG1(DBG_TLS, "calculating server finished failed");
964 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
965 return NEED_MORE;
966 }
967 }
968
969 if (!chunk_equals_const(received, verify_data))
970 {
971 DBG1(DBG_TLS, "received server finished invalid");
972 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
973 return NEED_MORE;
974 }
975
976 if (verify_data.ptr != buf)
977 {
978 chunk_free(&verify_data);
979 }
980
981 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
982 this->state = STATE_FINISHED_RECEIVED;
983 return NEED_MORE;
984 }
985
986 /**
987 * Process NewSessionTicket message
988 */
989 static status_t process_new_session_ticket(private_tls_peer_t *this,
990 bio_reader_t *reader)
991 {
992 uint32_t ticket_lifetime, ticket_age_add;
993 chunk_t ticket_nonce, ticket, extensions;
994
995 if (!reader->read_uint32(reader, &ticket_lifetime) ||
996 !reader->read_uint32(reader, &ticket_age_add) ||
997 !reader->read_data8(reader, &ticket_nonce) ||
998 !reader->read_data16(reader, &ticket) ||
999 !reader->read_data16(reader, &extensions))
1000 {
1001 DBG1(DBG_TLS, "received invalid NewSessionTicket");
1002 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1003 return NEED_MORE;
1004 }
1005 return NEED_MORE;
1006 }
1007
1008 /**
1009 * Process KeyUpdate message
1010 */
1011 static status_t process_key_update(private_tls_peer_t *this,
1012 bio_reader_t *reader)
1013 {
1014 uint8_t update_requested;
1015
1016 if (!reader->read_uint8(reader, &update_requested) ||
1017 update_requested > 1)
1018 {
1019 DBG1(DBG_TLS, "received invalid KeyUpdate");
1020 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1021 return NEED_MORE;
1022 }
1023
1024 if (!this->crypto->update_app_keys(this->crypto, TRUE))
1025 {
1026 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1027 return NEED_MORE;
1028 }
1029 this->crypto->change_cipher(this->crypto, TRUE);
1030
1031 if (update_requested)
1032 {
1033 DBG1(DBG_TLS, "server requested KeyUpdate");
1034 this->state = STATE_KEY_UPDATE_REQUESTED;
1035 }
1036 return NEED_MORE;
1037 }
1038
1039 METHOD(tls_handshake_t, process, status_t,
1040 private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1041 {
1042 tls_handshake_type_t expected;
1043
1044 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1045 {
1046 switch (this->state)
1047 {
1048 case STATE_HELLO_SENT:
1049 if (type == TLS_SERVER_HELLO)
1050 {
1051 return process_server_hello(this, reader);
1052 }
1053 expected = TLS_SERVER_HELLO;
1054 break;
1055 case STATE_HELLO_RECEIVED:
1056 if (type == TLS_CERTIFICATE)
1057 {
1058 return process_certificate(this, reader);
1059 }
1060 expected = TLS_CERTIFICATE;
1061 break;
1062 case STATE_CERT_RECEIVED:
1063 if (type == TLS_SERVER_KEY_EXCHANGE)
1064 {
1065 return process_key_exchange(this, reader);
1066 }
1067 /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
1068 case STATE_KEY_EXCHANGE_RECEIVED:
1069 if (type == TLS_CERTIFICATE_REQUEST)
1070 {
1071 return process_certreq(this, reader);
1072 }
1073 /* no cert request, server does not want to authenticate us */
1074 DESTROY_IF(this->peer);
1075 this->peer = NULL;
1076 /* fall through since TLS_CERTIFICATE_REQUEST is optional */
1077 case STATE_CERTREQ_RECEIVED:
1078 if (type == TLS_SERVER_HELLO_DONE)
1079 {
1080 return process_hello_done(this, reader);
1081 }
1082 expected = TLS_SERVER_HELLO_DONE;
1083 break;
1084 case STATE_CIPHERSPEC_CHANGED_IN:
1085 if (type == TLS_FINISHED)
1086 {
1087 return process_finished(this, reader);
1088 }
1089 expected = TLS_FINISHED;
1090 break;
1091 default:
1092 DBG1(DBG_TLS, "TLS %N not expected in current state",
1093 tls_handshake_type_names, type);
1094 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1095 return NEED_MORE;
