tls-server: Share trusted public key search between client and server
[strongswan.git] / src / libtls / tls_server.c
1 /*
2 * Copyright (C) 2020 Pascal Knecht
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "tls_server.h"
20
21 #include <time.h>
22
23 #include <utils/debug.h>
24 #include <credentials/certificates/x509.h>
25 #include <collections/array.h>
26
27 typedef struct private_tls_server_t private_tls_server_t;
28
29 /**
30 * Size of a session ID
31 */
32 #define SESSION_ID_SIZE 16
33
34 typedef enum {
35 STATE_INIT,
36 STATE_HELLO_RECEIVED,
37 STATE_HELLO_SENT,
38 STATE_CERT_SENT,
39 STATE_KEY_EXCHANGE_SENT,
40 STATE_CERTREQ_SENT,
41 STATE_HELLO_DONE,
42 STATE_CERT_RECEIVED,
43 STATE_KEY_EXCHANGE_RECEIVED,
44 STATE_CERT_VERIFY_RECEIVED,
45 STATE_CIPHERSPEC_CHANGED_IN,
46 STATE_FINISHED_RECEIVED,
47 STATE_CIPHERSPEC_CHANGED_OUT,
48 STATE_FINISHED_SENT,
49 /* new states in TLS 1.3 */
50 STATE_ENCRYPTED_EXTENSIONS_SENT,
51 STATE_CERT_VERIFY_SENT,
52 STATE_KEY_UPDATE_REQUESTED,
53 STATE_KEY_UPDATE_SENT,
54 } server_state_t;
55
56 /**
57 * Private data of an tls_server_t object.
58 */
59 struct private_tls_server_t {
60
61 /**
62 * Public tls_server_t interface.
63 */
64 tls_server_t public;
65
66 /**
67 * TLS stack
68 */
69 tls_t *tls;
70
71 /**
72 * TLS crypto context
73 */
74 tls_crypto_t *crypto;
75
76 /**
77 * TLS alert handler
78 */
79 tls_alert_t *alert;
80
81 /**
82 * Server identity
83 */
84 identification_t *server;
85
86 /**
87 * Peer identity, NULL for no client authentication
88 */
89 identification_t *peer;
90
91 /**
92 * Is it acceptable if we couldn't verify the peer certificate?
93 */
94 bool peer_auth_optional;
95
96 /**
97 * State we are in
98 */
99 server_state_t state;
100
101 /**
102 * Hello random data selected by client
103 */
104 char client_random[32];
105
106 /**
107 * Hello random data selected by server
108 */
109 char server_random[32];
110
111 /**
112 * Auth helper for peer authentication
113 */
114 auth_cfg_t *peer_auth;
115
116 /**
117 * Auth helper for server authentication
118 */
119 auth_cfg_t *server_auth;
120
121 /**
122 * Peer private key
123 */
124 private_key_t *private;
125
126 /**
127 * DHE exchange
128 */
129 diffie_hellman_t *dh;
130
131 /**
132 * Requested DH group
133 */
134 tls_named_group_t requested_curve;
135
136 /**
137 * Selected TLS cipher suite
138 */
139 tls_cipher_suite_t suite;
140
141 /**
142 * Offered TLS version of the client
143 */
144 tls_version_t client_version;
145
146 /**
147 * TLS session identifier
148 */
149 chunk_t session;
150
151 /**
152 * Do we resume a session?
153 */
154 bool resume;
155
156 /**
157 * Hash and signature algorithms supported by peer
158 */
159 chunk_t hashsig;
160
161 /**
162 * Elliptic curves supported by peer
163 */
164 chunk_t curves;
165
166 /**
167 * Did we receive the curves from the client?
168 */
169 bool curves_received;
170 };
171
172 /**
173 * Find a trusted public key to encrypt/verify key exchange data
174 */
175 public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
176 {
177 public_key_t *public = NULL, *current;
178 certificate_t *cert, *found;
179 enumerator_t *enumerator;
180 auth_cfg_t *auth;
181
182 cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
183 if (cert)
184 {
185 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
186 KEY_ANY, cert->get_subject(cert),
187 peer_auth, TRUE);
188 while (enumerator->enumerate(enumerator, &current, &auth))
189 {
190 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
191 if (found && cert->equals(cert, found))
192 {
193 public = current->get_ref(current);
194 peer_auth->merge(peer_auth, auth, FALSE);
195 break;
196 }
197 }
198 enumerator->destroy(enumerator);
199 }
200 return public;
201 }
202
203 /**
204 * Create an array of an intersection of server and peer supported key types
205 */
206 static array_t *create_common_key_types(chunk_t hashsig,
207 tls_version_t version_min,
208 tls_version_t version_max)
209 {
210 array_t *key_types;
211 enumerator_t *enumerator;
212 key_type_t v, lookup;
213 uint16_t sig_scheme;
214
215 key_types = array_create(sizeof(key_type_t), 8);
216 enumerator = tls_get_supported_key_types(version_min, version_max);
217 while (enumerator->enumerate(enumerator, &v))
218 {
219 bio_reader_t *reader;
220
221 reader = bio_reader_create(hashsig);
222 while (reader->remaining(reader) &&
223 reader->read_uint16(reader, &sig_scheme))
224 {
225 lookup = tls_signature_scheme_to_key_type(sig_scheme);
226 if (v == lookup)
227 {
228 array_insert(key_types, ARRAY_TAIL, &lookup);
229 break;
230 }
231 }
232 reader->destroy(reader);
233 }
234 enumerator->destroy(enumerator);
235 return key_types;
236 }
237
238 /**
239 * Find a cipher suite and a server key
240 */
241 static bool select_suite_and_key(private_tls_server_t *this,
242 tls_cipher_suite_t *suites, int count)
243 {
244 array_t *key_types;
245 tls_version_t version_min, version_max;
246 private_key_t *key;
247 key_type_t type;
248
249 version_min = this->tls->get_version_min(this->tls);
250 version_max = this->tls->get_version_max(this->tls);
251 key_types = create_common_key_types(this->hashsig, version_min, version_max);
252 if (!array_count(key_types))
253 {
254 DBG1(DBG_TLS, "no common signature algorithms found");
255 array_destroy(key_types);
256 return FALSE;
257 }
258 while (array_remove(key_types, ARRAY_HEAD, &type))
259 {
260 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
261 this->server_auth);
262 if (key)
263 {
264 break;
265 }
266 }
267 if (!key)
268 {
269 DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
270 this->server);
271 array_destroy(key_types);
272 return FALSE;
273 }
274
275 if (version_max >= TLS_1_3)
276 {
277 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
278 count, KEY_ANY);
279 }
280 else
281 {
282 this->suite = this->crypto->select_cipher_suite(this->crypto, suites,
283 count, type);
284 while (!this->suite && array_remove(key_types, ARRAY_HEAD, &type))
285 { /* find a key and cipher suite for one of the remaining key types */
286 DESTROY_IF(key);
287 this->server_auth->destroy(this->server_auth);
288 this->server_auth = auth_cfg_create();
