tls-server: Make CertificateRequest conditional in old TLS versions
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 } server_state_t;
55
56 /**
57 * Private data of an tls_server_t object.
58 */
59 struct private_tls_server_t {
60
61 /**
62 * Public tls_server_t interface.
63 */
64 tls_server_t public;
65
66 /**
67 * TLS stack
68 */
69 tls_t *tls;
70
71 /**
72 * TLS crypto context
73 */
74 tls_crypto_t *crypto;
75
76 /**
77 * TLS alert handler
78 */
79 tls_alert_t *alert;
80
81 /**
82 * Server identity
83 */
84 identification_t *server;
85
86 /**
87 * Peer identity, NULL for no client authentication
88 */
89 identification_t *peer;
90
91 /**
92 * State we are in
93 */
94 server_state_t state;
95
96 /**
97 * Hello random data selected by client
98 */
99 char client_random[32];
100
101 /**
102 * Hello random data selected by server
103 */
104 char server_random[32];
105
106 /**
107 * Auth helper for peer authentication
108 */
109 auth_cfg_t *peer_auth;
110
111 /**
112 * Auth helper for server authentication
113 */
114 auth_cfg_t *server_auth;
115
116 /**
117 * Peer private key
118 */
119 private_key_t *private;
120
121 /**
122 * DHE exchange
123 */
124 diffie_hellman_t *dh;
125
126 /**
127 * Requested DH group
128 */
129 tls_named_group_t requested_curve;
130
131 /**
132 * Selected TLS cipher suite
133 */
134 tls_cipher_suite_t suite;
135
136 /**
137 * Offered TLS version of the client
138 */
139 tls_version_t client_version;
140
141 /**
142 * TLS session identifier
143 */
144 chunk_t session;
145
146 /**
147 * Do we resume a session?
148 */
149 bool resume;
150
151 /**
152 * Hash and signature algorithms supported by peer
153 */
154 chunk_t hashsig;
155
156 /**
157 * Elliptic curves supported by peer
158 */
159 chunk_t curves;
160
161 /**
162 * Did we receive the curves from the client?
163 */
164 bool curves_received;
165 };
166
167 /**
168 * Find a trusted public key to encrypt/verify key exchange data
169 */
170 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
171 {
172 public_key_t *public = NULL, *current;
173 certificate_t *cert, *found;
174 enumerator_t *enumerator;
175 auth_cfg_t *auth;
176
177 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
178 if (cert)
179 {
180 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
181 KEY_ANY, cert->get_subject(cert),
182 peer_auth, TRUE);
183 while (enumerator->enumerate(enumerator, &current, &auth))
184 {
185 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
186 if (found && cert->equals(cert, found))
187 {
188 public = current->get_ref(current);
189 peer_auth->merge(peer_auth, auth, FALSE);
190 break;
191 }
192 }
193 enumerator->destroy(enumerator);
194 }
195 return public;
196 }
197
198 /**
199 * Create an array of an intersection of server and peer supported key types
200 */
201 static array_t *create_common_key_types(chunk_t hashsig,
202 tls_version_t version_min,
203 tls_version_t version_max)
204 {
205 array_t *key_types;
206 enumerator_t *enumerator;
207 key_type_t v, lookup;
208 uint16_t sig_scheme;
209
210 key_types = array_create(sizeof(key_type_t), 8);
211 enumerator = tls_get_supported_key_types(version_min, version_max);
212 while (enumerator->enumerate(enumerator, &v))
213 {
214 bio_reader_t *reader;
215
216 reader = bio_reader_create(hashsig);
217 while (reader->remaining(reader) &&
218 reader->read_uint16(reader, &sig_scheme))
219 {
220 lookup = tls_signature_scheme_to_key_type(sig_scheme);
221 if (v == lookup)
222 {
223 array_insert(key_types, ARRAY_TAIL, &lookup);
224 break;
225 }
226 }
227 reader->destroy(reader);
228 }
229 enumerator->destroy(enumerator);
230 return key_types;
231 }
232
233 /**
234 * Find a cipher suite and a server key
235 */
236 static bool select_suite_and_key(private_tls_server_t *this,
237 tls_cipher_suite_t *suites, int count)
238 {
239 array_t *key_types;
240 tls_version_t version_min, version_max;
241 private_key_t *key;
242 key_type_t type;
243
244 version_min = this->tls->get_version_min(this->tls);
245 version_max = this->tls->get_version_max(this->tls);
246 key_types = create_common_key_types(this->hashsig, version_min, version_max);
247 if (!array_count(key_types))
248 {
249 DBG1(DBG_TLS, "no common signature algorithms found");
250 array_destroy(key_types);
251 return FALSE;
252 }
253 while (array_remove(key_types, ARRAY_HEAD, &type))
254 {
255 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
256 this->server_auth);
257 if (key)
258 {
259 break;
260 }
261 }
262 if (!key)
263 {
264 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
265 this->server);
266 array_destroy(key_types);
267 return FALSE;
268 }
269
270 if (version_max >= TLS_1_3)
271 {
272 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
273 count, KEY_ANY);
274 }
275 else
276 {
277 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
278 count, type);
279 while (!this->suite && array_remove(key_types, ARRAY_HEAD, &type))
280 { /* find a key and cipher suite for one of the remaining key types */
281 DESTROY_IF(key);
282 this->server_auth->destroy(this->server_auth);
283 this->server_auth = auth_cfg_create();
284 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
285 this->server_auth);
286 if (key)
287 {
288 this->suite = this->crypto->select_cipher_suite(this->crypto,
289 suites, count,
290 type);
291 }
292 }
293 }
294 array_destroy(key_types);
295 if (!this->suite || !key)
296 {
297 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
298 return FALSE;
299 }
300 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
301 this->private = key;
302 return TRUE;
303 }
304
305 /**
306 * Check if the peer supports a given TLS curve
307 */
308 static bool peer_supports_curve(private_tls_server_t *this,
309 tls_named_group_t curve)
310 {
311 bio_reader_t *reader;
312 uint16_t current;
313
314 if (!this->curves_received)
315 { /* none received, assume yes */
316 return TRUE;
317 }
318 reader = bio_reader_create(this->curves);
319 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
320 {
321 if (current == curve)
322 {
323 reader->destroy(reader);
324 return TRUE;
325 }
326 }
327 reader->destroy(reader);
328 return FALSE;
329 }
330
331 /**
332 * TLS 1.3 key exchange key share
333 */
334 typedef struct {
335 uint16_t curve;
336 chunk_t key_share;
337 } key_share_t;
338
339 /**
340 * Check if peer sent a key share of a given TLS named DH group
341 */
342 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
343 key_share_t *out)
344 {
345 key_share_t peer;
346 int i;
347
348 for (i = 0; i < array_count(key_shares); i++)
349 {
350 array_get(key_shares, i, &peer);
351 if (curve == peer.curve)
352 {
353 if (out)
354 {
355 *out = peer;
356 }
357 return TRUE;
358 }
359 }
360 return FALSE;
361 }
362
363 /**
364 * Check if client is currently retrying to connect to the server.