1096 }
1097 }
1098 else
1099 {
1100 switch (this->state)
1101 {
1102 case STATE_HELLO_SENT:
1103 if (type == TLS_SERVER_HELLO)
1104 {
1105 return process_server_hello(this, reader);
1106 }
1107 expected = TLS_SERVER_HELLO;
1108 break;
1109 case STATE_CIPHERSPEC_CHANGED_IN:
1110 case STATE_HELLO_RECEIVED:
1111 if (type == TLS_ENCRYPTED_EXTENSIONS)
1112 {
1113 return process_encrypted_extensions(this, reader);
1114 }
1115 expected = TLS_ENCRYPTED_EXTENSIONS;
1116 break;
1117 case STATE_ENCRYPTED_EXTENSIONS_RECEIVED:
1118 if (type == TLS_CERTIFICATE)
1119 {
1120 return process_certificate(this, reader);
1121 }
1122 expected = TLS_CERTIFICATE;
1123 break;
1124 case STATE_CERT_RECEIVED:
1125 if (type == TLS_CERTIFICATE_VERIFY)
1126 {
1127 return process_cert_verify(this, reader);
1128 }
1129 expected = TLS_CERTIFICATE_VERIFY;
1130 break;
1131 case STATE_CERT_VERIFY_RECEIVED:
1132 if (type == TLS_FINISHED)
1133 {
1134 return process_finished(this, reader);
1135 }
1136 expected = TLS_FINISHED;
1137 break;
1138 case STATE_FINISHED_RECEIVED:
1139 return NEED_MORE;
1140 case STATE_FINISHED_SENT_KEY_SWITCHED:
1141 if (type == TLS_NEW_SESSION_TICKET)
1142 {
1143 return process_new_session_ticket(this, reader);
1144 }
1145 if (type == TLS_KEY_UPDATE)
1146 {
1147 return process_key_update(this, reader);
1148 }
1149 expected = TLS_NEW_SESSION_TICKET;
1150 break;
1151 default:
1152 DBG1(DBG_TLS, "TLS %N not expected in current state",
1153 tls_handshake_type_names, type);
1154 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1155 return NEED_MORE;
1156 }
1157 }
1158 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1159 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1160 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1161 return NEED_MORE;
1162 }
1163
1164 /**
1165 * Send a client hello
1166 */
1167 static status_t send_client_hello(private_tls_peer_t *this,
1168 tls_handshake_type_t *type,
1169 bio_writer_t *writer)
1170 {
1171 tls_cipher_suite_t *suites;
1172 bio_writer_t *extensions, *curves = NULL, *versions, *key_share, *signatures;
1173 tls_version_t version_max, version_min;
1174 diffie_hellman_group_t group;
1175 tls_named_group_t curve;
1176 enumerator_t *enumerator;
1177 int count, i, v;
1178 rng_t *rng;
1179
1180 htoun32(&this->client_random, time(NULL));
1181 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1182 if (!rng ||
1183 !rng->get_bytes(rng, sizeof(this->client_random) - 4,
1184 this->client_random + 4))
1185 {
1186 DBG1(DBG_TLS, "failed to generate client random");
1187 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1188 DESTROY_IF(rng);
1189 return NEED_MORE;
1190 }
1191 rng->destroy(rng);
1192
1193 /* determine supported suites before the versions as they might change */
1194 count = this->crypto->get_cipher_suites(this->crypto, &suites);
1195
1196 /* TLS version_max in handshake protocol */
1197 version_max = this->tls->get_version_max(this->tls);
1198 version_min = this->tls->get_version_min(this->tls);
1199 if (version_max < TLS_1_3)
1200 {
1201 this->hello_version = version_max;
1202 }
1203 else
1204 {
1205 this->hello_version = TLS_1_2;
1206 }
1207 writer->write_uint16(writer, this->hello_version);
1208 writer->write_data(writer, chunk_from_thing(this->client_random));
1209
1210 /* session identifier */
1211 this->session = this->crypto->get_session(this->crypto, this->server);
1212 writer->write_data8(writer, this->session);
1213
1214 /* add TLS cipher suites */
1215 if (count <= 0)
1216 {
1217 DBG1(DBG_TLS, "no supported TLS cipher suite available");
1218 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1219 return NEED_MORE;
1220 }
1221 writer->write_uint16(writer, count * 2);