289 key = lib->credmgr->get_private(lib->credmgr, type, this->server,
290 this->server_auth);
291 if (key)
292 {
293 this->suite = this->crypto->select_cipher_suite(this->crypto,
294 suites, count,
295 type);
296 }
297 }
298 }
299 array_destroy(key_types);
300 if (!this->suite || !key)
301 {
302 DBG1(DBG_TLS, "received cipher suites or signature schemes unacceptable");
303 return FALSE;
304 }
305 DBG1(DBG_TLS, "using key of type %N", key_type_names, key->get_type(key));
306 this->private = key;
307 return TRUE;
308 }
309
310 /**
311 * Check if the peer supports a given TLS curve
312 */
313 static bool peer_supports_curve(private_tls_server_t *this,
314 tls_named_group_t curve)
315 {
316 bio_reader_t *reader;
317 uint16_t current;
318
319 if (!this->curves_received)
320 { /* none received, assume yes */
321 return TRUE;
322 }
323 reader = bio_reader_create(this->curves);
324 while (reader->remaining(reader) && reader->read_uint16(reader, &current))
325 {
326 if (current == curve)
327 {
328 reader->destroy(reader);
329 return TRUE;
330 }
331 }
332 reader->destroy(reader);
333 return FALSE;
334 }
335
336 /**
337 * TLS 1.3 key exchange key share
338 */
339 typedef struct {
340 uint16_t curve;
341 chunk_t key_share;
342 } key_share_t;
343
344 /**
345 * Check if peer sent a key share of a given TLS named DH group
346 */
347 static bool peer_offered_curve(array_t *key_shares, tls_named_group_t curve,
348 key_share_t *out)
349 {
350 key_share_t peer;
351 int i;
352
353 for (i = 0; i < array_count(key_shares); i++)
354 {
355 array_get(key_shares, i, &peer);
356 if (curve == peer.curve)
357 {
358 if (out)
359 {
360 *out = peer;
361 }
362 return TRUE;
363 }
364 }
365 return FALSE;
366 }
367
368 /**
369 * Check if client is currently retrying to connect to the server.
370 */
371 static bool retrying(private_tls_server_t *this)
372 {
373 return this->state == STATE_INIT && this->requested_curve;
374 }
375
376 /**
377 * Process client hello message
378 */
379 static status_t process_client_hello(private_tls_server_t *this,
380 bio_reader_t *reader)
381 {
382 uint16_t legacy_version = 0, version = 0, extension_type = 0;
383 chunk_t random, session, ciphers, versions = chunk_empty, compression;
384 chunk_t ext = chunk_empty, key_shares = chunk_empty;
385 key_share_t peer = {0};
386 chunk_t extension_data = chunk_empty;
387 bio_reader_t *extensions, *extension;
388 tls_cipher_suite_t *suites;
389 int count, i;
390 rng_t *rng;
391
392 this->crypto->append_handshake(this->crypto,
393 TLS_CLIENT_HELLO, reader->peek(reader));
394
395 if (!reader->read_uint16(reader, &legacy_version) ||
396 !reader->read_data(reader, sizeof(this->client_random), &random) ||
397 !reader->read_data8(reader, &session) ||
398 !reader->read_data16(reader, &ciphers) ||
399 !reader->read_data8(reader, &compression) ||
400 (reader->remaining(reader) && !reader->read_data16(reader, &ext)))
401 {
402 DBG1(DBG_TLS, "received invalid ClientHello");
403 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
404 return NEED_MORE;
405 }
406
407 /* before we do anything version-related, determine our supported suites
408 * as that might change the min./max. versions */
409 this->crypto->get_cipher_suites(this->crypto, NULL);
410
411 extensions = bio_reader_create(ext);
412 while (extensions->remaining(extensions))
413 {
414 if (!extensions->read_uint16(extensions, &extension_type) ||
415 !extensions->read_data16(extensions, &extension_data))
416 {
417 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
418 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
419 extensions->destroy(extensions);
420 return NEED_MORE;
421 }
422 extension = bio_reader_create(extension_data);
423 DBG2(DBG_TLS, "received TLS '%N' extension",
424 tls_extension_names, extension_type);
425 DBG3(DBG_TLS, "%B", &extension_data);
426 switch (extension_type)
427 {
428 case TLS_EXT_SIGNATURE_ALGORITHMS:
429 if (!extension->read_data16(extension, &extension_data))
430 {
431 DBG1(DBG_TLS, "invalid %N extension",
432 tls_extension_names, extension_type);
433 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
434 extensions->destroy(extensions);
435 extension->destroy(extension);
436 return NEED_MORE;
437 }
438 chunk_free(&this->hashsig);
439 this->hashsig = chunk_clone(extension_data);
440 break;
441 case TLS_EXT_SUPPORTED_GROUPS:
442 if (!extension->read_data16(extension, &extension_data))
443 {
444 DBG1(DBG_TLS, "invalid %N extension",
445 tls_extension_names, extension_type);
446 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
447 extensions->destroy(extensions);
448 extension->destroy(extension);
449 return NEED_MORE;
450 }
451 chunk_free(&this->curves);
452 this->curves_received = TRUE;
453 this->curves = chunk_clone(extension_data);
454 break;
455 case TLS_EXT_SUPPORTED_VERSIONS:
456 if (!extension->read_data8(extension, &versions))
457 {
458 DBG1(DBG_TLS, "invalid %N extension",
459 tls_extension_names, extension_type);
460 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
461 extensions->destroy(extensions);
462 extension->destroy(extension);
463 return NEED_MORE;
464 }
465 break;
466 case TLS_EXT_KEY_SHARE:
467 if (!extension->read_data16(extension, &key_shares))
468 {
469 DBG1(DBG_TLS, "invalid %N extension",
470 tls_extension_names, extension_type);
471 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
472 extensions->destroy(extensions);
473 extension->destroy(extension);
474 return NEED_MORE;
475 }
476 break;
477 default:
478 break;
479 }
480 extension->destroy(extension);
481 }
482 extensions->destroy(extensions);
483
484 if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
485 {
486 DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
487 TLS_MISSING_EXTENSION);
488 this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
489 return NEED_MORE;
490 }
491
492 memcpy(this->client_random, random.ptr, sizeof(this->client_random));
493
494 htoun32(&this->server_random, time(NULL));
495 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
496 if (!rng ||
497 !rng->get_bytes(rng, sizeof(this->server_random) - 4,
498 this->server_random + 4))
499 {