365 */
366 static bool retrying(private_tls_server_t *this)
367 {
368 return this->state == STATE_INIT && this->requested_curve;
369 }
370
371 /**
372 * Process client hello message
373 */
374 static status_t process_client_hello(private_tls_server_t *this,
375 bio_reader_t *reader)
376 {
377 uint16_t legacy_version = 0, version = 0, extension_type = 0;
378 chunk_t random, session, ciphers, versions = chunk_empty, compression;
379 chunk_t ext = chunk_empty, key_shares = chunk_empty;
380 key_share_t peer = {0};
381 chunk_t extension_data = chunk_empty;
382 bio_reader_t *extensions, *extension;
383 tls_cipher_suite_t *suites;
384 int count, i;
385 rng_t *rng;
386
387 this->crypto->append_handshake(this->crypto,
388 TLS_CLIENT_HELLO, reader->peek(reader));
389
390 if (!reader->read_uint16(reader, &legacy_version) ||
391 !reader->read_data(reader, sizeof(this->client_random), &random) ||
392 !reader->read_data8(reader, &session) ||
393 !reader->read_data16(reader, &ciphers) ||
394 !reader->read_data8(reader, &compression) ||
395 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
396 {
397 DBG1(DBG_TLS, "received invalid ClientHello");
398 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
399 return NEED_MORE;
400 }
401
402 /* before we do anything version-related, determine our supported suites
403 * as that might change the min./max. versions */
404 this->crypto->get_cipher_suites(this->crypto, NULL);
405
406 extensions = bio_reader_create(ext);
407 while (extensions->remaining(extensions))
408 {
409 if (!extensions->read_uint16(extensions, &extension_type) ||
410 !extensions->read_data16(extensions, &extension_data))
411 {
412 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
413 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
414 extensions->destroy(extensions);
415 return NEED_MORE;
416 }
417 extension = bio_reader_create(extension_data);
418 DBG2(DBG_TLS, "received TLS '%N' extension",
419 tls_extension_names, extension_type);
420 DBG3(DBG_TLS, "%B", &extension_data);
421 switch (extension_type)
422 {
423 case TLS_EXT_SIGNATURE_ALGORITHMS:
424 if (!extension->read_data16(extension, &extension_data))
425 {
426 DBG1(DBG_TLS, "invalid %N extension",
427 tls_extension_names, extension_type);
428 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
429 extensions->destroy(extensions);
430 extension->destroy(extension);
431 return NEED_MORE;
432 }
433 chunk_free(&this->hashsig);
434 this->hashsig = chunk_clone(extension_data);
435 break;
436 case TLS_EXT_SUPPORTED_GROUPS:
437 if (!extension->read_data16(extension, &extension_data))
438 {
439 DBG1(DBG_TLS, "invalid %N extension",
440 tls_extension_names, extension_type);
441 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
442 extensions->destroy(extensions);
443 extension->destroy(extension);
444 return NEED_MORE;
445 }
446 chunk_free(&this->curves);
447 this->curves_received = TRUE;
448 this->curves = chunk_clone(extension_data);
449 break;
450 case TLS_EXT_SUPPORTED_VERSIONS:
451 if (!extension->read_data8(extension, &versions))
452 {
453 DBG1(DBG_TLS, "invalid %N extension",
454 tls_extension_names, extension_type);
455 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
456 extensions->destroy(extensions);
457 extension->destroy(extension);
458 return NEED_MORE;
459 }
460 break;
461 case TLS_EXT_KEY_SHARE:
462 if (!extension->read_data16(extension, &key_shares))
463 {
464 DBG1(DBG_TLS, "invalid %N extension",
465 tls_extension_names, extension_type);
466 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
467 extensions->destroy(extensions);
468 extension->destroy(extension);
469 return NEED_MORE;
470 }
471 break;
472 default:
473 break;
474 }
475 extension->destroy(extension);
476 }
477 extensions->destroy(extensions);
478
479 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
480 {
481 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
482 TLS_MISSING_EXTENSION);
483 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
484 return NEED_MORE;
485 }
486
487 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
488
489 htoun32(&this->server_random, time(NULL));
490 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
491 if (!rng ||
492 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
493 this->server_random + 4))
494 {
495 DBG1(DBG_TLS, "failed to generate server random");
496 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
497 DESTROY_IF(rng);
498 return NEED_MORE;
499 }
500 rng->destroy(rng);
501
502 if (versions.len)
503 {
504 bio_reader_t *client_versions;
505
506 client_versions = bio_reader_create(versions);
507 while (client_versions->remaining(client_versions))
508 {
509 if (client_versions->read_uint16(client_versions, &version))
510 {
511 if (this->tls->set_version(this->tls, version, version))
512 {
513 this->client_version = version;
514 break;
515 }
516 }
517 }
518 client_versions->destroy(client_versions);
519 }
520 else
521 {
522 version = legacy_version;
523 if (this->tls->set_version(this->tls, version, version))
524 {
525 this->client_version = version;
526 }
527 }
528 if (!this->client_version)
529 {
530 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
531 version);
532 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
533 return NEED_MORE;
534 }
535
536 if (this->tls->get_version_max(this->tls) < TLS_1_3)
537 {
538 this->suite = this->crypto->resume_session(this->crypto, session,
539 this->peer,
540 chunk_from_thing(this->client_random),
541 chunk_from_thing(this->server_random));
542 }
543
544 if (this->suite)
545 {
546 this->session = chunk_clone(session);
547 this->resume = TRUE;
548 DBG1(DBG_TLS, "resumed %N using suite %N",
549 tls_version_names, this->tls->get_version_max(this->tls),
550 tls_cipher_suite_names, this->suite);
551 }
552 else