1222 for (i = 0; i < count; i++)
1223 {
1224 writer->write_uint16(writer, suites[i]);
1225 }
1226
1227 /* NULL compression only */
1228 writer->write_uint8(writer, 1);
1229 writer->write_uint8(writer, 0);
1230
1231 extensions = bio_writer_create(32);
1232
1233 if (this->server->get_type(this->server) == ID_FQDN)
1234 {
1235 bio_writer_t *names;
1236
1237 DBG2(DBG_TLS, "sending extension: Server Name Indication for '%Y'",
1238 this->server);
1239 names = bio_writer_create(8);
1240 names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
1241 names->write_data16(names, this->server->get_encoding(this->server));
1242 names->wrap16(names);
1243 extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
1244 extensions->write_data16(extensions, names->get_buf(names));
1245 names->destroy(names);
1246 }
1247
1248 DBG2(DBG_TLS, "sending extension: %N",
1249 tls_extension_names, TLS_EXT_SUPPORTED_GROUPS);
1250 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1251 while (enumerator->enumerate(enumerator, &group, &curve))
1252 {
1253 if (this->requested_curve && this->requested_curve != curve)
1254 {
1255 continue;
1256 }
1257 if (!curves)
1258 {
1259 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_GROUPS);
1260 curves = bio_writer_create(16);
1261 }
1262 if (!this->dh)
1263 {
1264 this->dh = lib->crypto->create_dh(lib->crypto, group);
1265 if (!this->dh)
1266 {
1267 continue;
1268 }
1269 }
1270 curves->write_uint16(curves, curve);
1271 }
1272 enumerator->destroy(enumerator);
1273 if (curves)
1274 {
1275 curves->wrap16(curves);
1276 extensions->write_data16(extensions, curves->get_buf(curves));
1277 curves->destroy(curves);
1278
1279 /* if we support curves, add point format extension */
1280 extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
1281 extensions->write_uint16(extensions, 2);
1282 extensions->write_uint8(extensions, 1);
1283 extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
1284 }
1285
1286 if (version_max >= TLS_1_3)
1287 {
1288 DBG2(DBG_TLS, "sending extension: %N",
1289 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1290 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1291 versions = bio_writer_create(0);
1292 for (v = version_max; v >= version_min; v--)
1293 {
1294 versions->write_uint16(versions, v);
1295 }
1296 versions->wrap8(versions);
1297 extensions->write_data16(extensions, versions->get_buf(versions));
1298 versions->destroy(versions);
1299 }
1300
1301 if (this->cookie.len)
1302 {
1303 DBG2(DBG_TLS, "sending extension: %N",
1304 tls_extension_names, TLS_EXT_COOKIE);
1305 extensions->write_uint16(extensions, TLS_EXT_COOKIE);
1306 extensions->write_uint16(extensions, this->cookie.len + 2);
1307 extensions->write_data16(extensions, this->cookie);
1308 chunk_free(&this->cookie);
1309 }
1310
1311 DBG2(DBG_TLS, "sending extension: %N",
1312 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
1313 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
1314 signatures = bio_writer_create(32);
1315 this->crypto->get_signature_algorithms(this->crypto, signatures, FALSE);
1316 extensions->write_data16(extensions, signatures->get_buf(signatures));
1317 signatures->destroy(signatures);
1318
1319 DBG2(DBG_TLS, "sending extension: %N",
1320 tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
1321 extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
1322 signatures = bio_writer_create(32);
1323 this->crypto->get_signature_algorithms(this->crypto, signatures, TRUE);
1324 extensions->write_data16(extensions, signatures->get_buf(signatures));
1325 signatures->destroy(signatures);
1326
1327 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
1328 {
1329 DBG2(DBG_TLS, "sending extension: %N",
1330 tls_extension_names, TLS_EXT_KEY_SHARE);