500 DBG1(DBG_TLS, "failed to generate server random");
501 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
502 DESTROY_IF(rng);
503 return NEED_MORE;
504 }
505 rng->destroy(rng);
506
507 if (versions.len)
508 {
509 bio_reader_t *client_versions;
510
511 client_versions = bio_reader_create(versions);
512 while (client_versions->remaining(client_versions))
513 {
514 if (client_versions->read_uint16(client_versions, &version))
515 {
516 if (this->tls->set_version(this->tls, version, version))
517 {
518 this->client_version = version;
519 break;
520 }
521 }
522 }
523 client_versions->destroy(client_versions);
524 }
525 else
526 {
527 version = legacy_version;
528 if (this->tls->set_version(this->tls, version, version))
529 {
530 this->client_version = version;
531 }
532 }
533 if (!this->client_version)
534 {
535 DBG1(DBG_TLS, "proposed version %N not supported", tls_version_names,
536 version);
537 this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
538 return NEED_MORE;
539 }
540
541 if (this->tls->get_version_max(this->tls) < TLS_1_3)
542 {
543 this->suite = this->crypto->resume_session(this->crypto, session,
544 this->peer,
545 chunk_from_thing(this->client_random),
546 chunk_from_thing(this->server_random));
547 }
548
549 if (this->suite)
550 {
551 this->session = chunk_clone(session);
552 this->resume = TRUE;
553 DBG1(DBG_TLS, "resumed %N using suite %N",
554 tls_version_names, this->tls->get_version_max(this->tls),
555 tls_cipher_suite_names, this->suite);
556 }
557 else
558 {
559 count = ciphers.len / sizeof(uint16_t);
560 suites = alloca(count * sizeof(tls_cipher_suite_t));
561 DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
562 for (i = 0; i < count; i++)
563 {
564 suites[i] = untoh16(&ciphers.ptr[i * sizeof(uint16_t)]);
565 DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
566 }
567 if (!select_suite_and_key(this, suites, count))
568 {
569 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
570 return NEED_MORE;
571 }
572 if (this->tls->get_version_max(this->tls) < TLS_1_3)
573 {
574 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
575 if (!rng ||
576 !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
577 {
578 DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
579 }
580 DESTROY_IF(rng);
581 }
582 else
583 {
584 this->session = chunk_clone(session);
585 }
586 DBG1(DBG_TLS, "negotiated %N using suite %N",
587 tls_version_names, this->tls->get_version_max(this->tls),
588 tls_cipher_suite_names, this->suite);
589 }
590
591 if (this->tls->get_version_max(this->tls) >= TLS_1_3)
592 {
593 diffie_hellman_group_t group;
594 tls_named_group_t curve, requesting_curve = 0;
595 enumerator_t *enumerator;
596 chunk_t shared_secret = chunk_empty;
597 array_t *peer_key_shares;
598
599 peer_key_shares = array_create(sizeof(key_share_t), 1);
600 extension = bio_reader_create(key_shares);
601 while (extension->remaining(extension))
602 {
603 if (!extension->read_uint16(extension, &peer.curve) ||
604 !extension->read_data16(extension, &peer.key_share) ||
605 !peer.key_share.len)
606 {
607 DBG1(DBG_TLS, "invalid %N extension",
608 tls_extension_names, extension_type);
609 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
610 extension->destroy(extension);
611 array_destroy(peer_key_shares);
612 return NEED_MORE;
613 }
614 array_insert(peer_key_shares, ARRAY_TAIL, &peer);
615 }
616 extension->destroy(extension);
617
618 enumerator = this->crypto->create_ec_enumerator(this->crypto);
619 while (enumerator->enumerate(enumerator, &group, &curve))
620 {
621 if (!requesting_curve &&
622 peer_supports_curve(this, curve) &&
623 !peer_offered_curve(peer_key_shares, curve, NULL))
624 {
625 requesting_curve = curve;
626 }
627 if (peer_supports_curve(this, curve) &&
628 peer_offered_curve(peer_key_shares, curve, &peer))
629 {
630 DBG1(DBG_TLS, "using key exchange %N",
631 tls_named_group_names, curve);
632 this->dh = lib->crypto->create_dh(lib->crypto, group);
633 break;
634 }
635 }
636 enumerator->destroy(enumerator);
637 array_destroy(peer_key_shares);
638
639 if (!this->dh)
640 {
641 if (retrying(this))
642 {
643 DBG1(DBG_TLS, "already replied with a hello retry request");
644 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
645 return NEED_MORE;
646 }
647
648 if (!requesting_curve)
649 {
650 DBG1(DBG_TLS, "no mutual supported group in client hello");
651 this->alert->add(this->alert, TLS_FATAL, TLS_ILLEGAL_PARAMETER);
652 return NEED_MORE;
653 }
654 this->requested_curve = requesting_curve;
655
656 if (!this->crypto->hash_handshake(this->crypto, NULL))
657 {
658 DBG1(DBG_TLS, "failed to hash handshake messages");
659 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
660 return NEED_MORE;
661 }
662 }
663 else
664 {
665 if (peer.key_share.len &&
666 peer.curve != TLS_CURVE25519 &&
667 peer.curve != TLS_CURVE448)
668 { /* classic format (see RFC 8446, section 4.2.8.2) */
669 if (peer.key_share.ptr[0] != TLS_ANSI_UNCOMPRESSED)
670 {
671 DBG1(DBG_TLS, "DH point format '%N' not supported",
672 tls_ansi_point_format_names, peer.key_share.ptr[0]);
673 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
674 return NEED_MORE;
675 }
676 peer.key_share = chunk_skip(peer.key_share, 1);
677 }
678 if (!peer.key_share.len ||
679 !this->dh->set_other_public_value(this->dh, peer.key_share))
680 {
681 DBG1(DBG_TLS, "DH key derivation failed");
682 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
683 chunk_clear(&shared_secret);
684 return NEED_MORE;
685 }
686 chunk_clear(&shared_secret);
687 this->requested_curve = 0;
688 }
689 }
690
691 this->state = STATE_HELLO_RECEIVED;
692 return NEED_MORE;
693 }
694
695 /**
696 * Process certificate
697 */
698 static status_t process_certificate(private_tls_server_t *this,
699 bio_reader_t *reader)
700 {
701 certificate_t *cert;
702 bio_reader_t *certs;
703 chunk_t data;
704 bool first = TRUE;
705
706 this->crypto->append_handshake(this->crypto,
707 TLS_CERTIFICATE, reader->peek(reader));
708
709 if (!reader->read_data24(reader, &data))
710 {
711 DBG1(DBG_TLS, "certificate message header invalid");
712 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
713 return NEED_MORE;
714 }