553 {
554 count = ciphers.len / sizeof(uint16_t);
555 suites = alloca(count * sizeof(tls_cipher_suite_t));
556 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
557 for (i = 0; i < count; i++)
558 {
559 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
560 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
561 }
562 if (!select_suite_and_key(this, suites, count))
563 {
564 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
565 return NEED_MORE;
566 }
567 if (this->tls->get_version_max(this->tls) < TLS_1_3)
568 {
569 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
570 if (!rng ||
571 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
572 {
573 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
574 }
575 DESTROY_IF(rng);
576 }
577 else
578 {
579 this->session = chunk_clone(session);
580 }
581 DBG1(DBG_TLS, "negotiated %N using suite %N",
582 tls_version_names, this->tls->get_version_max(this->tls),
583 tls_cipher_suite_names, this->suite);
584 }
585
586 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
587 {
588 diffie_hellman_group_t group;
589 tls_named_group_t curve, requesting_curve = 0;
590 enumerator_t *enumerator;
591 chunk_t shared_secret = chunk_empty;
592 array_t *peer_key_shares;
593
594 peer_key_shares = array_create(sizeof(key_share_t), 1);
595 extension = bio_reader_create(key_shares);
596 while (extension->remaining(extension))
597 {
598 if (!extension->read_uint16(extension, &peer.curve) ||
599 !extension->read_data16(extension, &peer.key_share) ||
600 !peer.key_share.len)
601 {
602 DBG1(DBG_TLS, "invalid %N extension",
603 tls_extension_names, extension_type);
604 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
605 extension->destroy(extension);
606 array_destroy(peer_key_shares);
607 return NEED_MORE;
608 }
609 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
610 }
611 extension->destroy(extension);
612
613 enumerator = this->crypto->create_ec_enumerator(this->crypto);
614 while (enumerator->enumerate(enumerator, &group, &curve))
615 {
616 if (!requesting_curve &&
617 peer_supports_curve(this, curve) &&
618 !peer_offered_curve(peer_key_shares, curve, NULL))
619 {
620 requesting_curve = curve;
621 }
622 if (peer_supports_curve(this, curve) &&
623 peer_offered_curve(peer_key_shares, curve, &peer))
624 {
625 DBG1(DBG_TLS, "using key exchange %N",
626 tls_named_group_names, curve);
627 this->dh = lib->crypto->create_dh(lib->crypto, group);
628 break;
629 }
630 }
631 enumerator->destroy(enumerator);
632 array_destroy(peer_key_shares);
633
634 if (!this->dh)
635 {
636 if (retrying(this))
637 {
638 DBG1(DBG_TLS, "already replied with a hello retry request");
639 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
640 return NEED_MORE;
641 }
642
643 if (!requesting_curve)
644 {
645 DBG1(DBG_TLS, "no mutual supported group in client hello");
646 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
647 return NEED_MORE;
648 }
649 this->requested_curve = requesting_curve;
650
651 if (!this->crypto->hash_handshake(this->crypto, NULL))
652 {
653 DBG1(DBG_TLS, "failed to hash handshake messages");
654 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
655 return NEED_MORE;
656 }
657 }
658 else
659 {
660 if (peer.key_share.len &&
661 peer.curve != TLS_CURVE25519 &&
662 peer.curve != TLS_CURVE448)
663 { /* classic format (see RFC 8446, section 4.2.8.2) */
664 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
665 {
666 DBG1(DBG_TLS, "DH point format '%N' not supported",
667 tls_ansi_point_format_names, peer.key_share.ptr[0]);
668 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
669 return NEED_MORE;
670 }
671 peer.key_share = chunk_skip(peer.key_share, 1);
672 }
673 if (!peer.key_share.len ||
674 !this->dh->set_other_public_value(this->dh, peer.key_share))
675 {
676 DBG1(DBG_TLS, "DH key derivation failed");
677 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
678 chunk_clear(&shared_secret);
679 return NEED_MORE;
680 }
681 chunk_clear(&shared_secret);
682 this->requested_curve = 0;
683 }
684 }
685
686 this->state = STATE_HELLO_RECEIVED;
687 return NEED_MORE;
688 }
689
690 /**
691 * Process certificate
692 */
693 static status_t process_certificate(private_tls_server_t *this,
694 bio_reader_t *reader)
695 {
696 certificate_t *cert;
697 bio_reader_t *certs;
698 chunk_t data;
699 bool first = TRUE;
700
701 this->crypto->append_handshake(this->crypto,
702 TLS_CERTIFICATE, reader->peek(reader));
703
704 if (!reader->read_data24(reader, &data))
705 {
706 DBG1(DBG_TLS, "certificate message header invalid");
707 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
708 return NEED_MORE;
709 }
710 certs = bio_reader_create(data);
711 while (certs->remaining(certs))
712 {
713 if (!certs->read_data24(certs, &data))
714 {
715 DBG1(DBG_TLS, "certificate message invalid");
716 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
717 certs->destroy(certs);
718 return NEED_MORE;
719 }
720 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
721 BUILD_BLOB_ASN1_DER, data, BUILD_END);
722 if (cert)
723 {
724 if (first)
725 {
726 this->peer_auth->add(this->peer_auth,
727 AUTH_HELPER_SUBJECT_CERT, cert);
728 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
729 cert->get_subject(cert));
730 first = FALSE;
731 }
732 else
733 {
734 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
735 cert->get_subject(cert));
736 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
737 }
738 }
739 else
740 {
741 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
742 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
743 }
744 }
745 certs->destroy(certs);
746 this->state = STATE_CERT_RECEIVED;
747 return NEED_MORE;
748 }
749
750 /**
751 * Process Client Key Exchange, using premaster encryption
752 */
753 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