1331 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1332 if (!tls_write_key_share(&key_share, this->dh))
1333 {
1334 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1335 extensions->destroy(extensions);
1336 return NEED_MORE;
1337 }
1338 key_share->wrap16(key_share);
1339 extensions->write_data16(extensions, key_share->get_buf(key_share));
1340 key_share->destroy(key_share);
1341 }
1342
1343 writer->write_data16(writer, extensions->get_buf(extensions));
1344 extensions->destroy(extensions);
1345
1346 *type = TLS_CLIENT_HELLO;
1347 this->state = STATE_HELLO_SENT;
1348 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1349 return NEED_MORE;
1350 }
1351
1352 /**
1353 * Find a private key suitable to sign Certificate Verify
1354 */
1355 static private_key_t *find_private_key(private_tls_peer_t *this)
1356 {
1357 private_key_t *key = NULL;
1358 bio_reader_t *reader;
1359 key_type_t type;
1360 uint8_t cert;
1361
1362 if (!this->peer)
1363 {
1364 return NULL;
1365 }
1366 reader = bio_reader_create(this->cert_types);
1367 while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
1368 {
1369 switch (cert)
1370 {
1371 case TLS_RSA_SIGN:
1372 type = KEY_RSA;
1373 break;
1374 case TLS_ECDSA_SIGN:
1375 type = KEY_ECDSA;
1376 break;
1377 default:
1378 continue;
1379 }
1380 key = lib->credmgr->get_private(lib->credmgr, type,
1381 this->peer, this->peer_auth);
1382 if (key)
1383 {
1384 break;
1385 }
1386 }
1387 reader->destroy(reader);
1388 return key;
1389 }
1390
1391 /**
1392 * Send Certificate
1393 */
1394 static status_t send_certificate(private_tls_peer_t *this,
1395 tls_handshake_type_t *type, bio_writer_t *writer)
1396 {
1397 enumerator_t *enumerator;
1398 certificate_t *cert;
1399 auth_rule_t rule;
1400 bio_writer_t *certs;
1401 chunk_t data;
1402
1403 this->private = find_private_key(this);
1404 if (!this->private)
1405 {
1406 DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
1407 "skipping client authentication", this->peer);
1408 this->peer->destroy(this->peer);
1409 this->peer = NULL;
1410 }
1411
1412 /* generate certificate payload */
1413 certs = bio_writer_create(256);
1414 if (this->peer)
1415 {
1416 cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
1417 if (cert)
1418 {
1419 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1420 {
1421 DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
1422 cert->get_subject(cert));
1423 certs->write_data24(certs, data);
1424 free(data.ptr);
1425 }
1426 }
1427 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
1428 while (enumerator->enumerate(enumerator, &rule, &cert))
1429 {
1430 if (rule == AUTH_RULE_IM_CERT)
1431 {
1432 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1433 {
1434 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1435 cert->get_subject(cert));
1436 certs->write_data24(certs, data);
1437 free(data.ptr);
1438 }
1439 }
1440 }
1441 enumerator->destroy(enumerator);
1442 }
1443
1444 writer->write_data24(writer, certs->get_buf(certs));
1445 certs->destroy(certs);
1446
1447 *type = TLS_CERTIFICATE;
1448 this->state = STATE_CERT_SENT;
1449 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1450 return NEED_MORE;
1451 }
1452
1453 /**
1454 * Send client key exchange, using premaster encryption
1455 */
1456 static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
1457 tls_handshake_type_t *type, bio_writer_t *writer)
1458 {
1459 public_key_t *public;
1460 rng_t *rng;
1461 char premaster[48];
1462 chunk_t encrypted;
1463
1464 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
1465 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
1466 {
1467 DBG1(DBG_TLS, "failed to generate TLS premaster secret");
1468 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1469 DESTROY_IF(rng);