715 certs = bio_reader_create(data);
716 while (certs->remaining(certs))
717 {
718 if (!certs->read_data24(certs, &data))
719 {
720 DBG1(DBG_TLS, "certificate message invalid");
721 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
722 certs->destroy(certs);
723 return NEED_MORE;
724 }
725 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
726 BUILD_BLOB_ASN1_DER, data, BUILD_END);
727 if (cert)
728 {
729 if (first)
730 {
731 this->peer_auth->add(this->peer_auth,
732 AUTH_HELPER_SUBJECT_CERT, cert);
733 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
734 cert->get_subject(cert));
735 first = FALSE;
736 if (this->peer == NULL)
737 { /* apply identity to authenticate */
738 this->peer = cert->get_subject(cert);
739 this->peer = this->peer->clone(this->peer);
740 this->peer_auth_optional = TRUE;
741 }
742 }
743 else
744 {
745 DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
746 cert->get_subject(cert));
747 this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
748 }
749 }
750 else
751 {
752 DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
753 this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
754 }
755 }
756 certs->destroy(certs);
757 this->state = STATE_CERT_RECEIVED;
758 return NEED_MORE;
759 }
760
761 /**
762 * Process Client Key Exchange, using premaster encryption
763 */
764 static status_t process_key_exchange_encrypted(private_tls_server_t *this,
765 bio_reader_t *reader)
766 {
767 chunk_t encrypted, decrypted;
768 char premaster[48];
769 rng_t *rng;
770
771 this->crypto->append_handshake(this->crypto,
772 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
773
774 if (!reader->read_data16(reader, &encrypted))
775 {
776 DBG1(DBG_TLS, "received invalid Client Key Exchange");
777 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
778 return NEED_MORE;
779 }
780
781 htoun16(premaster, this->client_version);
782 /* pre-randomize premaster for failure cases */
783 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
784 if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
785 {
786 DBG1(DBG_TLS, "failed to generate premaster secret");
787 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
788 DESTROY_IF(rng);
789 return NEED_MORE;
790 }
791 rng->destroy(rng);
792
793 if (this->private &&
794 this->private->decrypt(this->private,
795 ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
796 {
797 if (decrypted.len == sizeof(premaster) &&
798 untoh16(decrypted.ptr) == this->client_version)
799 {
800 memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
801 }
802 else
803 {
804 DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
805 }
806 chunk_clear(&decrypted);
807 }
808 else
809 {
810 DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
811 }
812
813 if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
814 this->session, this->peer,
815 chunk_from_thing(this->client_random),
816 chunk_from_thing(this->server_random)))
817 {
818 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
819 return NEED_MORE;
820 }
821
822 this->state = STATE_KEY_EXCHANGE_RECEIVED;
823 return NEED_MORE;
824 }
825
826 /**
827 * Process client key exchange, using DHE exchange
828 */
829 static status_t process_key_exchange_dhe(private_tls_server_t *this,
830 bio_reader_t *reader)
831 {
832 chunk_t premaster, pub;
833 bool ec;
834
835 this->crypto->append_handshake(this->crypto,
836 TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
837
838 ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
839 if ((ec && !reader->read_data8(reader, &pub)) ||
840 (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
841 {
842 DBG1(DBG_TLS, "received invalid Client Key Exchange");
843 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
844 return NEED_MORE;
845 }
846
847 if (ec)
848 {
849 if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
850 {
851 DBG1(DBG_TLS, "DH point format '%N' not supported",
852 tls_ansi_point_format_names, pub.ptr[0]);
853 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
854 return NEED_MORE;
855 }
856 pub = chunk_skip(pub, 1);
857 }
858 if (!this->dh->set_other_public_value(this->dh, pub))
859 {
860 DBG1(DBG_TLS, "applying DH public value failed");
861 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
862 return NEED_MORE;
863 }
864 if (!this->dh->get_shared_secret(this->dh, &premaster))
865 {
866 DBG1(DBG_TLS, "calculating premaster from DH failed");
867 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
868 return NEED_MORE;
869 }
870
871 if (!this->crypto->derive_secrets(this->crypto, premaster,
872 this->session, this->peer,
873 chunk_from_thing(this->client_random),
874 chunk_from_thing(this->server_random)))
875 {
876 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
877 chunk_clear(&premaster);
878 return NEED_MORE;
879 }
880 chunk_clear(&premaster);
881
882 this->state = STATE_KEY_EXCHANGE_RECEIVED;
883 return NEED_MORE;
884 }
885
886 /**
887 * Process Client Key Exchange
888 */
889 static status_t process_key_exchange(private_tls_server_t *this,
890 bio_reader_t *reader)
891 {
892 if (this->dh)
893 {
894 return process_key_exchange_dhe(this, reader);
895 }
896 return process_key_exchange_encrypted(this, reader);
897 }
898
899 /**
900 * Process Certificate verify
901 */
902 static status_t process_cert_verify(private_tls_server_t *this,
903 bio_reader_t *reader)
904 {
905 bool verified = FALSE;
906 enumerator_t *enumerator;
907 public_key_t *public;
908 auth_cfg_t *auth;
909 bio_reader_t *sig;
910
911 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
912 KEY_ANY, this->peer, this->peer_auth, TRUE);
913 while (enumerator->enumerate(enumerator, &public, &auth))
914 {
915 sig = bio_reader_create(reader->peek(reader));
916 verified = this->crypto->verify_handshake(this->crypto, public, sig);
917 sig->destroy(sig);
918 if (verified)
919 {
920 this->peer_auth->merge(this->peer_auth, auth, FALSE);
921 break;
922 }
923 DBG1(DBG_TLS, "signature verification failed, trying another key");
924 }
925 enumerator->destroy(enumerator);
926
927 if (!verified)
928 {
929 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
930 this->peer);