754 bio_reader_t *reader)
755 {
756 chunk_t encrypted, decrypted;
757 char premaster[48];
758 rng_t *rng;
759
760 this->crypto->append_handshake(this->crypto,
761 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
762
763 if (!reader->read_data16(reader, &encrypted))
764 {
765 DBG1(DBG_TLS, "received invalid Client Key Exchange");
766 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
767 return NEED_MORE;
768 }
769
770 htoun16(premaster, this->client_version);
771 /* pre-randomize premaster for failure cases */
772 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
773 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
774 {
775 DBG1(DBG_TLS, "failed to generate premaster secret");
776 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
777 DESTROY_IF(rng);
778 return NEED_MORE;
779 }
780 rng->destroy(rng);
781
782 if (this->private &&
783 this->private->decrypt(this->private,
784 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
785 {
786 if (decrypted.len == sizeof(premaster) &&
787 untoh16(decrypted.ptr) == this->client_version)
788 {
789 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
790 }
791 else
792 {
793 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
794 }
795 chunk_clear(&decrypted);
796 }
797 else
798 {
799 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
800 }
801
802 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
803 this->session, this->peer,
804 chunk_from_thing(this->client_random),
805 chunk_from_thing(this->server_random)))
806 {
807 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
808 return NEED_MORE;
809 }
810
811 this->state = STATE_KEY_EXCHANGE_RECEIVED;
812 return NEED_MORE;
813 }
814
815 /**
816 * Process client key exchange, using DHE exchange
817 */
818 static status_t process_key_exchange_dhe(private_tls_server_t *this,
819 bio_reader_t *reader)
820 {
821 chunk_t premaster, pub;
822 bool ec;
823
824 this->crypto->append_handshake(this->crypto,
825 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
826
827 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
828 if ((ec && !reader->read_data8(reader, &pub)) ||
829 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
830 {
831 DBG1(DBG_TLS, "received invalid Client Key Exchange");
832 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
833 return NEED_MORE;
834 }
835
836 if (ec)
837 {
838 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
839 {
840 DBG1(DBG_TLS, "DH point format '%N' not supported",
841 tls_ansi_point_format_names, pub.ptr[0]);
842 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
843 return NEED_MORE;
844 }
845 pub = chunk_skip(pub, 1);
846 }
847 if (!this->dh->set_other_public_value(this->dh, pub))
848 {
849 DBG1(DBG_TLS, "applying DH public value failed");
850 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
851 return NEED_MORE;
852 }
853 if (!this->dh->get_shared_secret(this->dh, &premaster))
854 {
855 DBG1(DBG_TLS, "calculating premaster from DH failed");
856 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
857 return NEED_MORE;
858 }
859
860 if (!this->crypto->derive_secrets(this->crypto, premaster,
861 this->session, this->peer,
862 chunk_from_thing(this->client_random),
863 chunk_from_thing(this->server_random)))
864 {
865 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
866 chunk_clear(&premaster);
867 return NEED_MORE;
868 }
869 chunk_clear(&premaster);
870
871 this->state = STATE_KEY_EXCHANGE_RECEIVED;
872 return NEED_MORE;
873 }
874
875 /**
876 * Process Client Key Exchange
877 */
878 static status_t process_key_exchange(private_tls_server_t *this,
879 bio_reader_t *reader)
880 {
881 if (this->dh)
882 {
883 return process_key_exchange_dhe(this, reader);
884 }
885 return process_key_exchange_encrypted(this, reader);
886 }
887
888 /**
889 * Process Certificate verify
890 */
891 static status_t process_cert_verify(private_tls_server_t *this,
892 bio_reader_t *reader)
893 {
894 bool verified = FALSE;
895 enumerator_t *enumerator;
896 public_key_t *public;
897 auth_cfg_t *auth;
898 bio_reader_t *sig;
899
900 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
901 KEY_ANY, this->peer, this->peer_auth, TRUE);
902 while (enumerator->enumerate(enumerator, &public, &auth))
903 {
904 sig = bio_reader_create(reader->peek(reader));
905 verified = this->crypto->verify_handshake(this->crypto, public, sig);
906 sig->destroy(sig);
907 if (verified)
908 {
909 this->peer_auth->merge(this->peer_auth, auth, FALSE);
910 break;
911 }
912 DBG1(DBG_TLS, "signature verification failed, trying another key");
913 }
914 enumerator->destroy(enumerator);
915
916 if (!verified)
917 {
918 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
919 this->peer);
920 /* reset peer identity, we couldn't authenticate it */
921 this->peer->destroy(this->peer);
922 this->peer = NULL;
923 this->state = STATE_KEY_EXCHANGE_RECEIVED;
924 }
925 else
926 {
927 this->state = STATE_CERT_VERIFY_RECEIVED;
928 }
929 this->crypto->append_handshake(this->crypto,
930 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
931 return NEED_MORE;
932 }
933
934 /**
935 * Process finished message
936 */
937 static status_t process_finished(private_tls_server_t *this,
938 bio_reader_t *reader)
939 {
940 chunk_t received, verify_data;
941 u_char buf[12];
942
943 if (this->tls->get_version_max(this->tls) < TLS_1_3)
944 {
945 if (!reader->read_data(reader, sizeof(buf), &received))
946 {
947 DBG1(DBG_TLS, "received client finished too short");
948 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
949 return NEED_MORE;
950 }
951 if (!this->crypto->calculate_finished_legacy(this->crypto,
952 "client finished", buf))
953 {
954 DBG1(DBG_TLS, "calculating client finished failed");
955 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