1470 return NEED_MORE;
1471 }
1472 rng->destroy(rng);
1473 htoun16(premaster, this->hello_version);
1474
1475 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
1476 this->session, this->server,
1477 chunk_from_thing(this->client_random),
1478 chunk_from_thing(this->server_random)))
1479 {
1480 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1481 return NEED_MORE;
1482 }
1483
1484 public = tls_find_public_key(this->server_auth);
1485 if (!public)
1486 {
1487 DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
1488 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
1489 return NEED_MORE;
1490 }
1491 if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
1492 chunk_from_thing(premaster), &encrypted))
1493 {
1494 public->destroy(public);
1495 DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
1496 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
1497 return NEED_MORE;
1498 }
1499 public->destroy(public);
1500
1501 writer->write_data16(writer, encrypted);
1502 free(encrypted.ptr);
1503
1504 *type = TLS_CLIENT_KEY_EXCHANGE;
1505 this->state = STATE_KEY_EXCHANGE_SENT;
1506 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1507 return NEED_MORE;
1508 }
1509
1510 /**
1511 * Send client key exchange, using DHE exchange
1512 */
1513 static status_t send_key_exchange_dhe(private_tls_peer_t *this,
1514 tls_handshake_type_t *type, bio_writer_t *writer)
1515 {
1516 chunk_t premaster, pub;
1517
1518 if (!this->dh->get_shared_secret(this->dh, &premaster))
1519 {
1520 DBG1(DBG_TLS, "calculating premaster from DH failed");
1521 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1522 return NEED_MORE;
1523 }
1524 if (!this->crypto->derive_secrets(this->crypto, premaster,
1525 this->session, this->server,
1526 chunk_from_thing(this->client_random),
1527 chunk_from_thing(this->server_random)))
1528 {
1529 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1530 chunk_clear(&premaster);
1531 return NEED_MORE;
1532 }
1533 chunk_clear(&premaster);
1534
1535 if (!this->dh->get_my_public_value(this->dh, &pub))
1536 {
1537 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1538 return NEED_MORE;
1539 }
1540 switch (this->dh->get_dh_group(this->dh))
1541 {
1542 case MODP_CUSTOM:
1543 writer->write_data16(writer, pub);
1544 break;
1545 case CURVE_25519:
1546 case CURVE_448:
1547 /* ECPoint uses an 8-bit length header only */
1548 writer->write_data8(writer, pub);
1549 break;
1550 default:
1551 /* classic ECPoint format (see RFC 8422, section 5.4.1) */
1552 writer->write_uint8(writer, pub.len + 1);
1553 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1554 writer->write_data(writer, pub);
1555 break;
1556 }
1557 free(pub.ptr);
1558
1559 *type = TLS_CLIENT_KEY_EXCHANGE;
1560 this->state = STATE_KEY_EXCHANGE_SENT;
1561 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1562 return NEED_MORE;
1563 }
1564
1565 /**
1566 * Send client key exchange, depending on suite
1567 */
1568 static status_t send_key_exchange(private_tls_peer_t *this,
1569 tls_handshake_type_t *type, bio_writer_t *writer)
1570 {
1571 if (this->dh)
1572 {
1573 return send_key_exchange_dhe(this, type, writer);
1574 }
1575 return send_key_exchange_encrypt(this, type, writer);
1576 }
1577
1578 /**
1579 * Send certificate verify
1580 */
1581 static status_t send_certificate_verify(private_tls_peer_t *this,
1582 tls_handshake_type_t *type, bio_writer_t *writer)
1583 {
1584 if (!this->private ||
1585 !this->crypto->sign_handshake(this->crypto, this->private,
1586 writer, this->hashsig))
1587 {
1588 DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
1589 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1590 return NEED_MORE;
1591 }
1592