931 if (!this->peer_auth_optional)
932 { /* client authentication is required */
933 this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
934 return NEED_MORE;
935 }
936 /* reset peer identity, we couldn't authenticate it */
937 this->peer->destroy(this->peer);
938 this->peer = NULL;
939 this->state = STATE_KEY_EXCHANGE_RECEIVED;
940 }
941 else
942 {
943 this->state = STATE_CERT_VERIFY_RECEIVED;
944 }
945 this->crypto->append_handshake(this->crypto,
946 TLS_CERTIFICATE_VERIFY, reader->peek(reader));
947 return NEED_MORE;
948 }
949
950 /**
951 * Process finished message
952 */
953 static status_t process_finished(private_tls_server_t *this,
954 bio_reader_t *reader)
955 {
956 chunk_t received, verify_data;
957 u_char buf[12];
958
959 if (this->tls->get_version_max(this->tls) < TLS_1_3)
960 {
961 if (!reader->read_data(reader, sizeof(buf), &received))
962 {
963 DBG1(DBG_TLS, "received client finished too short");
964 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
965 return NEED_MORE;
966 }
967 if (!this->crypto->calculate_finished_legacy(this->crypto,
968 "client finished", buf))
969 {
970 DBG1(DBG_TLS, "calculating client finished failed");
971 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
972 return NEED_MORE;
973 }
974 verify_data = chunk_from_thing(buf);
975 }
976 else
977 {
978 received = reader->peek(reader);
979 if (!this->crypto->calculate_finished(this->crypto, FALSE, &verify_data))
980 {
981 DBG1(DBG_TLS, "calculating client finished failed");
982 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
983 return NEED_MORE;
984 }
985
986 if (!this->crypto->derive_app_keys(this->crypto))
987 {
988 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
989 return NEED_MORE;
990 }
991 this->crypto->change_cipher(this->crypto, TRUE);
992 this->crypto->change_cipher(this->crypto, FALSE);
993 }
994
995 if (!chunk_equals_const(received, verify_data))
996 {
997 DBG1(DBG_TLS, "received client finished invalid");
998 this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
999 return NEED_MORE;
1000 }
1001
1002 if (verify_data.ptr != buf)
1003 {
1004 chunk_free(&verify_data);
1005 }
1006
1007 this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
1008 this->state = STATE_FINISHED_RECEIVED;
1009 return NEED_MORE;
1010 }
1011
1012 /**
1013 * Process KeyUpdate message
1014 */
1015 static status_t process_key_update(private_tls_server_t *this,
1016 bio_reader_t *reader)
1017 {
1018 uint8_t update_requested;
1019
1020 if (!reader->read_uint8(reader, &update_requested) ||
1021 update_requested > 1)
1022 {
1023 DBG1(DBG_TLS, "received invalid KeyUpdate");
1024 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
1025 return NEED_MORE;
1026 }
1027
1028 if (!this->crypto->update_app_keys(this->crypto, TRUE))
1029 {
1030 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1031 return NEED_MORE;
1032 }
1033 this->crypto->change_cipher(this->crypto, TRUE);
1034
1035 if (update_requested)
1036 {
1037 DBG1(DBG_TLS, "client requested KeyUpdate");
1038 this->state = STATE_KEY_UPDATE_REQUESTED;
1039 }
1040 return NEED_MORE;
1041 }
1042
1043 METHOD(tls_handshake_t, process, status_t,
1044 private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader)
1045 {
1046 tls_handshake_type_t expected;
1047
1048 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1049 {
1050 switch (this->state)
1051 {
1052 case STATE_INIT:
1053 if (type == TLS_CLIENT_HELLO)
1054 {
1055 return process_client_hello(this, reader);
1056 }
1057 expected = TLS_CLIENT_HELLO;
1058 break;
1059 case STATE_HELLO_DONE:
1060 if (type == TLS_CERTIFICATE)
1061 {
1062 return process_certificate(this, reader);
1063 }
1064 if (this->peer)
1065 {
1066 expected = TLS_CERTIFICATE;
1067 break;
1068 }
1069 /* otherwise fall through to next state */
1070 case STATE_CERT_RECEIVED:
1071 if (type == TLS_CLIENT_KEY_EXCHANGE)
1072 {
1073 return process_key_exchange(this, reader);
1074 }
1075 expected = TLS_CLIENT_KEY_EXCHANGE;
1076 break;
1077 case STATE_KEY_EXCHANGE_RECEIVED:
1078 if (type == TLS_CERTIFICATE_VERIFY)
1079 {
1080 return process_cert_verify(this, reader);
1081 }
1082 if (this->peer)
1083 {
1084 expected = TLS_CERTIFICATE_VERIFY;
1085 break;
1086 }
1087 return INVALID_STATE;
1088 case STATE_CIPHERSPEC_CHANGED_IN:
1089 if (type == TLS_FINISHED)
1090 {
1091 return process_finished(this, reader);
1092 }
1093 expected = TLS_FINISHED;
1094 break;
1095 default:
1096 DBG1(DBG_TLS, "TLS %N not expected in current state",
1097 tls_handshake_type_names, type);
1098 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1099 return NEED_MORE;
1100 }
1101 }
1102 else
1103 {
1104 switch (this->state)
1105 {
1106 case STATE_INIT:
1107 if (type == TLS_CLIENT_HELLO)
1108 {
1109 return process_client_hello(this, reader);
1110 }
1111 expected = TLS_CLIENT_HELLO;
1112 break;
1113 case STATE_CIPHERSPEC_CHANGED_IN:
1114 case STATE_FINISHED_SENT:
1115 if (type == TLS_FINISHED)
1116 {
1117 return process_finished(this, reader);
1118 }
1119 return NEED_MORE;
1120 case STATE_FINISHED_RECEIVED:
1121 if (type == TLS_KEY_UPDATE)
1122 {
1123 return process_key_update(this, reader);
1124 }
1125 return INVALID_STATE;
1126 default:
1127 DBG1(DBG_TLS, "TLS %N not expected in current state",
1128 tls_handshake_type_names, type);
1129 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1130 return NEED_MORE;
1131 }
1132 }
1133 DBG1(DBG_TLS, "TLS %N expected, but received %N",
1134 tls_handshake_type_names, expected, tls_handshake_type_names, type);
1135 this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
1136 return NEED_MORE;
1137 }
1138
1139 /**
1140 * Write public key into key share extension
1141 */
1142 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh)
1143 {
1144 bio_writer_t *writer;
1145 tls_named_group_t curve;
1146 chunk_t pub;
1147
1148 if (!dh)
1149 {
1150 return FALSE;
1151 }
1152 curve = tls_ec_group_to_curve(dh->get_dh_group(dh));
1153 if (!curve || !dh->get_my_public_value(dh, &pub))
1154 {
1155 return FALSE;
1156 }
1157 *key_share = writer = bio_writer_create(pub.len + 7);
1158 writer->write_uint16(writer, curve);
1159 if (curve == TLS_CURVE25519 ||
1160 curve == TLS_CURVE448)