956 return NEED_MORE;
957 }
958 verify_data = chunk_from_thing(buf);
959 }
960 else
961 {
962 received = reader->peek(reader);
963 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
964 {
965 DBG1(DBG_TLS, "calculating client finished failed");
966 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
967 return NEED_MORE;
968 }
969
970 if (!this->crypto->derive_app_keys(this->crypto))
971 {
972 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
973 return NEED_MORE;
974 }
975 this->crypto->change_cipher(this->crypto, TRUE);
976 this->crypto->change_cipher(this->crypto, FALSE);
977 }
978
979 if (!chunk_equals_const(received, verify_data))
980 {
981 DBG1(DBG_TLS, "received client finished invalid");
982 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
983 return NEED_MORE;
984 }
985
986 if (verify_data.ptr != buf)
987 {
988 chunk_free(&verify_data);
989 }
990
991 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
992 this->state = STATE_FINISHED_RECEIVED;
993 return NEED_MORE;
994 }
995
996 /**
997 * Process KeyUpdate message
998 */
999 static status_t process_key_update(private_tls_server_t *this,
1000 bio_reader_t *reader)
1001 {
1002 uint8_t update_requested;
1003
1004 if (!reader->read_uint8(reader, &update_requested) ||
1005 update_requested > 1)
1006 {
1007 DBG1(DBG_TLS, "received invalid KeyUpdate");
1008 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1009 return NEED_MORE;
1010 }
1011
1012 if (!this->crypto->update_app_keys(this->crypto, TRUE))
1013 {
1014 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1015 return NEED_MORE;
1016 }
1017 this->crypto->change_cipher(this->crypto, TRUE);
1018
1019 if (update_requested)
1020 {
1021 DBG1(DBG_TLS, "client requested KeyUpdate");
1022 this->state = STATE_KEY_UPDATE_REQUESTED;
1023 }
1024 return NEED_MORE;
1025 }
1026
1027 METHOD(tls_handshake_t, process, status_t,
1028 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1029 {
1030 tls_handshake_type_t expected;
1031
1032 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1033 {
1034 switch (this->state)
1035 {
1036 case STATE_INIT:
1037 if (type == TLS_CLIENT_HELLO)
1038 {
1039 return process_client_hello(this, reader);
1040 }
1041 expected = TLS_CLIENT_HELLO;
1042 break;
1043 case STATE_HELLO_DONE:
1044 if (type == TLS_CERTIFICATE)
1045 {
1046 return process_certificate(this, reader);
1047 }
1048 if (this->peer)
1049 {
1050 expected = TLS_CERTIFICATE;
1051 break;
1052 }
1053 /* otherwise fall through to next state */
1054 case STATE_CERT_RECEIVED:
1055 if (type == TLS_CLIENT_KEY_EXCHANGE)
1056 {
1057 return process_key_exchange(this, reader);
1058 }
1059 expected = TLS_CLIENT_KEY_EXCHANGE;
1060 break;
1061 case STATE_KEY_EXCHANGE_RECEIVED:
1062 if (type == TLS_CERTIFICATE_VERIFY)
1063 {
1064 return process_cert_verify(this, reader);
1065 }
1066 if (this->peer)
1067 {
1068 expected = TLS_CERTIFICATE_VERIFY;
1069 break;
1070 }
1071 return INVALID_STATE;
1072 case STATE_CIPHERSPEC_CHANGED_IN:
1073 if (type == TLS_FINISHED)
1074 {
1075 return process_finished(this, reader);
1076 }
1077 expected = TLS_FINISHED;
1078 break;
1079 default:
1080 DBG1(DBG_TLS, "TLS %N not expected in current state",
1081 tls_handshake_type_names, type);
1082 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1083 return NEED_MORE;
1084 }
1085 }
1086 else
1087 {
1088 switch (this->state)
1089 {
1090 case STATE_INIT:
1091 if (type == TLS_CLIENT_HELLO)
1092 {
1093 return process_client_hello(this, reader);
1094 }
1095 expected = TLS_CLIENT_HELLO;
1096 break;
1097 case STATE_CIPHERSPEC_CHANGED_IN:
1098 case STATE_FINISHED_SENT:
1099 if (type == TLS_FINISHED)
1100 {
1101 return process_finished(this, reader);
1102 }
1103 return NEED_MORE;
1104 case STATE_FINISHED_RECEIVED:
1105 if (type == TLS_KEY_UPDATE)
1106 {
1107 return process_key_update(this, reader);
1108 }
1109 return INVALID_STATE;
1110 default:
1111 DBG1(DBG_TLS, "TLS %N not expected in current state",
1112 tls_handshake_type_names, type);
1113 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1114 return NEED_MORE;
1115 }
1116 }
1117 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1118 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1119 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1120 return NEED_MORE;
1121 }
1122
1123 /**
1124 * Write public key into key share extension
1125 */
1126 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1127 {
1128 bio_writer_t *writer;
1129 tls_named_group_t curve;
1130 chunk_t pub;
1131
1132 if (!dh)
1133 {
1134 return FALSE;
1135 }
1136 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1137 if (!curve || !dh->get_my_public_value(dh, &pub))
1138 {
1139 return FALSE;
1140 }
1141 *key_share = writer = bio_writer_create(pub.len + 7);
1142 writer->write_uint16(writer, curve);
1143 if (curve == TLS_CURVE25519 ||
1144 curve == TLS_CURVE448)
1145 {
1146 writer->write_data16(writer, pub);
1147 }
1148 else
1149 { /* classic format (see RFC 8446, section 4.2.8.2) */
1150 writer->write_uint16(writer, pub.len + 1);
1151 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1152 writer->write_data(writer, pub);
1153 }
1154 free(pub.ptr);
1155 return TRUE;
1156 }
1157
1158 /**
1159 * Send ServerHello message
1160 */
1161 static status_t send_server_hello(private_tls_server_t *this,
1162 tls_handshake_type_t *type, bio_writer_t *writer)
1163 {
1164 bio_writer_t *key_share, *extensions;
1165 tls_version_t version;
1166
1167 version = this->tls->get_version_max(this->tls);
1168
1169 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1170 writer->write_uint16(writer, min(TLS_1_2, version));
1171
1172 if (this->requested_curve)
1173 {
1174 writer->write_data(writer, tls_hello_retry_request_magic);
1175 }
1176 else
1177 {