1593 *type = TLS_CERTIFICATE_VERIFY;
1594 this->state = STATE_VERIFY_SENT;
1595 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1596 return NEED_MORE;
1597 }
1598
1599 /**
1600 * Send Finished
1601 */
1602 static status_t send_finished(private_tls_peer_t *this,
1603 tls_handshake_type_t *type, bio_writer_t *writer)
1604 {
1605 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1606 {
1607 char buf[12];
1608
1609 if (!this->crypto->calculate_finished_legacy(this->crypto,
1610 "client finished", buf))
1611 {
1612 DBG1(DBG_TLS, "calculating client finished data failed");
1613 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1614 return NEED_MORE;
1615 }
1616
1617 writer->write_data(writer, chunk_from_thing(buf));
1618 }
1619 else
1620 {
1621 chunk_t verify_data;
1622
1623 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
1624 {
1625 DBG1(DBG_TLS, "calculating client finished data failed");
1626 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1627 return NEED_MORE;
1628 }
1629
1630 writer->write_data(writer, verify_data);
1631 chunk_free(&verify_data);
1632 }
1633
1634 *type = TLS_FINISHED;
1635 this->state = STATE_FINISHED_SENT;
1636 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1637 return NEED_MORE;
1638 }
1639
1640 /**
1641 * Send KeyUpdate message
1642 */
1643 static status_t send_key_update(private_tls_peer_t *this,
1644 tls_handshake_type_t *type, bio_writer_t *writer)
1645 {
1646 *type = TLS_KEY_UPDATE;
1647
1648 /* we currently only send this as reply, so we never request an update */
1649 writer->write_uint8(writer, 0);
1650
1651 this->state = STATE_KEY_UPDATE_SENT;
1652 return NEED_MORE;
1653 }
1654
1655 METHOD(tls_handshake_t, build, status_t,
1656 private_tls_peer_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1657 {
1658 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1659 {
1660 switch (this->state)
1661 {
1662 case STATE_INIT:
1663 return send_client_hello(this, type, writer);
1664 case STATE_HELLO_DONE:
1665 if (this->peer)
1666 {
1667 return send_certificate(this, type, writer);
1668 }
1669 /* otherwise fall through to next state */
1670 case STATE_CERT_SENT:
1671 return send_key_exchange(this, type, writer);
1672 case STATE_KEY_EXCHANGE_SENT:
1673 if (this->peer)
1674 {
1675 return send_certificate_verify(this, type, writer);
1676 }
1677 else
1678 {
1679 return INVALID_STATE;
1680 }
1681 case STATE_CIPHERSPEC_CHANGED_OUT:
1682 return send_finished(this, type, writer);
1683 default:
1684 return INVALID_STATE;
1685 }
1686 }
1687 else
1688 {
1689 switch (this->state)
1690 {
1691 case STATE_INIT:
1692 return send_client_hello(this, type, writer);
1693 case STATE_HELLO_DONE:
1694 case STATE_CIPHERSPEC_CHANGED_OUT:
1695 case STATE_FINISHED_RECEIVED:
1696 return send_finished(this, type, writer);
1697 case STATE_FINISHED_SENT:
1698 if (!this->crypto->derive_app_keys(this->crypto))
1699 {
1700 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1701 return NEED_MORE;
1702 }
1703 this->crypto->change_cipher(this->crypto, TRUE);
1704 this->crypto->change_cipher(this->crypto, FALSE);
1705 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1706 return INVALID_STATE;
1707 case STATE_KEY_UPDATE_REQUESTED:
1708 return send_key_update(this, type, writer);
1709 case STATE_KEY_UPDATE_SENT:
1710 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1711 {
1712 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1713 return NEED_MORE;
1714 }
1715 this->crypto->change_cipher(this->crypto, FALSE);
1716 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
1717 return INVALID_STATE;
1718 default:
1719 return INVALID_STATE;
1720 }
1721 }
1722 }
1723
1724 /**
1725 * Check if we are currently retrying to connect to the server.