1161 {
1162 writer->write_data16(writer, pub);
1163 }
1164 else
1165 { /* classic format (see RFC 8446, section 4.2.8.2) */
1166 writer->write_uint16(writer, pub.len + 1);
1167 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1168 writer->write_data(writer, pub);
1169 }
1170 free(pub.ptr);
1171 return TRUE;
1172 }
1173
1174 /**
1175 * Send ServerHello message
1176 */
1177 static status_t send_server_hello(private_tls_server_t *this,
1178 tls_handshake_type_t *type, bio_writer_t *writer)
1179 {
1180 bio_writer_t *key_share, *extensions;
1181 tls_version_t version;
1182
1183 version = this->tls->get_version_max(this->tls);
1184
1185 /* cap legacy version at TLS 1.2 for middlebox compatibility */
1186 writer->write_uint16(writer, min(TLS_1_2, version));
1187
1188 if (this->requested_curve)
1189 {
1190 writer->write_data(writer, tls_hello_retry_request_magic);
1191 }
1192 else
1193 {
1194 writer->write_data(writer, chunk_from_thing(this->server_random));
1195 }
1196
1197 /* session identifier if we have one */
1198 writer->write_data8(writer, this->session);
1199
1200 /* add selected TLS cipher suite */
1201 writer->write_uint16(writer, this->suite);
1202
1203 /* NULL compression only */
1204 writer->write_uint8(writer, 0);
1205
1206 if (version >= TLS_1_3)
1207 {
1208 extensions = bio_writer_create(32);
1209
1210 DBG2(DBG_TLS, "sending extension: %N",
1211 tls_extension_names, TLS_EXT_SUPPORTED_VERSIONS);
1212 extensions->write_uint16(extensions, TLS_EXT_SUPPORTED_VERSIONS);
1213 extensions->write_uint16(extensions, 2);
1214 extensions->write_uint16(extensions, version);
1215
1216 DBG2(DBG_TLS, "sending extension: %N",
1217 tls_extension_names, TLS_EXT_KEY_SHARE);
1218 extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE);
1219 if (this->requested_curve)
1220 {
1221 DBG1(DBG_TLS, "requesting key exchange with %N",
1222 tls_named_group_names, this->requested_curve);
1223 extensions->write_uint16(extensions, 2);
1224 extensions->write_uint16(extensions, this->requested_curve);
1225 }
1226 else
1227 {
1228 if (!tls_write_key_share(&key_share, this->dh))
1229 {
1230 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1231 extensions->destroy(extensions);
1232 return NEED_MORE;
1233 }
1234 extensions->write_data16(extensions, key_share->get_buf(key_share));
1235 key_share->destroy(key_share);
1236 }
1237
1238 writer->write_data16(writer, extensions->get_buf(extensions));
1239 extensions->destroy(extensions);
1240 }
1241
1242 *type = TLS_SERVER_HELLO;
1243 this->state = this->requested_curve ? STATE_INIT : STATE_HELLO_SENT;
1244 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1245 return NEED_MORE;
1246 }
1247
1248 /**
1249 * Send encrypted extensions message
1250 */
1251 static status_t send_encrypted_extensions(private_tls_server_t *this,
1252 tls_handshake_type_t *type,
1253 bio_writer_t *writer)
1254 {
1255 chunk_t shared_secret = chunk_empty;
1256
1257 if (!this->dh->get_shared_secret(this->dh, &shared_secret) ||
1258 !this->crypto->derive_handshake_keys(this->crypto, shared_secret))
1259 {
1260 DBG1(DBG_TLS, "DH key derivation failed");
1261 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1262 chunk_clear(&shared_secret);
1263 return NEED_MORE;
1264 }
1265 chunk_clear(&shared_secret);
1266
1267 this->crypto->change_cipher(this->crypto, TRUE);
1268 this->crypto->change_cipher(this->crypto, FALSE);
1269
1270 /* currently no extensions are supported */
1271 writer->write_uint16(writer, 0);
1272
1273 *type = TLS_ENCRYPTED_EXTENSIONS;
1274 this->state = STATE_ENCRYPTED_EXTENSIONS_SENT;
1275 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1276 return NEED_MORE;
1277 }
1278
1279 /**
1280 * Send Certificate
1281 */
1282 static status_t send_certificate(private_tls_server_t *this,
1283 tls_handshake_type_t *type, bio_writer_t *writer)
1284 {
1285 enumerator_t *enumerator;
1286 certificate_t *cert;
1287 auth_rule_t rule;
1288 bio_writer_t *certs;
1289 chunk_t data;
1290
1291 /* certificate request context as described in RFC 8446, section 4.4.2 */
1292 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1293 {
1294 writer->write_uint8(writer, 0);
1295 }
1296
1297 /* generate certificate payload */
1298 certs = bio_writer_create(256);
1299 cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
1300 if (cert)
1301 {
1302 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1303 {
1304 DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
1305 cert->get_subject(cert));
1306 certs->write_data24(certs, data);
1307 free(data.ptr);
1308 }
1309 /* extensions see RFC 8446, section 4.4.2 */
1310 if (this->tls->get_version_max(this->tls) > TLS_1_2)
1311 {
1312 certs->write_uint16(certs, 0);
1313 }
1314 }
1315 enumerator = this->server_auth->create_enumerator(this->server_auth);
1316 while (enumerator->enumerate(enumerator, &rule, &cert))
1317 {
1318 if (rule == AUTH_RULE_IM_CERT)
1319 {
1320 if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
1321 {
1322 DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
1323 cert->get_subject(cert));
1324 certs->write_data24(certs, data);
1325 free(data.ptr);
1326 }
1327 }
1328 }
1329 enumerator->destroy(enumerator);
1330
1331 writer->write_data24(writer, certs->get_buf(certs));
1332 certs->destroy(certs);
1333
1334 *type = TLS_CERTIFICATE;
1335 this->state = STATE_CERT_SENT;
1336 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1337 return NEED_MORE;
1338 }
1339
1340 /**
1341 * Send Certificate Verify
1342 */
1343 static status_t send_certificate_verify(private_tls_server_t *this,
1344 tls_handshake_type_t *type,
1345 bio_writer_t *writer)
1346 {
1347 if (!this->crypto->sign_handshake(this->crypto, this->private, writer,
1348 this->hashsig))
1349 {
1350 DBG1(DBG_TLS, "signature generation failed");
1351 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1352 return NEED_MORE;
1353 }
1354
1355 *type = TLS_CERTIFICATE_VERIFY;
1356 this->state = STATE_CERT_VERIFY_SENT;
1357 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1358 return NEED_MORE;
1359 }
1360
1361 /**
1362 * Send Certificate Request
1363 */
1364 static status_t send_certificate_request(private_tls_server_t *this,