1178 writer->write_data(writer, chunk_from_thing(this->server_random));
1179 }
1180
1181 /* session identifier if we have one */
1182 writer->write_data8(writer, this->session);
1183
1184 /* add selected TLS cipher suite */
1185 writer->write_uint16(writer, this->suite);
1186
1187 /* NULL compression only */
1188 writer->write_uint8(writer, 0);
1189
1190 if (version >= TLS_1_3)
1191 {
1192 extensions = bio_writer_create(32);
1193
1194 DBG2(DBG_TLS, "sending extension: %N",
1195 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1196 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1197 extensions->write_uint16(extensions, 2);
1198 extensions->write_uint16(extensions, version);
1199
1200 DBG2(DBG_TLS, "sending extension: %N",
1201 tls_extension_names, TLS_EXT_KEY_SHARE);
1202 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1203 if (this->requested_curve)
1204 {
1205 DBG1(DBG_TLS, "requesting key exchange with %N",
1206 tls_named_group_names, this->requested_curve);
1207 extensions->write_uint16(extensions, 2);
1208 extensions->write_uint16(extensions, this->requested_curve);
1209 }
1210 else
1211 {
1212 if (!tls_write_key_share(&key_share, this->dh))
1213 {
1214 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1215 extensions->destroy(extensions);
1216 return NEED_MORE;
1217 }
1218 extensions->write_data16(extensions, key_share->get_buf(key_share));
1219 key_share->destroy(key_share);
1220 }
1221
1222 writer->write_data16(writer, extensions->get_buf(extensions));
1223 extensions->destroy(extensions);
1224 }
1225
1226 *type = TLS_SERVER_HELLO;
1227 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1228 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1229 return NEED_MORE;
1230 }
1231
1232 /**
1233 * Send encrypted extensions message
1234 */
1235 static status_t send_encrypted_extensions(private_tls_server_t *this,
1236 tls_handshake_type_t *type,
1237 bio_writer_t *writer)
1238 {
1239 chunk_t shared_secret = chunk_empty;
1240
1241 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1242 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1243 {
1244 DBG1(DBG_TLS, "DH key derivation failed");
1245 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1246 chunk_clear(&shared_secret);
1247 return NEED_MORE;
1248 }
1249 chunk_clear(&shared_secret);
1250
1251 this->crypto->change_cipher(this->crypto, TRUE);
1252 this->crypto->change_cipher(this->crypto, FALSE);
1253
1254 /* currently no extensions are supported */
1255 writer->write_uint16(writer, 0);
1256
1257 *type = TLS_ENCRYPTED_EXTENSIONS;
1258 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1259 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1260 return NEED_MORE;
1261 }
1262
1263 /**
1264 * Send Certificate
1265 */
1266 static status_t send_certificate(private_tls_server_t *this,
1267 tls_handshake_type_t *type, bio_writer_t *writer)
1268 {
1269 enumerator_t *enumerator;
1270 certificate_t *cert;
1271 auth_rule_t rule;
1272 bio_writer_t *certs;
1273 chunk_t data;
1274
1275 /* certificate request context as described in RFC 8446, section 4.4.2 */
1276 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1277 {
1278 writer->write_uint8(writer, 0);
1279 }
1280
1281 /* generate certificate payload */
1282 certs = bio_writer_create(256);
1283 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1284 if (cert)
1285 {
1286 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1287 {
1288 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1289 cert->get_subject(cert));
1290 certs->write_data24(certs, data);
1291 free(data.ptr);
1292 }
1293 /* extensions see RFC 8446, section 4.4.2 */
1294 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1295 {
1296 certs->write_uint16(certs, 0);
1297 }
1298 }
1299 enumerator = this->server_auth->create_enumerator(this->server_auth);
1300 while (enumerator->enumerate(enumerator, &rule, &cert))
1301 {
1302 if (rule == AUTH_RULE_IM_CERT)
1303 {
1304 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1305 {
1306 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1307 cert->get_subject(cert));
1308 certs->write_data24(certs, data);
1309 free(data.ptr);
1310 }
1311 }
1312 }
1313 enumerator->destroy(enumerator);
1314
1315 writer->write_data24(writer, certs->get_buf(certs));
1316 certs->destroy(certs);
1317
1318 *type = TLS_CERTIFICATE;
1319 this->state = STATE_CERT_SENT;
1320 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1321 return NEED_MORE;
1322 }
1323
1324 /**
1325 * Send Certificate Verify
1326 */
1327 static status_t send_certificate_verify(private_tls_server_t *this,
1328 tls_handshake_type_t *type,
1329 bio_writer_t *writer)
1330 {
1331 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1332 this->hashsig))
1333 {
1334 DBG1(DBG_TLS, "signature generation failed");
1335 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1336 return NEED_MORE;
1337 }
1338
1339 *type = TLS_CERTIFICATE_VERIFY;
1340 this->state = STATE_CERT_VERIFY_SENT;
1341 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1342 return NEED_MORE;
1343 }
1344
1345 /**
1346 * Send Certificate Request
1347 */
1348 static status_t send_certificate_request(private_tls_server_t *this,
1349 tls_handshake_type_t *type, bio_writer_t *writer)
1350 {
1351 bio_writer_t *authorities, *supported;
1352 enumerator_t *enumerator;
1353 certificate_t *cert;
1354 x509_t *x509;
1355 identification_t *id;
1356
1357 supported = bio_writer_create(4);
1358 /* we propose both RSA and ECDSA */
1359 supported->write_uint8(supported, TLS_RSA_SIGN);
1360 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1361 writer->write_data8(writer, supported->get_buf(supported));
1362 supported->destroy(supported);
1363 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1364 {
1365 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1366 }