1726 */
1727 static bool retrying(private_tls_peer_t *this)
1728 {
1729 return this->state == STATE_INIT && (this->requested_curve || this->cookie.len);
1730 }
1731
1732 METHOD(tls_handshake_t, cipherspec_changed, bool,
1733 private_tls_peer_t *this, bool inbound)
1734 {
1735 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1736 {
1737 if (inbound)
1738 {
1739 if (this->resume)
1740 {
1741 return this->state == STATE_HELLO_RECEIVED;
1742 }
1743 return this->state == STATE_FINISHED_SENT;
1744 }
1745 else
1746 {
1747 if (this->resume)
1748 {
1749 return this->state == STATE_FINISHED_RECEIVED;
1750 }
1751 if (this->peer)
1752 {
1753 return this->state == STATE_VERIFY_SENT;
1754 }
1755 return this->state == STATE_KEY_EXCHANGE_SENT;
1756
1757 }
1758 }
1759 else
1760 {
1761 if (inbound)
1762 { /* accept ChangeCipherSpec after ServerHello or HelloRetryRequest */
1763 return this->state == STATE_HELLO_RECEIVED || retrying(this);
1764 }
1765 else
1766 {
1767 return FALSE;
1768 }
1769 }
1770 }
1771
1772 METHOD(tls_handshake_t, change_cipherspec, void,
1773 private_tls_peer_t *this, bool inbound)
1774 {
1775 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1776 {
1777 this->crypto->change_cipher(this->crypto, inbound);
1778 }
1779
1780 if (retrying(this))
1781 { /* servers might send a ChangeCipherSpec after a HelloRetryRequest,
1782 * which should not cause any state changes */
1783 return;
1784 }
1785
1786 if (inbound)
1787 {
1788 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1789 }
1790 else
1791 {
1792 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1793 }
1794 }
1795
1796 METHOD(tls_handshake_t, finished, bool,
1797 private_tls_peer_t *this)
1798 {
1799 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1800 {
1801 if (this->resume)
1802 {
1803 return this->state == STATE_FINISHED_SENT;
1804 }
1805 return this->state == STATE_FINISHED_RECEIVED;
1806 }
1807 else
1808 {
1809 return this->state == STATE_FINISHED_SENT_KEY_SWITCHED;
1810 }
1811 }
1812
1813 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1814 private_tls_peer_t *this)
1815 {
1816 return this->peer;
1817 }
1818
1819 METHOD(tls_handshake_t, get_server_id, identification_t*,
1820 private_tls_peer_t *this)
1821 {
1822 return this->server;
1823 }
1824
1825 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1826 private_tls_peer_t *this)
1827 {
1828 return this->server_auth;
1829 }
1830
1831 METHOD(tls_handshake_t, destroy, void,
1832 private_tls_peer_t *this)
1833 {
1834 DESTROY_IF(this->private);
1835 DESTROY_IF(this->dh);
1836 DESTROY_IF(this->peer);
1837 this->server->destroy(this->server);
1838 this->peer_auth->destroy(this->peer_auth);
1839 this->server_auth->destroy(this->server_auth);
1840 free(this->hashsig.ptr);
1841 free(this->cert_types.ptr);
1842 free(this->session.ptr);
1843 free(this->cookie.ptr);
1844 free(this);
1845 }
1846
1847 /**
1848 * See header
1849 */
1850 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
1851 identification_t *peer, identification_t *server)
1852 {
1853 private_tls_peer_t *this;
1854
1855 INIT(this,
1856 .public = {
1857 .handshake = {
1858 .process = _process,
1859 .build = _build,
1860 .cipherspec_changed = _cipherspec_changed,
1861 .change_cipherspec = _change_cipherspec,
1862 .finished = _finished,
1863 .get_peer_id = _get_peer_id,
1864 .get_server_id = _get_server_id,
1865 .get_auth = _get_auth,
1866 .destroy = _destroy,
1867 },
1868 },
1869 .state = STATE_INIT,
1870 .tls = tls,
1871 .crypto = crypto,
1872 .alert = alert,
1873 .peer = peer ? peer->clone(peer) : NULL,
1874 .server = server->clone(server),
1875 .peer_auth = auth_cfg_create(),
1876 .server_auth = auth_cfg_create(),
1877 );
1878
1879 return &this->public;
1880 }