1365 tls_handshake_type_t *type, bio_writer_t *writer)
1366 {
1367 bio_writer_t *authorities, *supported;
1368 enumerator_t *enumerator;
1369 certificate_t *cert;
1370 x509_t *x509;
1371 identification_t *id;
1372
1373 supported = bio_writer_create(4);
1374 /* we propose both RSA and ECDSA */
1375 supported->write_uint8(supported, TLS_RSA_SIGN);
1376 supported->write_uint8(supported, TLS_ECDSA_SIGN);
1377 writer->write_data8(writer, supported->get_buf(supported));
1378 supported->destroy(supported);
1379 if (this->tls->get_version_max(this->tls) >= TLS_1_2)
1380 {
1381 this->crypto->get_signature_algorithms(this->crypto, writer, TRUE);
1382 }
1383
1384 authorities = bio_writer_create(64);
1385 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
1386 CERT_X509, KEY_RSA, NULL, TRUE);
1387 while (enumerator->enumerate(enumerator, &cert))
1388 {
1389 x509 = (x509_t*)cert;
1390 if (x509->get_flags(x509) & X509_CA)
1391 {
1392 id = cert->get_subject(cert);
1393 DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
1394 authorities->write_data16(authorities, id->get_encoding(id));
1395 }
1396 }
1397 enumerator->destroy(enumerator);
1398 writer->write_data16(writer, authorities->get_buf(authorities));
1399 authorities->destroy(authorities);
1400
1401 *type = TLS_CERTIFICATE_REQUEST;
1402 this->state = STATE_CERTREQ_SENT;
1403 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1404 return NEED_MORE;
1405 }
1406
1407 /**
1408 * Try to find a curve supported by both, client and server
1409 */
1410 static bool find_supported_curve(private_tls_server_t *this,
1411 tls_named_group_t *curve)
1412 {
1413 tls_named_group_t current;
1414 enumerator_t *enumerator;
1415
1416 enumerator = this->crypto->create_ec_enumerator(this->crypto);
1417 while (enumerator->enumerate(enumerator, NULL, &current))
1418 {
1419 if (peer_supports_curve(this, current))
1420 {
1421 *curve = current;
1422 enumerator->destroy(enumerator);
1423 return TRUE;
1424 }
1425 }
1426 enumerator->destroy(enumerator);
1427 return FALSE;
1428 }
1429
1430 /**
1431 * Send Server key Exchange
1432 */
1433 static status_t send_server_key_exchange(private_tls_server_t *this,
1434 tls_handshake_type_t *type, bio_writer_t *writer,
1435 diffie_hellman_group_t group)
1436 {
1437 diffie_hellman_params_t *params = NULL;
1438 tls_named_group_t curve;
1439 chunk_t chunk;
1440
1441 if (diffie_hellman_group_is_ec(group))
1442 {
1443 curve = tls_ec_group_to_curve(group);
1444 if (!curve || (!peer_supports_curve(this, curve) &&
1445 !find_supported_curve(this, &curve)))
1446 {
1447 DBG1(DBG_TLS, "no EC group supported by client and server");
1448 this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
1449 return NEED_MORE;
1450 }
1451 DBG2(DBG_TLS, "selected ECDH group %N", tls_named_group_names, curve);
1452 writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
1453 writer->write_uint16(writer, curve);
1454 }
1455 else
1456 {
1457 params = diffie_hellman_get_params(group);
1458 if (!params)
1459 {
1460 DBG1(DBG_TLS, "no parameters found for DH group %N",
1461 diffie_hellman_group_names, group);
1462 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1463 return NEED_MORE;
1464 }
1465 DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
1466 writer->write_data16(writer, params->prime);
1467 writer->write_data16(writer, params->generator);
1468 }
1469 this->dh = lib->crypto->create_dh(lib->crypto, group);
1470 if (!this->dh)
1471 {
1472 DBG1(DBG_TLS, "DH group %N not supported",
1473 diffie_hellman_group_names, group);
1474 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1475 return NEED_MORE;
1476 }
1477 if (!this->dh->get_my_public_value(this->dh, &chunk))
1478 {
1479 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1480 return NEED_MORE;
1481 }
1482 if (params)
1483 {
1484 writer->write_data16(writer, chunk);
1485 }
1486 else
1487 { /* ECP uses 8bit length header only, but a point format */
1488 writer->write_uint8(writer, chunk.len + 1);
1489 writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
1490 writer->write_data(writer, chunk);
1491 }
1492 free(chunk.ptr);
1493
1494 chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
1495 chunk_from_thing(this->server_random), writer->get_buf(writer));
1496 if (!this->private || !this->crypto->sign(this->crypto, this->private,
1497 writer, chunk, this->hashsig))
1498 {
1499 DBG1(DBG_TLS, "signing DH parameters failed");
1500 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1501 free(chunk.ptr);
1502 return NEED_MORE;
1503 }
1504 free(chunk.ptr);
1505 *type = TLS_SERVER_KEY_EXCHANGE;
1506 this->state = STATE_KEY_EXCHANGE_SENT;
1507 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1508 return NEED_MORE;
1509 }
1510
1511 /**
1512 * Send Hello Done
1513 */
1514 static status_t send_hello_done(private_tls_server_t *this,
1515 tls_handshake_type_t *type, bio_writer_t *writer)
1516 {
1517 *type = TLS_SERVER_HELLO_DONE;
1518 this->state = STATE_HELLO_DONE;
1519 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1520 return NEED_MORE;
1521 }
1522
1523 /**
1524 * Send Finished
1525 */
1526 static status_t send_finished(private_tls_server_t *this,
1527 tls_handshake_type_t *type, bio_writer_t *writer)
1528 {
1529 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1530 {
1531 char buf[12];
1532
1533 if (!this->crypto->calculate_finished_legacy(this->crypto,
1534 "server finished", buf))
1535 {
1536 DBG1(DBG_TLS, "calculating server finished data failed");
1537 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1538 return FAILED;
1539 }
1540
1541 writer->write_data(writer, chunk_from_thing(buf));
1542 }
1543 else
1544 {
1545 chunk_t verify_data;
1546
1547 if (!this->crypto->calculate_finished(this->crypto, TRUE, &verify_data))
1548 {
1549 DBG1(DBG_TLS, "calculating server finished data failed");
1550 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1551 return NEED_MORE;
1552 }
1553
1554 writer->write_data(writer, verify_data);
1555 chunk_free(&verify_data);
1556 }
1557
1558 *type = TLS_FINISHED;
1559 this->state = STATE_FINISHED_SENT;
1560 this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