1367
1368 authorities = bio_writer_create(64);
1369 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
1370 CERT_X509, KEY_RSA, NULL, TRUE);
1371 while (enumerator->enumerate(enumerator, &cert))
1372 {
1373 x509 = (x509_t*)cert;
1374 if (x509->get_flags(x509) & X509_CA)
1375 {
1376 id = cert->get_subject(cert);
1377 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1378 authorities->write_data16(authorities, id->get_encoding(id));
1379 }
1380 }
1381 enumerator->destroy(enumerator);
1382 writer->write_data16(writer, authorities->get_buf(authorities));
1383 authorities->destroy(authorities);
1384
1385 *type = TLS_CERTIFICATE_REQUEST;
1386 this->state = STATE_CERTREQ_SENT;
1387 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1388 return NEED_MORE;
1389 }
1390
1391 /**
1392 * Try to find a curve supported by both, client and server
1393 */
1394 static bool find_supported_curve(private_tls_server_t *this,
1395 tls_named_group_t *curve)
1396 {
1397 tls_named_group_t current;
1398 enumerator_t *enumerator;
1399
1400 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1401 while (enumerator->enumerate(enumerator, NULL, &current))
1402 {
1403 if (peer_supports_curve(this, current))
1404 {
1405 *curve = current;
1406 enumerator->destroy(enumerator);
1407 return TRUE;
1408 }
1409 }
1410 enumerator->destroy(enumerator);
1411 return FALSE;
1412 }
1413
1414 /**
1415 * Send Server key Exchange
1416 */
1417 static status_t send_server_key_exchange(private_tls_server_t *this,
1418 tls_handshake_type_t *type, bio_writer_t *writer,
1419 diffie_hellman_group_t group)
1420 {
1421 diffie_hellman_params_t *params = NULL;
1422 tls_named_group_t curve;
1423 chunk_t chunk;
1424
1425 if (diffie_hellman_group_is_ec(group))
1426 {
1427 curve = tls_ec_group_to_curve(group);
1428 if (!curve || (!peer_supports_curve(this, curve) &&
1429 !find_supported_curve(this, &curve)))
1430 {
1431 DBG1(DBG_TLS, "no EC group supported by client and server");
1432 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1433 return NEED_MORE;
1434 }
1435 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1436 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1437 writer->write_uint16(writer, curve);
1438 }
1439 else
1440 {
1441 params = diffie_hellman_get_params(group);
1442 if (!params)
1443 {
1444 DBG1(DBG_TLS, "no parameters found for DH group %N",
1445 diffie_hellman_group_names, group);
1446 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1447 return NEED_MORE;
1448 }
1449 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1450 writer->write_data16(writer, params->prime);
1451 writer->write_data16(writer, params->generator);
1452 }
1453 this->dh = lib->crypto->create_dh(lib->crypto, group);
1454 if (!this->dh)
1455 {
1456 DBG1(DBG_TLS, "DH group %N not supported",
1457 diffie_hellman_group_names, group);
1458 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1459 return NEED_MORE;
1460 }
1461 if (!this->dh->get_my_public_value(this->dh, &chunk))
1462 {
1463 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1464 return NEED_MORE;
1465 }
1466 if (params)
1467 {
1468 writer->write_data16(writer, chunk);
1469 }
1470 else
1471 { /* ECP uses 8bit length header only, but a point format */
1472 writer->write_uint8(writer, chunk.len + 1);
1473 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1474 writer->write_data(writer, chunk);
1475 }
1476 free(chunk.ptr);
1477
1478 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1479 chunk_from_thing(this->server_random), writer->get_buf(writer));
1480 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1481 writer, chunk, this->hashsig))
1482 {
1483 DBG1(DBG_TLS, "signing DH parameters failed");
1484 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1485 free(chunk.ptr);
1486 return NEED_MORE;
1487 }
1488 free(chunk.ptr);
1489 *type = TLS_SERVER_KEY_EXCHANGE;
1490 this->state = STATE_KEY_EXCHANGE_SENT;
1491 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1492 return NEED_MORE;
1493 }
1494
1495 /**
1496 * Send Hello Done
1497 */
1498 static status_t send_hello_done(private_tls_server_t *this,
1499 tls_handshake_type_t *type, bio_writer_t *writer)
1500 {
1501 *type = TLS_SERVER_HELLO_DONE;
1502 this->state = STATE_HELLO_DONE;
1503 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1504 return NEED_MORE;
1505 }
1506
1507 /**
1508 * Send Finished
1509 */
1510 static status_t send_finished(private_tls_server_t *this,
1511 tls_handshake_type_t *type, bio_writer_t *writer)
1512 {
1513 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1514 {
1515 char buf[12];
1516
1517 if (!this->crypto->calculate_finished_legacy(this->crypto,
1518 "server finished", buf))
1519 {
1520 DBG1(DBG_TLS, "calculating server finished data failed");
1521 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1522 return FAILED;
1523 }
1524
1525 writer->write_data(writer, chunk_from_thing(buf));
1526 }
1527 else
1528 {
1529 chunk_t verify_data;
1530
1531 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1532 {
1533 DBG1(DBG_TLS, "calculating server finished data failed");
1534 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1535 return NEED_MORE;
1536 }
1537
1538 writer->write_data(writer, verify_data);
1539 chunk_free(&verify_data);
1540 }
1541
1542 *type = TLS_FINISHED;
1543 this->state = STATE_FINISHED_SENT;
1544 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1545
1546 return NEED_MORE;
1547 }
1548
1549 /**
1550 * Send KeyUpdate message
1551 */
1552 static status_t send_key_update(private_tls_server_t *this,
1553 tls_handshake_type_t *type, bio_writer_t *writer)
1554 {
1555 *type = TLS_KEY_UPDATE;
1556
1557 /* we currently only send this as reply, so we never request an update */
1558 writer->write_uint8(writer, 0);
1559
1560 this->state = STATE_KEY_UPDATE_SENT;