1561
1562 return NEED_MORE;
1563 }
1564
1565 /**
1566 * Send KeyUpdate message
1567 */
1568 static status_t send_key_update(private_tls_server_t *this,
1569 tls_handshake_type_t *type, bio_writer_t *writer)
1570 {
1571 *type = TLS_KEY_UPDATE;
1572
1573 /* we currently only send this as reply, so we never request an update */
1574 writer->write_uint8(writer, 0);
1575
1576 this->state = STATE_KEY_UPDATE_SENT;
1577 return NEED_MORE;
1578 }
1579
1580 METHOD(tls_handshake_t, build, status_t,
1581 private_tls_server_t *this, tls_handshake_type_t *type, bio_writer_t *writer)
1582 {
1583 diffie_hellman_group_t group;
1584
1585 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1586 {
1587 switch (this->state)
1588 {
1589 case STATE_HELLO_RECEIVED:
1590 return send_server_hello(this, type, writer);
1591 case STATE_HELLO_SENT:
1592 return send_certificate(this, type, writer);
1593 case STATE_CERT_SENT:
1594 group = this->crypto->get_dh_group(this->crypto);
1595 if (group)
1596 {
1597 return send_server_key_exchange(this, type, writer, group);
1598 }
1599 /* otherwise fall through to next state */
1600 case STATE_KEY_EXCHANGE_SENT:
1601 return send_certificate_request(this, type, writer);
1602 case STATE_CERTREQ_SENT:
1603 return send_hello_done(this, type, writer);
1604 case STATE_CIPHERSPEC_CHANGED_OUT:
1605 return send_finished(this, type, writer);
1606 case STATE_FINISHED_SENT:
1607 return INVALID_STATE;
1608 default:
1609 return INVALID_STATE;
1610 }
1611 }
1612 else
1613 {
1614 switch (this->state)
1615 {
1616 case STATE_HELLO_RECEIVED:
1617 return send_server_hello(this, type, writer);
1618 case STATE_HELLO_SENT:
1619 case STATE_CIPHERSPEC_CHANGED_OUT:
1620 return send_encrypted_extensions(this, type, writer);
1621 case STATE_ENCRYPTED_EXTENSIONS_SENT:
1622 return send_certificate(this, type, writer);
1623 case STATE_CERT_SENT:
1624 return send_certificate_verify(this, type, writer);
1625 case STATE_CERT_VERIFY_SENT:
1626 return send_finished(this, type, writer);
1627 case STATE_FINISHED_SENT:
1628 return INVALID_STATE;
1629 case STATE_KEY_UPDATE_REQUESTED:
1630 return send_key_update(this, type, writer);
1631 case STATE_KEY_UPDATE_SENT:
1632 if (!this->crypto->update_app_keys(this->crypto, FALSE))
1633 {
1634 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
1635 return NEED_MORE;
1636 }
1637 this->crypto->change_cipher(this->crypto, FALSE);
1638 this->state = STATE_FINISHED_RECEIVED;
1639 default:
1640 return INVALID_STATE;
1641 }
1642 }
1643 }
1644
1645 METHOD(tls_handshake_t, cipherspec_changed, bool,
1646 private_tls_server_t *this, bool inbound)
1647 {
1648 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1649 {
1650 if (inbound)
1651 {
1652 if (this->resume)
1653 {
1654 return this->state == STATE_FINISHED_SENT;
1655 }
1656 if (this->peer)
1657 {
1658 return this->state == STATE_CERT_VERIFY_RECEIVED;
1659 }
1660 return this->state == STATE_KEY_EXCHANGE_RECEIVED;
1661 }
1662 else
1663 {
1664 if (this->resume)
1665 {
1666 return this->state == STATE_HELLO_SENT;
1667 }
1668 return this->state == STATE_FINISHED_RECEIVED;
1669 }
1670 return FALSE;
1671 }
1672 else
1673 {
1674 if (inbound)
1675 { /* accept ChangeCipherSpec after ServerFinish or HelloRetryRequest */
1676 return this->state == STATE_FINISHED_SENT || retrying(this);
1677 }
1678 else
1679 {
1680 return this->state == STATE_HELLO_SENT;
1681 }
1682 }
1683 }
1684
1685 METHOD(tls_handshake_t, change_cipherspec, void,
1686 private_tls_server_t *this, bool inbound)
1687 {
1688 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1689 {
1690 this->crypto->change_cipher(this->crypto, inbound);
1691 }
1692
1693 if (retrying(this))
1694 { /* client might send a ChangeCipherSpec after a HelloRetryRequest and
1695 * before a new ClientHello which should not cause any state changes */
1696 return;
1697 }
1698
1699 if (inbound)
1700 {
1701 this->state = STATE_CIPHERSPEC_CHANGED_IN;
1702 }
1703 else
1704 {
1705 this->state = STATE_CIPHERSPEC_CHANGED_OUT;
1706 }
1707 }
1708
1709 METHOD(tls_handshake_t, finished, bool,
1710 private_tls_server_t *this)
1711 {
1712 if (this->tls->get_version_max(this->tls) < TLS_1_3)
1713 {
1714 if (this->resume)
1715 {
1716 return this->state == STATE_FINISHED_RECEIVED;
1717 }
1718 return this->state == STATE_FINISHED_SENT;
1719 }
1720 else
1721 {
1722 return this->state == STATE_FINISHED_RECEIVED;
1723 }
1724 }
1725
1726 METHOD(tls_handshake_t, get_peer_id, identification_t*,
1727 private_tls_server_t *this)
1728 {
1729 return this->peer;
1730 }
1731
1732 METHOD(tls_handshake_t, get_server_id, identification_t*,
1733 private_tls_server_t *this)
1734 {
1735 return this->server;
1736 }
1737
1738 METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
1739 private_tls_server_t *this)
1740 {
1741 return this->peer_auth;
1742 }
1743
1744 METHOD(tls_handshake_t, destroy, void,
1745 private_tls_server_t *this)
1746 {
1747 DESTROY_IF(this->private);
1748 DESTROY_IF(this->dh);
1749 DESTROY_IF(this->peer);
1750 this->server->destroy(this->server);
1751 this->peer_auth->destroy(this->peer_auth);
1752 this->server_auth->destroy(this->server_auth);
1753 free(this->hashsig.ptr);
1754 free(this->curves.ptr);
1755 free(this->session.ptr);
1756 free(this);
1757 }
1758
1759 /**
1760 * See header
1761 */
1762 tls_server_t *tls_server_create(tls_t *tls,
1763 tls_crypto_t *crypto, tls_alert_t *alert,
1764 identification_t *server, identification_t *peer)
1765 {
1766 private_tls_server_t *this;
1767
1768 INIT(this,
1769 .public = {
1770 .handshake = {
1771 .process = _process,
1772 .build = _build,
1773 .cipherspec_changed = _cipherspec_changed,
1774 .change_cipherspec = _change_cipherspec,
1775 .finished = _finished,
1776 .get_peer_id = _get_peer_id,
1777 .get_server_id = _get_server_id,
1778 .get_auth = _get_auth,
1779 .destroy = _destroy,
1780 },
1781 },
1782 .tls = tls,
1783 .crypto = crypto,
1784 .alert = alert,
1785 .server = server->clone(server),
1786 .peer = peer ? peer->clone(peer) : NULL,
1787 .state = STATE_INIT,
1788 .peer_auth = auth_cfg_create(),
1789 .server_auth = auth_cfg_create(),
1790 );
1791
1792 return &this->public;
1793 }