1561 return NEED_MORE;
1562 }
1563
1564 METHOD(tls_handshake_t, build, status_t,
1565 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1566 {
1567 diffie_hellman_group_t group;
1568
1569 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1570 {
1571 switch (this->state)
1572 {
1573 case STATE_HELLO_RECEIVED:
1574 return send_server_hello(this, type, writer);
1575 case STATE_HELLO_SENT:
1576 return send_certificate(this, type, writer);
1577 case STATE_CERT_SENT:
1578 group = this->crypto->get_dh_group(this->crypto);
1579 if (group)
1580 {
1581 return send_server_key_exchange(this, type, writer, group);
1582 }
1583 /* otherwise fall through to next state */
1584 case STATE_KEY_EXCHANGE_SENT:
1585 if (this->peer)
1586 {
1587 return send_certificate_request(this, type, writer);
1588 }
1589 /* otherwise fall through to next state */
1590 case STATE_CERTREQ_SENT:
1591 return send_hello_done(this, type, writer);
1592 case STATE_CIPHERSPEC_CHANGED_OUT:
1593 return send_finished(this, type, writer);
1594 case STATE_FINISHED_SENT:
1595 return INVALID_STATE;
1596 default:
1597 return INVALID_STATE;
1598 }
1599 }
1600 else
1601 {
1602 switch (this->state)
1603 {
1604 case STATE_HELLO_RECEIVED:
1605 return send_server_hello(this, type, writer);
1606 case STATE_HELLO_SENT:
1607 case STATE_CIPHERSPEC_CHANGED_OUT:
1608 return send_encrypted_extensions(this, type, writer);
1609 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1610 return send_certificate(this, type, writer);
1611 case STATE_CERT_SENT:
1612 return send_certificate_verify(this, type, writer);
1613 case STATE_CERT_VERIFY_SENT:
1614 return send_finished(this, type, writer);
1615 case STATE_FINISHED_SENT:
1616 return INVALID_STATE;
1617 case STATE_KEY_UPDATE_REQUESTED:
1618 return send_key_update(this, type, writer);
1619 case STATE_KEY_UPDATE_SENT:
1620 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1621 {
1622 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1623 return NEED_MORE;
1624 }
1625 this->crypto->change_cipher(this->crypto, FALSE);
1626 this->state = STATE_FINISHED_RECEIVED;
1627 default:
1628 return INVALID_STATE;
1629 }
1630 }
1631 }
1632
1633 METHOD(tls_handshake_t, cipherspec_changed, bool,
1634 private_tls_server_t *this, bool inbound)
1635 {
1636 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1637 {
1638 if (inbound)
1639 {
1640 if (this->resume)
1641 {
1642 return this->state == STATE_FINISHED_SENT;
1643 }
1644 if (this->peer)
1645 {
1646 return this->state == STATE_CERT_VERIFY_RECEIVED;
1647 }
1648 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1649 }
1650 else
1651 {
1652 if (this->resume)
1653 {
1654 return this->state == STATE_HELLO_SENT;
1655 }
1656 return this->state == STATE_FINISHED_RECEIVED;
1657 }
1658 return FALSE;
1659 }
1660 else
1661 {
1662 if (inbound)
1663 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1664 return this->state == STATE_FINISHED_SENT || retrying(this);
1665 }
1666 else
1667 {
1668 return this->state == STATE_HELLO_SENT;
1669 }
1670 }
1671 }
1672
1673 METHOD(tls_handshake_t, change_cipherspec, void,
1674 private_tls_server_t *this, bool inbound)
1675 {
1676 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1677 {
1678 this->crypto->change_cipher(this->crypto, inbound);
1679 }
1680
1681 if (retrying(this))
1682 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1683 * before a new ClientHello which should not cause any state changes */
1684 return;
1685 }
1686
1687 if (inbound)
1688 {
1689 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1690 }
1691 else
1692 {
1693 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1694 }
1695 }
1696
1697 METHOD(tls_handshake_t, finished, bool,
1698 private_tls_server_t *this)
1699 {
1700 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1701 {
1702 if (this->resume)
1703 {
1704 return this->state == STATE_FINISHED_RECEIVED;
1705 }
1706 return this->state == STATE_FINISHED_SENT;
1707 }
1708 else
1709 {
1710 return this->state == STATE_FINISHED_RECEIVED;
1711 }
1712 }
1713
1714 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1715 private_tls_server_t *this)
1716 {
1717 return this->peer;
1718 }
1719
1720 METHOD(tls_handshake_t, get_server_id, identification_t*,
1721 private_tls_server_t *this)
1722 {
1723 return this->server;
1724 }
1725
1726 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1727 private_tls_server_t *this)
1728 {
1729 return this->peer_auth;
1730 }
1731
1732 METHOD(tls_handshake_t, destroy, void,
1733 private_tls_server_t *this)
1734 {
1735 DESTROY_IF(this->private);
1736 DESTROY_IF(this->dh);
1737 DESTROY_IF(this->peer);
1738 this->server->destroy(this->server);
1739 this->peer_auth->destroy(this->peer_auth);
1740 this->server_auth->destroy(this->server_auth);
1741 free(this->hashsig.ptr);
1742 free(this->curves.ptr);
1743 free(this->session.ptr);
1744 free(this);
1745 }
1746
1747 /**
1748 * See header
1749 */
1750 tls_server_t *tls_server_create(tls_t *tls,
1751 tls_crypto_t *crypto, tls_alert_t *alert,
1752 identification_t *server, identification_t *peer)
1753 {
1754 private_tls_server_t *this;
1755
1756 INIT(this,
1757 .public = {
1758 .handshake = {
1759 .process = _process,
1760 .build = _build,
1761 .cipherspec_changed = _cipherspec_changed,
1762 .change_cipherspec = _change_cipherspec,
1763 .finished = _finished,
1764 .get_peer_id = _get_peer_id,
1765 .get_server_id = _get_server_id,
1766 .get_auth = _get_auth,
1767 .destroy = _destroy,
1768 },
1769 },
1770 .tls = tls,
1771 .crypto = crypto,
1772 .alert = alert,
1773 .server = server->clone(server),
1774 .peer = peer ? peer->clone(peer) : NULL,
1775 .state = STATE_INIT,
1776 .peer_auth = auth_cfg_create(),
1777 .server_auth = auth_cfg_create(),
1778 );
1779
1780 return &this->public;
1781 }